]> CyberLeo.Net >> Repos - FreeBSD/stable/10.git/blob - sys/dev/usb/wlan/if_run.c
projects / FreeBSD / stable / 10.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
MFC r267089:
[FreeBSD/stable/10.git] / sys / dev / usb / wlan / if_run.c
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_arp.h>
52 #include <net/ethernet.h>
53 #include <net/if_dl.h>
54 #include <net/if_media.h>
55 #include <net/if_types.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/if_ether.h>
61 #include <netinet/ip.h>
62
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_regdomain.h>
65 #include <net80211/ieee80211_radiotap.h>
66 #include <net80211/ieee80211_ratectl.h>
67
68 #include <dev/usb/usb.h>
69 #include <dev/usb/usbdi.h>
70 #include "usbdevs.h"
71
72 #define USB_DEBUG_VAR   run_debug
73 #include <dev/usb/usb_debug.h>
74 #include <dev/usb/usb_msctest.h>
75
76 #include <dev/usb/wlan/if_runreg.h>
77 #include <dev/usb/wlan/if_runvar.h>
78
79 #ifdef  USB_DEBUG
80 #define RUN_DEBUG
81 #endif
82
83 #ifdef  RUN_DEBUG
84 int run_debug = 0;
85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
86 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
87     "run debug level");
88 #endif
89
90 #define IEEE80211_HAS_ADDR4(wh) \
91         (((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
92
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define RUN_CMDQ_GET(c) (atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define RUN_DEV(v,p)    { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101 #define RUN_DEV_EJECT(v,p)      \
102         { USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
103 #define RUN_EJECT       1
104     RUN_DEV(ABOCOM,             RT2770),
105     RUN_DEV(ABOCOM,             RT2870),
106     RUN_DEV(ABOCOM,             RT3070),
107     RUN_DEV(ABOCOM,             RT3071),
108     RUN_DEV(ABOCOM,             RT3072),
109     RUN_DEV(ABOCOM2,            RT2870_1),
110     RUN_DEV(ACCTON,             RT2770),
111     RUN_DEV(ACCTON,             RT2870_1),
112     RUN_DEV(ACCTON,             RT2870_2),
113     RUN_DEV(ACCTON,             RT2870_3),
114     RUN_DEV(ACCTON,             RT2870_4),
115     RUN_DEV(ACCTON,             RT2870_5),
116     RUN_DEV(ACCTON,             RT3070),
117     RUN_DEV(ACCTON,             RT3070_1),
118     RUN_DEV(ACCTON,             RT3070_2),
119     RUN_DEV(ACCTON,             RT3070_3),
120     RUN_DEV(ACCTON,             RT3070_4),
121     RUN_DEV(ACCTON,             RT3070_5),
122     RUN_DEV(AIRTIES,            RT3070),
123     RUN_DEV(ALLWIN,             RT2070),
124     RUN_DEV(ALLWIN,             RT2770),
125     RUN_DEV(ALLWIN,             RT2870),
126     RUN_DEV(ALLWIN,             RT3070),
127     RUN_DEV(ALLWIN,             RT3071),
128     RUN_DEV(ALLWIN,             RT3072),
129     RUN_DEV(ALLWIN,             RT3572),
130     RUN_DEV(AMIGO,              RT2870_1),
131     RUN_DEV(AMIGO,              RT2870_2),
132     RUN_DEV(AMIT,               CGWLUSB2GNR),
133     RUN_DEV(AMIT,               RT2870_1),
134     RUN_DEV(AMIT2,              RT2870),
135     RUN_DEV(ASUS,               RT2870_1),
136     RUN_DEV(ASUS,               RT2870_2),
137     RUN_DEV(ASUS,               RT2870_3),
138     RUN_DEV(ASUS,               RT2870_4),
139     RUN_DEV(ASUS,               RT2870_5),
140     RUN_DEV(ASUS,               USBN13),
141     RUN_DEV(ASUS,               RT3070_1),
142     RUN_DEV(ASUS,               USBN66),
143     RUN_DEV(ASUS,               USB_N53),
144     RUN_DEV(ASUS2,              USBN11),
145     RUN_DEV(AZUREWAVE,          RT2870_1),
146     RUN_DEV(AZUREWAVE,          RT2870_2),
147     RUN_DEV(AZUREWAVE,          RT3070_1),
148     RUN_DEV(AZUREWAVE,          RT3070_2),
149     RUN_DEV(AZUREWAVE,          RT3070_3),
150     RUN_DEV(BELKIN,             F9L1103),
151     RUN_DEV(BELKIN,             F5D8053V3),
152     RUN_DEV(BELKIN,             F5D8055),
153     RUN_DEV(BELKIN,             F5D8055V2),
154     RUN_DEV(BELKIN,             F6D4050V1),
155     RUN_DEV(BELKIN,             F6D4050V2),
156     RUN_DEV(BELKIN,             RT2870_1),
157     RUN_DEV(BELKIN,             RT2870_2),
158     RUN_DEV(CISCOLINKSYS,       AE1000),
159     RUN_DEV(CISCOLINKSYS2,      RT3070),
160     RUN_DEV(CISCOLINKSYS3,      RT3070),
161     RUN_DEV(CONCEPTRONIC2,      RT2870_1),
162     RUN_DEV(CONCEPTRONIC2,      RT2870_2),
163     RUN_DEV(CONCEPTRONIC2,      RT2870_3),
164     RUN_DEV(CONCEPTRONIC2,      RT2870_4),
165     RUN_DEV(CONCEPTRONIC2,      RT2870_5),
166     RUN_DEV(CONCEPTRONIC2,      RT2870_6),
167     RUN_DEV(CONCEPTRONIC2,      RT2870_7),
168     RUN_DEV(CONCEPTRONIC2,      RT2870_8),
169     RUN_DEV(CONCEPTRONIC2,      RT3070_1),
170     RUN_DEV(CONCEPTRONIC2,      RT3070_2),
171     RUN_DEV(CONCEPTRONIC2,      VIGORN61),
172     RUN_DEV(COREGA,             CGWLUSB300GNM),
173     RUN_DEV(COREGA,             RT2870_1),
174     RUN_DEV(COREGA,             RT2870_2),
175     RUN_DEV(COREGA,             RT2870_3),
176     RUN_DEV(COREGA,             RT3070),
177     RUN_DEV(CYBERTAN,           RT2870),
178     RUN_DEV(DLINK,              RT2870),
179     RUN_DEV(DLINK,              RT3072),
180     RUN_DEV(DLINK,              DWA127),
181     RUN_DEV(DLINK,              DWA140B3),
182     RUN_DEV(DLINK,              DWA160B2),
183     RUN_DEV(DLINK,              DWA140D1),
184     RUN_DEV(DLINK,              DWA162),
185     RUN_DEV(DLINK2,             DWA130),
186     RUN_DEV(DLINK2,             RT2870_1),
187     RUN_DEV(DLINK2,             RT2870_2),
188     RUN_DEV(DLINK2,             RT3070_1),
189     RUN_DEV(DLINK2,             RT3070_2),
190     RUN_DEV(DLINK2,             RT3070_3),
191     RUN_DEV(DLINK2,             RT3070_4),
192     RUN_DEV(DLINK2,             RT3070_5),
193     RUN_DEV(DLINK2,             RT3072),
194     RUN_DEV(DLINK2,             RT3072_1),
195     RUN_DEV(EDIMAX,             EW7717),
196     RUN_DEV(EDIMAX,             EW7718),
197     RUN_DEV(EDIMAX,             EW7733UND),
198     RUN_DEV(EDIMAX,             RT2870_1),
199     RUN_DEV(ENCORE,             RT3070_1),
200     RUN_DEV(ENCORE,             RT3070_2),
201     RUN_DEV(ENCORE,             RT3070_3),
202     RUN_DEV(GIGABYTE,           GNWB31N),
203     RUN_DEV(GIGABYTE,           GNWB32L),
204     RUN_DEV(GIGABYTE,           RT2870_1),
205     RUN_DEV(GIGASET,            RT3070_1),
206     RUN_DEV(GIGASET,            RT3070_2),
207     RUN_DEV(GUILLEMOT,          HWNU300),
208     RUN_DEV(HAWKING,            HWUN2),
209     RUN_DEV(HAWKING,            RT2870_1),
210     RUN_DEV(HAWKING,            RT2870_2),
211     RUN_DEV(HAWKING,            RT3070),
212     RUN_DEV(IODATA,             RT3072_1),
213     RUN_DEV(IODATA,             RT3072_2),
214     RUN_DEV(IODATA,             RT3072_3),
215     RUN_DEV(IODATA,             RT3072_4),
216     RUN_DEV(LINKSYS4,           RT3070),
217     RUN_DEV(LINKSYS4,           WUSB100),
218     RUN_DEV(LINKSYS4,           WUSB54GCV3),
219     RUN_DEV(LINKSYS4,           WUSB600N),
220     RUN_DEV(LINKSYS4,           WUSB600NV2),
221     RUN_DEV(LOGITEC,            RT2870_1),
222     RUN_DEV(LOGITEC,            RT2870_2),
223     RUN_DEV(LOGITEC,            RT2870_3),
224     RUN_DEV(LOGITEC,            LANW300NU2),
225     RUN_DEV(LOGITEC,            LANW150NU2),
226     RUN_DEV(LOGITEC,            LANW300NU2S),
227     RUN_DEV(MELCO,              RT2870_1),
228     RUN_DEV(MELCO,              RT2870_2),
229     RUN_DEV(MELCO,              WLIUCAG300N),
230     RUN_DEV(MELCO,              WLIUCG300N),
231     RUN_DEV(MELCO,              WLIUCG301N),
232     RUN_DEV(MELCO,              WLIUCGN),
233     RUN_DEV(MELCO,              WLIUCGNM),
234     RUN_DEV(MELCO,              WLIUCGNM2),
235     RUN_DEV(MOTOROLA4,          RT2770),
236     RUN_DEV(MOTOROLA4,          RT3070),
237     RUN_DEV(MSI,                RT3070_1),
238     RUN_DEV(MSI,                RT3070_2),
239     RUN_DEV(MSI,                RT3070_3),
240     RUN_DEV(MSI,                RT3070_4),
241     RUN_DEV(MSI,                RT3070_5),
242     RUN_DEV(MSI,                RT3070_6),
243     RUN_DEV(MSI,                RT3070_7),
244     RUN_DEV(MSI,                RT3070_8),
245     RUN_DEV(MSI,                RT3070_9),
246     RUN_DEV(MSI,                RT3070_10),
247     RUN_DEV(MSI,                RT3070_11),
248     RUN_DEV(OVISLINK,           RT3072),
249     RUN_DEV(PARA,               RT3070),
250     RUN_DEV(PEGATRON,           RT2870),
251     RUN_DEV(PEGATRON,           RT3070),
252     RUN_DEV(PEGATRON,           RT3070_2),
253     RUN_DEV(PEGATRON,           RT3070_3),
254     RUN_DEV(PHILIPS,            RT2870),
255     RUN_DEV(PLANEX2,            GWUS300MINIS),
256     RUN_DEV(PLANEX2,            GWUSMICRON),
257     RUN_DEV(PLANEX2,            RT2870),
258     RUN_DEV(PLANEX2,            RT3070),
259     RUN_DEV(QCOM,               RT2870),
260     RUN_DEV(QUANTA,             RT3070),
261     RUN_DEV(RALINK,             RT2070),
262     RUN_DEV(RALINK,             RT2770),
263     RUN_DEV(RALINK,             RT2870),
264     RUN_DEV(RALINK,             RT3070),
265     RUN_DEV(RALINK,             RT3071),
266     RUN_DEV(RALINK,             RT3072),
267     RUN_DEV(RALINK,             RT3370),
268     RUN_DEV(RALINK,             RT3572),
269     RUN_DEV(RALINK,             RT3573),
270     RUN_DEV(RALINK,             RT5370),
271     RUN_DEV(RALINK,             RT5572),
272     RUN_DEV(RALINK,             RT8070),
273     RUN_DEV(SAMSUNG,            WIS09ABGN),
274     RUN_DEV(SAMSUNG2,           RT2870_1),
275     RUN_DEV(SENAO,              RT2870_1),
276     RUN_DEV(SENAO,              RT2870_2),
277     RUN_DEV(SENAO,              RT2870_3),
278     RUN_DEV(SENAO,              RT2870_4),
279     RUN_DEV(SENAO,              RT3070),
280     RUN_DEV(SENAO,              RT3071),
281     RUN_DEV(SENAO,              RT3072_1),
282     RUN_DEV(SENAO,              RT3072_2),
283     RUN_DEV(SENAO,              RT3072_3),
284     RUN_DEV(SENAO,              RT3072_4),
285     RUN_DEV(SENAO,              RT3072_5),
286     RUN_DEV(SITECOMEU,          RT2770),
287     RUN_DEV(SITECOMEU,          RT2870_1),
288     RUN_DEV(SITECOMEU,          RT2870_2),
289     RUN_DEV(SITECOMEU,          RT2870_3),
290     RUN_DEV(SITECOMEU,          RT2870_4),
291     RUN_DEV(SITECOMEU,          RT3070),
292     RUN_DEV(SITECOMEU,          RT3070_2),
293     RUN_DEV(SITECOMEU,          RT3070_3),
294     RUN_DEV(SITECOMEU,          RT3070_4),
295     RUN_DEV(SITECOMEU,          RT3071),
296     RUN_DEV(SITECOMEU,          RT3072_1),
297     RUN_DEV(SITECOMEU,          RT3072_2),
298     RUN_DEV(SITECOMEU,          RT3072_3),
299     RUN_DEV(SITECOMEU,          RT3072_4),
300     RUN_DEV(SITECOMEU,          RT3072_5),
301     RUN_DEV(SITECOMEU,          RT3072_6),
302     RUN_DEV(SITECOMEU,          WL608),
303     RUN_DEV(SPARKLAN,           RT2870_1),
304     RUN_DEV(SPARKLAN,           RT3070),
305     RUN_DEV(SWEEX2,             LW153),
306     RUN_DEV(SWEEX2,             LW303),
307     RUN_DEV(SWEEX2,             LW313),
308     RUN_DEV(TOSHIBA,            RT3070),
309     RUN_DEV(UMEDIA,             RT2870_1),
310     RUN_DEV(ZCOM,               RT2870_1),
311     RUN_DEV(ZCOM,               RT2870_2),
312     RUN_DEV(ZINWELL,            RT2870_1),
313     RUN_DEV(ZINWELL,            RT2870_2),
314     RUN_DEV(ZINWELL,            RT3070),
315     RUN_DEV(ZINWELL,            RT3072_1),
316     RUN_DEV(ZINWELL,            RT3072_2),
317     RUN_DEV(ZYXEL,              RT2870_1),
318     RUN_DEV(ZYXEL,              RT2870_2),
319     RUN_DEV_EJECT(ZYXEL,        NWD2705),
320     RUN_DEV_EJECT(RALINK,       RT_STOR),
321 #undef RUN_DEV_EJECT
322 #undef RUN_DEV
323 };
324
325 static device_probe_t   run_match;
326 static device_attach_t  run_attach;
327 static device_detach_t  run_detach;
328
329 static usb_callback_t   run_bulk_rx_callback;
330 static usb_callback_t   run_bulk_tx_callback0;
331 static usb_callback_t   run_bulk_tx_callback1;
332 static usb_callback_t   run_bulk_tx_callback2;
333 static usb_callback_t   run_bulk_tx_callback3;
334 static usb_callback_t   run_bulk_tx_callback4;
335 static usb_callback_t   run_bulk_tx_callback5;
336
337 static void     run_autoinst(void *, struct usb_device *,
338                     struct usb_attach_arg *);
339 static int      run_driver_loaded(struct module *, int, void *);
340 static void     run_bulk_tx_callbackN(struct usb_xfer *xfer,
341                     usb_error_t error, u_int index);
342 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
343                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
344                     const uint8_t [IEEE80211_ADDR_LEN],
345                     const uint8_t [IEEE80211_ADDR_LEN]);
346 static void     run_vap_delete(struct ieee80211vap *);
347 static void     run_cmdq_cb(void *, int);
348 static void     run_setup_tx_list(struct run_softc *,
349                     struct run_endpoint_queue *);
350 static void     run_unsetup_tx_list(struct run_softc *,
351                     struct run_endpoint_queue *);
352 static int      run_load_microcode(struct run_softc *);
353 static int      run_reset(struct run_softc *);
354 static usb_error_t run_do_request(struct run_softc *,
355                     struct usb_device_request *, void *);
356 static int      run_read(struct run_softc *, uint16_t, uint32_t *);
357 static int      run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
358 static int      run_write_2(struct run_softc *, uint16_t, uint16_t);
359 static int      run_write(struct run_softc *, uint16_t, uint32_t);
360 static int      run_write_region_1(struct run_softc *, uint16_t,
361                     const uint8_t *, int);
362 static int      run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
363 static int      run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
364 static int      run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
365 static int      run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
366 static int      run_rt2870_rf_write(struct run_softc *, uint32_t);
367 static int      run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
368 static int      run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
369 static int      run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
370 static int      run_bbp_write(struct run_softc *, uint8_t, uint8_t);
371 static int      run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
372 static const char *run_get_rf(uint16_t);
373 static void     run_rt3593_get_txpower(struct run_softc *);
374 static void     run_get_txpower(struct run_softc *);
375 static int      run_read_eeprom(struct run_softc *);
376 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
377                             const uint8_t mac[IEEE80211_ADDR_LEN]);
378 static int      run_media_change(struct ifnet *);
379 static int      run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
380 static int      run_wme_update(struct ieee80211com *);
381 static void     run_wme_update_cb(void *);
382 static void     run_key_update_begin(struct ieee80211vap *);
383 static void     run_key_update_end(struct ieee80211vap *);
384 static void     run_key_set_cb(void *);
385 static int      run_key_set(struct ieee80211vap *, struct ieee80211_key *,
386                     const uint8_t mac[IEEE80211_ADDR_LEN]);
387 static void     run_key_delete_cb(void *);
388 static int      run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
389 static void     run_ratectl_to(void *);
390 static void     run_ratectl_cb(void *, int);
391 static void     run_drain_fifo(void *);
392 static void     run_iter_func(void *, struct ieee80211_node *);
393 static void     run_newassoc_cb(void *);
394 static void     run_newassoc(struct ieee80211_node *, int);
395 static void     run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
396 static void     run_tx_free(struct run_endpoint_queue *pq,
397                     struct run_tx_data *, int);
398 static void     run_set_tx_desc(struct run_softc *, struct run_tx_data *);
399 static int      run_tx(struct run_softc *, struct mbuf *,
400                     struct ieee80211_node *);
401 static int      run_tx_mgt(struct run_softc *, struct mbuf *,
402                     struct ieee80211_node *);
403 static int      run_sendprot(struct run_softc *, const struct mbuf *,
404                     struct ieee80211_node *, int, int);
405 static int      run_tx_param(struct run_softc *, struct mbuf *,
406                     struct ieee80211_node *,
407                     const struct ieee80211_bpf_params *);
408 static int      run_raw_xmit(struct ieee80211_node *, struct mbuf *,
409                     const struct ieee80211_bpf_params *);
410 static void     run_start(struct ifnet *);
411 static int      run_ioctl(struct ifnet *, u_long, caddr_t);
412 static void     run_iq_calib(struct run_softc *, u_int);
413 static void     run_set_agc(struct run_softc *, uint8_t);
414 static void     run_select_chan_group(struct run_softc *, int);
415 static void     run_set_rx_antenna(struct run_softc *, int);
416 static void     run_rt2870_set_chan(struct run_softc *, u_int);
417 static void     run_rt3070_set_chan(struct run_softc *, u_int);
418 static void     run_rt3572_set_chan(struct run_softc *, u_int);
419 static void     run_rt3593_set_chan(struct run_softc *, u_int);
420 static void     run_rt5390_set_chan(struct run_softc *, u_int);
421 static void     run_rt5592_set_chan(struct run_softc *, u_int);
422 static int      run_set_chan(struct run_softc *, struct ieee80211_channel *);
423 static void     run_set_channel(struct ieee80211com *);
424 static void     run_scan_start(struct ieee80211com *);
425 static void     run_scan_end(struct ieee80211com *);
426 static void     run_update_beacon(struct ieee80211vap *, int);
427 static void     run_update_beacon_cb(void *);
428 static void     run_updateprot(struct ieee80211com *);
429 static void     run_updateprot_cb(void *);
430 static void     run_usb_timeout_cb(void *);
431 static void     run_reset_livelock(struct run_softc *);
432 static void     run_enable_tsf_sync(struct run_softc *);
433 static void     run_enable_mrr(struct run_softc *);
434 static void     run_set_txpreamble(struct run_softc *);
435 static void     run_set_basicrates(struct run_softc *);
436 static void     run_set_leds(struct run_softc *, uint16_t);
437 static void     run_set_bssid(struct run_softc *, const uint8_t *);
438 static void     run_set_macaddr(struct run_softc *, const uint8_t *);
439 static void     run_updateslot(struct ifnet *);
440 static void     run_updateslot_cb(void *);
441 static void     run_update_mcast(struct ifnet *);
442 static int8_t   run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
443 static void     run_update_promisc_locked(struct ifnet *);
444 static void     run_update_promisc(struct ifnet *);
445 static void     run_rt5390_bbp_init(struct run_softc *);
446 static int      run_bbp_init(struct run_softc *);
447 static int      run_rt3070_rf_init(struct run_softc *);
448 static void     run_rt3593_rf_init(struct run_softc *);
449 static void     run_rt5390_rf_init(struct run_softc *);
450 static int      run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
451                     uint8_t *);
452 static void     run_rt3070_rf_setup(struct run_softc *);
453 static void     run_rt3593_rf_setup(struct run_softc *);
454 static void     run_rt5390_rf_setup(struct run_softc *);
455 static int      run_txrx_enable(struct run_softc *);
456 static void     run_adjust_freq_offset(struct run_softc *);
457 static void     run_init(void *);
458 static void     run_init_locked(struct run_softc *);
459 static void     run_stop(void *);
460 static void     run_delay(struct run_softc *, u_int);
461
462 static eventhandler_tag run_etag;
463
464 static const struct rt2860_rate {
465         uint8_t         rate;
466         uint8_t         mcs;
467         enum            ieee80211_phytype phy;
468         uint8_t         ctl_ridx;
469         uint16_t        sp_ack_dur;
470         uint16_t        lp_ack_dur;
471 } rt2860_rates[] = {
472         {   2, 0, IEEE80211_T_DS,   0, 314, 314 },
473         {   4, 1, IEEE80211_T_DS,   1, 258, 162 },
474         {  11, 2, IEEE80211_T_DS,   2, 223, 127 },
475         {  22, 3, IEEE80211_T_DS,   3, 213, 117 },
476         {  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
477         {  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
478         {  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
479         {  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
480         {  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
481         {  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
482         {  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
483         { 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
484 };
485
486 static const struct {
487         uint16_t        reg;
488         uint32_t        val;
489 } rt2870_def_mac[] = {
490         RT2870_DEF_MAC
491 };
492
493 static const struct {
494         uint8_t reg;
495         uint8_t val;
496 } rt2860_def_bbp[] = {
497         RT2860_DEF_BBP
498 },rt5390_def_bbp[] = {
499         RT5390_DEF_BBP
500 },rt5592_def_bbp[] = {
501         RT5592_DEF_BBP
502 };
503
504 /* 
505  * Default values for BBP register R196 for RT5592.
