firmware(9): Change type of data pointer
[dragonfly.git] / sys / bus / u4b / wlan / if_run.c
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  *
19  * $FreeBSD: head/sys/dev/usb/wlan/if_run.c 299176 2016-05-06 15:09:21Z pfg $
20  */
21
22 /*-
23  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
24  * http://www.ralinktech.com/
25  */
26
27 #include <sys/param.h>
28 #include <sys/sockio.h>
29 #include <sys/sysctl.h>
30 #include <sys/lock.h>
31 #include <sys/mbuf.h>
32 #include <sys/kernel.h>
33 #include <sys/socket.h>
34 #include <sys/systm.h>
35 #include <sys/malloc.h>
36 #include <sys/module.h>
37 #include <sys/bus.h>
38 #include <sys/endian.h>
39 #include <sys/linker.h>
40 #include <sys/firmware.h>
41
42 #include <sys/rman.h>
43
44 #include <net/bpf.h>
45 #include <net/if.h>
46 #include <net/if_var.h>
47 #include <net/if_arp.h>
48 #include <net/ethernet.h>
49 #include <net/if_dl.h>
50 #include <net/if_media.h>
51 #include <net/if_types.h>
52
53 #include <netinet/in.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/in_var.h>
56 #include <netinet/if_ether.h>
57 #include <netinet/ip.h>
58
59 #include <netproto/802_11/ieee80211_var.h>
60 #include <netproto/802_11/ieee80211_regdomain.h>
61 #include <netproto/802_11/ieee80211_radiotap.h>
62 #include <netproto/802_11/ieee80211_ratectl.h>
63
64 #include <bus/u4b/usb.h>
65 #include <bus/u4b/usbdi.h>
66 #include "usbdevs.h"
67
68 #define USB_DEBUG_VAR   run_debug
69 #include <bus/u4b/usb_debug.h>
70 #include <bus/u4b/usb_msctest.h>
71
72 #include <bus/u4b/wlan/if_runreg.h>
73 #include <bus/u4b/wlan/if_runvar.h>
74
75 #ifdef  USB_DEBUG
76 #define RUN_DEBUG
77 #endif
78
79 #ifdef  RUN_DEBUG
80 int run_debug = 0;
81 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
82 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
83     "run debug level");
84 #endif
85
86 #define IEEE80211_HAS_ADDR4(wh) IEEE80211_IS_DSTODS(wh)
87
88 /*
89  * Because of LOR in run_key_delete(), use atomic instead.
90  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
91  */
92 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
93
94 static const STRUCT_USB_HOST_ID run_devs[] = {
95 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
96 #define RUN_DEV_EJECT(v,p)      \
97         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
98 #define RUN_EJECT       1
99     RUN_DEV(ABOCOM,             RT2770),
100     RUN_DEV(ABOCOM,             RT2870),
101     RUN_DEV(ABOCOM,             RT3070),
102     RUN_DEV(ABOCOM,             RT3071),
103     RUN_DEV(ABOCOM,             RT3072),
104     RUN_DEV(ABOCOM2,            RT2870_1),
105     RUN_DEV(ACCTON,             RT2770),
106     RUN_DEV(ACCTON,             RT2870_1),
107     RUN_DEV(ACCTON,             RT2870_2),
108     RUN_DEV(ACCTON,             RT2870_3),
109     RUN_DEV(ACCTON,             RT2870_4),
110     RUN_DEV(ACCTON,             RT2870_5),
111     RUN_DEV(ACCTON,             RT3070),
112     RUN_DEV(ACCTON,             RT3070_1),
113     RUN_DEV(ACCTON,             RT3070_2),
114     RUN_DEV(ACCTON,             RT3070_3),
115     RUN_DEV(ACCTON,             RT3070_4),
116     RUN_DEV(ACCTON,             RT3070_5),
117     RUN_DEV(AIRTIES,            RT3070),
118     RUN_DEV(ALLWIN,             RT2070),
119     RUN_DEV(ALLWIN,             RT2770),
120     RUN_DEV(ALLWIN,             RT2870),
121     RUN_DEV(ALLWIN,             RT3070),
122     RUN_DEV(ALLWIN,             RT3071),
123     RUN_DEV(ALLWIN,             RT3072),
124     RUN_DEV(ALLWIN,             RT3572),
125     RUN_DEV(AMIGO,              RT2870_1),
126     RUN_DEV(AMIGO,              RT2870_2),
127     RUN_DEV(AMIT,               CGWLUSB2GNR),
128     RUN_DEV(AMIT,               RT2870_1),
129     RUN_DEV(AMIT2,              RT2870),
130     RUN_DEV(ASUS,               RT2870_1),
131     RUN_DEV(ASUS,               RT2870_2),
132     RUN_DEV(ASUS,               RT2870_3),
133     RUN_DEV(ASUS,               RT2870_4),
134     RUN_DEV(ASUS,               RT2870_5),
135     RUN_DEV(ASUS,               USBN13),
136     RUN_DEV(ASUS,               RT3070_1),
137     RUN_DEV(ASUS,               USBN66),
138     RUN_DEV(ASUS,               USB_N53),
139     RUN_DEV(ASUS2,              USBN11),
140     RUN_DEV(AZUREWAVE,          RT2870_1),
141     RUN_DEV(AZUREWAVE,          RT2870_2),
142     RUN_DEV(AZUREWAVE,          RT3070_1),
143     RUN_DEV(AZUREWAVE,          RT3070_2),
144     RUN_DEV(AZUREWAVE,          RT3070_3),
145     RUN_DEV(BELKIN,             F9L1103),
146     RUN_DEV(BELKIN,             F5D8053V3),
147     RUN_DEV(BELKIN,             F5D8055),
148     RUN_DEV(BELKIN,             F5D8055V2),
149     RUN_DEV(BELKIN,             F6D4050V1),
150     RUN_DEV(BELKIN,             F6D4050V2),
151     RUN_DEV(BELKIN,             RT2870_1),
152     RUN_DEV(BELKIN,             RT2870_2),
153     RUN_DEV(CISCOLINKSYS,       AE1000),
154     RUN_DEV(CISCOLINKSYS2,      RT3070),
155     RUN_DEV(CISCOLINKSYS3,      RT3070),
156     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
157     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
158     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
159     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
160     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
161     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
162     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
163     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
164     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
165     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
166     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
167     RUN_DEV(COREGA,             CGWLUSB300GNM),
168     RUN_DEV(COREGA,             RT2870_1),
169     RUN_DEV(COREGA,             RT2870_2),
170     RUN_DEV(COREGA,             RT2870_3),
171     RUN_DEV(COREGA,             RT3070),
172     RUN_DEV(CYBERTAN,           RT2870),
173     RUN_DEV(DLINK,              RT2870),
174     RUN_DEV(DLINK,              RT3072),
175     RUN_DEV(DLINK,              DWA127),
176     RUN_DEV(DLINK,              DWA140B3),
177     RUN_DEV(DLINK,              DWA160B2),
178     RUN_DEV(DLINK,              DWA140D1),
179     RUN_DEV(DLINK,              DWA162),
180     RUN_DEV(DLINK2,             DWA130),
181     RUN_DEV(DLINK2,             RT2870_1),
182     RUN_DEV(DLINK2,             RT2870_2),
183     RUN_DEV(DLINK2,             RT3070_1),
184     RUN_DEV(DLINK2,             RT3070_2),
185     RUN_DEV(DLINK2,             RT3070_3),
186     RUN_DEV(DLINK2,             RT3070_4),
187     RUN_DEV(DLINK2,             RT3070_5),
188     RUN_DEV(DLINK2,             RT3072),
189     RUN_DEV(DLINK2,             RT3072_1),
190     RUN_DEV(EDIMAX,             EW7717),
191     RUN_DEV(EDIMAX,             EW7718),
192     RUN_DEV(EDIMAX,             EW7733UND),
193     RUN_DEV(EDIMAX,             RT2870_1),
194     RUN_DEV(ENCORE,             RT3070_1),
195     RUN_DEV(ENCORE,             RT3070_2),
196     RUN_DEV(ENCORE,             RT3070_3),
197     RUN_DEV(GIGABYTE,           GNWB31N),
198     RUN_DEV(GIGABYTE,           GNWB32L),
199     RUN_DEV(GIGABYTE,           RT2870_1),
200     RUN_DEV(GIGASET,            RT3070_1),
201     RUN_DEV(GIGASET,            RT3070_2),
202     RUN_DEV(GUILLEMOT,          HWNU300),
203     RUN_DEV(HAWKING,            HWUN2),
204     RUN_DEV(HAWKING,            RT2870_1),
205     RUN_DEV(HAWKING,            RT2870_2),
206     RUN_DEV(HAWKING,            RT3070),
207     RUN_DEV(IODATA,             RT3072_1),
208     RUN_DEV(IODATA,             RT3072_2),
209     RUN_DEV(IODATA,             RT3072_3),
210     RUN_DEV(IODATA,             RT3072_4),
211     RUN_DEV(LINKSYS4,           RT3070),
212     RUN_DEV(LINKSYS4,           WUSB100),
213     RUN_DEV(LINKSYS4,           WUSB54GCV3),
214     RUN_DEV(LINKSYS4,           WUSB600N),
215     RUN_DEV(LINKSYS4,           WUSB600NV2),
216     RUN_DEV(LOGITEC,            RT2870_1),
217     RUN_DEV(LOGITEC,            RT2870_2),
218     RUN_DEV(LOGITEC,            RT2870_3),
219     RUN_DEV(LOGITEC,            LANW300NU2),
220     RUN_DEV(LOGITEC,            LANW150NU2),
221     RUN_DEV(LOGITEC,            LANW300NU2S),
222     RUN_DEV(MELCO,              WLIUCG300HP),
223     RUN_DEV(MELCO,              RT2870_2),
224     RUN_DEV(MELCO,              WLIUCAG300N),
225     RUN_DEV(MELCO,              WLIUCG300N),
226     RUN_DEV(MELCO,              WLIUCG301N),
227     RUN_DEV(MELCO,              WLIUCGN),
228     RUN_DEV(MELCO,              WLIUCGNM),
229     RUN_DEV(MELCO,              WLIUCG300HPV1),
230     RUN_DEV(MELCO,              WLIUCGNM2),
231     RUN_DEV(MOTOROLA4,          RT2770),
232     RUN_DEV(MOTOROLA4,          RT3070),
233     RUN_DEV(MSI,                RT3070_1),
234     RUN_DEV(MSI,                RT3070_2),
235     RUN_DEV(MSI,                RT3070_3),
236     RUN_DEV(MSI,                RT3070_4),
237     RUN_DEV(MSI,                RT3070_5),
238     RUN_DEV(MSI,                RT3070_6),
239     RUN_DEV(MSI,                RT3070_7),
240     RUN_DEV(MSI,                RT3070_8),
241     RUN_DEV(MSI,                RT3070_9),
242     RUN_DEV(MSI,                RT3070_10),
243     RUN_DEV(MSI,                RT3070_11),
244     RUN_DEV(NETGEAR,            WNDA4100),
245     RUN_DEV(OVISLINK,           RT3072),
246     RUN_DEV(PARA,               RT3070),
247     RUN_DEV(PEGATRON,           RT2870),
248     RUN_DEV(PEGATRON,           RT3070),
249     RUN_DEV(PEGATRON,           RT3070_2),
250     RUN_DEV(PEGATRON,           RT3070_3),
251     RUN_DEV(PHILIPS,            RT2870),
252     RUN_DEV(PLANEX2,            GWUS300MINIS),
253     RUN_DEV(PLANEX2,            GWUSMICRON),
254     RUN_DEV(PLANEX2,            RT2870),
255     RUN_DEV(PLANEX2,            RT3070),
256     RUN_DEV(QCOM,               RT2870),
257     RUN_DEV(QUANTA,             RT3070),
258     RUN_DEV(RALINK,             RT2070),
259     RUN_DEV(RALINK,             RT2770),
260     RUN_DEV(RALINK,             RT2870),
261     RUN_DEV(RALINK,             RT3070),
262     RUN_DEV(RALINK,             RT3071),
263     RUN_DEV(RALINK,             RT3072),
264     RUN_DEV(RALINK,             RT3370),
265     RUN_DEV(RALINK,             RT3572),
266     RUN_DEV(RALINK,             RT3573),
267     RUN_DEV(RALINK,             RT5370),
268     RUN_DEV(RALINK,             RT5572),
269     RUN_DEV(RALINK,             RT8070),
270     RUN_DEV(SAMSUNG,            WIS09ABGN),
271     RUN_DEV(SAMSUNG2,           RT2870_1),
272     RUN_DEV(SENAO,              RT2870_1),
273     RUN_DEV(SENAO,              RT2870_2),
274     RUN_DEV(SENAO,              RT2870_3),
275     RUN_DEV(SENAO,              RT2870_4),
276     RUN_DEV(SENAO,              RT3070),
277     RUN_DEV(SENAO,              RT3071),
278     RUN_DEV(SENAO,              RT3072_1),
279     RUN_DEV(SENAO,              RT3072_2),
280     RUN_DEV(SENAO,              RT3072_3),
281     RUN_DEV(SENAO,              RT3072_4),
282     RUN_DEV(SENAO,              RT3072_5),
283     RUN_DEV(SITECOMEU,          RT2770),
284     RUN_DEV(SITECOMEU,          RT2870_1),
285     RUN_DEV(SITECOMEU,          RT2870_2),
286     RUN_DEV(SITECOMEU,          RT2870_3),
287     RUN_DEV(SITECOMEU,          RT2870_4),
288     RUN_DEV(SITECOMEU,          RT3070),
289     RUN_DEV(SITECOMEU,          RT3070_2),
290     RUN_DEV(SITECOMEU,          RT3070_3),
291     RUN_DEV(SITECOMEU,          RT3070_4),
292     RUN_DEV(SITECOMEU,          RT3071),
293     RUN_DEV(SITECOMEU,          RT3072_1),
294     RUN_DEV(SITECOMEU,          RT3072_2),
295     RUN_DEV(SITECOMEU,          RT3072_3),
296     RUN_DEV(SITECOMEU,          RT3072_4),
297     RUN_DEV(SITECOMEU,          RT3072_5),
298     RUN_DEV(SITECOMEU,          RT3072_6),
299     RUN_DEV(SITECOMEU,          WL608),
300     RUN_DEV(SPARKLAN,           RT2870_1),
301     RUN_DEV(SPARKLAN,           RT3070),
302     RUN_DEV(SWEEX2,             LW153),
303     RUN_DEV(SWEEX2,             LW303),
304     RUN_DEV(SWEEX2,             LW313),
305     RUN_DEV(TOSHIBA,            RT3070),
306     RUN_DEV(UMEDIA,             RT2870_1),
307     RUN_DEV(ZCOM,               RT2870_1),
308     RUN_DEV(ZCOM,               RT2870_2),
309     RUN_DEV(ZINWELL,            RT2870_1),
310     RUN_DEV(ZINWELL,            RT2870_2),
311     RUN_DEV(ZINWELL,            RT3070),
312     RUN_DEV(ZINWELL,            RT3072_1),
313     RUN_DEV(ZINWELL,            RT3072_2),
314     RUN_DEV(ZYXEL,              RT2870_1),
315     RUN_DEV(ZYXEL,              RT2870_2),
316     RUN_DEV(ZYXEL,              RT3070),
317     RUN_DEV_EJECT(ZYXEL,        NWD2705),
318     RUN_DEV_EJECT(RALINK,       RT_STOR),
319 #undef RUN_DEV_EJECT
320 #undef RUN_DEV
321 };
322
323 static device_probe_t   run_match;
324 static device_attach_t  run_attach;
325 static device_detach_t  run_detach;
326
327 static usb_callback_t   run_bulk_rx_callback;
328 static usb_callback_t   run_bulk_tx_callback0;
329 static usb_callback_t   run_bulk_tx_callback1;
330 static usb_callback_t   run_bulk_tx_callback2;
331 static usb_callback_t   run_bulk_tx_callback3;
332 static usb_callback_t   run_bulk_tx_callback4;
333 static usb_callback_t   run_bulk_tx_callback5;
334
335 static void     run_autoinst(void *, struct usb_device *,
336                     struct usb_attach_arg *);
337 static int      run_driver_loaded(struct module *, int, void *);
338 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
339                     usb_error_t error, u_int index);
340 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
341                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
342                     const uint8_t [IEEE80211_ADDR_LEN],
343                     const uint8_t [IEEE80211_ADDR_LEN]);
344 static void     run_vap_delete(struct ieee80211vap *);
345 static void     run_cmdq_cb(void *, int);
346 static void     run_setup_tx_list(struct run_softc *,
347                     struct run_endpoint_queue *);
348 static void     run_unsetup_tx_list(struct run_softc *,
349                     struct run_endpoint_queue *);
350 static int      run_load_microcode(struct run_softc *);
351 static int      run_reset(struct run_softc *);
352 static usb_error_t run_do_request(struct run_softc *,
353                     struct usb_device_request *, void *);
354 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
355 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
356 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
357 static int      run_write(struct run_softc *, uint16_t, uint32_t);
358 static int      run_write_region_1(struct run_softc *, uint16_t,
359                     const uint8_t *, int);
360 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
361 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
362 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
363 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
364 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
365 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
366 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
367 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
368 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
369 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
370 static const char *run_get_rf(uint16_t);
371 static void     run_rt3593_get_txpower(struct run_softc *);
372 static void     run_get_txpower(struct run_softc *);
373 static int      run_read_eeprom(struct run_softc *);
374 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
375                             const uint8_t mac[IEEE80211_ADDR_LEN]);
376 static int      run_media_change(struct ifnet *);
377 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
378 static int      run_wme_update(struct ieee80211com *);
379 static void     run_key_set_cb(void *);
380 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *);
381 static void     run_key_delete_cb(void *);
382 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
383 static void     run_ratectl_to(void *);
384 static void     run_ratectl_cb(void *, int);
385 static void     run_drain_fifo(void *);
386 static void     run_iter_func(void *, struct ieee80211_node *);
387 static void     run_newassoc_cb(void *);
388 static void     run_newassoc(struct ieee80211_node *, int);
389 static void     run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
390                     const struct ieee80211_rx_stats *, int, int);
391 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
392 static void     run_tx_free(struct run_endpoint_queue *pq,
393                     struct run_tx_data *, int);
394 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
395 static int      run_tx(struct run_softc *, struct mbuf *,
396                     struct ieee80211_node *);
397 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
398                     struct ieee80211_node *);
399 static int      run_sendprot(struct run_softc *, const struct mbuf *,
400                     struct ieee80211_node *, int, int);
401 static int      run_tx_param(struct run_softc *, struct mbuf *,
402                     struct ieee80211_node *,
403                     const struct ieee80211_bpf_params *);
404 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
405                     const struct ieee80211_bpf_params *);
406 static int      run_transmit(struct ieee80211com *, struct mbuf *);
407 static void     run_start(struct run_softc *);
408 static void     run_parent(struct ieee80211com *);
409 static void     run_iq_calib(struct run_softc *, u_int);
410 static void     run_set_agc(struct run_softc *, uint8_t);
411 static void     run_select_chan_group(struct run_softc *, int);
412 static void     run_set_rx_antenna(struct run_softc *, int);
413 static void     run_rt2870_set_chan(struct run_softc *, u_int);
414 static void     run_rt3070_set_chan(struct run_softc *, u_int);
415 static void     run_rt3572_set_chan(struct run_softc *, u_int);
416 static void     run_rt3593_set_chan(struct run_softc *, u_int);
417 static void     run_rt5390_set_chan(struct run_softc *, u_int);
418 static void     run_rt5592_set_chan(struct run_softc *, u_int);
419 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
420 static void     run_set_channel(struct ieee80211com *);
421 static void     run_scan_start(struct ieee80211com *);
422 static void     run_scan_end(struct ieee80211com *);
423 static void     run_update_beacon(struct ieee80211vap *, int);
424 static void     run_update_beacon_cb(void *);
425 static void     run_updateprot(struct ieee80211com *);
426 static void     run_updateprot_cb(void *);
427 static void     run_usb_timeout_cb(void *);
428 static void     run_reset_livelock(struct run_softc *);
429 static void     run_enable_tsf_sync(struct run_softc *);
430 static void     run_enable_tsf(struct run_softc *);
431 static void     run_get_tsf(struct run_softc *, uint64_t *);
432 static void     run_enable_mrr(struct run_softc *);
