]> CyberLeo.Net >> Repos - FreeBSD/stable/9.git/blob - sys/dev/usb/wlan/if_run.c
projects / FreeBSD / stable / 9.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
MFC r259544, r259545, r259546, r259547, r259812, r259939, r260219, r260542,
[FreeBSD/stable/9.git] / sys / dev / usb / wlan / if_run.c
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_arp.h>
52 #include <net/ethernet.h>
53 #include <net/if_dl.h>
54 #include <net/if_media.h>
55 #include <net/if_types.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/if_ether.h>
61 #include <netinet/ip.h>
62
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_regdomain.h>
65 #include <net80211/ieee80211_radiotap.h>
66 #include <net80211/ieee80211_ratectl.h>
67
68 #include <dev/usb/usb.h>
69 #include <dev/usb/usbdi.h>
70 #include "usbdevs.h"
71
72 #define USB_DEBUG_VAR   run_debug
73 #include <dev/usb/usb_debug.h>
74 #include <dev/usb/usb_msctest.h>
75
76 #include <dev/usb/wlan/if_runreg.h>
77 #include <dev/usb/wlan/if_runvar.h>
78
79 #ifdef  USB_DEBUG
80 #define RUN_DEBUG
81 #endif
82
83 #ifdef  RUN_DEBUG
84 int run_debug = 0;
85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
86 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
87     "run debug level");
88 #endif
89
90 #define IEEE80211_HAS_ADDR4(wh) \
91         (((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
92
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101 #define RUN_DEV_EJECT(v,p)      \
102         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, 0) }
103     RUN_DEV(ABOCOM,             RT2770),
104     RUN_DEV(ABOCOM,             RT2870),
105     RUN_DEV(ABOCOM,             RT3070),
106     RUN_DEV(ABOCOM,             RT3071),
107     RUN_DEV(ABOCOM,             RT3072),
108     RUN_DEV(ABOCOM2,            RT2870_1),
109     RUN_DEV(ACCTON,             RT2770),
110     RUN_DEV(ACCTON,             RT2870_1),
111     RUN_DEV(ACCTON,             RT2870_2),
112     RUN_DEV(ACCTON,             RT2870_3),
113     RUN_DEV(ACCTON,             RT2870_4),
114     RUN_DEV(ACCTON,             RT2870_5),
115     RUN_DEV(ACCTON,             RT3070),
116     RUN_DEV(ACCTON,             RT3070_1),
117     RUN_DEV(ACCTON,             RT3070_2),
118     RUN_DEV(ACCTON,             RT3070_3),
119     RUN_DEV(ACCTON,             RT3070_4),
120     RUN_DEV(ACCTON,             RT3070_5),
121     RUN_DEV(AIRTIES,            RT3070),
122     RUN_DEV(ALLWIN,             RT2070),
123     RUN_DEV(ALLWIN,             RT2770),
124     RUN_DEV(ALLWIN,             RT2870),
125     RUN_DEV(ALLWIN,             RT3070),
126     RUN_DEV(ALLWIN,             RT3071),
127     RUN_DEV(ALLWIN,             RT3072),
128     RUN_DEV(ALLWIN,             RT3572),
129     RUN_DEV(AMIGO,              RT2870_1),
130     RUN_DEV(AMIGO,              RT2870_2),
131     RUN_DEV(AMIT,               CGWLUSB2GNR),
132     RUN_DEV(AMIT,               RT2870_1),
133     RUN_DEV(AMIT2,              RT2870),
134     RUN_DEV(ASUS,               RT2870_1),
135     RUN_DEV(ASUS,               RT2870_2),
136     RUN_DEV(ASUS,               RT2870_3),
137     RUN_DEV(ASUS,               RT2870_4),
138     RUN_DEV(ASUS,               RT2870_5),
139     RUN_DEV(ASUS,               USBN13),
140     RUN_DEV(ASUS,               RT3070_1),
141     RUN_DEV(ASUS,               USBN66),
142     RUN_DEV(ASUS,               USB_N53),
143     RUN_DEV(ASUS2,              USBN11),
144     RUN_DEV(AZUREWAVE,          RT2870_1),
145     RUN_DEV(AZUREWAVE,          RT2870_2),
146     RUN_DEV(AZUREWAVE,          RT3070_1),
147     RUN_DEV(AZUREWAVE,          RT3070_2),
148     RUN_DEV(AZUREWAVE,          RT3070_3),
149     RUN_DEV(BELKIN,             F9L1103),
150     RUN_DEV(BELKIN,             F5D8053V3),
151     RUN_DEV(BELKIN,             F5D8055),
152     RUN_DEV(BELKIN,             F5D8055V2),
153     RUN_DEV(BELKIN,             F6D4050V1),
154     RUN_DEV(BELKIN,             F6D4050V2),
155     RUN_DEV(BELKIN,             RT2870_1),
156     RUN_DEV(BELKIN,             RT2870_2),
157     RUN_DEV(CISCOLINKSYS,       AE1000),
158     RUN_DEV(CISCOLINKSYS2,      RT3070),
159     RUN_DEV(CISCOLINKSYS3,      RT3070),
160     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
161     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
162     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
163     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
164     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
165     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
166     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
167     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
168     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
169     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
170     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
171     RUN_DEV(COREGA,             CGWLUSB300GNM),
172     RUN_DEV(COREGA,             RT2870_1),
173     RUN_DEV(COREGA,             RT2870_2),
174     RUN_DEV(COREGA,             RT2870_3),
175     RUN_DEV(COREGA,             RT3070),
176     RUN_DEV(CYBERTAN,           RT2870),
177     RUN_DEV(DLINK,              RT2870),
178     RUN_DEV(DLINK,              RT3072),
179     RUN_DEV(DLINK,              DWA140B3),
180     RUN_DEV(DLINK,              DWA160B2),
181     RUN_DEV(DLINK,              DWA162),
182     RUN_DEV(DLINK2,             DWA130),
183     RUN_DEV(DLINK2,             RT2870_1),
184     RUN_DEV(DLINK2,             RT2870_2),
185     RUN_DEV(DLINK2,             RT3070_1),
186     RUN_DEV(DLINK2,             RT3070_2),
187     RUN_DEV(DLINK2,             RT3070_3),
188     RUN_DEV(DLINK2,             RT3070_4),
189     RUN_DEV(DLINK2,             RT3070_5),
190     RUN_DEV(DLINK2,             RT3072),
191     RUN_DEV(DLINK2,             RT3072_1),
192     RUN_DEV(EDIMAX,             EW7717),
193     RUN_DEV(EDIMAX,             EW7718),
194     RUN_DEV(EDIMAX,             EW7733UND),
195     RUN_DEV(EDIMAX,             RT2870_1),
196     RUN_DEV(ENCORE,             RT3070_1),
197     RUN_DEV(ENCORE,             RT3070_2),
198     RUN_DEV(ENCORE,             RT3070_3),
199     RUN_DEV(GIGABYTE,           GNWB31N),
200     RUN_DEV(GIGABYTE,           GNWB32L),
201     RUN_DEV(GIGABYTE,           RT2870_1),
202     RUN_DEV(GIGASET,            RT3070_1),
203     RUN_DEV(GIGASET,            RT3070_2),
204     RUN_DEV(GUILLEMOT,          HWNU300),
205     RUN_DEV(HAWKING,            HWUN2),
206     RUN_DEV(HAWKING,            RT2870_1),
207     RUN_DEV(HAWKING,            RT2870_2),
208     RUN_DEV(HAWKING,            RT3070),
209     RUN_DEV(IODATA,             RT3072_1),
210     RUN_DEV(IODATA,             RT3072_2),
211     RUN_DEV(IODATA,             RT3072_3),
212     RUN_DEV(IODATA,             RT3072_4),
213     RUN_DEV(LINKSYS4,           RT3070),
214     RUN_DEV(LINKSYS4,           WUSB100),
215     RUN_DEV(LINKSYS4,           WUSB54GCV3),
216     RUN_DEV(LINKSYS4,           WUSB600N),
217     RUN_DEV(LINKSYS4,           WUSB600NV2),
218     RUN_DEV(LOGITEC,            RT2870_1),
219     RUN_DEV(LOGITEC,            RT2870_2),
220     RUN_DEV(LOGITEC,            RT2870_3),
221     RUN_DEV(LOGITEC,            LANW300NU2),
222     RUN_DEV(LOGITEC,            LANW150NU2),
223     RUN_DEV(LOGITEC,            LANW300NU2S),
224     RUN_DEV(MELCO,              RT2870_1),
225     RUN_DEV(MELCO,              RT2870_2),
226     RUN_DEV(MELCO,              WLIUCAG300N),
227     RUN_DEV(MELCO,              WLIUCG300N),
228     RUN_DEV(MELCO,              WLIUCG301N),
229     RUN_DEV(MELCO,              WLIUCGN),
230     RUN_DEV(MELCO,              WLIUCGNM),
231     RUN_DEV(MELCO,              WLIUCGNM2),
232     RUN_DEV(MOTOROLA4,          RT2770),
233     RUN_DEV(MOTOROLA4,          RT3070),
234     RUN_DEV(MSI,                RT3070_1),
235     RUN_DEV(MSI,                RT3070_2),
236     RUN_DEV(MSI,                RT3070_3),
237     RUN_DEV(MSI,                RT3070_4),
238     RUN_DEV(MSI,                RT3070_5),
239     RUN_DEV(MSI,                RT3070_6),
240     RUN_DEV(MSI,                RT3070_7),
241     RUN_DEV(MSI,                RT3070_8),
242     RUN_DEV(MSI,                RT3070_9),
243     RUN_DEV(MSI,                RT3070_10),
244     RUN_DEV(MSI,                RT3070_11),
245     RUN_DEV(OVISLINK,           RT3072),
246     RUN_DEV(PARA,               RT3070),
247     RUN_DEV(PEGATRON,           RT2870),
248     RUN_DEV(PEGATRON,           RT3070),
249     RUN_DEV(PEGATRON,           RT3070_2),
250     RUN_DEV(PEGATRON,           RT3070_3),
251     RUN_DEV(PHILIPS,            RT2870),
252     RUN_DEV(PLANEX2,            GWUS300MINIS),
253     RUN_DEV(PLANEX2,            GWUSMICRON),
254     RUN_DEV(PLANEX2,            RT2870),
255     RUN_DEV(PLANEX2,            RT3070),
256     RUN_DEV(QCOM,               RT2870),
257     RUN_DEV(QUANTA,             RT3070),
258     RUN_DEV(RALINK,             RT2070),
259     RUN_DEV(RALINK,             RT2770),
260     RUN_DEV(RALINK,             RT2870),
261     RUN_DEV(RALINK,             RT3070),
262     RUN_DEV(RALINK,             RT3071),
263     RUN_DEV(RALINK,             RT3072),
264     RUN_DEV(RALINK,             RT3370),
265     RUN_DEV(RALINK,             RT3572),
266     RUN_DEV(RALINK,             RT3573),
267     RUN_DEV(RALINK,             RT5370),
268     RUN_DEV(RALINK,             RT5572),
269     RUN_DEV(RALINK,             RT8070),
270     RUN_DEV(SAMSUNG,            WIS09ABGN),
271     RUN_DEV(SAMSUNG2,           RT2870_1),
272     RUN_DEV(SENAO,              RT2870_1),
273     RUN_DEV(SENAO,              RT2870_2),
274     RUN_DEV(SENAO,              RT2870_3),
275     RUN_DEV(SENAO,              RT2870_4),
276     RUN_DEV(SENAO,              RT3070),
277     RUN_DEV(SENAO,              RT3071),
278     RUN_DEV(SENAO,              RT3072_1),
279     RUN_DEV(SENAO,              RT3072_2),
280     RUN_DEV(SENAO,              RT3072_3),
281     RUN_DEV(SENAO,              RT3072_4),
282     RUN_DEV(SENAO,              RT3072_5),
283     RUN_DEV(SITECOMEU,          RT2770),
284     RUN_DEV(SITECOMEU,          RT2870_1),
285     RUN_DEV(SITECOMEU,          RT2870_2),
286     RUN_DEV(SITECOMEU,          RT2870_3),
287     RUN_DEV(SITECOMEU,          RT2870_4),
288     RUN_DEV(SITECOMEU,          RT3070),
289     RUN_DEV(SITECOMEU,          RT3070_2),
290     RUN_DEV(SITECOMEU,          RT3070_3),
291     RUN_DEV(SITECOMEU,          RT3070_4),
292     RUN_DEV(SITECOMEU,          RT3071),
293     RUN_DEV(SITECOMEU,          RT3072_1),
294     RUN_DEV(SITECOMEU,          RT3072_2),
295     RUN_DEV(SITECOMEU,          RT3072_3),
296     RUN_DEV(SITECOMEU,          RT3072_4),
297     RUN_DEV(SITECOMEU,          RT3072_5),
298     RUN_DEV(SITECOMEU,          RT3072_6),
299     RUN_DEV(SITECOMEU,          WL608),
300     RUN_DEV(SPARKLAN,           RT2870_1),
301     RUN_DEV(SPARKLAN,           RT3070),
302     RUN_DEV(SWEEX2,             LW153),
303     RUN_DEV(SWEEX2,             LW303),
304     RUN_DEV(SWEEX2,             LW313),
305     RUN_DEV(TOSHIBA,            RT3070),
306     RUN_DEV(UMEDIA,             RT2870_1),
307     RUN_DEV(ZCOM,               RT2870_1),
308     RUN_DEV(ZCOM,               RT2870_2),
309     RUN_DEV(ZINWELL,            RT2870_1),
310     RUN_DEV(ZINWELL,            RT2870_2),
311     RUN_DEV(ZINWELL,            RT3070),
312     RUN_DEV(ZINWELL,            RT3072_1),
313     RUN_DEV(ZINWELL,            RT3072_2),
314     RUN_DEV(ZYXEL,              RT2870_1),
315     RUN_DEV(ZYXEL,              RT2870_2),
316     RUN_DEV(ZYXEL,              NWD2705),
317     RUN_DEV_EJECT(RALINK,       RT_STOR),
318 #undef RUN_DEV_EJECT
319 #undef RUN_DEV
320 };
321
322 static device_probe_t   run_match;
323 static device_attach_t  run_attach;
324 static device_detach_t  run_detach;
325
326 static usb_callback_t   run_bulk_rx_callback;
327 static usb_callback_t   run_bulk_tx_callback0;
328 static usb_callback_t   run_bulk_tx_callback1;
329 static usb_callback_t   run_bulk_tx_callback2;
330 static usb_callback_t   run_bulk_tx_callback3;
331 static usb_callback_t   run_bulk_tx_callback4;
332 static usb_callback_t   run_bulk_tx_callback5;
333
334 static void     run_autoinst(void *, struct usb_device *,
335                     struct usb_attach_arg *);
336 static int      run_driver_loaded(struct module *, int, void *);
337 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
338                     usb_error_t error, u_int index);
339 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
340                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
341                     const uint8_t [IEEE80211_ADDR_LEN],
342                     const uint8_t [IEEE80211_ADDR_LEN]);
343 static void     run_vap_delete(struct ieee80211vap *);
344 static void     run_cmdq_cb(void *, int);
345 static void     run_setup_tx_list(struct run_softc *,
346                     struct run_endpoint_queue *);
347 static void     run_unsetup_tx_list(struct run_softc *,
348                     struct run_endpoint_queue *);
349 static int      run_load_microcode(struct run_softc *);
350 static int      run_reset(struct run_softc *);
351 static usb_error_t run_do_request(struct run_softc *,
352                     struct usb_device_request *, void *);
353 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
354 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
355 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
356 static int      run_write(struct run_softc *, uint16_t, uint32_t);
357 static int      run_write_region_1(struct run_softc *, uint16_t,
358                     const uint8_t *, int);
359 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
360 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
361 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
362 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
363 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
364 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
365 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
366 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
367 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
368 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
369 static const char *run_get_rf(uint16_t);
370 static void     run_rt3593_get_txpower(struct run_softc *);
371 static void     run_get_txpower(struct run_softc *);
372 static int      run_read_eeprom(struct run_softc *);
373 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
374                             const uint8_t mac[IEEE80211_ADDR_LEN]);
375 static int      run_media_change(struct ifnet *);
376 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
377 static int      run_wme_update(struct ieee80211com *);
378 static void     run_wme_update_cb(void *);
379 static void     run_key_update_begin(struct ieee80211vap *);
380 static void     run_key_update_end(struct ieee80211vap *);
381 static void     run_key_set_cb(void *);
382 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *,
383                     const uint8_t mac[IEEE80211_ADDR_LEN]);
384 static void     run_key_delete_cb(void *);
385 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
386 static void     run_ratectl_to(void *);
387 static void     run_ratectl_cb(void *, int);
388 static void     run_drain_fifo(void *);
389 static void     run_iter_func(void *, struct ieee80211_node *);
390 static void     run_newassoc_cb(void *);
391 static void     run_newassoc(struct ieee80211_node *, int);
392 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
393 static void     run_tx_free(struct run_endpoint_queue *pq,
394                     struct run_tx_data *, int);
395 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
396 static int      run_tx(struct run_softc *, struct mbuf *,
397                     struct ieee80211_node *);
398 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
399                     struct ieee80211_node *);
400 static int      run_sendprot(struct run_softc *, const struct mbuf *,
401                     struct ieee80211_node *, int, int);
402 static int      run_tx_param(struct run_softc *, struct mbuf *,
403                     struct ieee80211_node *,
404                     const struct ieee80211_bpf_params *);
405 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
406                     const struct ieee80211_bpf_params *);
407 static void     run_start(struct ifnet *);
408 static int      run_ioctl(struct ifnet *, u_long, caddr_t);
409 static void     run_iq_calib(struct run_softc *, u_int);
410 static void     run_set_agc(struct run_softc *, uint8_t);
411 static void     run_select_chan_group(struct run_softc *, int);
412 static void     run_set_rx_antenna(struct run_softc *, int);
413 static void     run_rt2870_set_chan(struct run_softc *, u_int);
414 static void     run_rt3070_set_chan(struct run_softc *, u_int);
415 static void     run_rt3572_set_chan(struct run_softc *, u_int);
416 static void     run_rt3593_set_chan(struct run_softc *, u_int);
417 static void     run_rt5390_set_chan(struct run_softc *, u_int);
418 static void     run_rt5592_set_chan(struct run_softc *, u_int);
419 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
420 static void     run_set_channel(struct ieee80211com *);
421 static void     run_scan_start(struct ieee80211com *);
422 static void     run_scan_end(struct ieee80211com *);
423 static void     run_update_beacon(struct ieee80211vap *, int);
424 static void     run_update_beacon_cb(void *);
425 static void     run_updateprot(struct ieee80211com *);
426 static void     run_updateprot_cb(void *);
427 static void     run_usb_timeout_cb(void *);
428 static void     run_reset_livelock(struct run_softc *);
429 static void     run_enable_tsf_sync(struct run_softc *);
430 static void     run_enable_mrr(struct run_softc *);
431 static void     run_set_txpreamble(struct run_softc *);
432 static void     run_set_basicrates(struct run_softc *);
433 static void     run_set_leds(struct run_softc *, uint16_t);
434 static void     run_set_bssid(struct run_softc *, const uint8_t *);
435 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
436 static void     run_updateslot(struct ifnet *);
437 static void     run_updateslot_cb(void *);
438 static void     run_update_mcast(struct ifnet *);
439 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
440 static void     run_update_promisc_locked(struct ifnet *);
441 static void     run_update_promisc(struct ifnet *);
442 static void     run_rt5390_bbp_init(struct run_softc *);
443 static int      run_bbp_init(struct run_softc *);
444 static int      run_rt3070_rf_init(struct run_softc *);
445 static void     run_rt3593_rf_init(struct run_softc *);
446 static void     run_rt5390_rf_init(struct run_softc *);
447 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
448                     uint8_t *);
449 static void     run_rt3070_rf_setup(struct run_softc *);
450 static void     run_rt3593_rf_setup(struct run_softc *);
451 static void     run_rt5390_rf_setup(struct run_softc *);
452 static int      run_txrx_enable(struct run_softc *);
453 static void     run_adjust_freq_offset(struct run_softc *);
454 static void     run_init(void *);
455 static void     run_init_locked(struct run_softc *);
456 static void     run_stop(void *);
457 static void     run_delay(struct run_softc *, u_int);
458
459 static eventhandler_tag run_etag;
460
461 static const struct rt2860_rate {
462         uint8_t         rate;
463         uint8_t         mcs;
464         enum            ieee80211_phytype phy;
465         uint8_t         ctl_ridx;
466         uint16_t        sp_ack_dur;
467         uint16_t        lp_ack_dur;
468 } rt2860_rates[] = {
469         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
470         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
471         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
472         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
473         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
474         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
475         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
476         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
477         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
478         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
479         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
480         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
481 };
482
483 static const struct {
484         uint16_t        reg;
485         uint32_t        val;
486 } rt2870_def_mac[] = {
487         RT2870_DEF_MAC
488 };
489
490 static const struct {
491         uint8_t reg;
492         uint8_t val;
493 } rt2860_def_bbp[] = {
494         RT2860_DEF_BBP
495 },rt5390_def_bbp[] = {
496         RT5390_DEF_BBP
497 },rt5592_def_bbp[] = {
498         RT5592_DEF_BBP
499 };
500
501 /* 
502  * Default values for BBP register R196 for RT5592.
