xref: /freebsd/sys/dev/iwm/if_iwm.c (revision db70ff37a051dfa19f6f3f0f0c5e3571aba91982)
1 /*	$OpenBSD: if_iwm.c,v 1.167 2017/04/04 00:40:52 claudio Exp $	*/
2 
3 /*
4  * Copyright (c) 2014 genua mbh <info@genua.de>
5  * Copyright (c) 2014 Fixup Software Ltd.
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 /*-
21  * Based on BSD-licensed source modules in the Linux iwlwifi driver,
22  * which were used as the reference documentation for this implementation.
23  *
24  * Driver version we are currently based off of is
25  * Linux 3.14.3 (tag id a2df521e42b1d9a23f620ac79dbfe8655a8391dd)
26  *
27  ***********************************************************************
28  *
29  * This file is provided under a dual BSD/GPLv2 license.  When using or
30  * redistributing this file, you may do so under either license.
31  *
32  * GPL LICENSE SUMMARY
33  *
34  * Copyright(c) 2007 - 2013 Intel Corporation. All rights reserved.
35  *
36  * This program is free software; you can redistribute it and/or modify
37  * it under the terms of version 2 of the GNU General Public License as
38  * published by the Free Software Foundation.
39  *
40  * This program is distributed in the hope that it will be useful, but
41  * WITHOUT ANY WARRANTY; without even the implied warranty of
42  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
43  * General Public License for more details.
44  *
45  * You should have received a copy of the GNU General Public License
46  * along with this program; if not, write to the Free Software
47  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
48  * USA
49  *
50  * The full GNU General Public License is included in this distribution
51  * in the file called COPYING.
52  *
53  * Contact Information:
54  *  Intel Linux Wireless <ilw@linux.intel.com>
55  * Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
56  *
57  *
58  * BSD LICENSE
59  *
60  * Copyright(c) 2005 - 2013 Intel Corporation. All rights reserved.
61  * All rights reserved.
62  *
63  * Redistribution and use in source and binary forms, with or without
64  * modification, are permitted provided that the following conditions
65  * are met:
66  *
67  *  * Redistributions of source code must retain the above copyright
68  *    notice, this list of conditions and the following disclaimer.
69  *  * Redistributions in binary form must reproduce the above copyright
70  *    notice, this list of conditions and the following disclaimer in
71  *    the documentation and/or other materials provided with the
72  *    distribution.
73  *  * Neither the name Intel Corporation nor the names of its
74  *    contributors may be used to endorse or promote products derived
75  *    from this software without specific prior written permission.
76  *
77  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
78  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
79  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
80  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
81  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
82  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
83  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
84  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
85  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
86  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
87  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
88  */
89 
90 /*-
91  * Copyright (c) 2007-2010 Damien Bergamini <damien.bergamini@free.fr>
92  *
93  * Permission to use, copy, modify, and distribute this software for any
94  * purpose with or without fee is hereby granted, provided that the above
95  * copyright notice and this permission notice appear in all copies.
96  *
97  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
98  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
99  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
100  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
101  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
102  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
103  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
104  */
105 #include <sys/cdefs.h>
106 __FBSDID("$FreeBSD$");
107 
108 #include "opt_wlan.h"
109 #include "opt_iwm.h"
110 
111 #include <sys/param.h>
112 #include <sys/bus.h>
113 #include <sys/conf.h>
114 #include <sys/endian.h>
115 #include <sys/firmware.h>
116 #include <sys/kernel.h>
117 #include <sys/malloc.h>
118 #include <sys/mbuf.h>
119 #include <sys/mutex.h>
120 #include <sys/module.h>
121 #include <sys/proc.h>
122 #include <sys/rman.h>
123 #include <sys/socket.h>
124 #include <sys/sockio.h>
125 #include <sys/sysctl.h>
126 #include <sys/linker.h>
127 
128 #include <machine/bus.h>
129 #include <machine/endian.h>
130 #include <machine/resource.h>
131 
132 #include <dev/pci/pcivar.h>
133 #include <dev/pci/pcireg.h>
134 
135 #include <net/bpf.h>
136 
137 #include <net/if.h>
138 #include <net/if_var.h>
139 #include <net/if_arp.h>
140 #include <net/if_dl.h>
141 #include <net/if_media.h>
142 #include <net/if_types.h>
143 
144 #include <netinet/in.h>
145 #include <netinet/in_systm.h>
146 #include <netinet/if_ether.h>
147 #include <netinet/ip.h>
148 
149 #include <net80211/ieee80211_var.h>
150 #include <net80211/ieee80211_regdomain.h>
151 #include <net80211/ieee80211_ratectl.h>
152 #include <net80211/ieee80211_radiotap.h>
153 
154 #include <dev/iwm/if_iwmreg.h>
155 #include <dev/iwm/if_iwmvar.h>
156 #include <dev/iwm/if_iwm_config.h>
157 #include <dev/iwm/if_iwm_debug.h>
158 #include <dev/iwm/if_iwm_notif_wait.h>
159 #include <dev/iwm/if_iwm_util.h>
160 #include <dev/iwm/if_iwm_binding.h>
161 #include <dev/iwm/if_iwm_phy_db.h>
162 #include <dev/iwm/if_iwm_mac_ctxt.h>
163 #include <dev/iwm/if_iwm_phy_ctxt.h>
164 #include <dev/iwm/if_iwm_time_event.h>
165 #include <dev/iwm/if_iwm_power.h>
166 #include <dev/iwm/if_iwm_scan.h>
167 #include <dev/iwm/if_iwm_sf.h>
168 #include <dev/iwm/if_iwm_sta.h>
169 
170 #include <dev/iwm/if_iwm_pcie_trans.h>
171 #include <dev/iwm/if_iwm_led.h>
172 #include <dev/iwm/if_iwm_fw.h>
173 
174 /* From DragonflyBSD */
175 #define mtodoff(m, t, off)      ((t)((m)->m_data + (off)))
176 
177 const uint8_t iwm_nvm_channels[] = {
178 	/* 2.4 GHz */
179 	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
180 	/* 5 GHz */
181 	36, 40, 44, 48, 52, 56, 60, 64,
182 	100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144,
183 	149, 153, 157, 161, 165
184 };
185 _Static_assert(nitems(iwm_nvm_channels) <= IWM_NUM_CHANNELS,
186     "IWM_NUM_CHANNELS is too small");
187 
188 const uint8_t iwm_nvm_channels_8000[] = {
189 	/* 2.4 GHz */
190 	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
191 	/* 5 GHz */
192 	36, 40, 44, 48, 52, 56, 60, 64, 68, 72, 76, 80, 84, 88, 92,
193 	96, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144,
194 	149, 153, 157, 161, 165, 169, 173, 177, 181
195 };
196 _Static_assert(nitems(iwm_nvm_channels_8000) <= IWM_NUM_CHANNELS_8000,
197     "IWM_NUM_CHANNELS_8000 is too small");
198 
199 #define IWM_NUM_2GHZ_CHANNELS	14
200 #define IWM_N_HW_ADDR_MASK	0xF
201 
202 /*
203  * XXX For now, there's simply a fixed set of rate table entries
204  * that are populated.
205  */
206 const struct iwm_rate {
207 	uint8_t rate;
208 	uint8_t plcp;
209 } iwm_rates[] = {
210 	{   2,	IWM_RATE_1M_PLCP  },
211 	{   4,	IWM_RATE_2M_PLCP  },
212 	{  11,	IWM_RATE_5M_PLCP  },
213 	{  22,	IWM_RATE_11M_PLCP },
214 	{  12,	IWM_RATE_6M_PLCP  },
215 	{  18,	IWM_RATE_9M_PLCP  },
216 	{  24,	IWM_RATE_12M_PLCP },
217 	{  36,	IWM_RATE_18M_PLCP },
218 	{  48,	IWM_RATE_24M_PLCP },
219 	{  72,	IWM_RATE_36M_PLCP },
220 	{  96,	IWM_RATE_48M_PLCP },
221 	{ 108,	IWM_RATE_54M_PLCP },
222 };
223 #define IWM_RIDX_CCK	0
224 #define IWM_RIDX_OFDM	4
225 #define IWM_RIDX_MAX	(nitems(iwm_rates)-1)
226 #define IWM_RIDX_IS_CCK(_i_) ((_i_) < IWM_RIDX_OFDM)
227 #define IWM_RIDX_IS_OFDM(_i_) ((_i_) >= IWM_RIDX_OFDM)
228 
229 struct iwm_nvm_section {
230 	uint16_t length;
231 	uint8_t *data;
232 };
233 
234 #define IWM_MVM_UCODE_ALIVE_TIMEOUT	hz
235 #define IWM_MVM_UCODE_CALIB_TIMEOUT	(2*hz)
236 
237 struct iwm_mvm_alive_data {
238 	int valid;
239 	uint32_t scd_base_addr;
240 };
241 
242 static int	iwm_store_cscheme(struct iwm_softc *, const uint8_t *, size_t);
243 static int	iwm_firmware_store_section(struct iwm_softc *,
244                                            enum iwm_ucode_type,
245                                            const uint8_t *, size_t);
246 static int	iwm_set_default_calib(struct iwm_softc *, const void *);
247 static void	iwm_fw_info_free(struct iwm_fw_info *);
248 static int	iwm_read_firmware(struct iwm_softc *, enum iwm_ucode_type);
249 static int	iwm_alloc_fwmem(struct iwm_softc *);
250 static int	iwm_alloc_sched(struct iwm_softc *);
251 static int	iwm_alloc_kw(struct iwm_softc *);
252 static int	iwm_alloc_ict(struct iwm_softc *);
253 static int	iwm_alloc_rx_ring(struct iwm_softc *, struct iwm_rx_ring *);
254 static void	iwm_reset_rx_ring(struct iwm_softc *, struct iwm_rx_ring *);
255 static void	iwm_free_rx_ring(struct iwm_softc *, struct iwm_rx_ring *);
256 static int	iwm_alloc_tx_ring(struct iwm_softc *, struct iwm_tx_ring *,
257                                   int);
258 static void	iwm_reset_tx_ring(struct iwm_softc *, struct iwm_tx_ring *);
259 static void	iwm_free_tx_ring(struct iwm_softc *, struct iwm_tx_ring *);
260 static void	iwm_enable_interrupts(struct iwm_softc *);
261 static void	iwm_restore_interrupts(struct iwm_softc *);
262 static void	iwm_disable_interrupts(struct iwm_softc *);
263 static void	iwm_ict_reset(struct iwm_softc *);
264 static int	iwm_allow_mcast(struct ieee80211vap *, struct iwm_softc *);
265 static void	iwm_stop_device(struct iwm_softc *);
266 static void	iwm_mvm_nic_config(struct iwm_softc *);
267 static int	iwm_nic_rx_init(struct iwm_softc *);
268 static int	iwm_nic_tx_init(struct iwm_softc *);
269 static int	iwm_nic_init(struct iwm_softc *);
270 static int	iwm_trans_pcie_fw_alive(struct iwm_softc *, uint32_t);
271 static int	iwm_nvm_read_chunk(struct iwm_softc *, uint16_t, uint16_t,
272                                    uint16_t, uint8_t *, uint16_t *);
273 static int	iwm_nvm_read_section(struct iwm_softc *, uint16_t, uint8_t *,
274 				     uint16_t *, uint32_t);
275 static uint32_t	iwm_eeprom_channel_flags(uint16_t);
276 static void	iwm_add_channel_band(struct iwm_softc *,
277 		    struct ieee80211_channel[], int, int *, int, size_t,
278 		    const uint8_t[]);
279 static void	iwm_init_channel_map(struct ieee80211com *, int, int *,
280 		    struct ieee80211_channel[]);
281 static struct iwm_nvm_data *
282 	iwm_parse_nvm_data(struct iwm_softc *, const uint16_t *,
283 			   const uint16_t *, const uint16_t *,
284 			   const uint16_t *, const uint16_t *,
285 			   const uint16_t *);
286 static void	iwm_free_nvm_data(struct iwm_nvm_data *);
287 static void	iwm_set_hw_address_family_8000(struct iwm_softc *,
288 					       struct iwm_nvm_data *,
289 					       const uint16_t *,
290 					       const uint16_t *);
291 static int	iwm_get_sku(const struct iwm_softc *, const uint16_t *,
292 			    const uint16_t *);
293 static int	iwm_get_nvm_version(const struct iwm_softc *, const uint16_t *);
294 static int	iwm_get_radio_cfg(const struct iwm_softc *, const uint16_t *,
295 				  const uint16_t *);
296 static int	iwm_get_n_hw_addrs(const struct iwm_softc *,
297 				   const uint16_t *);
298 static void	iwm_set_radio_cfg(const struct iwm_softc *,
299 				  struct iwm_nvm_data *, uint32_t);
300 static struct iwm_nvm_data *
301 	iwm_parse_nvm_sections(struct iwm_softc *, struct iwm_nvm_section *);
302 static int	iwm_nvm_init(struct iwm_softc *);
303 static int	iwm_pcie_load_section(struct iwm_softc *, uint8_t,
304 				      const struct iwm_fw_desc *);
305 static int	iwm_pcie_load_firmware_chunk(struct iwm_softc *, uint32_t,
306 					     bus_addr_t, uint32_t);
307 static int	iwm_pcie_load_cpu_sections_8000(struct iwm_softc *sc,
308 						const struct iwm_fw_sects *,
309 						int, int *);
310 static int	iwm_pcie_load_cpu_sections(struct iwm_softc *,
311 					   const struct iwm_fw_sects *,
312 					   int, int *);
313 static int	iwm_pcie_load_given_ucode_8000(struct iwm_softc *,
314 					       const struct iwm_fw_sects *);
315 static int	iwm_pcie_load_given_ucode(struct iwm_softc *,
316 					  const struct iwm_fw_sects *);
317 static int	iwm_start_fw(struct iwm_softc *, const struct iwm_fw_sects *);
318 static int	iwm_send_tx_ant_cfg(struct iwm_softc *, uint8_t);
319 static int	iwm_send_phy_cfg_cmd(struct iwm_softc *);
320 static int	iwm_mvm_load_ucode_wait_alive(struct iwm_softc *,
321                                               enum iwm_ucode_type);
322 static int	iwm_run_init_mvm_ucode(struct iwm_softc *, int);
323 static int	iwm_rx_addbuf(struct iwm_softc *, int, int);
324 static int	iwm_mvm_get_signal_strength(struct iwm_softc *,
325 					    struct iwm_rx_phy_info *);
326 static void	iwm_mvm_rx_rx_phy_cmd(struct iwm_softc *,
327                                       struct iwm_rx_packet *);
328 static int	iwm_get_noise(struct iwm_softc *,
329 		    const struct iwm_mvm_statistics_rx_non_phy *);
330 static void	iwm_mvm_handle_rx_statistics(struct iwm_softc *,
331 		    struct iwm_rx_packet *);
332 static boolean_t iwm_mvm_rx_rx_mpdu(struct iwm_softc *, struct mbuf *,
333 				    uint32_t, boolean_t);
334 static int	iwm_mvm_rx_tx_cmd_single(struct iwm_softc *,
335                                          struct iwm_rx_packet *,
336 				         struct iwm_node *);
337 static void	iwm_mvm_rx_tx_cmd(struct iwm_softc *, struct iwm_rx_packet *);
338 static void	iwm_cmd_done(struct iwm_softc *, struct iwm_rx_packet *);
339 #if 0
340 static void	iwm_update_sched(struct iwm_softc *, int, int, uint8_t,
341                                  uint16_t);
342 #endif
343 static const struct iwm_rate *
344 	iwm_tx_fill_cmd(struct iwm_softc *, struct iwm_node *,
345 			struct mbuf *, struct iwm_tx_cmd *);
346 static int	iwm_tx(struct iwm_softc *, struct mbuf *,
347                        struct ieee80211_node *, int);
348 static int	iwm_raw_xmit(struct ieee80211_node *, struct mbuf *,
349 			     const struct ieee80211_bpf_params *);
350 static int	iwm_mvm_update_quotas(struct iwm_softc *, struct iwm_vap *);
351 static int	iwm_auth(struct ieee80211vap *, struct iwm_softc *);
352 static int	iwm_release(struct iwm_softc *, struct iwm_node *);
353 static struct ieee80211_node *
354 		iwm_node_alloc(struct ieee80211vap *,
355 		               const uint8_t[IEEE80211_ADDR_LEN]);
356 static void	iwm_setrates(struct iwm_softc *, struct iwm_node *);
357 static int	iwm_media_change(struct ifnet *);
358 static int	iwm_newstate(struct ieee80211vap *, enum ieee80211_state, int);
359 static void	iwm_endscan_cb(void *, int);
360 static int	iwm_send_bt_init_conf(struct iwm_softc *);
361 static boolean_t iwm_mvm_is_lar_supported(struct iwm_softc *);
362 static boolean_t iwm_mvm_is_wifi_mcc_supported(struct iwm_softc *);
363 static int	iwm_send_update_mcc_cmd(struct iwm_softc *, const char *);
364 static void	iwm_mvm_tt_tx_backoff(struct iwm_softc *, uint32_t);
365 static int	iwm_init_hw(struct iwm_softc *);
366 static void	iwm_init(struct iwm_softc *);
367 static void	iwm_start(struct iwm_softc *);
368 static void	iwm_stop(struct iwm_softc *);
369 static void	iwm_watchdog(void *);
370 static void	iwm_parent(struct ieee80211com *);
371 #ifdef IWM_DEBUG
372 static const char *
373 		iwm_desc_lookup(uint32_t);
374 static void	iwm_nic_error(struct iwm_softc *);
375 static void	iwm_nic_umac_error(struct iwm_softc *);
376 #endif
377 static void	iwm_handle_rxb(struct iwm_softc *, struct mbuf *);
378 static void	iwm_notif_intr(struct iwm_softc *);
379 static void	iwm_intr(void *);
380 static int	iwm_attach(device_t);
381 static int	iwm_is_valid_ether_addr(uint8_t *);
382 static void	iwm_preinit(void *);
383 static int	iwm_detach_local(struct iwm_softc *sc, int);
384 static void	iwm_init_task(void *);
385 static void	iwm_radiotap_attach(struct iwm_softc *);
386 static struct ieee80211vap *
387 		iwm_vap_create(struct ieee80211com *,
388 		               const char [IFNAMSIZ], int,
389 		               enum ieee80211_opmode, int,
390 		               const uint8_t [IEEE80211_ADDR_LEN],
391 		               const uint8_t [IEEE80211_ADDR_LEN]);
392 static void	iwm_vap_delete(struct ieee80211vap *);
393 static void	iwm_xmit_queue_drain(struct iwm_softc *);
394 static void	iwm_scan_start(struct ieee80211com *);
395 static void	iwm_scan_end(struct ieee80211com *);
396 static void	iwm_update_mcast(struct ieee80211com *);
397 static void	iwm_set_channel(struct ieee80211com *);
398 static void	iwm_scan_curchan(struct ieee80211_scan_state *, unsigned long);
399 static void	iwm_scan_mindwell(struct ieee80211_scan_state *);
400 static int	iwm_detach(device_t);
401 
402 static int	iwm_lar_disable = 0;
403 TUNABLE_INT("hw.iwm.lar.disable", &iwm_lar_disable);
404 
405 /*
406  * Firmware parser.
407  */
408 
409 static int
410 iwm_store_cscheme(struct iwm_softc *sc, const uint8_t *data, size_t dlen)
411 {
412 	const struct iwm_fw_cscheme_list *l = (const void *)data;
413 
414 	if (dlen < sizeof(*l) ||
415 	    dlen < sizeof(l->size) + l->size * sizeof(*l->cs))
416 		return EINVAL;
417 
418 	/* we don't actually store anything for now, always use s/w crypto */
419 
420 	return 0;
421 }
422 
423 static int
424 iwm_firmware_store_section(struct iwm_softc *sc,
425     enum iwm_ucode_type type, const uint8_t *data, size_t dlen)
426 {
427 	struct iwm_fw_sects *fws;
428 	struct iwm_fw_desc *fwone;
429 
430 	if (type >= IWM_UCODE_TYPE_MAX)
431 		return EINVAL;
432 	if (dlen < sizeof(uint32_t))
433 		return EINVAL;
434 
435 	fws = &sc->sc_fw.fw_sects[type];
436 	if (fws->fw_count >= IWM_UCODE_SECTION_MAX)
437 		return EINVAL;
438 
439 	fwone = &fws->fw_sect[fws->fw_count];
440 
441 	/* first 32bit are device load offset */
442 	memcpy(&fwone->offset, data, sizeof(uint32_t));
443 
444 	/* rest is data */
445 	fwone->data = data + sizeof(uint32_t);
446 	fwone->len = dlen - sizeof(uint32_t);
447 
448 	fws->fw_count++;
449 
450 	return 0;
451 }
452 
453 #define IWM_DEFAULT_SCAN_CHANNELS 40
454 
455 /* iwlwifi: iwl-drv.c */
456 struct iwm_tlv_calib_data {
457 	uint32_t ucode_type;
458 	struct iwm_tlv_calib_ctrl calib;
459 } __packed;
460 
461 static int
462 iwm_set_default_calib(struct iwm_softc *sc, const void *data)
463 {
464 	const struct iwm_tlv_calib_data *def_calib = data;
465 	uint32_t ucode_type = le32toh(def_calib->ucode_type);
466 
467 	if (ucode_type >= IWM_UCODE_TYPE_MAX) {
468 		device_printf(sc->sc_dev,
469 		    "Wrong ucode_type %u for default "
470 		    "calibration.\n", ucode_type);
471 		return EINVAL;
472 	}
473 
474 	sc->sc_default_calib[ucode_type].flow_trigger =
475 	    def_calib->calib.flow_trigger;
476 	sc->sc_default_calib[ucode_type].event_trigger =
477 	    def_calib->calib.event_trigger;
478 
479 	return 0;
480 }
481 
482 static int
483 iwm_set_ucode_api_flags(struct iwm_softc *sc, const uint8_t *data,
484 			struct iwm_ucode_capabilities *capa)
485 {
486 	const struct iwm_ucode_api *ucode_api = (const void *)data;
487 	uint32_t api_index = le32toh(ucode_api->api_index);
488 	uint32_t api_flags = le32toh(ucode_api->api_flags);
489 	int i;
490 
491 	if (api_index >= howmany(IWM_NUM_UCODE_TLV_API, 32)) {
492 		device_printf(sc->sc_dev,
493 		    "api flags index %d larger than supported by driver\n",
494 		    api_index);
495 		/* don't return an error so we can load FW that has more bits */
496 		return 0;
497 	}
498 
499 	for (i = 0; i < 32; i++) {
500 		if (api_flags & (1U << i))
501 			setbit(capa->enabled_api, i + 32 * api_index);
502 	}
503 
504 	return 0;
505 }
506 
507 static int
508 iwm_set_ucode_capabilities(struct iwm_softc *sc, const uint8_t *data,
509 			   struct iwm_ucode_capabilities *capa)
510 {
511 	const struct iwm_ucode_capa *ucode_capa = (const void *)data;
512 	uint32_t api_index = le32toh(ucode_capa->api_index);
513 	uint32_t api_flags = le32toh(ucode_capa->api_capa);
514 	int i;
515 
516 	if (api_index >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
517 		device_printf(sc->sc_dev,
518 		    "capa flags index %d larger than supported by driver\n",
519 		    api_index);
520 		/* don't return an error so we can load FW that has more bits */
521 		return 0;
522 	}
523 
524 	for (i = 0; i < 32; i++) {
525 		if (api_flags & (1U << i))
526 			setbit(capa->enabled_capa, i + 32 * api_index);
527 	}
528 
529 	return 0;
530 }
531 
532 static void
533 iwm_fw_info_free(struct iwm_fw_info *fw)
534 {
535 	firmware_put(fw->fw_fp, FIRMWARE_UNLOAD);
536 	fw->fw_fp = NULL;
537 	/* don't touch fw->fw_status */
538 	memset(fw->fw_sects, 0, sizeof(fw->fw_sects));
539 }
540 
541 static int
542 iwm_read_firmware(struct iwm_softc *sc, enum iwm_ucode_type ucode_type)
543 {
544 	struct iwm_fw_info *fw = &sc->sc_fw;
545 	const struct iwm_tlv_ucode_header *uhdr;
546 	const struct iwm_ucode_tlv *tlv;
547 	struct iwm_ucode_capabilities *capa = &sc->ucode_capa;
548 	enum iwm_ucode_tlv_type tlv_type;
549 	const struct firmware *fwp;
550 	const uint8_t *data;
551 	uint32_t tlv_len;
552 	uint32_t usniffer_img;
553 	const uint8_t *tlv_data;
554 	uint32_t paging_mem_size;
555 	int num_of_cpus;
556 	int error = 0;
557 	size_t len;
558 
559 	if (fw->fw_status == IWM_FW_STATUS_DONE &&
560 	    ucode_type != IWM_UCODE_INIT)
561 		return 0;
562 
563 	while (fw->fw_status == IWM_FW_STATUS_INPROGRESS)
564 		msleep(&sc->sc_fw, &sc->sc_mtx, 0, "iwmfwp", 0);
565 	fw->fw_status = IWM_FW_STATUS_INPROGRESS;
566 
567 	if (fw->fw_fp != NULL)
568 		iwm_fw_info_free(fw);
569 
570 	/*
571 	 * Load firmware into driver memory.
572 	 * fw_fp will be set.