433 static void     run_set_txpreamble(struct run_softc *);
434 static void     run_set_basicrates(struct run_softc *);
435 static void     run_set_leds(struct run_softc *, uint16_t);
436 static void     run_set_bssid(struct run_softc *, const uint8_t *);
437 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
438 static void     run_updateslot(struct ieee80211com *);
439 static void     run_updateslot_cb(void *);
440 static void     run_update_mcast(struct ieee80211com *);
441 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
442 static void     run_update_promisc_locked(struct run_softc *);
443 static void     run_update_promisc(struct ieee80211com *);
444 static void     run_rt5390_bbp_init(struct run_softc *);
445 static int      run_bbp_init(struct run_softc *);
446 static int      run_rt3070_rf_init(struct run_softc *);
447 static void     run_rt3593_rf_init(struct run_softc *);
448 static void     run_rt5390_rf_init(struct run_softc *);
449 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
450                     uint8_t *);
451 static void     run_rt3070_rf_setup(struct run_softc *);
452 static void     run_rt3593_rf_setup(struct run_softc *);
453 static void     run_rt5390_rf_setup(struct run_softc *);
454 static int      run_txrx_enable(struct run_softc *);
455 static void     run_adjust_freq_offset(struct run_softc *);
456 static void     run_init_locked(struct run_softc *);
457 static void     run_stop(void *);
458 static void     run_delay(struct run_softc *, u_int);
459
460 static eventhandler_tag run_etag;
461
462 static const struct rt2860_rate {
463         uint8_t         rate;
464         uint8_t         mcs;
465         enum            ieee80211_phytype phy;
466         uint8_t         ctl_ridx;
467         uint16_t        sp_ack_dur;
468         uint16_t        lp_ack_dur;
469 } rt2860_rates[] = {
470         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
471         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
472         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
473         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
474         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
475         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
476         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
477         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
478         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
479         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
480         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
481         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
482 };
483
484 static const struct {
485         uint16_t        reg;
486         uint32_t        val;
487 } rt2870_def_mac[] = {
488         RT2870_DEF_MAC
489 };
490
491 static const struct {
492         uint8_t reg;
493         uint8_t val;
494 } rt2860_def_bbp[] = {
495         RT2860_DEF_BBP
496 },rt5390_def_bbp[] = {
497         RT5390_DEF_BBP
498 },rt5592_def_bbp[] = {
499         RT5592_DEF_BBP
500 };
501
502 /* 
503  * Default values for BBP register R196 for RT5592.
504  */
505 static const uint8_t rt5592_bbp_r196[] = {
506         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
507         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
508         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
509         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
510         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
511         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
512         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
513         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
514         0x2e, 0x36, 0x30, 0x6e
515 };
516
517 static const struct rfprog {
518         uint8_t         chan;
519         uint32_t        r1, r2, r3, r4;
520 } rt2860_rf2850[] = {
521         RT2860_RF2850
522 };
523
524 struct {
525         uint8_t n, r, k;
526 } rt3070_freqs[] = {
527         RT3070_RF3052
528 };
529
530 static const struct rt5592_freqs {
531         uint16_t        n;
532         uint8_t         k, m, r;
533 } rt5592_freqs_20mhz[] = {
534         RT5592_RF5592_20MHZ
535 },rt5592_freqs_40mhz[] = {
536         RT5592_RF5592_40MHZ
537 };
538
539 static const struct {
540         uint8_t reg;
541         uint8_t val;
542 } rt3070_def_rf[] = {
543         RT3070_DEF_RF
544 },rt3572_def_rf[] = {
545         RT3572_DEF_RF
546 },rt3593_def_rf[] = {
547         RT3593_DEF_RF
548 },rt5390_def_rf[] = {
549         RT5390_DEF_RF
550 },rt5392_def_rf[] = {
551         RT5392_DEF_RF
552 },rt5592_def_rf[] = {
553         RT5592_DEF_RF
554 },rt5592_2ghz_def_rf[] = {
555         RT5592_2GHZ_DEF_RF
556 },rt5592_5ghz_def_rf[] = {
557         RT5592_5GHZ_DEF_RF
558 };
559
560 static const struct {
561         u_int   firstchan;
562         u_int   lastchan;
563         uint8_t reg;
564         uint8_t val;
565 } rt5592_chan_5ghz[] = {
566         RT5592_CHAN_5GHZ
567 };
568
569 static const struct usb_config run_config[RUN_N_XFER] = {
570     [RUN_BULK_TX_BE] = {
571         .type = UE_BULK,
572         .endpoint = UE_ADDR_ANY,
573         .ep_index = 0,
574         .direction = UE_DIR_OUT,
575         .bufsize = RUN_MAX_TXSZ,
576         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
577         .callback = run_bulk_tx_callback0,
578         .timeout = 5000,        /* ms */
579     },
580     [RUN_BULK_TX_BK] = {
581         .type = UE_BULK,
582         .endpoint = UE_ADDR_ANY,
583         .direction = UE_DIR_OUT,
584         .ep_index = 1,
585         .bufsize = RUN_MAX_TXSZ,
586         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
587         .callback = run_bulk_tx_callback1,
588         .timeout = 5000,        /* ms */
589     },
590     [RUN_BULK_TX_VI] = {
591         .type = UE_BULK,
592         .endpoint = UE_ADDR_ANY,
593         .direction = UE_DIR_OUT,
594         .ep_index = 2,
595         .bufsize = RUN_MAX_TXSZ,
596         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
597         .callback = run_bulk_tx_callback2,
598         .timeout = 5000,        /* ms */
599     },
600     [RUN_BULK_TX_VO] = {
601         .type = UE_BULK,
602         .endpoint = UE_ADDR_ANY,
603         .direction = UE_DIR_OUT,
604         .ep_index = 3,
605         .bufsize = RUN_MAX_TXSZ,
606         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
607         .callback = run_bulk_tx_callback3,
608         .timeout = 5000,        /* ms */
609     },
610     [RUN_BULK_TX_HCCA] = {
611         .type = UE_BULK,
612         .endpoint = UE_ADDR_ANY,
613         .direction = UE_DIR_OUT,
614         .ep_index = 4,
615         .bufsize = RUN_MAX_TXSZ,
616         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
617         .callback = run_bulk_tx_callback4,
618         .timeout = 5000,        /* ms */
619     },
620     [RUN_BULK_TX_PRIO] = {
621         .type = UE_BULK,
622         .endpoint = UE_ADDR_ANY,
623         .direction = UE_DIR_OUT,
624         .ep_index = 5,
625         .bufsize = RUN_MAX_TXSZ,
626         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
627         .callback = run_bulk_tx_callback5,
628         .timeout = 5000,        /* ms */
629     },
630     [RUN_BULK_RX] = {
631         .type = UE_BULK,
632         .endpoint = UE_ADDR_ANY,
633         .direction = UE_DIR_IN,
634         .bufsize = RUN_MAX_RXSZ,
635         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
636         .callback = run_bulk_rx_callback,
637     }
638 };
639
640 static void
641 run_autoinst(void *arg, struct usb_device *udev,
642     struct usb_attach_arg *uaa)
643 {
644         struct usb_interface *iface;
645         struct usb_interface_descriptor *id;
646
647         if (uaa->dev_state != UAA_DEV_READY)
648                 return;
649
650         iface = usbd_get_iface(udev, 0);
651         if (iface == NULL)
652                 return;
653         id = iface->idesc;
654         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
655                 return;
656         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
657                 return;
658
659         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
660                 uaa->dev_state = UAA_DEV_EJECTING;
661 }
662
663 static int
664 run_driver_loaded(struct module *mod, int what, void *arg)
665 {
666         switch (what) {
667         case MOD_LOAD:
668                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
669                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
670                 break;
671         case MOD_UNLOAD:
672                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
673                 break;
674         default:
675                 return (EOPNOTSUPP);
676         }
677         return (0);
678 }
679
680 static int
681 run_match(device_t self)
682 {
683         struct usb_attach_arg *uaa = device_get_ivars(self);
684
685         if (uaa->usb_mode != USB_MODE_HOST)
686                 return (ENXIO);
687         if (uaa->info.bConfigIndex != 0)
688                 return (ENXIO);
689         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
690                 return (ENXIO);
691
692         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
693 }
694
695 static int
696 run_attach(device_t self)
697 {
698         struct run_softc *sc = device_get_softc(self);
699         struct usb_attach_arg *uaa = device_get_ivars(self);
700         struct ieee80211com *ic = &sc->sc_ic;
701         uint32_t ver;
702         uint8_t bands[IEEE80211_MODE_BYTES];
703         uint8_t iface_index;
704         int ntries, error;
705
706         device_set_usb_desc(self);
707         sc->sc_udev = uaa->device;
708         sc->sc_dev = self;
709         if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
710                 sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
711
712 #if defined(__DragonFly__)
713         lockinit(&sc->sc_lock, device_get_nameunit(sc->sc_dev),
714             0, LK_CANRECURSE);
715 #else
716         mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
717             MTX_NETWORK_LOCK, MTX_DEF);
718 #endif
719         mbufq_init(&sc->sc_snd, ifqmaxlen);
720
721         iface_index = RT2860_IFACE_INDEX;
722
723         error = usbd_transfer_setup(uaa->device, &iface_index,
724             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_lock);
725         if (error) {
726                 device_printf(self, "could not allocate USB transfers, "
727                     "err=%s\n", usbd_errstr(error));
728                 goto detach;
729         }
730
731         RUN_LOCK(sc);
732
733         /* wait for the chip to settle */
734         for (ntries = 0; ntries < 100; ntries++) {
735                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
736                         RUN_UNLOCK(sc);
737                         goto detach;
738                 }
739                 if (ver != 0 && ver != 0xffffffff)
740                         break;
741                 run_delay(sc, 10);
742         }
743         if (ntries == 100) {
744                 device_printf(sc->sc_dev,
745                     "timeout waiting for NIC to initialize\n");
746                 RUN_UNLOCK(sc);
747                 goto detach;
748         }
749         sc->mac_ver = ver >> 16;
750         sc->mac_rev = ver & 0xffff;
751
752         /* retrieve RF rev. no and various other things from EEPROM */
753         run_read_eeprom(sc);
754
755         device_printf(sc->sc_dev,
756             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
757             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
758             sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
759
760         RUN_UNLOCK(sc);
761
762         ic->ic_softc = sc;
763         ic->ic_name = device_get_nameunit(self);
764         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
765         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
766
767         /* set device capabilities */
768         ic->ic_caps =
769             IEEE80211_C_STA |           /* station mode supported */
770             IEEE80211_C_MONITOR |       /* monitor mode supported */
771             IEEE80211_C_IBSS |
772             IEEE80211_C_HOSTAP |
773             IEEE80211_C_WDS |           /* 4-address traffic works */
774             IEEE80211_C_MBSS |
775             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
776             IEEE80211_C_SHSLOT |        /* short slot time supported */
777             IEEE80211_C_WME |           /* WME */
778             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
779
780         ic->ic_cryptocaps =
781             IEEE80211_CRYPTO_WEP |
782             IEEE80211_CRYPTO_AES_CCM |
783             IEEE80211_CRYPTO_TKIPMIC |
784             IEEE80211_CRYPTO_TKIP;
785
786         ic->ic_flags |= IEEE80211_F_DATAPAD;
787         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
788
789         memset(bands, 0, sizeof(bands));
790         setbit(bands, IEEE80211_MODE_11B);
791         setbit(bands, IEEE80211_MODE_11G);
792         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
793             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
794             sc->rf_rev == RT5592_RF_5592)
795                 setbit(bands, IEEE80211_MODE_11A);
796         ieee80211_init_channels(ic, NULL, bands);
797
798         ieee80211_ifattach(ic);
799
800         ic->ic_scan_start = run_scan_start;
801         ic->ic_scan_end = run_scan_end;
802         ic->ic_set_channel = run_set_channel;
803         ic->ic_node_alloc = run_node_alloc;
804         ic->ic_newassoc = run_newassoc;
805         ic->ic_updateslot = run_updateslot;
806         ic->ic_update_mcast = run_update_mcast;
807         ic->ic_wme.wme_update = run_wme_update;
808         ic->ic_raw_xmit = run_raw_xmit;
809         ic->ic_update_promisc = run_update_promisc;
810         ic->ic_vap_create = run_vap_create;
811         ic->ic_vap_delete = run_vap_delete;
812         ic->ic_transmit = run_transmit;
813         ic->ic_parent = run_parent;
814
815         ieee80211_radiotap_attach(ic,
816             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
817                 RUN_TX_RADIOTAP_PRESENT,
818             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
819                 RUN_RX_RADIOTAP_PRESENT);
820
821         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
822         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
823         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_lock, 0);
824
825         if (bootverbose)
826                 ieee80211_announce(ic);
827
828         return (0);
829
830 detach:
831         run_detach(self);
832         return (ENXIO);
833 }
834
835 static void
836 run_drain_mbufq(struct run_softc *sc)
837 {
838         struct mbuf *m;
839         struct ieee80211_node *ni;
840
841         RUN_LOCK_ASSERT(sc, MA_OWNED);
842         while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
843                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
844                 m->m_pkthdr.rcvif = NULL;
845                 ieee80211_free_node(ni);
846                 m_freem(m);
847         }
848 }
849
850 static int
851 run_detach(device_t self)
852 {
853         struct run_softc *sc = device_get_softc(self);
854         struct ieee80211com *ic = &sc->sc_ic;
855         int i;
856
857         RUN_LOCK(sc);
858         sc->sc_detached = 1;
859         RUN_UNLOCK(sc);
860
861         /* stop all USB transfers */
862         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
863
864         RUN_LOCK(sc);
865         sc->ratectl_run = RUN_RATECTL_OFF;
866         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
867
868         /* free TX list, if any */
869         for (i = 0; i != RUN_EP_QUEUES; i++)
870                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
871
872         /* Free TX queue */
873         run_drain_mbufq(sc);
874         RUN_UNLOCK(sc);
875
876         if (sc->sc_ic.ic_softc == sc) {
877                 /* drain tasks */
878                 usb_callout_drain(&sc->ratectl_ch);
879                 ieee80211_draintask(ic, &sc->cmdq_task);
880                 ieee80211_draintask(ic, &sc->ratectl_task);
881                 ieee80211_ifdetach(ic);
882         }
883
884 #if defined(__DragonFly__)
885         lockuninit(&sc->sc_lock);
886 #else
887         mtx_destroy(&sc->sc_mtx);
888 #endif
889
890         return (0);
891 }
892
893 static struct ieee80211vap *
894 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
895     enum ieee80211_opmode opmode, int flags,
896     const uint8_t bssid[IEEE80211_ADDR_LEN],
897     const uint8_t mac[IEEE80211_ADDR_LEN])
898 {
899         struct run_softc *sc = ic->ic_softc;
900         struct run_vap *rvp;
901         struct ieee80211vap *vap;
902         int i;
903
904         if (sc->rvp_cnt >= RUN_VAP_MAX) {
905                 device_printf(sc->sc_dev, "number of VAPs maxed out\n");
906                 return (NULL);
907         }
908
909         switch (opmode) {
910         case IEEE80211_M_STA:
911                 /* enable s/w bmiss handling for sta mode */
912                 flags |= IEEE80211_CLONE_NOBEACONS; 
913                 /* fall though */
914         case IEEE80211_M_IBSS:
915         case IEEE80211_M_MONITOR:
916         case IEEE80211_M_HOSTAP:
917         case IEEE80211_M_MBSS:
918                 /* other than WDS vaps, only one at a time */
919                 if (!TAILQ_EMPTY(&ic->ic_vaps))
920                         return (NULL);
921                 break;
922         case IEEE80211_M_WDS:
923                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
924                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
925                                 continue;
926                         /* WDS vap's always share the local mac address. */
927                         flags &= ~IEEE80211_CLONE_BSSID;
928                         break;
929                 }
930                 if (vap == NULL) {
931                         device_printf(sc->sc_dev,
932                             "wds only supported in ap mode\n");
933                         return (NULL);
934                 }
935                 break;
936         default:
937                 device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
938                 return (NULL);
939         }
940
941         rvp = kmalloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
942         vap = &rvp->vap;
943
944         if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
945             bssid) != 0) {
946                 /* out of memory */
947                 kfree(rvp, M_80211_VAP);
948                 return (NULL);
949         }
950
951         vap->iv_update_beacon = run_update_beacon;
952         vap->iv_max_aid = RT2870_WCID_MAX;
953         /*
954          * To delete the right key from h/w, we need wcid.