503  */
504 static const uint8_t rt5592_bbp_r196[] = {
505         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
506         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
507         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
508         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
509         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
510         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
511         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
513         0x2e, 0x36, 0x30, 0x6e
514 };
515
516 static const struct rfprog {
517         uint8_t         chan;
518         uint32_t        r1, r2, r3, r4;
519 } rt2860_rf2850[] = {
520         RT2860_RF2850
521 };
522
523 struct {
524         uint8_t n, r, k;
525 } rt3070_freqs[] = {
526         RT3070_RF3052
527 };
528
529 static const struct rt5592_freqs {
530         uint16_t        n;
531         uint8_t         k, m, r;
532 } rt5592_freqs_20mhz[] = {
533         RT5592_RF5592_20MHZ
534 },rt5592_freqs_40mhz[] = {
535         RT5592_RF5592_40MHZ
536 };
537
538 static const struct {
539         uint8_t reg;
540         uint8_t val;
541 } rt3070_def_rf[] = {
542         RT3070_DEF_RF
543 },rt3572_def_rf[] = {
544         RT3572_DEF_RF
545 },rt3593_def_rf[] = {
546         RT3593_DEF_RF
547 },rt5390_def_rf[] = {
548         RT5390_DEF_RF
549 },rt5392_def_rf[] = {
550         RT5392_DEF_RF
551 },rt5592_def_rf[] = {
552         RT5592_DEF_RF
553 },rt5592_2ghz_def_rf[] = {
554         RT5592_2GHZ_DEF_RF
555 },rt5592_5ghz_def_rf[] = {
556         RT5592_5GHZ_DEF_RF
557 };
558
559 static const struct {
560         u_int   firstchan;
561         u_int   lastchan;
562         uint8_t reg;
563         uint8_t val;
564 } rt5592_chan_5ghz[] = {
565         RT5592_CHAN_5GHZ
566 };
567
568 static const struct usb_config run_config[RUN_N_XFER] = {
569     [RUN_BULK_TX_BE] = {
570         .type = UE_BULK,
571         .endpoint = UE_ADDR_ANY,
572         .ep_index = 0,
573         .direction = UE_DIR_OUT,
574         .bufsize = RUN_MAX_TXSZ,
575         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
576         .callback = run_bulk_tx_callback0,
577         .timeout = 5000,        /* ms */
578     },
579     [RUN_BULK_TX_BK] = {
580         .type = UE_BULK,
581         .endpoint = UE_ADDR_ANY,
582         .direction = UE_DIR_OUT,
583         .ep_index = 1,
584         .bufsize = RUN_MAX_TXSZ,
585         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
586         .callback = run_bulk_tx_callback1,
587         .timeout = 5000,        /* ms */
588     },
589     [RUN_BULK_TX_VI] = {
590         .type = UE_BULK,
591         .endpoint = UE_ADDR_ANY,
592         .direction = UE_DIR_OUT,
593         .ep_index = 2,
594         .bufsize = RUN_MAX_TXSZ,
595         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
596         .callback = run_bulk_tx_callback2,
597         .timeout = 5000,        /* ms */
598     },
599     [RUN_BULK_TX_VO] = {
600         .type = UE_BULK,
601         .endpoint = UE_ADDR_ANY,
602         .direction = UE_DIR_OUT,
603         .ep_index = 3,
604         .bufsize = RUN_MAX_TXSZ,
605         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
606         .callback = run_bulk_tx_callback3,
607         .timeout = 5000,        /* ms */
608     },
609     [RUN_BULK_TX_HCCA] = {
610         .type = UE_BULK,
611         .endpoint = UE_ADDR_ANY,
612         .direction = UE_DIR_OUT,
613         .ep_index = 4,
614         .bufsize = RUN_MAX_TXSZ,
615         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
616         .callback = run_bulk_tx_callback4,
617         .timeout = 5000,        /* ms */
618     },
619     [RUN_BULK_TX_PRIO] = {
620         .type = UE_BULK,
621         .endpoint = UE_ADDR_ANY,
622         .direction = UE_DIR_OUT,
623         .ep_index = 5,
624         .bufsize = RUN_MAX_TXSZ,
625         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
626         .callback = run_bulk_tx_callback5,
627         .timeout = 5000,        /* ms */
628     },
629     [RUN_BULK_RX] = {
630         .type = UE_BULK,
631         .endpoint = UE_ADDR_ANY,
632         .direction = UE_DIR_IN,
633         .bufsize = RUN_MAX_RXSZ,
634         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
635         .callback = run_bulk_rx_callback,
636     }
637 };
638
639 static void
640 run_autoinst(void *arg, struct usb_device *udev,
641     struct usb_attach_arg *uaa)
642 {
643         struct usb_interface *iface;
644         struct usb_interface_descriptor *id;
645
646         if (uaa->dev_state != UAA_DEV_READY)
647                 return;
648
649         iface = usbd_get_iface(udev, 0);
650         if (iface == NULL)
651                 return;
652         id = iface->idesc;
653         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
654                 return;
655         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
656                 return;
657
658         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
659                 uaa->dev_state = UAA_DEV_EJECTING;
660 }
661
662 static int
663 run_driver_loaded(struct module *mod, int what, void *arg)
664 {
665         switch (what) {
666         case MOD_LOAD:
667                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
668                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
669                 break;
670         case MOD_UNLOAD:
671                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
672                 break;
673         default:
674                 return (EOPNOTSUPP);
675         }
676         return (0);
677 }
678
679 static int
680 run_match(device_t self)
681 {
682         struct usb_attach_arg *uaa = device_get_ivars(self);
683
684         if (uaa->usb_mode != USB_MODE_HOST)
685                 return (ENXIO);
686         if (uaa->info.bConfigIndex != 0)
687                 return (ENXIO);
688         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
689                 return (ENXIO);
690
691         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
692 }
693
694 static int
695 run_attach(device_t self)
696 {
697         struct run_softc *sc = device_get_softc(self);
698         struct usb_attach_arg *uaa = device_get_ivars(self);
699         struct ieee80211com *ic;
700         struct ifnet *ifp;
701         uint32_t ver;
702         int ntries, error;
703         uint8_t iface_index, bands;
704
705         device_set_usb_desc(self);
706         sc->sc_udev = uaa->device;
707         sc->sc_dev = self;
708
709         mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
710             MTX_NETWORK_LOCK, MTX_DEF);
711
712         iface_index = RT2860_IFACE_INDEX;
713
714         error = usbd_transfer_setup(uaa->device, &iface_index,
715             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
716         if (error) {
717                 device_printf(self, "could not allocate USB transfers, "
718                     "err=%s\n", usbd_errstr(error));
719                 goto detach;
720         }
721
722         RUN_LOCK(sc);
723
724         /* wait for the chip to settle */
725         for (ntries = 0; ntries < 100; ntries++) {
726                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
727                         RUN_UNLOCK(sc);
728                         goto detach;
729                 }
730                 if (ver != 0 && ver != 0xffffffff)
731                         break;
732                 run_delay(sc, 10);
733         }
734         if (ntries == 100) {
735                 device_printf(sc->sc_dev,
736                     "timeout waiting for NIC to initialize\n");
737                 RUN_UNLOCK(sc);
738                 goto detach;
739         }
740         sc->mac_ver = ver >> 16;
741         sc->mac_rev = ver & 0xffff;
742
743         /* retrieve RF rev. no and various other things from EEPROM */
744         run_read_eeprom(sc);
745
746         device_printf(sc->sc_dev,
747             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
748             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
749             sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
750
751         RUN_UNLOCK(sc);
752
753         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
754         if (ifp == NULL) {
755                 device_printf(sc->sc_dev, "can not if_alloc()\n");
756                 goto detach;
757         }
758         ic = ifp->if_l2com;
759
760         ifp->if_softc = sc;
761         if_initname(ifp, "run", device_get_unit(sc->sc_dev));
762         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
763         ifp->if_init = run_init;
764         ifp->if_ioctl = run_ioctl;
765         ifp->if_start = run_start;
766         IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
767         ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
768         IFQ_SET_READY(&ifp->if_snd);
769
770         ic->ic_ifp = ifp;
771         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
772         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
773
774         /* set device capabilities */
775         ic->ic_caps =
776             IEEE80211_C_STA |           /* station mode supported */
777             IEEE80211_C_MONITOR |       /* monitor mode supported */
778             IEEE80211_C_IBSS |
779             IEEE80211_C_HOSTAP |
780             IEEE80211_C_WDS |           /* 4-address traffic works */
781             IEEE80211_C_MBSS |
782             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
783             IEEE80211_C_SHSLOT |        /* short slot time supported */
784             IEEE80211_C_WME |           /* WME */
785             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
786
787         ic->ic_cryptocaps =
788             IEEE80211_CRYPTO_WEP |
789             IEEE80211_CRYPTO_AES_CCM |
790             IEEE80211_CRYPTO_TKIPMIC |
791             IEEE80211_CRYPTO_TKIP;
792
793         ic->ic_flags |= IEEE80211_F_DATAPAD;
794         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
795
796         bands = 0;
797         setbit(&bands, IEEE80211_MODE_11B);
798         setbit(&bands, IEEE80211_MODE_11G);
799         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
800             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
801             sc->rf_rev == RT5592_RF_5592)
802                 setbit(&bands, IEEE80211_MODE_11A);
803         ieee80211_init_channels(ic, NULL, &bands);
804
805         ieee80211_ifattach(ic, sc->sc_bssid);
806
807         ic->ic_scan_start = run_scan_start;
808         ic->ic_scan_end = run_scan_end;
809         ic->ic_set_channel = run_set_channel;
810         ic->ic_node_alloc = run_node_alloc;
811         ic->ic_newassoc = run_newassoc;
812         ic->ic_updateslot = run_updateslot;
813         ic->ic_update_mcast = run_update_mcast;
814         ic->ic_wme.wme_update = run_wme_update;
815         ic->ic_raw_xmit = run_raw_xmit;
816         ic->ic_update_promisc = run_update_promisc;
817
818         ic->ic_vap_create = run_vap_create;
819         ic->ic_vap_delete = run_vap_delete;
820
821         ieee80211_radiotap_attach(ic,
822             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
823                 RUN_TX_RADIOTAP_PRESENT,
824             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
825                 RUN_RX_RADIOTAP_PRESENT);
826
827         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
828         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
829         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
830
831         if (bootverbose)
832                 ieee80211_announce(ic);
833
834         return (0);
835
836 detach:
837         run_detach(self);
838         return (ENXIO);
839 }
840
841 static int
842 run_detach(device_t self)
843 {
844         struct run_softc *sc = device_get_softc(self);
845         struct ifnet *ifp = sc->sc_ifp;
846         struct ieee80211com *ic;
847         int i;
848
849         RUN_LOCK(sc);
850         sc->sc_detached = 1;
851         RUN_UNLOCK(sc);
852
853         /* stop all USB transfers */
854         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
855
856         RUN_LOCK(sc);
857         sc->ratectl_run = RUN_RATECTL_OFF;
858         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
859
860         /* free TX list, if any */
861         for (i = 0; i != RUN_EP_QUEUES; i++)
862                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
863         RUN_UNLOCK(sc);
864
865         if (ifp) {
866                 ic = ifp->if_l2com;
867                 /* drain tasks */
868                 usb_callout_drain(&sc->ratectl_ch);
869                 ieee80211_draintask(ic, &sc->cmdq_task);
870                 ieee80211_draintask(ic, &sc->ratectl_task);
871                 ieee80211_ifdetach(ic);
872                 if_free(ifp);
873         }
874
875         mtx_destroy(&sc->sc_mtx);
876
877         return (0);
878 }
879
880 static struct ieee80211vap *
881 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
882     enum ieee80211_opmode opmode, int flags,
883     const uint8_t bssid[IEEE80211_ADDR_LEN],
884     const uint8_t mac[IEEE80211_ADDR_LEN])
885 {
886         struct ifnet *ifp = ic->ic_ifp;
887         struct run_softc *sc = ifp->if_softc;
888         struct run_vap *rvp;
889         struct ieee80211vap *vap;
890         int i;
891
892         if (sc->rvp_cnt >= RUN_VAP_MAX) {
893                 if_printf(ifp, "number of VAPs maxed out\n");
894                 return (NULL);
895         }
896
897         switch (opmode) {
898         case IEEE80211_M_STA:
899                 /* enable s/w bmiss handling for sta mode */
900                 flags |= IEEE80211_CLONE_NOBEACONS; 
901                 /* fall though */
902         case IEEE80211_M_IBSS:
903         case IEEE80211_M_MONITOR:
904         case IEEE80211_M_HOSTAP:
905         case IEEE80211_M_MBSS:
906                 /* other than WDS vaps, only one at a time */
907                 if (!TAILQ_EMPTY(&ic->ic_vaps))
908                         return (NULL);
909                 break;
910         case IEEE80211_M_WDS:
911                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
912                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
913                                 continue;
914                         /* WDS vap's always share the local mac address. */
915                         flags &= ~IEEE80211_CLONE_BSSID;
916                         break;
917                 }
918                 if (vap == NULL) {
919                         if_printf(ifp, "wds only supported in ap mode\n");
920                         return (NULL);
921                 }
922                 break;
923         default:
924                 if_printf(ifp, "unknown opmode %d\n", opmode);
925                 return (NULL);
926         }
927
928         rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
929             M_80211_VAP, M_NOWAIT | M_ZERO);
930         if (rvp == NULL)
931                 return (NULL);
932         vap = &rvp->vap;
933
934         if (ieee80211_vap_setup(ic, vap, name, unit,
935             opmode, flags, bssid, mac) != 0) {
936                 /* out of memory */
937                 free(rvp, M_80211_VAP);
938                 return (NULL);
939         }
940
941         vap->iv_key_update_begin = run_key_update_begin;
942         vap->iv_key_update_end = run_key_update_end;
943         vap->iv_update_beacon = run_update_beacon;
944         vap->iv_max_aid = RT2870_WCID_MAX;
945         /*
946          * To delete the right key from h/w, we need wcid.
947          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
948          * and matching wcid will be written into there. So, cast
949          * some spells to remove 'const' from ieee80211_key{}
950          */
951         vap->iv_key_delete = (void *)run_key_delete;
952         vap->iv_key_set = (void *)run_key_set;
953
954         /* override state transition machine */
955         rvp->newstate = vap->iv_newstate;
956         vap->iv_newstate = run_newstate;
957
958         ieee80211_ratectl_init(vap);
959         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
960
961         /* complete setup */
962         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
963
964         /* make sure id is always unique */
965         for (i = 0; i < RUN_VAP_MAX; i++) {
966                 if((sc->rvp_bmap & 1 << i) == 0){
967                         sc->rvp_bmap |= 1 << i;
968                         rvp->rvp_id = i;
969                         break;
970                 }
971         }
972         if (sc->rvp_cnt++ == 0)
973                 ic->ic_opmode = opmode;
974
975         if (opmode == IEEE80211_M_HOSTAP)
976                 sc->cmdq_run = RUN_CMDQ_GO;
977
978         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
979             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
980
981         return (vap);
982 }
983
984 static void
985 run_vap_delete(struct ieee80211vap *vap)
986 {
987         struct run_vap *rvp = RUN_VAP(vap);
988         struct ifnet *ifp;
989         struct ieee80211com *ic;
990         struct run_softc *sc;
991         uint8_t rvp_id;
992
993         if (vap == NULL)
994                 return;
995
996         ic = vap->iv_ic;
997         ifp = ic->ic_ifp;
998
999         sc = ifp->if_softc;
1000
1001         RUN_LOCK(sc);
1002
1003         m_freem(rvp->beacon_mbuf);
1004         rvp->beacon_mbuf = NULL;
1005
1006         rvp_id = rvp->rvp_id;
1007         sc->ratectl_run &= ~(1 << rvp_id);
1008         sc->rvp_bmap &= ~(1 << rvp_id);
1009         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1010         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1011         --sc->rvp_cnt;
1012
1013         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1014             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1015
1016         RUN_UNLOCK(sc);
1017
1018         ieee80211_ratectl_deinit(vap);
1019         ieee80211_vap_detach(vap);
1020         free(rvp, M_80211_VAP);
1021 }
1022
1023 /*
1024  * There are numbers of functions need to be called in context thread.
1025  * Rather than creating taskqueue event for each of those functions,
1026  * here is all-for-one taskqueue callback function. This function
1027  * gurantees deferred functions are executed in the same order they
1028  * were enqueued.
1029  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1030  */
1031 static void
1032 run_cmdq_cb(void *arg, int pending)
1033 {
1034         struct run_softc *sc = arg;
1035         uint8_t i;
1036
1037         /* call cmdq[].func locked */
1038         RUN_LOCK(sc);
1039         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1040             i = sc->cmdq_exec, pending--) {
1041                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1042                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1043                         /*
1044                          * If arg0 is NULL, callback func needs more
1045                          * than one arg. So, pass ptr to cmdq struct.
1046                          */
1047                         if (sc->cmdq[i].arg0)
1048                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1049                         else
1050                                 sc->cmdq[i].func(&sc->cmdq[i]);
1051                 }
1052                 sc->cmdq[i].arg0 = NULL;
1053                 sc->cmdq[i].func = NULL;
1054                 sc->cmdq_exec++;
1055                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1056         }
1057         RUN_UNLOCK(sc);
1058 }
1059
1060 static void
1061 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1062 {
1063         struct run_tx_data *data;
1064
1065         memset(pq, 0, sizeof(*pq));
1066
1067         STAILQ_INIT(&pq->tx_qh);
1068         STAILQ_INIT(&pq->tx_fh);
1069
1070         for (data = &pq->tx_data[0];
1071             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1072                 data->sc = sc;
1073                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1074         }
1075         pq->tx_nfree = RUN_TX_RING_COUNT;
1076 }
1077
1078 static void
1079 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1080 {
1081         struct run_tx_data *data;
1082
1083         /* make sure any subsequent use of the queues will fail */
1084         pq->tx_nfree = 0;
1085         STAILQ_INIT(&pq->tx_fh);
1086         STAILQ_INIT(&pq->tx_qh);
1087
1088         /* free up all node references and mbufs */
1089         for (data = &pq->tx_data[0];
1090             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1091                 if (data->m != NULL) {
1092                         m_freem(data->m);
1093                         data->m = NULL;
1094                 }
1095                 if (data->ni != NULL) {
1096                         ieee80211_free_node(data->ni);
1097                         data->ni = NULL;
1098                 }
1099         }
1100 }
1101
1102 static int
1103 run_load_microcode(struct run_softc *sc)
1104 {
1105         usb_device_request_t req;
1106         const struct firmware *fw;
1107         const u_char *base;
1108         uint32_t tmp;
1109         int ntries, error;
1110         const uint64_t *temp;
1111         uint64_t bytes;
1112
1113         RUN_UNLOCK(sc);
1114         fw = firmware_get("runfw");
1115         RUN_LOCK(sc);
1116         if (fw == NULL) {
1117                 device_printf(sc->sc_dev,
1118                     "failed loadfirmware of file %s\n", "runfw");
1119                 return ENOENT;
1120         }
1121
1122         if (fw->datasize != 8192) {
1123                 device_printf(sc->sc_dev,
1124                     "invalid firmware size (should be 8KB)\n");
1125                 error = EINVAL;
1126                 goto fail;
1127         }
1128
1129         /*
1130          * RT3071/RT3072 use a different firmware
1131          * run-rt2870 (8KB) contains both,
1132          * first half (4KB) is for rt2870,
1133          * last half is for rt3071.
1134          */
1135         base = fw->data;
1136         if ((sc->mac_ver) != 0x2860 &&
1137             (sc->mac_ver) != 0x2872 &&
1138             (sc->mac_ver) != 0x3070) { 
1139                 base += 4096;
1140         }
1141
1142         /* cheap sanity check */
1143         temp = fw->data;
1144         bytes = *temp;
1145         if (bytes != be64toh(0xffffff0210280210ULL)) {
1146                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1147                 error = EINVAL;
1148                 goto fail;
1149         }
1150
1151         /* write microcode image */
1152         if (sc->mac_ver != 0x3593) {
1153                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1154                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1155                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1156         }
1157
1158         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1159         req.bRequest = RT2870_RESET;
1160         USETW(req.wValue, 8);
1161         USETW(req.wIndex, 0);
1162         USETW(req.wLength, 0);
1163         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1164             != 0) {
1165                 device_printf(sc->sc_dev, "firmware reset failed\n");
1166                 goto fail;
1167         }
1168
1169         run_delay(sc, 10);
1170
1171         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1172         run_write(sc, RT2860_H2M_MAILBOX, 0);
1173         run_write(sc, RT2860_H2M_INTSRC, 0);
1174         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1175                 goto fail;
1176
1177         /* wait until microcontroller is ready */
1178         for (ntries = 0; ntries < 1000; ntries++) {
1179                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1180                         goto fail;
1181                 if (tmp & RT2860_MCU_READY)
1182                         break;
1183                 run_delay(sc, 10);
1184         }
1185         if (ntries == 1000) {
1186                 device_printf(sc->sc_dev,
1187                     "timeout waiting for MCU to initialize\n");
1188                 error = ETIMEDOUT;
1189                 goto fail;
1190         }
1191         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1192             (base == fw->data) ? "RT2870" : "RT3071",
1193             *(base + 4092), *(base + 4093));
1194
1195 fail:
1196         firmware_put(fw, FIRMWARE_UNLOAD);
1197         return (error);
1198 }
1199
1200 static int
1201 run_reset(struct run_softc *sc)
1202 {
1203         usb_device_request_t req;
1204
1205         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1206         req.bRequest = RT2870_RESET;
1207         USETW(req.wValue, 1);
1208         USETW(req.wIndex, 0);
1209         USETW(req.wLength, 0);
1210         return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1211 }
1212
1213 static usb_error_t
1214 run_do_request(struct run_softc *sc,
1215     struct usb_device_request *req, void *data)
1216 {
1217         usb_error_t err;
1218         int ntries = 10;
1219
1220         RUN_LOCK_ASSERT(sc, MA_OWNED);
1221
1222         while (ntries--) {
1223                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1224                     req, data, 0, NULL, 250 /* ms */);
1225                 if (err == 0)
1226                         break;
1227                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1228                     usbd_errstr(err));
1229                 run_delay(sc, 10);
1230         }
1231         return (err);
1232 }
1233
1234 static int
1235 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1236 {
1237         uint32_t tmp;
1238         int error;
1239
1240         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1241         if (error == 0)
1242                 *val = le32toh(tmp);
1243         else
1244                 *val = 0xffffffff;
1245         return (error);
1246 }
1247
1248 static int
1249 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1250 {
1251         usb_device_request_t req;
1252
1253         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1254         req.bRequest = RT2870_READ_REGION_1;
1255         USETW(req.wValue, 0);
1256         USETW(req.wIndex, reg);
1257         USETW(req.wLength, len);
1258
1259         return (run_do_request(sc, &req, buf));
1260 }
1261
1262 static int
1263 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1264 {
1265         usb_device_request_t req;
1266
1267         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1268         req.bRequest = RT2870_WRITE_2;
1269         USETW(req.wValue, val);
1270         USETW(req.wIndex, reg);
1271         USETW(req.wLength, 0);
1272
1273         return (run_do_request(sc, &req, NULL));
1274 }
1275
1276 static int
1277 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1278 {
1279         int error;
1280
1281         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1282                 error = run_write_2(sc, reg + 2, val >> 16);
1283         return (error);
1284 }
1285
1286 static int
1287 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1288     int len)
1289 {
1290 #if 1
1291         int i, error = 0;
1292         /*
1293          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1294          * We thus issue multiple WRITE_2 commands instead.
1295          */
1296         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1297         for (i = 0; i < len && error == 0; i += 2)
1298                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1299         return (error);
1300 #else
1301         usb_device_request_t req;
1302         int error = 0;
1303
1304         /*
1305          * NOTE: It appears the WRITE_REGION_1 command cannot be
1306          * passed a huge amount of data, which will crash the
1307          * firmware. Limit amount of data passed to 64-bytes at a
1308          * time.
1309          */
1310         while (len > 0) {
1311                 int delta = 64;
1312                 if (delta > len)
1313                         delta = len;
1314
1315                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1316                 req.bRequest = RT2870_WRITE_REGION_1;
1317                 USETW(req.wValue, 0);
1318                 USETW(req.wIndex, reg);
1319                 USETW(req.wLength, delta);
1320                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1321                 if (error != 0)
1322                         break;
1323                 reg += delta;
1324                 buf += delta;
1325                 len -= delta;
1326         }
1327         return (error);
1328 #endif
1329 }
1330
1331 static int
1332 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1333 {
1334         int i, error = 0;
1335
1336         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1337         for (i = 0; i < len && error == 0; i += 4)
1338                 error = run_write(sc, reg + i, val);
1339         return (error);
1340 }
1341
1342 static int
1343 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1344 {
1345         uint32_t tmp;
1346         uint16_t reg;
1347         int error, ntries;
1348
1349         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1350                 return (error);
1351
1352         if (count == 2)
1353                 addr *= 2;
1354         /*-
1355          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1356          * DATA0: F E D C
1357          * DATA1: B A 9 8
1358          * DATA2: 7 6 5 4
1359          * DATA3: 3 2 1 0
1360          */
1361         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1362         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1363         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1364         for (ntries = 0; ntries < 100; ntries++) {
1365                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1366                         return (error);
1367                 if (!(tmp & RT3070_EFSROM_KICK))
1368                         break;
1369                 run_delay(sc, 2);
1370         }
1371         if (ntries == 100)
1372                 return (ETIMEDOUT);
1373
1374         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1375                 *val = 0xffff;  /* address not found */
1376                 return (0);
1377         }
1378         /* determine to which 32-bit register our 16-bit word belongs */
1379         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1380         if ((error = run_read(sc, reg, &tmp)) != 0)
1381                 return (error);
1382
1383         tmp >>= (8 * (addr & 0x3));
1384         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1385
1386         return (0);
1387 }
1388
1389 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1390 static int
1391 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1392 {
1393         return (run_efuse_read(sc, addr, val, 2));
1394 }
1395
1396 static int
1397 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1398 {
1399         usb_device_request_t req;
1400         uint16_t tmp;
1401         int error;
1402
1403         addr *= 2;
1404         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1405         req.bRequest = RT2870_EEPROM_READ;
1406         USETW(req.wValue, 0);
1407         USETW(req.wIndex, addr);
1408         USETW(req.wLength, sizeof(tmp));
1409
1410         error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1411         if (error == 0)
1412                 *val = le16toh(tmp);
1413         else
1414                 *val = 0xffff;
1415         return (error);
1416 }
1417
1418 static __inline int
1419 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1420 {
1421         /* either eFUSE ROM or EEPROM */
1422         return sc->sc_srom_read(sc, addr, val);
1423 }
1424
1425 static int
1426 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1427 {
1428         uint32_t tmp;
1429         int error, ntries;
1430
1431         for (ntries = 0; ntries < 10; ntries++) {
1432                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1433                         return (error);
1434                 if (!(tmp & RT2860_RF_REG_CTRL))
1435                         break;
1436         }
1437         if (ntries == 10)
1438                 return (ETIMEDOUT);
1439
1440         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1441 }
1442
1443 static int
1444 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1445 {
1446         uint32_t tmp;
1447         int error, ntries;
1448
1449         for (ntries = 0; ntries < 100; ntries++) {
1450                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1451                         return (error);
1452                 if (!(tmp & RT3070_RF_KICK))
1453                         break;
1454         }
1455         if (ntries == 100)
1456                 return (ETIMEDOUT);
1457
1458         tmp = RT3070_RF_KICK | reg << 8;
1459         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1460                 return (error);
1461
1462         for (ntries = 0; ntries < 100; ntries++) {
1463                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1464                         return (error);
1465                 if (!(tmp & RT3070_RF_KICK))
1466                         break;
1467         }
1468         if (ntries == 100)
1469                 return (ETIMEDOUT);
1470
1471         *val = tmp & 0xff;
1472         return (0);
1473 }
1474
1475 static int
1476 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1477 {
1478         uint32_t tmp;
1479         int error, ntries;
1480
1481         for (ntries = 0; ntries < 10; ntries++) {
1482                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1483                         return (error);
1484                 if (!(tmp & RT3070_RF_KICK))
1485                         break;
1486         }
1487         if (ntries == 10)
1488                 return (ETIMEDOUT);
1489
1490         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1491         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1492 }
1493
1494 static int
1495 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1496 {
1497         uint32_t tmp;
1498         int ntries, error;
1499
1500         for (ntries = 0; ntries < 10; ntries++) {
1501                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1502                         return (error);
1503                 if (!(tmp & RT2860_BBP_CSR_KICK))
1504                         break;
1505         }
1506         if (ntries == 10)
1507                 return (ETIMEDOUT);
1508
1509         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1510         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1511                 return (error);
1512
1513         for (ntries = 0; ntries < 10; ntries++) {
1514                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1515                         return (error);
1516                 if (!(tmp & RT2860_BBP_CSR_KICK))
1517                         break;
1518         }
1519         if (ntries == 10)
1520                 return (ETIMEDOUT);
1521
1522         *val = tmp & 0xff;
1523         return (0);
1524 }
1525
1526 static int
1527 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1528 {
1529         uint32_t tmp;
1530         int ntries, error;
1531
1532         for (ntries = 0; ntries < 10; ntries++) {
1533                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1534                         return (error);
1535                 if (!(tmp & RT2860_BBP_CSR_KICK))
1536                         break;
1537         }
1538         if (ntries == 10)
1539                 return (ETIMEDOUT);
1540
1541         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1542         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1543 }
1544
1545 /*
1546  * Send a command to the 8051 microcontroller unit.
1547  */
1548 static int
1549 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1550 {
1551         uint32_t tmp;
1552         int error, ntries;
1553
1554         for (ntries = 0; ntries < 100; ntries++) {
1555                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1556                         return error;
1557                 if (!(tmp & RT2860_H2M_BUSY))
1558                         break;
1559         }
1560         if (ntries == 100)
1561                 return ETIMEDOUT;
1562
1563         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1564         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1565                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1566         return (error);
1567 }
1568
1569 /*
1570  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1571  * Used to adjust per-rate Tx power registers.
