xref: /freebsd/sys/dev/bwn/if_bwn.c (revision 2008043f386721d58158e37e0d7e50df8095942d)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2009-2010 Weongyo Jeong <weongyo@freebsd.org>
5  * Copyright (c) 2016 Landon Fuller <landonf@FreeBSD.org>
6  * Copyright (c) 2017 The FreeBSD Foundation
7  * All rights reserved.
8  *
9  * Portions of this software were developed by Landon Fuller
10  * under sponsorship from the FreeBSD Foundation.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer,
17  *    without modification.
18  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
19  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
20  *    redistribution must be conditioned upon including a substantially
21  *    similar Disclaimer requirement for further binary redistribution.
22  *
23  * NO WARRANTY
24  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
27  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
28  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
29  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
32  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
34  * THE POSSIBILITY OF SUCH DAMAGES.
35  */
36 
37 #include <sys/cdefs.h>
38 /*
39  * The Broadcom Wireless LAN controller driver.
40  */
41 
42 #include "opt_bwn.h"
43 #include "opt_wlan.h"
44 
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/kernel.h>
48 #include <sys/gpio.h>
49 #include <sys/malloc.h>
50 #include <sys/module.h>
51 #include <sys/endian.h>
52 #include <sys/errno.h>
53 #include <sys/firmware.h>
54 #include <sys/lock.h>
55 #include <sys/mutex.h>
56 #include <machine/bus.h>
57 #include <machine/resource.h>
58 #include <sys/bus.h>
59 #include <sys/rman.h>
60 #include <sys/socket.h>
61 #include <sys/sockio.h>
62 
63 #include <net/ethernet.h>
64 #include <net/if.h>
65 #include <net/if_var.h>
66 #include <net/if_arp.h>
67 #include <net/if_dl.h>
68 #include <net/if_llc.h>
69 #include <net/if_media.h>
70 #include <net/if_types.h>
71 
72 #include <net80211/ieee80211_var.h>
73 #include <net80211/ieee80211_radiotap.h>
74 #include <net80211/ieee80211_regdomain.h>
75 #include <net80211/ieee80211_phy.h>
76 #include <net80211/ieee80211_ratectl.h>
77 
78 #include <dev/bhnd/bhnd.h>
79 #include <dev/bhnd/bhnd_ids.h>
80 
81 #include <dev/bhnd/cores/chipc/chipc.h>
82 #include <dev/bhnd/cores/pmu/bhnd_pmu.h>
83 
84 #include <dev/bwn/if_bwnreg.h>
85 #include <dev/bwn/if_bwnvar.h>
86 
87 #include <dev/bwn/if_bwn_debug.h>
88 #include <dev/bwn/if_bwn_misc.h>
89 #include <dev/bwn/if_bwn_util.h>
90 #include <dev/bwn/if_bwn_phy_common.h>
91 #include <dev/bwn/if_bwn_phy_g.h>
92 #include <dev/bwn/if_bwn_phy_lp.h>
93 #include <dev/bwn/if_bwn_phy_n.h>
94 
95 #include "bhnd_nvram_map.h"
96 
97 #include "gpio_if.h"
98 
99 static SYSCTL_NODE(_hw, OID_AUTO, bwn, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
100     "Broadcom driver parameters");
101 
102 /*
103  * Tunable & sysctl variables.
104  */
105 
106 #ifdef BWN_DEBUG
107 static	int bwn_debug = 0;
108 SYSCTL_INT(_hw_bwn, OID_AUTO, debug, CTLFLAG_RWTUN, &bwn_debug, 0,
109     "Broadcom debugging printfs");
110 #endif
111 
112 static int	bwn_bfp = 0;		/* use "Bad Frames Preemption" */
113 SYSCTL_INT(_hw_bwn, OID_AUTO, bfp, CTLFLAG_RW, &bwn_bfp, 0,
114     "uses Bad Frames Preemption");
115 static int	bwn_bluetooth = 1;
116 SYSCTL_INT(_hw_bwn, OID_AUTO, bluetooth, CTLFLAG_RW, &bwn_bluetooth, 0,
117     "turns on Bluetooth Coexistence");
118 static int	bwn_hwpctl = 0;
119 SYSCTL_INT(_hw_bwn, OID_AUTO, hwpctl, CTLFLAG_RW, &bwn_hwpctl, 0,
120     "uses H/W power control");
121 static int	bwn_usedma = 1;
122 SYSCTL_INT(_hw_bwn, OID_AUTO, usedma, CTLFLAG_RD, &bwn_usedma, 0,
123     "uses DMA");
124 TUNABLE_INT("hw.bwn.usedma", &bwn_usedma);
125 static int	bwn_wme = 1;
126 SYSCTL_INT(_hw_bwn, OID_AUTO, wme, CTLFLAG_RW, &bwn_wme, 0,
127     "uses WME support");
128 
129 static void	bwn_attach_pre(struct bwn_softc *);
130 static int	bwn_attach_post(struct bwn_softc *);
131 static int	bwn_retain_bus_providers(struct bwn_softc *sc);
132 static void	bwn_release_bus_providers(struct bwn_softc *sc);
133 static void	bwn_sprom_bugfixes(device_t);
134 static int	bwn_init(struct bwn_softc *);
135 static void	bwn_parent(struct ieee80211com *);
136 static void	bwn_start(struct bwn_softc *);
137 static int	bwn_transmit(struct ieee80211com *, struct mbuf *);
138 static int	bwn_attach_core(struct bwn_mac *);
139 static int	bwn_phy_getinfo(struct bwn_mac *, int);
140 static int	bwn_chiptest(struct bwn_mac *);
141 static int	bwn_setup_channels(struct bwn_mac *, int, int);
142 static void	bwn_shm_ctlword(struct bwn_mac *, uint16_t,
143 		    uint16_t);
144 static void	bwn_addchannels(struct ieee80211_channel [], int, int *,
145 		    const struct bwn_channelinfo *, const uint8_t []);
146 static int	bwn_raw_xmit(struct ieee80211_node *, struct mbuf *,
147 		    const struct ieee80211_bpf_params *);
148 static void	bwn_updateslot(struct ieee80211com *);
149 static void	bwn_update_promisc(struct ieee80211com *);
150 static void	bwn_wme_init(struct bwn_mac *);
151 static int	bwn_wme_update(struct ieee80211com *);
152 static void	bwn_wme_clear(struct bwn_softc *);
153 static void	bwn_wme_load(struct bwn_mac *);
154 static void	bwn_wme_loadparams(struct bwn_mac *,
155 		    const struct wmeParams *, uint16_t);
156 static void	bwn_scan_start(struct ieee80211com *);
157 static void	bwn_scan_end(struct ieee80211com *);
158 static void	bwn_set_channel(struct ieee80211com *);
159 static struct ieee80211vap *bwn_vap_create(struct ieee80211com *,
160 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
161 		    const uint8_t [IEEE80211_ADDR_LEN],
162 		    const uint8_t [IEEE80211_ADDR_LEN]);
163 static void	bwn_vap_delete(struct ieee80211vap *);
164 static void	bwn_stop(struct bwn_softc *);
165 static int	bwn_core_forceclk(struct bwn_mac *, bool);
166 static int	bwn_core_init(struct bwn_mac *);
167 static void	bwn_core_start(struct bwn_mac *);
168 static void	bwn_core_exit(struct bwn_mac *);
169 static void	bwn_bt_disable(struct bwn_mac *);
170 static int	bwn_chip_init(struct bwn_mac *);
171 static void	bwn_set_txretry(struct bwn_mac *, int, int);
172 static void	bwn_rate_init(struct bwn_mac *);
173 static void	bwn_set_phytxctl(struct bwn_mac *);
174 static void	bwn_spu_setdelay(struct bwn_mac *, int);
175 static void	bwn_bt_enable(struct bwn_mac *);
176 static void	bwn_set_macaddr(struct bwn_mac *);
177 static void	bwn_crypt_init(struct bwn_mac *);
178 static void	bwn_chip_exit(struct bwn_mac *);
179 static int	bwn_fw_fillinfo(struct bwn_mac *);
180 static int	bwn_fw_loaducode(struct bwn_mac *);
181 static int	bwn_gpio_init(struct bwn_mac *);
182 static int	bwn_fw_loadinitvals(struct bwn_mac *);
183 static int	bwn_phy_init(struct bwn_mac *);
184 static void	bwn_set_txantenna(struct bwn_mac *, int);
185 static void	bwn_set_opmode(struct bwn_mac *);
186 static void	bwn_rate_write(struct bwn_mac *, uint16_t, int);
187 static uint8_t	bwn_plcp_getcck(const uint8_t);
188 static uint8_t	bwn_plcp_getofdm(const uint8_t);
189 static void	bwn_pio_init(struct bwn_mac *);
190 static uint16_t	bwn_pio_idx2base(struct bwn_mac *, int);
191 static void	bwn_pio_set_txqueue(struct bwn_mac *, struct bwn_pio_txqueue *,
192 		    int);
193 static void	bwn_pio_setupqueue_rx(struct bwn_mac *,
194 		    struct bwn_pio_rxqueue *, int);
195 static void	bwn_destroy_queue_tx(struct bwn_pio_txqueue *);
196 static uint16_t	bwn_pio_read_2(struct bwn_mac *, struct bwn_pio_txqueue *,
197 		    uint16_t);
198 static void	bwn_pio_cancel_tx_packets(struct bwn_pio_txqueue *);
199 static int	bwn_pio_rx(struct bwn_pio_rxqueue *);
200 static uint8_t	bwn_pio_rxeof(struct bwn_pio_rxqueue *);
201 static void	bwn_pio_handle_txeof(struct bwn_mac *,
202 		    const struct bwn_txstatus *);
203 static uint16_t	bwn_pio_rx_read_2(struct bwn_pio_rxqueue *, uint16_t);
204 static uint32_t	bwn_pio_rx_read_4(struct bwn_pio_rxqueue *, uint16_t);
205 static void	bwn_pio_rx_write_2(struct bwn_pio_rxqueue *, uint16_t,
206 		    uint16_t);
207 static void	bwn_pio_rx_write_4(struct bwn_pio_rxqueue *, uint16_t,
208 		    uint32_t);
209 static int	bwn_pio_tx_start(struct bwn_mac *, struct ieee80211_node *,
210 		    struct mbuf **);
211 static struct bwn_pio_txqueue *bwn_pio_select(struct bwn_mac *, uint8_t);
212 static uint32_t	bwn_pio_write_multi_4(struct bwn_mac *,
213 		    struct bwn_pio_txqueue *, uint32_t, const void *, int);
214 static void	bwn_pio_write_4(struct bwn_mac *, struct bwn_pio_txqueue *,
215 		    uint16_t, uint32_t);
216 static uint16_t	bwn_pio_write_multi_2(struct bwn_mac *,
217 		    struct bwn_pio_txqueue *, uint16_t, const void *, int);
218 static uint16_t	bwn_pio_write_mbuf_2(struct bwn_mac *,
219 		    struct bwn_pio_txqueue *, uint16_t, struct mbuf *);
220 static struct bwn_pio_txqueue *bwn_pio_parse_cookie(struct bwn_mac *,
221 		    uint16_t, struct bwn_pio_txpkt **);
222 static void	bwn_dma_init(struct bwn_mac *);
223 static void	bwn_dma_rxdirectfifo(struct bwn_mac *, int, uint8_t);
224 static uint16_t	bwn_dma_base(int, int);
225 static void	bwn_dma_ringfree(struct bwn_dma_ring **);
226 static void	bwn_dma_32_getdesc(struct bwn_dma_ring *,
227 		    int, struct bwn_dmadesc_generic **,
228 		    struct bwn_dmadesc_meta **);
229 static void	bwn_dma_32_setdesc(struct bwn_dma_ring *,
230 		    struct bwn_dmadesc_generic *, bus_addr_t, uint16_t, int,
231 		    int, int);
232 static void	bwn_dma_32_start_transfer(struct bwn_dma_ring *, int);
233 static void	bwn_dma_32_suspend(struct bwn_dma_ring *);
234 static void	bwn_dma_32_resume(struct bwn_dma_ring *);
235 static int	bwn_dma_32_get_curslot(struct bwn_dma_ring *);
236 static void	bwn_dma_32_set_curslot(struct bwn_dma_ring *, int);
237 static void	bwn_dma_64_getdesc(struct bwn_dma_ring *,
238 		    int, struct bwn_dmadesc_generic **,
239 		    struct bwn_dmadesc_meta **);
240 static void	bwn_dma_64_setdesc(struct bwn_dma_ring *,
241 		    struct bwn_dmadesc_generic *, bus_addr_t, uint16_t, int,
242 		    int, int);
243 static void	bwn_dma_64_start_transfer(struct bwn_dma_ring *, int);
244 static void	bwn_dma_64_suspend(struct bwn_dma_ring *);
245 static void	bwn_dma_64_resume(struct bwn_dma_ring *);
246 static int	bwn_dma_64_get_curslot(struct bwn_dma_ring *);
247 static void	bwn_dma_64_set_curslot(struct bwn_dma_ring *, int);
248 static int	bwn_dma_allocringmemory(struct bwn_dma_ring *);
249 static void	bwn_dma_setup(struct bwn_dma_ring *);
250 static void	bwn_dma_free_ringmemory(struct bwn_dma_ring *);
251 static void	bwn_dma_cleanup(struct bwn_dma_ring *);
252 static void	bwn_dma_free_descbufs(struct bwn_dma_ring *);
253 static int	bwn_dma_tx_reset(struct bwn_mac *, uint16_t, int);
254 static void	bwn_dma_rx(struct bwn_dma_ring *);
255 static int	bwn_dma_rx_reset(struct bwn_mac *, uint16_t, int);
256 static void	bwn_dma_free_descbuf(struct bwn_dma_ring *,
257 		    struct bwn_dmadesc_meta *);
258 static void	bwn_dma_set_redzone(struct bwn_dma_ring *, struct mbuf *);
259 static void	bwn_dma_ring_addr(void *, bus_dma_segment_t *, int, int);
260 static int	bwn_dma_freeslot(struct bwn_dma_ring *);
261 static int	bwn_dma_nextslot(struct bwn_dma_ring *, int);
262 static void	bwn_dma_rxeof(struct bwn_dma_ring *, int *);
263 static int	bwn_dma_newbuf(struct bwn_dma_ring *,
264 		    struct bwn_dmadesc_generic *, struct bwn_dmadesc_meta *,
265 		    int);
266 static void	bwn_dma_buf_addr(void *, bus_dma_segment_t *, int,
267 		    bus_size_t, int);
268 static uint8_t	bwn_dma_check_redzone(struct bwn_dma_ring *, struct mbuf *);
269 static void	bwn_ratectl_tx_complete(const struct ieee80211_node *,
270 		    const struct bwn_txstatus *);
271 static void	bwn_dma_handle_txeof(struct bwn_mac *,
272 		    const struct bwn_txstatus *);
273 static int	bwn_dma_tx_start(struct bwn_mac *, struct ieee80211_node *,
274 		    struct mbuf **);
275 static int	bwn_dma_getslot(struct bwn_dma_ring *);
276 static struct bwn_dma_ring *bwn_dma_select(struct bwn_mac *,
277 		    uint8_t);
278 static int	bwn_dma_attach(struct bwn_mac *);
279 static struct bwn_dma_ring *bwn_dma_ringsetup(struct bwn_mac *,
280 		    int, int);
281 static struct bwn_dma_ring *bwn_dma_parse_cookie(struct bwn_mac *,
282 		    const struct bwn_txstatus *, uint16_t, int *);
283 static void	bwn_dma_free(struct bwn_mac *);
284 static int	bwn_fw_gets(struct bwn_mac *, enum bwn_fwtype);
285 static int	bwn_fw_get(struct bwn_mac *, enum bwn_fwtype,
286 		    const char *, struct bwn_fwfile *);
287 static void	bwn_release_firmware(struct bwn_mac *);
288 static void	bwn_do_release_fw(struct bwn_fwfile *);
289 static uint16_t	bwn_fwcaps_read(struct bwn_mac *);
290 static int	bwn_fwinitvals_write(struct bwn_mac *,
291 		    const struct bwn_fwinitvals *, size_t, size_t);
292 static uint16_t	bwn_ant2phy(int);
293 static void	bwn_mac_write_bssid(struct bwn_mac *);
294 static void	bwn_mac_setfilter(struct bwn_mac *, uint16_t,
295 		    const uint8_t *);
296 static void	bwn_key_dowrite(struct bwn_mac *, uint8_t, uint8_t,
297 		    const uint8_t *, size_t, const uint8_t *);
298 static void	bwn_key_macwrite(struct bwn_mac *, uint8_t,
299 		    const uint8_t *);
300 static void	bwn_key_write(struct bwn_mac *, uint8_t, uint8_t,
301 		    const uint8_t *);
302 static void	bwn_phy_exit(struct bwn_mac *);
303 static void	bwn_core_stop(struct bwn_mac *);
304 static int	bwn_switch_band(struct bwn_softc *,
305 		    struct ieee80211_channel *);
306 static int	bwn_phy_reset(struct bwn_mac *);
307 static int	bwn_newstate(struct ieee80211vap *, enum ieee80211_state, int);
308 static void	bwn_set_pretbtt(struct bwn_mac *);
309 static int	bwn_intr(void *);
310 static void	bwn_intrtask(void *, int);
311 static void	bwn_restart(struct bwn_mac *, const char *);
312 static void	bwn_intr_ucode_debug(struct bwn_mac *);
313 static void	bwn_intr_tbtt_indication(struct bwn_mac *);
314 static void	bwn_intr_atim_end(struct bwn_mac *);
315 static void	bwn_intr_beacon(struct bwn_mac *);
316 static void	bwn_intr_pmq(struct bwn_mac *);
317 static void	bwn_intr_noise(struct bwn_mac *);
318 static void	bwn_intr_txeof(struct bwn_mac *);
319 static void	bwn_hwreset(void *, int);
320 static void	bwn_handle_fwpanic(struct bwn_mac *);
321 static void	bwn_load_beacon0(struct bwn_mac *);
322 static void	bwn_load_beacon1(struct bwn_mac *);
323 static uint32_t	bwn_jssi_read(struct bwn_mac *);
324 static void	bwn_noise_gensample(struct bwn_mac *);
325 static void	bwn_handle_txeof(struct bwn_mac *,
326 		    const struct bwn_txstatus *);
327 static void	bwn_rxeof(struct bwn_mac *, struct mbuf *, const void *);
328 static void	bwn_phy_txpower_check(struct bwn_mac *, uint32_t);
329 static int	bwn_tx_start(struct bwn_softc *, struct ieee80211_node *,
330 		    struct mbuf *);
331 static int	bwn_tx_isfull(struct bwn_softc *, struct mbuf *);
332 static int	bwn_set_txhdr(struct bwn_mac *,
333 		    struct ieee80211_node *, struct mbuf *, struct bwn_txhdr *,
334 		    uint16_t);
335 static void	bwn_plcp_genhdr(struct bwn_plcp4 *, const uint16_t,
336 		    const uint8_t);
337 static uint8_t	bwn_antenna_sanitize(struct bwn_mac *, uint8_t);
338 static uint8_t	bwn_get_fbrate(uint8_t);
339 static void	bwn_txpwr(void *, int);
340 static void	bwn_tasks(void *);
341 static void	bwn_task_15s(struct bwn_mac *);
342 static void	bwn_task_30s(struct bwn_mac *);
343 static void	bwn_task_60s(struct bwn_mac *);
344 static int	bwn_plcp_get_ofdmrate(struct bwn_mac *, struct bwn_plcp6 *,
345 		    uint8_t);
346 static int	bwn_plcp_get_cckrate(struct bwn_mac *, struct bwn_plcp6 *);
347 static void	bwn_rx_radiotap(struct bwn_mac *, struct mbuf *,
348 		    const struct bwn_rxhdr4 *, struct bwn_plcp6 *, int,
349 		    int, int);
350 static void	bwn_tsf_read(struct bwn_mac *, uint64_t *);
351 static void	bwn_set_slot_time(struct bwn_mac *, uint16_t);
352 static void	bwn_watchdog(void *);
353 static void	bwn_dma_stop(struct bwn_mac *);
354 static void	bwn_pio_stop(struct bwn_mac *);
355 static void	bwn_dma_ringstop(struct bwn_dma_ring **);
356 static int	bwn_led_attach(struct bwn_mac *);
357 static void	bwn_led_newstate(struct bwn_mac *, enum ieee80211_state);
358 static void	bwn_led_event(struct bwn_mac *, int);
359 static void	bwn_led_blink_start(struct bwn_mac *, int, int);
360 static void	bwn_led_blink_next(void *);
361 static void	bwn_led_blink_end(void *);
362 static void	bwn_rfswitch(void *);
363 static void	bwn_rf_turnon(struct bwn_mac *);
364 static void	bwn_rf_turnoff(struct bwn_mac *);
365 static void	bwn_sysctl_node(struct bwn_softc *);
366 
367 static const struct bwn_channelinfo bwn_chantable_bg = {
368 	.channels = {
369 		{ 2412,  1, 30 }, { 2417,  2, 30 }, { 2422,  3, 30 },
370 		{ 2427,  4, 30 }, { 2432,  5, 30 }, { 2437,  6, 30 },
371 		{ 2442,  7, 30 }, { 2447,  8, 30 }, { 2452,  9, 30 },
372 		{ 2457, 10, 30 }, { 2462, 11, 30 }, { 2467, 12, 30 },
373 		{ 2472, 13, 30 }, { 2484, 14, 30 } },
374 	.nchannels = 14
375 };
376 
377 static const struct bwn_channelinfo bwn_chantable_a = {
378 	.channels = {
379 		{ 5170,  34, 30 }, { 5180,  36, 30 }, { 5190,  38, 30 },
380 		{ 5200,  40, 30 }, { 5210,  42, 30 }, { 5220,  44, 30 },
381 		{ 5230,  46, 30 }, { 5240,  48, 30 }, { 5260,  52, 30 },
382 		{ 5280,  56, 30 }, { 5300,  60, 30 }, { 5320,  64, 30 },
383 		{ 5500, 100, 30 }, { 5520, 104, 30 }, { 5540, 108, 30 },
384 		{ 5560, 112, 30 }, { 5580, 116, 30 }, { 5600, 120, 30 },
385 		{ 5620, 124, 30 }, { 5640, 128, 30 }, { 5660, 132, 30 },
386 		{ 5680, 136, 30 }, { 5700, 140, 30 }, { 5745, 149, 30 },
387 		{ 5765, 153, 30 }, { 5785, 157, 30 }, { 5805, 161, 30 },
388 		{ 5825, 165, 30 }, { 5920, 184, 30 }, { 5940, 188, 30 },
389 		{ 5960, 192, 30 }, { 5980, 196, 30 }, { 6000, 200, 30 },
390 		{ 6020, 204, 30 }, { 6040, 208, 30 }, { 6060, 212, 30 },
391 		{ 6080, 216, 30 } },
392 	.nchannels = 37
393 };
394 
395 #if 0
396 static const struct bwn_channelinfo bwn_chantable_n = {
397 	.channels = {
398 		{ 5160,  32, 30 }, { 5170,  34, 30 }, { 5180,  36, 30 },
399 		{ 5190,  38, 30 }, { 5200,  40, 30 }, { 5210,  42, 30 },
400 		{ 5220,  44, 30 }, { 5230,  46, 30 }, { 5240,  48, 30 },
401 		{ 5250,  50, 30 }, { 5260,  52, 30 }, { 5270,  54, 30 },
402 		{ 5280,  56, 30 }, { 5290,  58, 30 }, { 5300,  60, 30 },
403 		{ 5310,  62, 30 }, { 5320,  64, 30 }, { 5330,  66, 30 },
404 		{ 5340,  68, 30 }, { 5350,  70, 30 }, { 5360,  72, 30 },
405 		{ 5370,  74, 30 }, { 5380,  76, 30 }, { 5390,  78, 30 },
406 		{ 5400,  80, 30 }, { 5410,  82, 30 }, { 5420,  84, 30 },
407 		{ 5430,  86, 30 }, { 5440,  88, 30 }, { 5450,  90, 30 },
408 		{ 5460,  92, 30 }, { 5470,  94, 30 }, { 5480,  96, 30 },
409 		{ 5490,  98, 30 }, { 5500, 100, 30 }, { 5510, 102, 30 },
410 		{ 5520, 104, 30 }, { 5530, 106, 30 }, { 5540, 108, 30 },
411 		{ 5550, 110, 30 }, { 5560, 112, 30 }, { 5570, 114, 30 },
412 		{ 5580, 116, 30 }, { 5590, 118, 30 }, { 5600, 120, 30 },
413 		{ 5610, 122, 30 }, { 5620, 124, 30 }, { 5630, 126, 30 },
414 		{ 5640, 128, 30 }, { 5650, 130, 30 }, { 5660, 132, 30 },
415 		{ 5670, 134, 30 }, { 5680, 136, 30 }, { 5690, 138, 30 },
416 		{ 5700, 140, 30 }, { 5710, 142, 30 }, { 5720, 144, 30 },
417 		{ 5725, 145, 30 }, { 5730, 146, 30 }, { 5735, 147, 30 },
418 		{ 5740, 148, 30 }, { 5745, 149, 30 }, { 5750, 150, 30 },
419 		{ 5755, 151, 30 }, { 5760, 152, 30 }, { 5765, 153, 30 },
420 		{ 5770, 154, 30 }, { 5775, 155, 30 }, { 5780, 156, 30 },
421 		{ 5785, 157, 30 }, { 5790, 158, 30 }, { 5795, 159, 30 },
422 		{ 5800, 160, 30 }, { 5805, 161, 30 }, { 5810, 162, 30 },
423 		{ 5815, 163, 30 }, { 5820, 164, 30 }, { 5825, 165, 30 },
424 		{ 5830, 166, 30 }, { 5840, 168, 30 }, { 5850, 170, 30 },
425 		{ 5860, 172, 30 }, { 5870, 174, 30 }, { 5880, 176, 30 },
426 		{ 5890, 178, 30 }, { 5900, 180, 30 }, { 5910, 182, 30 },
427 		{ 5920, 184, 30 }, { 5930, 186, 30 }, { 5940, 188, 30 },
428 		{ 5950, 190, 30 }, { 5960, 192, 30 }, { 5970, 194, 30 },
429 		{ 5980, 196, 30 }, { 5990, 198, 30 }, { 6000, 200, 30 },
430 		{ 6010, 202, 30 }, { 6020, 204, 30 }, { 6030, 206, 30 },
431 		{ 6040, 208, 30 }, { 6050, 210, 30 }, { 6060, 212, 30 },
432 		{ 6070, 214, 30 }, { 6080, 216, 30 }, { 6090, 218, 30 },
433 		{ 6100, 220, 30 }, { 6110, 222, 30 }, { 6120, 224, 30 },
434 		{ 6130, 226, 30 }, { 6140, 228, 30 } },
435 	.nchannels = 110
436 };
437 #endif
438 
439 #define	VENDOR_LED_ACT(vendor)				\
440 {							\
441 	.vid = PCI_VENDOR_##vendor,			\
442 	.led_act = { BWN_VENDOR_LED_ACT_##vendor }	\
443 }
444 
445 static const struct {
446 	uint16_t	vid;
447 	uint8_t		led_act[BWN_LED_MAX];
448 } bwn_vendor_led_act[] = {
449 	VENDOR_LED_ACT(HP_COMPAQ),
450 	VENDOR_LED_ACT(ASUSTEK)
451 };
452 
453 static const uint8_t bwn_default_led_act[BWN_LED_MAX] =
454 	{ BWN_VENDOR_LED_ACT_DEFAULT };
455 
456 #undef VENDOR_LED_ACT
457 
458 static const char *bwn_led_vars[] = {
459 	BHND_NVAR_LEDBH0,
460 	BHND_NVAR_LEDBH1,
461 	BHND_NVAR_LEDBH2,
462 	BHND_NVAR_LEDBH3
463 };
464 
465 static const struct {
466 	int		on_dur;
467 	int		off_dur;
468 } bwn_led_duration[109] = {
469 	[0]	= { 400, 100 },
470 	[2]	= { 150, 75 },
471 	[4]	= { 90, 45 },
472 	[11]	= { 66, 34 },
473 	[12]	= { 53, 26 },
474 	[18]	= { 42, 21 },
475 	[22]	= { 35, 17 },
476 	[24]	= { 32, 16 },
477 	[36]	= { 21, 10 },
478 	[48]	= { 16, 8 },
479 	[72]	= { 11, 5 },
480 	[96]	= { 9, 4 },
481 	[108]	= { 7, 3 }
482 };
483 
484 static const uint16_t bwn_wme_shm_offsets[] = {
485 	[0] = BWN_WME_BESTEFFORT,
486 	[1] = BWN_WME_BACKGROUND,
487 	[2] = BWN_WME_VOICE,
488 	[3] = BWN_WME_VIDEO,
489 };
490 
491 /* Supported D11 core revisions */
492 #define	BWN_DEV(_hwrev)	{{					\
493 	BHND_MATCH_CORE(BHND_MFGID_BCM, BHND_COREID_D11),	\
494 	BHND_MATCH_CORE_REV(_hwrev),				\
495 }}
496 static const struct bhnd_device bwn_devices[] = {
497 	BWN_DEV(HWREV_RANGE(5, 16)),
498 	BWN_DEV(HWREV_EQ(23)),
499 	BHND_DEVICE_END
500 };
501 
502 /* D11 quirks when bridged via a PCI host bridge core */
503 static const struct bhnd_device_quirk pci_bridge_quirks[] = {
504 	BHND_CORE_QUIRK	(HWREV_LTE(10),	BWN_QUIRK_UCODE_SLOWCLOCK_WAR),
505 	BHND_DEVICE_QUIRK_END
506 };
507 
508 /* D11 quirks when bridged via a PCMCIA host bridge core */
509 static const struct bhnd_device_quirk pcmcia_bridge_quirks[] = {
510 	BHND_CORE_QUIRK	(HWREV_ANY,	BWN_QUIRK_NODMA),
511 	BHND_DEVICE_QUIRK_END
512 };
513 
514 /* Host bridge cores for which D11 quirk flags should be applied */
515 static const struct bhnd_device bridge_devices[] = {
516 	BHND_DEVICE(BCM, PCI,		NULL, pci_bridge_quirks),
517 	BHND_DEVICE(BCM, PCMCIA,	NULL, pcmcia_bridge_quirks),
518 	BHND_DEVICE_END
519 };
520 
521 static int
522 bwn_probe(device_t dev)
523 {
524 	const struct bhnd_device *id;
525 
526 	id = bhnd_device_lookup(dev, bwn_devices, sizeof(bwn_devices[0]));
527 	if (id == NULL)
528 		return (ENXIO);
529 
530 	bhnd_set_default_core_desc(dev);
531 	return (BUS_PROBE_DEFAULT);
532 }
533 
534 static int
535 bwn_attach(device_t dev)
536 {
537 	struct bwn_mac		*mac;
538 	struct bwn_softc	*sc;
539 	device_t		 parent, hostb;
540 	char			 chip_name[BHND_CHIPID_MAX_NAMELEN];
541 	int			 error;
542 
543 	sc = device_get_softc(dev);
544 	sc->sc_dev = dev;
545 #ifdef BWN_DEBUG
546 	sc->sc_debug = bwn_debug;
547 #endif
548 
549 	mac = NULL;
550 
551 	/* Determine the driver quirks applicable to this device, including any
552 	 * quirks specific to the bus host bridge core (if any) */
553 	sc->sc_quirks = bhnd_device_quirks(dev, bwn_devices,
554 	    sizeof(bwn_devices[0]));
555 
556 	parent = device_get_parent(dev);
557 	if ((hostb = bhnd_bus_find_hostb_device(parent)) != NULL) {
558 		sc->sc_quirks |= bhnd_device_quirks(hostb, bridge_devices,
559 		    sizeof(bridge_devices[0]));
560 	}
561 
562 	/* DMA explicitly disabled? */
563 	if (!bwn_usedma)
564 		sc->sc_quirks |= BWN_QUIRK_NODMA;
565 
566 	/* Fetch our chip identification and board info */
567 	sc->sc_cid = *bhnd_get_chipid(dev);
568 	if ((error = bhnd_read_board_info(dev, &sc->sc_board_info))) {
569 		device_printf(sc->sc_dev, "couldn't read board info\n");
570 		return (error);
571 	}
572 
573 	/* Allocate our D11 register block and PMU state */
574 	sc->sc_mem_rid = 0;
575 	sc->sc_mem_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY,
576 	    &sc->sc_mem_rid, RF_ACTIVE);
577 	if (sc->sc_mem_res == NULL) {
578 		device_printf(sc->sc_dev, "couldn't allocate registers\n");
579 		return (error);
580 	}
581 
582 	if ((error = bhnd_alloc_pmu(sc->sc_dev))) {
583 		bus_release_resource(sc->sc_dev, SYS_RES_MEMORY,
584 		    sc->sc_mem_rid, sc->sc_mem_res);
585 		return (error);
586 	}
587 
588 	/* Retain references to all required bus service providers */
589 	if ((error = bwn_retain_bus_providers(sc)))
590 		goto fail;
591 
592 	/* Fetch mask of available antennas */
593 	error = bhnd_nvram_getvar_uint8(sc->sc_dev, BHND_NVAR_AA2G,
594 	    &sc->sc_ant2g);
595 	if (error) {
596 		device_printf(sc->sc_dev, "error determining 2GHz antenna "
597 		    "availability from NVRAM: %d\n", error);
598 		goto fail;
599 	}
600 
601 	error = bhnd_nvram_getvar_uint8(sc->sc_dev, BHND_NVAR_AA5G,
602 	    &sc->sc_ant5g);
603 	if (error) {
604 		device_printf(sc->sc_dev, "error determining 5GHz antenna "
605 		    "availability from NVRAM: %d\n", error);
606 		goto fail;
607 	}
608 
609 	if ((sc->sc_flags & BWN_FLAG_ATTACHED) == 0) {
610 		bwn_attach_pre(sc);
611 		bwn_sprom_bugfixes(dev);
612 		sc->sc_flags |= BWN_FLAG_ATTACHED;
613 	}
614 
615 	mac = malloc(sizeof(*mac), M_DEVBUF, M_WAITOK | M_ZERO);
616 	mac->mac_sc = sc;
617 	mac->mac_status = BWN_MAC_STATUS_UNINIT;
618 	if (bwn_bfp != 0)
619 		mac->mac_flags |= BWN_MAC_FLAG_BADFRAME_PREEMP;
620 
621 	TASK_INIT(&mac->mac_hwreset, 0, bwn_hwreset, mac);
622 	NET_TASK_INIT(&mac->mac_intrtask, 0, bwn_intrtask, mac);
623 	TASK_INIT(&mac->mac_txpower, 0, bwn_txpwr, mac);
624 
625 	error = bwn_attach_core(mac);
626 	if (error)
627 		goto fail;
628 	error = bwn_led_attach(mac);
629 	if (error)
630 		goto fail;
631 
632 	bhnd_format_chip_id(chip_name, sizeof(chip_name), sc->sc_cid.chip_id);
633 	device_printf(sc->sc_dev, "WLAN (%s rev %u sromrev %u) "
634 	    "PHY (analog %d type %d rev %d) RADIO (manuf %#x ver %#x rev %d)\n",
635 	    chip_name, bhnd_get_hwrev(sc->sc_dev),
636 	    sc->sc_board_info.board_srom_rev, mac->mac_phy.analog,
637 	    mac->mac_phy.type, mac->mac_phy.rev, mac->mac_phy.rf_manuf,
638 	    mac->mac_phy.rf_ver, mac->mac_phy.rf_rev);
639 	if (mac->mac_flags & BWN_MAC_FLAG_DMA)
640 		device_printf(sc->sc_dev, "DMA (%d bits)\n", mac->mac_dmatype);
641 	else
642 		device_printf(sc->sc_dev, "PIO\n");
643 
644 #ifdef	BWN_GPL_PHY
645 	device_printf(sc->sc_dev,
646 	    "Note: compiled with BWN_GPL_PHY; includes GPLv2 code\n");
647 #endif
648 
649 	mac->mac_rid_irq = 0;
650 	mac->mac_res_irq = bus_alloc_resource_any(dev, SYS_RES_IRQ,
651 	    &mac->mac_rid_irq, RF_ACTIVE | RF_SHAREABLE);
652 
653 	if (mac->mac_res_irq == NULL) {
654 		device_printf(sc->sc_dev, "couldn't allocate IRQ resource\n");
655 		error = ENXIO;
656 		goto fail;
657 	}
658 
659 	error = bus_setup_intr(dev, mac->mac_res_irq,
660 	    INTR_TYPE_NET | INTR_MPSAFE, bwn_intr, NULL, mac,
661 	    &mac->mac_intrhand);
662 	if (error != 0) {
663 		device_printf(sc->sc_dev, "couldn't setup interrupt (%d)\n",
664 		    error);
665 		goto fail;
666 	}
667 
668 	TAILQ_INSERT_TAIL(&sc->sc_maclist, mac, mac_list);
669 
670 	/*
671 	 * calls attach-post routine
672 	 */
673 	if ((sc->sc_flags & BWN_FLAG_ATTACHED) != 0)
674 		bwn_attach_post(sc);
675 
676 	return (0);
677 fail:
678 	if (mac != NULL && mac->mac_res_irq != NULL) {
679 		bus_release_resource(dev, SYS_RES_IRQ, mac->mac_rid_irq,
680 		    mac->mac_res_irq);
681 	}
682 
683 	free(mac, M_DEVBUF);
684 	bhnd_release_pmu(dev);
685 	bwn_release_bus_providers(sc);
686 
687 	if (sc->sc_mem_res != NULL) {
688 		bus_release_resource(sc->sc_dev, SYS_RES_MEMORY,
689 		    sc->sc_mem_rid, sc->sc_mem_res);
690 	}
691 
692 	return (error);
693 }
694 
695 static int
696 bwn_retain_bus_providers(struct bwn_softc *sc)
697 {
698 	struct chipc_caps *ccaps;
699 
700 	sc->sc_chipc = bhnd_retain_provider(sc->sc_dev, BHND_SERVICE_CHIPC);
701 	if (sc->sc_chipc == NULL) {
702 		device_printf(sc->sc_dev, "ChipCommon device not found\n");
703 		goto failed;
704 	}
705 
706 	ccaps = BHND_CHIPC_GET_CAPS(sc->sc_chipc);
707 
708 	sc->sc_gpio = bhnd_retain_provider(sc->sc_dev, BHND_SERVICE_GPIO);
709 	if (sc->sc_gpio == NULL) {
710 		device_printf(sc->sc_dev, "GPIO device not found\n");
711 		goto failed;
712 	}
713 
714 	if (ccaps->pmu) {
715 		sc->sc_pmu = bhnd_retain_provider(sc->sc_dev, BHND_SERVICE_PMU);
716 		if (sc->sc_pmu == NULL) {
717 			device_printf(sc->sc_dev, "PMU device not found\n");
718 			goto failed;
719 		}
720 	}
721 
722 	return (0);
723 
724 failed:
725 	bwn_release_bus_providers(sc);
726 	return (ENXIO);
727 }
728 
729 static void
730 bwn_release_bus_providers(struct bwn_softc *sc)
731 {
732 #define	BWN_RELEASE_PROV(_sc, _prov, _service)	do {			\
733 	if ((_sc)-> _prov != NULL) {					\
734 		bhnd_release_provider((_sc)->sc_dev, (_sc)-> _prov,	\
735 		    (_service));					\
736 		(_sc)-> _prov = NULL;					\
737 	}								\
738 } while (0)
739 
740 	BWN_RELEASE_PROV(sc, sc_chipc, BHND_SERVICE_CHIPC);
741 	BWN_RELEASE_PROV(sc, sc_gpio, BHND_SERVICE_GPIO);
742 	BWN_RELEASE_PROV(sc, sc_pmu, BHND_SERVICE_PMU);
743 
744 #undef	BWN_RELEASE_PROV
745 }
746 
747 static int
748 bwn_attach_post(struct bwn_softc *sc)
749 {
750 	struct ieee80211com	*ic;
751 	const char		*mac_varname;
752 	u_int			 core_unit;
753 	int			 error;
754 
755 	ic = &sc->sc_ic;
756 
757 	ic->ic_softc = sc;
758 	ic->ic_name = device_get_nameunit(sc->sc_dev);
759 	/* XXX not right but it's not used anywhere important */
760 	ic->ic_phytype = IEEE80211_T_OFDM;
761 	ic->ic_opmode = IEEE80211_M_STA;
762 	ic->ic_caps =
763 		  IEEE80211_C_STA		/* station mode supported */
764 		| IEEE80211_C_MONITOR		/* monitor mode */
765 		| IEEE80211_C_AHDEMO		/* adhoc demo mode */
766 		| IEEE80211_C_SHPREAMBLE	/* short preamble supported */
767 		| IEEE80211_C_SHSLOT		/* short slot time supported */
768 		| IEEE80211_C_WME		/* WME/WMM supported */
769 		| IEEE80211_C_WPA		/* capable of WPA1+WPA2 */
770 #if 0
771 		| IEEE80211_C_BGSCAN		/* capable of bg scanning */
772 #endif
773 		| IEEE80211_C_TXPMGT		/* capable of txpow mgt */
774 		;
775 
776 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;	/* s/w bmiss */
777 
778 	/* Determine the NVRAM variable containing our MAC address */
779 	core_unit = bhnd_get_core_unit(sc->sc_dev);
780 	mac_varname = NULL;
781 	if (sc->sc_board_info.board_srom_rev <= 2) {
782 		if (core_unit == 0) {
783 			mac_varname = BHND_NVAR_IL0MACADDR;
784 		} else if (core_unit == 1) {
785 			mac_varname = BHND_NVAR_ET1MACADDR;
786 		}
787 	} else {
788 		if (core_unit == 0) {
789 			mac_varname = BHND_NVAR_MACADDR;
790 		}
791 	}
792 
793 	if (mac_varname == NULL) {
794 		device_printf(sc->sc_dev, "missing MAC address variable for "
795 		    "D11 core %u", core_unit);
796 		return (ENXIO);
797 	}
798 
799 	/* Read the MAC address from NVRAM */
800 	error = bhnd_nvram_getvar_array(sc->sc_dev, mac_varname, ic->ic_macaddr,
801 	    sizeof(ic->ic_macaddr), BHND_NVRAM_TYPE_UINT8_ARRAY);
802 	if (error) {
803 		device_printf(sc->sc_dev, "error reading %s: %d\n", mac_varname,
804 		    error);
805 		return (error);
806 	}
807 
808 	/* call MI attach routine. */
809 	ieee80211_ifattach(ic);
810 
811 	ic->ic_headroom = sizeof(struct bwn_txhdr);
812 
813 	/* override default methods */
814 	ic->ic_raw_xmit = bwn_raw_xmit;
815 	ic->ic_updateslot = bwn_updateslot;
816 	ic->ic_update_promisc = bwn_update_promisc;
817 	ic->ic_wme.wme_update = bwn_wme_update;
818 	ic->ic_scan_start = bwn_scan_start;
819 	ic->ic_scan_end = bwn_scan_end;
820 	ic->ic_set_channel = bwn_set_channel;
821 	ic->ic_vap_create = bwn_vap_create;
822 	ic->ic_vap_delete = bwn_vap_delete;
823 	ic->ic_transmit = bwn_transmit;
824 	ic->ic_parent = bwn_parent;
825 
826 	ieee80211_radiotap_attach(ic,
827 	    &sc->sc_tx_th.wt_ihdr, sizeof(sc->sc_tx_th),
828 	    BWN_TX_RADIOTAP_PRESENT,
829 	    &sc->sc_rx_th.wr_ihdr, sizeof(sc->sc_rx_th),
830 	    BWN_RX_RADIOTAP_PRESENT);
831 
832 	bwn_sysctl_node(sc);
833 
834 	if (bootverbose)
835 		ieee80211_announce(ic);
836 	return (0);
837 }
838 
839 static void
840 bwn_phy_detach(struct bwn_mac *mac)
841 {
842 
843 	if (mac->mac_phy.detach != NULL)
844 		mac->mac_phy.detach(mac);
845 }
846 
847 static int
848 bwn_detach(device_t dev)
849 {
850 	struct bwn_softc *sc = device_get_softc(dev);
851 	struct bwn_mac *mac = sc->sc_curmac;
852 	struct ieee80211com *ic = &sc->sc_ic;
853 
854 	sc->sc_flags |= BWN_FLAG_INVALID;
855 
856 	if (device_is_attached(sc->sc_dev)) {
857 		BWN_LOCK(sc);
858 		bwn_stop(sc);
859 		BWN_UNLOCK(sc);
860 		bwn_dma_free(mac);
861 		callout_drain(&sc->sc_led_blink_ch);
862 		callout_drain(&sc->sc_rfswitch_ch);
863 		callout_drain(&sc->sc_task_ch);
864 		callout_drain(&sc->sc_watchdog_ch);
865 		bwn_phy_detach(mac);
866 		ieee80211_draintask(ic, &mac->mac_hwreset);
867 		ieee80211_draintask(ic, &mac->mac_txpower);
868 		ieee80211_ifdetach(ic);
869 	}
870 	taskqueue_drain(sc->sc_tq, &mac->mac_intrtask);
871 	taskqueue_free(sc->sc_tq);
872 
873 	if (mac->mac_intrhand != NULL) {
874 		bus_teardown_intr(dev, mac->mac_res_irq, mac->mac_intrhand);
875 		mac->mac_intrhand = NULL;
876 	}
877 
878 	bhnd_release_pmu(dev);
879 	bus_release_resource(dev, SYS_RES_MEMORY, sc->sc_mem_rid,
880 	    sc->sc_mem_res);
881 	bus_release_resource(dev, SYS_RES_IRQ, mac->mac_rid_irq,
882 	    mac->mac_res_irq);
883 	mbufq_drain(&sc->sc_snd);
884 	bwn_release_firmware(mac);
885 	BWN_LOCK_DESTROY(sc);
886 
887 	bwn_release_bus_providers(sc);
888 
889 	return (0);
890 }
891 
892 static void
893 bwn_attach_pre(struct bwn_softc *sc)
894 {
895 
896 	BWN_LOCK_INIT(sc);
897 	TAILQ_INIT(&sc->sc_maclist);
898 	callout_init_mtx(&sc->sc_rfswitch_ch, &sc->sc_mtx, 0);
899 	callout_init_mtx(&sc->sc_task_ch, &sc->sc_mtx, 0);
900 	callout_init_mtx(&sc->sc_watchdog_ch, &sc->sc_mtx, 0);
901 	mbufq_init(&sc->sc_snd, ifqmaxlen);
902 	sc->sc_tq = taskqueue_create_fast("bwn_taskq", M_NOWAIT,
903 		taskqueue_thread_enqueue, &sc->sc_tq);
904 	taskqueue_start_threads(&sc->sc_tq, 1, PI_NET,
905 		"%s taskq", device_get_nameunit(sc->sc_dev));
906 }
907 
908 static void
909 bwn_sprom_bugfixes(device_t dev)
910 {
911 	struct bwn_softc *sc = device_get_softc(dev);
912 
913 #define	BWN_ISDEV(_device, _subvendor, _subdevice)		\
914 	((sc->sc_board_info.board_devid == PCI_DEVID_##_device) &&	\
915 	 (sc->sc_board_info.board_vendor == PCI_VENDOR_##_subvendor) &&	\
916 	 (sc->sc_board_info.board_type == _subdevice))
917 
918 	 /* A subset of Apple Airport Extreme (BCM4306 rev 2) devices
919 	  * were programmed with a missing PACTRL boardflag */
920 	 if (sc->sc_board_info.board_vendor == PCI_VENDOR_APPLE &&
921 	     sc->sc_board_info.board_type == 0x4e &&
922 	     sc->sc_board_info.board_rev > 0x40)
923 		 sc->sc_board_info.board_flags |= BHND_BFL_PACTRL;
924 
925 	if (BWN_ISDEV(BCM4318_D11G, ASUSTEK, 0x100f) ||
926 	    BWN_ISDEV(BCM4306_D11G, DELL, 0x0003) ||
927 	    BWN_ISDEV(BCM4306_D11G, HP, 0x12f8) ||
928 	    BWN_ISDEV(BCM4306_D11G, LINKSYS, 0x0013) ||
929 	    BWN_ISDEV(BCM4306_D11G, LINKSYS, 0x0014) ||
930 	    BWN_ISDEV(BCM4306_D11G, LINKSYS, 0x0015) ||
931 	    BWN_ISDEV(BCM4306_D11G, MOTOROLA, 0x7010))
932 		sc->sc_board_info.board_flags &= ~BHND_BFL_BTCOEX;
933 #undef	BWN_ISDEV
934 }
935 
936 static void
937 bwn_parent(struct ieee80211com *ic)
938 {
939 	struct bwn_softc *sc = ic->ic_softc;
940 	int startall = 0;
941 
942 	BWN_LOCK(sc);
943 	if (ic->ic_nrunning > 0) {
944 		if ((sc->sc_flags & BWN_FLAG_RUNNING) == 0) {
945 			bwn_init(sc);
946 			startall = 1;
947 		} else
948 			bwn_update_promisc(ic);
949 	} else if (sc->sc_flags & BWN_FLAG_RUNNING)
950 		bwn_stop(sc);
951 	BWN_UNLOCK(sc);
952 
953 	if (startall)
954 		ieee80211_start_all(ic);
955 }
956 
957 static int
958 bwn_transmit(struct ieee80211com *ic, struct mbuf *m)
959 {
960 	struct bwn_softc *sc = ic->ic_softc;
961 	int error;
962 
963 	BWN_LOCK(sc);
964 	if ((sc->sc_flags & BWN_FLAG_RUNNING) == 0) {
965 		BWN_UNLOCK(sc);
966 		return (ENXIO);
967 	}
968 	error = mbufq_enqueue(&sc->sc_snd, m);
969 	if (error) {
970 		BWN_UNLOCK(sc);
971 		return (error);
972 	}
973 	bwn_start(sc);
974 	BWN_UNLOCK(sc);
975 	return (0);
976 }
977 
978 static void
979 bwn_start(struct bwn_softc *sc)
980 {
981 	struct bwn_mac *mac = sc->sc_curmac;
982 	struct ieee80211_frame *wh;
983 	struct ieee80211_node *ni;
984 	struct ieee80211_key *k;
985 	struct mbuf *m;
986 
987 	BWN_ASSERT_LOCKED(sc);
988 
989 	if ((sc->sc_flags & BWN_FLAG_RUNNING) == 0 || mac == NULL ||
990 	    mac->mac_status < BWN_MAC_STATUS_STARTED)
991 		return;
992 
993 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
994 		if (bwn_tx_isfull(sc, m))
995 			break;
996 		ni = (struct ieee80211_node *) m->m_pkthdr.rcvif;
997 		if (ni == NULL) {
998 			device_printf(sc->sc_dev, "unexpected NULL ni\n");
999 			m_freem(m);
1000 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
1001 			continue;
1002 		}
1003 		wh = mtod(m, struct ieee80211_frame *);
1004 		if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
1005 			k = ieee80211_crypto_encap(ni, m);
1006 			if (k == NULL) {
1007 				if_inc_counter(ni->ni_vap->iv_ifp,
1008 				    IFCOUNTER_OERRORS, 1);
1009 				ieee80211_free_node(ni);
1010 				m_freem(m);
1011 				continue;
1012 			}
1013 		}
1014 		wh = NULL;	/* Catch any invalid use */
1015 		if (bwn_tx_start(sc, ni, m) != 0) {
1016 			if (ni != NULL) {
1017 				if_inc_counter(ni->ni_vap->iv_ifp,
1018 				    IFCOUNTER_OERRORS, 1);
1019 				ieee80211_free_node(ni);
1020 			}
1021 			continue;
1022 		}
1023 		sc->sc_watchdog_timer = 5;
1024 	}
1025 }
1026 
1027 static int
1028 bwn_tx_isfull(struct bwn_softc *sc, struct mbuf *m)
1029 {
1030 	struct bwn_dma_ring *dr;
1031 	struct bwn_mac *mac = sc->sc_curmac;
1032 	struct bwn_pio_txqueue *tq;
1033 	int pktlen = roundup(m->m_pkthdr.len + BWN_HDRSIZE(mac), 4);
1034 
1035 	BWN_ASSERT_LOCKED(sc);
1036 
1037 	if (mac->mac_flags & BWN_MAC_FLAG_DMA) {
1038 		dr = bwn_dma_select(mac, M_WME_GETAC(m));
1039 		if (dr->dr_stop == 1 ||
1040 		    bwn_dma_freeslot(dr) < BWN_TX_SLOTS_PER_FRAME) {
1041 			dr->dr_stop = 1;
1042 			goto full;
1043 		}
1044 	} else {
1045 		tq = bwn_pio_select(mac, M_WME_GETAC(m));
1046 		if (tq->tq_free == 0 || pktlen > tq->tq_size ||
1047 		    pktlen > (tq->tq_size - tq->tq_used))
1048 			goto full;
1049 	}
1050 	return (0);
1051 full:
1052 	mbufq_prepend(&sc->sc_snd, m);
1053 	return (1);
1054 }
1055 
1056 static int
1057 bwn_tx_start(struct bwn_softc *sc, struct ieee80211_node *ni, struct mbuf *m)
1058 {
1059 	struct bwn_mac *mac = sc->sc_curmac;
1060 	int error;
1061 
1062 	BWN_ASSERT_LOCKED(sc);
1063 
1064 	if (m->m_pkthdr.len < IEEE80211_MIN_LEN || mac == NULL) {
1065 		m_freem(m);
1066 		return (ENXIO);
1067 	}
1068 
1069 	error = (mac->mac_flags & BWN_MAC_FLAG_DMA) ?
