sys/dev/usb/wlan/if_run.c

   1 /*-
   2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
   3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
   4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
   5  * Copyright (c) 2013-2014 Kevin Lo
   6  *
   7  * Permission to use, copy, modify, and distribute this software for any
   8  * purpose with or without fee is hereby granted, provided that the above
   9  * copyright notice and this permission notice appear in all copies.
  10  *
  11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18  */
  19
  20 #include <sys/cdefs.h>
  21 __FBSDID("$FreeBSD$");
  22
  23 /*-
  24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
  25  * http://www.ralinktech.com/
  26  */
  27
  28 #include <sys/param.h>
  29 #include <sys/sockio.h>
  30 #include <sys/sysctl.h>
  31 #include <sys/lock.h>
  32 #include <sys/mutex.h>
  33 #include <sys/mbuf.h>
  34 #include <sys/kernel.h>
  35 #include <sys/socket.h>
  36 #include <sys/systm.h>
  37 #include <sys/malloc.h>
  38 #include <sys/module.h>
  39 #include <sys/bus.h>
  40 #include <sys/endian.h>
  41 #include <sys/linker.h>
  42 #include <sys/firmware.h>
  43 #include <sys/kdb.h>
  44
  45 #include <machine/bus.h>
  46 #include <machine/resource.h>
  47 #include <sys/rman.h>
  48
  49 #include <net/bpf.h>
  50 #include <net/if.h>
  51 #include <net/if_arp.h>
  52 #include <net/ethernet.h>
  53 #include <net/if_dl.h>
  54 #include <net/if_media.h>
  55 #include <net/if_types.h>
  56
  57 #include <netinet/in.h>
  58 #include <netinet/in_systm.h>
  59 #include <netinet/in_var.h>
  60 #include <netinet/if_ether.h>
  61 #include <netinet/ip.h>
  62
  63 #include <net80211/ieee80211_var.h>
  64 #include <net80211/ieee80211_regdomain.h>
  65 #include <net80211/ieee80211_radiotap.h>
  66 #include <net80211/ieee80211_ratectl.h>
  67
  68 #include <dev/usb/usb.h>
  69 #include <dev/usb/usbdi.h>
  70 #include "usbdevs.h"
  71
  72 #define USB_DEBUG_VAR   run_debug
  73 #include <dev/usb/usb_debug.h>
  74 #include <dev/usb/usb_msctest.h>
  75
  76 #include <dev/usb/wlan/if_runreg.h>
  77 #include <dev/usb/wlan/if_runvar.h>
  78
  79 #ifdef  USB_DEBUG
  80 #define RUN_DEBUG
  81 #endif
  82
  83 #ifdef  RUN_DEBUG
  84 int run_debug = 0;
  85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
  86 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
  87     "run debug level");
  88 #endif
  89
  90 #define IEEE80211_HAS_ADDR4(wh) \
  91         (((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
  92
  93 /*
  94  * Because of LOR in run_key_delete(), use atomic instead.
  95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
  96  */
  97 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
  98
  99 static const STRUCT_USB_HOST_ID run_devs[] = {
 100 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
 101 #define RUN_DEV_EJECT(v,p)      \
 102         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
 103 #define RUN_EJECT       1
 104     RUN_DEV(ABOCOM,             RT2770),
 105     RUN_DEV(ABOCOM,             RT2870),
 106     RUN_DEV(ABOCOM,             RT3070),
 107     RUN_DEV(ABOCOM,             RT3071),
 108     RUN_DEV(ABOCOM,             RT3072),
 109     RUN_DEV(ABOCOM2,            RT2870_1),
 110     RUN_DEV(ACCTON,             RT2770),
 111     RUN_DEV(ACCTON,             RT2870_1),
 112     RUN_DEV(ACCTON,             RT2870_2),
 113     RUN_DEV(ACCTON,             RT2870_3),
 114     RUN_DEV(ACCTON,             RT2870_4),
 115     RUN_DEV(ACCTON,             RT2870_5),
 116     RUN_DEV(ACCTON,             RT3070),
 117     RUN_DEV(ACCTON,             RT3070_1),
 118     RUN_DEV(ACCTON,             RT3070_2),
 119     RUN_DEV(ACCTON,             RT3070_3),
 120     RUN_DEV(ACCTON,             RT3070_4),
 121     RUN_DEV(ACCTON,             RT3070_5),
 122     RUN_DEV(AIRTIES,            RT3070),
 123     RUN_DEV(ALLWIN,             RT2070),
 124     RUN_DEV(ALLWIN,             RT2770),
 125     RUN_DEV(ALLWIN,             RT2870),
 126     RUN_DEV(ALLWIN,             RT3070),
 127     RUN_DEV(ALLWIN,             RT3071),
 128     RUN_DEV(ALLWIN,             RT3072),
 129     RUN_DEV(ALLWIN,             RT3572),
 130     RUN_DEV(AMIGO,              RT2870_1),
 131     RUN_DEV(AMIGO,              RT2870_2),
 132     RUN_DEV(AMIT,               CGWLUSB2GNR),
 133     RUN_DEV(AMIT,               RT2870_1),
 134     RUN_DEV(AMIT2,              RT2870),
 135     RUN_DEV(ASUS,               RT2870_1),
 136     RUN_DEV(ASUS,               RT2870_2),
 137     RUN_DEV(ASUS,               RT2870_3),
 138     RUN_DEV(ASUS,               RT2870_4),
 139     RUN_DEV(ASUS,               RT2870_5),
 140     RUN_DEV(ASUS,               USBN13),
 141     RUN_DEV(ASUS,               RT3070_1),
 142     RUN_DEV(ASUS,               USBN66),
 143     RUN_DEV(ASUS,               USB_N53),
 144     RUN_DEV(ASUS2,              USBN11),
 145     RUN_DEV(AZUREWAVE,          RT2870_1),
 146     RUN_DEV(AZUREWAVE,          RT2870_2),
 147     RUN_DEV(AZUREWAVE,          RT3070_1),
 148     RUN_DEV(AZUREWAVE,          RT3070_2),
 149     RUN_DEV(AZUREWAVE,          RT3070_3),
 150     RUN_DEV(BELKIN,             F9L1103),
 151     RUN_DEV(BELKIN,             F5D8053V3),
 152     RUN_DEV(BELKIN,             F5D8055),
 153     RUN_DEV(BELKIN,             F5D8055V2),
 154     RUN_DEV(BELKIN,             F6D4050V1),
 155     RUN_DEV(BELKIN,             F6D4050V2),
 156     RUN_DEV(BELKIN,             RT2870_1),
 157     RUN_DEV(BELKIN,             RT2870_2),
 158     RUN_DEV(CISCOLINKSYS,       AE1000),
 159     RUN_DEV(CISCOLINKSYS2,      RT3070),
 160     RUN_DEV(CISCOLINKSYS3,      RT3070),
 161     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
 162     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
 163     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
 164     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
 165     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
 166     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
 167     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
 168     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
 169     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
 170     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
 171     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
 172     RUN_DEV(COREGA,             CGWLUSB300GNM),
 173     RUN_DEV(COREGA,             RT2870_1),
 174     RUN_DEV(COREGA,             RT2870_2),
 175     RUN_DEV(COREGA,             RT2870_3),
 176     RUN_DEV(COREGA,             RT3070),
 177     RUN_DEV(CYBERTAN,           RT2870),
 178     RUN_DEV(DLINK,              RT2870),
 179     RUN_DEV(DLINK,              RT3072),
 180     RUN_DEV(DLINK,              DWA127),
 181     RUN_DEV(DLINK,              DWA140B3),
 182     RUN_DEV(DLINK,              DWA160B2),
 183     RUN_DEV(DLINK,              DWA162),
 184     RUN_DEV(DLINK2,             DWA130),
 185     RUN_DEV(DLINK2,             RT2870_1),
 186     RUN_DEV(DLINK2,             RT2870_2),
 187     RUN_DEV(DLINK2,             RT3070_1),
 188     RUN_DEV(DLINK2,             RT3070_2),
 189     RUN_DEV(DLINK2,             RT3070_3),
 190     RUN_DEV(DLINK2,             RT3070_4),
 191     RUN_DEV(DLINK2,             RT3070_5),
 192     RUN_DEV(DLINK2,             RT3072),
 193     RUN_DEV(DLINK2,             RT3072_1),
 194     RUN_DEV(EDIMAX,             EW7717),
 195     RUN_DEV(EDIMAX,             EW7718),
 196     RUN_DEV(EDIMAX,             EW7733UND),
 197     RUN_DEV(EDIMAX,             RT2870_1),
 198     RUN_DEV(ENCORE,             RT3070_1),
 199     RUN_DEV(ENCORE,             RT3070_2),
 200     RUN_DEV(ENCORE,             RT3070_3),
 201     RUN_DEV(GIGABYTE,           GNWB31N),
 202     RUN_DEV(GIGABYTE,           GNWB32L),
 203     RUN_DEV(GIGABYTE,           RT2870_1),
 204     RUN_DEV(GIGASET,            RT3070_1),
 205     RUN_DEV(GIGASET,            RT3070_2),
 206     RUN_DEV(GUILLEMOT,          HWNU300),
 207     RUN_DEV(HAWKING,            HWUN2),
 208     RUN_DEV(HAWKING,            RT2870_1),
 209     RUN_DEV(HAWKING,            RT2870_2),
 210     RUN_DEV(HAWKING,            RT3070),
 211     RUN_DEV(IODATA,             RT3072_1),
 212     RUN_DEV(IODATA,             RT3072_2),
 213     RUN_DEV(IODATA,             RT3072_3),
 214     RUN_DEV(IODATA,             RT3072_4),
 215     RUN_DEV(LINKSYS4,           RT3070),
 216     RUN_DEV(LINKSYS4,           WUSB100),
 217     RUN_DEV(LINKSYS4,           WUSB54GCV3),
 218     RUN_DEV(LINKSYS4,           WUSB600N),
 219     RUN_DEV(LINKSYS4,           WUSB600NV2),
 220     RUN_DEV(LOGITEC,            RT2870_1),
 221     RUN_DEV(LOGITEC,            RT2870_2),
 222     RUN_DEV(LOGITEC,            RT2870_3),
 223     RUN_DEV(LOGITEC,            LANW300NU2),
 224     RUN_DEV(LOGITEC,            LANW150NU2),
 225     RUN_DEV(LOGITEC,            LANW300NU2S),
 226     RUN_DEV(MELCO,              RT2870_1),
 227     RUN_DEV(MELCO,              RT2870_2),
 228     RUN_DEV(MELCO,              WLIUCAG300N),
 229     RUN_DEV(MELCO,              WLIUCG300N),
 230     RUN_DEV(MELCO,              WLIUCG301N),
 231     RUN_DEV(MELCO,              WLIUCGN),
 232     RUN_DEV(MELCO,              WLIUCGNM),
 233     RUN_DEV(MELCO,              WLIUCGNM2),
 234     RUN_DEV(MOTOROLA4,          RT2770),
 235     RUN_DEV(MOTOROLA4,          RT3070),
 236     RUN_DEV(MSI,                RT3070_1),
 237     RUN_DEV(MSI,                RT3070_2),
 238     RUN_DEV(MSI,                RT3070_3),
 239     RUN_DEV(MSI,                RT3070_4),
 240     RUN_DEV(MSI,                RT3070_5),
 241     RUN_DEV(MSI,                RT3070_6),
 242     RUN_DEV(MSI,                RT3070_7),
 243     RUN_DEV(MSI,                RT3070_8),
 244     RUN_DEV(MSI,                RT3070_9),
 245     RUN_DEV(MSI,                RT3070_10),
 246     RUN_DEV(MSI,                RT3070_11),
 247     RUN_DEV(OVISLINK,           RT3072),
 248     RUN_DEV(PARA,               RT3070),
 249     RUN_DEV(PEGATRON,           RT2870),
 250     RUN_DEV(PEGATRON,           RT3070),
 251     RUN_DEV(PEGATRON,           RT3070_2),
 252     RUN_DEV(PEGATRON,           RT3070_3),
 253     RUN_DEV(PHILIPS,            RT2870),
 254     RUN_DEV(PLANEX2,            GWUS300MINIS),
 255     RUN_DEV(PLANEX2,            GWUSMICRON),
 256     RUN_DEV(PLANEX2,            RT2870),
 257     RUN_DEV(PLANEX2,            RT3070),
 258     RUN_DEV(QCOM,               RT2870),
 259     RUN_DEV(QUANTA,             RT3070),
 260     RUN_DEV(RALINK,             RT2070),
 261     RUN_DEV(RALINK,             RT2770),
 262     RUN_DEV(RALINK,             RT2870),
 263     RUN_DEV(RALINK,             RT3070),
 264     RUN_DEV(RALINK,             RT3071),
 265     RUN_DEV(RALINK,             RT3072),
 266     RUN_DEV(RALINK,             RT3370),
 267     RUN_DEV(RALINK,             RT3572),
 268     RUN_DEV(RALINK,             RT3573),
 269     RUN_DEV(RALINK,             RT5370),
 270     RUN_DEV(RALINK,             RT5572),
 271     RUN_DEV(RALINK,             RT8070),
 272     RUN_DEV(SAMSUNG,            WIS09ABGN),
 273     RUN_DEV(SAMSUNG2,           RT2870_1),
 274     RUN_DEV(SENAO,              RT2870_1),
 275     RUN_DEV(SENAO,              RT2870_2),
 276     RUN_DEV(SENAO,              RT2870_3),
 277     RUN_DEV(SENAO,              RT2870_4),
 278     RUN_DEV(SENAO,              RT3070),
 279     RUN_DEV(SENAO,              RT3071),
 280     RUN_DEV(SENAO,              RT3072_1),
 281     RUN_DEV(SENAO,              RT3072_2),
 282     RUN_DEV(SENAO,              RT3072_3),
 283     RUN_DEV(SENAO,              RT3072_4),
 284     RUN_DEV(SENAO,              RT3072_5),
 285     RUN_DEV(SITECOMEU,          RT2770),
 286     RUN_DEV(SITECOMEU,          RT2870_1),
 287     RUN_DEV(SITECOMEU,          RT2870_2),
 288     RUN_DEV(SITECOMEU,          RT2870_3),
 289     RUN_DEV(SITECOMEU,          RT2870_4),
 290     RUN_DEV(SITECOMEU,          RT3070),
 291     RUN_DEV(SITECOMEU,          RT3070_2),
 292     RUN_DEV(SITECOMEU,          RT3070_3),
 293     RUN_DEV(SITECOMEU,          RT3070_4),
 294     RUN_DEV(SITECOMEU,          RT3071),
 295     RUN_DEV(SITECOMEU,          RT3072_1),
 296     RUN_DEV(SITECOMEU,          RT3072_2),
 297     RUN_DEV(SITECOMEU,          RT3072_3),
 298     RUN_DEV(SITECOMEU,          RT3072_4),
 299     RUN_DEV(SITECOMEU,          RT3072_5),
 300     RUN_DEV(SITECOMEU,          RT3072_6),
 301     RUN_DEV(SITECOMEU,          WL608),
 302     RUN_DEV(SPARKLAN,           RT2870_1),
 303     RUN_DEV(SPARKLAN,           RT3070),
 304     RUN_DEV(SWEEX2,             LW153),
 305     RUN_DEV(SWEEX2,             LW303),
 306     RUN_DEV(SWEEX2,             LW313),
 307     RUN_DEV(TOSHIBA,            RT3070),
 308     RUN_DEV(UMEDIA,             RT2870_1),
 309     RUN_DEV(ZCOM,               RT2870_1),
 310     RUN_DEV(ZCOM,               RT2870_2),
 311     RUN_DEV(ZINWELL,            RT2870_1),
 312     RUN_DEV(ZINWELL,            RT2870_2),
 313     RUN_DEV(ZINWELL,            RT3070),
 314     RUN_DEV(ZINWELL,            RT3072_1),
 315     RUN_DEV(ZINWELL,            RT3072_2),
 316     RUN_DEV(ZYXEL,              RT2870_1),
 317     RUN_DEV(ZYXEL,              RT2870_2),
 318     RUN_DEV_EJECT(ZYXEL,        NWD2705),
 319     RUN_DEV_EJECT(RALINK,       RT_STOR),
 320 #undef RUN_DEV_EJECT
 321 #undef RUN_DEV
 322 };
 323
 324 static device_probe_t   run_match;
 325 static device_attach_t  run_attach;
 326 static device_detach_t  run_detach;
 327
 328 static usb_callback_t   run_bulk_rx_callback;
 329 static usb_callback_t   run_bulk_tx_callback0;
 330 static usb_callback_t   run_bulk_tx_callback1;
 331 static usb_callback_t   run_bulk_tx_callback2;
 332 static usb_callback_t   run_bulk_tx_callback3;
 333 static usb_callback_t   run_bulk_tx_callback4;
 334 static usb_callback_t   run_bulk_tx_callback5;
 335
 336 static void     run_autoinst(void *, struct usb_device *,
 337                     struct usb_attach_arg *);
 338 static int      run_driver_loaded(struct module *, int, void *);
 339 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
 340                     usb_error_t error, u_int index);
 341 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
 342                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
 343                     const uint8_t [IEEE80211_ADDR_LEN],
 344                     const uint8_t [IEEE80211_ADDR_LEN]);
 345 static void     run_vap_delete(struct ieee80211vap *);
 346 static void     run_cmdq_cb(void *, int);
 347 static void     run_setup_tx_list(struct run_softc *,
 348                     struct run_endpoint_queue *);
 349 static void     run_unsetup_tx_list(struct run_softc *,
 350                     struct run_endpoint_queue *);
 351 static int      run_load_microcode(struct run_softc *);
 352 static int      run_reset(struct run_softc *);
 353 static usb_error_t run_do_request(struct run_softc *,
 354                     struct usb_device_request *, void *);
 355 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
 356 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
 357 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
 358 static int      run_write(struct run_softc *, uint16_t, uint32_t);
 359 static int      run_write_region_1(struct run_softc *, uint16_t,
 360                     const uint8_t *, int);
 361 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
 362 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
 363 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
 364 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
 365 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
 366 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
 367 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
 368 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
 369 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
 370 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
 371 static const char *run_get_rf(uint16_t);
 372 static void     run_rt3593_get_txpower(struct run_softc *);
 373 static void     run_get_txpower(struct run_softc *);
 374 static int      run_read_eeprom(struct run_softc *);
 375 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
 376                             const uint8_t mac[IEEE80211_ADDR_LEN]);
 377 static int      run_media_change(struct ifnet *);
 378 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
 379 static int      run_wme_update(struct ieee80211com *);
 380 static void     run_wme_update_cb(void *);
 381 static void     run_key_update_begin(struct ieee80211vap *);
 382 static void     run_key_update_end(struct ieee80211vap *);
 383 static void     run_key_set_cb(void *);
 384 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *,
 385                     const uint8_t mac[IEEE80211_ADDR_LEN]);
 386 static void     run_key_delete_cb(void *);
 387 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
 388 static void     run_ratectl_to(void *);
 389 static void     run_ratectl_cb(void *, int);
 390 static void     run_drain_fifo(void *);
 391 static void     run_iter_func(void *, struct ieee80211_node *);
 392 static void     run_newassoc_cb(void *);
 393 static void     run_newassoc(struct ieee80211_node *, int);
 394 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
 395 static void     run_tx_free(struct run_endpoint_queue *pq,
 396                     struct run_tx_data *, int);
 397 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
 398 static int      run_tx(struct run_softc *, struct mbuf *,
 399                     struct ieee80211_node *);
 400 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
 401                     struct ieee80211_node *);
 402 static int      run_sendprot(struct run_softc *, const struct mbuf *,
 403                     struct ieee80211_node *, int, int);
 404 static int      run_tx_param(struct run_softc *, struct mbuf *,
 405                     struct ieee80211_node *,
 406                     const struct ieee80211_bpf_params *);
 407 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
 408                     const struct ieee80211_bpf_params *);
 409 static void     run_start(struct ifnet *);
 410 static int      run_ioctl(struct ifnet *, u_long, caddr_t);
 411 static void     run_iq_calib(struct run_softc *, u_int);
 412 static void     run_set_agc(struct run_softc *, uint8_t);
 413 static void     run_select_chan_group(struct run_softc *, int);
 414 static void     run_set_rx_antenna(struct run_softc *, int);
 415 static void     run_rt2870_set_chan(struct run_softc *, u_int);
 416 static void     run_rt3070_set_chan(struct run_softc *, u_int);
 417 static void     run_rt3572_set_chan(struct run_softc *, u_int);
 418 static void     run_rt3593_set_chan(struct run_softc *, u_int);
 419 static void     run_rt5390_set_chan(struct run_softc *, u_int);
 420 static void     run_rt5592_set_chan(struct run_softc *, u_int);
 421 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
 422 static void     run_set_channel(struct ieee80211com *);
 423 static void     run_scan_start(struct ieee80211com *);
 424 static void     run_scan_end(struct ieee80211com *);
 425 static void     run_update_beacon(struct ieee80211vap *, int);
 426 static void     run_update_beacon_cb(void *);
 427 static void     run_updateprot(struct ieee80211com *);
 428 static void     run_updateprot_cb(void *);
 429 static void     run_usb_timeout_cb(void *);
 430 static void     run_reset_livelock(struct run_softc *);
 431 static void     run_enable_tsf_sync(struct run_softc *);
 432 static void     run_enable_mrr(struct run_softc *);
 433 static void     run_set_txpreamble(struct run_softc *);
 434 static void     run_set_basicrates(struct run_softc *);
 435 static void     run_set_leds(struct run_softc *, uint16_t);
 436 static void     run_set_bssid(struct run_softc *, const uint8_t *);
 437 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
 438 static void     run_updateslot(struct ifnet *);
 439 static void     run_updateslot_cb(void *);
 440 static void     run_update_mcast(struct ifnet *);
 441 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
 442 static void     run_update_promisc_locked(struct ifnet *);
 443 static void     run_update_promisc(struct ifnet *);
 444 static void     run_rt5390_bbp_init(struct run_softc *);
 445 static int      run_bbp_init(struct run_softc *);
 446 static int      run_rt3070_rf_init(struct run_softc *);
 447 static void     run_rt3593_rf_init(struct run_softc *);
 448 static void     run_rt5390_rf_init(struct run_softc *);
 449 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
 450                     uint8_t *);
 451 static void     run_rt3070_rf_setup(struct run_softc *);
 452 static void     run_rt3593_rf_setup(struct run_softc *);
 453 static void     run_rt5390_rf_setup(struct run_softc *);
 454 static int      run_txrx_enable(struct run_softc *);
 455 static void     run_adjust_freq_offset(struct run_softc *);
 456 static void     run_init(void *);
 457 static void     run_init_locked(struct run_softc *);
 458 static void     run_stop(void *);
 459 static void     run_delay(struct run_softc *, u_int);
 460
 461 static eventhandler_tag run_etag;
 462
 463 static const struct rt2860_rate {
 464         uint8_t         rate;
 465         uint8_t         mcs;
 466         enum            ieee80211_phytype phy;
 467         uint8_t         ctl_ridx;
 468         uint16_t        sp_ack_dur;
 469         uint16_t        lp_ack_dur;
 470 } rt2860_rates[] = {
 471         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
 472         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
 473         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
 474         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
 475         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
 476         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
 477         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
 478         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
 479         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
 480         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
 481         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
 482         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
 483 };
 484
 485 static const struct {
 486         uint16_t        reg;
 487         uint32_t        val;
 488 } rt2870_def_mac[] = {
 489         RT2870_DEF_MAC
 490 };
 491
 492 static const struct {
 493         uint8_t reg;
 494         uint8_t val;
 495 } rt2860_def_bbp[] = {
 496         RT2860_DEF_BBP
 497 },rt5390_def_bbp[] = {
 498         RT5390_DEF_BBP
 499 },rt5592_def_bbp[] = {
 500         RT5592_DEF_BBP
 501 };
 502
 503 /*
 504  * Default values for BBP register R196 for RT5592.