1572  */
1573 static __inline uint32_t
1574 b4inc(uint32_t b32, int8_t delta)
1575 {
1576         int8_t i, b4;
1577
1578         for (i = 0; i < 8; i++) {
1579                 b4 = b32 & 0xf;
1580                 b4 += delta;
1581                 if (b4 < 0)
1582                         b4 = 0;
1583                 else if (b4 > 0xf)
1584                         b4 = 0xf;
1585                 b32 = b32 >> 4 | b4 << 28;
1586         }
1587         return (b32);
1588 }
1589
1590 static const char *
1591 run_get_rf(uint16_t rev)
1592 {
1593         switch (rev) {
1594         case RT2860_RF_2820:    return "RT2820";
1595         case RT2860_RF_2850:    return "RT2850";
1596         case RT2860_RF_2720:    return "RT2720";
1597         case RT2860_RF_2750:    return "RT2750";
1598         case RT3070_RF_3020:    return "RT3020";
1599         case RT3070_RF_2020:    return "RT2020";
1600         case RT3070_RF_3021:    return "RT3021";
1601         case RT3070_RF_3022:    return "RT3022";
1602         case RT3070_RF_3052:    return "RT3052";
1603         case RT3593_RF_3053:    return "RT3053";
1604         case RT5592_RF_5592:    return "RT5592";
1605         case RT5390_RF_5370:    return "RT5370";
1606         case RT5390_RF_5372:    return "RT5372";
1607         }
1608         return ("unknown");
1609 }
1610
1611 static void
1612 run_rt3593_get_txpower(struct run_softc *sc)
1613 {
1614         uint16_t addr, val;
1615         int i;
1616
1617         /* Read power settings for 2GHz channels. */
1618         for (i = 0; i < 14; i += 2) {
1619                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1620                     RT2860_EEPROM_PWR2GHZ_BASE1;
1621                 run_srom_read(sc, addr + i / 2, &val);
1622                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1623                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1624
1625                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1626                     RT2860_EEPROM_PWR2GHZ_BASE2;
1627                 run_srom_read(sc, addr + i / 2, &val);
1628                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1629                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1630
1631                 if (sc->ntxchains == 3) {
1632                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1633                             &val);
1634                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1635                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1636                 }
1637         }
1638         /* Fix broken Tx power entries. */
1639         for (i = 0; i < 14; i++) {
1640                 if (sc->txpow1[i] > 31)
1641                         sc->txpow1[i] = 5;
1642                 if (sc->txpow2[i] > 31)
1643                         sc->txpow2[i] = 5;
1644                 if (sc->ntxchains == 3) {
1645                         if (sc->txpow3[i] > 31)
1646                                 sc->txpow3[i] = 5;
1647                 }
1648         }
1649         /* Read power settings for 5GHz channels. */
1650         for (i = 0; i < 40; i += 2) {
1651                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1652                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1653                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1654
1655                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1656                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1657                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1658
1659                 if (sc->ntxchains == 3) {
1660                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1661                             &val);
1662                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1663                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1664                 }
1665         }
1666 }
1667
1668 static void
1669 run_get_txpower(struct run_softc *sc)
1670 {
1671         uint16_t val;
1672         int i;
1673
1674         /* Read power settings for 2GHz channels. */
1675         for (i = 0; i < 14; i += 2) {
1676                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1677                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1678                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1679
1680                 if (sc->mac_ver != 0x5390) {
1681                         run_srom_read(sc,
1682                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1683                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1684                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1685                 }
1686         }
1687         /* Fix broken Tx power entries. */
1688         for (i = 0; i < 14; i++) {
1689                 if (sc->mac_ver >= 0x5390) {
1690                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1691                                 sc->txpow1[i] = 5;
1692                 } else {
1693                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1694                                 sc->txpow1[i] = 5;
1695                 }
1696                 if (sc->mac_ver > 0x5390) {
1697                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1698                                 sc->txpow2[i] = 5;
1699                 } else if (sc->mac_ver < 0x5390) {
1700                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1701                                 sc->txpow2[i] = 5;
1702                 }
1703                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1704                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1705         }
1706         /* Read power settings for 5GHz channels. */
1707         for (i = 0; i < 40; i += 2) {
1708                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1709                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1710                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1711
1712                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1713                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1714                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1715         }
1716         /* Fix broken Tx power entries. */
1717         for (i = 0; i < 40; i++ ) {
1718                 if (sc->mac_ver != 0x5592) {
1719                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1720                                 sc->txpow1[14 + i] = 5;
1721                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1722                                 sc->txpow2[14 + i] = 5;
1723                 }
1724                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1725                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1726                     sc->txpow2[14 + i]);
1727         }
1728 }
1729
1730 static int
1731 run_read_eeprom(struct run_softc *sc)
1732 {
1733         int8_t delta_2ghz, delta_5ghz;
1734         uint32_t tmp;
1735         uint16_t val;
1736         int ridx, ant, i;
1737
1738         /* check whether the ROM is eFUSE ROM or EEPROM */
1739         sc->sc_srom_read = run_eeprom_read_2;
1740         if (sc->mac_ver >= 0x3070) {
1741                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1742                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1743                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1744                         sc->sc_srom_read = run_efuse_read_2;
1745         }
1746
1747         /* read ROM version */
1748         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1749         DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1750
1751         /* read MAC address */
1752         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1753         sc->sc_bssid[0] = val & 0xff;
1754         sc->sc_bssid[1] = val >> 8;
1755         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1756         sc->sc_bssid[2] = val & 0xff;
1757         sc->sc_bssid[3] = val >> 8;
1758         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1759         sc->sc_bssid[4] = val & 0xff;
1760         sc->sc_bssid[5] = val >> 8;
1761
1762         if (sc->mac_ver < 0x3593) {
1763                 /* read vender BBP settings */
1764                 for (i = 0; i < 10; i++) {
1765                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1766                         sc->bbp[i].val = val & 0xff;
1767                         sc->bbp[i].reg = val >> 8;
1768                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1769                             sc->bbp[i].val);
1770                 }
1771                 if (sc->mac_ver >= 0x3071) {
1772                         /* read vendor RF settings */
1773                         for (i = 0; i < 10; i++) {
1774                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1775                                    &val);
1776                                 sc->rf[i].val = val & 0xff;
1777                                 sc->rf[i].reg = val >> 8;
1778                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1779                                     sc->rf[i].val);
1780                         }
1781                 }
1782         }
1783
1784         /* read RF frequency offset from EEPROM */
1785         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1786             RT3593_EEPROM_FREQ, &val);
1787         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1788         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1789
1790         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1791             RT3593_EEPROM_FREQ_LEDS, &val);
1792         if (val >> 8 != 0xff) {
1793                 /* read LEDs operating mode */
1794                 sc->leds = val >> 8;
1795                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1796                     RT3593_EEPROM_LED1, &sc->led[0]);
1797                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1798                     RT3593_EEPROM_LED2, &sc->led[1]);
1799                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1800                     RT3593_EEPROM_LED3, &sc->led[2]);
1801         } else {
1802                 /* broken EEPROM, use default settings */
1803                 sc->leds = 0x01;
1804                 sc->led[0] = 0x5555;
1805                 sc->led[1] = 0x2221;
1806                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1807         }
1808         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1809             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1810
1811         /* read RF information */
1812         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1813                 run_srom_read(sc, 0x00, &val);
1814         else
1815                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1816
1817         if (val == 0xffff) {
1818                 device_printf(sc->sc_dev,
1819                     "invalid EEPROM antenna info, using default\n");
1820                 DPRINTF("invalid EEPROM antenna info, using default\n");
1821                 if (sc->mac_ver == 0x3572) {
1822                         /* default to RF3052 2T2R */
1823                         sc->rf_rev = RT3070_RF_3052;
1824                         sc->ntxchains = 2;
1825                         sc->nrxchains = 2;
1826                 } else if (sc->mac_ver >= 0x3070) {
1827                         /* default to RF3020 1T1R */
1828                         sc->rf_rev = RT3070_RF_3020;
1829                         sc->ntxchains = 1;
1830                         sc->nrxchains = 1;
1831                 } else {
1832                         /* default to RF2820 1T2R */
1833                         sc->rf_rev = RT2860_RF_2820;
1834                         sc->ntxchains = 1;
1835                         sc->nrxchains = 2;
1836                 }
1837         } else {
1838                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1839                         sc->rf_rev = val;
1840                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1841                 } else
1842                         sc->rf_rev = (val >> 8) & 0xf;
1843                 sc->ntxchains = (val >> 4) & 0xf;
1844                 sc->nrxchains = val & 0xf;
1845         }
1846         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1847             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1848
1849         /* check if RF supports automatic Tx access gain control */
1850         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1851         DPRINTF("EEPROM CFG 0x%04x\n", val);
1852         /* check if driver should patch the DAC issue */
1853         if ((val >> 8) != 0xff)
1854                 sc->patch_dac = (val >> 15) & 1;
1855         if ((val & 0xff) != 0xff) {
1856                 sc->ext_5ghz_lna = (val >> 3) & 1;
1857                 sc->ext_2ghz_lna = (val >> 2) & 1;
1858                 /* check if RF supports automatic Tx access gain control */
1859                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1860                 /* check if we have a hardware radio switch */
1861                 sc->rfswitch = val & 1;
1862         }
1863
1864         /* Read Tx power settings. */
1865         if (sc->mac_ver == 0x3593)
1866                 run_rt3593_get_txpower(sc);
1867         else
1868                 run_get_txpower(sc);
1869
1870         /* read Tx power compensation for each Tx rate */
1871         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1872         delta_2ghz = delta_5ghz = 0;
1873         if ((val & 0xff) != 0xff && (val & 0x80)) {
1874                 delta_2ghz = val & 0xf;
1875                 if (!(val & 0x40))      /* negative number */
1876                         delta_2ghz = -delta_2ghz;
1877         }
1878         val >>= 8;
1879         if ((val & 0xff) != 0xff && (val & 0x80)) {
1880                 delta_5ghz = val & 0xf;
1881                 if (!(val & 0x40))      /* negative number */
1882                         delta_5ghz = -delta_5ghz;
1883         }
1884         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1885             delta_2ghz, delta_5ghz);
1886
1887         for (ridx = 0; ridx < 5; ridx++) {
1888                 uint32_t reg;
1889
1890                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1891                 reg = val;
1892                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1893                 reg |= (uint32_t)val << 16;
1894
1895                 sc->txpow20mhz[ridx] = reg;
1896                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1897                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1898
1899                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1900                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1901                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1902         }
1903
1904         /* Read RSSI offsets and LNA gains from EEPROM. */
1905         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1906             RT3593_EEPROM_RSSI1_2GHZ, &val);
1907         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1908         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1909         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1910             RT3593_EEPROM_RSSI2_2GHZ, &val);
1911         if (sc->mac_ver >= 0x3070) {
1912                 if (sc->mac_ver == 0x3593) {
1913                         sc->txmixgain_2ghz = 0;
1914                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1915                 } else {
1916                         /*
1917                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1918                          * field contains the Tx mixer gain for the 2GHz band.
1919                          */
1920                         if ((val & 0xff) != 0xff)
1921                                 sc->txmixgain_2ghz = val & 0x7;
1922                 }
1923                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1924         } else
1925                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1926         if (sc->mac_ver == 0x3593)
1927                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1928         sc->lna[2] = val >> 8;          /* channel group 2 */
1929
1930         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1931             RT3593_EEPROM_RSSI1_5GHZ, &val);
1932         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1933         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1934         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1935             RT3593_EEPROM_RSSI2_5GHZ, &val);
1936         if (sc->mac_ver == 0x3572) {
1937                 /*
1938                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1939                  * field contains the Tx mixer gain for the 5GHz band.
1940                  */
1941                 if ((val & 0xff) != 0xff)
1942                         sc->txmixgain_5ghz = val & 0x7;
1943                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1944         } else
1945                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1946         if (sc->mac_ver == 0x3593) {
1947                 sc->txmixgain_5ghz = 0;
1948                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1949         }
1950         sc->lna[3] = val >> 8;          /* channel group 3 */
1951
1952         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1953             RT3593_EEPROM_LNA, &val);
1954         sc->lna[0] = val & 0xff;        /* channel group 0 */
1955         sc->lna[1] = val >> 8;          /* channel group 1 */
1956
1957         /* fix broken 5GHz LNA entries */
1958         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1959                 DPRINTF("invalid LNA for channel group %d\n", 2);
1960                 sc->lna[2] = sc->lna[1];
1961         }
1962         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1963                 DPRINTF("invalid LNA for channel group %d\n", 3);
1964                 sc->lna[3] = sc->lna[1];
1965         }
1966
1967         /* fix broken RSSI offset entries */
1968         for (ant = 0; ant < 3; ant++) {
1969                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1970                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1971                             ant + 1, sc->rssi_2ghz[ant]);
1972                         sc->rssi_2ghz[ant] = 0;
1973                 }
1974                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1975                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1976                             ant + 1, sc->rssi_5ghz[ant]);
1977                         sc->rssi_5ghz[ant] = 0;
1978                 }
1979         }
1980         return (0);
1981 }
1982
1983 static struct ieee80211_node *
1984 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1985 {
1986         return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1987 }
1988
1989 static int
1990 run_media_change(struct ifnet *ifp)
1991 {
1992         struct ieee80211vap *vap = ifp->if_softc;
1993         struct ieee80211com *ic = vap->iv_ic;
1994         const struct ieee80211_txparam *tp;
1995         struct run_softc *sc = ic->ic_ifp->if_softc;
1996         uint8_t rate, ridx;
1997         int error;
1998
1999         RUN_LOCK(sc);
2000
2001         error = ieee80211_media_change(ifp);
2002         if (error != ENETRESET) {
2003                 RUN_UNLOCK(sc);
2004                 return (error);
2005         }
2006
2007         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2008         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2009                 struct ieee80211_node *ni;
2010                 struct run_node *rn;
2011
2012                 rate = ic->ic_sup_rates[ic->ic_curmode].
2013                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2014                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2015                         if (rt2860_rates[ridx].rate == rate)
2016                                 break;
2017                 ni = ieee80211_ref_node(vap->iv_bss);
2018                 rn = (struct run_node *)ni;
2019                 rn->fix_ridx = ridx;
2020                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2021                 ieee80211_free_node(ni);
2022         }
2023
2024 #if 0
2025         if ((ifp->if_flags & IFF_UP) &&
2026             (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2027                 run_init_locked(sc);
2028         }
2029 #endif
2030
2031         RUN_UNLOCK(sc);
2032
2033         return (0);
2034 }
2035
2036 static int
2037 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2038 {
2039         const struct ieee80211_txparam *tp;
2040         struct ieee80211com *ic = vap->iv_ic;
2041         struct run_softc *sc = ic->ic_ifp->if_softc;
2042         struct run_vap *rvp = RUN_VAP(vap);
2043         enum ieee80211_state ostate;
2044         uint32_t sta[3];
2045         uint32_t tmp;
2046         uint8_t ratectl;
2047         uint8_t restart_ratectl = 0;
2048         uint8_t bid = 1 << rvp->rvp_id;
2049
2050         ostate = vap->iv_state;
2051         DPRINTF("%s -> %s\n",
2052                 ieee80211_state_name[ostate],
2053                 ieee80211_state_name[nstate]);
2054
2055         IEEE80211_UNLOCK(ic);
2056         RUN_LOCK(sc);
2057
2058         ratectl = sc->ratectl_run; /* remember current state */
2059         sc->ratectl_run = RUN_RATECTL_OFF;
2060         usb_callout_stop(&sc->ratectl_ch);
2061
2062         if (ostate == IEEE80211_S_RUN) {
2063                 /* turn link LED off */
2064                 run_set_leds(sc, RT2860_LED_RADIO);
2065         }
2066
2067         switch (nstate) {
2068         case IEEE80211_S_INIT:
2069                 restart_ratectl = 1;
2070
2071                 if (ostate != IEEE80211_S_RUN)
2072                         break;
2073
2074                 ratectl &= ~bid;
2075                 sc->runbmap &= ~bid;
2076
2077                 /* abort TSF synchronization if there is no vap running */
2078                 if (--sc->running == 0) {
2079                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2080                         run_write(sc, RT2860_BCN_TIME_CFG,
2081                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2082                             RT2860_TBTT_TIMER_EN));
2083                 }
2084                 break;
2085
2086         case IEEE80211_S_RUN:
2087                 if (!(sc->runbmap & bid)) {
2088                         if(sc->running++)
2089                                 restart_ratectl = 1;
2090                         sc->runbmap |= bid;
2091                 }
2092
2093                 m_freem(rvp->beacon_mbuf);
2094                 rvp->beacon_mbuf = NULL;
2095
2096                 switch (vap->iv_opmode) {
2097                 case IEEE80211_M_HOSTAP:
2098                 case IEEE80211_M_MBSS:
2099                         sc->ap_running |= bid;
2100                         ic->ic_opmode = vap->iv_opmode;
2101                         run_update_beacon_cb(vap);
2102                         break;
2103                 case IEEE80211_M_IBSS:
2104                         sc->adhoc_running |= bid;
2105                         if (!sc->ap_running)
2106                                 ic->ic_opmode = vap->iv_opmode;
2107                         run_update_beacon_cb(vap);
2108                         break;
2109                 case IEEE80211_M_STA:
2110                         sc->sta_running |= bid;
2111                         if (!sc->ap_running && !sc->adhoc_running)
2112                                 ic->ic_opmode = vap->iv_opmode;
2113
2114                         /* read statistic counters (clear on read) */
2115                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2116                             (uint8_t *)sta, sizeof sta);
2117
2118                         break;
2119                 default:
2120                         ic->ic_opmode = vap->iv_opmode;
2121                         break;
2122                 }
2123
2124                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2125                         struct ieee80211_node *ni;
2126
2127                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2128                                 RUN_UNLOCK(sc);
2129                                 IEEE80211_LOCK(ic);
2130                                 return (-1);
2131                         }
2132                         run_updateslot(ic->ic_ifp);
2133                         run_enable_mrr(sc);
2134                         run_set_txpreamble(sc);
2135                         run_set_basicrates(sc);
2136                         ni = ieee80211_ref_node(vap->iv_bss);
2137                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2138                         run_set_bssid(sc, ni->ni_bssid);
2139                         ieee80211_free_node(ni);
2140                         run_enable_tsf_sync(sc);
2141
2142                         /* enable automatic rate adaptation */
2143                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2144                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2145                                 ratectl |= bid;
2146                 }
2147
2148                 /* turn link LED on */
2149                 run_set_leds(sc, RT2860_LED_RADIO |
2150                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2151                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2152
2153                 break;
2154         default:
2155                 DPRINTFN(6, "undefined case\n");
2156                 break;
2157         }
2158
2159         /* restart amrr for running VAPs */
2160         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2161                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2162
2163         RUN_UNLOCK(sc);
2164         IEEE80211_LOCK(ic);
2165
2166         return(rvp->newstate(vap, nstate, arg));
2167 }
2168
2169 /* ARGSUSED */
2170 static void
2171 run_wme_update_cb(void *arg)
2172 {
2173         struct ieee80211com *ic = arg;
2174         struct run_softc *sc = ic->ic_ifp->if_softc;
2175         struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2176         int aci, error = 0;
2177
2178         RUN_LOCK_ASSERT(sc, MA_OWNED);
2179
2180         /* update MAC TX configuration registers */
2181         for (aci = 0; aci < WME_NUM_AC; aci++) {
2182                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2183                     wmesp->wme_params[aci].wmep_logcwmax << 16 |
2184                     wmesp->wme_params[aci].wmep_logcwmin << 12 |
2185                     wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2186                     wmesp->wme_params[aci].wmep_txopLimit);
2187                 if (error) goto err;
2188         }
2189
2190         /* update SCH/DMA registers too */
2191         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2192             wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2193             wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2194             wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2195             wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2196         if (error) goto err;
2197         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2198             wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2199             wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2200             wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2201             wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2202         if (error) goto err;
2203         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2204             wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2205             wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2206             wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2207             wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2208         if (error) goto err;
2209         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2210             wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2211             wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2212         if (error) goto err;
2213         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2214             wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2215             wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2216
2217 err:
2218         if (error)
2219                 DPRINTF("WME update failed\n");
2220
2221         return;
2222 }
2223
2224 static int
2225 run_wme_update(struct ieee80211com *ic)
2226 {
2227         struct run_softc *sc = ic->ic_ifp->if_softc;
2228
2229         /* sometime called wothout lock */
2230         if (mtx_owned(&ic->ic_comlock.mtx)) {
2231                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2232                 DPRINTF("cmdq_store=%d\n", i);
2233                 sc->cmdq[i].func = run_wme_update_cb;
2234                 sc->cmdq[i].arg0 = ic;
2235                 ieee80211_runtask(ic, &sc->cmdq_task);
2236                 return (0);
2237         }
2238
2239         RUN_LOCK(sc);
2240         run_wme_update_cb(ic);
2241         RUN_UNLOCK(sc);
2242
2243         /* return whatever, upper layer desn't care anyway */
2244         return (0);
2245 }
2246
2247 static void
2248 run_key_update_begin(struct ieee80211vap *vap)
2249 {
2250         /*
2251          * To avoid out-of-order events, both run_key_set() and
2252          * _delete() are deferred and handled by run_cmdq_cb().
2253          * So, there is nothing we need to do here.
2254          */
2255 }
2256
2257 static void
2258 run_key_update_end(struct ieee80211vap *vap)
2259 {
2260         /* null */
2261 }
2262
2263 static void
2264 run_key_set_cb(void *arg)
2265 {
2266         struct run_cmdq *cmdq = arg;
2267         struct ieee80211vap *vap = cmdq->arg1;
2268         struct ieee80211_key *k = cmdq->k;
2269         struct ieee80211com *ic = vap->iv_ic;
2270         struct run_softc *sc = ic->ic_ifp->if_softc;
2271         struct ieee80211_node *ni;
2272         uint32_t attr;
2273         uint16_t base, associd;
2274         uint8_t mode, wcid, iv[8];
2275
2276         RUN_LOCK_ASSERT(sc, MA_OWNED);
2277
2278         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2279                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2280         else
2281                 ni = vap->iv_bss;
2282         associd = (ni != NULL) ? ni->ni_associd : 0;
2283
2284         /* map net80211 cipher to RT2860 security mode */
2285         switch (k->wk_cipher->ic_cipher) {
2286         case IEEE80211_CIPHER_WEP:
2287                 if(k->wk_keylen < 8)
2288                         mode = RT2860_MODE_WEP40;
2289                 else
2290                         mode = RT2860_MODE_WEP104;
2291                 break;
2292         case IEEE80211_CIPHER_TKIP:
2293                 mode = RT2860_MODE_TKIP;
2294                 break;
2295         case IEEE80211_CIPHER_AES_CCM:
2296                 mode = RT2860_MODE_AES_CCMP;
2297                 break;
2298         default:
2299                 DPRINTF("undefined case\n");
2300                 return;
2301         }
2302
2303         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2304             associd, k->wk_keyix, mode,
2305             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2306             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2307             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2308
2309         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2310                 wcid = 0;       /* NB: update WCID0 for group keys */
2311                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2312         } else {
2313                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2314                     1 : RUN_AID2WCID(associd);
2315                 base = RT2860_PKEY(wcid);
2316         }
2317
2318         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2319                 if(run_write_region_1(sc, base, k->wk_key, 16))
2320                         return;
2321                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2322                         return;
2323                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2324                         return;
2325         } else {
2326                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2327                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2328                         return;
2329         }
2330
2331         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2332             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2333                 /* set initial packet number in IV+EIV */
2334                 if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2335                         memset(iv, 0, sizeof iv);
2336                         iv[3] = vap->iv_def_txkey << 6;
2337                 } else {
2338                         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2339                                 iv[0] = k->wk_keytsc >> 8;
2340                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2341                                 iv[2] = k->wk_keytsc;
2342                         } else /* CCMP */ {
2343                                 iv[0] = k->wk_keytsc;
2344                                 iv[1] = k->wk_keytsc >> 8;
2345                                 iv[2] = 0;
2346                         }
2347                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2348                         iv[4] = k->wk_keytsc >> 16;
2349                         iv[5] = k->wk_keytsc >> 24;
2350                         iv[6] = k->wk_keytsc >> 32;
2351                         iv[7] = k->wk_keytsc >> 40;
2352                 }
2353                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2354                         return;
2355         }
2356
2357         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2358                 /* install group key */
2359                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2360                         return;
2361                 attr &= ~(0xf << (k->wk_keyix * 4));
2362                 attr |= mode << (k->wk_keyix * 4);
2363                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2364                         return;
2365         } else {
2366                 /* install pairwise key */
2367                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2368                         return;
2369                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2370                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2371                         return;
2372         }
2373
2374         /* TODO create a pass-thru key entry? */
2375
2376         /* need wcid to delete the right key later */
2377         k->wk_pad = wcid;
2378 }
2379
2380 /*
2381  * Don't have to be deferred, but in order to keep order of
2382  * execution, i.e. with run_key_delete(), defer this and let
2383  * run_cmdq_cb() maintain the order.
2384  *
2385  * return 0 on error
2386  */
2387 static int
2388 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2389                 const uint8_t mac[IEEE80211_ADDR_LEN])
2390 {
2391         struct ieee80211com *ic = vap->iv_ic;
2392         struct run_softc *sc = ic->ic_ifp->if_softc;
2393         uint32_t i;
2394
2395         i = RUN_CMDQ_GET(&sc->cmdq_store);
2396         DPRINTF("cmdq_store=%d\n", i);
2397         sc->cmdq[i].func = run_key_set_cb;
2398         sc->cmdq[i].arg0 = NULL;
2399         sc->cmdq[i].arg1 = vap;
2400         sc->cmdq[i].k = k;
2401         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2402         ieee80211_runtask(ic, &sc->cmdq_task);
2403
2404         /*
2405          * To make sure key will be set when hostapd
2406          * calls iv_key_set() before if_init().