573 	 */
574 	IWM_UNLOCK(sc);
575 	fwp = firmware_get(sc->cfg->fw_name);
576 	IWM_LOCK(sc);
577 	if (fwp == NULL) {
578 		device_printf(sc->sc_dev,
579 		    "could not read firmware %s (error %d)\n",
580 		    sc->cfg->fw_name, error);
581 		goto out;
582 	}
583 	fw->fw_fp = fwp;
584 
585 	/* (Re-)Initialize default values. */
586 	capa->flags = 0;
587 	capa->max_probe_length = IWM_DEFAULT_MAX_PROBE_LENGTH;
588 	capa->n_scan_channels = IWM_DEFAULT_SCAN_CHANNELS;
589 	memset(capa->enabled_capa, 0, sizeof(capa->enabled_capa));
590 	memset(capa->enabled_api, 0, sizeof(capa->enabled_api));
591 	memset(sc->sc_fw_mcc, 0, sizeof(sc->sc_fw_mcc));
592 
593 	/*
594 	 * Parse firmware contents
595 	 */
596 
597 	uhdr = (const void *)fw->fw_fp->data;
598 	if (*(const uint32_t *)fw->fw_fp->data != 0
599 	    || le32toh(uhdr->magic) != IWM_TLV_UCODE_MAGIC) {
600 		device_printf(sc->sc_dev, "invalid firmware %s\n",
601 		    sc->cfg->fw_name);
602 		error = EINVAL;
603 		goto out;
604 	}
605 
606 	snprintf(sc->sc_fwver, sizeof(sc->sc_fwver), "%u.%u (API ver %u)",
607 	    IWM_UCODE_MAJOR(le32toh(uhdr->ver)),
608 	    IWM_UCODE_MINOR(le32toh(uhdr->ver)),
609 	    IWM_UCODE_API(le32toh(uhdr->ver)));
610 	data = uhdr->data;
611 	len = fw->fw_fp->datasize - sizeof(*uhdr);
612 
613 	while (len >= sizeof(*tlv)) {
614 		len -= sizeof(*tlv);
615 		tlv = (const void *)data;
616 
617 		tlv_len = le32toh(tlv->length);
618 		tlv_type = le32toh(tlv->type);
619 		tlv_data = tlv->data;
620 
621 		if (len < tlv_len) {
622 			device_printf(sc->sc_dev,
623 			    "firmware too short: %zu bytes\n",
624 			    len);
625 			error = EINVAL;
626 			goto parse_out;
627 		}
628 		len -= roundup2(tlv_len, 4);
629 		data += sizeof(tlv) + roundup2(tlv_len, 4);
630 
631 		switch ((int)tlv_type) {
632 		case IWM_UCODE_TLV_PROBE_MAX_LEN:
633 			if (tlv_len != sizeof(uint32_t)) {
634 				device_printf(sc->sc_dev,
635 				    "%s: PROBE_MAX_LEN (%d) != sizeof(uint32_t)\n",
636 				    __func__,
637 				    (int) tlv_len);
638 				error = EINVAL;
639 				goto parse_out;
640 			}
641 			capa->max_probe_length =
642 			    le32_to_cpup((const uint32_t *)tlv_data);
643 			/* limit it to something sensible */
644 			if (capa->max_probe_length >
645 			    IWM_SCAN_OFFLOAD_PROBE_REQ_SIZE) {
646 				IWM_DPRINTF(sc, IWM_DEBUG_FIRMWARE_TLV,
647 				    "%s: IWM_UCODE_TLV_PROBE_MAX_LEN "
648 				    "ridiculous\n", __func__);
649 				error = EINVAL;
650 				goto parse_out;
651 			}
652 			break;
653 		case IWM_UCODE_TLV_PAN:
654 			if (tlv_len) {
655 				device_printf(sc->sc_dev,
656 				    "%s: IWM_UCODE_TLV_PAN: tlv_len (%d) > 0\n",
657 				    __func__,
658 				    (int) tlv_len);
659 				error = EINVAL;
660 				goto parse_out;
661 			}
662 			capa->flags |= IWM_UCODE_TLV_FLAGS_PAN;
663 			break;
664 		case IWM_UCODE_TLV_FLAGS:
665 			if (tlv_len < sizeof(uint32_t)) {
666 				device_printf(sc->sc_dev,
667 				    "%s: IWM_UCODE_TLV_FLAGS: tlv_len (%d) < sizeof(uint32_t)\n",
668 				    __func__,
669 				    (int) tlv_len);
670 				error = EINVAL;
671 				goto parse_out;
672 			}
673 			if (tlv_len % sizeof(uint32_t)) {
674 				device_printf(sc->sc_dev,
675 				    "%s: IWM_UCODE_TLV_FLAGS: tlv_len (%d) %% sizeof(uint32_t)\n",
676 				    __func__,
677 				    (int) tlv_len);
678 				error = EINVAL;
679 				goto parse_out;
680 			}
681 			/*
682 			 * Apparently there can be many flags, but Linux driver
683 			 * parses only the first one, and so do we.
684 			 *
685 			 * XXX: why does this override IWM_UCODE_TLV_PAN?
686 			 * Intentional or a bug?  Observations from
687 			 * current firmware file:
688 			 *  1) TLV_PAN is parsed first
689 			 *  2) TLV_FLAGS contains TLV_FLAGS_PAN
690 			 * ==> this resets TLV_PAN to itself... hnnnk
691 			 */
692 			capa->flags = le32_to_cpup((const uint32_t *)tlv_data);
693 			break;
694 		case IWM_UCODE_TLV_CSCHEME:
695 			if ((error = iwm_store_cscheme(sc,
696 			    tlv_data, tlv_len)) != 0) {
697 				device_printf(sc->sc_dev,
698 				    "%s: iwm_store_cscheme(): returned %d\n",
699 				    __func__,
700 				    error);
701 				goto parse_out;
702 			}
703 			break;
704 		case IWM_UCODE_TLV_NUM_OF_CPU:
705 			if (tlv_len != sizeof(uint32_t)) {
706 				device_printf(sc->sc_dev,
707 				    "%s: IWM_UCODE_TLV_NUM_OF_CPU: tlv_len (%d) != sizeof(uint32_t)\n",
708 				    __func__,
709 				    (int) tlv_len);
710 				error = EINVAL;
711 				goto parse_out;
712 			}
713 			num_of_cpus = le32_to_cpup((const uint32_t *)tlv_data);
714 			if (num_of_cpus == 2) {
715 				fw->fw_sects[IWM_UCODE_REGULAR].is_dual_cpus =
716 					TRUE;
717 				fw->fw_sects[IWM_UCODE_INIT].is_dual_cpus =
718 					TRUE;
719 				fw->fw_sects[IWM_UCODE_WOWLAN].is_dual_cpus =
720 					TRUE;
721 			} else if ((num_of_cpus > 2) || (num_of_cpus < 1)) {
722 				device_printf(sc->sc_dev,
723 				    "%s: Driver supports only 1 or 2 CPUs\n",
724 				    __func__);
725 				error = EINVAL;
726 				goto parse_out;
727 			}
728 			break;
729 		case IWM_UCODE_TLV_SEC_RT:
730 			if ((error = iwm_firmware_store_section(sc,
731 			    IWM_UCODE_REGULAR, tlv_data, tlv_len)) != 0) {
732 				device_printf(sc->sc_dev,
733 				    "%s: IWM_UCODE_REGULAR: iwm_firmware_store_section() failed; %d\n",
734 				    __func__,
735 				    error);
736 				goto parse_out;
737 			}
738 			break;
739 		case IWM_UCODE_TLV_SEC_INIT:
740 			if ((error = iwm_firmware_store_section(sc,
741 			    IWM_UCODE_INIT, tlv_data, tlv_len)) != 0) {
742 				device_printf(sc->sc_dev,
743 				    "%s: IWM_UCODE_INIT: iwm_firmware_store_section() failed; %d\n",
744 				    __func__,
745 				    error);
746 				goto parse_out;
747 			}
748 			break;
749 		case IWM_UCODE_TLV_SEC_WOWLAN:
750 			if ((error = iwm_firmware_store_section(sc,
751 			    IWM_UCODE_WOWLAN, tlv_data, tlv_len)) != 0) {
752 				device_printf(sc->sc_dev,
753 				    "%s: IWM_UCODE_WOWLAN: iwm_firmware_store_section() failed; %d\n",
754 				    __func__,
755 				    error);
756 				goto parse_out;
757 			}
758 			break;
759 		case IWM_UCODE_TLV_DEF_CALIB:
760 			if (tlv_len != sizeof(struct iwm_tlv_calib_data)) {
761 				device_printf(sc->sc_dev,
762 				    "%s: IWM_UCODE_TLV_DEV_CALIB: tlv_len (%d) < sizeof(iwm_tlv_calib_data) (%d)\n",
763 				    __func__,
764 				    (int) tlv_len,
765 				    (int) sizeof(struct iwm_tlv_calib_data));
766 				error = EINVAL;
767 				goto parse_out;
768 			}
769 			if ((error = iwm_set_default_calib(sc, tlv_data)) != 0) {
770 				device_printf(sc->sc_dev,
771 				    "%s: iwm_set_default_calib() failed: %d\n",
772 				    __func__,
773 				    error);
774 				goto parse_out;
775 			}
776 			break;
777 		case IWM_UCODE_TLV_PHY_SKU:
778 			if (tlv_len != sizeof(uint32_t)) {
779 				error = EINVAL;
780 				device_printf(sc->sc_dev,
781 				    "%s: IWM_UCODE_TLV_PHY_SKU: tlv_len (%d) < sizeof(uint32_t)\n",
782 				    __func__,
783 				    (int) tlv_len);
784 				goto parse_out;
785 			}
786 			sc->sc_fw.phy_config =
787 			    le32_to_cpup((const uint32_t *)tlv_data);
788 			sc->sc_fw.valid_tx_ant = (sc->sc_fw.phy_config &
789 						  IWM_FW_PHY_CFG_TX_CHAIN) >>
790 						  IWM_FW_PHY_CFG_TX_CHAIN_POS;
791 			sc->sc_fw.valid_rx_ant = (sc->sc_fw.phy_config &
792 						  IWM_FW_PHY_CFG_RX_CHAIN) >>
793 						  IWM_FW_PHY_CFG_RX_CHAIN_POS;
794 			break;
795 
796 		case IWM_UCODE_TLV_API_CHANGES_SET: {
797 			if (tlv_len != sizeof(struct iwm_ucode_api)) {
798 				error = EINVAL;
799 				goto parse_out;
800 			}
801 			if (iwm_set_ucode_api_flags(sc, tlv_data, capa)) {
802 				error = EINVAL;
803 				goto parse_out;
804 			}
805 			break;
806 		}
807 
808 		case IWM_UCODE_TLV_ENABLED_CAPABILITIES: {
809 			if (tlv_len != sizeof(struct iwm_ucode_capa)) {
810 				error = EINVAL;
811 				goto parse_out;
812 			}
813 			if (iwm_set_ucode_capabilities(sc, tlv_data, capa)) {
814 				error = EINVAL;
815 				goto parse_out;
816 			}
817 			break;
818 		}
819 
820 		case 48: /* undocumented TLV */
821 		case IWM_UCODE_TLV_SDIO_ADMA_ADDR:
822 		case IWM_UCODE_TLV_FW_GSCAN_CAPA:
823 			/* ignore, not used by current driver */
824 			break;
825 
826 		case IWM_UCODE_TLV_SEC_RT_USNIFFER:
827 			if ((error = iwm_firmware_store_section(sc,
828 			    IWM_UCODE_REGULAR_USNIFFER, tlv_data,
829 			    tlv_len)) != 0)
830 				goto parse_out;
831 			break;
832 
833 		case IWM_UCODE_TLV_PAGING:
834 			if (tlv_len != sizeof(uint32_t)) {
835 				error = EINVAL;
836 				goto parse_out;
837 			}
838 			paging_mem_size = le32_to_cpup((const uint32_t *)tlv_data);
839 
840 			IWM_DPRINTF(sc, IWM_DEBUG_FIRMWARE_TLV,
841 			    "%s: Paging: paging enabled (size = %u bytes)\n",
842 			    __func__, paging_mem_size);
843 			if (paging_mem_size > IWM_MAX_PAGING_IMAGE_SIZE) {
844 				device_printf(sc->sc_dev,
845 					"%s: Paging: driver supports up to %u bytes for paging image\n",
846 					__func__, IWM_MAX_PAGING_IMAGE_SIZE);
847 				error = EINVAL;
848 				goto out;
849 			}
850 			if (paging_mem_size & (IWM_FW_PAGING_SIZE - 1)) {
851 				device_printf(sc->sc_dev,
852 				    "%s: Paging: image isn't multiple %u\n",
853 				    __func__, IWM_FW_PAGING_SIZE);
854 				error = EINVAL;
855 				goto out;
856 			}
857 
858 			sc->sc_fw.fw_sects[IWM_UCODE_REGULAR].paging_mem_size =
859 			    paging_mem_size;
860 			usniffer_img = IWM_UCODE_REGULAR_USNIFFER;
861 			sc->sc_fw.fw_sects[usniffer_img].paging_mem_size =
862 			    paging_mem_size;
863 			break;
864 
865 		case IWM_UCODE_TLV_N_SCAN_CHANNELS:
866 			if (tlv_len != sizeof(uint32_t)) {
867 				error = EINVAL;
868 				goto parse_out;
869 			}
870 			capa->n_scan_channels =
871 			    le32_to_cpup((const uint32_t *)tlv_data);
872 			break;
873 
874 		case IWM_UCODE_TLV_FW_VERSION:
875 			if (tlv_len != sizeof(uint32_t) * 3) {
876 				error = EINVAL;
877 				goto parse_out;
878 			}
879 			snprintf(sc->sc_fwver, sizeof(sc->sc_fwver),
880 			    "%d.%d.%d",
881 			    le32toh(((const uint32_t *)tlv_data)[0]),
882 			    le32toh(((const uint32_t *)tlv_data)[1]),
883 			    le32toh(((const uint32_t *)tlv_data)[2]));
884 			break;
885 
886 		case IWM_UCODE_TLV_FW_MEM_SEG:
887 			break;
888 
889 		default:
890 			device_printf(sc->sc_dev,
891 			    "%s: unknown firmware section %d, abort\n",
892 			    __func__, tlv_type);
893 			error = EINVAL;
894 			goto parse_out;
895 		}
896 	}
897 
898 	KASSERT(error == 0, ("unhandled error"));
899 
900  parse_out:
901 	if (error) {
902 		device_printf(sc->sc_dev, "firmware parse error %d, "
903 		    "section type %d\n", error, tlv_type);
904 	}
905 
906  out:
907 	if (error) {
908 		fw->fw_status = IWM_FW_STATUS_NONE;
909 		if (fw->fw_fp != NULL)
910 			iwm_fw_info_free(fw);
911 	} else
912 		fw->fw_status = IWM_FW_STATUS_DONE;
913 	wakeup(&sc->sc_fw);
914 
915 	return error;
916 }
917 
918 /*
919  * DMA resource routines
920  */
921 
922 /* fwmem is used to load firmware onto the card */
923 static int
924 iwm_alloc_fwmem(struct iwm_softc *sc)
925 {
926 	/* Must be aligned on a 16-byte boundary. */
927 	return iwm_dma_contig_alloc(sc->sc_dmat, &sc->fw_dma,
928 	    IWM_FH_MEM_TB_MAX_LENGTH, 16);
929 }
930 
931 /* tx scheduler rings.  not used? */
932 static int
933 iwm_alloc_sched(struct iwm_softc *sc)
934 {
935 	/* TX scheduler rings must be aligned on a 1KB boundary. */
936 	return iwm_dma_contig_alloc(sc->sc_dmat, &sc->sched_dma,
937 	    nitems(sc->txq) * sizeof(struct iwm_agn_scd_bc_tbl), 1024);
938 }
939 
940 /* keep-warm page is used internally by the card.  see iwl-fh.h for more info */
941 static int
942 iwm_alloc_kw(struct iwm_softc *sc)
943 {
944 	return iwm_dma_contig_alloc(sc->sc_dmat, &sc->kw_dma, 4096, 4096);
945 }
946 
947 /* interrupt cause table */
948 static int
949 iwm_alloc_ict(struct iwm_softc *sc)
950 {
951 	return iwm_dma_contig_alloc(sc->sc_dmat, &sc->ict_dma,
952 	    IWM_ICT_SIZE, 1<<IWM_ICT_PADDR_SHIFT);
953 }
954 
955 static int
956 iwm_alloc_rx_ring(struct iwm_softc *sc, struct iwm_rx_ring *ring)
957 {
958 	bus_size_t size;
959 	int i, error;
960 
961 	ring->cur = 0;
962 
963 	/* Allocate RX descriptors (256-byte aligned). */
964 	size = IWM_RX_RING_COUNT * sizeof(uint32_t);
965 	error = iwm_dma_contig_alloc(sc->sc_dmat, &ring->desc_dma, size, 256);
966 	if (error != 0) {
967 		device_printf(sc->sc_dev,
968 		    "could not allocate RX ring DMA memory\n");
969 		goto fail;
970 	}
971 	ring->desc = ring->desc_dma.vaddr;
972 
973 	/* Allocate RX status area (16-byte aligned). */
974 	error = iwm_dma_contig_alloc(sc->sc_dmat, &ring->stat_dma,
975 	    sizeof(*ring->stat), 16);
976 	if (error != 0) {
977 		device_printf(sc->sc_dev,
978 		    "could not allocate RX status DMA memory\n");
979 		goto fail;
980 	}
981 	ring->stat = ring->stat_dma.vaddr;
982 
983         /* Create RX buffer DMA tag. */
984         error = bus_dma_tag_create(sc->sc_dmat, 1, 0,
985             BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
986             IWM_RBUF_SIZE, 1, IWM_RBUF_SIZE, 0, NULL, NULL, &ring->data_dmat);
987         if (error != 0) {
988                 device_printf(sc->sc_dev,
989                     "%s: could not create RX buf DMA tag, error %d\n",
990                     __func__, error);
991                 goto fail;
992         }
993 
994 	/* Allocate spare bus_dmamap_t for iwm_rx_addbuf() */
995 	error = bus_dmamap_create(ring->data_dmat, 0, &ring->spare_map);
996 	if (error != 0) {
997 		device_printf(sc->sc_dev,
998 		    "%s: could not create RX buf DMA map, error %d\n",
999 		    __func__, error);
1000 		goto fail;
1001 	}
1002 	/*
1003 	 * Allocate and map RX buffers.
1004 	 */
1005 	for (i = 0; i < IWM_RX_RING_COUNT; i++) {
1006 		struct iwm_rx_data *data = &ring->data[i];
1007 		error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
1008 		if (error != 0) {
1009 			device_printf(sc->sc_dev,
1010 			    "%s: could not create RX buf DMA map, error %d\n",
1011 			    __func__, error);
1012 			goto fail;
1013 		}
1014 		data->m = NULL;
1015 
1016 		if ((error = iwm_rx_addbuf(sc, IWM_RBUF_SIZE, i)) != 0) {
1017 			goto fail;
1018 		}
1019 	}
1020 	return 0;
1021 
1022 fail:	iwm_free_rx_ring(sc, ring);
1023 	return error;
1024 }
1025 
1026 static void
1027 iwm_reset_rx_ring(struct iwm_softc *sc, struct iwm_rx_ring *ring)
1028 {
1029 	/* Reset the ring state */
1030 	ring->cur = 0;
1031 
1032 	/*
1033 	 * The hw rx ring index in shared memory must also be cleared,
1034 	 * otherwise the discrepancy can cause reprocessing chaos.
1035 	 */
1036 	memset(sc->rxq.stat, 0, sizeof(*sc->rxq.stat));
1037 }
1038 
1039 static void
1040 iwm_free_rx_ring(struct iwm_softc *sc, struct iwm_rx_ring *ring)
1041 {
1042 	int i;
1043 
1044 	iwm_dma_contig_free(&ring->desc_dma);
1045 	iwm_dma_contig_free(&ring->stat_dma);
1046 
1047 	for (i = 0; i < IWM_RX_RING_COUNT; i++) {
1048 		struct iwm_rx_data *data = &ring->data[i];
1049 
1050 		if (data->m != NULL) {
1051 			bus_dmamap_sync(ring->data_dmat, data->map,
1052 			    BUS_DMASYNC_POSTREAD);
1053 			bus_dmamap_unload(ring->data_dmat, data->map);
1054 			m_freem(data->m);
1055 			data->m = NULL;
1056 		}
1057 		if (data->map != NULL) {
1058 			bus_dmamap_destroy(ring->data_dmat, data->map);
1059 			data->map = NULL;
1060 		}
1061 	}
1062 	if (ring->spare_map != NULL) {
1063 		bus_dmamap_destroy(ring->data_dmat, ring->spare_map);
1064 		ring->spare_map = NULL;
1065 	}
1066 	if (ring->data_dmat != NULL) {
1067 		bus_dma_tag_destroy(ring->data_dmat);
1068 		ring->data_dmat = NULL;
1069 	}
1070 }
1071 
1072 static int
1073 iwm_alloc_tx_ring(struct iwm_softc *sc, struct iwm_tx_ring *ring, int qid)
1074 {
1075 	bus_addr_t paddr;
1076 	bus_size_t size;
1077 	size_t maxsize;
1078 	int nsegments;
1079 	int i, error;
1080 
1081 	ring->qid = qid;
1082 	ring->queued = 0;
1083 	ring->cur = 0;
1084 
1085 	/* Allocate TX descriptors (256-byte aligned). */
1086 	size = IWM_TX_RING_COUNT * sizeof (struct iwm_tfd);
1087 	error = iwm_dma_contig_alloc(sc->sc_dmat, &ring->desc_dma, size, 256);
1088 	if (error != 0) {
1089 		device_printf(sc->sc_dev,
1090 		    "could not allocate TX ring DMA memory\n");
1091 		goto fail;
1092 	}
1093 	ring->desc = ring->desc_dma.vaddr;
1094 
1095 	/*
1096 	 * We only use rings 0 through 9 (4 EDCA + cmd) so there is no need
1097 	 * to allocate commands space for other rings.
1098 	 */
1099 	if (qid > IWM_MVM_CMD_QUEUE)
1100 		return 0;
1101 
1102 	size = IWM_TX_RING_COUNT * sizeof(struct iwm_device_cmd);
1103 	error = iwm_dma_contig_alloc(sc->sc_dmat, &ring->cmd_dma, size, 4);
1104 	if (error != 0) {
1105 		device_printf(sc->sc_dev,
1106 		    "could not allocate TX cmd DMA memory\n");
1107 		goto fail;
1108 	}
1109 	ring->cmd = ring->cmd_dma.vaddr;
1110 
1111 	/* FW commands may require more mapped space than packets. */
1112 	if (qid == IWM_MVM_CMD_QUEUE) {
1113 		maxsize = IWM_RBUF_SIZE;
1114 		nsegments = 1;
1115 	} else {
1116 		maxsize = MCLBYTES;
1117 		nsegments = IWM_MAX_SCATTER - 2;
1118 	}
1119 
1120 	error = bus_dma_tag_create(sc->sc_dmat, 1, 0,
1121 	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, maxsize,
1122             nsegments, maxsize, 0, NULL, NULL, &ring->data_dmat);
1123 	if (error != 0) {
1124 		device_printf(sc->sc_dev, "could not create TX buf DMA tag\n");
1125 		goto fail;
1126 	}
1127 
1128 	paddr = ring->cmd_dma.paddr;
1129 	for (i = 0; i < IWM_TX_RING_COUNT; i++) {
1130 		struct iwm_tx_data *data = &ring->data[i];
1131 
1132 		data->cmd_paddr = paddr;
1133 		data->scratch_paddr = paddr + sizeof(struct iwm_cmd_header)
1134 		    + offsetof(struct iwm_tx_cmd, scratch);
1135 		paddr += sizeof(struct iwm_device_cmd);
1136 
1137 		error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
1138 		if (error != 0) {
1139 			device_printf(sc->sc_dev,
1140 			    "could not create TX buf DMA map\n");
1141 			goto fail;
1142 		}
1143 	}
1144 	KASSERT(paddr == ring->cmd_dma.paddr + size,
1145 	    ("invalid physical address"));
1146 	return 0;
1147 
1148 fail:	iwm_free_tx_ring(sc, ring);
1149 	return error;
1150 }
1151 
1152 static void
1153 iwm_reset_tx_ring(struct iwm_softc *sc, struct iwm_tx_ring *ring)
1154 {
1155 	int i;
1156 
1157 	for (i = 0; i < IWM_TX_RING_COUNT; i++) {
1158 		struct iwm_tx_data *data = &ring->data[i];
1159 
1160 		if (data->m != NULL) {
1161 			bus_dmamap_sync(ring->data_dmat, data->map,
1162 			    BUS_DMASYNC_POSTWRITE);
1163 			bus_dmamap_unload(ring->data_dmat, data->map);
1164 			m_freem(data->m);
1165 			data->m = NULL;
1166 		}
1167 	}
1168 	/* Clear TX descriptors. */
1169 	memset(ring->desc, 0, ring->desc_dma.size);
1170 	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
1171 	    BUS_DMASYNC_PREWRITE);
1172 	sc->qfullmsk &= ~(1 << ring->qid);
1173 	ring->queued = 0;
1174 	ring->cur = 0;
1175 
1176 	if (ring->qid == IWM_MVM_CMD_QUEUE && sc->cmd_hold_nic_awake)
1177 		iwm_pcie_clear_cmd_in_flight(sc);
1178 }
1179 
1180 static void
1181 iwm_free_tx_ring(struct iwm_softc *sc, struct iwm_tx_ring *ring)
1182 {
1183 	int i;
1184 
1185 	iwm_dma_contig_free(&ring->desc_dma);
1186 	iwm_dma_contig_free(&ring->cmd_dma);
1187 
1188 	for (i = 0; i < IWM_TX_RING_COUNT; i++) {
1189 		struct iwm_tx_data *data = &ring->data[i];
1190 
1191 		if (data->m != NULL) {
1192 			bus_dmamap_sync(ring->data_dmat, data->map,
1193 			    BUS_DMASYNC_POSTWRITE);
1194 			bus_dmamap_unload(ring->data_dmat, data->map);
1195 			m_freem(data->m);
1196 			data->m = NULL;
1197 		}
1198 		if (data->map != NULL) {
1199 			bus_dmamap_destroy(ring->data_dmat, data->map);
1200 			data->map = NULL;
1201 		}
1202 	}
1203 	if (ring->data_dmat != NULL) {
1204 		bus_dma_tag_destroy(ring->data_dmat);
1205 		ring->data_dmat = NULL;
1206 	}
1207 }
1208 
1209 /*
1210  * High-level hardware frobbing routines
1211  */
1212 
1213 static void
1214 iwm_enable_interrupts(struct iwm_softc *sc)
1215 {
1216 	sc->sc_intmask = IWM_CSR_INI_SET_MASK;
1217 	IWM_WRITE(sc, IWM_CSR_INT_MASK, sc->sc_intmask);
1218 }
1219 
1220 static void
1221 iwm_restore_interrupts(struct iwm_softc *sc)
1222 {
1223 	IWM_WRITE(sc, IWM_CSR_INT_MASK, sc->sc_intmask);
1224 }
1225 
1226 static void
1227 iwm_disable_interrupts(struct iwm_softc *sc)
1228 {
1229 	/* disable interrupts */
1230 	IWM_WRITE(sc, IWM_CSR_INT_MASK, 0);
1231 
1232 	/* acknowledge all interrupts */
1233 	IWM_WRITE(sc, IWM_CSR_INT, ~0);
1234 	IWM_WRITE(sc, IWM_CSR_FH_INT_STATUS, ~0);
1235 }
1236 
1237 static void
1238 iwm_ict_reset(struct iwm_softc *sc)
1239 {
1240 	iwm_disable_interrupts(sc);
1241 
1242 	/* Reset ICT table. */
1243 	memset(sc->ict_dma.vaddr, 0, IWM_ICT_SIZE);
1244 	sc->ict_cur = 0;
1245 
1246 	/* Set physical address of ICT table (4KB aligned). */
1247 	IWM_WRITE(sc, IWM_CSR_DRAM_INT_TBL_REG,
1248 	    IWM_CSR_DRAM_INT_TBL_ENABLE
1249 	    | IWM_CSR_DRAM_INIT_TBL_WRITE_POINTER
1250 	    | IWM_CSR_DRAM_INIT_TBL_WRAP_CHECK
1251 	    | sc->ict_dma.paddr >> IWM_ICT_PADDR_SHIFT);
1252 
1253 	/* Switch to ICT interrupt mode in driver. */
1254 	sc->sc_flags |= IWM_FLAG_USE_ICT;
1255 
1256 	/* Re-enable interrupts. */
1257 	IWM_WRITE(sc, IWM_CSR_INT, ~0);
1258 	iwm_enable_interrupts(sc);
1259 }
1260 
1261 /* iwlwifi pcie/trans.c */
1262 
1263 /*
1264  * Since this .. hard-resets things, it's time to actually
1265  * mark the first vap (if any) as having no mac context.