1070 	    bwn_dma_tx_start(mac, ni, &m) : bwn_pio_tx_start(mac, ni, &m);
1071 	if (error) {
1072 		m_freem(m);
1073 		return (error);
1074 	}
1075 	return (0);
1076 }
1077 
1078 static int
1079 bwn_pio_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni,
1080     struct mbuf **mp)
1081 {
1082 	struct bwn_pio_txpkt *tp;
1083 	struct bwn_pio_txqueue *tq;
1084 	struct bwn_softc *sc = mac->mac_sc;
1085 	struct bwn_txhdr txhdr;
1086 	struct mbuf *m, *m_new;
1087 	uint32_t ctl32;
1088 	int error;
1089 	uint16_t ctl16;
1090 
1091 	BWN_ASSERT_LOCKED(sc);
1092 
1093 	/* XXX TODO send packets after DTIM */
1094 
1095 	m = *mp;
1096 	tq = bwn_pio_select(mac, M_WME_GETAC(m));
1097 	KASSERT(!TAILQ_EMPTY(&tq->tq_pktlist), ("%s: fail", __func__));
1098 	tp = TAILQ_FIRST(&tq->tq_pktlist);
1099 	tp->tp_ni = ni;
1100 	tp->tp_m = m;
1101 
1102 	error = bwn_set_txhdr(mac, ni, m, &txhdr, BWN_PIO_COOKIE(tq, tp));
1103 	if (error) {
1104 		device_printf(sc->sc_dev, "tx fail\n");
1105 		return (error);
1106 	}
1107 
1108 	TAILQ_REMOVE(&tq->tq_pktlist, tp, tp_list);
1109 	tq->tq_used += roundup(m->m_pkthdr.len + BWN_HDRSIZE(mac), 4);
1110 	tq->tq_free--;
1111 
1112 	if (bhnd_get_hwrev(sc->sc_dev) >= 8) {
1113 		/*
1114 		 * XXX please removes m_defrag(9)
1115 		 */
1116 		m_new = m_defrag(*mp, M_NOWAIT);
1117 		if (m_new == NULL) {
1118 			device_printf(sc->sc_dev,
1119 			    "%s: can't defrag TX buffer\n",
1120 			    __func__);
1121 			return (ENOBUFS);
1122 		}
1123 		*mp = m_new;
1124 		if (m_new->m_next != NULL)
1125 			device_printf(sc->sc_dev,
1126 			    "TODO: fragmented packets for PIO\n");
1127 		tp->tp_m = m_new;
1128 
1129 		/* send HEADER */
1130 		ctl32 = bwn_pio_write_multi_4(mac, tq,
1131 		    (BWN_PIO_READ_4(mac, tq, BWN_PIO8_TXCTL) |
1132 			BWN_PIO8_TXCTL_FRAMEREADY) & ~BWN_PIO8_TXCTL_EOF,
1133 		    (const uint8_t *)&txhdr, BWN_HDRSIZE(mac));
1134 		/* send BODY */
1135 		ctl32 = bwn_pio_write_multi_4(mac, tq, ctl32,
1136 		    mtod(m_new, const void *), m_new->m_pkthdr.len);
1137 		bwn_pio_write_4(mac, tq, BWN_PIO_TXCTL,
1138 		    ctl32 | BWN_PIO8_TXCTL_EOF);
1139 	} else {
1140 		ctl16 = bwn_pio_write_multi_2(mac, tq,
1141 		    (bwn_pio_read_2(mac, tq, BWN_PIO_TXCTL) |
1142 			BWN_PIO_TXCTL_FRAMEREADY) & ~BWN_PIO_TXCTL_EOF,
1143 		    (const uint8_t *)&txhdr, BWN_HDRSIZE(mac));
1144 		ctl16 = bwn_pio_write_mbuf_2(mac, tq, ctl16, m);
1145 		BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXCTL,
1146 		    ctl16 | BWN_PIO_TXCTL_EOF);
1147 	}
1148 
1149 	return (0);
1150 }
1151 
1152 static struct bwn_pio_txqueue *
1153 bwn_pio_select(struct bwn_mac *mac, uint8_t prio)
1154 {
1155 
1156 	if ((mac->mac_flags & BWN_MAC_FLAG_WME) == 0)
1157 		return (&mac->mac_method.pio.wme[WME_AC_BE]);
1158 
1159 	switch (prio) {
1160 	case 0:
1161 		return (&mac->mac_method.pio.wme[WME_AC_BE]);
1162 	case 1:
1163 		return (&mac->mac_method.pio.wme[WME_AC_BK]);
1164 	case 2:
1165 		return (&mac->mac_method.pio.wme[WME_AC_VI]);
1166 	case 3:
1167 		return (&mac->mac_method.pio.wme[WME_AC_VO]);
1168 	}
1169 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
1170 	return (NULL);
1171 }
1172 
1173 static int
1174 bwn_dma_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni,
1175     struct mbuf **mp)
1176 {
1177 #define	BWN_GET_TXHDRCACHE(slot)					\
1178 	&(txhdr_cache[(slot / BWN_TX_SLOTS_PER_FRAME) * BWN_HDRSIZE(mac)])
1179 	struct bwn_dma *dma = &mac->mac_method.dma;
1180 	struct bwn_dma_ring *dr = bwn_dma_select(mac, M_WME_GETAC(*mp));
1181 	struct bwn_dmadesc_generic *desc;
1182 	struct bwn_dmadesc_meta *mt;
1183 	struct bwn_softc *sc = mac->mac_sc;
1184 	struct mbuf *m;
1185 	uint8_t *txhdr_cache = (uint8_t *)dr->dr_txhdr_cache;
1186 	int error, slot, backup[2] = { dr->dr_curslot, dr->dr_usedslot };
1187 
1188 	BWN_ASSERT_LOCKED(sc);
1189 	KASSERT(!dr->dr_stop, ("%s:%d: fail", __func__, __LINE__));
1190 
1191 	/* XXX send after DTIM */
1192 
1193 	m = *mp;
1194 	slot = bwn_dma_getslot(dr);
1195 	dr->getdesc(dr, slot, &desc, &mt);
1196 	KASSERT(mt->mt_txtype == BWN_DMADESC_METATYPE_HEADER,
1197 	    ("%s:%d: fail", __func__, __LINE__));
1198 
1199 	error = bwn_set_txhdr(dr->dr_mac, ni, m,
1200 	    (struct bwn_txhdr *)BWN_GET_TXHDRCACHE(slot),
1201 	    BWN_DMA_COOKIE(dr, slot));
1202 	if (error)
1203 		goto fail;
1204 	error = bus_dmamap_load(dr->dr_txring_dtag, mt->mt_dmap,
1205 	    BWN_GET_TXHDRCACHE(slot), BWN_HDRSIZE(mac), bwn_dma_ring_addr,
1206 	    &mt->mt_paddr, BUS_DMA_NOWAIT);
1207 	if (error) {
1208 		device_printf(sc->sc_dev, "%s: can't load TX buffer (1) %d\n",
1209 		    __func__, error);
1210 		goto fail;
1211 	}
1212 	bus_dmamap_sync(dr->dr_txring_dtag, mt->mt_dmap,
1213 	    BUS_DMASYNC_PREWRITE);
1214 	dr->setdesc(dr, desc, mt->mt_paddr, BWN_HDRSIZE(mac), 1, 0, 0);
1215 	bus_dmamap_sync(dr->dr_ring_dtag, dr->dr_ring_dmap,
1216 	    BUS_DMASYNC_PREWRITE);
1217 
1218 	slot = bwn_dma_getslot(dr);
1219 	dr->getdesc(dr, slot, &desc, &mt);
1220 	KASSERT(mt->mt_txtype == BWN_DMADESC_METATYPE_BODY &&
1221 	    mt->mt_islast == 1, ("%s:%d: fail", __func__, __LINE__));
1222 	mt->mt_m = m;
1223 	mt->mt_ni = ni;
1224 
1225 	error = bus_dmamap_load_mbuf(dma->txbuf_dtag, mt->mt_dmap, m,
1226 	    bwn_dma_buf_addr, &mt->mt_paddr, BUS_DMA_NOWAIT);
1227 	if (error && error != EFBIG) {
1228 		device_printf(sc->sc_dev, "%s: can't load TX buffer (1) %d\n",
1229 		    __func__, error);
1230 		goto fail;
1231 	}
1232 	if (error) {    /* error == EFBIG */
1233 		struct mbuf *m_new;
1234 
1235 		m_new = m_defrag(m, M_NOWAIT);
1236 		if (m_new == NULL) {
1237 			device_printf(sc->sc_dev,
1238 			    "%s: can't defrag TX buffer\n",
1239 			    __func__);
1240 			error = ENOBUFS;
1241 			goto fail;
1242 		}
1243 		*mp = m = m_new;
1244 
1245 		mt->mt_m = m;
1246 		error = bus_dmamap_load_mbuf(dma->txbuf_dtag, mt->mt_dmap,
1247 		    m, bwn_dma_buf_addr, &mt->mt_paddr, BUS_DMA_NOWAIT);
1248 		if (error) {
1249 			device_printf(sc->sc_dev,
1250 			    "%s: can't load TX buffer (2) %d\n",
1251 			    __func__, error);
1252 			goto fail;
1253 		}
1254 	}
1255 	bus_dmamap_sync(dma->txbuf_dtag, mt->mt_dmap, BUS_DMASYNC_PREWRITE);
1256 	dr->setdesc(dr, desc, mt->mt_paddr, m->m_pkthdr.len, 0, 1, 1);
1257 	bus_dmamap_sync(dr->dr_ring_dtag, dr->dr_ring_dmap,
1258 	    BUS_DMASYNC_PREWRITE);
1259 
1260 	/* XXX send after DTIM */
1261 
1262 	dr->start_transfer(dr, bwn_dma_nextslot(dr, slot));
1263 	return (0);
1264 fail:
1265 	dr->dr_curslot = backup[0];
1266 	dr->dr_usedslot = backup[1];
1267 	return (error);
1268 #undef BWN_GET_TXHDRCACHE
1269 }
1270 
1271 static void
1272 bwn_watchdog(void *arg)
1273 {
1274 	struct bwn_softc *sc = arg;
1275 
1276 	if (sc->sc_watchdog_timer != 0 && --sc->sc_watchdog_timer == 0) {
1277 		device_printf(sc->sc_dev, "device timeout\n");
1278 		counter_u64_add(sc->sc_ic.ic_oerrors, 1);
1279 	}
1280 	callout_schedule(&sc->sc_watchdog_ch, hz);
1281 }
1282 
1283 static int
1284 bwn_attach_core(struct bwn_mac *mac)
1285 {
1286 	struct bwn_softc *sc = mac->mac_sc;
1287 	int error, have_bg = 0, have_a = 0;
1288 	uint16_t iost;
1289 
1290 	KASSERT(bhnd_get_hwrev(sc->sc_dev) >= 5,
1291 	    ("unsupported revision %d", bhnd_get_hwrev(sc->sc_dev)));
1292 
1293 	if ((error = bwn_core_forceclk(mac, true)))
1294 		return (error);
1295 
1296 	if ((error = bhnd_read_iost(sc->sc_dev, &iost))) {
1297 		device_printf(sc->sc_dev, "error reading I/O status flags: "
1298 		    "%d\n", error);
1299 		return (error);
1300 	}
1301 
1302 	have_a = (iost & BWN_IOST_HAVE_5GHZ) ? 1 : 0;
1303 	have_bg = (iost & BWN_IOST_HAVE_2GHZ) ? 1 : 0;
1304 	if (iost & BWN_IOST_DUALPHY) {
1305 		have_bg = 1;
1306 		have_a = 1;
1307 	}
1308 
1309 #if 0
1310 	device_printf(sc->sc_dev, "%s: iost=0x%04hx, have_a=%d, have_bg=%d,"
1311 	    " deviceid=0x%04x, siba_deviceid=0x%04x\n",
1312 	    __func__,
1313 	    iost,
1314 	    have_a,
1315 	    have_bg,
1316 	    sc->sc_board_info.board_devid,
1317 	    sc->sc_cid.chip_id);
1318 #endif
1319 
1320 	/*
1321 	 * Guess at whether it has A-PHY or G-PHY.
1322 	 * This is just used for resetting the core to probe things;
1323 	 * we will re-guess once it's all up and working.
1324 	 */
1325 	error = bwn_reset_core(mac, have_bg);
1326 	if (error)
1327 		goto fail;
1328 
1329 	/*
1330 	 * Determine the DMA engine type
1331 	 */
1332 	if (iost & BHND_IOST_DMA64) {
1333 		mac->mac_dmatype = BHND_DMA_ADDR_64BIT;
1334 	} else {
1335 		uint32_t tmp;
1336 		uint16_t base;
1337 
1338 		base = bwn_dma_base(0, 0);
1339 		BWN_WRITE_4(mac, base + BWN_DMA32_TXCTL,
1340 		    BWN_DMA32_TXADDREXT_MASK);
1341 		tmp = BWN_READ_4(mac, base + BWN_DMA32_TXCTL);
1342 		if (tmp & BWN_DMA32_TXADDREXT_MASK) {
1343 			mac->mac_dmatype = BHND_DMA_ADDR_32BIT;
1344 		} else {
1345 			mac->mac_dmatype = BHND_DMA_ADDR_30BIT;
1346 		}
1347 	}
1348 
1349 	/*
1350 	 * Get the PHY version.
1351 	 */
1352 	error = bwn_phy_getinfo(mac, have_bg);
1353 	if (error)
1354 		goto fail;
1355 
1356 	/*
1357 	 * This is the whitelist of devices which we "believe"
1358 	 * the SPROM PHY config from.  The rest are "guessed".
1359 	 */
1360 	if (sc->sc_board_info.board_devid != PCI_DEVID_BCM4311_D11DUAL &&
1361 	    sc->sc_board_info.board_devid != PCI_DEVID_BCM4328_D11G &&
1362 	    sc->sc_board_info.board_devid != PCI_DEVID_BCM4318_D11DUAL &&
1363 	    sc->sc_board_info.board_devid != PCI_DEVID_BCM4306_D11DUAL &&
1364 	    sc->sc_board_info.board_devid != PCI_DEVID_BCM4321_D11N &&
1365 	    sc->sc_board_info.board_devid != PCI_DEVID_BCM4322_D11N) {
1366 		have_a = have_bg = 0;
1367 		if (mac->mac_phy.type == BWN_PHYTYPE_A)
1368 			have_a = 1;
1369 		else if (mac->mac_phy.type == BWN_PHYTYPE_G ||
1370 		    mac->mac_phy.type == BWN_PHYTYPE_N ||
1371 		    mac->mac_phy.type == BWN_PHYTYPE_LP)
1372 			have_bg = 1;
1373 		else
1374 			KASSERT(0 == 1, ("%s: unknown phy type (%d)", __func__,
1375 			    mac->mac_phy.type));
1376 	}
1377 
1378 	/*
1379 	 * XXX The PHY-G support doesn't do 5GHz operation.
1380 	 */
1381 	if (mac->mac_phy.type != BWN_PHYTYPE_LP &&
1382 	    mac->mac_phy.type != BWN_PHYTYPE_N) {
1383 		device_printf(sc->sc_dev,
1384 		    "%s: forcing 2GHz only; no dual-band support for PHY\n",
1385 		    __func__);
1386 		have_a = 0;
1387 		have_bg = 1;
1388 	}
1389 
1390 	mac->mac_phy.phy_n = NULL;
1391 
1392 	if (mac->mac_phy.type == BWN_PHYTYPE_G) {
1393 		mac->mac_phy.attach = bwn_phy_g_attach;
1394 		mac->mac_phy.detach = bwn_phy_g_detach;
1395 		mac->mac_phy.prepare_hw = bwn_phy_g_prepare_hw;
1396 		mac->mac_phy.init_pre = bwn_phy_g_init_pre;
1397 		mac->mac_phy.init = bwn_phy_g_init;
1398 		mac->mac_phy.exit = bwn_phy_g_exit;
1399 		mac->mac_phy.phy_read = bwn_phy_g_read;
1400 		mac->mac_phy.phy_write = bwn_phy_g_write;
1401 		mac->mac_phy.rf_read = bwn_phy_g_rf_read;
1402 		mac->mac_phy.rf_write = bwn_phy_g_rf_write;
1403 		mac->mac_phy.use_hwpctl = bwn_phy_g_hwpctl;
1404 		mac->mac_phy.rf_onoff = bwn_phy_g_rf_onoff;
1405 		mac->mac_phy.switch_analog = bwn_phy_switch_analog;
1406 		mac->mac_phy.switch_channel = bwn_phy_g_switch_channel;
1407 		mac->mac_phy.get_default_chan = bwn_phy_g_get_default_chan;
1408 		mac->mac_phy.set_antenna = bwn_phy_g_set_antenna;
1409 		mac->mac_phy.set_im = bwn_phy_g_im;
1410 		mac->mac_phy.recalc_txpwr = bwn_phy_g_recalc_txpwr;
1411 		mac->mac_phy.set_txpwr = bwn_phy_g_set_txpwr;
1412 		mac->mac_phy.task_15s = bwn_phy_g_task_15s;
1413 		mac->mac_phy.task_60s = bwn_phy_g_task_60s;
1414 	} else if (mac->mac_phy.type == BWN_PHYTYPE_LP) {
1415 		mac->mac_phy.init_pre = bwn_phy_lp_init_pre;
1416 		mac->mac_phy.init = bwn_phy_lp_init;
1417 		mac->mac_phy.phy_read = bwn_phy_lp_read;
1418 		mac->mac_phy.phy_write = bwn_phy_lp_write;
1419 		mac->mac_phy.phy_maskset = bwn_phy_lp_maskset;
1420 		mac->mac_phy.rf_read = bwn_phy_lp_rf_read;
1421 		mac->mac_phy.rf_write = bwn_phy_lp_rf_write;
1422 		mac->mac_phy.rf_onoff = bwn_phy_lp_rf_onoff;
1423 		mac->mac_phy.switch_analog = bwn_phy_lp_switch_analog;
1424 		mac->mac_phy.switch_channel = bwn_phy_lp_switch_channel;
1425 		mac->mac_phy.get_default_chan = bwn_phy_lp_get_default_chan;
1426 		mac->mac_phy.set_antenna = bwn_phy_lp_set_antenna;
1427 		mac->mac_phy.task_60s = bwn_phy_lp_task_60s;
1428 	} else if (mac->mac_phy.type == BWN_PHYTYPE_N) {
1429 		mac->mac_phy.attach = bwn_phy_n_attach;
1430 		mac->mac_phy.detach = bwn_phy_n_detach;
1431 		mac->mac_phy.prepare_hw = bwn_phy_n_prepare_hw;
1432 		mac->mac_phy.init_pre = bwn_phy_n_init_pre;
1433 		mac->mac_phy.init = bwn_phy_n_init;
1434 		mac->mac_phy.exit = bwn_phy_n_exit;
1435 		mac->mac_phy.phy_read = bwn_phy_n_read;
1436 		mac->mac_phy.phy_write = bwn_phy_n_write;
1437 		mac->mac_phy.rf_read = bwn_phy_n_rf_read;
1438 		mac->mac_phy.rf_write = bwn_phy_n_rf_write;
1439 		mac->mac_phy.use_hwpctl = bwn_phy_n_hwpctl;
1440 		mac->mac_phy.rf_onoff = bwn_phy_n_rf_onoff;
1441 		mac->mac_phy.switch_analog = bwn_phy_n_switch_analog;
1442 		mac->mac_phy.switch_channel = bwn_phy_n_switch_channel;
1443 		mac->mac_phy.get_default_chan = bwn_phy_n_get_default_chan;
1444 		mac->mac_phy.set_antenna = bwn_phy_n_set_antenna;
1445 		mac->mac_phy.set_im = bwn_phy_n_im;
1446 		mac->mac_phy.recalc_txpwr = bwn_phy_n_recalc_txpwr;
1447 		mac->mac_phy.set_txpwr = bwn_phy_n_set_txpwr;
1448 		mac->mac_phy.task_15s = bwn_phy_n_task_15s;
1449 		mac->mac_phy.task_60s = bwn_phy_n_task_60s;
1450 	} else {
1451 		device_printf(sc->sc_dev, "unsupported PHY type (%d)\n",
1452 		    mac->mac_phy.type);
1453 		error = ENXIO;
1454 		goto fail;
1455 	}
1456 
1457 	mac->mac_phy.gmode = have_bg;
1458 	if (mac->mac_phy.attach != NULL) {
1459 		error = mac->mac_phy.attach(mac);
1460 		if (error) {
1461 			device_printf(sc->sc_dev, "failed\n");
1462 			goto fail;
1463 		}
1464 	}
1465 
1466 	error = bwn_reset_core(mac, have_bg);
1467 	if (error)
1468 		goto fail;
1469 
1470 	error = bwn_chiptest(mac);
1471 	if (error)
1472 		goto fail;
1473 	error = bwn_setup_channels(mac, have_bg, have_a);
1474 	if (error) {
1475 		device_printf(sc->sc_dev, "failed to setup channels\n");
1476 		goto fail;
1477 	}
1478 
1479 	if (sc->sc_curmac == NULL)
1480 		sc->sc_curmac = mac;
1481 
1482 	error = bwn_dma_attach(mac);
1483 	if (error != 0) {
1484 		device_printf(sc->sc_dev, "failed to initialize DMA\n");
1485 		goto fail;
1486 	}
1487 
1488 	mac->mac_phy.switch_analog(mac, 0);
1489 
1490 fail:
1491 	bhnd_suspend_hw(sc->sc_dev, 0);
1492 	bwn_release_firmware(mac);
1493 	return (error);
1494 }
1495 
1496 /*
1497  * Reset
1498  */
1499 int
1500 bwn_reset_core(struct bwn_mac *mac, int g_mode)
1501 {
1502 	struct bwn_softc	*sc;
1503 	uint32_t		 ctl;
1504 	uint16_t		 ioctl, ioctl_mask;
1505 	int			 error;
1506 
1507 	sc = mac->mac_sc;
1508 
1509 	DPRINTF(sc, BWN_DEBUG_RESET, "%s: g_mode=%d\n", __func__, g_mode);
1510 
1511 	/* Reset core */
1512 	ioctl = (BWN_IOCTL_PHYCLOCK_ENABLE | BWN_IOCTL_PHYRESET);
1513 	if (g_mode)
1514 		ioctl |= BWN_IOCTL_SUPPORT_G;
1515 
1516 	/* XXX N-PHY only; and hard-code to 20MHz for now */
1517 	if (mac->mac_phy.type == BWN_PHYTYPE_N)
1518 		ioctl |= BWN_IOCTL_PHY_BANDWIDTH_20MHZ;
1519 
1520 	if ((error = bhnd_reset_hw(sc->sc_dev, ioctl, ioctl))) {
1521 		device_printf(sc->sc_dev, "core reset failed: %d", error);
1522 		return (error);
1523 	}
1524 
1525 	DELAY(2000);
1526 
1527 	/* Take PHY out of reset */
1528 	ioctl = BHND_IOCTL_CLK_FORCE;
1529 	ioctl_mask = BHND_IOCTL_CLK_FORCE |
1530 		     BWN_IOCTL_PHYRESET |
1531 		     BWN_IOCTL_PHYCLOCK_ENABLE;
1532 
1533 	if ((error = bhnd_write_ioctl(sc->sc_dev, ioctl, ioctl_mask))) {
1534 		device_printf(sc->sc_dev, "failed to set core ioctl flags: "
1535 		    "%d\n", error);
1536 		return (error);
1537 	}
1538 
1539 	DELAY(2000);
1540 
1541 	ioctl = BWN_IOCTL_PHYCLOCK_ENABLE;
1542 	if ((error = bhnd_write_ioctl(sc->sc_dev, ioctl, ioctl_mask))) {
1543 		device_printf(sc->sc_dev, "failed to set core ioctl flags: "
1544 		    "%d\n", error);
1545 		return (error);
1546 	}
1547 
1548 	DELAY(2000);
1549 
1550 	if (mac->mac_phy.switch_analog != NULL)
1551 		mac->mac_phy.switch_analog(mac, 1);
1552 
1553 	ctl = BWN_READ_4(mac, BWN_MACCTL) & ~BWN_MACCTL_GMODE;
1554 	if (g_mode)
1555 		ctl |= BWN_MACCTL_GMODE;
1556 	BWN_WRITE_4(mac, BWN_MACCTL, ctl | BWN_MACCTL_IHR_ON);
1557 
1558 	return (0);
1559 }
1560 
1561 static int
1562 bwn_phy_getinfo(struct bwn_mac *mac, int gmode)
1563 {
1564 	struct bwn_phy *phy = &mac->mac_phy;
1565 	struct bwn_softc *sc = mac->mac_sc;
1566 	uint32_t tmp;
1567 
1568 	/* PHY */
1569 	tmp = BWN_READ_2(mac, BWN_PHYVER);
1570 	phy->gmode = gmode;
1571 	phy->rf_on = 1;
1572 	phy->analog = (tmp & BWN_PHYVER_ANALOG) >> 12;
1573 	phy->type = (tmp & BWN_PHYVER_TYPE) >> 8;
1574 	phy->rev = (tmp & BWN_PHYVER_VERSION);
1575 	if ((phy->type == BWN_PHYTYPE_A && phy->rev >= 4) ||
1576 	    (phy->type == BWN_PHYTYPE_B && phy->rev != 2 &&
1577 		phy->rev != 4 && phy->rev != 6 && phy->rev != 7) ||
1578 	    (phy->type == BWN_PHYTYPE_G && phy->rev > 9) ||
1579 	    (phy->type == BWN_PHYTYPE_N && phy->rev > 6) ||
1580 	    (phy->type == BWN_PHYTYPE_LP && phy->rev > 2))
1581 		goto unsupphy;
1582 
1583 	/* RADIO */
1584 	BWN_WRITE_2(mac, BWN_RFCTL, BWN_RFCTL_ID);
1585 	tmp = BWN_READ_2(mac, BWN_RFDATALO);
1586 	BWN_WRITE_2(mac, BWN_RFCTL, BWN_RFCTL_ID);
1587 	tmp |= (uint32_t)BWN_READ_2(mac, BWN_RFDATAHI) << 16;
1588 
1589 	phy->rf_rev = (tmp & 0xf0000000) >> 28;
1590 	phy->rf_ver = (tmp & 0x0ffff000) >> 12;
1591 	phy->rf_manuf = (tmp & 0x00000fff);
1592 
1593 	/*
1594 	 * For now, just always do full init (ie, what bwn has traditionally
1595 	 * done)
1596 	 */
1597 	phy->phy_do_full_init = 1;
1598 
1599 	if (phy->rf_manuf != 0x17f)	/* 0x17f is broadcom */
1600 		goto unsupradio;
1601 	if ((phy->type == BWN_PHYTYPE_A && (phy->rf_ver != 0x2060 ||
1602 	     phy->rf_rev != 1 || phy->rf_manuf != 0x17f)) ||
1603 	    (phy->type == BWN_PHYTYPE_B && (phy->rf_ver & 0xfff0) != 0x2050) ||
1604 	    (phy->type == BWN_PHYTYPE_G && phy->rf_ver != 0x2050) ||
1605 	    (phy->type == BWN_PHYTYPE_N &&
1606 	     phy->rf_ver != 0x2055 && phy->rf_ver != 0x2056) ||
1607 	    (phy->type == BWN_PHYTYPE_LP &&
1608 	     phy->rf_ver != 0x2062 && phy->rf_ver != 0x2063))
1609 		goto unsupradio;
1610 
1611 	return (0);
1612 unsupphy:
1613 	device_printf(sc->sc_dev, "unsupported PHY (type %#x, rev %#x, "
1614 	    "analog %#x)\n",
1615 	    phy->type, phy->rev, phy->analog);
1616 	return (ENXIO);
1617 unsupradio:
1618 	device_printf(sc->sc_dev, "unsupported radio (manuf %#x, ver %#x, "
1619 	    "rev %#x)\n",
1620 	    phy->rf_manuf, phy->rf_ver, phy->rf_rev);
1621 	return (ENXIO);
1622 }
1623 
1624 static int
1625 bwn_chiptest(struct bwn_mac *mac)
1626 {
1627 #define	TESTVAL0	0x55aaaa55
1628 #define	TESTVAL1	0xaa5555aa
1629 	struct bwn_softc *sc = mac->mac_sc;
1630 	uint32_t v, backup;
1631 
1632 	BWN_LOCK(sc);
1633 
1634 	backup = bwn_shm_read_4(mac, BWN_SHARED, 0);
1635 
1636 	bwn_shm_write_4(mac, BWN_SHARED, 0, TESTVAL0);
1637 	if (bwn_shm_read_4(mac, BWN_SHARED, 0) != TESTVAL0)
1638 		goto error;
1639 	bwn_shm_write_4(mac, BWN_SHARED, 0, TESTVAL1);
1640 	if (bwn_shm_read_4(mac, BWN_SHARED, 0) != TESTVAL1)
1641 		goto error;
1642 
1643 	bwn_shm_write_4(mac, BWN_SHARED, 0, backup);
1644 
1645 	if ((bhnd_get_hwrev(sc->sc_dev) >= 3) &&
1646 	    (bhnd_get_hwrev(sc->sc_dev) <= 10)) {
1647 		BWN_WRITE_2(mac, BWN_TSF_CFP_START, 0xaaaa);
1648 		BWN_WRITE_4(mac, BWN_TSF_CFP_START, 0xccccbbbb);
1649 		if (BWN_READ_2(mac, BWN_TSF_CFP_START_LOW) != 0xbbbb)
1650 			goto error;
1651 		if (BWN_READ_2(mac, BWN_TSF_CFP_START_HIGH) != 0xcccc)
1652 			goto error;
1653 	}
1654 	BWN_WRITE_4(mac, BWN_TSF_CFP_START, 0);
1655 
1656 	v = BWN_READ_4(mac, BWN_MACCTL) | BWN_MACCTL_GMODE;
1657 	if (v != (BWN_MACCTL_GMODE | BWN_MACCTL_IHR_ON))
1658 		goto error;
1659 
1660 	BWN_UNLOCK(sc);
1661 	return (0);
1662 error:
1663 	BWN_UNLOCK(sc);
1664 	device_printf(sc->sc_dev, "failed to validate the chipaccess\n");
1665 	return (ENODEV);
1666 }
1667 
1668 static int
1669 bwn_setup_channels(struct bwn_mac *mac, int have_bg, int have_a)
1670 {
1671 	struct bwn_softc *sc = mac->mac_sc;
1672 	struct ieee80211com *ic = &sc->sc_ic;
1673 	uint8_t bands[IEEE80211_MODE_BYTES];
1674 
1675 	memset(ic->ic_channels, 0, sizeof(ic->ic_channels));
1676 	ic->ic_nchans = 0;
1677 
1678 	DPRINTF(sc, BWN_DEBUG_EEPROM, "%s: called; bg=%d, a=%d\n",
1679 	    __func__,
1680 	    have_bg,
1681 	    have_a);
1682 
1683 	if (have_bg) {
1684 		memset(bands, 0, sizeof(bands));
1685 		setbit(bands, IEEE80211_MODE_11B);
1686 		setbit(bands, IEEE80211_MODE_11G);
1687 		bwn_addchannels(ic->ic_channels, IEEE80211_CHAN_MAX,
1688 		    &ic->ic_nchans, &bwn_chantable_bg, bands);
1689 	}
1690 
1691 	if (have_a) {
1692 		memset(bands, 0, sizeof(bands));
1693 		setbit(bands, IEEE80211_MODE_11A);
1694 		bwn_addchannels(ic->ic_channels, IEEE80211_CHAN_MAX,
1695 		    &ic->ic_nchans, &bwn_chantable_a, bands);
1696 	}
1697 
1698 	mac->mac_phy.supports_2ghz = have_bg;
1699 	mac->mac_phy.supports_5ghz = have_a;
1700 
1701 	return (ic->ic_nchans == 0 ? ENXIO : 0);
1702 }
1703 
1704 uint32_t
1705 bwn_shm_read_4(struct bwn_mac *mac, uint16_t way, uint16_t offset)
1706 {
1707 	uint32_t ret;
1708 
1709 	BWN_ASSERT_LOCKED(mac->mac_sc);
1710 
1711 	if (way == BWN_SHARED) {
1712 		KASSERT((offset & 0x0001) == 0,
1713 		    ("%s:%d warn", __func__, __LINE__));
1714 		if (offset & 0x0003) {
1715 			bwn_shm_ctlword(mac, way, offset >> 2);
1716 			ret = BWN_READ_2(mac, BWN_SHM_DATA_UNALIGNED);
1717 			ret <<= 16;
1718 			bwn_shm_ctlword(mac, way, (offset >> 2) + 1);
1719 			ret |= BWN_READ_2(mac, BWN_SHM_DATA);
1720 			goto out;
1721 		}
1722 		offset >>= 2;
1723 	}
1724 	bwn_shm_ctlword(mac, way, offset);
1725 	ret = BWN_READ_4(mac, BWN_SHM_DATA);
1726 out:
1727 	return (ret);
1728 }
1729 
1730 uint16_t
1731 bwn_shm_read_2(struct bwn_mac *mac, uint16_t way, uint16_t offset)
1732 {
1733 	uint16_t ret;
1734 
1735 	BWN_ASSERT_LOCKED(mac->mac_sc);
1736 
1737 	if (way == BWN_SHARED) {
1738 		KASSERT((offset & 0x0001) == 0,
1739 		    ("%s:%d warn", __func__, __LINE__));
1740 		if (offset & 0x0003) {
1741 			bwn_shm_ctlword(mac, way, offset >> 2);
1742 			ret = BWN_READ_2(mac, BWN_SHM_DATA_UNALIGNED);
1743 			goto out;
1744 		}
1745 		offset >>= 2;
1746 	}
1747 	bwn_shm_ctlword(mac, way, offset);
1748 	ret = BWN_READ_2(mac, BWN_SHM_DATA);
1749 out:
1750 
1751 	return (ret);
1752 }
1753 
1754 static void
1755 bwn_shm_ctlword(struct bwn_mac *mac, uint16_t way,
1756     uint16_t offset)
1757 {
1758 	uint32_t control;
1759 
1760 	control = way;
1761 	control <<= 16;
1762 	control |= offset;
1763 	BWN_WRITE_4(mac, BWN_SHM_CONTROL, control);
1764 }
1765 
1766 void
1767 bwn_shm_write_4(struct bwn_mac *mac, uint16_t way, uint16_t offset,
1768     uint32_t value)
1769 {
1770 	BWN_ASSERT_LOCKED(mac->mac_sc);
1771 
1772 	if (way == BWN_SHARED) {
1773 		KASSERT((offset & 0x0001) == 0,
1774 		    ("%s:%d warn", __func__, __LINE__));
1775 		if (offset & 0x0003) {
1776 			bwn_shm_ctlword(mac, way, offset >> 2);
1777 			BWN_WRITE_2(mac, BWN_SHM_DATA_UNALIGNED,
1778 				    (value >> 16) & 0xffff);
1779 			bwn_shm_ctlword(mac, way, (offset >> 2) + 1);
1780 			BWN_WRITE_2(mac, BWN_SHM_DATA, value & 0xffff);
1781 			return;
1782 		}
1783 		offset >>= 2;
1784 	}
1785 	bwn_shm_ctlword(mac, way, offset);
1786 	BWN_WRITE_4(mac, BWN_SHM_DATA, value);
1787 }
1788 
1789 void
1790 bwn_shm_write_2(struct bwn_mac *mac, uint16_t way, uint16_t offset,
1791     uint16_t value)
1792 {
1793 	BWN_ASSERT_LOCKED(mac->mac_sc);
1794 
1795 	if (way == BWN_SHARED) {
1796 		KASSERT((offset & 0x0001) == 0,
1797 		    ("%s:%d warn", __func__, __LINE__));
1798 		if (offset & 0x0003) {
1799 			bwn_shm_ctlword(mac, way, offset >> 2);
1800 			BWN_WRITE_2(mac, BWN_SHM_DATA_UNALIGNED, value);
1801 			return;
1802 		}
1803 		offset >>= 2;
1804 	}
1805 	bwn_shm_ctlword(mac, way, offset);
1806 	BWN_WRITE_2(mac, BWN_SHM_DATA, value);
1807 }
1808 
1809 static void
1810 bwn_addchannels(struct ieee80211_channel chans[], int maxchans, int *nchans,
1811     const struct bwn_channelinfo *ci, const uint8_t bands[])
1812 {
1813 	int i, error;
1814 
1815 	for (i = 0, error = 0; i < ci->nchannels && error == 0; i++) {
1816 		const struct bwn_channel *hc = &ci->channels[i];
1817 
1818 		error = ieee80211_add_channel(chans, maxchans, nchans,
1819 		    hc->ieee, hc->freq, hc->maxTxPow, 0, bands);
1820 	}
1821 }
1822 
1823 static int
1824 bwn_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
1825 	const struct ieee80211_bpf_params *params)
1826 {
1827 	struct ieee80211com *ic = ni->ni_ic;
1828 	struct bwn_softc *sc = ic->ic_softc;
1829 	struct bwn_mac *mac = sc->sc_curmac;
1830 	int error;
1831 
1832 	if ((sc->sc_flags & BWN_FLAG_RUNNING) == 0 ||
1833 	    mac->mac_status < BWN_MAC_STATUS_STARTED) {
1834 		m_freem(m);
1835 		return (ENETDOWN);
1836 	}
1837 
1838 	BWN_LOCK(sc);
1839 	if (bwn_tx_isfull(sc, m)) {
1840 		m_freem(m);
1841 		BWN_UNLOCK(sc);
1842 		return (ENOBUFS);
1843 	}
1844 
1845 	error = bwn_tx_start(sc, ni, m);
1846 	if (error == 0)
1847 		sc->sc_watchdog_timer = 5;
1848 	BWN_UNLOCK(sc);
1849 	return (error);
1850 }
1851 
1852 /*
1853  * Callback from the 802.11 layer to update the slot time
1854  * based on the current setting.  We use it to notify the
1855  * firmware of ERP changes and the f/w takes care of things
1856  * like slot time and preamble.
