usb4bsd: Re-port the if_rum driver
[dragonfly.git] / sys / bus / u4b / wlan / if_run.c
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  *
19  * $FreeBSD: head/sys/dev/usb/wlan/if_run.c 262795 2014-03-05 18:39:27Z hselasky $
20  */
21
22 /*-
23  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
24  * http://www.ralinktech.com/
25  */
26
27 #include <sys/param.h>
28 #include <sys/sockio.h>
29 #include <sys/sysctl.h>
30 #include <sys/lock.h>
31 #include <sys/mbuf.h>
32 #include <sys/kernel.h>
33 #include <sys/socket.h>
34 #include <sys/systm.h>
35 #include <sys/malloc.h>
36 #include <sys/module.h>
37 #include <sys/bus.h>
38 #include <sys/endian.h>
39 #include <sys/linker.h>
40 #include <sys/firmware.h>
41
42 #include <sys/rman.h>
43
44 #include <net/bpf.h>
45 #include <net/if.h>
46 #include <net/if_var.h>
47 #include <net/if_arp.h>
48 #include <net/ethernet.h>
49 #include <net/if_dl.h>
50 #include <net/if_media.h>
51 #include <net/if_types.h>
52 #include <net/ifq_var.h>
53
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/in_var.h>
57 #include <netinet/if_ether.h>
58 #include <netinet/ip.h>
59
60 #include <netproto/802_11/ieee80211_var.h>
61 #include <netproto/802_11/ieee80211_regdomain.h>
62 #include <netproto/802_11/ieee80211_radiotap.h>
63 #include <netproto/802_11/ieee80211_ratectl.h>
64
65 #include <bus/u4b/usb.h>
66 #include <bus/u4b/usbdi.h>
67 #include "usbdevs.h"
68
69 #define USB_DEBUG_VAR   run_debug
70 #include <bus/u4b/usb_debug.h>
71 #include <bus/u4b/usb_msctest.h>
72
73 #include <bus/u4b/wlan/if_runreg.h>
74 #include <bus/u4b/wlan/if_runvar.h>
75
76 #ifdef  USB_DEBUG
77 #define RUN_DEBUG
78 #endif
79
80 #ifdef  RUN_DEBUG
81 int run_debug = 0;
82 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
83 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
84     "run debug level");
85 #endif
86
87 #define IEEE80211_HAS_ADDR4(wh) \
88         (((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
89
90 /*
91  * Because of LOR in run_key_delete(), use atomic instead.
92  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
93  */
94 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
95
96 static const STRUCT_USB_HOST_ID run_devs[] = {
97 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
98 #define RUN_DEV_EJECT(v,p)      \
99         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
100 #define RUN_EJECT       1
101     RUN_DEV(ABOCOM,             RT2770),
102     RUN_DEV(ABOCOM,             RT2870),
103     RUN_DEV(ABOCOM,             RT3070),
104     RUN_DEV(ABOCOM,             RT3071),
105     RUN_DEV(ABOCOM,             RT3072),
106     RUN_DEV(ABOCOM2,            RT2870_1),
107     RUN_DEV(ACCTON,             RT2770),
108     RUN_DEV(ACCTON,             RT2870_1),
109     RUN_DEV(ACCTON,             RT2870_2),
110     RUN_DEV(ACCTON,             RT2870_3),
111     RUN_DEV(ACCTON,             RT2870_4),
112     RUN_DEV(ACCTON,             RT2870_5),
113     RUN_DEV(ACCTON,             RT3070),
114     RUN_DEV(ACCTON,             RT3070_1),
115     RUN_DEV(ACCTON,             RT3070_2),
116     RUN_DEV(ACCTON,             RT3070_3),
117     RUN_DEV(ACCTON,             RT3070_4),
118     RUN_DEV(ACCTON,             RT3070_5),
119     RUN_DEV(AIRTIES,            RT3070),
120     RUN_DEV(ALLWIN,             RT2070),
121     RUN_DEV(ALLWIN,             RT2770),
122     RUN_DEV(ALLWIN,             RT2870),
123     RUN_DEV(ALLWIN,             RT3070),
124     RUN_DEV(ALLWIN,             RT3071),
125     RUN_DEV(ALLWIN,             RT3072),
126     RUN_DEV(ALLWIN,             RT3572),
127     RUN_DEV(AMIGO,              RT2870_1),
128     RUN_DEV(AMIGO,              RT2870_2),
129     RUN_DEV(AMIT,               CGWLUSB2GNR),
130     RUN_DEV(AMIT,               RT2870_1),
131     RUN_DEV(AMIT2,              RT2870),
132     RUN_DEV(ASUS,               RT2870_1),
133     RUN_DEV(ASUS,               RT2870_2),
134     RUN_DEV(ASUS,               RT2870_3),
135     RUN_DEV(ASUS,               RT2870_4),
136     RUN_DEV(ASUS,               RT2870_5),
137     RUN_DEV(ASUS,               USBN13),
138     RUN_DEV(ASUS,               RT3070_1),
139     RUN_DEV(ASUS,               USBN66),
140     RUN_DEV(ASUS,               USB_N53),
141     RUN_DEV(ASUS2,              USBN11),
142     RUN_DEV(AZUREWAVE,          RT2870_1),
143     RUN_DEV(AZUREWAVE,          RT2870_2),
144     RUN_DEV(AZUREWAVE,          RT3070_1),
145     RUN_DEV(AZUREWAVE,          RT3070_2),
146     RUN_DEV(AZUREWAVE,          RT3070_3),
147     RUN_DEV(BELKIN,             F9L1103),
148     RUN_DEV(BELKIN,             F5D8053V3),
149     RUN_DEV(BELKIN,             F5D8055),
150     RUN_DEV(BELKIN,             F5D8055V2),
151     RUN_DEV(BELKIN,             F6D4050V1),
152     RUN_DEV(BELKIN,             F6D4050V2),
153     RUN_DEV(BELKIN,             RT2870_1),
154     RUN_DEV(BELKIN,             RT2870_2),
155     RUN_DEV(CISCOLINKSYS,       AE1000),
156     RUN_DEV(CISCOLINKSYS2,      RT3070),
157     RUN_DEV(CISCOLINKSYS3,      RT3070),
158     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
159     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
160     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
161     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
162     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
163     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
164     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
165     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
166     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
167     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
168     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
169     RUN_DEV(COREGA,             CGWLUSB300GNM),
170     RUN_DEV(COREGA,             RT2870_1),
171     RUN_DEV(COREGA,             RT2870_2),
172     RUN_DEV(COREGA,             RT2870_3),
173     RUN_DEV(COREGA,             RT3070),
174     RUN_DEV(CYBERTAN,           RT2870),
175     RUN_DEV(DLINK,              RT2870),
176     RUN_DEV(DLINK,              RT3072),
177     RUN_DEV(DLINK,              DWA127),
178     RUN_DEV(DLINK,              DWA140B3),
179     RUN_DEV(DLINK,              DWA160B2),
180     RUN_DEV(DLINK,              DWA162),
181     RUN_DEV(DLINK2,             DWA130),
182     RUN_DEV(DLINK2,             RT2870_1),
183     RUN_DEV(DLINK2,             RT2870_2),
184     RUN_DEV(DLINK2,             RT3070_1),
185     RUN_DEV(DLINK2,             RT3070_2),
186     RUN_DEV(DLINK2,             RT3070_3),
187     RUN_DEV(DLINK2,             RT3070_4),
188     RUN_DEV(DLINK2,             RT3070_5),
189     RUN_DEV(DLINK2,             RT3072),
190     RUN_DEV(DLINK2,             RT3072_1),
191     RUN_DEV(EDIMAX,             EW7717),
192     RUN_DEV(EDIMAX,             EW7718),
193     RUN_DEV(EDIMAX,             EW7733UND),
194     RUN_DEV(EDIMAX,             RT2870_1),
195     RUN_DEV(ENCORE,             RT3070_1),
196     RUN_DEV(ENCORE,             RT3070_2),
197     RUN_DEV(ENCORE,             RT3070_3),
198     RUN_DEV(GIGABYTE,           GNWB31N),
199     RUN_DEV(GIGABYTE,           GNWB32L),
200     RUN_DEV(GIGABYTE,           RT2870_1),
201     RUN_DEV(GIGASET,            RT3070_1),
202     RUN_DEV(GIGASET,            RT3070_2),
203     RUN_DEV(GUILLEMOT,          HWNU300),
204     RUN_DEV(HAWKING,            HWUN2),
205     RUN_DEV(HAWKING,            RT2870_1),
206     RUN_DEV(HAWKING,            RT2870_2),
207     RUN_DEV(HAWKING,            RT3070),
208     RUN_DEV(IODATA,             RT3072_1),
209     RUN_DEV(IODATA,             RT3072_2),
210     RUN_DEV(IODATA,             RT3072_3),
211     RUN_DEV(IODATA,             RT3072_4),
212     RUN_DEV(LINKSYS4,           RT3070),
213     RUN_DEV(LINKSYS4,           WUSB100),
214     RUN_DEV(LINKSYS4,           WUSB54GCV3),
215     RUN_DEV(LINKSYS4,           WUSB600N),
216     RUN_DEV(LINKSYS4,           WUSB600NV2),
217     RUN_DEV(LOGITEC,            RT2870_1),
218     RUN_DEV(LOGITEC,            RT2870_2),
219     RUN_DEV(LOGITEC,            RT2870_3),
220     RUN_DEV(LOGITEC,            LANW300NU2),
221     RUN_DEV(LOGITEC,            LANW150NU2),
222     RUN_DEV(LOGITEC,            LANW300NU2S),
223     RUN_DEV(MELCO,              RT2870_1),
224     RUN_DEV(MELCO,              RT2870_2),
225     RUN_DEV(MELCO,              WLIUCAG300N),
226     RUN_DEV(MELCO,              WLIUCG300N),
227     RUN_DEV(MELCO,              WLIUCG301N),
228     RUN_DEV(MELCO,              WLIUCGN),
229     RUN_DEV(MELCO,              WLIUCGNM),
230     RUN_DEV(MELCO,              WLIUCGNM2),
231     RUN_DEV(MOTOROLA4,          RT2770),
232     RUN_DEV(MOTOROLA4,          RT3070),
233     RUN_DEV(MSI,                RT3070_1),
234     RUN_DEV(MSI,                RT3070_2),
235     RUN_DEV(MSI,                RT3070_3),
236     RUN_DEV(MSI,                RT3070_4),
237     RUN_DEV(MSI,                RT3070_5),
238     RUN_DEV(MSI,                RT3070_6),
239     RUN_DEV(MSI,                RT3070_7),
240     RUN_DEV(MSI,                RT3070_8),
241     RUN_DEV(MSI,                RT3070_9),
242     RUN_DEV(MSI,                RT3070_10),
243     RUN_DEV(MSI,                RT3070_11),
244     RUN_DEV(OVISLINK,           RT3072),
245     RUN_DEV(PARA,               RT3070),
246     RUN_DEV(PEGATRON,           RT2870),
247     RUN_DEV(PEGATRON,           RT3070),
248     RUN_DEV(PEGATRON,           RT3070_2),
249     RUN_DEV(PEGATRON,           RT3070_3),
250     RUN_DEV(PHILIPS,            RT2870),
251     RUN_DEV(PLANEX2,            GWUS300MINIS),
252     RUN_DEV(PLANEX2,            GWUSMICRON),
253     RUN_DEV(PLANEX2,            RT2870),
254     RUN_DEV(PLANEX2,            RT3070),
255     RUN_DEV(QCOM,               RT2870),
256     RUN_DEV(QUANTA,             RT3070),
257     RUN_DEV(RALINK,             RT2070),
258     RUN_DEV(RALINK,             RT2770),
259     RUN_DEV(RALINK,             RT2870),
260     RUN_DEV(RALINK,             RT3070),
261     RUN_DEV(RALINK,             RT3071),
262     RUN_DEV(RALINK,             RT3072),
263     RUN_DEV(RALINK,             RT3370),
264     RUN_DEV(RALINK,             RT3572),
265     RUN_DEV(RALINK,             RT3573),
266     RUN_DEV(RALINK,             RT5370),
267     RUN_DEV(RALINK,             RT5572),
268     RUN_DEV(RALINK,             RT8070),
269     RUN_DEV(SAMSUNG,            WIS09ABGN),
270     RUN_DEV(SAMSUNG2,           RT2870_1),
271     RUN_DEV(SENAO,              RT2870_1),
272     RUN_DEV(SENAO,              RT2870_2),
273     RUN_DEV(SENAO,              RT2870_3),
274     RUN_DEV(SENAO,              RT2870_4),
275     RUN_DEV(SENAO,              RT3070),
276     RUN_DEV(SENAO,              RT3071),
277     RUN_DEV(SENAO,              RT3072_1),
278     RUN_DEV(SENAO,              RT3072_2),
279     RUN_DEV(SENAO,              RT3072_3),
280     RUN_DEV(SENAO,              RT3072_4),
281     RUN_DEV(SENAO,              RT3072_5),
282     RUN_DEV(SITECOMEU,          RT2770),
283     RUN_DEV(SITECOMEU,          RT2870_1),
284     RUN_DEV(SITECOMEU,          RT2870_2),
285     RUN_DEV(SITECOMEU,          RT2870_3),
286     RUN_DEV(SITECOMEU,          RT2870_4),
287     RUN_DEV(SITECOMEU,          RT3070),
288     RUN_DEV(SITECOMEU,          RT3070_2),
289     RUN_DEV(SITECOMEU,          RT3070_3),
290     RUN_DEV(SITECOMEU,          RT3070_4),
291     RUN_DEV(SITECOMEU,          RT3071),
292     RUN_DEV(SITECOMEU,          RT3072_1),
293     RUN_DEV(SITECOMEU,          RT3072_2),
294     RUN_DEV(SITECOMEU,          RT3072_3),
295     RUN_DEV(SITECOMEU,          RT3072_4),
296     RUN_DEV(SITECOMEU,          RT3072_5),
297     RUN_DEV(SITECOMEU,          RT3072_6),
298     RUN_DEV(SITECOMEU,          WL608),
299     RUN_DEV(SPARKLAN,           RT2870_1),
300     RUN_DEV(SPARKLAN,           RT3070),
301     RUN_DEV(SWEEX2,             LW153),
302     RUN_DEV(SWEEX2,             LW303),
303     RUN_DEV(SWEEX2,             LW313),
304     RUN_DEV(TOSHIBA,            RT3070),
305     RUN_DEV(UMEDIA,             RT2870_1),
306     RUN_DEV(ZCOM,               RT2870_1),
307     RUN_DEV(ZCOM,               RT2870_2),
308     RUN_DEV(ZINWELL,            RT2870_1),
309     RUN_DEV(ZINWELL,            RT2870_2),
310     RUN_DEV(ZINWELL,            RT3070),
311     RUN_DEV(ZINWELL,            RT3072_1),
312     RUN_DEV(ZINWELL,            RT3072_2),
313     RUN_DEV(ZYXEL,              RT2870_1),
314     RUN_DEV(ZYXEL,              RT2870_2),
315     RUN_DEV_EJECT(ZYXEL,        NWD2705),
316     RUN_DEV_EJECT(RALINK,       RT_STOR),
317 #undef RUN_DEV_EJECT
318 #undef RUN_DEV
319 };
320
321 static device_probe_t   run_match;
322 static device_attach_t  run_attach;
323 static device_detach_t  run_detach;
324
325 static usb_callback_t   run_bulk_rx_callback;
326 static usb_callback_t   run_bulk_tx_callback0;
327 static usb_callback_t   run_bulk_tx_callback1;
328 static usb_callback_t   run_bulk_tx_callback2;
329 static usb_callback_t   run_bulk_tx_callback3;
330 static usb_callback_t   run_bulk_tx_callback4;
331 static usb_callback_t   run_bulk_tx_callback5;
332
333 static void     run_autoinst(void *, struct usb_device *,
334                     struct usb_attach_arg *);
335 static int      run_driver_loaded(struct module *, int, void *);
336 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
337                     usb_error_t error, u_int index);
338 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
339                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
340                     const uint8_t [IEEE80211_ADDR_LEN],
341                     const uint8_t [IEEE80211_ADDR_LEN]);
342 static void     run_vap_delete(struct ieee80211vap *);
343 static void     run_cmdq_cb(void *, int);
344 static void     run_setup_tx_list(struct run_softc *,
345                     struct run_endpoint_queue *);
346 static void     run_unsetup_tx_list(struct run_softc *,
347                     struct run_endpoint_queue *);
348 static int      run_load_microcode(struct run_softc *);
349 static int      run_reset(struct run_softc *);
350 static usb_error_t run_do_request(struct run_softc *,
351                     struct usb_device_request *, void *);
352 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
353 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
354 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
355 static int      run_write(struct run_softc *, uint16_t, uint32_t);
356 static int      run_write_region_1(struct run_softc *, uint16_t,
357                     const uint8_t *, int);
358 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
359 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
360 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
361 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
362 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
363 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
364 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
365 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
366 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
367 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
368 static const char *run_get_rf(uint16_t);
369 static void     run_rt3593_get_txpower(struct run_softc *);
370 static void     run_get_txpower(struct run_softc *);
371 static int      run_read_eeprom(struct run_softc *);
372 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
373                             const uint8_t mac[IEEE80211_ADDR_LEN]);
374 static int      run_media_change(struct ifnet *);
375 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
376 static int      run_wme_update(struct ieee80211com *);
377 static void     run_wme_update_cb(void *);
378 static void     run_key_update_begin(struct ieee80211vap *);
379 static void     run_key_update_end(struct ieee80211vap *);
380 static void     run_key_set_cb(void *);
381 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *,
382                     const uint8_t mac[IEEE80211_ADDR_LEN]);
383 static void     run_key_delete_cb(void *);
384 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
385 static void     run_ratectl_to(void *);
386 static void     run_ratectl_cb(void *, int);
387 static void     run_drain_fifo(void *);
388 static void     run_iter_func(void *, struct ieee80211_node *);
389 static void     run_newassoc_cb(void *);
390 static void     run_newassoc(struct ieee80211_node *, int);
391 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
392 static void     run_tx_free(struct run_endpoint_queue *pq,
393                     struct run_tx_data *, int);
394 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
395 static int      run_tx(struct run_softc *, struct mbuf *,
396                     struct ieee80211_node *);
397 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
398                     struct ieee80211_node *);
399 static int      run_sendprot(struct run_softc *, const struct mbuf *,
400                     struct ieee80211_node *, int, int);
401 static int      run_tx_param(struct run_softc *, struct mbuf *,
402                     struct ieee80211_node *,
403                     const struct ieee80211_bpf_params *);
404 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
405                     const struct ieee80211_bpf_params *);
406 static void     run_start_locked(struct ifnet *);
407 static void     run_start(struct ifnet *, struct ifaltq_subque *);
408 static int      run_ioctl(struct ifnet *, u_long, caddr_t, struct ucred *);
409 static void     run_iq_calib(struct run_softc *, u_int);
410 static void     run_set_agc(struct run_softc *, uint8_t);
411 static void     run_select_chan_group(struct run_softc *, int);
412 static void     run_set_rx_antenna(struct run_softc *, int);
413 static void     run_rt2870_set_chan(struct run_softc *, u_int);
414 static void     run_rt3070_set_chan(struct run_softc *, u_int);
415 static void     run_rt3572_set_chan(struct run_softc *, u_int);
416 static void     run_rt3593_set_chan(struct run_softc *, u_int);
417 static void     run_rt5390_set_chan(struct run_softc *, u_int);
418 static void     run_rt5592_set_chan(struct run_softc *, u_int);
419 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
420 static void     run_set_channel(struct ieee80211com *);
421 static void     run_scan_start(struct ieee80211com *);
422 static void     run_scan_end(struct ieee80211com *);
423 static void     run_update_beacon(struct ieee80211vap *, int);
424 static void     run_update_beacon_cb(void *);
425 static void     run_updateprot(struct ieee80211com *);
426 static void     run_updateprot_cb(void *);
427 static void     run_usb_timeout_cb(void *);
428 static void     run_reset_livelock(struct run_softc *);
429 static void     run_enable_tsf_sync(struct run_softc *);
430 static void     run_enable_mrr(struct run_softc *);
431 static void     run_set_txpreamble(struct run_softc *);
432 static void     run_set_basicrates(struct run_softc *);