2407          */
2408         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2409                 RUN_LOCK(sc);
2410                 sc->cmdq_key_set = RUN_CMDQ_GO;
2411                 RUN_UNLOCK(sc);
2412         }
2413
2414         return (1);
2415 }
2416
2417 /*
2418  * If wlan is destroyed without being brought down i.e. without
2419  * wlan down or wpa_cli terminate, this function is called after
2420  * vap is gone. Don't refer it.
2421  */
2422 static void
2423 run_key_delete_cb(void *arg)
2424 {
2425         struct run_cmdq *cmdq = arg;
2426         struct run_softc *sc = cmdq->arg1;
2427         struct ieee80211_key *k = &cmdq->key;
2428         uint32_t attr;
2429         uint8_t wcid;
2430
2431         RUN_LOCK_ASSERT(sc, MA_OWNED);
2432
2433         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2434                 /* remove group key */
2435                 DPRINTF("removing group key\n");
2436                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2437                 attr &= ~(0xf << (k->wk_keyix * 4));
2438                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2439         } else {
2440                 /* remove pairwise key */
2441                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2442                 /* matching wcid was written to wk_pad in run_key_set() */
2443                 wcid = k->wk_pad;
2444                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2445                 attr &= ~0xf;
2446                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2447                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2448         }
2449
2450         k->wk_pad = 0;
2451 }
2452
2453 /*
2454  * return 0 on error
2455  */
2456 static int
2457 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2458 {
2459         struct ieee80211com *ic = vap->iv_ic;
2460         struct run_softc *sc = ic->ic_ifp->if_softc;
2461         struct ieee80211_key *k0;
2462         uint32_t i;
2463
2464         /*
2465          * When called back, key might be gone. So, make a copy
2466          * of some values need to delete keys before deferring.
2467          * But, because of LOR with node lock, cannot use lock here.
2468          * So, use atomic instead.
2469          */
2470         i = RUN_CMDQ_GET(&sc->cmdq_store);
2471         DPRINTF("cmdq_store=%d\n", i);
2472         sc->cmdq[i].func = run_key_delete_cb;
2473         sc->cmdq[i].arg0 = NULL;
2474         sc->cmdq[i].arg1 = sc;
2475         k0 = &sc->cmdq[i].key;
2476         k0->wk_flags = k->wk_flags;
2477         k0->wk_keyix = k->wk_keyix;
2478         /* matching wcid was written to wk_pad in run_key_set() */
2479         k0->wk_pad = k->wk_pad;
2480         ieee80211_runtask(ic, &sc->cmdq_task);
2481         return (1);     /* return fake success */
2482
2483 }
2484
2485 static void
2486 run_ratectl_to(void *arg)
2487 {
2488         struct run_softc *sc = arg;
2489
2490         /* do it in a process context, so it can go sleep */
2491         ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2492         /* next timeout will be rescheduled in the callback task */
2493 }
2494
2495 /* ARGSUSED */
2496 static void
2497 run_ratectl_cb(void *arg, int pending)
2498 {
2499         struct run_softc *sc = arg;
2500         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2501         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2502
2503         if (vap == NULL)
2504                 return;
2505
2506         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA)
2507                 run_iter_func(sc, vap->iv_bss);
2508         else {
2509                 /*
2510                  * run_reset_livelock() doesn't do anything with AMRR,
2511                  * but Ralink wants us to call it every 1 sec. So, we
2512                  * piggyback here rather than creating another callout.
2513                  * Livelock may occur only in HOSTAP or IBSS mode
2514                  * (when h/w is sending beacons).
2515                  */
2516                 RUN_LOCK(sc);
2517                 run_reset_livelock(sc);
2518                 /* just in case, there are some stats to drain */
2519                 run_drain_fifo(sc);
2520                 RUN_UNLOCK(sc);
2521                 ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2522         }
2523
2524         RUN_LOCK(sc);
2525         if(sc->ratectl_run != RUN_RATECTL_OFF)
2526                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2527         RUN_UNLOCK(sc);
2528 }
2529
2530 static void
2531 run_drain_fifo(void *arg)
2532 {
2533         struct run_softc *sc = arg;
2534         struct ifnet *ifp = sc->sc_ifp;
2535         uint32_t stat;
2536         uint16_t (*wstat)[3];
2537         uint8_t wcid, mcs, pid;
2538         int8_t retry;
2539
2540         RUN_LOCK_ASSERT(sc, MA_OWNED);
2541
2542         for (;;) {
2543                 /* drain Tx status FIFO (maxsize = 16) */
2544                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2545                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2546                 if (!(stat & RT2860_TXQ_VLD))
2547                         break;
2548
2549                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2550
2551                 /* if no ACK was requested, no feedback is available */
2552                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2553                     wcid == 0)
2554                         continue;
2555
2556                 /*
2557                  * Even though each stat is Tx-complete-status like format,
2558                  * the device can poll stats. Because there is no guarantee
2559                  * that the referring node is still around when read the stats.
2560                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2561                  * have hard time not to refer already freed node.
2562                  *
2563                  * To eliminate such page faults, we poll stats in softc.
2564                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2565                  */
2566                 wstat = &(sc->wcid_stats[wcid]);
2567                 (*wstat)[RUN_TXCNT]++;
2568                 if (stat & RT2860_TXQ_OK)
2569                         (*wstat)[RUN_SUCCESS]++;
2570                 else
2571                         ifp->if_oerrors++;
2572                 /*
2573                  * Check if there were retries, ie if the Tx success rate is
2574                  * different from the requested rate. Note that it works only
2575                  * because we do not allow rate fallback from OFDM to CCK.
2576                  */
2577                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2578                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2579                 if ((retry = pid -1 - mcs) > 0) {
2580                         (*wstat)[RUN_TXCNT] += retry;
2581                         (*wstat)[RUN_RETRY] += retry;
2582                 }
2583         }
2584         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2585
2586         sc->fifo_cnt = 0;
2587 }
2588
2589 static void
2590 run_iter_func(void *arg, struct ieee80211_node *ni)
2591 {
2592         struct run_softc *sc = arg;
2593         struct ieee80211vap *vap = ni->ni_vap;
2594         struct ieee80211com *ic = ni->ni_ic;
2595         struct ifnet *ifp = ic->ic_ifp;
2596         struct run_node *rn = (void *)ni;
2597         union run_stats sta[2];
2598         uint16_t (*wstat)[3];
2599         int txcnt, success, retrycnt, error;
2600
2601         RUN_LOCK(sc);
2602
2603         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2604             vap->iv_opmode == IEEE80211_M_STA)) {
2605                 /* read statistic counters (clear on read) and update AMRR state */
2606                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2607                     sizeof sta);
2608                 if (error != 0)
2609                         goto fail;
2610
2611                 /* count failed TX as errors */
2612                 ifp->if_oerrors += le16toh(sta[0].error.fail);
2613
2614                 retrycnt = le16toh(sta[1].tx.retry);
2615                 success = le16toh(sta[1].tx.success);
2616                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2617
2618                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2619                         retrycnt, success, le16toh(sta[0].error.fail));
2620         } else {
2621                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2622
2623                 if (wstat == &(sc->wcid_stats[0]) ||
2624                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2625                         goto fail;
2626
2627                 txcnt = (*wstat)[RUN_TXCNT];
2628                 success = (*wstat)[RUN_SUCCESS];
2629                 retrycnt = (*wstat)[RUN_RETRY];
2630                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2631                     retrycnt, txcnt, success);
2632
2633                 memset(wstat, 0, sizeof(*wstat));
2634         }
2635
2636         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2637         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2638
2639 fail:
2640         RUN_UNLOCK(sc);
2641
2642         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2643 }
2644
2645 static void
2646 run_newassoc_cb(void *arg)
2647 {
2648         struct run_cmdq *cmdq = arg;
2649         struct ieee80211_node *ni = cmdq->arg1;
2650         struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2651         uint8_t wcid = cmdq->wcid;
2652
2653         RUN_LOCK_ASSERT(sc, MA_OWNED);
2654
2655         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2656             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2657
2658         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2659 }
2660
2661 static void
2662 run_newassoc(struct ieee80211_node *ni, int isnew)
2663 {
2664         struct run_node *rn = (void *)ni;
2665         struct ieee80211_rateset *rs = &ni->ni_rates;
2666         struct ieee80211vap *vap = ni->ni_vap;
2667         struct ieee80211com *ic = vap->iv_ic;
2668         struct run_softc *sc = ic->ic_ifp->if_softc;
2669         uint8_t rate;
2670         uint8_t ridx;
2671         uint8_t wcid;
2672         int i, j;
2673
2674         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2675             1 : RUN_AID2WCID(ni->ni_associd);
2676
2677         if (wcid > RT2870_WCID_MAX) {
2678                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2679                 return;
2680         }
2681
2682         /* only interested in true associations */
2683         if (isnew && ni->ni_associd != 0) {
2684
2685                 /*
2686                  * This function could is called though timeout function.
2687                  * Need to defer.
2688                  */
2689                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2690                 DPRINTF("cmdq_store=%d\n", cnt);
2691                 sc->cmdq[cnt].func = run_newassoc_cb;
2692                 sc->cmdq[cnt].arg0 = NULL;
2693                 sc->cmdq[cnt].arg1 = ni;
2694                 sc->cmdq[cnt].wcid = wcid;
2695                 ieee80211_runtask(ic, &sc->cmdq_task);
2696         }
2697
2698         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2699             isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2700
2701         for (i = 0; i < rs->rs_nrates; i++) {
2702                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2703                 /* convert 802.11 rate to hardware rate index */
2704                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2705                         if (rt2860_rates[ridx].rate == rate)
2706                                 break;
2707                 rn->ridx[i] = ridx;
2708                 /* determine rate of control response frames */
2709                 for (j = i; j >= 0; j--) {
2710                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2711                             rt2860_rates[rn->ridx[i]].phy ==
2712                             rt2860_rates[rn->ridx[j]].phy)
2713                                 break;
2714                 }
2715                 if (j >= 0) {
2716                         rn->ctl_ridx[i] = rn->ridx[j];
2717                 } else {
2718                         /* no basic rate found, use mandatory one */
2719                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2720                 }
2721                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2722                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2723         }
2724         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2725         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2726                 if (rt2860_rates[ridx].rate == rate)
2727                         break;
2728         rn->mgt_ridx = ridx;
2729         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2730
2731         usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2732 }
2733
2734 /*
2735  * Return the Rx chain with the highest RSSI for a given frame.
2736  */
2737 static __inline uint8_t
2738 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2739 {
2740         uint8_t rxchain = 0;
2741
2742         if (sc->nrxchains > 1) {
2743                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2744                         rxchain = 1;
2745                 if (sc->nrxchains > 2)
2746                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2747                                 rxchain = 2;
2748         }
2749         return (rxchain);
2750 }
2751
2752 static void
2753 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2754 {
2755         struct ifnet *ifp = sc->sc_ifp;
2756         struct ieee80211com *ic = ifp->if_l2com;
2757         struct ieee80211_frame *wh;
2758         struct ieee80211_node *ni;
2759         struct rt2870_rxd *rxd;
2760         struct rt2860_rxwi *rxwi;
2761         uint32_t flags;
2762         uint16_t len, rxwisize;
2763         uint8_t ant, rssi;
2764         int8_t nf;
2765
2766         rxwi = mtod(m, struct rt2860_rxwi *);
2767         len = le16toh(rxwi->len) & 0xfff;
2768         rxwisize = sizeof(struct rt2860_rxwi);
2769         if (sc->mac_ver == 0x5592)
2770                 rxwisize += sizeof(uint64_t);
2771         else if (sc->mac_ver == 0x3593)
2772                 rxwisize += sizeof(uint32_t);
2773         if (__predict_false(len > dmalen)) {
2774                 m_freem(m);
2775                 ifp->if_ierrors++;
2776                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2777                 return;
2778         }
2779         /* Rx descriptor is located at the end */
2780         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2781         flags = le32toh(rxd->flags);
2782
2783         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2784                 m_freem(m);
2785                 ifp->if_ierrors++;
2786                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2787                 return;
2788         }
2789
2790         m->m_data += rxwisize;
2791         m->m_pkthdr.len = m->m_len -= rxwisize;
2792
2793         wh = mtod(m, struct ieee80211_frame *);
2794
2795         if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2796                 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
2797                 m->m_flags |= M_WEP;
2798         }
2799
2800         if (flags & RT2860_RX_L2PAD) {
2801                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2802                 len += 2;
2803         }
2804
2805         ni = ieee80211_find_rxnode(ic,
2806             mtod(m, struct ieee80211_frame_min *));
2807
2808         if (__predict_false(flags & RT2860_RX_MICERR)) {
2809                 /* report MIC failures to net80211 for TKIP */
2810                 if (ni != NULL)
2811                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2812                             rxwi->keyidx);
2813                 m_freem(m);
2814                 ifp->if_ierrors++;
2815                 DPRINTF("MIC error. Someone is lying.\n");
2816                 return;
2817         }
2818
2819         ant = run_maxrssi_chain(sc, rxwi);
2820         rssi = rxwi->rssi[ant];
2821         nf = run_rssi2dbm(sc, rssi, ant);
2822
2823         m->m_pkthdr.rcvif = ifp;
2824         m->m_pkthdr.len = m->m_len = len;
2825
2826         if (ni != NULL) {
2827                 (void)ieee80211_input(ni, m, rssi, nf);
2828                 ieee80211_free_node(ni);
2829         } else {
2830                 (void)ieee80211_input_all(ic, m, rssi, nf);
2831         }
2832
2833         if (__predict_false(ieee80211_radiotap_active(ic))) {
2834                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2835                 uint16_t phy;
2836
2837                 tap->wr_flags = 0;
2838                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2839                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2840                 tap->wr_antsignal = rssi;
2841                 tap->wr_antenna = ant;
2842                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2843                 tap->wr_rate = 2;       /* in case it can't be found below */
2844                 phy = le16toh(rxwi->phy);
2845                 switch (phy & RT2860_PHY_MODE) {
2846                 case RT2860_PHY_CCK:
2847                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2848                         case 0: tap->wr_rate =   2; break;
2849                         case 1: tap->wr_rate =   4; break;
2850                         case 2: tap->wr_rate =  11; break;
2851                         case 3: tap->wr_rate =  22; break;
2852                         }
2853                         if (phy & RT2860_PHY_SHPRE)
2854                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2855                         break;
2856                 case RT2860_PHY_OFDM:
2857                         switch (phy & RT2860_PHY_MCS) {
2858                         case 0: tap->wr_rate =  12; break;
2859                         case 1: tap->wr_rate =  18; break;
2860                         case 2: tap->wr_rate =  24; break;
2861                         case 3: tap->wr_rate =  36; break;
2862                         case 4: tap->wr_rate =  48; break;
2863                         case 5: tap->wr_rate =  72; break;
2864                         case 6: tap->wr_rate =  96; break;
2865                         case 7: tap->wr_rate = 108; break;
2866                         }
2867                         break;
2868                 }
2869         }
2870 }
2871
2872 static void
2873 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2874 {
2875         struct run_softc *sc = usbd_xfer_softc(xfer);
2876         struct ifnet *ifp = sc->sc_ifp;
2877         struct mbuf *m = NULL;
2878         struct mbuf *m0;
2879         uint32_t dmalen;
2880         uint16_t rxwisize;
2881         int xferlen;
2882
2883         rxwisize = sizeof(struct rt2860_rxwi);
2884         if (sc->mac_ver == 0x5592)
2885                 rxwisize += sizeof(uint64_t);
2886         else if (sc->mac_ver == 0x3593)
2887                 rxwisize += sizeof(uint32_t);
2888
2889         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2890
2891         switch (USB_GET_STATE(xfer)) {
2892         case USB_ST_TRANSFERRED:
2893
2894                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2895
2896                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2897                     sizeof(struct rt2870_rxd))) {
2898                         DPRINTF("xfer too short %d\n", xferlen);
2899                         goto tr_setup;
2900                 }
2901
2902                 m = sc->rx_m;
2903                 sc->rx_m = NULL;
2904
2905                 /* FALLTHROUGH */
2906         case USB_ST_SETUP:
2907 tr_setup:
2908                 if (sc->rx_m == NULL) {
2909                         sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2910                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2911                 }
2912                 if (sc->rx_m == NULL) {
2913                         DPRINTF("could not allocate mbuf - idle with stall\n");
2914                         ifp->if_ierrors++;
2915                         usbd_xfer_set_stall(xfer);
2916                         usbd_xfer_set_frames(xfer, 0);
2917                 } else {
2918                         /*
2919                          * Directly loading a mbuf cluster into DMA to
2920                          * save some data copying. This works because
2921                          * there is only one cluster.
2922                          */
2923                         usbd_xfer_set_frame_data(xfer, 0, 
2924                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2925                         usbd_xfer_set_frames(xfer, 1);
2926                 }
2927                 usbd_transfer_submit(xfer);
2928                 break;
2929
2930         default:        /* Error */
2931                 if (error != USB_ERR_CANCELLED) {
2932                         /* try to clear stall first */
2933                         usbd_xfer_set_stall(xfer);
2934
2935                         if (error == USB_ERR_TIMEOUT)
2936                                 device_printf(sc->sc_dev, "device timeout\n");
2937
2938                         ifp->if_ierrors++;
2939
2940                         goto tr_setup;
2941                 }
2942                 if (sc->rx_m != NULL) {
2943                         m_freem(sc->rx_m);
2944                         sc->rx_m = NULL;
2945                 }
2946                 break;
2947         }
2948
2949         if (m == NULL)
2950                 return;
2951
2952         /* inputting all the frames must be last */
2953
2954         RUN_UNLOCK(sc);
2955
2956         m->m_pkthdr.len = m->m_len = xferlen;
2957
2958         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2959         for(;;) {
2960                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2961
2962                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2963                     ((dmalen & 3) != 0)) {
2964                         DPRINTF("bad DMA length %u\n", dmalen);
2965                         break;
2966                 }
2967                 if ((dmalen + 8) > (uint32_t)xferlen) {
2968                         DPRINTF("bad DMA length %u > %d\n",
2969                         dmalen + 8, xferlen);
2970                         break;
2971                 }
2972
2973                 /* If it is the last one or a single frame, we won't copy. */
2974                 if ((xferlen -= dmalen + 8) <= 8) {
2975                         /* trim 32-bit DMA-len header */
2976                         m->m_data += 4;
2977                         m->m_pkthdr.len = m->m_len -= 4;
2978                         run_rx_frame(sc, m, dmalen);
2979                         m = NULL;       /* don't free source buffer */
2980                         break;
2981                 }
2982
2983                 /* copy aggregated frames to another mbuf */
2984                 m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2985                 if (__predict_false(m0 == NULL)) {
2986                         DPRINTF("could not allocate mbuf\n");
2987                         ifp->if_ierrors++;
2988                         break;
2989                 }
2990                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2991                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2992                 m0->m_pkthdr.len = m0->m_len =
2993                     dmalen + sizeof(struct rt2870_rxd);
2994                 run_rx_frame(sc, m0, dmalen);
2995
2996                 /* update data ptr */
2997                 m->m_data += dmalen + 8;
2998                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
2999         }
3000
3001         /* make sure we free the source buffer, if any */
3002         m_freem(m);
3003
3004         RUN_LOCK(sc);
3005 }
3006
3007 static void
3008 run_tx_free(struct run_endpoint_queue *pq,
3009     struct run_tx_data *data, int txerr)
3010 {
3011         if (data->m != NULL) {
3012                 if (data->m->m_flags & M_TXCB)
3013                         ieee80211_process_callback(data->ni, data->m,
3014                             txerr ? ETIMEDOUT : 0);
3015                 m_freem(data->m);
3016                 data->m = NULL;
3017
3018                 if (data->ni == NULL) {
3019                         DPRINTF("no node\n");
3020                 } else {
3021                         ieee80211_free_node(data->ni);
3022                         data->ni = NULL;
3023                 }
3024         }
3025
3026         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3027         pq->tx_nfree++;
3028 }
3029
3030 static void
3031 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3032 {
3033         struct run_softc *sc = usbd_xfer_softc(xfer);
3034         struct ifnet *ifp = sc->sc_ifp;
3035         struct ieee80211com *ic = ifp->if_l2com;
3036         struct run_tx_data *data;
3037         struct ieee80211vap *vap = NULL;
3038         struct usb_page_cache *pc;
3039         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3040         struct mbuf *m;
3041         usb_frlength_t size;
3042         int actlen;
3043         int sumlen;
3044
3045         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3046
3047         switch (USB_GET_STATE(xfer)) {
3048         case USB_ST_TRANSFERRED:
3049                 DPRINTFN(11, "transfer complete: %d "
3050                     "bytes @ index %d\n", actlen, index);
3051
3052                 data = usbd_xfer_get_priv(xfer);
3053
3054                 run_tx_free(pq, data, 0);
3055                 ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3056
3057                 usbd_xfer_set_priv(xfer, NULL);
3058
3059                 ifp->if_opackets++;
3060
3061                 /* FALLTHROUGH */
3062         case USB_ST_SETUP:
3063 tr_setup:
3064                 data = STAILQ_FIRST(&pq->tx_qh);
3065                 if (data == NULL)
3066                         break;
3067
3068                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3069
3070                 m = data->m;
3071                 size = (sc->mac_ver == 0x5592) ?
3072                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3073                 if ((m->m_pkthdr.len +
3074                     size + 3 + 8) > RUN_MAX_TXSZ) {
3075                         DPRINTF("data overflow, %u bytes\n",
3076                             m->m_pkthdr.len);
3077
3078                         ifp->if_oerrors++;
3079
3080                         run_tx_free(pq, data, 1);
3081
3082                         goto tr_setup;
3083                 }
3084
3085                 pc = usbd_xfer_get_frame(xfer, 0);
3086                 usbd_copy_in(pc, 0, &data->desc, size);
3087                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3088                 size += m->m_pkthdr.len;
3089                 /*
3090                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3091                  * 4-byte padding), and be sure to zero those trailing
3092                  * bytes:
3093                  */
3094                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3095                 size += ((-size) & 3) + 8;
3096
3097                 vap = data->ni->ni_vap;
3098                 if (ieee80211_radiotap_active_vap(vap)) {
3099                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3100                         struct rt2860_txwi *txwi = 
3101                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3102                         tap->wt_flags = 0;
3103                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3104                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3105                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3106                         tap->wt_hwqueue = index;
3107                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3108                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3109
3110                         ieee80211_radiotap_tx(vap, m);
3111                 }
3112
3113                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3114                     m->m_pkthdr.len, size, index);
3115
3116                 usbd_xfer_set_frame_len(xfer, 0, size);
3117                 usbd_xfer_set_priv(xfer, data);
3118
3119                 usbd_transfer_submit(xfer);
3120
3121                 RUN_UNLOCK(sc);
3122                 run_start(ifp);
3123                 RUN_LOCK(sc);
3124
3125                 break;
3126
3127         default:
3128                 DPRINTF("USB transfer error, %s\n",
3129                     usbd_errstr(error));
3130
3131                 data = usbd_xfer_get_priv(xfer);
3132
3133                 ifp->if_oerrors++;
3134
3135                 if (data != NULL) {
3136                         if(data->ni != NULL)
3137                                 vap = data->ni->ni_vap;
3138                         run_tx_free(pq, data, error);
3139                         usbd_xfer_set_priv(xfer, NULL);
3140                 }
3141                 if (vap == NULL)
3142                         vap = TAILQ_FIRST(&ic->ic_vaps);
3143
3144                 if (error != USB_ERR_CANCELLED) {
3145                         if (error == USB_ERR_TIMEOUT) {
3146                                 device_printf(sc->sc_dev, "device timeout\n");
3147                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3148                                 DPRINTF("cmdq_store=%d\n", i);
3149                                 sc->cmdq[i].func = run_usb_timeout_cb;
3150                                 sc->cmdq[i].arg0 = vap;
3151                                 ieee80211_runtask(ic, &sc->cmdq_task);
3152                         }
3153
3154                         /*
3155                          * Try to clear stall first, also if other
3156                          * errors occur, hence clearing stall
3157                          * introduces a 50 ms delay:
3158                          */
3159                         usbd_xfer_set_stall(xfer);
3160                         goto tr_setup;
3161                 }
3162                 break;
3163         }
3164 }
3165
3166 static void
3167 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3168 {
3169         run_bulk_tx_callbackN(xfer, error, 0);
3170 }
3171
3172 static void
3173 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3174 {
3175         run_bulk_tx_callbackN(xfer, error, 1);
3176 }
3177
3178 static void
3179 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3180 {
3181         run_bulk_tx_callbackN(xfer, error, 2);
3182 }
3183
3184 static void
3185 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3186 {
3187         run_bulk_tx_callbackN(xfer, error, 3);
3188 }
3189
3190 static void
3191 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3192 {
3193         run_bulk_tx_callbackN(xfer, error, 4);
3194 }
3195
3196 static void
3197 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3198 {
3199         run_bulk_tx_callbackN(xfer, error, 5);
3200 }
3201
3202 static void
3203 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3204 {
3205         struct mbuf *m = data->m;
3206         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3207         struct ieee80211vap *vap = data->ni->ni_vap;
3208         struct ieee80211_frame *wh;
3209         struct rt2870_txd *txd;
3210         struct rt2860_txwi *txwi;
3211         uint16_t xferlen, txwisize;
3212         uint16_t mcs;
3213         uint8_t ridx = data->ridx;
3214         uint8_t pad;
3215
3216         /* get MCS code from rate index */
3217         mcs = rt2860_rates[ridx].mcs;
3218
3219         txwisize = (sc->mac_ver == 0x5592) ?