 505  */
 506 static const uint8_t rt5592_bbp_r196[] = {
 507         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
 508         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
 509         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
 510         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
 511         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
 512         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
 513         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 514         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
 515         0x2e, 0x36, 0x30, 0x6e
 516 };
 517
 518 static const struct rfprog {
 519         uint8_t         chan;
 520         uint32_t        r1, r2, r3, r4;
 521 } rt2860_rf2850[] = {
 522         RT2860_RF2850
 523 };
 524
 525 struct {
 526         uint8_t n, r, k;
 527 } rt3070_freqs[] = {
 528         RT3070_RF3052
 529 };
 530
 531 static const struct rt5592_freqs {
 532         uint16_t        n;
 533         uint8_t         k, m, r;
 534 } rt5592_freqs_20mhz[] = {
 535         RT5592_RF5592_20MHZ
 536 },rt5592_freqs_40mhz[] = {
 537         RT5592_RF5592_40MHZ
 538 };
 539
 540 static const struct {
 541         uint8_t reg;
 542         uint8_t val;
 543 } rt3070_def_rf[] = {
 544         RT3070_DEF_RF
 545 },rt3572_def_rf[] = {
 546         RT3572_DEF_RF
 547 },rt3593_def_rf[] = {
 548         RT3593_DEF_RF
 549 },rt5390_def_rf[] = {
 550         RT5390_DEF_RF
 551 },rt5392_def_rf[] = {
 552         RT5392_DEF_RF
 553 },rt5592_def_rf[] = {
 554         RT5592_DEF_RF
 555 },rt5592_2ghz_def_rf[] = {
 556         RT5592_2GHZ_DEF_RF
 557 },rt5592_5ghz_def_rf[] = {
 558         RT5592_5GHZ_DEF_RF
 559 };
 560
 561 static const struct {
 562         u_int   firstchan;
 563         u_int   lastchan;
 564         uint8_t reg;
 565         uint8_t val;
 566 } rt5592_chan_5ghz[] = {
 567         RT5592_CHAN_5GHZ
 568 };
 569
 570 static const struct usb_config run_config[RUN_N_XFER] = {
 571     [RUN_BULK_TX_BE] = {
 572         .type = UE_BULK,
 573         .endpoint = UE_ADDR_ANY,
 574         .ep_index = 0,
 575         .direction = UE_DIR_OUT,
 576         .bufsize = RUN_MAX_TXSZ,
 577         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 578         .callback = run_bulk_tx_callback0,
 579         .timeout = 5000,        /* ms */
 580     },
 581     [RUN_BULK_TX_BK] = {
 582         .type = UE_BULK,
 583         .endpoint = UE_ADDR_ANY,
 584         .direction = UE_DIR_OUT,
 585         .ep_index = 1,
 586         .bufsize = RUN_MAX_TXSZ,
 587         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 588         .callback = run_bulk_tx_callback1,
 589         .timeout = 5000,        /* ms */
 590     },
 591     [RUN_BULK_TX_VI] = {
 592         .type = UE_BULK,
 593         .endpoint = UE_ADDR_ANY,
 594         .direction = UE_DIR_OUT,
 595         .ep_index = 2,
 596         .bufsize = RUN_MAX_TXSZ,
 597         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 598         .callback = run_bulk_tx_callback2,
 599         .timeout = 5000,        /* ms */
 600     },
 601     [RUN_BULK_TX_VO] = {
 602         .type = UE_BULK,
 603         .endpoint = UE_ADDR_ANY,
 604         .direction = UE_DIR_OUT,
 605         .ep_index = 3,
 606         .bufsize = RUN_MAX_TXSZ,
 607         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 608         .callback = run_bulk_tx_callback3,
 609         .timeout = 5000,        /* ms */
 610     },
 611     [RUN_BULK_TX_HCCA] = {
 612         .type = UE_BULK,
 613         .endpoint = UE_ADDR_ANY,
 614         .direction = UE_DIR_OUT,
 615         .ep_index = 4,
 616         .bufsize = RUN_MAX_TXSZ,
 617         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
 618         .callback = run_bulk_tx_callback4,
 619         .timeout = 5000,        /* ms */
 620     },
 621     [RUN_BULK_TX_PRIO] = {
 622         .type = UE_BULK,
 623         .endpoint = UE_ADDR_ANY,
 624         .direction = UE_DIR_OUT,
 625         .ep_index = 5,
 626         .bufsize = RUN_MAX_TXSZ,
 627         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
 628         .callback = run_bulk_tx_callback5,
 629         .timeout = 5000,        /* ms */
 630     },
 631     [RUN_BULK_RX] = {
 632         .type = UE_BULK,
 633         .endpoint = UE_ADDR_ANY,
 634         .direction = UE_DIR_IN,
 635         .bufsize = RUN_MAX_RXSZ,
 636         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
 637         .callback = run_bulk_rx_callback,
 638     }
 639 };
 640
 641 static void
 642 run_autoinst(void *arg, struct usb_device *udev,
 643     struct usb_attach_arg *uaa)
 644 {
 645         struct usb_interface *iface;
 646         struct usb_interface_descriptor *id;
 647
 648         if (uaa->dev_state != UAA_DEV_READY)
 649                 return;
 650
 651         iface = usbd_get_iface(udev, 0);
 652         if (iface == NULL)
 653                 return;
 654         id = iface->idesc;
 655         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
 656                 return;
 657         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
 658                 return;
 659
 660         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
 661                 uaa->dev_state = UAA_DEV_EJECTING;
 662 }
 663
 664 static int
 665 run_driver_loaded(struct module *mod, int what, void *arg)
 666 {
 667         switch (what) {
 668         case MOD_LOAD:
 669                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
 670                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
 671                 break;
 672         case MOD_UNLOAD:
 673                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
 674                 break;
 675         default:
 676                 return (EOPNOTSUPP);
 677         }
 678         return (0);
 679 }
 680
 681 static int
 682 run_match(device_t self)
 683 {
 684         struct usb_attach_arg *uaa = device_get_ivars(self);
 685
 686         if (uaa->usb_mode != USB_MODE_HOST)
 687                 return (ENXIO);
 688         if (uaa->info.bConfigIndex != 0)
 689                 return (ENXIO);
 690         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
 691                 return (ENXIO);
 692
 693         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
 694 }
 695
 696 static int
 697 run_attach(device_t self)
 698 {
 699         struct run_softc *sc = device_get_softc(self);
 700         struct usb_attach_arg *uaa = device_get_ivars(self);
 701         struct ieee80211com *ic;
 702         struct ifnet *ifp;
 703         uint32_t ver;
 704         int ntries, error;
 705         uint8_t iface_index, bands;
 706
 707         device_set_usb_desc(self);
 708         sc->sc_udev = uaa->device;
 709         sc->sc_dev = self;
 710         if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
 711                 sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
 712
 713         mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
 714             MTX_NETWORK_LOCK, MTX_DEF);
 715
 716         iface_index = RT2860_IFACE_INDEX;
 717
 718         error = usbd_transfer_setup(uaa->device, &iface_index,
 719             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
 720         if (error) {
 721                 device_printf(self, "could not allocate USB transfers, "
 722                     "err=%s\n", usbd_errstr(error));
 723                 goto detach;
 724         }
 725
 726         RUN_LOCK(sc);
 727
 728         /* wait for the chip to settle */
 729         for (ntries = 0; ntries < 100; ntries++) {
 730                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
 731                         RUN_UNLOCK(sc);
 732                         goto detach;
 733                 }
 734                 if (ver != 0 && ver != 0xffffffff)
 735                         break;
 736                 run_delay(sc, 10);
 737         }
 738         if (ntries == 100) {
 739                 device_printf(sc->sc_dev,
 740                     "timeout waiting for NIC to initialize\n");
 741                 RUN_UNLOCK(sc);
 742                 goto detach;
 743         }
 744         sc->mac_ver = ver >> 16;
 745         sc->mac_rev = ver & 0xffff;
 746
 747         /* retrieve RF rev. no and various other things from EEPROM */
 748         run_read_eeprom(sc);
 749
 750         device_printf(sc->sc_dev,
 751             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
 752             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
 753             sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
 754
 755         RUN_UNLOCK(sc);
 756
 757         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
 758         if (ifp == NULL) {
 759                 device_printf(sc->sc_dev, "can not if_alloc()\n");
 760                 goto detach;
 761         }
 762         ic = ifp->if_l2com;
 763
 764         ifp->if_softc = sc;
 765         if_initname(ifp, "run", device_get_unit(sc->sc_dev));
 766         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
 767         ifp->if_init = run_init;
 768         ifp->if_ioctl = run_ioctl;
 769         ifp->if_start = run_start;
 770         IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
 771         ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
 772         IFQ_SET_READY(&ifp->if_snd);
 773
 774         ic->ic_ifp = ifp;
 775         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
 776         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
 777
 778         /* set device capabilities */
 779         ic->ic_caps =
 780             IEEE80211_C_STA |           /* station mode supported */
 781             IEEE80211_C_MONITOR |       /* monitor mode supported */
 782             IEEE80211_C_IBSS |
 783             IEEE80211_C_HOSTAP |
 784             IEEE80211_C_WDS |           /* 4-address traffic works */
 785             IEEE80211_C_MBSS |
 786             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
 787             IEEE80211_C_SHSLOT |        /* short slot time supported */
 788             IEEE80211_C_WME |           /* WME */
 789             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
 790
 791         ic->ic_cryptocaps =
 792             IEEE80211_CRYPTO_WEP |
 793             IEEE80211_CRYPTO_AES_CCM |
 794             IEEE80211_CRYPTO_TKIPMIC |
 795             IEEE80211_CRYPTO_TKIP;
 796
 797         ic->ic_flags |= IEEE80211_F_DATAPAD;
 798         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
 799
 800         bands = 0;
 801         setbit(&bands, IEEE80211_MODE_11B);
 802         setbit(&bands, IEEE80211_MODE_11G);
 803         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
 804             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
 805             sc->rf_rev == RT5592_RF_5592)
 806                 setbit(&bands, IEEE80211_MODE_11A);
 807         ieee80211_init_channels(ic, NULL, &bands);
 808
 809         ieee80211_ifattach(ic, sc->sc_bssid);
 810
 811         ic->ic_scan_start = run_scan_start;
 812         ic->ic_scan_end = run_scan_end;
 813         ic->ic_set_channel = run_set_channel;
 814         ic->ic_node_alloc = run_node_alloc;
 815         ic->ic_newassoc = run_newassoc;
 816         ic->ic_updateslot = run_updateslot;
 817         ic->ic_update_mcast = run_update_mcast;
 818         ic->ic_wme.wme_update = run_wme_update;
 819         ic->ic_raw_xmit = run_raw_xmit;
 820         ic->ic_update_promisc = run_update_promisc;
 821
 822         ic->ic_vap_create = run_vap_create;
 823         ic->ic_vap_delete = run_vap_delete;
 824
 825         ieee80211_radiotap_attach(ic,
 826             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
 827                 RUN_TX_RADIOTAP_PRESENT,
 828             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
 829                 RUN_RX_RADIOTAP_PRESENT);
 830
 831         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
 832         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
 833         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
 834
 835         if (bootverbose)
 836                 ieee80211_announce(ic);
 837
 838         return (0);
 839
 840 detach:
 841         run_detach(self);
 842         return (ENXIO);
 843 }
 844
 845 static int
 846 run_detach(device_t self)
 847 {
 848         struct run_softc *sc = device_get_softc(self);
 849         struct ifnet *ifp = sc->sc_ifp;
 850         struct ieee80211com *ic;
 851         int i;
 852
 853         RUN_LOCK(sc);
 854         sc->sc_detached = 1;
 855         RUN_UNLOCK(sc);
 856
 857         /* stop all USB transfers */
 858         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
 859
 860         RUN_LOCK(sc);
 861         sc->ratectl_run = RUN_RATECTL_OFF;
 862         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
 863
 864         /* free TX list, if any */
 865         for (i = 0; i != RUN_EP_QUEUES; i++)
 866                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
 867         RUN_UNLOCK(sc);
 868
 869         if (ifp) {
 870                 ic = ifp->if_l2com;
 871                 /* drain tasks */
 872                 usb_callout_drain(&sc->ratectl_ch);
 873                 ieee80211_draintask(ic, &sc->cmdq_task);
 874                 ieee80211_draintask(ic, &sc->ratectl_task);
 875                 ieee80211_ifdetach(ic);
 876                 if_free(ifp);
 877         }
 878
 879         mtx_destroy(&sc->sc_mtx);
 880
 881         return (0);
 882 }
 883
 884 static struct ieee80211vap *
 885 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
 886     enum ieee80211_opmode opmode, int flags,
 887     const uint8_t bssid[IEEE80211_ADDR_LEN],
 888     const uint8_t mac[IEEE80211_ADDR_LEN])
 889 {
 890         struct ifnet *ifp = ic->ic_ifp;
 891         struct run_softc *sc = ifp->if_softc;
 892         struct run_vap *rvp;
 893         struct ieee80211vap *vap;
 894         int i;
 895
 896         if (sc->rvp_cnt >= RUN_VAP_MAX) {
 897                 if_printf(ifp, "number of VAPs maxed out\n");
 898                 return (NULL);
 899         }
 900
 901         switch (opmode) {
 902         case IEEE80211_M_STA:
 903                 /* enable s/w bmiss handling for sta mode */
 904                 flags |= IEEE80211_CLONE_NOBEACONS;
 905                 /* fall though */
 906         case IEEE80211_M_IBSS:
 907         case IEEE80211_M_MONITOR:
 908         case IEEE80211_M_HOSTAP:
 909         case IEEE80211_M_MBSS:
 910                 /* other than WDS vaps, only one at a time */
 911                 if (!TAILQ_EMPTY(&ic->ic_vaps))
 912                         return (NULL);
 913                 break;
 914         case IEEE80211_M_WDS:
 915                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
 916                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
 917                                 continue;
 918                         /* WDS vap's always share the local mac address. */
 919                         flags &= ~IEEE80211_CLONE_BSSID;
 920                         break;
 921                 }
 922                 if (vap == NULL) {
 923                         if_printf(ifp, "wds only supported in ap mode\n");
 924                         return (NULL);
 925                 }
 926                 break;
 927         default:
 928                 if_printf(ifp, "unknown opmode %d\n", opmode);
 929                 return (NULL);
 930         }
 931
 932         rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
 933             M_80211_VAP, M_NOWAIT | M_ZERO);
 934         if (rvp == NULL)
 935                 return (NULL);
 936         vap = &rvp->vap;
 937
 938         if (ieee80211_vap_setup(ic, vap, name, unit,
 939             opmode, flags, bssid, mac) != 0) {
 940                 /* out of memory */
 941                 free(rvp, M_80211_VAP);
 942                 return (NULL);
 943         }
 944
 945         vap->iv_key_update_begin = run_key_update_begin;
 946         vap->iv_key_update_end = run_key_update_end;
 947         vap->iv_update_beacon = run_update_beacon;
 948         vap->iv_max_aid = RT2870_WCID_MAX;
 949         /*
 950          * To delete the right key from h/w, we need wcid.
 951          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
 952          * and matching wcid will be written into there. So, cast
 953          * some spells to remove 'const' from ieee80211_key{}
 954          */
 955         vap->iv_key_delete = (void *)run_key_delete;
 956         vap->iv_key_set = (void *)run_key_set;
 957
 958         /* override state transition machine */
 959         rvp->newstate = vap->iv_newstate;
 960         vap->iv_newstate = run_newstate;
 961
 962         ieee80211_ratectl_init(vap);
 963         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
 964
 965         /* complete setup */
 966         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
 967
 968         /* make sure id is always unique */
 969         for (i = 0; i < RUN_VAP_MAX; i++) {
 970                 if((sc->rvp_bmap & 1 << i) == 0){
 971                         sc->rvp_bmap |= 1 << i;
 972                         rvp->rvp_id = i;
 973                         break;
 974                 }
 975         }
 976         if (sc->rvp_cnt++ == 0)
 977                 ic->ic_opmode = opmode;
 978
 979         if (opmode == IEEE80211_M_HOSTAP)
 980                 sc->cmdq_run = RUN_CMDQ_GO;
 981
 982         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
 983             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
 984
 985         return (vap);
 986 }
 987
 988 static void
 989 run_vap_delete(struct ieee80211vap *vap)
 990 {
 991         struct run_vap *rvp = RUN_VAP(vap);
 992         struct ifnet *ifp;
 993         struct ieee80211com *ic;
 994         struct run_softc *sc;
 995         uint8_t rvp_id;
 996
 997         if (vap == NULL)
 998                 return;
 999
1000         ic = vap->iv_ic;
1001         ifp = ic->ic_ifp;
1002
1003         sc = ifp->if_softc;
1004
1005         RUN_LOCK(sc);
1006
1007         m_freem(rvp->beacon_mbuf);
1008         rvp->beacon_mbuf = NULL;
1009
1010         rvp_id = rvp->rvp_id;
1011         sc->ratectl_run &= ~(1 << rvp_id);
1012         sc->rvp_bmap &= ~(1 << rvp_id);
1013         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1014         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1015         --sc->rvp_cnt;
1016
1017         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1018             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1019
1020         RUN_UNLOCK(sc);
1021
1022         ieee80211_ratectl_deinit(vap);
1023         ieee80211_vap_detach(vap);
1024         free(rvp, M_80211_VAP);
1025 }
1026
1027 /*
1028  * There are numbers of functions need to be called in context thread.
1029  * Rather than creating taskqueue event for each of those functions,
1030  * here is all-for-one taskqueue callback function. This function
1031  * gurantees deferred functions are executed in the same order they
1032  * were enqueued.
1033  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1034  */
1035 static void
1036 run_cmdq_cb(void *arg, int pending)
1037 {
1038         struct run_softc *sc = arg;
1039         uint8_t i;
1040
1041         /* call cmdq[].func locked */
1042         RUN_LOCK(sc);
1043         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1044             i = sc->cmdq_exec, pending--) {
1045                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1046                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1047                         /*
1048                          * If arg0 is NULL, callback func needs more
1049                          * than one arg. So, pass ptr to cmdq struct.
1050                          */
1051                         if (sc->cmdq[i].arg0)
1052                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1053                         else
1054                                 sc->cmdq[i].func(&sc->cmdq[i]);
1055                 }
1056                 sc->cmdq[i].arg0 = NULL;
1057                 sc->cmdq[i].func = NULL;
1058                 sc->cmdq_exec++;
1059                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1060         }
1061         RUN_UNLOCK(sc);
1062 }
1063
1064 static void
1065 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1066 {
1067         struct run_tx_data *data;
1068
1069         memset(pq, 0, sizeof(*pq));
1070
1071         STAILQ_INIT(&pq->tx_qh);
1072         STAILQ_INIT(&pq->tx_fh);
1073
1074         for (data = &pq->tx_data[0];
1075             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1076                 data->sc = sc;
1077                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1078         }
1079         pq->tx_nfree = RUN_TX_RING_COUNT;
1080 }
1081
1082 static void
1083 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1084 {
1085         struct run_tx_data *data;
1086
1087         /* make sure any subsequent use of the queues will fail */
1088         pq->tx_nfree = 0;
1089         STAILQ_INIT(&pq->tx_fh);
1090         STAILQ_INIT(&pq->tx_qh);
1091
1092         /* free up all node references and mbufs */
1093         for (data = &pq->tx_data[0];
1094             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1095                 if (data->m != NULL) {
1096                         m_freem(data->m);
1097                         data->m = NULL;
1098                 }
1099                 if (data->ni != NULL) {
1100                         ieee80211_free_node(data->ni);
1101                         data->ni = NULL;
1102                 }
1103         }
1104 }
1105
1106 static int
1107 run_load_microcode(struct run_softc *sc)
1108 {
1109         usb_device_request_t req;
1110         const struct firmware *fw;
1111         const u_char *base;
1112         uint32_t tmp;
1113         int ntries, error;
1114         const uint64_t *temp;
1115         uint64_t bytes;
1116
1117         RUN_UNLOCK(sc);
1118         fw = firmware_get("runfw");
1119         RUN_LOCK(sc);
1120         if (fw == NULL) {
1121                 device_printf(sc->sc_dev,
1122                     "failed loadfirmware of file %s\n", "runfw");
1123                 return ENOENT;
1124         }
1125
1126         if (fw->datasize != 8192) {
1127                 device_printf(sc->sc_dev,
1128                     "invalid firmware size (should be 8KB)\n");
1129                 error = EINVAL;
1130                 goto fail;
1131         }
1132
1133         /*
1134          * RT3071/RT3072 use a different firmware
1135          * run-rt2870 (8KB) contains both,
1136          * first half (4KB) is for rt2870,
1137          * last half is for rt3071.
1138          */
1139         base = fw->data;
1140         if ((sc->mac_ver) != 0x2860 &&
1141             (sc->mac_ver) != 0x2872 &&
1142             (sc->mac_ver) != 0x3070) {
1143                 base += 4096;
1144         }
1145
1146         /* cheap sanity check */
1147         temp = fw->data;
1148         bytes = *temp;
1149         if (bytes != be64toh(0xffffff0210280210ULL)) {
1150                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1151                 error = EINVAL;
1152                 goto fail;
1153         }
1154
1155         /* write microcode image */
1156         if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1157                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1158                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1159                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1160         }
1161
1162         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1163         req.bRequest = RT2870_RESET;
1164         USETW(req.wValue, 8);
1165         USETW(req.wIndex, 0);
1166         USETW(req.wLength, 0);
1167         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1168             != 0) {
1169                 device_printf(sc->sc_dev, "firmware reset failed\n");
1170                 goto fail;
1171         }
1172
1173         run_delay(sc, 10);
1174
1175         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1176         run_write(sc, RT2860_H2M_MAILBOX, 0);
1177         run_write(sc, RT2860_H2M_INTSRC, 0);
1178         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1179                 goto fail;
1180
1181         /* wait until microcontroller is ready */
1182         for (ntries = 0; ntries < 1000; ntries++) {
1183                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1184                         goto fail;
1185                 if (tmp & RT2860_MCU_READY)
1186                         break;
1187                 run_delay(sc, 10);
1188         }
1189         if (ntries == 1000) {
1190                 device_printf(sc->sc_dev,
1191                     "timeout waiting for MCU to initialize\n");
1192                 error = ETIMEDOUT;
1193                 goto fail;
1194         }
1195         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1196             (base == fw->data) ? "RT2870" : "RT3071",
1197             *(base + 4092), *(base + 4093));
1198
1199 fail:
1200         firmware_put(fw, FIRMWARE_UNLOAD);
1201         return (error);
1202 }
1203
1204 static int
1205 run_reset(struct run_softc *sc)
1206 {
1207         usb_device_request_t req;
1208
1209         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1210         req.bRequest = RT2870_RESET;
1211         USETW(req.wValue, 1);
1212         USETW(req.wIndex, 0);
1213         USETW(req.wLength, 0);
1214         return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1215 }
1216
1217 static usb_error_t
1218 run_do_request(struct run_softc *sc,
1219     struct usb_device_request *req, void *data)
1220 {
1221         usb_error_t err;
1222         int ntries = 10;
1223
1224         RUN_LOCK_ASSERT(sc, MA_OWNED);
1225
1226         while (ntries--) {
1227                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1228                     req, data, 0, NULL, 250 /* ms */);
1229                 if (err == 0)
1230                         break;
1231                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1232                     usbd_errstr(err));
1233                 run_delay(sc, 10);
1234         }
1235         return (err);
1236 }
1237
1238 static int
1239 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1240 {
1241         uint32_t tmp;
1242         int error;
1243
1244         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1245         if (error == 0)
1246                 *val = le32toh(tmp);
1247         else
1248                 *val = 0xffffffff;
1249         return (error);
1250 }
1251
1252 static int
1253 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1254 {
1255         usb_device_request_t req;
1256
1257         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1258         req.bRequest = RT2870_READ_REGION_1;
1259         USETW(req.wValue, 0);
1260         USETW(req.wIndex, reg);
1261         USETW(req.wLength, len);
1262
1263         return (run_do_request(sc, &req, buf));
1264 }
1265
1266 static int
1267 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1268 {
1269         usb_device_request_t req;
1270
1271         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1272         req.bRequest = RT2870_WRITE_2;
1273         USETW(req.wValue, val);
1274         USETW(req.wIndex, reg);
1275         USETW(req.wLength, 0);
1276
1277         return (run_do_request(sc, &req, NULL));
1278 }
1279
1280 static int
1281 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1282 {
1283         int error;
1284
1285         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1286                 error = run_write_2(sc, reg + 2, val >> 16);
1287         return (error);
1288 }
1289
1290 static int
1291 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1292     int len)
1293 {
1294 #if 1
1295         int i, error = 0;
1296         /*
1297          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1298          * We thus issue multiple WRITE_2 commands instead.
1299          */
1300         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1301         for (i = 0; i < len && error == 0; i += 2)
1302                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1303         return (error);
1304 #else
1305         usb_device_request_t req;
1306         int error = 0;
1307
1308         /*
1309          * NOTE: It appears the WRITE_REGION_1 command cannot be
1310          * passed a huge amount of data, which will crash the
1311          * firmware. Limit amount of data passed to 64-bytes at a
1312          * time.
1313          */
1314         while (len > 0) {
1315                 int delta = 64;
1316                 if (delta > len)
1317                         delta = len;
1318
1319                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1320                 req.bRequest = RT2870_WRITE_REGION_1;
1321                 USETW(req.wValue, 0);
1322                 USETW(req.wIndex, reg);
1323                 USETW(req.wLength, delta);
1324                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1325                 if (error != 0)
1326                         break;
1327                 reg += delta;
1328                 buf += delta;
1329                 len -= delta;
1330         }
1331         return (error);
1332 #endif
1333 }
1334
1335 static int
1336 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1337 {
1338         int i, error = 0;
1339
1340         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1341         for (i = 0; i < len && error == 0; i += 4)
1342                 error = run_write(sc, reg + i, val);
1343         return (error);
1344 }
1345
1346 static int
1347 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1348 {
1349         uint32_t tmp;
1350         uint16_t reg;
1351         int error, ntries;
1352
1353         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1354                 return (error);
1355
1356         if (count == 2)
1357                 addr *= 2;
1358         /*-
1359          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1360          * DATA0: F E D C
1361          * DATA1: B A 9 8
1362          * DATA2: 7 6 5 4
1363          * DATA3: 3 2 1 0
1364          */
1365         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1366         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1367         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1368         for (ntries = 0; ntries < 100; ntries++) {
1369                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1370                         return (error);
1371                 if (!(tmp & RT3070_EFSROM_KICK))
1372                         break;
1373                 run_delay(sc, 2);
1374         }
1375         if (ntries == 100)
1376                 return (ETIMEDOUT);
1377
1378         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1379                 *val = 0xffff;  /* address not found */
1380                 return (0);
1381         }
1382         /* determine to which 32-bit register our 16-bit word belongs */
1383         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1384         if ((error = run_read(sc, reg, &tmp)) != 0)
1385                 return (error);
1386
1387         tmp >>= (8 * (addr & 0x3));
1388         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1389
1390         return (0);
1391 }
1392
1393 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1394 static int
1395 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1396 {
1397         return (run_efuse_read(sc, addr, val, 2));
1398 }
1399
1400 static int
1401 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1402 {
1403         usb_device_request_t req;
1404         uint16_t tmp;
1405         int error;
1406
1407         addr *= 2;
1408         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1409         req.bRequest = RT2870_EEPROM_READ;
1410         USETW(req.wValue, 0);
1411         USETW(req.wIndex, addr);
1412         USETW(req.wLength, sizeof(tmp));
1413
1414         error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1415         if (error == 0)
1416                 *val = le16toh(tmp);
1417         else
1418                 *val = 0xffff;
1419         return (error);
1420 }
1421
1422 static __inline int
1423 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1424 {
1425         /* either eFUSE ROM or EEPROM */
1426         return sc->sc_srom_read(sc, addr, val);
1427 }
1428
1429 static int
1430 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1431 {
1432         uint32_t tmp;
1433         int error, ntries;
1434
1435         for (ntries = 0; ntries < 10; ntries++) {
1436                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1437                         return (error);
1438                 if (!(tmp & RT2860_RF_REG_CTRL))
1439                         break;
1440         }
1441         if (ntries == 10)
1442                 return (ETIMEDOUT);
1443
1444         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1445 }
1446
1447 static int
1448 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1449 {
1450         uint32_t tmp;
1451         int error, ntries;
1452
1453         for (ntries = 0; ntries < 100; ntries++) {
1454                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1455                         return (error);
1456                 if (!(tmp & RT3070_RF_KICK))
1457                         break;
1458         }
1459         if (ntries == 100)
1460                 return (ETIMEDOUT);
1461
1462         tmp = RT3070_RF_KICK | reg << 8;
1463         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1464                 return (error);
1465
1466         for (ntries = 0; ntries < 100; ntries++) {
1467                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1468                         return (error);
1469                 if (!(tmp & RT3070_RF_KICK))
1470                         break;
1471         }
1472         if (ntries == 100)
1473                 return (ETIMEDOUT);
1474
1475         *val = tmp & 0xff;
1476         return (0);
1477 }
1478
1479 static int
1480 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1481 {
1482         uint32_t tmp;
1483         int error, ntries;
1484
1485         for (ntries = 0; ntries < 10; ntries++) {
1486                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1487                         return (error);
1488                 if (!(tmp & RT3070_RF_KICK))
1489                         break;
1490         }
1491         if (ntries == 10)
1492                 return (ETIMEDOUT);
1493
1494         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1495         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1496 }
1497
1498 static int
1499 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1500 {
1501         uint32_t tmp;
1502         int ntries, error;
1503
1504         for (ntries = 0; ntries < 10; ntries++) {
1505                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1506                         return (error);
1507                 if (!(tmp & RT2860_BBP_CSR_KICK))
1508                         break;
1509         }
1510         if (ntries == 10)
1511                 return (ETIMEDOUT);
1512
1513         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1514         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1515                 return (error);
1516
1517         for (ntries = 0; ntries < 10; ntries++) {
1518                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1519                         return (error);
1520                 if (!(tmp & RT2860_BBP_CSR_KICK))
1521                         break;
1522         }
1523         if (ntries == 10)
1524                 return (ETIMEDOUT);
1525
1526         *val = tmp & 0xff;
1527         return (0);
1528 }
1529
1530 static int
1531 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1532 {
1533         uint32_t tmp;
1534         int ntries, error;
1535
1536         for (ntries = 0; ntries < 10; ntries++) {
1537                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1538                         return (error);
1539                 if (!(tmp & RT2860_BBP_CSR_KICK))
1540                         break;
1541         }
1542         if (ntries == 10)
1543                 return (ETIMEDOUT);
1544
1545         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1546         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1547 }
1548
1549 /*
1550  * Send a command to the 8051 microcontroller unit.
