sys/dev/usb/wlan/if_run.c

   1 /*-
   2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
   3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
   4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
   5  * Copyright (c) 2013-2014 Kevin Lo
   6  *
   7  * Permission to use, copy, modify, and distribute this software for any
   8  * purpose with or without fee is hereby granted, provided that the above
   9  * copyright notice and this permission notice appear in all copies.
  10  *
  11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18  */
  19
  20 #include <sys/cdefs.h>
  21 __FBSDID("$FreeBSD$");
  22
  23 /*-
  24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
  25  * http://www.ralinktech.com/
  26  */
  27
  28 #include <sys/param.h>
  29 #include <sys/sockio.h>
  30 #include <sys/sysctl.h>
  31 #include <sys/lock.h>
  32 #include <sys/mutex.h>
  33 #include <sys/mbuf.h>
  34 #include <sys/kernel.h>
  35 #include <sys/socket.h>
  36 #include <sys/systm.h>
  37 #include <sys/malloc.h>
  38 #include <sys/module.h>
  39 #include <sys/bus.h>
  40 #include <sys/endian.h>
  41 #include <sys/linker.h>
  42 #include <sys/firmware.h>
  43 #include <sys/kdb.h>
  44
  45 #include <machine/bus.h>
  46 #include <machine/resource.h>
  47 #include <sys/rman.h>
  48
  49 #include <net/bpf.h>
  50 #include <net/if.h>
  51 #include <net/if_arp.h>
  52 #include <net/ethernet.h>
  53 #include <net/if_dl.h>
  54 #include <net/if_media.h>
  55 #include <net/if_types.h>
  56
  57 #include <netinet/in.h>
  58 #include <netinet/in_systm.h>
  59 #include <netinet/in_var.h>
  60 #include <netinet/if_ether.h>
  61 #include <netinet/ip.h>
  62
  63 #include <net80211/ieee80211_var.h>
  64 #include <net80211/ieee80211_regdomain.h>
  65 #include <net80211/ieee80211_radiotap.h>
  66 #include <net80211/ieee80211_ratectl.h>
  67
  68 #include <dev/usb/usb.h>
  69 #include <dev/usb/usbdi.h>
  70 #include "usbdevs.h"
  71
  72 #define USB_DEBUG_VAR   run_debug
  73 #include <dev/usb/usb_debug.h>
  74 #include <dev/usb/usb_msctest.h>
  75
  76 #include <dev/usb/wlan/if_runreg.h>
  77 #include <dev/usb/wlan/if_runvar.h>
  78
  79 #ifdef  USB_DEBUG
  80 #define RUN_DEBUG
  81 #endif
  82
  83 #ifdef  RUN_DEBUG
  84 int run_debug = 0;
  85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
  86 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
  87     "run debug level");
  88 #endif
  89
  90 #define IEEE80211_HAS_ADDR4(wh) \
  91         (((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
  92
  93 /*
  94  * Because of LOR in run_key_delete(), use atomic instead.
  95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
  96  */
  97 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
  98
  99 static const STRUCT_USB_HOST_ID run_devs[] = {
 100 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
 101 #define RUN_DEV_EJECT(v,p)      \
 102         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, 0) }
 103     RUN_DEV(ABOCOM,             RT2770),
 104     RUN_DEV(ABOCOM,             RT2870),
 105     RUN_DEV(ABOCOM,             RT3070),
 106     RUN_DEV(ABOCOM,             RT3071),
 107     RUN_DEV(ABOCOM,             RT3072),
 108     RUN_DEV(ABOCOM2,            RT2870_1),
 109     RUN_DEV(ACCTON,             RT2770),
 110     RUN_DEV(ACCTON,             RT2870_1),
 111     RUN_DEV(ACCTON,             RT2870_2),
 112     RUN_DEV(ACCTON,             RT2870_3),
 113     RUN_DEV(ACCTON,             RT2870_4),
 114     RUN_DEV(ACCTON,             RT2870_5),
 115     RUN_DEV(ACCTON,             RT3070),
 116     RUN_DEV(ACCTON,             RT3070_1),
 117     RUN_DEV(ACCTON,             RT3070_2),
 118     RUN_DEV(ACCTON,             RT3070_3),
 119     RUN_DEV(ACCTON,             RT3070_4),
 120     RUN_DEV(ACCTON,             RT3070_5),
 121     RUN_DEV(AIRTIES,            RT3070),
 122     RUN_DEV(ALLWIN,             RT2070),
 123     RUN_DEV(ALLWIN,             RT2770),
 124     RUN_DEV(ALLWIN,             RT2870),
 125     RUN_DEV(ALLWIN,             RT3070),
 126     RUN_DEV(ALLWIN,             RT3071),
 127     RUN_DEV(ALLWIN,             RT3072),
 128     RUN_DEV(ALLWIN,             RT3572),
 129     RUN_DEV(AMIGO,              RT2870_1),
 130     RUN_DEV(AMIGO,              RT2870_2),
 131     RUN_DEV(AMIT,               CGWLUSB2GNR),
 132     RUN_DEV(AMIT,               RT2870_1),
 133     RUN_DEV(AMIT2,              RT2870),
 134     RUN_DEV(ASUS,               RT2870_1),
 135     RUN_DEV(ASUS,               RT2870_2),
 136     RUN_DEV(ASUS,               RT2870_3),
 137     RUN_DEV(ASUS,               RT2870_4),
 138     RUN_DEV(ASUS,               RT2870_5),
 139     RUN_DEV(ASUS,               USBN13),
 140     RUN_DEV(ASUS,               RT3070_1),
 141     RUN_DEV(ASUS,               USBN66),
 142     RUN_DEV(ASUS,               USB_N53),
 143     RUN_DEV(ASUS2,              USBN11),
 144     RUN_DEV(AZUREWAVE,          RT2870_1),
 145     RUN_DEV(AZUREWAVE,          RT2870_2),
 146     RUN_DEV(AZUREWAVE,          RT3070_1),
 147     RUN_DEV(AZUREWAVE,          RT3070_2),
 148     RUN_DEV(AZUREWAVE,          RT3070_3),
 149     RUN_DEV(BELKIN,             F9L1103),
 150     RUN_DEV(BELKIN,             F5D8053V3),
 151     RUN_DEV(BELKIN,             F5D8055),
 152     RUN_DEV(BELKIN,             F5D8055V2),
 153     RUN_DEV(BELKIN,             F6D4050V1),
 154     RUN_DEV(BELKIN,             F6D4050V2),
 155     RUN_DEV(BELKIN,             RT2870_1),
 156     RUN_DEV(BELKIN,             RT2870_2),
 157     RUN_DEV(CISCOLINKSYS,       AE1000),
 158     RUN_DEV(CISCOLINKSYS2,      RT3070),
 159     RUN_DEV(CISCOLINKSYS3,      RT3070),
 160     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
 161     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
 162     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
 163     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
 164     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
 165     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
 166     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
 167     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
 168     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
 169     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
 170     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
 171     RUN_DEV(COREGA,             CGWLUSB300GNM),
 172     RUN_DEV(COREGA,             RT2870_1),
 173     RUN_DEV(COREGA,             RT2870_2),
 174     RUN_DEV(COREGA,             RT2870_3),
 175     RUN_DEV(COREGA,             RT3070),
 176     RUN_DEV(CYBERTAN,           RT2870),
 177     RUN_DEV(DLINK,              RT2870),
 178     RUN_DEV(DLINK,              RT3072),
 179     RUN_DEV(DLINK,              DWA127),
 180     RUN_DEV(DLINK,              DWA140B3),
 181     RUN_DEV(DLINK,              DWA160B2),
 182     RUN_DEV(DLINK,              DWA162),
 183     RUN_DEV(DLINK2,             DWA130),
 184     RUN_DEV(DLINK2,             RT2870_1),
 185     RUN_DEV(DLINK2,             RT2870_2),
 186     RUN_DEV(DLINK2,             RT3070_1),
 187     RUN_DEV(DLINK2,             RT3070_2),
 188     RUN_DEV(DLINK2,             RT3070_3),
 189     RUN_DEV(DLINK2,             RT3070_4),
 190     RUN_DEV(DLINK2,             RT3070_5),
 191     RUN_DEV(DLINK2,             RT3072),
 192     RUN_DEV(DLINK2,             RT3072_1),
 193     RUN_DEV(EDIMAX,             EW7717),
 194     RUN_DEV(EDIMAX,             EW7718),
 195     RUN_DEV(EDIMAX,             EW7733UND),
 196     RUN_DEV(EDIMAX,             RT2870_1),
 197     RUN_DEV(ENCORE,             RT3070_1),
 198     RUN_DEV(ENCORE,             RT3070_2),
 199     RUN_DEV(ENCORE,             RT3070_3),
 200     RUN_DEV(GIGABYTE,           GNWB31N),
 201     RUN_DEV(GIGABYTE,           GNWB32L),
 202     RUN_DEV(GIGABYTE,           RT2870_1),
 203     RUN_DEV(GIGASET,            RT3070_1),
 204     RUN_DEV(GIGASET,            RT3070_2),
 205     RUN_DEV(GUILLEMOT,          HWNU300),
 206     RUN_DEV(HAWKING,            HWUN2),
 207     RUN_DEV(HAWKING,            RT2870_1),
 208     RUN_DEV(HAWKING,            RT2870_2),
 209     RUN_DEV(HAWKING,            RT3070),
 210     RUN_DEV(IODATA,             RT3072_1),
 211     RUN_DEV(IODATA,             RT3072_2),
 212     RUN_DEV(IODATA,             RT3072_3),
 213     RUN_DEV(IODATA,             RT3072_4),
 214     RUN_DEV(LINKSYS4,           RT3070),
 215     RUN_DEV(LINKSYS4,           WUSB100),
 216     RUN_DEV(LINKSYS4,           WUSB54GCV3),
 217     RUN_DEV(LINKSYS4,           WUSB600N),
 218     RUN_DEV(LINKSYS4,           WUSB600NV2),
 219     RUN_DEV(LOGITEC,            RT2870_1),
 220     RUN_DEV(LOGITEC,            RT2870_2),
 221     RUN_DEV(LOGITEC,            RT2870_3),
 222     RUN_DEV(LOGITEC,            LANW300NU2),
 223     RUN_DEV(LOGITEC,            LANW150NU2),
 224     RUN_DEV(LOGITEC,            LANW300NU2S),
 225     RUN_DEV(MELCO,              RT2870_1),
 226     RUN_DEV(MELCO,              RT2870_2),
 227     RUN_DEV(MELCO,              WLIUCAG300N),
 228     RUN_DEV(MELCO,              WLIUCG300N),
 229     RUN_DEV(MELCO,              WLIUCG301N),
 230     RUN_DEV(MELCO,              WLIUCGN),
 231     RUN_DEV(MELCO,              WLIUCGNM),
 232     RUN_DEV(MELCO,              WLIUCGNM2),
 233     RUN_DEV(MOTOROLA4,          RT2770),
 234     RUN_DEV(MOTOROLA4,          RT3070),
 235     RUN_DEV(MSI,                RT3070_1),
 236     RUN_DEV(MSI,                RT3070_2),
 237     RUN_DEV(MSI,                RT3070_3),
 238     RUN_DEV(MSI,                RT3070_4),
 239     RUN_DEV(MSI,                RT3070_5),
 240     RUN_DEV(MSI,                RT3070_6),
 241     RUN_DEV(MSI,                RT3070_7),
 242     RUN_DEV(MSI,                RT3070_8),
 243     RUN_DEV(MSI,                RT3070_9),
 244     RUN_DEV(MSI,                RT3070_10),
 245     RUN_DEV(MSI,                RT3070_11),
 246     RUN_DEV(OVISLINK,           RT3072),
 247     RUN_DEV(PARA,               RT3070),
 248     RUN_DEV(PEGATRON,           RT2870),
 249     RUN_DEV(PEGATRON,           RT3070),
 250     RUN_DEV(PEGATRON,           RT3070_2),
 251     RUN_DEV(PEGATRON,           RT3070_3),
 252     RUN_DEV(PHILIPS,            RT2870),
 253     RUN_DEV(PLANEX2,            GWUS300MINIS),
 254     RUN_DEV(PLANEX2,            GWUSMICRON),
 255     RUN_DEV(PLANEX2,            RT2870),
 256     RUN_DEV(PLANEX2,            RT3070),
 257     RUN_DEV(QCOM,               RT2870),
 258     RUN_DEV(QUANTA,             RT3070),
 259     RUN_DEV(RALINK,             RT2070),
 260     RUN_DEV(RALINK,             RT2770),
 261     RUN_DEV(RALINK,             RT2870),
 262     RUN_DEV(RALINK,             RT3070),
 263     RUN_DEV(RALINK,             RT3071),
 264     RUN_DEV(RALINK,             RT3072),
 265     RUN_DEV(RALINK,             RT3370),
 266     RUN_DEV(RALINK,             RT3572),
 267     RUN_DEV(RALINK,             RT3573),
 268     RUN_DEV(RALINK,             RT5370),
 269     RUN_DEV(RALINK,             RT5572),
 270     RUN_DEV(RALINK,             RT8070),
 271     RUN_DEV(SAMSUNG,            WIS09ABGN),
 272     RUN_DEV(SAMSUNG2,           RT2870_1),
 273     RUN_DEV(SENAO,              RT2870_1),
 274     RUN_DEV(SENAO,              RT2870_2),
 275     RUN_DEV(SENAO,              RT2870_3),
 276     RUN_DEV(SENAO,              RT2870_4),
 277     RUN_DEV(SENAO,              RT3070),
 278     RUN_DEV(SENAO,              RT3071),
 279     RUN_DEV(SENAO,              RT3072_1),
 280     RUN_DEV(SENAO,              RT3072_2),
 281     RUN_DEV(SENAO,              RT3072_3),
 282     RUN_DEV(SENAO,              RT3072_4),
 283     RUN_DEV(SENAO,              RT3072_5),
 284     RUN_DEV(SITECOMEU,          RT2770),
 285     RUN_DEV(SITECOMEU,          RT2870_1),
 286     RUN_DEV(SITECOMEU,          RT2870_2),
 287     RUN_DEV(SITECOMEU,          RT2870_3),
 288     RUN_DEV(SITECOMEU,          RT2870_4),
 289     RUN_DEV(SITECOMEU,          RT3070),
 290     RUN_DEV(SITECOMEU,          RT3070_2),
 291     RUN_DEV(SITECOMEU,          RT3070_3),
 292     RUN_DEV(SITECOMEU,          RT3070_4),
 293     RUN_DEV(SITECOMEU,          RT3071),
 294     RUN_DEV(SITECOMEU,          RT3072_1),
 295     RUN_DEV(SITECOMEU,          RT3072_2),
 296     RUN_DEV(SITECOMEU,          RT3072_3),
 297     RUN_DEV(SITECOMEU,          RT3072_4),
 298     RUN_DEV(SITECOMEU,          RT3072_5),
 299     RUN_DEV(SITECOMEU,          RT3072_6),
 300     RUN_DEV(SITECOMEU,          WL608),
 301     RUN_DEV(SPARKLAN,           RT2870_1),
 302     RUN_DEV(SPARKLAN,           RT3070),
 303     RUN_DEV(SWEEX2,             LW153),
 304     RUN_DEV(SWEEX2,             LW303),
 305     RUN_DEV(SWEEX2,             LW313),
 306     RUN_DEV(TOSHIBA,            RT3070),
 307     RUN_DEV(UMEDIA,             RT2870_1),
 308     RUN_DEV(ZCOM,               RT2870_1),
 309     RUN_DEV(ZCOM,               RT2870_2),
 310     RUN_DEV(ZINWELL,            RT2870_1),
 311     RUN_DEV(ZINWELL,            RT2870_2),
 312     RUN_DEV(ZINWELL,            RT3070),
 313     RUN_DEV(ZINWELL,            RT3072_1),
 314     RUN_DEV(ZINWELL,            RT3072_2),
 315     RUN_DEV(ZYXEL,              RT2870_1),
 316     RUN_DEV(ZYXEL,              RT2870_2),
 317     RUN_DEV(ZYXEL,              NWD2705),
 318     RUN_DEV_EJECT(RALINK,       RT_STOR),
 319 #undef RUN_DEV_EJECT
 320 #undef RUN_DEV
 321 };
 322
 323 static device_probe_t   run_match;
 324 static device_attach_t  run_attach;
 325 static device_detach_t  run_detach;
 326
 327 static usb_callback_t   run_bulk_rx_callback;
 328 static usb_callback_t   run_bulk_tx_callback0;
 329 static usb_callback_t   run_bulk_tx_callback1;
 330 static usb_callback_t   run_bulk_tx_callback2;
 331 static usb_callback_t   run_bulk_tx_callback3;
 332 static usb_callback_t   run_bulk_tx_callback4;
 333 static usb_callback_t   run_bulk_tx_callback5;
 334
 335 static void     run_autoinst(void *, struct usb_device *,
 336                     struct usb_attach_arg *);
 337 static int      run_driver_loaded(struct module *, int, void *);
 338 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
 339                     usb_error_t error, u_int index);
 340 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
 341                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
 342                     const uint8_t [IEEE80211_ADDR_LEN],
 343                     const uint8_t [IEEE80211_ADDR_LEN]);
 344 static void     run_vap_delete(struct ieee80211vap *);
 345 static void     run_cmdq_cb(void *, int);
 346 static void     run_setup_tx_list(struct run_softc *,
 347                     struct run_endpoint_queue *);
 348 static void     run_unsetup_tx_list(struct run_softc *,
 349                     struct run_endpoint_queue *);
 350 static int      run_load_microcode(struct run_softc *);
 351 static int      run_reset(struct run_softc *);
 352 static usb_error_t run_do_request(struct run_softc *,
 353                     struct usb_device_request *, void *);
 354 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
 355 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
 356 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
 357 static int      run_write(struct run_softc *, uint16_t, uint32_t);
 358 static int      run_write_region_1(struct run_softc *, uint16_t,
 359                     const uint8_t *, int);
 360 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
 361 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
 362 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
 363 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
 364 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
 365 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
 366 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
 367 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
 368 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
 369 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
 370 static const char *run_get_rf(uint16_t);
 371 static void     run_rt3593_get_txpower(struct run_softc *);
 372 static void     run_get_txpower(struct run_softc *);
 373 static int      run_read_eeprom(struct run_softc *);
 374 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
 375                             const uint8_t mac[IEEE80211_ADDR_LEN]);
 376 static int      run_media_change(struct ifnet *);
 377 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
 378 static int      run_wme_update(struct ieee80211com *);
 379 static void     run_wme_update_cb(void *);
 380 static void     run_key_update_begin(struct ieee80211vap *);
 381 static void     run_key_update_end(struct ieee80211vap *);
 382 static void     run_key_set_cb(void *);
 383 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *,
 384                     const uint8_t mac[IEEE80211_ADDR_LEN]);
 385 static void     run_key_delete_cb(void *);
 386 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
 387 static void     run_ratectl_to(void *);
 388 static void     run_ratectl_cb(void *, int);
 389 static void     run_drain_fifo(void *);
 390 static void     run_iter_func(void *, struct ieee80211_node *);
 391 static void     run_newassoc_cb(void *);
 392 static void     run_newassoc(struct ieee80211_node *, int);
 393 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
 394 static void     run_tx_free(struct run_endpoint_queue *pq,
 395                     struct run_tx_data *, int);
 396 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
 397 static int      run_tx(struct run_softc *, struct mbuf *,
 398                     struct ieee80211_node *);
 399 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
 400                     struct ieee80211_node *);
 401 static int      run_sendprot(struct run_softc *, const struct mbuf *,
 402                     struct ieee80211_node *, int, int);
 403 static int      run_tx_param(struct run_softc *, struct mbuf *,
 404                     struct ieee80211_node *,
 405                     const struct ieee80211_bpf_params *);
 406 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
 407                     const struct ieee80211_bpf_params *);
 408 static void     run_start(struct ifnet *);
 409 static int      run_ioctl(struct ifnet *, u_long, caddr_t);
 410 static void     run_iq_calib(struct run_softc *, u_int);
 411 static void     run_set_agc(struct run_softc *, uint8_t);
 412 static void     run_select_chan_group(struct run_softc *, int);
 413 static void     run_set_rx_antenna(struct run_softc *, int);
 414 static void     run_rt2870_set_chan(struct run_softc *, u_int);
 415 static void     run_rt3070_set_chan(struct run_softc *, u_int);
 416 static void     run_rt3572_set_chan(struct run_softc *, u_int);
 417 static void     run_rt3593_set_chan(struct run_softc *, u_int);
 418 static void     run_rt5390_set_chan(struct run_softc *, u_int);
 419 static void     run_rt5592_set_chan(struct run_softc *, u_int);
 420 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
 421 static void     run_set_channel(struct ieee80211com *);
 422 static void     run_scan_start(struct ieee80211com *);
 423 static void     run_scan_end(struct ieee80211com *);
 424 static void     run_update_beacon(struct ieee80211vap *, int);
 425 static void     run_update_beacon_cb(void *);
 426 static void     run_updateprot(struct ieee80211com *);
 427 static void     run_updateprot_cb(void *);
 428 static void     run_usb_timeout_cb(void *);
 429 static void     run_reset_livelock(struct run_softc *);
 430 static void     run_enable_tsf_sync(struct run_softc *);
 431 static void     run_enable_mrr(struct run_softc *);
 432 static void     run_set_txpreamble(struct run_softc *);
 433 static void     run_set_basicrates(struct run_softc *);
 434 static void     run_set_leds(struct run_softc *, uint16_t);
 435 static void     run_set_bssid(struct run_softc *, const uint8_t *);
 436 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
 437 static void     run_updateslot(struct ifnet *);
 438 static void     run_updateslot_cb(void *);
 439 static void     run_update_mcast(struct ifnet *);
 440 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
 441 static void     run_update_promisc_locked(struct ifnet *);
 442 static void     run_update_promisc(struct ifnet *);
 443 static void     run_rt5390_bbp_init(struct run_softc *);
 444 static int      run_bbp_init(struct run_softc *);
 445 static int      run_rt3070_rf_init(struct run_softc *);
 446 static void     run_rt3593_rf_init(struct run_softc *);
 447 static void     run_rt5390_rf_init(struct run_softc *);
 448 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
 449                     uint8_t *);
 450 static void     run_rt3070_rf_setup(struct run_softc *);
 451 static void     run_rt3593_rf_setup(struct run_softc *);
 452 static void     run_rt5390_rf_setup(struct run_softc *);
 453 static int      run_txrx_enable(struct run_softc *);
 454 static void     run_adjust_freq_offset(struct run_softc *);
 455 static void     run_init(void *);
 456 static void     run_init_locked(struct run_softc *);
 457 static void     run_stop(void *);
 458 static void     run_delay(struct run_softc *, u_int);
 459
 460 static eventhandler_tag run_etag;
 461
 462 static const struct rt2860_rate {
 463         uint8_t         rate;
 464         uint8_t         mcs;
 465         enum            ieee80211_phytype phy;
 466         uint8_t         ctl_ridx;
 467         uint16_t        sp_ack_dur;
 468         uint16_t        lp_ack_dur;
 469 } rt2860_rates[] = {
 470         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
 471         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
 472         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
 473         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
 474         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
 475         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
 476         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
 477         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
 478         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
 479         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
 480         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
 481         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
 482 };
 483
 484 static const struct {
 485         uint16_t        reg;
 486         uint32_t        val;
 487 } rt2870_def_mac[] = {
 488         RT2870_DEF_MAC
 489 };
 490
 491 static const struct {
 492         uint8_t reg;
 493         uint8_t val;
 494 } rt2860_def_bbp[] = {
 495         RT2860_DEF_BBP
 496 },rt5390_def_bbp[] = {
 497         RT5390_DEF_BBP
 498 },rt5592_def_bbp[] = {
 499         RT5592_DEF_BBP
 500 };
 501
 502 /*
 503  * Default values for BBP register R196 for RT5592.