3220             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3221         xferlen = txwisize + m->m_pkthdr.len;
3222
3223         /* roundup to 32-bit alignment */
3224         xferlen = (xferlen + 3) & ~3;
3225
3226         txd = (struct rt2870_txd *)&data->desc;
3227         txd->len = htole16(xferlen);
3228
3229         wh = mtod(m, struct ieee80211_frame *);
3230
3231         /*
3232          * Ether both are true or both are false, the header
3233          * are nicely aligned to 32-bit. So, no L2 padding.
3234          */
3235         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3236                 pad = 0;
3237         else
3238                 pad = 2;
3239
3240         /* setup TX Wireless Information */
3241         txwi = (struct rt2860_txwi *)(txd + 1);
3242         txwi->len = htole16(m->m_pkthdr.len - pad);
3243         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3244                 txwi->phy = htole16(RT2860_PHY_CCK);
3245                 if (ridx != RT2860_RIDX_CCK1 &&
3246                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3247                         mcs |= RT2860_PHY_SHPRE;
3248         } else
3249                 txwi->phy = htole16(RT2860_PHY_OFDM);
3250         txwi->phy |= htole16(mcs);
3251
3252         /* check if RTS/CTS or CTS-to-self protection is required */
3253         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3254             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3255              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3256               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3257                 txwi->txop |= RT2860_TX_TXOP_HT;
3258         else
3259                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3260
3261         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3262                 txwi->xflags |= RT2860_TX_NSEQ;
3263 }
3264
3265 /* This function must be called locked */
3266 static int
3267 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3268 {
3269         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3270         struct ieee80211vap *vap = ni->ni_vap;
3271         struct ieee80211_frame *wh;
3272         struct ieee80211_channel *chan;
3273         const struct ieee80211_txparam *tp;
3274         struct run_node *rn = (void *)ni;
3275         struct run_tx_data *data;
3276         struct rt2870_txd *txd;
3277         struct rt2860_txwi *txwi;
3278         uint16_t qos;
3279         uint16_t dur;
3280         uint16_t qid;
3281         uint8_t type;
3282         uint8_t tid;
3283         uint8_t ridx;
3284         uint8_t ctl_ridx;
3285         uint8_t qflags;
3286         uint8_t xflags = 0;
3287         int hasqos;
3288
3289         RUN_LOCK_ASSERT(sc, MA_OWNED);
3290
3291         wh = mtod(m, struct ieee80211_frame *);
3292
3293         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3294
3295         /*
3296          * There are 7 bulk endpoints: 1 for RX
3297          * and 6 for TX (4 EDCAs + HCCA + Prio).
3298          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3299          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3300          */
3301         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3302                 uint8_t *frm;
3303
3304                 if(IEEE80211_HAS_ADDR4(wh))
3305                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3306                 else
3307                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3308
3309                 qos = le16toh(*(const uint16_t *)frm);
3310                 tid = qos & IEEE80211_QOS_TID;
3311                 qid = TID_TO_WME_AC(tid);
3312         } else {
3313                 qos = 0;
3314                 tid = 0;
3315                 qid = WME_AC_BE;
3316         }
3317         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3318
3319         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3320             qos, qid, tid, qflags);
3321
3322         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3323         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3324
3325         /* pickup a rate index */
3326         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3327             type != IEEE80211_FC0_TYPE_DATA) {
3328                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3329                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3330                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3331         } else {
3332                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3333                         ridx = rn->fix_ridx;
3334                 else
3335                         ridx = rn->amrr_ridx;
3336                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3337         }
3338
3339         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3340             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3341              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3342                 xflags |= RT2860_TX_ACK;
3343                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3344                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3345                 else
3346                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3347                 USETW(wh->i_dur, dur);
3348         }
3349
3350         /* reserve slots for mgmt packets, just in case */
3351         if (sc->sc_epq[qid].tx_nfree < 3) {
3352                 DPRINTFN(10, "tx ring %d is full\n", qid);
3353                 return (-1);
3354         }
3355
3356         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3357         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3358         sc->sc_epq[qid].tx_nfree--;
3359
3360         txd = (struct rt2870_txd *)&data->desc;
3361         txd->flags = qflags;
3362         txwi = (struct rt2860_txwi *)(txd + 1);
3363         txwi->xflags = xflags;
3364         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3365                 txwi->wcid = 0;
3366         else
3367                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3368                     1 : RUN_AID2WCID(ni->ni_associd);
3369
3370         /* clear leftover garbage bits */
3371         txwi->flags = 0;
3372         txwi->txop = 0;
3373
3374         data->m = m;
3375         data->ni = ni;
3376         data->ridx = ridx;
3377
3378         run_set_tx_desc(sc, data);
3379
3380         /*
3381          * The chip keeps track of 2 kind of Tx stats,
3382          *  * TX_STAT_FIFO, for per WCID stats, and
3383          *  * TX_STA_CNT0 for all-TX-in-one stats.
3384          *
3385          * To use FIFO stats, we need to store MCS into the driver-private
3386          * PacketID field. So that, we can tell whose stats when we read them.
3387          * We add 1 to the MCS because setting the PacketID field to 0 means
3388          * that we don't want feedback in TX_STAT_FIFO.
3389          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3390          *
3391          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3392          */
3393         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3394             vap->iv_opmode == IEEE80211_M_MBSS) {
3395                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3396                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3397
3398                 /*
3399                  * Unlike PCI based devices, we don't get any interrupt from
3400                  * USB devices, so we simulate FIFO-is-full interrupt here.
3401                  * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3402                  * quickly get fulled. To prevent overflow, increment a counter on
3403                  * every FIFO stat request, so we know how many slots are left.
3404                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3405                  * are used only in those modes.
3406                  * We just drain stats. AMRR gets updated every 1 sec by
3407                  * run_ratectl_cb() via callout.
3408                  * Call it early. Otherwise overflow.
3409                  */
3410                 if (sc->fifo_cnt++ == 10) {
3411                         /*
3412                          * With multiple vaps or if_bridge, if_start() is called
3413                          * with a non-sleepable lock, tcpinp. So, need to defer.
3414                          */
3415                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3416                         DPRINTFN(6, "cmdq_store=%d\n", i);
3417                         sc->cmdq[i].func = run_drain_fifo;
3418                         sc->cmdq[i].arg0 = sc;
3419                         ieee80211_runtask(ic, &sc->cmdq_task);
3420                 }
3421         }
3422
3423         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3424
3425         usbd_transfer_start(sc->sc_xfer[qid]);
3426
3427         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3428             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3429             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3430
3431         return (0);
3432 }
3433
3434 static int
3435 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3436 {
3437         struct ifnet *ifp = sc->sc_ifp;
3438         struct ieee80211com *ic = ifp->if_l2com;
3439         struct run_node *rn = (void *)ni;
3440         struct run_tx_data *data;
3441         struct ieee80211_frame *wh;
3442         struct rt2870_txd *txd;
3443         struct rt2860_txwi *txwi;
3444         uint16_t dur;
3445         uint8_t ridx = rn->mgt_ridx;
3446         uint8_t type;
3447         uint8_t xflags = 0;
3448         uint8_t wflags = 0;
3449
3450         RUN_LOCK_ASSERT(sc, MA_OWNED);
3451
3452         wh = mtod(m, struct ieee80211_frame *);
3453
3454         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3455
3456         /* tell hardware to add timestamp for probe responses */
3457         if ((wh->i_fc[0] &
3458             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3459             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3460                 wflags |= RT2860_TX_TS;
3461         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3462                 xflags |= RT2860_TX_ACK;
3463
3464                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate, 
3465                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3466                 USETW(wh->i_dur, dur);
3467         }
3468
3469         if (sc->sc_epq[0].tx_nfree == 0) {
3470                 /* let caller free mbuf */
3471                 ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3472                 return (EIO);
3473         }
3474         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3475         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3476         sc->sc_epq[0].tx_nfree--;
3477
3478         txd = (struct rt2870_txd *)&data->desc;
3479         txd->flags = RT2860_TX_QSEL_EDCA;
3480         txwi = (struct rt2860_txwi *)(txd + 1);
3481         txwi->wcid = 0xff;
3482         txwi->flags = wflags;
3483         txwi->xflags = xflags;
3484         txwi->txop = 0; /* clear leftover garbage bits */
3485
3486         data->m = m;
3487         data->ni = ni;
3488         data->ridx = ridx;
3489
3490         run_set_tx_desc(sc, data);
3491
3492         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3493             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3494             rt2860_rates[ridx].rate);
3495
3496         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3497
3498         usbd_transfer_start(sc->sc_xfer[0]);
3499
3500         return (0);
3501 }
3502
3503 static int
3504 run_sendprot(struct run_softc *sc,
3505     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3506 {
3507         struct ieee80211com *ic = ni->ni_ic;
3508         struct ieee80211_frame *wh;
3509         struct run_tx_data *data;
3510         struct rt2870_txd *txd;
3511         struct rt2860_txwi *txwi;
3512         struct mbuf *mprot;
3513         int ridx;
3514         int protrate;
3515         int ackrate;
3516         int pktlen;
3517         int isshort;
3518         uint16_t dur;
3519         uint8_t type;
3520         uint8_t wflags = 0;
3521         uint8_t xflags = 0;
3522
3523         RUN_LOCK_ASSERT(sc, MA_OWNED);
3524
3525         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3526             ("protection %d", prot));
3527
3528         wh = mtod(m, struct ieee80211_frame *);
3529         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3530         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3531
3532         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3533         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3534
3535         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3536         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3537             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3538         wflags = RT2860_TX_FRAG;
3539
3540         /* check that there are free slots before allocating the mbuf */
3541         if (sc->sc_epq[0].tx_nfree == 0) {
3542                 /* let caller free mbuf */
3543                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3544                 return (ENOBUFS);
3545         }
3546
3547         if (prot == IEEE80211_PROT_RTSCTS) {
3548                 /* NB: CTS is the same size as an ACK */
3549                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3550                 xflags |= RT2860_TX_ACK;
3551                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3552         } else {
3553                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3554         }
3555         if (mprot == NULL) {
3556                 sc->sc_ifp->if_oerrors++;
3557                 DPRINTF("could not allocate mbuf\n");
3558                 return (ENOBUFS);
3559         }
3560
3561         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3562         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3563         sc->sc_epq[0].tx_nfree--;
3564
3565         txd = (struct rt2870_txd *)&data->desc;
3566         txd->flags = RT2860_TX_QSEL_EDCA;
3567         txwi = (struct rt2860_txwi *)(txd + 1);
3568         txwi->wcid = 0xff;
3569         txwi->flags = wflags;
3570         txwi->xflags = xflags;
3571         txwi->txop = 0; /* clear leftover garbage bits */
3572
3573         data->m = mprot;
3574         data->ni = ieee80211_ref_node(ni);
3575
3576         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3577                 if (rt2860_rates[ridx].rate == protrate)
3578                         break;
3579         data->ridx = ridx;
3580
3581         run_set_tx_desc(sc, data);
3582
3583         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3584             m->m_pkthdr.len, rate);
3585
3586         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3587
3588         usbd_transfer_start(sc->sc_xfer[0]);
3589
3590         return (0);
3591 }
3592
3593 static int
3594 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3595     const struct ieee80211_bpf_params *params)
3596 {
3597         struct ieee80211com *ic = ni->ni_ic;
3598         struct ieee80211_frame *wh;
3599         struct run_tx_data *data;
3600         struct rt2870_txd *txd;
3601         struct rt2860_txwi *txwi;
3602         uint8_t type;
3603         uint8_t ridx;
3604         uint8_t rate;
3605         uint8_t opflags = 0;
3606         uint8_t xflags = 0;
3607         int error;
3608
3609         RUN_LOCK_ASSERT(sc, MA_OWNED);
3610
3611         KASSERT(params != NULL, ("no raw xmit params"));
3612
3613         wh = mtod(m, struct ieee80211_frame *);
3614         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3615
3616         rate = params->ibp_rate0;
3617         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3618                 /* let caller free mbuf */
3619                 return (EINVAL);
3620         }
3621
3622         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3623                 xflags |= RT2860_TX_ACK;
3624         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3625                 error = run_sendprot(sc, m, ni,
3626                     params->ibp_flags & IEEE80211_BPF_RTS ?
3627                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3628                     rate);
3629                 if (error) {
3630                         /* let caller free mbuf */
3631                         return error;
3632                 }
3633                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3634         }
3635
3636         if (sc->sc_epq[0].tx_nfree == 0) {
3637                 /* let caller free mbuf */
3638                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3639                 DPRINTF("sending raw frame, but tx ring is full\n");
3640                 return (EIO);
3641         }
3642         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3643         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3644         sc->sc_epq[0].tx_nfree--;
3645
3646         txd = (struct rt2870_txd *)&data->desc;
3647         txd->flags = RT2860_TX_QSEL_EDCA;
3648         txwi = (struct rt2860_txwi *)(txd + 1);
3649         txwi->wcid = 0xff;
3650         txwi->xflags = xflags;
3651         txwi->txop = opflags;
3652         txwi->flags = 0;        /* clear leftover garbage bits */
3653
3654         data->m = m;
3655         data->ni = ni;
3656         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3657                 if (rt2860_rates[ridx].rate == rate)
3658                         break;
3659         data->ridx = ridx;
3660
3661         run_set_tx_desc(sc, data);
3662
3663         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3664             m->m_pkthdr.len, rate);
3665
3666         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3667
3668         usbd_transfer_start(sc->sc_xfer[0]);
3669
3670         return (0);
3671 }
3672
3673 static int
3674 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3675     const struct ieee80211_bpf_params *params)
3676 {
3677         struct ifnet *ifp = ni->ni_ic->ic_ifp;
3678         struct run_softc *sc = ifp->if_softc;
3679         int error = 0;
3680  
3681         RUN_LOCK(sc);
3682
3683         /* prevent management frames from being sent if we're not ready */
3684         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3685                 error =  ENETDOWN;
3686                 goto done;
3687         }
3688
3689         if (params == NULL) {
3690                 /* tx mgt packet */
3691                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3692                         ifp->if_oerrors++;
3693                         DPRINTF("mgt tx failed\n");
3694                         goto done;
3695                 }
3696         } else {
3697                 /* tx raw packet with param */
3698                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3699                         ifp->if_oerrors++;
3700                         DPRINTF("tx with param failed\n");
3701                         goto done;
3702                 }
3703         }
3704
3705         ifp->if_opackets++;
3706
3707 done:
3708         RUN_UNLOCK(sc);
3709
3710         if (error != 0) {
3711                 if(m != NULL)
3712                         m_freem(m);
3713                 ieee80211_free_node(ni);
3714         }
3715
3716         return (error);
3717 }
3718
3719 static void
3720 run_start(struct ifnet *ifp)
3721 {
3722         struct run_softc *sc = ifp->if_softc;
3723         struct ieee80211_node *ni;
3724         struct mbuf *m;
3725
3726         RUN_LOCK(sc);
3727
3728         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3729                 RUN_UNLOCK(sc);
3730                 return;
3731         }
3732
3733         for (;;) {
3734                 /* send data frames */
3735                 IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3736                 if (m == NULL)
3737                         break;
3738
3739                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3740                 if (run_tx(sc, m, ni) != 0) {
3741                         IFQ_DRV_PREPEND(&ifp->if_snd, m);
3742                         ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3743                         break;
3744                 }
3745         }
3746
3747         RUN_UNLOCK(sc);
3748 }
3749
3750 static int
3751 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3752 {
3753         struct run_softc *sc = ifp->if_softc;
3754         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3755         struct ifreq *ifr = (struct ifreq *) data;
3756         int startall = 0;
3757         int error;
3758
3759         RUN_LOCK(sc);
3760         error = sc->sc_detached ? ENXIO : 0;
3761         RUN_UNLOCK(sc);
3762         if (error)
3763                 return (error);
3764
3765         switch (cmd) {
3766         case SIOCSIFFLAGS:
3767                 RUN_LOCK(sc);
3768                 if (ifp->if_flags & IFF_UP) {
3769                         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3770                                 startall = 1;
3771                                 run_init_locked(sc);
3772                         } else
3773                                 run_update_promisc_locked(ifp);
3774                 } else {
3775                         if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3776                             (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3777                                         run_stop(sc);
3778                         }
3779                 }
3780                 RUN_UNLOCK(sc);
3781                 if (startall)
3782                         ieee80211_start_all(ic);
3783                 break;
3784         case SIOCGIFMEDIA:
3785                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3786                 break;
3787         case SIOCGIFADDR:
3788                 error = ether_ioctl(ifp, cmd, data);
3789                 break;
3790         default:
3791                 error = EINVAL;
3792                 break;
3793         }
3794
3795         return (error);
3796 }
3797
3798 static void
3799 run_iq_calib(struct run_softc *sc, u_int chan)
3800 {
3801         uint16_t val;
3802
3803         /* Tx0 IQ gain. */
3804         run_bbp_write(sc, 158, 0x2c);
3805         if (chan <= 14)
3806                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3807         else if (chan <= 64) {
3808                 run_efuse_read(sc,
3809                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3810                     &val, 1);
3811         } else if (chan <= 138) {
3812                 run_efuse_read(sc,
3813                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3814                     &val, 1);
3815         } else if (chan <= 165) {
3816                 run_efuse_read(sc,
3817             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3818                     &val, 1);
3819         } else
3820                 val = 0;
3821         run_bbp_write(sc, 159, val);
3822
3823         /* Tx0 IQ phase. */
3824         run_bbp_write(sc, 158, 0x2d);
3825         if (chan <= 14) {
3826                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3827                     &val, 1);
3828         } else if (chan <= 64) {
3829                 run_efuse_read(sc,
3830                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3831                     &val, 1);
3832         } else if (chan <= 138) {
3833                 run_efuse_read(sc,
3834                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3835                     &val, 1);
3836         } else if (chan <= 165) {
3837                 run_efuse_read(sc,
3838                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3839                     &val, 1);
3840         } else
3841                 val = 0;
3842         run_bbp_write(sc, 159, val);
3843
3844         /* Tx1 IQ gain. */
3845         run_bbp_write(sc, 158, 0x4a);
3846         if (chan <= 14) {
3847                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3848                     &val, 1);
3849         } else if (chan <= 64) {
3850                 run_efuse_read(sc,
3851                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3852                     &val, 1);
3853         } else if (chan <= 138) {
3854                 run_efuse_read(sc,
3855                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3856                     &val, 1);
3857         } else if (chan <= 165) {
3858                 run_efuse_read(sc,
3859                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3860                     &val, 1);
3861         } else
3862                 val = 0;
3863         run_bbp_write(sc, 159, val);
3864
3865         /* Tx1 IQ phase. */
3866         run_bbp_write(sc, 158, 0x4b);
3867         if (chan <= 14) {
3868                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3869                     &val, 1);
3870         } else if (chan <= 64) {
3871                 run_efuse_read(sc,
3872                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3873                     &val, 1);
3874         } else if (chan <= 138) {
3875                 run_efuse_read(sc,
3876                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3877                     &val, 1);
3878         } else if (chan <= 165) {
3879                 run_efuse_read(sc,
3880                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3881                     &val, 1);
3882         } else
3883                 val = 0;
3884         run_bbp_write(sc, 159, val);
3885
3886         /* RF IQ compensation control. */
3887         run_bbp_write(sc, 158, 0x04);
3888         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3889             &val, 1);
3890         run_bbp_write(sc, 159, val);
3891
3892         /* RF IQ imbalance compensation control. */
3893         run_bbp_write(sc, 158, 0x03);
3894         run_efuse_read(sc,
3895             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3896         run_bbp_write(sc, 159, val);
3897 }
3898
3899 static void
3900 run_set_agc(struct run_softc *sc, uint8_t agc)
3901 {
3902         uint8_t bbp;
3903
3904         if (sc->mac_ver == 0x3572) {
3905                 run_bbp_read(sc, 27, &bbp);
3906                 bbp &= ~(0x3 << 5);
3907                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3908                 run_bbp_write(sc, 66, agc);
3909                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3910                 run_bbp_write(sc, 66, agc);
3911         } else
3912                 run_bbp_write(sc, 66, agc);
3913 }
3914
3915 static void
3916 run_select_chan_group(struct run_softc *sc, int group)
3917 {
3918         uint32_t tmp;
3919         uint8_t agc;
3920
3921         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3922         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3923         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3924         if (sc->mac_ver < 0x3572)
3925                 run_bbp_write(sc, 86, 0x00);
3926
3927         if (sc->mac_ver == 0x3593) {
3928                 run_bbp_write(sc, 77, 0x98);
3929                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3930         }
3931
3932         if (group == 0) {
3933                 if (sc->ext_2ghz_lna) {
3934                         if (sc->mac_ver >= 0x5390)
3935                                 run_bbp_write(sc, 75, 0x52);
3936                         else {
3937                                 run_bbp_write(sc, 82, 0x62);
3938                                 run_bbp_write(sc, 75, 0x46);
3939                         }
3940                 } else {
3941                         if (sc->mac_ver == 0x5592) {
3942                                 run_bbp_write(sc, 79, 0x1c);
3943                                 run_bbp_write(sc, 80, 0x0e);
3944                                 run_bbp_write(sc, 81, 0x3a);
3945                                 run_bbp_write(sc, 82, 0x62);
3946
3947                                 run_bbp_write(sc, 195, 0x80);
3948                                 run_bbp_write(sc, 196, 0xe0);
3949                                 run_bbp_write(sc, 195, 0x81);
3950                                 run_bbp_write(sc, 196, 0x1f);
3951                                 run_bbp_write(sc, 195, 0x82);
3952                                 run_bbp_write(sc, 196, 0x38);
3953                                 run_bbp_write(sc, 195, 0x83);
3954                                 run_bbp_write(sc, 196, 0x32);
3955                                 run_bbp_write(sc, 195, 0x85);
3956                                 run_bbp_write(sc, 196, 0x28);
3957                                 run_bbp_write(sc, 195, 0x86);
3958                                 run_bbp_write(sc, 196, 0x19);
3959                         } else if (sc->mac_ver >= 0x5390)
3960                                 run_bbp_write(sc, 75, 0x50);
3961                         else {