1266  * It's annoying, but since the driver is potentially being
1267  * stop/start'ed whilst active (thanks openbsd port!) we
1268  * have to correctly track this.
1269  */
1270 static void
1271 iwm_stop_device(struct iwm_softc *sc)
1272 {
1273 	struct ieee80211com *ic = &sc->sc_ic;
1274 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1275 	int chnl, qid;
1276 	uint32_t mask = 0;
1277 
1278 	/* tell the device to stop sending interrupts */
1279 	iwm_disable_interrupts(sc);
1280 
1281 	/*
1282 	 * FreeBSD-local: mark the first vap as not-uploaded,
1283 	 * so the next transition through auth/assoc
1284 	 * will correctly populate the MAC context.
1285 	 */
1286 	if (vap) {
1287 		struct iwm_vap *iv = IWM_VAP(vap);
1288 		iv->phy_ctxt = NULL;
1289 		iv->is_uploaded = 0;
1290 	}
1291 
1292 	/* device going down, Stop using ICT table */
1293 	sc->sc_flags &= ~IWM_FLAG_USE_ICT;
1294 
1295 	/* stop tx and rx.  tx and rx bits, as usual, are from if_iwn */
1296 
1297 	if (iwm_nic_lock(sc)) {
1298 		iwm_write_prph(sc, IWM_SCD_TXFACT, 0);
1299 
1300 		/* Stop each Tx DMA channel */
1301 		for (chnl = 0; chnl < IWM_FH_TCSR_CHNL_NUM; chnl++) {
1302 			IWM_WRITE(sc,
1303 			    IWM_FH_TCSR_CHNL_TX_CONFIG_REG(chnl), 0);
1304 			mask |= IWM_FH_TSSR_TX_STATUS_REG_MSK_CHNL_IDLE(chnl);
1305 		}
1306 
1307 		/* Wait for DMA channels to be idle */
1308 		if (!iwm_poll_bit(sc, IWM_FH_TSSR_TX_STATUS_REG, mask, mask,
1309 		    5000)) {
1310 			device_printf(sc->sc_dev,
1311 			    "Failing on timeout while stopping DMA channel: [0x%08x]\n",
1312 			    IWM_READ(sc, IWM_FH_TSSR_TX_STATUS_REG));
1313 		}
1314 		iwm_nic_unlock(sc);
1315 	}
1316 	iwm_pcie_rx_stop(sc);
1317 
1318 	/* Stop RX ring. */
1319 	iwm_reset_rx_ring(sc, &sc->rxq);
1320 
1321 	/* Reset all TX rings. */
1322 	for (qid = 0; qid < nitems(sc->txq); qid++)
1323 		iwm_reset_tx_ring(sc, &sc->txq[qid]);
1324 
1325 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000) {
1326 		/* Power-down device's busmaster DMA clocks */
1327 		if (iwm_nic_lock(sc)) {
1328 			iwm_write_prph(sc, IWM_APMG_CLK_DIS_REG,
1329 			    IWM_APMG_CLK_VAL_DMA_CLK_RQT);
1330 			iwm_nic_unlock(sc);
1331 		}
1332 		DELAY(5);
1333 	}
1334 
1335 	/* Make sure (redundant) we've released our request to stay awake */
1336 	IWM_CLRBITS(sc, IWM_CSR_GP_CNTRL,
1337 	    IWM_CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
1338 
1339 	/* Stop the device, and put it in low power state */
1340 	iwm_apm_stop(sc);
1341 
1342 	/* Upon stop, the APM issues an interrupt if HW RF kill is set.
1343 	 * Clean again the interrupt here
1344 	 */
1345 	iwm_disable_interrupts(sc);
1346 	/* stop and reset the on-board processor */
1347 	IWM_WRITE(sc, IWM_CSR_RESET, IWM_CSR_RESET_REG_FLAG_SW_RESET);
1348 
1349 	/*
1350 	 * Even if we stop the HW, we still want the RF kill
1351 	 * interrupt
1352 	 */
1353 	iwm_enable_rfkill_int(sc);
1354 	iwm_check_rfkill(sc);
1355 }
1356 
1357 /* iwlwifi: mvm/ops.c */
1358 static void
1359 iwm_mvm_nic_config(struct iwm_softc *sc)
1360 {
1361 	uint8_t radio_cfg_type, radio_cfg_step, radio_cfg_dash;
1362 	uint32_t reg_val = 0;
1363 	uint32_t phy_config = iwm_mvm_get_phy_config(sc);
1364 
1365 	radio_cfg_type = (phy_config & IWM_FW_PHY_CFG_RADIO_TYPE) >>
1366 	    IWM_FW_PHY_CFG_RADIO_TYPE_POS;
1367 	radio_cfg_step = (phy_config & IWM_FW_PHY_CFG_RADIO_STEP) >>
1368 	    IWM_FW_PHY_CFG_RADIO_STEP_POS;
1369 	radio_cfg_dash = (phy_config & IWM_FW_PHY_CFG_RADIO_DASH) >>
1370 	    IWM_FW_PHY_CFG_RADIO_DASH_POS;
1371 
1372 	/* SKU control */
1373 	reg_val |= IWM_CSR_HW_REV_STEP(sc->sc_hw_rev) <<
1374 	    IWM_CSR_HW_IF_CONFIG_REG_POS_MAC_STEP;
1375 	reg_val |= IWM_CSR_HW_REV_DASH(sc->sc_hw_rev) <<
1376 	    IWM_CSR_HW_IF_CONFIG_REG_POS_MAC_DASH;
1377 
1378 	/* radio configuration */
1379 	reg_val |= radio_cfg_type << IWM_CSR_HW_IF_CONFIG_REG_POS_PHY_TYPE;
1380 	reg_val |= radio_cfg_step << IWM_CSR_HW_IF_CONFIG_REG_POS_PHY_STEP;
1381 	reg_val |= radio_cfg_dash << IWM_CSR_HW_IF_CONFIG_REG_POS_PHY_DASH;
1382 
1383 	IWM_WRITE(sc, IWM_CSR_HW_IF_CONFIG_REG, reg_val);
1384 
1385 	IWM_DPRINTF(sc, IWM_DEBUG_RESET,
1386 	    "Radio type=0x%x-0x%x-0x%x\n", radio_cfg_type,
1387 	    radio_cfg_step, radio_cfg_dash);
1388 
1389 	/*
1390 	 * W/A : NIC is stuck in a reset state after Early PCIe power off
1391 	 * (PCIe power is lost before PERST# is asserted), causing ME FW
1392 	 * to lose ownership and not being able to obtain it back.
1393 	 */
1394 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000) {
1395 		iwm_set_bits_mask_prph(sc, IWM_APMG_PS_CTRL_REG,
1396 		    IWM_APMG_PS_CTRL_EARLY_PWR_OFF_RESET_DIS,
1397 		    ~IWM_APMG_PS_CTRL_EARLY_PWR_OFF_RESET_DIS);
1398 	}
1399 }
1400 
1401 static int
1402 iwm_nic_rx_init(struct iwm_softc *sc)
1403 {
1404 	/*
1405 	 * Initialize RX ring.  This is from the iwn driver.
1406 	 */
1407 	memset(sc->rxq.stat, 0, sizeof(*sc->rxq.stat));
1408 
1409 	/* Stop Rx DMA */
1410 	iwm_pcie_rx_stop(sc);
1411 
1412 	if (!iwm_nic_lock(sc))
1413 		return EBUSY;
1414 
1415 	/* reset and flush pointers */
1416 	IWM_WRITE(sc, IWM_FH_MEM_RCSR_CHNL0_RBDCB_WPTR, 0);
1417 	IWM_WRITE(sc, IWM_FH_MEM_RCSR_CHNL0_FLUSH_RB_REQ, 0);
1418 	IWM_WRITE(sc, IWM_FH_RSCSR_CHNL0_RDPTR, 0);
1419 	IWM_WRITE(sc, IWM_FH_RSCSR_CHNL0_RBDCB_WPTR_REG, 0);
1420 
1421 	/* Set physical address of RX ring (256-byte aligned). */
1422 	IWM_WRITE(sc,
1423 	    IWM_FH_RSCSR_CHNL0_RBDCB_BASE_REG, sc->rxq.desc_dma.paddr >> 8);
1424 
1425 	/* Set physical address of RX status (16-byte aligned). */
1426 	IWM_WRITE(sc,
1427 	    IWM_FH_RSCSR_CHNL0_STTS_WPTR_REG, sc->rxq.stat_dma.paddr >> 4);
1428 
1429 	/* Enable Rx DMA
1430 	 * XXX 5000 HW isn't supported by the iwm(4) driver.
1431 	 * IWM_FH_RCSR_CHNL0_RX_IGNORE_RXF_EMPTY is set because of HW bug in
1432 	 *      the credit mechanism in 5000 HW RX FIFO
1433 	 * Direct rx interrupts to hosts
1434 	 * Rx buffer size 4 or 8k or 12k
1435 	 * RB timeout 0x10
1436 	 * 256 RBDs
1437 	 */
1438 	IWM_WRITE(sc, IWM_FH_MEM_RCSR_CHNL0_CONFIG_REG,
1439 	    IWM_FH_RCSR_RX_CONFIG_CHNL_EN_ENABLE_VAL		|
1440 	    IWM_FH_RCSR_CHNL0_RX_IGNORE_RXF_EMPTY		|  /* HW bug */
1441 	    IWM_FH_RCSR_CHNL0_RX_CONFIG_IRQ_DEST_INT_HOST_VAL	|
1442 	    IWM_FH_RCSR_RX_CONFIG_REG_VAL_RB_SIZE_4K		|
1443 	    (IWM_RX_RB_TIMEOUT << IWM_FH_RCSR_RX_CONFIG_REG_IRQ_RBTH_POS) |
1444 	    IWM_RX_QUEUE_SIZE_LOG << IWM_FH_RCSR_RX_CONFIG_RBDCB_SIZE_POS);
1445 
1446 	IWM_WRITE_1(sc, IWM_CSR_INT_COALESCING, IWM_HOST_INT_TIMEOUT_DEF);
1447 
1448 	/* W/A for interrupt coalescing bug in 7260 and 3160 */
1449 	if (sc->cfg->host_interrupt_operation_mode)
1450 		IWM_SETBITS(sc, IWM_CSR_INT_COALESCING, IWM_HOST_INT_OPER_MODE);
1451 
1452 	/*
1453 	 * Thus sayeth el jefe (iwlwifi) via a comment:
1454 	 *
1455 	 * This value should initially be 0 (before preparing any
1456 	 * RBs), should be 8 after preparing the first 8 RBs (for example)
1457 	 */
1458 	IWM_WRITE(sc, IWM_FH_RSCSR_CHNL0_WPTR, 8);
1459 
1460 	iwm_nic_unlock(sc);
1461 
1462 	return 0;
1463 }
1464 
1465 static int
1466 iwm_nic_tx_init(struct iwm_softc *sc)
1467 {
1468 	int qid;
1469 
1470 	if (!iwm_nic_lock(sc))
1471 		return EBUSY;
1472 
1473 	/* Deactivate TX scheduler. */
1474 	iwm_write_prph(sc, IWM_SCD_TXFACT, 0);
1475 
1476 	/* Set physical address of "keep warm" page (16-byte aligned). */
1477 	IWM_WRITE(sc, IWM_FH_KW_MEM_ADDR_REG, sc->kw_dma.paddr >> 4);
1478 
1479 	/* Initialize TX rings. */
1480 	for (qid = 0; qid < nitems(sc->txq); qid++) {
1481 		struct iwm_tx_ring *txq = &sc->txq[qid];
1482 
1483 		/* Set physical address of TX ring (256-byte aligned). */
1484 		IWM_WRITE(sc, IWM_FH_MEM_CBBC_QUEUE(qid),
1485 		    txq->desc_dma.paddr >> 8);
1486 		IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
1487 		    "%s: loading ring %d descriptors (%p) at %lx\n",
1488 		    __func__,
1489 		    qid, txq->desc,
1490 		    (unsigned long) (txq->desc_dma.paddr >> 8));
1491 	}
1492 
1493 	iwm_write_prph(sc, IWM_SCD_GP_CTRL, IWM_SCD_GP_CTRL_AUTO_ACTIVE_MODE);
1494 
1495 	iwm_nic_unlock(sc);
1496 
1497 	return 0;
1498 }
1499 
1500 static int
1501 iwm_nic_init(struct iwm_softc *sc)
1502 {
1503 	int error;
1504 
1505 	iwm_apm_init(sc);
1506 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000)
1507 		iwm_set_pwr(sc);
1508 
1509 	iwm_mvm_nic_config(sc);
1510 
1511 	if ((error = iwm_nic_rx_init(sc)) != 0)
1512 		return error;
1513 
1514 	/*
1515 	 * Ditto for TX, from iwn
1516 	 */
1517 	if ((error = iwm_nic_tx_init(sc)) != 0)
1518 		return error;
1519 
1520 	IWM_DPRINTF(sc, IWM_DEBUG_RESET,
1521 	    "%s: shadow registers enabled\n", __func__);
1522 	IWM_SETBITS(sc, IWM_CSR_MAC_SHADOW_REG_CTRL, 0x800fffff);
1523 
1524 	return 0;
1525 }
1526 
1527 int
1528 iwm_enable_txq(struct iwm_softc *sc, int sta_id, int qid, int fifo)
1529 {
1530 	if (!iwm_nic_lock(sc)) {
1531 		device_printf(sc->sc_dev,
1532 		    "%s: cannot enable txq %d\n",
1533 		    __func__,
1534 		    qid);
1535 		return EBUSY;
1536 	}
1537 
1538 	IWM_WRITE(sc, IWM_HBUS_TARG_WRPTR, qid << 8 | 0);
1539 
1540 	if (qid == IWM_MVM_CMD_QUEUE) {
1541 		/* unactivate before configuration */
1542 		iwm_write_prph(sc, IWM_SCD_QUEUE_STATUS_BITS(qid),
1543 		    (0 << IWM_SCD_QUEUE_STTS_REG_POS_ACTIVE)
1544 		    | (1 << IWM_SCD_QUEUE_STTS_REG_POS_SCD_ACT_EN));
1545 
1546 		iwm_nic_unlock(sc);
1547 
1548 		iwm_clear_bits_prph(sc, IWM_SCD_AGGR_SEL, (1 << qid));
1549 
1550 		if (!iwm_nic_lock(sc)) {
1551 			device_printf(sc->sc_dev,
1552 			    "%s: cannot enable txq %d\n", __func__, qid);
1553 			return EBUSY;
1554 		}
1555 		iwm_write_prph(sc, IWM_SCD_QUEUE_RDPTR(qid), 0);
1556 		iwm_nic_unlock(sc);
1557 
1558 		iwm_write_mem32(sc, sc->scd_base_addr + IWM_SCD_CONTEXT_QUEUE_OFFSET(qid), 0);
1559 		/* Set scheduler window size and frame limit. */
1560 		iwm_write_mem32(sc,
1561 		    sc->scd_base_addr + IWM_SCD_CONTEXT_QUEUE_OFFSET(qid) +
1562 		    sizeof(uint32_t),
1563 		    ((IWM_FRAME_LIMIT << IWM_SCD_QUEUE_CTX_REG2_WIN_SIZE_POS) &
1564 		    IWM_SCD_QUEUE_CTX_REG2_WIN_SIZE_MSK) |
1565 		    ((IWM_FRAME_LIMIT << IWM_SCD_QUEUE_CTX_REG2_FRAME_LIMIT_POS) &
1566 		    IWM_SCD_QUEUE_CTX_REG2_FRAME_LIMIT_MSK));
1567 
1568 		if (!iwm_nic_lock(sc)) {
1569 			device_printf(sc->sc_dev,
1570 			    "%s: cannot enable txq %d\n", __func__, qid);
1571 			return EBUSY;
1572 		}
1573 		iwm_write_prph(sc, IWM_SCD_QUEUE_STATUS_BITS(qid),
1574 		    (1 << IWM_SCD_QUEUE_STTS_REG_POS_ACTIVE) |
1575 		    (fifo << IWM_SCD_QUEUE_STTS_REG_POS_TXF) |
1576 		    (1 << IWM_SCD_QUEUE_STTS_REG_POS_WSL) |
1577 		    IWM_SCD_QUEUE_STTS_REG_MSK);
1578 	} else {
1579 		struct iwm_scd_txq_cfg_cmd cmd;
1580 		int error;
1581 
1582 		iwm_nic_unlock(sc);
1583 
1584 		memset(&cmd, 0, sizeof(cmd));
1585 		cmd.scd_queue = qid;
1586 		cmd.enable = 1;
1587 		cmd.sta_id = sta_id;
1588 		cmd.tx_fifo = fifo;
1589 		cmd.aggregate = 0;
1590 		cmd.window = IWM_FRAME_LIMIT;
1591 
1592 		error = iwm_mvm_send_cmd_pdu(sc, IWM_SCD_QUEUE_CFG, IWM_CMD_SYNC,
1593 		    sizeof(cmd), &cmd);
1594 		if (error) {
1595 			device_printf(sc->sc_dev,
1596 			    "cannot enable txq %d\n", qid);
1597 			return error;
1598 		}
1599 
1600 		if (!iwm_nic_lock(sc))
1601 			return EBUSY;
1602 	}
1603 
1604 	iwm_write_prph(sc, IWM_SCD_EN_CTRL,
1605 	    iwm_read_prph(sc, IWM_SCD_EN_CTRL) | qid);
1606 
1607 	iwm_nic_unlock(sc);
1608 
1609 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT, "%s: enabled txq %d FIFO %d\n",
1610 	    __func__, qid, fifo);
1611 
1612 	return 0;
1613 }
1614 
1615 static int
1616 iwm_trans_pcie_fw_alive(struct iwm_softc *sc, uint32_t scd_base_addr)
1617 {
1618 	int error, chnl;
1619 
1620 	int clear_dwords = (IWM_SCD_TRANS_TBL_MEM_UPPER_BOUND -
1621 	    IWM_SCD_CONTEXT_MEM_LOWER_BOUND) / sizeof(uint32_t);
1622 
1623 	if (!iwm_nic_lock(sc))
1624 		return EBUSY;
1625 
1626 	iwm_ict_reset(sc);
1627 
1628 	sc->scd_base_addr = iwm_read_prph(sc, IWM_SCD_SRAM_BASE_ADDR);
1629 	if (scd_base_addr != 0 &&
1630 	    scd_base_addr != sc->scd_base_addr) {
1631 		device_printf(sc->sc_dev,
1632 		    "%s: sched addr mismatch: alive: 0x%x prph: 0x%x\n",
1633 		    __func__, sc->scd_base_addr, scd_base_addr);
1634 	}
1635 
1636 	iwm_nic_unlock(sc);
1637 
1638 	/* reset context data, TX status and translation data */
1639 	error = iwm_write_mem(sc,
1640 	    sc->scd_base_addr + IWM_SCD_CONTEXT_MEM_LOWER_BOUND,
1641 	    NULL, clear_dwords);
1642 	if (error)
1643 		return EBUSY;
1644 
1645 	if (!iwm_nic_lock(sc))
1646 		return EBUSY;
1647 
1648 	/* Set physical address of TX scheduler rings (1KB aligned). */
1649 	iwm_write_prph(sc, IWM_SCD_DRAM_BASE_ADDR, sc->sched_dma.paddr >> 10);
1650 
1651 	iwm_write_prph(sc, IWM_SCD_CHAINEXT_EN, 0);
1652 
1653 	iwm_nic_unlock(sc);
1654 
1655 	/* enable command channel */
1656 	error = iwm_enable_txq(sc, 0 /* unused */, IWM_MVM_CMD_QUEUE, 7);
1657 	if (error)
1658 		return error;
1659 
1660 	if (!iwm_nic_lock(sc))
1661 		return EBUSY;
1662 
1663 	iwm_write_prph(sc, IWM_SCD_TXFACT, 0xff);
1664 
1665 	/* Enable DMA channels. */
1666 	for (chnl = 0; chnl < IWM_FH_TCSR_CHNL_NUM; chnl++) {
1667 		IWM_WRITE(sc, IWM_FH_TCSR_CHNL_TX_CONFIG_REG(chnl),
1668 		    IWM_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_ENABLE |
1669 		    IWM_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CREDIT_ENABLE);
1670 	}
1671 
1672 	IWM_SETBITS(sc, IWM_FH_TX_CHICKEN_BITS_REG,
1673 	    IWM_FH_TX_CHICKEN_BITS_SCD_AUTO_RETRY_EN);
1674 
1675 	iwm_nic_unlock(sc);
1676 
1677 	/* Enable L1-Active */
1678 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000) {
1679 		iwm_clear_bits_prph(sc, IWM_APMG_PCIDEV_STT_REG,
1680 		    IWM_APMG_PCIDEV_STT_VAL_L1_ACT_DIS);
1681 	}
1682 
1683 	return error;
1684 }
1685 
1686 /*
1687  * NVM read access and content parsing.  We do not support
1688  * external NVM or writing NVM.
1689  * iwlwifi/mvm/nvm.c
1690  */
1691 
1692 /* Default NVM size to read */
1693 #define IWM_NVM_DEFAULT_CHUNK_SIZE	(2*1024)
1694 
1695 #define IWM_NVM_WRITE_OPCODE 1
1696 #define IWM_NVM_READ_OPCODE 0
1697 
1698 /* load nvm chunk response */
1699 enum {
1700 	IWM_READ_NVM_CHUNK_SUCCEED = 0,
1701 	IWM_READ_NVM_CHUNK_NOT_VALID_ADDRESS = 1
1702 };
1703 
1704 static int
1705 iwm_nvm_read_chunk(struct iwm_softc *sc, uint16_t section,
1706 	uint16_t offset, uint16_t length, uint8_t *data, uint16_t *len)
1707 {
1708 	struct iwm_nvm_access_cmd nvm_access_cmd = {
1709 		.offset = htole16(offset),
1710 		.length = htole16(length),
1711 		.type = htole16(section),
1712 		.op_code = IWM_NVM_READ_OPCODE,
1713 	};
1714 	struct iwm_nvm_access_resp *nvm_resp;
1715 	struct iwm_rx_packet *pkt;
1716 	struct iwm_host_cmd cmd = {
1717 		.id = IWM_NVM_ACCESS_CMD,
1718 		.flags = IWM_CMD_WANT_SKB | IWM_CMD_SEND_IN_RFKILL,
1719 		.data = { &nvm_access_cmd, },
1720 	};
1721 	int ret, bytes_read, offset_read;
1722 	uint8_t *resp_data;
1723 
1724 	cmd.len[0] = sizeof(struct iwm_nvm_access_cmd);
1725 
1726 	ret = iwm_send_cmd(sc, &cmd);
1727 	if (ret) {
1728 		device_printf(sc->sc_dev,
1729 		    "Could not send NVM_ACCESS command (error=%d)\n", ret);
1730 		return ret;
1731 	}
1732 
1733 	pkt = cmd.resp_pkt;
1734 
1735 	/* Extract NVM response */
1736 	nvm_resp = (void *)pkt->data;
1737 	ret = le16toh(nvm_resp->status);
1738 	bytes_read = le16toh(nvm_resp->length);
1739 	offset_read = le16toh(nvm_resp->offset);
1740 	resp_data = nvm_resp->data;
1741 	if (ret) {
1742 		if ((offset != 0) &&
1743 		    (ret == IWM_READ_NVM_CHUNK_NOT_VALID_ADDRESS)) {
1744 			/*
1745 			 * meaning of NOT_VALID_ADDRESS:
1746 			 * driver try to read chunk from address that is
1747 			 * multiple of 2K and got an error since addr is empty.
1748 			 * meaning of (offset != 0): driver already
1749 			 * read valid data from another chunk so this case
1750 			 * is not an error.
1751 			 */
1752 			IWM_DPRINTF(sc, IWM_DEBUG_EEPROM | IWM_DEBUG_RESET,
1753 				    "NVM access command failed on offset 0x%x since that section size is multiple 2K\n",
1754 				    offset);
1755 			*len = 0;
1756 			ret = 0;
1757 		} else {
1758 			IWM_DPRINTF(sc, IWM_DEBUG_EEPROM | IWM_DEBUG_RESET,
1759 				    "NVM access command failed with status %d\n", ret);
1760 			ret = EIO;
1761 		}
1762 		goto exit;
1763 	}
1764 
1765 	if (offset_read != offset) {
1766 		device_printf(sc->sc_dev,
1767 		    "NVM ACCESS response with invalid offset %d\n",
1768 		    offset_read);
1769 		ret = EINVAL;
1770 		goto exit;
1771 	}
1772 
1773 	if (bytes_read > length) {
1774 		device_printf(sc->sc_dev,
1775 		    "NVM ACCESS response with too much data "
1776 		    "(%d bytes requested, %d bytes received)\n",
1777 		    length, bytes_read);
1778 		ret = EINVAL;
1779 		goto exit;
1780 	}
1781 
1782 	/* Write data to NVM */
1783 	memcpy(data + offset, resp_data, bytes_read);
1784 	*len = bytes_read;
1785 
1786  exit:
1787 	iwm_free_resp(sc, &cmd);
1788 	return ret;
1789 }
1790 
1791 /*
1792  * Reads an NVM section completely.
1793  * NICs prior to 7000 family don't have a real NVM, but just read
1794  * section 0 which is the EEPROM. Because the EEPROM reading is unlimited
1795  * by uCode, we need to manually check in this case that we don't
1796  * overflow and try to read more than the EEPROM size.