1551  */
1552 static int
1553 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1554 {
1555         uint32_t tmp;
1556         int error, ntries;
1557
1558         for (ntries = 0; ntries < 100; ntries++) {
1559                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1560                         return error;
1561                 if (!(tmp & RT2860_H2M_BUSY))
1562                         break;
1563         }
1564         if (ntries == 100)
1565                 return ETIMEDOUT;
1566
1567         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1568         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1569                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1570         return (error);
1571 }
1572
1573 /*
1574  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1575  * Used to adjust per-rate Tx power registers.
1576  */
1577 static __inline uint32_t
1578 b4inc(uint32_t b32, int8_t delta)
1579 {
1580         int8_t i, b4;
1581
1582         for (i = 0; i < 8; i++) {
1583                 b4 = b32 & 0xf;
1584                 b4 += delta;
1585                 if (b4 < 0)
1586                         b4 = 0;
1587                 else if (b4 > 0xf)
1588                         b4 = 0xf;
1589                 b32 = b32 >> 4 | b4 << 28;
1590         }
1591         return (b32);
1592 }
1593
1594 static const char *
1595 run_get_rf(uint16_t rev)
1596 {
1597         switch (rev) {
1598         case RT2860_RF_2820:    return "RT2820";
1599         case RT2860_RF_2850:    return "RT2850";
1600         case RT2860_RF_2720:    return "RT2720";
1601         case RT2860_RF_2750:    return "RT2750";
1602         case RT3070_RF_3020:    return "RT3020";
1603         case RT3070_RF_2020:    return "RT2020";
1604         case RT3070_RF_3021:    return "RT3021";
1605         case RT3070_RF_3022:    return "RT3022";
1606         case RT3070_RF_3052:    return "RT3052";
1607         case RT3593_RF_3053:    return "RT3053";
1608         case RT5592_RF_5592:    return "RT5592";
1609         case RT5390_RF_5370:    return "RT5370";
1610         case RT5390_RF_5372:    return "RT5372";
1611         }
1612         return ("unknown");
1613 }
1614
1615 static void
1616 run_rt3593_get_txpower(struct run_softc *sc)
1617 {
1618         uint16_t addr, val;
1619         int i;
1620
1621         /* Read power settings for 2GHz channels. */
1622         for (i = 0; i < 14; i += 2) {
1623                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1624                     RT2860_EEPROM_PWR2GHZ_BASE1;
1625                 run_srom_read(sc, addr + i / 2, &val);
1626                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1627                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1628
1629                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1630                     RT2860_EEPROM_PWR2GHZ_BASE2;
1631                 run_srom_read(sc, addr + i / 2, &val);
1632                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1633                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1634
1635                 if (sc->ntxchains == 3) {
1636                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1637                             &val);
1638                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1639                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1640                 }
1641         }
1642         /* Fix broken Tx power entries. */
1643         for (i = 0; i < 14; i++) {
1644                 if (sc->txpow1[i] > 31)
1645                         sc->txpow1[i] = 5;
1646                 if (sc->txpow2[i] > 31)
1647                         sc->txpow2[i] = 5;
1648                 if (sc->ntxchains == 3) {
1649                         if (sc->txpow3[i] > 31)
1650                                 sc->txpow3[i] = 5;
1651                 }
1652         }
1653         /* Read power settings for 5GHz channels. */
1654         for (i = 0; i < 40; i += 2) {
1655                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1656                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1657                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1658
1659                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1660                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1661                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1662
1663                 if (sc->ntxchains == 3) {
1664                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1665                             &val);
1666                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1667                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1668                 }
1669         }
1670 }
1671
1672 static void
1673 run_get_txpower(struct run_softc *sc)
1674 {
1675         uint16_t val;
1676         int i;
1677
1678         /* Read power settings for 2GHz channels. */
1679         for (i = 0; i < 14; i += 2) {
1680                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1681                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1682                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1683
1684                 if (sc->mac_ver != 0x5390) {
1685                         run_srom_read(sc,
1686                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1687                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1688                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1689                 }
1690         }
1691         /* Fix broken Tx power entries. */
1692         for (i = 0; i < 14; i++) {
1693                 if (sc->mac_ver >= 0x5390) {
1694                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1695                                 sc->txpow1[i] = 5;
1696                 } else {
1697                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1698                                 sc->txpow1[i] = 5;
1699                 }
1700                 if (sc->mac_ver > 0x5390) {
1701                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1702                                 sc->txpow2[i] = 5;
1703                 } else if (sc->mac_ver < 0x5390) {
1704                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1705                                 sc->txpow2[i] = 5;
1706                 }
1707                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1708                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1709         }
1710         /* Read power settings for 5GHz channels. */
1711         for (i = 0; i < 40; i += 2) {
1712                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1713                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1714                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1715
1716                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1717                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1718                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1719         }
1720         /* Fix broken Tx power entries. */
1721         for (i = 0; i < 40; i++ ) {
1722                 if (sc->mac_ver != 0x5592) {
1723                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1724                                 sc->txpow1[14 + i] = 5;
1725                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1726                                 sc->txpow2[14 + i] = 5;
1727                 }
1728                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1729                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1730                     sc->txpow2[14 + i]);
1731         }
1732 }
1733
1734 static int
1735 run_read_eeprom(struct run_softc *sc)
1736 {
1737         int8_t delta_2ghz, delta_5ghz;
1738         uint32_t tmp;
1739         uint16_t val;
1740         int ridx, ant, i;
1741
1742         /* check whether the ROM is eFUSE ROM or EEPROM */
1743         sc->sc_srom_read = run_eeprom_read_2;
1744         if (sc->mac_ver >= 0x3070) {
1745                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1746                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1747                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1748                         sc->sc_srom_read = run_efuse_read_2;
1749         }
1750
1751         /* read ROM version */
1752         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1753         DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1754
1755         /* read MAC address */
1756         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1757         sc->sc_bssid[0] = val & 0xff;
1758         sc->sc_bssid[1] = val >> 8;
1759         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1760         sc->sc_bssid[2] = val & 0xff;
1761         sc->sc_bssid[3] = val >> 8;
1762         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1763         sc->sc_bssid[4] = val & 0xff;
1764         sc->sc_bssid[5] = val >> 8;
1765
1766         if (sc->mac_ver < 0x3593) {
1767                 /* read vender BBP settings */
1768                 for (i = 0; i < 10; i++) {
1769                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1770                         sc->bbp[i].val = val & 0xff;
1771                         sc->bbp[i].reg = val >> 8;
1772                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1773                             sc->bbp[i].val);
1774                 }
1775                 if (sc->mac_ver >= 0x3071) {
1776                         /* read vendor RF settings */
1777                         for (i = 0; i < 10; i++) {
1778                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1779                                    &val);
1780                                 sc->rf[i].val = val & 0xff;
1781                                 sc->rf[i].reg = val >> 8;
1782                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1783                                     sc->rf[i].val);
1784                         }
1785                 }
1786         }
1787
1788         /* read RF frequency offset from EEPROM */
1789         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1790             RT3593_EEPROM_FREQ, &val);
1791         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1792         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1793
1794         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1795             RT3593_EEPROM_FREQ_LEDS, &val);
1796         if (val >> 8 != 0xff) {
1797                 /* read LEDs operating mode */
1798                 sc->leds = val >> 8;
1799                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1800                     RT3593_EEPROM_LED1, &sc->led[0]);
1801                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1802                     RT3593_EEPROM_LED2, &sc->led[1]);
1803                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1804                     RT3593_EEPROM_LED3, &sc->led[2]);
1805         } else {
1806                 /* broken EEPROM, use default settings */
1807                 sc->leds = 0x01;
1808                 sc->led[0] = 0x5555;
1809                 sc->led[1] = 0x2221;
1810                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1811         }
1812         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1813             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1814
1815         /* read RF information */
1816         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1817                 run_srom_read(sc, 0x00, &val);
1818         else
1819                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1820
1821         if (val == 0xffff) {
1822                 device_printf(sc->sc_dev,
1823                     "invalid EEPROM antenna info, using default\n");
1824                 DPRINTF("invalid EEPROM antenna info, using default\n");
1825                 if (sc->mac_ver == 0x3572) {
1826                         /* default to RF3052 2T2R */
1827                         sc->rf_rev = RT3070_RF_3052;
1828                         sc->ntxchains = 2;
1829                         sc->nrxchains = 2;
1830                 } else if (sc->mac_ver >= 0x3070) {
1831                         /* default to RF3020 1T1R */
1832                         sc->rf_rev = RT3070_RF_3020;
1833                         sc->ntxchains = 1;
1834                         sc->nrxchains = 1;
1835                 } else {
1836                         /* default to RF2820 1T2R */
1837                         sc->rf_rev = RT2860_RF_2820;
1838                         sc->ntxchains = 1;
1839                         sc->nrxchains = 2;
1840                 }
1841         } else {
1842                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1843                         sc->rf_rev = val;
1844                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1845                 } else
1846                         sc->rf_rev = (val >> 8) & 0xf;
1847                 sc->ntxchains = (val >> 4) & 0xf;
1848                 sc->nrxchains = val & 0xf;
1849         }
1850         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1851             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1852
1853         /* check if RF supports automatic Tx access gain control */
1854         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1855         DPRINTF("EEPROM CFG 0x%04x\n", val);
1856         /* check if driver should patch the DAC issue */
1857         if ((val >> 8) != 0xff)
1858                 sc->patch_dac = (val >> 15) & 1;
1859         if ((val & 0xff) != 0xff) {
1860                 sc->ext_5ghz_lna = (val >> 3) & 1;
1861                 sc->ext_2ghz_lna = (val >> 2) & 1;
1862                 /* check if RF supports automatic Tx access gain control */
1863                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1864                 /* check if we have a hardware radio switch */
1865                 sc->rfswitch = val & 1;
1866         }
1867
1868         /* Read Tx power settings. */
1869         if (sc->mac_ver == 0x3593)
1870                 run_rt3593_get_txpower(sc);
1871         else
1872                 run_get_txpower(sc);
1873
1874         /* read Tx power compensation for each Tx rate */
1875         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1876         delta_2ghz = delta_5ghz = 0;
1877         if ((val & 0xff) != 0xff && (val & 0x80)) {
1878                 delta_2ghz = val & 0xf;
1879                 if (!(val & 0x40))      /* negative number */
1880                         delta_2ghz = -delta_2ghz;
1881         }
1882         val >>= 8;
1883         if ((val & 0xff) != 0xff && (val & 0x80)) {
1884                 delta_5ghz = val & 0xf;
1885                 if (!(val & 0x40))      /* negative number */
1886                         delta_5ghz = -delta_5ghz;
1887         }
1888         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1889             delta_2ghz, delta_5ghz);
1890
1891         for (ridx = 0; ridx < 5; ridx++) {
1892                 uint32_t reg;
1893
1894                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1895                 reg = val;
1896                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1897                 reg |= (uint32_t)val << 16;
1898
1899                 sc->txpow20mhz[ridx] = reg;
1900                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1901                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1902
1903                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1904                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1905                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1906         }
1907
1908         /* Read RSSI offsets and LNA gains from EEPROM. */
1909         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1910             RT3593_EEPROM_RSSI1_2GHZ, &val);
1911         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1912         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1913         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1914             RT3593_EEPROM_RSSI2_2GHZ, &val);
1915         if (sc->mac_ver >= 0x3070) {
1916                 if (sc->mac_ver == 0x3593) {
1917                         sc->txmixgain_2ghz = 0;
1918                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1919                 } else {
1920                         /*
1921                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1922                          * field contains the Tx mixer gain for the 2GHz band.
1923                          */
1924                         if ((val & 0xff) != 0xff)
1925                                 sc->txmixgain_2ghz = val & 0x7;
1926                 }
1927                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1928         } else
1929                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1930         if (sc->mac_ver == 0x3593)
1931                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1932         sc->lna[2] = val >> 8;          /* channel group 2 */
1933
1934         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1935             RT3593_EEPROM_RSSI1_5GHZ, &val);
1936         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1937         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1938         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1939             RT3593_EEPROM_RSSI2_5GHZ, &val);
1940         if (sc->mac_ver == 0x3572) {
1941                 /*
1942                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1943                  * field contains the Tx mixer gain for the 5GHz band.
1944                  */
1945                 if ((val & 0xff) != 0xff)
1946                         sc->txmixgain_5ghz = val & 0x7;
1947                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1948         } else
1949                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1950         if (sc->mac_ver == 0x3593) {
1951                 sc->txmixgain_5ghz = 0;
1952                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1953         }
1954         sc->lna[3] = val >> 8;          /* channel group 3 */
1955
1956         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1957             RT3593_EEPROM_LNA, &val);
1958         sc->lna[0] = val & 0xff;        /* channel group 0 */
1959         sc->lna[1] = val >> 8;          /* channel group 1 */
1960
1961         /* fix broken 5GHz LNA entries */
1962         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1963                 DPRINTF("invalid LNA for channel group %d\n", 2);
1964                 sc->lna[2] = sc->lna[1];
1965         }
1966         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1967                 DPRINTF("invalid LNA for channel group %d\n", 3);
1968                 sc->lna[3] = sc->lna[1];
1969         }
1970
1971         /* fix broken RSSI offset entries */
1972         for (ant = 0; ant < 3; ant++) {
1973                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1974                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1975                             ant + 1, sc->rssi_2ghz[ant]);
1976                         sc->rssi_2ghz[ant] = 0;
1977                 }
1978                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1979                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1980                             ant + 1, sc->rssi_5ghz[ant]);
1981                         sc->rssi_5ghz[ant] = 0;
1982                 }
1983         }
1984         return (0);
1985 }
1986
1987 static struct ieee80211_node *
1988 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1989 {
1990         return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1991 }
1992
1993 static int
1994 run_media_change(struct ifnet *ifp)
1995 {
1996         struct ieee80211vap *vap = ifp->if_softc;
1997         struct ieee80211com *ic = vap->iv_ic;
1998         const struct ieee80211_txparam *tp;
1999         struct run_softc *sc = ic->ic_ifp->if_softc;
2000         uint8_t rate, ridx;
2001         int error;
2002
2003         RUN_LOCK(sc);
2004
2005         error = ieee80211_media_change(ifp);
2006         if (error != ENETRESET) {
2007                 RUN_UNLOCK(sc);
2008                 return (error);
2009         }
2010
2011         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2012         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2013                 struct ieee80211_node *ni;
2014                 struct run_node *rn;
2015
2016                 rate = ic->ic_sup_rates[ic->ic_curmode].
2017                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2018                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2019                         if (rt2860_rates[ridx].rate == rate)
2020                                 break;
2021                 ni = ieee80211_ref_node(vap->iv_bss);
2022                 rn = (struct run_node *)ni;
2023                 rn->fix_ridx = ridx;
2024                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2025                 ieee80211_free_node(ni);
2026         }
2027
2028 #if 0
2029         if ((ifp->if_flags & IFF_UP) &&
2030             (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2031                 run_init_locked(sc);
2032         }
2033 #endif
2034
2035         RUN_UNLOCK(sc);
2036
2037         return (0);
2038 }
2039
2040 static int
2041 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2042 {
2043         const struct ieee80211_txparam *tp;
2044         struct ieee80211com *ic = vap->iv_ic;
2045         struct run_softc *sc = ic->ic_ifp->if_softc;
2046         struct run_vap *rvp = RUN_VAP(vap);
2047         enum ieee80211_state ostate;
2048         uint32_t sta[3];
2049         uint32_t tmp;
2050         uint8_t ratectl;
2051         uint8_t restart_ratectl = 0;
2052         uint8_t bid = 1 << rvp->rvp_id;
2053
2054         ostate = vap->iv_state;
2055         DPRINTF("%s -> %s\n",
2056                 ieee80211_state_name[ostate],
2057                 ieee80211_state_name[nstate]);
2058
2059         IEEE80211_UNLOCK(ic);
2060         RUN_LOCK(sc);
2061
2062         ratectl = sc->ratectl_run; /* remember current state */
2063         sc->ratectl_run = RUN_RATECTL_OFF;
2064         usb_callout_stop(&sc->ratectl_ch);
2065
2066         if (ostate == IEEE80211_S_RUN) {
2067                 /* turn link LED off */
2068                 run_set_leds(sc, RT2860_LED_RADIO);
2069         }
2070
2071         switch (nstate) {
2072         case IEEE80211_S_INIT:
2073                 restart_ratectl = 1;
2074
2075                 if (ostate != IEEE80211_S_RUN)
2076                         break;
2077
2078                 ratectl &= ~bid;
2079                 sc->runbmap &= ~bid;
2080
2081                 /* abort TSF synchronization if there is no vap running */
2082                 if (--sc->running == 0) {
2083                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2084                         run_write(sc, RT2860_BCN_TIME_CFG,
2085                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2086                             RT2860_TBTT_TIMER_EN));
2087                 }
2088                 break;
2089
2090         case IEEE80211_S_RUN:
2091                 if (!(sc->runbmap & bid)) {
2092                         if(sc->running++)
2093                                 restart_ratectl = 1;
2094                         sc->runbmap |= bid;
2095                 }
2096
2097                 m_freem(rvp->beacon_mbuf);
2098                 rvp->beacon_mbuf = NULL;
2099
2100                 switch (vap->iv_opmode) {
2101                 case IEEE80211_M_HOSTAP:
2102                 case IEEE80211_M_MBSS:
2103                         sc->ap_running |= bid;
2104                         ic->ic_opmode = vap->iv_opmode;
2105                         run_update_beacon_cb(vap);
2106                         break;
2107                 case IEEE80211_M_IBSS:
2108                         sc->adhoc_running |= bid;
2109                         if (!sc->ap_running)
2110                                 ic->ic_opmode = vap->iv_opmode;
2111                         run_update_beacon_cb(vap);
2112                         break;
2113                 case IEEE80211_M_STA:
2114                         sc->sta_running |= bid;
2115                         if (!sc->ap_running && !sc->adhoc_running)
2116                                 ic->ic_opmode = vap->iv_opmode;
2117
2118                         /* read statistic counters (clear on read) */
2119                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2120                             (uint8_t *)sta, sizeof sta);
2121
2122                         break;
2123                 default:
2124                         ic->ic_opmode = vap->iv_opmode;
2125                         break;
2126                 }
2127
2128                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2129                         struct ieee80211_node *ni;
2130
2131                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2132                                 RUN_UNLOCK(sc);
2133                                 IEEE80211_LOCK(ic);
2134                                 return (-1);
2135                         }
2136                         run_updateslot(ic->ic_ifp);
2137                         run_enable_mrr(sc);
2138                         run_set_txpreamble(sc);
2139                         run_set_basicrates(sc);
2140                         ni = ieee80211_ref_node(vap->iv_bss);
2141                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2142                         run_set_bssid(sc, ni->ni_bssid);
2143                         ieee80211_free_node(ni);
2144                         run_enable_tsf_sync(sc);
2145
2146                         /* enable automatic rate adaptation */
2147                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2148                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2149                                 ratectl |= bid;
2150                 }
2151
2152                 /* turn link LED on */
2153                 run_set_leds(sc, RT2860_LED_RADIO |
2154                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2155                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2156
2157                 break;
2158         default:
2159                 DPRINTFN(6, "undefined case\n");
2160                 break;
2161         }
2162
2163         /* restart amrr for running VAPs */
2164         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2165                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2166
2167         RUN_UNLOCK(sc);
2168         IEEE80211_LOCK(ic);
2169
2170         return(rvp->newstate(vap, nstate, arg));
2171 }
2172
2173 /* ARGSUSED */
2174 static void
2175 run_wme_update_cb(void *arg)
2176 {
2177         struct ieee80211com *ic = arg;
2178         struct run_softc *sc = ic->ic_ifp->if_softc;
2179         struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2180         int aci, error = 0;
2181
2182         RUN_LOCK_ASSERT(sc, MA_OWNED);
2183
2184         /* update MAC TX configuration registers */
2185         for (aci = 0; aci < WME_NUM_AC; aci++) {
2186                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2187                     wmesp->wme_params[aci].wmep_logcwmax << 16 |
2188                     wmesp->wme_params[aci].wmep_logcwmin << 12 |
2189                     wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2190                     wmesp->wme_params[aci].wmep_txopLimit);
2191                 if (error) goto err;
2192         }
2193
2194         /* update SCH/DMA registers too */
2195         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2196             wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2197             wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2198             wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2199             wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2200         if (error) goto err;
2201         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2202             wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2203             wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2204             wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2205             wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2206         if (error) goto err;
2207         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2208             wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2209             wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2210             wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2211             wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2212         if (error) goto err;
2213         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2214             wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2215             wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2216         if (error) goto err;
2217         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2218             wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2219             wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2220
2221 err:
2222         if (error)
2223                 DPRINTF("WME update failed\n");
2224
2225         return;
2226 }
2227
2228 static int
2229 run_wme_update(struct ieee80211com *ic)
2230 {
2231         struct run_softc *sc = ic->ic_ifp->if_softc;
2232
2233         /* sometime called wothout lock */
2234         if (mtx_owned(&ic->ic_comlock.mtx)) {
2235                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2236                 DPRINTF("cmdq_store=%d\n", i);
2237                 sc->cmdq[i].func = run_wme_update_cb;
2238                 sc->cmdq[i].arg0 = ic;
2239                 ieee80211_runtask(ic, &sc->cmdq_task);
2240                 return (0);
2241         }
2242
2243         RUN_LOCK(sc);
2244         run_wme_update_cb(ic);
2245         RUN_UNLOCK(sc);
2246
2247         /* return whatever, upper layer desn't care anyway */
2248         return (0);
2249 }
2250
2251 static void
2252 run_key_update_begin(struct ieee80211vap *vap)
2253 {
2254         /*
2255          * To avoid out-of-order events, both run_key_set() and
2256          * _delete() are deferred and handled by run_cmdq_cb().
2257          * So, there is nothing we need to do here.