506  */
507 static const uint8_t rt5592_bbp_r196[] = {
508         0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
509         0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
510         0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
511         0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
512         0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
513         0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
514         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
515         0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
516         0x2e, 0x36, 0x30, 0x6e
517 };
518
519 static const struct rfprog {
520         uint8_t         chan;
521         uint32_t        r1, r2, r3, r4;
522 } rt2860_rf2850[] = {
523         RT2860_RF2850
524 };
525
526 struct {
527         uint8_t n, r, k;
528 } rt3070_freqs[] = {
529         RT3070_RF3052
530 };
531
532 static const struct rt5592_freqs {
533         uint16_t        n;
534         uint8_t         k, m, r;
535 } rt5592_freqs_20mhz[] = {
536         RT5592_RF5592_20MHZ
537 },rt5592_freqs_40mhz[] = {
538         RT5592_RF5592_40MHZ
539 };
540
541 static const struct {
542         uint8_t reg;
543         uint8_t val;
544 } rt3070_def_rf[] = {
545         RT3070_DEF_RF
546 },rt3572_def_rf[] = {
547         RT3572_DEF_RF
548 },rt3593_def_rf[] = {
549         RT3593_DEF_RF
550 },rt5390_def_rf[] = {
551         RT5390_DEF_RF
552 },rt5392_def_rf[] = {
553         RT5392_DEF_RF
554 },rt5592_def_rf[] = {
555         RT5592_DEF_RF
556 },rt5592_2ghz_def_rf[] = {
557         RT5592_2GHZ_DEF_RF
558 },rt5592_5ghz_def_rf[] = {
559         RT5592_5GHZ_DEF_RF
560 };
561
562 static const struct {
563         u_int   firstchan;
564         u_int   lastchan;
565         uint8_t reg;
566         uint8_t val;
567 } rt5592_chan_5ghz[] = {
568         RT5592_CHAN_5GHZ
569 };
570
571 static const struct usb_config run_config[RUN_N_XFER] = {
572     [RUN_BULK_TX_BE] = {
573         .type = UE_BULK,
574         .endpoint = UE_ADDR_ANY,
575         .ep_index = 0,
576         .direction = UE_DIR_OUT,
577         .bufsize = RUN_MAX_TXSZ,
578         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
579         .callback = run_bulk_tx_callback0,
580         .timeout = 5000,        /* ms */
581     },
582     [RUN_BULK_TX_BK] = {
583         .type = UE_BULK,
584         .endpoint = UE_ADDR_ANY,
585         .direction = UE_DIR_OUT,
586         .ep_index = 1,
587         .bufsize = RUN_MAX_TXSZ,
588         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
589         .callback = run_bulk_tx_callback1,
590         .timeout = 5000,        /* ms */
591     },
592     [RUN_BULK_TX_VI] = {
593         .type = UE_BULK,
594         .endpoint = UE_ADDR_ANY,
595         .direction = UE_DIR_OUT,
596         .ep_index = 2,
597         .bufsize = RUN_MAX_TXSZ,
598         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
599         .callback = run_bulk_tx_callback2,
600         .timeout = 5000,        /* ms */
601     },
602     [RUN_BULK_TX_VO] = {
603         .type = UE_BULK,
604         .endpoint = UE_ADDR_ANY,
605         .direction = UE_DIR_OUT,
606         .ep_index = 3,
607         .bufsize = RUN_MAX_TXSZ,
608         .flags = {.pipe_bof = 1,.force_short_xfer = 1,},
609         .callback = run_bulk_tx_callback3,
610         .timeout = 5000,        /* ms */
611     },
612     [RUN_BULK_TX_HCCA] = {
613         .type = UE_BULK,
614         .endpoint = UE_ADDR_ANY,
615         .direction = UE_DIR_OUT,
616         .ep_index = 4,
617         .bufsize = RUN_MAX_TXSZ,
618         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
619         .callback = run_bulk_tx_callback4,
620         .timeout = 5000,        /* ms */
621     },
622     [RUN_BULK_TX_PRIO] = {
623         .type = UE_BULK,
624         .endpoint = UE_ADDR_ANY,
625         .direction = UE_DIR_OUT,
626         .ep_index = 5,
627         .bufsize = RUN_MAX_TXSZ,
628         .flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
629         .callback = run_bulk_tx_callback5,
630         .timeout = 5000,        /* ms */
631     },
632     [RUN_BULK_RX] = {
633         .type = UE_BULK,
634         .endpoint = UE_ADDR_ANY,
635         .direction = UE_DIR_IN,
636         .bufsize = RUN_MAX_RXSZ,
637         .flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
638         .callback = run_bulk_rx_callback,
639     }
640 };
641
642 static void
643 run_autoinst(void *arg, struct usb_device *udev,
644     struct usb_attach_arg *uaa)
645 {
646         struct usb_interface *iface;
647         struct usb_interface_descriptor *id;
648
649         if (uaa->dev_state != UAA_DEV_READY)
650                 return;
651
652         iface = usbd_get_iface(udev, 0);
653         if (iface == NULL)
654                 return;
655         id = iface->idesc;
656         if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
657                 return;
658         if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
659                 return;
660
661         if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
662                 uaa->dev_state = UAA_DEV_EJECTING;
663 }
664
665 static int
666 run_driver_loaded(struct module *mod, int what, void *arg)
667 {
668         switch (what) {
669         case MOD_LOAD:
670                 run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
671                     run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
672                 break;
673         case MOD_UNLOAD:
674                 EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
675                 break;
676         default:
677                 return (EOPNOTSUPP);
678         }
679         return (0);
680 }
681
682 static int
683 run_match(device_t self)
684 {
685         struct usb_attach_arg *uaa = device_get_ivars(self);
686
687         if (uaa->usb_mode != USB_MODE_HOST)
688                 return (ENXIO);
689         if (uaa->info.bConfigIndex != 0)
690                 return (ENXIO);
691         if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
692                 return (ENXIO);
693
694         return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
695 }
696
697 static int
698 run_attach(device_t self)
699 {
700         struct run_softc *sc = device_get_softc(self);
701         struct usb_attach_arg *uaa = device_get_ivars(self);
702         struct ieee80211com *ic;
703         struct ifnet *ifp;
704         uint32_t ver;
705         int ntries, error;
706         uint8_t iface_index, bands;
707
708         device_set_usb_desc(self);
709         sc->sc_udev = uaa->device;
710         sc->sc_dev = self;
711         if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
712                 sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
713
714         mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
715             MTX_NETWORK_LOCK, MTX_DEF);
716
717         iface_index = RT2860_IFACE_INDEX;
718
719         error = usbd_transfer_setup(uaa->device, &iface_index,
720             sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
721         if (error) {
722                 device_printf(self, "could not allocate USB transfers, "
723                     "err=%s\n", usbd_errstr(error));
724                 goto detach;
725         }
726
727         RUN_LOCK(sc);
728
729         /* wait for the chip to settle */
730         for (ntries = 0; ntries < 100; ntries++) {
731                 if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
732                         RUN_UNLOCK(sc);
733                         goto detach;
734                 }
735                 if (ver != 0 && ver != 0xffffffff)
736                         break;
737                 run_delay(sc, 10);
738         }
739         if (ntries == 100) {
740                 device_printf(sc->sc_dev,
741                     "timeout waiting for NIC to initialize\n");
742                 RUN_UNLOCK(sc);
743                 goto detach;
744         }
745         sc->mac_ver = ver >> 16;
746         sc->mac_rev = ver & 0xffff;
747
748         /* retrieve RF rev. no and various other things from EEPROM */
749         run_read_eeprom(sc);
750
751         device_printf(sc->sc_dev,
752             "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
753             sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
754             sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
755
756         RUN_UNLOCK(sc);
757
758         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
759         if (ifp == NULL) {
760                 device_printf(sc->sc_dev, "can not if_alloc()\n");
761                 goto detach;
762         }
763         ic = ifp->if_l2com;
764
765         ifp->if_softc = sc;
766         if_initname(ifp, "run", device_get_unit(sc->sc_dev));
767         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
768         ifp->if_init = run_init;
769         ifp->if_ioctl = run_ioctl;
770         ifp->if_start = run_start;
771         IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
772         ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
773         IFQ_SET_READY(&ifp->if_snd);
774
775         ic->ic_ifp = ifp;
776         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
777         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
778
779         /* set device capabilities */
780         ic->ic_caps =
781             IEEE80211_C_STA |           /* station mode supported */
782             IEEE80211_C_MONITOR |       /* monitor mode supported */
783             IEEE80211_C_IBSS |
784             IEEE80211_C_HOSTAP |
785             IEEE80211_C_WDS |           /* 4-address traffic works */
786             IEEE80211_C_MBSS |
787             IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
788             IEEE80211_C_SHSLOT |        /* short slot time supported */
789             IEEE80211_C_WME |           /* WME */
790             IEEE80211_C_WPA;            /* WPA1|WPA2(RSN) */
791
792         ic->ic_cryptocaps =
793             IEEE80211_CRYPTO_WEP |
794             IEEE80211_CRYPTO_AES_CCM |
795             IEEE80211_CRYPTO_TKIPMIC |
796             IEEE80211_CRYPTO_TKIP;
797
798         ic->ic_flags |= IEEE80211_F_DATAPAD;
799         ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
800
801         bands = 0;
802         setbit(&bands, IEEE80211_MODE_11B);
803         setbit(&bands, IEEE80211_MODE_11G);
804         if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
805             sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
806             sc->rf_rev == RT5592_RF_5592)
807                 setbit(&bands, IEEE80211_MODE_11A);
808         ieee80211_init_channels(ic, NULL, &bands);
809
810         ieee80211_ifattach(ic, sc->sc_bssid);
811
812         ic->ic_scan_start = run_scan_start;
813         ic->ic_scan_end = run_scan_end;
814         ic->ic_set_channel = run_set_channel;
815         ic->ic_node_alloc = run_node_alloc;
816         ic->ic_newassoc = run_newassoc;
817         ic->ic_updateslot = run_updateslot;
818         ic->ic_update_mcast = run_update_mcast;
819         ic->ic_wme.wme_update = run_wme_update;
820         ic->ic_raw_xmit = run_raw_xmit;
821         ic->ic_update_promisc = run_update_promisc;
822
823         ic->ic_vap_create = run_vap_create;
824         ic->ic_vap_delete = run_vap_delete;
825
826         ieee80211_radiotap_attach(ic,
827             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
828                 RUN_TX_RADIOTAP_PRESENT,
829             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
830                 RUN_RX_RADIOTAP_PRESENT);
831
832         TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
833         TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
834         usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
835
836         if (bootverbose)
837                 ieee80211_announce(ic);
838
839         return (0);
840
841 detach:
842         run_detach(self);
843         return (ENXIO);
844 }
845
846 static int
847 run_detach(device_t self)
848 {
849         struct run_softc *sc = device_get_softc(self);
850         struct ifnet *ifp = sc->sc_ifp;
851         struct ieee80211com *ic;
852         int i;
853
854         RUN_LOCK(sc);
855         sc->sc_detached = 1;
856         RUN_UNLOCK(sc);
857
858         /* stop all USB transfers */
859         usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
860
861         RUN_LOCK(sc);
862         sc->ratectl_run = RUN_RATECTL_OFF;
863         sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
864
865         /* free TX list, if any */
866         for (i = 0; i != RUN_EP_QUEUES; i++)
867                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
868         RUN_UNLOCK(sc);
869
870         if (ifp) {
871                 ic = ifp->if_l2com;
872                 /* drain tasks */
873                 usb_callout_drain(&sc->ratectl_ch);
874                 ieee80211_draintask(ic, &sc->cmdq_task);
875                 ieee80211_draintask(ic, &sc->ratectl_task);
876                 ieee80211_ifdetach(ic);
877                 if_free(ifp);
878         }
879
880         mtx_destroy(&sc->sc_mtx);
881
882         return (0);
883 }
884
885 static struct ieee80211vap *
886 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
887     enum ieee80211_opmode opmode, int flags,
888     const uint8_t bssid[IEEE80211_ADDR_LEN],
889     const uint8_t mac[IEEE80211_ADDR_LEN])
890 {
891         struct ifnet *ifp = ic->ic_ifp;
892         struct run_softc *sc = ifp->if_softc;
893         struct run_vap *rvp;
894         struct ieee80211vap *vap;
895         int i;
896
897         if (sc->rvp_cnt >= RUN_VAP_MAX) {
898                 if_printf(ifp, "number of VAPs maxed out\n");
899                 return (NULL);
900         }
901
902         switch (opmode) {
903         case IEEE80211_M_STA:
904                 /* enable s/w bmiss handling for sta mode */
905                 flags |= IEEE80211_CLONE_NOBEACONS; 
906                 /* fall though */
907         case IEEE80211_M_IBSS:
908         case IEEE80211_M_MONITOR:
909         case IEEE80211_M_HOSTAP:
910         case IEEE80211_M_MBSS:
911                 /* other than WDS vaps, only one at a time */
912                 if (!TAILQ_EMPTY(&ic->ic_vaps))
913                         return (NULL);
914                 break;
915         case IEEE80211_M_WDS:
916                 TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
917                         if(vap->iv_opmode != IEEE80211_M_HOSTAP)
918                                 continue;
919                         /* WDS vap's always share the local mac address. */
920                         flags &= ~IEEE80211_CLONE_BSSID;
921                         break;
922                 }
923                 if (vap == NULL) {
924                         if_printf(ifp, "wds only supported in ap mode\n");
925                         return (NULL);
926                 }
927                 break;
928         default:
929                 if_printf(ifp, "unknown opmode %d\n", opmode);
930                 return (NULL);
931         }
932
933         rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
934             M_80211_VAP, M_NOWAIT | M_ZERO);
935         if (rvp == NULL)
936                 return (NULL);
937         vap = &rvp->vap;
938
939         if (ieee80211_vap_setup(ic, vap, name, unit,
940             opmode, flags, bssid, mac) != 0) {
941                 /* out of memory */
942                 free(rvp, M_80211_VAP);
943                 return (NULL);
944         }
945
946         vap->iv_key_update_begin = run_key_update_begin;
947         vap->iv_key_update_end = run_key_update_end;
948         vap->iv_update_beacon = run_update_beacon;
949         vap->iv_max_aid = RT2870_WCID_MAX;
950         /*
951          * To delete the right key from h/w, we need wcid.
952          * Luckily, there is unused space in ieee80211_key{}, wk_pad,
953          * and matching wcid will be written into there. So, cast
954          * some spells to remove 'const' from ieee80211_key{}
955          */
956         vap->iv_key_delete = (void *)run_key_delete;
957         vap->iv_key_set = (void *)run_key_set;
958
959         /* override state transition machine */
960         rvp->newstate = vap->iv_newstate;
961         vap->iv_newstate = run_newstate;
962
963         ieee80211_ratectl_init(vap);
964         ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
965
966         /* complete setup */
967         ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
968
969         /* make sure id is always unique */
970         for (i = 0; i < RUN_VAP_MAX; i++) {
971                 if((sc->rvp_bmap & 1 << i) == 0){
972                         sc->rvp_bmap |= 1 << i;
973                         rvp->rvp_id = i;
974                         break;
975                 }
976         }
977         if (sc->rvp_cnt++ == 0)
978                 ic->ic_opmode = opmode;
979
980         if (opmode == IEEE80211_M_HOSTAP)
981                 sc->cmdq_run = RUN_CMDQ_GO;
982
983         DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
984             rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
985
986         return (vap);
987 }
988
989 static void
990 run_vap_delete(struct ieee80211vap *vap)
991 {
992         struct run_vap *rvp = RUN_VAP(vap);
993         struct ifnet *ifp;
994         struct ieee80211com *ic;
995         struct run_softc *sc;
996         uint8_t rvp_id;
997
998         if (vap == NULL)
999                 return;
1000
1001         ic = vap->iv_ic;
1002         ifp = ic->ic_ifp;
1003
1004         sc = ifp->if_softc;
1005
1006         RUN_LOCK(sc);
1007
1008         m_freem(rvp->beacon_mbuf);
1009         rvp->beacon_mbuf = NULL;
1010
1011         rvp_id = rvp->rvp_id;
1012         sc->ratectl_run &= ~(1 << rvp_id);
1013         sc->rvp_bmap &= ~(1 << rvp_id);
1014         run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1015         run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1016         --sc->rvp_cnt;
1017
1018         DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1019             vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1020
1021         RUN_UNLOCK(sc);
1022
1023         ieee80211_ratectl_deinit(vap);
1024         ieee80211_vap_detach(vap);
1025         free(rvp, M_80211_VAP);
1026 }
1027
1028 /*
1029  * There are numbers of functions need to be called in context thread.
1030  * Rather than creating taskqueue event for each of those functions,
1031  * here is all-for-one taskqueue callback function. This function
1032  * gurantees deferred functions are executed in the same order they
1033  * were enqueued.
1034  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1035  */
1036 static void
1037 run_cmdq_cb(void *arg, int pending)
1038 {
1039         struct run_softc *sc = arg;
1040         uint8_t i;
1041
1042         /* call cmdq[].func locked */
1043         RUN_LOCK(sc);
1044         for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1045             i = sc->cmdq_exec, pending--) {
1046                 DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1047                 if (sc->cmdq_run == RUN_CMDQ_GO) {
1048                         /*
1049                          * If arg0 is NULL, callback func needs more
1050                          * than one arg. So, pass ptr to cmdq struct.
1051                          */
1052                         if (sc->cmdq[i].arg0)
1053                                 sc->cmdq[i].func(sc->cmdq[i].arg0);
1054                         else
1055                                 sc->cmdq[i].func(&sc->cmdq[i]);
1056                 }
1057                 sc->cmdq[i].arg0 = NULL;
1058                 sc->cmdq[i].func = NULL;
1059                 sc->cmdq_exec++;
1060                 sc->cmdq_exec &= RUN_CMDQ_MASQ;
1061         }
1062         RUN_UNLOCK(sc);
1063 }
1064
1065 static void
1066 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1067 {
1068         struct run_tx_data *data;
1069
1070         memset(pq, 0, sizeof(*pq));
1071
1072         STAILQ_INIT(&pq->tx_qh);
1073         STAILQ_INIT(&pq->tx_fh);
1074
1075         for (data = &pq->tx_data[0];
1076             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1077                 data->sc = sc;
1078                 STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1079         }
1080         pq->tx_nfree = RUN_TX_RING_COUNT;
1081 }
1082
1083 static void
1084 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1085 {
1086         struct run_tx_data *data;
1087
1088         /* make sure any subsequent use of the queues will fail */
1089         pq->tx_nfree = 0;
1090         STAILQ_INIT(&pq->tx_fh);
1091         STAILQ_INIT(&pq->tx_qh);
1092
1093         /* free up all node references and mbufs */
1094         for (data = &pq->tx_data[0];
1095             data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1096                 if (data->m != NULL) {
1097                         m_freem(data->m);
1098                         data->m = NULL;
1099                 }
1100                 if (data->ni != NULL) {
1101                         ieee80211_free_node(data->ni);
1102                         data->ni = NULL;
1103                 }
1104         }
1105 }
1106
1107 static int
1108 run_load_microcode(struct run_softc *sc)
1109 {
1110         usb_device_request_t req;
1111         const struct firmware *fw;
1112         const u_char *base;
1113         uint32_t tmp;
1114         int ntries, error;
1115         const uint64_t *temp;
1116         uint64_t bytes;
1117
1118         RUN_UNLOCK(sc);
1119         fw = firmware_get("runfw");
1120         RUN_LOCK(sc);
1121         if (fw == NULL) {
1122                 device_printf(sc->sc_dev,
1123                     "failed loadfirmware of file %s\n", "runfw");
1124                 return ENOENT;
1125         }
1126
1127         if (fw->datasize != 8192) {
1128                 device_printf(sc->sc_dev,
1129                     "invalid firmware size (should be 8KB)\n");
1130                 error = EINVAL;
1131                 goto fail;
1132         }
1133
1134         /*
1135          * RT3071/RT3072 use a different firmware
1136          * run-rt2870 (8KB) contains both,
1137          * first half (4KB) is for rt2870,
1138          * last half is for rt3071.
1139          */
1140         base = fw->data;
1141         if ((sc->mac_ver) != 0x2860 &&
1142             (sc->mac_ver) != 0x2872 &&
1143             (sc->mac_ver) != 0x3070) { 
1144                 base += 4096;
1145         }
1146
1147         /* cheap sanity check */
1148         temp = fw->data;
1149         bytes = *temp;
1150         if (bytes != be64toh(0xffffff0210280210ULL)) {
1151                 device_printf(sc->sc_dev, "firmware checksum failed\n");
1152                 error = EINVAL;
1153                 goto fail;
1154         }
1155
1156         /* write microcode image */
1157         if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1158                 run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1159                 run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1160                 run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1161         }
1162
1163         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1164         req.bRequest = RT2870_RESET;
1165         USETW(req.wValue, 8);
1166         USETW(req.wIndex, 0);
1167         USETW(req.wLength, 0);
1168         if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1169             != 0) {
1170                 device_printf(sc->sc_dev, "firmware reset failed\n");
1171                 goto fail;
1172         }
1173
1174         run_delay(sc, 10);
1175
1176         run_write(sc, RT2860_H2M_BBPAGENT, 0);
1177         run_write(sc, RT2860_H2M_MAILBOX, 0);
1178         run_write(sc, RT2860_H2M_INTSRC, 0);
1179         if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1180                 goto fail;
1181
1182         /* wait until microcontroller is ready */
1183         for (ntries = 0; ntries < 1000; ntries++) {
1184                 if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1185                         goto fail;
1186                 if (tmp & RT2860_MCU_READY)
1187                         break;
1188                 run_delay(sc, 10);
1189         }
1190         if (ntries == 1000) {
1191                 device_printf(sc->sc_dev,
1192                     "timeout waiting for MCU to initialize\n");
1193                 error = ETIMEDOUT;
1194                 goto fail;
1195         }
1196         device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1197             (base == fw->data) ? "RT2870" : "RT3071",
1198             *(base + 4092), *(base + 4093));
1199
1200 fail:
1201         firmware_put(fw, FIRMWARE_UNLOAD);
1202         return (error);
1203 }
1204
1205 static int
1206 run_reset(struct run_softc *sc)
1207 {
1208         usb_device_request_t req;
1209
1210         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1211         req.bRequest = RT2870_RESET;
1212         USETW(req.wValue, 1);
1213         USETW(req.wIndex, 0);
1214         USETW(req.wLength, 0);
1215         return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1216 }
1217
1218 static usb_error_t
1219 run_do_request(struct run_softc *sc,
1220     struct usb_device_request *req, void *data)
1221 {
1222         usb_error_t err;
1223         int ntries = 10;
1224
1225         RUN_LOCK_ASSERT(sc, MA_OWNED);
1226
1227         while (ntries--) {
1228                 err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1229                     req, data, 0, NULL, 250 /* ms */);
1230                 if (err == 0)
1231                         break;
1232                 DPRINTFN(1, "Control request failed, %s (retrying)\n",
1233                     usbd_errstr(err));
1234                 run_delay(sc, 10);
1235         }
1236         return (err);
1237 }
1238
1239 static int
1240 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1241 {
1242         uint32_t tmp;
1243         int error;
1244
1245         error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1246         if (error == 0)
1247                 *val = le32toh(tmp);
1248         else
1249                 *val = 0xffffffff;
1250         return (error);
1251 }
1252
1253 static int
1254 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1255 {
1256         usb_device_request_t req;
1257
1258         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1259         req.bRequest = RT2870_READ_REGION_1;
1260         USETW(req.wValue, 0);
1261         USETW(req.wIndex, reg);
1262         USETW(req.wLength, len);
1263
1264         return (run_do_request(sc, &req, buf));
1265 }
1266
1267 static int
1268 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1269 {
1270         usb_device_request_t req;
1271
1272         req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1273         req.bRequest = RT2870_WRITE_2;
1274         USETW(req.wValue, val);
1275         USETW(req.wIndex, reg);
1276         USETW(req.wLength, 0);
1277
1278         return (run_do_request(sc, &req, NULL));
1279 }
1280
1281 static int
1282 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1283 {
1284         int error;
1285
1286         if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1287                 error = run_write_2(sc, reg + 2, val >> 16);
1288         return (error);
1289 }
1290
1291 static int
1292 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1293     int len)
1294 {
1295 #if 1
1296         int i, error = 0;
1297         /*
1298          * NB: the WRITE_REGION_1 command is not stable on RT2860.
1299          * We thus issue multiple WRITE_2 commands instead.
1300          */
1301         KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1302         for (i = 0; i < len && error == 0; i += 2)
1303                 error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1304         return (error);
1305 #else
1306         usb_device_request_t req;
1307         int error = 0;
1308
1309         /*
1310          * NOTE: It appears the WRITE_REGION_1 command cannot be
1311          * passed a huge amount of data, which will crash the
1312          * firmware. Limit amount of data passed to 64-bytes at a
1313          * time.
1314          */
1315         while (len > 0) {
1316                 int delta = 64;
1317                 if (delta > len)
1318                         delta = len;
1319
1320                 req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1321                 req.bRequest = RT2870_WRITE_REGION_1;
1322                 USETW(req.wValue, 0);
1323                 USETW(req.wIndex, reg);
1324                 USETW(req.wLength, delta);
1325                 error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1326                 if (error != 0)
1327                         break;
1328                 reg += delta;
1329                 buf += delta;
1330                 len -= delta;
1331         }
1332         return (error);
1333 #endif
1334 }
1335
1336 static int
1337 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1338 {
1339         int i, error = 0;
1340
1341         KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1342         for (i = 0; i < len && error == 0; i += 4)
1343                 error = run_write(sc, reg + i, val);
1344         return (error);
1345 }
1346
1347 static int
1348 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1349 {
1350         uint32_t tmp;
1351         uint16_t reg;
1352         int error, ntries;
1353
1354         if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1355                 return (error);
1356
1357         if (count == 2)
1358                 addr *= 2;
1359         /*-
1360          * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1361          * DATA0: F E D C
1362          * DATA1: B A 9 8
1363          * DATA2: 7 6 5 4
1364          * DATA3: 3 2 1 0
1365          */
1366         tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1367         tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1368         run_write(sc, RT3070_EFUSE_CTRL, tmp);
1369         for (ntries = 0; ntries < 100; ntries++) {
1370                 if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1371                         return (error);
1372                 if (!(tmp & RT3070_EFSROM_KICK))
1373                         break;
1374                 run_delay(sc, 2);
1375         }
1376         if (ntries == 100)
1377                 return (ETIMEDOUT);
1378
1379         if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1380                 *val = 0xffff;  /* address not found */
1381                 return (0);
1382         }
1383         /* determine to which 32-bit register our 16-bit word belongs */
1384         reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1385         if ((error = run_read(sc, reg, &tmp)) != 0)
1386                 return (error);
1387
1388         tmp >>= (8 * (addr & 0x3));
1389         *val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1390
1391         return (0);
1392 }
1393
1394 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1395 static int
1396 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1397 {
1398         return (run_efuse_read(sc, addr, val, 2));
1399 }
1400
1401 static int
1402 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1403 {
1404         usb_device_request_t req;
1405         uint16_t tmp;
1406         int error;
1407
1408         addr *= 2;
1409         req.bmRequestType = UT_READ_VENDOR_DEVICE;
1410         req.bRequest = RT2870_EEPROM_READ;
1411         USETW(req.wValue, 0);
1412         USETW(req.wIndex, addr);
1413         USETW(req.wLength, sizeof(tmp));
1414
1415         error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1416         if (error == 0)
1417                 *val = le16toh(tmp);
1418         else
1419                 *val = 0xffff;
1420         return (error);
1421 }
1422
1423 static __inline int
1424 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1425 {
1426         /* either eFUSE ROM or EEPROM */
1427         return sc->sc_srom_read(sc, addr, val);
1428 }
1429
1430 static int
1431 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1432 {
1433         uint32_t tmp;
1434         int error, ntries;
1435
1436         for (ntries = 0; ntries < 10; ntries++) {
1437                 if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1438                         return (error);
1439                 if (!(tmp & RT2860_RF_REG_CTRL))
1440                         break;
1441         }
1442         if (ntries == 10)
1443                 return (ETIMEDOUT);
1444
1445         return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1446 }
1447
1448 static int
1449 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1450 {
1451         uint32_t tmp;
1452         int error, ntries;
1453
1454         for (ntries = 0; ntries < 100; ntries++) {
1455                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1456                         return (error);
1457                 if (!(tmp & RT3070_RF_KICK))
1458                         break;
1459         }
1460         if (ntries == 100)
1461                 return (ETIMEDOUT);
1462
1463         tmp = RT3070_RF_KICK | reg << 8;
1464         if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1465                 return (error);
1466
1467         for (ntries = 0; ntries < 100; ntries++) {
1468                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1469                         return (error);
1470                 if (!(tmp & RT3070_RF_KICK))
1471                         break;
1472         }
1473         if (ntries == 100)
1474                 return (ETIMEDOUT);
1475
1476         *val = tmp & 0xff;
1477         return (0);
1478 }
1479
1480 static int
1481 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1482 {
1483         uint32_t tmp;
1484         int error, ntries;
1485
1486         for (ntries = 0; ntries < 10; ntries++) {
1487                 if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1488                         return (error);
1489                 if (!(tmp & RT3070_RF_KICK))
1490                         break;
1491         }
1492         if (ntries == 10)
1493                 return (ETIMEDOUT);
1494
1495         tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1496         return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1497 }
1498
1499 static int
1500 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1501 {
1502         uint32_t tmp;
1503         int ntries, error;
1504
1505         for (ntries = 0; ntries < 10; ntries++) {
1506                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1507                         return (error);
1508                 if (!(tmp & RT2860_BBP_CSR_KICK))
1509                         break;
1510         }
1511         if (ntries == 10)
1512                 return (ETIMEDOUT);
1513
1514         tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1515         if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1516                 return (error);
1517
1518         for (ntries = 0; ntries < 10; ntries++) {
1519                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1520                         return (error);
1521                 if (!(tmp & RT2860_BBP_CSR_KICK))
1522                         break;
1523         }
1524         if (ntries == 10)
1525                 return (ETIMEDOUT);
1526
1527         *val = tmp & 0xff;
1528         return (0);
1529 }
1530
1531 static int
1532 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1533 {
1534         uint32_t tmp;
1535         int ntries, error;
1536
1537         for (ntries = 0; ntries < 10; ntries++) {
1538                 if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1539                         return (error);
1540                 if (!(tmp & RT2860_BBP_CSR_KICK))
1541                         break;
1542         }
1543         if (ntries == 10)
1544                 return (ETIMEDOUT);
1545
1546         tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1547         return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1548 }
1549
1550 /*
1551  * Send a command to the 8051 microcontroller unit.