433 static void     run_set_leds(struct run_softc *, uint16_t);
434 static void     run_set_bssid(struct run_softc *, const uint8_t *);
435 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
436 static void     run_updateslot(struct ifnet *);
437 static void     run_updateslot_cb(void *);
438 static void     run_update_mcast(struct ifnet *);
439 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
440 static void     run_update_promisc_locked(struct ifnet *);
441 static void     run_update_promisc(struct ifnet *);
442 static void     run_rt5390_bbp_init(struct run_softc *);
443 static int      run_bbp_init(struct run_softc *);
444 static int      run_rt3070_rf_init(struct run_softc *);
445 static void     run_rt3593_rf_init(struct run_softc *);
446 static void     run_rt5390_rf_init(struct run_softc *);
447 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
448                     uint8_t *);
449 static void     run_rt3070_rf_setup(struct run_softc *);
450 static void     run_rt3593_rf_setup(struct run_softc *);
451 static void     run_rt5390_rf_setup(struct run_softc *);
452 static int      run_txrx_enable(struct run_softc *);
453 static void     run_adjust_freq_offset(struct run_softc *);
454 static void     run_init(void *);
455 static void     run_init_locked(struct run_softc *);
456 static void     run_stop(void *);
457 static void     run_delay(struct run_softc *, u_int);
458
459 static eventhandler_tag run_etag;
460
461 static const struct rt2860_rate {
462         uint8_t         rate;
463         uint8_t         mcs;
464         enum            ieee80211_phytype phy;
465         uint8_t         ctl_ridx;
466         uint16_t        sp_ack_dur;
467         uint16_t        lp_ack_dur;
468 } rt2860_rates[] = {
469         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
470         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
471         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
472         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
473         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
474         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
475         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
476         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
477         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
478         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
479         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
480         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
481 };
482
483 static const struct {
484         uint16_t        reg;
485         uint32_t        val;
486 } rt2870_def_mac[] = {
487         RT2870_DEF_MAC
488 };
489
490 static const struct {
491         uint8_t reg;
492         uint8_t val;
493 } rt2860_def_bbp[] = {
494         RT2860_DEF_BBP
495 },rt5390_def_bbp[] = {
496         RT5390_DEF_BBP
497 },rt5592_def_bbp[] = {
498         RT5592_DEF_BBP
499 };
500
501 /* 
502  * Default values for BBP register R196 for RT5592.
503  */
504 static const uint8_t rt5592_bbp_r196[] = {
505         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
506         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
507         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
508         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
509         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
510         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
511         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
513         0x2e, 0x36, 0x30, 0x6e
514 };
515
516 static const struct rfprog {
517         uint8_t         chan;
518         uint32_t        r1, r2, r3, r4;
519 } rt2860_rf2850[] = {
520         RT2860_RF2850
521 };
522
523 struct {
524         uint8_t n, r, k;
525 } rt3070_freqs[] = {
526         RT3070_RF3052
527 };
528
529 static const struct rt5592_freqs {
530         uint16_t        n;
531         uint8_t         k, m, r;
532 } rt5592_freqs_20mhz[] = {
533         RT5592_RF5592_20MHZ
534 },rt5592_freqs_40mhz[] = {
535         RT5592_RF5592_40MHZ
536 };
537
538 static const struct {
539         uint8_t reg;
540         uint8_t val;
541 } rt3070_def_rf[] = {
542         RT3070_DEF_RF
543 },rt3572_def_rf[] = {
544         RT3572_DEF_RF
545 },rt3593_def_rf[] = {
546         RT3593_DEF_RF
547 },rt5390_def_rf[] = {
548         RT5390_DEF_RF
549 },rt5392_def_rf[] = {
550         RT5392_DEF_RF
551 },rt5592_def_rf[] = {
552         RT5592_DEF_RF
553 },rt5592_2ghz_def_rf[] = {
554         RT5592_2GHZ_DEF_RF
555 },rt5592_5ghz_def_rf[] = {
556         RT5592_5GHZ_DEF_RF
557 };
558
559 static const struct {
560         u_int   firstchan;
561         u_int   lastchan;
562         uint8_t reg;
563         uint8_t val;
564 } rt5592_chan_5ghz[] = {
565         RT5592_CHAN_5GHZ
566 };
567
568 static const struct usb_config run_config[RUN_N_XFER] = {
569     [RUN_BULK_TX_BE] = {
570         .type = UE_BULK,
571         .endpoint = UE_ADDR_ANY,
572         .ep_index = 0,
573         .direction = UE_DIR_OUT,
574         .bufsize = RUN_MAX_TXSZ,
575         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
576         .callback = run_bulk_tx_callback0,
577         .timeout = 5000,        /* ms */
578     },
579     [RUN_BULK_TX_BK] = {
580         .type = UE_BULK,
581         .endpoint = UE_ADDR_ANY,
582         .direction = UE_DIR_OUT,
583         .ep_index = 1,
584         .bufsize = RUN_MAX_TXSZ,
585         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
586         .callback = run_bulk_tx_callback1,
587         .timeout = 5000,        /* ms */
588     },
589     [RUN_BULK_TX_VI] = {
590         .type = UE_BULK,
591         .endpoint = UE_ADDR_ANY,
592         .direction = UE_DIR_OUT,
593         .ep_index = 2,
594         .bufsize = RUN_MAX_TXSZ,
595         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
596         .callback = run_bulk_tx_callback2,
597         .timeout = 5000,        /* ms */
598     },
599     [RUN_BULK_TX_VO] = {
600         .type = UE_BULK,
601         .endpoint = UE_ADDR_ANY,
602         .direction = UE_DIR_OUT,
603         .ep_index = 3,
604         .bufsize = RUN_MAX_TXSZ,
605         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
606         .callback = run_bulk_tx_callback3,
607         .timeout = 5000,        /* ms */
608     },
609     [RUN_BULK_TX_HCCA] = {
610         .type = UE_BULK,
611         .endpoint = UE_ADDR_ANY,
612         .direction = UE_DIR_OUT,
613         .ep_index = 4,
614         .bufsize = RUN_MAX_TXSZ,
615         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
616         .callback = run_bulk_tx_callback4,
617         .timeout = 5000,        /* ms */
618     },
619     [RUN_BULK_TX_PRIO] = {
620         .type = UE_BULK,
621         .endpoint = UE_ADDR_ANY,
622         .direction = UE_DIR_OUT,
623         .ep_index = 5,
624         .bufsize = RUN_MAX_TXSZ,
625         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
626         .callback = run_bulk_tx_callback5,
627         .timeout = 5000,        /* ms */
628     },
629     [RUN_BULK_RX] = {
630         .type = UE_BULK,
631         .endpoint = UE_ADDR_ANY,
632         .direction = UE_DIR_IN,
633         .bufsize = RUN_MAX_RXSZ,
634         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
635         .callback = run_bulk_rx_callback,
636     }
637 };
638
639 static void
640 run_autoinst(void *arg, struct usb_device *udev,
641     struct usb_attach_arg *uaa)
642 {
643         struct usb_interface *iface;
644         struct usb_interface_descriptor *id;
645
646         if (uaa->dev_state != UAA_DEV_READY)
647                 return;
648
649         iface = usbd_get_iface(udev, 0);
650         if (iface == NULL)
651                 return;
652         id = iface->idesc;
653         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
654                 return;
655         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
656                 return;
657
658         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
659                 uaa->dev_state = UAA_DEV_EJECTING;
660 }
661
662 static int
663 run_driver_loaded(struct module *mod, int what, void *arg)
664 {
665         switch (what) {
666         case MOD_LOAD:
667                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
668                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
669                 break;
670         case MOD_UNLOAD:
671                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
672                 break;
673         default:
674                 return (EOPNOTSUPP);
675         }
676         return (0);
677 }
678
679 static int
680 run_match(device_t self)
681 {
682         struct usb_attach_arg *uaa = device_get_ivars(self);
683
684         if (uaa->usb_mode != USB_MODE_HOST)
685                 return (ENXIO);
686         if (uaa->info.bConfigIndex != 0)
687                 return (ENXIO);
688         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
689                 return (ENXIO);
690
691         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
692 }
693
694 static int
695 run_attach(device_t self)
696 {
697         struct run_softc *sc = device_get_softc(self);
698         struct usb_attach_arg *uaa = device_get_ivars(self);
699         struct ieee80211com *ic;
700         struct ifnet *ifp;
701         uint32_t ver;
702         int ntries, error;
703         uint8_t iface_index, bands;
704         char ethstr[ETHER_ADDRSTRLEN + 1];
705
706         wlan_serialize_enter();
707
708         device_set_usb_desc(self);
709         sc->sc_udev = uaa->device;
710         sc->sc_dev = self;
711         if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
712                 sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
713
714         lockinit(&sc->sc_lock, device_get_nameunit(sc->sc_dev),
715             0, LK_CANRECURSE);
716
717         iface_index = RT2860_IFACE_INDEX;
718
719         error = usbd_transfer_setup(uaa->device, &iface_index,
720             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_lock);
721         if (error) {
722                 device_printf(self, "could not allocate USB transfers, "
723                     "err=%s\n", usbd_errstr(error));
724                 goto detach;
725         }
726
727         RUN_LOCK(sc);
728
729         /* wait for the chip to settle */
730         for (ntries = 0; ntries < 100; ntries++) {
731                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
732                         RUN_UNLOCK(sc);
733                         goto detach;
734                 }
735                 if (ver != 0 && ver != 0xffffffff)
736                         break;
737                 run_delay(sc, 10);
738         }
739         if (ntries == 100) {
740                 device_printf(sc->sc_dev,
741                     "timeout waiting for NIC to initialize\n");
742                 RUN_UNLOCK(sc);
743                 goto detach;
744         }
745         sc->mac_ver = ver >> 16;
746         sc->mac_rev = ver & 0xffff;
747
748         /* retrieve RF rev. no and various other things from EEPROM */
749         run_read_eeprom(sc);
750
751         device_printf(sc->sc_dev,
752             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
753             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
754             sc->ntxchains, sc->nrxchains, kether_ntoa(sc->sc_bssid, ethstr));
755
756         RUN_UNLOCK(sc);
757
758         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
759         if (ifp == NULL) {
760                 device_printf(sc->sc_dev, "can not if_alloc()\n");
761                 goto detach;
762         }
763         ic = ifp->if_l2com;
764
765         ifp->if_softc = sc;
766         if_initname(ifp, "run", device_get_unit(sc->sc_dev));
767         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
768         ifp->if_init = run_init;
769         ifp->if_ioctl = run_ioctl;
770         ifp->if_start = run_start;
771         ifq_set_maxlen(&ifp->if_snd, ifqmaxlen);
772 #if 0 /* XXX swildner: see c3d4131842e47b168d93a0650d58d425ebeef789 */
773         ifq_set_ready(&ifp->if_snd);
774 #endif
775
776         ic->ic_ifp = ifp;
777         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
778         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
779
780         /* set device capabilities */
781         ic->ic_caps =
782             IEEE80211_C_STA |           /* station mode supported */
783             IEEE80211_C_MONITOR |       /* monitor mode supported */
784             IEEE80211_C_IBSS |
785             IEEE80211_C_HOSTAP |
786             IEEE80211_C_WDS |           /* 4-address traffic works */
787             IEEE80211_C_MBSS |
788             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
789             IEEE80211_C_SHSLOT |        /* short slot time supported */
790             IEEE80211_C_WME |           /* WME */
791             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
792
793         ic->ic_cryptocaps =
794             IEEE80211_CRYPTO_WEP |
795             IEEE80211_CRYPTO_AES_CCM |
796             IEEE80211_CRYPTO_TKIPMIC |
797             IEEE80211_CRYPTO_TKIP;
798
799         ic->ic_flags |= IEEE80211_F_DATAPAD;
800         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
801
802         bands = 0;
803         setbit(&bands, IEEE80211_MODE_11B);
804         setbit(&bands, IEEE80211_MODE_11G);
805         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
806             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
807             sc->rf_rev == RT5592_RF_5592)
808                 setbit(&bands, IEEE80211_MODE_11A);
809         ieee80211_init_channels(ic, NULL, &bands);
810
811         ieee80211_ifattach(ic, sc->sc_bssid);
812
813         ic->ic_scan_start = run_scan_start;
814         ic->ic_scan_end = run_scan_end;
815         ic->ic_set_channel = run_set_channel;
816         ic->ic_node_alloc = run_node_alloc;
817         ic->ic_newassoc = run_newassoc;
818         ic->ic_updateslot = run_updateslot;
819         ic->ic_update_mcast = run_update_mcast;
820         ic->ic_wme.wme_update = run_wme_update;
821         ic->ic_raw_xmit = run_raw_xmit;
822         ic->ic_update_promisc = run_update_promisc;
823
824         ic->ic_vap_create = run_vap_create;
825         ic->ic_vap_delete = run_vap_delete;
826
827         ieee80211_radiotap_attach(ic,
828             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
829                 RUN_TX_RADIOTAP_PRESENT,
830             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
831                 RUN_RX_RADIOTAP_PRESENT);
832
833         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
834         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
835         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_lock, 1);
836
837         if (bootverbose)
838                 ieee80211_announce(ic);
839
840         wlan_serialize_exit();
841         return (0);
842
843 detach:
844         wlan_serialize_exit();
845         run_detach(self);
846         return (ENXIO);
847 }
848
849 static int
850 run_detach(device_t self)
851 {
852         struct run_softc *sc = device_get_softc(self);
853         struct ifnet *ifp = sc->sc_ifp;
854         struct ieee80211com *ic;
855         int i;
856
857         wlan_serialize_enter();
858         sc->sc_detached = 1;
859
860         /* stop all USB transfers */
861         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
862
863         RUN_LOCK(sc);
864
865         sc->ratectl_run = RUN_RATECTL_OFF;
866         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
867
868         /* free TX list, if any */
869         for (i = 0; i != RUN_EP_QUEUES; i++)
870                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
871         RUN_UNLOCK(sc);
872
873         if (ifp) {
874                 ic = ifp->if_l2com;
875                 /* drain tasks */
876                 usb_callout_drain(&sc->ratectl_ch);
877                 ieee80211_draintask(ic, &sc->cmdq_task);
878                 ieee80211_draintask(ic, &sc->ratectl_task);
879                 ieee80211_ifdetach(ic);
880                 if_free(ifp);
881         }
882
883         lockuninit(&sc->sc_lock);
884
885         wlan_serialize_exit();
886         return (0);
887 }
888
889 static struct ieee80211vap *
890 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
891     enum ieee80211_opmode opmode, int flags,
892     const uint8_t bssid[IEEE80211_ADDR_LEN],
893     const uint8_t mac[IEEE80211_ADDR_LEN])
894 {
895         struct ifnet *ifp = ic->ic_ifp;
896         struct run_softc *sc = ifp->if_softc;
897         struct run_vap *rvp;
898         struct ieee80211vap *vap;
899         int i;
900
901         if (sc->rvp_cnt >= RUN_VAP_MAX) {
902                 if_printf(ifp, "number of VAPs maxed out\n");
903                 return (NULL);
904         }
905
906         switch (opmode) {
907         case IEEE80211_M_STA:
908                 /* enable s/w bmiss handling for sta mode */
909                 flags |= IEEE80211_CLONE_NOBEACONS; 
910                 /* fall though */
911         case IEEE80211_M_IBSS:
912         case IEEE80211_M_MONITOR:
913         case IEEE80211_M_HOSTAP:
914         case IEEE80211_M_MBSS:
915                 /* other than WDS vaps, only one at a time */
916                 if (!TAILQ_EMPTY(&ic->ic_vaps))
917                         return (NULL);
918                 break;
919         case IEEE80211_M_WDS:
920                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
921                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
922                                 continue;
923                         /* WDS vap's always share the local mac address. */
924                         flags &= ~IEEE80211_CLONE_BSSID;
925                         break;
926                 }
927                 if (vap == NULL) {
928                         if_printf(ifp, "wds only supported in ap mode\n");
929                         return (NULL);
930                 }
931                 break;
932         default:
933                 if_printf(ifp, "unknown opmode %d\n", opmode);
934                 return (NULL);
935         }
936
937         rvp = (struct run_vap *) kmalloc(sizeof(struct run_vap),
938             M_80211_VAP, M_INTWAIT | M_ZERO);
939         vap = &rvp->vap;
940
941         if (ieee80211_vap_setup(ic, vap, name, unit,
942             opmode, flags, bssid, mac) != 0) {
943                 /* out of memory */
944                 kfree(rvp, M_80211_VAP);
945                 return (NULL);
946         }
947
948         vap->iv_key_update_begin = run_key_update_begin;
949         vap->iv_key_update_end = run_key_update_end;
950         vap->iv_update_beacon = run_update_beacon;
951         vap->iv_max_aid = RT2870_WCID_MAX;
952         /*
953          * To delete the right key from h/w, we need wcid.