2258          */
2259 }
2260
2261 static void
2262 run_key_update_end(struct ieee80211vap *vap)
2263 {
2264         /* null */
2265 }
2266
2267 static void
2268 run_key_set_cb(void *arg)
2269 {
2270         struct run_cmdq *cmdq = arg;
2271         struct ieee80211vap *vap = cmdq->arg1;
2272         struct ieee80211_key *k = cmdq->k;
2273         struct ieee80211com *ic = vap->iv_ic;
2274         struct run_softc *sc = ic->ic_ifp->if_softc;
2275         struct ieee80211_node *ni;
2276         uint32_t attr;
2277         uint16_t base, associd;
2278         uint8_t mode, wcid, iv[8];
2279
2280         RUN_LOCK_ASSERT(sc, MA_OWNED);
2281
2282         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2283                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2284         else
2285                 ni = vap->iv_bss;
2286         associd = (ni != NULL) ? ni->ni_associd : 0;
2287
2288         /* map net80211 cipher to RT2860 security mode */
2289         switch (k->wk_cipher->ic_cipher) {
2290         case IEEE80211_CIPHER_WEP:
2291                 if(k->wk_keylen < 8)
2292                         mode = RT2860_MODE_WEP40;
2293                 else
2294                         mode = RT2860_MODE_WEP104;
2295                 break;
2296         case IEEE80211_CIPHER_TKIP:
2297                 mode = RT2860_MODE_TKIP;
2298                 break;
2299         case IEEE80211_CIPHER_AES_CCM:
2300                 mode = RT2860_MODE_AES_CCMP;
2301                 break;
2302         default:
2303                 DPRINTF("undefined case\n");
2304                 return;
2305         }
2306
2307         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2308             associd, k->wk_keyix, mode,
2309             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2310             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2311             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2312
2313         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2314                 wcid = 0;       /* NB: update WCID0 for group keys */
2315                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2316         } else {
2317                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2318                     1 : RUN_AID2WCID(associd);
2319                 base = RT2860_PKEY(wcid);
2320         }
2321
2322         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2323                 if(run_write_region_1(sc, base, k->wk_key, 16))
2324                         return;
2325                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2326                         return;
2327                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2328                         return;
2329         } else {
2330                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2331                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2332                         return;
2333         }
2334
2335         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2336             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2337                 /* set initial packet number in IV+EIV */
2338                 if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2339                         memset(iv, 0, sizeof iv);
2340                         iv[3] = vap->iv_def_txkey << 6;
2341                 } else {
2342                         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2343                                 iv[0] = k->wk_keytsc >> 8;
2344                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2345                                 iv[2] = k->wk_keytsc;
2346                         } else /* CCMP */ {
2347                                 iv[0] = k->wk_keytsc;
2348                                 iv[1] = k->wk_keytsc >> 8;
2349                                 iv[2] = 0;
2350                         }
2351                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2352                         iv[4] = k->wk_keytsc >> 16;
2353                         iv[5] = k->wk_keytsc >> 24;
2354                         iv[6] = k->wk_keytsc >> 32;
2355                         iv[7] = k->wk_keytsc >> 40;
2356                 }
2357                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2358                         return;
2359         }
2360
2361         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2362                 /* install group key */
2363                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2364                         return;
2365                 attr &= ~(0xf << (k->wk_keyix * 4));
2366                 attr |= mode << (k->wk_keyix * 4);
2367                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2368                         return;
2369         } else {
2370                 /* install pairwise key */
2371                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2372                         return;
2373                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2374                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2375                         return;
2376         }
2377
2378         /* TODO create a pass-thru key entry? */
2379
2380         /* need wcid to delete the right key later */
2381         k->wk_pad = wcid;
2382 }
2383
2384 /*
2385  * Don't have to be deferred, but in order to keep order of
2386  * execution, i.e. with run_key_delete(), defer this and let
2387  * run_cmdq_cb() maintain the order.
2388  *
2389  * return 0 on error
2390  */
2391 static int
2392 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2393                 const uint8_t mac[IEEE80211_ADDR_LEN])
2394 {
2395         struct ieee80211com *ic = vap->iv_ic;
2396         struct run_softc *sc = ic->ic_ifp->if_softc;
2397         uint32_t i;
2398
2399         i = RUN_CMDQ_GET(&sc->cmdq_store);
2400         DPRINTF("cmdq_store=%d\n", i);
2401         sc->cmdq[i].func = run_key_set_cb;
2402         sc->cmdq[i].arg0 = NULL;
2403         sc->cmdq[i].arg1 = vap;
2404         sc->cmdq[i].k = k;
2405         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2406         ieee80211_runtask(ic, &sc->cmdq_task);
2407
2408         /*
2409          * To make sure key will be set when hostapd
2410          * calls iv_key_set() before if_init().
2411          */
2412         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2413                 RUN_LOCK(sc);
2414                 sc->cmdq_key_set = RUN_CMDQ_GO;
2415                 RUN_UNLOCK(sc);
2416         }
2417
2418         return (1);
2419 }
2420
2421 /*
2422  * If wlan is destroyed without being brought down i.e. without
2423  * wlan down or wpa_cli terminate, this function is called after
2424  * vap is gone. Don't refer it.
2425  */
2426 static void
2427 run_key_delete_cb(void *arg)
2428 {
2429         struct run_cmdq *cmdq = arg;
2430         struct run_softc *sc = cmdq->arg1;
2431         struct ieee80211_key *k = &cmdq->key;
2432         uint32_t attr;
2433         uint8_t wcid;
2434
2435         RUN_LOCK_ASSERT(sc, MA_OWNED);
2436
2437         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2438                 /* remove group key */
2439                 DPRINTF("removing group key\n");
2440                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2441                 attr &= ~(0xf << (k->wk_keyix * 4));
2442                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2443         } else {
2444                 /* remove pairwise key */
2445                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2446                 /* matching wcid was written to wk_pad in run_key_set() */
2447                 wcid = k->wk_pad;
2448                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2449                 attr &= ~0xf;
2450                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2451                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2452         }
2453
2454         k->wk_pad = 0;
2455 }
2456
2457 /*
2458  * return 0 on error
2459  */
2460 static int
2461 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2462 {
2463         struct ieee80211com *ic = vap->iv_ic;
2464         struct run_softc *sc = ic->ic_ifp->if_softc;
2465         struct ieee80211_key *k0;
2466         uint32_t i;
2467
2468         /*
2469          * When called back, key might be gone. So, make a copy
2470          * of some values need to delete keys before deferring.
2471          * But, because of LOR with node lock, cannot use lock here.
2472          * So, use atomic instead.
2473          */
2474         i = RUN_CMDQ_GET(&sc->cmdq_store);
2475         DPRINTF("cmdq_store=%d\n", i);
2476         sc->cmdq[i].func = run_key_delete_cb;
2477         sc->cmdq[i].arg0 = NULL;
2478         sc->cmdq[i].arg1 = sc;
2479         k0 = &sc->cmdq[i].key;
2480         k0->wk_flags = k->wk_flags;
2481         k0->wk_keyix = k->wk_keyix;
2482         /* matching wcid was written to wk_pad in run_key_set() */
2483         k0->wk_pad = k->wk_pad;
2484         ieee80211_runtask(ic, &sc->cmdq_task);
2485         return (1);     /* return fake success */
2486
2487 }
2488
2489 static void
2490 run_ratectl_to(void *arg)
2491 {
2492         struct run_softc *sc = arg;
2493
2494         /* do it in a process context, so it can go sleep */
2495         ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2496         /* next timeout will be rescheduled in the callback task */
2497 }
2498
2499 /* ARGSUSED */
2500 static void
2501 run_ratectl_cb(void *arg, int pending)
2502 {
2503         struct run_softc *sc = arg;
2504         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2505         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2506
2507         if (vap == NULL)
2508                 return;
2509
2510         if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2511                 /*
2512                  * run_reset_livelock() doesn't do anything with AMRR,
2513                  * but Ralink wants us to call it every 1 sec. So, we
2514                  * piggyback here rather than creating another callout.
2515                  * Livelock may occur only in HOSTAP or IBSS mode
2516                  * (when h/w is sending beacons).
2517                  */
2518                 RUN_LOCK(sc);
2519                 run_reset_livelock(sc);
2520                 /* just in case, there are some stats to drain */
2521                 run_drain_fifo(sc);
2522                 RUN_UNLOCK(sc);
2523         }
2524
2525         ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2526
2527         RUN_LOCK(sc);
2528         if(sc->ratectl_run != RUN_RATECTL_OFF)
2529                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2530         RUN_UNLOCK(sc);
2531 }
2532
2533 static void
2534 run_drain_fifo(void *arg)
2535 {
2536         struct run_softc *sc = arg;
2537         struct ifnet *ifp = sc->sc_ifp;
2538         uint32_t stat;
2539         uint16_t (*wstat)[3];
2540         uint8_t wcid, mcs, pid;
2541         int8_t retry;
2542
2543         RUN_LOCK_ASSERT(sc, MA_OWNED);
2544
2545         for (;;) {
2546                 /* drain Tx status FIFO (maxsize = 16) */
2547                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2548                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2549                 if (!(stat & RT2860_TXQ_VLD))
2550                         break;
2551
2552                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2553
2554                 /* if no ACK was requested, no feedback is available */
2555                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2556                     wcid == 0)
2557                         continue;
2558
2559                 /*
2560                  * Even though each stat is Tx-complete-status like format,
2561                  * the device can poll stats. Because there is no guarantee
2562                  * that the referring node is still around when read the stats.
2563                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2564                  * have hard time not to refer already freed node.
2565                  *
2566                  * To eliminate such page faults, we poll stats in softc.
2567                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2568                  */
2569                 wstat = &(sc->wcid_stats[wcid]);
2570                 (*wstat)[RUN_TXCNT]++;
2571                 if (stat & RT2860_TXQ_OK)
2572                         (*wstat)[RUN_SUCCESS]++;
2573                 else
2574                         ifp->if_oerrors++;
2575                 /*
2576                  * Check if there were retries, ie if the Tx success rate is
2577                  * different from the requested rate. Note that it works only
2578                  * because we do not allow rate fallback from OFDM to CCK.
2579                  */
2580                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2581                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2582                 if ((retry = pid -1 - mcs) > 0) {
2583                         (*wstat)[RUN_TXCNT] += retry;
2584                         (*wstat)[RUN_RETRY] += retry;
2585                 }
2586         }
2587         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2588
2589         sc->fifo_cnt = 0;
2590 }
2591
2592 static void
2593 run_iter_func(void *arg, struct ieee80211_node *ni)
2594 {
2595         struct run_softc *sc = arg;
2596         struct ieee80211vap *vap = ni->ni_vap;
2597         struct ieee80211com *ic = ni->ni_ic;
2598         struct ifnet *ifp = ic->ic_ifp;
2599         struct run_node *rn = (void *)ni;
2600         union run_stats sta[2];
2601         uint16_t (*wstat)[3];
2602         int txcnt, success, retrycnt, error;
2603
2604         RUN_LOCK(sc);
2605
2606         /* Check for special case */
2607         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2608             ni != vap->iv_bss)
2609                 goto fail;
2610
2611         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2612             vap->iv_opmode == IEEE80211_M_STA)) {
2613                 /* read statistic counters (clear on read) and update AMRR state */
2614                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2615                     sizeof sta);
2616                 if (error != 0)
2617                         goto fail;
2618
2619                 /* count failed TX as errors */
2620                 ifp->if_oerrors += le16toh(sta[0].error.fail);
2621
2622                 retrycnt = le16toh(sta[1].tx.retry);
2623                 success = le16toh(sta[1].tx.success);
2624                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2625
2626                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2627                         retrycnt, success, le16toh(sta[0].error.fail));
2628         } else {
2629                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2630
2631                 if (wstat == &(sc->wcid_stats[0]) ||
2632                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2633                         goto fail;
2634
2635                 txcnt = (*wstat)[RUN_TXCNT];
2636                 success = (*wstat)[RUN_SUCCESS];
2637                 retrycnt = (*wstat)[RUN_RETRY];
2638                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2639                     retrycnt, txcnt, success);
2640
2641                 memset(wstat, 0, sizeof(*wstat));
2642         }
2643
2644         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2645         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2646
2647 fail:
2648         RUN_UNLOCK(sc);
2649
2650         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2651 }
2652
2653 static void
2654 run_newassoc_cb(void *arg)
2655 {
2656         struct run_cmdq *cmdq = arg;
2657         struct ieee80211_node *ni = cmdq->arg1;
2658         struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2659         uint8_t wcid = cmdq->wcid;
2660
2661         RUN_LOCK_ASSERT(sc, MA_OWNED);
2662
2663         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2664             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2665
2666         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2667 }
2668
2669 static void
2670 run_newassoc(struct ieee80211_node *ni, int isnew)
2671 {
2672         struct run_node *rn = (void *)ni;
2673         struct ieee80211_rateset *rs = &ni->ni_rates;
2674         struct ieee80211vap *vap = ni->ni_vap;
2675         struct ieee80211com *ic = vap->iv_ic;
2676         struct run_softc *sc = ic->ic_ifp->if_softc;
2677         uint8_t rate;
2678         uint8_t ridx;
2679         uint8_t wcid;
2680         int i, j;
2681
2682         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2683             1 : RUN_AID2WCID(ni->ni_associd);
2684
2685         if (wcid > RT2870_WCID_MAX) {
2686                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2687                 return;
2688         }
2689
2690         /* only interested in true associations */
2691         if (isnew && ni->ni_associd != 0) {
2692
2693                 /*
2694                  * This function could is called though timeout function.
2695                  * Need to defer.
2696                  */
2697                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2698                 DPRINTF("cmdq_store=%d\n", cnt);
2699                 sc->cmdq[cnt].func = run_newassoc_cb;
2700                 sc->cmdq[cnt].arg0 = NULL;
2701                 sc->cmdq[cnt].arg1 = ni;
2702                 sc->cmdq[cnt].wcid = wcid;
2703                 ieee80211_runtask(ic, &sc->cmdq_task);
2704         }
2705
2706         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2707             isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2708
2709         for (i = 0; i < rs->rs_nrates; i++) {
2710                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2711                 /* convert 802.11 rate to hardware rate index */
2712                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2713                         if (rt2860_rates[ridx].rate == rate)
2714                                 break;
2715                 rn->ridx[i] = ridx;
2716                 /* determine rate of control response frames */
2717                 for (j = i; j >= 0; j--) {
2718                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2719                             rt2860_rates[rn->ridx[i]].phy ==
2720                             rt2860_rates[rn->ridx[j]].phy)
2721                                 break;
2722                 }
2723                 if (j >= 0) {
2724                         rn->ctl_ridx[i] = rn->ridx[j];
2725                 } else {
2726                         /* no basic rate found, use mandatory one */
2727                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2728                 }
2729                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2730                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2731         }
2732         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2733         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2734                 if (rt2860_rates[ridx].rate == rate)
2735                         break;
2736         rn->mgt_ridx = ridx;
2737         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2738
2739         RUN_LOCK(sc);
2740         if(sc->ratectl_run != RUN_RATECTL_OFF)
2741                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2742         RUN_UNLOCK(sc);
2743 }
2744
2745 /*
2746  * Return the Rx chain with the highest RSSI for a given frame.
2747  */
2748 static __inline uint8_t
2749 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2750 {
2751         uint8_t rxchain = 0;
2752
2753         if (sc->nrxchains > 1) {
2754                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2755                         rxchain = 1;
2756                 if (sc->nrxchains > 2)
2757                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2758                                 rxchain = 2;
2759         }
2760         return (rxchain);
2761 }
2762
2763 static void
2764 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2765 {
2766         struct ifnet *ifp = sc->sc_ifp;
2767         struct ieee80211com *ic = ifp->if_l2com;
2768         struct ieee80211_frame *wh;
2769         struct ieee80211_node *ni;
2770         struct rt2870_rxd *rxd;
2771         struct rt2860_rxwi *rxwi;
2772         uint32_t flags;
2773         uint16_t len, rxwisize;
2774         uint8_t ant, rssi;
2775         int8_t nf;
2776
2777         rxwi = mtod(m, struct rt2860_rxwi *);
2778         len = le16toh(rxwi->len) & 0xfff;
2779         rxwisize = sizeof(struct rt2860_rxwi);
2780         if (sc->mac_ver == 0x5592)
2781                 rxwisize += sizeof(uint64_t);
2782         else if (sc->mac_ver == 0x3593)
2783                 rxwisize += sizeof(uint32_t);
2784         if (__predict_false(len > dmalen)) {
2785                 m_freem(m);
2786                 ifp->if_ierrors++;
2787                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2788                 return;
2789         }
2790         /* Rx descriptor is located at the end */
2791         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2792         flags = le32toh(rxd->flags);
2793
2794         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2795                 m_freem(m);
2796                 ifp->if_ierrors++;
2797                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2798                 return;
2799         }
2800
2801         m->m_data += rxwisize;
2802         m->m_pkthdr.len = m->m_len -= rxwisize;
2803
2804         wh = mtod(m, struct ieee80211_frame *);
2805
2806         if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2807                 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
2808                 m->m_flags |= M_WEP;
2809         }
2810
2811         if (flags & RT2860_RX_L2PAD) {
2812                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2813                 len += 2;
2814         }
2815
2816         ni = ieee80211_find_rxnode(ic,
2817             mtod(m, struct ieee80211_frame_min *));
2818
2819         if (__predict_false(flags & RT2860_RX_MICERR)) {
2820                 /* report MIC failures to net80211 for TKIP */
2821                 if (ni != NULL)
2822                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2823                             rxwi->keyidx);
2824                 m_freem(m);
2825                 ifp->if_ierrors++;
2826                 DPRINTF("MIC error. Someone is lying.\n");
2827                 return;
2828         }
2829
2830         ant = run_maxrssi_chain(sc, rxwi);
2831         rssi = rxwi->rssi[ant];
2832         nf = run_rssi2dbm(sc, rssi, ant);
2833
2834         m->m_pkthdr.rcvif = ifp;
2835         m->m_pkthdr.len = m->m_len = len;
2836
2837         if (ni != NULL) {
2838                 (void)ieee80211_input(ni, m, rssi, nf);
2839                 ieee80211_free_node(ni);
2840         } else {
2841                 (void)ieee80211_input_all(ic, m, rssi, nf);
2842         }
2843
2844         if (__predict_false(ieee80211_radiotap_active(ic))) {
2845                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2846                 uint16_t phy;
2847
2848                 tap->wr_flags = 0;
2849                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2850                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2851                 tap->wr_antsignal = rssi;
2852                 tap->wr_antenna = ant;
2853                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2854                 tap->wr_rate = 2;       /* in case it can't be found below */
2855                 phy = le16toh(rxwi->phy);
2856                 switch (phy & RT2860_PHY_MODE) {
2857                 case RT2860_PHY_CCK:
2858                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2859                         case 0: tap->wr_rate =   2; break;
2860                         case 1: tap->wr_rate =   4; break;
2861                         case 2: tap->wr_rate =  11; break;
2862                         case 3: tap->wr_rate =  22; break;
2863                         }
2864                         if (phy & RT2860_PHY_SHPRE)
2865                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2866                         break;
2867                 case RT2860_PHY_OFDM:
2868                         switch (phy & RT2860_PHY_MCS) {
2869                         case 0: tap->wr_rate =  12; break;
2870                         case 1: tap->wr_rate =  18; break;
2871                         case 2: tap->wr_rate =  24; break;
2872                         case 3: tap->wr_rate =  36; break;
2873                         case 4: tap->wr_rate =  48; break;
2874                         case 5: tap->wr_rate =  72; break;
2875                         case 6: tap->wr_rate =  96; break;
2876                         case 7: tap->wr_rate = 108; break;
2877                         }
2878                         break;
2879                 }
2880         }
2881 }
2882
2883 static void
2884 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2885 {
2886         struct run_softc *sc = usbd_xfer_softc(xfer);
2887         struct ifnet *ifp = sc->sc_ifp;
2888         struct mbuf *m = NULL;
2889         struct mbuf *m0;
2890         uint32_t dmalen;
2891         uint16_t rxwisize;
2892         int xferlen;
2893
2894         rxwisize = sizeof(struct rt2860_rxwi);
2895         if (sc->mac_ver == 0x5592)
2896                 rxwisize += sizeof(uint64_t);
2897         else if (sc->mac_ver == 0x3593)
2898                 rxwisize += sizeof(uint32_t);
2899
2900         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2901
2902         switch (USB_GET_STATE(xfer)) {
2903         case USB_ST_TRANSFERRED:
2904
2905                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2906
2907                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2908                     sizeof(struct rt2870_rxd))) {
2909                         DPRINTF("xfer too short %d\n", xferlen);
2910                         goto tr_setup;
2911                 }
2912
2913                 m = sc->rx_m;
2914                 sc->rx_m = NULL;
2915
2916                 /* FALLTHROUGH */
2917         case USB_ST_SETUP:
2918 tr_setup:
2919                 if (sc->rx_m == NULL) {
2920                         sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2921                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2922                 }
2923                 if (sc->rx_m == NULL) {
2924                         DPRINTF("could not allocate mbuf - idle with stall\n");
2925                         ifp->if_ierrors++;
2926                         usbd_xfer_set_stall(xfer);
2927                         usbd_xfer_set_frames(xfer, 0);
2928                 } else {
2929                         /*
2930                          * Directly loading a mbuf cluster into DMA to
2931                          * save some data copying. This works because
2932                          * there is only one cluster.
2933                          */
2934                         usbd_xfer_set_frame_data(xfer, 0,
2935                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2936                         usbd_xfer_set_frames(xfer, 1);
2937                 }
2938                 usbd_transfer_submit(xfer);
2939                 break;
2940
2941         default:        /* Error */
2942                 if (error != USB_ERR_CANCELLED) {
2943                         /* try to clear stall first */
2944                         usbd_xfer_set_stall(xfer);
2945
2946                         if (error == USB_ERR_TIMEOUT)
2947                                 device_printf(sc->sc_dev, "device timeout\n");
2948
2949                         ifp->if_ierrors++;
2950
2951                         goto tr_setup;
2952                 }
2953                 if (sc->rx_m != NULL) {
2954                         m_freem(sc->rx_m);
2955                         sc->rx_m = NULL;
2956                 }
2957                 break;
2958         }
2959
2960         if (m == NULL)
2961                 return;
2962
2963         /* inputting all the frames must be last */
2964
2965         RUN_UNLOCK(sc);
2966
2967         m->m_pkthdr.len = m->m_len = xferlen;
2968
2969         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2970         for(;;) {
2971                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2972
2973                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2974                     ((dmalen & 3) != 0)) {
2975                         DPRINTF("bad DMA length %u\n", dmalen);
2976                         break;
2977                 }
2978                 if ((dmalen + 8) > (uint32_t)xferlen) {
2979                         DPRINTF("bad DMA length %u > %d\n",
2980                         dmalen + 8, xferlen);
2981                         break;
2982                 }
2983
2984                 /* If it is the last one or a single frame, we won't copy. */
2985                 if ((xferlen -= dmalen + 8) <= 8) {
2986                         /* trim 32-bit DMA-len header */
2987                         m->m_data += 4;
2988                         m->m_pkthdr.len = m->m_len -= 4;
2989                         run_rx_frame(sc, m, dmalen);
2990                         m = NULL;       /* don't free source buffer */
2991                         break;
2992                 }
2993
2994                 /* copy aggregated frames to another mbuf */
2995                 m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2996                 if (__predict_false(m0 == NULL)) {
2997                         DPRINTF("could not allocate mbuf\n");
2998                         ifp->if_ierrors++;
2999                         break;
3000                 }
3001                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3002                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3003                 m0->m_pkthdr.len = m0->m_len =
3004                     dmalen + sizeof(struct rt2870_rxd);
3005                 run_rx_frame(sc, m0, dmalen);
3006
3007                 /* update data ptr */
3008                 m->m_data += dmalen + 8;
3009                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
3010         }
3011
3012         /* make sure we free the source buffer, if any */
3013         m_freem(m);
3014
3015         RUN_LOCK(sc);
3016 }
3017
3018 static void
3019 run_tx_free(struct run_endpoint_queue *pq,
3020     struct run_tx_data *data, int txerr)
3021 {
3022         if (data->m != NULL) {
3023                 if (data->m->m_flags & M_TXCB)
3024                         ieee80211_process_callback(data->ni, data->m,
3025                             txerr ? ETIMEDOUT : 0);
3026                 m_freem(data->m);
3027                 data->m = NULL;
3028
3029                 if (data->ni == NULL) {
3030                         DPRINTF("no node\n");
3031                 } else {
3032                         ieee80211_free_node(data->ni);
3033                         data->ni = NULL;
3034                 }
3035         }
3036
3037         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3038         pq->tx_nfree++;
3039 }
3040
3041 static void
3042 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3043 {
3044         struct run_softc *sc = usbd_xfer_softc(xfer);
3045         struct ifnet *ifp = sc->sc_ifp;
3046         struct ieee80211com *ic = ifp->if_l2com;
3047         struct run_tx_data *data;
3048         struct ieee80211vap *vap = NULL;
3049         struct usb_page_cache *pc;
3050         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3051         struct mbuf *m;
3052         usb_frlength_t size;
3053         int actlen;
3054         int sumlen;
3055
3056         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3057
3058         switch (USB_GET_STATE(xfer)) {
3059         case USB_ST_TRANSFERRED:
3060                 DPRINTFN(11, "transfer complete: %d "
3061                     "bytes @ index %d\n", actlen, index);
3062
3063                 data = usbd_xfer_get_priv(xfer);
3064
3065                 run_tx_free(pq, data, 0);
3066                 ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3067
3068                 usbd_xfer_set_priv(xfer, NULL);
3069
3070                 ifp->if_opackets++;
3071
3072                 /* FALLTHROUGH */
3073         case USB_ST_SETUP:
3074 tr_setup:
3075                 data = STAILQ_FIRST(&pq->tx_qh);
3076                 if (data == NULL)
3077                         break;
3078
3079                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3080
3081                 m = data->m;
3082                 size = (sc->mac_ver == 0x5592) ?