3962                                 run_bbp_write(sc, 82,
3963                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3964                                 run_bbp_write(sc, 75, 0x50);
3965                         }
3966                 }
3967         } else {
3968                 if (sc->mac_ver == 0x5592) {
3969                         run_bbp_write(sc, 79, 0x18);
3970                         run_bbp_write(sc, 80, 0x08);
3971                         run_bbp_write(sc, 81, 0x38);
3972                         run_bbp_write(sc, 82, 0x92);
3973
3974                         run_bbp_write(sc, 195, 0x80);
3975                         run_bbp_write(sc, 196, 0xf0);
3976                         run_bbp_write(sc, 195, 0x81);
3977                         run_bbp_write(sc, 196, 0x1e);
3978                         run_bbp_write(sc, 195, 0x82);
3979                         run_bbp_write(sc, 196, 0x28);
3980                         run_bbp_write(sc, 195, 0x83);
3981                         run_bbp_write(sc, 196, 0x20);
3982                         run_bbp_write(sc, 195, 0x85);
3983                         run_bbp_write(sc, 196, 0x7f);
3984                         run_bbp_write(sc, 195, 0x86);
3985                         run_bbp_write(sc, 196, 0x7f);
3986                 } else if (sc->mac_ver == 0x3572)
3987                         run_bbp_write(sc, 82, 0x94);
3988                 else
3989                         run_bbp_write(sc, 82,
3990                             (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3991                 if (sc->ext_5ghz_lna)
3992                         run_bbp_write(sc, 75, 0x46);
3993                 else 
3994                         run_bbp_write(sc, 75, 0x50);
3995         }
3996
3997         run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3998         tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3999         tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4000         run_write(sc, RT2860_TX_BAND_CFG, tmp);
4001
4002         /* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4003         tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4004         if (sc->mac_ver == 0x3593)
4005                 tmp |= 1 << 29 | 1 << 28;
4006         if (sc->nrxchains > 1)
4007                 tmp |= RT2860_LNA_PE1_EN;
4008         if (group == 0) {       /* 2GHz */
4009                 tmp |= RT2860_PA_PE_G0_EN;
4010                 if (sc->ntxchains > 1)
4011                         tmp |= RT2860_PA_PE_G1_EN;
4012                 if (sc->mac_ver == 0x3593) {
4013                         if (sc->ntxchains > 2)
4014                                 tmp |= 1 << 25;
4015                 }
4016         } else {                /* 5GHz */
4017                 tmp |= RT2860_PA_PE_A0_EN;
4018                 if (sc->ntxchains > 1)
4019                         tmp |= RT2860_PA_PE_A1_EN;
4020         }
4021         if (sc->mac_ver == 0x3572) {
4022                 run_rt3070_rf_write(sc, 8, 0x00);
4023                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4024                 run_rt3070_rf_write(sc, 8, 0x80);
4025         } else
4026                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4027
4028         if (sc->mac_ver == 0x5592) {
4029                 run_bbp_write(sc, 195, 0x8d);
4030                 run_bbp_write(sc, 196, 0x1a);
4031         }
4032
4033         if (sc->mac_ver == 0x3593) {
4034                 run_read(sc, RT2860_GPIO_CTRL, &tmp);
4035                 tmp &= ~0x01010000;
4036                 if (group == 0)
4037                         tmp |= 0x00010000;
4038                 tmp = (tmp & ~0x00009090) | 0x00000090;
4039                 run_write(sc, RT2860_GPIO_CTRL, tmp);
4040         }
4041
4042         /* set initial AGC value */
4043         if (group == 0) {       /* 2GHz band */
4044                 if (sc->mac_ver >= 0x3070)
4045                         agc = 0x1c + sc->lna[0] * 2;
4046                 else
4047                         agc = 0x2e + sc->lna[0];
4048         } else {                /* 5GHz band */
4049                 if (sc->mac_ver == 0x5592)
4050                         agc = 0x24 + sc->lna[group] * 2;
4051                 else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4052                         agc = 0x22 + (sc->lna[group] * 5) / 3;
4053                 else
4054                         agc = 0x32 + (sc->lna[group] * 5) / 3;
4055         }
4056         run_set_agc(sc, agc);
4057 }
4058
4059 static void
4060 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4061 {
4062         const struct rfprog *rfprog = rt2860_rf2850;
4063         uint32_t r2, r3, r4;
4064         int8_t txpow1, txpow2;
4065         int i;
4066
4067         /* find the settings for this channel (we know it exists) */
4068         for (i = 0; rfprog[i].chan != chan; i++);
4069
4070         r2 = rfprog[i].r2;
4071         if (sc->ntxchains == 1)
4072                 r2 |= 1 << 14;          /* 1T: disable Tx chain 2 */
4073         if (sc->nrxchains == 1)
4074                 r2 |= 1 << 17 | 1 << 6; /* 1R: disable Rx chains 2 & 3 */
4075         else if (sc->nrxchains == 2)
4076                 r2 |= 1 << 6;           /* 2R: disable Rx chain 3 */
4077
4078         /* use Tx power values from EEPROM */
4079         txpow1 = sc->txpow1[i];
4080         txpow2 = sc->txpow2[i];
4081
4082         /* Initialize RF R3 and R4. */
4083         r3 = rfprog[i].r3 & 0xffffc1ff;
4084         r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4085         if (chan > 14) {
4086                 if (txpow1 >= 0) {
4087                         txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4088                         r3 |= (txpow1 << 10) | (1 << 9);
4089                 } else {
4090                         txpow1 += 7;
4091
4092                         /* txpow1 is not possible larger than 15. */
4093                         r3 |= (txpow1 << 10);
4094                 }
4095                 if (txpow2 >= 0) {
4096                         txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4097                         r4 |= (txpow2 << 7) | (1 << 6);
4098                 } else {
4099                         txpow2 += 7;
4100                         r4 |= (txpow2 << 7);
4101                 }
4102         } else {
4103                 /* Set Tx0 power. */
4104                 r3 |= (txpow1 << 9);
4105
4106                 /* Set frequency offset and Tx1 power. */
4107                 r4 |= (txpow2 << 6);
4108         }
4109
4110         run_rt2870_rf_write(sc, rfprog[i].r1);
4111         run_rt2870_rf_write(sc, r2);
4112         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4113         run_rt2870_rf_write(sc, r4);
4114
4115         run_delay(sc, 10);
4116
4117         run_rt2870_rf_write(sc, rfprog[i].r1);
4118         run_rt2870_rf_write(sc, r2);
4119         run_rt2870_rf_write(sc, r3 | (1 << 2));
4120         run_rt2870_rf_write(sc, r4);
4121
4122         run_delay(sc, 10);
4123
4124         run_rt2870_rf_write(sc, rfprog[i].r1);
4125         run_rt2870_rf_write(sc, r2);
4126         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4127         run_rt2870_rf_write(sc, r4);
4128 }
4129
4130 static void
4131 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4132 {
4133         int8_t txpow1, txpow2;
4134         uint8_t rf;
4135         int i;
4136
4137         /* find the settings for this channel (we know it exists) */
4138         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4139
4140         /* use Tx power values from EEPROM */
4141         txpow1 = sc->txpow1[i];
4142         txpow2 = sc->txpow2[i];
4143
4144         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4145
4146         /* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4147         run_rt3070_rf_read(sc, 3, &rf);
4148         rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4149         run_rt3070_rf_write(sc, 3, rf);
4150
4151         run_rt3070_rf_read(sc, 6, &rf);
4152         rf = (rf & ~0x03) | rt3070_freqs[i].r;
4153         run_rt3070_rf_write(sc, 6, rf);
4154
4155         /* set Tx0 power */
4156         run_rt3070_rf_read(sc, 12, &rf);
4157         rf = (rf & ~0x1f) | txpow1;
4158         run_rt3070_rf_write(sc, 12, rf);
4159
4160         /* set Tx1 power */
4161         run_rt3070_rf_read(sc, 13, &rf);
4162         rf = (rf & ~0x1f) | txpow2;
4163         run_rt3070_rf_write(sc, 13, rf);
4164
4165         run_rt3070_rf_read(sc, 1, &rf);
4166         rf &= ~0xfc;
4167         if (sc->ntxchains == 1)
4168                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4169         else if (sc->ntxchains == 2)
4170                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4171         if (sc->nrxchains == 1)
4172                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4173         else if (sc->nrxchains == 2)
4174                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4175         run_rt3070_rf_write(sc, 1, rf);
4176
4177         /* set RF offset */
4178         run_rt3070_rf_read(sc, 23, &rf);
4179         rf = (rf & ~0x7f) | sc->freq;
4180         run_rt3070_rf_write(sc, 23, rf);
4181
4182         /* program RF filter */
4183         run_rt3070_rf_read(sc, 24, &rf);        /* Tx */
4184         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4185         run_rt3070_rf_write(sc, 24, rf);
4186         run_rt3070_rf_read(sc, 31, &rf);        /* Rx */
4187         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4188         run_rt3070_rf_write(sc, 31, rf);
4189
4190         /* enable RF tuning */
4191         run_rt3070_rf_read(sc, 7, &rf);
4192         run_rt3070_rf_write(sc, 7, rf | 0x01);
4193 }
4194
4195 static void
4196 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4197 {
4198         int8_t txpow1, txpow2;
4199         uint32_t tmp;
4200         uint8_t rf;
4201         int i;
4202
4203         /* find the settings for this channel (we know it exists) */
4204         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4205
4206         /* use Tx power values from EEPROM */
4207         txpow1 = sc->txpow1[i];
4208         txpow2 = sc->txpow2[i];
4209
4210         if (chan <= 14) {
4211                 run_bbp_write(sc, 25, sc->bbp25);
4212                 run_bbp_write(sc, 26, sc->bbp26);
4213         } else {
4214                 /* enable IQ phase correction */
4215                 run_bbp_write(sc, 25, 0x09);
4216                 run_bbp_write(sc, 26, 0xff);
4217         }
4218
4219         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4220         run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4221         run_rt3070_rf_read(sc, 6, &rf);
4222         rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4223         rf |= (chan <= 14) ? 0x08 : 0x04;
4224         run_rt3070_rf_write(sc, 6, rf);
4225
4226         /* set PLL mode */
4227         run_rt3070_rf_read(sc, 5, &rf);
4228         rf &= ~(0x08 | 0x04);
4229         rf |= (chan <= 14) ? 0x04 : 0x08;
4230         run_rt3070_rf_write(sc, 5, rf);
4231
4232         /* set Tx power for chain 0 */
4233         if (chan <= 14)
4234                 rf = 0x60 | txpow1;
4235         else
4236                 rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4237         run_rt3070_rf_write(sc, 12, rf);
4238
4239         /* set Tx power for chain 1 */
4240         if (chan <= 14)
4241                 rf = 0x60 | txpow2;
4242         else
4243                 rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4244         run_rt3070_rf_write(sc, 13, rf);
4245
4246         /* set Tx/Rx streams */
4247         run_rt3070_rf_read(sc, 1, &rf);
4248         rf &= ~0xfc;
4249         if (sc->ntxchains == 1)
4250                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4251         else if (sc->ntxchains == 2)
4252                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4253         if (sc->nrxchains == 1)
4254                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4255         else if (sc->nrxchains == 2)
4256                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4257         run_rt3070_rf_write(sc, 1, rf);
4258
4259         /* set RF offset */
4260         run_rt3070_rf_read(sc, 23, &rf);
4261         rf = (rf & ~0x7f) | sc->freq;
4262         run_rt3070_rf_write(sc, 23, rf);
4263
4264         /* program RF filter */
4265         rf = sc->rf24_20mhz;
4266         run_rt3070_rf_write(sc, 24, rf);        /* Tx */
4267         run_rt3070_rf_write(sc, 31, rf);        /* Rx */
4268
4269         /* enable RF tuning */
4270         run_rt3070_rf_read(sc, 7, &rf);
4271         rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4272         run_rt3070_rf_write(sc, 7, rf);
4273
4274         /* TSSI */
4275         rf = (chan <= 14) ? 0xc3 : 0xc0;
4276         run_rt3070_rf_write(sc, 9, rf);
4277
4278         /* set loop filter 1 */
4279         run_rt3070_rf_write(sc, 10, 0xf1);
4280         /* set loop filter 2 */
4281         run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4282
4283         /* set tx_mx2_ic */
4284         run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4285         /* set tx_mx1_ic */
4286         if (chan <= 14)
4287                 rf = 0x48 | sc->txmixgain_2ghz;
4288         else
4289                 rf = 0x78 | sc->txmixgain_5ghz;
4290         run_rt3070_rf_write(sc, 16, rf);
4291
4292         /* set tx_lo1 */
4293         run_rt3070_rf_write(sc, 17, 0x23);
4294         /* set tx_lo2 */
4295         if (chan <= 14)
4296                 rf = 0x93;
4297         else if (chan <= 64)
4298                 rf = 0xb7;
4299         else if (chan <= 128)
4300                 rf = 0x74;
4301         else
4302                 rf = 0x72;
4303         run_rt3070_rf_write(sc, 19, rf);
4304
4305         /* set rx_lo1 */
4306         if (chan <= 14)
4307                 rf = 0xb3;
4308         else if (chan <= 64)
4309                 rf = 0xf6;
4310         else if (chan <= 128)
4311                 rf = 0xf4;
4312         else
4313                 rf = 0xf3;
4314         run_rt3070_rf_write(sc, 20, rf);
4315
4316         /* set pfd_delay */
4317         if (chan <= 14)
4318                 rf = 0x15;
4319         else if (chan <= 64)
4320                 rf = 0x3d;
4321         else
4322                 rf = 0x01;
4323         run_rt3070_rf_write(sc, 25, rf);
4324
4325         /* set rx_lo2 */
4326         run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4327         /* set ldo_rf_vc */
4328         run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4329         /* set drv_cc */
4330         run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4331
4332         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4333         tmp &= ~0x8080;
4334         if (chan <= 14)
4335                 tmp |= 0x80;
4336         run_write(sc, RT2860_GPIO_CTRL, tmp);
4337
4338         /* enable RF tuning */
4339         run_rt3070_rf_read(sc, 7, &rf);
4340         run_rt3070_rf_write(sc, 7, rf | 0x01);
4341
4342         run_delay(sc, 2);
4343 }
4344
4345 static void
4346 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4347 {
4348         int8_t txpow1, txpow2, txpow3;
4349         uint8_t h20mhz, rf;
4350         int i;
4351
4352         /* find the settings for this channel (we know it exists) */
4353         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4354
4355         /* use Tx power values from EEPROM */
4356         txpow1 = sc->txpow1[i];
4357         txpow2 = sc->txpow2[i];
4358         txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4359
4360         if (chan <= 14) {
4361                 run_bbp_write(sc, 25, sc->bbp25);
4362                 run_bbp_write(sc, 26, sc->bbp26);
4363         } else {
4364                 /* Enable IQ phase correction. */
4365                 run_bbp_write(sc, 25, 0x09);
4366                 run_bbp_write(sc, 26, 0xff);
4367         }
4368
4369         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4370         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4371         run_rt3070_rf_read(sc, 11, &rf);
4372         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4373         run_rt3070_rf_write(sc, 11, rf);
4374
4375         /* Set pll_idoh. */
4376         run_rt3070_rf_read(sc, 11, &rf);
4377         rf &= ~0x4c;
4378         rf |= (chan <= 14) ? 0x44 : 0x48;
4379         run_rt3070_rf_write(sc, 11, rf);
4380
4381         if (chan <= 14)
4382                 rf = txpow1 & 0x1f;
4383         else
4384                 rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4385         run_rt3070_rf_write(sc, 53, rf);
4386
4387         if (chan <= 14)
4388                 rf = txpow2 & 0x1f;
4389         else
4390                 rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4391         run_rt3070_rf_write(sc, 55, rf);
4392
4393         if (chan <= 14)
4394                 rf = txpow3 & 0x1f;
4395         else
4396                 rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4397         run_rt3070_rf_write(sc, 54, rf);
4398
4399         rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4400         if (sc->ntxchains == 3)
4401                 rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4402         else
4403                 rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4404         rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4405         run_rt3070_rf_write(sc, 1, rf);
4406
4407         run_adjust_freq_offset(sc);
4408
4409         run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4410
4411         h20mhz = (sc->rf24_20mhz & 0x20) >> 5; 
4412         run_rt3070_rf_read(sc, 30, &rf);
4413         rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4414         run_rt3070_rf_write(sc, 30, rf);
4415
4416         run_rt3070_rf_read(sc, 36, &rf);
4417         if (chan <= 14)
4418                 rf |= 0x80;
4419         else
4420                 rf &= ~0x80;
4421         run_rt3070_rf_write(sc, 36, rf);
4422
4423         /* Set vcolo_bs. */
4424         run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4425         /* Set pfd_delay. */
4426         run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4427
4428         /* Set vco bias current control. */
4429         run_rt3070_rf_read(sc, 6, &rf);
4430         rf &= ~0xc0;
4431         if (chan <= 14)
4432                 rf |= 0x40;
4433         else if (chan <= 128)
4434                 rf |= 0x80;
4435         else
4436                 rf |= 0x40;
4437         run_rt3070_rf_write(sc, 6, rf);
4438                 
4439         run_rt3070_rf_read(sc, 30, &rf);
4440         rf = (rf & ~0x18) | 0x10;
4441         run_rt3070_rf_write(sc, 30, rf);
4442
4443         run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4444         run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4445
4446         run_rt3070_rf_read(sc, 51, &rf);
4447         rf = (rf & ~0x03) | 0x01;
4448         run_rt3070_rf_write(sc, 51, rf);
4449         /* Set tx_mx1_cc. */
4450         run_rt3070_rf_read(sc, 51, &rf);
4451         rf &= ~0x1c;
4452         rf |= (chan <= 14) ? 0x14 : 0x10;
4453         run_rt3070_rf_write(sc, 51, rf);
4454         /* Set tx_mx1_ic. */
4455         run_rt3070_rf_read(sc, 51, &rf);
4456         rf &= ~0xe0;
4457         rf |= (chan <= 14) ? 0x60 : 0x40;
4458         run_rt3070_rf_write(sc, 51, rf);
4459         /* Set tx_lo1_ic. */
4460         run_rt3070_rf_read(sc, 49, &rf);
4461         rf &= ~0x1c;
4462         rf |= (chan <= 14) ? 0x0c : 0x08;
4463         run_rt3070_rf_write(sc, 49, rf);
4464         /* Set tx_lo1_en. */
4465         run_rt3070_rf_read(sc, 50, &rf);
4466         run_rt3070_rf_write(sc, 50, rf & ~0x20);
4467         /* Set drv_cc. */
4468         run_rt3070_rf_read(sc, 57, &rf);
4469         rf &= ~0xfc;
4470         rf |= (chan <= 14) ?  0x6c : 0x3c;
4471         run_rt3070_rf_write(sc, 57, rf);
4472         /* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4473         run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4474         /* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4475         run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4476         /* Enable VCO calibration. */
4477         run_rt3070_rf_read(sc, 3, &rf);
4478         rf &= ~RT5390_VCOCAL;
4479         rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4480         run_rt3070_rf_write(sc, 3, rf);
4481
4482         if (chan <= 14)
4483                 rf = 0x23;
4484         else if (chan <= 64)
4485                 rf = 0x36;
4486         else if (chan <= 128)
4487                 rf = 0x32;
4488         else
4489                 rf = 0x30;
4490         run_rt3070_rf_write(sc, 39, rf);
4491         if (chan <= 14)
4492                 rf = 0xbb;
4493         else if (chan <= 64)
4494                 rf = 0xeb;
4495         else if (chan <= 128)
4496                 rf = 0xb3;
4497         else
4498                 rf = 0x9b;
4499         run_rt3070_rf_write(sc, 45, rf);
4500
4501         /* Set FEQ/AEQ control. */
4502         run_bbp_write(sc, 105, 0x34);
4503 }
4504
4505 static void
4506 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4507 {
4508         int8_t txpow1, txpow2;
4509         uint8_t rf;
4510         int i;
4511
4512         /* find the settings for this channel (we know it exists) */
4513         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4514
4515         /* use Tx power values from EEPROM */
4516         txpow1 = sc->txpow1[i];
4517         txpow2 = sc->txpow2[i];
4518
4519         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4520         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4521         run_rt3070_rf_read(sc, 11, &rf);
4522         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4523         run_rt3070_rf_write(sc, 11, rf);
4524
4525         run_rt3070_rf_read(sc, 49, &rf);
4526         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4527         /* The valid range of the RF R49 is 0x00 to 0x27. */
4528         if ((rf & 0x3f) > 0x27)
4529                 rf = (rf & ~0x3f) | 0x27;
4530         run_rt3070_rf_write(sc, 49, rf);
4531
4532         if (sc->mac_ver == 0x5392) {
4533                 run_rt3070_rf_read(sc, 50, &rf);
4534                 rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4535                 /* The valid range of the RF R50 is 0x00 to 0x27. */
4536                 if ((rf & 0x3f) > 0x27)
4537                         rf = (rf & ~0x3f) | 0x27;
4538                 run_rt3070_rf_write(sc, 50, rf);
4539         }
4540
4541         run_rt3070_rf_read(sc, 1, &rf);
4542         rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4543         if (sc->mac_ver == 0x5392)
4544                 rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4545         run_rt3070_rf_write(sc, 1, rf);
4546
4547         if (sc->mac_ver != 0x5392) {
4548                 run_rt3070_rf_read(sc, 2, &rf);
4549                 rf |= 0x80;
4550                 run_rt3070_rf_write(sc, 2, rf);
4551                 run_delay(sc, 10);
4552                 rf &= 0x7f;
4553                 run_rt3070_rf_write(sc, 2, rf);
4554         }
4555
4556         run_adjust_freq_offset(sc);
4557
4558         if (sc->mac_ver == 0x5392) {
4559                 /* Fix for RT5392C. */
4560                 if (sc->mac_rev >= 0x0223) {
4561                         if (chan <= 4)
4562                                 rf = 0x0f;
4563                         else if (chan >= 5 && chan <= 7)
4564                                 rf = 0x0e;
4565                         else
4566                                 rf = 0x0d;
4567                         run_rt3070_rf_write(sc, 23, rf);
4568
4569                         if (chan <= 4)
4570                                 rf = 0x0c;
4571                         else if (chan == 5)
4572                                 rf = 0x0b;
4573                         else if (chan >= 6 && chan <= 7)
4574                                 rf = 0x0a;
4575                         else if (chan >= 8 && chan <= 10)
4576                                 rf = 0x09;
4577                         else
4578                                 rf = 0x08;
4579                         run_rt3070_rf_write(sc, 59, rf);
4580                 } else {
4581                         if (chan <= 11)
4582                                 rf = 0x0f;
4583                         else
4584                                 rf = 0x0b;
4585                         run_rt3070_rf_write(sc, 59, rf);
4586                 }
4587         } else {
4588                 /* Fix for RT5390F. */
4589                 if (sc->mac_rev >= 0x0502) {
4590                         if (chan <= 11)
4591                                 rf = 0x43;
4592                         else
4593                                 rf = 0x23;
4594                         run_rt3070_rf_write(sc, 55, rf);
4595
4596                         if (chan <= 11)
4597                                 rf = 0x0f;
4598                         else if (chan == 12)
4599                                 rf = 0x0d;
4600                         else
4601                                 rf = 0x0b;
4602                         run_rt3070_rf_write(sc, 59, rf);
4603                 } else {
4604                         run_rt3070_rf_write(sc, 55, 0x44);
4605                         run_rt3070_rf_write(sc, 59, 0x8f);
4606                 }
4607         }
4608
4609         /* Enable VCO calibration. */
4610         run_rt3070_rf_read(sc, 3, &rf);
4611         rf |= RT5390_VCOCAL;
4612         run_rt3070_rf_write(sc, 3, rf);
4613 }
4614
4615 static void
4616 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4617 {
4618         const struct rt5592_freqs *freqs;
4619         uint32_t tmp;
4620         uint8_t reg, rf, txpow_bound;
4621         int8_t txpow1, txpow2;
4622         int i;
4623
4624         run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4625         freqs = (tmp & RT5592_SEL_XTAL) ?
4626             rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4627
4628         /* find the settings for this channel (we know it exists) */
4629         for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4630
4631         /* use Tx power values from EEPROM */
4632         txpow1 = sc->txpow1[i];
4633         txpow2 = sc->txpow2[i];
4634
4635         run_read(sc, RT3070_LDO_CFG0, &tmp);
4636         tmp &= ~0x1c000000;
4637         if (chan > 14)
4638                 tmp |= 0x14000000;
4639         run_write(sc, RT3070_LDO_CFG0, tmp);
4640
4641         /* N setting. */
4642         run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4643         run_rt3070_rf_read(sc, 9, &rf);
4644         rf &= ~(1 << 4);
4645         rf |= ((freqs->n & 0x0100) >> 8) << 4;
4646         run_rt3070_rf_write(sc, 9, rf);
4647
4648         /* K setting. */
4649         run_rt3070_rf_read(sc, 9, &rf);
4650         rf &= ~0x0f;
4651         rf |= (freqs->k & 0x0f);
4652         run_rt3070_rf_write(sc, 9, rf);
4653
4654         /* Mode setting. */
4655         run_rt3070_rf_read(sc, 11, &rf);
4656         rf &= ~0x0c;
4657         rf |= ((freqs->m - 0x8) & 0x3) << 2;
4658         run_rt3070_rf_write(sc, 11, rf);
4659         run_rt3070_rf_read(sc, 9, &rf);
4660         rf &= ~(1 << 7);
4661         rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4662         run_rt3070_rf_write(sc, 9, rf);
4663
4664         /* R setting. */
4665         run_rt3070_rf_read(sc, 11, &rf);
4666         rf &= ~0x03;
4667         rf |= (freqs->r - 0x1);
4668         run_rt3070_rf_write(sc, 11, rf);
4669
4670         if (chan <= 14) {
4671                 /* Initialize RF registers for 2GHZ. */
4672                 for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4673                         run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4674                             rt5592_2ghz_def_rf[i].val);
4675                 }
4676
4677                 rf = (chan <= 10) ? 0x07 : 0x06;
4678                 run_rt3070_rf_write(sc, 23, rf);
4679                 run_rt3070_rf_write(sc, 59, rf);
4680
4681                 run_rt3070_rf_write(sc, 55, 0x43);
4682
4683                 /* 
4684                  * RF R49/R50 Tx power ALC code.
4685                  * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4686                  */
4687                 reg = 2;
4688                 txpow_bound = 0x27;
4689         } else {
4690                 /* Initialize RF registers for 5GHZ. */
4691                 for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4692                         run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4693                             rt5592_5ghz_def_rf[i].val);
4694                 }
4695                 for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4696                         if (chan >= rt5592_chan_5ghz[i].firstchan &&
4697                             chan <= rt5592_chan_5ghz[i].lastchan) {
4698                                 run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4699                                     rt5592_chan_5ghz[i].val);
4700                         }
4701                 }
4702
4703                 /* 
4704                  * RF R49/R50 Tx power ALC code.