955          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
956          * and matching wcid will be written into there. So, cast
957          * some spells to remove 'const' from ieee80211_key{}
958          */
959         vap->iv_key_delete = (void *)run_key_delete;
960         vap->iv_key_set = (void *)run_key_set;
961
962         /* override state transition machine */
963         rvp->newstate = vap->iv_newstate;
964         vap->iv_newstate = run_newstate;
965         if (opmode == IEEE80211_M_IBSS) {
966                 rvp->recv_mgmt = vap->iv_recv_mgmt;
967                 vap->iv_recv_mgmt = run_recv_mgmt;
968         }
969
970         ieee80211_ratectl_init(vap);
971         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
972
973         /* complete setup */
974         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
975             mac);
976
977         /* make sure id is always unique */
978         for (i = 0; i < RUN_VAP_MAX; i++) {
979                 if((sc->rvp_bmap & 1 << i) == 0){
980                         sc->rvp_bmap |= 1 << i;
981                         rvp->rvp_id = i;
982                         break;
983                 }
984         }
985         if (sc->rvp_cnt++ == 0)
986                 ic->ic_opmode = opmode;
987
988         if (opmode == IEEE80211_M_HOSTAP)
989                 sc->cmdq_run = RUN_CMDQ_GO;
990
991         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
992             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
993
994         return (vap);
995 }
996
997 static void
998 run_vap_delete(struct ieee80211vap *vap)
999 {
1000         struct run_vap *rvp = RUN_VAP(vap);
1001         struct ieee80211com *ic;
1002         struct run_softc *sc;
1003         uint8_t rvp_id;
1004
1005         if (vap == NULL)
1006                 return;
1007
1008         ic = vap->iv_ic;
1009         sc = ic->ic_softc;
1010
1011         RUN_LOCK(sc);
1012
1013         m_freem(rvp->beacon_mbuf);
1014         rvp->beacon_mbuf = NULL;
1015
1016         rvp_id = rvp->rvp_id;
1017         sc->ratectl_run &= ~(1 << rvp_id);
1018         sc->rvp_bmap &= ~(1 << rvp_id);
1019         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1020         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1021         --sc->rvp_cnt;
1022
1023         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1024             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1025
1026         RUN_UNLOCK(sc);
1027
1028         ieee80211_ratectl_deinit(vap);
1029         ieee80211_vap_detach(vap);
1030         kfree(rvp, M_80211_VAP);
1031 }
1032
1033 /*
1034  * There are numbers of functions need to be called in context thread.
1035  * Rather than creating taskqueue event for each of those functions,
1036  * here is all-for-one taskqueue callback function. This function
1037  * guarantees deferred functions are executed in the same order they
1038  * were enqueued.
1039  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1040  */
1041 static void
1042 run_cmdq_cb(void *arg, int pending)
1043 {
1044         struct run_softc *sc = arg;
1045         uint8_t i;
1046
1047         /* call cmdq[].func locked */
1048         RUN_LOCK(sc);
1049         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1050             i = sc->cmdq_exec, pending--) {
1051                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1052                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1053                         /*
1054                          * If arg0 is NULL, callback func needs more
1055                          * than one arg. So, pass ptr to cmdq struct.
1056                          */
1057                         if (sc->cmdq[i].arg0)
1058                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1059                         else
1060                                 sc->cmdq[i].func(&sc->cmdq[i]);
1061                 }
1062                 sc->cmdq[i].arg0 = NULL;
1063                 sc->cmdq[i].func = NULL;
1064                 sc->cmdq_exec++;
1065                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1066         }
1067         RUN_UNLOCK(sc);
1068 }
1069
1070 static void
1071 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1072 {
1073         struct run_tx_data *data;
1074
1075         memset(pq, 0, sizeof(*pq));
1076
1077         STAILQ_INIT(&pq->tx_qh);
1078         STAILQ_INIT(&pq->tx_fh);
1079
1080         for (data = &pq->tx_data[0];
1081             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1082                 data->sc = sc;
1083                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1084         }
1085         pq->tx_nfree = RUN_TX_RING_COUNT;
1086 }
1087
1088 static void
1089 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1090 {
1091         struct run_tx_data *data;
1092
1093         /* make sure any subsequent use of the queues will fail */
1094         pq->tx_nfree = 0;
1095         STAILQ_INIT(&pq->tx_fh);
1096         STAILQ_INIT(&pq->tx_qh);
1097
1098         /* free up all node references and mbufs */
1099         for (data = &pq->tx_data[0];
1100             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1101                 if (data->m != NULL) {
1102                         m_freem(data->m);
1103                         data->m = NULL;
1104                 }
1105                 if (data->ni != NULL) {
1106                         ieee80211_free_node(data->ni);
1107                         data->ni = NULL;
1108                 }
1109         }
1110 }
1111
1112 static int
1113 run_load_microcode(struct run_softc *sc)
1114 {
1115         usb_device_request_t req;
1116         const struct firmware *fw;
1117         const u_char *base;
1118         uint32_t tmp;
1119         int ntries, error;
1120         const uint64_t *temp;
1121         uint64_t bytes;
1122
1123         RUN_UNLOCK(sc);
1124         fw = firmware_get("runfw");
1125         RUN_LOCK(sc);
1126         if (fw == NULL) {
1127                 device_printf(sc->sc_dev,
1128                     "failed loadfirmware of file %s\n", "runfw");
1129                 return ENOENT;
1130         }
1131
1132         if (fw->datasize != 8192) {
1133                 device_printf(sc->sc_dev,
1134                     "invalid firmware size (should be 8KB)\n");
1135                 error = EINVAL;
1136                 goto fail;
1137         }
1138
1139         /*
1140          * RT3071/RT3072 use a different firmware
1141          * run-rt2870 (8KB) contains both,
1142          * first half (4KB) is for rt2870,
1143          * last half is for rt3071.
1144          */
1145         base = fw->data;
1146         if ((sc->mac_ver) != 0x2860 &&
1147             (sc->mac_ver) != 0x2872 &&
1148             (sc->mac_ver) != 0x3070) { 
1149                 base += 4096;
1150         }
1151
1152         /* cheap sanity check */
1153         temp = (const void *)fw->data;
1154         bytes = *temp;
1155         if (bytes != be64toh(0xffffff0210280210ULL)) {
1156                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1157                 error = EINVAL;
1158                 goto fail;
1159         }
1160
1161         /* write microcode image */
1162         if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1163                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1164                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1165                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1166         }
1167
1168         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1169         req.bRequest = RT2870_RESET;
1170         USETW(req.wValue, 8);
1171         USETW(req.wIndex, 0);
1172         USETW(req.wLength, 0);
1173         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, NULL))
1174             != 0) {
1175                 device_printf(sc->sc_dev, "firmware reset failed\n");
1176                 goto fail;
1177         }
1178
1179         run_delay(sc, 10);
1180
1181         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1182         run_write(sc, RT2860_H2M_MAILBOX, 0);
1183         run_write(sc, RT2860_H2M_INTSRC, 0);
1184         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1185                 goto fail;
1186
1187         /* wait until microcontroller is ready */
1188         for (ntries = 0; ntries < 1000; ntries++) {
1189                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1190                         goto fail;
1191                 if (tmp & RT2860_MCU_READY)
1192                         break;
1193                 run_delay(sc, 10);
1194         }
1195         if (ntries == 1000) {
1196                 device_printf(sc->sc_dev,
1197                     "timeout waiting for MCU to initialize\n");
1198                 error = ETIMEDOUT;
1199                 goto fail;
1200         }
1201         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1202             (base == fw->data) ? "RT2870" : "RT3071",
1203             *(base + 4092), *(base + 4093));
1204
1205 fail:
1206         firmware_put(fw, FIRMWARE_UNLOAD);
1207         return (error);
1208 }
1209
1210 static int
1211 run_reset(struct run_softc *sc)
1212 {
1213         usb_device_request_t req;
1214
1215         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1216         req.bRequest = RT2870_RESET;
1217         USETW(req.wValue, 1);
1218         USETW(req.wIndex, 0);
1219         USETW(req.wLength, 0);
1220         return (usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, NULL));
1221 }
1222
1223 static usb_error_t
1224 run_do_request(struct run_softc *sc,
1225     struct usb_device_request *req, void *data)
1226 {
1227         usb_error_t err = 0;    /* assign to whack bogus gcc warning */
1228         int ntries = 10;
1229
1230         RUN_LOCK_ASSERT(sc, MA_OWNED);
1231
1232         while (ntries--) {
1233                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_lock,
1234                     req, data, 0, NULL, 250 /* ms */);
1235                 if (err == 0)
1236                         break;
1237                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1238                     usbd_errstr(err));
1239                 run_delay(sc, 10);
1240         }
1241         return (err);
1242 }
1243
1244 static int
1245 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1246 {
1247         uint32_t tmp;
1248         int error;
1249
1250         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1251         if (error == 0)
1252                 *val = le32toh(tmp);
1253         else
1254                 *val = 0xffffffff;
1255         return (error);
1256 }
1257
1258 static int
1259 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1260 {
1261         usb_device_request_t req;
1262
1263         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1264         req.bRequest = RT2870_READ_REGION_1;
1265         USETW(req.wValue, 0);
1266         USETW(req.wIndex, reg);
1267         USETW(req.wLength, len);
1268
1269         return (run_do_request(sc, &req, buf));
1270 }
1271
1272 static int
1273 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1274 {
1275         usb_device_request_t req;
1276
1277         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1278         req.bRequest = RT2870_WRITE_2;
1279         USETW(req.wValue, val);
1280         USETW(req.wIndex, reg);
1281         USETW(req.wLength, 0);
1282
1283         return (run_do_request(sc, &req, NULL));
1284 }
1285
1286 static int
1287 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1288 {
1289         int error;
1290
1291         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1292                 error = run_write_2(sc, reg + 2, val >> 16);
1293         return (error);
1294 }
1295
1296 static int
1297 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1298     int len)
1299 {
1300 #if 1
1301         int i, error = 0;
1302         /*
1303          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1304          * We thus issue multiple WRITE_2 commands instead.
1305          */
1306         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1307         for (i = 0; i < len && error == 0; i += 2)
1308                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1309         return (error);
1310 #else
1311         usb_device_request_t req;
1312         int error = 0;
1313
1314         /*
1315          * NOTE: It appears the WRITE_REGION_1 command cannot be
1316          * passed a huge amount of data, which will crash the
1317          * firmware. Limit amount of data passed to 64-bytes at a
1318          * time.