1797  * For 7000 family NICs, we supply the maximal size we can read, and
1798  * the uCode fills the response with as much data as we can,
1799  * without overflowing, so no check is needed.
1800  */
1801 static int
1802 iwm_nvm_read_section(struct iwm_softc *sc,
1803 	uint16_t section, uint8_t *data, uint16_t *len, uint32_t size_read)
1804 {
1805 	uint16_t seglen, length, offset = 0;
1806 	int ret;
1807 
1808 	/* Set nvm section read length */
1809 	length = IWM_NVM_DEFAULT_CHUNK_SIZE;
1810 
1811 	seglen = length;
1812 
1813 	/* Read the NVM until exhausted (reading less than requested) */
1814 	while (seglen == length) {
1815 		/* Check no memory assumptions fail and cause an overflow */
1816 		if ((size_read + offset + length) >
1817 		    sc->cfg->eeprom_size) {
1818 			device_printf(sc->sc_dev,
1819 			    "EEPROM size is too small for NVM\n");
1820 			return ENOBUFS;
1821 		}
1822 
1823 		ret = iwm_nvm_read_chunk(sc, section, offset, length, data, &seglen);
1824 		if (ret) {
1825 			IWM_DPRINTF(sc, IWM_DEBUG_EEPROM | IWM_DEBUG_RESET,
1826 				    "Cannot read NVM from section %d offset %d, length %d\n",
1827 				    section, offset, length);
1828 			return ret;
1829 		}
1830 		offset += seglen;
1831 	}
1832 
1833 	IWM_DPRINTF(sc, IWM_DEBUG_EEPROM | IWM_DEBUG_RESET,
1834 		    "NVM section %d read completed\n", section);
1835 	*len = offset;
1836 	return 0;
1837 }
1838 
1839 /*
1840  * BEGIN IWM_NVM_PARSE
1841  */
1842 
1843 /* iwlwifi/iwl-nvm-parse.c */
1844 
1845 /* NVM offsets (in words) definitions */
1846 enum iwm_nvm_offsets {
1847 	/* NVM HW-Section offset (in words) definitions */
1848 	IWM_HW_ADDR = 0x15,
1849 
1850 /* NVM SW-Section offset (in words) definitions */
1851 	IWM_NVM_SW_SECTION = 0x1C0,
1852 	IWM_NVM_VERSION = 0,
1853 	IWM_RADIO_CFG = 1,
1854 	IWM_SKU = 2,
1855 	IWM_N_HW_ADDRS = 3,
1856 	IWM_NVM_CHANNELS = 0x1E0 - IWM_NVM_SW_SECTION,
1857 
1858 /* NVM calibration section offset (in words) definitions */
1859 	IWM_NVM_CALIB_SECTION = 0x2B8,
1860 	IWM_XTAL_CALIB = 0x316 - IWM_NVM_CALIB_SECTION
1861 };
1862 
1863 enum iwm_8000_nvm_offsets {
1864 	/* NVM HW-Section offset (in words) definitions */
1865 	IWM_HW_ADDR0_WFPM_8000 = 0x12,
1866 	IWM_HW_ADDR1_WFPM_8000 = 0x16,
1867 	IWM_HW_ADDR0_PCIE_8000 = 0x8A,
1868 	IWM_HW_ADDR1_PCIE_8000 = 0x8E,
1869 	IWM_MAC_ADDRESS_OVERRIDE_8000 = 1,
1870 
1871 	/* NVM SW-Section offset (in words) definitions */
1872 	IWM_NVM_SW_SECTION_8000 = 0x1C0,
1873 	IWM_NVM_VERSION_8000 = 0,
1874 	IWM_RADIO_CFG_8000 = 0,
1875 	IWM_SKU_8000 = 2,
1876 	IWM_N_HW_ADDRS_8000 = 3,
1877 
1878 	/* NVM REGULATORY -Section offset (in words) definitions */
1879 	IWM_NVM_CHANNELS_8000 = 0,
1880 	IWM_NVM_LAR_OFFSET_8000_OLD = 0x4C7,
1881 	IWM_NVM_LAR_OFFSET_8000 = 0x507,
1882 	IWM_NVM_LAR_ENABLED_8000 = 0x7,
1883 
1884 	/* NVM calibration section offset (in words) definitions */
1885 	IWM_NVM_CALIB_SECTION_8000 = 0x2B8,
1886 	IWM_XTAL_CALIB_8000 = 0x316 - IWM_NVM_CALIB_SECTION_8000
1887 };
1888 
1889 /* SKU Capabilities (actual values from NVM definition) */
1890 enum nvm_sku_bits {
1891 	IWM_NVM_SKU_CAP_BAND_24GHZ	= (1 << 0),
1892 	IWM_NVM_SKU_CAP_BAND_52GHZ	= (1 << 1),
1893 	IWM_NVM_SKU_CAP_11N_ENABLE	= (1 << 2),
1894 	IWM_NVM_SKU_CAP_11AC_ENABLE	= (1 << 3),
1895 };
1896 
1897 /* radio config bits (actual values from NVM definition) */
1898 #define IWM_NVM_RF_CFG_DASH_MSK(x)   (x & 0x3)         /* bits 0-1   */
1899 #define IWM_NVM_RF_CFG_STEP_MSK(x)   ((x >> 2)  & 0x3) /* bits 2-3   */
1900 #define IWM_NVM_RF_CFG_TYPE_MSK(x)   ((x >> 4)  & 0x3) /* bits 4-5   */
1901 #define IWM_NVM_RF_CFG_PNUM_MSK(x)   ((x >> 6)  & 0x3) /* bits 6-7   */
1902 #define IWM_NVM_RF_CFG_TX_ANT_MSK(x) ((x >> 8)  & 0xF) /* bits 8-11  */
1903 #define IWM_NVM_RF_CFG_RX_ANT_MSK(x) ((x >> 12) & 0xF) /* bits 12-15 */
1904 
1905 #define IWM_NVM_RF_CFG_FLAVOR_MSK_8000(x)	(x & 0xF)
1906 #define IWM_NVM_RF_CFG_DASH_MSK_8000(x)		((x >> 4) & 0xF)
1907 #define IWM_NVM_RF_CFG_STEP_MSK_8000(x)		((x >> 8) & 0xF)
1908 #define IWM_NVM_RF_CFG_TYPE_MSK_8000(x)		((x >> 12) & 0xFFF)
1909 #define IWM_NVM_RF_CFG_TX_ANT_MSK_8000(x)	((x >> 24) & 0xF)
1910 #define IWM_NVM_RF_CFG_RX_ANT_MSK_8000(x)	((x >> 28) & 0xF)
1911 
1912 #define DEFAULT_MAX_TX_POWER 16
1913 
1914 /**
1915  * enum iwm_nvm_channel_flags - channel flags in NVM
1916  * @IWM_NVM_CHANNEL_VALID: channel is usable for this SKU/geo
1917  * @IWM_NVM_CHANNEL_IBSS: usable as an IBSS channel
1918  * @IWM_NVM_CHANNEL_ACTIVE: active scanning allowed
1919  * @IWM_NVM_CHANNEL_RADAR: radar detection required
1920  * XXX cannot find this (DFS) flag in iwm-nvm-parse.c
1921  * @IWM_NVM_CHANNEL_DFS: dynamic freq selection candidate
1922  * @IWM_NVM_CHANNEL_WIDE: 20 MHz channel okay (?)
1923  * @IWM_NVM_CHANNEL_40MHZ: 40 MHz channel okay (?)
1924  * @IWM_NVM_CHANNEL_80MHZ: 80 MHz channel okay (?)
1925  * @IWM_NVM_CHANNEL_160MHZ: 160 MHz channel okay (?)
1926  */
1927 enum iwm_nvm_channel_flags {
1928 	IWM_NVM_CHANNEL_VALID = (1 << 0),
1929 	IWM_NVM_CHANNEL_IBSS = (1 << 1),
1930 	IWM_NVM_CHANNEL_ACTIVE = (1 << 3),
1931 	IWM_NVM_CHANNEL_RADAR = (1 << 4),
1932 	IWM_NVM_CHANNEL_DFS = (1 << 7),
1933 	IWM_NVM_CHANNEL_WIDE = (1 << 8),
1934 	IWM_NVM_CHANNEL_40MHZ = (1 << 9),
1935 	IWM_NVM_CHANNEL_80MHZ = (1 << 10),
1936 	IWM_NVM_CHANNEL_160MHZ = (1 << 11),
1937 };
1938 
1939 /*
1940  * Translate EEPROM flags to net80211.
1941  */
1942 static uint32_t
1943 iwm_eeprom_channel_flags(uint16_t ch_flags)
1944 {
1945 	uint32_t nflags;
1946 
1947 	nflags = 0;
1948 	if ((ch_flags & IWM_NVM_CHANNEL_ACTIVE) == 0)
1949 		nflags |= IEEE80211_CHAN_PASSIVE;
1950 	if ((ch_flags & IWM_NVM_CHANNEL_IBSS) == 0)
1951 		nflags |= IEEE80211_CHAN_NOADHOC;
1952 	if (ch_flags & IWM_NVM_CHANNEL_RADAR) {
1953 		nflags |= IEEE80211_CHAN_DFS;
1954 		/* Just in case. */
1955 		nflags |= IEEE80211_CHAN_NOADHOC;
1956 	}
1957 
1958 	return (nflags);
1959 }
1960 
1961 static void
1962 iwm_add_channel_band(struct iwm_softc *sc, struct ieee80211_channel chans[],
1963     int maxchans, int *nchans, int ch_idx, size_t ch_num,
1964     const uint8_t bands[])
1965 {
1966 	const uint16_t * const nvm_ch_flags = sc->nvm_data->nvm_ch_flags;
1967 	uint32_t nflags;
1968 	uint16_t ch_flags;
1969 	uint8_t ieee;
1970 	int error;
1971 
1972 	for (; ch_idx < ch_num; ch_idx++) {
1973 		ch_flags = le16_to_cpup(nvm_ch_flags + ch_idx);
1974 		if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000)
1975 			ieee = iwm_nvm_channels[ch_idx];
1976 		else
1977 			ieee = iwm_nvm_channels_8000[ch_idx];
1978 
1979 		if (!(ch_flags & IWM_NVM_CHANNEL_VALID)) {
1980 			IWM_DPRINTF(sc, IWM_DEBUG_EEPROM,
1981 			    "Ch. %d Flags %x [%sGHz] - No traffic\n",
1982 			    ieee, ch_flags,
1983 			    (ch_idx >= IWM_NUM_2GHZ_CHANNELS) ?
1984 			    "5.2" : "2.4");
1985 			continue;
1986 		}
1987 
1988 		nflags = iwm_eeprom_channel_flags(ch_flags);
1989 		error = ieee80211_add_channel(chans, maxchans, nchans,
1990 		    ieee, 0, 0, nflags, bands);
1991 		if (error != 0)
1992 			break;
1993 
1994 		IWM_DPRINTF(sc, IWM_DEBUG_EEPROM,
1995 		    "Ch. %d Flags %x [%sGHz] - Added\n",
1996 		    ieee, ch_flags,
1997 		    (ch_idx >= IWM_NUM_2GHZ_CHANNELS) ?
1998 		    "5.2" : "2.4");
1999 	}
2000 }
2001 
2002 static void
2003 iwm_init_channel_map(struct ieee80211com *ic, int maxchans, int *nchans,
2004     struct ieee80211_channel chans[])
2005 {
2006 	struct iwm_softc *sc = ic->ic_softc;
2007 	struct iwm_nvm_data *data = sc->nvm_data;
2008 	uint8_t bands[IEEE80211_MODE_BYTES];
2009 	size_t ch_num;
2010 
2011 	memset(bands, 0, sizeof(bands));
2012 	/* 1-13: 11b/g channels. */
2013 	setbit(bands, IEEE80211_MODE_11B);
2014 	setbit(bands, IEEE80211_MODE_11G);
2015 	iwm_add_channel_band(sc, chans, maxchans, nchans, 0,
2016 	    IWM_NUM_2GHZ_CHANNELS - 1, bands);
2017 
2018 	/* 14: 11b channel only. */
2019 	clrbit(bands, IEEE80211_MODE_11G);
2020 	iwm_add_channel_band(sc, chans, maxchans, nchans,
2021 	    IWM_NUM_2GHZ_CHANNELS - 1, IWM_NUM_2GHZ_CHANNELS, bands);
2022 
2023 	if (data->sku_cap_band_52GHz_enable) {
2024 		if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000)
2025 			ch_num = nitems(iwm_nvm_channels);
2026 		else
2027 			ch_num = nitems(iwm_nvm_channels_8000);
2028 		memset(bands, 0, sizeof(bands));
2029 		setbit(bands, IEEE80211_MODE_11A);
2030 		iwm_add_channel_band(sc, chans, maxchans, nchans,
2031 		    IWM_NUM_2GHZ_CHANNELS, ch_num, bands);
2032 	}
2033 }
2034 
2035 static void
2036 iwm_set_hw_address_family_8000(struct iwm_softc *sc, struct iwm_nvm_data *data,
2037 	const uint16_t *mac_override, const uint16_t *nvm_hw)
2038 {
2039 	const uint8_t *hw_addr;
2040 
2041 	if (mac_override) {
2042 		static const uint8_t reserved_mac[] = {
2043 			0x02, 0xcc, 0xaa, 0xff, 0xee, 0x00
2044 		};
2045 
2046 		hw_addr = (const uint8_t *)(mac_override +
2047 				 IWM_MAC_ADDRESS_OVERRIDE_8000);
2048 
2049 		/*
2050 		 * Store the MAC address from MAO section.
2051 		 * No byte swapping is required in MAO section
2052 		 */
2053 		IEEE80211_ADDR_COPY(data->hw_addr, hw_addr);
2054 
2055 		/*
2056 		 * Force the use of the OTP MAC address in case of reserved MAC
2057 		 * address in the NVM, or if address is given but invalid.
2058 		 */
2059 		if (!IEEE80211_ADDR_EQ(reserved_mac, hw_addr) &&
2060 		    !IEEE80211_ADDR_EQ(ieee80211broadcastaddr, data->hw_addr) &&
2061 		    iwm_is_valid_ether_addr(data->hw_addr) &&
2062 		    !IEEE80211_IS_MULTICAST(data->hw_addr))
2063 			return;
2064 
2065 		IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2066 		    "%s: mac address from nvm override section invalid\n",
2067 		    __func__);
2068 	}
2069 
2070 	if (nvm_hw) {
2071 		/* read the mac address from WFMP registers */
2072 		uint32_t mac_addr0 =
2073 		    htole32(iwm_read_prph(sc, IWM_WFMP_MAC_ADDR_0));
2074 		uint32_t mac_addr1 =
2075 		    htole32(iwm_read_prph(sc, IWM_WFMP_MAC_ADDR_1));
2076 
2077 		hw_addr = (const uint8_t *)&mac_addr0;
2078 		data->hw_addr[0] = hw_addr[3];
2079 		data->hw_addr[1] = hw_addr[2];
2080 		data->hw_addr[2] = hw_addr[1];
2081 		data->hw_addr[3] = hw_addr[0];
2082 
2083 		hw_addr = (const uint8_t *)&mac_addr1;
2084 		data->hw_addr[4] = hw_addr[1];
2085 		data->hw_addr[5] = hw_addr[0];
2086 
2087 		return;
2088 	}
2089 
2090 	device_printf(sc->sc_dev, "%s: mac address not found\n", __func__);
2091 	memset(data->hw_addr, 0, sizeof(data->hw_addr));
2092 }
2093 
2094 static int
2095 iwm_get_sku(const struct iwm_softc *sc, const uint16_t *nvm_sw,
2096 	    const uint16_t *phy_sku)
2097 {
2098 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000)
2099 		return le16_to_cpup(nvm_sw + IWM_SKU);
2100 
2101 	return le32_to_cpup((const uint32_t *)(phy_sku + IWM_SKU_8000));
2102 }
2103 
2104 static int
2105 iwm_get_nvm_version(const struct iwm_softc *sc, const uint16_t *nvm_sw)
2106 {
2107 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000)
2108 		return le16_to_cpup(nvm_sw + IWM_NVM_VERSION);
2109 	else
2110 		return le32_to_cpup((const uint32_t *)(nvm_sw +
2111 						IWM_NVM_VERSION_8000));
2112 }
2113 
2114 static int
2115 iwm_get_radio_cfg(const struct iwm_softc *sc, const uint16_t *nvm_sw,
2116 		  const uint16_t *phy_sku)
2117 {
2118         if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000)
2119                 return le16_to_cpup(nvm_sw + IWM_RADIO_CFG);
2120 
2121         return le32_to_cpup((const uint32_t *)(phy_sku + IWM_RADIO_CFG_8000));
2122 }
2123 
2124 static int
2125 iwm_get_n_hw_addrs(const struct iwm_softc *sc, const uint16_t *nvm_sw)
2126 {
2127 	int n_hw_addr;
2128 
2129 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000)
2130 		return le16_to_cpup(nvm_sw + IWM_N_HW_ADDRS);
2131 
2132 	n_hw_addr = le32_to_cpup((const uint32_t *)(nvm_sw + IWM_N_HW_ADDRS_8000));
2133 
2134         return n_hw_addr & IWM_N_HW_ADDR_MASK;
2135 }
2136 
2137 static void
2138 iwm_set_radio_cfg(const struct iwm_softc *sc, struct iwm_nvm_data *data,
2139 		  uint32_t radio_cfg)
2140 {
2141 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000) {
2142 		data->radio_cfg_type = IWM_NVM_RF_CFG_TYPE_MSK(radio_cfg);
2143 		data->radio_cfg_step = IWM_NVM_RF_CFG_STEP_MSK(radio_cfg);
2144 		data->radio_cfg_dash = IWM_NVM_RF_CFG_DASH_MSK(radio_cfg);
2145 		data->radio_cfg_pnum = IWM_NVM_RF_CFG_PNUM_MSK(radio_cfg);
2146 		return;
2147 	}
2148 
2149 	/* set the radio configuration for family 8000 */
2150 	data->radio_cfg_type = IWM_NVM_RF_CFG_TYPE_MSK_8000(radio_cfg);
2151 	data->radio_cfg_step = IWM_NVM_RF_CFG_STEP_MSK_8000(radio_cfg);
2152 	data->radio_cfg_dash = IWM_NVM_RF_CFG_DASH_MSK_8000(radio_cfg);
2153 	data->radio_cfg_pnum = IWM_NVM_RF_CFG_FLAVOR_MSK_8000(radio_cfg);
2154 	data->valid_tx_ant = IWM_NVM_RF_CFG_TX_ANT_MSK_8000(radio_cfg);
2155 	data->valid_rx_ant = IWM_NVM_RF_CFG_RX_ANT_MSK_8000(radio_cfg);
2156 }
2157 
2158 static int
2159 iwm_set_hw_address(struct iwm_softc *sc, struct iwm_nvm_data *data,
2160 		   const uint16_t *nvm_hw, const uint16_t *mac_override)
2161 {
2162 #ifdef notyet /* for FAMILY 9000 */
2163 	if (cfg->mac_addr_from_csr) {
2164 		iwm_set_hw_address_from_csr(sc, data);
2165         } else
2166 #endif
2167 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000) {
2168 		const uint8_t *hw_addr = (const uint8_t *)(nvm_hw + IWM_HW_ADDR);
2169 
2170 		/* The byte order is little endian 16 bit, meaning 214365 */
2171 		data->hw_addr[0] = hw_addr[1];
2172 		data->hw_addr[1] = hw_addr[0];
2173 		data->hw_addr[2] = hw_addr[3];
2174 		data->hw_addr[3] = hw_addr[2];
2175 		data->hw_addr[4] = hw_addr[5];
2176 		data->hw_addr[5] = hw_addr[4];
2177 	} else {
2178 		iwm_set_hw_address_family_8000(sc, data, mac_override, nvm_hw);
2179 	}
2180 
2181 	if (!iwm_is_valid_ether_addr(data->hw_addr)) {
2182 		device_printf(sc->sc_dev, "no valid mac address was found\n");
2183 		return EINVAL;
2184 	}
2185 
2186 	return 0;
2187 }
2188 
2189 static struct iwm_nvm_data *
2190 iwm_parse_nvm_data(struct iwm_softc *sc,
2191 		   const uint16_t *nvm_hw, const uint16_t *nvm_sw,
2192 		   const uint16_t *nvm_calib, const uint16_t *mac_override,
2193 		   const uint16_t *phy_sku, const uint16_t *regulatory)
2194 {
2195 	struct iwm_nvm_data *data;
2196 	uint32_t sku, radio_cfg;
2197 	uint16_t lar_config;
2198 
2199 	if (sc->cfg->device_family != IWM_DEVICE_FAMILY_8000) {
2200 		data = malloc(sizeof(*data) +
2201 		    IWM_NUM_CHANNELS * sizeof(uint16_t),
2202 		    M_DEVBUF, M_NOWAIT | M_ZERO);
2203 	} else {
2204 		data = malloc(sizeof(*data) +
2205 		    IWM_NUM_CHANNELS_8000 * sizeof(uint16_t),
2206 		    M_DEVBUF, M_NOWAIT | M_ZERO);
2207 	}
2208 	if (!data)
2209 		return NULL;
2210 
2211 	data->nvm_version = iwm_get_nvm_version(sc, nvm_sw);
2212 
2213 	radio_cfg = iwm_get_radio_cfg(sc, nvm_sw, phy_sku);
2214 	iwm_set_radio_cfg(sc, data, radio_cfg);
2215 
2216 	sku = iwm_get_sku(sc, nvm_sw, phy_sku);
2217 	data->sku_cap_band_24GHz_enable = sku & IWM_NVM_SKU_CAP_BAND_24GHZ;
2218 	data->sku_cap_band_52GHz_enable = sku & IWM_NVM_SKU_CAP_BAND_52GHZ;
2219 	data->sku_cap_11n_enable = 0;
2220 
2221 	data->n_hw_addrs = iwm_get_n_hw_addrs(sc, nvm_sw);
2222 
2223 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000) {
2224 		uint16_t lar_offset = data->nvm_version < 0xE39 ?