4705                  * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4706                  */
4707                 reg = 3;
4708                 txpow_bound = 0x2b;
4709         }
4710
4711         /* RF R49 ch0 Tx power ALC code. */
4712         run_rt3070_rf_read(sc, 49, &rf);
4713         rf &= ~0xc0;
4714         rf |= (reg << 6);
4715         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4716         if ((rf & 0x3f) > txpow_bound)
4717                 rf = (rf & ~0x3f) | txpow_bound;
4718         run_rt3070_rf_write(sc, 49, rf);
4719
4720         /* RF R50 ch1 Tx power ALC code. */
4721         run_rt3070_rf_read(sc, 50, &rf);
4722         rf &= ~(1 << 7 | 1 << 6);
4723         rf |= (reg << 6);
4724         rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4725         if ((rf & 0x3f) > txpow_bound)
4726                 rf = (rf & ~0x3f) | txpow_bound;
4727         run_rt3070_rf_write(sc, 50, rf);
4728
4729         /* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4730         run_rt3070_rf_read(sc, 1, &rf);
4731         rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4732         if (sc->ntxchains > 1)
4733                 rf |= RT3070_TX1_PD;
4734         if (sc->nrxchains > 1)
4735                 rf |= RT3070_RX1_PD;
4736         run_rt3070_rf_write(sc, 1, rf);
4737
4738         run_rt3070_rf_write(sc, 6, 0xe4);
4739
4740         run_rt3070_rf_write(sc, 30, 0x10);
4741         run_rt3070_rf_write(sc, 31, 0x80);
4742         run_rt3070_rf_write(sc, 32, 0x80);
4743
4744         run_adjust_freq_offset(sc);
4745
4746         /* Enable VCO calibration. */
4747         run_rt3070_rf_read(sc, 3, &rf);
4748         rf |= RT5390_VCOCAL;
4749         run_rt3070_rf_write(sc, 3, rf);
4750 }
4751
4752 static void
4753 run_set_rx_antenna(struct run_softc *sc, int aux)
4754 {
4755         uint32_t tmp;
4756         uint8_t bbp152;
4757
4758         if (aux) {
4759                 if (sc->rf_rev == RT5390_RF_5370) {
4760                         run_bbp_read(sc, 152, &bbp152);
4761                         run_bbp_write(sc, 152, bbp152 & ~0x80);
4762                 } else {
4763                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4764                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4765                         run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4766                 }
4767         } else {
4768                 if (sc->rf_rev == RT5390_RF_5370) {
4769                         run_bbp_read(sc, 152, &bbp152);
4770                         run_bbp_write(sc, 152, bbp152 | 0x80);
4771                 } else {
4772                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4773                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4774                         run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4775                 }
4776         }
4777 }
4778
4779 static int
4780 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4781 {
4782         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4783         u_int chan, group;
4784
4785         chan = ieee80211_chan2ieee(ic, c);
4786         if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4787                 return (EINVAL);
4788
4789         if (sc->mac_ver == 0x5592)
4790                 run_rt5592_set_chan(sc, chan);
4791         else if (sc->mac_ver >= 0x5390)
4792                 run_rt5390_set_chan(sc, chan);
4793         else if (sc->mac_ver == 0x3593)
4794                 run_rt3593_set_chan(sc, chan);
4795         else if (sc->mac_ver == 0x3572)
4796                 run_rt3572_set_chan(sc, chan);
4797         else if (sc->mac_ver >= 0x3070)
4798                 run_rt3070_set_chan(sc, chan);
4799         else
4800                 run_rt2870_set_chan(sc, chan);
4801
4802         /* determine channel group */
4803         if (chan <= 14)
4804                 group = 0;
4805         else if (chan <= 64)
4806                 group = 1;
4807         else if (chan <= 128)
4808                 group = 2;
4809         else
4810                 group = 3;
4811
4812         /* XXX necessary only when group has changed! */
4813         run_select_chan_group(sc, group);
4814
4815         run_delay(sc, 10);
4816
4817         /* Perform IQ calibration. */
4818         if (sc->mac_ver >= 0x5392)
4819                 run_iq_calib(sc, chan);
4820
4821         return (0);
4822 }
4823
4824 static void
4825 run_set_channel(struct ieee80211com *ic)
4826 {
4827         struct run_softc *sc = ic->ic_ifp->if_softc;
4828
4829         RUN_LOCK(sc);
4830         run_set_chan(sc, ic->ic_curchan);
4831         RUN_UNLOCK(sc);
4832
4833         return;
4834 }
4835
4836 static void
4837 run_scan_start(struct ieee80211com *ic)
4838 {
4839         struct run_softc *sc = ic->ic_ifp->if_softc;
4840         uint32_t tmp;
4841
4842         RUN_LOCK(sc);
4843
4844         /* abort TSF synchronization */
4845         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4846         run_write(sc, RT2860_BCN_TIME_CFG,
4847             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4848             RT2860_TBTT_TIMER_EN));
4849         run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4850
4851         RUN_UNLOCK(sc);
4852
4853         return;
4854 }
4855
4856 static void
4857 run_scan_end(struct ieee80211com *ic)
4858 {
4859         struct run_softc *sc = ic->ic_ifp->if_softc;
4860
4861         RUN_LOCK(sc);
4862
4863         run_enable_tsf_sync(sc);
4864         /* XXX keep local copy */
4865         run_set_bssid(sc, sc->sc_bssid);
4866
4867         RUN_UNLOCK(sc);
4868
4869         return;
4870 }
4871
4872 /*
4873  * Could be called from ieee80211_node_timeout()
4874  * (non-sleepable thread)
4875  */
4876 static void
4877 run_update_beacon(struct ieee80211vap *vap, int item)
4878 {
4879         struct ieee80211com *ic = vap->iv_ic;
4880         struct run_softc *sc = ic->ic_ifp->if_softc;
4881         struct run_vap *rvp = RUN_VAP(vap);
4882         int mcast = 0;
4883         uint32_t i;
4884
4885         KASSERT(vap != NULL, ("no beacon"));
4886
4887         switch (item) {
4888         case IEEE80211_BEACON_ERP:
4889                 run_updateslot(ic->ic_ifp);
4890                 break;
4891         case IEEE80211_BEACON_HTINFO:
4892                 run_updateprot(ic);
4893                 break;
4894         case IEEE80211_BEACON_TIM:
4895                 mcast = 1;      /*TODO*/
4896                 break;
4897         default:
4898                 break;
4899         }
4900
4901         setbit(rvp->bo.bo_flags, item);
4902         ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4903
4904         i = RUN_CMDQ_GET(&sc->cmdq_store);
4905         DPRINTF("cmdq_store=%d\n", i);
4906         sc->cmdq[i].func = run_update_beacon_cb;
4907         sc->cmdq[i].arg0 = vap;
4908         ieee80211_runtask(ic, &sc->cmdq_task);
4909
4910         return;
4911 }
4912
4913 static void
4914 run_update_beacon_cb(void *arg)
4915 {
4916         struct ieee80211vap *vap = arg;
4917         struct run_vap *rvp = RUN_VAP(vap);
4918         struct ieee80211com *ic = vap->iv_ic;
4919         struct run_softc *sc = ic->ic_ifp->if_softc;
4920         struct rt2860_txwi txwi;
4921         struct mbuf *m;
4922         uint16_t txwisize;
4923         uint8_t ridx;
4924
4925         if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4926                 return;
4927         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4928                 return;
4929
4930         /*
4931          * No need to call ieee80211_beacon_update(), run_update_beacon()
4932          * is taking care of apropriate calls.
4933          */
4934         if (rvp->beacon_mbuf == NULL) {
4935                 rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4936                     &rvp->bo);
4937                 if (rvp->beacon_mbuf == NULL)
4938                         return;
4939         }
4940         m = rvp->beacon_mbuf;
4941
4942         memset(&txwi, 0, sizeof(txwi));
4943         txwi.wcid = 0xff;
4944         txwi.len = htole16(m->m_pkthdr.len);
4945
4946         /* send beacons at the lowest available rate */
4947         ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4948             RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4949         txwi.phy = htole16(rt2860_rates[ridx].mcs);
4950         if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4951                 txwi.phy |= htole16(RT2860_PHY_OFDM);
4952         txwi.txop = RT2860_TX_TXOP_HT;
4953         txwi.flags = RT2860_TX_TS;
4954         txwi.xflags = RT2860_TX_NSEQ;
4955
4956         txwisize = (sc->mac_ver == 0x5592) ?
4957             sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4958         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4959             txwisize);
4960         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4961             mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4962 }
4963
4964 static void
4965 run_updateprot(struct ieee80211com *ic)
4966 {
4967         struct run_softc *sc = ic->ic_ifp->if_softc;
4968         uint32_t i;
4969
4970         i = RUN_CMDQ_GET(&sc->cmdq_store);
4971         DPRINTF("cmdq_store=%d\n", i);
4972         sc->cmdq[i].func = run_updateprot_cb;
4973         sc->cmdq[i].arg0 = ic;
4974         ieee80211_runtask(ic, &sc->cmdq_task);
4975 }
4976
4977 static void
4978 run_updateprot_cb(void *arg)
4979 {
4980         struct ieee80211com *ic = arg;
4981         struct run_softc *sc = ic->ic_ifp->if_softc;
4982         uint32_t tmp;
4983
4984         tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4985         /* setup protection frame rate (MCS code) */
4986         tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4987             rt2860_rates[RT2860_RIDX_OFDM6].mcs :
4988             rt2860_rates[RT2860_RIDX_CCK11].mcs;
4989
4990         /* CCK frames don't require protection */
4991         run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4992         if (ic->ic_flags & IEEE80211_F_USEPROT) {
4993                 if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4994                         tmp |= RT2860_PROT_CTRL_RTS_CTS;
4995                 else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4996                         tmp |= RT2860_PROT_CTRL_CTS;
4997         }
4998         run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
4999 }
5000
5001 static void
5002 run_usb_timeout_cb(void *arg)
5003 {
5004         struct ieee80211vap *vap = arg;
5005         struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5006
5007         RUN_LOCK_ASSERT(sc, MA_OWNED);
5008
5009         if(vap->iv_state == IEEE80211_S_RUN &&
5010             vap->iv_opmode != IEEE80211_M_STA)
5011                 run_reset_livelock(sc);
5012         else if (vap->iv_state == IEEE80211_S_SCAN) {
5013                 DPRINTF("timeout caused by scan\n");
5014                 /* cancel bgscan */
5015                 ieee80211_cancel_scan(vap);
5016         } else
5017                 DPRINTF("timeout by unknown cause\n");
5018 }
5019
5020 static void
5021 run_reset_livelock(struct run_softc *sc)
5022 {
5023         uint32_t tmp;
5024
5025         RUN_LOCK_ASSERT(sc, MA_OWNED);
5026
5027         /*
5028          * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5029          * can run into a livelock and start sending CTS-to-self frames like
5030          * crazy if protection is enabled.  Reset MAC/BBP for a while
5031          */
5032         run_read(sc, RT2860_DEBUG, &tmp);
5033         DPRINTFN(3, "debug reg %08x\n", tmp);
5034         if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5035                 DPRINTF("CTS-to-self livelock detected\n");
5036                 run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5037                 run_delay(sc, 1);
5038                 run_write(sc, RT2860_MAC_SYS_CTRL,
5039                     RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5040         }
5041 }
5042
5043 static void
5044 run_update_promisc_locked(struct ifnet *ifp)
5045 {
5046         struct run_softc *sc = ifp->if_softc;
5047         uint32_t tmp;
5048
5049         run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5050
5051         tmp |= RT2860_DROP_UC_NOME;
5052         if (ifp->if_flags & IFF_PROMISC)
5053                 tmp &= ~RT2860_DROP_UC_NOME;
5054
5055         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5056
5057         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5058             "entering" : "leaving");
5059 }
5060
5061 static void
5062 run_update_promisc(struct ifnet *ifp)
5063 {
5064         struct run_softc *sc = ifp->if_softc;
5065
5066         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5067                 return;
5068
5069         RUN_LOCK(sc);
5070         run_update_promisc_locked(ifp);
5071         RUN_UNLOCK(sc);
5072 }
5073
5074 static void
5075 run_enable_tsf_sync(struct run_softc *sc)
5076 {
5077         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5078         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5079         uint32_t tmp;
5080
5081         DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5082             ic->ic_opmode);
5083
5084         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5085         tmp &= ~0x1fffff;
5086         tmp |= vap->iv_bss->ni_intval * 16;
5087         tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5088
5089         if (ic->ic_opmode == IEEE80211_M_STA) {
5090                 /*
5091                  * Local TSF is always updated with remote TSF on beacon
5092                  * reception.
5093                  */
5094                 tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5095         } else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5096                 tmp |= RT2860_BCN_TX_EN;
5097                 /*
5098                  * Local TSF is updated with remote TSF on beacon reception
5099                  * only if the remote TSF is greater than local TSF.
5100                  */
5101                 tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5102         } else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5103                     ic->ic_opmode == IEEE80211_M_MBSS) {
5104                 tmp |= RT2860_BCN_TX_EN;
5105                 /* SYNC with nobody */
5106                 tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5107         } else {
5108                 DPRINTF("Enabling TSF failed. undefined opmode\n");
5109                 return;
5110         }
5111
5112         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5113 }
5114
5115 static void
5116 run_enable_mrr(struct run_softc *sc)
5117 {
5118 #define CCK(mcs)        (mcs)
5119 #define OFDM(mcs)       (1 << 3 | (mcs))
5120         run_write(sc, RT2860_LG_FBK_CFG0,
5121             OFDM(6) << 28 |     /* 54->48 */
5122             OFDM(5) << 24 |     /* 48->36 */
5123             OFDM(4) << 20 |     /* 36->24 */
5124             OFDM(3) << 16 |     /* 24->18 */
5125             OFDM(2) << 12 |     /* 18->12 */
5126             OFDM(1) <<  8 |     /* 12-> 9 */
5127             OFDM(0) <<  4 |     /*  9-> 6 */
5128             OFDM(0));           /*  6-> 6 */
5129
5130         run_write(sc, RT2860_LG_FBK_CFG1,
5131             CCK(2) << 12 |      /* 11->5.5 */
5132             CCK(1) <<  8 |      /* 5.5-> 2 */
5133             CCK(0) <<  4 |      /*   2-> 1 */
5134             CCK(0));            /*   1-> 1 */
5135 #undef OFDM
5136 #undef CCK
5137 }
5138
5139 static void
5140 run_set_txpreamble(struct run_softc *sc)
5141 {
5142         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5143         uint32_t tmp;
5144
5145         run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5146         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5147                 tmp |= RT2860_CCK_SHORT_EN;
5148         else
5149                 tmp &= ~RT2860_CCK_SHORT_EN;
5150         run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5151 }
5152
5153 static void
5154 run_set_basicrates(struct run_softc *sc)
5155 {
5156         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5157
5158         /* set basic rates mask */
5159         if (ic->ic_curmode == IEEE80211_MODE_11B)
5160                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5161         else if (ic->ic_curmode == IEEE80211_MODE_11A)
5162                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5163         else    /* 11g */
5164                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5165 }
5166
5167 static void
5168 run_set_leds(struct run_softc *sc, uint16_t which)
5169 {
5170         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5171             which | (sc->leds & 0x7f));
5172 }
5173
5174 static void
5175 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5176 {
5177         run_write(sc, RT2860_MAC_BSSID_DW0,
5178             bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5179         run_write(sc, RT2860_MAC_BSSID_DW1,
5180             bssid[4] | bssid[5] << 8);
5181 }
5182
5183 static void
5184 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5185 {
5186         run_write(sc, RT2860_MAC_ADDR_DW0,
5187             addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5188         run_write(sc, RT2860_MAC_ADDR_DW1,
5189             addr[4] | addr[5] << 8 | 0xff << 16);
5190 }
5191
5192 static void
5193 run_updateslot(struct ifnet *ifp)
5194 {
5195         struct run_softc *sc = ifp->if_softc;
5196         struct ieee80211com *ic = ifp->if_l2com;
5197         uint32_t i;
5198
5199         i = RUN_CMDQ_GET(&sc->cmdq_store);
5200         DPRINTF("cmdq_store=%d\n", i);
5201         sc->cmdq[i].func = run_updateslot_cb;
5202         sc->cmdq[i].arg0 = ifp;
5203         ieee80211_runtask(ic, &sc->cmdq_task);
5204
5205         return;
5206 }
5207
5208 /* ARGSUSED */
5209 static void
5210 run_updateslot_cb(void *arg)
5211 {
5212         struct ifnet *ifp = arg;
5213         struct run_softc *sc = ifp->if_softc;
5214         struct ieee80211com *ic = ifp->if_l2com;
5215         uint32_t tmp;
5216
5217         run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5218         tmp &= ~0xff;
5219         tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5220         run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5221 }
5222
5223 static void
5224 run_update_mcast(struct ifnet *ifp)
5225 {
5226         /* h/w filter supports getting everything or nothing */
5227         ifp->if_flags |= IFF_ALLMULTI;
5228 }
5229
5230 static int8_t
5231 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5232 {
5233         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5234         struct ieee80211_channel *c = ic->ic_curchan;
5235         int delta;
5236
5237         if (IEEE80211_IS_CHAN_5GHZ(c)) {
5238                 u_int chan = ieee80211_chan2ieee(ic, c);
5239                 delta = sc->rssi_5ghz[rxchain];
5240
5241                 /* determine channel group */
5242                 if (chan <= 64)
5243                         delta -= sc->lna[1];
5244                 else if (chan <= 128)
5245                         delta -= sc->lna[2];
5246                 else
5247                         delta -= sc->lna[3];
5248         } else
5249                 delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5250
5251         return (-12 - delta - rssi);
5252 }
5253
5254 static void
5255 run_rt5390_bbp_init(struct run_softc *sc)
5256 {
5257         int i;
5258         uint8_t bbp;
5259
5260         /* Apply maximum likelihood detection for 2 stream case. */
5261         run_bbp_read(sc, 105, &bbp);
5262         if (sc->nrxchains > 1)
5263                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5264
5265         /* Avoid data lost and CRC error. */
5266         run_bbp_read(sc, 4, &bbp);
5267         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5268
5269         if (sc->mac_ver == 0x5592) {
5270                 for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5271                         run_bbp_write(sc, rt5592_def_bbp[i].reg,
5272                             rt5592_def_bbp[i].val);
5273                 }
5274                 for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5275                         run_bbp_write(sc, 195, i + 0x80);
5276                         run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5277                 }
5278         } else {
5279                 for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5280                         run_bbp_write(sc, rt5390_def_bbp[i].reg,
5281                             rt5390_def_bbp[i].val);
5282                 }
5283         }
5284         if (sc->mac_ver == 0x5392) {
5285                 run_bbp_write(sc, 88, 0x90);
5286                 run_bbp_write(sc, 95, 0x9a);
5287                 run_bbp_write(sc, 98, 0x12);
5288                 run_bbp_write(sc, 106, 0x12);
5289                 run_bbp_write(sc, 134, 0xd0);
5290                 run_bbp_write(sc, 135, 0xf6);
5291                 run_bbp_write(sc, 148, 0x84);
5292         }
5293
5294         run_bbp_read(sc, 152, &bbp);
5295         run_bbp_write(sc, 152, bbp | 0x80);
5296
5297         /* Fix BBP254 for RT5592C. */
5298         if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5299                 run_bbp_read(sc, 254, &bbp);
5300                 run_bbp_write(sc, 254, bbp | 0x80);
5301         }
5302
5303         /* Disable hardware antenna diversity. */
5304         if (sc->mac_ver == 0x5390)
5305                 run_bbp_write(sc, 154, 0);
5306
5307         /* Initialize Rx CCK/OFDM frequency offset report. */
5308         run_bbp_write(sc, 142, 1);
5309         run_bbp_write(sc, 143, 57);
5310 }
5311
5312 static int
5313 run_bbp_init(struct run_softc *sc)
5314 {
5315         int i, error, ntries;
5316         uint8_t bbp0;
5317
5318         /* wait for BBP to wake up */
5319         for (ntries = 0; ntries < 20; ntries++) {
5320                 if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5321                         return error;
5322                 if (bbp0 != 0 && bbp0 != 0xff)
5323                         break;
5324         }
5325         if (ntries == 20)
5326                 return (ETIMEDOUT);
5327
5328         /* initialize BBP registers to default values */
5329         if (sc->mac_ver >= 0x5390)
5330                 run_rt5390_bbp_init(sc);
5331         else {
5332                 for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5333                         run_bbp_write(sc, rt2860_def_bbp[i].reg,
5334                             rt2860_def_bbp[i].val);
5335                 }
5336         }
5337
5338         if (sc->mac_ver == 0x3593) {
5339                 run_bbp_write(sc, 79, 0x13);
5340                 run_bbp_write(sc, 80, 0x05);
5341                 run_bbp_write(sc, 81, 0x33);
5342                 run_bbp_write(sc, 86, 0x46);
5343                 run_bbp_write(sc, 137, 0x0f);
5344         }
5345                 
5346         /* fix BBP84 for RT2860E */
5347         if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5348                 run_bbp_write(sc, 84, 0x19);
5349
5350         if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5351             sc->mac_ver != 0x5592)) {
5352                 run_bbp_write(sc, 79, 0x13);
5353                 run_bbp_write(sc, 80, 0x05);
5354                 run_bbp_write(sc, 81, 0x33);
5355         } else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5356                 run_bbp_write(sc, 69, 0x16);
5357                 run_bbp_write(sc, 73, 0x12);
5358         }
5359         return (0);
5360 }
5361
5362 static int
5363 run_rt3070_rf_init(struct run_softc *sc)
5364 {
5365         uint32_t tmp;
5366         uint8_t bbp4, mingain, rf, target;
5367         int i;
5368
5369         run_rt3070_rf_read(sc, 30, &rf);
5370         /* toggle RF R30 bit 7 */
5371         run_rt3070_rf_write(sc, 30, rf | 0x80);
5372         run_delay(sc, 10);
5373         run_rt3070_rf_write(sc, 30, rf & ~0x80);
5374
5375         /* initialize RF registers to default value */
5376         if (sc->mac_ver == 0x3572) {
5377                 for (i = 0; i < nitems(rt3572_def_rf); i++) {
5378                         run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5379                             rt3572_def_rf[i].val);
5380                 }
5381         } else {
5382                 for (i = 0; i < nitems(rt3070_def_rf); i++) {
5383                         run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5384                             rt3070_def_rf[i].val);
5385                 }
5386         }
5387
5388         if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5389                 /* 
5390                  * Change voltage from 1.2V to 1.35V for RT3070.
5391                  * The DAC issue (RT3070_LDO_CFG0) has been fixed
5392                  * in RT3070(F).
5393                  */
5394                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5395                 tmp = (tmp & ~0x0f000000) | 0x0d000000;
5396                 run_write(sc, RT3070_LDO_CFG0, tmp);
5397
5398         } else if (sc->mac_ver == 0x3071) {
5399                 run_rt3070_rf_read(sc, 6, &rf);
5400                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5401                 run_rt3070_rf_write(sc, 31, 0x14);
5402
5403                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5404                 tmp &= ~0x1f000000;
5405                 if (sc->mac_rev < 0x0211)
5406                         tmp |= 0x0d000000;      /* 1.3V */
5407                 else
5408                         tmp |= 0x01000000;      /* 1.2V */
5409                 run_write(sc, RT3070_LDO_CFG0, tmp);
5410
5411                 /* patch LNA_PE_G1 */
5412                 run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5413                 run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5414
5415         } else if (sc->mac_ver == 0x3572) {
5416                 run_rt3070_rf_read(sc, 6, &rf);
5417                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5418
5419                 /* increase voltage from 1.2V to 1.35V */
5420                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5421                 tmp = (tmp & ~0x1f000000) | 0x0d000000;
5422                 run_write(sc, RT3070_LDO_CFG0, tmp);
5423
5424                 if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5425                         run_delay(sc, 1);       /* wait for 1msec */
5426                         /* decrease voltage back to 1.2V */
5427                         tmp = (tmp & ~0x1f000000) | 0x01000000;
5428                         run_write(sc, RT3070_LDO_CFG0, tmp);
5429                 }
5430         }
5431
5432         /* select 20MHz bandwidth */
5433         run_rt3070_rf_read(sc, 31, &rf);
5434         run_rt3070_rf_write(sc, 31, rf & ~0x20);
5435
5436         /* calibrate filter for 20MHz bandwidth */
5437         sc->rf24_20mhz = 0x1f;  /* default value */
5438         target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5439         run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5440
5441         /* select 40MHz bandwidth */
5442         run_bbp_read(sc, 4, &bbp4);
5443         run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5444         run_rt3070_rf_read(sc, 31, &rf);
5445         run_rt3070_rf_write(sc, 31, rf | 0x20);
5446
5447         /* calibrate filter for 40MHz bandwidth */
5448         sc->rf24_40mhz = 0x2f;  /* default value */
5449         target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5450         run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5451
5452         /* go back to 20MHz bandwidth */
5453         run_bbp_read(sc, 4, &bbp4);
5454         run_bbp_write(sc, 4, bbp4 & ~0x18);
5455
5456         if (sc->mac_ver == 0x3572) {
5457                 /* save default BBP registers 25 and 26 values */
5458                 run_bbp_read(sc, 25, &sc->bbp25);
5459                 run_bbp_read(sc, 26, &sc->bbp26);
5460         } else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5461                 run_rt3070_rf_write(sc, 27, 0x03);
5462
5463         run_read(sc, RT3070_OPT_14, &tmp);
5464         run_write(sc, RT3070_OPT_14, tmp | 1);
5465
5466         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5467                 run_rt3070_rf_read(sc, 17, &rf);
5468                 rf &= ~RT3070_TX_LO1;
5469                 if ((sc->mac_ver == 0x3070 ||
5470                      (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5471                     !sc->ext_2ghz_lna)
5472                         rf |= 0x20;     /* fix for long range Rx issue */
5473                 mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5474                 if (sc->txmixgain_2ghz >= mingain)
5475                         rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5476                 run_rt3070_rf_write(sc, 17, rf);
5477         }
5478
5479         if (sc->mac_rev == 0x3071) {
5480                 run_rt3070_rf_read(sc, 1, &rf);
5481                 rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5482                 rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5483                 run_rt3070_rf_write(sc, 1, rf);
5484
5485                 run_rt3070_rf_read(sc, 15, &rf);
5486                 run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5487
5488                 run_rt3070_rf_read(sc, 20, &rf);
5489                 run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5490
5491                 run_rt3070_rf_read(sc, 21, &rf);
5492                 run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5493         }
5494
5495         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5496                 /* fix Tx to Rx IQ glitch by raising RF voltage */
5497                 run_rt3070_rf_read(sc, 27, &rf);
5498                 rf &= ~0x77;
5499                 if (sc->mac_rev < 0x0211)
5500                         rf |= 0x03;
5501                 run_rt3070_rf_write(sc, 27, rf);
5502         }
5503         return (0);
5504 }
5505
5506 static void
5507 run_rt3593_rf_init(struct run_softc *sc)
5508 {
5509         uint32_t tmp;
5510         uint8_t rf;
5511         int i;
5512
5513         /* Disable the GPIO bits 4 and 7 for LNA PE control. */
5514         run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5515         tmp &= ~(1 << 4 | 1 << 7);
5516         run_write(sc, RT3070_GPIO_SWITCH, tmp);
5517
5518         /* Initialize RF registers to default value. */
5519         for (i = 0; i < nitems(rt3593_def_rf); i++) {
5520                 run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5521                     rt3593_def_rf[i].val);
5522         }
5523
5524         /* Toggle RF R2 to initiate calibration. */
5525         run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5526
5527         /* Initialize RF frequency offset. */
5528         run_adjust_freq_offset(sc);
5529
5530         run_rt3070_rf_read(sc, 18, &rf);
5531         run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5532
5533         /*
5534          * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5535          * decrease voltage back to 1.2V.