1857  */
1858 static void
1859 bwn_updateslot(struct ieee80211com *ic)
1860 {
1861 	struct bwn_softc *sc = ic->ic_softc;
1862 	struct bwn_mac *mac;
1863 
1864 	BWN_LOCK(sc);
1865 	if (sc->sc_flags & BWN_FLAG_RUNNING) {
1866 		mac = (struct bwn_mac *)sc->sc_curmac;
1867 		bwn_set_slot_time(mac, IEEE80211_GET_SLOTTIME(ic));
1868 	}
1869 	BWN_UNLOCK(sc);
1870 }
1871 
1872 /*
1873  * Callback from the 802.11 layer after a promiscuous mode change.
1874  * Note this interface does not check the operating mode as this
1875  * is an internal callback and we are expected to honor the current
1876  * state (e.g. this is used for setting the interface in promiscuous
1877  * mode when operating in hostap mode to do ACS).
1878  */
1879 static void
1880 bwn_update_promisc(struct ieee80211com *ic)
1881 {
1882 	struct bwn_softc *sc = ic->ic_softc;
1883 	struct bwn_mac *mac = sc->sc_curmac;
1884 
1885 	BWN_LOCK(sc);
1886 	mac = sc->sc_curmac;
1887 	if (mac != NULL && mac->mac_status >= BWN_MAC_STATUS_INITED) {
1888 		if (ic->ic_promisc > 0)
1889 			sc->sc_filters |= BWN_MACCTL_PROMISC;
1890 		else
1891 			sc->sc_filters &= ~BWN_MACCTL_PROMISC;
1892 		bwn_set_opmode(mac);
1893 	}
1894 	BWN_UNLOCK(sc);
1895 }
1896 
1897 /*
1898  * Callback from the 802.11 layer to update WME parameters.
1899  */
1900 static int
1901 bwn_wme_update(struct ieee80211com *ic)
1902 {
1903 	struct bwn_softc *sc = ic->ic_softc;
1904 	struct bwn_mac *mac = sc->sc_curmac;
1905 	struct chanAccParams chp;
1906 	struct wmeParams *wmep;
1907 	int i;
1908 
1909 	ieee80211_wme_ic_getparams(ic, &chp);
1910 
1911 	BWN_LOCK(sc);
1912 	mac = sc->sc_curmac;
1913 	if (mac != NULL && mac->mac_status >= BWN_MAC_STATUS_INITED) {
1914 		bwn_mac_suspend(mac);
1915 		for (i = 0; i < N(sc->sc_wmeParams); i++) {
1916 			wmep = &chp.cap_wmeParams[i];
1917 			bwn_wme_loadparams(mac, wmep, bwn_wme_shm_offsets[i]);
1918 		}
1919 		bwn_mac_enable(mac);
1920 	}
1921 	BWN_UNLOCK(sc);
1922 	return (0);
1923 }
1924 
1925 static void
1926 bwn_scan_start(struct ieee80211com *ic)
1927 {
1928 	struct bwn_softc *sc = ic->ic_softc;
1929 	struct bwn_mac *mac;
1930 
1931 	BWN_LOCK(sc);
1932 	mac = sc->sc_curmac;
1933 	if (mac != NULL && mac->mac_status >= BWN_MAC_STATUS_INITED) {
1934 		sc->sc_filters |= BWN_MACCTL_BEACON_PROMISC;
1935 		bwn_set_opmode(mac);
1936 		/* disable CFP update during scan */
1937 		bwn_hf_write(mac, bwn_hf_read(mac) | BWN_HF_SKIP_CFP_UPDATE);
1938 	}
1939 	BWN_UNLOCK(sc);
1940 }
1941 
1942 static void
1943 bwn_scan_end(struct ieee80211com *ic)
1944 {
1945 	struct bwn_softc *sc = ic->ic_softc;
1946 	struct bwn_mac *mac;
1947 
1948 	BWN_LOCK(sc);
1949 	mac = sc->sc_curmac;
1950 	if (mac != NULL && mac->mac_status >= BWN_MAC_STATUS_INITED) {
1951 		sc->sc_filters &= ~BWN_MACCTL_BEACON_PROMISC;
1952 		bwn_set_opmode(mac);
1953 		bwn_hf_write(mac, bwn_hf_read(mac) & ~BWN_HF_SKIP_CFP_UPDATE);
1954 	}
1955 	BWN_UNLOCK(sc);
1956 }
1957 
1958 static void
1959 bwn_set_channel(struct ieee80211com *ic)
1960 {
1961 	struct bwn_softc *sc = ic->ic_softc;
1962 	struct bwn_mac *mac = sc->sc_curmac;
1963 	struct bwn_phy *phy = &mac->mac_phy;
1964 	int chan, error;
1965 
1966 	BWN_LOCK(sc);
1967 
1968 	error = bwn_switch_band(sc, ic->ic_curchan);
1969 	if (error)
1970 		goto fail;
1971 	bwn_mac_suspend(mac);
1972 	bwn_set_txretry(mac, BWN_RETRY_SHORT, BWN_RETRY_LONG);
1973 	chan = ieee80211_chan2ieee(ic, ic->ic_curchan);
1974 	if (chan != phy->chan)
1975 		bwn_switch_channel(mac, chan);
1976 
1977 	/* TX power level */
1978 	if (ic->ic_curchan->ic_maxpower != 0 &&
1979 	    ic->ic_curchan->ic_maxpower != phy->txpower) {
1980 		phy->txpower = ic->ic_curchan->ic_maxpower / 2;
1981 		bwn_phy_txpower_check(mac, BWN_TXPWR_IGNORE_TIME |
1982 		    BWN_TXPWR_IGNORE_TSSI);
1983 	}
1984 
1985 	bwn_set_txantenna(mac, BWN_ANT_DEFAULT);
1986 	if (phy->set_antenna)
1987 		phy->set_antenna(mac, BWN_ANT_DEFAULT);
1988 
1989 	if (sc->sc_rf_enabled != phy->rf_on) {
1990 		if (sc->sc_rf_enabled) {
1991 			bwn_rf_turnon(mac);
1992 			if (!(mac->mac_flags & BWN_MAC_FLAG_RADIO_ON))
1993 				device_printf(sc->sc_dev,
1994 				    "please turn on the RF switch\n");
1995 		} else
1996 			bwn_rf_turnoff(mac);
1997 	}
1998 
1999 	bwn_mac_enable(mac);
2000 
2001 fail:
2002 	BWN_UNLOCK(sc);
2003 }
2004 
2005 static struct ieee80211vap *
2006 bwn_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
2007     enum ieee80211_opmode opmode, int flags,
2008     const uint8_t bssid[IEEE80211_ADDR_LEN],
2009     const uint8_t mac[IEEE80211_ADDR_LEN])
2010 {
2011 	struct ieee80211vap *vap;
2012 	struct bwn_vap *bvp;
2013 
2014 	switch (opmode) {
2015 	case IEEE80211_M_HOSTAP:
2016 	case IEEE80211_M_MBSS:
2017 	case IEEE80211_M_STA:
2018 	case IEEE80211_M_WDS:
2019 	case IEEE80211_M_MONITOR:
2020 	case IEEE80211_M_IBSS:
2021 	case IEEE80211_M_AHDEMO:
2022 		break;
2023 	default:
2024 		return (NULL);
2025 	}
2026 
2027 	bvp = malloc(sizeof(struct bwn_vap), M_80211_VAP, M_WAITOK | M_ZERO);
2028 	vap = &bvp->bv_vap;
2029 	ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid);
2030 	/* override with driver methods */
2031 	bvp->bv_newstate = vap->iv_newstate;
2032 	vap->iv_newstate = bwn_newstate;
2033 
2034 	/* override max aid so sta's cannot assoc when we're out of sta id's */
2035 	vap->iv_max_aid = BWN_STAID_MAX;
2036 
2037 	ieee80211_ratectl_init(vap);
2038 
2039 	/* complete setup */
2040 	ieee80211_vap_attach(vap, ieee80211_media_change,
2041 	    ieee80211_media_status, mac);
2042 	return (vap);
2043 }
2044 
2045 static void
2046 bwn_vap_delete(struct ieee80211vap *vap)
2047 {
2048 	struct bwn_vap *bvp = BWN_VAP(vap);
2049 
2050 	ieee80211_ratectl_deinit(vap);
2051 	ieee80211_vap_detach(vap);
2052 	free(bvp, M_80211_VAP);
2053 }
2054 
2055 static int
2056 bwn_init(struct bwn_softc *sc)
2057 {
2058 	struct bwn_mac *mac;
2059 	int error;
2060 
2061 	BWN_ASSERT_LOCKED(sc);
2062 
2063 	DPRINTF(sc, BWN_DEBUG_RESET, "%s: called\n", __func__);
2064 
2065 	bzero(sc->sc_bssid, IEEE80211_ADDR_LEN);
2066 	sc->sc_flags |= BWN_FLAG_NEED_BEACON_TP;
2067 	sc->sc_filters = 0;
2068 	bwn_wme_clear(sc);
2069 	sc->sc_beacons[0] = sc->sc_beacons[1] = 0;
2070 	sc->sc_rf_enabled = 1;
2071 
2072 	mac = sc->sc_curmac;
2073 	if (mac->mac_status == BWN_MAC_STATUS_UNINIT) {
2074 		error = bwn_core_init(mac);
2075 		if (error != 0)
2076 			return (error);
2077 	}
2078 	if (mac->mac_status == BWN_MAC_STATUS_INITED)
2079 		bwn_core_start(mac);
2080 
2081 	bwn_set_opmode(mac);
2082 	bwn_set_pretbtt(mac);
2083 	bwn_spu_setdelay(mac, 0);
2084 	bwn_set_macaddr(mac);
2085 
2086 	sc->sc_flags |= BWN_FLAG_RUNNING;
2087 	callout_reset(&sc->sc_rfswitch_ch, hz, bwn_rfswitch, sc);
2088 	callout_reset(&sc->sc_watchdog_ch, hz, bwn_watchdog, sc);
2089 
2090 	return (0);
2091 }
2092 
2093 static void
2094 bwn_stop(struct bwn_softc *sc)
2095 {
2096 	struct bwn_mac *mac = sc->sc_curmac;
2097 
2098 	BWN_ASSERT_LOCKED(sc);
2099 
2100 	DPRINTF(sc, BWN_DEBUG_RESET, "%s: called\n", __func__);
2101 
2102 	if (mac->mac_status >= BWN_MAC_STATUS_INITED) {
2103 		/* XXX FIXME opmode not based on VAP */
2104 		bwn_set_opmode(mac);
2105 		bwn_set_macaddr(mac);
2106 	}
2107 
2108 	if (mac->mac_status >= BWN_MAC_STATUS_STARTED)
2109 		bwn_core_stop(mac);
2110 
2111 	callout_stop(&sc->sc_led_blink_ch);
2112 	sc->sc_led_blinking = 0;
2113 
2114 	bwn_core_exit(mac);
2115 	sc->sc_rf_enabled = 0;
2116 
2117 	sc->sc_flags &= ~BWN_FLAG_RUNNING;
2118 }
2119 
2120 static void
2121 bwn_wme_clear(struct bwn_softc *sc)
2122 {
2123 	struct wmeParams *p;
2124 	unsigned int i;
2125 
2126 	KASSERT(N(bwn_wme_shm_offsets) == N(sc->sc_wmeParams),
2127 	    ("%s:%d: fail", __func__, __LINE__));
2128 
2129 	for (i = 0; i < N(sc->sc_wmeParams); i++) {
2130 		p = &(sc->sc_wmeParams[i]);
2131 
2132 		switch (bwn_wme_shm_offsets[i]) {
2133 		case BWN_WME_VOICE:
2134 			p->wmep_txopLimit = 0;
2135 			p->wmep_aifsn = 2;
2136 			/* XXX FIXME: log2(cwmin) */
2137 			p->wmep_logcwmin =
2138 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMIN);
2139 			p->wmep_logcwmax =
2140 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMAX);
2141 			break;
2142 		case BWN_WME_VIDEO:
2143 			p->wmep_txopLimit = 0;
2144 			p->wmep_aifsn = 2;
2145 			/* XXX FIXME: log2(cwmin) */
2146 			p->wmep_logcwmin =
2147 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMIN);
2148 			p->wmep_logcwmax =
2149 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMAX);
2150 			break;
2151 		case BWN_WME_BESTEFFORT:
2152 			p->wmep_txopLimit = 0;
2153 			p->wmep_aifsn = 3;
2154 			/* XXX FIXME: log2(cwmin) */
2155 			p->wmep_logcwmin =
2156 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMIN);
2157 			p->wmep_logcwmax =
2158 			    _IEEE80211_MASKSHIFT(0x03ff, WME_PARAM_LOGCWMAX);
2159 			break;
2160 		case BWN_WME_BACKGROUND:
2161 			p->wmep_txopLimit = 0;
2162 			p->wmep_aifsn = 7;
2163 			/* XXX FIXME: log2(cwmin) */
2164 			p->wmep_logcwmin =
2165 			    _IEEE80211_MASKSHIFT(0x0001, WME_PARAM_LOGCWMIN);
2166 			p->wmep_logcwmax =
2167 			    _IEEE80211_MASKSHIFT(0x03ff, WME_PARAM_LOGCWMAX);
2168 			break;
2169 		default:
2170 			KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
2171 		}
2172 	}
2173 }
2174 
2175 static int
2176 bwn_core_forceclk(struct bwn_mac *mac, bool force)
2177 {
2178 	struct bwn_softc	*sc;
2179 	bhnd_clock		 clock;
2180 	int			 error;
2181 
2182 	sc = mac->mac_sc;
2183 
2184 	/* On PMU equipped devices, we do not need to force the HT clock */
2185 	if (sc->sc_pmu != NULL)
2186 		return (0);
2187 
2188 	/* Issue a PMU clock request */
2189 	if (force)
2190 		clock = BHND_CLOCK_HT;
2191 	else
2192 		clock = BHND_CLOCK_DYN;
2193 
2194 	if ((error = bhnd_request_clock(sc->sc_dev, clock))) {
2195 		device_printf(sc->sc_dev, "%d clock request failed: %d\n",
2196 		    clock, error);
2197 		return (error);
2198 	}
2199 
2200 	return (0);
2201 }
2202 
2203 static int
2204 bwn_core_init(struct bwn_mac *mac)
2205 {
2206 	struct bwn_softc *sc = mac->mac_sc;
2207 	uint64_t hf;
2208 	int error;
2209 
2210 	KASSERT(mac->mac_status == BWN_MAC_STATUS_UNINIT,
2211 	    ("%s:%d: fail", __func__, __LINE__));
2212 
2213 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: called\n", __func__);
2214 
2215 	if ((error = bwn_core_forceclk(mac, true)))
2216 		return (error);
2217 
2218 	if (bhnd_is_hw_suspended(sc->sc_dev)) {
2219 		if ((error = bwn_reset_core(mac, mac->mac_phy.gmode)))
2220 			goto fail0;
2221 	}
2222 
2223 	mac->mac_flags &= ~BWN_MAC_FLAG_DFQVALID;
2224 	mac->mac_flags |= BWN_MAC_FLAG_RADIO_ON;
2225 	mac->mac_phy.hwpctl = (bwn_hwpctl) ? 1 : 0;
2226 	BWN_GETTIME(mac->mac_phy.nexttime);
2227 	mac->mac_phy.txerrors = BWN_TXERROR_MAX;
2228 	bzero(&mac->mac_stats, sizeof(mac->mac_stats));
2229 	mac->mac_stats.link_noise = -95;
2230 	mac->mac_reason_intr = 0;
2231 	bzero(mac->mac_reason, sizeof(mac->mac_reason));
2232 	mac->mac_intr_mask = BWN_INTR_MASKTEMPLATE;
2233 #ifdef BWN_DEBUG
2234 	if (sc->sc_debug & BWN_DEBUG_XMIT)
2235 		mac->mac_intr_mask &= ~BWN_INTR_PHY_TXERR;
2236 #endif
2237 	mac->mac_suspended = 1;
2238 	mac->mac_task_state = 0;
2239 	memset(&mac->mac_noise, 0, sizeof(mac->mac_noise));
2240 
2241 	mac->mac_phy.init_pre(mac);
2242 
2243 	bwn_bt_disable(mac);
2244 	if (mac->mac_phy.prepare_hw) {
2245 		error = mac->mac_phy.prepare_hw(mac);
2246 		if (error)
2247 			goto fail0;
2248 	}
2249 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: chip_init\n", __func__);
2250 	error = bwn_chip_init(mac);
2251 	if (error)
2252 		goto fail0;
2253 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_COREREV,
2254 	    bhnd_get_hwrev(sc->sc_dev));
2255 	hf = bwn_hf_read(mac);
2256 	if (mac->mac_phy.type == BWN_PHYTYPE_G) {
2257 		hf |= BWN_HF_GPHY_SYM_WORKAROUND;
2258 		if (sc->sc_board_info.board_flags & BHND_BFL_PACTRL)
2259 			hf |= BWN_HF_PAGAINBOOST_OFDM_ON;
2260 		if (mac->mac_phy.rev == 1)
2261 			hf |= BWN_HF_GPHY_DC_CANCELFILTER;
2262 	}
2263 	if (mac->mac_phy.rf_ver == 0x2050) {
2264 		if (mac->mac_phy.rf_rev < 6)
2265 			hf |= BWN_HF_FORCE_VCO_RECALC;
2266 		if (mac->mac_phy.rf_rev == 6)
2267 			hf |= BWN_HF_4318_TSSI;
2268 	}
2269 	if (sc->sc_board_info.board_flags & BHND_BFL_NOPLLDOWN)
2270 		hf |= BWN_HF_SLOWCLOCK_REQ_OFF;
2271 	if (sc->sc_quirks & BWN_QUIRK_UCODE_SLOWCLOCK_WAR)
2272 		hf |= BWN_HF_PCI_SLOWCLOCK_WORKAROUND;
2273 	hf &= ~BWN_HF_SKIP_CFP_UPDATE;
2274 	bwn_hf_write(mac, hf);
2275 
2276 	/* Tell the firmware about the MAC capabilities */
2277 	if (bhnd_get_hwrev(sc->sc_dev) >= 13) {
2278 		uint32_t cap;
2279 		cap = BWN_READ_4(mac, BWN_MAC_HW_CAP);
2280 		DPRINTF(sc, BWN_DEBUG_RESET,
2281 		    "%s: hw capabilities: 0x%08x\n",
2282 		    __func__, cap);
2283 		bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_MACHW_L,
2284 		    cap & 0xffff);
2285 		bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_MACHW_H,
2286 		    (cap >> 16) & 0xffff);
2287 	}
2288 
2289 	bwn_set_txretry(mac, BWN_RETRY_SHORT, BWN_RETRY_LONG);
2290 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_SHORT_RETRY_FALLBACK, 3);
2291 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_LONG_RETRY_FALLBACK, 2);
2292 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_PROBE_RESP_MAXTIME, 1);
2293 
2294 	bwn_rate_init(mac);
2295 	bwn_set_phytxctl(mac);
2296 
2297 	bwn_shm_write_2(mac, BWN_SCRATCH, BWN_SCRATCH_CONT_MIN,
2298 	    (mac->mac_phy.type == BWN_PHYTYPE_B) ? 0x1f : 0xf);
2299 	bwn_shm_write_2(mac, BWN_SCRATCH, BWN_SCRATCH_CONT_MAX, 0x3ff);
2300 
2301 	if (sc->sc_quirks & BWN_QUIRK_NODMA)
2302 		bwn_pio_init(mac);
2303 	else
2304 		bwn_dma_init(mac);
2305 	bwn_wme_init(mac);
2306 	bwn_spu_setdelay(mac, 1);
2307 	bwn_bt_enable(mac);
2308 
2309 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: powerup\n", __func__);
2310 	if (sc->sc_board_info.board_flags & BHND_BFL_NOPLLDOWN)
2311 		bwn_core_forceclk(mac, true);
2312 	else
2313 		bwn_core_forceclk(mac, false);
2314 
2315 	bwn_set_macaddr(mac);
2316 	bwn_crypt_init(mac);
2317 
2318 	/* XXX LED initializatin */
2319 
2320 	mac->mac_status = BWN_MAC_STATUS_INITED;
2321 
2322 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: done\n", __func__);
2323 	return (error);
2324 
2325 fail0:
2326 	bhnd_suspend_hw(sc->sc_dev, 0);
2327 	KASSERT(mac->mac_status == BWN_MAC_STATUS_UNINIT,
2328 	    ("%s:%d: fail", __func__, __LINE__));
2329 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: fail\n", __func__);
2330 	return (error);
2331 }
2332 
2333 static void
2334 bwn_core_start(struct bwn_mac *mac)
2335 {
2336 	struct bwn_softc *sc = mac->mac_sc;
2337 	uint32_t tmp;
2338 
2339 	KASSERT(mac->mac_status == BWN_MAC_STATUS_INITED,
2340 	    ("%s:%d: fail", __func__, __LINE__));
2341 
2342 	if (bhnd_get_hwrev(sc->sc_dev) < 5)
2343 		return;
2344 
2345 	while (1) {
2346 		tmp = BWN_READ_4(mac, BWN_XMITSTAT_0);
2347 		if (!(tmp & 0x00000001))
2348 			break;
2349 		tmp = BWN_READ_4(mac, BWN_XMITSTAT_1);
2350 	}
2351 
2352 	bwn_mac_enable(mac);
2353 	BWN_WRITE_4(mac, BWN_INTR_MASK, mac->mac_intr_mask);
2354 	callout_reset(&sc->sc_task_ch, hz * 15, bwn_tasks, mac);
2355 
2356 	mac->mac_status = BWN_MAC_STATUS_STARTED;
2357 }
2358 
2359 static void
2360 bwn_core_exit(struct bwn_mac *mac)
2361 {
2362 	struct bwn_softc *sc = mac->mac_sc;
2363 	uint32_t macctl;
2364 
2365 	BWN_ASSERT_LOCKED(mac->mac_sc);
2366 
2367 	KASSERT(mac->mac_status <= BWN_MAC_STATUS_INITED,
2368 	    ("%s:%d: fail", __func__, __LINE__));
2369 
2370 	if (mac->mac_status != BWN_MAC_STATUS_INITED)
2371 		return;
2372 	mac->mac_status = BWN_MAC_STATUS_UNINIT;
2373 
2374 	macctl = BWN_READ_4(mac, BWN_MACCTL);
2375 	macctl &= ~BWN_MACCTL_MCODE_RUN;
2376 	macctl |= BWN_MACCTL_MCODE_JMP0;
2377 	BWN_WRITE_4(mac, BWN_MACCTL, macctl);
2378 
2379 	bwn_dma_stop(mac);
2380 	bwn_pio_stop(mac);
2381 	bwn_chip_exit(mac);
2382 	mac->mac_phy.switch_analog(mac, 0);
2383 	bhnd_suspend_hw(sc->sc_dev, 0);
2384 }
2385 
2386 static void
2387 bwn_bt_disable(struct bwn_mac *mac)
2388 {
2389 	struct bwn_softc *sc = mac->mac_sc;
2390 
2391 	(void)sc;
2392 	/* XXX do nothing yet */
2393 }
2394 
2395 static int
2396 bwn_chip_init(struct bwn_mac *mac)
2397 {
2398 	struct bwn_softc *sc = mac->mac_sc;
2399 	struct bwn_phy *phy = &mac->mac_phy;
2400 	uint32_t macctl;
2401 	u_int delay;
2402 	int error;
2403 
2404 	macctl = BWN_MACCTL_IHR_ON | BWN_MACCTL_SHM_ON | BWN_MACCTL_STA;
2405 	if (phy->gmode)
2406 		macctl |= BWN_MACCTL_GMODE;
2407 	BWN_WRITE_4(mac, BWN_MACCTL, macctl);
2408 
2409 	error = bwn_fw_fillinfo(mac);
2410 	if (error)
2411 		return (error);
2412 	error = bwn_fw_loaducode(mac);
2413 	if (error)
2414 		return (error);
2415 
2416 	error = bwn_gpio_init(mac);
2417 	if (error)
2418 		return (error);
2419 
2420 	error = bwn_fw_loadinitvals(mac);
2421 	if (error)
2422 		return (error);
2423 
2424 	phy->switch_analog(mac, 1);
2425 	error = bwn_phy_init(mac);
2426 	if (error)
2427 		return (error);
2428 
2429 	if (phy->set_im)
2430 		phy->set_im(mac, BWN_IMMODE_NONE);
2431 	if (phy->set_antenna)
2432 		phy->set_antenna(mac, BWN_ANT_DEFAULT);
2433 	bwn_set_txantenna(mac, BWN_ANT_DEFAULT);
2434 
2435 	if (phy->type == BWN_PHYTYPE_B)
2436 		BWN_WRITE_2(mac, 0x005e, BWN_READ_2(mac, 0x005e) | 0x0004);
2437 	BWN_WRITE_4(mac, 0x0100, 0x01000000);
2438 	if (bhnd_get_hwrev(sc->sc_dev) < 5)
2439 		BWN_WRITE_4(mac, 0x010c, 0x01000000);
2440 
2441 	BWN_WRITE_4(mac, BWN_MACCTL,
2442 	    BWN_READ_4(mac, BWN_MACCTL) & ~BWN_MACCTL_STA);
2443 	BWN_WRITE_4(mac, BWN_MACCTL,
2444 	    BWN_READ_4(mac, BWN_MACCTL) | BWN_MACCTL_STA);
2445 	bwn_shm_write_2(mac, BWN_SHARED, 0x0074, 0x0000);
2446 
2447 	bwn_set_opmode(mac);
2448 	if (bhnd_get_hwrev(sc->sc_dev) < 3) {
2449 		BWN_WRITE_2(mac, 0x060e, 0x0000);
2450 		BWN_WRITE_2(mac, 0x0610, 0x8000);
2451 		BWN_WRITE_2(mac, 0x0604, 0x0000);
2452 		BWN_WRITE_2(mac, 0x0606, 0x0200);
2453 	} else {
2454 		BWN_WRITE_4(mac, 0x0188, 0x80000000);
2455 		BWN_WRITE_4(mac, 0x018c, 0x02000000);
2456 	}
2457 	BWN_WRITE_4(mac, BWN_INTR_REASON, 0x00004000);
2458 	BWN_WRITE_4(mac, BWN_DMA0_INTR_MASK, 0x0001dc00);
2459 	BWN_WRITE_4(mac, BWN_DMA1_INTR_MASK, 0x0000dc00);
2460 	BWN_WRITE_4(mac, BWN_DMA2_INTR_MASK, 0x0000dc00);
2461 	BWN_WRITE_4(mac, BWN_DMA3_INTR_MASK, 0x0001dc00);
2462 	BWN_WRITE_4(mac, BWN_DMA4_INTR_MASK, 0x0000dc00);
2463 	BWN_WRITE_4(mac, BWN_DMA5_INTR_MASK, 0x0000dc00);
2464 
2465 	bwn_mac_phy_clock_set(mac, true);
2466 
2467 	/* Provide the HT clock transition latency to the MAC core */
2468 	error = bhnd_get_clock_latency(sc->sc_dev, BHND_CLOCK_HT, &delay);
2469 	if (error) {
2470 		device_printf(sc->sc_dev, "failed to fetch HT clock latency: "
2471 		    "%d\n", error);
2472 		return (error);
2473 	}
2474 
2475 	if (delay > UINT16_MAX) {
2476 		device_printf(sc->sc_dev, "invalid HT clock latency: %u\n",
2477 		    delay);
2478 		return (ENXIO);
2479 	}
2480 
2481 	BWN_WRITE_2(mac, BWN_POWERUP_DELAY, delay);
2482 	return (0);
2483 }
2484 
2485 /* read hostflags */
2486 uint64_t
2487 bwn_hf_read(struct bwn_mac *mac)
2488 {
2489 	uint64_t ret;
2490 
2491 	ret = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_HFHI);
2492 	ret <<= 16;
2493 	ret |= bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_HFMI);
2494 	ret <<= 16;
2495 	ret |= bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_HFLO);
2496 	return (ret);
2497 }
2498 
2499 void
2500 bwn_hf_write(struct bwn_mac *mac, uint64_t value)
2501 {
2502 
2503 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_HFLO,
2504 	    (value & 0x00000000ffffull));
2505 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_HFMI,
2506 	    (value & 0x0000ffff0000ull) >> 16);
2507 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_HFHI,
2508 	    (value & 0xffff00000000ULL) >> 32);
2509 }
2510 
2511 static void
2512 bwn_set_txretry(struct bwn_mac *mac, int s, int l)
2513 {
2514 
2515 	bwn_shm_write_2(mac, BWN_SCRATCH, BWN_SCRATCH_SHORT_RETRY, MIN(s, 0xf));
2516 	bwn_shm_write_2(mac, BWN_SCRATCH, BWN_SCRATCH_LONG_RETRY, MIN(l, 0xf));
2517 }
2518 
2519 static void
2520 bwn_rate_init(struct bwn_mac *mac)
2521 {
2522 
2523 	switch (mac->mac_phy.type) {
2524 	case BWN_PHYTYPE_A:
2525 	case BWN_PHYTYPE_G:
2526 	case BWN_PHYTYPE_LP:
2527 	case BWN_PHYTYPE_N:
2528 		bwn_rate_write(mac, BWN_OFDM_RATE_6MB, 1);
2529 		bwn_rate_write(mac, BWN_OFDM_RATE_12MB, 1);
2530 		bwn_rate_write(mac, BWN_OFDM_RATE_18MB, 1);
2531 		bwn_rate_write(mac, BWN_OFDM_RATE_24MB, 1);
2532 		bwn_rate_write(mac, BWN_OFDM_RATE_36MB, 1);
2533 		bwn_rate_write(mac, BWN_OFDM_RATE_48MB, 1);
2534 		bwn_rate_write(mac, BWN_OFDM_RATE_54MB, 1);
2535 		if (mac->mac_phy.type == BWN_PHYTYPE_A)
2536 			break;
2537 		/* FALLTHROUGH */
2538 	case BWN_PHYTYPE_B:
2539 		bwn_rate_write(mac, BWN_CCK_RATE_1MB, 0);
2540 		bwn_rate_write(mac, BWN_CCK_RATE_2MB, 0);
2541 		bwn_rate_write(mac, BWN_CCK_RATE_5MB, 0);
2542 		bwn_rate_write(mac, BWN_CCK_RATE_11MB, 0);
2543 		break;
2544 	default:
2545 		KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
2546 	}
2547 }
2548 
2549 static void
2550 bwn_rate_write(struct bwn_mac *mac, uint16_t rate, int ofdm)
2551 {
2552 	uint16_t offset;
2553 
2554 	if (ofdm) {
2555 		offset = 0x480;
2556 		offset += (bwn_plcp_getofdm(rate) & 0x000f) * 2;
2557 	} else {
2558 		offset = 0x4c0;
2559 		offset += (bwn_plcp_getcck(rate) & 0x000f) * 2;
2560 	}
2561 	bwn_shm_write_2(mac, BWN_SHARED, offset + 0x20,
2562 	    bwn_shm_read_2(mac, BWN_SHARED, offset));
2563 }
2564 
2565 static uint8_t
2566 bwn_plcp_getcck(const uint8_t bitrate)
2567 {
2568 
2569 	switch (bitrate) {
2570 	case BWN_CCK_RATE_1MB:
2571 		return (0x0a);
2572 	case BWN_CCK_RATE_2MB:
2573 		return (0x14);
2574 	case BWN_CCK_RATE_5MB:
2575 		return (0x37);
2576 	case BWN_CCK_RATE_11MB:
2577 		return (0x6e);
2578 	}
2579 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
2580 	return (0);
2581 }
2582 
2583 static uint8_t
2584 bwn_plcp_getofdm(const uint8_t bitrate)
2585 {
2586 
2587 	switch (bitrate) {
2588 	case BWN_OFDM_RATE_6MB:
2589 		return (0xb);
2590 	case BWN_OFDM_RATE_9MB:
2591 		return (0xf);
2592 	case BWN_OFDM_RATE_12MB:
2593 		return (0xa);
2594 	case BWN_OFDM_RATE_18MB:
2595 		return (0xe);
2596 	case BWN_OFDM_RATE_24MB:
2597 		return (0x9);
2598 	case BWN_OFDM_RATE_36MB:
2599 		return (0xd);
2600 	case BWN_OFDM_RATE_48MB:
2601 		return (0x8);
2602 	case BWN_OFDM_RATE_54MB:
2603 		return (0xc);
2604 	}
2605 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
2606 	return (0);
2607 }
2608 
2609 static void
2610 bwn_set_phytxctl(struct bwn_mac *mac)
2611 {
2612 	uint16_t ctl;
2613 
2614 	ctl = (BWN_TX_PHY_ENC_CCK | BWN_TX_PHY_ANT01AUTO |
2615 	    BWN_TX_PHY_TXPWR);
2616 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_BEACON_PHYCTL, ctl);
2617 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_ACKCTS_PHYCTL, ctl);
2618 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_PROBE_RESP_PHYCTL, ctl);
2619 }
2620 
2621 static void
2622 bwn_pio_init(struct bwn_mac *mac)
2623 {
2624 	struct bwn_pio *pio = &mac->mac_method.pio;
2625 
2626 	BWN_WRITE_4(mac, BWN_MACCTL, BWN_READ_4(mac, BWN_MACCTL)
2627 	    & ~BWN_MACCTL_BIGENDIAN);
2628 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_RX_PADOFFSET, 0);
2629 
2630 	bwn_pio_set_txqueue(mac, &pio->wme[WME_AC_BK], 0);
2631 	bwn_pio_set_txqueue(mac, &pio->wme[WME_AC_BE], 1);
2632 	bwn_pio_set_txqueue(mac, &pio->wme[WME_AC_VI], 2);
2633 	bwn_pio_set_txqueue(mac, &pio->wme[WME_AC_VO], 3);
2634 	bwn_pio_set_txqueue(mac, &pio->mcast, 4);
2635 	bwn_pio_setupqueue_rx(mac, &pio->rx, 0);
2636 }
2637 
2638 static void
2639 bwn_pio_set_txqueue(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
2640     int index)
2641 {
2642 	struct bwn_pio_txpkt *tp;
2643 	struct bwn_softc *sc = mac->mac_sc;
2644 	unsigned int i;
2645 
2646 	tq->tq_base = bwn_pio_idx2base(mac, index) + BWN_PIO_TXQOFFSET(mac);
2647 	tq->tq_index = index;
2648 
2649 	tq->tq_free = BWN_PIO_MAX_TXPACKETS;
2650 	if (bhnd_get_hwrev(sc->sc_dev) >= 8)
2651 		tq->tq_size = 1920;
2652 	else {
2653 		tq->tq_size = bwn_pio_read_2(mac, tq, BWN_PIO_TXQBUFSIZE);
2654 		tq->tq_size -= 80;
2655 	}
2656 
2657 	TAILQ_INIT(&tq->tq_pktlist);
2658 	for (i = 0; i < N(tq->tq_pkts); i++) {
2659 		tp = &(tq->tq_pkts[i]);
2660 		tp->tp_index = i;
2661 		tp->tp_queue = tq;
2662 		TAILQ_INSERT_TAIL(&tq->tq_pktlist, tp, tp_list);
2663 	}
2664 }
2665 
2666 static uint16_t
2667 bwn_pio_idx2base(struct bwn_mac *mac, int index)
2668 {
2669 	struct bwn_softc *sc = mac->mac_sc;
2670 	static const uint16_t bases[] = {
2671 		BWN_PIO_BASE0,
2672 		BWN_PIO_BASE1,
2673 		BWN_PIO_BASE2,
2674 		BWN_PIO_BASE3,
2675 		BWN_PIO_BASE4,
2676 		BWN_PIO_BASE5,
2677 		BWN_PIO_BASE6,
2678 		BWN_PIO_BASE7,
2679 	};
2680 	static const uint16_t bases_rev11[] = {
2681 		BWN_PIO11_BASE0,
2682 		BWN_PIO11_BASE1,
2683 		BWN_PIO11_BASE2,
2684 		BWN_PIO11_BASE3,
2685 		BWN_PIO11_BASE4,
2686 		BWN_PIO11_BASE5,
2687 	};
2688 
2689 	if (bhnd_get_hwrev(sc->sc_dev) >= 11) {
2690 		if (index >= N(bases_rev11))
2691 			device_printf(sc->sc_dev, "%s: warning\n", __func__);
2692 		return (bases_rev11[index]);
2693 	}
2694 	if (index >= N(bases))
2695 		device_printf(sc->sc_dev, "%s: warning\n", __func__);
2696 	return (bases[index]);
2697 }
2698 
2699 static void
2700 bwn_pio_setupqueue_rx(struct bwn_mac *mac, struct bwn_pio_rxqueue *prq,
2701     int index)
2702 {
2703 	struct bwn_softc *sc = mac->mac_sc;
2704 
2705 	prq->prq_mac = mac;
2706 	prq->prq_rev = bhnd_get_hwrev(sc->sc_dev);
2707 	prq->prq_base = bwn_pio_idx2base(mac, index) + BWN_PIO_RXQOFFSET(mac);
2708 	bwn_dma_rxdirectfifo(mac, index, 1);
2709 }
2710 
2711 static void
2712 bwn_destroy_pioqueue_tx(struct bwn_pio_txqueue *tq)
2713 {
2714 	if (tq == NULL)
2715 		return;
2716 	bwn_pio_cancel_tx_packets(tq);
2717 }
2718 
2719 static void
2720 bwn_destroy_queue_tx(struct bwn_pio_txqueue *pio)
2721 {
2722 
2723 	bwn_destroy_pioqueue_tx(pio);
2724 }
2725 
2726 static uint16_t
2727 bwn_pio_read_2(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
2728     uint16_t offset)
2729 {
2730 
2731 	return (BWN_READ_2(mac, tq->tq_base + offset));
2732 }
2733 
2734 static void
2735 bwn_dma_rxdirectfifo(struct bwn_mac *mac, int idx, uint8_t enable)
2736 {
2737 	uint32_t ctl;
2738 	uint16_t base;
2739 
2740 	base = bwn_dma_base(mac->mac_dmatype, idx);
2741 	if (mac->mac_dmatype == BHND_DMA_ADDR_64BIT) {
2742 		ctl = BWN_READ_4(mac, base + BWN_DMA64_RXCTL);
2743 		ctl &= ~BWN_DMA64_RXDIRECTFIFO;
2744 		if (enable)
2745 			ctl |= BWN_DMA64_RXDIRECTFIFO;
2746 		BWN_WRITE_4(mac, base + BWN_DMA64_RXCTL, ctl);
2747 	} else {
2748 		ctl = BWN_READ_4(mac, base + BWN_DMA32_RXCTL);
2749 		ctl &= ~BWN_DMA32_RXDIRECTFIFO;
2750 		if (enable)