 504  */
 505 static const uint8_t rt5592_bbp_r196[] = {
 506         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
 507         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
 508         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
 509         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
 510         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
 511         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
 512         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 513         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
 514         0x2e, 0x36, 0x30, 0x6e
 515 };
 516
 517 static const struct rfprog {
 518         uint8_t         chan;
 519         uint32_t        r1, r2, r3, r4;
 520 } rt2860_rf2850[] = {
 521         RT2860_RF2850
 522 };
 523
 524 struct {
 525         uint8_t n, r, k;
 526 } rt3070_freqs[] = {
 527         RT3070_RF3052
 528 };
 529
 530 static const struct rt5592_freqs {
 531         uint16_t        n;
 532         uint8_t         k, m, r;
 533 } rt5592_freqs_20mhz[] = {
 534         RT5592_RF5592_20MHZ
 535 },rt5592_freqs_40mhz[] = {
 536         RT5592_RF5592_40MHZ
 537 };
 538
 539 static const struct {
 540         uint8_t reg;
 541         uint8_t val;
 542 } rt3070_def_rf[] = {
 543         RT3070_DEF_RF
 544 },rt3572_def_rf[] = {
 545         RT3572_DEF_RF
 546 },rt3593_def_rf[] = {
 547         RT3593_DEF_RF
 548 },rt5390_def_rf[] = {
 549         RT5390_DEF_RF
 550 },rt5392_def_rf[] = {
 551         RT5392_DEF_RF
 552 },rt5592_def_rf[] = {
 553         RT5592_DEF_RF
 554 },rt5592_2ghz_def_rf[] = {
 555         RT5592_2GHZ_DEF_RF
 556 },rt5592_5ghz_def_rf[] = {
 557         RT5592_5GHZ_DEF_RF
 558 };
 559
 560 static const struct {
 561         u_int   firstchan;
 562         u_int   lastchan;
 563         uint8_t reg;
 564         uint8_t val;
 565 } rt5592_chan_5ghz[] = {
 566         RT5592_CHAN_5GHZ
 567 };
 568
 569 static const struct usb_config run_config[RUN_N_XFER] = {
 570     [RUN_BULK_TX_BE] = {
 571         .type = UE_BULK,
 572         .endpoint = UE_ADDR_ANY,
 573         .ep_index = 0,
 574         .direction = UE_DIR_OUT,
 575         .bufsize = RUN_MAX_TXSZ,
 576         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 577         .callback = run_bulk_tx_callback0,
 578         .timeout = 5000,        /* ms */
 579     },
 580     [RUN_BULK_TX_BK] = {
 581         .type = UE_BULK,
 582         .endpoint = UE_ADDR_ANY,
 583         .direction = UE_DIR_OUT,
 584         .ep_index = 1,
 585         .bufsize = RUN_MAX_TXSZ,
 586         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 587         .callback = run_bulk_tx_callback1,
 588         .timeout = 5000,        /* ms */
 589     },
 590     [RUN_BULK_TX_VI] = {
 591         .type = UE_BULK,
 592         .endpoint = UE_ADDR_ANY,
 593         .direction = UE_DIR_OUT,
 594         .ep_index = 2,
 595         .bufsize = RUN_MAX_TXSZ,
 596         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 597         .callback = run_bulk_tx_callback2,
 598         .timeout = 5000,        /* ms */
 599     },
 600     [RUN_BULK_TX_VO] = {
 601         .type = UE_BULK,
 602         .endpoint = UE_ADDR_ANY,
 603         .direction = UE_DIR_OUT,
 604         .ep_index = 3,
 605         .bufsize = RUN_MAX_TXSZ,
 606         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
 607         .callback = run_bulk_tx_callback3,
 608         .timeout = 5000,        /* ms */
 609     },
 610     [RUN_BULK_TX_HCCA] = {
 611         .type = UE_BULK,
 612         .endpoint = UE_ADDR_ANY,
 613         .direction = UE_DIR_OUT,
 614         .ep_index = 4,
 615         .bufsize = RUN_MAX_TXSZ,
 616         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
 617         .callback = run_bulk_tx_callback4,
 618         .timeout = 5000,        /* ms */
 619     },
 620     [RUN_BULK_TX_PRIO] = {
 621         .type = UE_BULK,
 622         .endpoint = UE_ADDR_ANY,
 623         .direction = UE_DIR_OUT,
 624         .ep_index = 5,
 625         .bufsize = RUN_MAX_TXSZ,
 626         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
 627         .callback = run_bulk_tx_callback5,
 628         .timeout = 5000,        /* ms */
 629     },
 630     [RUN_BULK_RX] = {
 631         .type = UE_BULK,
 632         .endpoint = UE_ADDR_ANY,
 633         .direction = UE_DIR_IN,
 634         .bufsize = RUN_MAX_RXSZ,
 635         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
 636         .callback = run_bulk_rx_callback,
 637     }
 638 };
 639
 640 static void
 641 run_autoinst(void *arg, struct usb_device *udev,
 642     struct usb_attach_arg *uaa)
 643 {
 644         struct usb_interface *iface;
 645         struct usb_interface_descriptor *id;
 646
 647         if (uaa->dev_state != UAA_DEV_READY)
 648                 return;
 649
 650         iface = usbd_get_iface(udev, 0);
 651         if (iface == NULL)
 652                 return;
 653         id = iface->idesc;
 654         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
 655                 return;
 656         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
 657                 return;
 658
 659         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
 660                 uaa->dev_state = UAA_DEV_EJECTING;
 661 }
 662
 663 static int
 664 run_driver_loaded(struct module *mod, int what, void *arg)
 665 {
 666         switch (what) {
 667         case MOD_LOAD:
 668                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
 669                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
 670                 break;
 671         case MOD_UNLOAD:
 672                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
 673                 break;
 674         default:
 675                 return (EOPNOTSUPP);
 676         }
 677         return (0);
 678 }
 679
 680 static int
 681 run_match(device_t self)
 682 {
 683         struct usb_attach_arg *uaa = device_get_ivars(self);
 684
 685         if (uaa->usb_mode != USB_MODE_HOST)
 686                 return (ENXIO);
 687         if (uaa->info.bConfigIndex != 0)
 688                 return (ENXIO);
 689         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
 690                 return (ENXIO);
 691
 692         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
 693 }
 694
 695 static int
 696 run_attach(device_t self)
 697 {
 698         struct run_softc *sc = device_get_softc(self);
 699         struct usb_attach_arg *uaa = device_get_ivars(self);
 700         struct ieee80211com *ic;
 701         struct ifnet *ifp;
 702         uint32_t ver;
 703         int ntries, error;
 704         uint8_t iface_index, bands;
 705
 706         device_set_usb_desc(self);
 707         sc->sc_udev = uaa->device;
 708         sc->sc_dev = self;
 709
 710         mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
 711             MTX_NETWORK_LOCK, MTX_DEF);
 712
 713         iface_index = RT2860_IFACE_INDEX;
 714
 715         error = usbd_transfer_setup(uaa->device, &iface_index,
 716             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
 717         if (error) {
 718                 device_printf(self, "could not allocate USB transfers, "
 719                     "err=%s\n", usbd_errstr(error));
 720                 goto detach;
 721         }
 722
 723         RUN_LOCK(sc);
 724
 725         /* wait for the chip to settle */
 726         for (ntries = 0; ntries < 100; ntries++) {
 727                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
 728                         RUN_UNLOCK(sc);
 729                         goto detach;
 730                 }
 731                 if (ver != 0 && ver != 0xffffffff)
 732                         break;
 733                 run_delay(sc, 10);
 734         }
 735         if (ntries == 100) {
 736                 device_printf(sc->sc_dev,
 737                     "timeout waiting for NIC to initialize\n");
 738                 RUN_UNLOCK(sc);
 739                 goto detach;
 740         }
 741         sc->mac_ver = ver >> 16;
 742         sc->mac_rev = ver & 0xffff;
 743
 744         /* retrieve RF rev. no and various other things from EEPROM */
 745         run_read_eeprom(sc);
 746
 747         device_printf(sc->sc_dev,
 748             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
 749             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
 750             sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
 751
 752         RUN_UNLOCK(sc);
 753
 754         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
 755         if (ifp == NULL) {
 756                 device_printf(sc->sc_dev, "can not if_alloc()\n");
 757                 goto detach;
 758         }
 759         ic = ifp->if_l2com;
 760
 761         ifp->if_softc = sc;
 762         if_initname(ifp, "run", device_get_unit(sc->sc_dev));
 763         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
 764         ifp->if_init = run_init;
 765         ifp->if_ioctl = run_ioctl;
 766         ifp->if_start = run_start;
 767         IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
 768         ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
 769         IFQ_SET_READY(&ifp->if_snd);
 770
 771         ic->ic_ifp = ifp;
 772         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
 773         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
 774
 775         /* set device capabilities */
 776         ic->ic_caps =
 777             IEEE80211_C_STA |           /* station mode supported */
 778             IEEE80211_C_MONITOR |       /* monitor mode supported */
 779             IEEE80211_C_IBSS |
 780             IEEE80211_C_HOSTAP |
 781             IEEE80211_C_WDS |           /* 4-address traffic works */
 782             IEEE80211_C_MBSS |
 783             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
 784             IEEE80211_C_SHSLOT |        /* short slot time supported */
 785             IEEE80211_C_WME |           /* WME */
 786             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
 787
 788         ic->ic_cryptocaps =
 789             IEEE80211_CRYPTO_WEP |
 790             IEEE80211_CRYPTO_AES_CCM |
 791             IEEE80211_CRYPTO_TKIPMIC |
 792             IEEE80211_CRYPTO_TKIP;
 793
 794         ic->ic_flags |= IEEE80211_F_DATAPAD;
 795         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
 796
 797         bands = 0;
 798         setbit(&bands, IEEE80211_MODE_11B);
 799         setbit(&bands, IEEE80211_MODE_11G);
 800         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
 801             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
 802             sc->rf_rev == RT5592_RF_5592)
 803                 setbit(&bands, IEEE80211_MODE_11A);
 804         ieee80211_init_channels(ic, NULL, &bands);
 805
 806         ieee80211_ifattach(ic, sc->sc_bssid);
 807
 808         ic->ic_scan_start = run_scan_start;
 809         ic->ic_scan_end = run_scan_end;
 810         ic->ic_set_channel = run_set_channel;
 811         ic->ic_node_alloc = run_node_alloc;
 812         ic->ic_newassoc = run_newassoc;
 813         ic->ic_updateslot = run_updateslot;
 814         ic->ic_update_mcast = run_update_mcast;
 815         ic->ic_wme.wme_update = run_wme_update;
 816         ic->ic_raw_xmit = run_raw_xmit;
 817         ic->ic_update_promisc = run_update_promisc;
 818
 819         ic->ic_vap_create = run_vap_create;
 820         ic->ic_vap_delete = run_vap_delete;
 821
 822         ieee80211_radiotap_attach(ic,
 823             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
 824                 RUN_TX_RADIOTAP_PRESENT,
 825             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
 826                 RUN_RX_RADIOTAP_PRESENT);
 827
 828         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
 829         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
 830         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
 831
 832         if (bootverbose)
 833                 ieee80211_announce(ic);
 834
 835         return (0);
 836
 837 detach:
 838         run_detach(self);
 839         return (ENXIO);
 840 }
 841
 842 static int
 843 run_detach(device_t self)
 844 {
 845         struct run_softc *sc = device_get_softc(self);
 846         struct ifnet *ifp = sc->sc_ifp;
 847         struct ieee80211com *ic;
 848         int i;
 849
 850         RUN_LOCK(sc);
 851         sc->sc_detached = 1;
 852         RUN_UNLOCK(sc);
 853
 854         /* stop all USB transfers */
 855         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
 856
 857         RUN_LOCK(sc);
 858         sc->ratectl_run = RUN_RATECTL_OFF;
 859         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
 860
 861         /* free TX list, if any */
 862         for (i = 0; i != RUN_EP_QUEUES; i++)
 863                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
 864         RUN_UNLOCK(sc);
 865
 866         if (ifp) {
 867                 ic = ifp->if_l2com;
 868                 /* drain tasks */
 869                 usb_callout_drain(&sc->ratectl_ch);
 870                 ieee80211_draintask(ic, &sc->cmdq_task);
 871                 ieee80211_draintask(ic, &sc->ratectl_task);
 872                 ieee80211_ifdetach(ic);
 873                 if_free(ifp);
 874         }
 875
 876         mtx_destroy(&sc->sc_mtx);
 877
 878         return (0);
 879 }
 880
 881 static struct ieee80211vap *
 882 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
 883     enum ieee80211_opmode opmode, int flags,
 884     const uint8_t bssid[IEEE80211_ADDR_LEN],
 885     const uint8_t mac[IEEE80211_ADDR_LEN])
 886 {
 887         struct ifnet *ifp = ic->ic_ifp;
 888         struct run_softc *sc = ifp->if_softc;
 889         struct run_vap *rvp;
 890         struct ieee80211vap *vap;
 891         int i;
 892
 893         if (sc->rvp_cnt >= RUN_VAP_MAX) {
 894                 if_printf(ifp, "number of VAPs maxed out\n");
 895                 return (NULL);
 896         }
 897
 898         switch (opmode) {
 899         case IEEE80211_M_STA:
 900                 /* enable s/w bmiss handling for sta mode */
 901                 flags |= IEEE80211_CLONE_NOBEACONS;
 902                 /* fall though */
 903         case IEEE80211_M_IBSS:
 904         case IEEE80211_M_MONITOR:
 905         case IEEE80211_M_HOSTAP:
 906         case IEEE80211_M_MBSS:
 907                 /* other than WDS vaps, only one at a time */
 908                 if (!TAILQ_EMPTY(&ic->ic_vaps))
 909                         return (NULL);
 910                 break;
 911         case IEEE80211_M_WDS:
 912                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
 913                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
 914                                 continue;
 915                         /* WDS vap's always share the local mac address. */
 916                         flags &= ~IEEE80211_CLONE_BSSID;
 917                         break;
 918                 }
 919                 if (vap == NULL) {
 920                         if_printf(ifp, "wds only supported in ap mode\n");
 921                         return (NULL);
 922                 }
 923                 break;
 924         default:
 925                 if_printf(ifp, "unknown opmode %d\n", opmode);
 926                 return (NULL);
 927         }
 928
 929         rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
 930             M_80211_VAP, M_NOWAIT | M_ZERO);
 931         if (rvp == NULL)
 932                 return (NULL);
 933         vap = &rvp->vap;
 934
 935         if (ieee80211_vap_setup(ic, vap, name, unit,
 936             opmode, flags, bssid, mac) != 0) {
 937                 /* out of memory */
 938                 free(rvp, M_80211_VAP);
 939                 return (NULL);
 940         }
 941
 942         vap->iv_key_update_begin = run_key_update_begin;
 943         vap->iv_key_update_end = run_key_update_end;
 944         vap->iv_update_beacon = run_update_beacon;
 945         vap->iv_max_aid = RT2870_WCID_MAX;
 946         /*
 947          * To delete the right key from h/w, we need wcid.
 948          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
 949          * and matching wcid will be written into there. So, cast
 950          * some spells to remove 'const' from ieee80211_key{}
 951          */
 952         vap->iv_key_delete = (void *)run_key_delete;
 953         vap->iv_key_set = (void *)run_key_set;
 954
 955         /* override state transition machine */
 956         rvp->newstate = vap->iv_newstate;
 957         vap->iv_newstate = run_newstate;
 958
 959         ieee80211_ratectl_init(vap);
 960         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
 961
 962         /* complete setup */
 963         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
 964
 965         /* make sure id is always unique */
 966         for (i = 0; i < RUN_VAP_MAX; i++) {
 967                 if((sc->rvp_bmap & 1 << i) == 0){
 968                         sc->rvp_bmap |= 1 << i;
 969                         rvp->rvp_id = i;
 970                         break;
 971                 }
 972         }
 973         if (sc->rvp_cnt++ == 0)
 974                 ic->ic_opmode = opmode;
 975
 976         if (opmode == IEEE80211_M_HOSTAP)
 977                 sc->cmdq_run = RUN_CMDQ_GO;
 978
 979         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
 980             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
 981
 982         return (vap);
 983 }
 984
 985 static void
 986 run_vap_delete(struct ieee80211vap *vap)
 987 {
 988         struct run_vap *rvp = RUN_VAP(vap);
 989         struct ifnet *ifp;
 990         struct ieee80211com *ic;
 991         struct run_softc *sc;
 992         uint8_t rvp_id;
 993
 994         if (vap == NULL)
 995                 return;
 996
 997         ic = vap->iv_ic;
 998         ifp = ic->ic_ifp;
 999
1000         sc = ifp->if_softc;
1001
1002         RUN_LOCK(sc);
1003
1004         m_freem(rvp->beacon_mbuf);
1005         rvp->beacon_mbuf = NULL;
1006
1007         rvp_id = rvp->rvp_id;
1008         sc->ratectl_run &= ~(1 << rvp_id);
1009         sc->rvp_bmap &= ~(1 << rvp_id);
1010         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1011         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1012         --sc->rvp_cnt;
1013
1014         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1015             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1016
1017         RUN_UNLOCK(sc);
1018
1019         ieee80211_ratectl_deinit(vap);
1020         ieee80211_vap_detach(vap);
1021         free(rvp, M_80211_VAP);
1022 }
1023
1024 /*
1025  * There are numbers of functions need to be called in context thread.
1026  * Rather than creating taskqueue event for each of those functions,
1027  * here is all-for-one taskqueue callback function. This function
1028  * gurantees deferred functions are executed in the same order they
1029  * were enqueued.
1030  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1031  */
1032 static void
1033 run_cmdq_cb(void *arg, int pending)
1034 {
1035         struct run_softc *sc = arg;
1036         uint8_t i;
1037
1038         /* call cmdq[].func locked */
1039         RUN_LOCK(sc);
1040         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1041             i = sc->cmdq_exec, pending--) {
1042                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1043                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1044                         /*
1045                          * If arg0 is NULL, callback func needs more
1046                          * than one arg. So, pass ptr to cmdq struct.
1047                          */
1048                         if (sc->cmdq[i].arg0)
1049                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1050                         else
1051                                 sc->cmdq[i].func(&sc->cmdq[i]);
1052                 }
1053                 sc->cmdq[i].arg0 = NULL;
1054                 sc->cmdq[i].func = NULL;
1055                 sc->cmdq_exec++;
1056                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1057         }
1058         RUN_UNLOCK(sc);
1059 }
1060
1061 static void
1062 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1063 {
1064         struct run_tx_data *data;
1065
1066         memset(pq, 0, sizeof(*pq));
1067
1068         STAILQ_INIT(&pq->tx_qh);
1069         STAILQ_INIT(&pq->tx_fh);
1070
1071         for (data = &pq->tx_data[0];
1072             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1073                 data->sc = sc;
1074                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1075         }
1076         pq->tx_nfree = RUN_TX_RING_COUNT;
1077 }
1078
1079 static void
1080 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1081 {
1082         struct run_tx_data *data;
1083
1084         /* make sure any subsequent use of the queues will fail */
1085         pq->tx_nfree = 0;
1086         STAILQ_INIT(&pq->tx_fh);
1087         STAILQ_INIT(&pq->tx_qh);
1088
1089         /* free up all node references and mbufs */
1090         for (data = &pq->tx_data[0];
1091             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1092                 if (data->m != NULL) {
1093                         m_freem(data->m);
1094                         data->m = NULL;
1095                 }
1096                 if (data->ni != NULL) {
1097                         ieee80211_free_node(data->ni);
1098                         data->ni = NULL;
1099                 }
1100         }
1101 }
1102
1103 static int
1104 run_load_microcode(struct run_softc *sc)
1105 {
1106         usb_device_request_t req;
1107         const struct firmware *fw;
1108         const u_char *base;
1109         uint32_t tmp;
1110         int ntries, error;
1111         const uint64_t *temp;
1112         uint64_t bytes;
1113
1114         RUN_UNLOCK(sc);
1115         fw = firmware_get("runfw");
1116         RUN_LOCK(sc);
1117         if (fw == NULL) {
1118                 device_printf(sc->sc_dev,
1119                     "failed loadfirmware of file %s\n", "runfw");
1120                 return ENOENT;
1121         }
1122
1123         if (fw->datasize != 8192) {
1124                 device_printf(sc->sc_dev,
1125                     "invalid firmware size (should be 8KB)\n");
1126                 error = EINVAL;
1127                 goto fail;
1128         }
1129
1130         /*
1131          * RT3071/RT3072 use a different firmware
1132          * run-rt2870 (8KB) contains both,
1133          * first half (4KB) is for rt2870,
1134          * last half is for rt3071.
1135          */
1136         base = fw->data;
1137         if ((sc->mac_ver) != 0x2860 &&
1138             (sc->mac_ver) != 0x2872 &&
1139             (sc->mac_ver) != 0x3070) {
1140                 base += 4096;
1141         }
1142
1143         /* cheap sanity check */
1144         temp = fw->data;
1145         bytes = *temp;
1146         if (bytes != be64toh(0xffffff0210280210ULL)) {
1147                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1148                 error = EINVAL;
1149                 goto fail;
1150         }
1151
1152         /* write microcode image */
1153         if (sc->mac_ver != 0x3593) {
1154                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1155                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1156                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1157         }
1158
1159         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1160         req.bRequest = RT2870_RESET;
1161         USETW(req.wValue, 8);
1162         USETW(req.wIndex, 0);
1163         USETW(req.wLength, 0);
1164         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1165             != 0) {
1166                 device_printf(sc->sc_dev, "firmware reset failed\n");
1167                 goto fail;
1168         }
1169
1170         run_delay(sc, 10);
1171
1172         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1173         run_write(sc, RT2860_H2M_MAILBOX, 0);
1174         run_write(sc, RT2860_H2M_INTSRC, 0);
1175         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1176                 goto fail;
1177
1178         /* wait until microcontroller is ready */
1179         for (ntries = 0; ntries < 1000; ntries++) {
1180                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1181                         goto fail;
1182                 if (tmp & RT2860_MCU_READY)
1183                         break;
1184                 run_delay(sc, 10);
1185         }
1186         if (ntries == 1000) {
1187                 device_printf(sc->sc_dev,
1188                     "timeout waiting for MCU to initialize\n");
1189                 error = ETIMEDOUT;
1190                 goto fail;
1191         }
1192         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1193             (base == fw->data) ? "RT2870" : "RT3071",
1194             *(base + 4092), *(base + 4093));
1195
1196 fail:
1197         firmware_put(fw, FIRMWARE_UNLOAD);
1198         return (error);
1199 }
1200
1201 static int
1202 run_reset(struct run_softc *sc)
1203 {
1204         usb_device_request_t req;
1205
1206         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1207         req.bRequest = RT2870_RESET;
1208         USETW(req.wValue, 1);
1209         USETW(req.wIndex, 0);
1210         USETW(req.wLength, 0);
1211         return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1212 }
1213
1214 static usb_error_t
1215 run_do_request(struct run_softc *sc,
1216     struct usb_device_request *req, void *data)
1217 {
1218         usb_error_t err;
1219         int ntries = 10;
1220
1221         RUN_LOCK_ASSERT(sc, MA_OWNED);
1222
1223         while (ntries--) {
1224                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1225                     req, data, 0, NULL, 250 /* ms */);
1226                 if (err == 0)
1227                         break;
1228                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1229                     usbd_errstr(err));
1230                 run_delay(sc, 10);
1231         }
1232         return (err);
1233 }
1234
1235 static int
1236 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1237 {
1238         uint32_t tmp;
1239         int error;
1240
1241         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1242         if (error == 0)
1243                 *val = le32toh(tmp);
1244         else
1245                 *val = 0xffffffff;
1246         return (error);
1247 }
1248
1249 static int
1250 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1251 {
1252         usb_device_request_t req;
1253
1254         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1255         req.bRequest = RT2870_READ_REGION_1;
1256         USETW(req.wValue, 0);
1257         USETW(req.wIndex, reg);
1258         USETW(req.wLength, len);
1259
1260         return (run_do_request(sc, &req, buf));
1261 }
1262
1263 static int
1264 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1265 {
1266         usb_device_request_t req;
1267
1268         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1269         req.bRequest = RT2870_WRITE_2;
1270         USETW(req.wValue, val);
1271         USETW(req.wIndex, reg);
1272         USETW(req.wLength, 0);
1273
1274         return (run_do_request(sc, &req, NULL));
1275 }
1276
1277 static int
1278 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1279 {
1280         int error;
1281
1282         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1283                 error = run_write_2(sc, reg + 2, val >> 16);
1284         return (error);
1285 }
1286
1287 static int
1288 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1289     int len)
1290 {
1291 #if 1
1292         int i, error = 0;
1293         /*
1294          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1295          * We thus issue multiple WRITE_2 commands instead.
1296          */
1297         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1298         for (i = 0; i < len && error == 0; i += 2)
1299                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1300         return (error);
1301 #else
1302         usb_device_request_t req;
1303         int error = 0;
1304
1305         /*
1306          * NOTE: It appears the WRITE_REGION_1 command cannot be
1307          * passed a huge amount of data, which will crash the
1308          * firmware. Limit amount of data passed to 64-bytes at a
1309          * time.
1310          */
1311         while (len > 0) {
1312                 int delta = 64;
1313                 if (delta > len)
1314                         delta = len;
1315
1316                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1317                 req.bRequest = RT2870_WRITE_REGION_1;
1318                 USETW(req.wValue, 0);
1319                 USETW(req.wIndex, reg);
1320                 USETW(req.wLength, delta);
1321                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1322                 if (error != 0)
1323                         break;
1324                 reg += delta;
1325                 buf += delta;
1326                 len -= delta;
1327         }
1328         return (error);
1329 #endif
1330 }
1331
1332 static int
1333 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1334 {
1335         int i, error = 0;
1336
1337         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1338         for (i = 0; i < len && error == 0; i += 4)
1339                 error = run_write(sc, reg + i, val);
1340         return (error);
1341 }
1342
1343 static int
1344 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1345 {
1346         uint32_t tmp;
1347         uint16_t reg;
1348         int error, ntries;
1349
1350         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1351                 return (error);
1352
1353         if (count == 2)
1354                 addr *= 2;
1355         /*-
1356          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1357          * DATA0: F E D C
1358          * DATA1: B A 9 8
1359          * DATA2: 7 6 5 4
1360          * DATA3: 3 2 1 0
1361          */
1362         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1363         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1364         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1365         for (ntries = 0; ntries < 100; ntries++) {
1366                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1367                         return (error);
1368                 if (!(tmp & RT3070_EFSROM_KICK))
1369                         break;
1370                 run_delay(sc, 2);
1371         }
1372         if (ntries == 100)
1373                 return (ETIMEDOUT);
1374
1375         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1376                 *val = 0xffff;  /* address not found */
1377                 return (0);
1378         }
1379         /* determine to which 32-bit register our 16-bit word belongs */
1380         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1381         if ((error = run_read(sc, reg, &tmp)) != 0)
1382                 return (error);
1383
1384         tmp >>= (8 * (addr & 0x3));
1385         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1386
1387         return (0);
1388 }
1389
1390 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1391 static int
1392 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1393 {
1394         return (run_efuse_read(sc, addr, val, 2));
1395 }
1396
1397 static int
1398 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1399 {
1400         usb_device_request_t req;
1401         uint16_t tmp;
1402         int error;
1403
1404         addr *= 2;
1405         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1406         req.bRequest = RT2870_EEPROM_READ;
1407         USETW(req.wValue, 0);
1408         USETW(req.wIndex, addr);
1409         USETW(req.wLength, sizeof(tmp));
1410
1411         error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1412         if (error == 0)
1413                 *val = le16toh(tmp);
1414         else
1415                 *val = 0xffff;
1416         return (error);
1417 }
1418
1419 static __inline int
1420 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1421 {
1422         /* either eFUSE ROM or EEPROM */
1423         return sc->sc_srom_read(sc, addr, val);
1424 }
1425
1426 static int
1427 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1428 {
1429         uint32_t tmp;
1430         int error, ntries;
1431
1432         for (ntries = 0; ntries < 10; ntries++) {
1433                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1434                         return (error);
1435                 if (!(tmp & RT2860_RF_REG_CTRL))
1436                         break;
1437         }
1438         if (ntries == 10)
1439                 return (ETIMEDOUT);
1440
1441         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1442 }
1443
1444 static int
1445 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1446 {
1447         uint32_t tmp;
1448         int error, ntries;
1449
1450         for (ntries = 0; ntries < 100; ntries++) {
1451                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1452                         return (error);
1453                 if (!(tmp & RT3070_RF_KICK))
1454                         break;
1455         }
1456         if (ntries == 100)
1457                 return (ETIMEDOUT);
1458
1459         tmp = RT3070_RF_KICK | reg << 8;
1460         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1461                 return (error);
1462
1463         for (ntries = 0; ntries < 100; ntries++) {
1464                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1465                         return (error);
1466                 if (!(tmp & RT3070_RF_KICK))
1467                         break;
1468         }
1469         if (ntries == 100)
1470                 return (ETIMEDOUT);
1471
1472         *val = tmp & 0xff;
1473         return (0);
1474 }
1475
1476 static int
1477 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1478 {
1479         uint32_t tmp;
1480         int error, ntries;
1481
1482         for (ntries = 0; ntries < 10; ntries++) {
1483                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1484                         return (error);
1485                 if (!(tmp & RT3070_RF_KICK))
1486                         break;
1487         }
1488         if (ntries == 10)
1489                 return (ETIMEDOUT);
1490
1491         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1492         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1493 }
1494
1495 static int
1496 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1497 {
1498         uint32_t tmp;
1499         int ntries, error;
1500
1501         for (ntries = 0; ntries < 10; ntries++) {
1502                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1503                         return (error);
1504                 if (!(tmp & RT2860_BBP_CSR_KICK))
1505                         break;
1506         }
1507         if (ntries == 10)
1508                 return (ETIMEDOUT);
1509
1510         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1511         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1512                 return (error);
1513
1514         for (ntries = 0; ntries < 10; ntries++) {
1515                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1516                         return (error);
1517                 if (!(tmp & RT2860_BBP_CSR_KICK))
1518                         break;
1519         }
1520         if (ntries == 10)
1521                 return (ETIMEDOUT);
1522
1523         *val = tmp & 0xff;
1524         return (0);
1525 }
1526
1527 static int
1528 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1529 {
1530         uint32_t tmp;
1531         int ntries, error;
1532
1533         for (ntries = 0; ntries < 10; ntries++) {
1534                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1535                         return (error);
1536                 if (!(tmp & RT2860_BBP_CSR_KICK))
1537                         break;
1538         }
1539         if (ntries == 10)
1540                 return (ETIMEDOUT);
1541
1542         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1543         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1544 }
1545
1546 /*
1547  * Send a command to the 8051 microcontroller unit.