954          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
955          * and matching wcid will be written into there. So, cast
956          * some spells to remove 'const' from ieee80211_key{}
957          */
958         vap->iv_key_delete = (void *)run_key_delete;
959         vap->iv_key_set = (void *)run_key_set;
960
961         /* override state transition machine */
962         rvp->newstate = vap->iv_newstate;
963         vap->iv_newstate = run_newstate;
964
965         ieee80211_ratectl_init(vap);
966         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
967
968         /* complete setup */
969         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
970
971         /* make sure id is always unique */
972         for (i = 0; i < RUN_VAP_MAX; i++) {
973                 if((sc->rvp_bmap & 1 << i) == 0){
974                         sc->rvp_bmap |= 1 << i;
975                         rvp->rvp_id = i;
976                         break;
977                 }
978         }
979         if (sc->rvp_cnt++ == 0)
980                 ic->ic_opmode = opmode;
981
982         if (opmode == IEEE80211_M_HOSTAP)
983                 sc->cmdq_run = RUN_CMDQ_GO;
984
985         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
986             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
987
988         return (vap);
989 }
990
991 static void
992 run_vap_delete(struct ieee80211vap *vap)
993 {
994         struct run_vap *rvp = RUN_VAP(vap);
995         struct ifnet *ifp;
996         struct ieee80211com *ic;
997         struct run_softc *sc;
998         uint8_t rvp_id;
999
1000         if (vap == NULL)
1001                 return;
1002
1003         ic = vap->iv_ic;
1004         ifp = ic->ic_ifp;
1005
1006         sc = ifp->if_softc;
1007
1008         RUN_LOCK(sc);
1009
1010         m_freem(rvp->beacon_mbuf);
1011         rvp->beacon_mbuf = NULL;
1012
1013         rvp_id = rvp->rvp_id;
1014         sc->ratectl_run &= ~(1 << rvp_id);
1015         sc->rvp_bmap &= ~(1 << rvp_id);
1016         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1017         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1018         --sc->rvp_cnt;
1019
1020         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1021             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1022
1023         RUN_UNLOCK(sc);
1024
1025         ieee80211_ratectl_deinit(vap);
1026         ieee80211_vap_detach(vap);
1027         kfree(rvp, M_80211_VAP);
1028 }
1029
1030 /*
1031  * There are numbers of functions need to be called in context thread.
1032  * Rather than creating taskqueue event for each of those functions,
1033  * here is all-for-one taskqueue callback function. This function
1034  * gurantees deferred functions are executed in the same order they
1035  * were enqueued.
1036  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1037  */
1038 static void
1039 run_cmdq_cb(void *arg, int pending)
1040 {
1041         struct run_softc *sc = arg;
1042         uint8_t i;
1043
1044         /* call cmdq[].func locked */
1045         RUN_LOCK(sc);
1046         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1047             i = sc->cmdq_exec, pending--) {
1048                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1049                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1050                         /*
1051                          * If arg0 is NULL, callback func needs more
1052                          * than one arg. So, pass ptr to cmdq struct.
1053                          */
1054                         if (sc->cmdq[i].arg0)
1055                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1056                         else
1057                                 sc->cmdq[i].func(&sc->cmdq[i]);
1058                 }
1059                 sc->cmdq[i].arg0 = NULL;
1060                 sc->cmdq[i].func = NULL;
1061                 sc->cmdq_exec++;
1062                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1063         }
1064         RUN_UNLOCK(sc);
1065 }
1066
1067 static void
1068 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1069 {
1070         struct run_tx_data *data;
1071
1072         memset(pq, 0, sizeof(*pq));
1073
1074         STAILQ_INIT(&pq->tx_qh);
1075         STAILQ_INIT(&pq->tx_fh);
1076
1077         for (data = &pq->tx_data[0];
1078             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1079                 data->sc = sc;
1080                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1081         }
1082         pq->tx_nfree = RUN_TX_RING_COUNT;
1083 }
1084
1085 static void
1086 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1087 {
1088         struct run_tx_data *data;
1089
1090         /* make sure any subsequent use of the queues will fail */
1091         pq->tx_nfree = 0;
1092         STAILQ_INIT(&pq->tx_fh);
1093         STAILQ_INIT(&pq->tx_qh);
1094
1095         /* free up all node references and mbufs */
1096         for (data = &pq->tx_data[0];
1097             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1098                 if (data->m != NULL) {
1099                         m_freem(data->m);
1100                         data->m = NULL;
1101                 }
1102                 if (data->ni != NULL) {
1103                         ieee80211_free_node(data->ni);
1104                         data->ni = NULL;
1105                 }
1106         }
1107 }
1108
1109 static int
1110 run_load_microcode(struct run_softc *sc)
1111 {
1112         usb_device_request_t req;
1113         const struct firmware *fw;
1114         const u_char *base;
1115         uint32_t tmp;
1116         int ntries, error;
1117         const uint64_t *temp;
1118         uint64_t bytes;
1119
1120         wlan_assert_serialized();
1121
1122         wlan_serialize_exit();
1123         fw = firmware_get("runfw");
1124         wlan_serialize_enter();
1125         if (fw == NULL) {
1126                 device_printf(sc->sc_dev,
1127                     "failed loadfirmware of file %s\n", "runfw");
1128                 return ENOENT;
1129         }
1130
1131         if (fw->datasize != 8192) {
1132                 device_printf(sc->sc_dev,
1133                     "invalid firmware size (should be 8KB)\n");
1134                 error = EINVAL;
1135                 goto fail;
1136         }
1137
1138         /*
1139          * RT3071/RT3072 use a different firmware
1140          * run-rt2870 (8KB) contains both,
1141          * first half (4KB) is for rt2870,
1142          * last half is for rt3071.
1143          */
1144         base = fw->data;
1145         if ((sc->mac_ver) != 0x2860 &&
1146             (sc->mac_ver) != 0x2872 &&
1147             (sc->mac_ver) != 0x3070) { 
1148                 base += 4096;
1149         }
1150
1151         /* cheap sanity check */
1152         temp = fw->data;
1153         bytes = *temp;
1154         if (bytes != be64toh(0xffffff0210280210ULL)) {
1155                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1156                 error = EINVAL;
1157                 goto fail;
1158         }
1159
1160         /* write microcode image */
1161         if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1162                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1163                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1164                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1165         }
1166
1167         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1168         req.bRequest = RT2870_RESET;
1169         USETW(req.wValue, 8);
1170         USETW(req.wIndex, 0);
1171         USETW(req.wLength, 0);
1172         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, NULL))
1173             != 0) {
1174                 device_printf(sc->sc_dev, "firmware reset failed\n");
1175                 goto fail;
1176         }
1177
1178         run_delay(sc, 10);
1179
1180         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1181         run_write(sc, RT2860_H2M_MAILBOX, 0);
1182         run_write(sc, RT2860_H2M_INTSRC, 0);
1183         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1184                 goto fail;
1185
1186         /* wait until microcontroller is ready */
1187         for (ntries = 0; ntries < 1000; ntries++) {
1188                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1189                         goto fail;
1190                 if (tmp & RT2860_MCU_READY)
1191                         break;
1192                 run_delay(sc, 10);
1193         }
1194         if (ntries == 1000) {
1195                 device_printf(sc->sc_dev,
1196                     "timeout waiting for MCU to initialize\n");
1197                 error = ETIMEDOUT;
1198                 goto fail;
1199         }
1200         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1201             (base == fw->data) ? "RT2870" : "RT3071",
1202             *(base + 4092), *(base + 4093));
1203
1204 fail:
1205         firmware_put(fw, FIRMWARE_UNLOAD);
1206         return (error);
1207 }
1208
1209 static int
1210 run_reset(struct run_softc *sc)
1211 {
1212         usb_device_request_t req;
1213         usb_error_t error;
1214
1215         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1216         req.bRequest = RT2870_RESET;
1217         USETW(req.wValue, 1);
1218         USETW(req.wIndex, 0);
1219         USETW(req.wLength, 0);
1220         error = usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, NULL);
1221         return (error);
1222 }
1223
1224 static usb_error_t
1225 run_do_request(struct run_softc *sc,
1226     struct usb_device_request *req, void *data)
1227 {
1228         usb_error_t err;
1229         int ntries = 10;
1230
1231         RUN_LOCK_ASSERT(sc, MA_OWNED);
1232
1233         while (ntries--) {
1234                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_lock,
1235                     req, data, 0, NULL, 250 /* ms */);
1236                 if (err == 0)
1237                         break;
1238                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1239                     usbd_errstr(err));
1240                 run_delay(sc, 10);
1241         }
1242         return (err);
1243 }
1244
1245 static int
1246 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1247 {
1248         uint32_t tmp;
1249         int error;
1250
1251         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1252         if (error == 0)
1253                 *val = le32toh(tmp);
1254         else
1255                 *val = 0xffffffff;
1256         return (error);
1257 }
1258
1259 static int
1260 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1261 {
1262         usb_device_request_t req;
1263
1264         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1265         req.bRequest = RT2870_READ_REGION_1;
1266         USETW(req.wValue, 0);
1267         USETW(req.wIndex, reg);
1268         USETW(req.wLength, len);
1269
1270         return (run_do_request(sc, &req, buf));
1271 }
1272
1273 static int
1274 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1275 {
1276         usb_device_request_t req;
1277
1278         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1279         req.bRequest = RT2870_WRITE_2;
1280         USETW(req.wValue, val);
1281         USETW(req.wIndex, reg);
1282         USETW(req.wLength, 0);
1283
1284         return (run_do_request(sc, &req, NULL));
1285 }
1286
1287 static int
1288 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1289 {
1290         int error;
1291
1292         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1293                 error = run_write_2(sc, reg + 2, val >> 16);
1294         return (error);
1295 }
1296
1297 static int
1298 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1299     int len)
1300 {
1301 #if 1
1302         int i, error = 0;
1303         /*
1304          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1305          * We thus issue multiple WRITE_2 commands instead.
1306          */
1307         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1308         for (i = 0; i < len && error == 0; i += 2)
1309                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1310         return (error);
1311 #else
1312         usb_device_request_t req;
1313         int error = 0;
1314
1315         /*
1316          * NOTE: It appears the WRITE_REGION_1 command cannot be
1317          * passed a huge amount of data, which will crash the
1318          * firmware. Limit amount of data passed to 64-bytes at a
1319          * time.