3083                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3084                 if ((m->m_pkthdr.len +
3085                     size + 3 + 8) > RUN_MAX_TXSZ) {
3086                         DPRINTF("data overflow, %u bytes\n",
3087                             m->m_pkthdr.len);
3088
3089                         ifp->if_oerrors++;
3090
3091                         run_tx_free(pq, data, 1);
3092
3093                         goto tr_setup;
3094                 }
3095
3096                 pc = usbd_xfer_get_frame(xfer, 0);
3097                 usbd_copy_in(pc, 0, &data->desc, size);
3098                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3099                 size += m->m_pkthdr.len;
3100                 /*
3101                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3102                  * 4-byte padding), and be sure to zero those trailing
3103                  * bytes:
3104                  */
3105                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3106                 size += ((-size) & 3) + 8;
3107
3108                 vap = data->ni->ni_vap;
3109                 if (ieee80211_radiotap_active_vap(vap)) {
3110                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3111                         struct rt2860_txwi *txwi =
3112                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3113                         tap->wt_flags = 0;
3114                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3115                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3116                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3117                         tap->wt_hwqueue = index;
3118                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3119                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3120
3121                         ieee80211_radiotap_tx(vap, m);
3122                 }
3123
3124                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3125                     m->m_pkthdr.len, size, index);
3126
3127                 usbd_xfer_set_frame_len(xfer, 0, size);
3128                 usbd_xfer_set_priv(xfer, data);
3129
3130                 usbd_transfer_submit(xfer);
3131
3132                 RUN_UNLOCK(sc);
3133                 run_start(ifp);
3134                 RUN_LOCK(sc);
3135
3136                 break;
3137
3138         default:
3139                 DPRINTF("USB transfer error, %s\n",
3140                     usbd_errstr(error));
3141
3142                 data = usbd_xfer_get_priv(xfer);
3143
3144                 ifp->if_oerrors++;
3145
3146                 if (data != NULL) {
3147                         if(data->ni != NULL)
3148                                 vap = data->ni->ni_vap;
3149                         run_tx_free(pq, data, error);
3150                         usbd_xfer_set_priv(xfer, NULL);
3151                 }
3152                 if (vap == NULL)
3153                         vap = TAILQ_FIRST(&ic->ic_vaps);
3154
3155                 if (error != USB_ERR_CANCELLED) {
3156                         if (error == USB_ERR_TIMEOUT) {
3157                                 device_printf(sc->sc_dev, "device timeout\n");
3158                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3159                                 DPRINTF("cmdq_store=%d\n", i);
3160                                 sc->cmdq[i].func = run_usb_timeout_cb;
3161                                 sc->cmdq[i].arg0 = vap;
3162                                 ieee80211_runtask(ic, &sc->cmdq_task);
3163                         }
3164
3165                         /*
3166                          * Try to clear stall first, also if other
3167                          * errors occur, hence clearing stall
3168                          * introduces a 50 ms delay:
3169                          */
3170                         usbd_xfer_set_stall(xfer);
3171                         goto tr_setup;
3172                 }
3173                 break;
3174         }
3175 }
3176
3177 static void
3178 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3179 {
3180         run_bulk_tx_callbackN(xfer, error, 0);
3181 }
3182
3183 static void
3184 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3185 {
3186         run_bulk_tx_callbackN(xfer, error, 1);
3187 }
3188
3189 static void
3190 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3191 {
3192         run_bulk_tx_callbackN(xfer, error, 2);
3193 }
3194
3195 static void
3196 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3197 {
3198         run_bulk_tx_callbackN(xfer, error, 3);
3199 }
3200
3201 static void
3202 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3203 {
3204         run_bulk_tx_callbackN(xfer, error, 4);
3205 }
3206
3207 static void
3208 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3209 {
3210         run_bulk_tx_callbackN(xfer, error, 5);
3211 }
3212
3213 static void
3214 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3215 {
3216         struct mbuf *m = data->m;
3217         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3218         struct ieee80211vap *vap = data->ni->ni_vap;
3219         struct ieee80211_frame *wh;
3220         struct rt2870_txd *txd;
3221         struct rt2860_txwi *txwi;
3222         uint16_t xferlen, txwisize;
3223         uint16_t mcs;
3224         uint8_t ridx = data->ridx;
3225         uint8_t pad;
3226
3227         /* get MCS code from rate index */
3228         mcs = rt2860_rates[ridx].mcs;
3229
3230         txwisize = (sc->mac_ver == 0x5592) ?
3231             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3232         xferlen = txwisize + m->m_pkthdr.len;
3233
3234         /* roundup to 32-bit alignment */
3235         xferlen = (xferlen + 3) & ~3;
3236
3237         txd = (struct rt2870_txd *)&data->desc;
3238         txd->len = htole16(xferlen);
3239
3240         wh = mtod(m, struct ieee80211_frame *);
3241
3242         /*
3243          * Ether both are true or both are false, the header
3244          * are nicely aligned to 32-bit. So, no L2 padding.
3245          */
3246         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3247                 pad = 0;
3248         else
3249                 pad = 2;
3250
3251         /* setup TX Wireless Information */
3252         txwi = (struct rt2860_txwi *)(txd + 1);
3253         txwi->len = htole16(m->m_pkthdr.len - pad);
3254         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3255                 txwi->phy = htole16(RT2860_PHY_CCK);
3256                 if (ridx != RT2860_RIDX_CCK1 &&
3257                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3258                         mcs |= RT2860_PHY_SHPRE;
3259         } else
3260                 txwi->phy = htole16(RT2860_PHY_OFDM);
3261         txwi->phy |= htole16(mcs);
3262
3263         /* check if RTS/CTS or CTS-to-self protection is required */
3264         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3265             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3266              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3267               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3268                 txwi->txop |= RT2860_TX_TXOP_HT;
3269         else
3270                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3271
3272         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3273                 txwi->xflags |= RT2860_TX_NSEQ;
3274 }
3275
3276 /* This function must be called locked */
3277 static int
3278 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3279 {
3280         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3281         struct ieee80211vap *vap = ni->ni_vap;
3282         struct ieee80211_frame *wh;
3283         struct ieee80211_channel *chan;
3284         const struct ieee80211_txparam *tp;
3285         struct run_node *rn = (void *)ni;
3286         struct run_tx_data *data;
3287         struct rt2870_txd *txd;
3288         struct rt2860_txwi *txwi;
3289         uint16_t qos;
3290         uint16_t dur;
3291         uint16_t qid;
3292         uint8_t type;
3293         uint8_t tid;
3294         uint8_t ridx;
3295         uint8_t ctl_ridx;
3296         uint8_t qflags;
3297         uint8_t xflags = 0;
3298         int hasqos;
3299
3300         RUN_LOCK_ASSERT(sc, MA_OWNED);
3301
3302         wh = mtod(m, struct ieee80211_frame *);
3303
3304         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3305
3306         /*
3307          * There are 7 bulk endpoints: 1 for RX
3308          * and 6 for TX (4 EDCAs + HCCA + Prio).
3309          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3310          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3311          */
3312         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3313                 uint8_t *frm;
3314
3315                 if(IEEE80211_HAS_ADDR4(wh))
3316                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3317                 else
3318                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3319
3320                 qos = le16toh(*(const uint16_t *)frm);
3321                 tid = qos & IEEE80211_QOS_TID;
3322                 qid = TID_TO_WME_AC(tid);
3323         } else {
3324                 qos = 0;
3325                 tid = 0;
3326                 qid = WME_AC_BE;
3327         }
3328         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3329
3330         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3331             qos, qid, tid, qflags);
3332
3333         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3334         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3335
3336         /* pickup a rate index */
3337         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3338             type != IEEE80211_FC0_TYPE_DATA) {
3339                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3340                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3341                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3342         } else {
3343                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3344                         ridx = rn->fix_ridx;
3345                 else
3346                         ridx = rn->amrr_ridx;
3347                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3348         }
3349
3350         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3351             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3352              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3353                 xflags |= RT2860_TX_ACK;
3354                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3355                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3356                 else
3357                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3358                 USETW(wh->i_dur, dur);
3359         }
3360
3361         /* reserve slots for mgmt packets, just in case */
3362         if (sc->sc_epq[qid].tx_nfree < 3) {
3363                 DPRINTFN(10, "tx ring %d is full\n", qid);
3364                 return (-1);
3365         }
3366
3367         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3368         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3369         sc->sc_epq[qid].tx_nfree--;
3370
3371         txd = (struct rt2870_txd *)&data->desc;
3372         txd->flags = qflags;
3373         txwi = (struct rt2860_txwi *)(txd + 1);
3374         txwi->xflags = xflags;
3375         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3376                 txwi->wcid = 0;
3377         else
3378                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3379                     1 : RUN_AID2WCID(ni->ni_associd);
3380
3381         /* clear leftover garbage bits */
3382         txwi->flags = 0;
3383         txwi->txop = 0;
3384
3385         data->m = m;
3386         data->ni = ni;
3387         data->ridx = ridx;
3388
3389         run_set_tx_desc(sc, data);
3390
3391         /*
3392          * The chip keeps track of 2 kind of Tx stats,
3393          *  * TX_STAT_FIFO, for per WCID stats, and
3394          *  * TX_STA_CNT0 for all-TX-in-one stats.
3395          *
3396          * To use FIFO stats, we need to store MCS into the driver-private
3397          * PacketID field. So that, we can tell whose stats when we read them.
3398          * We add 1 to the MCS because setting the PacketID field to 0 means
3399          * that we don't want feedback in TX_STAT_FIFO.
3400          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3401          *
3402          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3403          */
3404         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3405             vap->iv_opmode == IEEE80211_M_MBSS) {
3406                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3407                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3408
3409                 /*
3410                  * Unlike PCI based devices, we don't get any interrupt from
3411                  * USB devices, so we simulate FIFO-is-full interrupt here.
3412                  * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3413                  * quickly get fulled. To prevent overflow, increment a counter on
3414                  * every FIFO stat request, so we know how many slots are left.
3415                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3416                  * are used only in those modes.
3417                  * We just drain stats. AMRR gets updated every 1 sec by
3418                  * run_ratectl_cb() via callout.
3419                  * Call it early. Otherwise overflow.
3420                  */
3421                 if (sc->fifo_cnt++ == 10) {
3422                         /*
3423                          * With multiple vaps or if_bridge, if_start() is called
3424                          * with a non-sleepable lock, tcpinp. So, need to defer.
3425                          */
3426                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3427                         DPRINTFN(6, "cmdq_store=%d\n", i);
3428                         sc->cmdq[i].func = run_drain_fifo;
3429                         sc->cmdq[i].arg0 = sc;
3430                         ieee80211_runtask(ic, &sc->cmdq_task);
3431                 }
3432         }
3433
3434         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3435
3436         usbd_transfer_start(sc->sc_xfer[qid]);
3437
3438         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3439             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3440             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3441
3442         return (0);
3443 }
3444
3445 static int
3446 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3447 {
3448         struct ifnet *ifp = sc->sc_ifp;
3449         struct ieee80211com *ic = ifp->if_l2com;
3450         struct run_node *rn = (void *)ni;
3451         struct run_tx_data *data;
3452         struct ieee80211_frame *wh;
3453         struct rt2870_txd *txd;
3454         struct rt2860_txwi *txwi;
3455         uint16_t dur;
3456         uint8_t ridx = rn->mgt_ridx;
3457         uint8_t type;
3458         uint8_t xflags = 0;
3459         uint8_t wflags = 0;
3460
3461         RUN_LOCK_ASSERT(sc, MA_OWNED);
3462
3463         wh = mtod(m, struct ieee80211_frame *);
3464
3465         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3466
3467         /* tell hardware to add timestamp for probe responses */
3468         if ((wh->i_fc[0] &
3469             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3470             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3471                 wflags |= RT2860_TX_TS;
3472         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3473                 xflags |= RT2860_TX_ACK;
3474
3475                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3476                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3477                 USETW(wh->i_dur, dur);
3478         }
3479
3480         if (sc->sc_epq[0].tx_nfree == 0) {
3481                 /* let caller free mbuf */
3482                 ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3483                 return (EIO);
3484         }
3485         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3486         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3487         sc->sc_epq[0].tx_nfree--;
3488
3489         txd = (struct rt2870_txd *)&data->desc;
3490         txd->flags = RT2860_TX_QSEL_EDCA;
3491         txwi = (struct rt2860_txwi *)(txd + 1);
3492         txwi->wcid = 0xff;
3493         txwi->flags = wflags;
3494         txwi->xflags = xflags;
3495         txwi->txop = 0; /* clear leftover garbage bits */
3496
3497         data->m = m;
3498         data->ni = ni;
3499         data->ridx = ridx;
3500
3501         run_set_tx_desc(sc, data);
3502
3503         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3504             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3505             rt2860_rates[ridx].rate);
3506
3507         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3508
3509         usbd_transfer_start(sc->sc_xfer[0]);
3510
3511         return (0);
3512 }
3513
3514 static int
3515 run_sendprot(struct run_softc *sc,
3516     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3517 {
3518         struct ieee80211com *ic = ni->ni_ic;
3519         struct ieee80211_frame *wh;
3520         struct run_tx_data *data;
3521         struct rt2870_txd *txd;
3522         struct rt2860_txwi *txwi;
3523         struct mbuf *mprot;
3524         int ridx;
3525         int protrate;
3526         int ackrate;
3527         int pktlen;
3528         int isshort;
3529         uint16_t dur;
3530         uint8_t type;
3531         uint8_t wflags = 0;
3532         uint8_t xflags = 0;
3533
3534         RUN_LOCK_ASSERT(sc, MA_OWNED);
3535
3536         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3537             ("protection %d", prot));
3538
3539         wh = mtod(m, struct ieee80211_frame *);
3540         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3541         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3542
3543         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3544         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3545
3546         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3547         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3548             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3549         wflags = RT2860_TX_FRAG;
3550
3551         /* check that there are free slots before allocating the mbuf */
3552         if (sc->sc_epq[0].tx_nfree == 0) {
3553                 /* let caller free mbuf */
3554                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3555                 return (ENOBUFS);
3556         }
3557
3558         if (prot == IEEE80211_PROT_RTSCTS) {
3559                 /* NB: CTS is the same size as an ACK */
3560                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3561                 xflags |= RT2860_TX_ACK;
3562                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3563         } else {
3564                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3565         }
3566         if (mprot == NULL) {
3567                 sc->sc_ifp->if_oerrors++;
3568                 DPRINTF("could not allocate mbuf\n");
3569                 return (ENOBUFS);
3570         }
3571
3572         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3573         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3574         sc->sc_epq[0].tx_nfree--;
3575
3576         txd = (struct rt2870_txd *)&data->desc;
3577         txd->flags = RT2860_TX_QSEL_EDCA;
3578         txwi = (struct rt2860_txwi *)(txd + 1);
3579         txwi->wcid = 0xff;
3580         txwi->flags = wflags;
3581         txwi->xflags = xflags;
3582         txwi->txop = 0; /* clear leftover garbage bits */
3583
3584         data->m = mprot;
3585         data->ni = ieee80211_ref_node(ni);
3586
3587         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3588                 if (rt2860_rates[ridx].rate == protrate)
3589                         break;
3590         data->ridx = ridx;
3591
3592         run_set_tx_desc(sc, data);
3593
3594         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3595             m->m_pkthdr.len, rate);
3596
3597         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3598
3599         usbd_transfer_start(sc->sc_xfer[0]);
3600
3601         return (0);
3602 }
3603
3604 static int
3605 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3606     const struct ieee80211_bpf_params *params)
3607 {
3608         struct ieee80211com *ic = ni->ni_ic;
3609         struct ieee80211_frame *wh;
3610         struct run_tx_data *data;
3611         struct rt2870_txd *txd;
3612         struct rt2860_txwi *txwi;
3613         uint8_t type;
3614         uint8_t ridx;
3615         uint8_t rate;
3616         uint8_t opflags = 0;
3617         uint8_t xflags = 0;
3618         int error;
3619
3620         RUN_LOCK_ASSERT(sc, MA_OWNED);
3621
3622         KASSERT(params != NULL, ("no raw xmit params"));
3623
3624         wh = mtod(m, struct ieee80211_frame *);
3625         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3626
3627         rate = params->ibp_rate0;
3628         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3629                 /* let caller free mbuf */
3630                 return (EINVAL);
3631         }
3632
3633         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3634                 xflags |= RT2860_TX_ACK;
3635         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3636                 error = run_sendprot(sc, m, ni,
3637                     params->ibp_flags & IEEE80211_BPF_RTS ?
3638                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3639                     rate);
3640                 if (error) {
3641                         /* let caller free mbuf */
3642                         return error;
3643                 }
3644                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3645         }
3646
3647         if (sc->sc_epq[0].tx_nfree == 0) {
3648                 /* let caller free mbuf */
3649                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3650                 DPRINTF("sending raw frame, but tx ring is full\n");
3651                 return (EIO);
3652         }
3653         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3654         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3655         sc->sc_epq[0].tx_nfree--;
3656
3657         txd = (struct rt2870_txd *)&data->desc;
3658         txd->flags = RT2860_TX_QSEL_EDCA;
3659         txwi = (struct rt2860_txwi *)(txd + 1);
3660         txwi->wcid = 0xff;
3661         txwi->xflags = xflags;
3662         txwi->txop = opflags;
3663         txwi->flags = 0;        /* clear leftover garbage bits */
3664
3665         data->m = m;
3666         data->ni = ni;
3667         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3668                 if (rt2860_rates[ridx].rate == rate)
3669                         break;
3670         data->ridx = ridx;
3671
3672         run_set_tx_desc(sc, data);
3673
3674         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3675             m->m_pkthdr.len, rate);
3676
3677         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3678
3679         usbd_transfer_start(sc->sc_xfer[0]);
3680
3681         return (0);
3682 }
3683
3684 static int
3685 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3686     const struct ieee80211_bpf_params *params)
3687 {
3688         struct ifnet *ifp = ni->ni_ic->ic_ifp;
3689         struct run_softc *sc = ifp->if_softc;
3690         int error = 0;
3691
3692         RUN_LOCK(sc);
3693
3694         /* prevent management frames from being sent if we're not ready */
3695         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3696                 error =  ENETDOWN;
3697                 goto done;
3698         }
3699
3700         if (params == NULL) {
3701                 /* tx mgt packet */
3702                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3703                         ifp->if_oerrors++;
3704                         DPRINTF("mgt tx failed\n");
3705                         goto done;
3706                 }
3707         } else {
3708                 /* tx raw packet with param */
3709                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3710                         ifp->if_oerrors++;
3711                         DPRINTF("tx with param failed\n");
3712                         goto done;
3713                 }
3714         }
3715
3716         ifp->if_opackets++;
3717
3718 done:
3719         RUN_UNLOCK(sc);
3720
3721         if (error != 0) {
3722                 if(m != NULL)
3723                         m_freem(m);
3724                 ieee80211_free_node(ni);
3725         }
3726
3727         return (error);
3728 }
3729
3730 static void
3731 run_start(struct ifnet *ifp)
3732 {
3733         struct run_softc *sc = ifp->if_softc;
3734         struct ieee80211_node *ni;
3735         struct mbuf *m;
3736
3737         RUN_LOCK(sc);
3738
3739         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3740                 RUN_UNLOCK(sc);
3741                 return;
3742         }
3743
3744         for (;;) {
3745                 /* send data frames */
3746                 IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3747                 if (m == NULL)
3748                         break;
3749
3750                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3751                 if (run_tx(sc, m, ni) != 0) {
3752                         IFQ_DRV_PREPEND(&ifp->if_snd, m);
3753                         ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3754                         break;
3755                 }
3756         }
3757
3758         RUN_UNLOCK(sc);
3759 }
3760
3761 static int
3762 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3763 {
3764         struct run_softc *sc = ifp->if_softc;
3765         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3766         struct ifreq *ifr = (struct ifreq *) data;
3767         int startall = 0;
3768         int error;
3769
3770         RUN_LOCK(sc);
3771         error = sc->sc_detached ? ENXIO : 0;
3772         RUN_UNLOCK(sc);
3773         if (error)
3774                 return (error);
3775
3776         switch (cmd) {
3777         case SIOCSIFFLAGS:
3778                 RUN_LOCK(sc);
3779                 if (ifp->if_flags & IFF_UP) {
3780                         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3781                                 startall = 1;
3782                                 run_init_locked(sc);
3783                         } else
3784                                 run_update_promisc_locked(ifp);
3785                 } else {
3786                         if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3787                             (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3788                                         run_stop(sc);
3789                         }
3790                 }
3791                 RUN_UNLOCK(sc);
3792                 if (startall)
3793                         ieee80211_start_all(ic);
3794                 break;
3795         case SIOCGIFMEDIA:
3796                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3797                 break;
3798         case SIOCGIFADDR:
3799                 error = ether_ioctl(ifp, cmd, data);
3800                 break;
3801         default:
3802                 error = EINVAL;
3803                 break;
3804         }
3805
3806         return (error);
3807 }
3808
3809 static void
3810 run_iq_calib(struct run_softc *sc, u_int chan)
3811 {
3812         uint16_t val;
3813
3814         /* Tx0 IQ gain. */
3815         run_bbp_write(sc, 158, 0x2c);
3816         if (chan <= 14)
3817                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3818         else if (chan <= 64) {
3819                 run_efuse_read(sc,
3820                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3821                     &val, 1);
3822         } else if (chan <= 138) {
3823                 run_efuse_read(sc,
3824                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3825                     &val, 1);
3826         } else if (chan <= 165) {
3827                 run_efuse_read(sc,
3828             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3829                     &val, 1);
3830         } else
3831                 val = 0;
3832         run_bbp_write(sc, 159, val);
3833
3834         /* Tx0 IQ phase. */
3835         run_bbp_write(sc, 158, 0x2d);
3836         if (chan <= 14) {
3837                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3838                     &val, 1);
3839         } else if (chan <= 64) {
3840                 run_efuse_read(sc,
3841                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3842                     &val, 1);
3843         } else if (chan <= 138) {
3844                 run_efuse_read(sc,
3845                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3846                     &val, 1);
3847         } else if (chan <= 165) {
3848                 run_efuse_read(sc,
3849                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3850                     &val, 1);
3851         } else
3852                 val = 0;
3853         run_bbp_write(sc, 159, val);
3854
3855         /* Tx1 IQ gain. */
3856         run_bbp_write(sc, 158, 0x4a);
3857         if (chan <= 14) {
3858                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3859                     &val, 1);
3860         } else if (chan <= 64) {
3861                 run_efuse_read(sc,
3862                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3863                     &val, 1);
3864         } else if (chan <= 138) {
3865                 run_efuse_read(sc,
3866                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3867                     &val, 1);
3868         } else if (chan <= 165) {
3869                 run_efuse_read(sc,
3870                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3871                     &val, 1);
3872         } else
3873                 val = 0;
3874         run_bbp_write(sc, 159, val);
3875
3876         /* Tx1 IQ phase. */
3877         run_bbp_write(sc, 158, 0x4b);
3878         if (chan <= 14) {
3879                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3880                     &val, 1);
3881         } else if (chan <= 64) {
3882                 run_efuse_read(sc,
3883                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3884                     &val, 1);
3885         } else if (chan <= 138) {
3886                 run_efuse_read(sc,
3887                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3888                     &val, 1);
3889         } else if (chan <= 165) {
3890                 run_efuse_read(sc,
3891                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3892                     &val, 1);
3893         } else
3894                 val = 0;
3895         run_bbp_write(sc, 159, val);
3896
3897         /* RF IQ compensation control. */
3898         run_bbp_write(sc, 158, 0x04);
3899         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3900             &val, 1);
3901         run_bbp_write(sc, 159, val);
3902
3903         /* RF IQ imbalance compensation control. */
3904         run_bbp_write(sc, 158, 0x03);
3905         run_efuse_read(sc,
3906             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3907         run_bbp_write(sc, 159, val);
3908 }
3909
3910 static void
3911 run_set_agc(struct run_softc *sc, uint8_t agc)
3912 {
3913         uint8_t bbp;
3914