2225 				       IWM_NVM_LAR_OFFSET_8000_OLD :
2226 				       IWM_NVM_LAR_OFFSET_8000;
2227 
2228 		lar_config = le16_to_cpup(regulatory + lar_offset);
2229 		data->lar_enabled = !!(lar_config &
2230 				       IWM_NVM_LAR_ENABLED_8000);
2231 	}
2232 
2233 	/* If no valid mac address was found - bail out */
2234 	if (iwm_set_hw_address(sc, data, nvm_hw, mac_override)) {
2235 		free(data, M_DEVBUF);
2236 		return NULL;
2237 	}
2238 
2239 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000) {
2240 		memcpy(data->nvm_ch_flags, &nvm_sw[IWM_NVM_CHANNELS],
2241 		    IWM_NUM_CHANNELS * sizeof(uint16_t));
2242 	} else {
2243 		memcpy(data->nvm_ch_flags, &regulatory[IWM_NVM_CHANNELS_8000],
2244 		    IWM_NUM_CHANNELS_8000 * sizeof(uint16_t));
2245 	}
2246 
2247 	return data;
2248 }
2249 
2250 static void
2251 iwm_free_nvm_data(struct iwm_nvm_data *data)
2252 {
2253 	if (data != NULL)
2254 		free(data, M_DEVBUF);
2255 }
2256 
2257 static struct iwm_nvm_data *
2258 iwm_parse_nvm_sections(struct iwm_softc *sc, struct iwm_nvm_section *sections)
2259 {
2260 	const uint16_t *hw, *sw, *calib, *regulatory, *mac_override, *phy_sku;
2261 
2262 	/* Checking for required sections */
2263 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000) {
2264 		if (!sections[IWM_NVM_SECTION_TYPE_SW].data ||
2265 		    !sections[sc->cfg->nvm_hw_section_num].data) {
2266 			device_printf(sc->sc_dev,
2267 			    "Can't parse empty OTP/NVM sections\n");
2268 			return NULL;
2269 		}
2270 	} else if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000) {
2271 		/* SW and REGULATORY sections are mandatory */
2272 		if (!sections[IWM_NVM_SECTION_TYPE_SW].data ||
2273 		    !sections[IWM_NVM_SECTION_TYPE_REGULATORY].data) {
2274 			device_printf(sc->sc_dev,
2275 			    "Can't parse empty OTP/NVM sections\n");
2276 			return NULL;
2277 		}
2278 		/* MAC_OVERRIDE or at least HW section must exist */
2279 		if (!sections[sc->cfg->nvm_hw_section_num].data &&
2280 		    !sections[IWM_NVM_SECTION_TYPE_MAC_OVERRIDE].data) {
2281 			device_printf(sc->sc_dev,
2282 			    "Can't parse mac_address, empty sections\n");
2283 			return NULL;
2284 		}
2285 
2286 		/* PHY_SKU section is mandatory in B0 */
2287 		if (!sections[IWM_NVM_SECTION_TYPE_PHY_SKU].data) {
2288 			device_printf(sc->sc_dev,
2289 			    "Can't parse phy_sku in B0, empty sections\n");
2290 			return NULL;
2291 		}
2292 	} else {
2293 		panic("unknown device family %d\n", sc->cfg->device_family);
2294 	}
2295 
2296 	hw = (const uint16_t *) sections[sc->cfg->nvm_hw_section_num].data;
2297 	sw = (const uint16_t *)sections[IWM_NVM_SECTION_TYPE_SW].data;
2298 	calib = (const uint16_t *)
2299 	    sections[IWM_NVM_SECTION_TYPE_CALIBRATION].data;
2300 	regulatory = (const uint16_t *)
2301 	    sections[IWM_NVM_SECTION_TYPE_REGULATORY].data;
2302 	mac_override = (const uint16_t *)
2303 	    sections[IWM_NVM_SECTION_TYPE_MAC_OVERRIDE].data;
2304 	phy_sku = (const uint16_t *)sections[IWM_NVM_SECTION_TYPE_PHY_SKU].data;
2305 
2306 	return iwm_parse_nvm_data(sc, hw, sw, calib, mac_override,
2307 	    phy_sku, regulatory);
2308 }
2309 
2310 static int
2311 iwm_nvm_init(struct iwm_softc *sc)
2312 {
2313 	struct iwm_nvm_section nvm_sections[IWM_NVM_MAX_NUM_SECTIONS];
2314 	int i, ret, section;
2315 	uint32_t size_read = 0;
2316 	uint8_t *nvm_buffer, *temp;
2317 	uint16_t len;
2318 
2319 	memset(nvm_sections, 0, sizeof(nvm_sections));
2320 
2321 	if (sc->cfg->nvm_hw_section_num >= IWM_NVM_MAX_NUM_SECTIONS)
2322 		return EINVAL;
2323 
2324 	/* load NVM values from nic */
2325 	/* Read From FW NVM */
2326 	IWM_DPRINTF(sc, IWM_DEBUG_EEPROM, "Read from NVM\n");
2327 
2328 	nvm_buffer = malloc(sc->cfg->eeprom_size, M_DEVBUF, M_NOWAIT | M_ZERO);
2329 	if (!nvm_buffer)
2330 		return ENOMEM;
2331 	for (section = 0; section < IWM_NVM_MAX_NUM_SECTIONS; section++) {
2332 		/* we override the constness for initial read */
2333 		ret = iwm_nvm_read_section(sc, section, nvm_buffer,
2334 					   &len, size_read);
2335 		if (ret)
2336 			continue;
2337 		size_read += len;
2338 		temp = malloc(len, M_DEVBUF, M_NOWAIT);
2339 		if (!temp) {
2340 			ret = ENOMEM;
2341 			break;
2342 		}
2343 		memcpy(temp, nvm_buffer, len);
2344 
2345 		nvm_sections[section].data = temp;
2346 		nvm_sections[section].length = len;
2347 	}
2348 	if (!size_read)
2349 		device_printf(sc->sc_dev, "OTP is blank\n");
2350 	free(nvm_buffer, M_DEVBUF);
2351 
2352 	sc->nvm_data = iwm_parse_nvm_sections(sc, nvm_sections);
2353 	if (!sc->nvm_data)
2354 		return EINVAL;
2355 	IWM_DPRINTF(sc, IWM_DEBUG_EEPROM | IWM_DEBUG_RESET,
2356 		    "nvm version = %x\n", sc->nvm_data->nvm_version);
2357 
2358 	for (i = 0; i < IWM_NVM_MAX_NUM_SECTIONS; i++) {
2359 		if (nvm_sections[i].data != NULL)
2360 			free(nvm_sections[i].data, M_DEVBUF);
2361 	}
2362 
2363 	return 0;
2364 }
2365 
2366 static int
2367 iwm_pcie_load_section(struct iwm_softc *sc, uint8_t section_num,
2368 	const struct iwm_fw_desc *section)
2369 {
2370 	struct iwm_dma_info *dma = &sc->fw_dma;
2371 	uint8_t *v_addr;
2372 	bus_addr_t p_addr;
2373 	uint32_t offset, chunk_sz = MIN(IWM_FH_MEM_TB_MAX_LENGTH, section->len);
2374 	int ret = 0;
2375 
2376 	IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2377 		    "%s: [%d] uCode section being loaded...\n",
2378 		    __func__, section_num);
2379 
2380 	v_addr = dma->vaddr;
2381 	p_addr = dma->paddr;
2382 
2383 	for (offset = 0; offset < section->len; offset += chunk_sz) {
2384 		uint32_t copy_size, dst_addr;
2385 		int extended_addr = FALSE;
2386 
2387 		copy_size = MIN(chunk_sz, section->len - offset);
2388 		dst_addr = section->offset + offset;
2389 
2390 		if (dst_addr >= IWM_FW_MEM_EXTENDED_START &&
2391 		    dst_addr <= IWM_FW_MEM_EXTENDED_END)
2392 			extended_addr = TRUE;
2393 
2394 		if (extended_addr)
2395 			iwm_set_bits_prph(sc, IWM_LMPM_CHICK,
2396 					  IWM_LMPM_CHICK_EXTENDED_ADDR_SPACE);
2397 
2398 		memcpy(v_addr, (const uint8_t *)section->data + offset,
2399 		    copy_size);
2400 		bus_dmamap_sync(dma->tag, dma->map, BUS_DMASYNC_PREWRITE);
2401 		ret = iwm_pcie_load_firmware_chunk(sc, dst_addr, p_addr,
2402 						   copy_size);
2403 
2404 		if (extended_addr)
2405 			iwm_clear_bits_prph(sc, IWM_LMPM_CHICK,
2406 					    IWM_LMPM_CHICK_EXTENDED_ADDR_SPACE);
2407 
2408 		if (ret) {
2409 			device_printf(sc->sc_dev,
2410 			    "%s: Could not load the [%d] uCode section\n",
2411 			    __func__, section_num);
2412 			break;
2413 		}
2414 	}
2415 
2416 	return ret;
2417 }
2418 
2419 /*
2420  * ucode
2421  */
2422 static int
2423 iwm_pcie_load_firmware_chunk(struct iwm_softc *sc, uint32_t dst_addr,
2424 			     bus_addr_t phy_addr, uint32_t byte_cnt)
2425 {
2426 	int ret;
2427 
2428 	sc->sc_fw_chunk_done = 0;
2429 
2430 	if (!iwm_nic_lock(sc))
2431 		return EBUSY;
2432 
2433 	IWM_WRITE(sc, IWM_FH_TCSR_CHNL_TX_CONFIG_REG(IWM_FH_SRVC_CHNL),
2434 	    IWM_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_PAUSE);
2435 
2436 	IWM_WRITE(sc, IWM_FH_SRVC_CHNL_SRAM_ADDR_REG(IWM_FH_SRVC_CHNL),
2437 	    dst_addr);
2438 
2439 	IWM_WRITE(sc, IWM_FH_TFDIB_CTRL0_REG(IWM_FH_SRVC_CHNL),
2440 	    phy_addr & IWM_FH_MEM_TFDIB_DRAM_ADDR_LSB_MSK);
2441 
2442 	IWM_WRITE(sc, IWM_FH_TFDIB_CTRL1_REG(IWM_FH_SRVC_CHNL),
2443 	    (iwm_get_dma_hi_addr(phy_addr)
2444 	     << IWM_FH_MEM_TFDIB_REG1_ADDR_BITSHIFT) | byte_cnt);
2445 
2446 	IWM_WRITE(sc, IWM_FH_TCSR_CHNL_TX_BUF_STS_REG(IWM_FH_SRVC_CHNL),
2447 	    1 << IWM_FH_TCSR_CHNL_TX_BUF_STS_REG_POS_TB_NUM |
2448 	    1 << IWM_FH_TCSR_CHNL_TX_BUF_STS_REG_POS_TB_IDX |
2449 	    IWM_FH_TCSR_CHNL_TX_BUF_STS_REG_VAL_TFDB_VALID);
2450 
2451 	IWM_WRITE(sc, IWM_FH_TCSR_CHNL_TX_CONFIG_REG(IWM_FH_SRVC_CHNL),
2452 	    IWM_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_ENABLE    |
2453 	    IWM_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CREDIT_DISABLE |
2454 	    IWM_FH_TCSR_TX_CONFIG_REG_VAL_CIRQ_HOST_ENDTFD);
2455 
2456 	iwm_nic_unlock(sc);
2457 
2458 	/* wait up to 5s for this segment to load */
2459 	ret = 0;
2460 	while (!sc->sc_fw_chunk_done) {
2461 		ret = msleep(&sc->sc_fw, &sc->sc_mtx, 0, "iwmfw", hz);
2462 		if (ret)
2463 			break;
2464 	}
2465 
2466 	if (ret != 0) {
2467 		device_printf(sc->sc_dev,
2468 		    "fw chunk addr 0x%x len %d failed to load\n",
2469 		    dst_addr, byte_cnt);
2470 		return ETIMEDOUT;
2471 	}
2472 
2473 	return 0;
2474 }
2475 
2476 static int
2477 iwm_pcie_load_cpu_sections_8000(struct iwm_softc *sc,
2478 	const struct iwm_fw_sects *image, int cpu, int *first_ucode_section)
2479 {
2480 	int shift_param;
2481 	int i, ret = 0, sec_num = 0x1;
2482 	uint32_t val, last_read_idx = 0;
2483 
2484 	if (cpu == 1) {
2485 		shift_param = 0;
2486 		*first_ucode_section = 0;
2487 	} else {
2488 		shift_param = 16;
2489 		(*first_ucode_section)++;
2490 	}
2491 
2492 	for (i = *first_ucode_section; i < IWM_UCODE_SECTION_MAX; i++) {
2493 		last_read_idx = i;
2494 
2495 		/*
2496 		 * CPU1_CPU2_SEPARATOR_SECTION delimiter - separate between
2497 		 * CPU1 to CPU2.
2498 		 * PAGING_SEPARATOR_SECTION delimiter - separate between
2499 		 * CPU2 non paged to CPU2 paging sec.
2500 		 */
2501 		if (!image->fw_sect[i].data ||
2502 		    image->fw_sect[i].offset == IWM_CPU1_CPU2_SEPARATOR_SECTION ||
2503 		    image->fw_sect[i].offset == IWM_PAGING_SEPARATOR_SECTION) {
2504 			IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2505 				    "Break since Data not valid or Empty section, sec = %d\n",
2506 				    i);
2507 			break;
2508 		}
2509 		ret = iwm_pcie_load_section(sc, i, &image->fw_sect[i]);
2510 		if (ret)
2511 			return ret;
2512 
2513 		/* Notify the ucode of the loaded section number and status */
2514 		if (iwm_nic_lock(sc)) {
2515 			val = IWM_READ(sc, IWM_FH_UCODE_LOAD_STATUS);
2516 			val = val | (sec_num << shift_param);
2517 			IWM_WRITE(sc, IWM_FH_UCODE_LOAD_STATUS, val);
2518 			sec_num = (sec_num << 1) | 0x1;
2519 			iwm_nic_unlock(sc);
2520 		}
2521 	}
2522 
2523 	*first_ucode_section = last_read_idx;
2524 
2525 	iwm_enable_interrupts(sc);
2526 
2527 	if (iwm_nic_lock(sc)) {
2528 		if (cpu == 1)
2529 			IWM_WRITE(sc, IWM_FH_UCODE_LOAD_STATUS, 0xFFFF);
2530 		else
2531 			IWM_WRITE(sc, IWM_FH_UCODE_LOAD_STATUS, 0xFFFFFFFF);
2532 		iwm_nic_unlock(sc);
2533 	}
2534 
2535 	return 0;
2536 }
2537 
2538 static int
2539 iwm_pcie_load_cpu_sections(struct iwm_softc *sc,
2540 	const struct iwm_fw_sects *image, int cpu, int *first_ucode_section)
2541 {
2542 	int shift_param;
2543 	int i, ret = 0;
2544 	uint32_t last_read_idx = 0;
2545 
2546 	if (cpu == 1) {
2547 		shift_param = 0;
2548 		*first_ucode_section = 0;
2549 	} else {
2550 		shift_param = 16;
2551 		(*first_ucode_section)++;
2552 	}
2553 
2554 	for (i = *first_ucode_section; i < IWM_UCODE_SECTION_MAX; i++) {
2555 		last_read_idx = i;
2556 
2557 		/*
2558 		 * CPU1_CPU2_SEPARATOR_SECTION delimiter - separate between
2559 		 * CPU1 to CPU2.
2560 		 * PAGING_SEPARATOR_SECTION delimiter - separate between
2561 		 * CPU2 non paged to CPU2 paging sec.
2562 		 */
2563 		if (!image->fw_sect[i].data ||
2564 		    image->fw_sect[i].offset == IWM_CPU1_CPU2_SEPARATOR_SECTION ||
2565 		    image->fw_sect[i].offset == IWM_PAGING_SEPARATOR_SECTION) {
2566 			IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2567 				    "Break since Data not valid or Empty section, sec = %d\n",
2568 				     i);
2569 			break;
2570 		}
2571 
2572 		ret = iwm_pcie_load_section(sc, i, &image->fw_sect[i]);
2573 		if (ret)
2574 			return ret;
2575 	}
2576 
2577 	*first_ucode_section = last_read_idx;
2578 
2579 	return 0;
2580 
2581 }
2582 
2583 static int
2584 iwm_pcie_load_given_ucode(struct iwm_softc *sc,
2585 	const struct iwm_fw_sects *image)
2586 {
2587 	int ret = 0;
2588 	int first_ucode_section;
2589 
2590 	IWM_DPRINTF(sc, IWM_DEBUG_RESET, "working with %s CPU\n",
2591 		     image->is_dual_cpus ? "Dual" : "Single");
2592 
2593 	/* load to FW the binary non secured sections of CPU1 */
2594 	ret = iwm_pcie_load_cpu_sections(sc, image, 1, &first_ucode_section);
2595 	if (ret)
2596 		return ret;
2597 
2598 	if (image->is_dual_cpus) {
2599 		/* set CPU2 header address */
2600 		if (iwm_nic_lock(sc)) {
2601 			iwm_write_prph(sc,
2602 				       IWM_LMPM_SECURE_UCODE_LOAD_CPU2_HDR_ADDR,
2603 				       IWM_LMPM_SECURE_CPU2_HDR_MEM_SPACE);
2604 			iwm_nic_unlock(sc);
2605 		}
2606 
2607 		/* load to FW the binary sections of CPU2 */
2608 		ret = iwm_pcie_load_cpu_sections(sc, image, 2,
2609 						 &first_ucode_section);
2610 		if (ret)
2611 			return ret;
2612 	}
2613 
2614 	iwm_enable_interrupts(sc);
2615 
2616 	/* release CPU reset */
2617 	IWM_WRITE(sc, IWM_CSR_RESET, 0);
2618 
2619 	return 0;
2620 }
2621 
2622 int
2623 iwm_pcie_load_given_ucode_8000(struct iwm_softc *sc,
2624 	const struct iwm_fw_sects *image)
2625 {
2626 	int ret = 0;
2627 	int first_ucode_section;
2628 
2629 	IWM_DPRINTF(sc, IWM_DEBUG_RESET, "working with %s CPU\n",
2630 		    image->is_dual_cpus ? "Dual" : "Single");
2631 
2632 	/* configure the ucode to be ready to get the secured image */
2633 	/* release CPU reset */
2634 	if (iwm_nic_lock(sc)) {
2635 		iwm_write_prph(sc, IWM_RELEASE_CPU_RESET,
2636 		    IWM_RELEASE_CPU_RESET_BIT);
2637 		iwm_nic_unlock(sc);
2638 	}
2639 
2640 	/* load to FW the binary Secured sections of CPU1 */
2641 	ret = iwm_pcie_load_cpu_sections_8000(sc, image, 1,
2642 	    &first_ucode_section);
2643 	if (ret)
2644 		return ret;
2645 
2646 	/* load to FW the binary sections of CPU2 */
2647 	return iwm_pcie_load_cpu_sections_8000(sc, image, 2,
2648 	    &first_ucode_section);
2649 }
2650 
2651 /* XXX Get rid of this definition */
2652 static inline void
2653 iwm_enable_fw_load_int(struct iwm_softc *sc)
2654 {
2655 	IWM_DPRINTF(sc, IWM_DEBUG_INTR, "Enabling FW load interrupt\n");
2656 	sc->sc_intmask = IWM_CSR_INT_BIT_FH_TX;
2657 	IWM_WRITE(sc, IWM_CSR_INT_MASK, sc->sc_intmask);
2658 }
2659 
2660 /* XXX Add proper rfkill support code */
2661 static int
2662 iwm_start_fw(struct iwm_softc *sc,
2663 	const struct iwm_fw_sects *fw)
2664 {
2665 	int ret;
2666 
2667 	/* This may fail if AMT took ownership of the device */
2668 	if (iwm_prepare_card_hw(sc)) {
2669 		device_printf(sc->sc_dev,
2670 		    "%s: Exit HW not ready\n", __func__);
2671 		ret = EIO;
2672 		goto out;
2673 	}
2674 
2675 	IWM_WRITE(sc, IWM_CSR_INT, 0xFFFFFFFF);
2676 
2677 	iwm_disable_interrupts(sc);
2678 
2679 	/* make sure rfkill handshake bits are cleared */
2680 	IWM_WRITE(sc, IWM_CSR_UCODE_DRV_GP1_CLR, IWM_CSR_UCODE_SW_BIT_RFKILL);
2681 	IWM_WRITE(sc, IWM_CSR_UCODE_DRV_GP1_CLR,
2682 	    IWM_CSR_UCODE_DRV_GP1_BIT_CMD_BLOCKED);
2683 
2684 	/* clear (again), then enable host interrupts */
2685 	IWM_WRITE(sc, IWM_CSR_INT, 0xFFFFFFFF);
2686 
2687 	ret = iwm_nic_init(sc);
2688 	if (ret) {
2689 		device_printf(sc->sc_dev, "%s: Unable to init nic\n", __func__);
2690 		goto out;
2691 	}
2692 
2693 	/*
2694 	 * Now, we load the firmware and don't want to be interrupted, even
2695 	 * by the RF-Kill interrupt (hence mask all the interrupt besides the
2696 	 * FH_TX interrupt which is needed to load the firmware). If the
2697 	 * RF-Kill switch is toggled, we will find out after having loaded
2698 	 * the firmware and return the proper value to the caller.
2699 	 */
2700 	iwm_enable_fw_load_int(sc);
2701 
2702 	/* really make sure rfkill handshake bits are cleared */
2703 	/* maybe we should write a few times more?  just to make sure */
2704 	IWM_WRITE(sc, IWM_CSR_UCODE_DRV_GP1_CLR, IWM_CSR_UCODE_SW_BIT_RFKILL);
2705 	IWM_WRITE(sc, IWM_CSR_UCODE_DRV_GP1_CLR, IWM_CSR_UCODE_SW_BIT_RFKILL);
2706 
2707 	/* Load the given image to the HW */
2708 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000)
2709 		ret = iwm_pcie_load_given_ucode_8000(sc, fw);
2710 	else
2711 		ret = iwm_pcie_load_given_ucode(sc, fw);
2712 
2713 	/* XXX re-check RF-Kill state */
2714 
2715 out:
2716 	return ret;
2717 }
2718 
2719 static int
2720 iwm_send_tx_ant_cfg(struct iwm_softc *sc, uint8_t valid_tx_ant)
2721 {
2722 	struct iwm_tx_ant_cfg_cmd tx_ant_cmd = {
2723 		.valid = htole32(valid_tx_ant),
2724 	};
2725 
2726 	return iwm_mvm_send_cmd_pdu(sc, IWM_TX_ANT_CONFIGURATION_CMD,
2727 	    IWM_CMD_SYNC, sizeof(tx_ant_cmd), &tx_ant_cmd);
2728 }
2729 
2730 /* iwlwifi: mvm/fw.c */
2731 static int
2732 iwm_send_phy_cfg_cmd(struct iwm_softc *sc)
2733 {
2734 	struct iwm_phy_cfg_cmd phy_cfg_cmd;
2735 	enum iwm_ucode_type ucode_type = sc->cur_ucode;
2736 
2737 	/* Set parameters */
2738 	phy_cfg_cmd.phy_cfg = htole32(iwm_mvm_get_phy_config(sc));
2739 	phy_cfg_cmd.calib_control.event_trigger =
2740 	    sc->sc_default_calib[ucode_type].event_trigger;
2741 	phy_cfg_cmd.calib_control.flow_trigger =
2742 	    sc->sc_default_calib[ucode_type].flow_trigger;
2743 
2744 	IWM_DPRINTF(sc, IWM_DEBUG_CMD | IWM_DEBUG_RESET,
2745 	    "Sending Phy CFG command: 0x%x\n", phy_cfg_cmd.phy_cfg);
2746 	return iwm_mvm_send_cmd_pdu(sc, IWM_PHY_CONFIGURATION_CMD, IWM_CMD_SYNC,
2747 	    sizeof(phy_cfg_cmd), &phy_cfg_cmd);
2748 }
2749 
2750 static int
2751 iwm_alive_fn(struct iwm_softc *sc, struct iwm_rx_packet *pkt, void *data)
2752 {
2753 	struct iwm_mvm_alive_data *alive_data = data;
2754 	struct iwm_mvm_alive_resp_ver1 *palive1;
2755 	struct iwm_mvm_alive_resp_ver2 *palive2;
2756 	struct iwm_mvm_alive_resp *palive;
2757 
2758 	if (iwm_rx_packet_payload_len(pkt) == sizeof(*palive1)) {
2759 		palive1 = (void *)pkt->data;
2760 
2761 		sc->support_umac_log = FALSE;
2762                 sc->error_event_table =
2763                         le32toh(palive1->error_event_table_ptr);
2764                 sc->log_event_table =
2765                         le32toh(palive1->log_event_table_ptr);
2766                 alive_data->scd_base_addr = le32toh(palive1->scd_base_ptr);
2767 
2768                 alive_data->valid = le16toh(palive1->status) ==
2769                                     IWM_ALIVE_STATUS_OK;
2770                 IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2771 			    "Alive VER1 ucode status 0x%04x revision 0x%01X 0x%01X flags 0x%01X\n",
2772 			     le16toh(palive1->status), palive1->ver_type,
2773                              palive1->ver_subtype, palive1->flags);
2774 	} else if (iwm_rx_packet_payload_len(pkt) == sizeof(*palive2)) {
2775 		palive2 = (void *)pkt->data;
2776 		sc->error_event_table =
2777 			le32toh(palive2->error_event_table_ptr);
2778 		sc->log_event_table =
2779 			le32toh(palive2->log_event_table_ptr);
2780 		alive_data->scd_base_addr = le32toh(palive2->scd_base_ptr);
2781 		sc->umac_error_event_table =
2782                         le32toh(palive2->error_info_addr);
2783 
2784 		alive_data->valid = le16toh(palive2->status) ==
2785 				    IWM_ALIVE_STATUS_OK;
2786 		if (sc->umac_error_event_table)
2787 			sc->support_umac_log = TRUE;
2788 
2789 		IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2790 			    "Alive VER2 ucode status 0x%04x revision 0x%01X 0x%01X flags 0x%01X\n",
2791 			    le16toh(palive2->status), palive2->ver_type,
2792 			    palive2->ver_subtype, palive2->flags);
2793 
2794 		IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2795 			    "UMAC version: Major - 0x%x, Minor - 0x%x\n",
2796 			    palive2->umac_major, palive2->umac_minor);
2797 	} else if (iwm_rx_packet_payload_len(pkt) == sizeof(*palive)) {
2798 		palive = (void *)pkt->data;
2799 
2800 		sc->error_event_table =
2801 			le32toh(palive->error_event_table_ptr);
2802 		sc->log_event_table =
2803 			le32toh(palive->log_event_table_ptr);
2804 		alive_data->scd_base_addr = le32toh(palive->scd_base_ptr);
2805 		sc->umac_error_event_table =
2806 			le32toh(palive->error_info_addr);
2807 
2808 		alive_data->valid = le16toh(palive->status) ==
2809 				    IWM_ALIVE_STATUS_OK;
2810 		if (sc->umac_error_event_table)
2811 			sc->support_umac_log = TRUE;
2812 
2813 		IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2814 			    "Alive VER3 ucode status 0x%04x revision 0x%01X 0x%01X flags 0x%01X\n",
2815 			    le16toh(palive->status), palive->ver_type,
2816 			    palive->ver_subtype, palive->flags);
2817 
2818 		IWM_DPRINTF(sc, IWM_DEBUG_RESET,
2819 			    "UMAC version: Major - 0x%x, Minor - 0x%x\n",
2820 			    le32toh(palive->umac_major),
2821 			    le32toh(palive->umac_minor));
2822 	}
2823 
2824 	return TRUE;
2825 }
2826 
2827 static int
2828 iwm_wait_phy_db_entry(struct iwm_softc *sc,
2829 	struct iwm_rx_packet *pkt, void *data)
2830 {
2831 	struct iwm_phy_db *phy_db = data;
2832 
2833 	if (pkt->hdr.code != IWM_CALIB_RES_NOTIF_PHY_DB) {
2834 		if(pkt->hdr.code != IWM_INIT_COMPLETE_NOTIF) {
2835 			device_printf(sc->sc_dev, "%s: Unexpected cmd: %d\n",
2836 			    __func__, pkt->hdr.code);
2837 		}
2838 		return TRUE;
2839 	}
2840 
2841 	if (iwm_phy_db_set_section(phy_db, pkt)) {
2842 		device_printf(sc->sc_dev,
2843 		    "%s: iwm_phy_db_set_section failed\n", __func__);
2844 	}
2845 
2846 	return FALSE;
2847 }
2848 
2849 static int
2850 iwm_mvm_load_ucode_wait_alive(struct iwm_softc *sc,
2851 	enum iwm_ucode_type ucode_type)
2852 {
2853 	struct iwm_notification_wait alive_wait;
2854 	struct iwm_mvm_alive_data alive_data;
2855 	const struct iwm_fw_sects *fw;
2856 	enum iwm_ucode_type old_type = sc->cur_ucode;
2857 	int error;
2858 	static const uint16_t alive_cmd[] = { IWM_MVM_ALIVE };
2859 
2860 	if ((error = iwm_read_firmware(sc, ucode_type)) != 0) {
2861 		device_printf(sc->sc_dev, "iwm_read_firmware: failed %d\n",
2862 			error);
2863 		return error;
2864 	}
2865 	fw = &sc->sc_fw.fw_sects[ucode_type];
2866 	sc->cur_ucode = ucode_type;
2867 	sc->ucode_loaded = FALSE;
2868 
2869 	memset(&alive_data, 0, sizeof(alive_data));
2870 	iwm_init_notification_wait(sc->sc_notif_wait, &alive_wait,
2871 				   alive_cmd, nitems(alive_cmd),
2872 				   iwm_alive_fn, &alive_data);
2873 
2874 	error = iwm_start_fw(sc, fw);
2875 	if (error) {
2876 		device_printf(sc->sc_dev, "iwm_start_fw: failed %d\n", error);
2877 		sc->cur_ucode = old_type;
2878 		iwm_remove_notification(sc->sc_notif_wait, &alive_wait);
2879 		return error;
2880 	}
2881 
2882 	/*
2883 	 * Some things may run in the background now, but we
2884 	 * just wait for the ALIVE notification here.
2885 	 */
2886 	IWM_UNLOCK(sc);
2887 	error = iwm_wait_notification(sc->sc_notif_wait, &alive_wait,
2888 				      IWM_MVM_UCODE_ALIVE_TIMEOUT);
2889 	IWM_LOCK(sc);
2890 	if (error) {
2891 		if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000) {
2892 			uint32_t a = 0x5a5a5a5a, b = 0x5a5a5a5a;
2893 			if (iwm_nic_lock(sc)) {
2894 				a = iwm_read_prph(sc, IWM_SB_CPU_1_STATUS);
2895 				b = iwm_read_prph(sc, IWM_SB_CPU_2_STATUS);
2896 				iwm_nic_unlock(sc);
2897 			}
2898 			device_printf(sc->sc_dev,
2899 			    "SecBoot CPU1 Status: 0x%x, CPU2 Status: 0x%x\n",
2900 			    a, b);
2901 		}
2902 		sc->cur_ucode = old_type;
2903 		return error;
2904 	}
2905 
2906 	if (!alive_data.valid) {
2907 		device_printf(sc->sc_dev, "%s: Loaded ucode is not valid\n",
2908 		    __func__);
2909 		sc->cur_ucode = old_type;
2910 		return EIO;
2911 	}
2912 
2913 	iwm_trans_pcie_fw_alive(sc, alive_data.scd_base_addr);
2914 
2915 	/*
2916 	 * configure and operate fw paging mechanism.