1320          */
1321         while (len > 0) {
1322                 int delta = 64;
1323                 if (delta > len)
1324                         delta = len;
1325
1326                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1327                 req.bRequest = RT2870_WRITE_REGION_1;
1328                 USETW(req.wValue, 0);
1329                 USETW(req.wIndex, reg);
1330                 USETW(req.wLength, delta);
1331                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1332                 if (error != 0)
1333                         break;
1334                 reg += delta;
1335                 buf += delta;
1336                 len -= delta;
1337         }
1338         return (error);
1339 #endif
1340 }
1341
1342 static int
1343 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1344 {
1345         int i, error = 0;
1346
1347         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1348         for (i = 0; i < len && error == 0; i += 4)
1349                 error = run_write(sc, reg + i, val);
1350         return (error);
1351 }
1352
1353 static int
1354 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1355 {
1356         uint32_t tmp;
1357         uint16_t reg;
1358         int error, ntries;
1359
1360         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1361                 return (error);
1362
1363         if (count == 2)
1364                 addr *= 2;
1365         /*-
1366          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1367          * DATA0: F E D C
1368          * DATA1: B A 9 8
1369          * DATA2: 7 6 5 4
1370          * DATA3: 3 2 1 0
1371          */
1372         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1373         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1374         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1375         for (ntries = 0; ntries < 100; ntries++) {
1376                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1377                         return (error);
1378                 if (!(tmp & RT3070_EFSROM_KICK))
1379                         break;
1380                 run_delay(sc, 2);
1381         }
1382         if (ntries == 100)
1383                 return (ETIMEDOUT);
1384
1385         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1386                 *val = 0xffff;  /* address not found */
1387                 return (0);
1388         }
1389         /* determine to which 32-bit register our 16-bit word belongs */
1390         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1391         if ((error = run_read(sc, reg, &tmp)) != 0)
1392                 return (error);
1393
1394         tmp >>= (8 * (addr & 0x3));
1395         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1396
1397         return (0);
1398 }
1399
1400 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1401 static int
1402 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1403 {
1404         return (run_efuse_read(sc, addr, val, 2));
1405 }
1406
1407 static int
1408 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1409 {
1410         usb_device_request_t req;
1411         uint16_t tmp;
1412         int error;
1413
1414         addr *= 2;
1415         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1416         req.bRequest = RT2870_EEPROM_READ;
1417         USETW(req.wValue, 0);
1418         USETW(req.wIndex, addr);
1419         USETW(req.wLength, sizeof(tmp));
1420
1421         error = usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, &tmp);
1422         if (error == 0)
1423                 *val = le16toh(tmp);
1424         else
1425                 *val = 0xffff;
1426         return (error);
1427 }
1428
1429 static __inline int
1430 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1431 {
1432         /* either eFUSE ROM or EEPROM */
1433         return sc->sc_srom_read(sc, addr, val);
1434 }
1435
1436 static int
1437 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1438 {
1439         uint32_t tmp;
1440         int error, ntries;
1441
1442         for (ntries = 0; ntries < 10; ntries++) {
1443                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1444                         return (error);
1445                 if (!(tmp & RT2860_RF_REG_CTRL))
1446                         break;
1447         }
1448         if (ntries == 10)
1449                 return (ETIMEDOUT);
1450
1451         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1452 }
1453
1454 static int
1455 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1456 {
1457         uint32_t tmp;
1458         int error, ntries;
1459
1460         for (ntries = 0; ntries < 100; ntries++) {
1461                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1462                         return (error);
1463                 if (!(tmp & RT3070_RF_KICK))
1464                         break;
1465         }
1466         if (ntries == 100)
1467                 return (ETIMEDOUT);
1468
1469         tmp = RT3070_RF_KICK | reg << 8;
1470         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1471                 return (error);
1472
1473         for (ntries = 0; ntries < 100; ntries++) {
1474                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1475                         return (error);
1476                 if (!(tmp & RT3070_RF_KICK))
1477                         break;
1478         }
1479         if (ntries == 100)
1480                 return (ETIMEDOUT);
1481
1482         *val = tmp & 0xff;
1483         return (0);
1484 }
1485
1486 static int
1487 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1488 {
1489         uint32_t tmp;
1490         int error, ntries;
1491
1492         for (ntries = 0; ntries < 10; ntries++) {
1493                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1494                         return (error);
1495                 if (!(tmp & RT3070_RF_KICK))
1496                         break;
1497         }
1498         if (ntries == 10)
1499                 return (ETIMEDOUT);
1500
1501         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1502         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1503 }
1504
1505 static int
1506 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1507 {
1508         uint32_t tmp;
1509         int ntries, error;
1510
1511         for (ntries = 0; ntries < 10; ntries++) {
1512                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1513                         return (error);
1514                 if (!(tmp & RT2860_BBP_CSR_KICK))
1515                         break;
1516         }
1517         if (ntries == 10)
1518                 return (ETIMEDOUT);
1519
1520         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1521         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1522                 return (error);
1523
1524         for (ntries = 0; ntries < 10; ntries++) {
1525                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1526                         return (error);
1527                 if (!(tmp & RT2860_BBP_CSR_KICK))
1528                         break;
1529         }
1530         if (ntries == 10)
1531                 return (ETIMEDOUT);
1532
1533         *val = tmp & 0xff;
1534         return (0);
1535 }
1536
1537 static int
1538 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1539 {
1540         uint32_t tmp;
1541         int ntries, error;
1542
1543         for (ntries = 0; ntries < 10; ntries++) {
1544                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1545                         return (error);
1546                 if (!(tmp & RT2860_BBP_CSR_KICK))
1547                         break;
1548         }
1549         if (ntries == 10)
1550                 return (ETIMEDOUT);
1551
1552         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1553         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1554 }
1555
1556 /*
1557  * Send a command to the 8051 microcontroller unit.
1558  */
1559 static int
1560 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1561 {
1562         uint32_t tmp;
1563         int error, ntries;
1564
1565         for (ntries = 0; ntries < 100; ntries++) {
1566                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1567                         return error;
1568                 if (!(tmp & RT2860_H2M_BUSY))
1569                         break;
1570         }
1571         if (ntries == 100)
1572                 return ETIMEDOUT;
1573
1574         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1575         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1576                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1577         return (error);
1578 }
1579
1580 /*
1581  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1582  * Used to adjust per-rate Tx power registers.
1583  */
1584 static __inline uint32_t
1585 b4inc(uint32_t b32, int8_t delta)
1586 {
1587         int8_t i, b4;
1588
1589         for (i = 0; i < 8; i++) {
1590                 b4 = b32 & 0xf;
1591                 b4 += delta;
1592                 if (b4 < 0)
1593                         b4 = 0;
1594                 else if (b4 > 0xf)
1595                         b4 = 0xf;
1596                 b32 = b32 >> 4 | b4 << 28;
1597         }
1598         return (b32);
1599 }
1600
1601 static const char *
1602 run_get_rf(uint16_t rev)
1603 {
1604         switch (rev) {
1605         case RT2860_RF_2820:    return "RT2820";
1606         case RT2860_RF_2850:    return "RT2850";
1607         case RT2860_RF_2720:    return "RT2720";
1608         case RT2860_RF_2750:    return "RT2750";
1609         case RT3070_RF_3020:    return "RT3020";
1610         case RT3070_RF_2020:    return "RT2020";
1611         case RT3070_RF_3021:    return "RT3021";
1612         case RT3070_RF_3022:    return "RT3022";
1613         case RT3070_RF_3052:    return "RT3052";
1614         case RT3593_RF_3053:    return "RT3053";
1615         case RT5592_RF_5592:    return "RT5592";
1616         case RT5390_RF_5370:    return "RT5370";
1617         case RT5390_RF_5372:    return "RT5372";
1618         }
1619         return ("unknown");
1620 }
1621
1622 static void
1623 run_rt3593_get_txpower(struct run_softc *sc)
1624 {
1625         uint16_t addr, val;
1626         int i;
1627
1628         /* Read power settings for 2GHz channels. */
1629         for (i = 0; i < 14; i += 2) {
1630                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1631                     RT2860_EEPROM_PWR2GHZ_BASE1;
1632                 run_srom_read(sc, addr + i / 2, &val);
1633                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1634                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1635
1636                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1637                     RT2860_EEPROM_PWR2GHZ_BASE2;
1638                 run_srom_read(sc, addr + i / 2, &val);
1639                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1640                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1641
1642                 if (sc->ntxchains == 3) {
1643                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1644                             &val);
1645                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1646                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1647                 }
1648         }
1649         /* Fix broken Tx power entries. */
1650         for (i = 0; i < 14; i++) {
1651                 if (sc->txpow1[i] > 31)
1652                         sc->txpow1[i] = 5;
1653                 if (sc->txpow2[i] > 31)
1654                         sc->txpow2[i] = 5;
1655                 if (sc->ntxchains == 3) {
1656                         if (sc->txpow3[i] > 31)
1657                                 sc->txpow3[i] = 5;
1658                 }
1659         }
1660         /* Read power settings for 5GHz channels. */
1661         for (i = 0; i < 40; i += 2) {
1662                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1663                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1664                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1665
1666                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1667                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1668                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1669
1670                 if (sc->ntxchains == 3) {
1671                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1672                             &val);
1673                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1674                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1675                 }
1676         }
1677 }
1678
1679 static void
1680 run_get_txpower(struct run_softc *sc)
1681 {
1682         uint16_t val;
1683         int i;
1684
1685         /* Read power settings for 2GHz channels. */
1686         for (i = 0; i < 14; i += 2) {
1687                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1688                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1689                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1690
1691                 if (sc->mac_ver != 0x5390) {
1692                         run_srom_read(sc,
1693                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1694                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1695                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1696                 }
1697         }
1698         /* Fix broken Tx power entries. */
1699         for (i = 0; i < 14; i++) {
1700                 if (sc->mac_ver >= 0x5390) {
1701                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1702                                 sc->txpow1[i] = 5;
1703                 } else {
1704                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1705                                 sc->txpow1[i] = 5;
1706                 }
1707                 if (sc->mac_ver > 0x5390) {
1708                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1709                                 sc->txpow2[i] = 5;
1710                 } else if (sc->mac_ver < 0x5390) {
1711                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1712                                 sc->txpow2[i] = 5;
1713                 }
1714                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1715                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1716         }
1717         /* Read power settings for 5GHz channels. */
1718         for (i = 0; i < 40; i += 2) {
1719                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1720                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1721                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1722
1723                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1724                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1725                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1726         }
1727         /* Fix broken Tx power entries. */
1728         for (i = 0; i < 40; i++ ) {
1729                 if (sc->mac_ver != 0x5592) {
1730                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1731                                 sc->txpow1[14 + i] = 5;
1732                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1733                                 sc->txpow2[14 + i] = 5;
1734                 }
1735                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1736                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1737                     sc->txpow2[14 + i]);
1738         }
1739 }
1740
1741 static int
1742 run_read_eeprom(struct run_softc *sc)
1743 {
1744         int8_t delta_2ghz, delta_5ghz;
1745         uint32_t tmp;
1746         uint16_t val;
1747         int ridx, ant, i;
1748
1749         /* check whether the ROM is eFUSE ROM or EEPROM */
1750         sc->sc_srom_read = run_eeprom_read_2;
1751         if (sc->mac_ver >= 0x3070) {
1752                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1753                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1754                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1755                         sc->sc_srom_read = run_efuse_read_2;
1756         }
1757
1758         /* read ROM version */
1759         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1760         DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1761
1762         /* read MAC address */
1763         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1764         sc->sc_bssid[0] = val & 0xff;
1765         sc->sc_bssid[1] = val >> 8;
1766         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1767         sc->sc_bssid[2] = val & 0xff;
1768         sc->sc_bssid[3] = val >> 8;
1769         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1770         sc->sc_bssid[4] = val & 0xff;
1771         sc->sc_bssid[5] = val >> 8;
1772
1773         if (sc->mac_ver < 0x3593) {
1774                 /* read vender BBP settings */
1775                 for (i = 0; i < 10; i++) {
1776                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1777                         sc->bbp[i].val = val & 0xff;
1778                         sc->bbp[i].reg = val >> 8;
1779                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1780                             sc->bbp[i].val);
1781                 }
1782                 if (sc->mac_ver >= 0x3071) {
1783                         /* read vendor RF settings */
1784                         for (i = 0; i < 10; i++) {
1785                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1786                                    &val);
1787                                 sc->rf[i].val = val & 0xff;
1788                                 sc->rf[i].reg = val >> 8;
1789                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1790                                     sc->rf[i].val);
1791                         }
1792                 }
1793         }
1794
1795         /* read RF frequency offset from EEPROM */
1796         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1797             RT3593_EEPROM_FREQ, &val);
1798         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1799         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1800
1801         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1802             RT3593_EEPROM_FREQ_LEDS, &val);
1803         if (val >> 8 != 0xff) {
1804                 /* read LEDs operating mode */
1805                 sc->leds = val >> 8;
1806                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1807                     RT3593_EEPROM_LED1, &sc->led[0]);
1808                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1809                     RT3593_EEPROM_LED2, &sc->led[1]);
1810                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1811                     RT3593_EEPROM_LED3, &sc->led[2]);
1812         } else {
1813                 /* broken EEPROM, use default settings */
1814                 sc->leds = 0x01;
1815                 sc->led[0] = 0x5555;
1816                 sc->led[1] = 0x2221;
1817                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1818         }
1819         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1820             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1821
1822         /* read RF information */
1823         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1824                 run_srom_read(sc, 0x00, &val);
1825         else
1826                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1827
1828         if (val == 0xffff) {
1829                 device_printf(sc->sc_dev,
1830                     "invalid EEPROM antenna info, using default\n");
1831                 DPRINTF("invalid EEPROM antenna info, using default\n");
1832                 if (sc->mac_ver == 0x3572) {
1833                         /* default to RF3052 2T2R */
1834                         sc->rf_rev = RT3070_RF_3052;
1835                         sc->ntxchains = 2;
1836                         sc->nrxchains = 2;
1837                 } else if (sc->mac_ver >= 0x3070) {
1838                         /* default to RF3020 1T1R */
1839                         sc->rf_rev = RT3070_RF_3020;
1840                         sc->ntxchains = 1;
1841                         sc->nrxchains = 1;
1842                 } else {
1843                         /* default to RF2820 1T2R */
1844                         sc->rf_rev = RT2860_RF_2820;
1845                         sc->ntxchains = 1;
1846                         sc->nrxchains = 2;
1847                 }
1848         } else {
1849                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1850                         sc->rf_rev = val;
1851                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1852                 } else
1853                         sc->rf_rev = (val >> 8) & 0xf;
1854                 sc->ntxchains = (val >> 4) & 0xf;
1855                 sc->nrxchains = val & 0xf;
1856         }
1857         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1858             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1859
1860         /* check if RF supports automatic Tx access gain control */
1861         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1862         DPRINTF("EEPROM CFG 0x%04x\n", val);
1863         /* check if driver should patch the DAC issue */
1864         if ((val >> 8) != 0xff)
1865                 sc->patch_dac = (val >> 15) & 1;
1866         if ((val & 0xff) != 0xff) {
1867                 sc->ext_5ghz_lna = (val >> 3) & 1;
1868                 sc->ext_2ghz_lna = (val >> 2) & 1;
1869                 /* check if RF supports automatic Tx access gain control */
1870                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1871                 /* check if we have a hardware radio switch */
1872                 sc->rfswitch = val & 1;
1873         }
1874
1875         /* Read Tx power settings. */
1876         if (sc->mac_ver == 0x3593)
1877                 run_rt3593_get_txpower(sc);
1878         else
1879                 run_get_txpower(sc);
1880
1881         /* read Tx power compensation for each Tx rate */
1882         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1883         delta_2ghz = delta_5ghz = 0;
1884         if ((val & 0xff) != 0xff && (val & 0x80)) {
1885                 delta_2ghz = val & 0xf;
1886                 if (!(val & 0x40))      /* negative number */
1887                         delta_2ghz = -delta_2ghz;
1888         }
1889         val >>= 8;
1890         if ((val & 0xff) != 0xff && (val & 0x80)) {
1891                 delta_5ghz = val & 0xf;
1892                 if (!(val & 0x40))      /* negative number */
1893                         delta_5ghz = -delta_5ghz;
1894         }
1895         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1896             delta_2ghz, delta_5ghz);
1897
1898         for (ridx = 0; ridx < 5; ridx++) {
1899                 uint32_t reg;
1900
1901                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1902                 reg = val;
1903                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1904                 reg |= (uint32_t)val << 16;
1905
1906                 sc->txpow20mhz[ridx] = reg;
1907                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1908                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1909
1910                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1911                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1912                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1913         }
1914
1915         /* Read RSSI offsets and LNA gains from EEPROM. */
1916         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1917             RT3593_EEPROM_RSSI1_2GHZ, &val);
1918         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1919         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1920         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1921             RT3593_EEPROM_RSSI2_2GHZ, &val);
1922         if (sc->mac_ver >= 0x3070) {
1923                 if (sc->mac_ver == 0x3593) {
1924                         sc->txmixgain_2ghz = 0;
1925                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1926                 } else {
1927                         /*
1928                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1929                          * field contains the Tx mixer gain for the 2GHz band.