2751 			ctl |= BWN_DMA32_RXDIRECTFIFO;
2752 		BWN_WRITE_4(mac, base + BWN_DMA32_RXCTL, ctl);
2753 	}
2754 }
2755 
2756 static void
2757 bwn_pio_cancel_tx_packets(struct bwn_pio_txqueue *tq)
2758 {
2759 	struct bwn_pio_txpkt *tp;
2760 	unsigned int i;
2761 
2762 	for (i = 0; i < N(tq->tq_pkts); i++) {
2763 		tp = &(tq->tq_pkts[i]);
2764 		if (tp->tp_m) {
2765 			m_freem(tp->tp_m);
2766 			tp->tp_m = NULL;
2767 		}
2768 	}
2769 }
2770 
2771 static uint16_t
2772 bwn_dma_base(int type, int controller_idx)
2773 {
2774 	static const uint16_t map64[] = {
2775 		BWN_DMA64_BASE0,
2776 		BWN_DMA64_BASE1,
2777 		BWN_DMA64_BASE2,
2778 		BWN_DMA64_BASE3,
2779 		BWN_DMA64_BASE4,
2780 		BWN_DMA64_BASE5,
2781 	};
2782 	static const uint16_t map32[] = {
2783 		BWN_DMA32_BASE0,
2784 		BWN_DMA32_BASE1,
2785 		BWN_DMA32_BASE2,
2786 		BWN_DMA32_BASE3,
2787 		BWN_DMA32_BASE4,
2788 		BWN_DMA32_BASE5,
2789 	};
2790 
2791 	if (type == BHND_DMA_ADDR_64BIT) {
2792 		KASSERT(controller_idx >= 0 && controller_idx < N(map64),
2793 		    ("%s:%d: fail", __func__, __LINE__));
2794 		return (map64[controller_idx]);
2795 	}
2796 	KASSERT(controller_idx >= 0 && controller_idx < N(map32),
2797 	    ("%s:%d: fail", __func__, __LINE__));
2798 	return (map32[controller_idx]);
2799 }
2800 
2801 static void
2802 bwn_dma_init(struct bwn_mac *mac)
2803 {
2804 	struct bwn_dma *dma = &mac->mac_method.dma;
2805 
2806 	/* setup TX DMA channels. */
2807 	bwn_dma_setup(dma->wme[WME_AC_BK]);
2808 	bwn_dma_setup(dma->wme[WME_AC_BE]);
2809 	bwn_dma_setup(dma->wme[WME_AC_VI]);
2810 	bwn_dma_setup(dma->wme[WME_AC_VO]);
2811 	bwn_dma_setup(dma->mcast);
2812 	/* setup RX DMA channel. */
2813 	bwn_dma_setup(dma->rx);
2814 }
2815 
2816 static struct bwn_dma_ring *
2817 bwn_dma_ringsetup(struct bwn_mac *mac, int controller_index,
2818     int for_tx)
2819 {
2820 	struct bwn_dma *dma = &mac->mac_method.dma;
2821 	struct bwn_dma_ring *dr;
2822 	struct bwn_dmadesc_generic *desc;
2823 	struct bwn_dmadesc_meta *mt;
2824 	struct bwn_softc *sc = mac->mac_sc;
2825 	int error, i;
2826 
2827 	dr = malloc(sizeof(*dr), M_DEVBUF, M_NOWAIT | M_ZERO);
2828 	if (dr == NULL)
2829 		goto out;
2830 	dr->dr_numslots = BWN_RXRING_SLOTS;
2831 	if (for_tx)
2832 		dr->dr_numslots = BWN_TXRING_SLOTS;
2833 
2834 	dr->dr_meta = malloc(dr->dr_numslots * sizeof(struct bwn_dmadesc_meta),
2835 	    M_DEVBUF, M_NOWAIT | M_ZERO);
2836 	if (dr->dr_meta == NULL)
2837 		goto fail0;
2838 
2839 	dr->dr_type = mac->mac_dmatype;
2840 	dr->dr_mac = mac;
2841 	dr->dr_base = bwn_dma_base(dr->dr_type, controller_index);
2842 	dr->dr_index = controller_index;
2843 	if (dr->dr_type == BHND_DMA_ADDR_64BIT) {
2844 		dr->getdesc = bwn_dma_64_getdesc;
2845 		dr->setdesc = bwn_dma_64_setdesc;
2846 		dr->start_transfer = bwn_dma_64_start_transfer;
2847 		dr->suspend = bwn_dma_64_suspend;
2848 		dr->resume = bwn_dma_64_resume;
2849 		dr->get_curslot = bwn_dma_64_get_curslot;
2850 		dr->set_curslot = bwn_dma_64_set_curslot;
2851 	} else {
2852 		dr->getdesc = bwn_dma_32_getdesc;
2853 		dr->setdesc = bwn_dma_32_setdesc;
2854 		dr->start_transfer = bwn_dma_32_start_transfer;
2855 		dr->suspend = bwn_dma_32_suspend;
2856 		dr->resume = bwn_dma_32_resume;
2857 		dr->get_curslot = bwn_dma_32_get_curslot;
2858 		dr->set_curslot = bwn_dma_32_set_curslot;
2859 	}
2860 	if (for_tx) {
2861 		dr->dr_tx = 1;
2862 		dr->dr_curslot = -1;
2863 	} else {
2864 		if (dr->dr_index == 0) {
2865 			switch (mac->mac_fw.fw_hdr_format) {
2866 			case BWN_FW_HDR_351:
2867 			case BWN_FW_HDR_410:
2868 				dr->dr_rx_bufsize =
2869 				    BWN_DMA0_RX_BUFFERSIZE_FW351;
2870 				dr->dr_frameoffset =
2871 				    BWN_DMA0_RX_FRAMEOFFSET_FW351;
2872 				break;
2873 			case BWN_FW_HDR_598:
2874 				dr->dr_rx_bufsize =
2875 				    BWN_DMA0_RX_BUFFERSIZE_FW598;
2876 				dr->dr_frameoffset =
2877 				    BWN_DMA0_RX_FRAMEOFFSET_FW598;
2878 				break;
2879 			}
2880 		} else
2881 			KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
2882 	}
2883 
2884 	error = bwn_dma_allocringmemory(dr);
2885 	if (error)
2886 		goto fail2;
2887 
2888 	if (for_tx) {
2889 		/*
2890 		 * Assumption: BWN_TXRING_SLOTS can be divided by
2891 		 * BWN_TX_SLOTS_PER_FRAME
2892 		 */
2893 		KASSERT(BWN_TXRING_SLOTS % BWN_TX_SLOTS_PER_FRAME == 0,
2894 		    ("%s:%d: fail", __func__, __LINE__));
2895 
2896 		dr->dr_txhdr_cache = contigmalloc(
2897 		    (dr->dr_numslots / BWN_TX_SLOTS_PER_FRAME) *
2898 		    BWN_MAXTXHDRSIZE, M_DEVBUF, M_ZERO,
2899 		    0, BUS_SPACE_MAXADDR, 8, 0);
2900 		if (dr->dr_txhdr_cache == NULL) {
2901 			device_printf(sc->sc_dev,
2902 			    "can't allocate TX header DMA memory\n");
2903 			goto fail1;
2904 		}
2905 
2906 		/*
2907 		 * Create TX ring DMA stuffs
2908 		 */
2909 		error = bus_dma_tag_create(dma->parent_dtag,
2910 				    BWN_ALIGN, 0,
2911 				    BUS_SPACE_MAXADDR,
2912 				    BUS_SPACE_MAXADDR,
2913 				    NULL, NULL,
2914 				    BWN_HDRSIZE(mac),
2915 				    1,
2916 				    BUS_SPACE_MAXSIZE_32BIT,
2917 				    0,
2918 				    NULL, NULL,
2919 				    &dr->dr_txring_dtag);
2920 		if (error) {
2921 			device_printf(sc->sc_dev,
2922 			    "can't create TX ring DMA tag: TODO frees\n");
2923 			goto fail2;
2924 		}
2925 
2926 		for (i = 0; i < dr->dr_numslots; i += 2) {
2927 			dr->getdesc(dr, i, &desc, &mt);
2928 
2929 			mt->mt_txtype = BWN_DMADESC_METATYPE_HEADER;
2930 			mt->mt_m = NULL;
2931 			mt->mt_ni = NULL;
2932 			mt->mt_islast = 0;
2933 			error = bus_dmamap_create(dr->dr_txring_dtag, 0,
2934 			    &mt->mt_dmap);
2935 			if (error) {
2936 				device_printf(sc->sc_dev,
2937 				     "can't create RX buf DMA map\n");
2938 				goto fail2;
2939 			}
2940 
2941 			dr->getdesc(dr, i + 1, &desc, &mt);
2942 
2943 			mt->mt_txtype = BWN_DMADESC_METATYPE_BODY;
2944 			mt->mt_m = NULL;
2945 			mt->mt_ni = NULL;
2946 			mt->mt_islast = 1;
2947 			error = bus_dmamap_create(dma->txbuf_dtag, 0,
2948 			    &mt->mt_dmap);
2949 			if (error) {
2950 				device_printf(sc->sc_dev,
2951 				     "can't create RX buf DMA map\n");
2952 				goto fail2;
2953 			}
2954 		}
2955 	} else {
2956 		error = bus_dmamap_create(dma->rxbuf_dtag, 0,
2957 		    &dr->dr_spare_dmap);
2958 		if (error) {
2959 			device_printf(sc->sc_dev,
2960 			    "can't create RX buf DMA map\n");
2961 			goto out;		/* XXX wrong! */
2962 		}
2963 
2964 		for (i = 0; i < dr->dr_numslots; i++) {
2965 			dr->getdesc(dr, i, &desc, &mt);
2966 
2967 			error = bus_dmamap_create(dma->rxbuf_dtag, 0,
2968 			    &mt->mt_dmap);
2969 			if (error) {
2970 				device_printf(sc->sc_dev,
2971 				    "can't create RX buf DMA map\n");
2972 				goto out;	/* XXX wrong! */
2973 			}
2974 			error = bwn_dma_newbuf(dr, desc, mt, 1);
2975 			if (error) {
2976 				device_printf(sc->sc_dev,
2977 				    "failed to allocate RX buf\n");
2978 				goto out;	/* XXX wrong! */
2979 			}
2980 		}
2981 
2982 		bus_dmamap_sync(dr->dr_ring_dtag, dr->dr_ring_dmap,
2983 		    BUS_DMASYNC_PREWRITE);
2984 
2985 		dr->dr_usedslot = dr->dr_numslots;
2986 	}
2987 
2988       out:
2989 	return (dr);
2990 
2991 fail2:
2992 	if (dr->dr_txhdr_cache != NULL) {
2993 		contigfree(dr->dr_txhdr_cache,
2994 		    (dr->dr_numslots / BWN_TX_SLOTS_PER_FRAME) *
2995 		    BWN_MAXTXHDRSIZE, M_DEVBUF);
2996 	}
2997 fail1:
2998 	free(dr->dr_meta, M_DEVBUF);
2999 fail0:
3000 	free(dr, M_DEVBUF);
3001 	return (NULL);
3002 }
3003 
3004 static void
3005 bwn_dma_ringfree(struct bwn_dma_ring **dr)
3006 {
3007 
3008 	if (dr == NULL)
3009 		return;
3010 
3011 	bwn_dma_free_descbufs(*dr);
3012 	bwn_dma_free_ringmemory(*dr);
3013 
3014 	if ((*dr)->dr_txhdr_cache != NULL) {
3015 		contigfree((*dr)->dr_txhdr_cache,
3016 		    ((*dr)->dr_numslots / BWN_TX_SLOTS_PER_FRAME) *
3017 		    BWN_MAXTXHDRSIZE, M_DEVBUF);
3018 	}
3019 	free((*dr)->dr_meta, M_DEVBUF);
3020 	free(*dr, M_DEVBUF);
3021 
3022 	*dr = NULL;
3023 }
3024 
3025 static void
3026 bwn_dma_32_getdesc(struct bwn_dma_ring *dr, int slot,
3027     struct bwn_dmadesc_generic **gdesc, struct bwn_dmadesc_meta **meta)
3028 {
3029 	struct bwn_dmadesc32 *desc;
3030 
3031 	*meta = &(dr->dr_meta[slot]);
3032 	desc = dr->dr_ring_descbase;
3033 	desc = &(desc[slot]);
3034 
3035 	*gdesc = (struct bwn_dmadesc_generic *)desc;
3036 }
3037 
3038 static void
3039 bwn_dma_32_setdesc(struct bwn_dma_ring *dr,
3040     struct bwn_dmadesc_generic *desc, bus_addr_t dmaaddr, uint16_t bufsize,
3041     int start, int end, int irq)
3042 {
3043 	struct bwn_dmadesc32		*descbase;
3044 	struct bwn_dma			*dma;
3045 	struct bhnd_dma_translation	*dt;
3046 	uint32_t			 addr, addrext, ctl;
3047 	int				 slot;
3048 
3049 	descbase = dr->dr_ring_descbase;
3050 	dma = &dr->dr_mac->mac_method.dma;
3051 	dt = &dma->translation;
3052 
3053 	slot = (int)(&(desc->dma.dma32) - descbase);
3054 	KASSERT(slot >= 0 && slot < dr->dr_numslots,
3055 	    ("%s:%d: fail", __func__, __LINE__));
3056 
3057 	addr = (dmaaddr & dt->addr_mask) | dt->base_addr;
3058 	addrext = ((dmaaddr & dt->addrext_mask) >> dma->addrext_shift);
3059 	ctl = bufsize & BWN_DMA32_DCTL_BYTECNT;
3060 	if (slot == dr->dr_numslots - 1)
3061 		ctl |= BWN_DMA32_DCTL_DTABLEEND;
3062 	if (start)
3063 		ctl |= BWN_DMA32_DCTL_FRAMESTART;
3064 	if (end)
3065 		ctl |= BWN_DMA32_DCTL_FRAMEEND;
3066 	if (irq)
3067 		ctl |= BWN_DMA32_DCTL_IRQ;
3068 	ctl |= (addrext << BWN_DMA32_DCTL_ADDREXT_SHIFT)
3069 	    & BWN_DMA32_DCTL_ADDREXT_MASK;
3070 
3071 	desc->dma.dma32.control = htole32(ctl);
3072 	desc->dma.dma32.address = htole32(addr);
3073 }
3074 
3075 static void
3076 bwn_dma_32_start_transfer(struct bwn_dma_ring *dr, int slot)
3077 {
3078 
3079 	BWN_DMA_WRITE(dr, BWN_DMA32_TXINDEX,
3080 	    (uint32_t)(slot * sizeof(struct bwn_dmadesc32)));
3081 }
3082 
3083 static void
3084 bwn_dma_32_suspend(struct bwn_dma_ring *dr)
3085 {
3086 
3087 	BWN_DMA_WRITE(dr, BWN_DMA32_TXCTL,
3088 	    BWN_DMA_READ(dr, BWN_DMA32_TXCTL) | BWN_DMA32_TXSUSPEND);
3089 }
3090 
3091 static void
3092 bwn_dma_32_resume(struct bwn_dma_ring *dr)
3093 {
3094 
3095 	BWN_DMA_WRITE(dr, BWN_DMA32_TXCTL,
3096 	    BWN_DMA_READ(dr, BWN_DMA32_TXCTL) & ~BWN_DMA32_TXSUSPEND);
3097 }
3098 
3099 static int
3100 bwn_dma_32_get_curslot(struct bwn_dma_ring *dr)
3101 {
3102 	uint32_t val;
3103 
3104 	val = BWN_DMA_READ(dr, BWN_DMA32_RXSTATUS);
3105 	val &= BWN_DMA32_RXDPTR;
3106 
3107 	return (val / sizeof(struct bwn_dmadesc32));
3108 }
3109 
3110 static void
3111 bwn_dma_32_set_curslot(struct bwn_dma_ring *dr, int slot)
3112 {
3113 
3114 	BWN_DMA_WRITE(dr, BWN_DMA32_RXINDEX,
3115 	    (uint32_t) (slot * sizeof(struct bwn_dmadesc32)));
3116 }
3117 
3118 static void
3119 bwn_dma_64_getdesc(struct bwn_dma_ring *dr, int slot,
3120     struct bwn_dmadesc_generic **gdesc, struct bwn_dmadesc_meta **meta)
3121 {
3122 	struct bwn_dmadesc64 *desc;
3123 
3124 	*meta = &(dr->dr_meta[slot]);
3125 	desc = dr->dr_ring_descbase;
3126 	desc = &(desc[slot]);
3127 
3128 	*gdesc = (struct bwn_dmadesc_generic *)desc;
3129 }
3130 
3131 static void
3132 bwn_dma_64_setdesc(struct bwn_dma_ring *dr,
3133     struct bwn_dmadesc_generic *desc, bus_addr_t dmaaddr, uint16_t bufsize,
3134     int start, int end, int irq)
3135 {
3136 	struct bwn_dmadesc64		*descbase;
3137 	struct bwn_dma			*dma;
3138 	struct bhnd_dma_translation	*dt;
3139 	bhnd_addr_t			 addr;
3140 	uint32_t			 addrhi, addrlo;
3141 	uint32_t			 addrext;
3142 	uint32_t			 ctl0, ctl1;
3143 	int				 slot;
3144 
3145 	descbase = dr->dr_ring_descbase;
3146 	dma = &dr->dr_mac->mac_method.dma;
3147 	dt = &dma->translation;
3148 
3149 	slot = (int)(&(desc->dma.dma64) - descbase);
3150 	KASSERT(slot >= 0 && slot < dr->dr_numslots,
3151 	    ("%s:%d: fail", __func__, __LINE__));
3152 
3153 	addr = (dmaaddr & dt->addr_mask) | dt->base_addr;
3154 	addrhi = (addr >> 32);
3155 	addrlo = (addr & UINT32_MAX);
3156 	addrext = ((dmaaddr & dt->addrext_mask) >> dma->addrext_shift);
3157 
3158 	ctl0 = 0;
3159 	if (slot == dr->dr_numslots - 1)
3160 		ctl0 |= BWN_DMA64_DCTL0_DTABLEEND;
3161 	if (start)
3162 		ctl0 |= BWN_DMA64_DCTL0_FRAMESTART;
3163 	if (end)
3164 		ctl0 |= BWN_DMA64_DCTL0_FRAMEEND;
3165 	if (irq)
3166 		ctl0 |= BWN_DMA64_DCTL0_IRQ;
3167 
3168 	ctl1 = 0;
3169 	ctl1 |= bufsize & BWN_DMA64_DCTL1_BYTECNT;
3170 	ctl1 |= (addrext << BWN_DMA64_DCTL1_ADDREXT_SHIFT)
3171 	    & BWN_DMA64_DCTL1_ADDREXT_MASK;
3172 
3173 	desc->dma.dma64.control0 = htole32(ctl0);
3174 	desc->dma.dma64.control1 = htole32(ctl1);
3175 	desc->dma.dma64.address_low = htole32(addrlo);
3176 	desc->dma.dma64.address_high = htole32(addrhi);
3177 }
3178 
3179 static void
3180 bwn_dma_64_start_transfer(struct bwn_dma_ring *dr, int slot)
3181 {
3182 
3183 	BWN_DMA_WRITE(dr, BWN_DMA64_TXINDEX,
3184 	    (uint32_t)(slot * sizeof(struct bwn_dmadesc64)));
3185 }
3186 
3187 static void
3188 bwn_dma_64_suspend(struct bwn_dma_ring *dr)
3189 {
3190 
3191 	BWN_DMA_WRITE(dr, BWN_DMA64_TXCTL,
3192 	    BWN_DMA_READ(dr, BWN_DMA64_TXCTL) | BWN_DMA64_TXSUSPEND);
3193 }
3194 
3195 static void
3196 bwn_dma_64_resume(struct bwn_dma_ring *dr)
3197 {
3198 
3199 	BWN_DMA_WRITE(dr, BWN_DMA64_TXCTL,
3200 	    BWN_DMA_READ(dr, BWN_DMA64_TXCTL) & ~BWN_DMA64_TXSUSPEND);
3201 }
3202 
3203 static int
3204 bwn_dma_64_get_curslot(struct bwn_dma_ring *dr)
3205 {
3206 	uint32_t val;
3207 
3208 	val = BWN_DMA_READ(dr, BWN_DMA64_RXSTATUS);
3209 	val &= BWN_DMA64_RXSTATDPTR;
3210 
3211 	return (val / sizeof(struct bwn_dmadesc64));
3212 }
3213 
3214 static void
3215 bwn_dma_64_set_curslot(struct bwn_dma_ring *dr, int slot)
3216 {
3217 
3218 	BWN_DMA_WRITE(dr, BWN_DMA64_RXINDEX,
3219 	    (uint32_t)(slot * sizeof(struct bwn_dmadesc64)));
3220 }
3221 
3222 static int
3223 bwn_dma_allocringmemory(struct bwn_dma_ring *dr)
3224 {
3225 	struct bwn_mac *mac = dr->dr_mac;
3226 	struct bwn_dma *dma = &mac->mac_method.dma;
3227 	struct bwn_softc *sc = mac->mac_sc;
3228 	int error;
3229 
3230 	error = bus_dma_tag_create(dma->parent_dtag,
3231 			    BWN_ALIGN, 0,
3232 			    BUS_SPACE_MAXADDR,
3233 			    BUS_SPACE_MAXADDR,
3234 			    NULL, NULL,
3235 			    BWN_DMA_RINGMEMSIZE,
3236 			    1,
3237 			    BUS_SPACE_MAXSIZE_32BIT,
3238 			    0,
3239 			    NULL, NULL,
3240 			    &dr->dr_ring_dtag);
3241 	if (error) {
3242 		device_printf(sc->sc_dev,
3243 		    "can't create TX ring DMA tag: TODO frees\n");
3244 		return (-1);
3245 	}
3246 
3247 	error = bus_dmamem_alloc(dr->dr_ring_dtag,
3248 	    &dr->dr_ring_descbase, BUS_DMA_WAITOK | BUS_DMA_ZERO,
3249 	    &dr->dr_ring_dmap);
3250 	if (error) {
3251 		device_printf(sc->sc_dev,
3252 		    "can't allocate DMA mem: TODO frees\n");
3253 		return (-1);
3254 	}
3255 	error = bus_dmamap_load(dr->dr_ring_dtag, dr->dr_ring_dmap,
3256 	    dr->dr_ring_descbase, BWN_DMA_RINGMEMSIZE,
3257 	    bwn_dma_ring_addr, &dr->dr_ring_dmabase, BUS_DMA_NOWAIT);
3258 	if (error) {
3259 		device_printf(sc->sc_dev,
3260 		    "can't load DMA mem: TODO free\n");
3261 		return (-1);
3262 	}
3263 
3264 	return (0);
3265 }
3266 
3267 static void
3268 bwn_dma_setup(struct bwn_dma_ring *dr)
3269 {
3270 	struct bwn_mac			*mac;
3271 	struct bwn_dma			*dma;
3272 	struct bhnd_dma_translation	*dt;
3273 	bhnd_addr_t			 addr, paddr;
3274 	uint32_t			 addrhi, addrlo, addrext, value;
3275 
3276 	mac = dr->dr_mac;
3277 	dma = &mac->mac_method.dma;
3278 	dt = &dma->translation;
3279 
3280 	paddr = dr->dr_ring_dmabase;
3281 	addr = (paddr & dt->addr_mask) | dt->base_addr;
3282 	addrhi = (addr >> 32);
3283 	addrlo = (addr & UINT32_MAX);
3284 	addrext = ((paddr & dt->addrext_mask) >> dma->addrext_shift);
3285 
3286 	if (dr->dr_tx) {
3287 		dr->dr_curslot = -1;
3288 
3289 		if (dr->dr_type == BHND_DMA_ADDR_64BIT) {
3290 			value = BWN_DMA64_TXENABLE;
3291 			value |= BWN_DMA64_TXPARITY_DISABLE;
3292 			value |= (addrext << BWN_DMA64_TXADDREXT_SHIFT)
3293 			    & BWN_DMA64_TXADDREXT_MASK;
3294 			BWN_DMA_WRITE(dr, BWN_DMA64_TXCTL, value);
3295 			BWN_DMA_WRITE(dr, BWN_DMA64_TXRINGLO, addrlo);
3296 			BWN_DMA_WRITE(dr, BWN_DMA64_TXRINGHI, addrhi);
3297 		} else {
3298 			value = BWN_DMA32_TXENABLE;
3299 			value |= BWN_DMA32_TXPARITY_DISABLE;
3300 			value |= (addrext << BWN_DMA32_TXADDREXT_SHIFT)
3301 			    & BWN_DMA32_TXADDREXT_MASK;
3302 			BWN_DMA_WRITE(dr, BWN_DMA32_TXCTL, value);
3303 			BWN_DMA_WRITE(dr, BWN_DMA32_TXRING, addrlo);
3304 		}
3305 		return;
3306 	}
3307 
3308 	/*
3309 	 * set for RX
3310 	 */
3311 	dr->dr_usedslot = dr->dr_numslots;
3312 
3313 	if (dr->dr_type == BHND_DMA_ADDR_64BIT) {
3314 		value = (dr->dr_frameoffset << BWN_DMA64_RXFROFF_SHIFT);
3315 		value |= BWN_DMA64_RXENABLE;
3316 		value |= BWN_DMA64_RXPARITY_DISABLE;
3317 		value |= (addrext << BWN_DMA64_RXADDREXT_SHIFT)
3318 		    & BWN_DMA64_RXADDREXT_MASK;
3319 		BWN_DMA_WRITE(dr, BWN_DMA64_RXCTL, value);
3320 		BWN_DMA_WRITE(dr, BWN_DMA64_RXRINGLO, addrlo);
3321 		BWN_DMA_WRITE(dr, BWN_DMA64_RXRINGHI, addrhi);
3322 		BWN_DMA_WRITE(dr, BWN_DMA64_RXINDEX, dr->dr_numslots *
3323 		    sizeof(struct bwn_dmadesc64));
3324 	} else {
3325 		value = (dr->dr_frameoffset << BWN_DMA32_RXFROFF_SHIFT);
3326 		value |= BWN_DMA32_RXENABLE;
3327 		value |= BWN_DMA32_RXPARITY_DISABLE;
3328 		value |= (addrext << BWN_DMA32_RXADDREXT_SHIFT)
3329 		    & BWN_DMA32_RXADDREXT_MASK;
3330 		BWN_DMA_WRITE(dr, BWN_DMA32_RXCTL, value);
3331 		BWN_DMA_WRITE(dr, BWN_DMA32_RXRING, addrlo);
3332 		BWN_DMA_WRITE(dr, BWN_DMA32_RXINDEX, dr->dr_numslots *
3333 		    sizeof(struct bwn_dmadesc32));
3334 	}
3335 }
3336 
3337 static void
3338 bwn_dma_free_ringmemory(struct bwn_dma_ring *dr)
3339 {
3340 
3341 	bus_dmamap_unload(dr->dr_ring_dtag, dr->dr_ring_dmap);
3342 	bus_dmamem_free(dr->dr_ring_dtag, dr->dr_ring_descbase,
3343 	    dr->dr_ring_dmap);
3344 }
3345 
3346 static void
3347 bwn_dma_cleanup(struct bwn_dma_ring *dr)
3348 {
3349 
3350 	if (dr->dr_tx) {
3351 		bwn_dma_tx_reset(dr->dr_mac, dr->dr_base, dr->dr_type);
3352 		if (dr->dr_type == BHND_DMA_ADDR_64BIT) {
3353 			BWN_DMA_WRITE(dr, BWN_DMA64_TXRINGLO, 0);
3354 			BWN_DMA_WRITE(dr, BWN_DMA64_TXRINGHI, 0);
3355 		} else
3356 			BWN_DMA_WRITE(dr, BWN_DMA32_TXRING, 0);
3357 	} else {
3358 		bwn_dma_rx_reset(dr->dr_mac, dr->dr_base, dr->dr_type);
3359 		if (dr->dr_type == BHND_DMA_ADDR_64BIT) {
3360 			BWN_DMA_WRITE(dr, BWN_DMA64_RXRINGLO, 0);
3361 			BWN_DMA_WRITE(dr, BWN_DMA64_RXRINGHI, 0);
3362 		} else
3363 			BWN_DMA_WRITE(dr, BWN_DMA32_RXRING, 0);
3364 	}
3365 }
3366 
3367 static void
3368 bwn_dma_free_descbufs(struct bwn_dma_ring *dr)
3369 {
3370 	struct bwn_dmadesc_generic *desc;
3371 	struct bwn_dmadesc_meta *meta;
3372 	struct bwn_mac *mac = dr->dr_mac;
3373 	struct bwn_dma *dma = &mac->mac_method.dma;
3374 	struct bwn_softc *sc = mac->mac_sc;
3375 	int i;
3376 
3377 	if (!dr->dr_usedslot)
3378 		return;
3379 	for (i = 0; i < dr->dr_numslots; i++) {
3380 		dr->getdesc(dr, i, &desc, &meta);
3381 
3382 		if (meta->mt_m == NULL) {
3383 			if (!dr->dr_tx)
3384 				device_printf(sc->sc_dev, "%s: not TX?\n",
3385 				    __func__);
3386 			continue;
3387 		}
3388 		if (dr->dr_tx) {
3389 			if (meta->mt_txtype == BWN_DMADESC_METATYPE_HEADER)
3390 				bus_dmamap_unload(dr->dr_txring_dtag,
3391 				    meta->mt_dmap);
3392 			else if (meta->mt_txtype == BWN_DMADESC_METATYPE_BODY)
3393 				bus_dmamap_unload(dma->txbuf_dtag,
3394 				    meta->mt_dmap);
3395 		} else
3396 			bus_dmamap_unload(dma->rxbuf_dtag, meta->mt_dmap);
3397 		bwn_dma_free_descbuf(dr, meta);
3398 	}
3399 }
3400 
3401 static int
3402 bwn_dma_tx_reset(struct bwn_mac *mac, uint16_t base,
3403     int type)
3404 {
3405 	struct bwn_softc *sc = mac->mac_sc;
3406 	uint32_t value;
3407 	int i;
3408 	uint16_t offset;
3409 
3410 	for (i = 0; i < 10; i++) {
3411 		offset = (type == BHND_DMA_ADDR_64BIT) ? BWN_DMA64_TXSTATUS :
3412 		    BWN_DMA32_TXSTATUS;
3413 		value = BWN_READ_4(mac, base + offset);
3414 		if (type == BHND_DMA_ADDR_64BIT) {
3415 			value &= BWN_DMA64_TXSTAT;
3416 			if (value == BWN_DMA64_TXSTAT_DISABLED ||
3417 			    value == BWN_DMA64_TXSTAT_IDLEWAIT ||
3418 			    value == BWN_DMA64_TXSTAT_STOPPED)
3419 				break;
3420 		} else {
3421 			value &= BWN_DMA32_TXSTATE;
3422 			if (value == BWN_DMA32_TXSTAT_DISABLED ||
3423 			    value == BWN_DMA32_TXSTAT_IDLEWAIT ||
3424 			    value == BWN_DMA32_TXSTAT_STOPPED)
3425 				break;
3426 		}
3427 		DELAY(1000);
3428 	}
3429 	offset = (type == BHND_DMA_ADDR_64BIT) ? BWN_DMA64_TXCTL :
3430 	    BWN_DMA32_TXCTL;
3431 	BWN_WRITE_4(mac, base + offset, 0);
3432 	for (i = 0; i < 10; i++) {
3433 		offset = (type == BHND_DMA_ADDR_64BIT) ? BWN_DMA64_TXSTATUS :
3434 		    BWN_DMA32_TXSTATUS;
3435 		value = BWN_READ_4(mac, base + offset);
3436 		if (type == BHND_DMA_ADDR_64BIT) {
3437 			value &= BWN_DMA64_TXSTAT;
3438 			if (value == BWN_DMA64_TXSTAT_DISABLED) {
3439 				i = -1;
3440 				break;
3441 			}
3442 		} else {
3443 			value &= BWN_DMA32_TXSTATE;
3444 			if (value == BWN_DMA32_TXSTAT_DISABLED) {
3445 				i = -1;
3446 				break;
3447 			}
3448 		}
3449 		DELAY(1000);
3450 	}
3451 	if (i != -1) {
3452 		device_printf(sc->sc_dev, "%s: timed out\n", __func__);
3453 		return (ENODEV);
3454 	}
3455 	DELAY(1000);
3456 
3457 	return (0);
3458 }
3459 
3460 static int
3461 bwn_dma_rx_reset(struct bwn_mac *mac, uint16_t base,
3462     int type)
3463 {
3464 	struct bwn_softc *sc = mac->mac_sc;
3465 	uint32_t value;
3466 	int i;
3467 	uint16_t offset;
3468 
3469 	offset = (type == BHND_DMA_ADDR_64BIT) ? BWN_DMA64_RXCTL :
3470 	    BWN_DMA32_RXCTL;
3471 	BWN_WRITE_4(mac, base + offset, 0);
3472 	for (i = 0; i < 10; i++) {
3473 		offset = (type == BHND_DMA_ADDR_64BIT) ? BWN_DMA64_RXSTATUS :
3474 		    BWN_DMA32_RXSTATUS;
3475 		value = BWN_READ_4(mac, base + offset);
3476 		if (type == BHND_DMA_ADDR_64BIT) {
3477 			value &= BWN_DMA64_RXSTAT;
3478 			if (value == BWN_DMA64_RXSTAT_DISABLED) {
3479 				i = -1;
3480 				break;
3481 			}
3482 		} else {
3483 			value &= BWN_DMA32_RXSTATE;
3484 			if (value == BWN_DMA32_RXSTAT_DISABLED) {
3485 				i = -1;
3486 				break;
3487 			}
3488 		}
3489 		DELAY(1000);
3490 	}
3491 	if (i != -1) {
3492 		device_printf(sc->sc_dev, "%s: timed out\n", __func__);
3493 		return (ENODEV);
3494 	}
3495 
3496 	return (0);
3497 }
3498 
3499 static void
3500 bwn_dma_free_descbuf(struct bwn_dma_ring *dr,
3501     struct bwn_dmadesc_meta *meta)
3502 {
3503 
3504 	if (meta->mt_m != NULL) {
3505 		m_freem(meta->mt_m);
3506 		meta->mt_m = NULL;
3507 	}
3508 	if (meta->mt_ni != NULL) {
3509 		ieee80211_free_node(meta->mt_ni);
3510 		meta->mt_ni = NULL;
3511 	}
3512 }
3513 
3514 static void
3515 bwn_dma_set_redzone(struct bwn_dma_ring *dr, struct mbuf *m)
3516 {
3517 	struct bwn_rxhdr4 *rxhdr;
3518 	unsigned char *frame;
3519 
3520 	rxhdr = mtod(m, struct bwn_rxhdr4 *);
3521 	rxhdr->frame_len = 0;
3522 
3523 	KASSERT(dr->dr_rx_bufsize >= dr->dr_frameoffset +
3524 	    sizeof(struct bwn_plcp6) + 2,
3525 	    ("%s:%d: fail", __func__, __LINE__));
3526 	frame = mtod(m, char *) + dr->dr_frameoffset;
3527 	memset(frame, 0xff, sizeof(struct bwn_plcp6) + 2 /* padding */);
3528 }
3529 
3530 static uint8_t
3531 bwn_dma_check_redzone(struct bwn_dma_ring *dr, struct mbuf *m)
3532 {
3533 	unsigned char *f = mtod(m, char *) + dr->dr_frameoffset;
3534 
3535 	return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7])
3536 	    == 0xff);
3537 }
3538 
3539 static void
3540 bwn_wme_init(struct bwn_mac *mac)
3541 {
3542 
3543 	bwn_wme_load(mac);
3544 
3545 	/* enable WME support. */
3546 	bwn_hf_write(mac, bwn_hf_read(mac) | BWN_HF_EDCF);
3547 	BWN_WRITE_2(mac, BWN_IFSCTL, BWN_READ_2(mac, BWN_IFSCTL) |
3548 	    BWN_IFSCTL_USE_EDCF);
3549 }
3550 
3551 static void
3552 bwn_spu_setdelay(struct bwn_mac *mac, int idle)
3553 {
3554 	struct bwn_softc *sc = mac->mac_sc;
3555 	struct ieee80211com *ic = &sc->sc_ic;
3556 	uint16_t delay;	/* microsec */
3557 
3558 	delay = (mac->mac_phy.type == BWN_PHYTYPE_A) ? 3700 : 1050;
3559 	if (ic->ic_opmode == IEEE80211_M_IBSS || idle)
3560 		delay = 500;
3561 	if ((mac->mac_phy.rf_ver == 0x2050) && (mac->mac_phy.rf_rev == 8))
3562 		delay = max(delay, (uint16_t)2400);
3563 
3564 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_SPU_WAKEUP, delay);
3565 }
3566 
3567 static void
3568 bwn_bt_enable(struct bwn_mac *mac)
3569 {
3570 	struct bwn_softc *sc = mac->mac_sc;
3571 	uint64_t hf;
3572 
3573 	if (bwn_bluetooth == 0)
3574 		return;
3575 	if ((sc->sc_board_info.board_flags & BHND_BFL_BTCOEX) == 0)
3576 		return;
3577 	if (mac->mac_phy.type != BWN_PHYTYPE_B && !mac->mac_phy.gmode)
3578 		return;
3579 
3580 	hf = bwn_hf_read(mac);
3581 	if (sc->sc_board_info.board_flags & BHND_BFL_BTC2WIRE_ALTGPIO)
3582 		hf |= BWN_HF_BT_COEXISTALT;
3583 	else
3584 		hf |= BWN_HF_BT_COEXIST;
3585 	bwn_hf_write(mac, hf);
3586 }
3587 
3588 static void
3589 bwn_set_macaddr(struct bwn_mac *mac)
3590 {
3591 
3592 	bwn_mac_write_bssid(mac);
3593 	bwn_mac_setfilter(mac, BWN_MACFILTER_SELF,
3594 	    mac->mac_sc->sc_ic.ic_macaddr);
3595 }
3596 
3597 static void
3598 bwn_clear_keys(struct bwn_mac *mac)
3599 {
3600 	int i;
3601 
3602 	for (i = 0; i < mac->mac_max_nr_keys; i++) {
3603 		KASSERT(i >= 0 && i < mac->mac_max_nr_keys,
3604 		    ("%s:%d: fail", __func__, __LINE__));
3605 
3606 		bwn_key_dowrite(mac, i, BWN_SEC_ALGO_NONE,
3607 		    NULL, BWN_SEC_KEYSIZE, NULL);
3608 		if ((i <= 3) && !BWN_SEC_NEWAPI(mac)) {
3609 			bwn_key_dowrite(mac, i + 4, BWN_SEC_ALGO_NONE,
3610 			    NULL, BWN_SEC_KEYSIZE, NULL);
3611 		}
3612 		mac->mac_key[i].keyconf = NULL;
3613 	}
3614 }
3615 
3616 static void
3617 bwn_crypt_init(struct bwn_mac *mac)
3618 {
3619 	struct bwn_softc *sc = mac->mac_sc;
3620 
3621 	mac->mac_max_nr_keys = (bhnd_get_hwrev(sc->sc_dev) >= 5) ? 58 : 20;
3622 	KASSERT(mac->mac_max_nr_keys <= N(mac->mac_key),
3623 	    ("%s:%d: fail", __func__, __LINE__));
3624 	mac->mac_ktp = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_KEY_TABLEP);
3625 	mac->mac_ktp *= 2;
3626 	if (bhnd_get_hwrev(sc->sc_dev) >= 5)
3627 		BWN_WRITE_2(mac, BWN_RCMTA_COUNT, mac->mac_max_nr_keys - 8);
3628 	bwn_clear_keys(mac);
3629 }
3630 
3631 static void
3632 bwn_chip_exit(struct bwn_mac *mac)
3633 {
3634 	bwn_phy_exit(mac);
3635 }
3636 
3637 static int
3638 bwn_fw_fillinfo(struct bwn_mac *mac)
3639 {
3640 	int error;
3641 
3642 	error = bwn_fw_gets(mac, BWN_FWTYPE_DEFAULT);
3643 	if (error == 0)
3644 		return (0);
3645 	error = bwn_fw_gets(mac, BWN_FWTYPE_OPENSOURCE);
3646 	if (error == 0)
3647 		return (0);
3648 	return (error);
3649 }
3650 
3651 /**
3652  * Request that the GPIO controller tristate all pins set in @p mask, granting
3653  * the MAC core control over the pins.
3654  *
3655  * @param mac	bwn MAC state.
3656  * @param pins	If the bit position for a pin number is set to one, tristate the
3657  *		pin.