1319          */
1320         while (len > 0) {
1321                 int delta = 64;
1322                 if (delta > len)
1323                         delta = len;
1324
1325                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1326                 req.bRequest = RT2870_WRITE_REGION_1;
1327                 USETW(req.wValue, 0);
1328                 USETW(req.wIndex, reg);
1329                 USETW(req.wLength, delta);
1330                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1331                 if (error != 0)
1332                         break;
1333                 reg += delta;
1334                 buf += delta;
1335                 len -= delta;
1336         }
1337         return (error);
1338 #endif
1339 }
1340
1341 static int
1342 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1343 {
1344         int i, error = 0;
1345
1346         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1347         for (i = 0; i < len && error == 0; i += 4)
1348                 error = run_write(sc, reg + i, val);
1349         return (error);
1350 }
1351
1352 static int
1353 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1354 {
1355         uint32_t tmp;
1356         uint16_t reg;
1357         int error, ntries;
1358
1359         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1360                 return (error);
1361
1362         if (count == 2)
1363                 addr *= 2;
1364         /*-
1365          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1366          * DATA0: F E D C
1367          * DATA1: B A 9 8
1368          * DATA2: 7 6 5 4
1369          * DATA3: 3 2 1 0
1370          */
1371         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1372         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1373         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1374         for (ntries = 0; ntries < 100; ntries++) {
1375                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1376                         return (error);
1377                 if (!(tmp & RT3070_EFSROM_KICK))
1378                         break;
1379                 run_delay(sc, 2);
1380         }
1381         if (ntries == 100)
1382                 return (ETIMEDOUT);
1383
1384         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1385                 *val = 0xffff;  /* address not found */
1386                 return (0);
1387         }
1388         /* determine to which 32-bit register our 16-bit word belongs */
1389         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1390         if ((error = run_read(sc, reg, &tmp)) != 0)
1391                 return (error);
1392
1393         tmp >>= (8 * (addr & 0x3));
1394         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1395
1396         return (0);
1397 }
1398
1399 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1400 static int
1401 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1402 {
1403         return (run_efuse_read(sc, addr, val, 2));
1404 }
1405
1406 static int
1407 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1408 {
1409         usb_device_request_t req;
1410         uint16_t tmp;
1411         int error;
1412
1413         addr *= 2;
1414         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1415         req.bRequest = RT2870_EEPROM_READ;
1416         USETW(req.wValue, 0);
1417         USETW(req.wIndex, addr);
1418         USETW(req.wLength, sizeof(tmp));
1419
1420         error = usbd_do_request(sc->sc_udev, &sc->sc_lock, &req, &tmp);
1421         if (error == 0)
1422                 *val = le16toh(tmp);
1423         else
1424                 *val = 0xffff;
1425         return (error);
1426 }
1427
1428 static __inline int
1429 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1430 {
1431         /* either eFUSE ROM or EEPROM */
1432         return sc->sc_srom_read(sc, addr, val);
1433 }
1434
1435 static int
1436 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1437 {
1438         uint32_t tmp;
1439         int error, ntries;
1440
1441         for (ntries = 0; ntries < 10; ntries++) {
1442                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1443                         return (error);
1444                 if (!(tmp & RT2860_RF_REG_CTRL))
1445                         break;
1446         }
1447         if (ntries == 10)
1448                 return (ETIMEDOUT);
1449
1450         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1451 }
1452
1453 static int
1454 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1455 {
1456         uint32_t tmp;
1457         int error, ntries;
1458
1459         *val = 0;
1460         for (ntries = 0; ntries < 100; ntries++) {
1461                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1462                         return (error);
1463                 if (!(tmp & RT3070_RF_KICK))
1464                         break;
1465         }
1466         if (ntries == 100)
1467                 return (ETIMEDOUT);
1468
1469         tmp = RT3070_RF_KICK | reg << 8;
1470         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1471                 return (error);
1472
1473         for (ntries = 0; ntries < 100; ntries++) {
1474                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1475                         return (error);
1476                 if (!(tmp & RT3070_RF_KICK))
1477                         break;
1478         }
1479         if (ntries == 100)
1480                 return (ETIMEDOUT);
1481
1482         *val = tmp & 0xff;
1483         return (0);
1484 }
1485
1486 static int
1487 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1488 {
1489         uint32_t tmp;
1490         int error, ntries;
1491
1492         for (ntries = 0; ntries < 10; ntries++) {
1493                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1494                         return (error);
1495                 if (!(tmp & RT3070_RF_KICK))
1496                         break;
1497         }
1498         if (ntries == 10)
1499                 return (ETIMEDOUT);
1500
1501         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1502         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1503 }
1504
1505 static int
1506 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1507 {
1508         uint32_t tmp;
1509         int ntries, error;
1510
1511         for (ntries = 0; ntries < 10; ntries++) {
1512                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1513                         return (error);
1514                 if (!(tmp & RT2860_BBP_CSR_KICK))
1515                         break;
1516         }
1517         if (ntries == 10)
1518                 return (ETIMEDOUT);
1519
1520         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1521         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1522                 return (error);
1523
1524         for (ntries = 0; ntries < 10; ntries++) {
1525                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1526                         return (error);
1527                 if (!(tmp & RT2860_BBP_CSR_KICK))
1528                         break;
1529         }
1530         if (ntries == 10)
1531                 return (ETIMEDOUT);
1532
1533         *val = tmp & 0xff;
1534         return (0);
1535 }
1536
1537 static int
1538 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1539 {
1540         uint32_t tmp;
1541         int ntries, error;
1542
1543         for (ntries = 0; ntries < 10; ntries++) {
1544                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1545                         return (error);
1546                 if (!(tmp & RT2860_BBP_CSR_KICK))
1547                         break;
1548         }
1549         if (ntries == 10)
1550                 return (ETIMEDOUT);
1551
1552         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1553         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1554 }
1555
1556 /*
1557  * Send a command to the 8051 microcontroller unit.
1558  */
1559 static int
1560 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1561 {
1562         uint32_t tmp;
1563         int error, ntries;
1564
1565         for (ntries = 0; ntries < 100; ntries++) {
1566                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1567                         return error;
1568                 if (!(tmp & RT2860_H2M_BUSY))
1569                         break;
1570         }
1571         if (ntries == 100)
1572                 return ETIMEDOUT;
1573
1574         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1575         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1576                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1577         return (error);
1578 }
1579
1580 /*
1581  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1582  * Used to adjust per-rate Tx power registers.
1583  */
1584 static __inline uint32_t
1585 b4inc(uint32_t b32, int8_t delta)
1586 {
1587         int8_t i, b4;
1588
1589         for (i = 0; i < 8; i++) {
1590                 b4 = b32 & 0xf;
1591                 b4 += delta;
1592                 if (b4 < 0)
1593                         b4 = 0;
1594                 else if (b4 > 0xf)
1595                         b4 = 0xf;
1596                 b32 = b32 >> 4 | b4 << 28;
1597         }
1598         return (b32);
1599 }
1600
1601 static const char *
1602 run_get_rf(uint16_t rev)
1603 {
1604         switch (rev) {
1605         case RT2860_RF_2820:    return "RT2820";
1606         case RT2860_RF_2850:    return "RT2850";
1607         case RT2860_RF_2720:    return "RT2720";
1608         case RT2860_RF_2750:    return "RT2750";
1609         case RT3070_RF_3020:    return "RT3020";
1610         case RT3070_RF_2020:    return "RT2020";
1611         case RT3070_RF_3021:    return "RT3021";
1612         case RT3070_RF_3022:    return "RT3022";
1613         case RT3070_RF_3052:    return "RT3052";
1614         case RT3593_RF_3053:    return "RT3053";
1615         case RT5592_RF_5592:    return "RT5592";
1616         case RT5390_RF_5370:    return "RT5370";
1617         case RT5390_RF_5372:    return "RT5372";
1618         }
1619         return ("unknown");
1620 }
1621
1622 static void
1623 run_rt3593_get_txpower(struct run_softc *sc)
1624 {
1625         uint16_t addr, val;
1626         int i;
1627
1628         /* Read power settings for 2GHz channels. */
1629         for (i = 0; i < 14; i += 2) {
1630                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1631                     RT2860_EEPROM_PWR2GHZ_BASE1;
1632                 run_srom_read(sc, addr + i / 2, &val);
1633                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1634                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1635
1636                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1637                     RT2860_EEPROM_PWR2GHZ_BASE2;
1638                 run_srom_read(sc, addr + i / 2, &val);
1639                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1640                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1641
1642                 if (sc->ntxchains == 3) {
1643                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1644                             &val);
1645                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1646                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1647                 }
1648         }
1649         /* Fix broken Tx power entries. */
1650         for (i = 0; i < 14; i++) {
1651                 if (sc->txpow1[i] > 31)
1652                         sc->txpow1[i] = 5;
1653                 if (sc->txpow2[i] > 31)
1654                         sc->txpow2[i] = 5;
1655                 if (sc->ntxchains == 3) {
1656                         if (sc->txpow3[i] > 31)
1657                                 sc->txpow3[i] = 5;
1658                 }
1659         }
1660         /* Read power settings for 5GHz channels. */
1661         for (i = 0; i < 40; i += 2) {
1662                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1663                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1664                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1665
1666                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1667                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1668                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1669
1670                 if (sc->ntxchains == 3) {
1671                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1672                             &val);
1673                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1674                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1675                 }
1676         }
1677 }
1678
1679 static void
1680 run_get_txpower(struct run_softc *sc)
1681 {
1682         uint16_t val;
1683         int i;
1684
1685         /* Read power settings for 2GHz channels. */
1686         for (i = 0; i < 14; i += 2) {
1687                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1688                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1689                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1690
1691                 if (sc->mac_ver != 0x5390) {
1692                         run_srom_read(sc,
1693                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1694                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1695                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1696                 }
1697         }
1698         /* Fix broken Tx power entries. */
1699         for (i = 0; i < 14; i++) {
1700                 if (sc->mac_ver >= 0x5390) {
1701                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1702                                 sc->txpow1[i] = 5;
1703                 } else {
1704                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1705                                 sc->txpow1[i] = 5;
1706                 }
1707                 if (sc->mac_ver > 0x5390) {
1708                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1709                                 sc->txpow2[i] = 5;
1710                 } else if (sc->mac_ver < 0x5390) {
1711                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1712                                 sc->txpow2[i] = 5;
1713                 }
1714                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1715                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1716         }
1717         /* Read power settings for 5GHz channels. */
1718         for (i = 0; i < 40; i += 2) {
1719                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1720                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1721                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1722
1723                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1724                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1725                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1726         }
1727         /* Fix broken Tx power entries. */
1728         for (i = 0; i < 40; i++ ) {
1729                 if (sc->mac_ver != 0x5592) {
1730                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1731                                 sc->txpow1[14 + i] = 5;
1732                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1733                                 sc->txpow2[14 + i] = 5;
1734                 }
1735                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1736                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1737                     sc->txpow2[14 + i]);
1738         }
1739 }
1740
1741 static int
1742 run_read_eeprom(struct run_softc *sc)
1743 {
1744         struct ieee80211com *ic = &sc->sc_ic;
1745         int8_t delta_2ghz, delta_5ghz;
1746         uint32_t tmp;
1747         uint16_t val;
1748         int ridx, ant, i;
1749
1750         /* check whether the ROM is eFUSE ROM or EEPROM */
1751         sc->sc_srom_read = run_eeprom_read_2;
1752         if (sc->mac_ver >= 0x3070) {
1753                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1754                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1755                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1756                         sc->sc_srom_read = run_efuse_read_2;
1757         }
1758
1759         /* read ROM version */
1760         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1761         DPRINTF("EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1762
1763         /* read MAC address */
1764         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1765         ic->ic_macaddr[0] = val & 0xff;
1766         ic->ic_macaddr[1] = val >> 8;
1767         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1768         ic->ic_macaddr[2] = val & 0xff;
1769         ic->ic_macaddr[3] = val >> 8;
1770         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1771         ic->ic_macaddr[4] = val & 0xff;
1772         ic->ic_macaddr[5] = val >> 8;
1773
1774         if (sc->mac_ver < 0x3593) {
1775                 /* read vender BBP settings */
1776                 for (i = 0; i < 10; i++) {
1777                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1778                         sc->bbp[i].val = val & 0xff;
1779                         sc->bbp[i].reg = val >> 8;
1780                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1781                             sc->bbp[i].val);
1782                 }
1783                 if (sc->mac_ver >= 0x3071) {
1784                         /* read vendor RF settings */
1785                         for (i = 0; i < 10; i++) {
1786                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1787                                    &val);
1788                                 sc->rf[i].val = val & 0xff;
1789                                 sc->rf[i].reg = val >> 8;
1790                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1791                                     sc->rf[i].val);
1792                         }
1793                 }
1794         }
1795
1796         /* read RF frequency offset from EEPROM */
1797         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1798             RT3593_EEPROM_FREQ, &val);
1799         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1800         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1801
1802         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1803             RT3593_EEPROM_FREQ_LEDS, &val);
1804         if (val >> 8 != 0xff) {
1805                 /* read LEDs operating mode */
1806                 sc->leds = val >> 8;
1807                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1808                     RT3593_EEPROM_LED1, &sc->led[0]);
1809                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1810                     RT3593_EEPROM_LED2, &sc->led[1]);
1811                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1812                     RT3593_EEPROM_LED3, &sc->led[2]);
1813         } else {
1814                 /* broken EEPROM, use default settings */
1815                 sc->leds = 0x01;
1816                 sc->led[0] = 0x5555;
1817                 sc->led[1] = 0x2221;
1818                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1819         }
1820         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1821             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1822
1823         /* read RF information */
1824         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1825                 run_srom_read(sc, 0x00, &val);
1826         else
1827                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1828
1829         if (val == 0xffff) {
1830                 device_printf(sc->sc_dev,
1831                     "invalid EEPROM antenna info, using default\n");
1832                 DPRINTF("invalid EEPROM antenna info, using default\n");
1833                 if (sc->mac_ver == 0x3572) {
1834                         /* default to RF3052 2T2R */
1835                         sc->rf_rev = RT3070_RF_3052;
1836                         sc->ntxchains = 2;
1837                         sc->nrxchains = 2;
1838                 } else if (sc->mac_ver >= 0x3070) {
1839                         /* default to RF3020 1T1R */
1840                         sc->rf_rev = RT3070_RF_3020;
1841                         sc->ntxchains = 1;
1842                         sc->nrxchains = 1;
1843                 } else {
1844                         /* default to RF2820 1T2R */
1845                         sc->rf_rev = RT2860_RF_2820;
1846                         sc->ntxchains = 1;
1847                         sc->nrxchains = 2;
1848                 }
1849         } else {
1850                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1851                         sc->rf_rev = val;
1852                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1853                 } else
1854                         sc->rf_rev = (val >> 8) & 0xf;
1855                 sc->ntxchains = (val >> 4) & 0xf;
1856                 sc->nrxchains = val & 0xf;
1857         }
1858         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1859             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1860
1861         /* check if RF supports automatic Tx access gain control */
1862         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1863         DPRINTF("EEPROM CFG 0x%04x\n", val);
1864         /* check if driver should patch the DAC issue */
1865         if ((val >> 8) != 0xff)
1866                 sc->patch_dac = (val >> 15) & 1;
1867         if ((val & 0xff) != 0xff) {
1868                 sc->ext_5ghz_lna = (val >> 3) & 1;
1869                 sc->ext_2ghz_lna = (val >> 2) & 1;
1870                 /* check if RF supports automatic Tx access gain control */
1871                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1872                 /* check if we have a hardware radio switch */
1873                 sc->rfswitch = val & 1;
1874         }
1875
1876         /* Read Tx power settings. */
1877         if (sc->mac_ver == 0x3593)
1878                 run_rt3593_get_txpower(sc);
1879         else
1880                 run_get_txpower(sc);
1881
1882         /* read Tx power compensation for each Tx rate */
1883         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1884         delta_2ghz = delta_5ghz = 0;
1885         if ((val & 0xff) != 0xff && (val & 0x80)) {
1886                 delta_2ghz = val & 0xf;
1887                 if (!(val & 0x40))      /* negative number */
1888                         delta_2ghz = -delta_2ghz;
1889         }
1890         val >>= 8;
1891         if ((val & 0xff) != 0xff && (val & 0x80)) {
1892                 delta_5ghz = val & 0xf;
1893                 if (!(val & 0x40))      /* negative number */
1894                         delta_5ghz = -delta_5ghz;
1895         }
1896         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1897             delta_2ghz, delta_5ghz);
1898
1899         for (ridx = 0; ridx < 5; ridx++) {
1900                 uint32_t reg;
1901
1902                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1903                 reg = val;
1904                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1905                 reg |= (uint32_t)val << 16;
1906
1907                 sc->txpow20mhz[ridx] = reg;
1908                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1909                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1910
1911                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1912                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1913                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1914         }
1915
1916         /* Read RSSI offsets and LNA gains from EEPROM. */
1917         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1918             RT3593_EEPROM_RSSI1_2GHZ, &val);
1919         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1920         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1921         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1922             RT3593_EEPROM_RSSI2_2GHZ, &val);
1923         if (sc->mac_ver >= 0x3070) {
1924                 if (sc->mac_ver == 0x3593) {
1925                         sc->txmixgain_2ghz = 0;
1926                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1927                 } else {
1928                         /*
1929                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1930                          * field contains the Tx mixer gain for the 2GHz band.
1931                          */
1932                         if ((val & 0xff) != 0xff)
1933                                 sc->txmixgain_2ghz = val & 0x7;
1934                 }
1935                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1936         } else
1937                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1938         if (sc->mac_ver == 0x3593)
1939                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1940         sc->lna[2] = val >> 8;          /* channel group 2 */
1941
1942         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1943             RT3593_EEPROM_RSSI1_5GHZ, &val);
1944         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1945         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1946         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1947             RT3593_EEPROM_RSSI2_5GHZ, &val);
1948         if (sc->mac_ver == 0x3572) {
1949                 /*
1950                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1951                  * field contains the Tx mixer gain for the 5GHz band.