1548  */
1549 static int
1550 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1551 {
1552         uint32_t tmp;
1553         int error, ntries;
1554
1555         for (ntries = 0; ntries < 100; ntries++) {
1556                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1557                         return error;
1558                 if (!(tmp & RT2860_H2M_BUSY))
1559                         break;
1560         }
1561         if (ntries == 100)
1562                 return ETIMEDOUT;
1563
1564         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1565         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1566                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1567         return (error);
1568 }
1569
1570 /*
1571  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1572  * Used to adjust per-rate Tx power registers.
1573  */
1574 static __inline uint32_t
1575 b4inc(uint32_t b32, int8_t delta)
1576 {
1577         int8_t i, b4;
1578
1579         for (i = 0; i < 8; i++) {
1580                 b4 = b32 & 0xf;
1581                 b4 += delta;
1582                 if (b4 < 0)
1583                         b4 = 0;
1584                 else if (b4 > 0xf)
1585                         b4 = 0xf;
1586                 b32 = b32 >> 4 | b4 << 28;
1587         }
1588         return (b32);
1589 }
1590
1591 static const char *
1592 run_get_rf(uint16_t rev)
1593 {
1594         switch (rev) {
1595         case RT2860_RF_2820:    return "RT2820";
1596         case RT2860_RF_2850:    return "RT2850";
1597         case RT2860_RF_2720:    return "RT2720";
1598         case RT2860_RF_2750:    return "RT2750";
1599         case RT3070_RF_3020:    return "RT3020";
1600         case RT3070_RF_2020:    return "RT2020";
1601         case RT3070_RF_3021:    return "RT3021";
1602         case RT3070_RF_3022:    return "RT3022";
1603         case RT3070_RF_3052:    return "RT3052";
1604         case RT3593_RF_3053:    return "RT3053";
1605         case RT5592_RF_5592:    return "RT5592";
1606         case RT5390_RF_5370:    return "RT5370";
1607         case RT5390_RF_5372:    return "RT5372";
1608         }
1609         return ("unknown");
1610 }
1611
1612 static void
1613 run_rt3593_get_txpower(struct run_softc *sc)
1614 {
1615         uint16_t addr, val;
1616         int i;
1617
1618         /* Read power settings for 2GHz channels. */
1619         for (i = 0; i < 14; i += 2) {
1620                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1621                     RT2860_EEPROM_PWR2GHZ_BASE1;
1622                 run_srom_read(sc, addr + i / 2, &val);
1623                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1624                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1625
1626                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1627                     RT2860_EEPROM_PWR2GHZ_BASE2;
1628                 run_srom_read(sc, addr + i / 2, &val);
1629                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1630                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1631
1632                 if (sc->ntxchains == 3) {
1633                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1634                             &val);
1635                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1636                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1637                 }
1638         }
1639         /* Fix broken Tx power entries. */
1640         for (i = 0; i < 14; i++) {
1641                 if (sc->txpow1[i] > 31)
1642                         sc->txpow1[i] = 5;
1643                 if (sc->txpow2[i] > 31)
1644                         sc->txpow2[i] = 5;
1645                 if (sc->ntxchains == 3) {
1646                         if (sc->txpow3[i] > 31)
1647                                 sc->txpow3[i] = 5;
1648                 }
1649         }
1650         /* Read power settings for 5GHz channels. */
1651         for (i = 0; i < 40; i += 2) {
1652                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1653                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1654                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1655
1656                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1657                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1658                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1659
1660                 if (sc->ntxchains == 3) {
1661                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1662                             &val);
1663                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1664                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1665                 }
1666         }
1667 }
1668
1669 static void
1670 run_get_txpower(struct run_softc *sc)
1671 {
1672         uint16_t val;
1673         int i;
1674
1675         /* Read power settings for 2GHz channels. */
1676         for (i = 0; i < 14; i += 2) {
1677                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1678                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1679                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1680
1681                 if (sc->mac_ver != 0x5390) {
1682                         run_srom_read(sc,
1683                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1684                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1685                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1686                 }
1687         }
1688         /* Fix broken Tx power entries. */
1689         for (i = 0; i < 14; i++) {
1690                 if (sc->mac_ver >= 0x5390) {
1691                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1692                                 sc->txpow1[i] = 5;
1693                 } else {
1694                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1695                                 sc->txpow1[i] = 5;
1696                 }
1697                 if (sc->mac_ver > 0x5390) {
1698                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1699                                 sc->txpow2[i] = 5;
1700                 } else if (sc->mac_ver < 0x5390) {
1701                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1702                                 sc->txpow2[i] = 5;
1703                 }
1704                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1705                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1706         }
1707         /* Read power settings for 5GHz channels. */
1708         for (i = 0; i < 40; i += 2) {
1709                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1710                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1711                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1712
1713                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1714                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1715                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1716         }
1717         /* Fix broken Tx power entries. */
1718         for (i = 0; i < 40; i++ ) {
1719                 if (sc->mac_ver != 0x5592) {
1720                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1721                                 sc->txpow1[14 + i] = 5;
1722                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1723                                 sc->txpow2[14 + i] = 5;
1724                 }
1725                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1726                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1727                     sc->txpow2[14 + i]);
1728         }
1729 }
1730
1731 static int
1732 run_read_eeprom(struct run_softc *sc)
1733 {
1734         int8_t delta_2ghz, delta_5ghz;
1735         uint32_t tmp;
1736         uint16_t val;
1737         int ridx, ant, i;
1738
1739         /* check whether the ROM is eFUSE ROM or EEPROM */
1740         sc->sc_srom_read = run_eeprom_read_2;
1741         if (sc->mac_ver >= 0x3070) {
1742                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1743                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1744                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1745                         sc->sc_srom_read = run_efuse_read_2;
1746         }
1747
1748         /* read ROM version */
1749         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1750         DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1751
1752         /* read MAC address */
1753         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1754         sc->sc_bssid[0] = val & 0xff;
1755         sc->sc_bssid[1] = val >> 8;
1756         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1757         sc->sc_bssid[2] = val & 0xff;
1758         sc->sc_bssid[3] = val >> 8;
1759         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1760         sc->sc_bssid[4] = val & 0xff;
1761         sc->sc_bssid[5] = val >> 8;
1762
1763         if (sc->mac_ver < 0x3593) {
1764                 /* read vender BBP settings */
1765                 for (i = 0; i < 10; i++) {
1766                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1767                         sc->bbp[i].val = val & 0xff;
1768                         sc->bbp[i].reg = val >> 8;
1769                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1770                             sc->bbp[i].val);
1771                 }
1772                 if (sc->mac_ver >= 0x3071) {
1773                         /* read vendor RF settings */
1774                         for (i = 0; i < 10; i++) {
1775                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1776                                    &val);
1777                                 sc->rf[i].val = val & 0xff;
1778                                 sc->rf[i].reg = val >> 8;
1779                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1780                                     sc->rf[i].val);
1781                         }
1782                 }
1783         }
1784
1785         /* read RF frequency offset from EEPROM */
1786         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1787             RT3593_EEPROM_FREQ, &val);
1788         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1789         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1790
1791         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1792             RT3593_EEPROM_FREQ_LEDS, &val);
1793         if (val >> 8 != 0xff) {
1794                 /* read LEDs operating mode */
1795                 sc->leds = val >> 8;
1796                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1797                     RT3593_EEPROM_LED1, &sc->led[0]);
1798                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1799                     RT3593_EEPROM_LED2, &sc->led[1]);
1800                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1801                     RT3593_EEPROM_LED3, &sc->led[2]);
1802         } else {
1803                 /* broken EEPROM, use default settings */
1804                 sc->leds = 0x01;
1805                 sc->led[0] = 0x5555;
1806                 sc->led[1] = 0x2221;
1807                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1808         }
1809         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1810             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1811
1812         /* read RF information */
1813         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1814                 run_srom_read(sc, 0x00, &val);
1815         else
1816                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1817
1818         if (val == 0xffff) {
1819                 device_printf(sc->sc_dev,
1820                     "invalid EEPROM antenna info, using default\n");
1821                 DPRINTF("invalid EEPROM antenna info, using default\n");
1822                 if (sc->mac_ver == 0x3572) {
1823                         /* default to RF3052 2T2R */
1824                         sc->rf_rev = RT3070_RF_3052;
1825                         sc->ntxchains = 2;
1826                         sc->nrxchains = 2;
1827                 } else if (sc->mac_ver >= 0x3070) {
1828                         /* default to RF3020 1T1R */
1829                         sc->rf_rev = RT3070_RF_3020;
1830                         sc->ntxchains = 1;
1831                         sc->nrxchains = 1;
1832                 } else {
1833                         /* default to RF2820 1T2R */
1834                         sc->rf_rev = RT2860_RF_2820;
1835                         sc->ntxchains = 1;
1836                         sc->nrxchains = 2;
1837                 }
1838         } else {
1839                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1840                         sc->rf_rev = val;
1841                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1842                 } else
1843                         sc->rf_rev = (val >> 8) & 0xf;
1844                 sc->ntxchains = (val >> 4) & 0xf;
1845                 sc->nrxchains = val & 0xf;
1846         }
1847         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1848             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1849
1850         /* check if RF supports automatic Tx access gain control */
1851         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1852         DPRINTF("EEPROM CFG 0x%04x\n", val);
1853         /* check if driver should patch the DAC issue */
1854         if ((val >> 8) != 0xff)
1855                 sc->patch_dac = (val >> 15) & 1;
1856         if ((val & 0xff) != 0xff) {
1857                 sc->ext_5ghz_lna = (val >> 3) & 1;
1858                 sc->ext_2ghz_lna = (val >> 2) & 1;
1859                 /* check if RF supports automatic Tx access gain control */
1860                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1861                 /* check if we have a hardware radio switch */
1862                 sc->rfswitch = val & 1;
1863         }
1864
1865         /* Read Tx power settings. */
1866         if (sc->mac_ver == 0x3593)
1867                 run_rt3593_get_txpower(sc);
1868         else
1869                 run_get_txpower(sc);
1870
1871         /* read Tx power compensation for each Tx rate */
1872         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1873         delta_2ghz = delta_5ghz = 0;
1874         if ((val & 0xff) != 0xff && (val & 0x80)) {
1875                 delta_2ghz = val & 0xf;
1876                 if (!(val & 0x40))      /* negative number */
1877                         delta_2ghz = -delta_2ghz;
1878         }
1879         val >>= 8;
1880         if ((val & 0xff) != 0xff && (val & 0x80)) {
1881                 delta_5ghz = val & 0xf;
1882                 if (!(val & 0x40))      /* negative number */
1883                         delta_5ghz = -delta_5ghz;
1884         }
1885         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1886             delta_2ghz, delta_5ghz);
1887
1888         for (ridx = 0; ridx < 5; ridx++) {
1889                 uint32_t reg;
1890
1891                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1892                 reg = val;
1893                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1894                 reg |= (uint32_t)val << 16;
1895
1896                 sc->txpow20mhz[ridx] = reg;
1897                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1898                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1899
1900                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1901                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1902                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1903         }
1904
1905         /* Read RSSI offsets and LNA gains from EEPROM. */
1906         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1907             RT3593_EEPROM_RSSI1_2GHZ, &val);
1908         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1909         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1910         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1911             RT3593_EEPROM_RSSI2_2GHZ, &val);
1912         if (sc->mac_ver >= 0x3070) {
1913                 if (sc->mac_ver == 0x3593) {
1914                         sc->txmixgain_2ghz = 0;
1915                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1916                 } else {
1917                         /*
1918                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1919                          * field contains the Tx mixer gain for the 2GHz band.
1920                          */
1921                         if ((val & 0xff) != 0xff)
1922                                 sc->txmixgain_2ghz = val & 0x7;
1923                 }
1924                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1925         } else
1926                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1927         if (sc->mac_ver == 0x3593)
1928                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1929         sc->lna[2] = val >> 8;          /* channel group 2 */
1930
1931         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1932             RT3593_EEPROM_RSSI1_5GHZ, &val);
1933         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1934         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1935         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1936             RT3593_EEPROM_RSSI2_5GHZ, &val);
1937         if (sc->mac_ver == 0x3572) {
1938                 /*
1939                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1940                  * field contains the Tx mixer gain for the 5GHz band.
1941                  */
1942                 if ((val & 0xff) != 0xff)
1943                         sc->txmixgain_5ghz = val & 0x7;
1944                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1945         } else
1946                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1947         if (sc->mac_ver == 0x3593) {
1948                 sc->txmixgain_5ghz = 0;
1949                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1950         }
1951         sc->lna[3] = val >> 8;          /* channel group 3 */
1952
1953         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1954             RT3593_EEPROM_LNA, &val);
1955         sc->lna[0] = val & 0xff;        /* channel group 0 */
1956         sc->lna[1] = val >> 8;          /* channel group 1 */
1957
1958         /* fix broken 5GHz LNA entries */
1959         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1960                 DPRINTF("invalid LNA for channel group %d\n", 2);
1961                 sc->lna[2] = sc->lna[1];
1962         }
1963         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1964                 DPRINTF("invalid LNA for channel group %d\n", 3);
1965                 sc->lna[3] = sc->lna[1];
1966         }
1967
1968         /* fix broken RSSI offset entries */
1969         for (ant = 0; ant < 3; ant++) {
1970                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1971                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1972                             ant + 1, sc->rssi_2ghz[ant]);
1973                         sc->rssi_2ghz[ant] = 0;
1974                 }
1975                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1976                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1977                             ant + 1, sc->rssi_5ghz[ant]);
1978                         sc->rssi_5ghz[ant] = 0;
1979                 }
1980         }
1981         return (0);
1982 }
1983
1984 static struct ieee80211_node *
1985 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1986 {
1987         return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1988 }
1989
1990 static int
1991 run_media_change(struct ifnet *ifp)
1992 {
1993         struct ieee80211vap *vap = ifp->if_softc;
1994         struct ieee80211com *ic = vap->iv_ic;
1995         const struct ieee80211_txparam *tp;
1996         struct run_softc *sc = ic->ic_ifp->if_softc;
1997         uint8_t rate, ridx;
1998         int error;
1999
2000         RUN_LOCK(sc);
2001
2002         error = ieee80211_media_change(ifp);
2003         if (error != ENETRESET) {
2004                 RUN_UNLOCK(sc);
2005                 return (error);
2006         }
2007
2008         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2009         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2010                 struct ieee80211_node *ni;
2011                 struct run_node *rn;
2012
2013                 rate = ic->ic_sup_rates[ic->ic_curmode].
2014                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2015                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2016                         if (rt2860_rates[ridx].rate == rate)
2017                                 break;
2018                 ni = ieee80211_ref_node(vap->iv_bss);
2019                 rn = (struct run_node *)ni;
2020                 rn->fix_ridx = ridx;
2021                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2022                 ieee80211_free_node(ni);
2023         }
2024
2025 #if 0
2026         if ((ifp->if_flags & IFF_UP) &&
2027             (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2028                 run_init_locked(sc);
2029         }
2030 #endif
2031
2032         RUN_UNLOCK(sc);
2033
2034         return (0);
2035 }
2036
2037 static int
2038 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2039 {
2040         const struct ieee80211_txparam *tp;
2041         struct ieee80211com *ic = vap->iv_ic;
2042         struct run_softc *sc = ic->ic_ifp->if_softc;
2043         struct run_vap *rvp = RUN_VAP(vap);
2044         enum ieee80211_state ostate;
2045         uint32_t sta[3];
2046         uint32_t tmp;
2047         uint8_t ratectl;
2048         uint8_t restart_ratectl = 0;
2049         uint8_t bid = 1 << rvp->rvp_id;
2050
2051         ostate = vap->iv_state;
2052         DPRINTF("%s -> %s\n",
2053                 ieee80211_state_name[ostate],
2054                 ieee80211_state_name[nstate]);
2055
2056         IEEE80211_UNLOCK(ic);
2057         RUN_LOCK(sc);
2058
2059         ratectl = sc->ratectl_run; /* remember current state */
2060         sc->ratectl_run = RUN_RATECTL_OFF;
2061         usb_callout_stop(&sc->ratectl_ch);
2062
2063         if (ostate == IEEE80211_S_RUN) {
2064                 /* turn link LED off */
2065                 run_set_leds(sc, RT2860_LED_RADIO);
2066         }
2067
2068         switch (nstate) {
2069         case IEEE80211_S_INIT:
2070                 restart_ratectl = 1;
2071
2072                 if (ostate != IEEE80211_S_RUN)
2073                         break;
2074
2075                 ratectl &= ~bid;
2076                 sc->runbmap &= ~bid;
2077
2078                 /* abort TSF synchronization if there is no vap running */
2079                 if (--sc->running == 0) {
2080                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2081                         run_write(sc, RT2860_BCN_TIME_CFG,
2082                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2083                             RT2860_TBTT_TIMER_EN));
2084                 }
2085                 break;
2086
2087         case IEEE80211_S_RUN:
2088                 if (!(sc->runbmap & bid)) {
2089                         if(sc->running++)
2090                                 restart_ratectl = 1;
2091                         sc->runbmap |= bid;
2092                 }
2093
2094                 m_freem(rvp->beacon_mbuf);
2095                 rvp->beacon_mbuf = NULL;
2096
2097                 switch (vap->iv_opmode) {
2098                 case IEEE80211_M_HOSTAP:
2099                 case IEEE80211_M_MBSS:
2100                         sc->ap_running |= bid;
2101                         ic->ic_opmode = vap->iv_opmode;
2102                         run_update_beacon_cb(vap);
2103                         break;
2104                 case IEEE80211_M_IBSS:
2105                         sc->adhoc_running |= bid;
2106                         if (!sc->ap_running)
2107                                 ic->ic_opmode = vap->iv_opmode;
2108                         run_update_beacon_cb(vap);
2109                         break;
2110                 case IEEE80211_M_STA:
2111                         sc->sta_running |= bid;
2112                         if (!sc->ap_running && !sc->adhoc_running)
2113                                 ic->ic_opmode = vap->iv_opmode;
2114
2115                         /* read statistic counters (clear on read) */
2116                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2117                             (uint8_t *)sta, sizeof sta);
2118
2119                         break;
2120                 default:
2121                         ic->ic_opmode = vap->iv_opmode;
2122                         break;
2123                 }
2124
2125                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2126                         struct ieee80211_node *ni;
2127
2128                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2129                                 RUN_UNLOCK(sc);
2130                                 IEEE80211_LOCK(ic);
2131                                 return (-1);
2132                         }
2133                         run_updateslot(ic->ic_ifp);
2134                         run_enable_mrr(sc);
2135                         run_set_txpreamble(sc);
2136                         run_set_basicrates(sc);
2137                         ni = ieee80211_ref_node(vap->iv_bss);
2138                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2139                         run_set_bssid(sc, ni->ni_bssid);
2140                         ieee80211_free_node(ni);
2141                         run_enable_tsf_sync(sc);
2142
2143                         /* enable automatic rate adaptation */
2144                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2145                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2146                                 ratectl |= bid;
2147                 }
2148
2149                 /* turn link LED on */
2150                 run_set_leds(sc, RT2860_LED_RADIO |
2151                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2152                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2153
2154                 break;
2155         default:
2156                 DPRINTFN(6, "undefined case\n");
2157                 break;
2158         }
2159
2160         /* restart amrr for running VAPs */
2161         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2162                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2163
2164         RUN_UNLOCK(sc);
2165         IEEE80211_LOCK(ic);
2166
2167         return(rvp->newstate(vap, nstate, arg));
2168 }
2169
2170 /* ARGSUSED */
2171 static void
2172 run_wme_update_cb(void *arg)
2173 {
2174         struct ieee80211com *ic = arg;
2175         struct run_softc *sc = ic->ic_ifp->if_softc;
2176         struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2177         int aci, error = 0;
2178
2179         RUN_LOCK_ASSERT(sc, MA_OWNED);
2180
2181         /* update MAC TX configuration registers */
2182         for (aci = 0; aci < WME_NUM_AC; aci++) {
2183                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2184                     wmesp->wme_params[aci].wmep_logcwmax << 16 |
2185                     wmesp->wme_params[aci].wmep_logcwmin << 12 |
2186                     wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2187                     wmesp->wme_params[aci].wmep_txopLimit);
2188                 if (error) goto err;
2189         }
2190
2191         /* update SCH/DMA registers too */
2192         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2193             wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2194             wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2195             wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2196             wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2197         if (error) goto err;
2198         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2199             wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2200             wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2201             wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2202             wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2203         if (error) goto err;
2204         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2205             wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2206             wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2207             wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2208             wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2209         if (error) goto err;
2210         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2211             wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2212             wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2213         if (error) goto err;
2214         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2215             wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2216             wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2217
2218 err:
2219         if (error)
2220                 DPRINTF("WME update failed\n");
2221
2222         return;
2223 }
2224
2225 static int
2226 run_wme_update(struct ieee80211com *ic)
2227 {
2228         struct run_softc *sc = ic->ic_ifp->if_softc;
2229
2230         /* sometime called wothout lock */
2231         if (mtx_owned(&ic->ic_comlock.mtx)) {
2232                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2233                 DPRINTF("cmdq_store=%d\n", i);
2234                 sc->cmdq[i].func = run_wme_update_cb;
2235                 sc->cmdq[i].arg0 = ic;
2236                 ieee80211_runtask(ic, &sc->cmdq_task);
2237                 return (0);
2238         }
2239
2240         RUN_LOCK(sc);
2241         run_wme_update_cb(ic);
2242         RUN_UNLOCK(sc);
2243
2244         /* return whatever, upper layer desn't care anyway */
2245         return (0);
2246 }
2247
2248 static void
2249 run_key_update_begin(struct ieee80211vap *vap)
2250 {
2251         /*
2252          * To avoid out-of-order events, both run_key_set() and
2253          * _delete() are deferred and handled by run_cmdq_cb().
2254          * So, there is nothing we need to do here.