2917 	 * driver configures the paging flow only once, CPU2 paging image
2918 	 * included in the IWM_UCODE_INIT image.
2919 	 */
2920 	if (fw->paging_mem_size) {
2921 		error = iwm_save_fw_paging(sc, fw);
2922 		if (error) {
2923 			device_printf(sc->sc_dev,
2924 			    "%s: failed to save the FW paging image\n",
2925 			    __func__);
2926 			return error;
2927 		}
2928 
2929 		error = iwm_send_paging_cmd(sc, fw);
2930 		if (error) {
2931 			device_printf(sc->sc_dev,
2932 			    "%s: failed to send the paging cmd\n", __func__);
2933 			iwm_free_fw_paging(sc);
2934 			return error;
2935 		}
2936 	}
2937 
2938 	if (!error)
2939 		sc->ucode_loaded = TRUE;
2940 	return error;
2941 }
2942 
2943 /*
2944  * mvm misc bits
2945  */
2946 
2947 /*
2948  * follows iwlwifi/fw.c
2949  */
2950 static int
2951 iwm_run_init_mvm_ucode(struct iwm_softc *sc, int justnvm)
2952 {
2953 	struct iwm_notification_wait calib_wait;
2954 	static const uint16_t init_complete[] = {
2955 		IWM_INIT_COMPLETE_NOTIF,
2956 		IWM_CALIB_RES_NOTIF_PHY_DB
2957 	};
2958 	int ret;
2959 
2960 	/* do not operate with rfkill switch turned on */
2961 	if ((sc->sc_flags & IWM_FLAG_RFKILL) && !justnvm) {
2962 		device_printf(sc->sc_dev,
2963 		    "radio is disabled by hardware switch\n");
2964 		return EPERM;
2965 	}
2966 
2967 	iwm_init_notification_wait(sc->sc_notif_wait,
2968 				   &calib_wait,
2969 				   init_complete,
2970 				   nitems(init_complete),
2971 				   iwm_wait_phy_db_entry,
2972 				   sc->sc_phy_db);
2973 
2974 	/* Will also start the device */
2975 	ret = iwm_mvm_load_ucode_wait_alive(sc, IWM_UCODE_INIT);
2976 	if (ret) {
2977 		device_printf(sc->sc_dev, "Failed to start INIT ucode: %d\n",
2978 		    ret);
2979 		goto error;
2980 	}
2981 
2982 	if (justnvm) {
2983 		/* Read nvm */
2984 		ret = iwm_nvm_init(sc);
2985 		if (ret) {
2986 			device_printf(sc->sc_dev, "failed to read nvm\n");
2987 			goto error;
2988 		}
2989 		IEEE80211_ADDR_COPY(sc->sc_ic.ic_macaddr, sc->nvm_data->hw_addr);
2990 		goto error;
2991 	}
2992 
2993 	ret = iwm_send_bt_init_conf(sc);
2994 	if (ret) {
2995 		device_printf(sc->sc_dev,
2996 		    "failed to send bt coex configuration: %d\n", ret);
2997 		goto error;
2998 	}
2999 
3000 	/* Send TX valid antennas before triggering calibrations */
3001 	ret = iwm_send_tx_ant_cfg(sc, iwm_mvm_get_valid_tx_ant(sc));
3002 	if (ret) {
3003 		device_printf(sc->sc_dev,
3004 		    "failed to send antennas before calibration: %d\n", ret);
3005 		goto error;
3006 	}
3007 
3008 	/*
3009 	 * Send phy configurations command to init uCode
3010 	 * to start the 16.0 uCode init image internal calibrations.
3011 	 */
3012 	ret = iwm_send_phy_cfg_cmd(sc);
3013 	if (ret) {
3014 		device_printf(sc->sc_dev,
3015 		    "%s: Failed to run INIT calibrations: %d\n",
3016 		    __func__, ret);
3017 		goto error;
3018 	}
3019 
3020 	/*
3021 	 * Nothing to do but wait for the init complete notification
3022 	 * from the firmware.
3023 	 */
3024 	IWM_UNLOCK(sc);
3025 	ret = iwm_wait_notification(sc->sc_notif_wait, &calib_wait,
3026 	    IWM_MVM_UCODE_CALIB_TIMEOUT);
3027 	IWM_LOCK(sc);
3028 
3029 
3030 	goto out;
3031 
3032 error:
3033 	iwm_remove_notification(sc->sc_notif_wait, &calib_wait);
3034 out:
3035 	return ret;
3036 }
3037 
3038 /*
3039  * receive side
3040  */
3041 
3042 /* (re)stock rx ring, called at init-time and at runtime */
3043 static int
3044 iwm_rx_addbuf(struct iwm_softc *sc, int size, int idx)
3045 {
3046 	struct iwm_rx_ring *ring = &sc->rxq;
3047 	struct iwm_rx_data *data = &ring->data[idx];
3048 	struct mbuf *m;
3049 	bus_dmamap_t dmamap;
3050 	bus_dma_segment_t seg;
3051 	int nsegs, error;
3052 
3053 	m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, IWM_RBUF_SIZE);
3054 	if (m == NULL)
3055 		return ENOBUFS;
3056 
3057 	m->m_len = m->m_pkthdr.len = m->m_ext.ext_size;
3058 	error = bus_dmamap_load_mbuf_sg(ring->data_dmat, ring->spare_map, m,
3059 	    &seg, &nsegs, BUS_DMA_NOWAIT);
3060 	if (error != 0) {
3061 		device_printf(sc->sc_dev,
3062 		    "%s: can't map mbuf, error %d\n", __func__, error);
3063 		m_freem(m);
3064 		return error;
3065 	}
3066 
3067 	if (data->m != NULL)
3068 		bus_dmamap_unload(ring->data_dmat, data->map);
3069 
3070 	/* Swap ring->spare_map with data->map */
3071 	dmamap = data->map;
3072 	data->map = ring->spare_map;
3073 	ring->spare_map = dmamap;
3074 
3075 	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREREAD);
3076 	data->m = m;
3077 
3078 	/* Update RX descriptor. */
3079 	KASSERT((seg.ds_addr & 255) == 0, ("seg.ds_addr not aligned"));
3080 	ring->desc[idx] = htole32(seg.ds_addr >> 8);
3081 	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
3082 	    BUS_DMASYNC_PREWRITE);
3083 
3084 	return 0;
3085 }
3086 
3087 /* iwlwifi: mvm/rx.c */
3088 /*
3089  * iwm_mvm_get_signal_strength - use new rx PHY INFO API
3090  * values are reported by the fw as positive values - need to negate
3091  * to obtain their dBM.  Account for missing antennas by replacing 0
3092  * values by -256dBm: practically 0 power and a non-feasible 8 bit value.
3093  */
3094 static int
3095 iwm_mvm_get_signal_strength(struct iwm_softc *sc, struct iwm_rx_phy_info *phy_info)
3096 {
3097 	int energy_a, energy_b, energy_c, max_energy;
3098 	uint32_t val;
3099 
3100 	val = le32toh(phy_info->non_cfg_phy[IWM_RX_INFO_ENERGY_ANT_ABC_IDX]);
3101 	energy_a = (val & IWM_RX_INFO_ENERGY_ANT_A_MSK) >>
3102 	    IWM_RX_INFO_ENERGY_ANT_A_POS;
3103 	energy_a = energy_a ? -energy_a : -256;
3104 	energy_b = (val & IWM_RX_INFO_ENERGY_ANT_B_MSK) >>
3105 	    IWM_RX_INFO_ENERGY_ANT_B_POS;
3106 	energy_b = energy_b ? -energy_b : -256;
3107 	energy_c = (val & IWM_RX_INFO_ENERGY_ANT_C_MSK) >>
3108 	    IWM_RX_INFO_ENERGY_ANT_C_POS;
3109 	energy_c = energy_c ? -energy_c : -256;
3110 	max_energy = MAX(energy_a, energy_b);
3111 	max_energy = MAX(max_energy, energy_c);
3112 
3113 	IWM_DPRINTF(sc, IWM_DEBUG_RECV,
3114 	    "energy In A %d B %d C %d , and max %d\n",
3115 	    energy_a, energy_b, energy_c, max_energy);
3116 
3117 	return max_energy;
3118 }
3119 
3120 static void
3121 iwm_mvm_rx_rx_phy_cmd(struct iwm_softc *sc, struct iwm_rx_packet *pkt)
3122 {
3123 	struct iwm_rx_phy_info *phy_info = (void *)pkt->data;
3124 
3125 	IWM_DPRINTF(sc, IWM_DEBUG_RECV, "received PHY stats\n");
3126 
3127 	memcpy(&sc->sc_last_phy_info, phy_info, sizeof(sc->sc_last_phy_info));
3128 }
3129 
3130 /*
3131  * Retrieve the average noise (in dBm) among receivers.
3132  */
3133 static int
3134 iwm_get_noise(struct iwm_softc *sc,
3135     const struct iwm_mvm_statistics_rx_non_phy *stats)
3136 {
3137 	int i, total, nbant, noise;
3138 
3139 	total = nbant = noise = 0;
3140 	for (i = 0; i < 3; i++) {
3141 		noise = le32toh(stats->beacon_silence_rssi[i]) & 0xff;
3142 		IWM_DPRINTF(sc, IWM_DEBUG_RECV, "%s: i=%d, noise=%d\n",
3143 		    __func__,
3144 		    i,
3145 		    noise);
3146 
3147 		if (noise) {
3148 			total += noise;
3149 			nbant++;
3150 		}
3151 	}
3152 
3153 	IWM_DPRINTF(sc, IWM_DEBUG_RECV, "%s: nbant=%d, total=%d\n",
3154 	    __func__, nbant, total);
3155 #if 0
3156 	/* There should be at least one antenna but check anyway. */
3157 	return (nbant == 0) ? -127 : (total / nbant) - 107;
3158 #else
3159 	/* For now, just hard-code it to -96 to be safe */
3160 	return (-96);
3161 #endif
3162 }
3163 
3164 static void
3165 iwm_mvm_handle_rx_statistics(struct iwm_softc *sc, struct iwm_rx_packet *pkt)
3166 {
3167 	struct iwm_notif_statistics_v10 *stats = (void *)&pkt->data;
3168 
3169 	memcpy(&sc->sc_stats, stats, sizeof(sc->sc_stats));
3170 	sc->sc_noise = iwm_get_noise(sc, &stats->rx.general);
3171 }
3172 
3173 /*
3174  * iwm_mvm_rx_rx_mpdu - IWM_REPLY_RX_MPDU_CMD handler
3175  *
3176  * Handles the actual data of the Rx packet from the fw
3177  */
3178 static boolean_t
3179 iwm_mvm_rx_rx_mpdu(struct iwm_softc *sc, struct mbuf *m, uint32_t offset,
3180 	boolean_t stolen)
3181 {
3182 	struct ieee80211com *ic = &sc->sc_ic;
3183 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
3184 	struct ieee80211_frame *wh;
3185 	struct ieee80211_node *ni;
3186 	struct ieee80211_rx_stats rxs;
3187 	struct iwm_rx_phy_info *phy_info;
3188 	struct iwm_rx_mpdu_res_start *rx_res;
3189 	struct iwm_rx_packet *pkt = mtodoff(m, struct iwm_rx_packet *, offset);
3190 	uint32_t len;
3191 	uint32_t rx_pkt_status;
3192 	int rssi;
3193 
3194 	phy_info = &sc->sc_last_phy_info;
3195 	rx_res = (struct iwm_rx_mpdu_res_start *)pkt->data;
3196 	wh = (struct ieee80211_frame *)(pkt->data + sizeof(*rx_res));
3197 	len = le16toh(rx_res->byte_count);
3198 	rx_pkt_status = le32toh(*(uint32_t *)(pkt->data + sizeof(*rx_res) + len));
3199 
3200 	if (__predict_false(phy_info->cfg_phy_cnt > 20)) {
3201 		device_printf(sc->sc_dev,
3202 		    "dsp size out of range [0,20]: %d\n",
3203 		    phy_info->cfg_phy_cnt);
3204 		goto fail;
3205 	}
3206 
3207 	if (!(rx_pkt_status & IWM_RX_MPDU_RES_STATUS_CRC_OK) ||
3208 	    !(rx_pkt_status & IWM_RX_MPDU_RES_STATUS_OVERRUN_OK)) {
3209 		IWM_DPRINTF(sc, IWM_DEBUG_RECV,
3210 		    "Bad CRC or FIFO: 0x%08X.\n", rx_pkt_status);
3211 		goto fail;
3212 	}
3213 
3214 	rssi = iwm_mvm_get_signal_strength(sc, phy_info);
3215 
3216 	/* Map it to relative value */
3217 	rssi = rssi - sc->sc_noise;
3218 
3219 	/* replenish ring for the buffer we're going to feed to the sharks */
3220 	if (!stolen && iwm_rx_addbuf(sc, IWM_RBUF_SIZE, sc->rxq.cur) != 0) {
3221 		device_printf(sc->sc_dev, "%s: unable to add more buffers\n",
3222 		    __func__);
3223 		goto fail;
3224 	}
3225 
3226 	m->m_data = pkt->data + sizeof(*rx_res);
3227 	m->m_pkthdr.len = m->m_len = len;
3228 
3229 	IWM_DPRINTF(sc, IWM_DEBUG_RECV,
3230 	    "%s: rssi=%d, noise=%d\n", __func__, rssi, sc->sc_noise);
3231 
3232 	ni = ieee80211_find_rxnode(ic, (struct ieee80211_frame_min *)wh);
3233 
3234 	IWM_DPRINTF(sc, IWM_DEBUG_RECV,
3235 	    "%s: phy_info: channel=%d, flags=0x%08x\n",
3236 	    __func__,
3237 	    le16toh(phy_info->channel),
3238 	    le16toh(phy_info->phy_flags));
3239 
3240 	/*
3241 	 * Populate an RX state struct with the provided information.
3242 	 */
3243 	bzero(&rxs, sizeof(rxs));
3244 	rxs.r_flags |= IEEE80211_R_IEEE | IEEE80211_R_FREQ;
3245 	rxs.r_flags |= IEEE80211_R_NF | IEEE80211_R_RSSI;
3246 	rxs.c_ieee = le16toh(phy_info->channel);
3247 	if (le16toh(phy_info->phy_flags & IWM_RX_RES_PHY_FLAGS_BAND_24)) {
3248 		rxs.c_freq = ieee80211_ieee2mhz(rxs.c_ieee, IEEE80211_CHAN_2GHZ);
3249 	} else {
3250 		rxs.c_freq = ieee80211_ieee2mhz(rxs.c_ieee, IEEE80211_CHAN_5GHZ);
3251 	}
3252 
3253 	/* rssi is in 1/2db units */
3254 	rxs.c_rssi = rssi * 2;
3255 	rxs.c_nf = sc->sc_noise;
3256 	if (ieee80211_add_rx_params(m, &rxs) == 0) {
3257 		if (ni)
3258 			ieee80211_free_node(ni);
3259 		goto fail;
3260 	}
3261 
3262 	if (ieee80211_radiotap_active_vap(vap)) {
3263 		struct iwm_rx_radiotap_header *tap = &sc->sc_rxtap;
3264 
3265 		tap->wr_flags = 0;
3266 		if (phy_info->phy_flags & htole16(IWM_PHY_INFO_FLAG_SHPREAMBLE))
3267 			tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3268 		tap->wr_chan_freq = htole16(rxs.c_freq);
3269 		/* XXX only if ic->ic_curchan->ic_ieee == rxs.c_ieee */
3270 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
3271 		tap->wr_dbm_antsignal = (int8_t)rssi;
3272 		tap->wr_dbm_antnoise = (int8_t)sc->sc_noise;
3273 		tap->wr_tsft = phy_info->system_timestamp;
3274 		switch (phy_info->rate) {
3275 		/* CCK rates. */
3276 		case  10: tap->wr_rate =   2; break;
3277 		case  20: tap->wr_rate =   4; break;
3278 		case  55: tap->wr_rate =  11; break;
3279 		case 110: tap->wr_rate =  22; break;
3280 		/* OFDM rates. */
3281 		case 0xd: tap->wr_rate =  12; break;
3282 		case 0xf: tap->wr_rate =  18; break;
3283 		case 0x5: tap->wr_rate =  24; break;
3284 		case 0x7: tap->wr_rate =  36; break;
3285 		case 0x9: tap->wr_rate =  48; break;
3286 		case 0xb: tap->wr_rate =  72; break;
3287 		case 0x1: tap->wr_rate =  96; break;
3288 		case 0x3: tap->wr_rate = 108; break;
3289 		/* Unknown rate: should not happen. */
3290 		default:  tap->wr_rate =   0;
3291 		}
3292 	}
3293 
3294 	IWM_UNLOCK(sc);
3295 	if (ni != NULL) {
3296 		IWM_DPRINTF(sc, IWM_DEBUG_RECV, "input m %p\n", m);
3297 		ieee80211_input_mimo(ni, m);
3298 		ieee80211_free_node(ni);
3299 	} else {
3300 		IWM_DPRINTF(sc, IWM_DEBUG_RECV, "inputall m %p\n", m);
3301 		ieee80211_input_mimo_all(ic, m);
3302 	}
3303 	IWM_LOCK(sc);
3304 
3305 	return TRUE;
3306 
3307 fail:
3308 	counter_u64_add(ic->ic_ierrors, 1);
3309 	return FALSE;
3310 }
3311 
3312 static int
3313 iwm_mvm_rx_tx_cmd_single(struct iwm_softc *sc, struct iwm_rx_packet *pkt,
3314 	struct iwm_node *in)
3315 {
3316 	struct iwm_mvm_tx_resp *tx_resp = (void *)pkt->data;
3317 	struct ieee80211_ratectl_tx_status *txs = &sc->sc_txs;
3318 	struct ieee80211_node *ni = &in->in_ni;
3319 	int status = le16toh(tx_resp->status.status) & IWM_TX_STATUS_MSK;
3320 
3321 	KASSERT(tx_resp->frame_count == 1, ("too many frames"));
3322 
3323 	/* Update rate control statistics. */
3324 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT, "%s: status=0x%04x, seq=%d, fc=%d, btc=%d, frts=%d, ff=%d, irate=%08x, wmt=%d\n",
3325 	    __func__,
3326 	    (int) le16toh(tx_resp->status.status),
3327 	    (int) le16toh(tx_resp->status.sequence),
3328 	    tx_resp->frame_count,
3329 	    tx_resp->bt_kill_count,
3330 	    tx_resp->failure_rts,
3331 	    tx_resp->failure_frame,
3332 	    le32toh(tx_resp->initial_rate),
3333 	    (int) le16toh(tx_resp->wireless_media_time));
3334 
3335 	txs->flags = IEEE80211_RATECTL_STATUS_SHORT_RETRY |
3336 		     IEEE80211_RATECTL_STATUS_LONG_RETRY;
3337 	txs->short_retries = tx_resp->failure_rts;
3338 	txs->long_retries = tx_resp->failure_frame;
3339 	if (status != IWM_TX_STATUS_SUCCESS &&
3340 	    status != IWM_TX_STATUS_DIRECT_DONE) {
3341 		switch (status) {
3342 		case IWM_TX_STATUS_FAIL_SHORT_LIMIT:
3343 			txs->status = IEEE80211_RATECTL_TX_FAIL_SHORT;
3344 			break;
3345 		case IWM_TX_STATUS_FAIL_LONG_LIMIT:
3346 			txs->status = IEEE80211_RATECTL_TX_FAIL_LONG;
3347 			break;
3348 		case IWM_TX_STATUS_FAIL_LIFE_EXPIRE:
3349 			txs->status = IEEE80211_RATECTL_TX_FAIL_EXPIRED;
3350 			break;
3351 		default:
3352 			txs->status = IEEE80211_RATECTL_TX_FAIL_UNSPECIFIED;
3353 			break;
3354 		}
3355 	} else {
3356 		txs->status = IEEE80211_RATECTL_TX_SUCCESS;
3357 	}
3358 	ieee80211_ratectl_tx_complete(ni, txs);
3359 
3360 	return (txs->status != IEEE80211_RATECTL_TX_SUCCESS);
3361 }
3362 
3363 static void
3364 iwm_mvm_rx_tx_cmd(struct iwm_softc *sc, struct iwm_rx_packet *pkt)
3365 {
3366 	struct iwm_cmd_header *cmd_hdr = &pkt->hdr;
3367 	int idx = cmd_hdr->idx;
3368 	int qid = cmd_hdr->qid;
3369 	struct iwm_tx_ring *ring = &sc->txq[qid];
3370 	struct iwm_tx_data *txd = &ring->data[idx];
3371 	struct iwm_node *in = txd->in;
3372 	struct mbuf *m = txd->m;
3373 	int status;
3374 
3375 	KASSERT(txd->done == 0, ("txd not done"));
3376 	KASSERT(txd->in != NULL, ("txd without node"));
3377 	KASSERT(txd->m != NULL, ("txd without mbuf"));
3378 
3379 	sc->sc_tx_timer = 0;
3380 
3381 	status = iwm_mvm_rx_tx_cmd_single(sc, pkt, in);
3382 
3383 	/* Unmap and free mbuf. */
3384 	bus_dmamap_sync(ring->data_dmat, txd->map, BUS_DMASYNC_POSTWRITE);
3385 	bus_dmamap_unload(ring->data_dmat, txd->map);
3386 
3387 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
3388 	    "free txd %p, in %p\n", txd, txd->in);
3389 	txd->done = 1;
3390 	txd->m = NULL;
3391 	txd->in = NULL;
3392 
3393 	ieee80211_tx_complete(&in->in_ni, m, status);
3394 
3395 	if (--ring->queued < IWM_TX_RING_LOMARK) {
3396 		sc->qfullmsk &= ~(1 << ring->qid);
3397 		if (sc->qfullmsk == 0) {
3398 			iwm_start(sc);
3399 		}
3400 	}
3401 }
3402 
3403 /*
3404  * transmit side
3405  */
3406 
3407 /*
3408  * Process a "command done" firmware notification.  This is where we wakeup
3409  * processes waiting for a synchronous command completion.
3410  * from if_iwn
3411  */
3412 static void
3413 iwm_cmd_done(struct iwm_softc *sc, struct iwm_rx_packet *pkt)
3414 {
3415 	struct iwm_tx_ring *ring = &sc->txq[IWM_MVM_CMD_QUEUE];
3416 	struct iwm_tx_data *data;
3417 
3418 	if (pkt->hdr.qid != IWM_MVM_CMD_QUEUE) {
3419 		return;	/* Not a command ack. */
3420 	}
3421 
3422 	/* XXX wide commands? */
3423 	IWM_DPRINTF(sc, IWM_DEBUG_CMD,
3424 	    "cmd notification type 0x%x qid %d idx %d\n",
3425 	    pkt->hdr.code, pkt->hdr.qid, pkt->hdr.idx);
3426 
3427 	data = &ring->data[pkt->hdr.idx];
3428 
3429 	/* If the command was mapped in an mbuf, free it. */
3430 	if (data->m != NULL) {
3431 		bus_dmamap_sync(ring->data_dmat, data->map,
3432 		    BUS_DMASYNC_POSTWRITE);
3433 		bus_dmamap_unload(ring->data_dmat, data->map);
3434 		m_freem(data->m);
3435 		data->m = NULL;
3436 	}
3437 	wakeup(&ring->desc[pkt->hdr.idx]);
3438 
3439 	if (((pkt->hdr.idx + ring->queued) % IWM_TX_RING_COUNT) != ring->cur) {
3440 		device_printf(sc->sc_dev,
3441 		    "%s: Some HCMDs skipped?: idx=%d queued=%d cur=%d\n",
3442 		    __func__, pkt->hdr.idx, ring->queued, ring->cur);
3443 		/* XXX call iwm_force_nmi() */
3444 	}
3445 
3446 	KASSERT(ring->queued > 0, ("ring->queued is empty?"));
3447 	ring->queued--;
3448 	if (ring->queued == 0)
3449 		iwm_pcie_clear_cmd_in_flight(sc);
3450 }
3451 
3452 #if 0
3453 /*
3454  * necessary only for block ack mode
3455  */
3456 void
3457 iwm_update_sched(struct iwm_softc *sc, int qid, int idx, uint8_t sta_id,
3458 	uint16_t len)
3459 {
3460 	struct iwm_agn_scd_bc_tbl *scd_bc_tbl;
3461 	uint16_t w_val;
3462 
3463 	scd_bc_tbl = sc->sched_dma.vaddr;
3464 
3465 	len += 8; /* magic numbers came naturally from paris */
3466 	len = roundup(len, 4) / 4;
3467 
3468 	w_val = htole16(sta_id << 12 | len);
3469 
3470 	/* Update TX scheduler. */
3471 	scd_bc_tbl[qid].tfd_offset[idx] = w_val;
3472 	bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
3473 	    BUS_DMASYNC_PREWRITE);
3474 
3475 	/* I really wonder what this is ?!? */
3476 	if (idx < IWM_TFD_QUEUE_SIZE_BC_DUP) {
3477 		scd_bc_tbl[qid].tfd_offset[IWM_TFD_QUEUE_SIZE_MAX + idx] = w_val;
3478 		bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
3479 		    BUS_DMASYNC_PREWRITE);
3480 	}
3481 }
3482 #endif
3483 
3484 /*
3485  * Take an 802.11 (non-n) rate, find the relevant rate
3486  * table entry.  return the index into in_ridx[].
3487  *
3488  * The caller then uses that index back into in_ridx
3489  * to figure out the rate index programmed /into/
3490  * the firmware for this given node.
3491  */
3492 static int
3493 iwm_tx_rateidx_lookup(struct iwm_softc *sc, struct iwm_node *in,
3494     uint8_t rate)
3495 {
3496 	int i;
3497 	uint8_t r;
3498 
3499 	for (i = 0; i < nitems(in->in_ridx); i++) {
3500 		r = iwm_rates[in->in_ridx[i]].rate;
3501 		if (rate == r)
3502 			return (i);
3503 	}
3504 
3505 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TXRATE,
3506 	    "%s: couldn't find an entry for rate=%d\n",
3507 	    __func__,
3508 	    rate);
3509 
3510 	/* XXX Return the first */
3511 	/* XXX TODO: have it return the /lowest/ */
3512 	return (0);
3513 }
3514 
3515 static int
3516 iwm_tx_rateidx_global_lookup(struct iwm_softc *sc, uint8_t rate)
3517 {
3518 	int i;
3519 
3520 	for (i = 0; i < nitems(iwm_rates); i++) {
3521 		if (iwm_rates[i].rate == rate)
3522 			return (i);
3523 	}
3524 	/* XXX error? */
3525 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TXRATE,
3526 	    "%s: couldn't find an entry for rate=%d\n",
3527 	    __func__,
3528 	    rate);
3529 	return (0);
3530 }
3531 
3532 /*
3533  * Fill in the rate related information for a transmit command.