3915         if (sc->mac_ver == 0x3572) {
3916                 run_bbp_read(sc, 27, &bbp);
3917                 bbp &= ~(0x3 << 5);
3918                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3919                 run_bbp_write(sc, 66, agc);
3920                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3921                 run_bbp_write(sc, 66, agc);
3922         } else
3923                 run_bbp_write(sc, 66, agc);
3924 }
3925
3926 static void
3927 run_select_chan_group(struct run_softc *sc, int group)
3928 {
3929         uint32_t tmp;
3930         uint8_t agc;
3931
3932         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3933         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3934         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3935         if (sc->mac_ver < 0x3572)
3936                 run_bbp_write(sc, 86, 0x00);
3937
3938         if (sc->mac_ver == 0x3593) {
3939                 run_bbp_write(sc, 77, 0x98);
3940                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3941         }
3942
3943         if (group == 0) {
3944                 if (sc->ext_2ghz_lna) {
3945                         if (sc->mac_ver >= 0x5390)
3946                                 run_bbp_write(sc, 75, 0x52);
3947                         else {
3948                                 run_bbp_write(sc, 82, 0x62);
3949                                 run_bbp_write(sc, 75, 0x46);
3950                         }
3951                 } else {
3952                         if (sc->mac_ver == 0x5592) {
3953                                 run_bbp_write(sc, 79, 0x1c);
3954                                 run_bbp_write(sc, 80, 0x0e);
3955                                 run_bbp_write(sc, 81, 0x3a);
3956                                 run_bbp_write(sc, 82, 0x62);
3957
3958                                 run_bbp_write(sc, 195, 0x80);
3959                                 run_bbp_write(sc, 196, 0xe0);
3960                                 run_bbp_write(sc, 195, 0x81);
3961                                 run_bbp_write(sc, 196, 0x1f);
3962                                 run_bbp_write(sc, 195, 0x82);
3963                                 run_bbp_write(sc, 196, 0x38);
3964                                 run_bbp_write(sc, 195, 0x83);
3965                                 run_bbp_write(sc, 196, 0x32);
3966                                 run_bbp_write(sc, 195, 0x85);
3967                                 run_bbp_write(sc, 196, 0x28);
3968                                 run_bbp_write(sc, 195, 0x86);
3969                                 run_bbp_write(sc, 196, 0x19);
3970                         } else if (sc->mac_ver >= 0x5390)
3971                                 run_bbp_write(sc, 75, 0x50);
3972                         else {
3973                                 run_bbp_write(sc, 82,
3974                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3975                                 run_bbp_write(sc, 75, 0x50);
3976                         }
3977                 }
3978         } else {
3979                 if (sc->mac_ver == 0x5592) {
3980                         run_bbp_write(sc, 79, 0x18);
3981                         run_bbp_write(sc, 80, 0x08);
3982                         run_bbp_write(sc, 81, 0x38);
3983                         run_bbp_write(sc, 82, 0x92);
3984
3985                         run_bbp_write(sc, 195, 0x80);
3986                         run_bbp_write(sc, 196, 0xf0);
3987                         run_bbp_write(sc, 195, 0x81);
3988                         run_bbp_write(sc, 196, 0x1e);
3989                         run_bbp_write(sc, 195, 0x82);
3990                         run_bbp_write(sc, 196, 0x28);
3991                         run_bbp_write(sc, 195, 0x83);
3992                         run_bbp_write(sc, 196, 0x20);
3993                         run_bbp_write(sc, 195, 0x85);
3994                         run_bbp_write(sc, 196, 0x7f);
3995                         run_bbp_write(sc, 195, 0x86);
3996                         run_bbp_write(sc, 196, 0x7f);
3997                 } else if (sc->mac_ver == 0x3572)
3998                         run_bbp_write(sc, 82, 0x94);
3999                 else
4000                         run_bbp_write(sc, 82,
4001                             (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
4002                 if (sc->ext_5ghz_lna)
4003                         run_bbp_write(sc, 75, 0x46);
4004                 else
4005                         run_bbp_write(sc, 75, 0x50);
4006         }
4007
4008         run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4009         tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4010         tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4011         run_write(sc, RT2860_TX_BAND_CFG, tmp);
4012
4013         /* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4014         tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4015         if (sc->mac_ver == 0x3593)
4016                 tmp |= 1 << 29 | 1 << 28;
4017         if (sc->nrxchains > 1)
4018                 tmp |= RT2860_LNA_PE1_EN;
4019         if (group == 0) {       /* 2GHz */
4020                 tmp |= RT2860_PA_PE_G0_EN;
4021                 if (sc->ntxchains > 1)
4022                         tmp |= RT2860_PA_PE_G1_EN;
4023                 if (sc->mac_ver == 0x3593) {
4024                         if (sc->ntxchains > 2)
4025                                 tmp |= 1 << 25;
4026                 }
4027         } else {                /* 5GHz */
4028                 tmp |= RT2860_PA_PE_A0_EN;
4029                 if (sc->ntxchains > 1)
4030                         tmp |= RT2860_PA_PE_A1_EN;
4031         }
4032         if (sc->mac_ver == 0x3572) {
4033                 run_rt3070_rf_write(sc, 8, 0x00);
4034                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4035                 run_rt3070_rf_write(sc, 8, 0x80);
4036         } else
4037                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4038
4039         if (sc->mac_ver == 0x5592) {
4040                 run_bbp_write(sc, 195, 0x8d);
4041                 run_bbp_write(sc, 196, 0x1a);
4042         }
4043
4044         if (sc->mac_ver == 0x3593) {
4045                 run_read(sc, RT2860_GPIO_CTRL, &tmp);
4046                 tmp &= ~0x01010000;
4047                 if (group == 0)
4048                         tmp |= 0x00010000;
4049                 tmp = (tmp & ~0x00009090) | 0x00000090;
4050                 run_write(sc, RT2860_GPIO_CTRL, tmp);
4051         }
4052
4053         /* set initial AGC value */
4054         if (group == 0) {       /* 2GHz band */
4055                 if (sc->mac_ver >= 0x3070)
4056                         agc = 0x1c + sc->lna[0] * 2;
4057                 else
4058                         agc = 0x2e + sc->lna[0];
4059         } else {                /* 5GHz band */
4060                 if (sc->mac_ver == 0x5592)
4061                         agc = 0x24 + sc->lna[group] * 2;
4062                 else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4063                         agc = 0x22 + (sc->lna[group] * 5) / 3;
4064                 else
4065                         agc = 0x32 + (sc->lna[group] * 5) / 3;
4066         }
4067         run_set_agc(sc, agc);
4068 }
4069
4070 static void
4071 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4072 {
4073         const struct rfprog *rfprog = rt2860_rf2850;
4074         uint32_t r2, r3, r4;
4075         int8_t txpow1, txpow2;
4076         int i;
4077
4078         /* find the settings for this channel (we know it exists) */
4079         for (i = 0; rfprog[i].chan != chan; i++);
4080
4081         r2 = rfprog[i].r2;
4082         if (sc->ntxchains == 1)
4083                 r2 |= 1 << 14;          /* 1T: disable Tx chain 2 */
4084         if (sc->nrxchains == 1)
4085                 r2 |= 1 << 17 | 1 << 6; /* 1R: disable Rx chains 2 & 3 */
4086         else if (sc->nrxchains == 2)
4087                 r2 |= 1 << 6;           /* 2R: disable Rx chain 3 */
4088
4089         /* use Tx power values from EEPROM */
4090         txpow1 = sc->txpow1[i];
4091         txpow2 = sc->txpow2[i];
4092
4093         /* Initialize RF R3 and R4. */
4094         r3 = rfprog[i].r3 & 0xffffc1ff;
4095         r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4096         if (chan > 14) {
4097                 if (txpow1 >= 0) {
4098                         txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4099                         r3 |= (txpow1 << 10) | (1 << 9);
4100                 } else {
4101                         txpow1 += 7;
4102
4103                         /* txpow1 is not possible larger than 15. */
4104                         r3 |= (txpow1 << 10);
4105                 }
4106                 if (txpow2 >= 0) {
4107                         txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4108                         r4 |= (txpow2 << 7) | (1 << 6);
4109                 } else {
4110                         txpow2 += 7;
4111                         r4 |= (txpow2 << 7);
4112                 }
4113         } else {
4114                 /* Set Tx0 power. */
4115                 r3 |= (txpow1 << 9);
4116
4117                 /* Set frequency offset and Tx1 power. */
4118                 r4 |= (txpow2 << 6);
4119         }
4120
4121         run_rt2870_rf_write(sc, rfprog[i].r1);
4122         run_rt2870_rf_write(sc, r2);
4123         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4124         run_rt2870_rf_write(sc, r4);
4125
4126         run_delay(sc, 10);
4127
4128         run_rt2870_rf_write(sc, rfprog[i].r1);
4129         run_rt2870_rf_write(sc, r2);
4130         run_rt2870_rf_write(sc, r3 | (1 << 2));
4131         run_rt2870_rf_write(sc, r4);
4132
4133         run_delay(sc, 10);
4134
4135         run_rt2870_rf_write(sc, rfprog[i].r1);
4136         run_rt2870_rf_write(sc, r2);
4137         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4138         run_rt2870_rf_write(sc, r4);
4139 }
4140
4141 static void
4142 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4143 {
4144         int8_t txpow1, txpow2;
4145         uint8_t rf;
4146         int i;
4147
4148         /* find the settings for this channel (we know it exists) */
4149         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4150
4151         /* use Tx power values from EEPROM */
4152         txpow1 = sc->txpow1[i];
4153         txpow2 = sc->txpow2[i];
4154
4155         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4156
4157         /* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4158         run_rt3070_rf_read(sc, 3, &rf);
4159         rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4160         run_rt3070_rf_write(sc, 3, rf);
4161
4162         run_rt3070_rf_read(sc, 6, &rf);
4163         rf = (rf & ~0x03) | rt3070_freqs[i].r;
4164         run_rt3070_rf_write(sc, 6, rf);
4165
4166         /* set Tx0 power */
4167         run_rt3070_rf_read(sc, 12, &rf);
4168         rf = (rf & ~0x1f) | txpow1;
4169         run_rt3070_rf_write(sc, 12, rf);
4170
4171         /* set Tx1 power */
4172         run_rt3070_rf_read(sc, 13, &rf);
4173         rf = (rf & ~0x1f) | txpow2;
4174         run_rt3070_rf_write(sc, 13, rf);
4175
4176         run_rt3070_rf_read(sc, 1, &rf);
4177         rf &= ~0xfc;
4178         if (sc->ntxchains == 1)
4179                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4180         else if (sc->ntxchains == 2)
4181                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4182         if (sc->nrxchains == 1)
4183                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4184         else if (sc->nrxchains == 2)
4185                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4186         run_rt3070_rf_write(sc, 1, rf);
4187
4188         /* set RF offset */
4189         run_rt3070_rf_read(sc, 23, &rf);
4190         rf = (rf & ~0x7f) | sc->freq;
4191         run_rt3070_rf_write(sc, 23, rf);
4192
4193         /* program RF filter */
4194         run_rt3070_rf_read(sc, 24, &rf);        /* Tx */
4195         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4196         run_rt3070_rf_write(sc, 24, rf);
4197         run_rt3070_rf_read(sc, 31, &rf);        /* Rx */
4198         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4199         run_rt3070_rf_write(sc, 31, rf);
4200
4201         /* enable RF tuning */
4202         run_rt3070_rf_read(sc, 7, &rf);
4203         run_rt3070_rf_write(sc, 7, rf | 0x01);
4204 }
4205
4206 static void
4207 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4208 {
4209         int8_t txpow1, txpow2;
4210         uint32_t tmp;
4211         uint8_t rf;
4212         int i;
4213
4214         /* find the settings for this channel (we know it exists) */
4215         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4216
4217         /* use Tx power values from EEPROM */
4218         txpow1 = sc->txpow1[i];
4219         txpow2 = sc->txpow2[i];
4220
4221         if (chan <= 14) {
4222                 run_bbp_write(sc, 25, sc->bbp25);
4223                 run_bbp_write(sc, 26, sc->bbp26);
4224         } else {
4225                 /* enable IQ phase correction */
4226                 run_bbp_write(sc, 25, 0x09);
4227                 run_bbp_write(sc, 26, 0xff);
4228         }
4229
4230         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4231         run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4232         run_rt3070_rf_read(sc, 6, &rf);
4233         rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4234         rf |= (chan <= 14) ? 0x08 : 0x04;
4235         run_rt3070_rf_write(sc, 6, rf);
4236
4237         /* set PLL mode */
4238         run_rt3070_rf_read(sc, 5, &rf);
4239         rf &= ~(0x08 | 0x04);
4240         rf |= (chan <= 14) ? 0x04 : 0x08;
4241         run_rt3070_rf_write(sc, 5, rf);
4242
4243         /* set Tx power for chain 0 */
4244         if (chan <= 14)
4245                 rf = 0x60 | txpow1;
4246         else
4247                 rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4248         run_rt3070_rf_write(sc, 12, rf);
4249
4250         /* set Tx power for chain 1 */
4251         if (chan <= 14)
4252                 rf = 0x60 | txpow2;
4253         else
4254                 rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4255         run_rt3070_rf_write(sc, 13, rf);
4256
4257         /* set Tx/Rx streams */
4258         run_rt3070_rf_read(sc, 1, &rf);
4259         rf &= ~0xfc;
4260         if (sc->ntxchains == 1)
4261                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4262         else if (sc->ntxchains == 2)
4263                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4264         if (sc->nrxchains == 1)
4265                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4266         else if (sc->nrxchains == 2)
4267                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4268         run_rt3070_rf_write(sc, 1, rf);
4269
4270         /* set RF offset */
4271         run_rt3070_rf_read(sc, 23, &rf);
4272         rf = (rf & ~0x7f) | sc->freq;
4273         run_rt3070_rf_write(sc, 23, rf);
4274
4275         /* program RF filter */
4276         rf = sc->rf24_20mhz;
4277         run_rt3070_rf_write(sc, 24, rf);        /* Tx */
4278         run_rt3070_rf_write(sc, 31, rf);        /* Rx */
4279
4280         /* enable RF tuning */
4281         run_rt3070_rf_read(sc, 7, &rf);
4282         rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4283         run_rt3070_rf_write(sc, 7, rf);
4284
4285         /* TSSI */
4286         rf = (chan <= 14) ? 0xc3 : 0xc0;
4287         run_rt3070_rf_write(sc, 9, rf);
4288
4289         /* set loop filter 1 */
4290         run_rt3070_rf_write(sc, 10, 0xf1);
4291         /* set loop filter 2 */
4292         run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4293
4294         /* set tx_mx2_ic */
4295         run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4296         /* set tx_mx1_ic */
4297         if (chan <= 14)
4298                 rf = 0x48 | sc->txmixgain_2ghz;
4299         else
4300                 rf = 0x78 | sc->txmixgain_5ghz;
4301         run_rt3070_rf_write(sc, 16, rf);
4302
4303         /* set tx_lo1 */
4304         run_rt3070_rf_write(sc, 17, 0x23);
4305         /* set tx_lo2 */
4306         if (chan <= 14)
4307                 rf = 0x93;
4308         else if (chan <= 64)
4309                 rf = 0xb7;
4310         else if (chan <= 128)
4311                 rf = 0x74;
4312         else
4313                 rf = 0x72;
4314         run_rt3070_rf_write(sc, 19, rf);
4315
4316         /* set rx_lo1 */
4317         if (chan <= 14)
4318                 rf = 0xb3;
4319         else if (chan <= 64)
4320                 rf = 0xf6;
4321         else if (chan <= 128)
4322                 rf = 0xf4;
4323         else
4324                 rf = 0xf3;
4325         run_rt3070_rf_write(sc, 20, rf);
4326
4327         /* set pfd_delay */
4328         if (chan <= 14)
4329                 rf = 0x15;
4330         else if (chan <= 64)
4331                 rf = 0x3d;
4332         else
4333                 rf = 0x01;
4334         run_rt3070_rf_write(sc, 25, rf);
4335
4336         /* set rx_lo2 */
4337         run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4338         /* set ldo_rf_vc */
4339         run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4340         /* set drv_cc */
4341         run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4342
4343         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4344         tmp &= ~0x8080;
4345         if (chan <= 14)
4346                 tmp |= 0x80;
4347         run_write(sc, RT2860_GPIO_CTRL, tmp);
4348
4349         /* enable RF tuning */
4350         run_rt3070_rf_read(sc, 7, &rf);
4351         run_rt3070_rf_write(sc, 7, rf | 0x01);
4352
4353         run_delay(sc, 2);
4354 }
4355
4356 static void
4357 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4358 {
4359         int8_t txpow1, txpow2, txpow3;
4360         uint8_t h20mhz, rf;
4361         int i;
4362
4363         /* find the settings for this channel (we know it exists) */
4364         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4365
4366         /* use Tx power values from EEPROM */
4367         txpow1 = sc->txpow1[i];
4368         txpow2 = sc->txpow2[i];
4369         txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4370
4371         if (chan <= 14) {
4372                 run_bbp_write(sc, 25, sc->bbp25);
4373                 run_bbp_write(sc, 26, sc->bbp26);
4374         } else {
4375                 /* Enable IQ phase correction. */
4376                 run_bbp_write(sc, 25, 0x09);
4377                 run_bbp_write(sc, 26, 0xff);
4378         }
4379
4380         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4381         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4382         run_rt3070_rf_read(sc, 11, &rf);
4383         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4384         run_rt3070_rf_write(sc, 11, rf);
4385
4386         /* Set pll_idoh. */
4387         run_rt3070_rf_read(sc, 11, &rf);
4388         rf &= ~0x4c;
4389         rf |= (chan <= 14) ? 0x44 : 0x48;
4390         run_rt3070_rf_write(sc, 11, rf);
4391
4392         if (chan <= 14)
4393                 rf = txpow1 & 0x1f;
4394         else
4395                 rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4396         run_rt3070_rf_write(sc, 53, rf);
4397
4398         if (chan <= 14)
4399                 rf = txpow2 & 0x1f;
4400         else
4401                 rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4402         run_rt3070_rf_write(sc, 55, rf);
4403
4404         if (chan <= 14)
4405                 rf = txpow3 & 0x1f;
4406         else
4407                 rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4408         run_rt3070_rf_write(sc, 54, rf);
4409
4410         rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4411         if (sc->ntxchains == 3)
4412                 rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4413         else
4414                 rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4415         rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4416         run_rt3070_rf_write(sc, 1, rf);
4417
4418         run_adjust_freq_offset(sc);
4419
4420         run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4421
4422         h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4423         run_rt3070_rf_read(sc, 30, &rf);
4424         rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4425         run_rt3070_rf_write(sc, 30, rf);
4426
4427         run_rt3070_rf_read(sc, 36, &rf);
4428         if (chan <= 14)
4429                 rf |= 0x80;
4430         else
4431                 rf &= ~0x80;
4432         run_rt3070_rf_write(sc, 36, rf);
4433
4434         /* Set vcolo_bs. */
4435         run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4436         /* Set pfd_delay. */
4437         run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4438
4439         /* Set vco bias current control. */
4440         run_rt3070_rf_read(sc, 6, &rf);
4441         rf &= ~0xc0;
4442         if (chan <= 14)
4443                 rf |= 0x40;
4444         else if (chan <= 128)
4445                 rf |= 0x80;
4446         else
4447                 rf |= 0x40;
4448         run_rt3070_rf_write(sc, 6, rf);
4449
4450         run_rt3070_rf_read(sc, 30, &rf);
4451         rf = (rf & ~0x18) | 0x10;
4452         run_rt3070_rf_write(sc, 30, rf);
4453
4454         run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4455         run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4456
4457         run_rt3070_rf_read(sc, 51, &rf);
4458         rf = (rf & ~0x03) | 0x01;
4459         run_rt3070_rf_write(sc, 51, rf);
4460         /* Set tx_mx1_cc. */
4461         run_rt3070_rf_read(sc, 51, &rf);
4462         rf &= ~0x1c;
4463         rf |= (chan <= 14) ? 0x14 : 0x10;
4464         run_rt3070_rf_write(sc, 51, rf);
4465         /* Set tx_mx1_ic. */
4466         run_rt3070_rf_read(sc, 51, &rf);
4467         rf &= ~0xe0;
4468         rf |= (chan <= 14) ? 0x60 : 0x40;
4469         run_rt3070_rf_write(sc, 51, rf);
4470         /* Set tx_lo1_ic. */
4471         run_rt3070_rf_read(sc, 49, &rf);
4472         rf &= ~0x1c;
4473         rf |= (chan <= 14) ? 0x0c : 0x08;
4474         run_rt3070_rf_write(sc, 49, rf);
4475         /* Set tx_lo1_en. */
4476         run_rt3070_rf_read(sc, 50, &rf);
4477         run_rt3070_rf_write(sc, 50, rf & ~0x20);
4478         /* Set drv_cc. */
4479         run_rt3070_rf_read(sc, 57, &rf);
4480         rf &= ~0xfc;
4481         rf |= (chan <= 14) ?  0x6c : 0x3c;
4482         run_rt3070_rf_write(sc, 57, rf);
4483         /* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4484         run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4485         /* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4486         run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4487         /* Enable VCO calibration. */
4488         run_rt3070_rf_read(sc, 3, &rf);
4489         rf &= ~RT5390_VCOCAL;
4490         rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4491         run_rt3070_rf_write(sc, 3, rf);
4492
4493         if (chan <= 14)
4494                 rf = 0x23;
4495         else if (chan <= 64)
4496                 rf = 0x36;
4497         else if (chan <= 128)
4498                 rf = 0x32;
4499         else
4500                 rf = 0x30;
4501         run_rt3070_rf_write(sc, 39, rf);
4502         if (chan <= 14)
4503                 rf = 0xbb;
4504         else if (chan <= 64)
4505                 rf = 0xeb;
4506         else if (chan <= 128)
4507                 rf = 0xb3;
4508         else
4509                 rf = 0x9b;
4510         run_rt3070_rf_write(sc, 45, rf);
4511
4512         /* Set FEQ/AEQ control. */
4513         run_bbp_write(sc, 105, 0x34);
4514 }
4515
4516 static void
4517 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4518 {
4519         int8_t txpow1, txpow2;
4520         uint8_t rf;
4521         int i;
4522
4523         /* find the settings for this channel (we know it exists) */
4524         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4525
4526         /* use Tx power values from EEPROM */
4527         txpow1 = sc->txpow1[i];
4528         txpow2 = sc->txpow2[i];
4529
4530         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4531         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4532         run_rt3070_rf_read(sc, 11, &rf);
4533         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4534         run_rt3070_rf_write(sc, 11, rf);
4535
4536         run_rt3070_rf_read(sc, 49, &rf);
4537         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4538         /* The valid range of the RF R49 is 0x00 to 0x27. */
4539         if ((rf & 0x3f) > 0x27)
4540                 rf = (rf & ~0x3f) | 0x27;
4541         run_rt3070_rf_write(sc, 49, rf);
4542
4543         if (sc->mac_ver == 0x5392) {
4544                 run_rt3070_rf_read(sc, 50, &rf);
4545                 rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4546                 /* The valid range of the RF R50 is 0x00 to 0x27. */
4547                 if ((rf & 0x3f) > 0x27)
4548                         rf = (rf & ~0x3f) | 0x27;
4549                 run_rt3070_rf_write(sc, 50, rf);
4550         }
4551
4552         run_rt3070_rf_read(sc, 1, &rf);
4553         rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4554         if (sc->mac_ver == 0x5392)
4555                 rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4556         run_rt3070_rf_write(sc, 1, rf);
4557
4558         if (sc->mac_ver != 0x5392) {
4559                 run_rt3070_rf_read(sc, 2, &rf);
4560                 rf |= 0x80;
4561                 run_rt3070_rf_write(sc, 2, rf);
4562                 run_delay(sc, 10);
4563                 rf &= 0x7f;
4564                 run_rt3070_rf_write(sc, 2, rf);
4565         }
4566
4567         run_adjust_freq_offset(sc);
4568
4569         if (sc->mac_ver == 0x5392) {
4570                 /* Fix for RT5392C. */
4571                 if (sc->mac_rev >= 0x0223) {
4572                         if (chan <= 4)
4573                                 rf = 0x0f;
4574                         else if (chan >= 5 && chan <= 7)
4575                                 rf = 0x0e;
4576                         else
4577                                 rf = 0x0d;
4578                         run_rt3070_rf_write(sc, 23, rf);
4579
4580                         if (chan <= 4)
4581                                 rf = 0x0c;
4582                         else if (chan == 5)
4583                                 rf = 0x0b;
4584                         else if (chan >= 6 && chan <= 7)
4585                                 rf = 0x0a;
4586                         else if (chan >= 8 && chan <= 10)
4587                                 rf = 0x09;
4588                         else
4589                                 rf = 0x08;
4590                         run_rt3070_rf_write(sc, 59, rf);
4591                 } else {
4592                         if (chan <= 11)
4593                                 rf = 0x0f;
4594                         else
4595                                 rf = 0x0b;
4596                         run_rt3070_rf_write(sc, 59, rf);
4597                 }
4598         } else {
4599                 /* Fix for RT5390F. */
4600                 if (sc->mac_rev >= 0x0502) {
4601                         if (chan <= 11)
4602                                 rf = 0x43;
4603                         else
4604                                 rf = 0x23;
4605                         run_rt3070_rf_write(sc, 55, rf);
4606
4607                         if (chan <= 11)
4608                                 rf = 0x0f;
4609                         else if (chan == 12)
4610                                 rf = 0x0d;
4611                         else
4612                                 rf = 0x0b;
4613                         run_rt3070_rf_write(sc, 59, rf);
4614                 } else {
4615                         run_rt3070_rf_write(sc, 55, 0x44);
4616                         run_rt3070_rf_write(sc, 59, 0x8f);
4617                 }
4618         }
4619
4620         /* Enable VCO calibration. */
4621         run_rt3070_rf_read(sc, 3, &rf);
4622         rf |= RT5390_VCOCAL;
4623         run_rt3070_rf_write(sc, 3, rf);
4624 }
4625
4626 static void
4627 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4628 {
4629         const struct rt5592_freqs *freqs;
4630         uint32_t tmp;
4631         uint8_t reg, rf, txpow_bound;
4632         int8_t txpow1, txpow2;
4633         int i;
4634
4635         run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4636         freqs = (tmp & RT5592_SEL_XTAL) ?
4637             rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4638
4639         /* find the settings for this channel (we know it exists) */
4640         for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4641
4642         /* use Tx power values from EEPROM */
4643         txpow1 = sc->txpow1[i];
4644         txpow2 = sc->txpow2[i];
4645
4646         run_read(sc, RT3070_LDO_CFG0, &tmp);
4647         tmp &= ~0x1c000000;
4648         if (chan > 14)
4649                 tmp |= 0x14000000;
4650         run_write(sc, RT3070_LDO_CFG0, tmp);
4651
4652         /* N setting. */
4653         run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4654         run_rt3070_rf_read(sc, 9, &rf);
4655         rf &= ~(1 << 4);
4656         rf |= ((freqs->n & 0x0100) >> 8) << 4;
4657         run_rt3070_rf_write(sc, 9, rf);
4658
4659         /* K setting. */
4660         run_rt3070_rf_read(sc, 9, &rf);
4661         rf &= ~0x0f;
4662         rf |= (freqs->k & 0x0f);
4663         run_rt3070_rf_write(sc, 9, rf);
4664
4665         /* Mode setting. */
4666         run_rt3070_rf_read(sc, 11, &rf);
4667         rf &= ~0x0c;
4668         rf |= ((freqs->m - 0x8) & 0x3) << 2;
4669         run_rt3070_rf_write(sc, 11, rf);
4670         run_rt3070_rf_read(sc, 9, &rf);
4671         rf &= ~(1 << 7);
4672         rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4673         run_rt3070_rf_write(sc, 9, rf);
4674
4675         /* R setting. */
4676         run_rt3070_rf_read(sc, 11, &rf);
4677         rf &= ~0x03;
4678         rf |= (freqs->r - 0x1);
4679         run_rt3070_rf_write(sc, 11, rf);
4680
4681         if (chan <= 14) {
4682                 /* Initialize RF registers for 2GHZ. */
4683                 for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4684                         run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4685                             rt5592_2ghz_def_rf[i].val);
4686                 }
4687
4688                 rf = (chan <= 10) ? 0x07 : 0x06;
4689                 run_rt3070_rf_write(sc, 23, rf);
4690                 run_rt3070_rf_write(sc, 59, rf);
4691
4692                 run_rt3070_rf_write(sc, 55, 0x43);
4693
4694                 /*
4695                  * RF R49/R50 Tx power ALC code.
4696                  * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4697                  */
4698                 reg = 2;
4699                 txpow_bound = 0x27;
4700         } else {
4701                 /* Initialize RF registers for 5GHZ. */
4702                 for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4703                         run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4704                             rt5592_5ghz_def_rf[i].val);
4705                 }
4706                 for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4707                         if (chan >= rt5592_chan_5ghz[i].firstchan &&
4708                             chan <= rt5592_chan_5ghz[i].lastchan) {
4709                                 run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4710                                     rt5592_chan_5ghz[i].val);
4711                         }
4712                 }
4713
4714                 /*
4715                  * RF R49/R50 Tx power ALC code.