2255          */
2256 }
2257
2258 static void
2259 run_key_update_end(struct ieee80211vap *vap)
2260 {
2261         /* null */
2262 }
2263
2264 static void
2265 run_key_set_cb(void *arg)
2266 {
2267         struct run_cmdq *cmdq = arg;
2268         struct ieee80211vap *vap = cmdq->arg1;
2269         struct ieee80211_key *k = cmdq->k;
2270         struct ieee80211com *ic = vap->iv_ic;
2271         struct run_softc *sc = ic->ic_ifp->if_softc;
2272         struct ieee80211_node *ni;
2273         uint32_t attr;
2274         uint16_t base, associd;
2275         uint8_t mode, wcid, iv[8];
2276
2277         RUN_LOCK_ASSERT(sc, MA_OWNED);
2278
2279         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2280                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2281         else
2282                 ni = vap->iv_bss;
2283         associd = (ni != NULL) ? ni->ni_associd : 0;
2284
2285         /* map net80211 cipher to RT2860 security mode */
2286         switch (k->wk_cipher->ic_cipher) {
2287         case IEEE80211_CIPHER_WEP:
2288                 if(k->wk_keylen < 8)
2289                         mode = RT2860_MODE_WEP40;
2290                 else
2291                         mode = RT2860_MODE_WEP104;
2292                 break;
2293         case IEEE80211_CIPHER_TKIP:
2294                 mode = RT2860_MODE_TKIP;
2295                 break;
2296         case IEEE80211_CIPHER_AES_CCM:
2297                 mode = RT2860_MODE_AES_CCMP;
2298                 break;
2299         default:
2300                 DPRINTF("undefined case\n");
2301                 return;
2302         }
2303
2304         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2305             associd, k->wk_keyix, mode,
2306             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2307             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2308             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2309
2310         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2311                 wcid = 0;       /* NB: update WCID0 for group keys */
2312                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2313         } else {
2314                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2315                     1 : RUN_AID2WCID(associd);
2316                 base = RT2860_PKEY(wcid);
2317         }
2318
2319         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2320                 if(run_write_region_1(sc, base, k->wk_key, 16))
2321                         return;
2322                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2323                         return;
2324                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2325                         return;
2326         } else {
2327                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2328                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2329                         return;
2330         }
2331
2332         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2333             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2334                 /* set initial packet number in IV+EIV */
2335                 if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2336                         memset(iv, 0, sizeof iv);
2337                         iv[3] = vap->iv_def_txkey << 6;
2338                 } else {
2339                         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2340                                 iv[0] = k->wk_keytsc >> 8;
2341                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2342                                 iv[2] = k->wk_keytsc;
2343                         } else /* CCMP */ {
2344                                 iv[0] = k->wk_keytsc;
2345                                 iv[1] = k->wk_keytsc >> 8;
2346                                 iv[2] = 0;
2347                         }
2348                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2349                         iv[4] = k->wk_keytsc >> 16;
2350                         iv[5] = k->wk_keytsc >> 24;
2351                         iv[6] = k->wk_keytsc >> 32;
2352                         iv[7] = k->wk_keytsc >> 40;
2353                 }
2354                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2355                         return;
2356         }
2357
2358         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2359                 /* install group key */
2360                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2361                         return;
2362                 attr &= ~(0xf << (k->wk_keyix * 4));
2363                 attr |= mode << (k->wk_keyix * 4);
2364                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2365                         return;
2366         } else {
2367                 /* install pairwise key */
2368                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2369                         return;
2370                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2371                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2372                         return;
2373         }
2374
2375         /* TODO create a pass-thru key entry? */
2376
2377         /* need wcid to delete the right key later */
2378         k->wk_pad = wcid;
2379 }
2380
2381 /*
2382  * Don't have to be deferred, but in order to keep order of
2383  * execution, i.e. with run_key_delete(), defer this and let
2384  * run_cmdq_cb() maintain the order.
2385  *
2386  * return 0 on error
2387  */
2388 static int
2389 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2390                 const uint8_t mac[IEEE80211_ADDR_LEN])
2391 {
2392         struct ieee80211com *ic = vap->iv_ic;
2393         struct run_softc *sc = ic->ic_ifp->if_softc;
2394         uint32_t i;
2395
2396         i = RUN_CMDQ_GET(&sc->cmdq_store);
2397         DPRINTF("cmdq_store=%d\n", i);
2398         sc->cmdq[i].func = run_key_set_cb;
2399         sc->cmdq[i].arg0 = NULL;
2400         sc->cmdq[i].arg1 = vap;
2401         sc->cmdq[i].k = k;
2402         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2403         ieee80211_runtask(ic, &sc->cmdq_task);
2404
2405         /*
2406          * To make sure key will be set when hostapd
2407          * calls iv_key_set() before if_init().
2408          */
2409         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2410                 RUN_LOCK(sc);
2411                 sc->cmdq_key_set = RUN_CMDQ_GO;
2412                 RUN_UNLOCK(sc);
2413         }
2414
2415         return (1);
2416 }
2417
2418 /*
2419  * If wlan is destroyed without being brought down i.e. without
2420  * wlan down or wpa_cli terminate, this function is called after
2421  * vap is gone. Don't refer it.
2422  */
2423 static void
2424 run_key_delete_cb(void *arg)
2425 {
2426         struct run_cmdq *cmdq = arg;
2427         struct run_softc *sc = cmdq->arg1;
2428         struct ieee80211_key *k = &cmdq->key;
2429         uint32_t attr;
2430         uint8_t wcid;
2431
2432         RUN_LOCK_ASSERT(sc, MA_OWNED);
2433
2434         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2435                 /* remove group key */
2436                 DPRINTF("removing group key\n");
2437                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2438                 attr &= ~(0xf << (k->wk_keyix * 4));
2439                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2440         } else {
2441                 /* remove pairwise key */
2442                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2443                 /* matching wcid was written to wk_pad in run_key_set() */
2444                 wcid = k->wk_pad;
2445                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2446                 attr &= ~0xf;
2447                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2448                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2449         }
2450
2451         k->wk_pad = 0;
2452 }
2453
2454 /*
2455  * return 0 on error
2456  */
2457 static int
2458 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2459 {
2460         struct ieee80211com *ic = vap->iv_ic;
2461         struct run_softc *sc = ic->ic_ifp->if_softc;
2462         struct ieee80211_key *k0;
2463         uint32_t i;
2464
2465         /*
2466          * When called back, key might be gone. So, make a copy
2467          * of some values need to delete keys before deferring.
2468          * But, because of LOR with node lock, cannot use lock here.
2469          * So, use atomic instead.
2470          */
2471         i = RUN_CMDQ_GET(&sc->cmdq_store);
2472         DPRINTF("cmdq_store=%d\n", i);
2473         sc->cmdq[i].func = run_key_delete_cb;
2474         sc->cmdq[i].arg0 = NULL;
2475         sc->cmdq[i].arg1 = sc;
2476         k0 = &sc->cmdq[i].key;
2477         k0->wk_flags = k->wk_flags;
2478         k0->wk_keyix = k->wk_keyix;
2479         /* matching wcid was written to wk_pad in run_key_set() */
2480         k0->wk_pad = k->wk_pad;
2481         ieee80211_runtask(ic, &sc->cmdq_task);
2482         return (1);     /* return fake success */
2483
2484 }
2485
2486 static void
2487 run_ratectl_to(void *arg)
2488 {
2489         struct run_softc *sc = arg;
2490
2491         /* do it in a process context, so it can go sleep */
2492         ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2493         /* next timeout will be rescheduled in the callback task */
2494 }
2495
2496 /* ARGSUSED */
2497 static void
2498 run_ratectl_cb(void *arg, int pending)
2499 {
2500         struct run_softc *sc = arg;
2501         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2502         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2503
2504         if (vap == NULL)
2505                 return;
2506
2507         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA)
2508                 run_iter_func(sc, vap->iv_bss);
2509         else {
2510                 /*
2511                  * run_reset_livelock() doesn't do anything with AMRR,
2512                  * but Ralink wants us to call it every 1 sec. So, we
2513                  * piggyback here rather than creating another callout.
2514                  * Livelock may occur only in HOSTAP or IBSS mode
2515                  * (when h/w is sending beacons).
2516                  */
2517                 RUN_LOCK(sc);
2518                 run_reset_livelock(sc);
2519                 /* just in case, there are some stats to drain */
2520                 run_drain_fifo(sc);
2521                 RUN_UNLOCK(sc);
2522                 ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2523         }
2524
2525         RUN_LOCK(sc);
2526         if(sc->ratectl_run != RUN_RATECTL_OFF)
2527                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2528         RUN_UNLOCK(sc);
2529 }
2530
2531 static void
2532 run_drain_fifo(void *arg)
2533 {
2534         struct run_softc *sc = arg;
2535         struct ifnet *ifp = sc->sc_ifp;
2536         uint32_t stat;
2537         uint16_t (*wstat)[3];
2538         uint8_t wcid, mcs, pid;
2539         int8_t retry;
2540
2541         RUN_LOCK_ASSERT(sc, MA_OWNED);
2542
2543         for (;;) {
2544                 /* drain Tx status FIFO (maxsize = 16) */
2545                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2546                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2547                 if (!(stat & RT2860_TXQ_VLD))
2548                         break;
2549
2550                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2551
2552                 /* if no ACK was requested, no feedback is available */
2553                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2554                     wcid == 0)
2555                         continue;
2556
2557                 /*
2558                  * Even though each stat is Tx-complete-status like format,
2559                  * the device can poll stats. Because there is no guarantee
2560                  * that the referring node is still around when read the stats.
2561                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2562                  * have hard time not to refer already freed node.
2563                  *
2564                  * To eliminate such page faults, we poll stats in softc.
2565                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2566                  */
2567                 wstat = &(sc->wcid_stats[wcid]);
2568                 (*wstat)[RUN_TXCNT]++;
2569                 if (stat & RT2860_TXQ_OK)
2570                         (*wstat)[RUN_SUCCESS]++;
2571                 else
2572                         ifp->if_oerrors++;
2573                 /*
2574                  * Check if there were retries, ie if the Tx success rate is
2575                  * different from the requested rate. Note that it works only
2576                  * because we do not allow rate fallback from OFDM to CCK.
2577                  */
2578                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2579                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2580                 if ((retry = pid -1 - mcs) > 0) {
2581                         (*wstat)[RUN_TXCNT] += retry;
2582                         (*wstat)[RUN_RETRY] += retry;
2583                 }
2584         }
2585         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2586
2587         sc->fifo_cnt = 0;
2588 }
2589
2590 static void
2591 run_iter_func(void *arg, struct ieee80211_node *ni)
2592 {
2593         struct run_softc *sc = arg;
2594         struct ieee80211vap *vap = ni->ni_vap;
2595         struct ieee80211com *ic = ni->ni_ic;
2596         struct ifnet *ifp = ic->ic_ifp;
2597         struct run_node *rn = (void *)ni;
2598         union run_stats sta[2];
2599         uint16_t (*wstat)[3];
2600         int txcnt, success, retrycnt, error;
2601
2602         RUN_LOCK(sc);
2603
2604         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2605             vap->iv_opmode == IEEE80211_M_STA)) {
2606                 /* read statistic counters (clear on read) and update AMRR state */
2607                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2608                     sizeof sta);
2609                 if (error != 0)
2610                         goto fail;
2611
2612                 /* count failed TX as errors */
2613                 ifp->if_oerrors += le16toh(sta[0].error.fail);
2614
2615                 retrycnt = le16toh(sta[1].tx.retry);
2616                 success = le16toh(sta[1].tx.success);
2617                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2618
2619                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2620                         retrycnt, success, le16toh(sta[0].error.fail));
2621         } else {
2622                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2623
2624                 if (wstat == &(sc->wcid_stats[0]) ||
2625                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2626                         goto fail;
2627
2628                 txcnt = (*wstat)[RUN_TXCNT];
2629                 success = (*wstat)[RUN_SUCCESS];
2630                 retrycnt = (*wstat)[RUN_RETRY];
2631                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2632                     retrycnt, txcnt, success);
2633
2634                 memset(wstat, 0, sizeof(*wstat));
2635         }
2636
2637         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2638         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2639
2640 fail:
2641         RUN_UNLOCK(sc);
2642
2643         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2644 }
2645
2646 static void
2647 run_newassoc_cb(void *arg)
2648 {
2649         struct run_cmdq *cmdq = arg;
2650         struct ieee80211_node *ni = cmdq->arg1;
2651         struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2652         uint8_t wcid = cmdq->wcid;
2653
2654         RUN_LOCK_ASSERT(sc, MA_OWNED);
2655
2656         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2657             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2658
2659         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2660 }
2661
2662 static void
2663 run_newassoc(struct ieee80211_node *ni, int isnew)
2664 {
2665         struct run_node *rn = (void *)ni;
2666         struct ieee80211_rateset *rs = &ni->ni_rates;
2667         struct ieee80211vap *vap = ni->ni_vap;
2668         struct ieee80211com *ic = vap->iv_ic;
2669         struct run_softc *sc = ic->ic_ifp->if_softc;
2670         uint8_t rate;
2671         uint8_t ridx;
2672         uint8_t wcid;
2673         int i, j;
2674
2675         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2676             1 : RUN_AID2WCID(ni->ni_associd);
2677
2678         if (wcid > RT2870_WCID_MAX) {
2679                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2680                 return;
2681         }
2682
2683         /* only interested in true associations */
2684         if (isnew && ni->ni_associd != 0) {
2685
2686                 /*
2687                  * This function could is called though timeout function.
2688                  * Need to defer.
2689                  */
2690                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2691                 DPRINTF("cmdq_store=%d\n", cnt);
2692                 sc->cmdq[cnt].func = run_newassoc_cb;
2693                 sc->cmdq[cnt].arg0 = NULL;
2694                 sc->cmdq[cnt].arg1 = ni;
2695                 sc->cmdq[cnt].wcid = wcid;
2696                 ieee80211_runtask(ic, &sc->cmdq_task);
2697         }
2698
2699         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2700             isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2701
2702         for (i = 0; i < rs->rs_nrates; i++) {
2703                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2704                 /* convert 802.11 rate to hardware rate index */
2705                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2706                         if (rt2860_rates[ridx].rate == rate)
2707                                 break;
2708                 rn->ridx[i] = ridx;
2709                 /* determine rate of control response frames */
2710                 for (j = i; j >= 0; j--) {
2711                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2712                             rt2860_rates[rn->ridx[i]].phy ==
2713                             rt2860_rates[rn->ridx[j]].phy)
2714                                 break;
2715                 }
2716                 if (j >= 0) {
2717                         rn->ctl_ridx[i] = rn->ridx[j];
2718                 } else {
2719                         /* no basic rate found, use mandatory one */
2720                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2721                 }
2722                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2723                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2724         }
2725         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2726         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2727                 if (rt2860_rates[ridx].rate == rate)
2728                         break;
2729         rn->mgt_ridx = ridx;
2730         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2731
2732         usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2733 }
2734
2735 /*
2736  * Return the Rx chain with the highest RSSI for a given frame.
2737  */
2738 static __inline uint8_t
2739 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2740 {
2741         uint8_t rxchain = 0;
2742
2743         if (sc->nrxchains > 1) {
2744                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2745                         rxchain = 1;
2746                 if (sc->nrxchains > 2)
2747                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2748                                 rxchain = 2;
2749         }
2750         return (rxchain);
2751 }
2752
2753 static void
2754 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2755 {
2756         struct ifnet *ifp = sc->sc_ifp;
2757         struct ieee80211com *ic = ifp->if_l2com;
2758         struct ieee80211_frame *wh;
2759         struct ieee80211_node *ni;
2760         struct rt2870_rxd *rxd;
2761         struct rt2860_rxwi *rxwi;
2762         uint32_t flags;
2763         uint16_t len, rxwisize;
2764         uint8_t ant, rssi;
2765         int8_t nf;
2766
2767         rxwi = mtod(m, struct rt2860_rxwi *);
2768         len = le16toh(rxwi->len) & 0xfff;
2769         rxwisize = sizeof(struct rt2860_rxwi);
2770         if (sc->mac_ver == 0x5592)
2771                 rxwisize += sizeof(uint64_t);
2772         else if (sc->mac_ver == 0x3593)
2773                 rxwisize += sizeof(uint32_t);
2774         if (__predict_false(len > dmalen)) {
2775                 m_freem(m);
2776                 ifp->if_ierrors++;
2777                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2778                 return;
2779         }
2780         /* Rx descriptor is located at the end */
2781         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2782         flags = le32toh(rxd->flags);
2783
2784         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2785                 m_freem(m);
2786                 ifp->if_ierrors++;
2787                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2788                 return;
2789         }
2790
2791         m->m_data += rxwisize;
2792         m->m_pkthdr.len = m->m_len -= rxwisize;
2793
2794         wh = mtod(m, struct ieee80211_frame *);
2795
2796         if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2797                 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
2798                 m->m_flags |= M_WEP;
2799         }
2800
2801         if (flags & RT2860_RX_L2PAD) {
2802                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2803                 len += 2;
2804         }
2805
2806         ni = ieee80211_find_rxnode(ic,
2807             mtod(m, struct ieee80211_frame_min *));
2808
2809         if (__predict_false(flags & RT2860_RX_MICERR)) {
2810                 /* report MIC failures to net80211 for TKIP */
2811                 if (ni != NULL)
2812                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2813                             rxwi->keyidx);
2814                 m_freem(m);
2815                 ifp->if_ierrors++;
2816                 DPRINTF("MIC error. Someone is lying.\n");
2817                 return;
2818         }
2819
2820         ant = run_maxrssi_chain(sc, rxwi);
2821         rssi = rxwi->rssi[ant];
2822         nf = run_rssi2dbm(sc, rssi, ant);
2823
2824         m->m_pkthdr.rcvif = ifp;
2825         m->m_pkthdr.len = m->m_len = len;
2826
2827         if (ni != NULL) {
2828                 (void)ieee80211_input(ni, m, rssi, nf);
2829                 ieee80211_free_node(ni);
2830         } else {
2831                 (void)ieee80211_input_all(ic, m, rssi, nf);
2832         }
2833
2834         if (__predict_false(ieee80211_radiotap_active(ic))) {
2835                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2836                 uint16_t phy;
2837
2838                 tap->wr_flags = 0;
2839                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2840                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2841                 tap->wr_antsignal = rssi;
2842                 tap->wr_antenna = ant;
2843                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2844                 tap->wr_rate = 2;       /* in case it can't be found below */
2845                 phy = le16toh(rxwi->phy);
2846                 switch (phy & RT2860_PHY_MODE) {
2847                 case RT2860_PHY_CCK:
2848                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2849                         case 0: tap->wr_rate =   2; break;
2850                         case 1: tap->wr_rate =   4; break;
2851                         case 2: tap->wr_rate =  11; break;
2852                         case 3: tap->wr_rate =  22; break;
2853                         }
2854                         if (phy & RT2860_PHY_SHPRE)
2855                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2856                         break;
2857                 case RT2860_PHY_OFDM:
2858                         switch (phy & RT2860_PHY_MCS) {
2859                         case 0: tap->wr_rate =  12; break;
2860                         case 1: tap->wr_rate =  18; break;
2861                         case 2: tap->wr_rate =  24; break;
2862                         case 3: tap->wr_rate =  36; break;
2863                         case 4: tap->wr_rate =  48; break;
2864                         case 5: tap->wr_rate =  72; break;
2865                         case 6: tap->wr_rate =  96; break;
2866                         case 7: tap->wr_rate = 108; break;
2867                         }
2868                         break;
2869                 }
2870         }
2871 }
2872
2873 static void
2874 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2875 {
2876         struct run_softc *sc = usbd_xfer_softc(xfer);
2877         struct ifnet *ifp = sc->sc_ifp;
2878         struct mbuf *m = NULL;
2879         struct mbuf *m0;
2880         uint32_t dmalen;
2881         uint16_t rxwisize;
2882         int xferlen;
2883
2884         rxwisize = sizeof(struct rt2860_rxwi);
2885         if (sc->mac_ver == 0x5592)
2886                 rxwisize += sizeof(uint64_t);
2887         else if (sc->mac_ver == 0x3593)
2888                 rxwisize += sizeof(uint32_t);
2889
2890         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2891
2892         switch (USB_GET_STATE(xfer)) {
2893         case USB_ST_TRANSFERRED:
2894
2895                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2896
2897                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2898                     sizeof(struct rt2870_rxd))) {
2899                         DPRINTF("xfer too short %d\n", xferlen);
2900                         goto tr_setup;
2901                 }
2902
2903                 m = sc->rx_m;
2904                 sc->rx_m = NULL;
2905
2906                 /* FALLTHROUGH */
2907         case USB_ST_SETUP:
2908 tr_setup:
2909                 if (sc->rx_m == NULL) {
2910                         sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2911                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2912                 }
2913                 if (sc->rx_m == NULL) {
2914                         DPRINTF("could not allocate mbuf - idle with stall\n");
2915                         ifp->if_ierrors++;
2916                         usbd_xfer_set_stall(xfer);
2917                         usbd_xfer_set_frames(xfer, 0);
2918                 } else {
2919                         /*
2920                          * Directly loading a mbuf cluster into DMA to
2921                          * save some data copying. This works because
2922                          * there is only one cluster.
2923                          */
2924                         usbd_xfer_set_frame_data(xfer, 0,
2925                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2926                         usbd_xfer_set_frames(xfer, 1);
2927                 }
2928                 usbd_transfer_submit(xfer);
2929                 break;
2930
2931         default:        /* Error */
2932                 if (error != USB_ERR_CANCELLED) {
2933                         /* try to clear stall first */
2934                         usbd_xfer_set_stall(xfer);
2935
2936                         if (error == USB_ERR_TIMEOUT)
2937                                 device_printf(sc->sc_dev, "device timeout\n");
2938
2939                         ifp->if_ierrors++;
2940
2941                         goto tr_setup;
2942                 }
2943                 if (sc->rx_m != NULL) {
2944                         m_freem(sc->rx_m);
2945                         sc->rx_m = NULL;
2946                 }
2947                 break;
2948         }
2949
2950         if (m == NULL)
2951                 return;
2952
2953         /* inputting all the frames must be last */
2954
2955         RUN_UNLOCK(sc);
2956
2957         m->m_pkthdr.len = m->m_len = xferlen;
2958
2959         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2960         for(;;) {
2961                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2962
2963                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2964                     ((dmalen & 3) != 0)) {
2965                         DPRINTF("bad DMA length %u\n", dmalen);
2966                         break;
2967                 }
2968                 if ((dmalen + 8) > (uint32_t)xferlen) {
2969                         DPRINTF("bad DMA length %u > %d\n",
2970                         dmalen + 8, xferlen);
2971                         break;
2972                 }
2973
2974                 /* If it is the last one or a single frame, we won't copy. */
2975                 if ((xferlen -= dmalen + 8) <= 8) {
2976                         /* trim 32-bit DMA-len header */
2977                         m->m_data += 4;
2978                         m->m_pkthdr.len = m->m_len -= 4;
2979                         run_rx_frame(sc, m, dmalen);
2980                         m = NULL;       /* don't free source buffer */
2981                         break;
2982                 }
2983
2984                 /* copy aggregated frames to another mbuf */
2985                 m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2986                 if (__predict_false(m0 == NULL)) {
2987                         DPRINTF("could not allocate mbuf\n");
2988                         ifp->if_ierrors++;
2989                         break;
2990                 }
2991                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2992                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2993                 m0->m_pkthdr.len = m0->m_len =
2994                     dmalen + sizeof(struct rt2870_rxd);
2995                 run_rx_frame(sc, m0, dmalen);
2996
2997                 /* update data ptr */
2998                 m->m_data += dmalen + 8;
2999                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
3000         }
3001
3002         /* make sure we free the source buffer, if any */
3003         m_freem(m);
3004
3005         RUN_LOCK(sc);
3006 }
3007
3008 static void
3009 run_tx_free(struct run_endpoint_queue *pq,
3010     struct run_tx_data *data, int txerr)
3011 {
3012         if (data->m != NULL) {
3013                 if (data->m->m_flags & M_TXCB)
3014                         ieee80211_process_callback(data->ni, data->m,
3015                             txerr ? ETIMEDOUT : 0);
3016                 m_freem(data->m);
3017                 data->m = NULL;
3018
3019                 if (data->ni == NULL) {
3020                         DPRINTF("no node\n");
3021                 } else {
3022                         ieee80211_free_node(data->ni);
3023                         data->ni = NULL;
3024                 }
3025         }
3026
3027         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3028         pq->tx_nfree++;
3029 }
3030
3031 static void
3032 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3033 {
3034         struct run_softc *sc = usbd_xfer_softc(xfer);
3035         struct ifnet *ifp = sc->sc_ifp;
3036         struct ieee80211com *ic = ifp->if_l2com;
3037         struct run_tx_data *data;
3038         struct ieee80211vap *vap = NULL;
3039         struct usb_page_cache *pc;
3040         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3041         struct mbuf *m;
3042         usb_frlength_t size;
3043         int actlen;
3044         int sumlen;
3045
3046         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3047
3048         switch (USB_GET_STATE(xfer)) {
3049         case USB_ST_TRANSFERRED:
3050                 DPRINTFN(11, "transfer complete: %d "
3051                     "bytes @ index %d\n", actlen, index);
3052
3053                 data = usbd_xfer_get_priv(xfer);
3054
3055                 run_tx_free(pq, data, 0);
3056                 ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3057
3058                 usbd_xfer_set_priv(xfer, NULL);
3059
3060                 ifp->if_opackets++;
3061
3062                 /* FALLTHROUGH */
3063         case USB_ST_SETUP:
3064 tr_setup:
3065                 data = STAILQ_FIRST(&pq->tx_qh);
3066                 if (data == NULL)
3067                         break;
3068
3069                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3070
3071                 m = data->m;
3072                 size = (sc->mac_ver == 0x5592) ?