1930                          */
1931                         if ((val & 0xff) != 0xff)
1932                                 sc->txmixgain_2ghz = val & 0x7;
1933                 }
1934                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1935         } else
1936                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1937         if (sc->mac_ver == 0x3593)
1938                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1939         sc->lna[2] = val >> 8;          /* channel group 2 */
1940
1941         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1942             RT3593_EEPROM_RSSI1_5GHZ, &val);
1943         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1944         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1945         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1946             RT3593_EEPROM_RSSI2_5GHZ, &val);
1947         if (sc->mac_ver == 0x3572) {
1948                 /*
1949                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1950                  * field contains the Tx mixer gain for the 5GHz band.
1951                  */
1952                 if ((val & 0xff) != 0xff)
1953                         sc->txmixgain_5ghz = val & 0x7;
1954                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1955         } else
1956                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1957         if (sc->mac_ver == 0x3593) {
1958                 sc->txmixgain_5ghz = 0;
1959                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1960         }
1961         sc->lna[3] = val >> 8;          /* channel group 3 */
1962
1963         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1964             RT3593_EEPROM_LNA, &val);
1965         sc->lna[0] = val & 0xff;        /* channel group 0 */
1966         sc->lna[1] = val >> 8;          /* channel group 1 */
1967
1968         /* fix broken 5GHz LNA entries */
1969         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1970                 DPRINTF("invalid LNA for channel group %d\n", 2);
1971                 sc->lna[2] = sc->lna[1];
1972         }
1973         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1974                 DPRINTF("invalid LNA for channel group %d\n", 3);
1975                 sc->lna[3] = sc->lna[1];
1976         }
1977
1978         /* fix broken RSSI offset entries */
1979         for (ant = 0; ant < 3; ant++) {
1980                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1981                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1982                             ant + 1, sc->rssi_2ghz[ant]);
1983                         sc->rssi_2ghz[ant] = 0;
1984                 }
1985                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1986                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1987                             ant + 1, sc->rssi_5ghz[ant]);
1988                         sc->rssi_5ghz[ant] = 0;
1989                 }
1990         }
1991         return (0);
1992 }
1993
1994 static struct ieee80211_node *
1995 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1996 {
1997         return kmalloc(sizeof (struct run_node), M_DEVBUF, M_WAITOK | M_ZERO);
1998 }
1999
2000 static int
2001 run_media_change(struct ifnet *ifp)
2002 {
2003         struct ieee80211vap *vap = ifp->if_softc;
2004         struct ieee80211com *ic = vap->iv_ic;
2005         const struct ieee80211_txparam *tp;
2006         struct run_softc *sc = ic->ic_ifp->if_softc;
2007         uint8_t rate, ridx;
2008         int error;
2009
2010         RUN_LOCK(sc);
2011
2012         error = ieee80211_media_change(ifp);
2013         if (error != ENETRESET) {
2014                 RUN_UNLOCK(sc);
2015                 return (error);
2016         }
2017
2018         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2019         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2020                 struct ieee80211_node *ni;
2021                 struct run_node *rn;
2022
2023                 rate = ic->ic_sup_rates[ic->ic_curmode].
2024                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2025                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2026                         if (rt2860_rates[ridx].rate == rate)
2027                                 break;
2028                 ni = ieee80211_ref_node(vap->iv_bss);
2029                 rn = (struct run_node *)ni;
2030                 rn->fix_ridx = ridx;
2031                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2032                 ieee80211_free_node(ni);
2033         }
2034
2035 #if 0
2036         if ((ifp->if_flags & IFF_UP) &&
2037             (ifp->if_flags &  IFF_RUNNING)){
2038                 run_init_locked(sc);
2039         }
2040 #endif
2041
2042         RUN_UNLOCK(sc);
2043
2044         return (0);
2045 }
2046
2047 static int
2048 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2049 {
2050         const struct ieee80211_txparam *tp;
2051         struct ieee80211com *ic = vap->iv_ic;
2052         struct run_softc *sc = ic->ic_ifp->if_softc;
2053         struct run_vap *rvp = RUN_VAP(vap);
2054         enum ieee80211_state ostate;
2055         uint32_t sta[3];
2056         uint32_t tmp;
2057         uint8_t ratectl;
2058         uint8_t restart_ratectl = 0;
2059         uint8_t bid = 1 << rvp->rvp_id;
2060
2061         ostate = vap->iv_state;
2062         DPRINTF("%s -> %s\n",
2063                 ieee80211_state_name[ostate],
2064                 ieee80211_state_name[nstate]);
2065
2066         RUN_LOCK(sc);
2067
2068         ratectl = sc->ratectl_run; /* remember current state */
2069         sc->ratectl_run = RUN_RATECTL_OFF;
2070         usb_callout_stop(&sc->ratectl_ch);
2071
2072         if (ostate == IEEE80211_S_RUN) {
2073                 /* turn link LED off */
2074                 run_set_leds(sc, RT2860_LED_RADIO);
2075         }
2076
2077         switch (nstate) {
2078         case IEEE80211_S_INIT:
2079                 restart_ratectl = 1;
2080
2081                 if (ostate != IEEE80211_S_RUN)
2082                         break;
2083
2084                 ratectl &= ~bid;
2085                 sc->runbmap &= ~bid;
2086
2087                 /* abort TSF synchronization if there is no vap running */
2088                 if (--sc->running == 0) {
2089                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2090                         run_write(sc, RT2860_BCN_TIME_CFG,
2091                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2092                             RT2860_TBTT_TIMER_EN));
2093                 }
2094                 break;
2095
2096         case IEEE80211_S_RUN:
2097                 if (!(sc->runbmap & bid)) {
2098                         if(sc->running++)
2099                                 restart_ratectl = 1;
2100                         sc->runbmap |= bid;
2101                 }
2102
2103                 m_freem(rvp->beacon_mbuf);
2104                 rvp->beacon_mbuf = NULL;
2105
2106                 switch (vap->iv_opmode) {
2107                 case IEEE80211_M_HOSTAP:
2108                 case IEEE80211_M_MBSS:
2109                         sc->ap_running |= bid;
2110                         ic->ic_opmode = vap->iv_opmode;
2111                         run_update_beacon_cb(vap);
2112                         break;
2113                 case IEEE80211_M_IBSS:
2114                         sc->adhoc_running |= bid;
2115                         if (!sc->ap_running)
2116                                 ic->ic_opmode = vap->iv_opmode;
2117                         run_update_beacon_cb(vap);
2118                         break;
2119                 case IEEE80211_M_STA:
2120                         sc->sta_running |= bid;
2121                         if (!sc->ap_running && !sc->adhoc_running)
2122                                 ic->ic_opmode = vap->iv_opmode;
2123
2124                         /* read statistic counters (clear on read) */
2125                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2126                             (uint8_t *)sta, sizeof sta);
2127
2128                         break;
2129                 default:
2130                         ic->ic_opmode = vap->iv_opmode;
2131                         break;
2132                 }
2133
2134                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2135                         struct ieee80211_node *ni;
2136
2137                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2138                                 RUN_UNLOCK(sc);
2139                                 return (-1);
2140                         }
2141                         run_updateslot(ic->ic_ifp);
2142                         run_enable_mrr(sc);
2143                         run_set_txpreamble(sc);
2144                         run_set_basicrates(sc);
2145                         ni = ieee80211_ref_node(vap->iv_bss);
2146                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2147                         run_set_bssid(sc, ni->ni_bssid);
2148                         ieee80211_free_node(ni);
2149                         run_enable_tsf_sync(sc);
2150
2151                         /* enable automatic rate adaptation */
2152                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2153                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2154                                 ratectl |= bid;
2155                 }
2156
2157                 /* turn link LED on */
2158                 run_set_leds(sc, RT2860_LED_RADIO |
2159                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2160                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2161
2162                 break;
2163         default:
2164                 DPRINTFN(6, "undefined case\n");
2165                 break;
2166         }
2167
2168         /* restart amrr for running VAPs */
2169         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2170                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2171
2172         RUN_UNLOCK(sc);
2173
2174         return(rvp->newstate(vap, nstate, arg));
2175 }
2176
2177 /* ARGSUSED */
2178 static void
2179 run_wme_update_cb(void *arg)
2180 {
2181         struct ieee80211com *ic = arg;
2182         struct run_softc *sc = ic->ic_ifp->if_softc;
2183         struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2184         int aci, error = 0;
2185
2186         RUN_LOCK_ASSERT(sc, MA_OWNED);
2187
2188         /* update MAC TX configuration registers */
2189         for (aci = 0; aci < WME_NUM_AC; aci++) {
2190                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2191                     wmesp->wme_params[aci].wmep_logcwmax << 16 |
2192                     wmesp->wme_params[aci].wmep_logcwmin << 12 |
2193                     wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2194                     wmesp->wme_params[aci].wmep_txopLimit);
2195                 if (error) goto err;
2196         }
2197
2198         /* update SCH/DMA registers too */
2199         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2200             wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2201             wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2202             wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2203             wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2204         if (error) goto err;
2205         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2206             wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2207             wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2208             wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2209             wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2210         if (error) goto err;
2211         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2212             wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2213             wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2214             wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2215             wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2216         if (error) goto err;
2217         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2218             wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2219             wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2220         if (error) goto err;
2221         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2222             wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2223             wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2224
2225 err:
2226         if (error)
2227                 DPRINTF("WME update failed\n");
2228
2229         return;
2230 }
2231
2232 static int
2233 run_wme_update(struct ieee80211com *ic)
2234 {
2235         struct run_softc *sc = ic->ic_ifp->if_softc;
2236
2237 #if 0 /* XXX swildner */
2238         /* sometime called without lock */
2239         if (mtx_owned(&ic->ic_comlock.mtx)) {
2240                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2241                 DPRINTF("cmdq_store=%d\n", i);
2242                 sc->cmdq[i].func = run_wme_update_cb;
2243                 sc->cmdq[i].arg0 = ic;
2244                 ieee80211_runtask(ic, &sc->cmdq_task);
2245                 return (0);
2246         }
2247 #endif
2248
2249         RUN_LOCK(sc);
2250         run_wme_update_cb(ic);
2251         RUN_UNLOCK(sc);
2252
2253         /* return whatever, upper layer desn't care anyway */
2254         return (0);
2255 }
2256
2257 static void
2258 run_key_update_begin(struct ieee80211vap *vap)
2259 {
2260         /*
2261          * To avoid out-of-order events, both run_key_set() and
2262          * _delete() are deferred and handled by run_cmdq_cb().
2263          * So, there is nothing we need to do here.
2264          */
2265 }
2266
2267 static void
2268 run_key_update_end(struct ieee80211vap *vap)
2269 {
2270         /* null */
2271 }
2272
2273 static void
2274 run_key_set_cb(void *arg)
2275 {
2276         struct run_cmdq *cmdq = arg;
2277         struct ieee80211vap *vap = cmdq->arg1;
2278         struct ieee80211_key *k = cmdq->k;
2279         struct ieee80211com *ic = vap->iv_ic;
2280         struct run_softc *sc = ic->ic_ifp->if_softc;
2281         struct ieee80211_node *ni;
2282         uint32_t attr;
2283         uint16_t base, associd;
2284         uint8_t mode, wcid, iv[8];
2285
2286         RUN_LOCK_ASSERT(sc, MA_OWNED);
2287
2288         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2289                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2290         else
2291                 ni = vap->iv_bss;
2292         associd = (ni != NULL) ? ni->ni_associd : 0;
2293
2294         /* map net80211 cipher to RT2860 security mode */
2295         switch (k->wk_cipher->ic_cipher) {
2296         case IEEE80211_CIPHER_WEP:
2297                 if(k->wk_keylen < 8)
2298                         mode = RT2860_MODE_WEP40;
2299                 else
2300                         mode = RT2860_MODE_WEP104;
2301                 break;
2302         case IEEE80211_CIPHER_TKIP:
2303                 mode = RT2860_MODE_TKIP;
2304                 break;
2305         case IEEE80211_CIPHER_AES_CCM:
2306                 mode = RT2860_MODE_AES_CCMP;
2307                 break;
2308         default:
2309                 DPRINTF("undefined case\n");
2310                 return;
2311         }
2312
2313         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2314             associd, k->wk_keyix, mode,
2315             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2316             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2317             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2318
2319         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2320                 wcid = 0;       /* NB: update WCID0 for group keys */
2321                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2322         } else {
2323                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2324                     1 : RUN_AID2WCID(associd);
2325                 base = RT2860_PKEY(wcid);
2326         }
2327
2328         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2329                 if(run_write_region_1(sc, base, k->wk_key, 16))
2330                         return;
2331                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2332                         return;
2333                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2334                         return;
2335         } else {
2336                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2337                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2338                         return;
2339         }
2340
2341         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2342             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2343                 /* set initial packet number in IV+EIV */
2344                 if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2345                         memset(iv, 0, sizeof iv);
2346                         iv[3] = vap->iv_def_txkey << 6;
2347                 } else {
2348                         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2349                                 iv[0] = k->wk_keytsc >> 8;
2350                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2351                                 iv[2] = k->wk_keytsc;
2352                         } else /* CCMP */ {
2353                                 iv[0] = k->wk_keytsc;
2354                                 iv[1] = k->wk_keytsc >> 8;
2355                                 iv[2] = 0;
2356                         }
2357                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2358                         iv[4] = k->wk_keytsc >> 16;
2359                         iv[5] = k->wk_keytsc >> 24;
2360                         iv[6] = k->wk_keytsc >> 32;
2361                         iv[7] = k->wk_keytsc >> 40;
2362                 }
2363                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2364                         return;
2365         }
2366
2367         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2368                 /* install group key */
2369                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2370                         return;
2371                 attr &= ~(0xf << (k->wk_keyix * 4));
2372                 attr |= mode << (k->wk_keyix * 4);
2373                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2374                         return;
2375         } else {
2376                 /* install pairwise key */
2377                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2378                         return;
2379                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2380                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2381                         return;
2382         }
2383
2384         /* TODO create a pass-thru key entry? */
2385
2386         /* need wcid to delete the right key later */
2387         k->wk_pad = wcid;
2388 }
2389
2390 /*
2391  * Don't have to be deferred, but in order to keep order of
2392  * execution, i.e. with run_key_delete(), defer this and let
2393  * run_cmdq_cb() maintain the order.
2394  *
2395  * return 0 on error
2396  */
2397 static int
2398 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2399                 const uint8_t mac[IEEE80211_ADDR_LEN])
2400 {
2401         struct ieee80211com *ic = vap->iv_ic;
2402         struct run_softc *sc = ic->ic_ifp->if_softc;
2403         uint32_t i;
2404
2405         i = RUN_CMDQ_GET(&sc->cmdq_store);
2406         DPRINTF("cmdq_store=%d\n", i);
2407         sc->cmdq[i].func = run_key_set_cb;
2408         sc->cmdq[i].arg0 = NULL;
2409         sc->cmdq[i].arg1 = vap;
2410         sc->cmdq[i].k = k;
2411         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2412         ieee80211_runtask(ic, &sc->cmdq_task);
2413
2414         /*
2415          * To make sure key will be set when hostapd
2416          * calls iv_key_set() before if_init().
2417          */
2418         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2419                 RUN_LOCK(sc);
2420                 sc->cmdq_key_set = RUN_CMDQ_GO;
2421                 RUN_UNLOCK(sc);
2422         }
2423
2424         return (1);
2425 }
2426
2427 /*
2428  * If wlan is destroyed without being brought down i.e. without
2429  * wlan down or wpa_cli terminate, this function is called after
2430  * vap is gone. Don't refer it.
2431  */
2432 static void
2433 run_key_delete_cb(void *arg)
2434 {
2435         struct run_cmdq *cmdq = arg;
2436         struct run_softc *sc = cmdq->arg1;
2437         struct ieee80211_key *k = &cmdq->key;
2438         uint32_t attr;
2439         uint8_t wcid;
2440
2441         RUN_LOCK_ASSERT(sc, MA_OWNED);
2442
2443         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2444                 /* remove group key */
2445                 DPRINTF("removing group key\n");
2446                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2447                 attr &= ~(0xf << (k->wk_keyix * 4));
2448                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2449         } else {
2450                 /* remove pairwise key */
2451                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2452                 /* matching wcid was written to wk_pad in run_key_set() */
2453                 wcid = k->wk_pad;
2454                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2455                 attr &= ~0xf;
2456                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2457                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2458         }
2459
2460         k->wk_pad = 0;
2461 }
2462
2463 /*
2464  * return 0 on error
2465  */
2466 static int
2467 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2468 {
2469         struct ieee80211com *ic = vap->iv_ic;
2470         struct run_softc *sc = ic->ic_ifp->if_softc;
2471         struct ieee80211_key *k0;
2472         uint32_t i;
2473
2474         /*
2475          * When called back, key might be gone. So, make a copy
2476          * of some values need to delete keys before deferring.