3658  */
3659 int
3660 bwn_gpio_control(struct bwn_mac *mac, uint32_t pins)
3661 {
3662 	struct bwn_softc	*sc;
3663 	uint32_t		 flags[32];
3664 	int			 error;
3665 
3666 	sc = mac->mac_sc;
3667 
3668 	/* Determine desired pin flags */
3669 	for (size_t pin = 0; pin < nitems(flags); pin++) {
3670 		uint32_t pinbit = (1 << pin);
3671 
3672 		if (pins & pinbit) {
3673 			/* Tristate output */
3674 			flags[pin] = GPIO_PIN_OUTPUT|GPIO_PIN_TRISTATE;
3675 		} else {
3676 			/* Leave unmodified */
3677 			flags[pin] = 0;
3678 		}
3679 	}
3680 
3681 	/* Configure all pins */
3682 	error = GPIO_PIN_CONFIG_32(sc->sc_gpio, 0, nitems(flags), flags);
3683 	if (error) {
3684 		device_printf(sc->sc_dev, "error configuring %s pin flags: "
3685 		    "%d\n", device_get_nameunit(sc->sc_gpio), error);
3686 		return (error);
3687 	}
3688 
3689 	return (0);
3690 }
3691 
3692 static int
3693 bwn_gpio_init(struct bwn_mac *mac)
3694 {
3695 	struct bwn_softc	*sc;
3696 	uint32_t		 pins;
3697 
3698 	sc = mac->mac_sc;
3699 
3700 	pins = 0xF;
3701 
3702 	BWN_WRITE_4(mac, BWN_MACCTL,
3703 	    BWN_READ_4(mac, BWN_MACCTL) & ~BWN_MACCTL_GPOUT_MASK);
3704 	BWN_WRITE_2(mac, BWN_GPIO_MASK,
3705 	    BWN_READ_2(mac, BWN_GPIO_MASK) | pins);
3706 
3707 	if (sc->sc_board_info.board_flags & BHND_BFL_PACTRL) {
3708 		/* MAC core is responsible for toggling PAREF via gpio9 */
3709 		BWN_WRITE_2(mac, BWN_GPIO_MASK,
3710 		    BWN_READ_2(mac, BWN_GPIO_MASK) | BHND_GPIO_BOARD_PACTRL);
3711 
3712 		pins |= BHND_GPIO_BOARD_PACTRL;
3713 	}
3714 
3715 	return (bwn_gpio_control(mac, pins));
3716 }
3717 
3718 static int
3719 bwn_fw_loadinitvals(struct bwn_mac *mac)
3720 {
3721 #define	GETFWOFFSET(fwp, offset)				\
3722 	((const struct bwn_fwinitvals *)((const char *)fwp.fw->data + offset))
3723 	const size_t hdr_len = sizeof(struct bwn_fwhdr);
3724 	const struct bwn_fwhdr *hdr;
3725 	struct bwn_fw *fw = &mac->mac_fw;
3726 	int error;
3727 
3728 	hdr = (const struct bwn_fwhdr *)(fw->initvals.fw->data);
3729 	error = bwn_fwinitvals_write(mac, GETFWOFFSET(fw->initvals, hdr_len),
3730 	    be32toh(hdr->size), fw->initvals.fw->datasize - hdr_len);
3731 	if (error)
3732 		return (error);
3733 	if (fw->initvals_band.fw) {
3734 		hdr = (const struct bwn_fwhdr *)(fw->initvals_band.fw->data);
3735 		error = bwn_fwinitvals_write(mac,
3736 		    GETFWOFFSET(fw->initvals_band, hdr_len),
3737 		    be32toh(hdr->size),
3738 		    fw->initvals_band.fw->datasize - hdr_len);
3739 	}
3740 	return (error);
3741 #undef GETFWOFFSET
3742 }
3743 
3744 static int
3745 bwn_phy_init(struct bwn_mac *mac)
3746 {
3747 	struct bwn_softc *sc = mac->mac_sc;
3748 	int error;
3749 
3750 	mac->mac_phy.chan = mac->mac_phy.get_default_chan(mac);
3751 	mac->mac_phy.rf_onoff(mac, 1);
3752 	error = mac->mac_phy.init(mac);
3753 	if (error) {
3754 		device_printf(sc->sc_dev, "PHY init failed\n");
3755 		goto fail0;
3756 	}
3757 	error = bwn_switch_channel(mac,
3758 	    mac->mac_phy.get_default_chan(mac));
3759 	if (error) {
3760 		device_printf(sc->sc_dev,
3761 		    "failed to switch default channel\n");
3762 		goto fail1;
3763 	}
3764 	return (0);
3765 fail1:
3766 	if (mac->mac_phy.exit)
3767 		mac->mac_phy.exit(mac);
3768 fail0:
3769 	mac->mac_phy.rf_onoff(mac, 0);
3770 
3771 	return (error);
3772 }
3773 
3774 static void
3775 bwn_set_txantenna(struct bwn_mac *mac, int antenna)
3776 {
3777 	uint16_t ant;
3778 	uint16_t tmp;
3779 
3780 	ant = bwn_ant2phy(antenna);
3781 
3782 	/* For ACK/CTS */
3783 	tmp = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_ACKCTS_PHYCTL);
3784 	tmp = (tmp & ~BWN_TX_PHY_ANT) | ant;
3785 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_ACKCTS_PHYCTL, tmp);
3786 	/* For Probe Resposes */
3787 	tmp = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_PROBE_RESP_PHYCTL);
3788 	tmp = (tmp & ~BWN_TX_PHY_ANT) | ant;
3789 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_PROBE_RESP_PHYCTL, tmp);
3790 }
3791 
3792 static void
3793 bwn_set_opmode(struct bwn_mac *mac)
3794 {
3795 	struct bwn_softc *sc = mac->mac_sc;
3796 	struct ieee80211com *ic = &sc->sc_ic;
3797 	uint32_t ctl;
3798 	uint16_t cfp_pretbtt;
3799 
3800 	ctl = BWN_READ_4(mac, BWN_MACCTL);
3801 	ctl &= ~(BWN_MACCTL_HOSTAP | BWN_MACCTL_PASS_CTL |
3802 	    BWN_MACCTL_PASS_BADPLCP | BWN_MACCTL_PASS_BADFCS |
3803 	    BWN_MACCTL_PROMISC | BWN_MACCTL_BEACON_PROMISC);
3804 	ctl |= BWN_MACCTL_STA;
3805 
3806 	if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
3807 	    ic->ic_opmode == IEEE80211_M_MBSS)
3808 		ctl |= BWN_MACCTL_HOSTAP;
3809 	else if (ic->ic_opmode == IEEE80211_M_IBSS)
3810 		ctl &= ~BWN_MACCTL_STA;
3811 	ctl |= sc->sc_filters;
3812 
3813 	if (bhnd_get_hwrev(sc->sc_dev) <= 4)
3814 		ctl |= BWN_MACCTL_PROMISC;
3815 
3816 	BWN_WRITE_4(mac, BWN_MACCTL, ctl);
3817 
3818 	cfp_pretbtt = 2;
3819 	if ((ctl & BWN_MACCTL_STA) && !(ctl & BWN_MACCTL_HOSTAP)) {
3820 		if (sc->sc_cid.chip_id == BHND_CHIPID_BCM4306 &&
3821 		    sc->sc_cid.chip_rev == 3)
3822 			cfp_pretbtt = 100;
3823 		else
3824 			cfp_pretbtt = 50;
3825 	}
3826 	BWN_WRITE_2(mac, 0x612, cfp_pretbtt);
3827 }
3828 
3829 static void
3830 bwn_dma_ring_addr(void *arg, bus_dma_segment_t *seg, int nseg, int error)
3831 {
3832 	if (!error) {
3833 		KASSERT(nseg == 1, ("too many segments(%d)\n", nseg));
3834 		*((bus_addr_t *)arg) = seg->ds_addr;
3835 	}
3836 }
3837 
3838 void
3839 bwn_dummy_transmission(struct bwn_mac *mac, int ofdm, int paon)
3840 {
3841 	struct bwn_phy *phy = &mac->mac_phy;
3842 	struct bwn_softc *sc = mac->mac_sc;
3843 	unsigned int i, max_loop;
3844 	uint16_t value;
3845 	uint32_t buffer[5] = {
3846 		0x00000000, 0x00d40000, 0x00000000, 0x01000000, 0x00000000
3847 	};
3848 
3849 	if (ofdm) {
3850 		max_loop = 0x1e;
3851 		buffer[0] = 0x000201cc;
3852 	} else {
3853 		max_loop = 0xfa;
3854 		buffer[0] = 0x000b846e;
3855 	}
3856 
3857 	BWN_ASSERT_LOCKED(mac->mac_sc);
3858 
3859 	for (i = 0; i < 5; i++)
3860 		bwn_ram_write(mac, i * 4, buffer[i]);
3861 
3862 	BWN_WRITE_2(mac, 0x0568, 0x0000);
3863 	BWN_WRITE_2(mac, 0x07c0,
3864 	    (bhnd_get_hwrev(sc->sc_dev) < 11) ? 0x0000 : 0x0100);
3865 
3866 	value = (ofdm ? 0x41 : 0x40);
3867 	BWN_WRITE_2(mac, 0x050c, value);
3868 
3869 	if (phy->type == BWN_PHYTYPE_N || phy->type == BWN_PHYTYPE_LP ||
3870 	    phy->type == BWN_PHYTYPE_LCN)
3871 		BWN_WRITE_2(mac, 0x0514, 0x1a02);
3872 	BWN_WRITE_2(mac, 0x0508, 0x0000);
3873 	BWN_WRITE_2(mac, 0x050a, 0x0000);
3874 	BWN_WRITE_2(mac, 0x054c, 0x0000);
3875 	BWN_WRITE_2(mac, 0x056a, 0x0014);
3876 	BWN_WRITE_2(mac, 0x0568, 0x0826);
3877 	BWN_WRITE_2(mac, 0x0500, 0x0000);
3878 
3879 	/* XXX TODO: n phy pa override? */
3880 
3881 	switch (phy->type) {
3882 	case BWN_PHYTYPE_N:
3883 	case BWN_PHYTYPE_LCN:
3884 		BWN_WRITE_2(mac, 0x0502, 0x00d0);
3885 		break;
3886 	case BWN_PHYTYPE_LP:
3887 		BWN_WRITE_2(mac, 0x0502, 0x0050);
3888 		break;
3889 	default:
3890 		BWN_WRITE_2(mac, 0x0502, 0x0030);
3891 		break;
3892 	}
3893 
3894 	/* flush */
3895 	BWN_READ_2(mac, 0x0502);
3896 
3897 	if (phy->rf_ver == 0x2050 && phy->rf_rev <= 0x5)
3898 		BWN_RF_WRITE(mac, 0x0051, 0x0017);
3899 	for (i = 0x00; i < max_loop; i++) {
3900 		value = BWN_READ_2(mac, 0x050e);
3901 		if (value & 0x0080)
3902 			break;
3903 		DELAY(10);
3904 	}
3905 	for (i = 0x00; i < 0x0a; i++) {
3906 		value = BWN_READ_2(mac, 0x050e);
3907 		if (value & 0x0400)
3908 			break;
3909 		DELAY(10);
3910 	}
3911 	for (i = 0x00; i < 0x19; i++) {
3912 		value = BWN_READ_2(mac, 0x0690);
3913 		if (!(value & 0x0100))
3914 			break;
3915 		DELAY(10);
3916 	}
3917 	if (phy->rf_ver == 0x2050 && phy->rf_rev <= 0x5)
3918 		BWN_RF_WRITE(mac, 0x0051, 0x0037);
3919 }
3920 
3921 void
3922 bwn_ram_write(struct bwn_mac *mac, uint16_t offset, uint32_t val)
3923 {
3924 	uint32_t macctl;
3925 
3926 	KASSERT(offset % 4 == 0, ("%s:%d: fail", __func__, __LINE__));
3927 
3928 	macctl = BWN_READ_4(mac, BWN_MACCTL);
3929 	if (macctl & BWN_MACCTL_BIGENDIAN)
3930 		printf("TODO: need swap\n");
3931 
3932 	BWN_WRITE_4(mac, BWN_RAM_CONTROL, offset);
3933 	BWN_BARRIER(mac, BWN_RAM_CONTROL, 4, BUS_SPACE_BARRIER_WRITE);
3934 	BWN_WRITE_4(mac, BWN_RAM_DATA, val);
3935 }
3936 
3937 void
3938 bwn_mac_suspend(struct bwn_mac *mac)
3939 {
3940 	struct bwn_softc *sc = mac->mac_sc;
3941 	int i;
3942 	uint32_t tmp;
3943 
3944 	KASSERT(mac->mac_suspended >= 0,
3945 	    ("%s:%d: fail", __func__, __LINE__));
3946 
3947 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: suspended=%d\n",
3948 	    __func__, mac->mac_suspended);
3949 
3950 	if (mac->mac_suspended == 0) {
3951 		bwn_psctl(mac, BWN_PS_AWAKE);
3952 		BWN_WRITE_4(mac, BWN_MACCTL,
3953 			    BWN_READ_4(mac, BWN_MACCTL)
3954 			    & ~BWN_MACCTL_ON);
3955 		BWN_READ_4(mac, BWN_MACCTL);
3956 		for (i = 35; i; i--) {
3957 			tmp = BWN_READ_4(mac, BWN_INTR_REASON);
3958 			if (tmp & BWN_INTR_MAC_SUSPENDED)
3959 				goto out;
3960 			DELAY(10);
3961 		}
3962 		for (i = 40; i; i--) {
3963 			tmp = BWN_READ_4(mac, BWN_INTR_REASON);
3964 			if (tmp & BWN_INTR_MAC_SUSPENDED)
3965 				goto out;
3966 			DELAY(1000);
3967 		}
3968 		device_printf(sc->sc_dev, "MAC suspend failed\n");
3969 	}
3970 out:
3971 	mac->mac_suspended++;
3972 }
3973 
3974 void
3975 bwn_mac_enable(struct bwn_mac *mac)
3976 {
3977 	struct bwn_softc *sc = mac->mac_sc;
3978 	uint16_t state;
3979 
3980 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: suspended=%d\n",
3981 	    __func__, mac->mac_suspended);
3982 
3983 	state = bwn_shm_read_2(mac, BWN_SHARED,
3984 	    BWN_SHARED_UCODESTAT);
3985 	if (state != BWN_SHARED_UCODESTAT_SUSPEND &&
3986 	    state != BWN_SHARED_UCODESTAT_SLEEP) {
3987 		DPRINTF(sc, BWN_DEBUG_FW,
3988 		    "%s: warn: firmware state (%d)\n",
3989 		    __func__, state);
3990 	}
3991 
3992 	mac->mac_suspended--;
3993 	KASSERT(mac->mac_suspended >= 0,
3994 	    ("%s:%d: fail", __func__, __LINE__));
3995 	if (mac->mac_suspended == 0) {
3996 		BWN_WRITE_4(mac, BWN_MACCTL,
3997 		    BWN_READ_4(mac, BWN_MACCTL) | BWN_MACCTL_ON);
3998 		BWN_WRITE_4(mac, BWN_INTR_REASON, BWN_INTR_MAC_SUSPENDED);
3999 		BWN_READ_4(mac, BWN_MACCTL);
4000 		BWN_READ_4(mac, BWN_INTR_REASON);
4001 		bwn_psctl(mac, 0);
4002 	}
4003 }
4004 
4005 void
4006 bwn_psctl(struct bwn_mac *mac, uint32_t flags)
4007 {
4008 	struct bwn_softc *sc = mac->mac_sc;
4009 	int i;
4010 	uint16_t ucstat;
4011 
4012 	KASSERT(!((flags & BWN_PS_ON) && (flags & BWN_PS_OFF)),
4013 	    ("%s:%d: fail", __func__, __LINE__));
4014 	KASSERT(!((flags & BWN_PS_AWAKE) && (flags & BWN_PS_ASLEEP)),
4015 	    ("%s:%d: fail", __func__, __LINE__));
4016 
4017 	/* XXX forcibly awake and hwps-off */
4018 
4019 	BWN_WRITE_4(mac, BWN_MACCTL,
4020 	    (BWN_READ_4(mac, BWN_MACCTL) | BWN_MACCTL_AWAKE) &
4021 	    ~BWN_MACCTL_HWPS);
4022 	BWN_READ_4(mac, BWN_MACCTL);
4023 	if (bhnd_get_hwrev(sc->sc_dev) >= 5) {
4024 		for (i = 0; i < 100; i++) {
4025 			ucstat = bwn_shm_read_2(mac, BWN_SHARED,
4026 			    BWN_SHARED_UCODESTAT);
4027 			if (ucstat != BWN_SHARED_UCODESTAT_SLEEP)
4028 				break;
4029 			DELAY(10);
4030 		}
4031 	}
4032 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: ucstat=%d\n", __func__,
4033 	    ucstat);
4034 }
4035 
4036 static int
4037 bwn_fw_gets(struct bwn_mac *mac, enum bwn_fwtype type)
4038 {
4039 	struct bwn_softc *sc = mac->mac_sc;
4040 	struct bwn_fw *fw = &mac->mac_fw;
4041 	const uint8_t rev = bhnd_get_hwrev(sc->sc_dev);
4042 	const char *filename;
4043 	uint16_t iost;
4044 	int error;
4045 
4046 	/* microcode */
4047 	filename = NULL;
4048 	switch (rev) {
4049 	case 42:
4050 		if (mac->mac_phy.type == BWN_PHYTYPE_AC)
4051 			filename = "ucode42";
4052 		break;
4053 	case 40:
4054 		if (mac->mac_phy.type == BWN_PHYTYPE_AC)
4055 			filename = "ucode40";
4056 		break;
4057 	case 33:
4058 		if (mac->mac_phy.type == BWN_PHYTYPE_LCN40)
4059 			filename = "ucode33_lcn40";
4060 		break;
4061 	case 30:
4062 		if (mac->mac_phy.type == BWN_PHYTYPE_N)
4063 			filename = "ucode30_mimo";
4064 		break;
4065 	case 29:
4066 		if (mac->mac_phy.type == BWN_PHYTYPE_HT)
4067 			filename = "ucode29_mimo";
4068 		break;
4069 	case 26:
4070 		if (mac->mac_phy.type == BWN_PHYTYPE_HT)
4071 			filename = "ucode26_mimo";
4072 		break;
4073 	case 28:
4074 	case 25:
4075 		if (mac->mac_phy.type == BWN_PHYTYPE_N)
4076 			filename = "ucode25_mimo";
4077 		else if (mac->mac_phy.type == BWN_PHYTYPE_LCN)
4078 			filename = "ucode25_lcn";
4079 		break;
4080 	case 24:
4081 		if (mac->mac_phy.type == BWN_PHYTYPE_LCN)
4082 			filename = "ucode24_lcn";
4083 		break;
4084 	case 23:
4085 		if (mac->mac_phy.type == BWN_PHYTYPE_N)
4086 			filename = "ucode16_mimo";
4087 		break;
4088 	case 16:
4089 	case 17:
4090 	case 18:
4091 	case 19:
4092 		if (mac->mac_phy.type == BWN_PHYTYPE_N)
4093 			filename = "ucode16_mimo";
4094 		else if (mac->mac_phy.type == BWN_PHYTYPE_LP)
4095 			filename = "ucode16_lp";
4096 		break;
4097 	case 15:
4098 		filename = "ucode15";
4099 		break;
4100 	case 14:
4101 		filename = "ucode14";
4102 		break;
4103 	case 13:
4104 		filename = "ucode13";
4105 		break;
4106 	case 12:
4107 	case 11:
4108 		filename = "ucode11";
4109 		break;
4110 	case 10:
4111 	case 9:
4112 	case 8:
4113 	case 7:
4114 	case 6:
4115 	case 5:
4116 		filename = "ucode5";
4117 		break;
4118 	default:
4119 		device_printf(sc->sc_dev, "no ucode for rev %d\n", rev);
4120 		bwn_release_firmware(mac);
4121 		return (EOPNOTSUPP);
4122 	}
4123 
4124 	device_printf(sc->sc_dev, "ucode fw: %s\n", filename);
4125 	error = bwn_fw_get(mac, type, filename, &fw->ucode);
4126 	if (error) {
4127 		bwn_release_firmware(mac);
4128 		return (error);
4129 	}
4130 
4131 	/* PCM */
4132 	KASSERT(fw->no_pcmfile == 0, ("%s:%d fail", __func__, __LINE__));
4133 	if (rev >= 5 && rev <= 10) {
4134 		error = bwn_fw_get(mac, type, "pcm5", &fw->pcm);
4135 		if (error == ENOENT)
4136 			fw->no_pcmfile = 1;
4137 		else if (error) {
4138 			bwn_release_firmware(mac);
4139 			return (error);
4140 		}
4141 	} else if (rev < 11) {
4142 		device_printf(sc->sc_dev, "no PCM for rev %d\n", rev);
4143 		bwn_release_firmware(mac);
4144 		return (EOPNOTSUPP);
4145 	}
4146 
4147 	/* initvals */
4148 	error = bhnd_read_iost(sc->sc_dev, &iost);
4149 	if (error)
4150 		goto fail1;
4151 
4152 	switch (mac->mac_phy.type) {
4153 	case BWN_PHYTYPE_A:
4154 		if (rev < 5 || rev > 10)
4155 			goto fail1;
4156 		if (iost & BWN_IOST_HAVE_2GHZ)
4157 			filename = "a0g1initvals5";
4158 		else
4159 			filename = "a0g0initvals5";
4160 		break;
4161 	case BWN_PHYTYPE_G:
4162 		if (rev >= 5 && rev <= 10)
4163 			filename = "b0g0initvals5";
4164 		else if (rev >= 13)
4165 			filename = "b0g0initvals13";
4166 		else
4167 			goto fail1;
4168 		break;
4169 	case BWN_PHYTYPE_LP:
4170 		if (rev == 13)
4171 			filename = "lp0initvals13";
4172 		else if (rev == 14)
4173 			filename = "lp0initvals14";
4174 		else if (rev >= 15)
4175 			filename = "lp0initvals15";
4176 		else
4177 			goto fail1;
4178 		break;
4179 	case BWN_PHYTYPE_N:
4180 		if (rev == 30)
4181 			filename = "n16initvals30";
4182 		else if (rev == 28 || rev == 25)
4183 			filename = "n0initvals25";
4184 		else if (rev == 24)
4185 			filename = "n0initvals24";
4186 		else if (rev == 23)
4187 			filename = "n0initvals16";
4188 		else if (rev >= 16 && rev <= 18)
4189 			filename = "n0initvals16";
4190 		else if (rev >= 11 && rev <= 12)
4191 			filename = "n0initvals11";
4192 		else
4193 			goto fail1;
4194 		break;
4195 	default:
4196 		goto fail1;
4197 	}
4198 	error = bwn_fw_get(mac, type, filename, &fw->initvals);
4199 	if (error) {
4200 		bwn_release_firmware(mac);
4201 		return (error);
4202 	}
4203 
4204 	/* bandswitch initvals */
4205 	switch (mac->mac_phy.type) {
4206 	case BWN_PHYTYPE_A:
4207 		if (rev >= 5 && rev <= 10) {
4208 			if (iost & BWN_IOST_HAVE_2GHZ)
4209 				filename = "a0g1bsinitvals5";
4210 			else
4211 				filename = "a0g0bsinitvals5";
4212 		} else if (rev >= 11)
4213 			filename = NULL;
4214 		else
4215 			goto fail1;
4216 		break;
4217 	case BWN_PHYTYPE_G:
4218 		if (rev >= 5 && rev <= 10)
4219 			filename = "b0g0bsinitvals5";
4220 		else if (rev >= 11)
4221 			filename = NULL;
4222 		else
4223 			goto fail1;
4224 		break;
4225 	case BWN_PHYTYPE_LP:
4226 		if (rev == 13)
4227 			filename = "lp0bsinitvals13";
4228 		else if (rev == 14)
4229 			filename = "lp0bsinitvals14";
4230 		else if (rev >= 15)
4231 			filename = "lp0bsinitvals15";
4232 		else
4233 			goto fail1;
4234 		break;
4235 	case BWN_PHYTYPE_N:
4236 		if (rev == 30)
4237 			filename = "n16bsinitvals30";
4238 		else if (rev == 28 || rev == 25)
4239 			filename = "n0bsinitvals25";
4240 		else if (rev == 24)
4241 			filename = "n0bsinitvals24";
4242 		else if (rev == 23)
4243 			filename = "n0bsinitvals16";
4244 		else if (rev >= 16 && rev <= 18)
4245 			filename = "n0bsinitvals16";
4246 		else if (rev >= 11 && rev <= 12)
4247 			filename = "n0bsinitvals11";
4248 		else
4249 			goto fail1;
4250 		break;
4251 	default:
4252 		device_printf(sc->sc_dev, "unknown phy (%d)\n",
4253 		    mac->mac_phy.type);
4254 		goto fail1;
4255 	}
4256 	error = bwn_fw_get(mac, type, filename, &fw->initvals_band);
4257 	if (error) {
4258 		bwn_release_firmware(mac);
4259 		return (error);
4260 	}
4261 	return (0);
4262 fail1:
4263 	device_printf(sc->sc_dev, "no INITVALS for rev %d, phy.type %d\n",
4264 	    rev, mac->mac_phy.type);
4265 	bwn_release_firmware(mac);
4266 	return (EOPNOTSUPP);
4267 }
4268 
4269 static int
4270 bwn_fw_get(struct bwn_mac *mac, enum bwn_fwtype type,
4271     const char *name, struct bwn_fwfile *bfw)
4272 {
4273 	const struct bwn_fwhdr *hdr;
4274 	struct bwn_softc *sc = mac->mac_sc;
4275 	const struct firmware *fw;
4276 	char namebuf[64];
4277 
4278 	if (name == NULL) {
4279 		bwn_do_release_fw(bfw);
4280 		return (0);
4281 	}
4282 	if (bfw->filename != NULL) {
4283 		if (bfw->type == type && (strcmp(bfw->filename, name) == 0))
4284 			return (0);
4285 		bwn_do_release_fw(bfw);
4286 	}
4287 
4288 	snprintf(namebuf, sizeof(namebuf), "bwn%s_v4_%s%s",
4289 	    (type == BWN_FWTYPE_OPENSOURCE) ? "-open" : "",
4290 	    (mac->mac_phy.type == BWN_PHYTYPE_LP) ? "lp_" : "", name);
4291 	/* XXX Sleeping on "fwload" with the non-sleepable locks held */
4292 	fw = firmware_get(namebuf);
4293 	if (fw == NULL) {
4294 		device_printf(sc->sc_dev, "the fw file(%s) not found\n",
4295 		    namebuf);
4296 		return (ENOENT);
4297 	}
4298 	if (fw->datasize < sizeof(struct bwn_fwhdr))
4299 		goto fail;
4300 	hdr = (const struct bwn_fwhdr *)(fw->data);
4301 	switch (hdr->type) {
4302 	case BWN_FWTYPE_UCODE:
4303 	case BWN_FWTYPE_PCM:
4304 		if (be32toh(hdr->size) !=
4305 		    (fw->datasize - sizeof(struct bwn_fwhdr)))
4306 			goto fail;
4307 		/* FALLTHROUGH */
4308 	case BWN_FWTYPE_IV:
4309 		if (hdr->ver != 1)
4310 			goto fail;
4311 		break;
4312 	default:
4313 		goto fail;
4314 	}
4315 	bfw->filename = name;
4316 	bfw->fw = fw;
4317 	bfw->type = type;
4318 	return (0);
4319 fail:
4320 	device_printf(sc->sc_dev, "the fw file(%s) format error\n", namebuf);
4321 	if (fw != NULL)
4322 		firmware_put(fw, FIRMWARE_UNLOAD);
4323 	return (EPROTO);
4324 }
4325 
4326 static void
4327 bwn_release_firmware(struct bwn_mac *mac)
4328 {
4329 
4330 	bwn_do_release_fw(&mac->mac_fw.ucode);
4331 	bwn_do_release_fw(&mac->mac_fw.pcm);
4332 	bwn_do_release_fw(&mac->mac_fw.initvals);
4333 	bwn_do_release_fw(&mac->mac_fw.initvals_band);
4334 }
4335 
4336 static void
4337 bwn_do_release_fw(struct bwn_fwfile *bfw)
4338 {
4339 
4340 	if (bfw->fw != NULL)
4341 		firmware_put(bfw->fw, FIRMWARE_UNLOAD);
4342 	bfw->fw = NULL;
4343 	bfw->filename = NULL;
4344 }
4345 
4346 static int
4347 bwn_fw_loaducode(struct bwn_mac *mac)
4348 {
4349 #define	GETFWOFFSET(fwp, offset)	\
4350 	((const uint32_t *)((const char *)fwp.fw->data + offset))
4351 #define	GETFWSIZE(fwp, offset)	\
4352 	((fwp.fw->datasize - offset) / sizeof(uint32_t))
4353 	struct bwn_softc *sc = mac->mac_sc;
4354 	const uint32_t *data;
4355 	unsigned int i;
4356 	uint32_t ctl;
4357 	uint16_t date, fwcaps, time;
4358 	int error = 0;
4359 
4360 	ctl = BWN_READ_4(mac, BWN_MACCTL);
4361 	ctl |= BWN_MACCTL_MCODE_JMP0;
4362 	KASSERT(!(ctl & BWN_MACCTL_MCODE_RUN), ("%s:%d: fail", __func__,
4363 	    __LINE__));
4364 	BWN_WRITE_4(mac, BWN_MACCTL, ctl);
4365 	for (i = 0; i < 64; i++)
4366 		bwn_shm_write_2(mac, BWN_SCRATCH, i, 0);
4367 	for (i = 0; i < 4096; i += 2)
4368 		bwn_shm_write_2(mac, BWN_SHARED, i, 0);
4369 
4370 	data = GETFWOFFSET(mac->mac_fw.ucode, sizeof(struct bwn_fwhdr));
4371 	bwn_shm_ctlword(mac, BWN_UCODE | BWN_SHARED_AUTOINC, 0x0000);
4372 	for (i = 0; i < GETFWSIZE(mac->mac_fw.ucode, sizeof(struct bwn_fwhdr));
4373 	     i++) {
4374 		BWN_WRITE_4(mac, BWN_SHM_DATA, be32toh(data[i]));
4375 		DELAY(10);
4376 	}
4377 
4378 	if (mac->mac_fw.pcm.fw) {
4379 		data = GETFWOFFSET(mac->mac_fw.pcm, sizeof(struct bwn_fwhdr));
4380 		bwn_shm_ctlword(mac, BWN_HW, 0x01ea);
4381 		BWN_WRITE_4(mac, BWN_SHM_DATA, 0x00004000);
4382 		bwn_shm_ctlword(mac, BWN_HW, 0x01eb);
4383 		for (i = 0; i < GETFWSIZE(mac->mac_fw.pcm,
4384 		    sizeof(struct bwn_fwhdr)); i++) {
4385 			BWN_WRITE_4(mac, BWN_SHM_DATA, be32toh(data[i]));
4386 			DELAY(10);
4387 		}
4388 	}
4389 
4390 	BWN_WRITE_4(mac, BWN_INTR_REASON, BWN_INTR_ALL);
4391 	BWN_WRITE_4(mac, BWN_MACCTL,
4392 	    (BWN_READ_4(mac, BWN_MACCTL) & ~BWN_MACCTL_MCODE_JMP0) |
4393 	    BWN_MACCTL_MCODE_RUN);
4394 
4395 	for (i = 0; i < 21; i++) {
4396 		if (BWN_READ_4(mac, BWN_INTR_REASON) == BWN_INTR_MAC_SUSPENDED)
4397 			break;
4398 		if (i >= 20) {
4399 			device_printf(sc->sc_dev, "ucode timeout\n");
4400 			error = ENXIO;
4401 			goto error;
4402 		}
4403 		DELAY(50000);
4404 	}
4405 	BWN_READ_4(mac, BWN_INTR_REASON);
4406 
4407 	mac->mac_fw.rev = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_UCODE_REV);
4408 	if (mac->mac_fw.rev <= 0x128) {
4409 		device_printf(sc->sc_dev, "the firmware is too old\n");
4410 		error = EOPNOTSUPP;
4411 		goto error;
4412 	}
4413 
4414 	/*
4415 	 * Determine firmware header version; needed for TX/RX packet
4416 	 * handling.
4417 	 */
4418 	if (mac->mac_fw.rev >= 598)
4419 		mac->mac_fw.fw_hdr_format = BWN_FW_HDR_598;
4420 	else if (mac->mac_fw.rev >= 410)
4421 		mac->mac_fw.fw_hdr_format = BWN_FW_HDR_410;
4422 	else
4423 		mac->mac_fw.fw_hdr_format = BWN_FW_HDR_351;
4424 
4425 	/*
4426 	 * We don't support rev 598 or later; that requires
4427 	 * another round of changes to the TX/RX descriptor
4428 	 * and status layout.
4429 	 *
4430 	 * So, complain this is the case and exit out, rather
4431 	 * than attaching and then failing.
4432 	 */
4433 #if 0
4434 	if (mac->mac_fw.fw_hdr_format == BWN_FW_HDR_598) {
4435 		device_printf(sc->sc_dev,
4436 		    "firmware is too new (>=598); not supported\n");
4437 		error = EOPNOTSUPP;
4438 		goto error;
4439 	}
4440 #endif
4441 
4442 	mac->mac_fw.patch = bwn_shm_read_2(mac, BWN_SHARED,
4443 	    BWN_SHARED_UCODE_PATCH);
4444 	date = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_UCODE_DATE);
4445 	mac->mac_fw.opensource = (date == 0xffff);
4446 	if (bwn_wme != 0)
4447 		mac->mac_flags |= BWN_MAC_FLAG_WME;
4448 	mac->mac_flags |= BWN_MAC_FLAG_HWCRYPTO;
4449 
4450 	time = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_UCODE_TIME);
4451 	if (mac->mac_fw.opensource == 0) {
4452 		device_printf(sc->sc_dev,
4453 		    "firmware version (rev %u patch %u date %#x time %#x)\n",
4454 		    mac->mac_fw.rev, mac->mac_fw.patch, date, time);
4455 		if (mac->mac_fw.no_pcmfile)
4456 			device_printf(sc->sc_dev,
4457 			    "no HW crypto acceleration due to pcm5\n");
4458 	} else {
4459 		mac->mac_fw.patch = time;
4460 		fwcaps = bwn_fwcaps_read(mac);
4461 		if (!(fwcaps & BWN_FWCAPS_HWCRYPTO) || mac->mac_fw.no_pcmfile) {
4462 			device_printf(sc->sc_dev,
4463 			    "disabling HW crypto acceleration\n");
4464 			mac->mac_flags &= ~BWN_MAC_FLAG_HWCRYPTO;
4465 		}
4466 		if (!(fwcaps & BWN_FWCAPS_WME)) {
4467 			device_printf(sc->sc_dev, "disabling WME support\n");
4468 			mac->mac_flags &= ~BWN_MAC_FLAG_WME;
4469 		}
4470 	}
4471 
4472 	if (BWN_ISOLDFMT(mac))
4473 		device_printf(sc->sc_dev, "using old firmware image\n");
4474 
4475 	return (0);
4476 
4477 error:
4478 	BWN_WRITE_4(mac, BWN_MACCTL,
4479 	    (BWN_READ_4(mac, BWN_MACCTL) & ~BWN_MACCTL_MCODE_RUN) |
4480 	    BWN_MACCTL_MCODE_JMP0);
4481 
4482 	return (error);
4483 #undef GETFWSIZE
4484 #undef GETFWOFFSET
4485 }
4486 
4487 /* OpenFirmware only */
4488 static uint16_t
4489 bwn_fwcaps_read(struct bwn_mac *mac)
4490 {
4491 
4492 	KASSERT(mac->mac_fw.opensource == 1,
4493 	    ("%s:%d: fail", __func__, __LINE__));
4494 	return (bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_FWCAPS));
4495 }
4496 
4497 static int
4498 bwn_fwinitvals_write(struct bwn_mac *mac, const struct bwn_fwinitvals *ivals,
4499     size_t count, size_t array_size)
4500 {
4501 #define	GET_NEXTIV16(iv)						\
4502 	((const struct bwn_fwinitvals *)((const uint8_t *)(iv) +	\
4503 	    sizeof(uint16_t) + sizeof(uint16_t)))
4504 #define	GET_NEXTIV32(iv)						\
4505 	((const struct bwn_fwinitvals *)((const uint8_t *)(iv) +	\
4506 	    sizeof(uint16_t) + sizeof(uint32_t)))
4507 	struct bwn_softc *sc = mac->mac_sc;
4508 	const struct bwn_fwinitvals *iv;
4509 	uint16_t offset;
4510 	size_t i;
4511 	uint8_t bit32;
4512 
4513 	KASSERT(sizeof(struct bwn_fwinitvals) == 6,
4514 	    ("%s:%d: fail", __func__, __LINE__));
4515 	iv = ivals;
4516 	for (i = 0; i < count; i++) {
4517 		if (array_size < sizeof(iv->offset_size))
4518 			goto fail;
4519 		array_size -= sizeof(iv->offset_size);
4520 		offset = be16toh(iv->offset_size);
4521 		bit32 = (offset & BWN_FWINITVALS_32BIT) ? 1 : 0;
4522 		offset &= BWN_FWINITVALS_OFFSET_MASK;
4523 		if (offset >= 0x1000)
4524 			goto fail;
4525 		if (bit32) {
4526 			if (array_size < sizeof(iv->data.d32))
4527 				goto fail;
4528 			array_size -= sizeof(iv->data.d32);
4529 			BWN_WRITE_4(mac, offset, be32toh(iv->data.d32));
4530 			iv = GET_NEXTIV32(iv);
4531 		} else {
4532 			if (array_size < sizeof(iv->data.d16))
4533 				goto fail;
4534 			array_size -= sizeof(iv->data.d16);
4535 			BWN_WRITE_2(mac, offset, be16toh(iv->data.d16));
4536 
4537 			iv = GET_NEXTIV16(iv);
4538 		}
4539 	}
4540 	if (array_size != 0)
4541 		goto fail;
4542 	return (0);
4543 fail:
4544 	device_printf(sc->sc_dev, "initvals: invalid format\n");
4545 	return (EPROTO);
4546 #undef GET_NEXTIV16
4547 #undef GET_NEXTIV32
4548 }
4549 
4550 int
4551 bwn_switch_channel(struct bwn_mac *mac, int chan)
4552 {
4553 	struct bwn_phy *phy = &(mac->mac_phy);
4554 	struct bwn_softc *sc = mac->mac_sc;
4555 	struct ieee80211com *ic = &sc->sc_ic;
4556 	uint16_t channelcookie, savedcookie;
4557 	int error;
4558 
4559 	if (chan == 0xffff)
4560 		chan = phy->get_default_chan(mac);
4561 
4562 	channelcookie = chan;
4563 	if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan))
4564 		channelcookie |= 0x100;
4565 	savedcookie = bwn_shm_read_2(mac, BWN_SHARED, BWN_SHARED_CHAN);
4566 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_CHAN, channelcookie);
4567 	error = phy->switch_channel(mac, chan);
4568 	if (error)
4569 		goto fail;
4570 
4571 	mac->mac_phy.chan = chan;
4572 	DELAY(8000);
4573 	return (0);
4574 fail:
4575 	device_printf(sc->sc_dev, "failed to switch channel\n");
4576 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_CHAN, savedcookie);
4577 	return (error);
4578 }
4579 
4580 static uint16_t
4581 bwn_ant2phy(int antenna)
4582 {
4583 
4584 	switch (antenna) {
4585 	case BWN_ANT0:
4586 		return (BWN_TX_PHY_ANT0);
4587 	case BWN_ANT1:
4588 		return (BWN_TX_PHY_ANT1);
4589 	case BWN_ANT2:
4590 		return (BWN_TX_PHY_ANT2);
4591 	case BWN_ANT3:
4592 		return (BWN_TX_PHY_ANT3);
4593 	case BWN_ANTAUTO:
4594 		return (BWN_TX_PHY_ANT01AUTO);
4595 	}
4596 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
4597 	return (0);
4598 }
4599 
4600 static void
4601 bwn_wme_load(struct bwn_mac *mac)
4602 {
4603 	struct bwn_softc *sc = mac->mac_sc;
4604 	int i;
4605 
4606 	KASSERT(N(bwn_wme_shm_offsets) == N(sc->sc_wmeParams),
4607 	    ("%s:%d: fail", __func__, __LINE__));
4608 
4609 	bwn_mac_suspend(mac);
4610 	for (i = 0; i < N(sc->sc_wmeParams); i++)
4611 		bwn_wme_loadparams(mac, &(sc->sc_wmeParams[i]),
4612 		    bwn_wme_shm_offsets[i]);
4613 	bwn_mac_enable(mac);
4614 }
4615 
4616 static void
4617 bwn_wme_loadparams(struct bwn_mac *mac,
4618     const struct wmeParams *p, uint16_t shm_offset)
4619 {
4620 	struct bwn_softc *sc = mac->mac_sc;
4621 	uint16_t params[BWN_NR_WMEPARAMS];
4622 	int slot, tmp;
4623 	unsigned int i;
4624 
4625 	slot = BWN_READ_2(mac, BWN_RNG) &
4626 	    _IEEE80211_SHIFTMASK(p->wmep_logcwmin, WME_PARAM_LOGCWMIN);
4627 
4628 	memset(&params, 0, sizeof(params));
4629 
4630 	DPRINTF(sc, BWN_DEBUG_WME, "wmep_txopLimit %d wmep_logcwmin %d "
4631 	    "wmep_logcwmax %d wmep_aifsn %d\n", p->wmep_txopLimit,
4632 	    p->wmep_logcwmin, p->wmep_logcwmax, p->wmep_aifsn);
4633 
4634 	params[BWN_WMEPARAM_TXOP] = p->wmep_txopLimit * 32;
4635 	params[BWN_WMEPARAM_CWMIN] =
4636 	    _IEEE80211_SHIFTMASK(p->wmep_logcwmin, WME_PARAM_LOGCWMIN);
4637 	params[BWN_WMEPARAM_CWMAX] =
4638 	     _IEEE80211_SHIFTMASK(p->wmep_logcwmax, WME_PARAM_LOGCWMAX);
4639 	params[BWN_WMEPARAM_CWCUR] =
4640 	     _IEEE80211_SHIFTMASK(p->wmep_logcwmin, WME_PARAM_LOGCWMIN);
4641 	params[BWN_WMEPARAM_AIFS] = p->wmep_aifsn;
4642 	params[BWN_WMEPARAM_BSLOTS] = slot;
4643 	params[BWN_WMEPARAM_REGGAP] = slot + p->wmep_aifsn;
4644 
4645 	for (i = 0; i < N(params); i++) {
4646 		if (i == BWN_WMEPARAM_STATUS) {
4647 			tmp = bwn_shm_read_2(mac, BWN_SHARED,
4648 			    shm_offset + (i * 2));
4649 			tmp |= 0x100;
4650 			bwn_shm_write_2(mac, BWN_SHARED, shm_offset + (i * 2),
4651 			    tmp);
4652 		} else {
4653 			bwn_shm_write_2(mac, BWN_SHARED, shm_offset + (i * 2),
4654 			    params[i]);
4655 		}
4656 	}
4657 }
4658 
4659 static void
4660 bwn_mac_write_bssid(struct bwn_mac *mac)
4661 {
4662 	struct bwn_softc *sc = mac->mac_sc;
4663 	uint32_t tmp;
4664 	int i;
4665 	uint8_t mac_bssid[IEEE80211_ADDR_LEN * 2];
4666 
4667 	bwn_mac_setfilter(mac, BWN_MACFILTER_BSSID, sc->sc_bssid);
4668 	memcpy(mac_bssid, sc->sc_ic.ic_macaddr, IEEE80211_ADDR_LEN);
4669 	memcpy(mac_bssid + IEEE80211_ADDR_LEN, sc->sc_bssid,
4670 	    IEEE80211_ADDR_LEN);
4671 
4672 	for (i = 0; i < N(mac_bssid); i += sizeof(uint32_t)) {
4673 		tmp = (uint32_t) (mac_bssid[i + 0]);
4674 		tmp |= (uint32_t) (mac_bssid[i + 1]) << 8;
4675 		tmp |= (uint32_t) (mac_bssid[i + 2]) << 16;
4676 		tmp |= (uint32_t) (mac_bssid[i + 3]) << 24;
4677 		bwn_ram_write(mac, 0x20 + i, tmp);
4678 	}
4679 }
4680 
4681 static void
4682 bwn_mac_setfilter(struct bwn_mac *mac, uint16_t offset,
4683     const uint8_t *macaddr)
4684 {
4685 	static const uint8_t zero[IEEE80211_ADDR_LEN] = { 0 };
4686 	uint16_t data;
4687 
4688 	if (!mac)
4689 		macaddr = zero;
4690 
4691 	offset |= 0x0020;
4692 	BWN_WRITE_2(mac, BWN_MACFILTER_CONTROL, offset);
4693 
4694 	data = macaddr[0];
4695 	data |= macaddr[1] << 8;
4696 	BWN_WRITE_2(mac, BWN_MACFILTER_DATA, data);
4697 	data = macaddr[2];
4698 	data |= macaddr[3] << 8;
4699 	BWN_WRITE_2(mac, BWN_MACFILTER_DATA, data);
4700 	data = macaddr[4];
4701 	data |= macaddr[5] << 8;
4702 	BWN_WRITE_2(mac, BWN_MACFILTER_DATA, data);
4703 }
4704 
4705 static void
4706 bwn_key_dowrite(struct bwn_mac *mac, uint8_t index, uint8_t algorithm,
4707     const uint8_t *key, size_t key_len, const uint8_t *mac_addr)
4708 {
4709 	uint8_t buf[BWN_SEC_KEYSIZE] = { 0, };
4710 	uint8_t per_sta_keys_start = 8;
4711 
4712 	if (BWN_SEC_NEWAPI(mac))
4713 		per_sta_keys_start = 4;
4714 
4715 	KASSERT(index < mac->mac_max_nr_keys,
4716 	    ("%s:%d: fail", __func__, __LINE__));
4717 	KASSERT(key_len <= BWN_SEC_KEYSIZE,
4718 	    ("%s:%d: fail", __func__, __LINE__));
4719 
4720 	if (index >= per_sta_keys_start)
4721 		bwn_key_macwrite(mac, index, NULL);
4722 	if (key)
4723 		memcpy(buf, key, key_len);
4724 	bwn_key_write(mac, index, algorithm, buf);
4725 	if (index >= per_sta_keys_start)
4726 		bwn_key_macwrite(mac, index, mac_addr);
4727 
4728 	mac->mac_key[index].algorithm = algorithm;
4729 }
4730 
4731 static void
4732 bwn_key_macwrite(struct bwn_mac *mac, uint8_t index, const uint8_t *addr)
4733 {
4734 	struct bwn_softc *sc = mac->mac_sc;
4735 	uint32_t addrtmp[2] = { 0, 0 };
4736 	uint8_t start = 8;
4737 
4738 	if (BWN_SEC_NEWAPI(mac))
4739 		start = 4;
4740 
4741 	KASSERT(index >= start,
4742 	    ("%s:%d: fail", __func__, __LINE__));
4743 	index -= start;
4744 
4745 	if (addr) {
4746 		addrtmp[0] = addr[0];
4747 		addrtmp[0] |= ((uint32_t) (addr[1]) << 8);
4748 		addrtmp[0] |= ((uint32_t) (addr[2]) << 16);
4749 		addrtmp[0] |= ((uint32_t) (addr[3]) << 24);
4750 		addrtmp[1] = addr[4];
4751 		addrtmp[1] |= ((uint32_t) (addr[5]) << 8);
4752 	}
4753 
4754 	if (bhnd_get_hwrev(sc->sc_dev) >= 5) {
4755 		bwn_shm_write_4(mac, BWN_RCMTA, (index * 2) + 0, addrtmp[0]);
4756 		bwn_shm_write_2(mac, BWN_RCMTA, (index * 2) + 1, addrtmp[1]);
4757 	} else {
4758 		if (index >= 8) {
4759 			bwn_shm_write_4(mac, BWN_SHARED,
4760 			    BWN_SHARED_PSM + (index * 6) + 0, addrtmp[0]);
4761 			bwn_shm_write_2(mac, BWN_SHARED,
4762 			    BWN_SHARED_PSM + (index * 6) + 4, addrtmp[1]);
4763 		}
4764 	}
4765 }
4766 
4767 static void
4768 bwn_key_write(struct bwn_mac *mac, uint8_t index, uint8_t algorithm,
4769     const uint8_t *key)
4770 {
4771 	unsigned int i;
4772 	uint32_t offset;
4773 	uint16_t kidx, value;
4774 
4775 	kidx = BWN_SEC_KEY2FW(mac, index);
4776 	bwn_shm_write_2(mac, BWN_SHARED,
4777 	    BWN_SHARED_KEYIDX_BLOCK + (kidx * 2), (kidx << 4) | algorithm);
4778 
4779 	offset = mac->mac_ktp + (index * BWN_SEC_KEYSIZE);
4780 	for (i = 0; i < BWN_SEC_KEYSIZE; i += 2) {
4781 		value = key[i];
4782 		value |= (uint16_t)(key[i + 1]) << 8;
4783 		bwn_shm_write_2(mac, BWN_SHARED, offset + i, value);
4784 	}
4785 }
4786 
4787 static void
4788 bwn_phy_exit(struct bwn_mac *mac)
4789 {
4790 
4791 	mac->mac_phy.rf_onoff(mac, 0);
4792 	if (mac->mac_phy.exit != NULL)
4793 		mac->mac_phy.exit(mac);
4794 }
4795 
4796 static void
4797 bwn_dma_free(struct bwn_mac *mac)
4798 {
4799 	struct bwn_dma *dma;
4800 
4801 	if ((mac->mac_flags & BWN_MAC_FLAG_DMA) == 0)
4802 		return;
4803 	dma = &mac->mac_method.dma;
4804 
4805 	bwn_dma_ringfree(&dma->rx);
4806 	bwn_dma_ringfree(&dma->wme[WME_AC_BK]);
4807 	bwn_dma_ringfree(&dma->wme[WME_AC_BE]);
4808 	bwn_dma_ringfree(&dma->wme[WME_AC_VI]);
4809 	bwn_dma_ringfree(&dma->wme[WME_AC_VO]);
4810 	bwn_dma_ringfree(&dma->mcast);
4811 }
4812 
4813 static void
4814 bwn_core_stop(struct bwn_mac *mac)
4815 {
4816 	struct bwn_softc *sc = mac->mac_sc;
4817 
4818 	BWN_ASSERT_LOCKED(sc);
4819 
4820 	if (mac->mac_status < BWN_MAC_STATUS_STARTED)
4821 		return;
4822 
4823 	callout_stop(&sc->sc_rfswitch_ch);
4824 	callout_stop(&sc->sc_task_ch);
4825 	callout_stop(&sc->sc_watchdog_ch);
4826 	sc->sc_watchdog_timer = 0;
4827 	BWN_WRITE_4(mac, BWN_INTR_MASK, 0);
4828 	BWN_READ_4(mac, BWN_INTR_MASK);
4829 	bwn_mac_suspend(mac);
4830 
4831 	mac->mac_status = BWN_MAC_STATUS_INITED;
4832 }
4833 
4834 static int
4835 bwn_switch_band(struct bwn_softc *sc, struct ieee80211_channel *chan)
4836 {
4837 	struct bwn_mac *up_dev = NULL;
4838 	struct bwn_mac *down_dev;
4839 	struct bwn_mac *mac;
4840 	int err, status;
4841 	uint8_t gmode;
4842 
4843 	BWN_ASSERT_LOCKED(sc);
4844 
4845 	TAILQ_FOREACH(mac, &sc->sc_maclist, mac_list) {
4846 		if (IEEE80211_IS_CHAN_2GHZ(chan) &&
4847 		    mac->mac_phy.supports_2ghz) {
4848 			up_dev = mac;
4849 			gmode = 1;
4850 		} else if (IEEE80211_IS_CHAN_5GHZ(chan) &&
4851 		    mac->mac_phy.supports_5ghz) {
4852 			up_dev = mac;
4853 			gmode = 0;
4854 		} else {
4855 			KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
4856 			return (EINVAL);
4857 		}
4858 		if (up_dev != NULL)
4859 			break;
4860 	}
4861 	if (up_dev == NULL) {
4862 		device_printf(sc->sc_dev, "Could not find a device\n");
4863 		return (ENODEV);
4864 	}
4865 	if (up_dev == sc->sc_curmac && sc->sc_curmac->mac_phy.gmode == gmode)
4866 		return (0);
4867 
4868 	DPRINTF(sc, BWN_DEBUG_RF | BWN_DEBUG_PHY | BWN_DEBUG_RESET,
4869 	    "switching to %s-GHz band\n",
4870 	    IEEE80211_IS_CHAN_2GHZ(chan) ? "2" : "5");
4871 
4872 	down_dev = sc->sc_curmac;
4873 	status = down_dev->mac_status;
4874 	if (status >= BWN_MAC_STATUS_STARTED)
4875 		bwn_core_stop(down_dev);
4876 	if (status >= BWN_MAC_STATUS_INITED)
4877 		bwn_core_exit(down_dev);
4878 
4879 	if (down_dev != up_dev) {
4880 		err = bwn_phy_reset(down_dev);
4881 		if (err)
4882 			goto fail;
4883 	}
4884 
4885 	up_dev->mac_phy.gmode = gmode;
4886 	if (status >= BWN_MAC_STATUS_INITED) {
4887 		err = bwn_core_init(up_dev);
4888 		if (err) {
4889 			device_printf(sc->sc_dev,
4890 			    "fatal: failed to initialize for %s-GHz\n",
4891 			    IEEE80211_IS_CHAN_2GHZ(chan) ? "2" : "5");
4892 			goto fail;
4893 		}
4894 	}
4895 	if (status >= BWN_MAC_STATUS_STARTED)
4896 		bwn_core_start(up_dev);
4897 	KASSERT(up_dev->mac_status == status, ("%s: fail", __func__));
4898 	sc->sc_curmac = up_dev;
4899 
4900 	return (0);
4901 fail:
4902 	sc->sc_curmac = NULL;
4903 	return (err);
4904 }
4905 
4906 static void
4907 bwn_rf_turnon(struct bwn_mac *mac)
4908 {
4909 
4910 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: called\n", __func__);
4911 
4912 	bwn_mac_suspend(mac);
4913 	mac->mac_phy.rf_onoff(mac, 1);
4914 	mac->mac_phy.rf_on = 1;
4915 	bwn_mac_enable(mac);
4916 }
4917 
4918 static void
4919 bwn_rf_turnoff(struct bwn_mac *mac)
4920 {
4921 
4922 	DPRINTF(mac->mac_sc, BWN_DEBUG_RESET, "%s: called\n", __func__);
4923 
4924 	bwn_mac_suspend(mac);
4925 	mac->mac_phy.rf_onoff(mac, 0);
4926 	mac->mac_phy.rf_on = 0;
4927 	bwn_mac_enable(mac);
4928 }
4929 
4930 /*
4931  * PHY reset.