1552  */
1553 static int
1554 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1555 {
1556         uint32_t tmp;
1557         int error, ntries;
1558
1559         for (ntries = 0; ntries < 100; ntries++) {
1560                 if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1561                         return error;
1562                 if (!(tmp & RT2860_H2M_BUSY))
1563                         break;
1564         }
1565         if (ntries == 100)
1566                 return ETIMEDOUT;
1567
1568         tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1569         if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1570                 error = run_write(sc, RT2860_HOST_CMD, cmd);
1571         return (error);
1572 }
1573
1574 /*
1575  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1576  * Used to adjust per-rate Tx power registers.
1577  */
1578 static __inline uint32_t
1579 b4inc(uint32_t b32, int8_t delta)
1580 {
1581         int8_t i, b4;
1582
1583         for (i = 0; i < 8; i++) {
1584                 b4 = b32 & 0xf;
1585                 b4 += delta;
1586                 if (b4 < 0)
1587                         b4 = 0;
1588                 else if (b4 > 0xf)
1589                         b4 = 0xf;
1590                 b32 = b32 >> 4 | b4 << 28;
1591         }
1592         return (b32);
1593 }
1594
1595 static const char *
1596 run_get_rf(uint16_t rev)
1597 {
1598         switch (rev) {
1599         case RT2860_RF_2820:    return "RT2820";
1600         case RT2860_RF_2850:    return "RT2850";
1601         case RT2860_RF_2720:    return "RT2720";
1602         case RT2860_RF_2750:    return "RT2750";
1603         case RT3070_RF_3020:    return "RT3020";
1604         case RT3070_RF_2020:    return "RT2020";
1605         case RT3070_RF_3021:    return "RT3021";
1606         case RT3070_RF_3022:    return "RT3022";
1607         case RT3070_RF_3052:    return "RT3052";
1608         case RT3593_RF_3053:    return "RT3053";
1609         case RT5592_RF_5592:    return "RT5592";
1610         case RT5390_RF_5370:    return "RT5370";
1611         case RT5390_RF_5372:    return "RT5372";
1612         }
1613         return ("unknown");
1614 }
1615
1616 static void
1617 run_rt3593_get_txpower(struct run_softc *sc)
1618 {
1619         uint16_t addr, val;
1620         int i;
1621
1622         /* Read power settings for 2GHz channels. */
1623         for (i = 0; i < 14; i += 2) {
1624                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1625                     RT2860_EEPROM_PWR2GHZ_BASE1;
1626                 run_srom_read(sc, addr + i / 2, &val);
1627                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1628                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1629
1630                 addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1631                     RT2860_EEPROM_PWR2GHZ_BASE2;
1632                 run_srom_read(sc, addr + i / 2, &val);
1633                 sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1634                 sc->txpow2[i + 1] = (int8_t)(val >> 8);
1635
1636                 if (sc->ntxchains == 3) {
1637                         run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1638                             &val);
1639                         sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1640                         sc->txpow3[i + 1] = (int8_t)(val >> 8);
1641                 }
1642         }
1643         /* Fix broken Tx power entries. */
1644         for (i = 0; i < 14; i++) {
1645                 if (sc->txpow1[i] > 31)
1646                         sc->txpow1[i] = 5;
1647                 if (sc->txpow2[i] > 31)
1648                         sc->txpow2[i] = 5;
1649                 if (sc->ntxchains == 3) {
1650                         if (sc->txpow3[i] > 31)
1651                                 sc->txpow3[i] = 5;
1652                 }
1653         }
1654         /* Read power settings for 5GHz channels. */
1655         for (i = 0; i < 40; i += 2) {
1656                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1657                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1658                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1659
1660                 run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1661                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1662                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1663
1664                 if (sc->ntxchains == 3) {
1665                         run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1666                             &val);
1667                         sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1668                         sc->txpow3[i + 15] = (int8_t)(val >> 8);
1669                 }
1670         }
1671 }
1672
1673 static void
1674 run_get_txpower(struct run_softc *sc)
1675 {
1676         uint16_t val;
1677         int i;
1678
1679         /* Read power settings for 2GHz channels. */
1680         for (i = 0; i < 14; i += 2) {
1681                 run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1682                 sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1683                 sc->txpow1[i + 1] = (int8_t)(val >> 8);
1684
1685                 if (sc->mac_ver != 0x5390) {
1686                         run_srom_read(sc,
1687                             RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1688                         sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1689                         sc->txpow2[i + 1] = (int8_t)(val >> 8);
1690                 }
1691         }
1692         /* Fix broken Tx power entries. */
1693         for (i = 0; i < 14; i++) {
1694                 if (sc->mac_ver >= 0x5390) {
1695                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1696                                 sc->txpow1[i] = 5;
1697                 } else {
1698                         if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1699                                 sc->txpow1[i] = 5;
1700                 }
1701                 if (sc->mac_ver > 0x5390) {
1702                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1703                                 sc->txpow2[i] = 5;
1704                 } else if (sc->mac_ver < 0x5390) {
1705                         if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1706                                 sc->txpow2[i] = 5;
1707                 }
1708                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1709                     rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1710         }
1711         /* Read power settings for 5GHz channels. */
1712         for (i = 0; i < 40; i += 2) {
1713                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1714                 sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1715                 sc->txpow1[i + 15] = (int8_t)(val >> 8);
1716
1717                 run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1718                 sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1719                 sc->txpow2[i + 15] = (int8_t)(val >> 8);
1720         }
1721         /* Fix broken Tx power entries. */
1722         for (i = 0; i < 40; i++ ) {
1723                 if (sc->mac_ver != 0x5592) {
1724                         if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1725                                 sc->txpow1[14 + i] = 5;
1726                         if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1727                                 sc->txpow2[14 + i] = 5;
1728                 }
1729                 DPRINTF("chan %d: power1=%d, power2=%d\n",
1730                     rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1731                     sc->txpow2[14 + i]);
1732         }
1733 }
1734
1735 static int
1736 run_read_eeprom(struct run_softc *sc)
1737 {
1738         int8_t delta_2ghz, delta_5ghz;
1739         uint32_t tmp;
1740         uint16_t val;
1741         int ridx, ant, i;
1742
1743         /* check whether the ROM is eFUSE ROM or EEPROM */
1744         sc->sc_srom_read = run_eeprom_read_2;
1745         if (sc->mac_ver >= 0x3070) {
1746                 run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1747                 DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1748                 if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1749                         sc->sc_srom_read = run_efuse_read_2;
1750         }
1751
1752         /* read ROM version */
1753         run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1754         DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1755
1756         /* read MAC address */
1757         run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1758         sc->sc_bssid[0] = val & 0xff;
1759         sc->sc_bssid[1] = val >> 8;
1760         run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1761         sc->sc_bssid[2] = val & 0xff;
1762         sc->sc_bssid[3] = val >> 8;
1763         run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1764         sc->sc_bssid[4] = val & 0xff;
1765         sc->sc_bssid[5] = val >> 8;
1766
1767         if (sc->mac_ver < 0x3593) {
1768                 /* read vender BBP settings */
1769                 for (i = 0; i < 10; i++) {
1770                         run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1771                         sc->bbp[i].val = val & 0xff;
1772                         sc->bbp[i].reg = val >> 8;
1773                         DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1774                             sc->bbp[i].val);
1775                 }
1776                 if (sc->mac_ver >= 0x3071) {
1777                         /* read vendor RF settings */
1778                         for (i = 0; i < 10; i++) {
1779                                 run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1780                                    &val);
1781                                 sc->rf[i].val = val & 0xff;
1782                                 sc->rf[i].reg = val >> 8;
1783                                 DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1784                                     sc->rf[i].val);
1785                         }
1786                 }
1787         }
1788
1789         /* read RF frequency offset from EEPROM */
1790         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1791             RT3593_EEPROM_FREQ, &val);
1792         sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1793         DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1794
1795         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1796             RT3593_EEPROM_FREQ_LEDS, &val);
1797         if (val >> 8 != 0xff) {
1798                 /* read LEDs operating mode */
1799                 sc->leds = val >> 8;
1800                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1801                     RT3593_EEPROM_LED1, &sc->led[0]);
1802                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1803                     RT3593_EEPROM_LED2, &sc->led[1]);
1804                 run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1805                     RT3593_EEPROM_LED3, &sc->led[2]);
1806         } else {
1807                 /* broken EEPROM, use default settings */
1808                 sc->leds = 0x01;
1809                 sc->led[0] = 0x5555;
1810                 sc->led[1] = 0x2221;
1811                 sc->led[2] = 0x5627;    /* differs from RT2860 */
1812         }
1813         DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1814             sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1815
1816         /* read RF information */
1817         if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1818                 run_srom_read(sc, 0x00, &val);
1819         else
1820                 run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1821
1822         if (val == 0xffff) {
1823                 device_printf(sc->sc_dev,
1824                     "invalid EEPROM antenna info, using default\n");
1825                 DPRINTF("invalid EEPROM antenna info, using default\n");
1826                 if (sc->mac_ver == 0x3572) {
1827                         /* default to RF3052 2T2R */
1828                         sc->rf_rev = RT3070_RF_3052;
1829                         sc->ntxchains = 2;
1830                         sc->nrxchains = 2;
1831                 } else if (sc->mac_ver >= 0x3070) {
1832                         /* default to RF3020 1T1R */
1833                         sc->rf_rev = RT3070_RF_3020;
1834                         sc->ntxchains = 1;
1835                         sc->nrxchains = 1;
1836                 } else {
1837                         /* default to RF2820 1T2R */
1838                         sc->rf_rev = RT2860_RF_2820;
1839                         sc->ntxchains = 1;
1840                         sc->nrxchains = 2;
1841                 }
1842         } else {
1843                 if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1844                         sc->rf_rev = val;
1845                         run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1846                 } else
1847                         sc->rf_rev = (val >> 8) & 0xf;
1848                 sc->ntxchains = (val >> 4) & 0xf;
1849                 sc->nrxchains = val & 0xf;
1850         }
1851         DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1852             sc->rf_rev, sc->ntxchains, sc->nrxchains);
1853
1854         /* check if RF supports automatic Tx access gain control */
1855         run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1856         DPRINTF("EEPROM CFG 0x%04x\n", val);
1857         /* check if driver should patch the DAC issue */
1858         if ((val >> 8) != 0xff)
1859                 sc->patch_dac = (val >> 15) & 1;
1860         if ((val & 0xff) != 0xff) {
1861                 sc->ext_5ghz_lna = (val >> 3) & 1;
1862                 sc->ext_2ghz_lna = (val >> 2) & 1;
1863                 /* check if RF supports automatic Tx access gain control */
1864                 sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1865                 /* check if we have a hardware radio switch */
1866                 sc->rfswitch = val & 1;
1867         }
1868
1869         /* Read Tx power settings. */
1870         if (sc->mac_ver == 0x3593)
1871                 run_rt3593_get_txpower(sc);
1872         else
1873                 run_get_txpower(sc);
1874
1875         /* read Tx power compensation for each Tx rate */
1876         run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1877         delta_2ghz = delta_5ghz = 0;
1878         if ((val & 0xff) != 0xff && (val & 0x80)) {
1879                 delta_2ghz = val & 0xf;
1880                 if (!(val & 0x40))      /* negative number */
1881                         delta_2ghz = -delta_2ghz;
1882         }
1883         val >>= 8;
1884         if ((val & 0xff) != 0xff && (val & 0x80)) {
1885                 delta_5ghz = val & 0xf;
1886                 if (!(val & 0x40))      /* negative number */
1887                         delta_5ghz = -delta_5ghz;
1888         }
1889         DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1890             delta_2ghz, delta_5ghz);
1891
1892         for (ridx = 0; ridx < 5; ridx++) {
1893                 uint32_t reg;
1894
1895                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1896                 reg = val;
1897                 run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1898                 reg |= (uint32_t)val << 16;
1899
1900                 sc->txpow20mhz[ridx] = reg;
1901                 sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1902                 sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1903
1904                 DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1905                     "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1906                     sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1907         }
1908
1909         /* Read RSSI offsets and LNA gains from EEPROM. */
1910         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1911             RT3593_EEPROM_RSSI1_2GHZ, &val);
1912         sc->rssi_2ghz[0] = val & 0xff;  /* Ant A */
1913         sc->rssi_2ghz[1] = val >> 8;    /* Ant B */
1914         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1915             RT3593_EEPROM_RSSI2_2GHZ, &val);
1916         if (sc->mac_ver >= 0x3070) {
1917                 if (sc->mac_ver == 0x3593) {
1918                         sc->txmixgain_2ghz = 0;
1919                         sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1920                 } else {
1921                         /*
1922                          * On RT3070 chips (limited to 2 Rx chains), this ROM
1923                          * field contains the Tx mixer gain for the 2GHz band.
1924                          */
1925                         if ((val & 0xff) != 0xff)
1926                                 sc->txmixgain_2ghz = val & 0x7;
1927                 }
1928                 DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1929         } else
1930                 sc->rssi_2ghz[2] = val & 0xff;  /* Ant C */
1931         if (sc->mac_ver == 0x3593)
1932                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1933         sc->lna[2] = val >> 8;          /* channel group 2 */
1934
1935         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1936             RT3593_EEPROM_RSSI1_5GHZ, &val);
1937         sc->rssi_5ghz[0] = val & 0xff;  /* Ant A */
1938         sc->rssi_5ghz[1] = val >> 8;    /* Ant B */
1939         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1940             RT3593_EEPROM_RSSI2_5GHZ, &val);
1941         if (sc->mac_ver == 0x3572) {
1942                 /*
1943                  * On RT3572 chips (limited to 2 Rx chains), this ROM
1944                  * field contains the Tx mixer gain for the 5GHz band.
1945                  */
1946                 if ((val & 0xff) != 0xff)
1947                         sc->txmixgain_5ghz = val & 0x7;
1948                 DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1949         } else
1950                 sc->rssi_5ghz[2] = val & 0xff;  /* Ant C */
1951         if (sc->mac_ver == 0x3593) {
1952                 sc->txmixgain_5ghz = 0;
1953                 run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1954         }
1955         sc->lna[3] = val >> 8;          /* channel group 3 */
1956
1957         run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1958             RT3593_EEPROM_LNA, &val);
1959         sc->lna[0] = val & 0xff;        /* channel group 0 */
1960         sc->lna[1] = val >> 8;          /* channel group 1 */
1961
1962         /* fix broken 5GHz LNA entries */
1963         if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1964                 DPRINTF("invalid LNA for channel group %d\n", 2);
1965                 sc->lna[2] = sc->lna[1];
1966         }
1967         if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1968                 DPRINTF("invalid LNA for channel group %d\n", 3);
1969                 sc->lna[3] = sc->lna[1];
1970         }
1971
1972         /* fix broken RSSI offset entries */
1973         for (ant = 0; ant < 3; ant++) {
1974                 if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1975                         DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1976                             ant + 1, sc->rssi_2ghz[ant]);
1977                         sc->rssi_2ghz[ant] = 0;
1978                 }
1979                 if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1980                         DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1981                             ant + 1, sc->rssi_5ghz[ant]);
1982                         sc->rssi_5ghz[ant] = 0;
1983                 }
1984         }
1985         return (0);
1986 }
1987
1988 static struct ieee80211_node *
1989 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1990 {
1991         return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1992 }
1993
1994 static int
1995 run_media_change(struct ifnet *ifp)
1996 {
1997         struct ieee80211vap *vap = ifp->if_softc;
1998         struct ieee80211com *ic = vap->iv_ic;
1999         const struct ieee80211_txparam *tp;
2000         struct run_softc *sc = ic->ic_ifp->if_softc;
2001         uint8_t rate, ridx;
2002         int error;
2003
2004         RUN_LOCK(sc);
2005
2006         error = ieee80211_media_change(ifp);
2007         if (error != ENETRESET) {
2008                 RUN_UNLOCK(sc);
2009                 return (error);
2010         }
2011
2012         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2013         if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2014                 struct ieee80211_node *ni;
2015                 struct run_node *rn;
2016
2017                 rate = ic->ic_sup_rates[ic->ic_curmode].
2018                     rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2019                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2020                         if (rt2860_rates[ridx].rate == rate)
2021                                 break;
2022                 ni = ieee80211_ref_node(vap->iv_bss);
2023                 rn = (struct run_node *)ni;
2024                 rn->fix_ridx = ridx;
2025                 DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2026                 ieee80211_free_node(ni);
2027         }
2028
2029 #if 0
2030         if ((ifp->if_flags & IFF_UP) &&
2031             (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2032                 run_init_locked(sc);
2033         }
2034 #endif
2035
2036         RUN_UNLOCK(sc);
2037
2038         return (0);
2039 }
2040
2041 static int
2042 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2043 {
2044         const struct ieee80211_txparam *tp;
2045         struct ieee80211com *ic = vap->iv_ic;
2046         struct run_softc *sc = ic->ic_ifp->if_softc;
2047         struct run_vap *rvp = RUN_VAP(vap);
2048         enum ieee80211_state ostate;
2049         uint32_t sta[3];
2050         uint32_t tmp;
2051         uint8_t ratectl;
2052         uint8_t restart_ratectl = 0;
2053         uint8_t bid = 1 << rvp->rvp_id;
2054
2055         ostate = vap->iv_state;
2056         DPRINTF("%s -> %s\n",
2057                 ieee80211_state_name[ostate],
2058                 ieee80211_state_name[nstate]);
2059
2060         IEEE80211_UNLOCK(ic);
2061         RUN_LOCK(sc);
2062
2063         ratectl = sc->ratectl_run; /* remember current state */
2064         sc->ratectl_run = RUN_RATECTL_OFF;
2065         usb_callout_stop(&sc->ratectl_ch);
2066
2067         if (ostate == IEEE80211_S_RUN) {
2068                 /* turn link LED off */
2069                 run_set_leds(sc, RT2860_LED_RADIO);
2070         }
2071
2072         switch (nstate) {
2073         case IEEE80211_S_INIT:
2074                 restart_ratectl = 1;
2075
2076                 if (ostate != IEEE80211_S_RUN)
2077                         break;
2078
2079                 ratectl &= ~bid;
2080                 sc->runbmap &= ~bid;
2081
2082                 /* abort TSF synchronization if there is no vap running */
2083                 if (--sc->running == 0) {
2084                         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2085                         run_write(sc, RT2860_BCN_TIME_CFG,
2086                             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2087                             RT2860_TBTT_TIMER_EN));
2088                 }
2089                 break;
2090
2091         case IEEE80211_S_RUN:
2092                 if (!(sc->runbmap & bid)) {
2093                         if(sc->running++)
2094                                 restart_ratectl = 1;
2095                         sc->runbmap |= bid;
2096                 }
2097
2098                 m_freem(rvp->beacon_mbuf);
2099                 rvp->beacon_mbuf = NULL;
2100
2101                 switch (vap->iv_opmode) {
2102                 case IEEE80211_M_HOSTAP:
2103                 case IEEE80211_M_MBSS:
2104                         sc->ap_running |= bid;
2105                         ic->ic_opmode = vap->iv_opmode;
2106                         run_update_beacon_cb(vap);
2107                         break;
2108                 case IEEE80211_M_IBSS:
2109                         sc->adhoc_running |= bid;
2110                         if (!sc->ap_running)
2111                                 ic->ic_opmode = vap->iv_opmode;
2112                         run_update_beacon_cb(vap);
2113                         break;
2114                 case IEEE80211_M_STA:
2115                         sc->sta_running |= bid;
2116                         if (!sc->ap_running && !sc->adhoc_running)
2117                                 ic->ic_opmode = vap->iv_opmode;
2118
2119                         /* read statistic counters (clear on read) */
2120                         run_read_region_1(sc, RT2860_TX_STA_CNT0,
2121                             (uint8_t *)sta, sizeof sta);
2122
2123                         break;
2124                 default:
2125                         ic->ic_opmode = vap->iv_opmode;
2126                         break;
2127                 }
2128
2129                 if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2130                         struct ieee80211_node *ni;
2131
2132                         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2133                                 RUN_UNLOCK(sc);
2134                                 IEEE80211_LOCK(ic);
2135                                 return (-1);
2136                         }
2137                         run_updateslot(ic->ic_ifp);
2138                         run_enable_mrr(sc);
2139                         run_set_txpreamble(sc);
2140                         run_set_basicrates(sc);
2141                         ni = ieee80211_ref_node(vap->iv_bss);
2142                         IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2143                         run_set_bssid(sc, ni->ni_bssid);
2144                         ieee80211_free_node(ni);
2145                         run_enable_tsf_sync(sc);
2146
2147                         /* enable automatic rate adaptation */
2148                         tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2149                         if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2150                                 ratectl |= bid;
2151                 }
2152
2153                 /* turn link LED on */
2154                 run_set_leds(sc, RT2860_LED_RADIO |
2155                     (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2156                      RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2157
2158                 break;
2159         default:
2160                 DPRINTFN(6, "undefined case\n");
2161                 break;
2162         }
2163
2164         /* restart amrr for running VAPs */
2165         if ((sc->ratectl_run = ratectl) && restart_ratectl)
2166                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2167
2168         RUN_UNLOCK(sc);
2169         IEEE80211_LOCK(ic);
2170
2171         return(rvp->newstate(vap, nstate, arg));
2172 }
2173
2174 /* ARGSUSED */
2175 static void
2176 run_wme_update_cb(void *arg)
2177 {
2178         struct ieee80211com *ic = arg;
2179         struct run_softc *sc = ic->ic_ifp->if_softc;
2180         struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2181         int aci, error = 0;
2182
2183         RUN_LOCK_ASSERT(sc, MA_OWNED);
2184
2185         /* update MAC TX configuration registers */
2186         for (aci = 0; aci < WME_NUM_AC; aci++) {
2187                 error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2188                     wmesp->wme_params[aci].wmep_logcwmax << 16 |
2189                     wmesp->wme_params[aci].wmep_logcwmin << 12 |
2190                     wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2191                     wmesp->wme_params[aci].wmep_txopLimit);
2192                 if (error) goto err;
2193         }
2194
2195         /* update SCH/DMA registers too */
2196         error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2197             wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2198             wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2199             wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2200             wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2201         if (error) goto err;
2202         error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2203             wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2204             wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2205             wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2206             wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2207         if (error) goto err;
2208         error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2209             wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2210             wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2211             wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2212             wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2213         if (error) goto err;
2214         error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2215             wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2216             wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2217         if (error) goto err;
2218         error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2219             wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2220             wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2221
2222 err:
2223         if (error)
2224                 DPRINTF("WME update failed\n");
2225
2226         return;
2227 }
2228
2229 static int
2230 run_wme_update(struct ieee80211com *ic)
2231 {
2232         struct run_softc *sc = ic->ic_ifp->if_softc;
2233
2234         /* sometime called wothout lock */
2235         if (mtx_owned(&ic->ic_comlock.mtx)) {
2236                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2237                 DPRINTF("cmdq_store=%d\n", i);
2238                 sc->cmdq[i].func = run_wme_update_cb;
2239                 sc->cmdq[i].arg0 = ic;
2240                 ieee80211_runtask(ic, &sc->cmdq_task);
2241                 return (0);
2242         }
2243
2244         RUN_LOCK(sc);
2245         run_wme_update_cb(ic);
2246         RUN_UNLOCK(sc);
2247
2248         /* return whatever, upper layer desn't care anyway */
2249         return (0);
2250 }
2251
2252 static void
2253 run_key_update_begin(struct ieee80211vap *vap)
2254 {
2255         /*
2256          * To avoid out-of-order events, both run_key_set() and
2257          * _delete() are deferred and handled by run_cmdq_cb().
2258          * So, there is nothing we need to do here.
2259          */
2260 }
2261
2262 static void
2263 run_key_update_end(struct ieee80211vap *vap)
2264 {
2265         /* null */
2266 }
2267
2268 static void
2269 run_key_set_cb(void *arg)
2270 {
2271         struct run_cmdq *cmdq = arg;
2272         struct ieee80211vap *vap = cmdq->arg1;
2273         struct ieee80211_key *k = cmdq->k;
2274         struct ieee80211com *ic = vap->iv_ic;
2275         struct run_softc *sc = ic->ic_ifp->if_softc;
2276         struct ieee80211_node *ni;
2277         uint32_t attr;
2278         uint16_t base, associd;
2279         uint8_t mode, wcid, iv[8];
2280
2281         RUN_LOCK_ASSERT(sc, MA_OWNED);
2282
2283         if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2284                 ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2285         else
2286                 ni = vap->iv_bss;
2287         associd = (ni != NULL) ? ni->ni_associd : 0;
2288
2289         /* map net80211 cipher to RT2860 security mode */
2290         switch (k->wk_cipher->ic_cipher) {
2291         case IEEE80211_CIPHER_WEP:
2292                 if(k->wk_keylen < 8)
2293                         mode = RT2860_MODE_WEP40;
2294                 else
2295                         mode = RT2860_MODE_WEP104;
2296                 break;
2297         case IEEE80211_CIPHER_TKIP:
2298                 mode = RT2860_MODE_TKIP;
2299                 break;
2300         case IEEE80211_CIPHER_AES_CCM:
2301                 mode = RT2860_MODE_AES_CCMP;
2302                 break;
2303         default:
2304                 DPRINTF("undefined case\n");
2305                 return;
2306         }
2307
2308         DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2309             associd, k->wk_keyix, mode,
2310             (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2311             (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2312             (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2313
2314         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2315                 wcid = 0;       /* NB: update WCID0 for group keys */
2316                 base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2317         } else {
2318                 wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2319                     1 : RUN_AID2WCID(associd);
2320                 base = RT2860_PKEY(wcid);
2321         }
2322
2323         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2324                 if(run_write_region_1(sc, base, k->wk_key, 16))
2325                         return;
2326                 if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))        /* wk_txmic */
2327                         return;
2328                 if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))        /* wk_rxmic */
2329                         return;
2330         } else {
2331                 /* roundup len to 16-bit: XXX fix write_region_1() instead */
2332                 if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2333                         return;
2334         }
2335
2336         if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2337             (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2338                 /* set initial packet number in IV+EIV */
2339                 if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2340                         memset(iv, 0, sizeof iv);
2341                         iv[3] = vap->iv_def_txkey << 6;
2342                 } else {
2343                         if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2344                                 iv[0] = k->wk_keytsc >> 8;
2345                                 iv[1] = (iv[0] | 0x20) & 0x7f;
2346                                 iv[2] = k->wk_keytsc;
2347                         } else /* CCMP */ {
2348                                 iv[0] = k->wk_keytsc;
2349                                 iv[1] = k->wk_keytsc >> 8;
2350                                 iv[2] = 0;
2351                         }
2352                         iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2353                         iv[4] = k->wk_keytsc >> 16;
2354                         iv[5] = k->wk_keytsc >> 24;
2355                         iv[6] = k->wk_keytsc >> 32;
2356                         iv[7] = k->wk_keytsc >> 40;
2357                 }
2358                 if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2359                         return;
2360         }
2361
2362         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2363                 /* install group key */
2364                 if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2365                         return;
2366                 attr &= ~(0xf << (k->wk_keyix * 4));
2367                 attr |= mode << (k->wk_keyix * 4);
2368                 if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2369                         return;
2370         } else {
2371                 /* install pairwise key */
2372                 if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2373                         return;
2374                 attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2375                 if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2376                         return;
2377         }
2378
2379         /* TODO create a pass-thru key entry? */
2380
2381         /* need wcid to delete the right key later */
2382         k->wk_pad = wcid;
2383 }
2384
2385 /*
2386  * Don't have to be deferred, but in order to keep order of
2387  * execution, i.e. with run_key_delete(), defer this and let
2388  * run_cmdq_cb() maintain the order.