3073                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3074                 if ((m->m_pkthdr.len +
3075                     size + 3 + 8) > RUN_MAX_TXSZ) {
3076                         DPRINTF("data overflow, %u bytes\n",
3077                             m->m_pkthdr.len);
3078
3079                         ifp->if_oerrors++;
3080
3081                         run_tx_free(pq, data, 1);
3082
3083                         goto tr_setup;
3084                 }
3085
3086                 pc = usbd_xfer_get_frame(xfer, 0);
3087                 usbd_copy_in(pc, 0, &data->desc, size);
3088                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3089                 size += m->m_pkthdr.len;
3090                 /*
3091                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3092                  * 4-byte padding), and be sure to zero those trailing
3093                  * bytes:
3094                  */
3095                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3096                 size += ((-size) & 3) + 8;
3097
3098                 vap = data->ni->ni_vap;
3099                 if (ieee80211_radiotap_active_vap(vap)) {
3100                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3101                         struct rt2860_txwi *txwi =
3102                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3103                         tap->wt_flags = 0;
3104                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3105                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3106                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3107                         tap->wt_hwqueue = index;
3108                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3109                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3110
3111                         ieee80211_radiotap_tx(vap, m);
3112                 }
3113
3114                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3115                     m->m_pkthdr.len, size, index);
3116
3117                 usbd_xfer_set_frame_len(xfer, 0, size);
3118                 usbd_xfer_set_priv(xfer, data);
3119
3120                 usbd_transfer_submit(xfer);
3121
3122                 RUN_UNLOCK(sc);
3123                 run_start(ifp);
3124                 RUN_LOCK(sc);
3125
3126                 break;
3127
3128         default:
3129                 DPRINTF("USB transfer error, %s\n",
3130                     usbd_errstr(error));
3131
3132                 data = usbd_xfer_get_priv(xfer);
3133
3134                 ifp->if_oerrors++;
3135
3136                 if (data != NULL) {
3137                         if(data->ni != NULL)
3138                                 vap = data->ni->ni_vap;
3139                         run_tx_free(pq, data, error);
3140                         usbd_xfer_set_priv(xfer, NULL);
3141                 }
3142                 if (vap == NULL)
3143                         vap = TAILQ_FIRST(&ic->ic_vaps);
3144
3145                 if (error != USB_ERR_CANCELLED) {
3146                         if (error == USB_ERR_TIMEOUT) {
3147                                 device_printf(sc->sc_dev, "device timeout\n");
3148                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3149                                 DPRINTF("cmdq_store=%d\n", i);
3150                                 sc->cmdq[i].func = run_usb_timeout_cb;
3151                                 sc->cmdq[i].arg0 = vap;
3152                                 ieee80211_runtask(ic, &sc->cmdq_task);
3153                         }
3154
3155                         /*
3156                          * Try to clear stall first, also if other
3157                          * errors occur, hence clearing stall
3158                          * introduces a 50 ms delay:
3159                          */
3160                         usbd_xfer_set_stall(xfer);
3161                         goto tr_setup;
3162                 }
3163                 break;
3164         }
3165 }
3166
3167 static void
3168 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3169 {
3170         run_bulk_tx_callbackN(xfer, error, 0);
3171 }
3172
3173 static void
3174 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3175 {
3176         run_bulk_tx_callbackN(xfer, error, 1);
3177 }
3178
3179 static void
3180 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3181 {
3182         run_bulk_tx_callbackN(xfer, error, 2);
3183 }
3184
3185 static void
3186 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3187 {
3188         run_bulk_tx_callbackN(xfer, error, 3);
3189 }
3190
3191 static void
3192 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3193 {
3194         run_bulk_tx_callbackN(xfer, error, 4);
3195 }
3196
3197 static void
3198 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3199 {
3200         run_bulk_tx_callbackN(xfer, error, 5);
3201 }
3202
3203 static void
3204 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3205 {
3206         struct mbuf *m = data->m;
3207         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3208         struct ieee80211vap *vap = data->ni->ni_vap;
3209         struct ieee80211_frame *wh;
3210         struct rt2870_txd *txd;
3211         struct rt2860_txwi *txwi;
3212         uint16_t xferlen, txwisize;
3213         uint16_t mcs;
3214         uint8_t ridx = data->ridx;
3215         uint8_t pad;
3216
3217         /* get MCS code from rate index */
3218         mcs = rt2860_rates[ridx].mcs;
3219
3220         txwisize = (sc->mac_ver == 0x5592) ?
3221             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3222         xferlen = txwisize + m->m_pkthdr.len;
3223
3224         /* roundup to 32-bit alignment */
3225         xferlen = (xferlen + 3) & ~3;
3226
3227         txd = (struct rt2870_txd *)&data->desc;
3228         txd->len = htole16(xferlen);
3229
3230         wh = mtod(m, struct ieee80211_frame *);
3231
3232         /*
3233          * Ether both are true or both are false, the header
3234          * are nicely aligned to 32-bit. So, no L2 padding.
3235          */
3236         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3237                 pad = 0;
3238         else
3239                 pad = 2;
3240
3241         /* setup TX Wireless Information */
3242         txwi = (struct rt2860_txwi *)(txd + 1);
3243         txwi->len = htole16(m->m_pkthdr.len - pad);
3244         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3245                 txwi->phy = htole16(RT2860_PHY_CCK);
3246                 if (ridx != RT2860_RIDX_CCK1 &&
3247                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3248                         mcs |= RT2860_PHY_SHPRE;
3249         } else
3250                 txwi->phy = htole16(RT2860_PHY_OFDM);
3251         txwi->phy |= htole16(mcs);
3252
3253         /* check if RTS/CTS or CTS-to-self protection is required */
3254         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3255             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3256              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3257               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3258                 txwi->txop |= RT2860_TX_TXOP_HT;
3259         else
3260                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3261
3262         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3263                 txwi->xflags |= RT2860_TX_NSEQ;
3264 }
3265
3266 /* This function must be called locked */
3267 static int
3268 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3269 {
3270         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3271         struct ieee80211vap *vap = ni->ni_vap;
3272         struct ieee80211_frame *wh;
3273         struct ieee80211_channel *chan;
3274         const struct ieee80211_txparam *tp;
3275         struct run_node *rn = (void *)ni;
3276         struct run_tx_data *data;
3277         struct rt2870_txd *txd;
3278         struct rt2860_txwi *txwi;
3279         uint16_t qos;
3280         uint16_t dur;
3281         uint16_t qid;
3282         uint8_t type;
3283         uint8_t tid;
3284         uint8_t ridx;
3285         uint8_t ctl_ridx;
3286         uint8_t qflags;
3287         uint8_t xflags = 0;
3288         int hasqos;
3289
3290         RUN_LOCK_ASSERT(sc, MA_OWNED);
3291
3292         wh = mtod(m, struct ieee80211_frame *);
3293
3294         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3295
3296         /*
3297          * There are 7 bulk endpoints: 1 for RX
3298          * and 6 for TX (4 EDCAs + HCCA + Prio).
3299          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3300          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3301          */
3302         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3303                 uint8_t *frm;
3304
3305                 if(IEEE80211_HAS_ADDR4(wh))
3306                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3307                 else
3308                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3309
3310                 qos = le16toh(*(const uint16_t *)frm);
3311                 tid = qos & IEEE80211_QOS_TID;
3312                 qid = TID_TO_WME_AC(tid);
3313         } else {
3314                 qos = 0;
3315                 tid = 0;
3316                 qid = WME_AC_BE;
3317         }
3318         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3319
3320         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3321             qos, qid, tid, qflags);
3322
3323         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3324         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3325
3326         /* pickup a rate index */
3327         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3328             type != IEEE80211_FC0_TYPE_DATA) {
3329                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3330                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3331                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3332         } else {
3333                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3334                         ridx = rn->fix_ridx;
3335                 else
3336                         ridx = rn->amrr_ridx;
3337                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3338         }
3339
3340         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3341             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3342              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3343                 xflags |= RT2860_TX_ACK;
3344                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3345                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3346                 else
3347                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3348                 USETW(wh->i_dur, dur);
3349         }
3350
3351         /* reserve slots for mgmt packets, just in case */
3352         if (sc->sc_epq[qid].tx_nfree < 3) {
3353                 DPRINTFN(10, "tx ring %d is full\n", qid);
3354                 return (-1);
3355         }
3356
3357         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3358         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3359         sc->sc_epq[qid].tx_nfree--;
3360
3361         txd = (struct rt2870_txd *)&data->desc;
3362         txd->flags = qflags;
3363         txwi = (struct rt2860_txwi *)(txd + 1);
3364         txwi->xflags = xflags;
3365         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3366                 txwi->wcid = 0;
3367         else
3368                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3369                     1 : RUN_AID2WCID(ni->ni_associd);
3370
3371         /* clear leftover garbage bits */
3372         txwi->flags = 0;
3373         txwi->txop = 0;
3374
3375         data->m = m;
3376         data->ni = ni;
3377         data->ridx = ridx;
3378
3379         run_set_tx_desc(sc, data);
3380
3381         /*
3382          * The chip keeps track of 2 kind of Tx stats,
3383          *  * TX_STAT_FIFO, for per WCID stats, and
3384          *  * TX_STA_CNT0 for all-TX-in-one stats.
3385          *
3386          * To use FIFO stats, we need to store MCS into the driver-private
3387          * PacketID field. So that, we can tell whose stats when we read them.
3388          * We add 1 to the MCS because setting the PacketID field to 0 means
3389          * that we don't want feedback in TX_STAT_FIFO.
3390          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3391          *
3392          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3393          */
3394         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3395             vap->iv_opmode == IEEE80211_M_MBSS) {
3396                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3397                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3398
3399                 /*
3400                  * Unlike PCI based devices, we don't get any interrupt from
3401                  * USB devices, so we simulate FIFO-is-full interrupt here.
3402                  * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3403                  * quickly get fulled. To prevent overflow, increment a counter on
3404                  * every FIFO stat request, so we know how many slots are left.
3405                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3406                  * are used only in those modes.
3407                  * We just drain stats. AMRR gets updated every 1 sec by
3408                  * run_ratectl_cb() via callout.
3409                  * Call it early. Otherwise overflow.
3410                  */
3411                 if (sc->fifo_cnt++ == 10) {
3412                         /*
3413                          * With multiple vaps or if_bridge, if_start() is called
3414                          * with a non-sleepable lock, tcpinp. So, need to defer.
3415                          */
3416                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3417                         DPRINTFN(6, "cmdq_store=%d\n", i);
3418                         sc->cmdq[i].func = run_drain_fifo;
3419                         sc->cmdq[i].arg0 = sc;
3420                         ieee80211_runtask(ic, &sc->cmdq_task);
3421                 }
3422         }
3423
3424         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3425
3426         usbd_transfer_start(sc->sc_xfer[qid]);
3427
3428         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3429             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3430             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3431
3432         return (0);
3433 }
3434
3435 static int
3436 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3437 {
3438         struct ifnet *ifp = sc->sc_ifp;
3439         struct ieee80211com *ic = ifp->if_l2com;
3440         struct run_node *rn = (void *)ni;
3441         struct run_tx_data *data;
3442         struct ieee80211_frame *wh;
3443         struct rt2870_txd *txd;
3444         struct rt2860_txwi *txwi;
3445         uint16_t dur;
3446         uint8_t ridx = rn->mgt_ridx;
3447         uint8_t type;
3448         uint8_t xflags = 0;
3449         uint8_t wflags = 0;
3450
3451         RUN_LOCK_ASSERT(sc, MA_OWNED);
3452
3453         wh = mtod(m, struct ieee80211_frame *);
3454
3455         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3456
3457         /* tell hardware to add timestamp for probe responses */
3458         if ((wh->i_fc[0] &
3459             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3460             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3461                 wflags |= RT2860_TX_TS;
3462         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3463                 xflags |= RT2860_TX_ACK;
3464
3465                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3466                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3467                 USETW(wh->i_dur, dur);
3468         }
3469
3470         if (sc->sc_epq[0].tx_nfree == 0) {
3471                 /* let caller free mbuf */
3472                 ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3473                 return (EIO);
3474         }
3475         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3476         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3477         sc->sc_epq[0].tx_nfree--;
3478
3479         txd = (struct rt2870_txd *)&data->desc;
3480         txd->flags = RT2860_TX_QSEL_EDCA;
3481         txwi = (struct rt2860_txwi *)(txd + 1);
3482         txwi->wcid = 0xff;
3483         txwi->flags = wflags;
3484         txwi->xflags = xflags;
3485         txwi->txop = 0; /* clear leftover garbage bits */
3486
3487         data->m = m;
3488         data->ni = ni;
3489         data->ridx = ridx;
3490
3491         run_set_tx_desc(sc, data);
3492
3493         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3494             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3495             rt2860_rates[ridx].rate);
3496
3497         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3498
3499         usbd_transfer_start(sc->sc_xfer[0]);
3500
3501         return (0);
3502 }
3503
3504 static int
3505 run_sendprot(struct run_softc *sc,
3506     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3507 {
3508         struct ieee80211com *ic = ni->ni_ic;
3509         struct ieee80211_frame *wh;
3510         struct run_tx_data *data;
3511         struct rt2870_txd *txd;
3512         struct rt2860_txwi *txwi;
3513         struct mbuf *mprot;
3514         int ridx;
3515         int protrate;
3516         int ackrate;
3517         int pktlen;
3518         int isshort;
3519         uint16_t dur;
3520         uint8_t type;
3521         uint8_t wflags = 0;
3522         uint8_t xflags = 0;
3523
3524         RUN_LOCK_ASSERT(sc, MA_OWNED);
3525
3526         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3527             ("protection %d", prot));
3528
3529         wh = mtod(m, struct ieee80211_frame *);
3530         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3531         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3532
3533         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3534         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3535
3536         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3537         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3538             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3539         wflags = RT2860_TX_FRAG;
3540
3541         /* check that there are free slots before allocating the mbuf */
3542         if (sc->sc_epq[0].tx_nfree == 0) {
3543                 /* let caller free mbuf */
3544                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3545                 return (ENOBUFS);
3546         }
3547
3548         if (prot == IEEE80211_PROT_RTSCTS) {
3549                 /* NB: CTS is the same size as an ACK */
3550                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3551                 xflags |= RT2860_TX_ACK;
3552                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3553         } else {
3554                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3555         }
3556         if (mprot == NULL) {
3557                 sc->sc_ifp->if_oerrors++;
3558                 DPRINTF("could not allocate mbuf\n");
3559                 return (ENOBUFS);
3560         }
3561
3562         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3563         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3564         sc->sc_epq[0].tx_nfree--;
3565
3566         txd = (struct rt2870_txd *)&data->desc;
3567         txd->flags = RT2860_TX_QSEL_EDCA;
3568         txwi = (struct rt2860_txwi *)(txd + 1);
3569         txwi->wcid = 0xff;
3570         txwi->flags = wflags;
3571         txwi->xflags = xflags;
3572         txwi->txop = 0; /* clear leftover garbage bits */
3573
3574         data->m = mprot;
3575         data->ni = ieee80211_ref_node(ni);
3576
3577         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3578                 if (rt2860_rates[ridx].rate == protrate)
3579                         break;
3580         data->ridx = ridx;
3581
3582         run_set_tx_desc(sc, data);
3583
3584         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3585             m->m_pkthdr.len, rate);
3586
3587         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3588
3589         usbd_transfer_start(sc->sc_xfer[0]);
3590
3591         return (0);
3592 }
3593
3594 static int
3595 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3596     const struct ieee80211_bpf_params *params)
3597 {
3598         struct ieee80211com *ic = ni->ni_ic;
3599         struct ieee80211_frame *wh;
3600         struct run_tx_data *data;
3601         struct rt2870_txd *txd;
3602         struct rt2860_txwi *txwi;
3603         uint8_t type;
3604         uint8_t ridx;
3605         uint8_t rate;
3606         uint8_t opflags = 0;
3607         uint8_t xflags = 0;
3608         int error;
3609
3610         RUN_LOCK_ASSERT(sc, MA_OWNED);
3611
3612         KASSERT(params != NULL, ("no raw xmit params"));
3613
3614         wh = mtod(m, struct ieee80211_frame *);
3615         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3616
3617         rate = params->ibp_rate0;
3618         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3619                 /* let caller free mbuf */
3620                 return (EINVAL);
3621         }
3622
3623         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3624                 xflags |= RT2860_TX_ACK;
3625         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3626                 error = run_sendprot(sc, m, ni,
3627                     params->ibp_flags & IEEE80211_BPF_RTS ?
3628                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3629                     rate);
3630                 if (error) {
3631                         /* let caller free mbuf */
3632                         return error;
3633                 }
3634                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3635         }
3636
3637         if (sc->sc_epq[0].tx_nfree == 0) {
3638                 /* let caller free mbuf */
3639                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3640                 DPRINTF("sending raw frame, but tx ring is full\n");
3641                 return (EIO);
3642         }
3643         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3644         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3645         sc->sc_epq[0].tx_nfree--;
3646
3647         txd = (struct rt2870_txd *)&data->desc;
3648         txd->flags = RT2860_TX_QSEL_EDCA;
3649         txwi = (struct rt2860_txwi *)(txd + 1);
3650         txwi->wcid = 0xff;
3651         txwi->xflags = xflags;
3652         txwi->txop = opflags;
3653         txwi->flags = 0;        /* clear leftover garbage bits */
3654
3655         data->m = m;
3656         data->ni = ni;
3657         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3658                 if (rt2860_rates[ridx].rate == rate)
3659                         break;
3660         data->ridx = ridx;
3661
3662         run_set_tx_desc(sc, data);
3663
3664         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3665             m->m_pkthdr.len, rate);
3666
3667         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3668
3669         usbd_transfer_start(sc->sc_xfer[0]);
3670
3671         return (0);
3672 }
3673
3674 static int
3675 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3676     const struct ieee80211_bpf_params *params)
3677 {
3678         struct ifnet *ifp = ni->ni_ic->ic_ifp;
3679         struct run_softc *sc = ifp->if_softc;
3680         int error = 0;
3681
3682         RUN_LOCK(sc);
3683
3684         /* prevent management frames from being sent if we're not ready */
3685         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3686                 error =  ENETDOWN;
3687                 goto done;
3688         }
3689
3690         if (params == NULL) {
3691                 /* tx mgt packet */
3692                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3693                         ifp->if_oerrors++;
3694                         DPRINTF("mgt tx failed\n");
3695                         goto done;
3696                 }
3697         } else {
3698                 /* tx raw packet with param */
3699                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3700                         ifp->if_oerrors++;
3701                         DPRINTF("tx with param failed\n");
3702                         goto done;
3703                 }
3704         }
3705
3706         ifp->if_opackets++;
3707
3708 done:
3709         RUN_UNLOCK(sc);
3710
3711         if (error != 0) {
3712                 if(m != NULL)
3713                         m_freem(m);
3714                 ieee80211_free_node(ni);
3715         }
3716
3717         return (error);
3718 }
3719
3720 static void
3721 run_start(struct ifnet *ifp)
3722 {
3723         struct run_softc *sc = ifp->if_softc;
3724         struct ieee80211_node *ni;
3725         struct mbuf *m;
3726
3727         RUN_LOCK(sc);
3728
3729         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3730                 RUN_UNLOCK(sc);
3731                 return;
3732         }
3733
3734         for (;;) {
3735                 /* send data frames */
3736                 IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3737                 if (m == NULL)
3738                         break;
3739
3740                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3741                 if (run_tx(sc, m, ni) != 0) {
3742                         IFQ_DRV_PREPEND(&ifp->if_snd, m);
3743                         ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3744                         break;
3745                 }
3746         }
3747
3748         RUN_UNLOCK(sc);
3749 }
3750
3751 static int
3752 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3753 {
3754         struct run_softc *sc = ifp->if_softc;
3755         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3756         struct ifreq *ifr = (struct ifreq *) data;
3757         int startall = 0;
3758         int error;
3759
3760         RUN_LOCK(sc);
3761         error = sc->sc_detached ? ENXIO : 0;
3762         RUN_UNLOCK(sc);
3763         if (error)
3764                 return (error);
3765
3766         switch (cmd) {
3767         case SIOCSIFFLAGS:
3768                 RUN_LOCK(sc);
3769                 if (ifp->if_flags & IFF_UP) {
3770                         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3771                                 startall = 1;
3772                                 run_init_locked(sc);
3773                         } else
3774                                 run_update_promisc_locked(ifp);
3775                 } else {
3776                         if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3777                             (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3778                                         run_stop(sc);
3779                         }
3780                 }
3781                 RUN_UNLOCK(sc);
3782                 if (startall)
3783                         ieee80211_start_all(ic);
3784                 break;
3785         case SIOCGIFMEDIA:
3786                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3787                 break;
3788         case SIOCGIFADDR:
3789                 error = ether_ioctl(ifp, cmd, data);
3790                 break;
3791         default:
3792                 error = EINVAL;
3793                 break;
3794         }
3795
3796         return (error);
3797 }
3798
3799 static void
3800 run_iq_calib(struct run_softc *sc, u_int chan)
3801 {
3802         uint16_t val;
3803
3804         /* Tx0 IQ gain. */
3805         run_bbp_write(sc, 158, 0x2c);
3806         if (chan <= 14)
3807                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3808         else if (chan <= 64) {
3809                 run_efuse_read(sc,
3810                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3811                     &val, 1);
3812         } else if (chan <= 138) {
3813                 run_efuse_read(sc,
3814                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3815                     &val, 1);
3816         } else if (chan <= 165) {
3817                 run_efuse_read(sc,
3818             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3819                     &val, 1);
3820         } else
3821                 val = 0;
3822         run_bbp_write(sc, 159, val);
3823
3824         /* Tx0 IQ phase. */
3825         run_bbp_write(sc, 158, 0x2d);
3826         if (chan <= 14) {
3827                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3828                     &val, 1);
3829         } else if (chan <= 64) {
3830                 run_efuse_read(sc,
3831                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3832                     &val, 1);
3833         } else if (chan <= 138) {
3834                 run_efuse_read(sc,
3835                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3836                     &val, 1);
3837         } else if (chan <= 165) {
3838                 run_efuse_read(sc,
3839                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3840                     &val, 1);
3841         } else
3842                 val = 0;
3843         run_bbp_write(sc, 159, val);
3844
3845         /* Tx1 IQ gain. */
3846         run_bbp_write(sc, 158, 0x4a);
3847         if (chan <= 14) {
3848                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3849                     &val, 1);
3850         } else if (chan <= 64) {
3851                 run_efuse_read(sc,
3852                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3853                     &val, 1);
3854         } else if (chan <= 138) {
3855                 run_efuse_read(sc,
3856                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3857                     &val, 1);
3858         } else if (chan <= 165) {
3859                 run_efuse_read(sc,
3860                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3861                     &val, 1);
3862         } else
3863                 val = 0;
3864         run_bbp_write(sc, 159, val);
3865
3866         /* Tx1 IQ phase. */
3867         run_bbp_write(sc, 158, 0x4b);
3868         if (chan <= 14) {
3869                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3870                     &val, 1);
3871         } else if (chan <= 64) {
3872                 run_efuse_read(sc,
3873                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3874                     &val, 1);
3875         } else if (chan <= 138) {
3876                 run_efuse_read(sc,
3877                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3878                     &val, 1);
3879         } else if (chan <= 165) {
3880                 run_efuse_read(sc,
3881                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3882                     &val, 1);
3883         } else
3884                 val = 0;
3885         run_bbp_write(sc, 159, val);
3886
3887         /* RF IQ compensation control. */
3888         run_bbp_write(sc, 158, 0x04);
3889         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3890             &val, 1);
3891         run_bbp_write(sc, 159, val);
3892
3893         /* RF IQ imbalance compensation control. */
3894         run_bbp_write(sc, 158, 0x03);
3895         run_efuse_read(sc,
3896             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3897         run_bbp_write(sc, 159, val);
3898 }
3899
3900 static void
3901 run_set_agc(struct run_softc *sc, uint8_t agc)
3902 {
3903         uint8_t bbp;
3904