1952                  */
1953                 if ((val & 0xff) != 0xff)
1954                         sc->txmixgain_5ghz = val & 0x7;
1955                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1956         } else
1957                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1958         if (sc->mac_ver == 0x3593) {
1959                 sc->txmixgain_5ghz = 0;
1960                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1961         }
1962         sc->lna[3] = val >> 8;          /* channel group 3 */
1963
1964         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1965             RT3593_EEPROM_LNA, &val);
1966         sc->lna[0] = val & 0xff;        /* channel group 0 */
1967         sc->lna[1] = val >> 8;          /* channel group 1 */
1968
1969         /* fix broken 5GHz LNA entries */
1970         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1971                 DPRINTF("invalid LNA for channel group %d\n", 2);
1972                 sc->lna[2] = sc->lna[1];
1973         }
1974         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1975                 DPRINTF("invalid LNA for channel group %d\n", 3);
1976                 sc->lna[3] = sc->lna[1];
1977         }
1978
1979         /* fix broken RSSI offset entries */
1980         for (ant = 0; ant < 3; ant++) {
1981                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1982                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1983                             ant + 1, sc->rssi_2ghz[ant]);
1984                         sc->rssi_2ghz[ant] = 0;
1985                 }
1986                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1987                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1988                             ant + 1, sc->rssi_5ghz[ant]);
1989                         sc->rssi_5ghz[ant] = 0;
1990                 }
1991         }
1992         return (0);
1993 }
1994
1995 static struct ieee80211_node *
1996 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1997 {
1998         return kmalloc(sizeof (struct run_node), M_DEVBUF, M_WAITOK | M_ZERO);
1999 }
2000
2001 static int
2002 run_media_change(struct ifnet *ifp)
2003 {
2004         struct ieee80211vap *vap = ifp->if_softc;
2005         struct ieee80211com *ic = vap->iv_ic;
2006         const struct ieee80211_txparam *tp;
2007         struct run_softc *sc = ic->ic_softc;
2008         uint8_t rate, ridx;
2009         int error;
2010
2011         RUN_LOCK(sc);
2012
2013         error = ieee80211_media_change(ifp);
2014         if (error != ENETRESET) {
2015                 RUN_UNLOCK(sc);
2016                 return (error);
2017         }
2018
2019         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2020         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2021                 struct ieee80211_node *ni;
2022                 struct run_node *rn;
2023
2024                 rate = ic->ic_sup_rates[ic->ic_curmode].
2025                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2026                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2027                         if (rt2860_rates[ridx].rate == rate)
2028                                 break;
2029                 ni = ieee80211_ref_node(vap->iv_bss);
2030                 rn = RUN_NODE(ni);
2031                 rn->fix_ridx = ridx;
2032                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2033                 ieee80211_free_node(ni);
2034         }
2035
2036 #if 0
2037         if ((ifp->if_flags & IFF_UP) &&
2038             (ifp->if_drv_flags &  RUN_RUNNING)){
2039                 run_init_locked(sc);
2040         }
2041 #endif
2042
2043         RUN_UNLOCK(sc);
2044
2045         return (0);
2046 }
2047
2048 static int
2049 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2050 {
2051         const struct ieee80211_txparam *tp;
2052         struct ieee80211com *ic = vap->iv_ic;
2053         struct run_softc *sc = ic->ic_softc;
2054         struct run_vap *rvp = RUN_VAP(vap);
2055         enum ieee80211_state ostate;
2056         uint32_t sta[3];
2057         uint32_t tmp;
2058         uint8_t ratectl;
2059         uint8_t restart_ratectl = 0;
2060         uint8_t bid = 1 << rvp->rvp_id;
2061
2062         ostate = vap->iv_state;
2063         DPRINTF("%s -> %s\n",
2064                 ieee80211_state_name[ostate],
2065                 ieee80211_state_name[nstate]);
2066
2067         IEEE80211_UNLOCK(ic);
2068         RUN_LOCK(sc);
2069
2070         ratectl = sc->ratectl_run; /* remember current state */
2071         sc->ratectl_run = RUN_RATECTL_OFF;
2072         usb_callout_stop(&sc->ratectl_ch);
2073
2074         if (ostate == IEEE80211_S_RUN) {
2075                 /* turn link LED off */
2076                 run_set_leds(sc, RT2860_LED_RADIO);
2077         }
2078
2079         switch (nstate) {
2080         case IEEE80211_S_INIT:
2081                 restart_ratectl = 1;
2082
2083                 if (ostate != IEEE80211_S_RUN)
2084                         break;
2085
2086                 ratectl &= ~bid;
2087                 sc->runbmap &= ~bid;
2088
2089                 /* abort TSF synchronization if there is no vap running */
2090                 if (--sc->running == 0) {
2091                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2092                         run_write(sc, RT2860_BCN_TIME_CFG,
2093                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2094                             RT2860_TBTT_TIMER_EN));
2095                 }
2096                 break;
2097
2098         case IEEE80211_S_RUN:
2099                 if (!(sc->runbmap & bid)) {
2100                         if(sc->running++)
2101                                 restart_ratectl = 1;
2102                         sc->runbmap |= bid;
2103                 }
2104
2105                 m_freem(rvp->beacon_mbuf);
2106                 rvp->beacon_mbuf = NULL;
2107
2108                 switch (vap->iv_opmode) {
2109                 case IEEE80211_M_HOSTAP:
2110                 case IEEE80211_M_MBSS:
2111                         sc->ap_running |= bid;
2112                         ic->ic_opmode = vap->iv_opmode;
2113                         run_update_beacon_cb(vap);
2114                         break;
2115                 case IEEE80211_M_IBSS:
2116                         sc->adhoc_running |= bid;
2117                         if (!sc->ap_running)
2118                                 ic->ic_opmode = vap->iv_opmode;
2119                         run_update_beacon_cb(vap);
2120                         break;
2121                 case IEEE80211_M_STA:
2122                         sc->sta_running |= bid;
2123                         if (!sc->ap_running && !sc->adhoc_running)
2124                                 ic->ic_opmode = vap->iv_opmode;
2125
2126                         /* read statistic counters (clear on read) */
2127                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2128                             (uint8_t *)sta, sizeof sta);
2129
2130                         break;
2131                 default:
2132                         ic->ic_opmode = vap->iv_opmode;
2133                         break;
2134                 }
2135
2136                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2137                         struct ieee80211_node *ni;
2138
2139                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2140                                 RUN_UNLOCK(sc);
2141                                 IEEE80211_LOCK(ic);
2142                                 return (-1);
2143                         }
2144                         run_updateslot(ic);
2145                         run_enable_mrr(sc);
2146                         run_set_txpreamble(sc);
2147                         run_set_basicrates(sc);
2148                         ni = ieee80211_ref_node(vap->iv_bss);
2149                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2150                         run_set_bssid(sc, sc->sc_bssid);
2151                         ieee80211_free_node(ni);
2152                         run_enable_tsf_sync(sc);
2153
2154                         /* enable automatic rate adaptation */
2155                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2156                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2157                                 ratectl |= bid;
2158                 } else
2159                         run_enable_tsf(sc);
2160
2161                 /* turn link LED on */
2162                 run_set_leds(sc, RT2860_LED_RADIO |
2163                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2164                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2165
2166                 break;
2167         default:
2168                 DPRINTFN(6, "undefined case\n");
2169                 break;
2170         }
2171
2172         /* restart amrr for running VAPs */
2173         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2174                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2175
2176         RUN_UNLOCK(sc);
2177         IEEE80211_LOCK(ic);
2178
2179         return(rvp->newstate(vap, nstate, arg));
2180 }
2181
2182 static int
2183 run_wme_update(struct ieee80211com *ic)
2184 {
2185         struct run_softc *sc = ic->ic_softc;
2186         const struct wmeParams *ac =
2187             ic->ic_wme.wme_chanParams.cap_wmeParams;
2188         int aci, error = 0;
2189
2190         /* update MAC TX configuration registers */
2191         RUN_LOCK(sc);
2192         for (aci = 0; aci < WME_NUM_AC; aci++) {
2193                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2194                     ac[aci].wmep_logcwmax << 16 |
2195                     ac[aci].wmep_logcwmin << 12 |
2196                     ac[aci].wmep_aifsn    <<  8 |
2197                     ac[aci].wmep_txopLimit);
2198                 if (error) goto err;
2199         }
2200
2201         /* update SCH/DMA registers too */
2202         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2203             ac[WME_AC_VO].wmep_aifsn  << 12 |
2204             ac[WME_AC_VI].wmep_aifsn  <<  8 |
2205             ac[WME_AC_BK].wmep_aifsn  <<  4 |
2206             ac[WME_AC_BE].wmep_aifsn);
2207         if (error) goto err;
2208         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2209             ac[WME_AC_VO].wmep_logcwmin << 12 |
2210             ac[WME_AC_VI].wmep_logcwmin <<  8 |
2211             ac[WME_AC_BK].wmep_logcwmin <<  4 |
2212             ac[WME_AC_BE].wmep_logcwmin);
2213         if (error) goto err;
2214         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2215             ac[WME_AC_VO].wmep_logcwmax << 12 |
2216             ac[WME_AC_VI].wmep_logcwmax <<  8 |
2217             ac[WME_AC_BK].wmep_logcwmax <<  4 |
2218             ac[WME_AC_BE].wmep_logcwmax);
2219         if (error) goto err;
2220         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2221             ac[WME_AC_BK].wmep_txopLimit << 16 |
2222             ac[WME_AC_BE].wmep_txopLimit);
2223         if (error) goto err;
2224         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2225             ac[WME_AC_VO].wmep_txopLimit << 16 |
2226             ac[WME_AC_VI].wmep_txopLimit);
2227
2228 err:
2229         RUN_UNLOCK(sc);
2230         if (error)
2231                 DPRINTF("WME update failed\n");
2232
2233         return (error);
2234 }
2235
2236 static void
2237 run_key_set_cb(void *arg)
2238 {
2239         struct run_cmdq *cmdq = arg;
2240         struct ieee80211vap *vap = cmdq->arg1;
2241         struct ieee80211_key *k = cmdq->k;
2242         struct ieee80211com *ic = vap->iv_ic;
2243         struct run_softc *sc = ic->ic_softc;
2244         struct ieee80211_node *ni;
2245         u_int cipher = k->wk_cipher->ic_cipher;
2246         uint32_t attr;
2247         uint16_t base, associd;
2248         uint8_t mode, wcid, iv[8];
2249
2250         RUN_LOCK_ASSERT(sc, MA_OWNED);
2251
2252         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2253                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2254         else
2255                 ni = vap->iv_bss;
2256         associd = (ni != NULL) ? ni->ni_associd : 0;
2257
2258         /* map net80211 cipher to RT2860 security mode */
2259         switch (cipher) {
2260         case IEEE80211_CIPHER_WEP:
2261                 if(k->wk_keylen < 8)
2262                         mode = RT2860_MODE_WEP40;
2263                 else
2264                         mode = RT2860_MODE_WEP104;
2265                 break;
2266         case IEEE80211_CIPHER_TKIP:
2267                 mode = RT2860_MODE_TKIP;
2268                 break;
2269         case IEEE80211_CIPHER_AES_CCM:
2270                 mode = RT2860_MODE_AES_CCMP;
2271                 break;
2272         default:
2273                 DPRINTF("undefined case\n");
2274                 return;
2275         }
2276
2277         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2278             associd, k->wk_keyix, mode,
2279             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2280             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2281             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2282
2283         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2284                 wcid = 0;       /* NB: update WCID0 for group keys */
2285                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2286         } else {
2287                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2288                     1 : RUN_AID2WCID(associd);
2289                 base = RT2860_PKEY(wcid);
2290         }
2291
2292         if (cipher == IEEE80211_CIPHER_TKIP) {
2293                 if(run_write_region_1(sc, base, k->wk_key, 16))
2294                         return;
2295                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2296                         return;
2297                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2298                         return;
2299         } else {
2300                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2301                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2302                         return;
2303         }
2304
2305         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2306             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2307                 /* set initial packet number in IV+EIV */
2308                 if (cipher == IEEE80211_CIPHER_WEP) {
2309                         memset(iv, 0, sizeof iv);
2310                         iv[3] = vap->iv_def_txkey << 6;
2311                 } else {
2312                         if (cipher == IEEE80211_CIPHER_TKIP) {
2313                                 iv[0] = k->wk_keytsc >> 8;
2314                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2315                                 iv[2] = k->wk_keytsc;
2316                         } else /* CCMP */ {
2317                                 iv[0] = k->wk_keytsc;
2318                                 iv[1] = k->wk_keytsc >> 8;
2319                                 iv[2] = 0;
2320                         }
2321                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2322                         iv[4] = k->wk_keytsc >> 16;
2323                         iv[5] = k->wk_keytsc >> 24;
2324                         iv[6] = k->wk_keytsc >> 32;
2325                         iv[7] = k->wk_keytsc >> 40;
2326                 }
2327                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2328                         return;
2329         }
2330
2331         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2332                 /* install group key */
2333                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2334                         return;
2335                 attr &= ~(0xf << (k->wk_keyix * 4));
2336                 attr |= mode << (k->wk_keyix * 4);
2337                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2338                         return;
2339         } else {
2340                 /* install pairwise key */
2341                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2342                         return;
2343                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2344                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2345                         return;
2346         }
2347
2348         /* TODO create a pass-thru key entry? */
2349
2350         /* need wcid to delete the right key later */
2351         k->wk_pad = wcid;
2352 }
2353
2354 /*
2355  * Don't have to be deferred, but in order to keep order of
2356  * execution, i.e. with run_key_delete(), defer this and let
2357  * run_cmdq_cb() maintain the order.
2358  *
2359  * return 0 on error
2360  */
2361 static int
2362 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2363 {
2364         struct ieee80211com *ic = vap->iv_ic;
2365         struct run_softc *sc = ic->ic_softc;
2366         uint32_t i;
2367
2368         i = RUN_CMDQ_GET(&sc->cmdq_store);
2369         DPRINTF("cmdq_store=%d\n", i);
2370         sc->cmdq[i].func = run_key_set_cb;
2371         sc->cmdq[i].arg0 = NULL;
2372         sc->cmdq[i].arg1 = vap;
2373         sc->cmdq[i].k = k;
2374         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2375         ieee80211_runtask(ic, &sc->cmdq_task);
2376
2377         /*
2378          * To make sure key will be set when hostapd
2379          * calls iv_key_set() before if_init().
2380          */
2381         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2382                 RUN_LOCK(sc);
2383                 sc->cmdq_key_set = RUN_CMDQ_GO;
2384                 RUN_UNLOCK(sc);
2385         }
2386
2387         return (1);
2388 }
2389
2390 /*
2391  * If wlan is destroyed without being brought down i.e. without
2392  * wlan down or wpa_cli terminate, this function is called after
2393  * vap is gone. Don't refer it.
2394  */
2395 static void
2396 run_key_delete_cb(void *arg)
2397 {
2398         struct run_cmdq *cmdq = arg;
2399         struct run_softc *sc = cmdq->arg1;
2400         struct ieee80211_key *k = &cmdq->key;
2401         uint32_t attr;
2402         uint8_t wcid;
2403
2404         RUN_LOCK_ASSERT(sc, MA_OWNED);
2405
2406         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2407                 /* remove group key */
2408                 DPRINTF("removing group key\n");
2409                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2410                 attr &= ~(0xf << (k->wk_keyix * 4));
2411                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2412         } else {
2413                 /* remove pairwise key */
2414                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2415                 /* matching wcid was written to wk_pad in run_key_set() */
2416                 wcid = k->wk_pad;
2417                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2418                 attr &= ~0xf;
2419                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2420                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2421         }
2422
2423         k->wk_pad = 0;
2424 }
2425
2426 /*
2427  * return 0 on error
2428  */
2429 static int
2430 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2431 {
2432         struct ieee80211com *ic = vap->iv_ic;
2433         struct run_softc *sc = ic->ic_softc;
2434         struct ieee80211_key *k0;
2435         uint32_t i;
2436
2437         /*
2438          * When called back, key might be gone. So, make a copy
2439          * of some values need to delete keys before deferring.
2440          * But, because of LOR with node lock, cannot use lock here.
2441          * So, use atomic instead.