4932  */
4933 static int
4934 bwn_phy_reset(struct bwn_mac *mac)
4935 {
4936 	struct bwn_softc	*sc;
4937 	uint16_t		 iost, mask;
4938 	int			 error;
4939 
4940 	sc = mac->mac_sc;
4941 
4942 	iost = BWN_IOCTL_PHYRESET | BHND_IOCTL_CLK_FORCE;
4943 	mask = iost | BWN_IOCTL_SUPPORT_G;
4944 
4945 	if ((error = bhnd_write_ioctl(sc->sc_dev, iost, mask)))
4946 		return (error);
4947 
4948 	DELAY(1000);
4949 
4950 	iost &= ~BHND_IOCTL_CLK_FORCE;
4951 
4952 	if ((error = bhnd_write_ioctl(sc->sc_dev, iost, mask)))
4953 		return (error);
4954 
4955 	DELAY(1000);
4956 
4957 	return (0);
4958 }
4959 
4960 static int
4961 bwn_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
4962 {
4963 	struct bwn_vap *bvp = BWN_VAP(vap);
4964 	struct ieee80211com *ic= vap->iv_ic;
4965 	enum ieee80211_state ostate = vap->iv_state;
4966 	struct bwn_softc *sc = ic->ic_softc;
4967 	struct bwn_mac *mac = sc->sc_curmac;
4968 	int error;
4969 
4970 	DPRINTF(sc, BWN_DEBUG_STATE, "%s: %s -> %s\n", __func__,
4971 	    ieee80211_state_name[vap->iv_state],
4972 	    ieee80211_state_name[nstate]);
4973 
4974 	error = bvp->bv_newstate(vap, nstate, arg);
4975 	if (error != 0)
4976 		return (error);
4977 
4978 	BWN_LOCK(sc);
4979 
4980 	bwn_led_newstate(mac, nstate);
4981 
4982 	/*
4983 	 * Clear the BSSID when we stop a STA
4984 	 */
4985 	if (vap->iv_opmode == IEEE80211_M_STA) {
4986 		if (ostate == IEEE80211_S_RUN && nstate != IEEE80211_S_RUN) {
4987 			/*
4988 			 * Clear out the BSSID.  If we reassociate to
4989 			 * the same AP, this will reinialize things
4990 			 * correctly...
4991 			 */
4992 			if (ic->ic_opmode == IEEE80211_M_STA &&
4993 			    (sc->sc_flags & BWN_FLAG_INVALID) == 0) {
4994 				memset(sc->sc_bssid, 0, IEEE80211_ADDR_LEN);
4995 				bwn_set_macaddr(mac);
4996 			}
4997 		}
4998 	}
4999 
5000 	if (vap->iv_opmode == IEEE80211_M_MONITOR ||
5001 	    vap->iv_opmode == IEEE80211_M_AHDEMO) {
5002 		/* XXX nothing to do? */
5003 	} else if (nstate == IEEE80211_S_RUN) {
5004 		memcpy(sc->sc_bssid, vap->iv_bss->ni_bssid, IEEE80211_ADDR_LEN);
5005 		bwn_set_opmode(mac);
5006 		bwn_set_pretbtt(mac);
5007 		bwn_spu_setdelay(mac, 0);
5008 		bwn_set_macaddr(mac);
5009 	}
5010 
5011 	BWN_UNLOCK(sc);
5012 
5013 	return (error);
5014 }
5015 
5016 static void
5017 bwn_set_pretbtt(struct bwn_mac *mac)
5018 {
5019 	struct bwn_softc *sc = mac->mac_sc;
5020 	struct ieee80211com *ic = &sc->sc_ic;
5021 	uint16_t pretbtt;
5022 
5023 	if (ic->ic_opmode == IEEE80211_M_IBSS)
5024 		pretbtt = 2;
5025 	else
5026 		pretbtt = (mac->mac_phy.type == BWN_PHYTYPE_A) ? 120 : 250;
5027 	bwn_shm_write_2(mac, BWN_SHARED, BWN_SHARED_PRETBTT, pretbtt);
5028 	BWN_WRITE_2(mac, BWN_TSF_CFP_PRETBTT, pretbtt);
5029 }
5030 
5031 static int
5032 bwn_intr(void *arg)
5033 {
5034 	struct bwn_mac *mac = arg;
5035 	struct bwn_softc *sc = mac->mac_sc;
5036 	uint32_t reason;
5037 
5038 	if (mac->mac_status < BWN_MAC_STATUS_STARTED ||
5039 	    (sc->sc_flags & BWN_FLAG_INVALID))
5040 		return (FILTER_STRAY);
5041 
5042 	DPRINTF(sc, BWN_DEBUG_INTR, "%s: called\n", __func__);
5043 
5044 	reason = BWN_READ_4(mac, BWN_INTR_REASON);
5045 	if (reason == 0xffffffff)	/* shared IRQ */
5046 		return (FILTER_STRAY);
5047 	reason &= mac->mac_intr_mask;
5048 	if (reason == 0)
5049 		return (FILTER_HANDLED);
5050 	DPRINTF(sc, BWN_DEBUG_INTR, "%s: reason=0x%08x\n", __func__, reason);
5051 
5052 	mac->mac_reason[0] = BWN_READ_4(mac, BWN_DMA0_REASON) & 0x0001dc00;
5053 	mac->mac_reason[1] = BWN_READ_4(mac, BWN_DMA1_REASON) & 0x0000dc00;
5054 	mac->mac_reason[2] = BWN_READ_4(mac, BWN_DMA2_REASON) & 0x0000dc00;
5055 	mac->mac_reason[3] = BWN_READ_4(mac, BWN_DMA3_REASON) & 0x0001dc00;
5056 	mac->mac_reason[4] = BWN_READ_4(mac, BWN_DMA4_REASON) & 0x0000dc00;
5057 	BWN_WRITE_4(mac, BWN_INTR_REASON, reason);
5058 	BWN_WRITE_4(mac, BWN_DMA0_REASON, mac->mac_reason[0]);
5059 	BWN_WRITE_4(mac, BWN_DMA1_REASON, mac->mac_reason[1]);
5060 	BWN_WRITE_4(mac, BWN_DMA2_REASON, mac->mac_reason[2]);
5061 	BWN_WRITE_4(mac, BWN_DMA3_REASON, mac->mac_reason[3]);
5062 	BWN_WRITE_4(mac, BWN_DMA4_REASON, mac->mac_reason[4]);
5063 
5064 	/* Disable interrupts. */
5065 	BWN_WRITE_4(mac, BWN_INTR_MASK, 0);
5066 
5067 	mac->mac_reason_intr = reason;
5068 
5069 	BWN_BARRIER(mac, 0, 0, BUS_SPACE_BARRIER_READ|BUS_SPACE_BARRIER_WRITE);
5070 
5071 	taskqueue_enqueue(sc->sc_tq, &mac->mac_intrtask);
5072 	return (FILTER_HANDLED);
5073 }
5074 
5075 static void
5076 bwn_intrtask(void *arg, int npending)
5077 {
5078 	struct epoch_tracker et;
5079 	struct bwn_mac *mac = arg;
5080 	struct bwn_softc *sc = mac->mac_sc;
5081 	uint32_t merged = 0;
5082 	int i, tx = 0, rx = 0;
5083 
5084 	BWN_LOCK(sc);
5085 	if (mac->mac_status < BWN_MAC_STATUS_STARTED ||
5086 	    (sc->sc_flags & BWN_FLAG_INVALID)) {
5087 		BWN_UNLOCK(sc);
5088 		return;
5089 	}
5090 
5091 	for (i = 0; i < N(mac->mac_reason); i++)
5092 		merged |= mac->mac_reason[i];
5093 
5094 	if (mac->mac_reason_intr & BWN_INTR_MAC_TXERR)
5095 		device_printf(sc->sc_dev, "MAC trans error\n");
5096 
5097 	if (mac->mac_reason_intr & BWN_INTR_PHY_TXERR) {
5098 		DPRINTF(sc, BWN_DEBUG_INTR, "%s: PHY trans error\n", __func__);
5099 		mac->mac_phy.txerrors--;
5100 		if (mac->mac_phy.txerrors == 0) {
5101 			mac->mac_phy.txerrors = BWN_TXERROR_MAX;
5102 			bwn_restart(mac, "PHY TX errors");
5103 		}
5104 	}
5105 
5106 	if (merged & (BWN_DMAINTR_FATALMASK | BWN_DMAINTR_NONFATALMASK)) {
5107 		if (merged & BWN_DMAINTR_FATALMASK) {
5108 			device_printf(sc->sc_dev,
5109 			    "Fatal DMA error: %#x %#x %#x %#x %#x %#x\n",
5110 			    mac->mac_reason[0], mac->mac_reason[1],
5111 			    mac->mac_reason[2], mac->mac_reason[3],
5112 			    mac->mac_reason[4], mac->mac_reason[5]);
5113 			bwn_restart(mac, "DMA error");
5114 			BWN_UNLOCK(sc);
5115 			return;
5116 		}
5117 		if (merged & BWN_DMAINTR_NONFATALMASK) {
5118 			device_printf(sc->sc_dev,
5119 			    "DMA error: %#x %#x %#x %#x %#x %#x\n",
5120 			    mac->mac_reason[0], mac->mac_reason[1],
5121 			    mac->mac_reason[2], mac->mac_reason[3],
5122 			    mac->mac_reason[4], mac->mac_reason[5]);
5123 		}
5124 	}
5125 
5126 	if (mac->mac_reason_intr & BWN_INTR_UCODE_DEBUG)
5127 		bwn_intr_ucode_debug(mac);
5128 	if (mac->mac_reason_intr & BWN_INTR_TBTT_INDI)
5129 		bwn_intr_tbtt_indication(mac);
5130 	if (mac->mac_reason_intr & BWN_INTR_ATIM_END)
5131 		bwn_intr_atim_end(mac);
5132 	if (mac->mac_reason_intr & BWN_INTR_BEACON)
5133 		bwn_intr_beacon(mac);
5134 	if (mac->mac_reason_intr & BWN_INTR_PMQ)
5135 		bwn_intr_pmq(mac);
5136 	if (mac->mac_reason_intr & BWN_INTR_NOISESAMPLE_OK)
5137 		bwn_intr_noise(mac);
5138 
5139 	NET_EPOCH_ENTER(et);
5140 	if (mac->mac_flags & BWN_MAC_FLAG_DMA) {
5141 		if (mac->mac_reason[0] & BWN_DMAINTR_RX_DONE) {
5142 			bwn_dma_rx(mac->mac_method.dma.rx);
5143 			rx = 1;
5144 		}
5145 	} else
5146 		rx = bwn_pio_rx(&mac->mac_method.pio.rx);
5147 	NET_EPOCH_EXIT(et);
5148 
5149 	KASSERT(!(mac->mac_reason[1] & BWN_DMAINTR_RX_DONE), ("%s", __func__));
5150 	KASSERT(!(mac->mac_reason[2] & BWN_DMAINTR_RX_DONE), ("%s", __func__));
5151 	KASSERT(!(mac->mac_reason[3] & BWN_DMAINTR_RX_DONE), ("%s", __func__));
5152 	KASSERT(!(mac->mac_reason[4] & BWN_DMAINTR_RX_DONE), ("%s", __func__));
5153 	KASSERT(!(mac->mac_reason[5] & BWN_DMAINTR_RX_DONE), ("%s", __func__));
5154 
5155 	if (mac->mac_reason_intr & BWN_INTR_TX_OK) {
5156 		bwn_intr_txeof(mac);
5157 		tx = 1;
5158 	}
5159 
5160 	BWN_WRITE_4(mac, BWN_INTR_MASK, mac->mac_intr_mask);
5161 
5162 	if (sc->sc_blink_led != NULL && sc->sc_led_blink) {
5163 		int evt = BWN_LED_EVENT_NONE;
5164 
5165 		if (tx && rx) {
5166 			if (sc->sc_rx_rate > sc->sc_tx_rate)
5167 				evt = BWN_LED_EVENT_RX;
5168 			else
5169 				evt = BWN_LED_EVENT_TX;
5170 		} else if (tx) {
5171 			evt = BWN_LED_EVENT_TX;
5172 		} else if (rx) {
5173 			evt = BWN_LED_EVENT_RX;
5174 		} else if (rx == 0) {
5175 			evt = BWN_LED_EVENT_POLL;
5176 		}
5177 
5178 		if (evt != BWN_LED_EVENT_NONE)
5179 			bwn_led_event(mac, evt);
5180        }
5181 
5182 	if (mbufq_first(&sc->sc_snd) != NULL)
5183 		bwn_start(sc);
5184 
5185 	BWN_BARRIER(mac, 0, 0, BUS_SPACE_BARRIER_READ|BUS_SPACE_BARRIER_WRITE);
5186 
5187 	BWN_UNLOCK(sc);
5188 }
5189 
5190 static void
5191 bwn_restart(struct bwn_mac *mac, const char *msg)
5192 {
5193 	struct bwn_softc *sc = mac->mac_sc;
5194 	struct ieee80211com *ic = &sc->sc_ic;
5195 
5196 	if (mac->mac_status < BWN_MAC_STATUS_INITED)
5197 		return;
5198 
5199 	device_printf(sc->sc_dev, "HW reset: %s\n", msg);
5200 	ieee80211_runtask(ic, &mac->mac_hwreset);
5201 }
5202 
5203 static void
5204 bwn_intr_ucode_debug(struct bwn_mac *mac)
5205 {
5206 	struct bwn_softc *sc = mac->mac_sc;
5207 	uint16_t reason;
5208 
5209 	if (mac->mac_fw.opensource == 0)
5210 		return;
5211 
5212 	reason = bwn_shm_read_2(mac, BWN_SCRATCH, BWN_DEBUGINTR_REASON_REG);
5213 	switch (reason) {
5214 	case BWN_DEBUGINTR_PANIC:
5215 		bwn_handle_fwpanic(mac);
5216 		break;
5217 	case BWN_DEBUGINTR_DUMP_SHM:
5218 		device_printf(sc->sc_dev, "BWN_DEBUGINTR_DUMP_SHM\n");
5219 		break;
5220 	case BWN_DEBUGINTR_DUMP_REGS:
5221 		device_printf(sc->sc_dev, "BWN_DEBUGINTR_DUMP_REGS\n");
5222 		break;
5223 	case BWN_DEBUGINTR_MARKER:
5224 		device_printf(sc->sc_dev, "BWN_DEBUGINTR_MARKER\n");
5225 		break;
5226 	default:
5227 		device_printf(sc->sc_dev,
5228 		    "ucode debug unknown reason: %#x\n", reason);
5229 	}
5230 
5231 	bwn_shm_write_2(mac, BWN_SCRATCH, BWN_DEBUGINTR_REASON_REG,
5232 	    BWN_DEBUGINTR_ACK);
5233 }
5234 
5235 static void
5236 bwn_intr_tbtt_indication(struct bwn_mac *mac)
5237 {
5238 	struct bwn_softc *sc = mac->mac_sc;
5239 	struct ieee80211com *ic = &sc->sc_ic;
5240 
5241 	if (ic->ic_opmode != IEEE80211_M_HOSTAP)
5242 		bwn_psctl(mac, 0);
5243 	if (ic->ic_opmode == IEEE80211_M_IBSS)
5244 		mac->mac_flags |= BWN_MAC_FLAG_DFQVALID;
5245 }
5246 
5247 static void
5248 bwn_intr_atim_end(struct bwn_mac *mac)
5249 {
5250 
5251 	if (mac->mac_flags & BWN_MAC_FLAG_DFQVALID) {
5252 		BWN_WRITE_4(mac, BWN_MACCMD,
5253 		    BWN_READ_4(mac, BWN_MACCMD) | BWN_MACCMD_DFQ_VALID);
5254 		mac->mac_flags &= ~BWN_MAC_FLAG_DFQVALID;
5255 	}
5256 }
5257 
5258 static void
5259 bwn_intr_beacon(struct bwn_mac *mac)
5260 {
5261 	struct bwn_softc *sc = mac->mac_sc;
5262 	struct ieee80211com *ic = &sc->sc_ic;
5263 	uint32_t cmd, beacon0, beacon1;
5264 
5265 	if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5266 	    ic->ic_opmode == IEEE80211_M_MBSS)
5267 		return;
5268 
5269 	mac->mac_intr_mask &= ~BWN_INTR_BEACON;
5270 
5271 	cmd = BWN_READ_4(mac, BWN_MACCMD);
5272 	beacon0 = (cmd & BWN_MACCMD_BEACON0_VALID);
5273 	beacon1 = (cmd & BWN_MACCMD_BEACON1_VALID);
5274 
5275 	if (beacon0 && beacon1) {
5276 		BWN_WRITE_4(mac, BWN_INTR_REASON, BWN_INTR_BEACON);
5277 		mac->mac_intr_mask |= BWN_INTR_BEACON;
5278 		return;
5279 	}
5280 
5281 	if (sc->sc_flags & BWN_FLAG_NEED_BEACON_TP) {
5282 		sc->sc_flags &= ~BWN_FLAG_NEED_BEACON_TP;
5283 		bwn_load_beacon0(mac);
5284 		bwn_load_beacon1(mac);
5285 		cmd = BWN_READ_4(mac, BWN_MACCMD);
5286 		cmd |= BWN_MACCMD_BEACON0_VALID;
5287 		BWN_WRITE_4(mac, BWN_MACCMD, cmd);
5288 	} else {
5289 		if (!beacon0) {
5290 			bwn_load_beacon0(mac);
5291 			cmd = BWN_READ_4(mac, BWN_MACCMD);
5292 			cmd |= BWN_MACCMD_BEACON0_VALID;
5293 			BWN_WRITE_4(mac, BWN_MACCMD, cmd);
5294 		} else if (!beacon1) {
5295 			bwn_load_beacon1(mac);
5296 			cmd = BWN_READ_4(mac, BWN_MACCMD);
5297 			cmd |= BWN_MACCMD_BEACON1_VALID;
5298 			BWN_WRITE_4(mac, BWN_MACCMD, cmd);
5299 		}
5300 	}
5301 }
5302 
5303 static void
5304 bwn_intr_pmq(struct bwn_mac *mac)
5305 {
5306 	uint32_t tmp;
5307 
5308 	while (1) {
5309 		tmp = BWN_READ_4(mac, BWN_PS_STATUS);
5310 		if (!(tmp & 0x00000008))
5311 			break;
5312 	}
5313 	BWN_WRITE_2(mac, BWN_PS_STATUS, 0x0002);
5314 }
5315 
5316 static void
5317 bwn_intr_noise(struct bwn_mac *mac)
5318 {
5319 	struct bwn_phy_g *pg = &mac->mac_phy.phy_g;
5320 	uint16_t tmp;
5321 	uint8_t noise[4];
5322 	uint8_t i, j;
5323 	int32_t average;
5324 
5325 	if (mac->mac_phy.type != BWN_PHYTYPE_G)
5326 		return;
5327 
5328 	KASSERT(mac->mac_noise.noi_running, ("%s: fail", __func__));
5329 	*((uint32_t *)noise) = htole32(bwn_jssi_read(mac));
5330 	if (noise[0] == 0x7f || noise[1] == 0x7f || noise[2] == 0x7f ||
5331 	    noise[3] == 0x7f)
5332 		goto new;
5333 
5334 	KASSERT(mac->mac_noise.noi_nsamples < 8,
5335 	    ("%s:%d: fail", __func__, __LINE__));
5336 	i = mac->mac_noise.noi_nsamples;
5337 	noise[0] = MIN(MAX(noise[0], 0), N(pg->pg_nrssi_lt) - 1);
5338 	noise[1] = MIN(MAX(noise[1], 0), N(pg->pg_nrssi_lt) - 1);
5339 	noise[2] = MIN(MAX(noise[2], 0), N(pg->pg_nrssi_lt) - 1);
5340 	noise[3] = MIN(MAX(noise[3], 0), N(pg->pg_nrssi_lt) - 1);
5341 	mac->mac_noise.noi_samples[i][0] = pg->pg_nrssi_lt[noise[0]];
5342 	mac->mac_noise.noi_samples[i][1] = pg->pg_nrssi_lt[noise[1]];
5343 	mac->mac_noise.noi_samples[i][2] = pg->pg_nrssi_lt[noise[2]];
5344 	mac->mac_noise.noi_samples[i][3] = pg->pg_nrssi_lt[noise[3]];
5345 	mac->mac_noise.noi_nsamples++;
5346 	if (mac->mac_noise.noi_nsamples == 8) {
5347 		average = 0;
5348 		for (i = 0; i < 8; i++) {
5349 			for (j = 0; j < 4; j++)
5350 				average += mac->mac_noise.noi_samples[i][j];
5351 		}
5352 		average = (((average / 32) * 125) + 64) / 128;
5353 		tmp = (bwn_shm_read_2(mac, BWN_SHARED, 0x40c) / 128) & 0x1f;
5354 		if (tmp >= 8)
5355 			average += 2;
5356 		else
5357 			average -= 25;
5358 		average -= (tmp == 8) ? 72 : 48;
5359 
5360 		mac->mac_stats.link_noise = average;
5361 		mac->mac_noise.noi_running = 0;
5362 		return;
5363 	}
5364 new:
5365 	bwn_noise_gensample(mac);
5366 }
5367 
5368 static int
5369 bwn_pio_rx(struct bwn_pio_rxqueue *prq)
5370 {
5371 	struct bwn_mac *mac = prq->prq_mac;
5372 	struct bwn_softc *sc = mac->mac_sc;
5373 	unsigned int i;
5374 
5375 	BWN_ASSERT_LOCKED(sc);
5376 
5377 	if (mac->mac_status < BWN_MAC_STATUS_STARTED)
5378 		return (0);
5379 
5380 	for (i = 0; i < 5000; i++) {
5381 		if (bwn_pio_rxeof(prq) == 0)
5382 			break;
5383 	}
5384 	if (i >= 5000)
5385 		device_printf(sc->sc_dev, "too many RX frames in PIO mode\n");
5386 	return ((i > 0) ? 1 : 0);
5387 }
5388 
5389 static void
5390 bwn_dma_rx(struct bwn_dma_ring *dr)
5391 {
5392 	int slot, curslot;
5393 
5394 	KASSERT(!dr->dr_tx, ("%s:%d: fail", __func__, __LINE__));
5395 	curslot = dr->get_curslot(dr);
5396 	KASSERT(curslot >= 0 && curslot < dr->dr_numslots,
5397 	    ("%s:%d: fail", __func__, __LINE__));
5398 
5399 	slot = dr->dr_curslot;
5400 	for (; slot != curslot; slot = bwn_dma_nextslot(dr, slot))
5401 		bwn_dma_rxeof(dr, &slot);
5402 
5403 	bus_dmamap_sync(dr->dr_ring_dtag, dr->dr_ring_dmap,
5404 	    BUS_DMASYNC_PREWRITE);
5405 
5406 	dr->set_curslot(dr, slot);
5407 	dr->dr_curslot = slot;
5408 }
5409 
5410 static void
5411 bwn_intr_txeof(struct bwn_mac *mac)
5412 {
5413 	struct bwn_txstatus stat;
5414 	uint32_t stat0, stat1;
5415 	uint16_t tmp;
5416 
5417 	BWN_ASSERT_LOCKED(mac->mac_sc);
5418 
5419 	while (1) {
5420 		stat0 = BWN_READ_4(mac, BWN_XMITSTAT_0);
5421 		if (!(stat0 & 0x00000001))
5422 			break;
5423 		stat1 = BWN_READ_4(mac, BWN_XMITSTAT_1);
5424 
5425 		DPRINTF(mac->mac_sc, BWN_DEBUG_XMIT,
5426 		    "%s: stat0=0x%08x, stat1=0x%08x\n",
5427 		    __func__,
5428 		    stat0,
5429 		    stat1);
5430 
5431 		stat.cookie = (stat0 >> 16);
5432 		stat.seq = (stat1 & 0x0000ffff);
5433 		stat.phy_stat = ((stat1 & 0x00ff0000) >> 16);
5434 		tmp = (stat0 & 0x0000ffff);
5435 		stat.framecnt = ((tmp & 0xf000) >> 12);
5436 		stat.rtscnt = ((tmp & 0x0f00) >> 8);
5437 		stat.sreason = ((tmp & 0x001c) >> 2);
5438 		stat.pm = (tmp & 0x0080) ? 1 : 0;
5439 		stat.im = (tmp & 0x0040) ? 1 : 0;
5440 		stat.ampdu = (tmp & 0x0020) ? 1 : 0;
5441 		stat.ack = (tmp & 0x0002) ? 1 : 0;
5442 
5443 		DPRINTF(mac->mac_sc, BWN_DEBUG_XMIT,
5444 		    "%s: cookie=%d, seq=%d, phystat=0x%02x, framecnt=%d, "
5445 		    "rtscnt=%d, sreason=%d, pm=%d, im=%d, ampdu=%d, ack=%d\n",
5446 		    __func__,
5447 		    stat.cookie,
5448 		    stat.seq,
5449 		    stat.phy_stat,
5450 		    stat.framecnt,
5451 		    stat.rtscnt,
5452 		    stat.sreason,
5453 		    stat.pm,
5454 		    stat.im,
5455 		    stat.ampdu,
5456 		    stat.ack);
5457 
5458 		bwn_handle_txeof(mac, &stat);
5459 	}
5460 }
5461 
5462 static void
5463 bwn_hwreset(void *arg, int npending)
5464 {
5465 	struct bwn_mac *mac = arg;
5466 	struct bwn_softc *sc = mac->mac_sc;
5467 	int error = 0;
5468 	int prev_status;
5469 
5470 	BWN_LOCK(sc);
5471 
5472 	prev_status = mac->mac_status;
5473 	if (prev_status >= BWN_MAC_STATUS_STARTED)
5474 		bwn_core_stop(mac);
5475 	if (prev_status >= BWN_MAC_STATUS_INITED)
5476 		bwn_core_exit(mac);
5477 
5478 	if (prev_status >= BWN_MAC_STATUS_INITED) {
5479 		error = bwn_core_init(mac);
5480 		if (error)
5481 			goto out;
5482 	}
5483 	if (prev_status >= BWN_MAC_STATUS_STARTED)
5484 		bwn_core_start(mac);
5485 out:
5486 	if (error) {
5487 		device_printf(sc->sc_dev, "%s: failed (%d)\n", __func__, error);
5488 		sc->sc_curmac = NULL;
5489 	}
5490 	BWN_UNLOCK(sc);
5491 }
5492 
5493 static void
5494 bwn_handle_fwpanic(struct bwn_mac *mac)
5495 {
5496 	struct bwn_softc *sc = mac->mac_sc;
5497 	uint16_t reason;
5498 
5499 	reason = bwn_shm_read_2(mac, BWN_SCRATCH, BWN_FWPANIC_REASON_REG);
5500 	device_printf(sc->sc_dev,"fw panic (%u)\n", reason);
5501 
5502 	if (reason == BWN_FWPANIC_RESTART)
5503 		bwn_restart(mac, "ucode panic");
5504 }
5505 
5506 static void
5507 bwn_load_beacon0(struct bwn_mac *mac)
5508 {
5509 
5510 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
5511 }
5512 
5513 static void
5514 bwn_load_beacon1(struct bwn_mac *mac)
5515 {
5516 
5517 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
5518 }
5519 
5520 static uint32_t
5521 bwn_jssi_read(struct bwn_mac *mac)
5522 {
5523 	uint32_t val = 0;
5524 
5525 	val = bwn_shm_read_2(mac, BWN_SHARED, 0x08a);
5526 	val <<= 16;
5527 	val |= bwn_shm_read_2(mac, BWN_SHARED, 0x088);
5528 
5529 	return (val);
5530 }
5531 
5532 static void
5533 bwn_noise_gensample(struct bwn_mac *mac)
5534 {
5535 	uint32_t jssi = 0x7f7f7f7f;
5536 
5537 	bwn_shm_write_2(mac, BWN_SHARED, 0x088, (jssi & 0x0000ffff));
5538 	bwn_shm_write_2(mac, BWN_SHARED, 0x08a, (jssi & 0xffff0000) >> 16);
5539 	BWN_WRITE_4(mac, BWN_MACCMD,
5540 	    BWN_READ_4(mac, BWN_MACCMD) | BWN_MACCMD_BGNOISE);
5541 }
5542 
5543 static int
5544 bwn_dma_freeslot(struct bwn_dma_ring *dr)
5545 {
5546 	BWN_ASSERT_LOCKED(dr->dr_mac->mac_sc);
5547 
5548 	return (dr->dr_numslots - dr->dr_usedslot);
5549 }
5550 
5551 static int
5552 bwn_dma_nextslot(struct bwn_dma_ring *dr, int slot)
5553 {
5554 	BWN_ASSERT_LOCKED(dr->dr_mac->mac_sc);
5555 
5556 	KASSERT(slot >= -1 && slot <= dr->dr_numslots - 1,
5557 	    ("%s:%d: fail", __func__, __LINE__));
5558 	if (slot == dr->dr_numslots - 1)
5559 		return (0);
5560 	return (slot + 1);
5561 }
5562 
5563 static void
5564 bwn_dma_rxeof(struct bwn_dma_ring *dr, int *slot)
5565 {
5566 	struct bwn_mac *mac = dr->dr_mac;
5567 	struct bwn_softc *sc = mac->mac_sc;
5568 	struct bwn_dma *dma = &mac->mac_method.dma;
5569 	struct bwn_dmadesc_generic *desc;
5570 	struct bwn_dmadesc_meta *meta;
5571 	struct bwn_rxhdr4 *rxhdr;
5572 	struct mbuf *m;
5573 	uint32_t macstat;
5574 	int32_t tmp;
5575 	int cnt = 0;
5576 	uint16_t len;
5577 
5578 	dr->getdesc(dr, *slot, &desc, &meta);
5579 
5580 	bus_dmamap_sync(dma->rxbuf_dtag, meta->mt_dmap, BUS_DMASYNC_POSTREAD);
5581 	m = meta->mt_m;
5582 
5583 	if (bwn_dma_newbuf(dr, desc, meta, 0)) {
5584 		counter_u64_add(sc->sc_ic.ic_ierrors, 1);
5585 		return;
5586 	}
5587 
5588 	rxhdr = mtod(m, struct bwn_rxhdr4 *);
5589 	len = le16toh(rxhdr->frame_len);
5590 	if (len <= 0) {
5591 		counter_u64_add(sc->sc_ic.ic_ierrors, 1);
5592 		return;
5593 	}
5594 	if (bwn_dma_check_redzone(dr, m)) {
5595 		device_printf(sc->sc_dev, "redzone error.\n");
5596 		bwn_dma_set_redzone(dr, m);
5597 		bus_dmamap_sync(dma->rxbuf_dtag, meta->mt_dmap,
5598 		    BUS_DMASYNC_PREWRITE);
5599 		return;
5600 	}
5601 	if (len > dr->dr_rx_bufsize) {
5602 		tmp = len;
5603 		while (1) {
5604 			dr->getdesc(dr, *slot, &desc, &meta);
5605 			bwn_dma_set_redzone(dr, meta->mt_m);
5606 			bus_dmamap_sync(dma->rxbuf_dtag, meta->mt_dmap,
5607 			    BUS_DMASYNC_PREWRITE);
5608 			*slot = bwn_dma_nextslot(dr, *slot);
5609 			cnt++;
5610 			tmp -= dr->dr_rx_bufsize;
5611 			if (tmp <= 0)
5612 				break;
5613 		}
5614 		device_printf(sc->sc_dev, "too small buffer "
5615 		       "(len %u buffer %u dropped %d)\n",
5616 		       len, dr->dr_rx_bufsize, cnt);
5617 		return;
5618 	}
5619 
5620 	switch (mac->mac_fw.fw_hdr_format) {
5621 	case BWN_FW_HDR_351:
5622 	case BWN_FW_HDR_410:
5623 		macstat = le32toh(rxhdr->ps4.r351.mac_status);
5624 		break;
5625 	case BWN_FW_HDR_598:
5626 		macstat = le32toh(rxhdr->ps4.r598.mac_status);
5627 		break;
5628 	}
5629 
5630 	if (macstat & BWN_RX_MAC_FCSERR) {
5631 		if (!(mac->mac_sc->sc_filters & BWN_MACCTL_PASS_BADFCS)) {
5632 			device_printf(sc->sc_dev, "RX drop\n");
5633 			return;
5634 		}
5635 	}
5636 
5637 	m->m_len = m->m_pkthdr.len = len + dr->dr_frameoffset;
5638 	m_adj(m, dr->dr_frameoffset);
5639 
5640 	bwn_rxeof(dr->dr_mac, m, rxhdr);
5641 }
5642 
5643 static void
5644 bwn_handle_txeof(struct bwn_mac *mac, const struct bwn_txstatus *status)
5645 {
5646 	struct bwn_softc *sc = mac->mac_sc;
5647 	struct bwn_stats *stats = &mac->mac_stats;
5648 
5649 	BWN_ASSERT_LOCKED(mac->mac_sc);
5650 
5651 	if (status->im)
5652 		device_printf(sc->sc_dev, "TODO: STATUS IM\n");
5653 	if (status->ampdu)
5654 		device_printf(sc->sc_dev, "TODO: STATUS AMPDU\n");
5655 	if (status->rtscnt) {
5656 		if (status->rtscnt == 0xf)
5657 			stats->rtsfail++;
5658 		else
5659 			stats->rts++;
5660 	}
5661 
5662 	if (mac->mac_flags & BWN_MAC_FLAG_DMA) {
5663 		bwn_dma_handle_txeof(mac, status);
5664 	} else {
5665 		bwn_pio_handle_txeof(mac, status);
5666 	}
5667 
5668 	bwn_phy_txpower_check(mac, 0);
5669 }
5670 
5671 static uint8_t
5672 bwn_pio_rxeof(struct bwn_pio_rxqueue *prq)
5673 {
5674 	struct bwn_mac *mac = prq->prq_mac;
5675 	struct bwn_softc *sc = mac->mac_sc;
5676 	struct bwn_rxhdr4 rxhdr;
5677 	struct mbuf *m;
5678 	uint32_t ctl32, macstat, v32;
5679 	unsigned int i, padding;
5680 	uint16_t ctl16, len, totlen, v16;
5681 	unsigned char *mp;
5682 	char *data;
5683 
5684 	memset(&rxhdr, 0, sizeof(rxhdr));
5685 
5686 	if (prq->prq_rev >= 8) {
5687 		ctl32 = bwn_pio_rx_read_4(prq, BWN_PIO8_RXCTL);
5688 		if (!(ctl32 & BWN_PIO8_RXCTL_FRAMEREADY))
5689 			return (0);
5690 		bwn_pio_rx_write_4(prq, BWN_PIO8_RXCTL,
5691 		    BWN_PIO8_RXCTL_FRAMEREADY);
5692 		for (i = 0; i < 10; i++) {
5693 			ctl32 = bwn_pio_rx_read_4(prq, BWN_PIO8_RXCTL);
5694 			if (ctl32 & BWN_PIO8_RXCTL_DATAREADY)
5695 				goto ready;
5696 			DELAY(10);
5697 		}
5698 	} else {
5699 		ctl16 = bwn_pio_rx_read_2(prq, BWN_PIO_RXCTL);
5700 		if (!(ctl16 & BWN_PIO_RXCTL_FRAMEREADY))
5701 			return (0);
5702 		bwn_pio_rx_write_2(prq, BWN_PIO_RXCTL,
5703 		    BWN_PIO_RXCTL_FRAMEREADY);
5704 		for (i = 0; i < 10; i++) {
5705 			ctl16 = bwn_pio_rx_read_2(prq, BWN_PIO_RXCTL);
5706 			if (ctl16 & BWN_PIO_RXCTL_DATAREADY)
5707 				goto ready;
5708 			DELAY(10);
5709 		}
5710 	}
5711 	device_printf(sc->sc_dev, "%s: timed out\n", __func__);
5712 	return (1);
5713 ready:
5714 	if (prq->prq_rev >= 8) {
5715 		bus_read_multi_4(sc->sc_mem_res,
5716 		    prq->prq_base + BWN_PIO8_RXDATA, (void *)&rxhdr,
5717 		    sizeof(rxhdr));
5718 	} else {
5719 		bus_read_multi_2(sc->sc_mem_res,
5720 		    prq->prq_base + BWN_PIO_RXDATA, (void *)&rxhdr,
5721 		    sizeof(rxhdr));
5722 	}
5723 	len = le16toh(rxhdr.frame_len);
5724 	if (len > 0x700) {
5725 		device_printf(sc->sc_dev, "%s: len is too big\n", __func__);
5726 		goto error;
5727 	}
5728 	if (len == 0) {
5729 		device_printf(sc->sc_dev, "%s: len is 0\n", __func__);
5730 		goto error;
5731 	}
5732 
5733 	switch (mac->mac_fw.fw_hdr_format) {
5734 	case BWN_FW_HDR_351:
5735 	case BWN_FW_HDR_410:
5736 		macstat = le32toh(rxhdr.ps4.r351.mac_status);
5737 		break;
5738 	case BWN_FW_HDR_598:
5739 		macstat = le32toh(rxhdr.ps4.r598.mac_status);
5740 		break;
5741 	}
5742 
5743 	if (macstat & BWN_RX_MAC_FCSERR) {
5744 		if (!(mac->mac_sc->sc_filters & BWN_MACCTL_PASS_BADFCS)) {
5745 			device_printf(sc->sc_dev, "%s: FCS error", __func__);
5746 			goto error;
5747 		}
5748 	}
5749 
5750 	padding = (macstat & BWN_RX_MAC_PADDING) ? 2 : 0;
5751 	totlen = len + padding;
5752 	KASSERT(totlen <= MCLBYTES, ("too big..\n"));
5753 	m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
5754 	if (m == NULL) {
5755 		device_printf(sc->sc_dev, "%s: out of memory", __func__);
5756 		goto error;
5757 	}
5758 	mp = mtod(m, unsigned char *);
5759 	if (prq->prq_rev >= 8) {
5760 		bus_read_multi_4(sc->sc_mem_res,
5761 		    prq->prq_base + BWN_PIO8_RXDATA, (void *)mp, (totlen & ~3));
5762 		if (totlen & 3) {
5763 			v32 = bwn_pio_rx_read_4(prq, BWN_PIO8_RXDATA);
5764 			data = &(mp[totlen - 1]);
5765 			switch (totlen & 3) {
5766 			case 3:
5767 				*data = (v32 >> 16);
5768 				data--;
5769 			case 2:
5770 				*data = (v32 >> 8);
5771 				data--;
5772 			case 1:
5773 				*data = v32;
5774 			}
5775 		}
5776 	} else {
5777 		bus_read_multi_2(sc->sc_mem_res,
5778 		    prq->prq_base + BWN_PIO_RXDATA, (void *)mp, (totlen & ~1));
5779 		if (totlen & 1) {
5780 			v16 = bwn_pio_rx_read_2(prq, BWN_PIO_RXDATA);
5781 			mp[totlen - 1] = v16;
5782 		}
5783 	}
5784 
5785 	m->m_len = m->m_pkthdr.len = totlen;
5786 
5787 	bwn_rxeof(prq->prq_mac, m, &rxhdr);
5788 
5789 	return (1);
5790 error:
5791 	if (prq->prq_rev >= 8)
5792 		bwn_pio_rx_write_4(prq, BWN_PIO8_RXCTL,
5793 		    BWN_PIO8_RXCTL_DATAREADY);
5794 	else
5795 		bwn_pio_rx_write_2(prq, BWN_PIO_RXCTL, BWN_PIO_RXCTL_DATAREADY);
5796 	return (1);
5797 }
5798 
5799 static int
5800 bwn_dma_newbuf(struct bwn_dma_ring *dr, struct bwn_dmadesc_generic *desc,
5801     struct bwn_dmadesc_meta *meta, int init)
5802 {
5803 	struct bwn_mac *mac = dr->dr_mac;
5804 	struct bwn_dma *dma = &mac->mac_method.dma;
5805 	struct bwn_rxhdr4 *hdr;
5806 	bus_dmamap_t map;
5807 	bus_addr_t paddr;
5808 	struct mbuf *m;
5809 	int error;
5810 
5811 	m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
5812 	if (m == NULL) {
5813 		error = ENOBUFS;
5814 
5815 		/*
5816 		 * If the NIC is up and running, we need to:
5817 		 * - Clear RX buffer's header.