3905         if (sc->mac_ver == 0x3572) {
3906                 run_bbp_read(sc, 27, &bbp);
3907                 bbp &= ~(0x3 << 5);
3908                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3909                 run_bbp_write(sc, 66, agc);
3910                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3911                 run_bbp_write(sc, 66, agc);
3912         } else
3913                 run_bbp_write(sc, 66, agc);
3914 }
3915
3916 static void
3917 run_select_chan_group(struct run_softc *sc, int group)
3918 {
3919         uint32_t tmp;
3920         uint8_t agc;
3921
3922         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3923         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3924         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3925         if (sc->mac_ver < 0x3572)
3926                 run_bbp_write(sc, 86, 0x00);
3927
3928         if (sc->mac_ver == 0x3593) {
3929                 run_bbp_write(sc, 77, 0x98);
3930                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3931         }
3932
3933         if (group == 0) {
3934                 if (sc->ext_2ghz_lna) {
3935                         if (sc->mac_ver >= 0x5390)
3936                                 run_bbp_write(sc, 75, 0x52);
3937                         else {
3938                                 run_bbp_write(sc, 82, 0x62);
3939                                 run_bbp_write(sc, 75, 0x46);
3940                         }
3941                 } else {
3942                         if (sc->mac_ver == 0x5592) {
3943                                 run_bbp_write(sc, 79, 0x1c);
3944                                 run_bbp_write(sc, 80, 0x0e);
3945                                 run_bbp_write(sc, 81, 0x3a);
3946                                 run_bbp_write(sc, 82, 0x62);
3947
3948                                 run_bbp_write(sc, 195, 0x80);
3949                                 run_bbp_write(sc, 196, 0xe0);
3950                                 run_bbp_write(sc, 195, 0x81);
3951                                 run_bbp_write(sc, 196, 0x1f);
3952                                 run_bbp_write(sc, 195, 0x82);
3953                                 run_bbp_write(sc, 196, 0x38);
3954                                 run_bbp_write(sc, 195, 0x83);
3955                                 run_bbp_write(sc, 196, 0x32);
3956                                 run_bbp_write(sc, 195, 0x85);
3957                                 run_bbp_write(sc, 196, 0x28);
3958                                 run_bbp_write(sc, 195, 0x86);
3959                                 run_bbp_write(sc, 196, 0x19);
3960                         } else if (sc->mac_ver >= 0x5390)
3961                                 run_bbp_write(sc, 75, 0x50);
3962                         else {
3963                                 run_bbp_write(sc, 82,
3964                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3965                                 run_bbp_write(sc, 75, 0x50);
3966                         }
3967                 }
3968         } else {
3969                 if (sc->mac_ver == 0x5592) {
3970                         run_bbp_write(sc, 79, 0x18);
3971                         run_bbp_write(sc, 80, 0x08);
3972                         run_bbp_write(sc, 81, 0x38);
3973                         run_bbp_write(sc, 82, 0x92);
3974
3975                         run_bbp_write(sc, 195, 0x80);
3976                         run_bbp_write(sc, 196, 0xf0);
3977                         run_bbp_write(sc, 195, 0x81);
3978                         run_bbp_write(sc, 196, 0x1e);
3979                         run_bbp_write(sc, 195, 0x82);
3980                         run_bbp_write(sc, 196, 0x28);
3981                         run_bbp_write(sc, 195, 0x83);
3982                         run_bbp_write(sc, 196, 0x20);
3983                         run_bbp_write(sc, 195, 0x85);
3984                         run_bbp_write(sc, 196, 0x7f);
3985                         run_bbp_write(sc, 195, 0x86);
3986                         run_bbp_write(sc, 196, 0x7f);
3987                 } else if (sc->mac_ver == 0x3572)
3988                         run_bbp_write(sc, 82, 0x94);
3989                 else
3990                         run_bbp_write(sc, 82,
3991                             (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3992                 if (sc->ext_5ghz_lna)
3993                         run_bbp_write(sc, 75, 0x46);
3994                 else
3995                         run_bbp_write(sc, 75, 0x50);
3996         }
3997
3998         run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3999         tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4000         tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4001         run_write(sc, RT2860_TX_BAND_CFG, tmp);
4002
4003         /* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4004         tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4005         if (sc->mac_ver == 0x3593)
4006                 tmp |= 1 << 29 | 1 << 28;
4007         if (sc->nrxchains > 1)
4008                 tmp |= RT2860_LNA_PE1_EN;
4009         if (group == 0) {       /* 2GHz */
4010                 tmp |= RT2860_PA_PE_G0_EN;
4011                 if (sc->ntxchains > 1)
4012                         tmp |= RT2860_PA_PE_G1_EN;
4013                 if (sc->mac_ver == 0x3593) {
4014                         if (sc->ntxchains > 2)
4015                                 tmp |= 1 << 25;
4016                 }
4017         } else {                /* 5GHz */
4018                 tmp |= RT2860_PA_PE_A0_EN;
4019                 if (sc->ntxchains > 1)
4020                         tmp |= RT2860_PA_PE_A1_EN;
4021         }
4022         if (sc->mac_ver == 0x3572) {
4023                 run_rt3070_rf_write(sc, 8, 0x00);
4024                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4025                 run_rt3070_rf_write(sc, 8, 0x80);
4026         } else
4027                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4028
4029         if (sc->mac_ver == 0x5592) {
4030                 run_bbp_write(sc, 195, 0x8d);
4031                 run_bbp_write(sc, 196, 0x1a);
4032         }
4033
4034         if (sc->mac_ver == 0x3593) {
4035                 run_read(sc, RT2860_GPIO_CTRL, &tmp);
4036                 tmp &= ~0x01010000;
4037                 if (group == 0)
4038                         tmp |= 0x00010000;
4039                 tmp = (tmp & ~0x00009090) | 0x00000090;
4040                 run_write(sc, RT2860_GPIO_CTRL, tmp);
4041         }
4042
4043         /* set initial AGC value */
4044         if (group == 0) {       /* 2GHz band */
4045                 if (sc->mac_ver >= 0x3070)
4046                         agc = 0x1c + sc->lna[0] * 2;
4047                 else
4048                         agc = 0x2e + sc->lna[0];
4049         } else {                /* 5GHz band */
4050                 if (sc->mac_ver == 0x5592)
4051                         agc = 0x24 + sc->lna[group] * 2;
4052                 else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4053                         agc = 0x22 + (sc->lna[group] * 5) / 3;
4054                 else
4055                         agc = 0x32 + (sc->lna[group] * 5) / 3;
4056         }
4057         run_set_agc(sc, agc);
4058 }
4059
4060 static void
4061 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4062 {
4063         const struct rfprog *rfprog = rt2860_rf2850;
4064         uint32_t r2, r3, r4;
4065         int8_t txpow1, txpow2;
4066         int i;
4067
4068         /* find the settings for this channel (we know it exists) */
4069         for (i = 0; rfprog[i].chan != chan; i++);
4070
4071         r2 = rfprog[i].r2;
4072         if (sc->ntxchains == 1)
4073                 r2 |= 1 << 14;          /* 1T: disable Tx chain 2 */
4074         if (sc->nrxchains == 1)
4075                 r2 |= 1 << 17 | 1 << 6; /* 1R: disable Rx chains 2 & 3 */
4076         else if (sc->nrxchains == 2)
4077                 r2 |= 1 << 6;           /* 2R: disable Rx chain 3 */
4078
4079         /* use Tx power values from EEPROM */
4080         txpow1 = sc->txpow1[i];
4081         txpow2 = sc->txpow2[i];
4082
4083         /* Initialize RF R3 and R4. */
4084         r3 = rfprog[i].r3 & 0xffffc1ff;
4085         r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4086         if (chan > 14) {
4087                 if (txpow1 >= 0) {
4088                         txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4089                         r3 |= (txpow1 << 10) | (1 << 9);
4090                 } else {
4091                         txpow1 += 7;
4092
4093                         /* txpow1 is not possible larger than 15. */
4094                         r3 |= (txpow1 << 10);
4095                 }
4096                 if (txpow2 >= 0) {
4097                         txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4098                         r4 |= (txpow2 << 7) | (1 << 6);
4099                 } else {
4100                         txpow2 += 7;
4101                         r4 |= (txpow2 << 7);
4102                 }
4103         } else {
4104                 /* Set Tx0 power. */
4105                 r3 |= (txpow1 << 9);
4106
4107                 /* Set frequency offset and Tx1 power. */
4108                 r4 |= (txpow2 << 6);
4109         }
4110
4111         run_rt2870_rf_write(sc, rfprog[i].r1);
4112         run_rt2870_rf_write(sc, r2);
4113         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4114         run_rt2870_rf_write(sc, r4);
4115
4116         run_delay(sc, 10);
4117
4118         run_rt2870_rf_write(sc, rfprog[i].r1);
4119         run_rt2870_rf_write(sc, r2);
4120         run_rt2870_rf_write(sc, r3 | (1 << 2));
4121         run_rt2870_rf_write(sc, r4);
4122
4123         run_delay(sc, 10);
4124
4125         run_rt2870_rf_write(sc, rfprog[i].r1);
4126         run_rt2870_rf_write(sc, r2);
4127         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4128         run_rt2870_rf_write(sc, r4);
4129 }
4130
4131 static void
4132 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4133 {
4134         int8_t txpow1, txpow2;
4135         uint8_t rf;
4136         int i;
4137
4138         /* find the settings for this channel (we know it exists) */
4139         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4140
4141         /* use Tx power values from EEPROM */
4142         txpow1 = sc->txpow1[i];
4143         txpow2 = sc->txpow2[i];
4144
4145         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4146
4147         /* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4148         run_rt3070_rf_read(sc, 3, &rf);
4149         rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4150         run_rt3070_rf_write(sc, 3, rf);
4151
4152         run_rt3070_rf_read(sc, 6, &rf);
4153         rf = (rf & ~0x03) | rt3070_freqs[i].r;
4154         run_rt3070_rf_write(sc, 6, rf);
4155
4156         /* set Tx0 power */
4157         run_rt3070_rf_read(sc, 12, &rf);
4158         rf = (rf & ~0x1f) | txpow1;
4159         run_rt3070_rf_write(sc, 12, rf);
4160
4161         /* set Tx1 power */
4162         run_rt3070_rf_read(sc, 13, &rf);
4163         rf = (rf & ~0x1f) | txpow2;
4164         run_rt3070_rf_write(sc, 13, rf);
4165
4166         run_rt3070_rf_read(sc, 1, &rf);
4167         rf &= ~0xfc;
4168         if (sc->ntxchains == 1)
4169                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4170         else if (sc->ntxchains == 2)
4171                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4172         if (sc->nrxchains == 1)
4173                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4174         else if (sc->nrxchains == 2)
4175                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4176         run_rt3070_rf_write(sc, 1, rf);
4177
4178         /* set RF offset */
4179         run_rt3070_rf_read(sc, 23, &rf);
4180         rf = (rf & ~0x7f) | sc->freq;
4181         run_rt3070_rf_write(sc, 23, rf);
4182
4183         /* program RF filter */
4184         run_rt3070_rf_read(sc, 24, &rf);        /* Tx */
4185         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4186         run_rt3070_rf_write(sc, 24, rf);
4187         run_rt3070_rf_read(sc, 31, &rf);        /* Rx */
4188         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4189         run_rt3070_rf_write(sc, 31, rf);
4190
4191         /* enable RF tuning */
4192         run_rt3070_rf_read(sc, 7, &rf);
4193         run_rt3070_rf_write(sc, 7, rf | 0x01);
4194 }
4195
4196 static void
4197 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4198 {
4199         int8_t txpow1, txpow2;
4200         uint32_t tmp;
4201         uint8_t rf;
4202         int i;
4203
4204         /* find the settings for this channel (we know it exists) */
4205         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4206
4207         /* use Tx power values from EEPROM */
4208         txpow1 = sc->txpow1[i];
4209         txpow2 = sc->txpow2[i];
4210
4211         if (chan <= 14) {
4212                 run_bbp_write(sc, 25, sc->bbp25);
4213                 run_bbp_write(sc, 26, sc->bbp26);
4214         } else {
4215                 /* enable IQ phase correction */
4216                 run_bbp_write(sc, 25, 0x09);
4217                 run_bbp_write(sc, 26, 0xff);
4218         }
4219
4220         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4221         run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4222         run_rt3070_rf_read(sc, 6, &rf);
4223         rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4224         rf |= (chan <= 14) ? 0x08 : 0x04;
4225         run_rt3070_rf_write(sc, 6, rf);
4226
4227         /* set PLL mode */
4228         run_rt3070_rf_read(sc, 5, &rf);
4229         rf &= ~(0x08 | 0x04);
4230         rf |= (chan <= 14) ? 0x04 : 0x08;
4231         run_rt3070_rf_write(sc, 5, rf);
4232
4233         /* set Tx power for chain 0 */
4234         if (chan <= 14)
4235                 rf = 0x60 | txpow1;
4236         else
4237                 rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4238         run_rt3070_rf_write(sc, 12, rf);
4239
4240         /* set Tx power for chain 1 */
4241         if (chan <= 14)
4242                 rf = 0x60 | txpow2;
4243         else
4244                 rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4245         run_rt3070_rf_write(sc, 13, rf);
4246
4247         /* set Tx/Rx streams */
4248         run_rt3070_rf_read(sc, 1, &rf);
4249         rf &= ~0xfc;
4250         if (sc->ntxchains == 1)
4251                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4252         else if (sc->ntxchains == 2)
4253                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4254         if (sc->nrxchains == 1)
4255                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4256         else if (sc->nrxchains == 2)
4257                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4258         run_rt3070_rf_write(sc, 1, rf);
4259
4260         /* set RF offset */
4261         run_rt3070_rf_read(sc, 23, &rf);
4262         rf = (rf & ~0x7f) | sc->freq;
4263         run_rt3070_rf_write(sc, 23, rf);
4264
4265         /* program RF filter */
4266         rf = sc->rf24_20mhz;
4267         run_rt3070_rf_write(sc, 24, rf);        /* Tx */
4268         run_rt3070_rf_write(sc, 31, rf);        /* Rx */
4269
4270         /* enable RF tuning */
4271         run_rt3070_rf_read(sc, 7, &rf);
4272         rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4273         run_rt3070_rf_write(sc, 7, rf);
4274
4275         /* TSSI */
4276         rf = (chan <= 14) ? 0xc3 : 0xc0;
4277         run_rt3070_rf_write(sc, 9, rf);
4278
4279         /* set loop filter 1 */
4280         run_rt3070_rf_write(sc, 10, 0xf1);
4281         /* set loop filter 2 */
4282         run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4283
4284         /* set tx_mx2_ic */
4285         run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4286         /* set tx_mx1_ic */
4287         if (chan <= 14)
4288                 rf = 0x48 | sc->txmixgain_2ghz;
4289         else
4290                 rf = 0x78 | sc->txmixgain_5ghz;
4291         run_rt3070_rf_write(sc, 16, rf);
4292
4293         /* set tx_lo1 */
4294         run_rt3070_rf_write(sc, 17, 0x23);
4295         /* set tx_lo2 */
4296         if (chan <= 14)
4297                 rf = 0x93;
4298         else if (chan <= 64)
4299                 rf = 0xb7;
4300         else if (chan <= 128)
4301                 rf = 0x74;
4302         else
4303                 rf = 0x72;
4304         run_rt3070_rf_write(sc, 19, rf);
4305
4306         /* set rx_lo1 */
4307         if (chan <= 14)
4308                 rf = 0xb3;
4309         else if (chan <= 64)
4310                 rf = 0xf6;
4311         else if (chan <= 128)
4312                 rf = 0xf4;
4313         else
4314                 rf = 0xf3;
4315         run_rt3070_rf_write(sc, 20, rf);
4316
4317         /* set pfd_delay */
4318         if (chan <= 14)
4319                 rf = 0x15;
4320         else if (chan <= 64)
4321                 rf = 0x3d;
4322         else
4323                 rf = 0x01;
4324         run_rt3070_rf_write(sc, 25, rf);
4325
4326         /* set rx_lo2 */
4327         run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4328         /* set ldo_rf_vc */
4329         run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4330         /* set drv_cc */
4331         run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4332
4333         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4334         tmp &= ~0x8080;
4335         if (chan <= 14)
4336                 tmp |= 0x80;
4337         run_write(sc, RT2860_GPIO_CTRL, tmp);
4338
4339         /* enable RF tuning */
4340         run_rt3070_rf_read(sc, 7, &rf);
4341         run_rt3070_rf_write(sc, 7, rf | 0x01);
4342
4343         run_delay(sc, 2);
4344 }
4345
4346 static void
4347 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4348 {
4349         int8_t txpow1, txpow2, txpow3;
4350         uint8_t h20mhz, rf;
4351         int i;
4352
4353         /* find the settings for this channel (we know it exists) */
4354         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4355
4356         /* use Tx power values from EEPROM */
4357         txpow1 = sc->txpow1[i];
4358         txpow2 = sc->txpow2[i];
4359         txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4360
4361         if (chan <= 14) {
4362                 run_bbp_write(sc, 25, sc->bbp25);
4363                 run_bbp_write(sc, 26, sc->bbp26);
4364         } else {
4365                 /* Enable IQ phase correction. */
4366                 run_bbp_write(sc, 25, 0x09);
4367                 run_bbp_write(sc, 26, 0xff);
4368         }
4369
4370         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4371         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4372         run_rt3070_rf_read(sc, 11, &rf);
4373         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4374         run_rt3070_rf_write(sc, 11, rf);
4375
4376         /* Set pll_idoh. */
4377         run_rt3070_rf_read(sc, 11, &rf);
4378         rf &= ~0x4c;
4379         rf |= (chan <= 14) ? 0x44 : 0x48;
4380         run_rt3070_rf_write(sc, 11, rf);
4381
4382         if (chan <= 14)
4383                 rf = txpow1 & 0x1f;
4384         else
4385                 rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4386         run_rt3070_rf_write(sc, 53, rf);
4387
4388         if (chan <= 14)
4389                 rf = txpow2 & 0x1f;
4390         else
4391                 rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4392         run_rt3070_rf_write(sc, 55, rf);
4393
4394         if (chan <= 14)
4395                 rf = txpow3 & 0x1f;
4396         else
4397                 rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4398         run_rt3070_rf_write(sc, 54, rf);
4399
4400         rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4401         if (sc->ntxchains == 3)
4402                 rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4403         else
4404                 rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4405         rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4406         run_rt3070_rf_write(sc, 1, rf);
4407
4408         run_adjust_freq_offset(sc);
4409
4410         run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4411
4412         h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4413         run_rt3070_rf_read(sc, 30, &rf);
4414         rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4415         run_rt3070_rf_write(sc, 30, rf);
4416
4417         run_rt3070_rf_read(sc, 36, &rf);
4418         if (chan <= 14)
4419                 rf |= 0x80;
4420         else
4421                 rf &= ~0x80;
4422         run_rt3070_rf_write(sc, 36, rf);
4423
4424         /* Set vcolo_bs. */
4425         run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4426         /* Set pfd_delay. */
4427         run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4428
4429         /* Set vco bias current control. */
4430         run_rt3070_rf_read(sc, 6, &rf);
4431         rf &= ~0xc0;
4432         if (chan <= 14)
4433                 rf |= 0x40;
4434         else if (chan <= 128)
4435                 rf |= 0x80;
4436         else
4437                 rf |= 0x40;
4438         run_rt3070_rf_write(sc, 6, rf);
4439
4440         run_rt3070_rf_read(sc, 30, &rf);
4441         rf = (rf & ~0x18) | 0x10;
4442         run_rt3070_rf_write(sc, 30, rf);
4443
4444         run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4445         run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4446
4447         run_rt3070_rf_read(sc, 51, &rf);
4448         rf = (rf & ~0x03) | 0x01;
4449         run_rt3070_rf_write(sc, 51, rf);
4450         /* Set tx_mx1_cc. */
4451         run_rt3070_rf_read(sc, 51, &rf);
4452         rf &= ~0x1c;
4453         rf |= (chan <= 14) ? 0x14 : 0x10;
4454         run_rt3070_rf_write(sc, 51, rf);
4455         /* Set tx_mx1_ic. */
4456         run_rt3070_rf_read(sc, 51, &rf);
4457         rf &= ~0xe0;
4458         rf |= (chan <= 14) ? 0x60 : 0x40;
4459         run_rt3070_rf_write(sc, 51, rf);
4460         /* Set tx_lo1_ic. */
4461         run_rt3070_rf_read(sc, 49, &rf);
4462         rf &= ~0x1c;
4463         rf |= (chan <= 14) ? 0x0c : 0x08;
4464         run_rt3070_rf_write(sc, 49, rf);
4465         /* Set tx_lo1_en. */
4466         run_rt3070_rf_read(sc, 50, &rf);
4467         run_rt3070_rf_write(sc, 50, rf & ~0x20);
4468         /* Set drv_cc. */
4469         run_rt3070_rf_read(sc, 57, &rf);
4470         rf &= ~0xfc;
4471         rf |= (chan <= 14) ?  0x6c : 0x3c;
4472         run_rt3070_rf_write(sc, 57, rf);
4473         /* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4474         run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4475         /* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4476         run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4477         /* Enable VCO calibration. */
4478         run_rt3070_rf_read(sc, 3, &rf);
4479         rf &= ~RT5390_VCOCAL;
4480         rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4481         run_rt3070_rf_write(sc, 3, rf);
4482
4483         if (chan <= 14)
4484                 rf = 0x23;
4485         else if (chan <= 64)
4486                 rf = 0x36;
4487         else if (chan <= 128)
4488                 rf = 0x32;
4489         else
4490                 rf = 0x30;
4491         run_rt3070_rf_write(sc, 39, rf);
4492         if (chan <= 14)
4493                 rf = 0xbb;
4494         else if (chan <= 64)
4495                 rf = 0xeb;
4496         else if (chan <= 128)
4497                 rf = 0xb3;
4498         else
4499                 rf = 0x9b;
4500         run_rt3070_rf_write(sc, 45, rf);
4501
4502         /* Set FEQ/AEQ control. */
4503         run_bbp_write(sc, 105, 0x34);
4504 }
4505
4506 static void
4507 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4508 {
4509         int8_t txpow1, txpow2;
4510         uint8_t rf;
4511         int i;
4512
4513         /* find the settings for this channel (we know it exists) */
4514         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4515
4516         /* use Tx power values from EEPROM */
4517         txpow1 = sc->txpow1[i];
4518         txpow2 = sc->txpow2[i];
4519
4520         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4521         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4522         run_rt3070_rf_read(sc, 11, &rf);
4523         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4524         run_rt3070_rf_write(sc, 11, rf);
4525
4526         run_rt3070_rf_read(sc, 49, &rf);
4527         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4528         /* The valid range of the RF R49 is 0x00 to 0x27. */
4529         if ((rf & 0x3f) > 0x27)
4530                 rf = (rf & ~0x3f) | 0x27;
4531         run_rt3070_rf_write(sc, 49, rf);
4532
4533         if (sc->mac_ver == 0x5392) {
4534                 run_rt3070_rf_read(sc, 50, &rf);
4535                 rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4536                 /* The valid range of the RF R50 is 0x00 to 0x27. */
4537                 if ((rf & 0x3f) > 0x27)
4538                         rf = (rf & ~0x3f) | 0x27;
4539                 run_rt3070_rf_write(sc, 50, rf);
4540         }
4541
4542         run_rt3070_rf_read(sc, 1, &rf);
4543         rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4544         if (sc->mac_ver == 0x5392)
4545                 rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4546         run_rt3070_rf_write(sc, 1, rf);
4547
4548         if (sc->mac_ver != 0x5392) {
4549                 run_rt3070_rf_read(sc, 2, &rf);
4550                 rf |= 0x80;
4551                 run_rt3070_rf_write(sc, 2, rf);
4552                 run_delay(sc, 10);
4553                 rf &= 0x7f;
4554                 run_rt3070_rf_write(sc, 2, rf);
4555         }
4556
4557         run_adjust_freq_offset(sc);
4558
4559         if (sc->mac_ver == 0x5392) {
4560                 /* Fix for RT5392C. */
4561                 if (sc->mac_rev >= 0x0223) {
4562                         if (chan <= 4)
4563                                 rf = 0x0f;
4564                         else if (chan >= 5 && chan <= 7)
4565                                 rf = 0x0e;
4566                         else
4567                                 rf = 0x0d;
4568                         run_rt3070_rf_write(sc, 23, rf);
4569
4570                         if (chan <= 4)
4571                                 rf = 0x0c;
4572                         else if (chan == 5)
4573                                 rf = 0x0b;
4574                         else if (chan >= 6 && chan <= 7)
4575                                 rf = 0x0a;
4576                         else if (chan >= 8 && chan <= 10)
4577                                 rf = 0x09;
4578                         else
4579                                 rf = 0x08;
4580                         run_rt3070_rf_write(sc, 59, rf);
4581                 } else {
4582                         if (chan <= 11)
4583                                 rf = 0x0f;
4584                         else
4585                                 rf = 0x0b;
4586                         run_rt3070_rf_write(sc, 59, rf);
4587                 }
4588         } else {
4589                 /* Fix for RT5390F. */
4590                 if (sc->mac_rev >= 0x0502) {
4591                         if (chan <= 11)
4592                                 rf = 0x43;
4593                         else
4594                                 rf = 0x23;
4595                         run_rt3070_rf_write(sc, 55, rf);
4596
4597                         if (chan <= 11)
4598                                 rf = 0x0f;
4599                         else if (chan == 12)
4600                                 rf = 0x0d;
4601                         else
4602                                 rf = 0x0b;
4603                         run_rt3070_rf_write(sc, 59, rf);
4604                 } else {
4605                         run_rt3070_rf_write(sc, 55, 0x44);
4606                         run_rt3070_rf_write(sc, 59, 0x8f);
4607                 }
4608         }
4609
4610         /* Enable VCO calibration. */
4611         run_rt3070_rf_read(sc, 3, &rf);
4612         rf |= RT5390_VCOCAL;
4613         run_rt3070_rf_write(sc, 3, rf);
4614 }
4615
4616 static void
4617 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4618 {
4619         const struct rt5592_freqs *freqs;
4620         uint32_t tmp;
4621         uint8_t reg, rf, txpow_bound;
4622         int8_t txpow1, txpow2;
4623         int i;
4624
4625         run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4626         freqs = (tmp & RT5592_SEL_XTAL) ?
4627             rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4628
4629         /* find the settings for this channel (we know it exists) */
4630         for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4631
4632         /* use Tx power values from EEPROM */
4633         txpow1 = sc->txpow1[i];
4634         txpow2 = sc->txpow2[i];
4635
4636         run_read(sc, RT3070_LDO_CFG0, &tmp);
4637         tmp &= ~0x1c000000;
4638         if (chan > 14)
4639                 tmp |= 0x14000000;
4640         run_write(sc, RT3070_LDO_CFG0, tmp);
4641
4642         /* N setting. */
4643         run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4644         run_rt3070_rf_read(sc, 9, &rf);
4645         rf &= ~(1 << 4);
4646         rf |= ((freqs->n & 0x0100) >> 8) << 4;
4647         run_rt3070_rf_write(sc, 9, rf);
4648
4649         /* K setting. */
4650         run_rt3070_rf_read(sc, 9, &rf);
4651         rf &= ~0x0f;
4652         rf |= (freqs->k & 0x0f);
4653         run_rt3070_rf_write(sc, 9, rf);
4654
4655         /* Mode setting. */
4656         run_rt3070_rf_read(sc, 11, &rf);
4657         rf &= ~0x0c;
4658         rf |= ((freqs->m - 0x8) & 0x3) << 2;
4659         run_rt3070_rf_write(sc, 11, rf);
4660         run_rt3070_rf_read(sc, 9, &rf);
4661         rf &= ~(1 << 7);
4662         rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4663         run_rt3070_rf_write(sc, 9, rf);
4664
4665         /* R setting. */
4666         run_rt3070_rf_read(sc, 11, &rf);
4667         rf &= ~0x03;
4668         rf |= (freqs->r - 0x1);
4669         run_rt3070_rf_write(sc, 11, rf);
4670
4671         if (chan <= 14) {
4672                 /* Initialize RF registers for 2GHZ. */
4673                 for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4674                         run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4675                             rt5592_2ghz_def_rf[i].val);
4676                 }
4677
4678                 rf = (chan <= 10) ? 0x07 : 0x06;
4679                 run_rt3070_rf_write(sc, 23, rf);
4680                 run_rt3070_rf_write(sc, 59, rf);
4681
4682                 run_rt3070_rf_write(sc, 55, 0x43);
4683
4684                 /*
4685                  * RF R49/R50 Tx power ALC code.
4686                  * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4687                  */
4688                 reg = 2;
4689                 txpow_bound = 0x27;
4690         } else {
4691                 /* Initialize RF registers for 5GHZ. */
4692                 for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4693                         run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4694                             rt5592_5ghz_def_rf[i].val);
4695                 }
4696                 for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4697                         if (chan >= rt5592_chan_5ghz[i].firstchan &&
4698                             chan <= rt5592_chan_5ghz[i].lastchan) {
4699                                 run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4700                                     rt5592_chan_5ghz[i].val);
4701                         }
4702                 }
4703
4704                 /*
4705                  * RF R49/R50 Tx power ALC code.