5536          */
5537         run_read(sc, RT3070_LDO_CFG0, &tmp);
5538         tmp = (tmp & ~0x1f000000) | 0x0d000000;
5539         run_write(sc, RT3070_LDO_CFG0, tmp);
5540         run_delay(sc, 1);
5541         tmp = (tmp & ~0x1f000000) | 0x01000000;
5542         run_write(sc, RT3070_LDO_CFG0, tmp);
5543
5544         sc->rf24_20mhz = 0x1f;
5545         sc->rf24_40mhz = 0x2f;
5546
5547         /* Save default BBP registers 25 and 26 values. */
5548         run_bbp_read(sc, 25, &sc->bbp25);
5549         run_bbp_read(sc, 26, &sc->bbp26);
5550
5551         run_read(sc, RT3070_OPT_14, &tmp);
5552         run_write(sc, RT3070_OPT_14, tmp | 1);
5553 }
5554
5555 static void
5556 run_rt5390_rf_init(struct run_softc *sc)
5557 {
5558         uint32_t tmp;
5559         uint8_t rf;
5560         int i;
5561
5562         /* Toggle RF R2 to initiate calibration. */
5563         if (sc->mac_ver == 0x5390) {
5564                 run_rt3070_rf_read(sc, 2, &rf);
5565                 run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5566                 run_delay(sc, 10);
5567                 run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5568         } else {
5569                 run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5570                 run_delay(sc, 10);
5571         }
5572
5573         /* Initialize RF registers to default value. */
5574         if (sc->mac_ver == 0x5592) {
5575                 for (i = 0; i < nitems(rt5592_def_rf); i++) {
5576                         run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5577                             rt5592_def_rf[i].val);
5578                 }
5579                 /* Initialize RF frequency offset. */
5580                 run_adjust_freq_offset(sc);
5581         } else if (sc->mac_ver == 0x5392) {
5582                 for (i = 0; i < nitems(rt5392_def_rf); i++) {
5583                         run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5584                             rt5392_def_rf[i].val);
5585                 }
5586                 if (sc->mac_rev >= 0x0223) {
5587                         run_rt3070_rf_write(sc, 23, 0x0f);
5588                         run_rt3070_rf_write(sc, 24, 0x3e);
5589                         run_rt3070_rf_write(sc, 51, 0x32);
5590                         run_rt3070_rf_write(sc, 53, 0x22);
5591                         run_rt3070_rf_write(sc, 56, 0xc1);
5592                         run_rt3070_rf_write(sc, 59, 0x0f);
5593                 }
5594         } else {
5595                 for (i = 0; i < nitems(rt5390_def_rf); i++) {
5596                         run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5597                             rt5390_def_rf[i].val);
5598                 }
5599                 if (sc->mac_rev >= 0x0502) {
5600                         run_rt3070_rf_write(sc, 6, 0xe0);
5601                         run_rt3070_rf_write(sc, 25, 0x80);
5602                         run_rt3070_rf_write(sc, 46, 0x73);
5603                         run_rt3070_rf_write(sc, 53, 0x00);
5604                         run_rt3070_rf_write(sc, 56, 0x42);
5605                         run_rt3070_rf_write(sc, 61, 0xd1);
5606                 }
5607         }
5608
5609         sc->rf24_20mhz = 0x1f;  /* default value */
5610         sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5611
5612         if (sc->mac_rev < 0x0211)
5613                 run_rt3070_rf_write(sc, 27, 0x3);
5614
5615         run_read(sc, RT3070_OPT_14, &tmp);
5616         run_write(sc, RT3070_OPT_14, tmp | 1);
5617 }
5618
5619 static int
5620 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5621     uint8_t *val)
5622 {
5623         uint8_t rf22, rf24;
5624         uint8_t bbp55_pb, bbp55_sb, delta;
5625         int ntries;
5626
5627         /* program filter */
5628         run_rt3070_rf_read(sc, 24, &rf24);
5629         rf24 = (rf24 & 0xc0) | init;    /* initial filter value */
5630         run_rt3070_rf_write(sc, 24, rf24);
5631
5632         /* enable baseband loopback mode */
5633         run_rt3070_rf_read(sc, 22, &rf22);
5634         run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5635
5636         /* set power and frequency of passband test tone */
5637         run_bbp_write(sc, 24, 0x00);
5638         for (ntries = 0; ntries < 100; ntries++) {
5639                 /* transmit test tone */
5640                 run_bbp_write(sc, 25, 0x90);
5641                 run_delay(sc, 10);
5642                 /* read received power */
5643                 run_bbp_read(sc, 55, &bbp55_pb);
5644                 if (bbp55_pb != 0)
5645                         break;
5646         }
5647         if (ntries == 100)
5648                 return (ETIMEDOUT);
5649
5650         /* set power and frequency of stopband test tone */
5651         run_bbp_write(sc, 24, 0x06);
5652         for (ntries = 0; ntries < 100; ntries++) {
5653                 /* transmit test tone */
5654                 run_bbp_write(sc, 25, 0x90);
5655                 run_delay(sc, 10);
5656                 /* read received power */
5657                 run_bbp_read(sc, 55, &bbp55_sb);
5658
5659                 delta = bbp55_pb - bbp55_sb;
5660                 if (delta > target)
5661                         break;
5662
5663                 /* reprogram filter */
5664                 rf24++;
5665                 run_rt3070_rf_write(sc, 24, rf24);
5666         }
5667         if (ntries < 100) {
5668                 if (rf24 != init)
5669                         rf24--; /* backtrack */
5670                 *val = rf24;
5671                 run_rt3070_rf_write(sc, 24, rf24);
5672         }
5673
5674         /* restore initial state */
5675         run_bbp_write(sc, 24, 0x00);
5676
5677         /* disable baseband loopback mode */
5678         run_rt3070_rf_read(sc, 22, &rf22);
5679         run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5680
5681         return (0);
5682 }
5683
5684 static void
5685 run_rt3070_rf_setup(struct run_softc *sc)
5686 {
5687         uint8_t bbp, rf;
5688         int i;
5689
5690         if (sc->mac_ver == 0x3572) {
5691                 /* enable DC filter */
5692                 if (sc->mac_rev >= 0x0201)
5693                         run_bbp_write(sc, 103, 0xc0);
5694
5695                 run_bbp_read(sc, 138, &bbp);
5696                 if (sc->ntxchains == 1)
5697                         bbp |= 0x20;    /* turn off DAC1 */
5698                 if (sc->nrxchains == 1)
5699                         bbp &= ~0x02;   /* turn off ADC1 */
5700                 run_bbp_write(sc, 138, bbp);
5701
5702                 if (sc->mac_rev >= 0x0211) {
5703                         /* improve power consumption */
5704                         run_bbp_read(sc, 31, &bbp);
5705                         run_bbp_write(sc, 31, bbp & ~0x03);
5706                 }
5707
5708                 run_rt3070_rf_read(sc, 16, &rf);
5709                 rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5710                 run_rt3070_rf_write(sc, 16, rf);
5711
5712         } else if (sc->mac_ver == 0x3071) {
5713                 if (sc->mac_rev >= 0x0211) {
5714                         /* enable DC filter */
5715                         run_bbp_write(sc, 103, 0xc0);
5716
5717                         /* improve power consumption */
5718                         run_bbp_read(sc, 31, &bbp);
5719                         run_bbp_write(sc, 31, bbp & ~0x03);
5720                 }
5721
5722                 run_bbp_read(sc, 138, &bbp);
5723                 if (sc->ntxchains == 1)
5724                         bbp |= 0x20;    /* turn off DAC1 */
5725                 if (sc->nrxchains == 1)
5726                         bbp &= ~0x02;   /* turn off ADC1 */
5727                 run_bbp_write(sc, 138, bbp);
5728
5729                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5730                 if (sc->mac_rev < 0x0211) {
5731                         run_write(sc, RT2860_TX_SW_CFG2,
5732                             sc->patch_dac ? 0x2c : 0x0f);
5733                 } else
5734                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5735
5736         } else if (sc->mac_ver == 0x3070) {
5737                 if (sc->mac_rev >= 0x0201) {
5738                         /* enable DC filter */
5739                         run_bbp_write(sc, 103, 0xc0);
5740
5741                         /* improve power consumption */
5742                         run_bbp_read(sc, 31, &bbp);
5743                         run_bbp_write(sc, 31, bbp & ~0x03);
5744                 }
5745
5746                 if (sc->mac_rev < 0x0201) {
5747                         run_write(sc, RT2860_TX_SW_CFG1, 0);
5748                         run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5749                 } else
5750                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5751         }
5752
5753         /* initialize RF registers from ROM for >=RT3071*/
5754         if (sc->mac_ver >= 0x3071) {
5755                 for (i = 0; i < 10; i++) {
5756                         if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5757                                 continue;
5758                         run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5759                 }
5760         }
5761 }
5762
5763 static void
5764 run_rt3593_rf_setup(struct run_softc *sc)
5765 {
5766         uint8_t bbp, rf;
5767
5768         if (sc->mac_rev >= 0x0211) {
5769                 /* Enable DC filter. */
5770                 run_bbp_write(sc, 103, 0xc0);
5771         }
5772         run_write(sc, RT2860_TX_SW_CFG1, 0);
5773         if (sc->mac_rev < 0x0211) {
5774                 run_write(sc, RT2860_TX_SW_CFG2,
5775                     sc->patch_dac ? 0x2c : 0x0f);
5776         } else
5777                 run_write(sc, RT2860_TX_SW_CFG2, 0);
5778
5779         run_rt3070_rf_read(sc, 50, &rf);
5780         run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5781
5782         run_rt3070_rf_read(sc, 51, &rf);
5783         rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5784             ((sc->txmixgain_2ghz & 0x07) << 2);
5785         run_rt3070_rf_write(sc, 51, rf);
5786
5787         run_rt3070_rf_read(sc, 38, &rf);
5788         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5789
5790         run_rt3070_rf_read(sc, 39, &rf);
5791         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5792
5793         run_rt3070_rf_read(sc, 1, &rf);
5794         run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5795
5796         run_rt3070_rf_read(sc, 30, &rf);
5797         rf = (rf & ~0x18) | 0x10;
5798         run_rt3070_rf_write(sc, 30, rf);
5799
5800         /* Apply maximum likelihood detection for 2 stream case. */
5801         run_bbp_read(sc, 105, &bbp);
5802         if (sc->nrxchains > 1)
5803                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5804
5805         /* Avoid data lost and CRC error. */
5806         run_bbp_read(sc, 4, &bbp);
5807         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5808
5809         run_bbp_write(sc, 92, 0x02);
5810         run_bbp_write(sc, 82, 0x82);
5811         run_bbp_write(sc, 106, 0x05);
5812         run_bbp_write(sc, 104, 0x92);
5813         run_bbp_write(sc, 88, 0x90);
5814         run_bbp_write(sc, 148, 0xc8);
5815         run_bbp_write(sc, 47, 0x48);
5816         run_bbp_write(sc, 120, 0x50);
5817
5818         run_bbp_write(sc, 163, 0x9d);
5819
5820         /* SNR mapping. */
5821         run_bbp_write(sc, 142, 0x06);
5822         run_bbp_write(sc, 143, 0xa0);
5823         run_bbp_write(sc, 142, 0x07);
5824         run_bbp_write(sc, 143, 0xa1);
5825         run_bbp_write(sc, 142, 0x08);
5826         run_bbp_write(sc, 143, 0xa2);
5827
5828         run_bbp_write(sc, 31, 0x08);
5829         run_bbp_write(sc, 68, 0x0b);
5830         run_bbp_write(sc, 105, 0x04);
5831 }
5832
5833 static void
5834 run_rt5390_rf_setup(struct run_softc *sc)
5835 {
5836         uint8_t bbp, rf;
5837
5838         if (sc->mac_rev >= 0x0211) {
5839                 /* Enable DC filter. */
5840                 run_bbp_write(sc, 103, 0xc0);
5841
5842                 if (sc->mac_ver != 0x5592) {
5843                         /* Improve power consumption. */
5844                         run_bbp_read(sc, 31, &bbp);
5845                         run_bbp_write(sc, 31, bbp & ~0x03);
5846                 }
5847         }
5848
5849         run_bbp_read(sc, 138, &bbp);
5850         if (sc->ntxchains == 1)
5851                 bbp |= 0x20;    /* turn off DAC1 */
5852         if (sc->nrxchains == 1)
5853                 bbp &= ~0x02;   /* turn off ADC1 */
5854         run_bbp_write(sc, 138, bbp);
5855
5856         run_rt3070_rf_read(sc, 38, &rf);
5857         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5858
5859         run_rt3070_rf_read(sc, 39, &rf);
5860         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5861
5862         /* Avoid data lost and CRC error. */
5863         run_bbp_read(sc, 4, &bbp);
5864         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5865
5866         run_rt3070_rf_read(sc, 30, &rf);
5867         rf = (rf & ~0x18) | 0x10;
5868         run_rt3070_rf_write(sc, 30, rf);
5869
5870         if (sc->mac_ver != 0x5592) {
5871                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5872                 if (sc->mac_rev < 0x0211) {
5873                         run_write(sc, RT2860_TX_SW_CFG2,
5874                             sc->patch_dac ? 0x2c : 0x0f);
5875                 } else
5876                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5877         }
5878 }
5879
5880 static int
5881 run_txrx_enable(struct run_softc *sc)
5882 {
5883         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5884         uint32_t tmp;
5885         int error, ntries;
5886
5887         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5888         for (ntries = 0; ntries < 200; ntries++) {
5889                 if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5890                         return (error);
5891                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5892                         break;
5893                 run_delay(sc, 50);
5894         }
5895         if (ntries == 200)
5896                 return (ETIMEDOUT);
5897
5898         run_delay(sc, 50);
5899
5900         tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5901         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5902
5903         /* enable Rx bulk aggregation (set timeout and limit) */
5904         tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5905             RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5906         run_write(sc, RT2860_USB_DMA_CFG, tmp);
5907
5908         /* set Rx filter */
5909         tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5910         if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5911                 tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5912                     RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5913                     RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5914                     RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5915                 if (ic->ic_opmode == IEEE80211_M_STA)
5916                         tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5917         }
5918         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5919
5920         run_write(sc, RT2860_MAC_SYS_CTRL,
5921             RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5922
5923         return (0);
5924 }
5925
5926 static void
5927 run_adjust_freq_offset(struct run_softc *sc)
5928 {
5929         uint8_t rf, tmp;
5930
5931         run_rt3070_rf_read(sc, 17, &rf);
5932         tmp = rf;
5933         rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5934         rf = MIN(rf, 0x5f);
5935
5936         if (tmp != rf)
5937                 run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5938 }
5939
5940 static void
5941 run_init_locked(struct run_softc *sc)
5942 {
5943         struct ifnet *ifp = sc->sc_ifp;
5944         struct ieee80211com *ic = ifp->if_l2com;
5945         uint32_t tmp;
5946         uint8_t bbp1, bbp3;
5947         int i;
5948         int ridx;
5949         int ntries;
5950
5951         if (ic->ic_nrunning > 1)
5952                 return;
5953
5954         run_stop(sc);
5955
5956         if (run_load_microcode(sc) != 0) {
5957                 device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5958                 goto fail;
5959         }
5960
5961         for (ntries = 0; ntries < 100; ntries++) {
5962                 if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5963                         goto fail;
5964                 if (tmp != 0 && tmp != 0xffffffff)
5965                         break;
5966                 run_delay(sc, 10);
5967         }
5968         if (ntries == 100)
5969                 goto fail;
5970
5971         for (i = 0; i != RUN_EP_QUEUES; i++)
5972                 run_setup_tx_list(sc, &sc->sc_epq[i]);
5973
5974         run_set_macaddr(sc, IF_LLADDR(ifp));
5975
5976         for (ntries = 0; ntries < 100; ntries++) {
5977                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5978                         goto fail;
5979                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5980                         break;
5981                 run_delay(sc, 10);
5982         }
5983         if (ntries == 100) {
5984                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5985                 goto fail;
5986         }
5987         tmp &= 0xff0;
5988         tmp |= RT2860_TX_WB_DDONE;
5989         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5990
5991         /* turn off PME_OEN to solve high-current issue */
5992         run_read(sc, RT2860_SYS_CTRL, &tmp);
5993         run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5994
5995         run_write(sc, RT2860_MAC_SYS_CTRL,
5996             RT2860_BBP_HRST | RT2860_MAC_SRST);
5997         run_write(sc, RT2860_USB_DMA_CFG, 0);
5998
5999         if (run_reset(sc) != 0) {
6000                 device_printf(sc->sc_dev, "could not reset chipset\n");
6001                 goto fail;
6002         }
6003
6004         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6005
6006         /* init Tx power for all Tx rates (from EEPROM) */
6007         for (ridx = 0; ridx < 5; ridx++) {
6008                 if (sc->txpow20mhz[ridx] == 0xffffffff)
6009                         continue;
6010                 run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6011         }
6012
6013         for (i = 0; i < nitems(rt2870_def_mac); i++)
6014                 run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6015         run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6016         run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6017         run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6018
6019         if (sc->mac_ver >= 0x5390) {
6020                 run_write(sc, RT2860_TX_SW_CFG0,
6021                     4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6022                 if (sc->mac_ver >= 0x5392) {
6023                         run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6024                         if (sc->mac_ver == 0x5592) {
6025                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6026                                 run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6027                         } else {
6028                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6029                                 run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6030                         }
6031                 }
6032         } else if (sc->mac_ver == 0x3593) {
6033                 run_write(sc, RT2860_TX_SW_CFG0,
6034                     4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6035         } else if (sc->mac_ver >= 0x3070) {
6036                 /* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6037                 run_write(sc, RT2860_TX_SW_CFG0,
6038                     4 << RT2860_DLY_PAPE_EN_SHIFT);
6039         }
6040
6041         /* wait while MAC is busy */
6042         for (ntries = 0; ntries < 100; ntries++) {
6043                 if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6044                         goto fail;
6045                 if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6046                         break;
6047                 run_delay(sc, 10);
6048         }
6049         if (ntries == 100)
6050                 goto fail;
6051
6052         /* clear Host to MCU mailbox */
6053         run_write(sc, RT2860_H2M_BBPAGENT, 0);
6054         run_write(sc, RT2860_H2M_MAILBOX, 0);
6055         run_delay(sc, 10);
6056
6057         if (run_bbp_init(sc) != 0) {
6058                 device_printf(sc->sc_dev, "could not initialize BBP\n");
6059                 goto fail;
6060         }
6061
6062         /* abort TSF synchronization */
6063         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6064         tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6065             RT2860_TBTT_TIMER_EN);
6066         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6067
6068         /* clear RX WCID search table */
6069         run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6070         /* clear WCID attribute table */
6071         run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6072
6073         /* hostapd sets a key before init. So, don't clear it. */
6074         if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6075                 /* clear shared key table */
6076                 run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6077                 /* clear shared key mode */
6078                 run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6079         }
6080
6081         run_read(sc, RT2860_US_CYC_CNT, &tmp);
6082         tmp = (tmp & ~0xff) | 0x1e;
6083         run_write(sc, RT2860_US_CYC_CNT, tmp);
6084
6085         if (sc->mac_rev != 0x0101)
6086                 run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6087
6088         run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6089         run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6090
6091         /* write vendor-specific BBP values (from EEPROM) */
6092         if (sc->mac_ver < 0x3593) {
6093                 for (i = 0; i < 10; i++) {
6094                         if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6095                                 continue;
6096                         run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6097                 }
6098         }
6099
6100         /* select Main antenna for 1T1R devices */
6101         if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6102                 run_set_rx_antenna(sc, 0);
6103
6104         /* send LEDs operating mode to microcontroller */
6105         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6106         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6107         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6108
6109         if (sc->mac_ver >= 0x5390)
6110                 run_rt5390_rf_init(sc);
6111         else if (sc->mac_ver == 0x3593)
6112                 run_rt3593_rf_init(sc);
6113         else if (sc->mac_ver >= 0x3070)
6114                 run_rt3070_rf_init(sc);
6115
6116         /* disable non-existing Rx chains */
6117         run_bbp_read(sc, 3, &bbp3);
6118         bbp3 &= ~(1 << 3 | 1 << 4);
6119         if (sc->nrxchains == 2)
6120                 bbp3 |= 1 << 3;
6121         else if (sc->nrxchains == 3)
6122                 bbp3 |= 1 << 4;
6123         run_bbp_write(sc, 3, bbp3);
6124
6125         /* disable non-existing Tx chains */
6126         run_bbp_read(sc, 1, &bbp1);
6127         if (sc->ntxchains == 1)
6128                 bbp1 &= ~(1 << 3 | 1 << 4);
6129         run_bbp_write(sc, 1, bbp1);
6130
6131         if (sc->mac_ver >= 0x5390)
6132                 run_rt5390_rf_setup(sc);
6133         else if (sc->mac_ver == 0x3593)
6134                 run_rt3593_rf_setup(sc);
6135         else if (sc->mac_ver >= 0x3070)
6136                 run_rt3070_rf_setup(sc);
6137
6138         /* select default channel */
6139         run_set_chan(sc, ic->ic_curchan);
6140
6141         /* setup initial protection mode */
6142         run_updateprot_cb(ic);
6143
6144         /* turn radio LED on */
6145         run_set_leds(sc, RT2860_LED_RADIO);
6146
6147         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6148         ifp->if_drv_flags |= IFF_DRV_RUNNING;
6149         sc->cmdq_run = RUN_CMDQ_GO;
6150
6151         for (i = 0; i != RUN_N_XFER; i++)
6152                 usbd_xfer_set_stall(sc->sc_xfer[i]);
6153
6154         usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6155
6156         if (run_txrx_enable(sc) != 0)
6157                 goto fail;
6158
6159         return;
6160
6161 fail:
6162         run_stop(sc);
6163 }
6164
6165 static void
6166 run_init(void *arg)
6167 {
6168         struct run_softc *sc = arg;
6169         struct ifnet *ifp = sc->sc_ifp;
6170         struct ieee80211com *ic = ifp->if_l2com;
6171
6172         RUN_LOCK(sc);
6173         run_init_locked(sc);
6174         RUN_UNLOCK(sc);
6175
6176         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6177                 ieee80211_start_all(ic);
6178 }
6179
6180 static void
6181 run_stop(void *arg)
6182 {
6183         struct run_softc *sc = (struct run_softc *)arg;
6184         struct ifnet *ifp = sc->sc_ifp;
6185         uint32_t tmp;
6186         int i;
6187         int ntries;
6188
6189         RUN_LOCK_ASSERT(sc, MA_OWNED);
6190
6191         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6192                 run_set_leds(sc, 0);    /* turn all LEDs off */
6193
6194         ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6195
6196         sc->ratectl_run = RUN_RATECTL_OFF;
6197         sc->cmdq_run = sc->cmdq_key_set;
6198
6199         RUN_UNLOCK(sc);
6200
6201         for(i = 0; i < RUN_N_XFER; i++)
6202                 usbd_transfer_drain(sc->sc_xfer[i]);
6203
6204         RUN_LOCK(sc);
6205
6206         if (sc->rx_m != NULL) {
6207                 m_free(sc->rx_m);
6208                 sc->rx_m = NULL;
6209         }
6210
6211         /* Disable Tx/Rx DMA. */
6212         if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6213                 return;
6214         tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6215         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6216
6217         for (ntries = 0; ntries < 100; ntries++) {
6218                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6219                         return;
6220                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6221                                 break;
6222                 run_delay(sc, 10);
6223         }
6224         if (ntries == 100) {
6225                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6226                 return;
6227         }
6228
6229         /* disable Tx/Rx */
6230         run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6231         tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6232         run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6233
6234         /* wait for pending Tx to complete */
6235         for (ntries = 0; ntries < 100; ntries++) {
6236                 if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6237                         DPRINTF("Cannot read Tx queue count\n");
6238                         break;
6239                 }
6240                 if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6241                         DPRINTF("All Tx cleared\n");
6242                         break;
6243                 }
6244                 run_delay(sc, 10);
6245         }
6246         if (ntries >= 100)
6247                 DPRINTF("There are still pending Tx\n");
6248         run_delay(sc, 10);
6249         run_write(sc, RT2860_USB_DMA_CFG, 0);
6250
6251         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6252         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6253
6254         for (i = 0; i != RUN_EP_QUEUES; i++)
6255                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6256 }
6257
6258 static void
6259 run_delay(struct run_softc *sc, u_int ms)
6260 {
6261         usb_pause_mtx(mtx_owned(&sc->sc_mtx) ? 
6262             &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6263 }
6264
6265 static device_method_t run_methods[] = {
6266         /* Device interface */
6267         DEVMETHOD(device_probe,         run_match),
6268         DEVMETHOD(device_attach,        run_attach),
6269         DEVMETHOD(device_detach,        run_detach),
6270         DEVMETHOD_END
6271 };
6272
6273 static driver_t run_driver = {
6274         .name = "run",
6275         .methods = run_methods,
6276         .size = sizeof(struct run_softc)
6277 };
6278
6279 static devclass_t run_devclass;
6280
6281 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6282 MODULE_DEPEND(run, wlan, 1, 1, 1);
6283 MODULE_DEPEND(run, usb, 1, 1, 1);
6284 MODULE_DEPEND(run, firmware, 1, 1, 1);
6285 MODULE_VERSION(run, 1);
9-STABLE