3534  */
3535 static const struct iwm_rate *
3536 iwm_tx_fill_cmd(struct iwm_softc *sc, struct iwm_node *in,
3537 	struct mbuf *m, struct iwm_tx_cmd *tx)
3538 {
3539 	struct ieee80211_node *ni = &in->in_ni;
3540 	struct ieee80211_frame *wh;
3541 	const struct ieee80211_txparam *tp = ni->ni_txparms;
3542 	const struct iwm_rate *rinfo;
3543 	int type;
3544 	int ridx, rate_flags;
3545 
3546 	wh = mtod(m, struct ieee80211_frame *);
3547 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3548 
3549 	tx->rts_retry_limit = IWM_RTS_DFAULT_RETRY_LIMIT;
3550 	tx->data_retry_limit = IWM_DEFAULT_TX_RETRY;
3551 
3552 	if (type == IEEE80211_FC0_TYPE_MGT ||
3553 	    type == IEEE80211_FC0_TYPE_CTL ||
3554 	    (m->m_flags & M_EAPOL) != 0) {
3555 		ridx = iwm_tx_rateidx_global_lookup(sc, tp->mgmtrate);
3556 		IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
3557 		    "%s: MGT (%d)\n", __func__, tp->mgmtrate);
3558 	} else if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3559 		ridx = iwm_tx_rateidx_global_lookup(sc, tp->mcastrate);
3560 		IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
3561 		    "%s: MCAST (%d)\n", __func__, tp->mcastrate);
3562 	} else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
3563 		ridx = iwm_tx_rateidx_global_lookup(sc, tp->ucastrate);
3564 		IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
3565 		    "%s: FIXED_RATE (%d)\n", __func__, tp->ucastrate);
3566 	} else {
3567 		int i;
3568 
3569 		/* for data frames, use RS table */
3570 		IWM_DPRINTF(sc, IWM_DEBUG_TXRATE, "%s: DATA\n", __func__);
3571 		/* XXX pass pktlen */
3572 		(void) ieee80211_ratectl_rate(ni, NULL, 0);
3573 		i = iwm_tx_rateidx_lookup(sc, in, ni->ni_txrate);
3574 		ridx = in->in_ridx[i];
3575 
3576 		/* This is the index into the programmed table */
3577 		tx->initial_rate_index = i;
3578 		tx->tx_flags |= htole32(IWM_TX_CMD_FLG_STA_RATE);
3579 
3580 		IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TXRATE,
3581 		    "%s: start with i=%d, txrate %d\n",
3582 		    __func__, i, iwm_rates[ridx].rate);
3583 	}
3584 
3585 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TXRATE,
3586 	    "%s: frame type=%d txrate %d\n",
3587 	        __func__, type, iwm_rates[ridx].rate);
3588 
3589 	rinfo = &iwm_rates[ridx];
3590 
3591 	IWM_DPRINTF(sc, IWM_DEBUG_TXRATE, "%s: ridx=%d; rate=%d, CCK=%d\n",
3592 	    __func__, ridx,
3593 	    rinfo->rate,
3594 	    !! (IWM_RIDX_IS_CCK(ridx))
3595 	    );
3596 
3597 	/* XXX TODO: hard-coded TX antenna? */
3598 	rate_flags = 1 << IWM_RATE_MCS_ANT_POS;
3599 	if (IWM_RIDX_IS_CCK(ridx))
3600 		rate_flags |= IWM_RATE_MCS_CCK_MSK;
3601 	tx->rate_n_flags = htole32(rate_flags | rinfo->plcp);
3602 
3603 	return rinfo;
3604 }
3605 
3606 #define TB0_SIZE 16
3607 static int
3608 iwm_tx(struct iwm_softc *sc, struct mbuf *m, struct ieee80211_node *ni, int ac)
3609 {
3610 	struct ieee80211com *ic = &sc->sc_ic;
3611 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
3612 	struct iwm_node *in = IWM_NODE(ni);
3613 	struct iwm_tx_ring *ring;
3614 	struct iwm_tx_data *data;
3615 	struct iwm_tfd *desc;
3616 	struct iwm_device_cmd *cmd;
3617 	struct iwm_tx_cmd *tx;
3618 	struct ieee80211_frame *wh;
3619 	struct ieee80211_key *k = NULL;
3620 	struct mbuf *m1;
3621 	const struct iwm_rate *rinfo;
3622 	uint32_t flags;
3623 	u_int hdrlen;
3624 	bus_dma_segment_t *seg, segs[IWM_MAX_SCATTER];
3625 	int nsegs;
3626 	uint8_t tid, type;
3627 	int i, totlen, error, pad;
3628 
3629 	wh = mtod(m, struct ieee80211_frame *);
3630 	hdrlen = ieee80211_anyhdrsize(wh);
3631 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3632 	tid = 0;
3633 	ring = &sc->txq[ac];
3634 	desc = &ring->desc[ring->cur];
3635 	memset(desc, 0, sizeof(*desc));
3636 	data = &ring->data[ring->cur];
3637 
3638 	/* Fill out iwm_tx_cmd to send to the firmware */
3639 	cmd = &ring->cmd[ring->cur];
3640 	cmd->hdr.code = IWM_TX_CMD;
3641 	cmd->hdr.flags = 0;
3642 	cmd->hdr.qid = ring->qid;
3643 	cmd->hdr.idx = ring->cur;
3644 
3645 	tx = (void *)cmd->data;
3646 	memset(tx, 0, sizeof(*tx));
3647 
3648 	rinfo = iwm_tx_fill_cmd(sc, in, m, tx);
3649 
3650 	/* Encrypt the frame if need be. */
3651 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
3652 		/* Retrieve key for TX && do software encryption. */
3653 		k = ieee80211_crypto_encap(ni, m);
3654 		if (k == NULL) {
3655 			m_freem(m);
3656 			return (ENOBUFS);
3657 		}
3658 		/* 802.11 header may have moved. */
3659 		wh = mtod(m, struct ieee80211_frame *);
3660 	}
3661 
3662 	if (ieee80211_radiotap_active_vap(vap)) {
3663 		struct iwm_tx_radiotap_header *tap = &sc->sc_txtap;
3664 
3665 		tap->wt_flags = 0;
3666 		tap->wt_chan_freq = htole16(ni->ni_chan->ic_freq);
3667 		tap->wt_chan_flags = htole16(ni->ni_chan->ic_flags);
3668 		tap->wt_rate = rinfo->rate;
3669 		if (k != NULL)
3670 			tap->wt_flags |= IEEE80211_RADIOTAP_F_WEP;
3671 		ieee80211_radiotap_tx(vap, m);
3672 	}
3673 
3674 
3675 	totlen = m->m_pkthdr.len;
3676 
3677 	flags = 0;
3678 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3679 		flags |= IWM_TX_CMD_FLG_ACK;
3680 	}
3681 
3682 	if (type == IEEE80211_FC0_TYPE_DATA
3683 	    && (totlen + IEEE80211_CRC_LEN > vap->iv_rtsthreshold)
3684 	    && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3685 		flags |= IWM_TX_CMD_FLG_PROT_REQUIRE;
3686 	}
3687 
3688 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3689 	    type != IEEE80211_FC0_TYPE_DATA)
3690 		tx->sta_id = sc->sc_aux_sta.sta_id;
3691 	else
3692 		tx->sta_id = IWM_STATION_ID;
3693 
3694 	if (type == IEEE80211_FC0_TYPE_MGT) {
3695 		uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
3696 
3697 		if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
3698 		    subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
3699 			tx->pm_frame_timeout = htole16(IWM_PM_FRAME_ASSOC);
3700 		} else if (subtype == IEEE80211_FC0_SUBTYPE_ACTION) {
3701 			tx->pm_frame_timeout = htole16(IWM_PM_FRAME_NONE);
3702 		} else {
3703 			tx->pm_frame_timeout = htole16(IWM_PM_FRAME_MGMT);
3704 		}
3705 	} else {
3706 		tx->pm_frame_timeout = htole16(IWM_PM_FRAME_NONE);
3707 	}
3708 
3709 	if (hdrlen & 3) {
3710 		/* First segment length must be a multiple of 4. */
3711 		flags |= IWM_TX_CMD_FLG_MH_PAD;
3712 		pad = 4 - (hdrlen & 3);
3713 	} else
3714 		pad = 0;
3715 
3716 	tx->driver_txop = 0;
3717 	tx->next_frame_len = 0;
3718 
3719 	tx->len = htole16(totlen);
3720 	tx->tid_tspec = tid;
3721 	tx->life_time = htole32(IWM_TX_CMD_LIFE_TIME_INFINITE);
3722 
3723 	/* Set physical address of "scratch area". */
3724 	tx->dram_lsb_ptr = htole32(data->scratch_paddr);
3725 	tx->dram_msb_ptr = iwm_get_dma_hi_addr(data->scratch_paddr);
3726 
3727 	/* Copy 802.11 header in TX command. */
3728 	memcpy(((uint8_t *)tx) + sizeof(*tx), wh, hdrlen);
3729 
3730 	flags |= IWM_TX_CMD_FLG_BT_DIS | IWM_TX_CMD_FLG_SEQ_CTL;
3731 
3732 	tx->sec_ctl = 0;
3733 	tx->tx_flags |= htole32(flags);
3734 
3735 	/* Trim 802.11 header. */
3736 	m_adj(m, hdrlen);
3737 	error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
3738 	    segs, &nsegs, BUS_DMA_NOWAIT);
3739 	if (error != 0) {
3740 		if (error != EFBIG) {
3741 			device_printf(sc->sc_dev, "can't map mbuf (error %d)\n",
3742 			    error);
3743 			m_freem(m);
3744 			return error;
3745 		}
3746 		/* Too many DMA segments, linearize mbuf. */
3747 		m1 = m_collapse(m, M_NOWAIT, IWM_MAX_SCATTER - 2);
3748 		if (m1 == NULL) {
3749 			device_printf(sc->sc_dev,
3750 			    "%s: could not defrag mbuf\n", __func__);
3751 			m_freem(m);
3752 			return (ENOBUFS);
3753 		}
3754 		m = m1;
3755 
3756 		error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
3757 		    segs, &nsegs, BUS_DMA_NOWAIT);
3758 		if (error != 0) {
3759 			device_printf(sc->sc_dev, "can't map mbuf (error %d)\n",
3760 			    error);
3761 			m_freem(m);
3762 			return error;
3763 		}
3764 	}
3765 	data->m = m;
3766 	data->in = in;
3767 	data->done = 0;
3768 
3769 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
3770 	    "sending txd %p, in %p\n", data, data->in);
3771 	KASSERT(data->in != NULL, ("node is NULL"));
3772 
3773 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
3774 	    "sending data: qid=%d idx=%d len=%d nsegs=%d txflags=0x%08x rate_n_flags=0x%08x rateidx=%u\n",
3775 	    ring->qid, ring->cur, totlen, nsegs,
3776 	    le32toh(tx->tx_flags),
3777 	    le32toh(tx->rate_n_flags),
3778 	    tx->initial_rate_index
3779 	    );
3780 
3781 	/* Fill TX descriptor. */
3782 	desc->num_tbs = 2 + nsegs;
3783 
3784 	desc->tbs[0].lo = htole32(data->cmd_paddr);
3785 	desc->tbs[0].hi_n_len = htole16(iwm_get_dma_hi_addr(data->cmd_paddr)) |
3786 	    (TB0_SIZE << 4);
3787 	desc->tbs[1].lo = htole32(data->cmd_paddr + TB0_SIZE);
3788 	desc->tbs[1].hi_n_len = htole16(iwm_get_dma_hi_addr(data->cmd_paddr)) |
3789 	    ((sizeof(struct iwm_cmd_header) + sizeof(*tx)
3790 	      + hdrlen + pad - TB0_SIZE) << 4);
3791 
3792 	/* Other DMA segments are for data payload. */
3793 	for (i = 0; i < nsegs; i++) {
3794 		seg = &segs[i];
3795 		desc->tbs[i+2].lo = htole32(seg->ds_addr);
3796 		desc->tbs[i+2].hi_n_len = \
3797 		    htole16(iwm_get_dma_hi_addr(seg->ds_addr))
3798 		    | ((seg->ds_len) << 4);
3799 	}
3800 
3801 	bus_dmamap_sync(ring->data_dmat, data->map,
3802 	    BUS_DMASYNC_PREWRITE);
3803 	bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
3804 	    BUS_DMASYNC_PREWRITE);
3805 	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
3806 	    BUS_DMASYNC_PREWRITE);
3807 
3808 #if 0
3809 	iwm_update_sched(sc, ring->qid, ring->cur, tx->sta_id, le16toh(tx->len));
3810 #endif
3811 
3812 	/* Kick TX ring. */
3813 	ring->cur = (ring->cur + 1) % IWM_TX_RING_COUNT;
3814 	IWM_WRITE(sc, IWM_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
3815 
3816 	/* Mark TX ring as full if we reach a certain threshold. */
3817 	if (++ring->queued > IWM_TX_RING_HIMARK) {
3818 		sc->qfullmsk |= 1 << ring->qid;
3819 	}
3820 
3821 	return 0;
3822 }
3823 
3824 static int
3825 iwm_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3826     const struct ieee80211_bpf_params *params)
3827 {
3828 	struct ieee80211com *ic = ni->ni_ic;
3829 	struct iwm_softc *sc = ic->ic_softc;
3830 	int error = 0;
3831 
3832 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
3833 	    "->%s begin\n", __func__);
3834 
3835 	if ((sc->sc_flags & IWM_FLAG_HW_INITED) == 0) {
3836 		m_freem(m);
3837 		IWM_DPRINTF(sc, IWM_DEBUG_XMIT,
3838 		    "<-%s not RUNNING\n", __func__);
3839 		return (ENETDOWN);
3840         }
3841 
3842 	IWM_LOCK(sc);
3843 	/* XXX fix this */
3844         if (params == NULL) {
3845 		error = iwm_tx(sc, m, ni, 0);
3846 	} else {
3847 		error = iwm_tx(sc, m, ni, 0);
3848 	}
3849 	sc->sc_tx_timer = 5;
3850 	IWM_UNLOCK(sc);
3851 
3852         return (error);
3853 }
3854 
3855 /*
3856  * mvm/tx.c
3857  */
3858 
3859 /*
3860  * Note that there are transports that buffer frames before they reach
3861  * the firmware. This means that after flush_tx_path is called, the
3862  * queue might not be empty. The race-free way to handle this is to:
3863  * 1) set the station as draining
3864  * 2) flush the Tx path
3865  * 3) wait for the transport queues to be empty
3866  */
3867 int
3868 iwm_mvm_flush_tx_path(struct iwm_softc *sc, uint32_t tfd_msk, uint32_t flags)
3869 {
3870 	int ret;
3871 	struct iwm_tx_path_flush_cmd flush_cmd = {
3872 		.queues_ctl = htole32(tfd_msk),
3873 		.flush_ctl = htole16(IWM_DUMP_TX_FIFO_FLUSH),
3874 	};
3875 
3876 	ret = iwm_mvm_send_cmd_pdu(sc, IWM_TXPATH_FLUSH, flags,
3877 	    sizeof(flush_cmd), &flush_cmd);
3878 	if (ret)
3879                 device_printf(sc->sc_dev,
3880 		    "Flushing tx queue failed: %d\n", ret);
3881 	return ret;
3882 }
3883 
3884 /*
3885  * BEGIN mvm/quota.c
3886  */
3887 
3888 static int
3889 iwm_mvm_update_quotas(struct iwm_softc *sc, struct iwm_vap *ivp)
3890 {
3891 	struct iwm_time_quota_cmd cmd;
3892 	int i, idx, ret, num_active_macs, quota, quota_rem;
3893 	int colors[IWM_MAX_BINDINGS] = { -1, -1, -1, -1, };
3894 	int n_ifs[IWM_MAX_BINDINGS] = {0, };
3895 	uint16_t id;
3896 
3897 	memset(&cmd, 0, sizeof(cmd));
3898 
3899 	/* currently, PHY ID == binding ID */
3900 	if (ivp) {
3901 		id = ivp->phy_ctxt->id;
3902 		KASSERT(id < IWM_MAX_BINDINGS, ("invalid id"));
3903 		colors[id] = ivp->phy_ctxt->color;
3904 
3905 		if (1)
3906 			n_ifs[id] = 1;
3907 	}
3908 
3909 	/*
3910 	 * The FW's scheduling session consists of
3911 	 * IWM_MVM_MAX_QUOTA fragments. Divide these fragments
3912 	 * equally between all the bindings that require quota
3913 	 */
3914 	num_active_macs = 0;
3915 	for (i = 0; i < IWM_MAX_BINDINGS; i++) {
3916 		cmd.quotas[i].id_and_color = htole32(IWM_FW_CTXT_INVALID);
3917 		num_active_macs += n_ifs[i];
3918 	}
3919 
3920 	quota = 0;
3921 	quota_rem = 0;
3922 	if (num_active_macs) {
3923 		quota = IWM_MVM_MAX_QUOTA / num_active_macs;
3924 		quota_rem = IWM_MVM_MAX_QUOTA % num_active_macs;
3925 	}
3926 
3927 	for (idx = 0, i = 0; i < IWM_MAX_BINDINGS; i++) {
3928 		if (colors[i] < 0)
3929 			continue;
3930 
3931 		cmd.quotas[idx].id_and_color =
3932 			htole32(IWM_FW_CMD_ID_AND_COLOR(i, colors[i]));
3933 
3934 		if (n_ifs[i] <= 0) {
3935 			cmd.quotas[idx].quota = htole32(0);
3936 			cmd.quotas[idx].max_duration = htole32(0);
3937 		} else {
3938 			cmd.quotas[idx].quota = htole32(quota * n_ifs[i]);
3939 			cmd.quotas[idx].max_duration = htole32(0);
3940 		}
3941 		idx++;
3942 	}
3943 
3944 	/* Give the remainder of the session to the first binding */
3945 	cmd.quotas[0].quota = htole32(le32toh(cmd.quotas[0].quota) + quota_rem);
3946 
3947 	ret = iwm_mvm_send_cmd_pdu(sc, IWM_TIME_QUOTA_CMD, IWM_CMD_SYNC,
3948 	    sizeof(cmd), &cmd);
3949 	if (ret)
3950 		device_printf(sc->sc_dev,
3951 		    "%s: Failed to send quota: %d\n", __func__, ret);
3952 	return ret;
3953 }
3954 
3955 /*
3956  * END mvm/quota.c
3957  */
3958 
3959 /*
3960  * ieee80211 routines
3961  */
3962 
3963 /*
3964  * Change to AUTH state in 80211 state machine.  Roughly matches what
3965  * Linux does in bss_info_changed().
3966  */
3967 static int
3968 iwm_auth(struct ieee80211vap *vap, struct iwm_softc *sc)
3969 {
3970 	struct ieee80211_node *ni;
3971 	struct iwm_node *in;
3972 	struct iwm_vap *iv = IWM_VAP(vap);
3973 	uint32_t duration;
3974 	int error;
3975 
3976 	/*
3977 	 * XXX i have a feeling that the vap node is being
3978 	 * freed from underneath us. Grr.
3979 	 */
3980 	ni = ieee80211_ref_node(vap->iv_bss);
3981 	in = IWM_NODE(ni);
3982 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_STATE,
3983 	    "%s: called; vap=%p, bss ni=%p\n",
3984 	    __func__,
3985 	    vap,
3986 	    ni);
3987 
3988 	in->in_assoc = 0;
3989 
3990 	/*
3991 	 * Firmware bug - it'll crash if the beacon interval is less
3992 	 * than 16. We can't avoid connecting at all, so refuse the
3993 	 * station state change, this will cause net80211 to abandon
3994 	 * attempts to connect to this AP, and eventually wpa_s will
3995 	 * blacklist the AP...
3996 	 */
3997 	if (ni->ni_intval < 16) {
3998 		device_printf(sc->sc_dev,
3999 		    "AP %s beacon interval is %d, refusing due to firmware bug!\n",
4000 		    ether_sprintf(ni->ni_bssid), ni->ni_intval);
4001 		error = EINVAL;
4002 		goto out;
4003 	}
4004 
4005 	error = iwm_allow_mcast(vap, sc);
4006 	if (error) {
4007 		device_printf(sc->sc_dev,
4008 		    "%s: failed to set multicast\n", __func__);
4009 		goto out;
4010 	}
4011 
4012 	/*
4013 	 * This is where it deviates from what Linux does.
4014 	 *
4015 	 * Linux iwlwifi doesn't reset the nic each time, nor does it
4016 	 * call ctxt_add() here.  Instead, it adds it during vap creation,
4017 	 * and always does a mac_ctx_changed().
4018 	 *
4019 	 * The openbsd port doesn't attempt to do that - it reset things
4020 	 * at odd states and does the add here.
4021 	 *
4022 	 * So, until the state handling is fixed (ie, we never reset
4023 	 * the NIC except for a firmware failure, which should drag
4024 	 * the NIC back to IDLE, re-setup and re-add all the mac/phy
4025 	 * contexts that are required), let's do a dirty hack here.
4026 	 */
4027 	if (iv->is_uploaded) {
4028 		if ((error = iwm_mvm_mac_ctxt_changed(sc, vap)) != 0) {
4029 			device_printf(sc->sc_dev,
4030 			    "%s: failed to update MAC\n", __func__);
4031 			goto out;
4032 		}
4033 	} else {
4034 		if ((error = iwm_mvm_mac_ctxt_add(sc, vap)) != 0) {
4035 			device_printf(sc->sc_dev,
4036 			    "%s: failed to add MAC\n", __func__);
4037 			goto out;
4038 		}
4039 	}
4040 
4041 	if ((error = iwm_mvm_phy_ctxt_changed(sc, &sc->sc_phyctxt[0],
4042 	    in->in_ni.ni_chan, 1, 1)) != 0) {
4043 		device_printf(sc->sc_dev,
4044 		    "%s: failed update phy ctxt\n", __func__);
4045 		goto out;
4046 	}
4047 	iv->phy_ctxt = &sc->sc_phyctxt[0];
4048 
4049 	if ((error = iwm_mvm_binding_add_vif(sc, iv)) != 0) {
4050 		device_printf(sc->sc_dev,
4051 		    "%s: binding update cmd\n", __func__);
4052 		goto out;
4053 	}
4054 	/*
4055 	 * Authentication becomes unreliable when powersaving is left enabled
4056 	 * here. Powersaving will be activated again when association has
4057 	 * finished or is aborted.
4058 	 */
4059 	iv->ps_disabled = TRUE;
4060 	error = iwm_mvm_power_update_mac(sc);
4061 	iv->ps_disabled = FALSE;
4062 	if (error != 0) {
4063 		device_printf(sc->sc_dev,
4064 		    "%s: failed to update power management\n",
4065 		    __func__);
4066 		goto out;
4067 	}
4068 	if ((error = iwm_mvm_add_sta(sc, in)) != 0) {
4069 		device_printf(sc->sc_dev,
4070 		    "%s: failed to add sta\n", __func__);
4071 		goto out;
4072 	}
4073 
4074 	/*
4075 	 * Prevent the FW from wandering off channel during association
4076 	 * by "protecting" the session with a time event.
4077 	 */
4078 	/* XXX duration is in units of TU, not MS */
4079 	duration = IWM_MVM_TE_SESSION_PROTECTION_MAX_TIME_MS;
4080 	iwm_mvm_protect_session(sc, iv, duration, 500 /* XXX magic number */);
4081 	DELAY(100);
4082 
4083 	error = 0;
4084 out:
4085 	ieee80211_free_node(ni);
4086 	return (error);
4087 }
4088 
4089 static int
4090 iwm_release(struct iwm_softc *sc, struct iwm_node *in)
4091 {
4092 	uint32_t tfd_msk;
4093 
4094 	/*
4095 	 * Ok, so *technically* the proper set of calls for going
4096 	 * from RUN back to SCAN is:
4097 	 *
4098 	 * iwm_mvm_power_mac_disable(sc, in);
4099 	 * iwm_mvm_mac_ctxt_changed(sc, vap);
4100 	 * iwm_mvm_rm_sta(sc, in);
4101 	 * iwm_mvm_update_quotas(sc, NULL);
4102 	 * iwm_mvm_mac_ctxt_changed(sc, in);
4103 	 * iwm_mvm_binding_remove_vif(sc, IWM_VAP(in->in_ni.ni_vap));
4104 	 * iwm_mvm_mac_ctxt_remove(sc, in);
4105 	 *
4106 	 * However, that freezes the device not matter which permutations
4107 	 * and modifications are attempted.  Obviously, this driver is missing
4108 	 * something since it works in the Linux driver, but figuring out what
4109 	 * is missing is a little more complicated.  Now, since we're going
4110 	 * back to nothing anyway, we'll just do a complete device reset.
4111 	 * Up your's, device!
4112 	 */
4113 	/*
4114 	 * Just using 0xf for the queues mask is fine as long as we only
4115 	 * get here from RUN state.
4116 	 */
4117 	tfd_msk = 0xf;
4118 	iwm_xmit_queue_drain(sc);
4119 	iwm_mvm_flush_tx_path(sc, tfd_msk, IWM_CMD_SYNC);
4120 	/*
4121 	 * We seem to get away with just synchronously sending the
4122 	 * IWM_TXPATH_FLUSH command.