2477          * But, because of LOR with node lock, cannot use lock here.
2478          * So, use atomic instead.
2479          */
2480         i = RUN_CMDQ_GET(&sc->cmdq_store);
2481         DPRINTF("cmdq_store=%d\n", i);
2482         sc->cmdq[i].func = run_key_delete_cb;
2483         sc->cmdq[i].arg0 = NULL;
2484         sc->cmdq[i].arg1 = sc;
2485         k0 = &sc->cmdq[i].key;
2486         k0->wk_flags = k->wk_flags;
2487         k0->wk_keyix = k->wk_keyix;
2488         /* matching wcid was written to wk_pad in run_key_set() */
2489         k0->wk_pad = k->wk_pad;
2490         ieee80211_runtask(ic, &sc->cmdq_task);
2491         return (1);     /* return fake success */
2492
2493 }
2494
2495 static void
2496 run_ratectl_to(void *arg)
2497 {
2498         struct run_softc *sc = arg;
2499
2500         /* do it in a process context, so it can go sleep */
2501         ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2502         /* next timeout will be rescheduled in the callback task */
2503 }
2504
2505 /* ARGSUSED */
2506 static void
2507 run_ratectl_cb(void *arg, int pending)
2508 {
2509         struct run_softc *sc = arg;
2510         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2511         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2512
2513         if (vap == NULL)
2514                 return;
2515
2516         if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2517                 /*
2518                  * run_reset_livelock() doesn't do anything with AMRR,
2519                  * but Ralink wants us to call it every 1 sec. So, we
2520                  * piggyback here rather than creating another callout.
2521                  * Livelock may occur only in HOSTAP or IBSS mode
2522                  * (when h/w is sending beacons).
2523                  */
2524                 RUN_LOCK(sc);
2525                 run_reset_livelock(sc);
2526                 /* just in case, there are some stats to drain */
2527                 run_drain_fifo(sc);
2528                 RUN_UNLOCK(sc);
2529         }
2530
2531         ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2532
2533         RUN_LOCK(sc);
2534         if(sc->ratectl_run != RUN_RATECTL_OFF)
2535                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2536         RUN_UNLOCK(sc);
2537 }
2538
2539 static void
2540 run_drain_fifo(void *arg)
2541 {
2542         struct run_softc *sc = arg;
2543         struct ifnet *ifp = sc->sc_ifp;
2544         uint32_t stat;
2545         uint16_t (*wstat)[3];
2546         uint8_t wcid, mcs, pid;
2547         int8_t retry;
2548
2549         RUN_LOCK_ASSERT(sc, MA_OWNED);
2550
2551         for (;;) {
2552                 /* drain Tx status FIFO (maxsize = 16) */
2553                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2554                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2555                 if (!(stat & RT2860_TXQ_VLD))
2556                         break;
2557
2558                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2559
2560                 /* if no ACK was requested, no feedback is available */
2561                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2562                     wcid == 0)
2563                         continue;
2564
2565                 /*
2566                  * Even though each stat is Tx-complete-status like format,
2567                  * the device can poll stats. Because there is no guarantee
2568                  * that the referring node is still around when read the stats.
2569                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2570                  * have hard time not to refer already freed node.
2571                  *
2572                  * To eliminate such page faults, we poll stats in softc.
2573                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2574                  */
2575                 wstat = &(sc->wcid_stats[wcid]);
2576                 (*wstat)[RUN_TXCNT]++;
2577                 if (stat & RT2860_TXQ_OK)
2578                         (*wstat)[RUN_SUCCESS]++;
2579                 else
2580                         ifp->if_oerrors++;
2581                 /*
2582                  * Check if there were retries, ie if the Tx success rate is
2583                  * different from the requested rate. Note that it works only
2584                  * because we do not allow rate fallback from OFDM to CCK.
2585                  */
2586                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2587                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2588                 if ((retry = pid -1 - mcs) > 0) {
2589                         (*wstat)[RUN_TXCNT] += retry;
2590                         (*wstat)[RUN_RETRY] += retry;
2591                 }
2592         }
2593         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2594
2595         sc->fifo_cnt = 0;
2596 }
2597
2598 static void
2599 run_iter_func(void *arg, struct ieee80211_node *ni)
2600 {
2601         struct run_softc *sc = arg;
2602         struct ieee80211vap *vap = ni->ni_vap;
2603         struct ieee80211com *ic = ni->ni_ic;
2604         struct ifnet *ifp = ic->ic_ifp;
2605         struct run_node *rn = (void *)ni;
2606         union run_stats sta[2];
2607         uint16_t (*wstat)[3];
2608         int txcnt, success, retrycnt, error;
2609
2610         RUN_LOCK(sc);
2611
2612         /* Check for special case */
2613         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2614             ni != vap->iv_bss)
2615                 goto fail;
2616
2617         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2618             vap->iv_opmode == IEEE80211_M_STA)) {
2619                 /* read statistic counters (clear on read) and update AMRR state */
2620                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2621                     sizeof sta);
2622                 if (error != 0)
2623                         goto fail;
2624
2625                 /* count failed TX as errors */
2626                 ifp->if_oerrors += le16toh(sta[0].error.fail);
2627
2628                 retrycnt = le16toh(sta[1].tx.retry);
2629                 success = le16toh(sta[1].tx.success);
2630                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2631
2632                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2633                         retrycnt, success, le16toh(sta[0].error.fail));
2634         } else {
2635                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2636
2637                 if (wstat == &(sc->wcid_stats[0]) ||
2638                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2639                         goto fail;
2640
2641                 txcnt = (*wstat)[RUN_TXCNT];
2642                 success = (*wstat)[RUN_SUCCESS];
2643                 retrycnt = (*wstat)[RUN_RETRY];
2644                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2645                     retrycnt, txcnt, success);
2646
2647                 memset(wstat, 0, sizeof(*wstat));
2648         }
2649
2650         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2651         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2652
2653 fail:
2654         RUN_UNLOCK(sc);
2655
2656         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2657 }
2658
2659 static void
2660 run_newassoc_cb(void *arg)
2661 {
2662         struct run_cmdq *cmdq = arg;
2663         struct ieee80211_node *ni = cmdq->arg1;
2664         struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2665         uint8_t wcid = cmdq->wcid;
2666
2667         RUN_LOCK_ASSERT(sc, MA_OWNED);
2668
2669         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2670             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2671
2672         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2673 }
2674
2675 static void
2676 run_newassoc(struct ieee80211_node *ni, int isnew)
2677 {
2678         struct run_node *rn = (void *)ni;
2679         struct ieee80211_rateset *rs = &ni->ni_rates;
2680         struct ieee80211vap *vap = ni->ni_vap;
2681         struct ieee80211com *ic = vap->iv_ic;
2682         struct run_softc *sc = ic->ic_ifp->if_softc;
2683         uint8_t rate;
2684         uint8_t ridx;
2685         uint8_t wcid;
2686         int i, j;
2687 #ifdef RUN_DEBUG
2688         char ethstr[ETHER_ADDRSTRLEN + 1];
2689 #endif
2690
2691         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2692             1 : RUN_AID2WCID(ni->ni_associd);
2693
2694         if (wcid > RT2870_WCID_MAX) {
2695                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2696                 return;
2697         }
2698
2699         /* only interested in true associations */
2700         if (isnew && ni->ni_associd != 0) {
2701
2702                 /*
2703                  * This function could is called though timeout function.
2704                  * Need to defer.
2705                  */
2706                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2707                 DPRINTF("cmdq_store=%d\n", cnt);
2708                 sc->cmdq[cnt].func = run_newassoc_cb;
2709                 sc->cmdq[cnt].arg0 = NULL;
2710                 sc->cmdq[cnt].arg1 = ni;
2711                 sc->cmdq[cnt].wcid = wcid;
2712                 ieee80211_runtask(ic, &sc->cmdq_task);
2713         }
2714
2715         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2716             isnew, ni->ni_associd, kether_ntoa(ni->ni_macaddr, ethstr));
2717
2718         for (i = 0; i < rs->rs_nrates; i++) {
2719                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2720                 /* convert 802.11 rate to hardware rate index */
2721                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2722                         if (rt2860_rates[ridx].rate == rate)
2723                                 break;
2724                 rn->ridx[i] = ridx;
2725                 /* determine rate of control response frames */
2726                 for (j = i; j >= 0; j--) {
2727                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2728                             rt2860_rates[rn->ridx[i]].phy ==
2729                             rt2860_rates[rn->ridx[j]].phy)
2730                                 break;
2731                 }
2732                 if (j >= 0) {
2733                         rn->ctl_ridx[i] = rn->ridx[j];
2734                 } else {
2735                         /* no basic rate found, use mandatory one */
2736                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2737                 }
2738                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2739                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2740         }
2741         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2742         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2743                 if (rt2860_rates[ridx].rate == rate)
2744                         break;
2745         rn->mgt_ridx = ridx;
2746         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2747
2748         RUN_LOCK(sc);
2749         if(sc->ratectl_run != RUN_RATECTL_OFF)
2750                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2751         RUN_UNLOCK(sc);
2752 }
2753
2754 /*
2755  * Return the Rx chain with the highest RSSI for a given frame.
2756  */
2757 static __inline uint8_t
2758 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2759 {
2760         uint8_t rxchain = 0;
2761
2762         if (sc->nrxchains > 1) {
2763                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2764                         rxchain = 1;
2765                 if (sc->nrxchains > 2)
2766                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2767                                 rxchain = 2;
2768         }
2769         return (rxchain);
2770 }
2771
2772 static void
2773 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2774 {
2775         struct ifnet *ifp = sc->sc_ifp;
2776         struct ieee80211com *ic = ifp->if_l2com;
2777         struct ieee80211_frame *wh;
2778         struct ieee80211_node *ni;
2779         struct rt2870_rxd *rxd;
2780         struct rt2860_rxwi *rxwi;
2781         uint32_t flags;
2782         uint16_t len, rxwisize;
2783         uint8_t ant, rssi;
2784         int8_t nf;
2785
2786         rxwi = mtod(m, struct rt2860_rxwi *);
2787         len = le16toh(rxwi->len) & 0xfff;
2788         rxwisize = sizeof(struct rt2860_rxwi);
2789         if (sc->mac_ver == 0x5592)
2790                 rxwisize += sizeof(uint64_t);
2791         else if (sc->mac_ver == 0x3593)
2792                 rxwisize += sizeof(uint32_t);
2793         if (__predict_false(len > dmalen)) {
2794                 m_freem(m);
2795                 ifp->if_ierrors++;
2796                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2797                 return;
2798         }
2799         /* Rx descriptor is located at the end */
2800         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2801         flags = le32toh(rxd->flags);
2802
2803         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2804                 m_freem(m);
2805                 ifp->if_ierrors++;
2806                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2807                 return;
2808         }
2809
2810         m->m_data += rxwisize;
2811         m->m_pkthdr.len = m->m_len -= rxwisize;
2812
2813         wh = mtod(m, struct ieee80211_frame *);
2814
2815         if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2816                 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
2817                 m->m_flags |= M_WEP;
2818         }
2819
2820         if (flags & RT2860_RX_L2PAD) {
2821                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2822                 len += 2;
2823         }
2824
2825         ni = ieee80211_find_rxnode(ic,
2826             mtod(m, struct ieee80211_frame_min *));
2827
2828         if (__predict_false(flags & RT2860_RX_MICERR)) {
2829                 /* report MIC failures to net80211 for TKIP */
2830                 if (ni != NULL)
2831                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2832                             rxwi->keyidx);
2833                 m_freem(m);
2834                 ifp->if_ierrors++;
2835                 DPRINTF("MIC error. Someone is lying.\n");
2836                 return;
2837         }
2838
2839         ant = run_maxrssi_chain(sc, rxwi);
2840         rssi = rxwi->rssi[ant];
2841         nf = run_rssi2dbm(sc, rssi, ant);
2842
2843         m->m_pkthdr.rcvif = ifp;
2844         m->m_pkthdr.len = m->m_len = len;
2845
2846         if (ni != NULL) {
2847                 (void)ieee80211_input(ni, m, rssi, nf);
2848                 ieee80211_free_node(ni);
2849         } else {
2850                 (void)ieee80211_input_all(ic, m, rssi, nf);
2851         }
2852
2853         if (__predict_false(ieee80211_radiotap_active(ic))) {
2854                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2855                 uint16_t phy;
2856
2857                 tap->wr_flags = 0;
2858                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2859                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2860                 tap->wr_antsignal = rssi;
2861                 tap->wr_antenna = ant;
2862                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2863                 tap->wr_rate = 2;       /* in case it can't be found below */
2864                 phy = le16toh(rxwi->phy);
2865                 switch (phy & RT2860_PHY_MODE) {
2866                 case RT2860_PHY_CCK:
2867                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2868                         case 0: tap->wr_rate =   2; break;
2869                         case 1: tap->wr_rate =   4; break;
2870                         case 2: tap->wr_rate =  11; break;
2871                         case 3: tap->wr_rate =  22; break;
2872                         }
2873                         if (phy & RT2860_PHY_SHPRE)
2874                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2875                         break;
2876                 case RT2860_PHY_OFDM:
2877                         switch (phy & RT2860_PHY_MCS) {
2878                         case 0: tap->wr_rate =  12; break;
2879                         case 1: tap->wr_rate =  18; break;
2880                         case 2: tap->wr_rate =  24; break;
2881                         case 3: tap->wr_rate =  36; break;
2882                         case 4: tap->wr_rate =  48; break;
2883                         case 5: tap->wr_rate =  72; break;
2884                         case 6: tap->wr_rate =  96; break;
2885                         case 7: tap->wr_rate = 108; break;
2886                         }
2887                         break;
2888                 }
2889         }
2890 }
2891
2892 static void
2893 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2894 {
2895         struct run_softc *sc = usbd_xfer_softc(xfer);
2896         struct ifnet *ifp = sc->sc_ifp;
2897         struct mbuf *m = NULL;
2898         struct mbuf *m0;
2899         uint32_t dmalen;
2900         uint16_t rxwisize;
2901         int xferlen;
2902
2903         rxwisize = sizeof(struct rt2860_rxwi);
2904         if (sc->mac_ver == 0x5592)
2905                 rxwisize += sizeof(uint64_t);
2906         else if (sc->mac_ver == 0x3593)
2907                 rxwisize += sizeof(uint32_t);
2908
2909         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2910
2911         switch (USB_GET_STATE(xfer)) {
2912         case USB_ST_TRANSFERRED:
2913
2914                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2915
2916                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2917                     sizeof(struct rt2870_rxd))) {
2918                         DPRINTF("xfer too short %d\n", xferlen);
2919                         goto tr_setup;
2920                 }
2921
2922                 m = sc->rx_m;
2923                 sc->rx_m = NULL;
2924
2925                 /* FALLTHROUGH */
2926         case USB_ST_SETUP:
2927 tr_setup:
2928                 if (sc->rx_m == NULL) {
2929                         sc->rx_m = m_getjcl(MB_DONTWAIT, MT_DATA, M_PKTHDR,
2930                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2931                 }
2932                 if (sc->rx_m == NULL) {
2933                         DPRINTF("could not allocate mbuf - idle with stall\n");
2934                         ifp->if_ierrors++;
2935                         usbd_xfer_set_stall(xfer);
2936                         usbd_xfer_set_frames(xfer, 0);
2937                 } else {
2938                         /*
2939                          * Directly loading a mbuf cluster into DMA to
2940                          * save some data copying. This works because
2941                          * there is only one cluster.