5818 		 * - Restore RX descriptor settings.
5819 		 */
5820 		if (init)
5821 			return (error);
5822 		else
5823 			goto back;
5824 	}
5825 	m->m_len = m->m_pkthdr.len = MCLBYTES;
5826 
5827 	bwn_dma_set_redzone(dr, m);
5828 
5829 	/*
5830 	 * Try to load RX buf into temporary DMA map
5831 	 */
5832 	error = bus_dmamap_load_mbuf(dma->rxbuf_dtag, dr->dr_spare_dmap, m,
5833 	    bwn_dma_buf_addr, &paddr, BUS_DMA_NOWAIT);
5834 	if (error) {
5835 		m_freem(m);
5836 
5837 		/*
5838 		 * See the comment above
5839 		 */
5840 		if (init)
5841 			return (error);
5842 		else
5843 			goto back;
5844 	}
5845 
5846 	if (!init)
5847 		bus_dmamap_unload(dma->rxbuf_dtag, meta->mt_dmap);
5848 	meta->mt_m = m;
5849 	meta->mt_paddr = paddr;
5850 
5851 	/*
5852 	 * Swap RX buf's DMA map with the loaded temporary one
5853 	 */
5854 	map = meta->mt_dmap;
5855 	meta->mt_dmap = dr->dr_spare_dmap;
5856 	dr->dr_spare_dmap = map;
5857 
5858 back:
5859 	/*
5860 	 * Clear RX buf header
5861 	 */
5862 	hdr = mtod(meta->mt_m, struct bwn_rxhdr4 *);
5863 	bzero(hdr, sizeof(*hdr));
5864 	bus_dmamap_sync(dma->rxbuf_dtag, meta->mt_dmap,
5865 	    BUS_DMASYNC_PREWRITE);
5866 
5867 	/*
5868 	 * Setup RX buf descriptor
5869 	 */
5870 	dr->setdesc(dr, desc, meta->mt_paddr, meta->mt_m->m_len -
5871 	    sizeof(*hdr), 0, 0, 0);
5872 	return (error);
5873 }
5874 
5875 static void
5876 bwn_dma_buf_addr(void *arg, bus_dma_segment_t *seg, int nseg,
5877 		 bus_size_t mapsz __unused, int error)
5878 {
5879 
5880 	if (!error) {
5881 		KASSERT(nseg == 1, ("too many segments(%d)\n", nseg));
5882 		*((bus_addr_t *)arg) = seg->ds_addr;
5883 	}
5884 }
5885 
5886 static int
5887 bwn_hwrate2ieeerate(int rate)
5888 {
5889 
5890 	switch (rate) {
5891 	case BWN_CCK_RATE_1MB:
5892 		return (2);
5893 	case BWN_CCK_RATE_2MB:
5894 		return (4);
5895 	case BWN_CCK_RATE_5MB:
5896 		return (11);
5897 	case BWN_CCK_RATE_11MB:
5898 		return (22);
5899 	case BWN_OFDM_RATE_6MB:
5900 		return (12);
5901 	case BWN_OFDM_RATE_9MB:
5902 		return (18);
5903 	case BWN_OFDM_RATE_12MB:
5904 		return (24);
5905 	case BWN_OFDM_RATE_18MB:
5906 		return (36);
5907 	case BWN_OFDM_RATE_24MB:
5908 		return (48);
5909 	case BWN_OFDM_RATE_36MB:
5910 		return (72);
5911 	case BWN_OFDM_RATE_48MB:
5912 		return (96);
5913 	case BWN_OFDM_RATE_54MB:
5914 		return (108);
5915 	default:
5916 		printf("Ooops\n");
5917 		return (0);
5918 	}
5919 }
5920 
5921 /*
5922  * Post process the RX provided RSSI.
5923  *
5924  * Valid for A, B, G, LP PHYs.
5925  */
5926 static int8_t
5927 bwn_rx_rssi_calc(struct bwn_mac *mac, uint8_t in_rssi,
5928     int ofdm, int adjust_2053, int adjust_2050)
5929 {
5930 	struct bwn_phy *phy = &mac->mac_phy;
5931 	struct bwn_phy_g *gphy = &phy->phy_g;
5932 	int tmp;
5933 
5934 	switch (phy->rf_ver) {
5935 	case 0x2050:
5936 		if (ofdm) {
5937 			tmp = in_rssi;
5938 			if (tmp > 127)
5939 				tmp -= 256;
5940 			tmp = tmp * 73 / 64;
5941 			if (adjust_2050)
5942 				tmp += 25;
5943 			else
5944 				tmp -= 3;
5945 		} else {
5946 			if (mac->mac_sc->sc_board_info.board_flags
5947 			    & BHND_BFL_ADCDIV) {
5948 				if (in_rssi > 63)
5949 					in_rssi = 63;
5950 				tmp = gphy->pg_nrssi_lt[in_rssi];
5951 				tmp = (31 - tmp) * -131 / 128 - 57;
5952 			} else {
5953 				tmp = in_rssi;
5954 				tmp = (31 - tmp) * -149 / 128 - 68;
5955 			}
5956 			if (phy->type == BWN_PHYTYPE_G && adjust_2050)
5957 				tmp += 25;
5958 		}
5959 		break;
5960 	case 0x2060:
5961 		if (in_rssi > 127)
5962 			tmp = in_rssi - 256;
5963 		else
5964 			tmp = in_rssi;
5965 		break;
5966 	default:
5967 		tmp = in_rssi;
5968 		tmp = (tmp - 11) * 103 / 64;
5969 		if (adjust_2053)
5970 			tmp -= 109;
5971 		else
5972 			tmp -= 83;
5973 	}
5974 
5975 	return (tmp);
5976 }
5977 
5978 static void
5979 bwn_rxeof(struct bwn_mac *mac, struct mbuf *m, const void *_rxhdr)
5980 {
5981 	const struct bwn_rxhdr4 *rxhdr = _rxhdr;
5982 	struct bwn_plcp6 *plcp;
5983 	struct bwn_softc *sc = mac->mac_sc;
5984 	struct ieee80211_frame_min *wh;
5985 	struct ieee80211_node *ni;
5986 	struct ieee80211com *ic = &sc->sc_ic;
5987 	uint32_t macstat;
5988 	int padding, rate, rssi = 0, noise = 0;
5989 	uint16_t phytype, phystat0, phystat3, chanstat;
5990 	unsigned char *mp = mtod(m, unsigned char *);
5991 
5992 	BWN_ASSERT_LOCKED(sc);
5993 
5994 	phystat0 = le16toh(rxhdr->phy_status0);
5995 
5996 	/*
5997 	 * XXX Note: phy_status3 doesn't exist for HT-PHY; it's only
5998 	 * used for LP-PHY.
5999 	 */
6000 	phystat3 = le16toh(rxhdr->ps3.lp.phy_status3);
6001 
6002 	switch (mac->mac_fw.fw_hdr_format) {
6003 	case BWN_FW_HDR_351:
6004 	case BWN_FW_HDR_410:
6005 		macstat = le32toh(rxhdr->ps4.r351.mac_status);
6006 		chanstat = le16toh(rxhdr->ps4.r351.channel);
6007 		break;
6008 	case BWN_FW_HDR_598:
6009 		macstat = le32toh(rxhdr->ps4.r598.mac_status);
6010 		chanstat = le16toh(rxhdr->ps4.r598.channel);
6011 		break;
6012 	}
6013 
6014 	phytype = chanstat & BWN_RX_CHAN_PHYTYPE;
6015 
6016 	if (macstat & BWN_RX_MAC_FCSERR)
6017 		device_printf(sc->sc_dev, "TODO RX: RX_FLAG_FAILED_FCS_CRC\n");
6018 	if (phystat0 & (BWN_RX_PHYST0_PLCPHCF | BWN_RX_PHYST0_PLCPFV))
6019 		device_printf(sc->sc_dev, "TODO RX: RX_FLAG_FAILED_PLCP_CRC\n");
6020 	if (macstat & BWN_RX_MAC_DECERR)
6021 		goto drop;
6022 
6023 	padding = (macstat & BWN_RX_MAC_PADDING) ? 2 : 0;
6024 	if (m->m_pkthdr.len < (sizeof(struct bwn_plcp6) + padding)) {
6025 		device_printf(sc->sc_dev, "frame too short (length=%d)\n",
6026 		    m->m_pkthdr.len);
6027 		goto drop;
6028 	}
6029 	plcp = (struct bwn_plcp6 *)(mp + padding);
6030 	m_adj(m, sizeof(struct bwn_plcp6) + padding);
6031 	if (m->m_pkthdr.len < IEEE80211_MIN_LEN) {
6032 		device_printf(sc->sc_dev, "frame too short (length=%d)\n",
6033 		    m->m_pkthdr.len);
6034 		goto drop;
6035 	}
6036 	wh = mtod(m, struct ieee80211_frame_min *);
6037 
6038 	if (macstat & BWN_RX_MAC_DEC) {
6039 		DPRINTF(sc, BWN_DEBUG_HWCRYPTO,
6040 		    "RX decryption attempted (old %d keyidx %#x)\n",
6041 		    BWN_ISOLDFMT(mac),
6042 		    (macstat & BWN_RX_MAC_KEYIDX) >> BWN_RX_MAC_KEYIDX_SHIFT);
6043 	}
6044 
6045 	if (phystat0 & BWN_RX_PHYST0_OFDM)
6046 		rate = bwn_plcp_get_ofdmrate(mac, plcp,
6047 		    phytype == BWN_PHYTYPE_A);
6048 	else
6049 		rate = bwn_plcp_get_cckrate(mac, plcp);
6050 	if (rate == -1) {
6051 		if (!(mac->mac_sc->sc_filters & BWN_MACCTL_PASS_BADPLCP))
6052 			goto drop;
6053 	}
6054 	sc->sc_rx_rate = bwn_hwrate2ieeerate(rate);
6055 
6056 	/* rssi/noise */
6057 	switch (phytype) {
6058 	case BWN_PHYTYPE_A:
6059 	case BWN_PHYTYPE_B:
6060 	case BWN_PHYTYPE_G:
6061 	case BWN_PHYTYPE_LP:
6062 		rssi = bwn_rx_rssi_calc(mac, rxhdr->phy.abg.rssi,
6063 		    !! (phystat0 & BWN_RX_PHYST0_OFDM),
6064 		    !! (phystat0 & BWN_RX_PHYST0_GAINCTL),
6065 		    !! (phystat3 & BWN_RX_PHYST3_TRSTATE));
6066 		break;
6067 	case BWN_PHYTYPE_N:
6068 		/* Broadcom has code for min/avg, but always used max */
6069 		if (rxhdr->phy.n.power0 == 16 || rxhdr->phy.n.power0 == 32)
6070 			rssi = max(rxhdr->phy.n.power1, rxhdr->ps2.n.power2);
6071 		else
6072 			rssi = max(rxhdr->phy.n.power0, rxhdr->phy.n.power1);
6073 #if 0
6074 		DPRINTF(mac->mac_sc, BWN_DEBUG_RECV,
6075 		    "%s: power0=%d, power1=%d, power2=%d\n",
6076 		    __func__,
6077 		    rxhdr->phy.n.power0,
6078 		    rxhdr->phy.n.power1,
6079 		    rxhdr->ps2.n.power2);
6080 #endif
6081 		break;
6082 	default:
6083 		/* XXX TODO: implement rssi for other PHYs */
6084 		break;
6085 	}
6086 
6087 	/*
6088 	 * RSSI here is absolute, not relative to the noise floor.
6089 	 */
6090 	noise = mac->mac_stats.link_noise;
6091 	rssi = rssi - noise;
6092 
6093 	/* RX radio tap */
6094 	if (ieee80211_radiotap_active(ic))
6095 		bwn_rx_radiotap(mac, m, rxhdr, plcp, rate, rssi, noise);
6096 	m_adj(m, -IEEE80211_CRC_LEN);
6097 
6098 	BWN_UNLOCK(sc);
6099 
6100 	ni = ieee80211_find_rxnode(ic, wh);
6101 	if (ni != NULL) {
6102 		ieee80211_input(ni, m, rssi, noise);
6103 		ieee80211_free_node(ni);
6104 	} else
6105 		ieee80211_input_all(ic, m, rssi, noise);
6106 
6107 	BWN_LOCK(sc);
6108 	return;
6109 drop:
6110 	device_printf(sc->sc_dev, "%s: dropped\n", __func__);
6111 }
6112 
6113 static void
6114 bwn_ratectl_tx_complete(const struct ieee80211_node *ni,
6115     const struct bwn_txstatus *status)
6116 {
6117 	struct ieee80211_ratectl_tx_status txs;
6118 	int retrycnt = 0;
6119 
6120 	/*
6121 	 * If we don't get an ACK, then we should log the
6122 	 * full framecnt.  That may be 0 if it's a PHY
6123 	 * failure, so ensure that gets logged as some
6124 	 * retry attempt.
6125 	 */
6126 	txs.flags = IEEE80211_RATECTL_STATUS_LONG_RETRY;
6127 	if (status->ack) {
6128 		txs.status = IEEE80211_RATECTL_TX_SUCCESS;
6129 		retrycnt = status->framecnt - 1;
6130 	} else {
6131 		txs.status = IEEE80211_RATECTL_TX_FAIL_UNSPECIFIED;
6132 		retrycnt = status->framecnt;
6133 		if (retrycnt == 0)
6134 			retrycnt = 1;
6135 	}
6136 	txs.long_retries = retrycnt;
6137 	ieee80211_ratectl_tx_complete(ni, &txs);
6138 }
6139 
6140 static void
6141 bwn_dma_handle_txeof(struct bwn_mac *mac,
6142     const struct bwn_txstatus *status)
6143 {
6144 	struct bwn_dma *dma = &mac->mac_method.dma;
6145 	struct bwn_dma_ring *dr;
6146 	struct bwn_dmadesc_generic *desc;
6147 	struct bwn_dmadesc_meta *meta;
6148 	struct bwn_softc *sc = mac->mac_sc;
6149 	int slot;
6150 
6151 	BWN_ASSERT_LOCKED(sc);
6152 
6153 	dr = bwn_dma_parse_cookie(mac, status, status->cookie, &slot);
6154 	if (dr == NULL) {
6155 		device_printf(sc->sc_dev, "failed to parse cookie\n");
6156 		return;
6157 	}
6158 	KASSERT(dr->dr_tx, ("%s:%d: fail", __func__, __LINE__));
6159 
6160 	while (1) {
6161 		KASSERT(slot >= 0 && slot < dr->dr_numslots,
6162 		    ("%s:%d: fail", __func__, __LINE__));
6163 		dr->getdesc(dr, slot, &desc, &meta);
6164 
6165 		if (meta->mt_txtype == BWN_DMADESC_METATYPE_HEADER)
6166 			bus_dmamap_unload(dr->dr_txring_dtag, meta->mt_dmap);
6167 		else if (meta->mt_txtype == BWN_DMADESC_METATYPE_BODY)
6168 			bus_dmamap_unload(dma->txbuf_dtag, meta->mt_dmap);
6169 
6170 		if (meta->mt_islast) {
6171 			KASSERT(meta->mt_m != NULL,
6172 			    ("%s:%d: fail", __func__, __LINE__));
6173 
6174 			bwn_ratectl_tx_complete(meta->mt_ni, status);
6175 			ieee80211_tx_complete(meta->mt_ni, meta->mt_m, 0);
6176 			meta->mt_ni = NULL;
6177 			meta->mt_m = NULL;
6178 		} else
6179 			KASSERT(meta->mt_m == NULL,
6180 			    ("%s:%d: fail", __func__, __LINE__));
6181 
6182 		dr->dr_usedslot--;
6183 		if (meta->mt_islast)
6184 			break;
6185 		slot = bwn_dma_nextslot(dr, slot);
6186 	}
6187 	sc->sc_watchdog_timer = 0;
6188 	if (dr->dr_stop) {
6189 		KASSERT(bwn_dma_freeslot(dr) >= BWN_TX_SLOTS_PER_FRAME,
6190 		    ("%s:%d: fail", __func__, __LINE__));
6191 		dr->dr_stop = 0;
6192 	}
6193 }
6194 
6195 static void
6196 bwn_pio_handle_txeof(struct bwn_mac *mac,
6197     const struct bwn_txstatus *status)
6198 {
6199 	struct bwn_pio_txqueue *tq;
6200 	struct bwn_pio_txpkt *tp = NULL;
6201 	struct bwn_softc *sc = mac->mac_sc;
6202 
6203 	BWN_ASSERT_LOCKED(sc);
6204 
6205 	tq = bwn_pio_parse_cookie(mac, status->cookie, &tp);
6206 	if (tq == NULL)
6207 		return;
6208 
6209 	tq->tq_used -= roundup(tp->tp_m->m_pkthdr.len + BWN_HDRSIZE(mac), 4);
6210 	tq->tq_free++;
6211 
6212 	if (tp->tp_ni != NULL) {
6213 		/*
6214 		 * Do any tx complete callback.  Note this must
6215 		 * be done before releasing the node reference.
6216 		 */
6217 		bwn_ratectl_tx_complete(tp->tp_ni, status);
6218 	}
6219 	ieee80211_tx_complete(tp->tp_ni, tp->tp_m, 0);
6220 	tp->tp_ni = NULL;
6221 	tp->tp_m = NULL;
6222 	TAILQ_INSERT_TAIL(&tq->tq_pktlist, tp, tp_list);
6223 
6224 	sc->sc_watchdog_timer = 0;
6225 }
6226 
6227 static void
6228 bwn_phy_txpower_check(struct bwn_mac *mac, uint32_t flags)
6229 {
6230 	struct bwn_softc *sc = mac->mac_sc;
6231 	struct bwn_phy *phy = &mac->mac_phy;
6232 	struct ieee80211com *ic = &sc->sc_ic;
6233 	unsigned long now;
6234 	bwn_txpwr_result_t result;
6235 
6236 	BWN_GETTIME(now);
6237 
6238 	if (!(flags & BWN_TXPWR_IGNORE_TIME) && ieee80211_time_before(now, phy->nexttime))
6239 		return;
6240 	phy->nexttime = now + 2 * 1000;
6241 
6242 	if (sc->sc_board_info.board_vendor == PCI_VENDOR_BROADCOM &&
6243 	    sc->sc_board_info.board_type == BHND_BOARD_BU4306)
6244 		return;
6245 
6246 	if (phy->recalc_txpwr != NULL) {
6247 		result = phy->recalc_txpwr(mac,
6248 		    (flags & BWN_TXPWR_IGNORE_TSSI) ? 1 : 0);
6249 		if (result == BWN_TXPWR_RES_DONE)
6250 			return;
6251 		KASSERT(result == BWN_TXPWR_RES_NEED_ADJUST,
6252 		    ("%s: fail", __func__));
6253 		KASSERT(phy->set_txpwr != NULL, ("%s: fail", __func__));
6254 
6255 		ieee80211_runtask(ic, &mac->mac_txpower);
6256 	}
6257 }
6258 
6259 static uint16_t
6260 bwn_pio_rx_read_2(struct bwn_pio_rxqueue *prq, uint16_t offset)
6261 {
6262 
6263 	return (BWN_READ_2(prq->prq_mac, prq->prq_base + offset));
6264 }
6265 
6266 static uint32_t
6267 bwn_pio_rx_read_4(struct bwn_pio_rxqueue *prq, uint16_t offset)
6268 {
6269 
6270 	return (BWN_READ_4(prq->prq_mac, prq->prq_base + offset));
6271 }
6272 
6273 static void
6274 bwn_pio_rx_write_2(struct bwn_pio_rxqueue *prq, uint16_t offset, uint16_t value)
6275 {
6276 
6277 	BWN_WRITE_2(prq->prq_mac, prq->prq_base + offset, value);
6278 }
6279 
6280 static void
6281 bwn_pio_rx_write_4(struct bwn_pio_rxqueue *prq, uint16_t offset, uint32_t value)
6282 {
6283 
6284 	BWN_WRITE_4(prq->prq_mac, prq->prq_base + offset, value);
6285 }
6286 
6287 static int
6288 bwn_ieeerate2hwrate(struct bwn_softc *sc, int rate)
6289 {
6290 
6291 	switch (rate) {
6292 	/* OFDM rates (cf IEEE Std 802.11a-1999, pp. 14 Table 80) */
6293 	case 12:
6294 		return (BWN_OFDM_RATE_6MB);
6295 	case 18:
6296 		return (BWN_OFDM_RATE_9MB);
6297 	case 24:
6298 		return (BWN_OFDM_RATE_12MB);
6299 	case 36:
6300 		return (BWN_OFDM_RATE_18MB);
6301 	case 48:
6302 		return (BWN_OFDM_RATE_24MB);
6303 	case 72:
6304 		return (BWN_OFDM_RATE_36MB);
6305 	case 96:
6306 		return (BWN_OFDM_RATE_48MB);
6307 	case 108:
6308 		return (BWN_OFDM_RATE_54MB);
6309 	/* CCK rates (NB: not IEEE std, device-specific) */
6310 	case 2:
6311 		return (BWN_CCK_RATE_1MB);
6312 	case 4:
6313 		return (BWN_CCK_RATE_2MB);
6314 	case 11:
6315 		return (BWN_CCK_RATE_5MB);
6316 	case 22:
6317 		return (BWN_CCK_RATE_11MB);
6318 	}
6319 
6320 	device_printf(sc->sc_dev, "unsupported rate %d\n", rate);
6321 	return (BWN_CCK_RATE_1MB);
6322 }
6323 
6324 static uint16_t
6325 bwn_set_txhdr_phyctl1(struct bwn_mac *mac, uint8_t bitrate)
6326 {
6327 	struct bwn_phy *phy = &mac->mac_phy;
6328 	uint16_t control = 0;
6329 	uint16_t bw;
6330 
6331 	/* XXX TODO: this is for LP phy, what about N-PHY, etc? */
6332 	bw = BWN_TXH_PHY1_BW_20;
6333 
6334 	if (BWN_ISCCKRATE(bitrate) && phy->type != BWN_PHYTYPE_LP) {
6335 		control = bw;
6336 	} else {
6337 		control = bw;
6338 		/* Figure out coding rate and modulation */
6339 		/* XXX TODO: table-ize, for MCS transmit */
6340 		/* Note: this is BWN_*_RATE values */
6341 		switch (bitrate) {
6342 		case BWN_CCK_RATE_1MB:
6343 			control |= 0;
6344 			break;
6345 		case BWN_CCK_RATE_2MB:
6346 			control |= 1;
6347 			break;
6348 		case BWN_CCK_RATE_5MB:
6349 			control |= 2;
6350 			break;
6351 		case BWN_CCK_RATE_11MB:
6352 			control |= 3;
6353 			break;
6354 		case BWN_OFDM_RATE_6MB:
6355 			control |= BWN_TXH_PHY1_CRATE_1_2;
6356 			control |= BWN_TXH_PHY1_MODUL_BPSK;
6357 			break;
6358 		case BWN_OFDM_RATE_9MB:
6359 			control |= BWN_TXH_PHY1_CRATE_3_4;
6360 			control |= BWN_TXH_PHY1_MODUL_BPSK;
6361 			break;
6362 		case BWN_OFDM_RATE_12MB:
6363 			control |= BWN_TXH_PHY1_CRATE_1_2;
6364 			control |= BWN_TXH_PHY1_MODUL_QPSK;
6365 			break;
6366 		case BWN_OFDM_RATE_18MB:
6367 			control |= BWN_TXH_PHY1_CRATE_3_4;
6368 			control |= BWN_TXH_PHY1_MODUL_QPSK;
6369 			break;
6370 		case BWN_OFDM_RATE_24MB:
6371 			control |= BWN_TXH_PHY1_CRATE_1_2;
6372 			control |= BWN_TXH_PHY1_MODUL_QAM16;
6373 			break;
6374 		case BWN_OFDM_RATE_36MB:
6375 			control |= BWN_TXH_PHY1_CRATE_3_4;
6376 			control |= BWN_TXH_PHY1_MODUL_QAM16;
6377 			break;
6378 		case BWN_OFDM_RATE_48MB:
6379 			control |= BWN_TXH_PHY1_CRATE_1_2;
6380 			control |= BWN_TXH_PHY1_MODUL_QAM64;
6381 			break;
6382 		case BWN_OFDM_RATE_54MB:
6383 			control |= BWN_TXH_PHY1_CRATE_3_4;
6384 			control |= BWN_TXH_PHY1_MODUL_QAM64;
6385 			break;
6386 		default:
6387 			break;
6388 		}
6389 		control |= BWN_TXH_PHY1_MODE_SISO;
6390 	}
6391 
6392 	return control;
6393 }
6394 
6395 static int
6396 bwn_set_txhdr(struct bwn_mac *mac, struct ieee80211_node *ni,
6397     struct mbuf *m, struct bwn_txhdr *txhdr, uint16_t cookie)
6398 {
6399 	const struct bwn_phy *phy = &mac->mac_phy;
6400 	struct bwn_softc *sc = mac->mac_sc;
6401 	struct ieee80211_frame *wh;
6402 	struct ieee80211_frame *protwh;
6403 	const struct ieee80211_txparam *tp = ni->ni_txparms;
6404 	struct ieee80211vap *vap = ni->ni_vap;
6405 	struct ieee80211com *ic = &sc->sc_ic;
6406 	struct mbuf *mprot;
6407 	uint8_t *prot_ptr;
6408 	unsigned int len;
6409 	uint32_t macctl = 0;
6410 	int rts_rate, rts_rate_fb, ismcast, isshort, rix, type;
6411 	uint16_t phyctl = 0;
6412 	uint8_t rate, rate_fb;
6413 	int fill_phy_ctl1 = 0;
6414 
6415 	wh = mtod(m, struct ieee80211_frame *);
6416 	memset(txhdr, 0, sizeof(*txhdr));
6417 
6418 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
6419 	ismcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
6420 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
6421 
6422 	if ((phy->type == BWN_PHYTYPE_N) || (phy->type == BWN_PHYTYPE_LP)
6423 	    || (phy->type == BWN_PHYTYPE_HT))
6424 		fill_phy_ctl1 = 1;
6425 
6426 	/*
6427 	 * Find TX rate
6428 	 */
6429 	if (type != IEEE80211_FC0_TYPE_DATA || (m->m_flags & M_EAPOL))
6430 		rate = rate_fb = tp->mgmtrate;
6431 	else if (ismcast)
6432 		rate = rate_fb = tp->mcastrate;
6433 	else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
6434 		rate = rate_fb = tp->ucastrate;
6435 	else {
6436 		rix = ieee80211_ratectl_rate(ni, NULL, 0);
6437 		rate = ni->ni_txrate;
6438 
6439 		if (rix > 0)
6440 			rate_fb = ni->ni_rates.rs_rates[rix - 1] &
6441 			    IEEE80211_RATE_VAL;
6442 		else
6443 			rate_fb = rate;
6444 	}
6445 
6446 	sc->sc_tx_rate = rate;
6447 
6448 	/* Note: this maps the select ieee80211 rate to hardware rate */
6449 	rate = bwn_ieeerate2hwrate(sc, rate);
6450 	rate_fb = bwn_ieeerate2hwrate(sc, rate_fb);
6451 
6452 	txhdr->phyrate = (BWN_ISOFDMRATE(rate)) ? bwn_plcp_getofdm(rate) :
6453 	    bwn_plcp_getcck(rate);
6454 	bcopy(wh->i_fc, txhdr->macfc, sizeof(txhdr->macfc));
6455 	bcopy(wh->i_addr1, txhdr->addr1, IEEE80211_ADDR_LEN);
6456 
6457 	/* XXX rate/rate_fb is the hardware rate */
6458 	if ((rate_fb == rate) ||
6459 	    (*(u_int16_t *)wh->i_dur & htole16(0x8000)) ||
6460 	    (*(u_int16_t *)wh->i_dur == htole16(0)))
6461 		txhdr->dur_fb = *(u_int16_t *)wh->i_dur;
6462 	else
6463 		txhdr->dur_fb = ieee80211_compute_duration(ic->ic_rt,
6464 		    m->m_pkthdr.len, rate, isshort);
6465 
6466 	/* XXX TX encryption */
6467 
6468 	switch (mac->mac_fw.fw_hdr_format) {
6469 	case BWN_FW_HDR_351:
6470 		bwn_plcp_genhdr((struct bwn_plcp4 *)(&txhdr->body.r351.plcp),
6471 		    m->m_pkthdr.len + IEEE80211_CRC_LEN, rate);
6472 		break;
6473 	case BWN_FW_HDR_410:
6474 		bwn_plcp_genhdr((struct bwn_plcp4 *)(&txhdr->body.r410.plcp),
6475 		    m->m_pkthdr.len + IEEE80211_CRC_LEN, rate);
6476 		break;
6477 	case BWN_FW_HDR_598:
6478 		bwn_plcp_genhdr((struct bwn_plcp4 *)(&txhdr->body.r598.plcp),
6479 		    m->m_pkthdr.len + IEEE80211_CRC_LEN, rate);
6480 		break;
6481 	}
6482 
6483 	bwn_plcp_genhdr((struct bwn_plcp4 *)(&txhdr->plcp_fb),
6484 	    m->m_pkthdr.len + IEEE80211_CRC_LEN, rate_fb);
6485 
6486 	txhdr->eftypes |= (BWN_ISOFDMRATE(rate_fb)) ? BWN_TX_EFT_FB_OFDM :
6487 	    BWN_TX_EFT_FB_CCK;
6488 	txhdr->chan = phy->chan;
6489 	phyctl |= (BWN_ISOFDMRATE(rate)) ? BWN_TX_PHY_ENC_OFDM :
6490 	    BWN_TX_PHY_ENC_CCK;
6491 	/* XXX preamble? obey net80211 */
6492 	if (isshort && (rate == BWN_CCK_RATE_2MB || rate == BWN_CCK_RATE_5MB ||
6493 	     rate == BWN_CCK_RATE_11MB))
6494 		phyctl |= BWN_TX_PHY_SHORTPRMBL;
6495 
6496 	if (! phy->gmode)
6497 		macctl |= BWN_TX_MAC_5GHZ;
6498 
6499 	/* XXX TX antenna selection */
6500 
6501 	switch (bwn_antenna_sanitize(mac, 0)) {
6502 	case 0:
6503 		phyctl |= BWN_TX_PHY_ANT01AUTO;
6504 		break;
6505 	case 1:
6506 		phyctl |= BWN_TX_PHY_ANT0;
6507 		break;
6508 	case 2:
6509 		phyctl |= BWN_TX_PHY_ANT1;
6510 		break;
6511 	case 3:
6512 		phyctl |= BWN_TX_PHY_ANT2;
6513 		break;
6514 	case 4:
6515 		phyctl |= BWN_TX_PHY_ANT3;
6516 		break;
6517 	default:
6518 		KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
6519 	}
6520 
6521 	if (!ismcast)
6522 		macctl |= BWN_TX_MAC_ACK;
6523 
6524 	macctl |= (BWN_TX_MAC_HWSEQ | BWN_TX_MAC_START_MSDU);
6525 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
6526 	    m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold)
6527 		macctl |= BWN_TX_MAC_LONGFRAME;
6528 
6529 	if ((ic->ic_flags & IEEE80211_F_USEPROT) &&
6530 	    ic->ic_protmode != IEEE80211_PROT_NONE) {
6531 		/* Note: don't fall back to CCK rates for 5G */
6532 		if (phy->gmode)
6533 			rts_rate = BWN_CCK_RATE_1MB;
6534 		else
6535 			rts_rate = BWN_OFDM_RATE_6MB;
6536 		rts_rate_fb = bwn_get_fbrate(rts_rate);
6537 
6538 		/* XXX 'rate' here is hardware rate now, not the net80211 rate */
6539 		mprot = ieee80211_alloc_prot(ni, m, rate, ic->ic_protmode);
6540 		if (mprot == NULL) {
6541 			if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS, 1);
6542 			device_printf(sc->sc_dev,
6543 			    "could not allocate mbuf for protection mode %d\n",
6544 			    ic->ic_protmode);
6545 			return (ENOBUFS);
6546 		}
6547 
6548 		switch (mac->mac_fw.fw_hdr_format) {
6549 		case BWN_FW_HDR_351:
6550 			prot_ptr = txhdr->body.r351.rts_frame;
6551 			break;
6552 		case BWN_FW_HDR_410:
6553 			prot_ptr = txhdr->body.r410.rts_frame;
6554 			break;
6555 		case BWN_FW_HDR_598:
6556 			prot_ptr = txhdr->body.r598.rts_frame;
6557 			break;
6558 		}
6559 
6560 		bcopy(mtod(mprot, uint8_t *), prot_ptr, mprot->m_pkthdr.len);
6561 		m_freem(mprot);
6562 
6563 		if (ic->ic_protmode == IEEE80211_PROT_CTSONLY) {
6564 			macctl |= BWN_TX_MAC_SEND_CTSTOSELF;
6565 			len = sizeof(struct ieee80211_frame_cts);
6566 		} else {
6567 			macctl |= BWN_TX_MAC_SEND_RTSCTS;
6568 			len = sizeof(struct ieee80211_frame_rts);
6569 		}
6570 		len += IEEE80211_CRC_LEN;
6571 
6572 		switch (mac->mac_fw.fw_hdr_format) {
6573 		case BWN_FW_HDR_351:
6574 			bwn_plcp_genhdr((struct bwn_plcp4 *)
6575 			    &txhdr->body.r351.rts_plcp, len, rts_rate);
6576 			break;
6577 		case BWN_FW_HDR_410:
6578 			bwn_plcp_genhdr((struct bwn_plcp4 *)
6579 			    &txhdr->body.r410.rts_plcp, len, rts_rate);
6580 			break;
6581 		case BWN_FW_HDR_598:
6582 			bwn_plcp_genhdr((struct bwn_plcp4 *)
6583 			    &txhdr->body.r598.rts_plcp, len, rts_rate);
6584 			break;
6585 		}
6586 
6587 		bwn_plcp_genhdr((struct bwn_plcp4 *)&txhdr->rts_plcp_fb, len,
6588 		    rts_rate_fb);
6589 
6590 		switch (mac->mac_fw.fw_hdr_format) {
6591 		case BWN_FW_HDR_351:
6592 			protwh = (struct ieee80211_frame *)
6593 			    &txhdr->body.r351.rts_frame;
6594 			break;
6595 		case BWN_FW_HDR_410:
6596 			protwh = (struct ieee80211_frame *)
6597 			    &txhdr->body.r410.rts_frame;
6598 			break;
6599 		case BWN_FW_HDR_598:
6600 			protwh = (struct ieee80211_frame *)
6601 			    &txhdr->body.r598.rts_frame;
6602 			break;
6603 		}
6604 
6605 		txhdr->rts_dur_fb = *(u_int16_t *)protwh->i_dur;
6606 
6607 		if (BWN_ISOFDMRATE(rts_rate)) {
6608 			txhdr->eftypes |= BWN_TX_EFT_RTS_OFDM;
6609 			txhdr->phyrate_rts = bwn_plcp_getofdm(rts_rate);
6610 		} else {
6611 			txhdr->eftypes |= BWN_TX_EFT_RTS_CCK;
6612 			txhdr->phyrate_rts = bwn_plcp_getcck(rts_rate);
6613 		}
6614 		txhdr->eftypes |= (BWN_ISOFDMRATE(rts_rate_fb)) ?
6615 		    BWN_TX_EFT_RTS_FBOFDM : BWN_TX_EFT_RTS_FBCCK;
6616 
6617 		if (fill_phy_ctl1) {
6618 			txhdr->phyctl_1rts = htole16(bwn_set_txhdr_phyctl1(mac, rts_rate));
6619 			txhdr->phyctl_1rtsfb = htole16(bwn_set_txhdr_phyctl1(mac, rts_rate_fb));
6620 		}
6621 	}
6622 
6623 	if (fill_phy_ctl1) {
6624 		txhdr->phyctl_1 = htole16(bwn_set_txhdr_phyctl1(mac, rate));
6625 		txhdr->phyctl_1fb = htole16(bwn_set_txhdr_phyctl1(mac, rate_fb));
6626 	}
6627 
6628 	switch (mac->mac_fw.fw_hdr_format) {
6629 	case BWN_FW_HDR_351:
6630 		txhdr->body.r351.cookie = htole16(cookie);
6631 		break;
6632 	case BWN_FW_HDR_410:
6633 		txhdr->body.r410.cookie = htole16(cookie);
6634 		break;
6635 	case BWN_FW_HDR_598:
6636 		txhdr->body.r598.cookie = htole16(cookie);
6637 		break;
6638 	}
6639 
6640 	txhdr->macctl = htole32(macctl);
6641 	txhdr->phyctl = htole16(phyctl);
6642 
6643 	/*
6644 	 * TX radio tap
6645 	 */
6646 	if (ieee80211_radiotap_active_vap(vap)) {
6647 		sc->sc_tx_th.wt_flags = 0;
6648 		if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)
6649 			sc->sc_tx_th.wt_flags |= IEEE80211_RADIOTAP_F_WEP;
6650 		if (isshort &&
6651 		    (rate == BWN_CCK_RATE_2MB || rate == BWN_CCK_RATE_5MB ||
6652 		     rate == BWN_CCK_RATE_11MB))
6653 			sc->sc_tx_th.wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
6654 		sc->sc_tx_th.wt_rate = rate;
6655 
6656 		ieee80211_radiotap_tx(vap, m);
6657 	}
6658 
6659 	return (0);
6660 }
6661 
6662 static void
6663 bwn_plcp_genhdr(struct bwn_plcp4 *plcp, const uint16_t octets,
6664     const uint8_t rate)
6665 {
6666 	uint32_t d, plen;
6667 	uint8_t *raw = plcp->o.raw;
6668 
6669 	if (BWN_ISOFDMRATE(rate)) {
6670 		d = bwn_plcp_getofdm(rate);
6671 		KASSERT(!(octets & 0xf000),
6672 		    ("%s:%d: fail", __func__, __LINE__));
6673 		d |= (octets << 5);
6674 		plcp->o.data = htole32(d);
6675 	} else {
6676 		plen = octets * 16 / rate;
6677 		if ((octets * 16 % rate) > 0) {
6678 			plen++;
6679 			if ((rate == BWN_CCK_RATE_11MB)
6680 			    && ((octets * 8 % 11) < 4)) {
6681 				raw[1] = 0x84;
6682 			} else
6683 				raw[1] = 0x04;
6684 		} else
6685 			raw[1] = 0x04;
6686 		plcp->o.data |= htole32(plen << 16);
6687 		raw[0] = bwn_plcp_getcck(rate);
6688 	}
6689 }
6690 
6691 static uint8_t
6692 bwn_antenna_sanitize(struct bwn_mac *mac, uint8_t n)
6693 {
6694 	struct bwn_softc *sc = mac->mac_sc;
6695 	uint8_t mask;
6696 
6697 	if (n == 0)
6698 		return (0);
6699 	if (mac->mac_phy.gmode)
6700 		mask = sc->sc_ant2g;
6701 	else
6702 		mask = sc->sc_ant5g;
6703 	if (!(mask & (1 << (n - 1))))
6704 		return (0);
6705 	return (n);
6706 }
6707 
6708 /*
6709  * Return a fallback rate for the given rate.