2389  *
2390  * return 0 on error
2391  */
2392 static int
2393 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2394                 const uint8_t mac[IEEE80211_ADDR_LEN])
2395 {
2396         struct ieee80211com *ic = vap->iv_ic;
2397         struct run_softc *sc = ic->ic_ifp->if_softc;
2398         uint32_t i;
2399
2400         i = RUN_CMDQ_GET(&sc->cmdq_store);
2401         DPRINTF("cmdq_store=%d\n", i);
2402         sc->cmdq[i].func = run_key_set_cb;
2403         sc->cmdq[i].arg0 = NULL;
2404         sc->cmdq[i].arg1 = vap;
2405         sc->cmdq[i].k = k;
2406         IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2407         ieee80211_runtask(ic, &sc->cmdq_task);
2408
2409         /*
2410          * To make sure key will be set when hostapd
2411          * calls iv_key_set() before if_init().
2412          */
2413         if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2414                 RUN_LOCK(sc);
2415                 sc->cmdq_key_set = RUN_CMDQ_GO;
2416                 RUN_UNLOCK(sc);
2417         }
2418
2419         return (1);
2420 }
2421
2422 /*
2423  * If wlan is destroyed without being brought down i.e. without
2424  * wlan down or wpa_cli terminate, this function is called after
2425  * vap is gone. Don't refer it.
2426  */
2427 static void
2428 run_key_delete_cb(void *arg)
2429 {
2430         struct run_cmdq *cmdq = arg;
2431         struct run_softc *sc = cmdq->arg1;
2432         struct ieee80211_key *k = &cmdq->key;
2433         uint32_t attr;
2434         uint8_t wcid;
2435
2436         RUN_LOCK_ASSERT(sc, MA_OWNED);
2437
2438         if (k->wk_flags & IEEE80211_KEY_GROUP) {
2439                 /* remove group key */
2440                 DPRINTF("removing group key\n");
2441                 run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2442                 attr &= ~(0xf << (k->wk_keyix * 4));
2443                 run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2444         } else {
2445                 /* remove pairwise key */
2446                 DPRINTF("removing key for wcid %x\n", k->wk_pad);
2447                 /* matching wcid was written to wk_pad in run_key_set() */
2448                 wcid = k->wk_pad;
2449                 run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2450                 attr &= ~0xf;
2451                 run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2452                 run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2453         }
2454
2455         k->wk_pad = 0;
2456 }
2457
2458 /*
2459  * return 0 on error
2460  */
2461 static int
2462 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2463 {
2464         struct ieee80211com *ic = vap->iv_ic;
2465         struct run_softc *sc = ic->ic_ifp->if_softc;
2466         struct ieee80211_key *k0;
2467         uint32_t i;
2468
2469         /*
2470          * When called back, key might be gone. So, make a copy
2471          * of some values need to delete keys before deferring.
2472          * But, because of LOR with node lock, cannot use lock here.
2473          * So, use atomic instead.
2474          */
2475         i = RUN_CMDQ_GET(&sc->cmdq_store);
2476         DPRINTF("cmdq_store=%d\n", i);
2477         sc->cmdq[i].func = run_key_delete_cb;
2478         sc->cmdq[i].arg0 = NULL;
2479         sc->cmdq[i].arg1 = sc;
2480         k0 = &sc->cmdq[i].key;
2481         k0->wk_flags = k->wk_flags;
2482         k0->wk_keyix = k->wk_keyix;
2483         /* matching wcid was written to wk_pad in run_key_set() */
2484         k0->wk_pad = k->wk_pad;
2485         ieee80211_runtask(ic, &sc->cmdq_task);
2486         return (1);     /* return fake success */
2487
2488 }
2489
2490 static void
2491 run_ratectl_to(void *arg)
2492 {
2493         struct run_softc *sc = arg;
2494
2495         /* do it in a process context, so it can go sleep */
2496         ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2497         /* next timeout will be rescheduled in the callback task */
2498 }
2499
2500 /* ARGSUSED */
2501 static void
2502 run_ratectl_cb(void *arg, int pending)
2503 {
2504         struct run_softc *sc = arg;
2505         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2506         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2507
2508         if (vap == NULL)
2509                 return;
2510
2511         if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2512                 /*
2513                  * run_reset_livelock() doesn't do anything with AMRR,
2514                  * but Ralink wants us to call it every 1 sec. So, we
2515                  * piggyback here rather than creating another callout.
2516                  * Livelock may occur only in HOSTAP or IBSS mode
2517                  * (when h/w is sending beacons).
2518                  */
2519                 RUN_LOCK(sc);
2520                 run_reset_livelock(sc);
2521                 /* just in case, there are some stats to drain */
2522                 run_drain_fifo(sc);
2523                 RUN_UNLOCK(sc);
2524         }
2525
2526         ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2527
2528         RUN_LOCK(sc);
2529         if(sc->ratectl_run != RUN_RATECTL_OFF)
2530                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2531         RUN_UNLOCK(sc);
2532 }
2533
2534 static void
2535 run_drain_fifo(void *arg)
2536 {
2537         struct run_softc *sc = arg;
2538         struct ifnet *ifp = sc->sc_ifp;
2539         uint32_t stat;
2540         uint16_t (*wstat)[3];
2541         uint8_t wcid, mcs, pid;
2542         int8_t retry;
2543
2544         RUN_LOCK_ASSERT(sc, MA_OWNED);
2545
2546         for (;;) {
2547                 /* drain Tx status FIFO (maxsize = 16) */
2548                 run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2549                 DPRINTFN(4, "tx stat 0x%08x\n", stat);
2550                 if (!(stat & RT2860_TXQ_VLD))
2551                         break;
2552
2553                 wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2554
2555                 /* if no ACK was requested, no feedback is available */
2556                 if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2557                     wcid == 0)
2558                         continue;
2559
2560                 /*
2561                  * Even though each stat is Tx-complete-status like format,
2562                  * the device can poll stats. Because there is no guarantee
2563                  * that the referring node is still around when read the stats.
2564                  * So that, if we use ieee80211_ratectl_tx_update(), we will
2565                  * have hard time not to refer already freed node.
2566                  *
2567                  * To eliminate such page faults, we poll stats in softc.
2568                  * Then, update the rates later with ieee80211_ratectl_tx_update().
2569                  */
2570                 wstat = &(sc->wcid_stats[wcid]);
2571                 (*wstat)[RUN_TXCNT]++;
2572                 if (stat & RT2860_TXQ_OK)
2573                         (*wstat)[RUN_SUCCESS]++;
2574                 else
2575                         ifp->if_oerrors++;
2576                 /*
2577                  * Check if there were retries, ie if the Tx success rate is
2578                  * different from the requested rate. Note that it works only
2579                  * because we do not allow rate fallback from OFDM to CCK.
2580                  */
2581                 mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2582                 pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2583                 if ((retry = pid -1 - mcs) > 0) {
2584                         (*wstat)[RUN_TXCNT] += retry;
2585                         (*wstat)[RUN_RETRY] += retry;
2586                 }
2587         }
2588         DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2589
2590         sc->fifo_cnt = 0;
2591 }
2592
2593 static void
2594 run_iter_func(void *arg, struct ieee80211_node *ni)
2595 {
2596         struct run_softc *sc = arg;
2597         struct ieee80211vap *vap = ni->ni_vap;
2598         struct ieee80211com *ic = ni->ni_ic;
2599         struct ifnet *ifp = ic->ic_ifp;
2600         struct run_node *rn = (void *)ni;
2601         union run_stats sta[2];
2602         uint16_t (*wstat)[3];
2603         int txcnt, success, retrycnt, error;
2604
2605         RUN_LOCK(sc);
2606
2607         /* Check for special case */
2608         if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2609             ni != vap->iv_bss)
2610                 goto fail;
2611
2612         if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2613             vap->iv_opmode == IEEE80211_M_STA)) {
2614                 /* read statistic counters (clear on read) and update AMRR state */
2615                 error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2616                     sizeof sta);
2617                 if (error != 0)
2618                         goto fail;
2619
2620                 /* count failed TX as errors */
2621                 ifp->if_oerrors += le16toh(sta[0].error.fail);
2622
2623                 retrycnt = le16toh(sta[1].tx.retry);
2624                 success = le16toh(sta[1].tx.success);
2625                 txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2626
2627                 DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2628                         retrycnt, success, le16toh(sta[0].error.fail));
2629         } else {
2630                 wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2631
2632                 if (wstat == &(sc->wcid_stats[0]) ||
2633                     wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2634                         goto fail;
2635
2636                 txcnt = (*wstat)[RUN_TXCNT];
2637                 success = (*wstat)[RUN_SUCCESS];
2638                 retrycnt = (*wstat)[RUN_RETRY];
2639                 DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2640                     retrycnt, txcnt, success);
2641
2642                 memset(wstat, 0, sizeof(*wstat));
2643         }
2644
2645         ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2646         rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2647
2648 fail:
2649         RUN_UNLOCK(sc);
2650
2651         DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2652 }
2653
2654 static void
2655 run_newassoc_cb(void *arg)
2656 {
2657         struct run_cmdq *cmdq = arg;
2658         struct ieee80211_node *ni = cmdq->arg1;
2659         struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2660         uint8_t wcid = cmdq->wcid;
2661
2662         RUN_LOCK_ASSERT(sc, MA_OWNED);
2663
2664         run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2665             ni->ni_macaddr, IEEE80211_ADDR_LEN);
2666
2667         memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2668 }
2669
2670 static void
2671 run_newassoc(struct ieee80211_node *ni, int isnew)
2672 {
2673         struct run_node *rn = (void *)ni;
2674         struct ieee80211_rateset *rs = &ni->ni_rates;
2675         struct ieee80211vap *vap = ni->ni_vap;
2676         struct ieee80211com *ic = vap->iv_ic;
2677         struct run_softc *sc = ic->ic_ifp->if_softc;
2678         uint8_t rate;
2679         uint8_t ridx;
2680         uint8_t wcid;
2681         int i, j;
2682
2683         wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2684             1 : RUN_AID2WCID(ni->ni_associd);
2685
2686         if (wcid > RT2870_WCID_MAX) {
2687                 device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2688                 return;
2689         }
2690
2691         /* only interested in true associations */
2692         if (isnew && ni->ni_associd != 0) {
2693
2694                 /*
2695                  * This function could is called though timeout function.
2696                  * Need to defer.
2697                  */
2698                 uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2699                 DPRINTF("cmdq_store=%d\n", cnt);
2700                 sc->cmdq[cnt].func = run_newassoc_cb;
2701                 sc->cmdq[cnt].arg0 = NULL;
2702                 sc->cmdq[cnt].arg1 = ni;
2703                 sc->cmdq[cnt].wcid = wcid;
2704                 ieee80211_runtask(ic, &sc->cmdq_task);
2705         }
2706
2707         DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2708             isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2709
2710         for (i = 0; i < rs->rs_nrates; i++) {
2711                 rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2712                 /* convert 802.11 rate to hardware rate index */
2713                 for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2714                         if (rt2860_rates[ridx].rate == rate)
2715                                 break;
2716                 rn->ridx[i] = ridx;
2717                 /* determine rate of control response frames */
2718                 for (j = i; j >= 0; j--) {
2719                         if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2720                             rt2860_rates[rn->ridx[i]].phy ==
2721                             rt2860_rates[rn->ridx[j]].phy)
2722                                 break;
2723                 }
2724                 if (j >= 0) {
2725                         rn->ctl_ridx[i] = rn->ridx[j];
2726                 } else {
2727                         /* no basic rate found, use mandatory one */
2728                         rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2729                 }
2730                 DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2731                     rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2732         }
2733         rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2734         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2735                 if (rt2860_rates[ridx].rate == rate)
2736                         break;
2737         rn->mgt_ridx = ridx;
2738         DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2739
2740         RUN_LOCK(sc);
2741         if(sc->ratectl_run != RUN_RATECTL_OFF)
2742                 usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2743         RUN_UNLOCK(sc);
2744 }
2745
2746 /*
2747  * Return the Rx chain with the highest RSSI for a given frame.
2748  */
2749 static __inline uint8_t
2750 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2751 {
2752         uint8_t rxchain = 0;
2753
2754         if (sc->nrxchains > 1) {
2755                 if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2756                         rxchain = 1;
2757                 if (sc->nrxchains > 2)
2758                         if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2759                                 rxchain = 2;
2760         }
2761         return (rxchain);
2762 }
2763
2764 static void
2765 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2766 {
2767         struct ifnet *ifp = sc->sc_ifp;
2768         struct ieee80211com *ic = ifp->if_l2com;
2769         struct ieee80211_frame *wh;
2770         struct ieee80211_node *ni;
2771         struct rt2870_rxd *rxd;
2772         struct rt2860_rxwi *rxwi;
2773         uint32_t flags;
2774         uint16_t len, rxwisize;
2775         uint8_t ant, rssi;
2776         int8_t nf;
2777
2778         rxwi = mtod(m, struct rt2860_rxwi *);
2779         len = le16toh(rxwi->len) & 0xfff;
2780         rxwisize = sizeof(struct rt2860_rxwi);
2781         if (sc->mac_ver == 0x5592)
2782                 rxwisize += sizeof(uint64_t);
2783         else if (sc->mac_ver == 0x3593)
2784                 rxwisize += sizeof(uint32_t);
2785         if (__predict_false(len > dmalen)) {
2786                 m_freem(m);
2787                 ifp->if_ierrors++;
2788                 DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2789                 return;
2790         }
2791         /* Rx descriptor is located at the end */
2792         rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2793         flags = le32toh(rxd->flags);
2794
2795         if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2796                 m_freem(m);
2797                 ifp->if_ierrors++;
2798                 DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2799                 return;
2800         }
2801
2802         m->m_data += rxwisize;
2803         m->m_pkthdr.len = m->m_len -= rxwisize;
2804
2805         wh = mtod(m, struct ieee80211_frame *);
2806
2807         if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2808                 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2809                 m->m_flags |= M_WEP;
2810         }
2811
2812         if (flags & RT2860_RX_L2PAD) {
2813                 DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2814                 len += 2;
2815         }
2816
2817         ni = ieee80211_find_rxnode(ic,
2818             mtod(m, struct ieee80211_frame_min *));
2819
2820         if (__predict_false(flags & RT2860_RX_MICERR)) {
2821                 /* report MIC failures to net80211 for TKIP */
2822                 if (ni != NULL)
2823                         ieee80211_notify_michael_failure(ni->ni_vap, wh,
2824                             rxwi->keyidx);
2825                 m_freem(m);
2826                 ifp->if_ierrors++;
2827                 DPRINTF("MIC error. Someone is lying.\n");
2828                 return;
2829         }
2830
2831         ant = run_maxrssi_chain(sc, rxwi);
2832         rssi = rxwi->rssi[ant];
2833         nf = run_rssi2dbm(sc, rssi, ant);
2834
2835         m->m_pkthdr.rcvif = ifp;
2836         m->m_pkthdr.len = m->m_len = len;
2837
2838         if (ni != NULL) {
2839                 (void)ieee80211_input(ni, m, rssi, nf);
2840                 ieee80211_free_node(ni);
2841         } else {
2842                 (void)ieee80211_input_all(ic, m, rssi, nf);
2843         }
2844
2845         if (__predict_false(ieee80211_radiotap_active(ic))) {
2846                 struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2847                 uint16_t phy;
2848
2849                 tap->wr_flags = 0;
2850                 tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2851                 tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2852                 tap->wr_antsignal = rssi;
2853                 tap->wr_antenna = ant;
2854                 tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2855                 tap->wr_rate = 2;       /* in case it can't be found below */
2856                 phy = le16toh(rxwi->phy);
2857                 switch (phy & RT2860_PHY_MODE) {
2858                 case RT2860_PHY_CCK:
2859                         switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2860                         case 0: tap->wr_rate =   2; break;
2861                         case 1: tap->wr_rate =   4; break;
2862                         case 2: tap->wr_rate =  11; break;
2863                         case 3: tap->wr_rate =  22; break;
2864                         }
2865                         if (phy & RT2860_PHY_SHPRE)
2866                                 tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2867                         break;
2868                 case RT2860_PHY_OFDM:
2869                         switch (phy & RT2860_PHY_MCS) {
2870                         case 0: tap->wr_rate =  12; break;
2871                         case 1: tap->wr_rate =  18; break;
2872                         case 2: tap->wr_rate =  24; break;
2873                         case 3: tap->wr_rate =  36; break;
2874                         case 4: tap->wr_rate =  48; break;
2875                         case 5: tap->wr_rate =  72; break;
2876                         case 6: tap->wr_rate =  96; break;
2877                         case 7: tap->wr_rate = 108; break;
2878                         }
2879                         break;
2880                 }
2881         }
2882 }
2883
2884 static void
2885 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2886 {
2887         struct run_softc *sc = usbd_xfer_softc(xfer);
2888         struct ifnet *ifp = sc->sc_ifp;
2889         struct mbuf *m = NULL;
2890         struct mbuf *m0;
2891         uint32_t dmalen;
2892         uint16_t rxwisize;
2893         int xferlen;
2894
2895         rxwisize = sizeof(struct rt2860_rxwi);
2896         if (sc->mac_ver == 0x5592)
2897                 rxwisize += sizeof(uint64_t);
2898         else if (sc->mac_ver == 0x3593)
2899                 rxwisize += sizeof(uint32_t);
2900
2901         usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2902
2903         switch (USB_GET_STATE(xfer)) {
2904         case USB_ST_TRANSFERRED:
2905
2906                 DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2907
2908                 if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2909                     sizeof(struct rt2870_rxd))) {
2910                         DPRINTF("xfer too short %d\n", xferlen);
2911                         goto tr_setup;
2912                 }
2913
2914                 m = sc->rx_m;
2915                 sc->rx_m = NULL;
2916
2917                 /* FALLTHROUGH */
2918         case USB_ST_SETUP:
2919 tr_setup:
2920                 if (sc->rx_m == NULL) {
2921                         sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2922                             MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2923                 }
2924                 if (sc->rx_m == NULL) {
2925                         DPRINTF("could not allocate mbuf - idle with stall\n");
2926                         ifp->if_ierrors++;
2927                         usbd_xfer_set_stall(xfer);
2928                         usbd_xfer_set_frames(xfer, 0);
2929                 } else {
2930                         /*
2931                          * Directly loading a mbuf cluster into DMA to
2932                          * save some data copying. This works because
2933                          * there is only one cluster.
2934                          */
2935                         usbd_xfer_set_frame_data(xfer, 0, 
2936                             mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2937                         usbd_xfer_set_frames(xfer, 1);
2938                 }
2939                 usbd_transfer_submit(xfer);
2940                 break;
2941
2942         default:        /* Error */
2943                 if (error != USB_ERR_CANCELLED) {
2944                         /* try to clear stall first */
2945                         usbd_xfer_set_stall(xfer);
2946
2947                         if (error == USB_ERR_TIMEOUT)
2948                                 device_printf(sc->sc_dev, "device timeout\n");
2949
2950                         ifp->if_ierrors++;
2951
2952                         goto tr_setup;
2953                 }
2954                 if (sc->rx_m != NULL) {
2955                         m_freem(sc->rx_m);
2956                         sc->rx_m = NULL;
2957                 }
2958                 break;
2959         }
2960
2961         if (m == NULL)
2962                 return;
2963
2964         /* inputting all the frames must be last */
2965
2966         RUN_UNLOCK(sc);
2967
2968         m->m_pkthdr.len = m->m_len = xferlen;
2969
2970         /* HW can aggregate multiple 802.11 frames in a single USB xfer */
2971         for(;;) {
2972                 dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2973
2974                 if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2975                     ((dmalen & 3) != 0)) {
2976                         DPRINTF("bad DMA length %u\n", dmalen);
2977                         break;
2978                 }
2979                 if ((dmalen + 8) > (uint32_t)xferlen) {
2980                         DPRINTF("bad DMA length %u > %d\n",
2981                         dmalen + 8, xferlen);
2982                         break;
2983                 }
2984
2985                 /* If it is the last one or a single frame, we won't copy. */
2986                 if ((xferlen -= dmalen + 8) <= 8) {
2987                         /* trim 32-bit DMA-len header */
2988                         m->m_data += 4;
2989                         m->m_pkthdr.len = m->m_len -= 4;
2990                         run_rx_frame(sc, m, dmalen);
2991                         m = NULL;       /* don't free source buffer */
2992                         break;
2993                 }
2994
2995                 /* copy aggregated frames to another mbuf */
2996                 m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2997                 if (__predict_false(m0 == NULL)) {
2998                         DPRINTF("could not allocate mbuf\n");
2999                         ifp->if_ierrors++;
3000                         break;
3001                 }
3002                 m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3003                     dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3004                 m0->m_pkthdr.len = m0->m_len =
3005                     dmalen + sizeof(struct rt2870_rxd);
3006                 run_rx_frame(sc, m0, dmalen);
3007
3008                 /* update data ptr */
3009                 m->m_data += dmalen + 8;
3010                 m->m_pkthdr.len = m->m_len -= dmalen + 8;
3011         }
3012
3013         /* make sure we free the source buffer, if any */
3014         m_freem(m);
3015
3016         RUN_LOCK(sc);
3017 }
3018
3019 static void
3020 run_tx_free(struct run_endpoint_queue *pq,
3021     struct run_tx_data *data, int txerr)
3022 {
3023         if (data->m != NULL) {
3024                 if (data->m->m_flags & M_TXCB)
3025                         ieee80211_process_callback(data->ni, data->m,
3026                             txerr ? ETIMEDOUT : 0);
3027                 m_freem(data->m);
3028                 data->m = NULL;
3029
3030                 if (data->ni == NULL) {
3031                         DPRINTF("no node\n");
3032                 } else {
3033                         ieee80211_free_node(data->ni);
3034                         data->ni = NULL;
3035                 }
3036         }
3037
3038         STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3039         pq->tx_nfree++;
3040 }
3041
3042 static void
3043 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3044 {
3045         struct run_softc *sc = usbd_xfer_softc(xfer);
3046         struct ifnet *ifp = sc->sc_ifp;
3047         struct ieee80211com *ic = ifp->if_l2com;
3048         struct run_tx_data *data;
3049         struct ieee80211vap *vap = NULL;
3050         struct usb_page_cache *pc;
3051         struct run_endpoint_queue *pq = &sc->sc_epq[index];
3052         struct mbuf *m;
3053         usb_frlength_t size;
3054         int actlen;
3055         int sumlen;
3056
3057         usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3058
3059         switch (USB_GET_STATE(xfer)) {
3060         case USB_ST_TRANSFERRED:
3061                 DPRINTFN(11, "transfer complete: %d "
3062                     "bytes @ index %d\n", actlen, index);
3063
3064                 data = usbd_xfer_get_priv(xfer);
3065
3066                 run_tx_free(pq, data, 0);
3067                 ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3068
3069                 usbd_xfer_set_priv(xfer, NULL);
3070
3071                 ifp->if_opackets++;
3072
3073                 /* FALLTHROUGH */
3074         case USB_ST_SETUP:
3075 tr_setup:
3076                 data = STAILQ_FIRST(&pq->tx_qh);
3077                 if (data == NULL)
3078                         break;
3079
3080                 STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3081
3082                 m = data->m;
3083                 size = (sc->mac_ver == 0x5592) ?