2942                          */
2943                         usbd_xfer_set_frame_data(xfer, 0, 
2944                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2945                         usbd_xfer_set_frames(xfer, 1);
2946                 }
2947                 usbd_transfer_submit(xfer);
2948                 break;
2949
2950         default:        /* Error */
2951                 if (error != USB_ERR_CANCELLED) {
2952                         /* try to clear stall first */
2953                         usbd_xfer_set_stall(xfer);
2954
2955                         if (error == USB_ERR_TIMEOUT)
2956                                 device_printf(sc->sc_dev, "device timeout\n");
2957
2958                         ifp->if_ierrors++;
2959
2960                         goto tr_setup;
2961                 }
2962                 if (sc->rx_m != NULL) {
2963                         m_freem(sc->rx_m);
2964                         sc->rx_m = NULL;
2965                 }
2966                 break;
2967         }
2968
2969         if (m == NULL)
2970                 return;
2971
2972         /* inputting all the frames must be last */
2973
2974         RUN_UNLOCK(sc);
2975
2976         m->m_pkthdr.len = m->m_len = xferlen;
2977
2978         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2979         for(;;) {
2980                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2981
2982                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2983                     ((dmalen & 3) != 0)) {
2984                         DPRINTF("bad DMA length %u\n", dmalen);
2985                         break;
2986                 }
2987                 if ((dmalen + 8) > (uint32_t)xferlen) {
2988                         DPRINTF("bad DMA length %u > %d\n",
2989                         dmalen + 8, xferlen);
2990                         break;
2991                 }
2992
2993                 /* If it is the last one or a single frame, we won't copy. */
2994                 if ((xferlen -= dmalen + 8) <= 8) {
2995                         /* trim 32-bit DMA-len header */
2996                         m->m_data += 4;
2997                         m->m_pkthdr.len = m->m_len -= 4;
2998                         run_rx_frame(sc, m, dmalen);
2999                         m = NULL;       /* don't free source buffer */
3000                         break;
3001                 }
3002
3003                 /* copy aggregated frames to another mbuf */
3004                 m0 = m_getcl(MB_DONTWAIT, MT_DATA, M_PKTHDR);
3005                 if (__predict_false(m0 == NULL)) {
3006                         DPRINTF("could not allocate mbuf\n");
3007                         ifp->if_ierrors++;
3008                         break;
3009                 }
3010                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3011                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3012                 m0->m_pkthdr.len = m0->m_len =
3013                     dmalen + sizeof(struct rt2870_rxd);
3014                 run_rx_frame(sc, m0, dmalen);
3015
3016                 /* update data ptr */
3017                 m->m_data += dmalen + 8;
3018                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
3019         }
3020
3021         /* make sure we free the source buffer, if any */
3022         m_freem(m);
3023
3024         RUN_LOCK(sc);
3025 }
3026
3027 static void
3028 run_tx_free(struct run_endpoint_queue *pq,
3029     struct run_tx_data *data, int txerr)
3030 {
3031         if (data->m != NULL) {
3032                 if (data->m->m_flags & M_TXCB)
3033                         ieee80211_process_callback(data->ni, data->m,
3034                             txerr ? ETIMEDOUT : 0);
3035                 m_freem(data->m);
3036                 data->m = NULL;
3037
3038                 if (data->ni == NULL) {
3039                         DPRINTF("no node\n");
3040                 } else {
3041                         ieee80211_free_node(data->ni);
3042                         data->ni = NULL;
3043                 }
3044         }
3045
3046         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3047         pq->tx_nfree++;
3048 }
3049
3050 static void
3051 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3052 {
3053         struct run_softc *sc = usbd_xfer_softc(xfer);
3054         struct ifnet *ifp = sc->sc_ifp;
3055         struct ieee80211com *ic = ifp->if_l2com;
3056         struct run_tx_data *data;
3057         struct ieee80211vap *vap = NULL;
3058         struct usb_page_cache *pc;
3059         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3060         struct mbuf *m;
3061         usb_frlength_t size;
3062         int actlen;
3063         int sumlen;
3064
3065         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3066
3067         switch (USB_GET_STATE(xfer)) {
3068         case USB_ST_TRANSFERRED:
3069                 DPRINTFN(11, "transfer complete: %d "
3070                     "bytes @ index %d\n", actlen, index);
3071
3072                 data = usbd_xfer_get_priv(xfer);
3073
3074                 run_tx_free(pq, data, 0);
3075                 ifq_clr_oactive(&ifp->if_snd);
3076
3077                 usbd_xfer_set_priv(xfer, NULL);
3078
3079                 ifp->if_opackets++;
3080
3081                 /* FALLTHROUGH */
3082         case USB_ST_SETUP:
3083 tr_setup:
3084                 data = STAILQ_FIRST(&pq->tx_qh);
3085                 if (data == NULL)
3086                         break;
3087
3088                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3089
3090                 m = data->m;
3091                 size = (sc->mac_ver == 0x5592) ?
3092                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3093                 if ((m->m_pkthdr.len +
3094                     size + 3 + 8) > RUN_MAX_TXSZ) {
3095                         DPRINTF("data overflow, %u bytes\n",
3096                             m->m_pkthdr.len);
3097
3098                         ifp->if_oerrors++;
3099
3100                         run_tx_free(pq, data, 1);
3101
3102                         goto tr_setup;
3103                 }
3104
3105                 pc = usbd_xfer_get_frame(xfer, 0);
3106                 usbd_copy_in(pc, 0, &data->desc, size);
3107                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3108                 size += m->m_pkthdr.len;
3109                 /*
3110                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3111                  * 4-byte padding), and be sure to zero those trailing
3112                  * bytes:
3113                  */
3114                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3115                 size += ((-size) & 3) + 8;
3116
3117                 vap = data->ni->ni_vap;
3118                 if (ieee80211_radiotap_active_vap(vap)) {
3119                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3120                         struct rt2860_txwi *txwi = 
3121                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3122                         tap->wt_flags = 0;
3123                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3124                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3125                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3126                         tap->wt_hwqueue = index;
3127                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3128                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3129
3130                         ieee80211_radiotap_tx(vap, m);
3131                 }
3132
3133                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3134                     m->m_pkthdr.len, size, index);
3135
3136                 usbd_xfer_set_frame_len(xfer, 0, size);
3137                 usbd_xfer_set_priv(xfer, data);
3138
3139                 usbd_transfer_submit(xfer);
3140
3141                 run_start_locked(ifp);
3142
3143                 break;
3144
3145         default:
3146                 DPRINTF("USB transfer error, %s\n",
3147                     usbd_errstr(error));
3148
3149                 data = usbd_xfer_get_priv(xfer);
3150
3151                 ifp->if_oerrors++;
3152
3153                 if (data != NULL) {
3154                         if(data->ni != NULL)
3155                                 vap = data->ni->ni_vap;
3156                         run_tx_free(pq, data, error);
3157                         usbd_xfer_set_priv(xfer, NULL);
3158                 }
3159                 if (vap == NULL)
3160                         vap = TAILQ_FIRST(&ic->ic_vaps);
3161
3162                 if (error != USB_ERR_CANCELLED) {
3163                         if (error == USB_ERR_TIMEOUT) {
3164                                 device_printf(sc->sc_dev, "device timeout\n");
3165                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3166                                 DPRINTF("cmdq_store=%d\n", i);
3167                                 sc->cmdq[i].func = run_usb_timeout_cb;
3168                                 sc->cmdq[i].arg0 = vap;
3169                                 ieee80211_runtask(ic, &sc->cmdq_task);
3170                         }
3171
3172                         /*
3173                          * Try to clear stall first, also if other
3174                          * errors occur, hence clearing stall
3175                          * introduces a 50 ms delay:
3176                          */
3177                         usbd_xfer_set_stall(xfer);
3178                         goto tr_setup;
3179                 }
3180                 break;
3181         }
3182 }
3183
3184 static void
3185 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3186 {
3187         run_bulk_tx_callbackN(xfer, error, 0);
3188 }
3189
3190 static void
3191 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3192 {
3193         run_bulk_tx_callbackN(xfer, error, 1);
3194 }
3195
3196 static void
3197 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3198 {
3199         run_bulk_tx_callbackN(xfer, error, 2);
3200 }
3201
3202 static void
3203 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3204 {
3205         run_bulk_tx_callbackN(xfer, error, 3);
3206 }
3207
3208 static void
3209 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3210 {
3211         run_bulk_tx_callbackN(xfer, error, 4);
3212 }
3213
3214 static void
3215 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3216 {
3217         run_bulk_tx_callbackN(xfer, error, 5);
3218 }
3219
3220 static void
3221 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3222 {
3223         struct mbuf *m = data->m;
3224         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3225         struct ieee80211vap *vap = data->ni->ni_vap;
3226         struct ieee80211_frame *wh;
3227         struct rt2870_txd *txd;
3228         struct rt2860_txwi *txwi;
3229         uint16_t xferlen, txwisize;
3230         uint16_t mcs;
3231         uint8_t ridx = data->ridx;
3232         uint8_t pad;
3233
3234         /* get MCS code from rate index */
3235         mcs = rt2860_rates[ridx].mcs;
3236
3237         txwisize = (sc->mac_ver == 0x5592) ?
3238             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3239         xferlen = txwisize + m->m_pkthdr.len;
3240
3241         /* roundup to 32-bit alignment */
3242         xferlen = (xferlen + 3) & ~3;
3243
3244         txd = (struct rt2870_txd *)&data->desc;
3245         txd->len = htole16(xferlen);
3246
3247         wh = mtod(m, struct ieee80211_frame *);
3248
3249         /*
3250          * Ether both are true or both are false, the header
3251          * are nicely aligned to 32-bit. So, no L2 padding.
3252          */
3253         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3254                 pad = 0;
3255         else
3256                 pad = 2;
3257
3258         /* setup TX Wireless Information */
3259         txwi = (struct rt2860_txwi *)(txd + 1);
3260         txwi->len = htole16(m->m_pkthdr.len - pad);
3261         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3262                 txwi->phy = htole16(RT2860_PHY_CCK);
3263                 if (ridx != RT2860_RIDX_CCK1 &&
3264                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3265                         mcs |= RT2860_PHY_SHPRE;
3266         } else
3267                 txwi->phy = htole16(RT2860_PHY_OFDM);
3268         txwi->phy |= htole16(mcs);
3269
3270         /* check if RTS/CTS or CTS-to-self protection is required */
3271         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3272             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3273              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3274               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3275                 txwi->txop |= RT2860_TX_TXOP_HT;
3276         else
3277                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3278
3279         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3280                 txwi->xflags |= RT2860_TX_NSEQ;
3281 }
3282
3283 /* This function must be called locked */
3284 static int
3285 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3286 {
3287         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3288         struct ieee80211vap *vap = ni->ni_vap;
3289         struct ieee80211_frame *wh;
3290         struct ieee80211_channel *chan;
3291         const struct ieee80211_txparam *tp;
3292         struct run_node *rn = (void *)ni;
3293         struct run_tx_data *data;
3294         struct rt2870_txd *txd;
3295         struct rt2860_txwi *txwi;
3296         uint16_t qos;
3297         uint16_t dur;
3298         uint16_t qid;
3299         uint8_t type;
3300         uint8_t tid;
3301         uint8_t ridx;
3302         uint8_t ctl_ridx;
3303         uint8_t qflags;
3304         uint8_t xflags = 0;
3305         int hasqos;
3306
3307 #if 0 /* XXX swildner: lock needed? */
3308         RUN_LOCK_ASSERT(sc, MA_OWNED);
3309 #endif
3310
3311         wh = mtod(m, struct ieee80211_frame *);
3312
3313         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3314
3315         /*
3316          * There are 7 bulk endpoints: 1 for RX
3317          * and 6 for TX (4 EDCAs + HCCA + Prio).
3318          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3319          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3320          */
3321         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3322                 uint8_t *frm;
3323
3324                 if(IEEE80211_HAS_ADDR4(wh))
3325                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3326                 else
3327                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3328
3329                 qos = le16toh(*(const uint16_t *)frm);
3330                 tid = qos & IEEE80211_QOS_TID;
3331                 qid = TID_TO_WME_AC(tid);
3332         } else {
3333                 qos = 0;
3334                 tid = 0;
3335                 qid = WME_AC_BE;
3336         }
3337         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3338
3339         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3340             qos, qid, tid, qflags);
3341
3342         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3343         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3344
3345         /* pickup a rate index */
3346         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3347             type != IEEE80211_FC0_TYPE_DATA) {
3348                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3349                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3350                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3351         } else {
3352                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3353                         ridx = rn->fix_ridx;
3354                 else
3355                         ridx = rn->amrr_ridx;
3356                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3357         }
3358
3359         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3360             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3361              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3362                 xflags |= RT2860_TX_ACK;
3363                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3364                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3365                 else
3366                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3367                 USETW(wh->i_dur, dur);
3368         }
3369
3370         /* reserve slots for mgmt packets, just in case */
3371         if (sc->sc_epq[qid].tx_nfree < 3) {
3372                 DPRINTFN(10, "tx ring %d is full\n", qid);
3373                 return (-1);
3374         }
3375
3376         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3377         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3378         sc->sc_epq[qid].tx_nfree--;
3379
3380         txd = (struct rt2870_txd *)&data->desc;
3381         txd->flags = qflags;
3382         txwi = (struct rt2860_txwi *)(txd + 1);
3383         txwi->xflags = xflags;
3384         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3385                 txwi->wcid = 0;
3386         else
3387                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3388                     1 : RUN_AID2WCID(ni->ni_associd);
3389
3390         /* clear leftover garbage bits */
3391         txwi->flags = 0;
3392         txwi->txop = 0;
3393
3394         data->m = m;
3395         data->ni = ni;
3396         data->ridx = ridx;
3397
3398         run_set_tx_desc(sc, data);
3399
3400         /*
3401          * The chip keeps track of 2 kind of Tx stats,
3402          *  * TX_STAT_FIFO, for per WCID stats, and
3403          *  * TX_STA_CNT0 for all-TX-in-one stats.
3404          *
3405          * To use FIFO stats, we need to store MCS into the driver-private
3406          * PacketID field. So that, we can tell whose stats when we read them.
3407          * We add 1 to the MCS because setting the PacketID field to 0 means
3408          * that we don't want feedback in TX_STAT_FIFO.
3409          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3410          *
3411          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3412          */
3413         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3414             vap->iv_opmode == IEEE80211_M_MBSS) {
3415                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3416                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3417
3418                 /*
3419                  * Unlike PCI based devices, we don't get any interrupt from
3420                  * USB devices, so we simulate FIFO-is-full interrupt here.
3421                  * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3422                  * quickly get fulled. To prevent overflow, increment a counter on
3423                  * every FIFO stat request, so we know how many slots are left.
3424                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3425                  * are used only in those modes.
3426                  * We just drain stats. AMRR gets updated every 1 sec by
3427                  * run_ratectl_cb() via callout.
3428                  * Call it early. Otherwise overflow.
3429                  */
3430                 if (sc->fifo_cnt++ == 10) {
3431                         /*
3432                          * With multiple vaps or if_bridge, if_start() is called
3433                          * with a non-sleepable lock, tcpinp. So, need to defer.