4716                  * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4717                  */
4718                 reg = 3;
4719                 txpow_bound = 0x2b;
4720         }
4721
4722         /* RF R49 ch0 Tx power ALC code. */
4723         run_rt3070_rf_read(sc, 49, &rf);
4724         rf &= ~0xc0;
4725         rf |= (reg << 6);
4726         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4727         if ((rf & 0x3f) > txpow_bound)
4728                 rf = (rf & ~0x3f) | txpow_bound;
4729         run_rt3070_rf_write(sc, 49, rf);
4730
4731         /* RF R50 ch1 Tx power ALC code. */
4732         run_rt3070_rf_read(sc, 50, &rf);
4733         rf &= ~(1 << 7 | 1 << 6);
4734         rf |= (reg << 6);
4735         rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4736         if ((rf & 0x3f) > txpow_bound)
4737                 rf = (rf & ~0x3f) | txpow_bound;
4738         run_rt3070_rf_write(sc, 50, rf);
4739
4740         /* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4741         run_rt3070_rf_read(sc, 1, &rf);
4742         rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4743         if (sc->ntxchains > 1)
4744                 rf |= RT3070_TX1_PD;
4745         if (sc->nrxchains > 1)
4746                 rf |= RT3070_RX1_PD;
4747         run_rt3070_rf_write(sc, 1, rf);
4748
4749         run_rt3070_rf_write(sc, 6, 0xe4);
4750
4751         run_rt3070_rf_write(sc, 30, 0x10);
4752         run_rt3070_rf_write(sc, 31, 0x80);
4753         run_rt3070_rf_write(sc, 32, 0x80);
4754
4755         run_adjust_freq_offset(sc);
4756
4757         /* Enable VCO calibration. */
4758         run_rt3070_rf_read(sc, 3, &rf);
4759         rf |= RT5390_VCOCAL;
4760         run_rt3070_rf_write(sc, 3, rf);
4761 }
4762
4763 static void
4764 run_set_rx_antenna(struct run_softc *sc, int aux)
4765 {
4766         uint32_t tmp;
4767         uint8_t bbp152;
4768
4769         if (aux) {
4770                 if (sc->rf_rev == RT5390_RF_5370) {
4771                         run_bbp_read(sc, 152, &bbp152);
4772                         run_bbp_write(sc, 152, bbp152 & ~0x80);
4773                 } else {
4774                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4775                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4776                         run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4777                 }
4778         } else {
4779                 if (sc->rf_rev == RT5390_RF_5370) {
4780                         run_bbp_read(sc, 152, &bbp152);
4781                         run_bbp_write(sc, 152, bbp152 | 0x80);
4782                 } else {
4783                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4784                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4785                         run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4786                 }
4787         }
4788 }
4789
4790 static int
4791 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4792 {
4793         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4794         u_int chan, group;
4795
4796         chan = ieee80211_chan2ieee(ic, c);
4797         if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4798                 return (EINVAL);
4799
4800         if (sc->mac_ver == 0x5592)
4801                 run_rt5592_set_chan(sc, chan);
4802         else if (sc->mac_ver >= 0x5390)
4803                 run_rt5390_set_chan(sc, chan);
4804         else if (sc->mac_ver == 0x3593)
4805                 run_rt3593_set_chan(sc, chan);
4806         else if (sc->mac_ver == 0x3572)
4807                 run_rt3572_set_chan(sc, chan);
4808         else if (sc->mac_ver >= 0x3070)
4809                 run_rt3070_set_chan(sc, chan);
4810         else
4811                 run_rt2870_set_chan(sc, chan);
4812
4813         /* determine channel group */
4814         if (chan <= 14)
4815                 group = 0;
4816         else if (chan <= 64)
4817                 group = 1;
4818         else if (chan <= 128)
4819                 group = 2;
4820         else
4821                 group = 3;
4822
4823         /* XXX necessary only when group has changed! */
4824         run_select_chan_group(sc, group);
4825
4826         run_delay(sc, 10);
4827
4828         /* Perform IQ calibration. */
4829         if (sc->mac_ver >= 0x5392)
4830                 run_iq_calib(sc, chan);
4831
4832         return (0);
4833 }
4834
4835 static void
4836 run_set_channel(struct ieee80211com *ic)
4837 {
4838         struct run_softc *sc = ic->ic_ifp->if_softc;
4839
4840         RUN_LOCK(sc);
4841         run_set_chan(sc, ic->ic_curchan);
4842         RUN_UNLOCK(sc);
4843
4844         return;
4845 }
4846
4847 static void
4848 run_scan_start(struct ieee80211com *ic)
4849 {
4850         struct run_softc *sc = ic->ic_ifp->if_softc;
4851         uint32_t tmp;
4852
4853         RUN_LOCK(sc);
4854
4855         /* abort TSF synchronization */
4856         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4857         run_write(sc, RT2860_BCN_TIME_CFG,
4858             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4859             RT2860_TBTT_TIMER_EN));
4860         run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4861
4862         RUN_UNLOCK(sc);
4863
4864         return;
4865 }
4866
4867 static void
4868 run_scan_end(struct ieee80211com *ic)
4869 {
4870         struct run_softc *sc = ic->ic_ifp->if_softc;
4871
4872         RUN_LOCK(sc);
4873
4874         run_enable_tsf_sync(sc);
4875         /* XXX keep local copy */
4876         run_set_bssid(sc, sc->sc_bssid);
4877
4878         RUN_UNLOCK(sc);
4879
4880         return;
4881 }
4882
4883 /*
4884  * Could be called from ieee80211_node_timeout()
4885  * (non-sleepable thread)
4886  */
4887 static void
4888 run_update_beacon(struct ieee80211vap *vap, int item)
4889 {
4890         struct ieee80211com *ic = vap->iv_ic;
4891         struct run_softc *sc = ic->ic_ifp->if_softc;
4892         struct run_vap *rvp = RUN_VAP(vap);
4893         int mcast = 0;
4894         uint32_t i;
4895
4896         KASSERT(vap != NULL, ("no beacon"));
4897
4898         switch (item) {
4899         case IEEE80211_BEACON_ERP:
4900                 run_updateslot(ic->ic_ifp);
4901                 break;
4902         case IEEE80211_BEACON_HTINFO:
4903                 run_updateprot(ic);
4904                 break;
4905         case IEEE80211_BEACON_TIM:
4906                 mcast = 1;      /*TODO*/
4907                 break;
4908         default:
4909                 break;
4910         }
4911
4912         setbit(rvp->bo.bo_flags, item);
4913         ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4914
4915         i = RUN_CMDQ_GET(&sc->cmdq_store);
4916         DPRINTF("cmdq_store=%d\n", i);
4917         sc->cmdq[i].func = run_update_beacon_cb;
4918         sc->cmdq[i].arg0 = vap;
4919         ieee80211_runtask(ic, &sc->cmdq_task);
4920
4921         return;
4922 }
4923
4924 static void
4925 run_update_beacon_cb(void *arg)
4926 {
4927         struct ieee80211vap *vap = arg;
4928         struct run_vap *rvp = RUN_VAP(vap);
4929         struct ieee80211com *ic = vap->iv_ic;
4930         struct run_softc *sc = ic->ic_ifp->if_softc;
4931         struct rt2860_txwi txwi;
4932         struct mbuf *m;
4933         uint16_t txwisize;
4934         uint8_t ridx;
4935
4936         if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4937                 return;
4938         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4939                 return;
4940
4941         /*
4942          * No need to call ieee80211_beacon_update(), run_update_beacon()
4943          * is taking care of apropriate calls.
4944          */
4945         if (rvp->beacon_mbuf == NULL) {
4946                 rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4947                     &rvp->bo);
4948                 if (rvp->beacon_mbuf == NULL)
4949                         return;
4950         }
4951         m = rvp->beacon_mbuf;
4952
4953         memset(&txwi, 0, sizeof(txwi));
4954         txwi.wcid = 0xff;
4955         txwi.len = htole16(m->m_pkthdr.len);
4956
4957         /* send beacons at the lowest available rate */
4958         ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4959             RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4960         txwi.phy = htole16(rt2860_rates[ridx].mcs);
4961         if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4962                 txwi.phy |= htole16(RT2860_PHY_OFDM);
4963         txwi.txop = RT2860_TX_TXOP_HT;
4964         txwi.flags = RT2860_TX_TS;
4965         txwi.xflags = RT2860_TX_NSEQ;
4966
4967         txwisize = (sc->mac_ver == 0x5592) ?
4968             sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4969         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4970             txwisize);
4971         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4972             mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4973 }
4974
4975 static void
4976 run_updateprot(struct ieee80211com *ic)
4977 {
4978         struct run_softc *sc = ic->ic_ifp->if_softc;
4979         uint32_t i;
4980
4981         i = RUN_CMDQ_GET(&sc->cmdq_store);
4982         DPRINTF("cmdq_store=%d\n", i);
4983         sc->cmdq[i].func = run_updateprot_cb;
4984         sc->cmdq[i].arg0 = ic;
4985         ieee80211_runtask(ic, &sc->cmdq_task);
4986 }
4987
4988 static void
4989 run_updateprot_cb(void *arg)
4990 {
4991         struct ieee80211com *ic = arg;
4992         struct run_softc *sc = ic->ic_ifp->if_softc;
4993         uint32_t tmp;
4994
4995         tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4996         /* setup protection frame rate (MCS code) */
4997         tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4998             rt2860_rates[RT2860_RIDX_OFDM6].mcs :
4999             rt2860_rates[RT2860_RIDX_CCK11].mcs;
5000
5001         /* CCK frames don't require protection */
5002         run_write(sc, RT2860_CCK_PROT_CFG, tmp);
5003         if (ic->ic_flags & IEEE80211_F_USEPROT) {
5004                 if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
5005                         tmp |= RT2860_PROT_CTRL_RTS_CTS;
5006                 else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5007                         tmp |= RT2860_PROT_CTRL_CTS;
5008         }
5009         run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5010 }
5011
5012 static void
5013 run_usb_timeout_cb(void *arg)
5014 {
5015         struct ieee80211vap *vap = arg;
5016         struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5017
5018         RUN_LOCK_ASSERT(sc, MA_OWNED);
5019
5020         if(vap->iv_state == IEEE80211_S_RUN &&
5021             vap->iv_opmode != IEEE80211_M_STA)
5022                 run_reset_livelock(sc);
5023         else if (vap->iv_state == IEEE80211_S_SCAN) {
5024                 DPRINTF("timeout caused by scan\n");
5025                 /* cancel bgscan */
5026                 ieee80211_cancel_scan(vap);
5027         } else
5028                 DPRINTF("timeout by unknown cause\n");
5029 }
5030
5031 static void
5032 run_reset_livelock(struct run_softc *sc)
5033 {
5034         uint32_t tmp;
5035
5036         RUN_LOCK_ASSERT(sc, MA_OWNED);
5037
5038         /*
5039          * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5040          * can run into a livelock and start sending CTS-to-self frames like
5041          * crazy if protection is enabled.  Reset MAC/BBP for a while
5042          */
5043         run_read(sc, RT2860_DEBUG, &tmp);
5044         DPRINTFN(3, "debug reg %08x\n", tmp);
5045         if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5046                 DPRINTF("CTS-to-self livelock detected\n");
5047                 run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5048                 run_delay(sc, 1);
5049                 run_write(sc, RT2860_MAC_SYS_CTRL,
5050                     RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5051         }
5052 }
5053
5054 static void
5055 run_update_promisc_locked(struct ifnet *ifp)
5056 {
5057         struct run_softc *sc = ifp->if_softc;
5058         uint32_t tmp;
5059
5060         run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5061
5062         tmp |= RT2860_DROP_UC_NOME;
5063         if (ifp->if_flags & IFF_PROMISC)
5064                 tmp &= ~RT2860_DROP_UC_NOME;
5065
5066         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5067
5068         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5069             "entering" : "leaving");
5070 }
5071
5072 static void
5073 run_update_promisc(struct ifnet *ifp)
5074 {
5075         struct run_softc *sc = ifp->if_softc;
5076
5077         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5078                 return;
5079
5080         RUN_LOCK(sc);
5081         run_update_promisc_locked(ifp);
5082         RUN_UNLOCK(sc);
5083 }
5084
5085 static void
5086 run_enable_tsf_sync(struct run_softc *sc)
5087 {
5088         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5089         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5090         uint32_t tmp;
5091
5092         DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5093             ic->ic_opmode);
5094
5095         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5096         tmp &= ~0x1fffff;
5097         tmp |= vap->iv_bss->ni_intval * 16;
5098         tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5099
5100         if (ic->ic_opmode == IEEE80211_M_STA) {
5101                 /*
5102                  * Local TSF is always updated with remote TSF on beacon
5103                  * reception.
5104                  */
5105                 tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5106         } else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5107                 tmp |= RT2860_BCN_TX_EN;
5108                 /*
5109                  * Local TSF is updated with remote TSF on beacon reception
5110                  * only if the remote TSF is greater than local TSF.
5111                  */
5112                 tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5113         } else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5114                     ic->ic_opmode == IEEE80211_M_MBSS) {
5115                 tmp |= RT2860_BCN_TX_EN;
5116                 /* SYNC with nobody */
5117                 tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5118         } else {
5119                 DPRINTF("Enabling TSF failed. undefined opmode\n");
5120                 return;
5121         }
5122
5123         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5124 }
5125
5126 static void
5127 run_enable_mrr(struct run_softc *sc)
5128 {
5129 #define CCK(mcs)        (mcs)
5130 #define OFDM(mcs)       (1 << 3 | (mcs))
5131         run_write(sc, RT2860_LG_FBK_CFG0,
5132             OFDM(6) << 28 |     /* 54->48 */
5133             OFDM(5) << 24 |     /* 48->36 */
5134             OFDM(4) << 20 |     /* 36->24 */
5135             OFDM(3) << 16 |     /* 24->18 */
5136             OFDM(2) << 12 |     /* 18->12 */
5137             OFDM(1) <<  8 |     /* 12-> 9 */
5138             OFDM(0) <<  4 |     /*  9-> 6 */
5139             OFDM(0));           /*  6-> 6 */
5140
5141         run_write(sc, RT2860_LG_FBK_CFG1,
5142             CCK(2) << 12 |      /* 11->5.5 */
5143             CCK(1) <<  8 |      /* 5.5-> 2 */
5144             CCK(0) <<  4 |      /*   2-> 1 */
5145             CCK(0));            /*   1-> 1 */
5146 #undef OFDM
5147 #undef CCK
5148 }
5149
5150 static void
5151 run_set_txpreamble(struct run_softc *sc)
5152 {
5153         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5154         uint32_t tmp;
5155
5156         run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5157         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5158                 tmp |= RT2860_CCK_SHORT_EN;
5159         else
5160                 tmp &= ~RT2860_CCK_SHORT_EN;
5161         run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5162 }
5163
5164 static void
5165 run_set_basicrates(struct run_softc *sc)
5166 {
5167         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5168
5169         /* set basic rates mask */
5170         if (ic->ic_curmode == IEEE80211_MODE_11B)
5171                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5172         else if (ic->ic_curmode == IEEE80211_MODE_11A)
5173                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5174         else    /* 11g */
5175                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5176 }
5177
5178 static void
5179 run_set_leds(struct run_softc *sc, uint16_t which)
5180 {
5181         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5182             which | (sc->leds & 0x7f));
5183 }
5184
5185 static void
5186 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5187 {
5188         run_write(sc, RT2860_MAC_BSSID_DW0,
5189             bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5190         run_write(sc, RT2860_MAC_BSSID_DW1,
5191             bssid[4] | bssid[5] << 8);
5192 }
5193
5194 static void
5195 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5196 {
5197         run_write(sc, RT2860_MAC_ADDR_DW0,
5198             addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5199         run_write(sc, RT2860_MAC_ADDR_DW1,
5200             addr[4] | addr[5] << 8 | 0xff << 16);
5201 }
5202
5203 static void
5204 run_updateslot(struct ifnet *ifp)
5205 {
5206         struct run_softc *sc = ifp->if_softc;
5207         struct ieee80211com *ic = ifp->if_l2com;
5208         uint32_t i;
5209
5210         i = RUN_CMDQ_GET(&sc->cmdq_store);
5211         DPRINTF("cmdq_store=%d\n", i);
5212         sc->cmdq[i].func = run_updateslot_cb;
5213         sc->cmdq[i].arg0 = ifp;
5214         ieee80211_runtask(ic, &sc->cmdq_task);
5215
5216         return;
5217 }
5218
5219 /* ARGSUSED */
5220 static void
5221 run_updateslot_cb(void *arg)
5222 {
5223         struct ifnet *ifp = arg;
5224         struct run_softc *sc = ifp->if_softc;
5225         struct ieee80211com *ic = ifp->if_l2com;
5226         uint32_t tmp;
5227
5228         run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5229         tmp &= ~0xff;
5230         tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5231         run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5232 }
5233
5234 static void
5235 run_update_mcast(struct ifnet *ifp)
5236 {
5237         /* h/w filter supports getting everything or nothing */
5238         ifp->if_flags |= IFF_ALLMULTI;
5239 }
5240
5241 static int8_t
5242 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5243 {
5244         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5245         struct ieee80211_channel *c = ic->ic_curchan;
5246         int delta;
5247
5248         if (IEEE80211_IS_CHAN_5GHZ(c)) {
5249                 u_int chan = ieee80211_chan2ieee(ic, c);
5250                 delta = sc->rssi_5ghz[rxchain];
5251
5252                 /* determine channel group */
5253                 if (chan <= 64)
5254                         delta -= sc->lna[1];
5255                 else if (chan <= 128)
5256                         delta -= sc->lna[2];
5257                 else
5258                         delta -= sc->lna[3];
5259         } else
5260                 delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5261
5262         return (-12 - delta - rssi);
5263 }
5264
5265 static void
5266 run_rt5390_bbp_init(struct run_softc *sc)
5267 {
5268         int i;
5269         uint8_t bbp;
5270
5271         /* Apply maximum likelihood detection for 2 stream case. */
5272         run_bbp_read(sc, 105, &bbp);
5273         if (sc->nrxchains > 1)
5274                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5275
5276         /* Avoid data lost and CRC error. */
5277         run_bbp_read(sc, 4, &bbp);
5278         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5279
5280         if (sc->mac_ver == 0x5592) {
5281                 for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5282                         run_bbp_write(sc, rt5592_def_bbp[i].reg,
5283                             rt5592_def_bbp[i].val);
5284                 }
5285                 for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5286                         run_bbp_write(sc, 195, i + 0x80);
5287                         run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5288                 }
5289         } else {
5290                 for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5291                         run_bbp_write(sc, rt5390_def_bbp[i].reg,
5292                             rt5390_def_bbp[i].val);
5293                 }
5294         }
5295         if (sc->mac_ver == 0x5392) {
5296                 run_bbp_write(sc, 88, 0x90);
5297                 run_bbp_write(sc, 95, 0x9a);
5298                 run_bbp_write(sc, 98, 0x12);
5299                 run_bbp_write(sc, 106, 0x12);
5300                 run_bbp_write(sc, 134, 0xd0);
5301                 run_bbp_write(sc, 135, 0xf6);
5302                 run_bbp_write(sc, 148, 0x84);
5303         }
5304
5305         run_bbp_read(sc, 152, &bbp);
5306         run_bbp_write(sc, 152, bbp | 0x80);
5307
5308         /* Fix BBP254 for RT5592C. */
5309         if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5310                 run_bbp_read(sc, 254, &bbp);
5311                 run_bbp_write(sc, 254, bbp | 0x80);
5312         }
5313
5314         /* Disable hardware antenna diversity. */
5315         if (sc->mac_ver == 0x5390)
5316                 run_bbp_write(sc, 154, 0);
5317
5318         /* Initialize Rx CCK/OFDM frequency offset report. */
5319         run_bbp_write(sc, 142, 1);
5320         run_bbp_write(sc, 143, 57);
5321 }
5322
5323 static int
5324 run_bbp_init(struct run_softc *sc)
5325 {
5326         int i, error, ntries;
5327         uint8_t bbp0;
5328
5329         /* wait for BBP to wake up */
5330         for (ntries = 0; ntries < 20; ntries++) {
5331                 if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5332                         return error;
5333                 if (bbp0 != 0 && bbp0 != 0xff)
5334                         break;
5335         }
5336         if (ntries == 20)
5337                 return (ETIMEDOUT);
5338
5339         /* initialize BBP registers to default values */
5340         if (sc->mac_ver >= 0x5390)
5341                 run_rt5390_bbp_init(sc);
5342         else {
5343                 for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5344                         run_bbp_write(sc, rt2860_def_bbp[i].reg,
5345                             rt2860_def_bbp[i].val);
5346                 }
5347         }
5348
5349         if (sc->mac_ver == 0x3593) {
5350                 run_bbp_write(sc, 79, 0x13);
5351                 run_bbp_write(sc, 80, 0x05);
5352                 run_bbp_write(sc, 81, 0x33);
5353                 run_bbp_write(sc, 86, 0x46);
5354                 run_bbp_write(sc, 137, 0x0f);
5355         }
5356
5357         /* fix BBP84 for RT2860E */
5358         if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5359                 run_bbp_write(sc, 84, 0x19);
5360
5361         if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5362             sc->mac_ver != 0x5592)) {
5363                 run_bbp_write(sc, 79, 0x13);
5364                 run_bbp_write(sc, 80, 0x05);
5365                 run_bbp_write(sc, 81, 0x33);
5366         } else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5367                 run_bbp_write(sc, 69, 0x16);
5368                 run_bbp_write(sc, 73, 0x12);
5369         }
5370         return (0);
5371 }
5372
5373 static int
5374 run_rt3070_rf_init(struct run_softc *sc)
5375 {
5376         uint32_t tmp;
5377         uint8_t bbp4, mingain, rf, target;
5378         int i;
5379
5380         run_rt3070_rf_read(sc, 30, &rf);
5381         /* toggle RF R30 bit 7 */
5382         run_rt3070_rf_write(sc, 30, rf | 0x80);
5383         run_delay(sc, 10);
5384         run_rt3070_rf_write(sc, 30, rf & ~0x80);
5385
5386         /* initialize RF registers to default value */
5387         if (sc->mac_ver == 0x3572) {
5388                 for (i = 0; i < nitems(rt3572_def_rf); i++) {
5389                         run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5390                             rt3572_def_rf[i].val);
5391                 }
5392         } else {
5393                 for (i = 0; i < nitems(rt3070_def_rf); i++) {
5394                         run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5395                             rt3070_def_rf[i].val);
5396                 }
5397         }
5398
5399         if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5400                 /*
5401                  * Change voltage from 1.2V to 1.35V for RT3070.
5402                  * The DAC issue (RT3070_LDO_CFG0) has been fixed
5403                  * in RT3070(F).
5404                  */
5405                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5406                 tmp = (tmp & ~0x0f000000) | 0x0d000000;
5407                 run_write(sc, RT3070_LDO_CFG0, tmp);
5408
5409         } else if (sc->mac_ver == 0x3071) {
5410                 run_rt3070_rf_read(sc, 6, &rf);
5411                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5412                 run_rt3070_rf_write(sc, 31, 0x14);
5413
5414                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5415                 tmp &= ~0x1f000000;
5416                 if (sc->mac_rev < 0x0211)
5417                         tmp |= 0x0d000000;      /* 1.3V */
5418                 else
5419                         tmp |= 0x01000000;      /* 1.2V */
5420                 run_write(sc, RT3070_LDO_CFG0, tmp);
5421
5422                 /* patch LNA_PE_G1 */
5423                 run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5424                 run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5425
5426         } else if (sc->mac_ver == 0x3572) {
5427                 run_rt3070_rf_read(sc, 6, &rf);
5428                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5429
5430                 /* increase voltage from 1.2V to 1.35V */
5431                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5432                 tmp = (tmp & ~0x1f000000) | 0x0d000000;
5433                 run_write(sc, RT3070_LDO_CFG0, tmp);
5434
5435                 if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5436                         run_delay(sc, 1);       /* wait for 1msec */
5437                         /* decrease voltage back to 1.2V */
5438                         tmp = (tmp & ~0x1f000000) | 0x01000000;
5439                         run_write(sc, RT3070_LDO_CFG0, tmp);
5440                 }
5441         }
5442
5443         /* select 20MHz bandwidth */
5444         run_rt3070_rf_read(sc, 31, &rf);
5445         run_rt3070_rf_write(sc, 31, rf & ~0x20);
5446
5447         /* calibrate filter for 20MHz bandwidth */
5448         sc->rf24_20mhz = 0x1f;  /* default value */
5449         target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5450         run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5451
5452         /* select 40MHz bandwidth */
5453         run_bbp_read(sc, 4, &bbp4);
5454         run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5455         run_rt3070_rf_read(sc, 31, &rf);
5456         run_rt3070_rf_write(sc, 31, rf | 0x20);
5457
5458         /* calibrate filter for 40MHz bandwidth */
5459         sc->rf24_40mhz = 0x2f;  /* default value */
5460         target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5461         run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5462
5463         /* go back to 20MHz bandwidth */
5464         run_bbp_read(sc, 4, &bbp4);
5465         run_bbp_write(sc, 4, bbp4 & ~0x18);
5466
5467         if (sc->mac_ver == 0x3572) {
5468                 /* save default BBP registers 25 and 26 values */
5469                 run_bbp_read(sc, 25, &sc->bbp25);
5470                 run_bbp_read(sc, 26, &sc->bbp26);
5471         } else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5472                 run_rt3070_rf_write(sc, 27, 0x03);
5473
5474         run_read(sc, RT3070_OPT_14, &tmp);
5475         run_write(sc, RT3070_OPT_14, tmp | 1);
5476
5477         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5478                 run_rt3070_rf_read(sc, 17, &rf);
5479                 rf &= ~RT3070_TX_LO1;
5480                 if ((sc->mac_ver == 0x3070 ||
5481                      (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5482                     !sc->ext_2ghz_lna)
5483                         rf |= 0x20;     /* fix for long range Rx issue */
5484                 mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5485                 if (sc->txmixgain_2ghz >= mingain)
5486                         rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5487                 run_rt3070_rf_write(sc, 17, rf);
5488         }
5489
5490         if (sc->mac_rev == 0x3071) {
5491                 run_rt3070_rf_read(sc, 1, &rf);
5492                 rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5493                 rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5494                 run_rt3070_rf_write(sc, 1, rf);
5495
5496                 run_rt3070_rf_read(sc, 15, &rf);
5497                 run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5498
5499                 run_rt3070_rf_read(sc, 20, &rf);
5500                 run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5501
5502                 run_rt3070_rf_read(sc, 21, &rf);
5503                 run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5504         }
5505
5506         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5507                 /* fix Tx to Rx IQ glitch by raising RF voltage */
5508                 run_rt3070_rf_read(sc, 27, &rf);
5509                 rf &= ~0x77;
5510                 if (sc->mac_rev < 0x0211)
5511                         rf |= 0x03;
5512                 run_rt3070_rf_write(sc, 27, rf);
5513         }
5514         return (0);
5515 }
5516
5517 static void
5518 run_rt3593_rf_init(struct run_softc *sc)
5519 {
5520         uint32_t tmp;
5521         uint8_t rf;
5522         int i;
5523
5524         /* Disable the GPIO bits 4 and 7 for LNA PE control. */
5525         run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5526         tmp &= ~(1 << 4 | 1 << 7);
5527         run_write(sc, RT3070_GPIO_SWITCH, tmp);
5528
5529         /* Initialize RF registers to default value. */
5530         for (i = 0; i < nitems(rt3593_def_rf); i++) {
5531                 run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5532                     rt3593_def_rf[i].val);
5533         }
5534
5535         /* Toggle RF R2 to initiate calibration. */
5536         run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5537
5538         /* Initialize RF frequency offset. */
5539         run_adjust_freq_offset(sc);
5540
5541         run_rt3070_rf_read(sc, 18, &rf);
5542         run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5543
5544         /*
5545          * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5546          * decrease voltage back to 1.2V.