6710  *
6711  * Note: Don't fall back from OFDM to CCK.
6712  */
6713 static uint8_t
6714 bwn_get_fbrate(uint8_t bitrate)
6715 {
6716 	switch (bitrate) {
6717 	/* CCK */
6718 	case BWN_CCK_RATE_1MB:
6719 		return (BWN_CCK_RATE_1MB);
6720 	case BWN_CCK_RATE_2MB:
6721 		return (BWN_CCK_RATE_1MB);
6722 	case BWN_CCK_RATE_5MB:
6723 		return (BWN_CCK_RATE_2MB);
6724 	case BWN_CCK_RATE_11MB:
6725 		return (BWN_CCK_RATE_5MB);
6726 
6727 	/* OFDM */
6728 	case BWN_OFDM_RATE_6MB:
6729 		return (BWN_OFDM_RATE_6MB);
6730 	case BWN_OFDM_RATE_9MB:
6731 		return (BWN_OFDM_RATE_6MB);
6732 	case BWN_OFDM_RATE_12MB:
6733 		return (BWN_OFDM_RATE_9MB);
6734 	case BWN_OFDM_RATE_18MB:
6735 		return (BWN_OFDM_RATE_12MB);
6736 	case BWN_OFDM_RATE_24MB:
6737 		return (BWN_OFDM_RATE_18MB);
6738 	case BWN_OFDM_RATE_36MB:
6739 		return (BWN_OFDM_RATE_24MB);
6740 	case BWN_OFDM_RATE_48MB:
6741 		return (BWN_OFDM_RATE_36MB);
6742 	case BWN_OFDM_RATE_54MB:
6743 		return (BWN_OFDM_RATE_48MB);
6744 	}
6745 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
6746 	return (0);
6747 }
6748 
6749 static uint32_t
6750 bwn_pio_write_multi_4(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
6751     uint32_t ctl, const void *_data, int len)
6752 {
6753 	struct bwn_softc *sc = mac->mac_sc;
6754 	uint32_t value = 0;
6755 	const uint8_t *data = _data;
6756 
6757 	ctl |= BWN_PIO8_TXCTL_0_7 | BWN_PIO8_TXCTL_8_15 |
6758 	    BWN_PIO8_TXCTL_16_23 | BWN_PIO8_TXCTL_24_31;
6759 	bwn_pio_write_4(mac, tq, BWN_PIO8_TXCTL, ctl);
6760 
6761 	bus_write_multi_4(sc->sc_mem_res, tq->tq_base + BWN_PIO8_TXDATA,
6762 	    __DECONST(void *, data), (len & ~3));
6763 	if (len & 3) {
6764 		ctl &= ~(BWN_PIO8_TXCTL_8_15 | BWN_PIO8_TXCTL_16_23 |
6765 		    BWN_PIO8_TXCTL_24_31);
6766 		data = &(data[len - 1]);
6767 		switch (len & 3) {
6768 		case 3:
6769 			ctl |= BWN_PIO8_TXCTL_16_23;
6770 			value |= (uint32_t)(*data) << 16;
6771 			data--;
6772 		case 2:
6773 			ctl |= BWN_PIO8_TXCTL_8_15;
6774 			value |= (uint32_t)(*data) << 8;
6775 			data--;
6776 		case 1:
6777 			value |= (uint32_t)(*data);
6778 		}
6779 		bwn_pio_write_4(mac, tq, BWN_PIO8_TXCTL, ctl);
6780 		bwn_pio_write_4(mac, tq, BWN_PIO8_TXDATA, value);
6781 	}
6782 
6783 	return (ctl);
6784 }
6785 
6786 static void
6787 bwn_pio_write_4(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
6788     uint16_t offset, uint32_t value)
6789 {
6790 
6791 	BWN_WRITE_4(mac, tq->tq_base + offset, value);
6792 }
6793 
6794 static uint16_t
6795 bwn_pio_write_multi_2(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
6796     uint16_t ctl, const void *_data, int len)
6797 {
6798 	struct bwn_softc *sc = mac->mac_sc;
6799 	const uint8_t *data = _data;
6800 
6801 	ctl |= BWN_PIO_TXCTL_WRITELO | BWN_PIO_TXCTL_WRITEHI;
6802 	BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXCTL, ctl);
6803 
6804 	bus_write_multi_2(sc->sc_mem_res, tq->tq_base + BWN_PIO_TXDATA,
6805 	    __DECONST(void *, data), (len & ~1));
6806 	if (len & 1) {
6807 		ctl &= ~BWN_PIO_TXCTL_WRITEHI;
6808 		BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXCTL, ctl);
6809 		BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXDATA, data[len - 1]);
6810 	}
6811 
6812 	return (ctl);
6813 }
6814 
6815 static uint16_t
6816 bwn_pio_write_mbuf_2(struct bwn_mac *mac, struct bwn_pio_txqueue *tq,
6817     uint16_t ctl, struct mbuf *m0)
6818 {
6819 	int i, j = 0;
6820 	uint16_t data = 0;
6821 	const uint8_t *buf;
6822 	struct mbuf *m = m0;
6823 
6824 	ctl |= BWN_PIO_TXCTL_WRITELO | BWN_PIO_TXCTL_WRITEHI;
6825 	BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXCTL, ctl);
6826 
6827 	for (; m != NULL; m = m->m_next) {
6828 		buf = mtod(m, const uint8_t *);
6829 		for (i = 0; i < m->m_len; i++) {
6830 			if (!((j++) % 2))
6831 				data |= buf[i];
6832 			else {
6833 				data |= (buf[i] << 8);
6834 				BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXDATA, data);
6835 				data = 0;
6836 			}
6837 		}
6838 	}
6839 	if (m0->m_pkthdr.len % 2) {
6840 		ctl &= ~BWN_PIO_TXCTL_WRITEHI;
6841 		BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXCTL, ctl);
6842 		BWN_PIO_WRITE_2(mac, tq, BWN_PIO_TXDATA, data);
6843 	}
6844 
6845 	return (ctl);
6846 }
6847 
6848 static void
6849 bwn_set_slot_time(struct bwn_mac *mac, uint16_t time)
6850 {
6851 
6852 	/* XXX should exit if 5GHz band .. */
6853 	if (mac->mac_phy.type != BWN_PHYTYPE_G)
6854 		return;
6855 
6856 	BWN_WRITE_2(mac, 0x684, 510 + time);
6857 	/* Disabled in Linux b43, can adversely effect performance */
6858 #if 0
6859 	bwn_shm_write_2(mac, BWN_SHARED, 0x0010, time);
6860 #endif
6861 }
6862 
6863 static struct bwn_dma_ring *
6864 bwn_dma_select(struct bwn_mac *mac, uint8_t prio)
6865 {
6866 
6867 	if ((mac->mac_flags & BWN_MAC_FLAG_WME) == 0)
6868 		return (mac->mac_method.dma.wme[WME_AC_BE]);
6869 
6870 	switch (prio) {
6871 	case 3:
6872 		return (mac->mac_method.dma.wme[WME_AC_VO]);
6873 	case 2:
6874 		return (mac->mac_method.dma.wme[WME_AC_VI]);
6875 	case 0:
6876 		return (mac->mac_method.dma.wme[WME_AC_BE]);
6877 	case 1:
6878 		return (mac->mac_method.dma.wme[WME_AC_BK]);
6879 	}
6880 	KASSERT(0 == 1, ("%s:%d: fail", __func__, __LINE__));
6881 	return (NULL);
6882 }
6883 
6884 static int
6885 bwn_dma_getslot(struct bwn_dma_ring *dr)
6886 {
6887 	int slot;
6888 
6889 	BWN_ASSERT_LOCKED(dr->dr_mac->mac_sc);
6890 
6891 	KASSERT(dr->dr_tx, ("%s:%d: fail", __func__, __LINE__));
6892 	KASSERT(!(dr->dr_stop), ("%s:%d: fail", __func__, __LINE__));
6893 	KASSERT(bwn_dma_freeslot(dr) != 0, ("%s:%d: fail", __func__, __LINE__));
6894 
6895 	slot = bwn_dma_nextslot(dr, dr->dr_curslot);
6896 	KASSERT(!(slot & ~0x0fff), ("%s:%d: fail", __func__, __LINE__));
6897 	dr->dr_curslot = slot;
6898 	dr->dr_usedslot++;
6899 
6900 	return (slot);
6901 }
6902 
6903 static struct bwn_pio_txqueue *
6904 bwn_pio_parse_cookie(struct bwn_mac *mac, uint16_t cookie,
6905     struct bwn_pio_txpkt **pack)
6906 {
6907 	struct bwn_pio *pio = &mac->mac_method.pio;
6908 	struct bwn_pio_txqueue *tq = NULL;
6909 	unsigned int index;
6910 
6911 	switch (cookie & 0xf000) {
6912 	case 0x1000:
6913 		tq = &pio->wme[WME_AC_BK];
6914 		break;
6915 	case 0x2000:
6916 		tq = &pio->wme[WME_AC_BE];
6917 		break;
6918 	case 0x3000:
6919 		tq = &pio->wme[WME_AC_VI];
6920 		break;
6921 	case 0x4000:
6922 		tq = &pio->wme[WME_AC_VO];
6923 		break;
6924 	case 0x5000:
6925 		tq = &pio->mcast;
6926 		break;
6927 	}
6928 	KASSERT(tq != NULL, ("%s:%d: fail", __func__, __LINE__));
6929 	if (tq == NULL)
6930 		return (NULL);
6931 	index = (cookie & 0x0fff);
6932 	KASSERT(index < N(tq->tq_pkts), ("%s:%d: fail", __func__, __LINE__));
6933 	if (index >= N(tq->tq_pkts))
6934 		return (NULL);
6935 	*pack = &tq->tq_pkts[index];
6936 	KASSERT(*pack != NULL, ("%s:%d: fail", __func__, __LINE__));
6937 	return (tq);
6938 }
6939 
6940 static void
6941 bwn_txpwr(void *arg, int npending)
6942 {
6943 	struct bwn_mac *mac = arg;
6944 	struct bwn_softc *sc;
6945 
6946 	if (mac == NULL)
6947 		return;
6948 
6949 	sc = mac->mac_sc;
6950 
6951 	BWN_LOCK(sc);
6952 	if (mac->mac_status >= BWN_MAC_STATUS_STARTED &&
6953 	    mac->mac_phy.set_txpwr != NULL)
6954 		mac->mac_phy.set_txpwr(mac);
6955 	BWN_UNLOCK(sc);
6956 }
6957 
6958 static void
6959 bwn_task_15s(struct bwn_mac *mac)
6960 {
6961 	uint16_t reg;
6962 
6963 	if (mac->mac_fw.opensource) {
6964 		reg = bwn_shm_read_2(mac, BWN_SCRATCH, BWN_WATCHDOG_REG);
6965 		if (reg) {
6966 			bwn_restart(mac, "fw watchdog");
6967 			return;
6968 		}
6969 		bwn_shm_write_2(mac, BWN_SCRATCH, BWN_WATCHDOG_REG, 1);
6970 	}
6971 	if (mac->mac_phy.task_15s)
6972 		mac->mac_phy.task_15s(mac);
6973 
6974 	mac->mac_phy.txerrors = BWN_TXERROR_MAX;
6975 }
6976 
6977 static void
6978 bwn_task_30s(struct bwn_mac *mac)
6979 {
6980 
6981 	if (mac->mac_phy.type != BWN_PHYTYPE_G || mac->mac_noise.noi_running)
6982 		return;
6983 	mac->mac_noise.noi_running = 1;
6984 	mac->mac_noise.noi_nsamples = 0;
6985 
6986 	bwn_noise_gensample(mac);
6987 }
6988 
6989 static void
6990 bwn_task_60s(struct bwn_mac *mac)
6991 {
6992 
6993 	if (mac->mac_phy.task_60s)
6994 		mac->mac_phy.task_60s(mac);
6995 	bwn_phy_txpower_check(mac, BWN_TXPWR_IGNORE_TIME);
6996 }
6997 
6998 static void
6999 bwn_tasks(void *arg)
7000 {
7001 	struct bwn_mac *mac = arg;
7002 	struct bwn_softc *sc = mac->mac_sc;
7003 
7004 	BWN_ASSERT_LOCKED(sc);
7005 	if (mac->mac_status != BWN_MAC_STATUS_STARTED)
7006 		return;
7007 
7008 	if (mac->mac_task_state % 4 == 0)
7009 		bwn_task_60s(mac);
7010 	if (mac->mac_task_state % 2 == 0)
7011 		bwn_task_30s(mac);
7012 	bwn_task_15s(mac);
7013 
7014 	mac->mac_task_state++;
7015 	callout_reset(&sc->sc_task_ch, hz * 15, bwn_tasks, mac);
7016 }
7017 
7018 static int
7019 bwn_plcp_get_ofdmrate(struct bwn_mac *mac, struct bwn_plcp6 *plcp, uint8_t a)
7020 {
7021 	struct bwn_softc *sc = mac->mac_sc;
7022 
7023 	KASSERT(a == 0, ("not support APHY\n"));
7024 
7025 	switch (plcp->o.raw[0] & 0xf) {
7026 	case 0xb:
7027 		return (BWN_OFDM_RATE_6MB);
7028 	case 0xf:
7029 		return (BWN_OFDM_RATE_9MB);
7030 	case 0xa:
7031 		return (BWN_OFDM_RATE_12MB);
7032 	case 0xe:
7033 		return (BWN_OFDM_RATE_18MB);
7034 	case 0x9:
7035 		return (BWN_OFDM_RATE_24MB);
7036 	case 0xd:
7037 		return (BWN_OFDM_RATE_36MB);
7038 	case 0x8:
7039 		return (BWN_OFDM_RATE_48MB);
7040 	case 0xc:
7041 		return (BWN_OFDM_RATE_54MB);
7042 	}
7043 	device_printf(sc->sc_dev, "incorrect OFDM rate %d\n",
7044 	    plcp->o.raw[0] & 0xf);
7045 	return (-1);
7046 }
7047 
7048 static int
7049 bwn_plcp_get_cckrate(struct bwn_mac *mac, struct bwn_plcp6 *plcp)
7050 {
7051 	struct bwn_softc *sc = mac->mac_sc;
7052 
7053 	switch (plcp->o.raw[0]) {
7054 	case 0x0a:
7055 		return (BWN_CCK_RATE_1MB);
7056 	case 0x14:
7057 		return (BWN_CCK_RATE_2MB);
7058 	case 0x37:
7059 		return (BWN_CCK_RATE_5MB);
7060 	case 0x6e:
7061 		return (BWN_CCK_RATE_11MB);
7062 	}
7063 	device_printf(sc->sc_dev, "incorrect CCK rate %d\n", plcp->o.raw[0]);
7064 	return (-1);
7065 }
7066 
7067 static void
7068 bwn_rx_radiotap(struct bwn_mac *mac, struct mbuf *m,
7069     const struct bwn_rxhdr4 *rxhdr, struct bwn_plcp6 *plcp, int rate,
7070     int rssi, int noise)
7071 {
7072 	struct bwn_softc *sc = mac->mac_sc;
7073 	const struct ieee80211_frame_min *wh;
7074 	uint64_t tsf;
7075 	uint16_t low_mactime_now;
7076 	uint16_t mt;
7077 
7078 	if (htole16(rxhdr->phy_status0) & BWN_RX_PHYST0_SHORTPRMBL)
7079 		sc->sc_rx_th.wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
7080 
7081 	wh = mtod(m, const struct ieee80211_frame_min *);
7082 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)
7083 		sc->sc_rx_th.wr_flags |= IEEE80211_RADIOTAP_F_WEP;
7084 
7085 	bwn_tsf_read(mac, &tsf);
7086 	low_mactime_now = tsf;
7087 	tsf = tsf & ~0xffffULL;
7088 
7089 	switch (mac->mac_fw.fw_hdr_format) {
7090 	case BWN_FW_HDR_351:
7091 	case BWN_FW_HDR_410:
7092 		mt = le16toh(rxhdr->ps4.r351.mac_time);
7093 		break;
7094 	case BWN_FW_HDR_598:
7095 		mt = le16toh(rxhdr->ps4.r598.mac_time);
7096 		break;
7097 	}
7098 
7099 	tsf += mt;
7100 	if (low_mactime_now < mt)
7101 		tsf -= 0x10000;
7102 
7103 	sc->sc_rx_th.wr_tsf = tsf;
7104 	sc->sc_rx_th.wr_rate = rate;
7105 	sc->sc_rx_th.wr_antsignal = rssi;
7106 	sc->sc_rx_th.wr_antnoise = noise;
7107 }
7108 
7109 static void
7110 bwn_tsf_read(struct bwn_mac *mac, uint64_t *tsf)
7111 {
7112 	uint32_t low, high;
7113 
7114 	KASSERT(bhnd_get_hwrev(mac->mac_sc->sc_dev) >= 3,
7115 	    ("%s:%d: fail", __func__, __LINE__));
7116 
7117 	low = BWN_READ_4(mac, BWN_REV3PLUS_TSF_LOW);
7118 	high = BWN_READ_4(mac, BWN_REV3PLUS_TSF_HIGH);
7119 	*tsf = high;
7120 	*tsf <<= 32;
7121 	*tsf |= low;
7122 }
7123 
7124 static int
7125 bwn_dma_attach(struct bwn_mac *mac)
7126 {
7127 	struct bwn_dma			*dma;
7128 	struct bwn_softc		*sc;
7129 	struct bhnd_dma_translation	*dt, dma_translation;
7130 	bhnd_addr_t			 addrext_req;
7131 	bus_dma_tag_t			 dmat;
7132 	bus_addr_t			 lowaddr;
7133 	u_int				 addrext_shift, addr_width;
7134 	int				 error;
7135 
7136 	dma = &mac->mac_method.dma;
7137 	sc = mac->mac_sc;
7138 	dt = NULL;
7139 
7140 	if (sc->sc_quirks & BWN_QUIRK_NODMA)
7141 		return (0);
7142 
7143 	KASSERT(bhnd_get_hwrev(sc->sc_dev) >= 5, ("%s: fail", __func__));
7144 
7145 	/* Use the DMA engine's maximum host address width to determine the
7146 	 * addrext constraints, and supported device address width. */
7147 	switch (mac->mac_dmatype) {
7148 	case BHND_DMA_ADDR_30BIT:
7149 		/* 32-bit engine without addrext support */
7150 		addrext_req = 0x0;
7151 		addrext_shift = 0;
7152 
7153 		/* We can address the full 32-bit device address space */
7154 		addr_width = BHND_DMA_ADDR_32BIT;
7155 		break;
7156 
7157 	case BHND_DMA_ADDR_32BIT:
7158 		/* 32-bit engine with addrext support */
7159 		addrext_req = BWN_DMA32_ADDREXT_MASK;
7160 		addrext_shift = BWN_DMA32_ADDREXT_SHIFT;
7161 		addr_width = BHND_DMA_ADDR_32BIT;
7162 		break;
7163 
7164 	case BHND_DMA_ADDR_64BIT:
7165 		/* 64-bit engine with addrext support */
7166 		addrext_req = BWN_DMA64_ADDREXT_MASK;
7167 		addrext_shift = BWN_DMA64_ADDREXT_SHIFT;
7168 		addr_width = BHND_DMA_ADDR_64BIT;
7169 		break;
7170 
7171 	default:
7172 		device_printf(sc->sc_dev, "unsupported DMA address width: %d\n",
7173 		    mac->mac_dmatype);
7174 		return (ENXIO);
7175 	}
7176 
7177 	/* Fetch our device->host DMA translation and tag */
7178 	error = bhnd_get_dma_translation(sc->sc_dev, addr_width, 0, &dmat,
7179 	    &dma_translation);
7180 	if (error) {
7181 		device_printf(sc->sc_dev, "error fetching DMA translation: "
7182 		    "%d\n", error);
7183 		return (error);
7184 	}
7185 
7186 	/* Verify that our DMA engine's addrext constraints are compatible with
7187 	 * our DMA translation */
7188 	if (addrext_req != 0x0 &&
7189 	    (dma_translation.addrext_mask & addrext_req) != addrext_req)
7190 	{
7191 		device_printf(sc->sc_dev, "bus addrext mask %#jx incompatible "
7192 		    "with device addrext mask %#jx, disabling extended address "
7193 		    "support\n", (uintmax_t)dma_translation.addrext_mask,
7194 		    (uintmax_t)addrext_req);
7195 
7196 		addrext_req = 0x0;
7197 		addrext_shift = 0;
7198 	}
7199 
7200 	/* Apply our addrext translation constraint */
7201 	dma_translation.addrext_mask = addrext_req;
7202 
7203 	/* Initialize our DMA engine configuration */
7204 	mac->mac_flags |= BWN_MAC_FLAG_DMA;
7205 
7206 	dma->addrext_shift = addrext_shift;
7207 	dma->translation = dma_translation;
7208 
7209 	dt = &dma->translation;
7210 
7211 	/* Dermine our translation's maximum supported address */
7212 	lowaddr = MIN((dt->addr_mask | dt->addrext_mask), BUS_SPACE_MAXADDR);
7213 
7214 	/*
7215 	 * Create top level DMA tag
7216 	 */
7217 	error = bus_dma_tag_create(dmat,		/* parent */
7218 			       BWN_ALIGN, 0,		/* alignment, bounds */
7219 			       lowaddr,			/* lowaddr */
7220 			       BUS_SPACE_MAXADDR,	/* highaddr */
7221 			       NULL, NULL,		/* filter, filterarg */
7222 			       BUS_SPACE_MAXSIZE,	/* maxsize */
7223 			       BUS_SPACE_UNRESTRICTED,	/* nsegments */
7224 			       BUS_SPACE_MAXSIZE,	/* maxsegsize */
7225 			       0,			/* flags */
7226 			       NULL, NULL,		/* lockfunc, lockarg */
7227 			       &dma->parent_dtag);
7228 	if (error) {
7229 		device_printf(sc->sc_dev, "can't create parent DMA tag\n");
7230 		return (error);
7231 	}
7232 
7233 	/*
7234 	 * Create TX/RX mbuf DMA tag
7235 	 */
7236 	error = bus_dma_tag_create(dma->parent_dtag,
7237 				1,
7238 				0,
7239 				BUS_SPACE_MAXADDR,
7240 				BUS_SPACE_MAXADDR,
7241 				NULL, NULL,
7242 				MCLBYTES,
7243 				1,
7244 				BUS_SPACE_MAXSIZE_32BIT,
7245 				0,
7246 				NULL, NULL,
7247 				&dma->rxbuf_dtag);
7248 	if (error) {
7249 		device_printf(sc->sc_dev, "can't create mbuf DMA tag\n");
7250 		goto fail0;
7251 	}
7252 	error = bus_dma_tag_create(dma->parent_dtag,
7253 				1,
7254 				0,
7255 				BUS_SPACE_MAXADDR,
7256 				BUS_SPACE_MAXADDR,
7257 				NULL, NULL,
7258 				MCLBYTES,
7259 				1,
7260 				BUS_SPACE_MAXSIZE_32BIT,
7261 				0,
7262 				NULL, NULL,
7263 				&dma->txbuf_dtag);
7264 	if (error) {
7265 		device_printf(sc->sc_dev, "can't create mbuf DMA tag\n");
7266 		goto fail1;
7267 	}
7268 
7269 	dma->wme[WME_AC_BK] = bwn_dma_ringsetup(mac, 0, 1);
7270 	if (!dma->wme[WME_AC_BK])
7271 		goto fail2;
7272 
7273 	dma->wme[WME_AC_BE] = bwn_dma_ringsetup(mac, 1, 1);
7274 	if (!dma->wme[WME_AC_BE])
7275 		goto fail3;
7276 
7277 	dma->wme[WME_AC_VI] = bwn_dma_ringsetup(mac, 2, 1);
7278 	if (!dma->wme[WME_AC_VI])
7279 		goto fail4;
7280 
7281 	dma->wme[WME_AC_VO] = bwn_dma_ringsetup(mac, 3, 1);
7282 	if (!dma->wme[WME_AC_VO])
7283 		goto fail5;
7284 
7285 	dma->mcast = bwn_dma_ringsetup(mac, 4, 1);
7286 	if (!dma->mcast)
7287 		goto fail6;
7288 	dma->rx = bwn_dma_ringsetup(mac, 0, 0);
7289 	if (!dma->rx)
7290 		goto fail7;
7291 
7292 	return (error);
7293 
7294 fail7:	bwn_dma_ringfree(&dma->mcast);
7295 fail6:	bwn_dma_ringfree(&dma->wme[WME_AC_VO]);
7296 fail5:	bwn_dma_ringfree(&dma->wme[WME_AC_VI]);
7297 fail4:	bwn_dma_ringfree(&dma->wme[WME_AC_BE]);
7298 fail3:	bwn_dma_ringfree(&dma->wme[WME_AC_BK]);
7299 fail2:	bus_dma_tag_destroy(dma->txbuf_dtag);
7300 fail1:	bus_dma_tag_destroy(dma->rxbuf_dtag);
7301 fail0:	bus_dma_tag_destroy(dma->parent_dtag);
7302 	return (error);
7303 }
7304 
7305 static struct bwn_dma_ring *
7306 bwn_dma_parse_cookie(struct bwn_mac *mac, const struct bwn_txstatus *status,
7307     uint16_t cookie, int *slot)
7308 {
7309 	struct bwn_dma *dma = &mac->mac_method.dma;
7310 	struct bwn_dma_ring *dr;
7311 	struct bwn_softc *sc = mac->mac_sc;
7312 
7313 	BWN_ASSERT_LOCKED(mac->mac_sc);
7314 
7315 	switch (cookie & 0xf000) {
7316 	case 0x1000:
7317 		dr = dma->wme[WME_AC_BK];
7318 		break;
7319 	case 0x2000:
7320 		dr = dma->wme[WME_AC_BE];
7321 		break;
7322 	case 0x3000:
7323 		dr = dma->wme[WME_AC_VI];
7324 		break;
7325 	case 0x4000:
7326 		dr = dma->wme[WME_AC_VO];
7327 		break;
7328 	case 0x5000:
7329 		dr = dma->mcast;
7330 		break;
7331 	default:
7332 		dr = NULL;
7333 		KASSERT(0 == 1,
7334 		    ("invalid cookie value %d", cookie & 0xf000));
7335 	}
7336 	*slot = (cookie & 0x0fff);
7337 	if (*slot < 0 || *slot >= dr->dr_numslots) {
7338 		/*
7339 		 * XXX FIXME: sometimes H/W returns TX DONE events duplicately
7340 		 * that it occurs events which have same H/W sequence numbers.
7341 		 * When it's occurred just prints a WARNING msgs and ignores.
7342 		 */
7343 		KASSERT(status->seq == dma->lastseq,
7344 		    ("%s:%d: fail", __func__, __LINE__));
7345 		device_printf(sc->sc_dev,
7346 		    "out of slot ranges (0 < %d < %d)\n", *slot,
7347 		    dr->dr_numslots);
7348 		return (NULL);
7349 	}
7350 	dma->lastseq = status->seq;
7351 	return (dr);
7352 }
7353 
7354 static void
7355 bwn_dma_stop(struct bwn_mac *mac)
7356 {
7357 	struct bwn_dma *dma;
7358 
7359 	if ((mac->mac_flags & BWN_MAC_FLAG_DMA) == 0)
7360 		return;
7361 	dma = &mac->mac_method.dma;
7362 
7363 	bwn_dma_ringstop(&dma->rx);
7364 	bwn_dma_ringstop(&dma->wme[WME_AC_BK]);
7365 	bwn_dma_ringstop(&dma->wme[WME_AC_BE]);
7366 	bwn_dma_ringstop(&dma->wme[WME_AC_VI]);
7367 	bwn_dma_ringstop(&dma->wme[WME_AC_VO]);
7368 	bwn_dma_ringstop(&dma->mcast);
7369 }
7370 
7371 static void
7372 bwn_dma_ringstop(struct bwn_dma_ring **dr)
7373 {
7374 
7375 	if (dr == NULL)
7376 		return;
7377 
7378 	bwn_dma_cleanup(*dr);
7379 }
7380 
7381 static void
7382 bwn_pio_stop(struct bwn_mac *mac)
7383 {
7384 	struct bwn_pio *pio;
7385 
7386 	if (mac->mac_flags & BWN_MAC_FLAG_DMA)
7387 		return;
7388 	pio = &mac->mac_method.pio;
7389 
7390 	bwn_destroy_queue_tx(&pio->mcast);
7391 	bwn_destroy_queue_tx(&pio->wme[WME_AC_VO]);
7392 	bwn_destroy_queue_tx(&pio->wme[WME_AC_VI]);
7393 	bwn_destroy_queue_tx(&pio->wme[WME_AC_BE]);
7394 	bwn_destroy_queue_tx(&pio->wme[WME_AC_BK]);
7395 }
7396 
7397 static int
7398 bwn_led_attach(struct bwn_mac *mac)
7399 {
7400 	struct bwn_softc *sc = mac->mac_sc;
7401 	const uint8_t *led_act = NULL;
7402 	int error;
7403 	int i;
7404 
7405 	sc->sc_led_idle = (2350 * hz) / 1000;
7406 	sc->sc_led_blink = 1;
7407 
7408 	for (i = 0; i < N(bwn_vendor_led_act); ++i) {
7409 		if (sc->sc_board_info.board_vendor ==
7410 		    bwn_vendor_led_act[i].vid) {
7411 			led_act = bwn_vendor_led_act[i].led_act;
7412 			break;
7413 		}
7414 	}
7415 	if (led_act == NULL)
7416 		led_act = bwn_default_led_act;
7417 
7418 	_Static_assert(nitems(bwn_led_vars) == BWN_LED_MAX,
7419 	    "invalid NVRAM variable name array");
7420 
7421 	for (i = 0; i < BWN_LED_MAX; ++i) {
7422 		struct bwn_led	*led;
7423 		uint8_t		 val;
7424 
7425 		led = &sc->sc_leds[i];
7426 
7427 		KASSERT(i < nitems(bwn_led_vars), ("unknown LED index"));
7428 		error = bhnd_nvram_getvar_uint8(sc->sc_dev, bwn_led_vars[i],
7429 		    &val);
7430 		if (error) {
7431 			if (error != ENOENT) {
7432 				device_printf(sc->sc_dev, "NVRAM variable %s "
7433 				    "unreadable: %d", bwn_led_vars[i], error);
7434 				return (error);
7435 			}
7436 
7437 			/* Not found; use default */
7438 			led->led_act = led_act[i];
7439 		} else {
7440 			if (val & BWN_LED_ACT_LOW)
7441 				led->led_flags |= BWN_LED_F_ACTLOW;
7442 			led->led_act = val & BWN_LED_ACT_MASK;
7443 		}
7444 		led->led_mask = (1 << i);
7445 
7446 		if (led->led_act == BWN_LED_ACT_BLINK_SLOW ||
7447 		    led->led_act == BWN_LED_ACT_BLINK_POLL ||
7448 		    led->led_act == BWN_LED_ACT_BLINK) {
7449 			led->led_flags |= BWN_LED_F_BLINK;
7450 			if (led->led_act == BWN_LED_ACT_BLINK_POLL)
7451 				led->led_flags |= BWN_LED_F_POLLABLE;
7452 			else if (led->led_act == BWN_LED_ACT_BLINK_SLOW)
7453 				led->led_flags |= BWN_LED_F_SLOW;
7454 
7455 			if (sc->sc_blink_led == NULL) {
7456 				sc->sc_blink_led = led;
7457 				if (led->led_flags & BWN_LED_F_SLOW)
7458 					BWN_LED_SLOWDOWN(sc->sc_led_idle);
7459 			}
7460 		}
7461 
7462 		DPRINTF(sc, BWN_DEBUG_LED,
7463 		    "%dth led, act %d, lowact %d\n", i,
7464 		    led->led_act, led->led_flags & BWN_LED_F_ACTLOW);
7465 	}
7466 	callout_init_mtx(&sc->sc_led_blink_ch, &sc->sc_mtx, 0);
7467 
7468 	return (0);
7469 }
7470 
7471 static __inline uint16_t
7472 bwn_led_onoff(const struct bwn_led *led, uint16_t val, int on)
7473 {
7474 
7475 	if (led->led_flags & BWN_LED_F_ACTLOW)
7476 		on = !on;
7477 	if (on)
7478 		val |= led->led_mask;
7479 	else
7480 		val &= ~led->led_mask;
7481 	return val;
7482 }
7483 
7484 static void
7485 bwn_led_newstate(struct bwn_mac *mac, enum ieee80211_state nstate)
7486 {
7487 	struct bwn_softc *sc = mac->mac_sc;
7488 	struct ieee80211com *ic = &sc->sc_ic;
7489 	uint16_t val;
7490 	int i;
7491 
7492 	if (nstate == IEEE80211_S_INIT) {
7493 		callout_stop(&sc->sc_led_blink_ch);
7494 		sc->sc_led_blinking = 0;
7495 	}
7496 
7497 	if ((sc->sc_flags & BWN_FLAG_RUNNING) == 0)
7498 		return;
7499 
7500 	val = BWN_READ_2(mac, BWN_GPIO_CONTROL);
7501 	for (i = 0; i < BWN_LED_MAX; ++i) {
7502 		struct bwn_led *led = &sc->sc_leds[i];
7503 		int on;
7504 
7505 		if (led->led_act == BWN_LED_ACT_UNKN ||
7506 		    led->led_act == BWN_LED_ACT_NULL)
7507 			continue;
7508 
7509 		if ((led->led_flags & BWN_LED_F_BLINK) &&
7510 		    nstate != IEEE80211_S_INIT)
7511 			continue;
7512 
7513 		switch (led->led_act) {
7514 		case BWN_LED_ACT_ON:    /* Always on */
7515 			on = 1;
7516 			break;
7517 		case BWN_LED_ACT_OFF:   /* Always off */
7518 		case BWN_LED_ACT_5GHZ:  /* TODO: 11A */
7519 			on = 0;
7520 			break;
7521 		default:
7522 			on = 1;
7523 			switch (nstate) {
7524 			case IEEE80211_S_INIT:
7525 				on = 0;
7526 				break;
7527 			case IEEE80211_S_RUN:
7528 				if (led->led_act == BWN_LED_ACT_11G &&
7529 				    ic->ic_curmode != IEEE80211_MODE_11G)
7530 					on = 0;
7531 				break;
7532 			default:
7533 				if (led->led_act == BWN_LED_ACT_ASSOC)
7534 					on = 0;
7535 				break;
7536 			}
7537 			break;
7538 		}
7539 
7540 		val = bwn_led_onoff(led, val, on);
7541 	}
7542 	BWN_WRITE_2(mac, BWN_GPIO_CONTROL, val);
7543 }
7544 
7545 static void
7546 bwn_led_event(struct bwn_mac *mac, int event)
7547 {
7548 	struct bwn_softc *sc = mac->mac_sc;
7549 	struct bwn_led *led = sc->sc_blink_led;
7550 	int rate;
7551 
7552 	if (event == BWN_LED_EVENT_POLL) {
7553 		if ((led->led_flags & BWN_LED_F_POLLABLE) == 0)
7554 			return;
7555 		if (ticks - sc->sc_led_ticks < sc->sc_led_idle)
7556 			return;
7557 	}
7558 
7559 	sc->sc_led_ticks = ticks;
7560 	if (sc->sc_led_blinking)
7561 		return;
7562 
7563 	switch (event) {
7564 	case BWN_LED_EVENT_RX:
7565 		rate = sc->sc_rx_rate;
7566 		break;
7567 	case BWN_LED_EVENT_TX:
7568 		rate = sc->sc_tx_rate;
7569 		break;
7570 	case BWN_LED_EVENT_POLL:
7571 		rate = 0;
7572 		break;
7573 	default:
7574 		panic("unknown LED event %d\n", event);
7575 		break;
7576 	}
7577 	bwn_led_blink_start(mac, bwn_led_duration[rate].on_dur,
7578 	    bwn_led_duration[rate].off_dur);
7579 }
7580 
7581 static void
7582 bwn_led_blink_start(struct bwn_mac *mac, int on_dur, int off_dur)
7583 {
7584 	struct bwn_softc *sc = mac->mac_sc;
7585 	struct bwn_led *led = sc->sc_blink_led;
7586 	uint16_t val;
7587 
7588 	val = BWN_READ_2(mac, BWN_GPIO_CONTROL);
7589 	val = bwn_led_onoff(led, val, 1);
7590 	BWN_WRITE_2(mac, BWN_GPIO_CONTROL, val);
7591 
7592 	if (led->led_flags & BWN_LED_F_SLOW) {
7593 		BWN_LED_SLOWDOWN(on_dur);
7594 		BWN_LED_SLOWDOWN(off_dur);
7595 	}
7596 
7597 	sc->sc_led_blinking = 1;
7598 	sc->sc_led_blink_offdur = off_dur;
7599 
7600 	callout_reset(&sc->sc_led_blink_ch, on_dur, bwn_led_blink_next, mac);
7601 }
7602 
7603 static void
7604 bwn_led_blink_next(void *arg)
7605 {
7606 	struct bwn_mac *mac = arg;
7607 	struct bwn_softc *sc = mac->mac_sc;
7608 	uint16_t val;
7609 
7610 	val = BWN_READ_2(mac, BWN_GPIO_CONTROL);
7611 	val = bwn_led_onoff(sc->sc_blink_led, val, 0);
7612 	BWN_WRITE_2(mac, BWN_GPIO_CONTROL, val);
7613 
7614 	callout_reset(&sc->sc_led_blink_ch, sc->sc_led_blink_offdur,
7615 	    bwn_led_blink_end, mac);
7616 }
7617 
7618 static void
7619 bwn_led_blink_end(void *arg)
7620 {
7621 	struct bwn_mac *mac = arg;
7622 	struct bwn_softc *sc = mac->mac_sc;
7623 
7624 	sc->sc_led_blinking = 0;
7625 }
7626 
7627 static int
7628 bwn_suspend(device_t dev)
7629 {
7630 	struct bwn_softc *sc = device_get_softc(dev);
7631 
7632 	BWN_LOCK(sc);
7633 	bwn_stop(sc);
7634 	BWN_UNLOCK(sc);
7635 	return (0);
7636 }
7637 
7638 static int
7639 bwn_resume(device_t dev)
7640 {
7641 	struct bwn_softc *sc = device_get_softc(dev);
7642 	int error = EDOOFUS;
7643 
7644 	BWN_LOCK(sc);
7645 	if (sc->sc_ic.ic_nrunning > 0)
7646 		error = bwn_init(sc);
7647 	BWN_UNLOCK(sc);
7648 	if (error == 0)
7649 		ieee80211_start_all(&sc->sc_ic);
7650 	return (0);
7651 }
7652 
7653 static void
7654 bwn_rfswitch(void *arg)
7655 {
7656 	struct bwn_softc *sc = arg;
7657 	struct bwn_mac *mac = sc->sc_curmac;
7658 	int cur = 0, prev = 0;
7659 
7660 	KASSERT(mac->mac_status >= BWN_MAC_STATUS_STARTED,
7661 	    ("%s: invalid MAC status %d", __func__, mac->mac_status));
7662 
7663 	if (mac->mac_phy.rev >= 3 || mac->mac_phy.type == BWN_PHYTYPE_LP
7664 	    || mac->mac_phy.type == BWN_PHYTYPE_N) {
7665 		if (!(BWN_READ_4(mac, BWN_RF_HWENABLED_HI)
7666 			& BWN_RF_HWENABLED_HI_MASK))
7667 			cur = 1;
7668 	} else {
7669 		if (BWN_READ_2(mac, BWN_RF_HWENABLED_LO)
7670 		    & BWN_RF_HWENABLED_LO_MASK)
7671 			cur = 1;
7672 	}
7673 
7674 	if (mac->mac_flags & BWN_MAC_FLAG_RADIO_ON)
7675 		prev = 1;
7676 
7677 	DPRINTF(sc, BWN_DEBUG_RESET, "%s: called; cur=%d, prev=%d\n",
7678 	    __func__, cur, prev);
7679 
7680 	if (cur != prev) {
7681 		if (cur)
7682 			mac->mac_flags |= BWN_MAC_FLAG_RADIO_ON;
7683 		else
7684 			mac->mac_flags &= ~BWN_MAC_FLAG_RADIO_ON;
7685 
7686 		device_printf(sc->sc_dev,
7687 		    "status of RF switch is changed to %s\n",
7688 		    cur ? "ON" : "OFF");
7689 		if (cur != mac->mac_phy.rf_on) {
7690 			if (cur)
7691 				bwn_rf_turnon(mac);
7692 			else
7693 				bwn_rf_turnoff(mac);
7694 		}
7695 	}
7696 
7697 	callout_schedule(&sc->sc_rfswitch_ch, hz);
7698 }
7699 
7700 static void
7701 bwn_sysctl_node(struct bwn_softc *sc)
7702 {
7703 	device_t dev = sc->sc_dev;
7704 	struct bwn_mac *mac;
7705 	struct bwn_stats *stats;
7706 
7707 	/* XXX assume that count of MAC is only 1. */
7708 
7709 	if ((mac = sc->sc_curmac) == NULL)
7710 		return;
7711 	stats = &mac->mac_stats;
7712 
7713 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
7714 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
7715 	    "linknoise", CTLFLAG_RW, &stats->rts, 0, "Noise level");
7716 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
7717 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
7718 	    "rts", CTLFLAG_RW, &stats->rts, 0, "RTS");
7719 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
7720 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
7721 	    "rtsfail", CTLFLAG_RW, &stats->rtsfail, 0, "RTS failed to send");
7722 
7723 #ifdef BWN_DEBUG
7724 	SYSCTL_ADD_UINT(device_get_sysctl_ctx(dev),
7725 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
7726 	    "debug", CTLFLAG_RW, &sc->sc_debug, 0, "Debug flags");
7727 #endif
7728 }
7729 
7730 static device_method_t bwn_methods[] = {
7731 	/* Device interface */
7732 	DEVMETHOD(device_probe,		bwn_probe),
7733 	DEVMETHOD(device_attach,	bwn_attach),
7734 	DEVMETHOD(device_detach,	bwn_detach),
7735 	DEVMETHOD(device_suspend,	bwn_suspend),
7736 	DEVMETHOD(device_resume,	bwn_resume),
7737 	DEVMETHOD_END
7738 };
7739 
7740 static driver_t bwn_driver = {
7741 	"bwn",
7742 	bwn_methods,
7743 	sizeof(struct bwn_softc)
7744 };
7745 
7746 DRIVER_MODULE(bwn, bhnd, bwn_driver, 0, 0);
7747 MODULE_DEPEND(bwn, bhnd, 1, 1, 1);
7748 MODULE_DEPEND(bwn, gpiobus, 1, 1, 1);
7749 MODULE_DEPEND(bwn, wlan, 1, 1, 1);		/* 802.11 media layer */
7750 MODULE_DEPEND(bwn, firmware, 1, 1, 1);		/* firmware support */
7751 MODULE_DEPEND(bwn, wlan_amrr, 1, 1, 1);
7752 MODULE_VERSION(bwn, 1);
7753