3084                     sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3085                 if ((m->m_pkthdr.len +
3086                     size + 3 + 8) > RUN_MAX_TXSZ) {
3087                         DPRINTF("data overflow, %u bytes\n",
3088                             m->m_pkthdr.len);
3089
3090                         ifp->if_oerrors++;
3091
3092                         run_tx_free(pq, data, 1);
3093
3094                         goto tr_setup;
3095                 }
3096
3097                 pc = usbd_xfer_get_frame(xfer, 0);
3098                 usbd_copy_in(pc, 0, &data->desc, size);
3099                 usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3100                 size += m->m_pkthdr.len;
3101                 /*
3102                  * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3103                  * 4-byte padding), and be sure to zero those trailing
3104                  * bytes:
3105                  */
3106                 usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3107                 size += ((-size) & 3) + 8;
3108
3109                 vap = data->ni->ni_vap;
3110                 if (ieee80211_radiotap_active_vap(vap)) {
3111                         struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3112                         struct rt2860_txwi *txwi = 
3113                             (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3114                         tap->wt_flags = 0;
3115                         tap->wt_rate = rt2860_rates[data->ridx].rate;
3116                         tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3117                         tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3118                         tap->wt_hwqueue = index;
3119                         if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3120                                 tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3121
3122                         ieee80211_radiotap_tx(vap, m);
3123                 }
3124
3125                 DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3126                     m->m_pkthdr.len, size, index);
3127
3128                 usbd_xfer_set_frame_len(xfer, 0, size);
3129                 usbd_xfer_set_priv(xfer, data);
3130
3131                 usbd_transfer_submit(xfer);
3132
3133                 RUN_UNLOCK(sc);
3134                 run_start(ifp);
3135                 RUN_LOCK(sc);
3136
3137                 break;
3138
3139         default:
3140                 DPRINTF("USB transfer error, %s\n",
3141                     usbd_errstr(error));
3142
3143                 data = usbd_xfer_get_priv(xfer);
3144
3145                 ifp->if_oerrors++;
3146
3147                 if (data != NULL) {
3148                         if(data->ni != NULL)
3149                                 vap = data->ni->ni_vap;
3150                         run_tx_free(pq, data, error);
3151                         usbd_xfer_set_priv(xfer, NULL);
3152                 }
3153                 if (vap == NULL)
3154                         vap = TAILQ_FIRST(&ic->ic_vaps);
3155
3156                 if (error != USB_ERR_CANCELLED) {
3157                         if (error == USB_ERR_TIMEOUT) {
3158                                 device_printf(sc->sc_dev, "device timeout\n");
3159                                 uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3160                                 DPRINTF("cmdq_store=%d\n", i);
3161                                 sc->cmdq[i].func = run_usb_timeout_cb;
3162                                 sc->cmdq[i].arg0 = vap;
3163                                 ieee80211_runtask(ic, &sc->cmdq_task);
3164                         }
3165
3166                         /*
3167                          * Try to clear stall first, also if other
3168                          * errors occur, hence clearing stall
3169                          * introduces a 50 ms delay:
3170                          */
3171                         usbd_xfer_set_stall(xfer);
3172                         goto tr_setup;
3173                 }
3174                 break;
3175         }
3176 }
3177
3178 static void
3179 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3180 {
3181         run_bulk_tx_callbackN(xfer, error, 0);
3182 }
3183
3184 static void
3185 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3186 {
3187         run_bulk_tx_callbackN(xfer, error, 1);
3188 }
3189
3190 static void
3191 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3192 {
3193         run_bulk_tx_callbackN(xfer, error, 2);
3194 }
3195
3196 static void
3197 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3198 {
3199         run_bulk_tx_callbackN(xfer, error, 3);
3200 }
3201
3202 static void
3203 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3204 {
3205         run_bulk_tx_callbackN(xfer, error, 4);
3206 }
3207
3208 static void
3209 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3210 {
3211         run_bulk_tx_callbackN(xfer, error, 5);
3212 }
3213
3214 static void
3215 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3216 {
3217         struct mbuf *m = data->m;
3218         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3219         struct ieee80211vap *vap = data->ni->ni_vap;
3220         struct ieee80211_frame *wh;
3221         struct rt2870_txd *txd;
3222         struct rt2860_txwi *txwi;
3223         uint16_t xferlen, txwisize;
3224         uint16_t mcs;
3225         uint8_t ridx = data->ridx;
3226         uint8_t pad;
3227
3228         /* get MCS code from rate index */
3229         mcs = rt2860_rates[ridx].mcs;
3230
3231         txwisize = (sc->mac_ver == 0x5592) ?
3232             sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3233         xferlen = txwisize + m->m_pkthdr.len;
3234
3235         /* roundup to 32-bit alignment */
3236         xferlen = (xferlen + 3) & ~3;
3237
3238         txd = (struct rt2870_txd *)&data->desc;
3239         txd->len = htole16(xferlen);
3240
3241         wh = mtod(m, struct ieee80211_frame *);
3242
3243         /*
3244          * Ether both are true or both are false, the header
3245          * are nicely aligned to 32-bit. So, no L2 padding.
3246          */
3247         if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3248                 pad = 0;
3249         else
3250                 pad = 2;
3251
3252         /* setup TX Wireless Information */
3253         txwi = (struct rt2860_txwi *)(txd + 1);
3254         txwi->len = htole16(m->m_pkthdr.len - pad);
3255         if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3256                 txwi->phy = htole16(RT2860_PHY_CCK);
3257                 if (ridx != RT2860_RIDX_CCK1 &&
3258                     (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3259                         mcs |= RT2860_PHY_SHPRE;
3260         } else
3261                 txwi->phy = htole16(RT2860_PHY_OFDM);
3262         txwi->phy |= htole16(mcs);
3263
3264         /* check if RTS/CTS or CTS-to-self protection is required */
3265         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3266             (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3267              ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3268               rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3269                 txwi->txop |= RT2860_TX_TXOP_HT;
3270         else
3271                 txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3272
3273         if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3274                 txwi->xflags |= RT2860_TX_NSEQ;
3275 }
3276
3277 /* This function must be called locked */
3278 static int
3279 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3280 {
3281         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3282         struct ieee80211vap *vap = ni->ni_vap;
3283         struct ieee80211_frame *wh;
3284         struct ieee80211_channel *chan;
3285         const struct ieee80211_txparam *tp;
3286         struct run_node *rn = (void *)ni;
3287         struct run_tx_data *data;
3288         struct rt2870_txd *txd;
3289         struct rt2860_txwi *txwi;
3290         uint16_t qos;
3291         uint16_t dur;
3292         uint16_t qid;
3293         uint8_t type;
3294         uint8_t tid;
3295         uint8_t ridx;
3296         uint8_t ctl_ridx;
3297         uint8_t qflags;
3298         uint8_t xflags = 0;
3299         int hasqos;
3300
3301         RUN_LOCK_ASSERT(sc, MA_OWNED);
3302
3303         wh = mtod(m, struct ieee80211_frame *);
3304
3305         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3306
3307         /*
3308          * There are 7 bulk endpoints: 1 for RX
3309          * and 6 for TX (4 EDCAs + HCCA + Prio).
3310          * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3311          * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3312          */
3313         if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3314                 uint8_t *frm;
3315
3316                 if(IEEE80211_HAS_ADDR4(wh))
3317                         frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3318                 else
3319                         frm =((struct ieee80211_qosframe *)wh)->i_qos;
3320
3321                 qos = le16toh(*(const uint16_t *)frm);
3322                 tid = qos & IEEE80211_QOS_TID;
3323                 qid = TID_TO_WME_AC(tid);
3324         } else {
3325                 qos = 0;
3326                 tid = 0;
3327                 qid = WME_AC_BE;
3328         }
3329         qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3330
3331         DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3332             qos, qid, tid, qflags);
3333
3334         chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3335         tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3336
3337         /* pickup a rate index */
3338         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3339             type != IEEE80211_FC0_TYPE_DATA) {
3340                 ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3341                     RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3342                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3343         } else {
3344                 if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3345                         ridx = rn->fix_ridx;
3346                 else
3347                         ridx = rn->amrr_ridx;
3348                 ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3349         }
3350
3351         if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3352             (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3353              IEEE80211_QOS_ACKPOLICY_NOACK)) {
3354                 xflags |= RT2860_TX_ACK;
3355                 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3356                         dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3357                 else
3358                         dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3359                 USETW(wh->i_dur, dur);
3360         }
3361
3362         /* reserve slots for mgmt packets, just in case */
3363         if (sc->sc_epq[qid].tx_nfree < 3) {
3364                 DPRINTFN(10, "tx ring %d is full\n", qid);
3365                 return (-1);
3366         }
3367
3368         data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3369         STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3370         sc->sc_epq[qid].tx_nfree--;
3371
3372         txd = (struct rt2870_txd *)&data->desc;
3373         txd->flags = qflags;
3374         txwi = (struct rt2860_txwi *)(txd + 1);
3375         txwi->xflags = xflags;
3376         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3377                 txwi->wcid = 0;
3378         else
3379                 txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3380                     1 : RUN_AID2WCID(ni->ni_associd);
3381
3382         /* clear leftover garbage bits */
3383         txwi->flags = 0;
3384         txwi->txop = 0;
3385
3386         data->m = m;
3387         data->ni = ni;
3388         data->ridx = ridx;
3389
3390         run_set_tx_desc(sc, data);
3391
3392         /*
3393          * The chip keeps track of 2 kind of Tx stats,
3394          *  * TX_STAT_FIFO, for per WCID stats, and
3395          *  * TX_STA_CNT0 for all-TX-in-one stats.
3396          *
3397          * To use FIFO stats, we need to store MCS into the driver-private
3398          * PacketID field. So that, we can tell whose stats when we read them.
3399          * We add 1 to the MCS because setting the PacketID field to 0 means
3400          * that we don't want feedback in TX_STAT_FIFO.
3401          * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3402          *
3403          * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3404          */
3405         if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3406             vap->iv_opmode == IEEE80211_M_MBSS) {
3407                 uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3408                 txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3409
3410                 /*
3411                  * Unlike PCI based devices, we don't get any interrupt from
3412                  * USB devices, so we simulate FIFO-is-full interrupt here.
3413                  * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3414                  * quickly get fulled. To prevent overflow, increment a counter on
3415                  * every FIFO stat request, so we know how many slots are left.
3416                  * We do this only in HOSTAP or multiple vap mode since FIFO stats
3417                  * are used only in those modes.
3418                  * We just drain stats. AMRR gets updated every 1 sec by
3419                  * run_ratectl_cb() via callout.
3420                  * Call it early. Otherwise overflow.
3421                  */
3422                 if (sc->fifo_cnt++ == 10) {
3423                         /*
3424                          * With multiple vaps or if_bridge, if_start() is called
3425                          * with a non-sleepable lock, tcpinp. So, need to defer.
3426                          */
3427                         uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3428                         DPRINTFN(6, "cmdq_store=%d\n", i);
3429                         sc->cmdq[i].func = run_drain_fifo;
3430                         sc->cmdq[i].arg0 = sc;
3431                         ieee80211_runtask(ic, &sc->cmdq_task);
3432                 }
3433         }
3434
3435         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3436
3437         usbd_transfer_start(sc->sc_xfer[qid]);
3438
3439         DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3440             m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3441             sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3442
3443         return (0);
3444 }
3445
3446 static int
3447 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3448 {
3449         struct ifnet *ifp = sc->sc_ifp;
3450         struct ieee80211com *ic = ifp->if_l2com;
3451         struct run_node *rn = (void *)ni;
3452         struct run_tx_data *data;
3453         struct ieee80211_frame *wh;
3454         struct rt2870_txd *txd;
3455         struct rt2860_txwi *txwi;
3456         uint16_t dur;
3457         uint8_t ridx = rn->mgt_ridx;
3458         uint8_t type;
3459         uint8_t xflags = 0;
3460         uint8_t wflags = 0;
3461
3462         RUN_LOCK_ASSERT(sc, MA_OWNED);
3463
3464         wh = mtod(m, struct ieee80211_frame *);
3465
3466         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3467
3468         /* tell hardware to add timestamp for probe responses */
3469         if ((wh->i_fc[0] &
3470             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3471             (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3472                 wflags |= RT2860_TX_TS;
3473         else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3474                 xflags |= RT2860_TX_ACK;
3475
3476                 dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate, 
3477                     ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3478                 USETW(wh->i_dur, dur);
3479         }
3480
3481         if (sc->sc_epq[0].tx_nfree == 0) {
3482                 /* let caller free mbuf */
3483                 ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3484                 return (EIO);
3485         }
3486         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3487         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3488         sc->sc_epq[0].tx_nfree--;
3489
3490         txd = (struct rt2870_txd *)&data->desc;
3491         txd->flags = RT2860_TX_QSEL_EDCA;
3492         txwi = (struct rt2860_txwi *)(txd + 1);
3493         txwi->wcid = 0xff;
3494         txwi->flags = wflags;
3495         txwi->xflags = xflags;
3496         txwi->txop = 0; /* clear leftover garbage bits */
3497
3498         data->m = m;
3499         data->ni = ni;
3500         data->ridx = ridx;
3501
3502         run_set_tx_desc(sc, data);
3503
3504         DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3505             (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3506             rt2860_rates[ridx].rate);
3507
3508         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3509
3510         usbd_transfer_start(sc->sc_xfer[0]);
3511
3512         return (0);
3513 }
3514
3515 static int
3516 run_sendprot(struct run_softc *sc,
3517     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3518 {
3519         struct ieee80211com *ic = ni->ni_ic;
3520         struct ieee80211_frame *wh;
3521         struct run_tx_data *data;
3522         struct rt2870_txd *txd;
3523         struct rt2860_txwi *txwi;
3524         struct mbuf *mprot;
3525         int ridx;
3526         int protrate;
3527         int ackrate;
3528         int pktlen;
3529         int isshort;
3530         uint16_t dur;
3531         uint8_t type;
3532         uint8_t wflags = 0;
3533         uint8_t xflags = 0;
3534
3535         RUN_LOCK_ASSERT(sc, MA_OWNED);
3536
3537         KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3538             ("protection %d", prot));
3539
3540         wh = mtod(m, struct ieee80211_frame *);
3541         pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3542         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3543
3544         protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3545         ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3546
3547         isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3548         dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3549             + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3550         wflags = RT2860_TX_FRAG;
3551
3552         /* check that there are free slots before allocating the mbuf */
3553         if (sc->sc_epq[0].tx_nfree == 0) {
3554                 /* let caller free mbuf */
3555                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3556                 return (ENOBUFS);
3557         }
3558
3559         if (prot == IEEE80211_PROT_RTSCTS) {
3560                 /* NB: CTS is the same size as an ACK */
3561                 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3562                 xflags |= RT2860_TX_ACK;
3563                 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3564         } else {
3565                 mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3566         }
3567         if (mprot == NULL) {
3568                 sc->sc_ifp->if_oerrors++;
3569                 DPRINTF("could not allocate mbuf\n");
3570                 return (ENOBUFS);
3571         }
3572
3573         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3574         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3575         sc->sc_epq[0].tx_nfree--;
3576
3577         txd = (struct rt2870_txd *)&data->desc;
3578         txd->flags = RT2860_TX_QSEL_EDCA;
3579         txwi = (struct rt2860_txwi *)(txd + 1);
3580         txwi->wcid = 0xff;
3581         txwi->flags = wflags;
3582         txwi->xflags = xflags;
3583         txwi->txop = 0; /* clear leftover garbage bits */
3584
3585         data->m = mprot;
3586         data->ni = ieee80211_ref_node(ni);
3587
3588         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3589                 if (rt2860_rates[ridx].rate == protrate)
3590                         break;
3591         data->ridx = ridx;
3592
3593         run_set_tx_desc(sc, data);
3594
3595         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3596             m->m_pkthdr.len, rate);
3597
3598         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3599
3600         usbd_transfer_start(sc->sc_xfer[0]);
3601
3602         return (0);
3603 }
3604
3605 static int
3606 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3607     const struct ieee80211_bpf_params *params)
3608 {
3609         struct ieee80211com *ic = ni->ni_ic;
3610         struct ieee80211_frame *wh;
3611         struct run_tx_data *data;
3612         struct rt2870_txd *txd;
3613         struct rt2860_txwi *txwi;
3614         uint8_t type;
3615         uint8_t ridx;
3616         uint8_t rate;
3617         uint8_t opflags = 0;
3618         uint8_t xflags = 0;
3619         int error;
3620
3621         RUN_LOCK_ASSERT(sc, MA_OWNED);
3622
3623         KASSERT(params != NULL, ("no raw xmit params"));
3624
3625         wh = mtod(m, struct ieee80211_frame *);
3626         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3627
3628         rate = params->ibp_rate0;
3629         if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3630                 /* let caller free mbuf */
3631                 return (EINVAL);
3632         }
3633
3634         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3635                 xflags |= RT2860_TX_ACK;
3636         if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3637                 error = run_sendprot(sc, m, ni,
3638                     params->ibp_flags & IEEE80211_BPF_RTS ?
3639                         IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3640                     rate);
3641                 if (error) {
3642                         /* let caller free mbuf */
3643                         return error;
3644                 }
3645                 opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3646         }
3647
3648         if (sc->sc_epq[0].tx_nfree == 0) {
3649                 /* let caller free mbuf */
3650                 sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3651                 DPRINTF("sending raw frame, but tx ring is full\n");
3652                 return (EIO);
3653         }
3654         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3655         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3656         sc->sc_epq[0].tx_nfree--;
3657
3658         txd = (struct rt2870_txd *)&data->desc;
3659         txd->flags = RT2860_TX_QSEL_EDCA;
3660         txwi = (struct rt2860_txwi *)(txd + 1);
3661         txwi->wcid = 0xff;
3662         txwi->xflags = xflags;
3663         txwi->txop = opflags;
3664         txwi->flags = 0;        /* clear leftover garbage bits */
3665
3666         data->m = m;
3667         data->ni = ni;
3668         for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3669                 if (rt2860_rates[ridx].rate == rate)
3670                         break;
3671         data->ridx = ridx;
3672
3673         run_set_tx_desc(sc, data);
3674
3675         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3676             m->m_pkthdr.len, rate);
3677
3678         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3679
3680         usbd_transfer_start(sc->sc_xfer[0]);
3681
3682         return (0);
3683 }
3684
3685 static int
3686 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3687     const struct ieee80211_bpf_params *params)
3688 {
3689         struct ifnet *ifp = ni->ni_ic->ic_ifp;
3690         struct run_softc *sc = ifp->if_softc;
3691         int error = 0;
3692  
3693         RUN_LOCK(sc);
3694
3695         /* prevent management frames from being sent if we're not ready */
3696         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3697                 error =  ENETDOWN;
3698                 goto done;
3699         }
3700
3701         if (params == NULL) {
3702                 /* tx mgt packet */
3703                 if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3704                         ifp->if_oerrors++;
3705                         DPRINTF("mgt tx failed\n");
3706                         goto done;
3707                 }
3708         } else {
3709                 /* tx raw packet with param */
3710                 if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3711                         ifp->if_oerrors++;
3712                         DPRINTF("tx with param failed\n");
3713                         goto done;
3714                 }
3715         }
3716
3717         ifp->if_opackets++;
3718
3719 done:
3720         RUN_UNLOCK(sc);
3721
3722         if (error != 0) {
3723                 if(m != NULL)
3724                         m_freem(m);
3725                 ieee80211_free_node(ni);
3726         }
3727
3728         return (error);
3729 }
3730
3731 static void
3732 run_start(struct ifnet *ifp)
3733 {
3734         struct run_softc *sc = ifp->if_softc;
3735         struct ieee80211_node *ni;
3736         struct mbuf *m;
3737
3738         RUN_LOCK(sc);
3739
3740         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3741                 RUN_UNLOCK(sc);
3742                 return;
3743         }
3744
3745         for (;;) {
3746                 /* send data frames */
3747                 IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3748                 if (m == NULL)
3749                         break;
3750
3751                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3752                 if (run_tx(sc, m, ni) != 0) {
3753                         IFQ_DRV_PREPEND(&ifp->if_snd, m);
3754                         ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3755                         break;
3756                 }
3757         }
3758
3759         RUN_UNLOCK(sc);
3760 }
3761
3762 static int
3763 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3764 {
3765         struct run_softc *sc = ifp->if_softc;
3766         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3767         struct ifreq *ifr = (struct ifreq *) data;
3768         int startall = 0;
3769         int error;
3770
3771         RUN_LOCK(sc);
3772         error = sc->sc_detached ? ENXIO : 0;
3773         RUN_UNLOCK(sc);
3774         if (error)
3775                 return (error);
3776
3777         switch (cmd) {
3778         case SIOCSIFFLAGS:
3779                 RUN_LOCK(sc);
3780                 if (ifp->if_flags & IFF_UP) {
3781                         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3782                                 startall = 1;
3783                                 run_init_locked(sc);
3784                         } else
3785                                 run_update_promisc_locked(ifp);
3786                 } else {
3787                         if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3788                             (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3789                                         run_stop(sc);
3790                         }
3791                 }
3792                 RUN_UNLOCK(sc);
3793                 if (startall)
3794                         ieee80211_start_all(ic);
3795                 break;
3796         case SIOCGIFMEDIA:
3797                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3798                 break;
3799         case SIOCGIFADDR:
3800                 error = ether_ioctl(ifp, cmd, data);
3801                 break;
3802         default:
3803                 error = EINVAL;
3804                 break;
3805         }
3806
3807         return (error);
3808 }
3809
3810 static void
3811 run_iq_calib(struct run_softc *sc, u_int chan)
3812 {
3813         uint16_t val;
3814
3815         /* Tx0 IQ gain. */
3816         run_bbp_write(sc, 158, 0x2c);
3817         if (chan <= 14)
3818                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3819         else if (chan <= 64) {
3820                 run_efuse_read(sc,
3821                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3822                     &val, 1);
3823         } else if (chan <= 138) {
3824                 run_efuse_read(sc,
3825                     RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3826                     &val, 1);
3827         } else if (chan <= 165) {
3828                 run_efuse_read(sc,
3829             RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3830                     &val, 1);
3831         } else
3832                 val = 0;
3833         run_bbp_write(sc, 159, val);
3834
3835         /* Tx0 IQ phase. */
3836         run_bbp_write(sc, 158, 0x2d);
3837         if (chan <= 14) {
3838                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3839                     &val, 1);
3840         } else if (chan <= 64) {
3841                 run_efuse_read(sc,
3842                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3843                     &val, 1);
3844         } else if (chan <= 138) {
3845                 run_efuse_read(sc,
3846                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3847                     &val, 1);
3848         } else if (chan <= 165) {
3849                 run_efuse_read(sc,
3850                     RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3851                     &val, 1);
3852         } else
3853                 val = 0;
3854         run_bbp_write(sc, 159, val);
3855
3856         /* Tx1 IQ gain. */
3857         run_bbp_write(sc, 158, 0x4a);
3858         if (chan <= 14) {
3859                 run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3860                     &val, 1);
3861         } else if (chan <= 64) {
3862                 run_efuse_read(sc,
3863                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3864                     &val, 1);
3865         } else if (chan <= 138) {
3866                 run_efuse_read(sc,
3867                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3868                     &val, 1);
3869         } else if (chan <= 165) {
3870                 run_efuse_read(sc,
3871                     RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3872                     &val, 1);
3873         } else
3874                 val = 0;
3875         run_bbp_write(sc, 159, val);
3876
3877         /* Tx1 IQ phase. */
3878         run_bbp_write(sc, 158, 0x4b);
3879         if (chan <= 14) {
3880                 run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3881                     &val, 1);
3882         } else if (chan <= 64) {
3883                 run_efuse_read(sc,
3884                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3885                     &val, 1);
3886         } else if (chan <= 138) {
3887                 run_efuse_read(sc,
3888                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3889                     &val, 1);
3890         } else if (chan <= 165) {
3891                 run_efuse_read(sc,
3892                     RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3893                     &val, 1);
3894         } else
3895                 val = 0;
3896         run_bbp_write(sc, 159, val);
3897
3898         /* RF IQ compensation control. */
3899         run_bbp_write(sc, 158, 0x04);
3900         run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3901             &val, 1);
3902         run_bbp_write(sc, 159, val);
3903
3904         /* RF IQ imbalance compensation control. */
3905         run_bbp_write(sc, 158, 0x03);
3906         run_efuse_read(sc,
3907             RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3908         run_bbp_write(sc, 159, val);