5547          */
5548         run_read(sc, RT3070_LDO_CFG0, &tmp);
5549         tmp = (tmp & ~0x1f000000) | 0x0d000000;
5550         run_write(sc, RT3070_LDO_CFG0, tmp);
5551         run_delay(sc, 1);
5552         tmp = (tmp & ~0x1f000000) | 0x01000000;
5553         run_write(sc, RT3070_LDO_CFG0, tmp);
5554
5555         sc->rf24_20mhz = 0x1f;
5556         sc->rf24_40mhz = 0x2f;
5557
5558         /* Save default BBP registers 25 and 26 values. */
5559         run_bbp_read(sc, 25, &sc->bbp25);
5560         run_bbp_read(sc, 26, &sc->bbp26);
5561
5562         run_read(sc, RT3070_OPT_14, &tmp);
5563         run_write(sc, RT3070_OPT_14, tmp | 1);
5564 }
5565
5566 static void
5567 run_rt5390_rf_init(struct run_softc *sc)
5568 {
5569         uint32_t tmp;
5570         uint8_t rf;
5571         int i;
5572
5573         /* Toggle RF R2 to initiate calibration. */
5574         if (sc->mac_ver == 0x5390) {
5575                 run_rt3070_rf_read(sc, 2, &rf);
5576                 run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5577                 run_delay(sc, 10);
5578                 run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5579         } else {
5580                 run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5581                 run_delay(sc, 10);
5582         }
5583
5584         /* Initialize RF registers to default value. */
5585         if (sc->mac_ver == 0x5592) {
5586                 for (i = 0; i < nitems(rt5592_def_rf); i++) {
5587                         run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5588                             rt5592_def_rf[i].val);
5589                 }
5590                 /* Initialize RF frequency offset. */
5591                 run_adjust_freq_offset(sc);
5592         } else if (sc->mac_ver == 0x5392) {
5593                 for (i = 0; i < nitems(rt5392_def_rf); i++) {
5594                         run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5595                             rt5392_def_rf[i].val);
5596                 }
5597                 if (sc->mac_rev >= 0x0223) {
5598                         run_rt3070_rf_write(sc, 23, 0x0f);
5599                         run_rt3070_rf_write(sc, 24, 0x3e);
5600                         run_rt3070_rf_write(sc, 51, 0x32);
5601                         run_rt3070_rf_write(sc, 53, 0x22);
5602                         run_rt3070_rf_write(sc, 56, 0xc1);
5603                         run_rt3070_rf_write(sc, 59, 0x0f);
5604                 }
5605         } else {
5606                 for (i = 0; i < nitems(rt5390_def_rf); i++) {
5607                         run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5608                             rt5390_def_rf[i].val);
5609                 }
5610                 if (sc->mac_rev >= 0x0502) {
5611                         run_rt3070_rf_write(sc, 6, 0xe0);
5612                         run_rt3070_rf_write(sc, 25, 0x80);
5613                         run_rt3070_rf_write(sc, 46, 0x73);
5614                         run_rt3070_rf_write(sc, 53, 0x00);
5615                         run_rt3070_rf_write(sc, 56, 0x42);
5616                         run_rt3070_rf_write(sc, 61, 0xd1);
5617                 }
5618         }
5619
5620         sc->rf24_20mhz = 0x1f;  /* default value */
5621         sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5622
5623         if (sc->mac_rev < 0x0211)
5624                 run_rt3070_rf_write(sc, 27, 0x3);
5625
5626         run_read(sc, RT3070_OPT_14, &tmp);
5627         run_write(sc, RT3070_OPT_14, tmp | 1);
5628 }
5629
5630 static int
5631 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5632     uint8_t *val)
5633 {
5634         uint8_t rf22, rf24;
5635         uint8_t bbp55_pb, bbp55_sb, delta;
5636         int ntries;
5637
5638         /* program filter */
5639         run_rt3070_rf_read(sc, 24, &rf24);
5640         rf24 = (rf24 & 0xc0) | init;    /* initial filter value */
5641         run_rt3070_rf_write(sc, 24, rf24);
5642
5643         /* enable baseband loopback mode */
5644         run_rt3070_rf_read(sc, 22, &rf22);
5645         run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5646
5647         /* set power and frequency of passband test tone */
5648         run_bbp_write(sc, 24, 0x00);
5649         for (ntries = 0; ntries < 100; ntries++) {
5650                 /* transmit test tone */
5651                 run_bbp_write(sc, 25, 0x90);
5652                 run_delay(sc, 10);
5653                 /* read received power */
5654                 run_bbp_read(sc, 55, &bbp55_pb);
5655                 if (bbp55_pb != 0)
5656                         break;
5657         }
5658         if (ntries == 100)
5659                 return (ETIMEDOUT);
5660
5661         /* set power and frequency of stopband test tone */
5662         run_bbp_write(sc, 24, 0x06);
5663         for (ntries = 0; ntries < 100; ntries++) {
5664                 /* transmit test tone */
5665                 run_bbp_write(sc, 25, 0x90);
5666                 run_delay(sc, 10);
5667                 /* read received power */
5668                 run_bbp_read(sc, 55, &bbp55_sb);
5669
5670                 delta = bbp55_pb - bbp55_sb;
5671                 if (delta > target)
5672                         break;
5673
5674                 /* reprogram filter */
5675                 rf24++;
5676                 run_rt3070_rf_write(sc, 24, rf24);
5677         }
5678         if (ntries < 100) {
5679                 if (rf24 != init)
5680                         rf24--; /* backtrack */
5681                 *val = rf24;
5682                 run_rt3070_rf_write(sc, 24, rf24);
5683         }
5684
5685         /* restore initial state */
5686         run_bbp_write(sc, 24, 0x00);
5687
5688         /* disable baseband loopback mode */
5689         run_rt3070_rf_read(sc, 22, &rf22);
5690         run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5691
5692         return (0);
5693 }
5694
5695 static void
5696 run_rt3070_rf_setup(struct run_softc *sc)
5697 {
5698         uint8_t bbp, rf;
5699         int i;
5700
5701         if (sc->mac_ver == 0x3572) {
5702                 /* enable DC filter */
5703                 if (sc->mac_rev >= 0x0201)
5704                         run_bbp_write(sc, 103, 0xc0);
5705
5706                 run_bbp_read(sc, 138, &bbp);
5707                 if (sc->ntxchains == 1)
5708                         bbp |= 0x20;    /* turn off DAC1 */
5709                 if (sc->nrxchains == 1)
5710                         bbp &= ~0x02;   /* turn off ADC1 */
5711                 run_bbp_write(sc, 138, bbp);
5712
5713                 if (sc->mac_rev >= 0x0211) {
5714                         /* improve power consumption */
5715                         run_bbp_read(sc, 31, &bbp);
5716                         run_bbp_write(sc, 31, bbp & ~0x03);
5717                 }
5718
5719                 run_rt3070_rf_read(sc, 16, &rf);
5720                 rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5721                 run_rt3070_rf_write(sc, 16, rf);
5722
5723         } else if (sc->mac_ver == 0x3071) {
5724                 if (sc->mac_rev >= 0x0211) {
5725                         /* enable DC filter */
5726                         run_bbp_write(sc, 103, 0xc0);
5727
5728                         /* improve power consumption */
5729                         run_bbp_read(sc, 31, &bbp);
5730                         run_bbp_write(sc, 31, bbp & ~0x03);
5731                 }
5732
5733                 run_bbp_read(sc, 138, &bbp);
5734                 if (sc->ntxchains == 1)
5735                         bbp |= 0x20;    /* turn off DAC1 */
5736                 if (sc->nrxchains == 1)
5737                         bbp &= ~0x02;   /* turn off ADC1 */
5738                 run_bbp_write(sc, 138, bbp);
5739
5740                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5741                 if (sc->mac_rev < 0x0211) {
5742                         run_write(sc, RT2860_TX_SW_CFG2,
5743                             sc->patch_dac ? 0x2c : 0x0f);
5744                 } else
5745                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5746
5747         } else if (sc->mac_ver == 0x3070) {
5748                 if (sc->mac_rev >= 0x0201) {
5749                         /* enable DC filter */
5750                         run_bbp_write(sc, 103, 0xc0);
5751
5752                         /* improve power consumption */
5753                         run_bbp_read(sc, 31, &bbp);
5754                         run_bbp_write(sc, 31, bbp & ~0x03);
5755                 }
5756
5757                 if (sc->mac_rev < 0x0201) {
5758                         run_write(sc, RT2860_TX_SW_CFG1, 0);
5759                         run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5760                 } else
5761                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5762         }
5763
5764         /* initialize RF registers from ROM for >=RT3071*/
5765         if (sc->mac_ver >= 0x3071) {
5766                 for (i = 0; i < 10; i++) {
5767                         if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5768                                 continue;
5769                         run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5770                 }
5771         }
5772 }
5773
5774 static void
5775 run_rt3593_rf_setup(struct run_softc *sc)
5776 {
5777         uint8_t bbp, rf;
5778
5779         if (sc->mac_rev >= 0x0211) {
5780                 /* Enable DC filter. */
5781                 run_bbp_write(sc, 103, 0xc0);
5782         }
5783         run_write(sc, RT2860_TX_SW_CFG1, 0);
5784         if (sc->mac_rev < 0x0211) {
5785                 run_write(sc, RT2860_TX_SW_CFG2,
5786                     sc->patch_dac ? 0x2c : 0x0f);
5787         } else
5788                 run_write(sc, RT2860_TX_SW_CFG2, 0);
5789
5790         run_rt3070_rf_read(sc, 50, &rf);
5791         run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5792
5793         run_rt3070_rf_read(sc, 51, &rf);
5794         rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5795             ((sc->txmixgain_2ghz & 0x07) << 2);
5796         run_rt3070_rf_write(sc, 51, rf);
5797
5798         run_rt3070_rf_read(sc, 38, &rf);
5799         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5800
5801         run_rt3070_rf_read(sc, 39, &rf);
5802         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5803
5804         run_rt3070_rf_read(sc, 1, &rf);
5805         run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5806
5807         run_rt3070_rf_read(sc, 30, &rf);
5808         rf = (rf & ~0x18) | 0x10;
5809         run_rt3070_rf_write(sc, 30, rf);
5810
5811         /* Apply maximum likelihood detection for 2 stream case. */
5812         run_bbp_read(sc, 105, &bbp);
5813         if (sc->nrxchains > 1)
5814                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5815
5816         /* Avoid data lost and CRC error. */
5817         run_bbp_read(sc, 4, &bbp);
5818         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5819
5820         run_bbp_write(sc, 92, 0x02);
5821         run_bbp_write(sc, 82, 0x82);
5822         run_bbp_write(sc, 106, 0x05);
5823         run_bbp_write(sc, 104, 0x92);
5824         run_bbp_write(sc, 88, 0x90);
5825         run_bbp_write(sc, 148, 0xc8);
5826         run_bbp_write(sc, 47, 0x48);
5827         run_bbp_write(sc, 120, 0x50);
5828
5829         run_bbp_write(sc, 163, 0x9d);
5830
5831         /* SNR mapping. */
5832         run_bbp_write(sc, 142, 0x06);
5833         run_bbp_write(sc, 143, 0xa0);
5834         run_bbp_write(sc, 142, 0x07);
5835         run_bbp_write(sc, 143, 0xa1);
5836         run_bbp_write(sc, 142, 0x08);
5837         run_bbp_write(sc, 143, 0xa2);
5838
5839         run_bbp_write(sc, 31, 0x08);
5840         run_bbp_write(sc, 68, 0x0b);
5841         run_bbp_write(sc, 105, 0x04);
5842 }
5843
5844 static void
5845 run_rt5390_rf_setup(struct run_softc *sc)
5846 {
5847         uint8_t bbp, rf;
5848
5849         if (sc->mac_rev >= 0x0211) {
5850                 /* Enable DC filter. */
5851                 run_bbp_write(sc, 103, 0xc0);
5852
5853                 if (sc->mac_ver != 0x5592) {
5854                         /* Improve power consumption. */
5855                         run_bbp_read(sc, 31, &bbp);
5856                         run_bbp_write(sc, 31, bbp & ~0x03);
5857                 }
5858         }
5859
5860         run_bbp_read(sc, 138, &bbp);
5861         if (sc->ntxchains == 1)
5862                 bbp |= 0x20;    /* turn off DAC1 */
5863         if (sc->nrxchains == 1)
5864                 bbp &= ~0x02;   /* turn off ADC1 */
5865         run_bbp_write(sc, 138, bbp);
5866
5867         run_rt3070_rf_read(sc, 38, &rf);
5868         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5869
5870         run_rt3070_rf_read(sc, 39, &rf);
5871         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5872
5873         /* Avoid data lost and CRC error. */
5874         run_bbp_read(sc, 4, &bbp);
5875         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5876
5877         run_rt3070_rf_read(sc, 30, &rf);
5878         rf = (rf & ~0x18) | 0x10;
5879         run_rt3070_rf_write(sc, 30, rf);
5880
5881         if (sc->mac_ver != 0x5592) {
5882                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5883                 if (sc->mac_rev < 0x0211) {
5884                         run_write(sc, RT2860_TX_SW_CFG2,
5885                             sc->patch_dac ? 0x2c : 0x0f);
5886                 } else
5887                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5888         }
5889 }
5890
5891 static int
5892 run_txrx_enable(struct run_softc *sc)
5893 {
5894         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5895         uint32_t tmp;
5896         int error, ntries;
5897
5898         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5899         for (ntries = 0; ntries < 200; ntries++) {
5900                 if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5901                         return (error);
5902                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5903                         break;
5904                 run_delay(sc, 50);
5905         }
5906         if (ntries == 200)
5907                 return (ETIMEDOUT);
5908
5909         run_delay(sc, 50);
5910
5911         tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5912         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5913
5914         /* enable Rx bulk aggregation (set timeout and limit) */
5915         tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5916             RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5917         run_write(sc, RT2860_USB_DMA_CFG, tmp);
5918
5919         /* set Rx filter */
5920         tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5921         if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5922                 tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5923                     RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5924                     RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5925                     RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5926                 if (ic->ic_opmode == IEEE80211_M_STA)
5927                         tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5928         }
5929         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5930
5931         run_write(sc, RT2860_MAC_SYS_CTRL,
5932             RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5933
5934         return (0);
5935 }
5936
5937 static void
5938 run_adjust_freq_offset(struct run_softc *sc)
5939 {
5940         uint8_t rf, tmp;
5941
5942         run_rt3070_rf_read(sc, 17, &rf);
5943         tmp = rf;
5944         rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5945         rf = MIN(rf, 0x5f);
5946
5947         if (tmp != rf)
5948                 run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5949 }
5950
5951 static void
5952 run_init_locked(struct run_softc *sc)
5953 {
5954         struct ifnet *ifp = sc->sc_ifp;
5955         struct ieee80211com *ic = ifp->if_l2com;
5956         uint32_t tmp;
5957         uint8_t bbp1, bbp3;
5958         int i;
5959         int ridx;
5960         int ntries;
5961
5962         if (ic->ic_nrunning > 1)
5963                 return;
5964
5965         run_stop(sc);
5966
5967         if (run_load_microcode(sc) != 0) {
5968                 device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5969                 goto fail;
5970         }
5971
5972         for (ntries = 0; ntries < 100; ntries++) {
5973                 if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5974                         goto fail;
5975                 if (tmp != 0 && tmp != 0xffffffff)
5976                         break;
5977                 run_delay(sc, 10);
5978         }
5979         if (ntries == 100)
5980                 goto fail;
5981
5982         for (i = 0; i != RUN_EP_QUEUES; i++)
5983                 run_setup_tx_list(sc, &sc->sc_epq[i]);
5984
5985         run_set_macaddr(sc, IF_LLADDR(ifp));
5986
5987         for (ntries = 0; ntries < 100; ntries++) {
5988                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5989                         goto fail;
5990                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5991                         break;
5992                 run_delay(sc, 10);
5993         }
5994         if (ntries == 100) {
5995                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5996                 goto fail;
5997         }
5998         tmp &= 0xff0;
5999         tmp |= RT2860_TX_WB_DDONE;
6000         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6001
6002         /* turn off PME_OEN to solve high-current issue */
6003         run_read(sc, RT2860_SYS_CTRL, &tmp);
6004         run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
6005
6006         run_write(sc, RT2860_MAC_SYS_CTRL,
6007             RT2860_BBP_HRST | RT2860_MAC_SRST);
6008         run_write(sc, RT2860_USB_DMA_CFG, 0);
6009
6010         if (run_reset(sc) != 0) {
6011                 device_printf(sc->sc_dev, "could not reset chipset\n");
6012                 goto fail;
6013         }
6014
6015         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6016
6017         /* init Tx power for all Tx rates (from EEPROM) */
6018         for (ridx = 0; ridx < 5; ridx++) {
6019                 if (sc->txpow20mhz[ridx] == 0xffffffff)
6020                         continue;
6021                 run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6022         }
6023
6024         for (i = 0; i < nitems(rt2870_def_mac); i++)
6025                 run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6026         run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6027         run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6028         run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6029
6030         if (sc->mac_ver >= 0x5390) {
6031                 run_write(sc, RT2860_TX_SW_CFG0,
6032                     4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6033                 if (sc->mac_ver >= 0x5392) {
6034                         run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6035                         if (sc->mac_ver == 0x5592) {
6036                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6037                                 run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6038                         } else {
6039                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6040                                 run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6041                         }
6042                 }
6043         } else if (sc->mac_ver == 0x3593) {
6044                 run_write(sc, RT2860_TX_SW_CFG0,
6045                     4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6046         } else if (sc->mac_ver >= 0x3070) {
6047                 /* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6048                 run_write(sc, RT2860_TX_SW_CFG0,
6049                     4 << RT2860_DLY_PAPE_EN_SHIFT);
6050         }
6051
6052         /* wait while MAC is busy */
6053         for (ntries = 0; ntries < 100; ntries++) {
6054                 if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6055                         goto fail;
6056                 if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6057                         break;
6058                 run_delay(sc, 10);
6059         }
6060         if (ntries == 100)
6061                 goto fail;
6062
6063         /* clear Host to MCU mailbox */
6064         run_write(sc, RT2860_H2M_BBPAGENT, 0);
6065         run_write(sc, RT2860_H2M_MAILBOX, 0);
6066         run_delay(sc, 10);
6067
6068         if (run_bbp_init(sc) != 0) {
6069                 device_printf(sc->sc_dev, "could not initialize BBP\n");
6070                 goto fail;
6071         }
6072
6073         /* abort TSF synchronization */
6074         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6075         tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6076             RT2860_TBTT_TIMER_EN);
6077         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6078
6079         /* clear RX WCID search table */
6080         run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6081         /* clear WCID attribute table */
6082         run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6083
6084         /* hostapd sets a key before init. So, don't clear it. */
6085         if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6086                 /* clear shared key table */
6087                 run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6088                 /* clear shared key mode */
6089                 run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6090         }
6091
6092         run_read(sc, RT2860_US_CYC_CNT, &tmp);
6093         tmp = (tmp & ~0xff) | 0x1e;
6094         run_write(sc, RT2860_US_CYC_CNT, tmp);
6095
6096         if (sc->mac_rev != 0x0101)
6097                 run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6098
6099         run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6100         run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6101
6102         /* write vendor-specific BBP values (from EEPROM) */
6103         if (sc->mac_ver < 0x3593) {
6104                 for (i = 0; i < 10; i++) {
6105                         if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6106                                 continue;
6107                         run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6108                 }
6109         }
6110
6111         /* select Main antenna for 1T1R devices */
6112         if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6113                 run_set_rx_antenna(sc, 0);
6114
6115         /* send LEDs operating mode to microcontroller */
6116         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6117         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6118         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6119
6120         if (sc->mac_ver >= 0x5390)
6121                 run_rt5390_rf_init(sc);
6122         else if (sc->mac_ver == 0x3593)
6123                 run_rt3593_rf_init(sc);
6124         else if (sc->mac_ver >= 0x3070)
6125                 run_rt3070_rf_init(sc);
6126
6127         /* disable non-existing Rx chains */
6128         run_bbp_read(sc, 3, &bbp3);
6129         bbp3 &= ~(1 << 3 | 1 << 4);
6130         if (sc->nrxchains == 2)
6131                 bbp3 |= 1 << 3;
6132         else if (sc->nrxchains == 3)
6133                 bbp3 |= 1 << 4;
6134         run_bbp_write(sc, 3, bbp3);
6135
6136         /* disable non-existing Tx chains */
6137         run_bbp_read(sc, 1, &bbp1);
6138         if (sc->ntxchains == 1)
6139                 bbp1 &= ~(1 << 3 | 1 << 4);
6140         run_bbp_write(sc, 1, bbp1);
6141
6142         if (sc->mac_ver >= 0x5390)
6143                 run_rt5390_rf_setup(sc);
6144         else if (sc->mac_ver == 0x3593)
6145                 run_rt3593_rf_setup(sc);
6146         else if (sc->mac_ver >= 0x3070)
6147                 run_rt3070_rf_setup(sc);
6148
6149         /* select default channel */
6150         run_set_chan(sc, ic->ic_curchan);
6151
6152         /* setup initial protection mode */
6153         run_updateprot_cb(ic);
6154
6155         /* turn radio LED on */
6156         run_set_leds(sc, RT2860_LED_RADIO);
6157
6158         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6159         ifp->if_drv_flags |= IFF_DRV_RUNNING;
6160         sc->cmdq_run = RUN_CMDQ_GO;
6161
6162         for (i = 0; i != RUN_N_XFER; i++)
6163                 usbd_xfer_set_stall(sc->sc_xfer[i]);
6164
6165         usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6166
6167         if (run_txrx_enable(sc) != 0)
6168                 goto fail;
6169
6170         return;
6171
6172 fail:
6173         run_stop(sc);
6174 }
6175
6176 static void
6177 run_init(void *arg)
6178 {
6179         struct run_softc *sc = arg;
6180         struct ifnet *ifp = sc->sc_ifp;
6181         struct ieee80211com *ic = ifp->if_l2com;
6182
6183         RUN_LOCK(sc);
6184         run_init_locked(sc);
6185         RUN_UNLOCK(sc);
6186
6187         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6188                 ieee80211_start_all(ic);
6189 }
6190
6191 static void
6192 run_stop(void *arg)
6193 {
6194         struct run_softc *sc = (struct run_softc *)arg;
6195         struct ifnet *ifp = sc->sc_ifp;
6196         uint32_t tmp;
6197         int i;
6198         int ntries;
6199
6200         RUN_LOCK_ASSERT(sc, MA_OWNED);
6201
6202         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6203                 run_set_leds(sc, 0);    /* turn all LEDs off */
6204
6205         ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6206
6207         sc->ratectl_run = RUN_RATECTL_OFF;
6208         sc->cmdq_run = sc->cmdq_key_set;
6209
6210         RUN_UNLOCK(sc);
6211
6212         for(i = 0; i < RUN_N_XFER; i++)
6213                 usbd_transfer_drain(sc->sc_xfer[i]);
6214
6215         RUN_LOCK(sc);
6216
6217         if (sc->rx_m != NULL) {
6218                 m_free(sc->rx_m);
6219                 sc->rx_m = NULL;
6220         }
6221
6222         /* Disable Tx/Rx DMA. */
6223         if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6224                 return;
6225         tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6226         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6227
6228         for (ntries = 0; ntries < 100; ntries++) {
6229                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6230                         return;
6231                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6232                                 break;
6233                 run_delay(sc, 10);
6234         }
6235         if (ntries == 100) {
6236                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6237                 return;
6238         }
6239
6240         /* disable Tx/Rx */
6241         run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6242         tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6243         run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6244
6245         /* wait for pending Tx to complete */
6246         for (ntries = 0; ntries < 100; ntries++) {
6247                 if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6248                         DPRINTF("Cannot read Tx queue count\n");
6249                         break;
6250                 }
6251                 if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6252                         DPRINTF("All Tx cleared\n");
6253                         break;
6254                 }
6255                 run_delay(sc, 10);
6256         }
6257         if (ntries >= 100)
6258                 DPRINTF("There are still pending Tx\n");
6259         run_delay(sc, 10);
6260         run_write(sc, RT2860_USB_DMA_CFG, 0);
6261
6262         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6263         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6264
6265         for (i = 0; i != RUN_EP_QUEUES; i++)
6266                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6267 }
6268
6269 static void
6270 run_delay(struct run_softc *sc, u_int ms)
6271 {
6272         usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6273             &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6274 }
6275
6276 static device_method_t run_methods[] = {
6277         /* Device interface */
6278         DEVMETHOD(device_probe,         run_match),
6279         DEVMETHOD(device_attach,        run_attach),
6280         DEVMETHOD(device_detach,        run_detach),
6281         DEVMETHOD_END
6282 };
6283
6284 static driver_t run_driver = {
6285         .name = "run",
6286         .methods = run_methods,
6287         .size = sizeof(struct run_softc)
6288 };
6289
6290 static devclass_t run_devclass;
6291
6292 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6293 MODULE_DEPEND(run, wlan, 1, 1, 1);
6294 MODULE_DEPEND(run, usb, 1, 1, 1);
6295 MODULE_DEPEND(run, firmware, 1, 1, 1);
6296 MODULE_VERSION(run, 1);