2442          */
2443         i = RUN_CMDQ_GET(&sc->cmdq_store);
2444         DPRINTF("cmdq_store=%d\n", i);
2445         sc->cmdq[i].func = run_key_delete_cb;
2446         sc->cmdq[i].arg0 = NULL;
2447         sc->cmdq[i].arg1 = sc;
2448         k0 = &sc->cmdq[i].key;
2449         k0->wk_flags = k->wk_flags;
2450         k0->wk_keyix = k->wk_keyix;
2451         /* matching wcid was written to wk_pad in run_key_set() */
2452         k0->wk_pad = k->wk_pad;
2453         ieee80211_runtask(ic, &sc->cmdq_task);
2454         return (1);     /* return fake success */
2455
2456 }
2457
2458 static void
2459 run_ratectl_to(void *arg)
2460 {
2461         struct run_softc *sc = arg;
2462
2463         /* do it in a process context, so it can go sleep */
2464         ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2465         /* next timeout will be rescheduled in the callback task */
2466 }
2467
2468 /* ARGSUSED */
2469 static void
2470 run_ratectl_cb(void *arg, int pending)
2471 {
2472         struct run_softc *sc = arg;
2473         struct ieee80211com *ic = &sc->sc_ic;
2474         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2475
2476         if (vap == NULL)
2477                 return;
2478
2479         if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2480                 /*
2481                  * run_reset_livelock() doesn't do anything with AMRR,
2482                  * but Ralink wants us to call it every 1 sec. So, we
2483                  * piggyback here rather than creating another callout.
2484                  * Livelock may occur only in HOSTAP or IBSS mode
2485                  * (when h/w is sending beacons).
2486                  */
2487                 RUN_LOCK(sc);
2488                 run_reset_livelock(sc);
2489                 /* just in case, there are some stats to drain */
2490                 run_drain_fifo(sc);
2491                 RUN_UNLOCK(sc);
2492         }
2493
2494         ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2495
2496         RUN_LOCK(sc);
2497         if(sc->ratectl_run != RUN_RATECTL_OFF)
2498                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2499         RUN_UNLOCK(sc);
2500 }
2501
2502 static void
2503 run_drain_fifo(void *arg)
2504 {
2505         struct run_softc *sc = arg;
2506         uint32_t stat;
2507         uint16_t (*wstat)[3];
2508         uint8_t wcid, mcs, pid;
2509         int8_t retry;
2510
2511         RUN_LOCK_ASSERT(sc, MA_OWNED);
2512
2513         for (;;) {
2514                 /* drain Tx status FIFO (maxsize = 16) */
2515                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2516                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2517                 if (!(stat & RT2860_TXQ_VLD))
2518                         break;
2519
2520                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2521
2522                 /* if no ACK was requested, no feedback is available */
2523                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2524                     wcid == 0)
2525                         continue;
2526
2527                 /*
2528                  * Even though each stat is Tx-complete-status like format,
2529                  * the device can poll stats. Because there is no guarantee
2530                  * that the referring node is still around when read the stats.
2531                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2532                  * have hard time not to refer already freed node.
2533                  *
2534                  * To eliminate such page faults, we poll stats in softc.
2535                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2536                  */
2537                 wstat = &(sc->wcid_stats[wcid]);
2538                 (*wstat)[RUN_TXCNT]++;
2539                 if (stat & RT2860_TXQ_OK) {
2540                         (*wstat)[RUN_SUCCESS]++;
2541                 } else {
2542 #if defined(__DragonFly__)
2543                         ++sc->sc_ic.ic_oerrors;
2544 #else
2545                         counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2546 #endif
2547                 }
2548                 /*
2549                  * Check if there were retries, ie if the Tx success rate is
2550                  * different from the requested rate. Note that it works only
2551                  * because we do not allow rate fallback from OFDM to CCK.
2552                  */
2553                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2554                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2555                 if ((retry = pid -1 - mcs) > 0) {
2556                         (*wstat)[RUN_TXCNT] += retry;
2557                         (*wstat)[RUN_RETRY] += retry;
2558                 }
2559         }
2560         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2561
2562         sc->fifo_cnt = 0;
2563 }
2564
2565 static void
2566 run_iter_func(void *arg, struct ieee80211_node *ni)
2567 {
2568         struct run_softc *sc = arg;
2569         struct ieee80211vap *vap = ni->ni_vap;
2570         struct run_node *rn = RUN_NODE(ni);
2571         union run_stats sta[2];
2572         uint16_t (*wstat)[3];
2573         int txcnt, success, retrycnt, error;
2574
2575         RUN_LOCK(sc);
2576
2577         /* Check for special case */
2578         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2579             ni != vap->iv_bss)
2580                 goto fail;
2581
2582         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2583             vap->iv_opmode == IEEE80211_M_STA)) {
2584                 /* read statistic counters (clear on read) and update AMRR state */
2585                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2586                     sizeof sta);
2587                 if (error != 0)
2588                         goto fail;
2589
2590                 /* count failed TX as errors */
2591                 if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2592                     le16toh(sta[0].error.fail));
2593
2594                 retrycnt = le16toh(sta[1].tx.retry);
2595                 success = le16toh(sta[1].tx.success);
2596                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2597
2598                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2599                         retrycnt, success, le16toh(sta[0].error.fail));
2600         } else {
2601                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2602
2603                 if (wstat == &(sc->wcid_stats[0]) ||
2604                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2605                         goto fail;
2606
2607                 txcnt = (*wstat)[RUN_TXCNT];
2608                 success = (*wstat)[RUN_SUCCESS];
2609                 retrycnt = (*wstat)[RUN_RETRY];
2610                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2611                     retrycnt, txcnt, success);
2612
2613                 memset(wstat, 0, sizeof(*wstat));
2614         }
2615
2616         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2617         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2618
2619 fail:
2620         RUN_UNLOCK(sc);
2621
2622         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2623 }
2624
2625 static void
2626 run_newassoc_cb(void *arg)
2627 {
2628         struct run_cmdq *cmdq = arg;
2629         struct ieee80211_node *ni = cmdq->arg1;
2630         struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2631         uint8_t wcid = cmdq->wcid;
2632
2633         RUN_LOCK_ASSERT(sc, MA_OWNED);
2634
2635         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2636             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2637
2638         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2639 }
2640
2641 static void
2642 run_newassoc(struct ieee80211_node *ni, int isnew)
2643 {
2644         struct run_node *rn = RUN_NODE(ni);
2645         struct ieee80211_rateset *rs = &ni->ni_rates;
2646         struct ieee80211vap *vap = ni->ni_vap;
2647         struct ieee80211com *ic = vap->iv_ic;
2648         struct run_softc *sc = ic->ic_softc;
2649         uint8_t rate;
2650         uint8_t ridx;
2651         uint8_t wcid;
2652         int i, j;
2653
2654         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2655             1 : RUN_AID2WCID(ni->ni_associd);
2656
2657         if (wcid > RT2870_WCID_MAX) {
2658                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2659                 return;
2660         }
2661
2662         /* only interested in true associations */
2663         if (isnew && ni->ni_associd != 0) {
2664
2665                 /*
2666                  * This function could is called though timeout function.
2667                  * Need to defer.
2668                  */
2669                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2670                 DPRINTF("cmdq_store=%d\n", cnt);
2671                 sc->cmdq[cnt].func = run_newassoc_cb;
2672                 sc->cmdq[cnt].arg0 = NULL;
2673                 sc->cmdq[cnt].arg1 = ni;
2674                 sc->cmdq[cnt].wcid = wcid;
2675                 ieee80211_runtask(ic, &sc->cmdq_task);
2676         }
2677
2678         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2679             isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2680
2681         for (i = 0; i < rs->rs_nrates; i++) {
2682                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2683                 /* convert 802.11 rate to hardware rate index */
2684                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2685                         if (rt2860_rates[ridx].rate == rate)
2686                                 break;
2687                 rn->ridx[i] = ridx;
2688                 /* determine rate of control response frames */
2689                 for (j = i; j >= 0; j--) {
2690                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2691                             rt2860_rates[rn->ridx[i]].phy ==
2692                             rt2860_rates[rn->ridx[j]].phy)
2693                                 break;
2694                 }
2695                 if (j >= 0) {
2696                         rn->ctl_ridx[i] = rn->ridx[j];
2697                 } else {
2698                         /* no basic rate found, use mandatory one */
2699                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2700                 }
2701                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2702                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2703         }
2704         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2705         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2706                 if (rt2860_rates[ridx].rate == rate)
2707                         break;
2708         rn->mgt_ridx = ridx;
2709         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2710
2711         RUN_LOCK(sc);
2712         if(sc->ratectl_run != RUN_RATECTL_OFF)
2713                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2714         RUN_UNLOCK(sc);
2715 }
2716
2717 /*
2718  * Return the Rx chain with the highest RSSI for a given frame.
2719  */
2720 static __inline uint8_t
2721 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2722 {
2723         uint8_t rxchain = 0;
2724
2725         if (sc->nrxchains > 1) {
2726                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2727                         rxchain = 1;
2728                 if (sc->nrxchains > 2)
2729                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2730                                 rxchain = 2;
2731         }
2732         return (rxchain);
2733 }
2734
2735 static void
2736 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2737     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2738 {
2739         struct ieee80211vap *vap = ni->ni_vap;
2740         struct run_softc *sc = vap->iv_ic->ic_softc;
2741         struct run_vap *rvp = RUN_VAP(vap);
2742         uint64_t ni_tstamp, rx_tstamp;
2743
2744         rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2745
2746         if (vap->iv_state == IEEE80211_S_RUN &&
2747             (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2748             subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2749                 ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2750                 RUN_LOCK(sc);
2751                 run_get_tsf(sc, &rx_tstamp);
2752                 RUN_UNLOCK(sc);
2753                 rx_tstamp = le64toh(rx_tstamp);
2754
2755                 if (ni_tstamp >= rx_tstamp) {
2756                         DPRINTF("ibss merge, tsf %ju tstamp %ju\n",
2757                             (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2758                         (void) ieee80211_ibss_merge(ni);
2759                 }
2760         }
2761 }
2762
2763 static void
2764 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2765 {
2766         struct ieee80211com *ic = &sc->sc_ic;
2767         struct ieee80211_frame *wh;
2768         struct ieee80211_node *ni;
2769         struct rt2870_rxd *rxd;
2770         struct rt2860_rxwi *rxwi;
2771         uint32_t flags;
2772         uint16_t len, rxwisize;
2773         uint8_t ant, rssi;
2774         int8_t nf;
2775
2776         rxwi = mtod(m, struct rt2860_rxwi *);
2777         len = le16toh(rxwi->len) & 0xfff;
2778         rxwisize = sizeof(struct rt2860_rxwi);
2779         if (sc->mac_ver == 0x5592)
2780                 rxwisize += sizeof(uint64_t);
2781         else if (sc->mac_ver == 0x3593)
2782                 rxwisize += sizeof(uint32_t);
2783         if (__predict_false(len > dmalen)) {
2784                 m_freem(m);
2785 #if defined(__DragonFly__)
2786                 ++ic->ic_ierrors;
2787 #else
2788                 counter_u64_add(ic->ic_ierrors, 1);
2789 #endif
2790                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2791                 return;
2792         }
2793         /* Rx descriptor is located at the end */
2794         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2795         flags = le32toh(rxd->flags);
2796
2797         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2798                 m_freem(m);
2799 #if defined(__DragonFly__)
2800                 ++ic->ic_ierrors;
2801 #else
2802                 counter_u64_add(ic->ic_ierrors, 1);
2803 #endif
2804                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2805                 return;
2806         }
2807
2808         m->m_data += rxwisize;
2809         m->m_pkthdr.len = m->m_len -= rxwisize;
2810
2811         wh = mtod(m, struct ieee80211_frame *);
2812
2813         if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2814                 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2815                 m->m_flags |= M_WEP;
2816         }
2817
2818         if (flags & RT2860_RX_L2PAD) {
2819                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2820                 len += 2;
2821         }
2822
2823         ni = ieee80211_find_rxnode(ic,
2824             mtod(m, struct ieee80211_frame_min *));
2825
2826         if (__predict_false(flags & RT2860_RX_MICERR)) {
2827                 /* report MIC failures to net80211 for TKIP */
2828                 if (ni != NULL)
2829                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2830                             rxwi->keyidx);
2831                 m_freem(m);
2832 #if defined(__DragonFly__)
2833                 ++ic->ic_ierrors;
2834 #else
2835                 counter_u64_add(ic->ic_ierrors, 1);
2836 #endif
2837                 DPRINTF("MIC error. Someone is lying.\n");
2838                 return;
2839         }
2840
2841         ant = run_maxrssi_chain(sc, rxwi);
2842         rssi = rxwi->rssi[ant];
2843         nf = run_rssi2dbm(sc, rssi, ant);
2844
2845         m->m_pkthdr.len = m->m_len = len;
2846
2847         if (__predict_false(ieee80211_radiotap_active(ic))) {
2848                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2849                 uint16_t phy;
2850
2851                 tap->wr_flags = 0;
2852                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2853                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2854                 tap->wr_antsignal = rssi;
2855                 tap->wr_antenna = ant;
2856                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2857                 tap->wr_rate = 2;       /* in case it can't be found below */
2858                 RUN_LOCK(sc);
2859                 run_get_tsf(sc, &tap->wr_tsf);
2860                 RUN_UNLOCK(sc);
2861                 phy = le16toh(rxwi->phy);
2862                 switch (phy & RT2860_PHY_MODE) {
2863                 case RT2860_PHY_CCK:
2864                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2865                         case 0: tap->wr_rate =   2; break;
2866                         case 1: tap->wr_rate =   4; break;
2867                         case 2: tap->wr_rate =  11; break;
2868                         case 3: tap->wr_rate =  22; break;
2869                         }
2870                         if (phy & RT2860_PHY_SHPRE)
2871                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2872                         break;
2873                 case RT2860_PHY_OFDM:
2874                         switch (phy & RT2860_PHY_MCS) {
2875                         case 0: tap->wr_rate =  12; break;
2876                         case 1: tap->wr_rate =  18; break;
2877                         case 2: tap->wr_rate =  24; break;
2878                         case 3: tap->wr_rate =  36; break;
2879                         case 4: tap->wr_rate =  48; break;
2880                         case 5: tap->wr_rate =  72; break;
2881                         case 6: tap->wr_rate =  96; break;
2882                         case 7: tap->wr_rate = 108; break;
2883                         }
2884                         break;
2885                 }
2886         }
2887
2888         if (ni != NULL) {
2889                 (void)ieee80211_input(ni, m, rssi, nf);
2890                 ieee80211_free_node(ni);
2891         } else {
2892                 (void)ieee80211_input_all(ic, m, rssi, nf);
2893         }
2894 }
2895
2896 static void
2897 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2898 {
2899         struct run_softc *sc = usbd_xfer_softc(xfer);
2900         struct ieee80211com *ic = &sc->sc_ic;
2901         struct mbuf *m = NULL;
2902         struct mbuf *m0;
2903         uint32_t dmalen;
2904         uint16_t rxwisize;
2905         int xferlen;
2906
2907         rxwisize = sizeof(struct rt2860_rxwi);
2908         if (sc->mac_ver == 0x5592)
2909                 rxwisize += sizeof(uint64_t);
2910         else if (sc->mac_ver == 0x3593)
2911                 rxwisize += sizeof(uint32_t);
2912
2913         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2914
2915         switch (USB_GET_STATE(xfer)) {
2916         case USB_ST_TRANSFERRED:
2917
2918                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2919
2920                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2921                     sizeof(struct rt2870_rxd))) {
2922                         DPRINTF("xfer too short %d\n", xferlen);
2923                         goto tr_setup;
2924                 }
2925
2926                 m = sc->rx_m;
2927                 sc->rx_m = NULL;
2928
2929                 /* FALLTHROUGH */
2930         case USB_ST_SETUP:
2931 tr_setup:
2932                 if (sc->rx_m == NULL) {
2933                         sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2934                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2935                 }
2936                 if (sc->rx_m == NULL) {
2937                         DPRINTF("could not allocate mbuf - idle with stall\n");
2938 #if defined(__DragonFly__)
2939                         ++ic->ic_ierrors;
2940 #else
2941                         counter_u64_add(ic->ic_ierrors, 1);
2942 #endif
2943                         usbd_xfer_set_stall(xfer);
2944                         usbd_xfer_set_frames(xfer, 0);
2945                 } else {
2946                         /*
2947                          * Directly loading a mbuf cluster into DMA to
2948                          * save some data copying. This works because
2949                          * there is only one cluster.