3909 }
3910
3911 static void
3912 run_set_agc(struct run_softc *sc, uint8_t agc)
3913 {
3914         uint8_t bbp;
3915
3916         if (sc->mac_ver == 0x3572) {
3917                 run_bbp_read(sc, 27, &bbp);
3918                 bbp &= ~(0x3 << 5);
3919                 run_bbp_write(sc, 27, bbp | 0 << 5);    /* select Rx0 */
3920                 run_bbp_write(sc, 66, agc);
3921                 run_bbp_write(sc, 27, bbp | 1 << 5);    /* select Rx1 */
3922                 run_bbp_write(sc, 66, agc);
3923         } else
3924                 run_bbp_write(sc, 66, agc);
3925 }
3926
3927 static void
3928 run_select_chan_group(struct run_softc *sc, int group)
3929 {
3930         uint32_t tmp;
3931         uint8_t agc;
3932
3933         run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3934         run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3935         run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3936         if (sc->mac_ver < 0x3572)
3937                 run_bbp_write(sc, 86, 0x00);
3938
3939         if (sc->mac_ver == 0x3593) {
3940                 run_bbp_write(sc, 77, 0x98);
3941                 run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3942         }
3943
3944         if (group == 0) {
3945                 if (sc->ext_2ghz_lna) {
3946                         if (sc->mac_ver >= 0x5390)
3947                                 run_bbp_write(sc, 75, 0x52);
3948                         else {
3949                                 run_bbp_write(sc, 82, 0x62);
3950                                 run_bbp_write(sc, 75, 0x46);
3951                         }
3952                 } else {
3953                         if (sc->mac_ver == 0x5592) {
3954                                 run_bbp_write(sc, 79, 0x1c);
3955                                 run_bbp_write(sc, 80, 0x0e);
3956                                 run_bbp_write(sc, 81, 0x3a);
3957                                 run_bbp_write(sc, 82, 0x62);
3958
3959                                 run_bbp_write(sc, 195, 0x80);
3960                                 run_bbp_write(sc, 196, 0xe0);
3961                                 run_bbp_write(sc, 195, 0x81);
3962                                 run_bbp_write(sc, 196, 0x1f);
3963                                 run_bbp_write(sc, 195, 0x82);
3964                                 run_bbp_write(sc, 196, 0x38);
3965                                 run_bbp_write(sc, 195, 0x83);
3966                                 run_bbp_write(sc, 196, 0x32);
3967                                 run_bbp_write(sc, 195, 0x85);
3968                                 run_bbp_write(sc, 196, 0x28);
3969                                 run_bbp_write(sc, 195, 0x86);
3970                                 run_bbp_write(sc, 196, 0x19);
3971                         } else if (sc->mac_ver >= 0x5390)
3972                                 run_bbp_write(sc, 75, 0x50);
3973                         else {
3974                                 run_bbp_write(sc, 82,
3975                                     (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3976                                 run_bbp_write(sc, 75, 0x50);
3977                         }
3978                 }
3979         } else {
3980                 if (sc->mac_ver == 0x5592) {
3981                         run_bbp_write(sc, 79, 0x18);
3982                         run_bbp_write(sc, 80, 0x08);
3983                         run_bbp_write(sc, 81, 0x38);
3984                         run_bbp_write(sc, 82, 0x92);
3985
3986                         run_bbp_write(sc, 195, 0x80);
3987                         run_bbp_write(sc, 196, 0xf0);
3988                         run_bbp_write(sc, 195, 0x81);
3989                         run_bbp_write(sc, 196, 0x1e);
3990                         run_bbp_write(sc, 195, 0x82);
3991                         run_bbp_write(sc, 196, 0x28);
3992                         run_bbp_write(sc, 195, 0x83);
3993                         run_bbp_write(sc, 196, 0x20);
3994                         run_bbp_write(sc, 195, 0x85);
3995                         run_bbp_write(sc, 196, 0x7f);
3996                         run_bbp_write(sc, 195, 0x86);
3997                         run_bbp_write(sc, 196, 0x7f);
3998                 } else if (sc->mac_ver == 0x3572)
3999                         run_bbp_write(sc, 82, 0x94);
4000                 else
4001                         run_bbp_write(sc, 82,
4002                             (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
4003                 if (sc->ext_5ghz_lna)
4004                         run_bbp_write(sc, 75, 0x46);
4005                 else 
4006                         run_bbp_write(sc, 75, 0x50);
4007         }
4008
4009         run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4010         tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4011         tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4012         run_write(sc, RT2860_TX_BAND_CFG, tmp);
4013
4014         /* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4015         tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4016         if (sc->mac_ver == 0x3593)
4017                 tmp |= 1 << 29 | 1 << 28;
4018         if (sc->nrxchains > 1)
4019                 tmp |= RT2860_LNA_PE1_EN;
4020         if (group == 0) {       /* 2GHz */
4021                 tmp |= RT2860_PA_PE_G0_EN;
4022                 if (sc->ntxchains > 1)
4023                         tmp |= RT2860_PA_PE_G1_EN;
4024                 if (sc->mac_ver == 0x3593) {
4025                         if (sc->ntxchains > 2)
4026                                 tmp |= 1 << 25;
4027                 }
4028         } else {                /* 5GHz */
4029                 tmp |= RT2860_PA_PE_A0_EN;
4030                 if (sc->ntxchains > 1)
4031                         tmp |= RT2860_PA_PE_A1_EN;
4032         }
4033         if (sc->mac_ver == 0x3572) {
4034                 run_rt3070_rf_write(sc, 8, 0x00);
4035                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4036                 run_rt3070_rf_write(sc, 8, 0x80);
4037         } else
4038                 run_write(sc, RT2860_TX_PIN_CFG, tmp);
4039
4040         if (sc->mac_ver == 0x5592) {
4041                 run_bbp_write(sc, 195, 0x8d);
4042                 run_bbp_write(sc, 196, 0x1a);
4043         }
4044
4045         if (sc->mac_ver == 0x3593) {
4046                 run_read(sc, RT2860_GPIO_CTRL, &tmp);
4047                 tmp &= ~0x01010000;
4048                 if (group == 0)
4049                         tmp |= 0x00010000;
4050                 tmp = (tmp & ~0x00009090) | 0x00000090;
4051                 run_write(sc, RT2860_GPIO_CTRL, tmp);
4052         }
4053
4054         /* set initial AGC value */
4055         if (group == 0) {       /* 2GHz band */
4056                 if (sc->mac_ver >= 0x3070)
4057                         agc = 0x1c + sc->lna[0] * 2;
4058                 else
4059                         agc = 0x2e + sc->lna[0];
4060         } else {                /* 5GHz band */
4061                 if (sc->mac_ver == 0x5592)
4062                         agc = 0x24 + sc->lna[group] * 2;
4063                 else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4064                         agc = 0x22 + (sc->lna[group] * 5) / 3;
4065                 else
4066                         agc = 0x32 + (sc->lna[group] * 5) / 3;
4067         }
4068         run_set_agc(sc, agc);
4069 }
4070
4071 static void
4072 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4073 {
4074         const struct rfprog *rfprog = rt2860_rf2850;
4075         uint32_t r2, r3, r4;
4076         int8_t txpow1, txpow2;
4077         int i;
4078
4079         /* find the settings for this channel (we know it exists) */
4080         for (i = 0; rfprog[i].chan != chan; i++);
4081
4082         r2 = rfprog[i].r2;
4083         if (sc->ntxchains == 1)
4084                 r2 |= 1 << 14;          /* 1T: disable Tx chain 2 */
4085         if (sc->nrxchains == 1)
4086                 r2 |= 1 << 17 | 1 << 6; /* 1R: disable Rx chains 2 & 3 */
4087         else if (sc->nrxchains == 2)
4088                 r2 |= 1 << 6;           /* 2R: disable Rx chain 3 */
4089
4090         /* use Tx power values from EEPROM */
4091         txpow1 = sc->txpow1[i];
4092         txpow2 = sc->txpow2[i];
4093
4094         /* Initialize RF R3 and R4. */
4095         r3 = rfprog[i].r3 & 0xffffc1ff;
4096         r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4097         if (chan > 14) {
4098                 if (txpow1 >= 0) {
4099                         txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4100                         r3 |= (txpow1 << 10) | (1 << 9);
4101                 } else {
4102                         txpow1 += 7;
4103
4104                         /* txpow1 is not possible larger than 15. */
4105                         r3 |= (txpow1 << 10);
4106                 }
4107                 if (txpow2 >= 0) {
4108                         txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4109                         r4 |= (txpow2 << 7) | (1 << 6);
4110                 } else {
4111                         txpow2 += 7;
4112                         r4 |= (txpow2 << 7);
4113                 }
4114         } else {
4115                 /* Set Tx0 power. */
4116                 r3 |= (txpow1 << 9);
4117
4118                 /* Set frequency offset and Tx1 power. */
4119                 r4 |= (txpow2 << 6);
4120         }
4121
4122         run_rt2870_rf_write(sc, rfprog[i].r1);
4123         run_rt2870_rf_write(sc, r2);
4124         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4125         run_rt2870_rf_write(sc, r4);
4126
4127         run_delay(sc, 10);
4128
4129         run_rt2870_rf_write(sc, rfprog[i].r1);
4130         run_rt2870_rf_write(sc, r2);
4131         run_rt2870_rf_write(sc, r3 | (1 << 2));
4132         run_rt2870_rf_write(sc, r4);
4133
4134         run_delay(sc, 10);
4135
4136         run_rt2870_rf_write(sc, rfprog[i].r1);
4137         run_rt2870_rf_write(sc, r2);
4138         run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4139         run_rt2870_rf_write(sc, r4);
4140 }
4141
4142 static void
4143 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4144 {
4145         int8_t txpow1, txpow2;
4146         uint8_t rf;
4147         int i;
4148
4149         /* find the settings for this channel (we know it exists) */
4150         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4151
4152         /* use Tx power values from EEPROM */
4153         txpow1 = sc->txpow1[i];
4154         txpow2 = sc->txpow2[i];
4155
4156         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4157
4158         /* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4159         run_rt3070_rf_read(sc, 3, &rf);
4160         rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4161         run_rt3070_rf_write(sc, 3, rf);
4162
4163         run_rt3070_rf_read(sc, 6, &rf);
4164         rf = (rf & ~0x03) | rt3070_freqs[i].r;
4165         run_rt3070_rf_write(sc, 6, rf);
4166
4167         /* set Tx0 power */
4168         run_rt3070_rf_read(sc, 12, &rf);
4169         rf = (rf & ~0x1f) | txpow1;
4170         run_rt3070_rf_write(sc, 12, rf);
4171
4172         /* set Tx1 power */
4173         run_rt3070_rf_read(sc, 13, &rf);
4174         rf = (rf & ~0x1f) | txpow2;
4175         run_rt3070_rf_write(sc, 13, rf);
4176
4177         run_rt3070_rf_read(sc, 1, &rf);
4178         rf &= ~0xfc;
4179         if (sc->ntxchains == 1)
4180                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4181         else if (sc->ntxchains == 2)
4182                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4183         if (sc->nrxchains == 1)
4184                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4185         else if (sc->nrxchains == 2)
4186                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4187         run_rt3070_rf_write(sc, 1, rf);
4188
4189         /* set RF offset */
4190         run_rt3070_rf_read(sc, 23, &rf);
4191         rf = (rf & ~0x7f) | sc->freq;
4192         run_rt3070_rf_write(sc, 23, rf);
4193
4194         /* program RF filter */
4195         run_rt3070_rf_read(sc, 24, &rf);        /* Tx */
4196         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4197         run_rt3070_rf_write(sc, 24, rf);
4198         run_rt3070_rf_read(sc, 31, &rf);        /* Rx */
4199         rf = (rf & ~0x3f) | sc->rf24_20mhz;
4200         run_rt3070_rf_write(sc, 31, rf);
4201
4202         /* enable RF tuning */
4203         run_rt3070_rf_read(sc, 7, &rf);
4204         run_rt3070_rf_write(sc, 7, rf | 0x01);
4205 }
4206
4207 static void
4208 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4209 {
4210         int8_t txpow1, txpow2;
4211         uint32_t tmp;
4212         uint8_t rf;
4213         int i;
4214
4215         /* find the settings for this channel (we know it exists) */
4216         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4217
4218         /* use Tx power values from EEPROM */
4219         txpow1 = sc->txpow1[i];
4220         txpow2 = sc->txpow2[i];
4221
4222         if (chan <= 14) {
4223                 run_bbp_write(sc, 25, sc->bbp25);
4224                 run_bbp_write(sc, 26, sc->bbp26);
4225         } else {
4226                 /* enable IQ phase correction */
4227                 run_bbp_write(sc, 25, 0x09);
4228                 run_bbp_write(sc, 26, 0xff);
4229         }
4230
4231         run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4232         run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4233         run_rt3070_rf_read(sc, 6, &rf);
4234         rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4235         rf |= (chan <= 14) ? 0x08 : 0x04;
4236         run_rt3070_rf_write(sc, 6, rf);
4237
4238         /* set PLL mode */
4239         run_rt3070_rf_read(sc, 5, &rf);
4240         rf &= ~(0x08 | 0x04);
4241         rf |= (chan <= 14) ? 0x04 : 0x08;
4242         run_rt3070_rf_write(sc, 5, rf);
4243
4244         /* set Tx power for chain 0 */
4245         if (chan <= 14)
4246                 rf = 0x60 | txpow1;
4247         else
4248                 rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4249         run_rt3070_rf_write(sc, 12, rf);
4250
4251         /* set Tx power for chain 1 */
4252         if (chan <= 14)
4253                 rf = 0x60 | txpow2;
4254         else
4255                 rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4256         run_rt3070_rf_write(sc, 13, rf);
4257
4258         /* set Tx/Rx streams */
4259         run_rt3070_rf_read(sc, 1, &rf);
4260         rf &= ~0xfc;
4261         if (sc->ntxchains == 1)
4262                 rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4263         else if (sc->ntxchains == 2)
4264                 rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4265         if (sc->nrxchains == 1)
4266                 rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4267         else if (sc->nrxchains == 2)
4268                 rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4269         run_rt3070_rf_write(sc, 1, rf);
4270
4271         /* set RF offset */
4272         run_rt3070_rf_read(sc, 23, &rf);
4273         rf = (rf & ~0x7f) | sc->freq;
4274         run_rt3070_rf_write(sc, 23, rf);
4275
4276         /* program RF filter */
4277         rf = sc->rf24_20mhz;
4278         run_rt3070_rf_write(sc, 24, rf);        /* Tx */
4279         run_rt3070_rf_write(sc, 31, rf);        /* Rx */
4280
4281         /* enable RF tuning */
4282         run_rt3070_rf_read(sc, 7, &rf);
4283         rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4284         run_rt3070_rf_write(sc, 7, rf);
4285
4286         /* TSSI */
4287         rf = (chan <= 14) ? 0xc3 : 0xc0;
4288         run_rt3070_rf_write(sc, 9, rf);
4289
4290         /* set loop filter 1 */
4291         run_rt3070_rf_write(sc, 10, 0xf1);
4292         /* set loop filter 2 */
4293         run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4294
4295         /* set tx_mx2_ic */
4296         run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4297         /* set tx_mx1_ic */
4298         if (chan <= 14)
4299                 rf = 0x48 | sc->txmixgain_2ghz;
4300         else
4301                 rf = 0x78 | sc->txmixgain_5ghz;
4302         run_rt3070_rf_write(sc, 16, rf);
4303
4304         /* set tx_lo1 */
4305         run_rt3070_rf_write(sc, 17, 0x23);
4306         /* set tx_lo2 */
4307         if (chan <= 14)
4308                 rf = 0x93;
4309         else if (chan <= 64)
4310                 rf = 0xb7;
4311         else if (chan <= 128)
4312                 rf = 0x74;
4313         else
4314                 rf = 0x72;
4315         run_rt3070_rf_write(sc, 19, rf);
4316
4317         /* set rx_lo1 */
4318         if (chan <= 14)
4319                 rf = 0xb3;
4320         else if (chan <= 64)
4321                 rf = 0xf6;
4322         else if (chan <= 128)
4323                 rf = 0xf4;
4324         else
4325                 rf = 0xf3;
4326         run_rt3070_rf_write(sc, 20, rf);
4327
4328         /* set pfd_delay */
4329         if (chan <= 14)
4330                 rf = 0x15;
4331         else if (chan <= 64)
4332                 rf = 0x3d;
4333         else
4334                 rf = 0x01;
4335         run_rt3070_rf_write(sc, 25, rf);
4336
4337         /* set rx_lo2 */
4338         run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4339         /* set ldo_rf_vc */
4340         run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4341         /* set drv_cc */
4342         run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4343
4344         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4345         tmp &= ~0x8080;
4346         if (chan <= 14)
4347                 tmp |= 0x80;
4348         run_write(sc, RT2860_GPIO_CTRL, tmp);
4349
4350         /* enable RF tuning */
4351         run_rt3070_rf_read(sc, 7, &rf);
4352         run_rt3070_rf_write(sc, 7, rf | 0x01);
4353
4354         run_delay(sc, 2);
4355 }
4356
4357 static void
4358 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4359 {
4360         int8_t txpow1, txpow2, txpow3;
4361         uint8_t h20mhz, rf;
4362         int i;
4363
4364         /* find the settings for this channel (we know it exists) */
4365         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4366
4367         /* use Tx power values from EEPROM */
4368         txpow1 = sc->txpow1[i];
4369         txpow2 = sc->txpow2[i];
4370         txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4371
4372         if (chan <= 14) {
4373                 run_bbp_write(sc, 25, sc->bbp25);
4374                 run_bbp_write(sc, 26, sc->bbp26);
4375         } else {
4376                 /* Enable IQ phase correction. */
4377                 run_bbp_write(sc, 25, 0x09);
4378                 run_bbp_write(sc, 26, 0xff);
4379         }
4380
4381         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4382         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4383         run_rt3070_rf_read(sc, 11, &rf);
4384         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4385         run_rt3070_rf_write(sc, 11, rf);
4386
4387         /* Set pll_idoh. */
4388         run_rt3070_rf_read(sc, 11, &rf);
4389         rf &= ~0x4c;
4390         rf |= (chan <= 14) ? 0x44 : 0x48;
4391         run_rt3070_rf_write(sc, 11, rf);
4392
4393         if (chan <= 14)
4394                 rf = txpow1 & 0x1f;
4395         else
4396                 rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4397         run_rt3070_rf_write(sc, 53, rf);
4398
4399         if (chan <= 14)
4400                 rf = txpow2 & 0x1f;
4401         else
4402                 rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4403         run_rt3070_rf_write(sc, 55, rf);
4404
4405         if (chan <= 14)
4406                 rf = txpow3 & 0x1f;
4407         else
4408                 rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4409         run_rt3070_rf_write(sc, 54, rf);
4410
4411         rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4412         if (sc->ntxchains == 3)
4413                 rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4414         else
4415                 rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4416         rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4417         run_rt3070_rf_write(sc, 1, rf);
4418
4419         run_adjust_freq_offset(sc);
4420
4421         run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4422
4423         h20mhz = (sc->rf24_20mhz & 0x20) >> 5; 
4424         run_rt3070_rf_read(sc, 30, &rf);
4425         rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4426         run_rt3070_rf_write(sc, 30, rf);
4427
4428         run_rt3070_rf_read(sc, 36, &rf);
4429         if (chan <= 14)
4430                 rf |= 0x80;
4431         else
4432                 rf &= ~0x80;
4433         run_rt3070_rf_write(sc, 36, rf);
4434
4435         /* Set vcolo_bs. */
4436         run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4437         /* Set pfd_delay. */
4438         run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4439
4440         /* Set vco bias current control. */
4441         run_rt3070_rf_read(sc, 6, &rf);
4442         rf &= ~0xc0;
4443         if (chan <= 14)
4444                 rf |= 0x40;
4445         else if (chan <= 128)
4446                 rf |= 0x80;
4447         else
4448                 rf |= 0x40;
4449         run_rt3070_rf_write(sc, 6, rf);
4450                 
4451         run_rt3070_rf_read(sc, 30, &rf);
4452         rf = (rf & ~0x18) | 0x10;
4453         run_rt3070_rf_write(sc, 30, rf);
4454
4455         run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4456         run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4457
4458         run_rt3070_rf_read(sc, 51, &rf);
4459         rf = (rf & ~0x03) | 0x01;
4460         run_rt3070_rf_write(sc, 51, rf);
4461         /* Set tx_mx1_cc. */
4462         run_rt3070_rf_read(sc, 51, &rf);
4463         rf &= ~0x1c;
4464         rf |= (chan <= 14) ? 0x14 : 0x10;
4465         run_rt3070_rf_write(sc, 51, rf);
4466         /* Set tx_mx1_ic. */
4467         run_rt3070_rf_read(sc, 51, &rf);
4468         rf &= ~0xe0;
4469         rf |= (chan <= 14) ? 0x60 : 0x40;
4470         run_rt3070_rf_write(sc, 51, rf);
4471         /* Set tx_lo1_ic. */
4472         run_rt3070_rf_read(sc, 49, &rf);
4473         rf &= ~0x1c;
4474         rf |= (chan <= 14) ? 0x0c : 0x08;
4475         run_rt3070_rf_write(sc, 49, rf);
4476         /* Set tx_lo1_en. */
4477         run_rt3070_rf_read(sc, 50, &rf);
4478         run_rt3070_rf_write(sc, 50, rf & ~0x20);
4479         /* Set drv_cc. */
4480         run_rt3070_rf_read(sc, 57, &rf);
4481         rf &= ~0xfc;
4482         rf |= (chan <= 14) ?  0x6c : 0x3c;
4483         run_rt3070_rf_write(sc, 57, rf);
4484         /* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4485         run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4486         /* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4487         run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4488         /* Enable VCO calibration. */
4489         run_rt3070_rf_read(sc, 3, &rf);
4490         rf &= ~RT5390_VCOCAL;
4491         rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4492         run_rt3070_rf_write(sc, 3, rf);
4493
4494         if (chan <= 14)
4495                 rf = 0x23;
4496         else if (chan <= 64)
4497                 rf = 0x36;
4498         else if (chan <= 128)
4499                 rf = 0x32;
4500         else
4501                 rf = 0x30;
4502         run_rt3070_rf_write(sc, 39, rf);
4503         if (chan <= 14)
4504                 rf = 0xbb;
4505         else if (chan <= 64)
4506                 rf = 0xeb;
4507         else if (chan <= 128)
4508                 rf = 0xb3;
4509         else
4510                 rf = 0x9b;
4511         run_rt3070_rf_write(sc, 45, rf);
4512
4513         /* Set FEQ/AEQ control. */
4514         run_bbp_write(sc, 105, 0x34);
4515 }
4516
4517 static void
4518 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4519 {
4520         int8_t txpow1, txpow2;
4521         uint8_t rf;
4522         int i;
4523
4524         /* find the settings for this channel (we know it exists) */
4525         for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4526
4527         /* use Tx power values from EEPROM */
4528         txpow1 = sc->txpow1[i];
4529         txpow2 = sc->txpow2[i];
4530
4531         run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4532         run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4533         run_rt3070_rf_read(sc, 11, &rf);
4534         rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4535         run_rt3070_rf_write(sc, 11, rf);
4536
4537         run_rt3070_rf_read(sc, 49, &rf);
4538         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4539         /* The valid range of the RF R49 is 0x00 to 0x27. */
4540         if ((rf & 0x3f) > 0x27)
4541                 rf = (rf & ~0x3f) | 0x27;
4542         run_rt3070_rf_write(sc, 49, rf);
4543
4544         if (sc->mac_ver == 0x5392) {
4545                 run_rt3070_rf_read(sc, 50, &rf);
4546                 rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4547                 /* The valid range of the RF R50 is 0x00 to 0x27. */
4548                 if ((rf & 0x3f) > 0x27)
4549                         rf = (rf & ~0x3f) | 0x27;
4550                 run_rt3070_rf_write(sc, 50, rf);
4551         }
4552
4553         run_rt3070_rf_read(sc, 1, &rf);
4554         rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4555         if (sc->mac_ver == 0x5392)
4556                 rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4557         run_rt3070_rf_write(sc, 1, rf);
4558
4559         if (sc->mac_ver != 0x5392) {
4560                 run_rt3070_rf_read(sc, 2, &rf);
4561                 rf |= 0x80;
4562                 run_rt3070_rf_write(sc, 2, rf);
4563                 run_delay(sc, 10);
4564                 rf &= 0x7f;
4565                 run_rt3070_rf_write(sc, 2, rf);
4566         }
4567
4568         run_adjust_freq_offset(sc);
4569
4570         if (sc->mac_ver == 0x5392) {
4571                 /* Fix for RT5392C. */
4572                 if (sc->mac_rev >= 0x0223) {
4573                         if (chan <= 4)
4574                                 rf = 0x0f;
4575                         else if (chan >= 5 && chan <= 7)
4576                                 rf = 0x0e;
4577                         else
4578                                 rf = 0x0d;
4579                         run_rt3070_rf_write(sc, 23, rf);
4580
4581                         if (chan <= 4)
4582                                 rf = 0x0c;
4583                         else if (chan == 5)
4584                                 rf = 0x0b;
4585                         else if (chan >= 6 && chan <= 7)
4586                                 rf = 0x0a;
4587                         else if (chan >= 8 && chan <= 10)
4588                                 rf = 0x09;
4589                         else
4590                                 rf = 0x08;
4591                         run_rt3070_rf_write(sc, 59, rf);
4592                 } else {
4593                         if (chan <= 11)
4594                                 rf = 0x0f;
4595                         else
4596                                 rf = 0x0b;
4597                         run_rt3070_rf_write(sc, 59, rf);
4598                 }
4599         } else {
4600                 /* Fix for RT5390F. */
4601                 if (sc->mac_rev >= 0x0502) {
4602                         if (chan <= 11)
4603                                 rf = 0x43;
4604                         else
4605                                 rf = 0x23;
4606                         run_rt3070_rf_write(sc, 55, rf);
4607
4608                         if (chan <= 11)
4609                                 rf = 0x0f;
4610                         else if (chan == 12)
4611                                 rf = 0x0d;
4612                         else
4613                                 rf = 0x0b;
4614                         run_rt3070_rf_write(sc, 59, rf);
4615                 } else {
4616                         run_rt3070_rf_write(sc, 55, 0x44);
4617                         run_rt3070_rf_write(sc, 59, 0x8f);
4618                 }
4619         }
4620
4621         /* Enable VCO calibration. */
4622         run_rt3070_rf_read(sc, 3, &rf);
4623         rf |= RT5390_VCOCAL;
4624         run_rt3070_rf_write(sc, 3, rf);
4625 }
4626
4627 static void
4628 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4629 {
4630         const struct rt5592_freqs *freqs;
4631         uint32_t tmp;
4632         uint8_t reg, rf, txpow_bound;
4633         int8_t txpow1, txpow2;
4634         int i;
4635
4636         run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4637         freqs = (tmp & RT5592_SEL_XTAL) ?
4638             rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4639
4640         /* find the settings for this channel (we know it exists) */
4641         for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4642
4643         /* use Tx power values from EEPROM */
4644         txpow1 = sc->txpow1[i];
4645         txpow2 = sc->txpow2[i];
4646
4647         run_read(sc, RT3070_LDO_CFG0, &tmp);
4648         tmp &= ~0x1c000000;
4649         if (chan > 14)
4650                 tmp |= 0x14000000;
4651         run_write(sc, RT3070_LDO_CFG0, tmp);
4652
4653         /* N setting. */
4654         run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4655         run_rt3070_rf_read(sc, 9, &rf);
4656         rf &= ~(1 << 4);
4657         rf |= ((freqs->n & 0x0100) >> 8) << 4;
4658         run_rt3070_rf_write(sc, 9, rf);
4659
4660         /* K setting. */
4661         run_rt3070_rf_read(sc, 9, &rf);
4662         rf &= ~0x0f;
4663         rf |= (freqs->k & 0x0f);
4664         run_rt3070_rf_write(sc, 9, rf);
4665
4666         /* Mode setting. */
4667         run_rt3070_rf_read(sc, 11, &rf);
4668         rf &= ~0x0c;
4669         rf |= ((freqs->m - 0x8) & 0x3) << 2;
4670         run_rt3070_rf_write(sc, 11, rf);
4671         run_rt3070_rf_read(sc, 9, &rf);
4672         rf &= ~(1 << 7);
4673         rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4674         run_rt3070_rf_write(sc, 9, rf);
4675
4676         /* R setting. */
4677         run_rt3070_rf_read(sc, 11, &rf);
4678         rf &= ~0x03;
4679         rf |= (freqs->r - 0x1);
4680         run_rt3070_rf_write(sc, 11, rf);
4681
4682         if (chan <= 14) {
4683                 /* Initialize RF registers for 2GHZ. */
4684                 for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4685                         run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4686                             rt5592_2ghz_def_rf[i].val);
4687                 }
4688
4689                 rf = (chan <= 10) ? 0x07 : 0x06;
4690                 run_rt3070_rf_write(sc, 23, rf);
4691                 run_rt3070_rf_write(sc, 59, rf);
4692
4693                 run_rt3070_rf_write(sc, 55, 0x43);
4694
4695                 /* 
4696                  * RF R49/R50 Tx power ALC code.
4697                  * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4698                  */
4699                 reg = 2;
4700                 txpow_bound = 0x27;
4701         } else {
4702                 /* Initialize RF registers for 5GHZ. */
4703                 for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4704                         run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4705                             rt5592_5ghz_def_rf[i].val);
4706                 }
4707                 for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4708                         if (chan >= rt5592_chan_5ghz[i].firstchan &&
4709                             chan <= rt5592_chan_5ghz[i].lastchan) {
4710                                 run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4711                                     rt5592_chan_5ghz[i].val);
4712                         }
4713                 }
4714
4715                 /* 
4716                  * RF R49/R50 Tx power ALC code.