4706                  * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4707                  */
4708                 reg = 3;
4709                 txpow_bound = 0x2b;
4710         }
4711
4712         /* RF R49 ch0 Tx power ALC code. */
4713         run_rt3070_rf_read(sc, 49, &rf);
4714         rf &= ~0xc0;
4715         rf |= (reg << 6);
4716         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4717         if ((rf & 0x3f) > txpow_bound)
4718                 rf = (rf & ~0x3f) | txpow_bound;
4719         run_rt3070_rf_write(sc, 49, rf);
4720
4721         /* RF R50 ch1 Tx power ALC code. */
4722         run_rt3070_rf_read(sc, 50, &rf);
4723         rf &= ~(1 << 7 | 1 << 6);
4724         rf |= (reg << 6);
4725         rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4726         if ((rf & 0x3f) > txpow_bound)
4727                 rf = (rf & ~0x3f) | txpow_bound;
4728         run_rt3070_rf_write(sc, 50, rf);
4729
4730         /* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4731         run_rt3070_rf_read(sc, 1, &rf);
4732         rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4733         if (sc->ntxchains > 1)
4734                 rf |= RT3070_TX1_PD;
4735         if (sc->nrxchains > 1)
4736                 rf |= RT3070_RX1_PD;
4737         run_rt3070_rf_write(sc, 1, rf);
4738
4739         run_rt3070_rf_write(sc, 6, 0xe4);
4740
4741         run_rt3070_rf_write(sc, 30, 0x10);
4742         run_rt3070_rf_write(sc, 31, 0x80);
4743         run_rt3070_rf_write(sc, 32, 0x80);
4744
4745         run_adjust_freq_offset(sc);
4746
4747         /* Enable VCO calibration. */
4748         run_rt3070_rf_read(sc, 3, &rf);
4749         rf |= RT5390_VCOCAL;
4750         run_rt3070_rf_write(sc, 3, rf);
4751 }
4752
4753 static void
4754 run_set_rx_antenna(struct run_softc *sc, int aux)
4755 {
4756         uint32_t tmp;
4757         uint8_t bbp152;
4758
4759         if (aux) {
4760                 if (sc->rf_rev == RT5390_RF_5370) {
4761                         run_bbp_read(sc, 152, &bbp152);
4762                         run_bbp_write(sc, 152, bbp152 & ~0x80);
4763                 } else {
4764                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4765                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4766                         run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4767                 }
4768         } else {
4769                 if (sc->rf_rev == RT5390_RF_5370) {
4770                         run_bbp_read(sc, 152, &bbp152);
4771                         run_bbp_write(sc, 152, bbp152 | 0x80);
4772                 } else {
4773                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4774                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4775                         run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4776                 }
4777         }
4778 }
4779
4780 static int
4781 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4782 {
4783         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4784         u_int chan, group;
4785
4786         chan = ieee80211_chan2ieee(ic, c);
4787         if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4788                 return (EINVAL);
4789
4790         if (sc->mac_ver == 0x5592)
4791                 run_rt5592_set_chan(sc, chan);
4792         else if (sc->mac_ver >= 0x5390)
4793                 run_rt5390_set_chan(sc, chan);
4794         else if (sc->mac_ver == 0x3593)
4795                 run_rt3593_set_chan(sc, chan);
4796         else if (sc->mac_ver == 0x3572)
4797                 run_rt3572_set_chan(sc, chan);
4798         else if (sc->mac_ver >= 0x3070)
4799                 run_rt3070_set_chan(sc, chan);
4800         else
4801                 run_rt2870_set_chan(sc, chan);
4802
4803         /* determine channel group */
4804         if (chan <= 14)
4805                 group = 0;
4806         else if (chan <= 64)
4807                 group = 1;
4808         else if (chan <= 128)
4809                 group = 2;
4810         else
4811                 group = 3;
4812
4813         /* XXX necessary only when group has changed! */
4814         run_select_chan_group(sc, group);
4815
4816         run_delay(sc, 10);
4817
4818         /* Perform IQ calibration. */
4819         if (sc->mac_ver >= 0x5392)
4820                 run_iq_calib(sc, chan);
4821
4822         return (0);
4823 }
4824
4825 static void
4826 run_set_channel(struct ieee80211com *ic)
4827 {
4828         struct run_softc *sc = ic->ic_ifp->if_softc;
4829
4830         RUN_LOCK(sc);
4831         run_set_chan(sc, ic->ic_curchan);
4832         RUN_UNLOCK(sc);
4833
4834         return;
4835 }
4836
4837 static void
4838 run_scan_start(struct ieee80211com *ic)
4839 {
4840         struct run_softc *sc = ic->ic_ifp->if_softc;
4841         uint32_t tmp;
4842
4843         RUN_LOCK(sc);
4844
4845         /* abort TSF synchronization */
4846         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4847         run_write(sc, RT2860_BCN_TIME_CFG,
4848             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4849             RT2860_TBTT_TIMER_EN));
4850         run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4851
4852         RUN_UNLOCK(sc);
4853
4854         return;
4855 }
4856
4857 static void
4858 run_scan_end(struct ieee80211com *ic)
4859 {
4860         struct run_softc *sc = ic->ic_ifp->if_softc;
4861
4862         RUN_LOCK(sc);
4863
4864         run_enable_tsf_sync(sc);
4865         /* XXX keep local copy */
4866         run_set_bssid(sc, sc->sc_bssid);
4867
4868         RUN_UNLOCK(sc);
4869
4870         return;
4871 }
4872
4873 /*
4874  * Could be called from ieee80211_node_timeout()
4875  * (non-sleepable thread)
4876  */
4877 static void
4878 run_update_beacon(struct ieee80211vap *vap, int item)
4879 {
4880         struct ieee80211com *ic = vap->iv_ic;
4881         struct run_softc *sc = ic->ic_ifp->if_softc;
4882         struct run_vap *rvp = RUN_VAP(vap);
4883         int mcast = 0;
4884         uint32_t i;
4885
4886         KASSERT(vap != NULL, ("no beacon"));
4887
4888         switch (item) {
4889         case IEEE80211_BEACON_ERP:
4890                 run_updateslot(ic->ic_ifp);
4891                 break;
4892         case IEEE80211_BEACON_HTINFO:
4893                 run_updateprot(ic);
4894                 break;
4895         case IEEE80211_BEACON_TIM:
4896                 mcast = 1;      /*TODO*/
4897                 break;
4898         default:
4899                 break;
4900         }
4901
4902         setbit(rvp->bo.bo_flags, item);
4903         ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4904
4905         i = RUN_CMDQ_GET(&sc->cmdq_store);
4906         DPRINTF("cmdq_store=%d\n", i);
4907         sc->cmdq[i].func = run_update_beacon_cb;
4908         sc->cmdq[i].arg0 = vap;
4909         ieee80211_runtask(ic, &sc->cmdq_task);
4910
4911         return;
4912 }
4913
4914 static void
4915 run_update_beacon_cb(void *arg)
4916 {
4917         struct ieee80211vap *vap = arg;
4918         struct run_vap *rvp = RUN_VAP(vap);
4919         struct ieee80211com *ic = vap->iv_ic;
4920         struct run_softc *sc = ic->ic_ifp->if_softc;
4921         struct rt2860_txwi txwi;
4922         struct mbuf *m;
4923         uint16_t txwisize;
4924         uint8_t ridx;
4925
4926         if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4927                 return;
4928         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4929                 return;
4930
4931         /*
4932          * No need to call ieee80211_beacon_update(), run_update_beacon()
4933          * is taking care of apropriate calls.
4934          */
4935         if (rvp->beacon_mbuf == NULL) {
4936                 rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4937                     &rvp->bo);
4938                 if (rvp->beacon_mbuf == NULL)
4939                         return;
4940         }
4941         m = rvp->beacon_mbuf;
4942
4943         memset(&txwi, 0, sizeof(txwi));
4944         txwi.wcid = 0xff;
4945         txwi.len = htole16(m->m_pkthdr.len);
4946
4947         /* send beacons at the lowest available rate */
4948         ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4949             RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4950         txwi.phy = htole16(rt2860_rates[ridx].mcs);
4951         if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4952                 txwi.phy |= htole16(RT2860_PHY_OFDM);
4953         txwi.txop = RT2860_TX_TXOP_HT;
4954         txwi.flags = RT2860_TX_TS;
4955         txwi.xflags = RT2860_TX_NSEQ;
4956
4957         txwisize = (sc->mac_ver == 0x5592) ?
4958             sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4959         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4960             txwisize);
4961         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4962             mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4963 }
4964
4965 static void
4966 run_updateprot(struct ieee80211com *ic)
4967 {
4968         struct run_softc *sc = ic->ic_ifp->if_softc;
4969         uint32_t i;
4970
4971         i = RUN_CMDQ_GET(&sc->cmdq_store);
4972         DPRINTF("cmdq_store=%d\n", i);
4973         sc->cmdq[i].func = run_updateprot_cb;
4974         sc->cmdq[i].arg0 = ic;
4975         ieee80211_runtask(ic, &sc->cmdq_task);
4976 }
4977
4978 static void
4979 run_updateprot_cb(void *arg)
4980 {
4981         struct ieee80211com *ic = arg;
4982         struct run_softc *sc = ic->ic_ifp->if_softc;
4983         uint32_t tmp;
4984
4985         tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4986         /* setup protection frame rate (MCS code) */
4987         tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4988             rt2860_rates[RT2860_RIDX_OFDM6].mcs :
4989             rt2860_rates[RT2860_RIDX_CCK11].mcs;
4990
4991         /* CCK frames don't require protection */
4992         run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4993         if (ic->ic_flags & IEEE80211_F_USEPROT) {
4994                 if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4995                         tmp |= RT2860_PROT_CTRL_RTS_CTS;
4996                 else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4997                         tmp |= RT2860_PROT_CTRL_CTS;
4998         }
4999         run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5000 }
5001
5002 static void
5003 run_usb_timeout_cb(void *arg)
5004 {
5005         struct ieee80211vap *vap = arg;
5006         struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5007
5008         RUN_LOCK_ASSERT(sc, MA_OWNED);
5009
5010         if(vap->iv_state == IEEE80211_S_RUN &&
5011             vap->iv_opmode != IEEE80211_M_STA)
5012                 run_reset_livelock(sc);
5013         else if (vap->iv_state == IEEE80211_S_SCAN) {
5014                 DPRINTF("timeout caused by scan\n");
5015                 /* cancel bgscan */
5016                 ieee80211_cancel_scan(vap);
5017         } else
5018                 DPRINTF("timeout by unknown cause\n");
5019 }
5020
5021 static void
5022 run_reset_livelock(struct run_softc *sc)
5023 {
5024         uint32_t tmp;
5025
5026         RUN_LOCK_ASSERT(sc, MA_OWNED);
5027
5028         /*
5029          * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5030          * can run into a livelock and start sending CTS-to-self frames like
5031          * crazy if protection is enabled.  Reset MAC/BBP for a while
5032          */
5033         run_read(sc, RT2860_DEBUG, &tmp);
5034         DPRINTFN(3, "debug reg %08x\n", tmp);
5035         if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5036                 DPRINTF("CTS-to-self livelock detected\n");
5037                 run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5038                 run_delay(sc, 1);
5039                 run_write(sc, RT2860_MAC_SYS_CTRL,
5040                     RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5041         }
5042 }
5043
5044 static void
5045 run_update_promisc_locked(struct ifnet *ifp)
5046 {
5047         struct run_softc *sc = ifp->if_softc;
5048         uint32_t tmp;
5049
5050         run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5051
5052         tmp |= RT2860_DROP_UC_NOME;
5053         if (ifp->if_flags & IFF_PROMISC)
5054                 tmp &= ~RT2860_DROP_UC_NOME;
5055
5056         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5057
5058         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5059             "entering" : "leaving");
5060 }
5061
5062 static void
5063 run_update_promisc(struct ifnet *ifp)
5064 {
5065         struct run_softc *sc = ifp->if_softc;
5066
5067         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5068                 return;
5069
5070         RUN_LOCK(sc);
5071         run_update_promisc_locked(ifp);
5072         RUN_UNLOCK(sc);
5073 }
5074
5075 static void
5076 run_enable_tsf_sync(struct run_softc *sc)
5077 {
5078         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5079         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5080         uint32_t tmp;
5081
5082         DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5083             ic->ic_opmode);
5084
5085         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5086         tmp &= ~0x1fffff;
5087         tmp |= vap->iv_bss->ni_intval * 16;
5088         tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5089
5090         if (ic->ic_opmode == IEEE80211_M_STA) {
5091                 /*
5092                  * Local TSF is always updated with remote TSF on beacon
5093                  * reception.
5094                  */
5095                 tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5096         } else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5097                 tmp |= RT2860_BCN_TX_EN;
5098                 /*
5099                  * Local TSF is updated with remote TSF on beacon reception
5100                  * only if the remote TSF is greater than local TSF.
5101                  */
5102                 tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5103         } else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5104                     ic->ic_opmode == IEEE80211_M_MBSS) {
5105                 tmp |= RT2860_BCN_TX_EN;
5106                 /* SYNC with nobody */
5107                 tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5108         } else {
5109                 DPRINTF("Enabling TSF failed. undefined opmode\n");
5110                 return;
5111         }
5112
5113         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5114 }
5115
5116 static void
5117 run_enable_mrr(struct run_softc *sc)
5118 {
5119 #define CCK(mcs)        (mcs)
5120 #define OFDM(mcs)       (1 << 3 | (mcs))
5121         run_write(sc, RT2860_LG_FBK_CFG0,
5122             OFDM(6) << 28 |     /* 54->48 */
5123             OFDM(5) << 24 |     /* 48->36 */
5124             OFDM(4) << 20 |     /* 36->24 */
5125             OFDM(3) << 16 |     /* 24->18 */
5126             OFDM(2) << 12 |     /* 18->12 */
5127             OFDM(1) <<  8 |     /* 12-> 9 */
5128             OFDM(0) <<  4 |     /*  9-> 6 */
5129             OFDM(0));           /*  6-> 6 */
5130
5131         run_write(sc, RT2860_LG_FBK_CFG1,
5132             CCK(2) << 12 |      /* 11->5.5 */
5133             CCK(1) <<  8 |      /* 5.5-> 2 */
5134             CCK(0) <<  4 |      /*   2-> 1 */
5135             CCK(0));            /*   1-> 1 */
5136 #undef OFDM
5137 #undef CCK
5138 }
5139
5140 static void
5141 run_set_txpreamble(struct run_softc *sc)
5142 {
5143         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5144         uint32_t tmp;
5145
5146         run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5147         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5148                 tmp |= RT2860_CCK_SHORT_EN;
5149         else
5150                 tmp &= ~RT2860_CCK_SHORT_EN;
5151         run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5152 }
5153
5154 static void
5155 run_set_basicrates(struct run_softc *sc)
5156 {
5157         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5158
5159         /* set basic rates mask */
5160         if (ic->ic_curmode == IEEE80211_MODE_11B)
5161                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5162         else if (ic->ic_curmode == IEEE80211_MODE_11A)
5163                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5164         else    /* 11g */
5165                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5166 }
5167
5168 static void
5169 run_set_leds(struct run_softc *sc, uint16_t which)
5170 {
5171         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5172             which | (sc->leds & 0x7f));
5173 }
5174
5175 static void
5176 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5177 {
5178         run_write(sc, RT2860_MAC_BSSID_DW0,
5179             bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5180         run_write(sc, RT2860_MAC_BSSID_DW1,
5181             bssid[4] | bssid[5] << 8);
5182 }
5183
5184 static void
5185 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5186 {
5187         run_write(sc, RT2860_MAC_ADDR_DW0,
5188             addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5189         run_write(sc, RT2860_MAC_ADDR_DW1,
5190             addr[4] | addr[5] << 8 | 0xff << 16);
5191 }
5192
5193 static void
5194 run_updateslot(struct ifnet *ifp)
5195 {
5196         struct run_softc *sc = ifp->if_softc;
5197         struct ieee80211com *ic = ifp->if_l2com;
5198         uint32_t i;
5199
5200         i = RUN_CMDQ_GET(&sc->cmdq_store);
5201         DPRINTF("cmdq_store=%d\n", i);
5202         sc->cmdq[i].func = run_updateslot_cb;
5203         sc->cmdq[i].arg0 = ifp;
5204         ieee80211_runtask(ic, &sc->cmdq_task);
5205
5206         return;
5207 }
5208
5209 /* ARGSUSED */
5210 static void
5211 run_updateslot_cb(void *arg)
5212 {
5213         struct ifnet *ifp = arg;
5214         struct run_softc *sc = ifp->if_softc;
5215         struct ieee80211com *ic = ifp->if_l2com;
5216         uint32_t tmp;
5217
5218         run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5219         tmp &= ~0xff;
5220         tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5221         run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5222 }
5223
5224 static void
5225 run_update_mcast(struct ifnet *ifp)
5226 {
5227         /* h/w filter supports getting everything or nothing */
5228         ifp->if_flags |= IFF_ALLMULTI;
5229 }
5230
5231 static int8_t
5232 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5233 {
5234         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5235         struct ieee80211_channel *c = ic->ic_curchan;
5236         int delta;
5237
5238         if (IEEE80211_IS_CHAN_5GHZ(c)) {
5239                 u_int chan = ieee80211_chan2ieee(ic, c);
5240                 delta = sc->rssi_5ghz[rxchain];
5241
5242                 /* determine channel group */
5243                 if (chan <= 64)
5244                         delta -= sc->lna[1];
5245                 else if (chan <= 128)
5246                         delta -= sc->lna[2];
5247                 else
5248                         delta -= sc->lna[3];
5249         } else
5250                 delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5251
5252         return (-12 - delta - rssi);
5253 }
5254
5255 static void
5256 run_rt5390_bbp_init(struct run_softc *sc)
5257 {
5258         int i;
5259         uint8_t bbp;
5260
5261         /* Apply maximum likelihood detection for 2 stream case. */
5262         run_bbp_read(sc, 105, &bbp);
5263         if (sc->nrxchains > 1)
5264                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5265
5266         /* Avoid data lost and CRC error. */
5267         run_bbp_read(sc, 4, &bbp);
5268         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5269
5270         if (sc->mac_ver == 0x5592) {
5271                 for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5272                         run_bbp_write(sc, rt5592_def_bbp[i].reg,
5273                             rt5592_def_bbp[i].val);
5274                 }
5275                 for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5276                         run_bbp_write(sc, 195, i + 0x80);
5277                         run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5278                 }
5279         } else {
5280                 for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5281                         run_bbp_write(sc, rt5390_def_bbp[i].reg,
5282                             rt5390_def_bbp[i].val);
5283                 }
5284         }
5285         if (sc->mac_ver == 0x5392) {
5286                 run_bbp_write(sc, 88, 0x90);
5287                 run_bbp_write(sc, 95, 0x9a);
5288                 run_bbp_write(sc, 98, 0x12);
5289                 run_bbp_write(sc, 106, 0x12);
5290                 run_bbp_write(sc, 134, 0xd0);
5291                 run_bbp_write(sc, 135, 0xf6);
5292                 run_bbp_write(sc, 148, 0x84);
5293         }
5294
5295         run_bbp_read(sc, 152, &bbp);
5296         run_bbp_write(sc, 152, bbp | 0x80);
5297
5298         /* Fix BBP254 for RT5592C. */
5299         if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5300                 run_bbp_read(sc, 254, &bbp);
5301                 run_bbp_write(sc, 254, bbp | 0x80);
5302         }
5303
5304         /* Disable hardware antenna diversity. */
5305         if (sc->mac_ver == 0x5390)
5306                 run_bbp_write(sc, 154, 0);
5307
5308         /* Initialize Rx CCK/OFDM frequency offset report. */
5309         run_bbp_write(sc, 142, 1);
5310         run_bbp_write(sc, 143, 57);
5311 }
5312
5313 static int
5314 run_bbp_init(struct run_softc *sc)
5315 {
5316         int i, error, ntries;
5317         uint8_t bbp0;
5318
5319         /* wait for BBP to wake up */
5320         for (ntries = 0; ntries < 20; ntries++) {
5321                 if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5322                         return error;
5323                 if (bbp0 != 0 && bbp0 != 0xff)
5324                         break;
5325         }
5326         if (ntries == 20)
5327                 return (ETIMEDOUT);
5328
5329         /* initialize BBP registers to default values */
5330         if (sc->mac_ver >= 0x5390)
5331                 run_rt5390_bbp_init(sc);
5332         else {
5333                 for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5334                         run_bbp_write(sc, rt2860_def_bbp[i].reg,
5335                             rt2860_def_bbp[i].val);
5336                 }
5337         }
5338
5339         if (sc->mac_ver == 0x3593) {
5340                 run_bbp_write(sc, 79, 0x13);
5341                 run_bbp_write(sc, 80, 0x05);
5342                 run_bbp_write(sc, 81, 0x33);
5343                 run_bbp_write(sc, 86, 0x46);
5344                 run_bbp_write(sc, 137, 0x0f);
5345         }
5346
5347         /* fix BBP84 for RT2860E */
5348         if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5349                 run_bbp_write(sc, 84, 0x19);
5350
5351         if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5352             sc->mac_ver != 0x5592)) {
5353                 run_bbp_write(sc, 79, 0x13);
5354                 run_bbp_write(sc, 80, 0x05);
5355                 run_bbp_write(sc, 81, 0x33);
5356         } else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5357                 run_bbp_write(sc, 69, 0x16);
5358                 run_bbp_write(sc, 73, 0x12);
5359         }
5360         return (0);
5361 }
5362
5363 static int
5364 run_rt3070_rf_init(struct run_softc *sc)
5365 {
5366         uint32_t tmp;
5367         uint8_t bbp4, mingain, rf, target;
5368         int i;
5369
5370         run_rt3070_rf_read(sc, 30, &rf);
5371         /* toggle RF R30 bit 7 */
5372         run_rt3070_rf_write(sc, 30, rf | 0x80);
5373         run_delay(sc, 10);
5374         run_rt3070_rf_write(sc, 30, rf & ~0x80);
5375
5376         /* initialize RF registers to default value */
5377         if (sc->mac_ver == 0x3572) {
5378                 for (i = 0; i < nitems(rt3572_def_rf); i++) {
5379                         run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5380                             rt3572_def_rf[i].val);
5381                 }
5382         } else {
5383                 for (i = 0; i < nitems(rt3070_def_rf); i++) {
5384                         run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5385                             rt3070_def_rf[i].val);
5386                 }
5387         }
5388
5389         if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5390                 /*
5391                  * Change voltage from 1.2V to 1.35V for RT3070.
5392                  * The DAC issue (RT3070_LDO_CFG0) has been fixed
5393                  * in RT3070(F).
5394                  */
5395                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5396                 tmp = (tmp & ~0x0f000000) | 0x0d000000;
5397                 run_write(sc, RT3070_LDO_CFG0, tmp);
5398
5399         } else if (sc->mac_ver == 0x3071) {
5400                 run_rt3070_rf_read(sc, 6, &rf);
5401                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5402                 run_rt3070_rf_write(sc, 31, 0x14);
5403
5404                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5405                 tmp &= ~0x1f000000;
5406                 if (sc->mac_rev < 0x0211)
5407                         tmp |= 0x0d000000;      /* 1.3V */
5408                 else
5409                         tmp |= 0x01000000;      /* 1.2V */
5410                 run_write(sc, RT3070_LDO_CFG0, tmp);
5411
5412                 /* patch LNA_PE_G1 */
5413                 run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5414                 run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5415
5416         } else if (sc->mac_ver == 0x3572) {
5417                 run_rt3070_rf_read(sc, 6, &rf);
5418                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5419
5420                 /* increase voltage from 1.2V to 1.35V */
5421                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5422                 tmp = (tmp & ~0x1f000000) | 0x0d000000;
5423                 run_write(sc, RT3070_LDO_CFG0, tmp);
5424
5425                 if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5426                         run_delay(sc, 1);       /* wait for 1msec */
5427                         /* decrease voltage back to 1.2V */
5428                         tmp = (tmp & ~0x1f000000) | 0x01000000;
5429                         run_write(sc, RT3070_LDO_CFG0, tmp);
5430                 }
5431         }
5432
5433         /* select 20MHz bandwidth */
5434         run_rt3070_rf_read(sc, 31, &rf);
5435         run_rt3070_rf_write(sc, 31, rf & ~0x20);
5436
5437         /* calibrate filter for 20MHz bandwidth */
5438         sc->rf24_20mhz = 0x1f;  /* default value */
5439         target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5440         run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5441
5442         /* select 40MHz bandwidth */
5443         run_bbp_read(sc, 4, &bbp4);
5444         run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5445         run_rt3070_rf_read(sc, 31, &rf);
5446         run_rt3070_rf_write(sc, 31, rf | 0x20);
5447
5448         /* calibrate filter for 40MHz bandwidth */
5449         sc->rf24_40mhz = 0x2f;  /* default value */
5450         target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5451         run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5452
5453         /* go back to 20MHz bandwidth */
5454         run_bbp_read(sc, 4, &bbp4);
5455         run_bbp_write(sc, 4, bbp4 & ~0x18);
5456
5457         if (sc->mac_ver == 0x3572) {
5458                 /* save default BBP registers 25 and 26 values */
5459                 run_bbp_read(sc, 25, &sc->bbp25);
5460                 run_bbp_read(sc, 26, &sc->bbp26);
5461         } else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5462                 run_rt3070_rf_write(sc, 27, 0x03);
5463
5464         run_read(sc, RT3070_OPT_14, &tmp);
5465         run_write(sc, RT3070_OPT_14, tmp | 1);
5466
5467         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5468                 run_rt3070_rf_read(sc, 17, &rf);
5469                 rf &= ~RT3070_TX_LO1;
5470                 if ((sc->mac_ver == 0x3070 ||
5471                      (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5472                     !sc->ext_2ghz_lna)
5473                         rf |= 0x20;     /* fix for long range Rx issue */
5474                 mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5475                 if (sc->txmixgain_2ghz >= mingain)
5476                         rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5477                 run_rt3070_rf_write(sc, 17, rf);
5478         }
5479
5480         if (sc->mac_rev == 0x3071) {
5481                 run_rt3070_rf_read(sc, 1, &rf);
5482                 rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5483                 rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5484                 run_rt3070_rf_write(sc, 1, rf);
5485
5486                 run_rt3070_rf_read(sc, 15, &rf);
5487                 run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5488
5489                 run_rt3070_rf_read(sc, 20, &rf);
5490                 run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5491
5492                 run_rt3070_rf_read(sc, 21, &rf);
5493                 run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5494         }
5495
5496         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5497                 /* fix Tx to Rx IQ glitch by raising RF voltage */
5498                 run_rt3070_rf_read(sc, 27, &rf);
5499                 rf &= ~0x77;
5500                 if (sc->mac_rev < 0x0211)
5501                         rf |= 0x03;
5502                 run_rt3070_rf_write(sc, 27, rf);
5503         }
5504         return (0);
5505 }
5506
5507 static void
5508 run_rt3593_rf_init(struct run_softc *sc)
5509 {
5510         uint32_t tmp;
5511         uint8_t rf;
5512         int i;
5513
5514         /* Disable the GPIO bits 4 and 7 for LNA PE control. */
5515         run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5516         tmp &= ~(1 << 4 | 1 << 7);
5517         run_write(sc, RT3070_GPIO_SWITCH, tmp);
5518
5519         /* Initialize RF registers to default value. */
5520         for (i = 0; i < nitems(rt3593_def_rf); i++) {
5521                 run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5522                     rt3593_def_rf[i].val);
5523         }
5524
5525         /* Toggle RF R2 to initiate calibration. */
5526         run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5527
5528         /* Initialize RF frequency offset. */
5529         run_adjust_freq_offset(sc);
5530
5531         run_rt3070_rf_read(sc, 18, &rf);
5532         run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5533
5534         /*
5535          * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5536          * decrease voltage back to 1.2V.