2950                          */
2951                         usbd_xfer_set_frame_data(xfer, 0, 
2952                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2953                         usbd_xfer_set_frames(xfer, 1);
2954                 }
2955                 usbd_transfer_submit(xfer);
2956                 break;
2957
2958         default:        /* Error */
2959                 if (error != USB_ERR_CANCELLED) {
2960                         /* try to clear stall first */
2961                         usbd_xfer_set_stall(xfer);
2962                         if (error == USB_ERR_TIMEOUT)
2963                                 device_printf(sc->sc_dev, "device timeout\n");
2964 #if defined(__DragonFly__)
2965                         ++ic->ic_ierrors;
2966 #else
2967                         counter_u64_add(ic->ic_ierrors, 1);
2968 #endif
2969                         goto tr_setup;
2970                 }
2971                 if (sc->rx_m != NULL) {
2972                         m_freem(sc->rx_m);
2973                         sc->rx_m = NULL;
2974                 }
2975                 break;
2976         }
2977
2978         if (m == NULL)
2979                 return;
2980
2981         /* inputting all the frames must be last */
2982
2983         RUN_UNLOCK(sc);
2984
2985         m->m_pkthdr.len = m->m_len = xferlen;
2986
2987         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2988         for(;;) {
2989                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2990
2991                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2992                     ((dmalen & 3) != 0)) {
2993                         DPRINTF("bad DMA length %u\n", dmalen);
2994                         break;
2995                 }
2996                 if ((dmalen + 8) > (uint32_t)xferlen) {
2997                         DPRINTF("bad DMA length %u > %d\n",
2998                         dmalen + 8, xferlen);
2999                         break;
3000                 }
3001
3002                 /* If it is the last one or a single frame, we won't copy. */
3003                 if ((xferlen -= dmalen + 8) <= 8) {
3004                         /* trim 32-bit DMA-len header */
3005                         m->m_data += 4;
3006                         m->m_pkthdr.len = m->m_len -= 4;
3007                         run_rx_frame(sc, m, dmalen);
3008                         m = NULL;       /* don't free source buffer */
3009                         break;
3010                 }
3011
3012                 /* copy aggregated frames to another mbuf */
3013                 m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
3014                 if (__predict_false(m0 == NULL)) {
3015                         DPRINTF("could not allocate mbuf\n");
3016 #if defined(__DragonFly__)
3017                         ++ic->ic_ierrors;
3018 #else
3019                         counter_u64_add(ic->ic_ierrors, 1);
3020 #endif
3021                         break;
3022                 }
3023                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3024                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3025                 m0->m_pkthdr.len = m0->m_len =
3026                     dmalen + sizeof(struct rt2870_rxd);
3027                 run_rx_frame(sc, m0, dmalen);
3028
3029                 /* update data ptr */
3030                 m->m_data += dmalen + 8;
3031                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
3032         }
3033
3034         /* make sure we free the source buffer, if any */
3035         m_freem(m);
3036
3037         RUN_LOCK(sc);
3038 }
3039
3040 static void
3041 run_tx_free(struct run_endpoint_queue *pq,
3042     struct run_tx_data *data, int txerr)
3043 {
3044
3045         ieee80211_tx_complete(data->ni, data->m, txerr);
3046
3047         data->m = NULL;
3048         data->ni = NULL;
3049
3050         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3051         pq->tx_nfree++;
3052 }
3053
3054 static void
3055 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3056 {
3057         struct run_softc *sc = usbd_xfer_softc(xfer);
3058         struct ieee80211com *ic = &sc->sc_ic;
3059         struct run_tx_data *data;
3060         struct ieee80211vap *vap = NULL;
3061         struct usb_page_cache *pc;
3062         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3063         struct mbuf *m;
3064         usb_frlength_t size;
3065         int actlen;
3066         int sumlen;
3067
3068         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3069
3070         switch (USB_GET_STATE(xfer)) {
3071         case USB_ST_TRANSFERRED:
3072                 DPRINTFN(11, "transfer complete: %d "
3073                     "bytes @ index %d\n", actlen, index);
3074
3075                 data = usbd_xfer_get_priv(xfer);
3076                 run_tx_free(pq, data, 0);
3077                 usbd_xfer_set_priv(xfer, NULL);
3078
3079                 /* FALLTHROUGH */
3080         case USB_ST_SETUP:
3081 tr_setup:
3082                 data = STAILQ_FIRST(&pq->tx_qh);
3083                 if (data == NULL)
3084                         break;
3085
3086                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3087
3088                 m = data->m;
3089                 size = (sc->mac_ver == 0x5592) ?
3090                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3091                 if ((m->m_pkthdr.len +
3092                     size + 3 + 8) > RUN_MAX_TXSZ) {
3093                         DPRINTF("data overflow, %u bytes\n",
3094                             m->m_pkthdr.len);
3095                         run_tx_free(pq, data, 1);
3096                         goto tr_setup;
3097                 }
3098
3099                 pc = usbd_xfer_get_frame(xfer, 0);
3100                 usbd_copy_in(pc, 0, &data->desc, size);
3101                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3102                 size += m->m_pkthdr.len;
3103                 /*
3104                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3105                  * 4-byte padding), and be sure to zero those trailing
3106                  * bytes:
3107                  */
3108                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3109                 size += ((-size) & 3) + 8;
3110
3111                 vap = data->ni->ni_vap;
3112                 if (ieee80211_radiotap_active_vap(vap)) {
3113                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3114                         struct rt2860_txwi *txwi = 
3115                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3116                         tap->wt_flags = 0;
3117                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3118                         run_get_tsf(sc, &tap->wt_tsf);
3119                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3120                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3121                         tap->wt_hwqueue = index;
3122                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3123                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3124
3125                         ieee80211_radiotap_tx(vap, m);
3126                 }
3127
3128                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3129                     m->m_pkthdr.len, size, index);
3130
3131                 usbd_xfer_set_frame_len(xfer, 0, size);
3132                 usbd_xfer_set_priv(xfer, data);
3133                 usbd_transfer_submit(xfer);
3134                 run_start(sc);
3135
3136                 break;
3137
3138         default:
3139                 DPRINTF("USB transfer error, %s\n",
3140                     usbd_errstr(error));
3141
3142                 data = usbd_xfer_get_priv(xfer);
3143
3144                 if (data != NULL) {
3145                         if(data->ni != NULL)
3146                                 vap = data->ni->ni_vap;
3147                         run_tx_free(pq, data, error);
3148                         usbd_xfer_set_priv(xfer, NULL);
3149                 }
3150
3151                 if (vap == NULL)
3152                         vap = TAILQ_FIRST(&ic->ic_vaps);
3153
3154                 if (error != USB_ERR_CANCELLED) {
3155                         if (error == USB_ERR_TIMEOUT) {
3156                                 device_printf(sc->sc_dev, "device timeout\n");
3157                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3158                                 DPRINTF("cmdq_store=%d\n", i);
3159                                 sc->cmdq[i].func = run_usb_timeout_cb;
3160                                 sc->cmdq[i].arg0 = vap;
3161                                 ieee80211_runtask(ic, &sc->cmdq_task);
3162                         }
3163
3164                         /*
3165                          * Try to clear stall first, also if other
3166                          * errors occur, hence clearing stall
3167                          * introduces a 50 ms delay:
3168                          */
3169                         usbd_xfer_set_stall(xfer);
3170                         goto tr_setup;
3171                 }
3172                 break;
3173         }
3174 }
3175
3176 static void
3177 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3178 {
3179         run_bulk_tx_callbackN(xfer, error, 0);
3180 }
3181
3182 static void
3183 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3184 {
3185         run_bulk_tx_callbackN(xfer, error, 1);
3186 }
3187
3188 static void
3189 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3190 {
3191         run_bulk_tx_callbackN(xfer, error, 2);
3192 }
3193
3194 static void
3195 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3196 {
3197         run_bulk_tx_callbackN(xfer, error, 3);
3198 }
3199
3200 static void
3201 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3202 {
3203         run_bulk_tx_callbackN(xfer, error, 4);
3204 }
3205
3206 static void
3207 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3208 {
3209         run_bulk_tx_callbackN(xfer, error, 5);
3210 }
3211
3212 static void
3213 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3214 {
3215         struct mbuf *m = data->m;
3216         struct ieee80211com *ic = &sc->sc_ic;
3217         struct ieee80211vap *vap = data->ni->ni_vap;
3218         struct ieee80211_frame *wh;
3219         struct rt2870_txd *txd;
3220         struct rt2860_txwi *txwi;
3221         uint16_t xferlen, txwisize;
3222         uint16_t mcs;
3223         uint8_t ridx = data->ridx;
3224         uint8_t pad;
3225
3226         /* get MCS code from rate index */
3227         mcs = rt2860_rates[ridx].mcs;
3228
3229         txwisize = (sc->mac_ver == 0x5592) ?
3230             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3231         xferlen = txwisize + m->m_pkthdr.len;
3232
3233         /* roundup to 32-bit alignment */
3234         xferlen = (xferlen + 3) & ~3;
3235
3236         txd = (struct rt2870_txd *)&data->desc;
3237         txd->len = htole16(xferlen);
3238
3239         wh = mtod(m, struct ieee80211_frame *);
3240
3241         /*
3242          * Ether both are true or both are false, the header
3243          * are nicely aligned to 32-bit. So, no L2 padding.
3244          */
3245         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3246                 pad = 0;
3247         else
3248                 pad = 2;
3249
3250         /* setup TX Wireless Information */
3251         txwi = (struct rt2860_txwi *)(txd + 1);
3252         txwi->len = htole16(m->m_pkthdr.len - pad);
3253         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3254                 mcs |= RT2860_PHY_CCK;
3255                 if (ridx != RT2860_RIDX_CCK1 &&
3256                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3257                         mcs |= RT2860_PHY_SHPRE;
3258         } else
3259                 mcs |= RT2860_PHY_OFDM;
3260         txwi->phy = htole16(mcs);
3261
3262         /* check if RTS/CTS or CTS-to-self protection is required */
3263         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3264             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3265              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3266               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3267                 txwi->txop |= RT2860_TX_TXOP_HT;
3268         else
3269                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3270
3271         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3272                 txwi->xflags |= RT2860_TX_NSEQ;
3273 }
3274
3275 /* This function must be called locked */
3276 static int
3277 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3278 {
3279         struct ieee80211com *ic = &sc->sc_ic;
3280         struct ieee80211vap *vap = ni->ni_vap;
3281         struct ieee80211_frame *wh;
3282         struct ieee80211_channel *chan;
3283         const struct ieee80211_txparam *tp;
3284         struct run_node *rn = RUN_NODE(ni);
3285         struct run_tx_data *data;
3286         struct rt2870_txd *txd;
3287         struct rt2860_txwi *txwi;
3288         uint16_t qos;
3289         uint16_t dur;
3290         uint16_t qid;
3291         uint8_t type;
3292         uint8_t tid;
3293         uint8_t ridx;
3294         uint8_t ctl_ridx;
3295         uint8_t qflags;
3296         uint8_t xflags = 0;
3297         int hasqos;
3298
3299         RUN_LOCK_ASSERT(sc, MA_OWNED);
3300
3301         wh = mtod(m, struct ieee80211_frame *);
3302
3303         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3304
3305         /*
3306          * There are 7 bulk endpoints: 1 for RX
3307          * and 6 for TX (4 EDCAs + HCCA + Prio).
3308          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3309          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3310          */
3311         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3312                 uint8_t *frm;
3313
3314                 if(IEEE80211_HAS_ADDR4(wh))
3315                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3316                 else
3317                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3318
3319                 qos = le16toh(*(const uint16_t *)frm);
3320                 tid = qos & IEEE80211_QOS_TID;
3321                 qid = TID_TO_WME_AC(tid);
3322         } else {
3323                 qos = 0;
3324                 tid = 0;
3325                 qid = WME_AC_BE;
3326         }
3327         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3328
3329         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3330             qos, qid, tid, qflags);
3331
3332         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3333         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3334
3335         /* pickup a rate index */
3336         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3337             type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3338                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3339                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3340                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3341         } else {
3342                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3343                         ridx = rn->fix_ridx;
3344                 else
3345                         ridx = rn->amrr_ridx;
3346                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3347         }
3348
3349         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3350             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3351              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3352                 xflags |= RT2860_TX_ACK;
3353                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3354                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3355                 else
3356                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3357                 USETW(wh->i_dur, dur);
3358         }
3359
3360         /* reserve slots for mgmt packets, just in case */
3361         if (sc->sc_epq[qid].tx_nfree < 3) {
3362                 DPRINTFN(10, "tx ring %d is full\n", qid);
3363                 return (-1);
3364         }
3365
3366         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3367         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3368         sc->sc_epq[qid].tx_nfree--;
3369
3370         txd = (struct rt2870_txd *)&data->desc;
3371         txd->flags = qflags;
3372         txwi = (struct rt2860_txwi *)(txd + 1);
3373         txwi->xflags = xflags;
3374         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3375                 txwi->wcid = 0;
3376         else
3377                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3378                     1 : RUN_AID2WCID(ni->ni_associd);
3379
3380         /* clear leftover garbage bits */
3381         txwi->flags = 0;
3382         txwi->txop = 0;
3383
3384         data->m = m;
3385         data->ni = ni;
3386         data->ridx = ridx;
3387
3388         run_set_tx_desc(sc, data);
3389
3390         /*
3391          * The chip keeps track of 2 kind of Tx stats,
3392          *  * TX_STAT_FIFO, for per WCID stats, and
3393          *  * TX_STA_CNT0 for all-TX-in-one stats.
3394          *
3395          * To use FIFO stats, we need to store MCS into the driver-private
3396          * PacketID field. So that, we can tell whose stats when we read them.
3397          * We add 1 to the MCS because setting the PacketID field to 0 means
3398          * that we don't want feedback in TX_STAT_FIFO.
3399          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3400          *
3401          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3402          */
3403         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3404             vap->iv_opmode == IEEE80211_M_MBSS) {
3405                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3406                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3407
3408                 /*
3409                  * Unlike PCI based devices, we don't get any interrupt from
3410                  * USB devices, so we simulate FIFO-is-full interrupt here.
3411                  * Ralink recommends to drain FIFO stats every 100 ms, but 16 slots
3412                  * quickly get fulled. To prevent overflow, increment a counter on
3413                  * every FIFO stat request, so we know how many slots are left.
3414                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3415                  * are used only in those modes.
3416                  * We just drain stats. AMRR gets updated every 1 sec by
3417                  * run_ratectl_cb() via callout.
3418                  * Call it early. Otherwise overflow.
3419                  */
3420                 if (sc->fifo_cnt++ == 10) {
3421                         /*
3422                          * With multiple vaps or if_bridge, if_start() is called
3423                          * with a non-sleepable lock, tcpinp. So, need to defer.