4717                  * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4718                  */
4719                 reg = 3;
4720                 txpow_bound = 0x2b;
4721         }
4722
4723         /* RF R49 ch0 Tx power ALC code. */
4724         run_rt3070_rf_read(sc, 49, &rf);
4725         rf &= ~0xc0;
4726         rf |= (reg << 6);
4727         rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4728         if ((rf & 0x3f) > txpow_bound)
4729                 rf = (rf & ~0x3f) | txpow_bound;
4730         run_rt3070_rf_write(sc, 49, rf);
4731
4732         /* RF R50 ch1 Tx power ALC code. */
4733         run_rt3070_rf_read(sc, 50, &rf);
4734         rf &= ~(1 << 7 | 1 << 6);
4735         rf |= (reg << 6);
4736         rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4737         if ((rf & 0x3f) > txpow_bound)
4738                 rf = (rf & ~0x3f) | txpow_bound;
4739         run_rt3070_rf_write(sc, 50, rf);
4740
4741         /* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4742         run_rt3070_rf_read(sc, 1, &rf);
4743         rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4744         if (sc->ntxchains > 1)
4745                 rf |= RT3070_TX1_PD;
4746         if (sc->nrxchains > 1)
4747                 rf |= RT3070_RX1_PD;
4748         run_rt3070_rf_write(sc, 1, rf);
4749
4750         run_rt3070_rf_write(sc, 6, 0xe4);
4751
4752         run_rt3070_rf_write(sc, 30, 0x10);
4753         run_rt3070_rf_write(sc, 31, 0x80);
4754         run_rt3070_rf_write(sc, 32, 0x80);
4755
4756         run_adjust_freq_offset(sc);
4757
4758         /* Enable VCO calibration. */
4759         run_rt3070_rf_read(sc, 3, &rf);
4760         rf |= RT5390_VCOCAL;
4761         run_rt3070_rf_write(sc, 3, rf);
4762 }
4763
4764 static void
4765 run_set_rx_antenna(struct run_softc *sc, int aux)
4766 {
4767         uint32_t tmp;
4768         uint8_t bbp152;
4769
4770         if (aux) {
4771                 if (sc->rf_rev == RT5390_RF_5370) {
4772                         run_bbp_read(sc, 152, &bbp152);
4773                         run_bbp_write(sc, 152, bbp152 & ~0x80);
4774                 } else {
4775                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4776                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4777                         run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4778                 }
4779         } else {
4780                 if (sc->rf_rev == RT5390_RF_5370) {
4781                         run_bbp_read(sc, 152, &bbp152);
4782                         run_bbp_write(sc, 152, bbp152 | 0x80);
4783                 } else {
4784                         run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4785                         run_read(sc, RT2860_GPIO_CTRL, &tmp);
4786                         run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4787                 }
4788         }
4789 }
4790
4791 static int
4792 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4793 {
4794         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4795         u_int chan, group;
4796
4797         chan = ieee80211_chan2ieee(ic, c);
4798         if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4799                 return (EINVAL);
4800
4801         if (sc->mac_ver == 0x5592)
4802                 run_rt5592_set_chan(sc, chan);
4803         else if (sc->mac_ver >= 0x5390)
4804                 run_rt5390_set_chan(sc, chan);
4805         else if (sc->mac_ver == 0x3593)
4806                 run_rt3593_set_chan(sc, chan);
4807         else if (sc->mac_ver == 0x3572)
4808                 run_rt3572_set_chan(sc, chan);
4809         else if (sc->mac_ver >= 0x3070)
4810                 run_rt3070_set_chan(sc, chan);
4811         else
4812                 run_rt2870_set_chan(sc, chan);
4813
4814         /* determine channel group */
4815         if (chan <= 14)
4816                 group = 0;
4817         else if (chan <= 64)
4818                 group = 1;
4819         else if (chan <= 128)
4820                 group = 2;
4821         else
4822                 group = 3;
4823
4824         /* XXX necessary only when group has changed! */
4825         run_select_chan_group(sc, group);
4826
4827         run_delay(sc, 10);
4828
4829         /* Perform IQ calibration. */
4830         if (sc->mac_ver >= 0x5392)
4831                 run_iq_calib(sc, chan);
4832
4833         return (0);
4834 }
4835
4836 static void
4837 run_set_channel(struct ieee80211com *ic)
4838 {
4839         struct run_softc *sc = ic->ic_ifp->if_softc;
4840
4841         RUN_LOCK(sc);
4842         run_set_chan(sc, ic->ic_curchan);
4843         RUN_UNLOCK(sc);
4844
4845         return;
4846 }
4847
4848 static void
4849 run_scan_start(struct ieee80211com *ic)
4850 {
4851         struct run_softc *sc = ic->ic_ifp->if_softc;
4852         uint32_t tmp;
4853
4854         RUN_LOCK(sc);
4855
4856         /* abort TSF synchronization */
4857         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4858         run_write(sc, RT2860_BCN_TIME_CFG,
4859             tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4860             RT2860_TBTT_TIMER_EN));
4861         run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4862
4863         RUN_UNLOCK(sc);
4864
4865         return;
4866 }
4867
4868 static void
4869 run_scan_end(struct ieee80211com *ic)
4870 {
4871         struct run_softc *sc = ic->ic_ifp->if_softc;
4872
4873         RUN_LOCK(sc);
4874
4875         run_enable_tsf_sync(sc);
4876         /* XXX keep local copy */
4877         run_set_bssid(sc, sc->sc_bssid);
4878
4879         RUN_UNLOCK(sc);
4880
4881         return;
4882 }
4883
4884 /*
4885  * Could be called from ieee80211_node_timeout()
4886  * (non-sleepable thread)
4887  */
4888 static void
4889 run_update_beacon(struct ieee80211vap *vap, int item)
4890 {
4891         struct ieee80211com *ic = vap->iv_ic;
4892         struct run_softc *sc = ic->ic_ifp->if_softc;
4893         struct run_vap *rvp = RUN_VAP(vap);
4894         int mcast = 0;
4895         uint32_t i;
4896
4897         KASSERT(vap != NULL, ("no beacon"));
4898
4899         switch (item) {
4900         case IEEE80211_BEACON_ERP:
4901                 run_updateslot(ic->ic_ifp);
4902                 break;
4903         case IEEE80211_BEACON_HTINFO:
4904                 run_updateprot(ic);
4905                 break;
4906         case IEEE80211_BEACON_TIM:
4907                 mcast = 1;      /*TODO*/
4908                 break;
4909         default:
4910                 break;
4911         }
4912
4913         setbit(rvp->bo.bo_flags, item);
4914         ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4915
4916         i = RUN_CMDQ_GET(&sc->cmdq_store);
4917         DPRINTF("cmdq_store=%d\n", i);
4918         sc->cmdq[i].func = run_update_beacon_cb;
4919         sc->cmdq[i].arg0 = vap;
4920         ieee80211_runtask(ic, &sc->cmdq_task);
4921
4922         return;
4923 }
4924
4925 static void
4926 run_update_beacon_cb(void *arg)
4927 {
4928         struct ieee80211vap *vap = arg;
4929         struct run_vap *rvp = RUN_VAP(vap);
4930         struct ieee80211com *ic = vap->iv_ic;
4931         struct run_softc *sc = ic->ic_ifp->if_softc;
4932         struct rt2860_txwi txwi;
4933         struct mbuf *m;
4934         uint16_t txwisize;
4935         uint8_t ridx;
4936
4937         if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4938                 return;
4939         if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4940                 return;
4941
4942         /*
4943          * No need to call ieee80211_beacon_update(), run_update_beacon()
4944          * is taking care of apropriate calls.
4945          */
4946         if (rvp->beacon_mbuf == NULL) {
4947                 rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4948                     &rvp->bo);
4949                 if (rvp->beacon_mbuf == NULL)
4950                         return;
4951         }
4952         m = rvp->beacon_mbuf;
4953
4954         memset(&txwi, 0, sizeof(txwi));
4955         txwi.wcid = 0xff;
4956         txwi.len = htole16(m->m_pkthdr.len);
4957
4958         /* send beacons at the lowest available rate */
4959         ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4960             RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4961         txwi.phy = htole16(rt2860_rates[ridx].mcs);
4962         if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4963                 txwi.phy |= htole16(RT2860_PHY_OFDM);
4964         txwi.txop = RT2860_TX_TXOP_HT;
4965         txwi.flags = RT2860_TX_TS;
4966         txwi.xflags = RT2860_TX_NSEQ;
4967
4968         txwisize = (sc->mac_ver == 0x5592) ?
4969             sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4970         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4971             txwisize);
4972         run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4973             mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4974 }
4975
4976 static void
4977 run_updateprot(struct ieee80211com *ic)
4978 {
4979         struct run_softc *sc = ic->ic_ifp->if_softc;
4980         uint32_t i;
4981
4982         i = RUN_CMDQ_GET(&sc->cmdq_store);
4983         DPRINTF("cmdq_store=%d\n", i);
4984         sc->cmdq[i].func = run_updateprot_cb;
4985         sc->cmdq[i].arg0 = ic;
4986         ieee80211_runtask(ic, &sc->cmdq_task);
4987 }
4988
4989 static void
4990 run_updateprot_cb(void *arg)
4991 {
4992         struct ieee80211com *ic = arg;
4993         struct run_softc *sc = ic->ic_ifp->if_softc;
4994         uint32_t tmp;
4995
4996         tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4997         /* setup protection frame rate (MCS code) */
4998         tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4999             rt2860_rates[RT2860_RIDX_OFDM6].mcs :
5000             rt2860_rates[RT2860_RIDX_CCK11].mcs;
5001
5002         /* CCK frames don't require protection */
5003         run_write(sc, RT2860_CCK_PROT_CFG, tmp);
5004         if (ic->ic_flags & IEEE80211_F_USEPROT) {
5005                 if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
5006                         tmp |= RT2860_PROT_CTRL_RTS_CTS;
5007                 else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5008                         tmp |= RT2860_PROT_CTRL_CTS;
5009         }
5010         run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5011 }
5012
5013 static void
5014 run_usb_timeout_cb(void *arg)
5015 {
5016         struct ieee80211vap *vap = arg;
5017         struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5018
5019         RUN_LOCK_ASSERT(sc, MA_OWNED);
5020
5021         if(vap->iv_state == IEEE80211_S_RUN &&
5022             vap->iv_opmode != IEEE80211_M_STA)
5023                 run_reset_livelock(sc);
5024         else if (vap->iv_state == IEEE80211_S_SCAN) {
5025                 DPRINTF("timeout caused by scan\n");
5026                 /* cancel bgscan */
5027                 ieee80211_cancel_scan(vap);
5028         } else
5029                 DPRINTF("timeout by unknown cause\n");
5030 }
5031
5032 static void
5033 run_reset_livelock(struct run_softc *sc)
5034 {
5035         uint32_t tmp;
5036
5037         RUN_LOCK_ASSERT(sc, MA_OWNED);
5038
5039         /*
5040          * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5041          * can run into a livelock and start sending CTS-to-self frames like
5042          * crazy if protection is enabled.  Reset MAC/BBP for a while
5043          */
5044         run_read(sc, RT2860_DEBUG, &tmp);
5045         DPRINTFN(3, "debug reg %08x\n", tmp);
5046         if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5047                 DPRINTF("CTS-to-self livelock detected\n");
5048                 run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5049                 run_delay(sc, 1);
5050                 run_write(sc, RT2860_MAC_SYS_CTRL,
5051                     RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5052         }
5053 }
5054
5055 static void
5056 run_update_promisc_locked(struct ifnet *ifp)
5057 {
5058         struct run_softc *sc = ifp->if_softc;
5059         uint32_t tmp;
5060
5061         run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5062
5063         tmp |= RT2860_DROP_UC_NOME;
5064         if (ifp->if_flags & IFF_PROMISC)
5065                 tmp &= ~RT2860_DROP_UC_NOME;
5066
5067         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5068
5069         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5070             "entering" : "leaving");
5071 }
5072
5073 static void
5074 run_update_promisc(struct ifnet *ifp)
5075 {
5076         struct run_softc *sc = ifp->if_softc;
5077
5078         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5079                 return;
5080
5081         RUN_LOCK(sc);
5082         run_update_promisc_locked(ifp);
5083         RUN_UNLOCK(sc);
5084 }
5085
5086 static void
5087 run_enable_tsf_sync(struct run_softc *sc)
5088 {
5089         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5090         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5091         uint32_t tmp;
5092
5093         DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5094             ic->ic_opmode);
5095
5096         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5097         tmp &= ~0x1fffff;
5098         tmp |= vap->iv_bss->ni_intval * 16;
5099         tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5100
5101         if (ic->ic_opmode == IEEE80211_M_STA) {
5102                 /*
5103                  * Local TSF is always updated with remote TSF on beacon
5104                  * reception.
5105                  */
5106                 tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5107         } else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5108                 tmp |= RT2860_BCN_TX_EN;
5109                 /*
5110                  * Local TSF is updated with remote TSF on beacon reception
5111                  * only if the remote TSF is greater than local TSF.
5112                  */
5113                 tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5114         } else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5115                     ic->ic_opmode == IEEE80211_M_MBSS) {
5116                 tmp |= RT2860_BCN_TX_EN;
5117                 /* SYNC with nobody */
5118                 tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5119         } else {
5120                 DPRINTF("Enabling TSF failed. undefined opmode\n");
5121                 return;
5122         }
5123
5124         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5125 }
5126
5127 static void
5128 run_enable_mrr(struct run_softc *sc)
5129 {
5130 #define CCK(mcs)        (mcs)
5131 #define OFDM(mcs)       (1 << 3 | (mcs))
5132         run_write(sc, RT2860_LG_FBK_CFG0,
5133             OFDM(6) << 28 |     /* 54->48 */
5134             OFDM(5) << 24 |     /* 48->36 */
5135             OFDM(4) << 20 |     /* 36->24 */
5136             OFDM(3) << 16 |     /* 24->18 */
5137             OFDM(2) << 12 |     /* 18->12 */
5138             OFDM(1) <<  8 |     /* 12-> 9 */
5139             OFDM(0) <<  4 |     /*  9-> 6 */
5140             OFDM(0));           /*  6-> 6 */
5141
5142         run_write(sc, RT2860_LG_FBK_CFG1,
5143             CCK(2) << 12 |      /* 11->5.5 */
5144             CCK(1) <<  8 |      /* 5.5-> 2 */
5145             CCK(0) <<  4 |      /*   2-> 1 */
5146             CCK(0));            /*   1-> 1 */
5147 #undef OFDM
5148 #undef CCK
5149 }
5150
5151 static void
5152 run_set_txpreamble(struct run_softc *sc)
5153 {
5154         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5155         uint32_t tmp;
5156
5157         run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5158         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5159                 tmp |= RT2860_CCK_SHORT_EN;
5160         else
5161                 tmp &= ~RT2860_CCK_SHORT_EN;
5162         run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5163 }
5164
5165 static void
5166 run_set_basicrates(struct run_softc *sc)
5167 {
5168         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5169
5170         /* set basic rates mask */
5171         if (ic->ic_curmode == IEEE80211_MODE_11B)
5172                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5173         else if (ic->ic_curmode == IEEE80211_MODE_11A)
5174                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5175         else    /* 11g */
5176                 run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5177 }
5178
5179 static void
5180 run_set_leds(struct run_softc *sc, uint16_t which)
5181 {
5182         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5183             which | (sc->leds & 0x7f));
5184 }
5185
5186 static void
5187 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5188 {
5189         run_write(sc, RT2860_MAC_BSSID_DW0,
5190             bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5191         run_write(sc, RT2860_MAC_BSSID_DW1,
5192             bssid[4] | bssid[5] << 8);
5193 }
5194
5195 static void
5196 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5197 {
5198         run_write(sc, RT2860_MAC_ADDR_DW0,
5199             addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5200         run_write(sc, RT2860_MAC_ADDR_DW1,
5201             addr[4] | addr[5] << 8 | 0xff << 16);
5202 }
5203
5204 static void
5205 run_updateslot(struct ifnet *ifp)
5206 {
5207         struct run_softc *sc = ifp->if_softc;
5208         struct ieee80211com *ic = ifp->if_l2com;
5209         uint32_t i;
5210
5211         i = RUN_CMDQ_GET(&sc->cmdq_store);
5212         DPRINTF("cmdq_store=%d\n", i);
5213         sc->cmdq[i].func = run_updateslot_cb;
5214         sc->cmdq[i].arg0 = ifp;
5215         ieee80211_runtask(ic, &sc->cmdq_task);
5216
5217         return;
5218 }
5219
5220 /* ARGSUSED */
5221 static void
5222 run_updateslot_cb(void *arg)
5223 {
5224         struct ifnet *ifp = arg;
5225         struct run_softc *sc = ifp->if_softc;
5226         struct ieee80211com *ic = ifp->if_l2com;
5227         uint32_t tmp;
5228
5229         run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5230         tmp &= ~0xff;
5231         tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5232         run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5233 }
5234
5235 static void
5236 run_update_mcast(struct ifnet *ifp)
5237 {
5238         /* h/w filter supports getting everything or nothing */
5239         ifp->if_flags |= IFF_ALLMULTI;
5240 }
5241
5242 static int8_t
5243 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5244 {
5245         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5246         struct ieee80211_channel *c = ic->ic_curchan;
5247         int delta;
5248
5249         if (IEEE80211_IS_CHAN_5GHZ(c)) {
5250                 u_int chan = ieee80211_chan2ieee(ic, c);
5251                 delta = sc->rssi_5ghz[rxchain];
5252
5253                 /* determine channel group */
5254                 if (chan <= 64)
5255                         delta -= sc->lna[1];
5256                 else if (chan <= 128)
5257                         delta -= sc->lna[2];
5258                 else
5259                         delta -= sc->lna[3];
5260         } else
5261                 delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5262
5263         return (-12 - delta - rssi);
5264 }
5265
5266 static void
5267 run_rt5390_bbp_init(struct run_softc *sc)
5268 {
5269         int i;
5270         uint8_t bbp;
5271
5272         /* Apply maximum likelihood detection for 2 stream case. */
5273         run_bbp_read(sc, 105, &bbp);
5274         if (sc->nrxchains > 1)
5275                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5276
5277         /* Avoid data lost and CRC error. */
5278         run_bbp_read(sc, 4, &bbp);
5279         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5280
5281         if (sc->mac_ver == 0x5592) {
5282                 for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5283                         run_bbp_write(sc, rt5592_def_bbp[i].reg,
5284                             rt5592_def_bbp[i].val);
5285                 }
5286                 for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5287                         run_bbp_write(sc, 195, i + 0x80);
5288                         run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5289                 }
5290         } else {
5291                 for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5292                         run_bbp_write(sc, rt5390_def_bbp[i].reg,
5293                             rt5390_def_bbp[i].val);
5294                 }
5295         }
5296         if (sc->mac_ver == 0x5392) {
5297                 run_bbp_write(sc, 88, 0x90);
5298                 run_bbp_write(sc, 95, 0x9a);
5299                 run_bbp_write(sc, 98, 0x12);
5300                 run_bbp_write(sc, 106, 0x12);
5301                 run_bbp_write(sc, 134, 0xd0);
5302                 run_bbp_write(sc, 135, 0xf6);
5303                 run_bbp_write(sc, 148, 0x84);
5304         }
5305
5306         run_bbp_read(sc, 152, &bbp);
5307         run_bbp_write(sc, 152, bbp | 0x80);
5308
5309         /* Fix BBP254 for RT5592C. */
5310         if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5311                 run_bbp_read(sc, 254, &bbp);
5312                 run_bbp_write(sc, 254, bbp | 0x80);
5313         }
5314
5315         /* Disable hardware antenna diversity. */
5316         if (sc->mac_ver == 0x5390)
5317                 run_bbp_write(sc, 154, 0);
5318
5319         /* Initialize Rx CCK/OFDM frequency offset report. */
5320         run_bbp_write(sc, 142, 1);
5321         run_bbp_write(sc, 143, 57);
5322 }
5323
5324 static int
5325 run_bbp_init(struct run_softc *sc)
5326 {
5327         int i, error, ntries;
5328         uint8_t bbp0;
5329
5330         /* wait for BBP to wake up */
5331         for (ntries = 0; ntries < 20; ntries++) {
5332                 if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5333                         return error;
5334                 if (bbp0 != 0 && bbp0 != 0xff)
5335                         break;
5336         }
5337         if (ntries == 20)
5338                 return (ETIMEDOUT);
5339
5340         /* initialize BBP registers to default values */
5341         if (sc->mac_ver >= 0x5390)
5342                 run_rt5390_bbp_init(sc);
5343         else {
5344                 for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5345                         run_bbp_write(sc, rt2860_def_bbp[i].reg,
5346                             rt2860_def_bbp[i].val);
5347                 }
5348         }
5349
5350         if (sc->mac_ver == 0x3593) {
5351                 run_bbp_write(sc, 79, 0x13);
5352                 run_bbp_write(sc, 80, 0x05);
5353                 run_bbp_write(sc, 81, 0x33);
5354                 run_bbp_write(sc, 86, 0x46);
5355                 run_bbp_write(sc, 137, 0x0f);
5356         }
5357                 
5358         /* fix BBP84 for RT2860E */
5359         if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5360                 run_bbp_write(sc, 84, 0x19);
5361
5362         if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5363             sc->mac_ver != 0x5592)) {
5364                 run_bbp_write(sc, 79, 0x13);
5365                 run_bbp_write(sc, 80, 0x05);
5366                 run_bbp_write(sc, 81, 0x33);
5367         } else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5368                 run_bbp_write(sc, 69, 0x16);
5369                 run_bbp_write(sc, 73, 0x12);
5370         }
5371         return (0);
5372 }
5373
5374 static int
5375 run_rt3070_rf_init(struct run_softc *sc)
5376 {
5377         uint32_t tmp;
5378         uint8_t bbp4, mingain, rf, target;
5379         int i;
5380
5381         run_rt3070_rf_read(sc, 30, &rf);
5382         /* toggle RF R30 bit 7 */
5383         run_rt3070_rf_write(sc, 30, rf | 0x80);
5384         run_delay(sc, 10);
5385         run_rt3070_rf_write(sc, 30, rf & ~0x80);
5386
5387         /* initialize RF registers to default value */
5388         if (sc->mac_ver == 0x3572) {
5389                 for (i = 0; i < nitems(rt3572_def_rf); i++) {
5390                         run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5391                             rt3572_def_rf[i].val);
5392                 }
5393         } else {
5394                 for (i = 0; i < nitems(rt3070_def_rf); i++) {
5395                         run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5396                             rt3070_def_rf[i].val);
5397                 }
5398         }
5399
5400         if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5401                 /* 
5402                  * Change voltage from 1.2V to 1.35V for RT3070.
5403                  * The DAC issue (RT3070_LDO_CFG0) has been fixed
5404                  * in RT3070(F).
5405                  */
5406                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5407                 tmp = (tmp & ~0x0f000000) | 0x0d000000;
5408                 run_write(sc, RT3070_LDO_CFG0, tmp);
5409
5410         } else if (sc->mac_ver == 0x3071) {
5411                 run_rt3070_rf_read(sc, 6, &rf);
5412                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5413                 run_rt3070_rf_write(sc, 31, 0x14);
5414
5415                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5416                 tmp &= ~0x1f000000;
5417                 if (sc->mac_rev < 0x0211)
5418                         tmp |= 0x0d000000;      /* 1.3V */
5419                 else
5420                         tmp |= 0x01000000;      /* 1.2V */
5421                 run_write(sc, RT3070_LDO_CFG0, tmp);
5422
5423                 /* patch LNA_PE_G1 */
5424                 run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5425                 run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5426
5427         } else if (sc->mac_ver == 0x3572) {
5428                 run_rt3070_rf_read(sc, 6, &rf);
5429                 run_rt3070_rf_write(sc, 6, rf | 0x40);
5430
5431                 /* increase voltage from 1.2V to 1.35V */
5432                 run_read(sc, RT3070_LDO_CFG0, &tmp);
5433                 tmp = (tmp & ~0x1f000000) | 0x0d000000;
5434                 run_write(sc, RT3070_LDO_CFG0, tmp);
5435
5436                 if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5437                         run_delay(sc, 1);       /* wait for 1msec */
5438                         /* decrease voltage back to 1.2V */
5439                         tmp = (tmp & ~0x1f000000) | 0x01000000;
5440                         run_write(sc, RT3070_LDO_CFG0, tmp);
5441                 }
5442         }
5443
5444         /* select 20MHz bandwidth */
5445         run_rt3070_rf_read(sc, 31, &rf);
5446         run_rt3070_rf_write(sc, 31, rf & ~0x20);
5447
5448         /* calibrate filter for 20MHz bandwidth */
5449         sc->rf24_20mhz = 0x1f;  /* default value */
5450         target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5451         run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5452
5453         /* select 40MHz bandwidth */
5454         run_bbp_read(sc, 4, &bbp4);
5455         run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5456         run_rt3070_rf_read(sc, 31, &rf);
5457         run_rt3070_rf_write(sc, 31, rf | 0x20);
5458
5459         /* calibrate filter for 40MHz bandwidth */
5460         sc->rf24_40mhz = 0x2f;  /* default value */
5461         target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5462         run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5463
5464         /* go back to 20MHz bandwidth */
5465         run_bbp_read(sc, 4, &bbp4);
5466         run_bbp_write(sc, 4, bbp4 & ~0x18);
5467
5468         if (sc->mac_ver == 0x3572) {
5469                 /* save default BBP registers 25 and 26 values */
5470                 run_bbp_read(sc, 25, &sc->bbp25);
5471                 run_bbp_read(sc, 26, &sc->bbp26);
5472         } else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5473                 run_rt3070_rf_write(sc, 27, 0x03);
5474
5475         run_read(sc, RT3070_OPT_14, &tmp);
5476         run_write(sc, RT3070_OPT_14, tmp | 1);
5477
5478         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5479                 run_rt3070_rf_read(sc, 17, &rf);
5480                 rf &= ~RT3070_TX_LO1;
5481                 if ((sc->mac_ver == 0x3070 ||
5482                      (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5483                     !sc->ext_2ghz_lna)
5484                         rf |= 0x20;     /* fix for long range Rx issue */
5485                 mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5486                 if (sc->txmixgain_2ghz >= mingain)
5487                         rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5488                 run_rt3070_rf_write(sc, 17, rf);
5489         }
5490
5491         if (sc->mac_rev == 0x3071) {
5492                 run_rt3070_rf_read(sc, 1, &rf);
5493                 rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5494                 rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5495                 run_rt3070_rf_write(sc, 1, rf);
5496
5497                 run_rt3070_rf_read(sc, 15, &rf);
5498                 run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5499
5500                 run_rt3070_rf_read(sc, 20, &rf);
5501                 run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5502
5503                 run_rt3070_rf_read(sc, 21, &rf);
5504                 run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5505         }
5506
5507         if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5508                 /* fix Tx to Rx IQ glitch by raising RF voltage */
5509                 run_rt3070_rf_read(sc, 27, &rf);
5510                 rf &= ~0x77;
5511                 if (sc->mac_rev < 0x0211)
5512                         rf |= 0x03;
5513                 run_rt3070_rf_write(sc, 27, rf);
5514         }
5515         return (0);
5516 }
5517
5518 static void
5519 run_rt3593_rf_init(struct run_softc *sc)
5520 {
5521         uint32_t tmp;
5522         uint8_t rf;
5523         int i;
5524
5525         /* Disable the GPIO bits 4 and 7 for LNA PE control. */
5526         run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5527         tmp &= ~(1 << 4 | 1 << 7);
5528         run_write(sc, RT3070_GPIO_SWITCH, tmp);
5529
5530         /* Initialize RF registers to default value. */
5531         for (i = 0; i < nitems(rt3593_def_rf); i++) {
5532                 run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5533                     rt3593_def_rf[i].val);
5534         }
5535
5536         /* Toggle RF R2 to initiate calibration. */
5537         run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5538
5539         /* Initialize RF frequency offset. */
5540         run_adjust_freq_offset(sc);
5541
5542         run_rt3070_rf_read(sc, 18, &rf);
5543         run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5544
5545         /*
5546          * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5547          * decrease voltage back to 1.2V.