5537          */
5538         run_read(sc, RT3070_LDO_CFG0, &tmp);
5539         tmp = (tmp & ~0x1f000000) | 0x0d000000;
5540         run_write(sc, RT3070_LDO_CFG0, tmp);
5541         run_delay(sc, 1);
5542         tmp = (tmp & ~0x1f000000) | 0x01000000;
5543         run_write(sc, RT3070_LDO_CFG0, tmp);
5544
5545         sc->rf24_20mhz = 0x1f;
5546         sc->rf24_40mhz = 0x2f;
5547
5548         /* Save default BBP registers 25 and 26 values. */
5549         run_bbp_read(sc, 25, &sc->bbp25);
5550         run_bbp_read(sc, 26, &sc->bbp26);
5551
5552         run_read(sc, RT3070_OPT_14, &tmp);
5553         run_write(sc, RT3070_OPT_14, tmp | 1);
5554 }
5555
5556 static void
5557 run_rt5390_rf_init(struct run_softc *sc)
5558 {
5559         uint32_t tmp;
5560         uint8_t rf;
5561         int i;
5562
5563         /* Toggle RF R2 to initiate calibration. */
5564         if (sc->mac_ver == 0x5390) {
5565                 run_rt3070_rf_read(sc, 2, &rf);
5566                 run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5567                 run_delay(sc, 10);
5568                 run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5569         } else {
5570                 run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5571                 run_delay(sc, 10);
5572         }
5573
5574         /* Initialize RF registers to default value. */
5575         if (sc->mac_ver == 0x5592) {
5576                 for (i = 0; i < nitems(rt5592_def_rf); i++) {
5577                         run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5578                             rt5592_def_rf[i].val);
5579                 }
5580                 /* Initialize RF frequency offset. */
5581                 run_adjust_freq_offset(sc);
5582         } else if (sc->mac_ver == 0x5392) {
5583                 for (i = 0; i < nitems(rt5392_def_rf); i++) {
5584                         run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5585                             rt5392_def_rf[i].val);
5586                 }
5587                 if (sc->mac_rev >= 0x0223) {
5588                         run_rt3070_rf_write(sc, 23, 0x0f);
5589                         run_rt3070_rf_write(sc, 24, 0x3e);
5590                         run_rt3070_rf_write(sc, 51, 0x32);
5591                         run_rt3070_rf_write(sc, 53, 0x22);
5592                         run_rt3070_rf_write(sc, 56, 0xc1);
5593                         run_rt3070_rf_write(sc, 59, 0x0f);
5594                 }
5595         } else {
5596                 for (i = 0; i < nitems(rt5390_def_rf); i++) {
5597                         run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5598                             rt5390_def_rf[i].val);
5599                 }
5600                 if (sc->mac_rev >= 0x0502) {
5601                         run_rt3070_rf_write(sc, 6, 0xe0);
5602                         run_rt3070_rf_write(sc, 25, 0x80);
5603                         run_rt3070_rf_write(sc, 46, 0x73);
5604                         run_rt3070_rf_write(sc, 53, 0x00);
5605                         run_rt3070_rf_write(sc, 56, 0x42);
5606                         run_rt3070_rf_write(sc, 61, 0xd1);
5607                 }
5608         }
5609
5610         sc->rf24_20mhz = 0x1f;  /* default value */
5611         sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5612
5613         if (sc->mac_rev < 0x0211)
5614                 run_rt3070_rf_write(sc, 27, 0x3);
5615
5616         run_read(sc, RT3070_OPT_14, &tmp);
5617         run_write(sc, RT3070_OPT_14, tmp | 1);
5618 }
5619
5620 static int
5621 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5622     uint8_t *val)
5623 {
5624         uint8_t rf22, rf24;
5625         uint8_t bbp55_pb, bbp55_sb, delta;
5626         int ntries;
5627
5628         /* program filter */
5629         run_rt3070_rf_read(sc, 24, &rf24);
5630         rf24 = (rf24 & 0xc0) | init;    /* initial filter value */
5631         run_rt3070_rf_write(sc, 24, rf24);
5632
5633         /* enable baseband loopback mode */
5634         run_rt3070_rf_read(sc, 22, &rf22);
5635         run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5636
5637         /* set power and frequency of passband test tone */
5638         run_bbp_write(sc, 24, 0x00);
5639         for (ntries = 0; ntries < 100; ntries++) {
5640                 /* transmit test tone */
5641                 run_bbp_write(sc, 25, 0x90);
5642                 run_delay(sc, 10);
5643                 /* read received power */
5644                 run_bbp_read(sc, 55, &bbp55_pb);
5645                 if (bbp55_pb != 0)
5646                         break;
5647         }
5648         if (ntries == 100)
5649                 return (ETIMEDOUT);
5650
5651         /* set power and frequency of stopband test tone */
5652         run_bbp_write(sc, 24, 0x06);
5653         for (ntries = 0; ntries < 100; ntries++) {
5654                 /* transmit test tone */
5655                 run_bbp_write(sc, 25, 0x90);
5656                 run_delay(sc, 10);
5657                 /* read received power */
5658                 run_bbp_read(sc, 55, &bbp55_sb);
5659
5660                 delta = bbp55_pb - bbp55_sb;
5661                 if (delta > target)
5662                         break;
5663
5664                 /* reprogram filter */
5665                 rf24++;
5666                 run_rt3070_rf_write(sc, 24, rf24);
5667         }
5668         if (ntries < 100) {
5669                 if (rf24 != init)
5670                         rf24--; /* backtrack */
5671                 *val = rf24;
5672                 run_rt3070_rf_write(sc, 24, rf24);
5673         }
5674
5675         /* restore initial state */
5676         run_bbp_write(sc, 24, 0x00);
5677
5678         /* disable baseband loopback mode */
5679         run_rt3070_rf_read(sc, 22, &rf22);
5680         run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5681
5682         return (0);
5683 }
5684
5685 static void
5686 run_rt3070_rf_setup(struct run_softc *sc)
5687 {
5688         uint8_t bbp, rf;
5689         int i;
5690
5691         if (sc->mac_ver == 0x3572) {
5692                 /* enable DC filter */
5693                 if (sc->mac_rev >= 0x0201)
5694                         run_bbp_write(sc, 103, 0xc0);
5695
5696                 run_bbp_read(sc, 138, &bbp);
5697                 if (sc->ntxchains == 1)
5698                         bbp |= 0x20;    /* turn off DAC1 */
5699                 if (sc->nrxchains == 1)
5700                         bbp &= ~0x02;   /* turn off ADC1 */
5701                 run_bbp_write(sc, 138, bbp);
5702
5703                 if (sc->mac_rev >= 0x0211) {
5704                         /* improve power consumption */
5705                         run_bbp_read(sc, 31, &bbp);
5706                         run_bbp_write(sc, 31, bbp & ~0x03);
5707                 }
5708
5709                 run_rt3070_rf_read(sc, 16, &rf);
5710                 rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5711                 run_rt3070_rf_write(sc, 16, rf);
5712
5713         } else if (sc->mac_ver == 0x3071) {
5714                 if (sc->mac_rev >= 0x0211) {
5715                         /* enable DC filter */
5716                         run_bbp_write(sc, 103, 0xc0);
5717
5718                         /* improve power consumption */
5719                         run_bbp_read(sc, 31, &bbp);
5720                         run_bbp_write(sc, 31, bbp & ~0x03);
5721                 }
5722
5723                 run_bbp_read(sc, 138, &bbp);
5724                 if (sc->ntxchains == 1)
5725                         bbp |= 0x20;    /* turn off DAC1 */
5726                 if (sc->nrxchains == 1)
5727                         bbp &= ~0x02;   /* turn off ADC1 */
5728                 run_bbp_write(sc, 138, bbp);
5729
5730                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5731                 if (sc->mac_rev < 0x0211) {
5732                         run_write(sc, RT2860_TX_SW_CFG2,
5733                             sc->patch_dac ? 0x2c : 0x0f);
5734                 } else
5735                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5736
5737         } else if (sc->mac_ver == 0x3070) {
5738                 if (sc->mac_rev >= 0x0201) {
5739                         /* enable DC filter */
5740                         run_bbp_write(sc, 103, 0xc0);
5741
5742                         /* improve power consumption */
5743                         run_bbp_read(sc, 31, &bbp);
5744                         run_bbp_write(sc, 31, bbp & ~0x03);
5745                 }
5746
5747                 if (sc->mac_rev < 0x0201) {
5748                         run_write(sc, RT2860_TX_SW_CFG1, 0);
5749                         run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5750                 } else
5751                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5752         }
5753
5754         /* initialize RF registers from ROM for >=RT3071*/
5755         if (sc->mac_ver >= 0x3071) {
5756                 for (i = 0; i < 10; i++) {
5757                         if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5758                                 continue;
5759                         run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5760                 }
5761         }
5762 }
5763
5764 static void
5765 run_rt3593_rf_setup(struct run_softc *sc)
5766 {
5767         uint8_t bbp, rf;
5768
5769         if (sc->mac_rev >= 0x0211) {
5770                 /* Enable DC filter. */
5771                 run_bbp_write(sc, 103, 0xc0);
5772         }
5773         run_write(sc, RT2860_TX_SW_CFG1, 0);
5774         if (sc->mac_rev < 0x0211) {
5775                 run_write(sc, RT2860_TX_SW_CFG2,
5776                     sc->patch_dac ? 0x2c : 0x0f);
5777         } else
5778                 run_write(sc, RT2860_TX_SW_CFG2, 0);
5779
5780         run_rt3070_rf_read(sc, 50, &rf);
5781         run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5782
5783         run_rt3070_rf_read(sc, 51, &rf);
5784         rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5785             ((sc->txmixgain_2ghz & 0x07) << 2);
5786         run_rt3070_rf_write(sc, 51, rf);
5787
5788         run_rt3070_rf_read(sc, 38, &rf);
5789         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5790
5791         run_rt3070_rf_read(sc, 39, &rf);
5792         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5793
5794         run_rt3070_rf_read(sc, 1, &rf);
5795         run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5796
5797         run_rt3070_rf_read(sc, 30, &rf);
5798         rf = (rf & ~0x18) | 0x10;
5799         run_rt3070_rf_write(sc, 30, rf);
5800
5801         /* Apply maximum likelihood detection for 2 stream case. */
5802         run_bbp_read(sc, 105, &bbp);
5803         if (sc->nrxchains > 1)
5804                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5805
5806         /* Avoid data lost and CRC error. */
5807         run_bbp_read(sc, 4, &bbp);
5808         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5809
5810         run_bbp_write(sc, 92, 0x02);
5811         run_bbp_write(sc, 82, 0x82);
5812         run_bbp_write(sc, 106, 0x05);
5813         run_bbp_write(sc, 104, 0x92);
5814         run_bbp_write(sc, 88, 0x90);
5815         run_bbp_write(sc, 148, 0xc8);
5816         run_bbp_write(sc, 47, 0x48);
5817         run_bbp_write(sc, 120, 0x50);
5818
5819         run_bbp_write(sc, 163, 0x9d);
5820
5821         /* SNR mapping. */
5822         run_bbp_write(sc, 142, 0x06);
5823         run_bbp_write(sc, 143, 0xa0);
5824         run_bbp_write(sc, 142, 0x07);
5825         run_bbp_write(sc, 143, 0xa1);
5826         run_bbp_write(sc, 142, 0x08);
5827         run_bbp_write(sc, 143, 0xa2);
5828
5829         run_bbp_write(sc, 31, 0x08);
5830         run_bbp_write(sc, 68, 0x0b);
5831         run_bbp_write(sc, 105, 0x04);
5832 }
5833
5834 static void
5835 run_rt5390_rf_setup(struct run_softc *sc)
5836 {
5837         uint8_t bbp, rf;
5838
5839         if (sc->mac_rev >= 0x0211) {
5840                 /* Enable DC filter. */
5841                 run_bbp_write(sc, 103, 0xc0);
5842
5843                 if (sc->mac_ver != 0x5592) {
5844                         /* Improve power consumption. */
5845                         run_bbp_read(sc, 31, &bbp);
5846                         run_bbp_write(sc, 31, bbp & ~0x03);
5847                 }
5848         }
5849
5850         run_bbp_read(sc, 138, &bbp);
5851         if (sc->ntxchains == 1)
5852                 bbp |= 0x20;    /* turn off DAC1 */
5853         if (sc->nrxchains == 1)
5854                 bbp &= ~0x02;   /* turn off ADC1 */
5855         run_bbp_write(sc, 138, bbp);
5856
5857         run_rt3070_rf_read(sc, 38, &rf);
5858         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5859
5860         run_rt3070_rf_read(sc, 39, &rf);
5861         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5862
5863         /* Avoid data lost and CRC error. */
5864         run_bbp_read(sc, 4, &bbp);
5865         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5866
5867         run_rt3070_rf_read(sc, 30, &rf);
5868         rf = (rf & ~0x18) | 0x10;
5869         run_rt3070_rf_write(sc, 30, rf);
5870
5871         if (sc->mac_ver != 0x5592) {
5872                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5873                 if (sc->mac_rev < 0x0211) {
5874                         run_write(sc, RT2860_TX_SW_CFG2,
5875                             sc->patch_dac ? 0x2c : 0x0f);
5876                 } else
5877                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5878         }
5879 }
5880
5881 static int
5882 run_txrx_enable(struct run_softc *sc)
5883 {
5884         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5885         uint32_t tmp;
5886         int error, ntries;
5887
5888         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5889         for (ntries = 0; ntries < 200; ntries++) {
5890                 if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5891                         return (error);
5892                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5893                         break;
5894                 run_delay(sc, 50);
5895         }
5896         if (ntries == 200)
5897                 return (ETIMEDOUT);
5898
5899         run_delay(sc, 50);
5900
5901         tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5902         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5903
5904         /* enable Rx bulk aggregation (set timeout and limit) */
5905         tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5906             RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5907         run_write(sc, RT2860_USB_DMA_CFG, tmp);
5908
5909         /* set Rx filter */
5910         tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5911         if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5912                 tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5913                     RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5914                     RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5915                     RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5916                 if (ic->ic_opmode == IEEE80211_M_STA)
5917                         tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5918         }
5919         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5920
5921         run_write(sc, RT2860_MAC_SYS_CTRL,
5922             RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5923
5924         return (0);
5925 }
5926
5927 static void
5928 run_adjust_freq_offset(struct run_softc *sc)
5929 {
5930         uint8_t rf, tmp;
5931
5932         run_rt3070_rf_read(sc, 17, &rf);
5933         tmp = rf;
5934         rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5935         rf = MIN(rf, 0x5f);
5936
5937         if (tmp != rf)
5938                 run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5939 }
5940
5941 static void
5942 run_init_locked(struct run_softc *sc)
5943 {
5944         struct ifnet *ifp = sc->sc_ifp;
5945         struct ieee80211com *ic = ifp->if_l2com;
5946         uint32_t tmp;
5947         uint8_t bbp1, bbp3;
5948         int i;
5949         int ridx;
5950         int ntries;
5951
5952         if (ic->ic_nrunning > 1)
5953                 return;
5954
5955         run_stop(sc);
5956
5957         if (run_load_microcode(sc) != 0) {
5958                 device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5959                 goto fail;
5960         }
5961
5962         for (ntries = 0; ntries < 100; ntries++) {
5963                 if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5964                         goto fail;
5965                 if (tmp != 0 && tmp != 0xffffffff)
5966                         break;
5967                 run_delay(sc, 10);
5968         }
5969         if (ntries == 100)
5970                 goto fail;
5971
5972         for (i = 0; i != RUN_EP_QUEUES; i++)
5973                 run_setup_tx_list(sc, &sc->sc_epq[i]);
5974
5975         run_set_macaddr(sc, IF_LLADDR(ifp));
5976
5977         for (ntries = 0; ntries < 100; ntries++) {
5978                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5979                         goto fail;
5980                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5981                         break;
5982                 run_delay(sc, 10);
5983         }
5984         if (ntries == 100) {
5985                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5986                 goto fail;
5987         }
5988         tmp &= 0xff0;
5989         tmp |= RT2860_TX_WB_DDONE;
5990         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5991
5992         /* turn off PME_OEN to solve high-current issue */
5993         run_read(sc, RT2860_SYS_CTRL, &tmp);
5994         run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5995
5996         run_write(sc, RT2860_MAC_SYS_CTRL,
5997             RT2860_BBP_HRST | RT2860_MAC_SRST);
5998         run_write(sc, RT2860_USB_DMA_CFG, 0);
5999
6000         if (run_reset(sc) != 0) {
6001                 device_printf(sc->sc_dev, "could not reset chipset\n");
6002                 goto fail;
6003         }
6004
6005         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6006
6007         /* init Tx power for all Tx rates (from EEPROM) */
6008         for (ridx = 0; ridx < 5; ridx++) {
6009                 if (sc->txpow20mhz[ridx] == 0xffffffff)
6010                         continue;
6011                 run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6012         }
6013
6014         for (i = 0; i < nitems(rt2870_def_mac); i++)
6015                 run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6016         run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6017         run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6018         run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6019
6020         if (sc->mac_ver >= 0x5390) {
6021                 run_write(sc, RT2860_TX_SW_CFG0,
6022                     4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6023                 if (sc->mac_ver >= 0x5392) {
6024                         run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6025                         if (sc->mac_ver == 0x5592) {
6026                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6027                                 run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6028                         } else {
6029                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6030                                 run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6031                         }
6032                 }
6033         } else if (sc->mac_ver == 0x3593) {
6034                 run_write(sc, RT2860_TX_SW_CFG0,
6035                     4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6036         } else if (sc->mac_ver >= 0x3070) {
6037                 /* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6038                 run_write(sc, RT2860_TX_SW_CFG0,
6039                     4 << RT2860_DLY_PAPE_EN_SHIFT);
6040         }
6041
6042         /* wait while MAC is busy */
6043         for (ntries = 0; ntries < 100; ntries++) {
6044                 if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6045                         goto fail;
6046                 if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6047                         break;
6048                 run_delay(sc, 10);
6049         }
6050         if (ntries == 100)
6051                 goto fail;
6052
6053         /* clear Host to MCU mailbox */
6054         run_write(sc, RT2860_H2M_BBPAGENT, 0);
6055         run_write(sc, RT2860_H2M_MAILBOX, 0);
6056         run_delay(sc, 10);
6057
6058         if (run_bbp_init(sc) != 0) {
6059                 device_printf(sc->sc_dev, "could not initialize BBP\n");
6060                 goto fail;
6061         }
6062
6063         /* abort TSF synchronization */
6064         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6065         tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6066             RT2860_TBTT_TIMER_EN);
6067         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6068
6069         /* clear RX WCID search table */
6070         run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6071         /* clear WCID attribute table */
6072         run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6073
6074         /* hostapd sets a key before init. So, don't clear it. */
6075         if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6076                 /* clear shared key table */
6077                 run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6078                 /* clear shared key mode */
6079                 run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6080         }
6081
6082         run_read(sc, RT2860_US_CYC_CNT, &tmp);
6083         tmp = (tmp & ~0xff) | 0x1e;
6084         run_write(sc, RT2860_US_CYC_CNT, tmp);
6085
6086         if (sc->mac_rev != 0x0101)
6087                 run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6088
6089         run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6090         run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6091
6092         /* write vendor-specific BBP values (from EEPROM) */
6093         if (sc->mac_ver < 0x3593) {
6094                 for (i = 0; i < 10; i++) {
6095                         if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6096                                 continue;
6097                         run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6098                 }
6099         }
6100
6101         /* select Main antenna for 1T1R devices */
6102         if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6103                 run_set_rx_antenna(sc, 0);
6104
6105         /* send LEDs operating mode to microcontroller */
6106         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6107         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6108         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6109
6110         if (sc->mac_ver >= 0x5390)
6111                 run_rt5390_rf_init(sc);
6112         else if (sc->mac_ver == 0x3593)
6113                 run_rt3593_rf_init(sc);
6114         else if (sc->mac_ver >= 0x3070)
6115                 run_rt3070_rf_init(sc);
6116
6117         /* disable non-existing Rx chains */
6118         run_bbp_read(sc, 3, &bbp3);
6119         bbp3 &= ~(1 << 3 | 1 << 4);
6120         if (sc->nrxchains == 2)
6121                 bbp3 |= 1 << 3;
6122         else if (sc->nrxchains == 3)
6123                 bbp3 |= 1 << 4;
6124         run_bbp_write(sc, 3, bbp3);
6125
6126         /* disable non-existing Tx chains */
6127         run_bbp_read(sc, 1, &bbp1);
6128         if (sc->ntxchains == 1)
6129                 bbp1 &= ~(1 << 3 | 1 << 4);
6130         run_bbp_write(sc, 1, bbp1);
6131
6132         if (sc->mac_ver >= 0x5390)
6133                 run_rt5390_rf_setup(sc);
6134         else if (sc->mac_ver == 0x3593)
6135                 run_rt3593_rf_setup(sc);
6136         else if (sc->mac_ver >= 0x3070)
6137                 run_rt3070_rf_setup(sc);
6138
6139         /* select default channel */
6140         run_set_chan(sc, ic->ic_curchan);
6141
6142         /* setup initial protection mode */
6143         run_updateprot_cb(ic);
6144
6145         /* turn radio LED on */
6146         run_set_leds(sc, RT2860_LED_RADIO);
6147
6148         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6149         ifp->if_drv_flags |= IFF_DRV_RUNNING;
6150         sc->cmdq_run = RUN_CMDQ_GO;
6151
6152         for (i = 0; i != RUN_N_XFER; i++)
6153                 usbd_xfer_set_stall(sc->sc_xfer[i]);
6154
6155         usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6156
6157         if (run_txrx_enable(sc) != 0)
6158                 goto fail;
6159
6160         return;
6161
6162 fail:
6163         run_stop(sc);
6164 }
6165
6166 static void
6167 run_init(void *arg)
6168 {
6169         struct run_softc *sc = arg;
6170         struct ifnet *ifp = sc->sc_ifp;
6171         struct ieee80211com *ic = ifp->if_l2com;
6172
6173         RUN_LOCK(sc);
6174         run_init_locked(sc);
6175         RUN_UNLOCK(sc);
6176
6177         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6178                 ieee80211_start_all(ic);
6179 }
6180
6181 static void
6182 run_stop(void *arg)
6183 {
6184         struct run_softc *sc = (struct run_softc *)arg;
6185         struct ifnet *ifp = sc->sc_ifp;
6186         uint32_t tmp;
6187         int i;
6188         int ntries;
6189
6190         RUN_LOCK_ASSERT(sc, MA_OWNED);
6191
6192         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6193                 run_set_leds(sc, 0);    /* turn all LEDs off */
6194
6195         ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6196
6197         sc->ratectl_run = RUN_RATECTL_OFF;
6198         sc->cmdq_run = sc->cmdq_key_set;
6199
6200         RUN_UNLOCK(sc);
6201
6202         for(i = 0; i < RUN_N_XFER; i++)
6203                 usbd_transfer_drain(sc->sc_xfer[i]);
6204
6205         RUN_LOCK(sc);
6206
6207         if (sc->rx_m != NULL) {
6208                 m_free(sc->rx_m);
6209                 sc->rx_m = NULL;
6210         }
6211
6212         /* Disable Tx/Rx DMA. */
6213         if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6214                 return;
6215         tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6216         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6217
6218         for (ntries = 0; ntries < 100; ntries++) {
6219                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6220                         return;
6221                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6222                                 break;
6223                 run_delay(sc, 10);
6224         }
6225         if (ntries == 100) {
6226                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6227                 return;
6228         }
6229
6230         /* disable Tx/Rx */
6231         run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6232         tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6233         run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6234
6235         /* wait for pending Tx to complete */
6236         for (ntries = 0; ntries < 100; ntries++) {
6237                 if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6238                         DPRINTF("Cannot read Tx queue count\n");
6239                         break;
6240                 }
6241                 if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6242                         DPRINTF("All Tx cleared\n");
6243                         break;
6244                 }
6245                 run_delay(sc, 10);
6246         }
6247         if (ntries >= 100)
6248                 DPRINTF("There are still pending Tx\n");
6249         run_delay(sc, 10);
6250         run_write(sc, RT2860_USB_DMA_CFG, 0);
6251
6252         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6253         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6254
6255         for (i = 0; i != RUN_EP_QUEUES; i++)
6256                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6257 }
6258
6259 static void
6260 run_delay(struct run_softc *sc, u_int ms)
6261 {
6262         usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6263             &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6264 }
6265
6266 static device_method_t run_methods[] = {
6267         /* Device interface */
6268         DEVMETHOD(device_probe,         run_match),
6269         DEVMETHOD(device_attach,        run_attach),
6270         DEVMETHOD(device_detach,        run_detach),
6271         DEVMETHOD_END
6272 };
6273
6274 static driver_t run_driver = {
6275         .name = "run",
6276         .methods = run_methods,
6277         .size = sizeof(struct run_softc)
6278 };
6279
6280 static devclass_t run_devclass;
6281
6282 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6283 MODULE_DEPEND(run, wlan, 1, 1, 1);
6284 MODULE_DEPEND(run, usb, 1, 1, 1);
6285 MODULE_DEPEND(run, firmware, 1, 1, 1);
6286 MODULE_VERSION(run, 1);