3424                          */
3425                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3426                         DPRINTFN(6, "cmdq_store=%d\n", i);
3427                         sc->cmdq[i].func = run_drain_fifo;
3428                         sc->cmdq[i].arg0 = sc;
3429                         ieee80211_runtask(ic, &sc->cmdq_task);
3430                 }
3431         }
3432
3433         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3434
3435         usbd_transfer_start(sc->sc_xfer[qid]);
3436
3437         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3438             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3439             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3440
3441         return (0);
3442 }
3443
3444 static int
3445 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3446 {
3447         struct ieee80211com *ic = &sc->sc_ic;
3448         struct run_node *rn = RUN_NODE(ni);
3449         struct run_tx_data *data;
3450         struct ieee80211_frame *wh;
3451         struct rt2870_txd *txd;
3452         struct rt2860_txwi *txwi;
3453         uint16_t dur;
3454         uint8_t ridx = rn->mgt_ridx;
3455         uint8_t type;
3456         uint8_t xflags = 0;
3457         uint8_t wflags = 0;
3458
3459         RUN_LOCK_ASSERT(sc, MA_OWNED);
3460
3461         wh = mtod(m, struct ieee80211_frame *);
3462
3463         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3464
3465         /* tell hardware to add timestamp for probe responses */
3466         if ((wh->i_fc[0] &
3467             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3468             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3469                 wflags |= RT2860_TX_TS;
3470         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3471                 xflags |= RT2860_TX_ACK;
3472
3473                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate, 
3474                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3475                 USETW(wh->i_dur, dur);
3476         }
3477
3478         if (sc->sc_epq[0].tx_nfree == 0)
3479                 /* let caller free mbuf */
3480                 return (EIO);
3481         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3482         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3483         sc->sc_epq[0].tx_nfree--;
3484
3485         txd = (struct rt2870_txd *)&data->desc;
3486         txd->flags = RT2860_TX_QSEL_EDCA;
3487         txwi = (struct rt2860_txwi *)(txd + 1);
3488         txwi->wcid = 0xff;
3489         txwi->flags = wflags;
3490         txwi->xflags = xflags;
3491         txwi->txop = 0; /* clear leftover garbage bits */
3492
3493         data->m = m;
3494         data->ni = ni;
3495         data->ridx = ridx;
3496
3497         run_set_tx_desc(sc, data);
3498
3499         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3500             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3501             rt2860_rates[ridx].rate);
3502
3503         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3504
3505         usbd_transfer_start(sc->sc_xfer[0]);
3506
3507         return (0);
3508 }
3509
3510 static int
3511 run_sendprot(struct run_softc *sc,
3512     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3513 {
3514         struct ieee80211com *ic = ni->ni_ic;
3515         struct ieee80211_frame *wh;
3516         struct run_tx_data *data;
3517         struct rt2870_txd *txd;
3518         struct rt2860_txwi *txwi;
3519         struct mbuf *mprot;
3520         int ridx;
3521         int protrate;
3522         int ackrate;
3523         int pktlen;
3524         int isshort;
3525         uint16_t dur;
3526         uint8_t type;
3527         uint8_t wflags = 0;
3528         uint8_t xflags = 0;
3529
3530         RUN_LOCK_ASSERT(sc, MA_OWNED);
3531
3532         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3533             ("protection %d", prot));
3534
3535         wh = mtod(m, struct ieee80211_frame *);
3536         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3537         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3538
3539         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3540         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3541
3542         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3543         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3544             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3545         wflags = RT2860_TX_FRAG;
3546
3547         /* check that there are free slots before allocating the mbuf */
3548         if (sc->sc_epq[0].tx_nfree == 0)
3549                 /* let caller free mbuf */
3550                 return (ENOBUFS);
3551
3552         if (prot == IEEE80211_PROT_RTSCTS) {
3553                 /* NB: CTS is the same size as an ACK */
3554                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3555                 xflags |= RT2860_TX_ACK;
3556                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3557         } else {
3558                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3559         }
3560         if (mprot == NULL) {
3561                 if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3562                 DPRINTF("could not allocate mbuf\n");
3563                 return (ENOBUFS);
3564         }
3565
3566         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3567         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3568         sc->sc_epq[0].tx_nfree--;
3569
3570         txd = (struct rt2870_txd *)&data->desc;
3571         txd->flags = RT2860_TX_QSEL_EDCA;
3572         txwi = (struct rt2860_txwi *)(txd + 1);
3573         txwi->wcid = 0xff;
3574         txwi->flags = wflags;
3575         txwi->xflags = xflags;
3576         txwi->txop = 0; /* clear leftover garbage bits */
3577
3578         data->m = mprot;
3579         data->ni = ieee80211_ref_node(ni);
3580
3581         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3582                 if (rt2860_rates[ridx].rate == protrate)
3583                         break;
3584         data->ridx = ridx;
3585
3586         run_set_tx_desc(sc, data);
3587
3588         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3589             m->m_pkthdr.len, rate);
3590
3591         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3592
3593         usbd_transfer_start(sc->sc_xfer[0]);
3594
3595         return (0);
3596 }
3597
3598 static int
3599 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3600     const struct ieee80211_bpf_params *params)
3601 {
3602         struct ieee80211com *ic = ni->ni_ic;
3603         struct ieee80211_frame *wh;
3604         struct run_tx_data *data;
3605         struct rt2870_txd *txd;
3606         struct rt2860_txwi *txwi;
3607         uint8_t type;
3608         uint8_t ridx;
3609         uint8_t rate;
3610         uint8_t opflags = 0;
3611         uint8_t xflags = 0;
3612         int error;
3613
3614         RUN_LOCK_ASSERT(sc, MA_OWNED);
3615
3616         KASSERT(params != NULL, ("no raw xmit params"));
3617
3618         wh = mtod(m, struct ieee80211_frame *);
3619         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3620
3621         rate = params->ibp_rate0;
3622         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3623                 /* let caller free mbuf */
3624                 return (EINVAL);
3625         }
3626
3627         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3628                 xflags |= RT2860_TX_ACK;
3629         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3630                 error = run_sendprot(sc, m, ni,
3631                     params->ibp_flags & IEEE80211_BPF_RTS ?
3632                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3633                     rate);
3634                 if (error) {
3635                         /* let caller free mbuf */
3636                         return error;
3637                 }
3638                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3639         }
3640
3641         if (sc->sc_epq[0].tx_nfree == 0) {
3642                 /* let caller free mbuf */
3643                 DPRINTF("sending raw frame, but tx ring is full\n");
3644                 return (EIO);
3645         }
3646         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3647         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3648         sc->sc_epq[0].tx_nfree--;
3649
3650         txd = (struct rt2870_txd *)&data->desc;
3651         txd->flags = RT2860_TX_QSEL_EDCA;
3652         txwi = (struct rt2860_txwi *)(txd + 1);
3653         txwi->wcid = 0xff;
3654         txwi->xflags = xflags;
3655         txwi->txop = opflags;
3656         txwi->flags = 0;        /* clear leftover garbage bits */
3657
3658         data->m = m;
3659         data->ni = ni;
3660         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3661                 if (rt2860_rates[ridx].rate == rate)
3662                         break;
3663         data->ridx = ridx;
3664
3665         run_set_tx_desc(sc, data);
3666
3667         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3668             m->m_pkthdr.len, rate);
3669
3670         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3671
3672         usbd_transfer_start(sc->sc_xfer[0]);
3673
3674         return (0);
3675 }
3676
3677 static int
3678 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3679     const struct ieee80211_bpf_params *params)
3680 {
3681         struct run_softc *sc = ni->ni_ic->ic_softc;
3682         int error = 0;
3683  
3684         RUN_LOCK(sc);
3685
3686         /* prevent management frames from being sent if we're not ready */
3687         if (!(sc->sc_flags & RUN_RUNNING)) {
3688                 error = ENETDOWN;
3689                 goto done;
3690         }
3691
3692         if (params == NULL) {
3693                 /* tx mgt packet */
3694                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3695                         DPRINTF("mgt tx failed\n");
3696                         goto done;
3697                 }
3698         } else {
3699                 /* tx raw packet with param */
3700                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3701                         DPRINTF("tx with param failed\n");
3702                         goto done;
3703                 }
3704         }
3705
3706 done:
3707         RUN_UNLOCK(sc);
3708
3709         if (error != 0) {
3710                 if(m != NULL)
3711                         m_freem(m);
3712         }
3713
3714         return (error);
3715 }
3716
3717 static int
3718 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3719 {
3720         struct run_softc *sc = ic->ic_softc;
3721         int error;
3722
3723         RUN_LOCK(sc);
3724         if ((sc->sc_flags & RUN_RUNNING) == 0) {
3725                 RUN_UNLOCK(sc);
3726                 return (ENXIO);
3727         }
3728         error = mbufq_enqueue(&sc->sc_snd, m);
3729         if (error) {
3730                 RUN_UNLOCK(sc);
3731                 return (error);
3732         }
3733         run_start(sc);
3734         RUN_UNLOCK(sc);
3735
3736         return (0);
3737 }
3738
3739 static void
3740 run_start(struct run_softc *sc)
3741 {
3742         struct ieee80211_node *ni;
3743         struct mbuf *m;
3744
3745         RUN_LOCK_ASSERT(sc, MA_OWNED);
3746
3747         if ((sc->sc_flags & RUN_RUNNING) == 0)
3748                 return;
3749
3750         while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3751                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3752                 if (run_tx(sc, m, ni) != 0) {
3753                         mbufq_prepend(&sc->sc_snd, m);
3754                         break;
3755                 }
3756         }
3757 }
3758
3759 static void
3760 run_parent(struct ieee80211com *ic)
3761 {
3762         struct run_softc *sc = ic->ic_softc;
3763         int startall = 0;
3764
3765         RUN_LOCK(sc);
3766         if (sc->sc_detached) {
3767                 RUN_UNLOCK(sc);
3768                 return;
3769         }
3770
3771         if (ic->ic_nrunning > 0) {
3772                 if (!(sc->sc_flags & RUN_RUNNING)) {
3773                         startall = 1;
3774                         run_init_locked(sc);
3775                 } else
3776                         run_update_promisc_locked(sc);
3777         } else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3778                 run_stop(sc);
3779         RUN_UNLOCK(sc);
3780         if (startall)
3781                 ieee80211_start_all(ic);
3782 }
3783
3784 static void
3785 run_iq_calib(struct run_softc *sc, u_int chan)
3786 {
3787         uint16_t val;
3788
3789         /* Tx0 IQ gain. */
3790         run_bbp_write(sc, 158, 0x2c);
3791         if (chan <= 14)
3792                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3793         else if (chan <= 64) {
3794                 run_efuse_read(sc,
3795                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3796                     &val, 1);
3797         } else if (chan <= 138) {
3798                 run_efuse_read(sc,
3799                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3800                     &val, 1);
3801         } else if (chan <= 165) {
3802                 run_efuse_read(sc,
3803             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3804                     &val, 1);
3805         } else
3806                 val = 0;
3807         run_bbp_write(sc, 159, val);
3808
3809         /* Tx0 IQ phase. */
3810         run_bbp_write(sc, 158, 0x2d);
3811         if (chan <= 14) {
3812                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3813                     &val, 1);
3814         } else if (chan <= 64) {
3815                 run_efuse_read(sc,
3816                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3817                     &val, 1);
3818         } else if (chan <= 138) {
3819                 run_efuse_read(sc,
3820                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3821                     &val, 1);
3822         } else if (chan <= 165) {
3823                 run_efuse_read(sc,
3824                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3825                     &val, 1);
3826         } else
3827                 val = 0;
3828         run_bbp_write(sc, 159, val);
3829
3830         /* Tx1 IQ gain. */
3831         run_bbp_write(sc, 158, 0x4a);
3832         if (chan <= 14) {
3833                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3834                     &val, 1);
3835         } else if (chan <= 64) {
3836                 run_efuse_read(sc,
3837                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3838                     &val, 1);
3839         } else if (chan <= 138) {
3840                 run_efuse_read(sc,
3841                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3842                     &val, 1);
3843         } else if (chan <= 165) {
3844                 run_efuse_read(sc,
3845                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3846                     &val, 1);
3847         } else
3848                 val = 0;
3849         run_bbp_write(sc, 159, val);
3850
3851         /* Tx1 IQ phase. */
3852         run_bbp_write(sc, 158, 0x4b);
3853         if (chan <= 14) {
3854                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3855                     &val, 1);
3856         } else if (chan <= 64) {
3857                 run_efuse_read(sc,
3858                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3859                     &val, 1);
3860         } else if (chan <= 138) {
3861                 run_efuse_read(sc,
3862                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3863                     &val, 1);
3864         } else if (chan <= 165) {
3865                 run_efuse_read(sc,
3866                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3867                     &val, 1);
3868         } else
3869                 val = 0;
3870         run_bbp_write(sc, 159, val);
3871
3872         /* RF IQ compensation control. */
3873         run_bbp_write(sc, 158, 0x04);
3874         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3875             &val, 1);
3876         run_bbp_write(sc, 159, val);
3877
3878         /* RF IQ imbalance compensation control. */
3879         run_bbp_write(sc, 158, 0x03);
3880         run_efuse_read(sc,
3881             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3882         run_bbp_write(sc, 159, val);
3883 }
3884
3885 static void
3886 run_set_agc(struct run_softc *sc, uint8_t agc)
3887 {
3888         uint8_t bbp;
3889
3890         if (sc->mac_ver == 0x3572) {
3891                 run_bbp_read(sc, 27, &bbp);
3892                 bbp &= ~(0x3 << 5);
3893                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3894                 run_bbp_write(sc, 66, agc);
3895                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3896                 run_bbp_write(sc, 66, agc);
3897         } else
3898                 run_bbp_write(sc, 66, agc);
3899 }
3900
3901 static void
3902 run_select_chan_group(struct run_softc *sc, int group)
3903 {
3904         uint32_t tmp;
3905         uint8_t agc;
3906
3907         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3908         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3909         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3910         if (sc->mac_ver < 0x3572)
3911                 run_bbp_write(sc, 86, 0x00);
3912
3913         if (sc->mac_ver == 0x3593) {
3914                 run_bbp_write(sc, 77, 0x98);
3915                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3916         }
3917
3918         if (group == 0) {
3919                 if (sc->ext_2ghz_lna) {
3920                         if (sc->mac_ver >= 0x5390)
3921                                 run_bbp_write(sc, 75, 0x52);
3922                         else {
3923                                 run_bbp_write(sc, 82, 0x62);
3924                                 run_bbp_write(sc, 75, 0x46);
3925                         }
3926                 } else {
3927                         if (sc->mac_ver == 0x5592) {
3928                                 run_bbp_write(sc, 79, 0x1c);
3929                                 run_bbp_write(sc, 80, 0x0e);
3930                                 run_bbp_write(sc, 81, 0x3a);
3931                                 run_bbp_write(sc, 82, 0x62);
3932
3933                                 run_bbp_write(sc, 195, 0x80);
3934                                 run_bbp_write(sc, 196, 0xe0);
3935                                 run_bbp_write(sc, 195, 0x81);
3936                                 run_bbp_write(sc, 196, 0x1f);
3937                                 run_bbp_write(sc, 195, 0x82);
3938                                 run_bbp_write(sc, 196, 0x38);
3939                                 run_bbp_write(sc, 195, 0x83);
3940                                 run_bbp_write(sc, 196, 0x32);
3941                                 run_bbp_write(sc, 195, 0x85);
3942                                 run_bbp_write(sc, 196, 0x28);
3943                                 run_bbp_write(sc, 195, 0x86);
3944                                 run_bbp_write(sc, 196, 0x19);
3945                         } else if (sc->mac_ver >= 0x5390)
3946                                 run_bbp_write(sc, 75, 0x50);
3947                         else {
3948                                 run_bbp_write(sc, 82,
3949                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3950                                 run_bbp_write(sc, 75, 0x50);
3951                         }
3952                 }
3953         } else {
3954                 if (sc->mac_ver == 0x5592) {
3955                         run_bbp_write(sc, 79, 0x18);
3956                         run_bbp_write(sc, 80, 0x08);
3957                         run_bbp_write(sc, 81, 0x38);
3958                         run_bbp_write(sc, 82, 0x92);
3959
3960                         run_bbp_write(sc, 195, 0x80);
3961                         run_bbp_write(sc, 196, 0xf0);
3962                         run_bbp_write(sc, 195, 0x81);
3963                         run_bbp_write(sc, 196, 0x1e);
3964                         run_bbp_write(sc, 195, 0x82);
3965                         run_bbp_write(sc, 196, 0x28);
3966                         run_bbp_write(sc, 195, 0x83);
3967                         run_bbp_write(sc, 196, 0x20);
3968                         run_bbp_write(sc, 195, 0x85);
3969                         run_bbp_write(sc, 196, 0x7f);
3970                         run_bbp_write(sc, 195, 0x86);
3971                         run_bbp_write(sc, 196, 0x7f);
3972                 } else if (sc->mac_ver == 0x3572)
3973                         run_bbp_write(sc, 82, 0x94);
3974                 else
3975                         run_bbp_write(sc, 82,
3976                             (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3977                 if (sc->ext_5ghz_lna)
3978                         run_bbp_write(sc, 75, 0x46);
3979                 else 
3980                         run_bbp_write(sc, 75, 0x50);
3981         }
3982
3983         run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3984         tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3985         tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
3986         run_write(sc, RT2860_TX_BAND_CFG, tmp);
3987
3988         /* enable appropriate Power Amplifiers and Low Noise Amplifiers */
3989         tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
3990         if (sc->mac_ver == 0x3593)
3991                 tmp |= 1 << 29 | 1 << 28;
3992         if (sc->nrxchains > 1)
3993                 tmp |= RT2860_LNA_PE1_EN;
3994         if (group == 0) {       /* 2GHz */
3995                 tmp |= RT2860_PA_PE_G0_EN;
3996                 if (sc->ntxchains > 1)
3997                         tmp |= RT2860_PA_PE_G1_EN;
3998                 if (sc->mac_ver == 0x3593) {
3999                         if (sc->ntxchains > 2)
4000                                 tmp |= 1 << 25;