5548          */
5549         run_read(sc, RT3070_LDO_CFG0, &tmp);
5550         tmp = (tmp & ~0x1f000000) | 0x0d000000;
5551         run_write(sc, RT3070_LDO_CFG0, tmp);
5552         run_delay(sc, 1);
5553         tmp = (tmp & ~0x1f000000) | 0x01000000;
5554         run_write(sc, RT3070_LDO_CFG0, tmp);
5555
5556         sc->rf24_20mhz = 0x1f;
5557         sc->rf24_40mhz = 0x2f;
5558
5559         /* Save default BBP registers 25 and 26 values. */
5560         run_bbp_read(sc, 25, &sc->bbp25);
5561         run_bbp_read(sc, 26, &sc->bbp26);
5562
5563         run_read(sc, RT3070_OPT_14, &tmp);
5564         run_write(sc, RT3070_OPT_14, tmp | 1);
5565 }
5566
5567 static void
5568 run_rt5390_rf_init(struct run_softc *sc)
5569 {
5570         uint32_t tmp;
5571         uint8_t rf;
5572         int i;
5573
5574         /* Toggle RF R2 to initiate calibration. */
5575         if (sc->mac_ver == 0x5390) {
5576                 run_rt3070_rf_read(sc, 2, &rf);
5577                 run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5578                 run_delay(sc, 10);
5579                 run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5580         } else {
5581                 run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5582                 run_delay(sc, 10);
5583         }
5584
5585         /* Initialize RF registers to default value. */
5586         if (sc->mac_ver == 0x5592) {
5587                 for (i = 0; i < nitems(rt5592_def_rf); i++) {
5588                         run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5589                             rt5592_def_rf[i].val);
5590                 }
5591                 /* Initialize RF frequency offset. */
5592                 run_adjust_freq_offset(sc);
5593         } else if (sc->mac_ver == 0x5392) {
5594                 for (i = 0; i < nitems(rt5392_def_rf); i++) {
5595                         run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5596                             rt5392_def_rf[i].val);
5597                 }
5598                 if (sc->mac_rev >= 0x0223) {
5599                         run_rt3070_rf_write(sc, 23, 0x0f);
5600                         run_rt3070_rf_write(sc, 24, 0x3e);
5601                         run_rt3070_rf_write(sc, 51, 0x32);
5602                         run_rt3070_rf_write(sc, 53, 0x22);
5603                         run_rt3070_rf_write(sc, 56, 0xc1);
5604                         run_rt3070_rf_write(sc, 59, 0x0f);
5605                 }
5606         } else {
5607                 for (i = 0; i < nitems(rt5390_def_rf); i++) {
5608                         run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5609                             rt5390_def_rf[i].val);
5610                 }
5611                 if (sc->mac_rev >= 0x0502) {
5612                         run_rt3070_rf_write(sc, 6, 0xe0);
5613                         run_rt3070_rf_write(sc, 25, 0x80);
5614                         run_rt3070_rf_write(sc, 46, 0x73);
5615                         run_rt3070_rf_write(sc, 53, 0x00);
5616                         run_rt3070_rf_write(sc, 56, 0x42);
5617                         run_rt3070_rf_write(sc, 61, 0xd1);
5618                 }
5619         }
5620
5621         sc->rf24_20mhz = 0x1f;  /* default value */
5622         sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5623
5624         if (sc->mac_rev < 0x0211)
5625                 run_rt3070_rf_write(sc, 27, 0x3);
5626
5627         run_read(sc, RT3070_OPT_14, &tmp);
5628         run_write(sc, RT3070_OPT_14, tmp | 1);
5629 }
5630
5631 static int
5632 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5633     uint8_t *val)
5634 {
5635         uint8_t rf22, rf24;
5636         uint8_t bbp55_pb, bbp55_sb, delta;
5637         int ntries;
5638
5639         /* program filter */
5640         run_rt3070_rf_read(sc, 24, &rf24);
5641         rf24 = (rf24 & 0xc0) | init;    /* initial filter value */
5642         run_rt3070_rf_write(sc, 24, rf24);
5643
5644         /* enable baseband loopback mode */
5645         run_rt3070_rf_read(sc, 22, &rf22);
5646         run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5647
5648         /* set power and frequency of passband test tone */
5649         run_bbp_write(sc, 24, 0x00);
5650         for (ntries = 0; ntries < 100; ntries++) {
5651                 /* transmit test tone */
5652                 run_bbp_write(sc, 25, 0x90);
5653                 run_delay(sc, 10);
5654                 /* read received power */
5655                 run_bbp_read(sc, 55, &bbp55_pb);
5656                 if (bbp55_pb != 0)
5657                         break;
5658         }
5659         if (ntries == 100)
5660                 return (ETIMEDOUT);
5661
5662         /* set power and frequency of stopband test tone */
5663         run_bbp_write(sc, 24, 0x06);
5664         for (ntries = 0; ntries < 100; ntries++) {
5665                 /* transmit test tone */
5666                 run_bbp_write(sc, 25, 0x90);
5667                 run_delay(sc, 10);
5668                 /* read received power */
5669                 run_bbp_read(sc, 55, &bbp55_sb);
5670
5671                 delta = bbp55_pb - bbp55_sb;
5672                 if (delta > target)
5673                         break;
5674
5675                 /* reprogram filter */
5676                 rf24++;
5677                 run_rt3070_rf_write(sc, 24, rf24);
5678         }
5679         if (ntries < 100) {
5680                 if (rf24 != init)
5681                         rf24--; /* backtrack */
5682                 *val = rf24;
5683                 run_rt3070_rf_write(sc, 24, rf24);
5684         }
5685
5686         /* restore initial state */
5687         run_bbp_write(sc, 24, 0x00);
5688
5689         /* disable baseband loopback mode */
5690         run_rt3070_rf_read(sc, 22, &rf22);
5691         run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5692
5693         return (0);
5694 }
5695
5696 static void
5697 run_rt3070_rf_setup(struct run_softc *sc)
5698 {
5699         uint8_t bbp, rf;
5700         int i;
5701
5702         if (sc->mac_ver == 0x3572) {
5703                 /* enable DC filter */
5704                 if (sc->mac_rev >= 0x0201)
5705                         run_bbp_write(sc, 103, 0xc0);
5706
5707                 run_bbp_read(sc, 138, &bbp);
5708                 if (sc->ntxchains == 1)
5709                         bbp |= 0x20;    /* turn off DAC1 */
5710                 if (sc->nrxchains == 1)
5711                         bbp &= ~0x02;   /* turn off ADC1 */
5712                 run_bbp_write(sc, 138, bbp);
5713
5714                 if (sc->mac_rev >= 0x0211) {
5715                         /* improve power consumption */
5716                         run_bbp_read(sc, 31, &bbp);
5717                         run_bbp_write(sc, 31, bbp & ~0x03);
5718                 }
5719
5720                 run_rt3070_rf_read(sc, 16, &rf);
5721                 rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5722                 run_rt3070_rf_write(sc, 16, rf);
5723
5724         } else if (sc->mac_ver == 0x3071) {
5725                 if (sc->mac_rev >= 0x0211) {
5726                         /* enable DC filter */
5727                         run_bbp_write(sc, 103, 0xc0);
5728
5729                         /* improve power consumption */
5730                         run_bbp_read(sc, 31, &bbp);
5731                         run_bbp_write(sc, 31, bbp & ~0x03);
5732                 }
5733
5734                 run_bbp_read(sc, 138, &bbp);
5735                 if (sc->ntxchains == 1)
5736                         bbp |= 0x20;    /* turn off DAC1 */
5737                 if (sc->nrxchains == 1)
5738                         bbp &= ~0x02;   /* turn off ADC1 */
5739                 run_bbp_write(sc, 138, bbp);
5740
5741                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5742                 if (sc->mac_rev < 0x0211) {
5743                         run_write(sc, RT2860_TX_SW_CFG2,
5744                             sc->patch_dac ? 0x2c : 0x0f);
5745                 } else
5746                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5747
5748         } else if (sc->mac_ver == 0x3070) {
5749                 if (sc->mac_rev >= 0x0201) {
5750                         /* enable DC filter */
5751                         run_bbp_write(sc, 103, 0xc0);
5752
5753                         /* improve power consumption */
5754                         run_bbp_read(sc, 31, &bbp);
5755                         run_bbp_write(sc, 31, bbp & ~0x03);
5756                 }
5757
5758                 if (sc->mac_rev < 0x0201) {
5759                         run_write(sc, RT2860_TX_SW_CFG1, 0);
5760                         run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5761                 } else
5762                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5763         }
5764
5765         /* initialize RF registers from ROM for >=RT3071*/
5766         if (sc->mac_ver >= 0x3071) {
5767                 for (i = 0; i < 10; i++) {
5768                         if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5769                                 continue;
5770                         run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5771                 }
5772         }
5773 }
5774
5775 static void
5776 run_rt3593_rf_setup(struct run_softc *sc)
5777 {
5778         uint8_t bbp, rf;
5779
5780         if (sc->mac_rev >= 0x0211) {
5781                 /* Enable DC filter. */
5782                 run_bbp_write(sc, 103, 0xc0);
5783         }
5784         run_write(sc, RT2860_TX_SW_CFG1, 0);
5785         if (sc->mac_rev < 0x0211) {
5786                 run_write(sc, RT2860_TX_SW_CFG2,
5787                     sc->patch_dac ? 0x2c : 0x0f);
5788         } else
5789                 run_write(sc, RT2860_TX_SW_CFG2, 0);
5790
5791         run_rt3070_rf_read(sc, 50, &rf);
5792         run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5793
5794         run_rt3070_rf_read(sc, 51, &rf);
5795         rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5796             ((sc->txmixgain_2ghz & 0x07) << 2);
5797         run_rt3070_rf_write(sc, 51, rf);
5798
5799         run_rt3070_rf_read(sc, 38, &rf);
5800         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5801
5802         run_rt3070_rf_read(sc, 39, &rf);
5803         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5804
5805         run_rt3070_rf_read(sc, 1, &rf);
5806         run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5807
5808         run_rt3070_rf_read(sc, 30, &rf);
5809         rf = (rf & ~0x18) | 0x10;
5810         run_rt3070_rf_write(sc, 30, rf);
5811
5812         /* Apply maximum likelihood detection for 2 stream case. */
5813         run_bbp_read(sc, 105, &bbp);
5814         if (sc->nrxchains > 1)
5815                 run_bbp_write(sc, 105, bbp | RT5390_MLD);
5816
5817         /* Avoid data lost and CRC error. */
5818         run_bbp_read(sc, 4, &bbp);
5819         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5820
5821         run_bbp_write(sc, 92, 0x02);
5822         run_bbp_write(sc, 82, 0x82);
5823         run_bbp_write(sc, 106, 0x05);
5824         run_bbp_write(sc, 104, 0x92);
5825         run_bbp_write(sc, 88, 0x90);
5826         run_bbp_write(sc, 148, 0xc8);
5827         run_bbp_write(sc, 47, 0x48);
5828         run_bbp_write(sc, 120, 0x50);
5829
5830         run_bbp_write(sc, 163, 0x9d);
5831
5832         /* SNR mapping. */
5833         run_bbp_write(sc, 142, 0x06);
5834         run_bbp_write(sc, 143, 0xa0);
5835         run_bbp_write(sc, 142, 0x07);
5836         run_bbp_write(sc, 143, 0xa1);
5837         run_bbp_write(sc, 142, 0x08);
5838         run_bbp_write(sc, 143, 0xa2);
5839
5840         run_bbp_write(sc, 31, 0x08);
5841         run_bbp_write(sc, 68, 0x0b);
5842         run_bbp_write(sc, 105, 0x04);
5843 }
5844
5845 static void
5846 run_rt5390_rf_setup(struct run_softc *sc)
5847 {
5848         uint8_t bbp, rf;
5849
5850         if (sc->mac_rev >= 0x0211) {
5851                 /* Enable DC filter. */
5852                 run_bbp_write(sc, 103, 0xc0);
5853
5854                 if (sc->mac_ver != 0x5592) {
5855                         /* Improve power consumption. */
5856                         run_bbp_read(sc, 31, &bbp);
5857                         run_bbp_write(sc, 31, bbp & ~0x03);
5858                 }
5859         }
5860
5861         run_bbp_read(sc, 138, &bbp);
5862         if (sc->ntxchains == 1)
5863                 bbp |= 0x20;    /* turn off DAC1 */
5864         if (sc->nrxchains == 1)
5865                 bbp &= ~0x02;   /* turn off ADC1 */
5866         run_bbp_write(sc, 138, bbp);
5867
5868         run_rt3070_rf_read(sc, 38, &rf);
5869         run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5870
5871         run_rt3070_rf_read(sc, 39, &rf);
5872         run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5873
5874         /* Avoid data lost and CRC error. */
5875         run_bbp_read(sc, 4, &bbp);
5876         run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5877
5878         run_rt3070_rf_read(sc, 30, &rf);
5879         rf = (rf & ~0x18) | 0x10;
5880         run_rt3070_rf_write(sc, 30, rf);
5881
5882         if (sc->mac_ver != 0x5592) {
5883                 run_write(sc, RT2860_TX_SW_CFG1, 0);
5884                 if (sc->mac_rev < 0x0211) {
5885                         run_write(sc, RT2860_TX_SW_CFG2,
5886                             sc->patch_dac ? 0x2c : 0x0f);
5887                 } else
5888                         run_write(sc, RT2860_TX_SW_CFG2, 0);
5889         }
5890 }
5891
5892 static int
5893 run_txrx_enable(struct run_softc *sc)
5894 {
5895         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5896         uint32_t tmp;
5897         int error, ntries;
5898
5899         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5900         for (ntries = 0; ntries < 200; ntries++) {
5901                 if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5902                         return (error);
5903                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5904                         break;
5905                 run_delay(sc, 50);
5906         }
5907         if (ntries == 200)
5908                 return (ETIMEDOUT);
5909
5910         run_delay(sc, 50);
5911
5912         tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5913         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5914
5915         /* enable Rx bulk aggregation (set timeout and limit) */
5916         tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5917             RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5918         run_write(sc, RT2860_USB_DMA_CFG, tmp);
5919
5920         /* set Rx filter */
5921         tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5922         if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5923                 tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5924                     RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5925                     RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5926                     RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5927                 if (ic->ic_opmode == IEEE80211_M_STA)
5928                         tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5929         }
5930         run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5931
5932         run_write(sc, RT2860_MAC_SYS_CTRL,
5933             RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5934
5935         return (0);
5936 }
5937
5938 static void
5939 run_adjust_freq_offset(struct run_softc *sc)
5940 {
5941         uint8_t rf, tmp;
5942
5943         run_rt3070_rf_read(sc, 17, &rf);
5944         tmp = rf;
5945         rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5946         rf = MIN(rf, 0x5f);
5947
5948         if (tmp != rf)
5949                 run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5950 }
5951
5952 static void
5953 run_init_locked(struct run_softc *sc)
5954 {
5955         struct ifnet *ifp = sc->sc_ifp;
5956         struct ieee80211com *ic = ifp->if_l2com;
5957         uint32_t tmp;
5958         uint8_t bbp1, bbp3;
5959         int i;
5960         int ridx;
5961         int ntries;
5962
5963         if (ic->ic_nrunning > 1)
5964                 return;
5965
5966         run_stop(sc);
5967
5968         if (run_load_microcode(sc) != 0) {
5969                 device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5970                 goto fail;
5971         }
5972
5973         for (ntries = 0; ntries < 100; ntries++) {
5974                 if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5975                         goto fail;
5976                 if (tmp != 0 && tmp != 0xffffffff)
5977                         break;
5978                 run_delay(sc, 10);
5979         }
5980         if (ntries == 100)
5981                 goto fail;
5982
5983         for (i = 0; i != RUN_EP_QUEUES; i++)
5984                 run_setup_tx_list(sc, &sc->sc_epq[i]);
5985
5986         run_set_macaddr(sc, IF_LLADDR(ifp));
5987
5988         for (ntries = 0; ntries < 100; ntries++) {
5989                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5990                         goto fail;
5991                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5992                         break;
5993                 run_delay(sc, 10);
5994         }
5995         if (ntries == 100) {
5996                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5997                 goto fail;
5998         }
5999         tmp &= 0xff0;
6000         tmp |= RT2860_TX_WB_DDONE;
6001         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6002
6003         /* turn off PME_OEN to solve high-current issue */
6004         run_read(sc, RT2860_SYS_CTRL, &tmp);
6005         run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
6006
6007         run_write(sc, RT2860_MAC_SYS_CTRL,
6008             RT2860_BBP_HRST | RT2860_MAC_SRST);
6009         run_write(sc, RT2860_USB_DMA_CFG, 0);
6010
6011         if (run_reset(sc) != 0) {
6012                 device_printf(sc->sc_dev, "could not reset chipset\n");
6013                 goto fail;
6014         }
6015
6016         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6017
6018         /* init Tx power for all Tx rates (from EEPROM) */
6019         for (ridx = 0; ridx < 5; ridx++) {
6020                 if (sc->txpow20mhz[ridx] == 0xffffffff)
6021                         continue;
6022                 run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6023         }
6024
6025         for (i = 0; i < nitems(rt2870_def_mac); i++)
6026                 run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6027         run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6028         run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6029         run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6030
6031         if (sc->mac_ver >= 0x5390) {
6032                 run_write(sc, RT2860_TX_SW_CFG0,
6033                     4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6034                 if (sc->mac_ver >= 0x5392) {
6035                         run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6036                         if (sc->mac_ver == 0x5592) {
6037                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6038                                 run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6039                         } else {
6040                                 run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6041                                 run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6042                         }
6043                 }
6044         } else if (sc->mac_ver == 0x3593) {
6045                 run_write(sc, RT2860_TX_SW_CFG0,
6046                     4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6047         } else if (sc->mac_ver >= 0x3070) {
6048                 /* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6049                 run_write(sc, RT2860_TX_SW_CFG0,
6050                     4 << RT2860_DLY_PAPE_EN_SHIFT);
6051         }
6052
6053         /* wait while MAC is busy */
6054         for (ntries = 0; ntries < 100; ntries++) {
6055                 if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6056                         goto fail;
6057                 if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6058                         break;
6059                 run_delay(sc, 10);
6060         }
6061         if (ntries == 100)
6062                 goto fail;
6063
6064         /* clear Host to MCU mailbox */
6065         run_write(sc, RT2860_H2M_BBPAGENT, 0);
6066         run_write(sc, RT2860_H2M_MAILBOX, 0);
6067         run_delay(sc, 10);
6068
6069         if (run_bbp_init(sc) != 0) {
6070                 device_printf(sc->sc_dev, "could not initialize BBP\n");
6071                 goto fail;
6072         }
6073
6074         /* abort TSF synchronization */
6075         run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6076         tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6077             RT2860_TBTT_TIMER_EN);
6078         run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6079
6080         /* clear RX WCID search table */
6081         run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6082         /* clear WCID attribute table */
6083         run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6084
6085         /* hostapd sets a key before init. So, don't clear it. */
6086         if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6087                 /* clear shared key table */
6088                 run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6089                 /* clear shared key mode */
6090                 run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6091         }
6092
6093         run_read(sc, RT2860_US_CYC_CNT, &tmp);
6094         tmp = (tmp & ~0xff) | 0x1e;
6095         run_write(sc, RT2860_US_CYC_CNT, tmp);
6096
6097         if (sc->mac_rev != 0x0101)
6098                 run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6099
6100         run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6101         run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6102
6103         /* write vendor-specific BBP values (from EEPROM) */
6104         if (sc->mac_ver < 0x3593) {
6105                 for (i = 0; i < 10; i++) {
6106                         if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6107                                 continue;
6108                         run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6109                 }
6110         }
6111
6112         /* select Main antenna for 1T1R devices */
6113         if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6114                 run_set_rx_antenna(sc, 0);
6115
6116         /* send LEDs operating mode to microcontroller */
6117         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6118         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6119         (void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6120
6121         if (sc->mac_ver >= 0x5390)
6122                 run_rt5390_rf_init(sc);
6123         else if (sc->mac_ver == 0x3593)
6124                 run_rt3593_rf_init(sc);
6125         else if (sc->mac_ver >= 0x3070)
6126                 run_rt3070_rf_init(sc);
6127
6128         /* disable non-existing Rx chains */
6129         run_bbp_read(sc, 3, &bbp3);
6130         bbp3 &= ~(1 << 3 | 1 << 4);
6131         if (sc->nrxchains == 2)
6132                 bbp3 |= 1 << 3;
6133         else if (sc->nrxchains == 3)
6134                 bbp3 |= 1 << 4;
6135         run_bbp_write(sc, 3, bbp3);
6136
6137         /* disable non-existing Tx chains */
6138         run_bbp_read(sc, 1, &bbp1);
6139         if (sc->ntxchains == 1)
6140                 bbp1 &= ~(1 << 3 | 1 << 4);
6141         run_bbp_write(sc, 1, bbp1);
6142
6143         if (sc->mac_ver >= 0x5390)
6144                 run_rt5390_rf_setup(sc);
6145         else if (sc->mac_ver == 0x3593)
6146                 run_rt3593_rf_setup(sc);
6147         else if (sc->mac_ver >= 0x3070)
6148                 run_rt3070_rf_setup(sc);
6149
6150         /* select default channel */
6151         run_set_chan(sc, ic->ic_curchan);
6152
6153         /* setup initial protection mode */
6154         run_updateprot_cb(ic);
6155
6156         /* turn radio LED on */
6157         run_set_leds(sc, RT2860_LED_RADIO);
6158
6159         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6160         ifp->if_drv_flags |= IFF_DRV_RUNNING;
6161         sc->cmdq_run = RUN_CMDQ_GO;
6162
6163         for (i = 0; i != RUN_N_XFER; i++)
6164                 usbd_xfer_set_stall(sc->sc_xfer[i]);
6165
6166         usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6167
6168         if (run_txrx_enable(sc) != 0)
6169                 goto fail;
6170
6171         return;
6172
6173 fail:
6174         run_stop(sc);
6175 }
6176
6177 static void
6178 run_init(void *arg)
6179 {
6180         struct run_softc *sc = arg;
6181         struct ifnet *ifp = sc->sc_ifp;
6182         struct ieee80211com *ic = ifp->if_l2com;
6183
6184         RUN_LOCK(sc);
6185         run_init_locked(sc);
6186         RUN_UNLOCK(sc);
6187
6188         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6189                 ieee80211_start_all(ic);
6190 }
6191
6192 static void
6193 run_stop(void *arg)
6194 {
6195         struct run_softc *sc = (struct run_softc *)arg;
6196         struct ifnet *ifp = sc->sc_ifp;
6197         uint32_t tmp;
6198         int i;
6199         int ntries;
6200
6201         RUN_LOCK_ASSERT(sc, MA_OWNED);
6202
6203         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6204                 run_set_leds(sc, 0);    /* turn all LEDs off */
6205
6206         ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6207
6208         sc->ratectl_run = RUN_RATECTL_OFF;
6209         sc->cmdq_run = sc->cmdq_key_set;
6210
6211         RUN_UNLOCK(sc);
6212
6213         for(i = 0; i < RUN_N_XFER; i++)
6214                 usbd_transfer_drain(sc->sc_xfer[i]);
6215
6216         RUN_LOCK(sc);
6217
6218         if (sc->rx_m != NULL) {
6219                 m_free(sc->rx_m);
6220                 sc->rx_m = NULL;
6221         }
6222
6223         /* Disable Tx/Rx DMA. */
6224         if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6225                 return;
6226         tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6227         run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6228
6229         for (ntries = 0; ntries < 100; ntries++) {
6230                 if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6231                         return;
6232                 if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6233                                 break;
6234                 run_delay(sc, 10);
6235         }
6236         if (ntries == 100) {
6237                 device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6238                 return;
6239         }
6240
6241         /* disable Tx/Rx */
6242         run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6243         tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6244         run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6245
6246         /* wait for pending Tx to complete */
6247         for (ntries = 0; ntries < 100; ntries++) {
6248                 if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6249                         DPRINTF("Cannot read Tx queue count\n");
6250                         break;
6251                 }
6252                 if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6253                         DPRINTF("All Tx cleared\n");
6254                         break;
6255                 }
6256                 run_delay(sc, 10);
6257         }
6258         if (ntries >= 100)
6259                 DPRINTF("There are still pending Tx\n");
6260         run_delay(sc, 10);
6261         run_write(sc, RT2860_USB_DMA_CFG, 0);
6262
6263         run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6264         run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6265
6266         for (i = 0; i != RUN_EP_QUEUES; i++)
6267                 run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6268 }
6269
6270 static void
6271 run_delay(struct run_softc *sc, u_int ms)
6272 {
6273         usb_pause_mtx(mtx_owned(&sc->sc_mtx) ? 
6274             &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6275 }
6276
6277 static device_method_t run_methods[] = {
6278         /* Device interface */
6279         DEVMETHOD(device_probe,         run_match),
6280         DEVMETHOD(device_attach,        run_attach),
6281         DEVMETHOD(device_detach,        run_detach),
6282         DEVMETHOD_END
6283 };
6284
6285 static driver_t run_driver = {
6286         .name = "run",
6287         .methods = run_methods,
6288         .size = sizeof(struct run_softc)
6289 };
6290
6291 static devclass_t run_devclass;
6292
6293 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6294 MODULE_DEPEND(run, wlan, 1, 1, 1);
6295 MODULE_DEPEND(run, usb, 1, 1, 1);
6296 MODULE_DEPEND(run, firmware, 1, 1, 1);
6297 MODULE_VERSION(run, 1);
10-STABLE