3434                          */
3435                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3436                         DPRINTFN(6, "cmdq_store=%d\n", i);
3437                         sc->cmdq[i].func = run_drain_fifo;
3438                         sc->cmdq[i].arg0 = sc;
3439                         ieee80211_runtask(ic, &sc->cmdq_task);
3440                 }
3441         }
3442
3443         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3444
3445         RUN_LOCK(sc);
3446         usbd_transfer_start(sc->sc_xfer[qid]);
3447         RUN_UNLOCK(sc);
3448
3449         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3450             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3451             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3452
3453         return (0);
3454 }
3455
3456 static int
3457 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3458 {
3459         struct ifnet *ifp = sc->sc_ifp;
3460         struct ieee80211com *ic = ifp->if_l2com;
3461         struct run_node *rn = (void *)ni;
3462         struct run_tx_data *data;
3463         struct ieee80211_frame *wh;
3464         struct rt2870_txd *txd;
3465         struct rt2860_txwi *txwi;
3466         uint16_t dur;
3467         uint8_t ridx = rn->mgt_ridx;
3468         uint8_t type;
3469         uint8_t xflags = 0;
3470         uint8_t wflags = 0;
3471
3472         RUN_LOCK_ASSERT(sc, MA_OWNED);
3473
3474         wh = mtod(m, struct ieee80211_frame *);
3475
3476         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3477
3478         /* tell hardware to add timestamp for probe responses */
3479         if ((wh->i_fc[0] &
3480             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3481             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3482                 wflags |= RT2860_TX_TS;
3483         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3484                 xflags |= RT2860_TX_ACK;
3485
3486                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate, 
3487                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3488                 USETW(wh->i_dur, dur);
3489         }
3490
3491         if (sc->sc_epq[0].tx_nfree == 0) {
3492                 /* let caller free mbuf */
3493                 ifq_set_oactive(&ifp->if_snd);
3494                 return (EIO);
3495         }
3496         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3497         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3498         sc->sc_epq[0].tx_nfree--;
3499
3500         txd = (struct rt2870_txd *)&data->desc;
3501         txd->flags = RT2860_TX_QSEL_EDCA;
3502         txwi = (struct rt2860_txwi *)(txd + 1);
3503         txwi->wcid = 0xff;
3504         txwi->flags = wflags;
3505         txwi->xflags = xflags;
3506         txwi->txop = 0; /* clear leftover garbage bits */
3507
3508         data->m = m;
3509         data->ni = ni;
3510         data->ridx = ridx;
3511
3512         run_set_tx_desc(sc, data);
3513
3514         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3515             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3516             rt2860_rates[ridx].rate);
3517
3518         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3519
3520         usbd_transfer_start(sc->sc_xfer[0]);
3521
3522         return (0);
3523 }
3524
3525 static int
3526 run_sendprot(struct run_softc *sc,
3527     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3528 {
3529         struct ieee80211com *ic = ni->ni_ic;
3530         struct ieee80211_frame *wh;
3531         struct run_tx_data *data;
3532         struct rt2870_txd *txd;
3533         struct rt2860_txwi *txwi;
3534         struct mbuf *mprot;
3535         int ridx;
3536         int protrate;
3537         int ackrate;
3538         int pktlen;
3539         int isshort;
3540         uint16_t dur;
3541         uint8_t type;
3542         uint8_t wflags = 0;
3543         uint8_t xflags = 0;
3544
3545         RUN_LOCK_ASSERT(sc, MA_OWNED);
3546
3547         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3548             ("protection %d", prot));
3549
3550         wh = mtod(m, struct ieee80211_frame *);
3551         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3552         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3553
3554         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3555         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3556
3557         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3558         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3559             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3560         wflags = RT2860_TX_FRAG;
3561
3562         /* check that there are free slots before allocating the mbuf */
3563         if (sc->sc_epq[0].tx_nfree == 0) {
3564                 /* let caller free mbuf */
3565                 ifq_set_oactive(&sc->sc_ifp->if_snd);
3566                 return (ENOBUFS);
3567         }
3568
3569         if (prot == IEEE80211_PROT_RTSCTS) {
3570                 /* NB: CTS is the same size as an ACK */
3571                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3572                 xflags |= RT2860_TX_ACK;
3573                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3574         } else {
3575                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3576         }
3577         if (mprot == NULL) {
3578                 sc->sc_ifp->if_oerrors++;
3579                 DPRINTF("could not allocate mbuf\n");
3580                 return (ENOBUFS);
3581         }
3582
3583         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3584         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3585         sc->sc_epq[0].tx_nfree--;
3586
3587         txd = (struct rt2870_txd *)&data->desc;
3588         txd->flags = RT2860_TX_QSEL_EDCA;
3589         txwi = (struct rt2860_txwi *)(txd + 1);
3590         txwi->wcid = 0xff;
3591         txwi->flags = wflags;
3592         txwi->xflags = xflags;
3593         txwi->txop = 0; /* clear leftover garbage bits */
3594
3595         data->m = mprot;
3596         data->ni = ieee80211_ref_node(ni);
3597
3598         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3599                 if (rt2860_rates[ridx].rate == protrate)
3600                         break;
3601         data->ridx = ridx;
3602
3603         run_set_tx_desc(sc, data);
3604
3605         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3606             m->m_pkthdr.len, rate);
3607
3608         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3609
3610         usbd_transfer_start(sc->sc_xfer[0]);
3611
3612         return (0);
3613 }
3614
3615 static int
3616 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3617     const struct ieee80211_bpf_params *params)
3618 {
3619         struct ieee80211com *ic = ni->ni_ic;
3620         struct ieee80211_frame *wh;
3621         struct run_tx_data *data;
3622         struct rt2870_txd *txd;
3623         struct rt2860_txwi *txwi;
3624         uint8_t type;
3625         uint8_t ridx;
3626         uint8_t rate;
3627         uint8_t opflags = 0;
3628         uint8_t xflags = 0;
3629         int error;
3630
3631         RUN_LOCK_ASSERT(sc, MA_OWNED);
3632
3633         KASSERT(params != NULL, ("no raw xmit params"));
3634
3635         wh = mtod(m, struct ieee80211_frame *);
3636         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3637
3638         rate = params->ibp_rate0;
3639         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3640                 /* let caller free mbuf */
3641                 return (EINVAL);
3642         }
3643
3644         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3645                 xflags |= RT2860_TX_ACK;
3646         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3647                 error = run_sendprot(sc, m, ni,
3648                     params->ibp_flags & IEEE80211_BPF_RTS ?
3649                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3650                     rate);
3651                 if (error) {
3652                         /* let caller free mbuf */
3653                         return error;
3654                 }
3655                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3656         }
3657
3658         if (sc->sc_epq[0].tx_nfree == 0) {
3659                 /* let caller free mbuf */
3660                 ifq_set_oactive(&sc->sc_ifp->if_snd);
3661                 DPRINTF("sending raw frame, but tx ring is full\n");
3662                 return (EIO);
3663         }
3664         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3665         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3666         sc->sc_epq[0].tx_nfree--;
3667
3668         txd = (struct rt2870_txd *)&data->desc;
3669         txd->flags = RT2860_TX_QSEL_EDCA;
3670         txwi = (struct rt2860_txwi *)(txd + 1);
3671         txwi->wcid = 0xff;
3672         txwi->xflags = xflags;
3673         txwi->txop = opflags;
3674         txwi->flags = 0;        /* clear leftover garbage bits */
3675
3676         data->m = m;
3677         data->ni = ni;
3678         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3679                 if (rt2860_rates[ridx].rate == rate)
3680                         break;
3681         data->ridx = ridx;
3682
3683         run_set_tx_desc(sc, data);
3684
3685         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3686             m->m_pkthdr.len, rate);
3687
3688         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3689
3690         usbd_transfer_start(sc->sc_xfer[0]);
3691
3692         return (0);
3693 }
3694
3695 static int
3696 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3697     const struct ieee80211_bpf_params *params)
3698 {
3699         struct ifnet *ifp = ni->ni_ic->ic_ifp;
3700         struct run_softc *sc = ifp->if_softc;
3701         int error = 0;
3702  
3703         RUN_LOCK(sc);
3704
3705         /* prevent management frames from being sent if we're not ready */
3706         if (!(ifp->if_flags & IFF_RUNNING)) {
3707                 error =  ENETDOWN;
3708                 goto done;
3709         }
3710
3711         if (params == NULL) {
3712                 /* tx mgt packet */
3713                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3714                         ifp->if_oerrors++;
3715                         DPRINTF("mgt tx failed\n");
3716                         goto done;
3717                 }
3718         } else {
3719                 /* tx raw packet with param */
3720                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3721                         ifp->if_oerrors++;
3722                         DPRINTF("tx with param failed\n");
3723                         goto done;
3724                 }
3725         }
3726
3727         ifp->if_opackets++;
3728
3729 done:
3730         RUN_UNLOCK(sc);
3731
3732         if (error != 0) {
3733                 if(m != NULL)
3734                         m_freem(m);
3735                 ieee80211_free_node(ni);
3736         }
3737
3738         return (error);
3739 }
3740
3741 static void
3742 run_start_locked(struct ifnet *ifp)
3743 {
3744         struct run_softc *sc = ifp->if_softc;
3745         struct ieee80211_node *ni;
3746         struct mbuf *m = NULL;
3747
3748         if ((ifp->if_flags & IFF_RUNNING) == 0)
3749                 return;
3750
3751         for (;;) {
3752                 /* send data frames */
3753                 m = ifq_dequeue(&ifp->if_snd);
3754                 if (m == NULL)
3755                         break;
3756
3757                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3758                 if (run_tx(sc, m, ni) != 0) {
3759                         ifq_prepend(&ifp->if_snd, m);
3760                         ifq_set_oactive(&ifp->if_snd);
3761                         break;
3762                 }
3763         }
3764 }
3765
3766 static void
3767 run_start(struct ifnet *ifp, struct ifaltq_subque *ifsq)
3768 {
3769         ASSERT_ALTQ_SQ_DEFAULT(ifp, ifsq);
3770         run_start_locked(ifp);
3771 }
3772
3773 static int
3774 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
3775 {
3776         struct run_softc *sc = ifp->if_softc;
3777         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3778         struct ifreq *ifr = (struct ifreq *) data;
3779         int startall = 0;
3780         int error;
3781
3782         RUN_LOCK(sc);
3783         error = sc->sc_detached ? ENXIO : 0;
3784         RUN_UNLOCK(sc);
3785         if (error)
3786                 return (error);
3787
3788         switch (cmd) {
3789         case SIOCSIFFLAGS:
3790                 RUN_LOCK(sc);
3791                 if (ifp->if_flags & IFF_UP) {
3792                         if (!(ifp->if_flags & IFF_RUNNING)){
3793                                 startall = 1;
3794                                 run_init_locked(sc);
3795                         } else
3796                                 run_update_promisc_locked(ifp);
3797                 } else {
3798                         if (ifp->if_flags & IFF_RUNNING &&
3799                             (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3800                                         run_stop(sc);
3801                         }
3802                 }
3803                 RUN_UNLOCK(sc);
3804                 if (startall)
3805                         ieee80211_start_all(ic);
3806                 break;
3807         case SIOCGIFMEDIA:
3808                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3809                 break;
3810         case SIOCGIFADDR:
3811                 error = ether_ioctl(ifp, cmd, data);
3812                 break;
3813         default:
3814                 error = EINVAL;
3815                 break;
3816         }
3817
3818         return (error);
3819 }
3820
3821 static void
3822 run_iq_calib(struct run_softc *sc, u_int chan)
3823 {
3824         uint16_t val;
3825
3826         /* Tx0 IQ gain. */
3827         run_bbp_write(sc, 158, 0x2c);
3828         if (chan <= 14)
3829                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3830         else if (chan <= 64) {
3831                 run_efuse_read(sc,
3832                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3833                     &val, 1);
3834         } else if (chan <= 138) {
3835                 run_efuse_read(sc,
3836                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3837                     &val, 1);
3838         } else if (chan <= 165) {
3839                 run_efuse_read(sc,
3840             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3841                     &val, 1);
3842         } else
3843                 val = 0;
3844         run_bbp_write(sc, 159, val);
3845
3846         /* Tx0 IQ phase. */
3847         run_bbp_write(sc, 158, 0x2d);
3848         if (chan <= 14) {
3849                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3850                     &val, 1);
3851         } else if (chan <= 64) {
3852                 run_efuse_read(sc,
3853                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3854                     &val, 1);
3855         } else if (chan <= 138) {
3856                 run_efuse_read(sc,
3857                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3858                     &val, 1);
3859         } else if (chan <= 165) {
3860                 run_efuse_read(sc,
3861                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3862                     &val, 1);
3863         } else
3864                 val = 0;
3865         run_bbp_write(sc, 159, val);
3866
3867         /* Tx1 IQ gain. */
3868         run_bbp_write(sc, 158, 0x4a);
3869         if (chan <= 14) {
3870                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3871                     &val, 1);
3872         } else if (chan <= 64) {
3873                 run_efuse_read(sc,
3874                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3875                     &val, 1);
3876         } else if (chan <= 138) {
3877                 run_efuse_read(sc,
3878                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3879                     &val, 1);
3880         } else if (chan <= 165) {
3881                 run_efuse_read(sc,
3882                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3883                     &val, 1);
3884         } else
3885                 val = 0;
3886         run_bbp_write(sc, 159, val);
3887
3888         /* Tx1 IQ phase. */
3889         run_bbp_write(sc, 158, 0x4b);
3890         if (chan <= 14) {
3891                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3892                     &val, 1);
3893         } else if (chan <= 64) {
3894                 run_efuse_read(sc,
3895                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3896                     &val, 1);
3897         } else if (chan <= 138) {
3898                 run_efuse_read(sc,
3899                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3900                     &val, 1);
3901         } else if (chan <= 165) {
3902                 run_efuse_read(sc,
3903                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3904                     &val, 1);
3905         } else
3906                 val = 0;
3907         run_bbp_write(sc, 159, val);
3908
3909         /* RF IQ compensation control. */
3910         run_bbp_write(sc, 158, 0x04);
3911         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3912             &val, 1);
3913         run_bbp_write(sc, 159, val);
3914
3915         /* RF IQ imbalance compensation control. */
3916         run_bbp_write(sc, 158, 0x03);
3917         run_efuse_read(sc,
3918             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3919         run_bbp_write(sc, 159, val);
3920 }
3921
3922 static void
3923 run_set_agc(struct run_softc *sc, uint8_t agc)
3924 {
3925         uint8_t bbp;
3926
3927         if (sc->mac_ver == 0x3572) {
3928                 run_bbp_read(sc, 27, &bbp);
3929                 bbp &= ~(0x3 << 5);
3930                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3931                 run_bbp_write(sc, 66, agc);
3932                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3933                 run_bbp_write(sc, 66, agc);
3934         } else
3935                 run_bbp_write(sc, 66, agc);
3936 }
3937
3938 static void
3939 run_select_chan_group(struct run_softc *sc, int group)
3940 {
3941         uint32_t tmp;
3942         uint8_t agc;
3943
3944         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3945         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3946         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3947         if (sc->mac_ver < 0x3572)
3948                 run_bbp_write(sc, 86, 0x00);
3949
3950         if (sc->mac_ver == 0x3593) {
3951                 run_bbp_write(sc, 77, 0x98);
3952                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3953         }
3954
3955         if (group == 0) {
3956                 if (sc->ext_2ghz_lna) {
3957                         if (sc->mac_ver >= 0x5390)
3958                                 run_bbp_write(sc, 75, 0x52);
3959                         else {
3960                                 run_bbp_write(sc, 82, 0x62);
3961                                 run_bbp_write(sc, 75, 0x46);
3962                         }
3963                 } else {
3964                         if (sc->mac_ver == 0x5592) {
3965                                 run_bbp_write(sc, 79, 0x1c);
3966                                 run_bbp_write(sc, 80, 0x0e);
3967                                 run_bbp_write(sc, 81, 0x3a);
3968                                 run_bbp_write(sc, 82, 0x62);
3969
3970                                 run_bbp_write(sc, 195, 0x80);
3971                                 run_bbp_write(sc, 196, 0xe0);
3972                                 run_bbp_write(sc, 195, 0x81);
3973                                 run_bbp_write(sc, 196, 0x1f);
3974                                 run_bbp_write(sc, 195, 0x82);
3975                                 run_bbp_write(sc, 196, 0x38);
3976                                 run_bbp_write(sc, 195, 0x83);
3977                                 run_bbp_write(sc, 196, 0x32);
3978                                 run_bbp_write(sc, 195, 0x85);
3979                                 run_bbp_write(sc, 196, 0x28);
3980                                 run_bbp_write(sc, 195, 0x86);
3981                                 run_bbp_write(sc, 196, 0x19);
3982                         } else if (sc->mac_ver >= 0x5390)
3983                                 run_bbp_write(sc, 75, 0x50);
3984                         else {
3985                                 run_bbp_write(sc, 82,
3986                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3987                                 run_bbp_write(sc, 75, 0x50);
3988                         }
3989                 }
3990         } else {
3991                 if (sc->mac_ver == 0x5592) {
3992                         run_bbp_write(sc, 79, 0x18);
3993                         run_bbp_write(sc, 80, 0x08);
3994                         run_bbp_write(sc, 81, 0x38);
3995                         run_bbp_write(sc, 82, 0x92);
3996
3997                         run_bbp_write(sc, 195, 0x80);
3998                         run_bbp_write(sc, 196, 0xf0);
3999                         run_bbp_write(sc, 195, 0x81);
4000                         run_bbp_write(sc, 196, 0x1e);
4001                         run_bbp_write(sc, 195, 0x82);
4002                         run_bbp_write(sc, 196, 0x28);
4003                         run_bbp_write(sc, 195, 0x83);
4004                         run_bbp_write(sc,