4123 	 */
4124 //	iwm_trans_wait_tx_queue_empty(sc, tfd_msk);
4125 	iwm_stop_device(sc);
4126 	iwm_init_hw(sc);
4127 	if (in)
4128 		in->in_assoc = 0;
4129 	return 0;
4130 
4131 #if 0
4132 	int error;
4133 
4134 	iwm_mvm_power_mac_disable(sc, in);
4135 
4136 	if ((error = iwm_mvm_mac_ctxt_changed(sc, vap)) != 0) {
4137 		device_printf(sc->sc_dev, "mac ctxt change fail 1 %d\n", error);
4138 		return error;
4139 	}
4140 
4141 	if ((error = iwm_mvm_rm_sta(sc, in)) != 0) {
4142 		device_printf(sc->sc_dev, "sta remove fail %d\n", error);
4143 		return error;
4144 	}
4145 	error = iwm_mvm_rm_sta(sc, in);
4146 	in->in_assoc = 0;
4147 	iwm_mvm_update_quotas(sc, NULL);
4148 	if ((error = iwm_mvm_mac_ctxt_changed(sc, vap)) != 0) {
4149 		device_printf(sc->sc_dev, "mac ctxt change fail 2 %d\n", error);
4150 		return error;
4151 	}
4152 	iwm_mvm_binding_remove_vif(sc, IWM_VAP(in->in_ni.ni_vap));
4153 
4154 	iwm_mvm_mac_ctxt_remove(sc, in);
4155 
4156 	return error;
4157 #endif
4158 }
4159 
4160 static struct ieee80211_node *
4161 iwm_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
4162 {
4163 	return malloc(sizeof (struct iwm_node), M_80211_NODE,
4164 	    M_NOWAIT | M_ZERO);
4165 }
4166 
4167 uint8_t
4168 iwm_ridx2rate(struct ieee80211_rateset *rs, int ridx)
4169 {
4170 	int i;
4171 	uint8_t rval;
4172 
4173 	for (i = 0; i < rs->rs_nrates; i++) {
4174 		rval = (rs->rs_rates[i] & IEEE80211_RATE_VAL);
4175 		if (rval == iwm_rates[ridx].rate)
4176 			return rs->rs_rates[i];
4177 	}
4178 
4179 	return 0;
4180 }
4181 
4182 static void
4183 iwm_setrates(struct iwm_softc *sc, struct iwm_node *in)
4184 {
4185 	struct ieee80211_node *ni = &in->in_ni;
4186 	struct iwm_lq_cmd *lq = &in->in_lq;
4187 	int nrates = ni->ni_rates.rs_nrates;
4188 	int i, ridx, tab = 0;
4189 //	int txant = 0;
4190 
4191 	if (nrates > nitems(lq->rs_table)) {
4192 		device_printf(sc->sc_dev,
4193 		    "%s: node supports %d rates, driver handles "
4194 		    "only %zu\n", __func__, nrates, nitems(lq->rs_table));
4195 		return;
4196 	}
4197 	if (nrates == 0) {
4198 		device_printf(sc->sc_dev,
4199 		    "%s: node supports 0 rates, odd!\n", __func__);
4200 		return;
4201 	}
4202 
4203 	/*
4204 	 * XXX .. and most of iwm_node is not initialised explicitly;
4205 	 * it's all just 0x0 passed to the firmware.
4206 	 */
4207 
4208 	/* first figure out which rates we should support */
4209 	/* XXX TODO: this isn't 11n aware /at all/ */
4210 	memset(&in->in_ridx, -1, sizeof(in->in_ridx));
4211 	IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
4212 	    "%s: nrates=%d\n", __func__, nrates);
4213 
4214 	/*
4215 	 * Loop over nrates and populate in_ridx from the highest
4216 	 * rate to the lowest rate.  Remember, in_ridx[] has
4217 	 * IEEE80211_RATE_MAXSIZE entries!
4218 	 */
4219 	for (i = 0; i < min(nrates, IEEE80211_RATE_MAXSIZE); i++) {
4220 		int rate = ni->ni_rates.rs_rates[(nrates - 1) - i] & IEEE80211_RATE_VAL;
4221 
4222 		/* Map 802.11 rate to HW rate index. */
4223 		for (ridx = 0; ridx <= IWM_RIDX_MAX; ridx++)
4224 			if (iwm_rates[ridx].rate == rate)
4225 				break;
4226 		if (ridx > IWM_RIDX_MAX) {
4227 			device_printf(sc->sc_dev,
4228 			    "%s: WARNING: device rate for %d not found!\n",
4229 			    __func__, rate);
4230 		} else {
4231 			IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
4232 			    "%s: rate: i: %d, rate=%d, ridx=%d\n",
4233 			    __func__,
4234 			    i,
4235 			    rate,
4236 			    ridx);
4237 			in->in_ridx[i] = ridx;
4238 		}
4239 	}
4240 
4241 	/* then construct a lq_cmd based on those */
4242 	memset(lq, 0, sizeof(*lq));
4243 	lq->sta_id = IWM_STATION_ID;
4244 
4245 	/* For HT, always enable RTS/CTS to avoid excessive retries. */
4246 	if (ni->ni_flags & IEEE80211_NODE_HT)
4247 		lq->flags |= IWM_LQ_FLAG_USE_RTS_MSK;
4248 
4249 	/*
4250 	 * are these used? (we don't do SISO or MIMO)
4251 	 * need to set them to non-zero, though, or we get an error.
4252 	 */
4253 	lq->single_stream_ant_msk = 1;
4254 	lq->dual_stream_ant_msk = 1;
4255 
4256 	/*
4257 	 * Build the actual rate selection table.
4258 	 * The lowest bits are the rates.  Additionally,
4259 	 * CCK needs bit 9 to be set.  The rest of the bits
4260 	 * we add to the table select the tx antenna
4261 	 * Note that we add the rates in the highest rate first
4262 	 * (opposite of ni_rates).
4263 	 */
4264 	/*
4265 	 * XXX TODO: this should be looping over the min of nrates
4266 	 * and LQ_MAX_RETRY_NUM.  Sigh.
4267 	 */
4268 	for (i = 0; i < nrates; i++) {
4269 		int nextant;
4270 
4271 #if 0
4272 		if (txant == 0)
4273 			txant = iwm_mvm_get_valid_tx_ant(sc);
4274 		nextant = 1<<(ffs(txant)-1);
4275 		txant &= ~nextant;
4276 #else
4277 		nextant = iwm_mvm_get_valid_tx_ant(sc);
4278 #endif
4279 		/*
4280 		 * Map the rate id into a rate index into
4281 		 * our hardware table containing the
4282 		 * configuration to use for this rate.
4283 		 */
4284 		ridx = in->in_ridx[i];
4285 		tab = iwm_rates[ridx].plcp;
4286 		tab |= nextant << IWM_RATE_MCS_ANT_POS;
4287 		if (IWM_RIDX_IS_CCK(ridx))
4288 			tab |= IWM_RATE_MCS_CCK_MSK;
4289 		IWM_DPRINTF(sc, IWM_DEBUG_TXRATE,
4290 		    "station rate i=%d, rate=%d, hw=%x\n",
4291 		    i, iwm_rates[ridx].rate, tab);
4292 		lq->rs_table[i] = htole32(tab);
4293 	}
4294 	/* then fill the rest with the lowest possible rate */
4295 	for (i = nrates; i < nitems(lq->rs_table); i++) {
4296 		KASSERT(tab != 0, ("invalid tab"));
4297 		lq->rs_table[i] = htole32(tab);
4298 	}
4299 }
4300 
4301 static int
4302 iwm_media_change(struct ifnet *ifp)
4303 {
4304 	struct ieee80211vap *vap = ifp->if_softc;
4305 	struct ieee80211com *ic = vap->iv_ic;
4306 	struct iwm_softc *sc = ic->ic_softc;
4307 	int error;
4308 
4309 	error = ieee80211_media_change(ifp);
4310 	if (error != ENETRESET)
4311 		return error;
4312 
4313 	IWM_LOCK(sc);
4314 	if (ic->ic_nrunning > 0) {
4315 		iwm_stop(sc);
4316 		iwm_init(sc);
4317 	}
4318 	IWM_UNLOCK(sc);
4319 	return error;
4320 }
4321 
4322 
4323 static int
4324 iwm_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
4325 {
4326 	struct iwm_vap *ivp = IWM_VAP(vap);
4327 	struct ieee80211com *ic = vap->iv_ic;
4328 	struct iwm_softc *sc = ic->ic_softc;
4329 	struct iwm_node *in;
4330 	int error;
4331 
4332 	IWM_DPRINTF(sc, IWM_DEBUG_STATE,
4333 	    "switching state %s -> %s\n",
4334 	    ieee80211_state_name[vap->iv_state],
4335 	    ieee80211_state_name[nstate]);
4336 	IEEE80211_UNLOCK(ic);
4337 	IWM_LOCK(sc);
4338 
4339 	if (vap->iv_state == IEEE80211_S_SCAN && nstate != vap->iv_state)
4340 		iwm_led_blink_stop(sc);
4341 
4342 	/* disable beacon filtering if we're hopping out of RUN */
4343 	if (vap->iv_state == IEEE80211_S_RUN && nstate != vap->iv_state) {
4344 		iwm_mvm_disable_beacon_filter(sc);
4345 
4346 		if (((in = IWM_NODE(vap->iv_bss)) != NULL))
4347 			in->in_assoc = 0;
4348 
4349 		if (nstate == IEEE80211_S_INIT) {
4350 			IWM_UNLOCK(sc);
4351 			IEEE80211_LOCK(ic);
4352 			error = ivp->iv_newstate(vap, nstate, arg);
4353 			IEEE80211_UNLOCK(ic);
4354 			IWM_LOCK(sc);
4355 			iwm_release(sc, NULL);
4356 			IWM_UNLOCK(sc);
4357 			IEEE80211_LOCK(ic);
4358 			return error;
4359 		}
4360 
4361 		/*
4362 		 * It's impossible to directly go RUN->SCAN. If we iwm_release()
4363 		 * above then the card will be completely reinitialized,
4364 		 * so the driver must do everything necessary to bring the card
4365 		 * from INIT to SCAN.
4366 		 *
4367 		 * Additionally, upon receiving deauth frame from AP,
4368 		 * OpenBSD 802.11 stack puts the driver in IEEE80211_S_AUTH
4369 		 * state. This will also fail with this driver, so bring the FSM
4370 		 * from IEEE80211_S_RUN to IEEE80211_S_SCAN in this case as well.
4371 		 *
4372 		 * XXX TODO: fix this for FreeBSD!
4373 		 */
4374 		if (nstate == IEEE80211_S_SCAN ||
4375 		    nstate == IEEE80211_S_AUTH ||
4376 		    nstate == IEEE80211_S_ASSOC) {
4377 			IWM_DPRINTF(sc, IWM_DEBUG_STATE,
4378 			    "Force transition to INIT; MGT=%d\n", arg);
4379 			IWM_UNLOCK(sc);
4380 			IEEE80211_LOCK(ic);
4381 			/* Always pass arg as -1 since we can't Tx right now. */
4382 			/*
4383 			 * XXX arg is just ignored anyway when transitioning
4384 			 *     to IEEE80211_S_INIT.
4385 			 */
4386 			vap->iv_newstate(vap, IEEE80211_S_INIT, -1);
4387 			IWM_DPRINTF(sc, IWM_DEBUG_STATE,
4388 			    "Going INIT->SCAN\n");
4389 			nstate = IEEE80211_S_SCAN;
4390 			IEEE80211_UNLOCK(ic);
4391 			IWM_LOCK(sc);
4392 		}
4393 	}
4394 
4395 	switch (nstate) {
4396 	case IEEE80211_S_INIT:
4397 	case IEEE80211_S_SCAN:
4398 		if (vap->iv_state == IEEE80211_S_AUTH ||
4399 		    vap->iv_state == IEEE80211_S_ASSOC) {
4400 			int myerr;
4401 			IWM_UNLOCK(sc);
4402 			IEEE80211_LOCK(ic);
4403 			myerr = ivp->iv_newstate(vap, nstate, arg);
4404 			IEEE80211_UNLOCK(ic);
4405 			IWM_LOCK(sc);
4406 			error = iwm_mvm_rm_sta(sc, vap, FALSE);
4407                         if (error) {
4408                                 device_printf(sc->sc_dev,
4409 				    "%s: Failed to remove station: %d\n",
4410 				    __func__, error);
4411 			}
4412 			error = iwm_mvm_mac_ctxt_changed(sc, vap);
4413                         if (error) {
4414                                 device_printf(sc->sc_dev,
4415                                     "%s: Failed to change mac context: %d\n",
4416                                     __func__, error);
4417                         }
4418                         error = iwm_mvm_binding_remove_vif(sc, ivp);
4419                         if (error) {
4420                                 device_printf(sc->sc_dev,
4421                                     "%s: Failed to remove channel ctx: %d\n",
4422                                     __func__, error);
4423                         }
4424 			ivp->phy_ctxt = NULL;
4425 			error = iwm_mvm_power_update_mac(sc);
4426 			if (error != 0) {
4427 				device_printf(sc->sc_dev,
4428 				    "%s: failed to update power management\n",
4429 				    __func__);
4430 			}
4431 			IWM_UNLOCK(sc);
4432 			IEEE80211_LOCK(ic);
4433 			return myerr;
4434 		}
4435 		break;
4436 
4437 	case IEEE80211_S_AUTH:
4438 		if ((error = iwm_auth(vap, sc)) != 0) {
4439 			device_printf(sc->sc_dev,
4440 			    "%s: could not move to auth state: %d\n",
4441 			    __func__, error);
4442 		}
4443 		break;
4444 
4445 	case IEEE80211_S_ASSOC:
4446 		/*
4447 		 * EBS may be disabled due to previous failures reported by FW.
4448 		 * Reset EBS status here assuming environment has been changed.
4449 		 */
4450 		sc->last_ebs_successful = TRUE;
4451 		break;
4452 
4453 	case IEEE80211_S_RUN:
4454 		in = IWM_NODE(vap->iv_bss);
4455 		/* Update the association state, now we have it all */
4456 		/* (eg associd comes in at this point */
4457 		error = iwm_mvm_update_sta(sc, in);
4458 		if (error != 0) {
4459 			device_printf(sc->sc_dev,
4460 			    "%s: failed to update STA\n", __func__);
4461 			IWM_UNLOCK(sc);
4462 			IEEE80211_LOCK(ic);
4463 			return error;
4464 		}
4465 		in->in_assoc = 1;
4466 		error = iwm_mvm_mac_ctxt_changed(sc, vap);
4467 		if (error != 0) {
4468 			device_printf(sc->sc_dev,
4469 			    "%s: failed to update MAC: %d\n", __func__, error);
4470 		}
4471 
4472 		iwm_mvm_sf_update(sc, vap, FALSE);
4473 		iwm_mvm_enable_beacon_filter(sc, ivp);
4474 		iwm_mvm_power_update_mac(sc);
4475 		iwm_mvm_update_quotas(sc, ivp);
4476 		iwm_setrates(sc, in);
4477 
4478 		if ((error = iwm_mvm_send_lq_cmd(sc, &in->in_lq, TRUE)) != 0) {
4479 			device_printf(sc->sc_dev,
4480 			    "%s: IWM_LQ_CMD failed: %d\n", __func__, error);
4481 		}
4482 
4483 		iwm_mvm_led_enable(sc);
4484 		break;
4485 
4486 	default:
4487 		break;
4488 	}
4489 	IWM_UNLOCK(sc);
4490 	IEEE80211_LOCK(ic);
4491 
4492 	return (ivp->iv_newstate(vap, nstate, arg));
4493 }
4494 
4495 void
4496 iwm_endscan_cb(void *arg, int pending)
4497 {
4498 	struct iwm_softc *sc = arg;
4499 	struct ieee80211com *ic = &sc->sc_ic;
4500 
4501 	IWM_DPRINTF(sc, IWM_DEBUG_SCAN | IWM_DEBUG_TRACE,
4502 	    "%s: scan ended\n",
4503 	    __func__);
4504 
4505 	ieee80211_scan_done(TAILQ_FIRST(&ic->ic_vaps));
4506 }
4507 
4508 static int
4509 iwm_send_bt_init_conf(struct iwm_softc *sc)
4510 {
4511 	struct iwm_bt_coex_cmd bt_cmd;
4512 
4513 	bt_cmd.mode = htole32(IWM_BT_COEX_WIFI);
4514 	bt_cmd.enabled_modules = htole32(IWM_BT_COEX_HIGH_BAND_RET);
4515 
4516 	return iwm_mvm_send_cmd_pdu(sc, IWM_BT_CONFIG, 0, sizeof(bt_cmd),
4517 	    &bt_cmd);
4518 }
4519 
4520 static boolean_t
4521 iwm_mvm_is_lar_supported(struct iwm_softc *sc)
4522 {
4523 	boolean_t nvm_lar = sc->nvm_data->lar_enabled;
4524 	boolean_t tlv_lar = fw_has_capa(&sc->ucode_capa,
4525 					IWM_UCODE_TLV_CAPA_LAR_SUPPORT);
4526 
4527 	if (iwm_lar_disable)
4528 		return FALSE;
4529 
4530 	/*
4531 	 * Enable LAR only if it is supported by the FW (TLV) &&
4532 	 * enabled in the NVM
4533 	 */
4534 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000)
4535 		return nvm_lar && tlv_lar;
4536 	else
4537 		return tlv_lar;
4538 }
4539 
4540 static boolean_t
4541 iwm_mvm_is_wifi_mcc_supported(struct iwm_softc *sc)
4542 {
4543 	return fw_has_api(&sc->ucode_capa,
4544 			  IWM_UCODE_TLV_API_WIFI_MCC_UPDATE) ||
4545 	       fw_has_capa(&sc->ucode_capa,
4546 			   IWM_UCODE_TLV_CAPA_LAR_MULTI_MCC);
4547 }
4548 
4549 static int
4550 iwm_send_update_mcc_cmd(struct iwm_softc *sc, const char *alpha2)
4551 {
4552 	struct iwm_mcc_update_cmd mcc_cmd;
4553 	struct iwm_host_cmd hcmd = {
4554 		.id = IWM_MCC_UPDATE_CMD,
4555 		.flags = (IWM_CMD_SYNC | IWM_CMD_WANT_SKB),
4556 		.data = { &mcc_cmd },
4557 	};
4558 	int ret;
4559 #ifdef IWM_DEBUG
4560 	struct iwm_rx_packet *pkt;
4561 	struct iwm_mcc_update_resp_v1 *mcc_resp_v1 = NULL;
4562 	struct iwm_mcc_update_resp *mcc_resp;
4563 	int n_channels;
4564 	uint16_t mcc;
4565 #endif
4566 	int resp_v2 = fw_has_capa(&sc->ucode_capa,
4567 	    IWM_UCODE_TLV_CAPA_LAR_SUPPORT_V2);
4568 
4569 	if (!iwm_mvm_is_lar_supported(sc)) {
4570 		IWM_DPRINTF(sc, IWM_DEBUG_LAR, "%s: no LAR support\n",
4571 		    __func__);
4572 		return 0;
4573 	}
4574 
4575 	memset(&mcc_cmd, 0, sizeof(mcc_cmd));
4576 	mcc_cmd.mcc = htole16(alpha2[0] << 8 | alpha2[1]);
4577 	if (iwm_mvm_is_wifi_mcc_supported(sc))
4578 		mcc_cmd.source_id = IWM_MCC_SOURCE_GET_CURRENT;
4579 	else
4580 		mcc_cmd.source_id = IWM_MCC_SOURCE_OLD_FW;
4581 
4582 	if (resp_v2)
4583 		hcmd.len[0] = sizeof(struct iwm_mcc_update_cmd);
4584 	else
4585 		hcmd.len[0] = sizeof(struct iwm_mcc_update_cmd_v1);
4586 
4587 	IWM_DPRINTF(sc, IWM_DEBUG_LAR,
4588 	    "send MCC update to FW with '%c%c' src = %d\n",
4589 	    alpha2[0], alpha2[1], mcc_cmd.source_id);
4590 
4591 	ret = iwm_send_cmd(sc, &hcmd);
4592 	if (ret)
4593 		return ret;
4594 
4595 #ifdef IWM_DEBUG
4596 	pkt = hcmd.resp_pkt;
4597 
4598 	/* Extract MCC response */
4599 	if (resp_v2) {
4600 		mcc_resp = (void *)pkt->data;
4601 		mcc = mcc_resp->mcc;
4602 		n_channels =  le32toh(mcc_resp->n_channels);
4603 	} else {
4604 		mcc_resp_v1 = (void *)pkt->data;
4605 		mcc = mcc_resp_v1->mcc;
4606 		n_channels =  le32toh(mcc_resp_v1->n_channels);
4607 	}
4608 
4609 	/* W/A for a FW/NVM issue - returns 0x00 for the world domain */
4610 	if (mcc == 0)
4611 		mcc = 0x3030;  /* "00" - world */
4612 
4613 	IWM_DPRINTF(sc, IWM_DEBUG_LAR,
4614 	    "regulatory domain '%c%c' (%d channels available)\n",
4615 	    mcc >> 8, mcc & 0xff, n_channels);
4616 #endif
4617 	iwm_free_resp(sc, &hcmd);
4618 
4619 	return 0;
4620 }
4621 
4622 static void
4623 iwm_mvm_tt_tx_backoff(struct iwm_softc *sc, uint32_t backoff)
4624 {
4625 	struct iwm_host_cmd cmd = {
4626 		.id = IWM_REPLY_THERMAL_MNG_BACKOFF,
4627 		.len = { sizeof(uint32_t), },
4628 		.data = { &backoff, },
4629 	};
4630 
4631 	if (iwm_send_cmd(sc, &cmd) != 0) {
4632 		device_printf(sc->sc_dev,
4633 		    "failed to change thermal tx backoff\n");
4634 	}
4635 }
4636 
4637 static int
4638 iwm_init_hw(struct iwm_softc *sc)
4639 {
4640 	struct ieee80211com *ic = &sc->sc_ic;
4641 	int error, i, ac;
4642 
4643 	sc->sf_state = IWM_SF_UNINIT;
4644 
4645 	if ((error = iwm_start_hw(sc)) != 0) {
4646 		printf("iwm_start_hw: failed %d\n", error);
4647 		return error;
4648 	}
4649 
4650 	if ((error = iwm_run_init_mvm_ucode(sc, 0)) != 0) {
4651 		printf("iwm_run_init_mvm_ucode: failed %d\n", error);
4652 		return error;
4653 	}
4654 
4655 	/*
4656 	 * should stop and start HW since that INIT
4657 	 * image just loaded
4658 	 */
4659 	iwm_stop_device(sc);
4660 	sc->sc_ps_disabled = FALSE;
4661 	if ((error = iwm_start_hw(sc)) != 0) {
4662 		device_printf(sc->sc_dev, "could not initialize hardware\n");
4663 		return error;
4664 	}
4665 
4666 	/* omstart, this time with the regular firmware */
4667 	error = iwm_mvm_load_ucode_wait_alive(sc, IWM_UCODE_REGULAR);
4668 	if (error) {
4669 		device_printf(sc->sc_dev, "could not load firmware\n");
4670 		goto error;
4671 	}
4672 
4673 	error = iwm_mvm_sf_update(sc, NULL, FALSE);
4674 	if (error)
4675 		device_printf(sc->sc_dev, "Failed to initialize Smart Fifo\n");
4676 
4677 	if ((error = iwm_send_bt_init_conf(sc)) != 0) {
4678 		device_printf(sc->sc_dev, "bt init conf failed\n");
4679 		goto error;
4680 	}
4681 
4682 	error = iwm_send_tx_ant_cfg(sc, iwm_mvm_get_valid_tx_ant(sc));
4683 	if (error != 0) {
4684 		device_printf(sc->sc_dev, "antenna config failed\n");
4685 		goto error;
4686 	}
4687 
4688 	/* Send phy db control command and then phy db calibration */
4689 	if ((error = iwm_send_phy_db_data(sc->sc_phy_db)) != 0)
4690 		goto error;
4691 
4692 	if ((error = iwm_send_phy_cfg_cmd(sc)) != 0) {
4693 		device_printf(sc->sc_dev, "phy_cfg_cmd failed\n");
4694 		goto error;
4695 	}
4696 
4697 	/* Add auxiliary station for scanning */
4698 	if ((error = iwm_mvm_add_aux_sta(sc)) != 0) {
4699 		device_printf(sc->sc_dev, "add_aux_sta failed\n");
4700 		goto error;
4701 	}
4702 
4703 	for (i = 0; i < IWM_NUM_PHY_CTX; i++) {
4704 		/*
4705 		 * The channel used here isn't relevant as it's
4706 		 * going to be overwritten in the other flows.
4707 		 * For now use the first channel we have.
4708 		 */
4709 		if ((error = iwm_mvm_phy_ctxt_add(sc,
4710 		    &sc->sc_phyctxt[i], &ic->ic_channels[1], 1, 1)) != 0)
4711 			goto error;
4712 	}
4713 
4714 	/* Initialize tx backoffs to the minimum. */
4715 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_7000)
4716 		iwm_mvm_tt_tx_backoff(sc, 0);
4717 
4718 	error = iwm_mvm_power_update_device(sc);
4719 	if (error)
4720 		goto error;
4721 
4722 	if ((error = iwm_send_update_mcc_cmd(sc, "ZZ")) != 0)
4723 		goto error;
4724 
4725 	if (fw_has_capa(&sc->ucode_capa, IWM_UCODE_TLV_CAPA_UMAC_SCAN)) {
4726 		if ((error = iwm_mvm_config_umac_scan(sc)) != 0)
4727 			goto error;
4728 	}
4729 
4730 	/* Enable Tx queues. */
4731 	for (ac = 0; ac < WME_NUM_AC; ac++) {
4732 		error = iwm_enable_txq(sc, IWM_STATION_ID, ac,
4733 		    iwm_mvm_ac_to_tx_fifo[ac]);
4734 		if (error)
4735 			goto error;
4736 	}
4737 
4738 	if ((error = iwm_mvm_disable_beacon_filter(sc)) != 0) {
4739 		device_printf(sc->sc_dev, "failed to disable beacon filter\n");
4740 		goto error;
4741 	}
4742 
4743 	return 0;
4744 
4745  error:
4746 	iwm_stop_device(sc);
4747 	return error;
4748 }
4749 
4750 /* Allow multicast from our BSSID. */
4751 static int
4752 iwm_allow_mcast(struct ieee80211vap *vap, struct iwm_softc *sc)
4753 {
4754 	struct ieee80211_node *ni = vap->iv_bss;
4755 	struct iwm_mcast_filter_cmd *cmd;
4756 	size_t size;
4757 	int error;
4758 
4759 	size = roundup(sizeof(*cmd), 4);
4760 	cmd = malloc(size, M_DEVBUF, M_NOWAIT | M_ZERO);
4761 	if (cmd == NULL)
4762 		return ENOMEM;
4763 	cmd->filter_own = 1;
4764 	cmd->port_id = 0;
4765 	cmd->count = 0;
4766 	cmd->pass_all = 1;
4767 	IEEE80211_ADDR_COPY(cmd->bssid, ni->ni_bssid);
4768 
4769 	error = iwm_mvm_send_cmd_pdu(sc, IWM_MCAST_FILTER_CMD,
4770 	    IWM_CMD_SYNC, size, cmd);
4771 	free(cmd, M_DEVBUF);
4772 
4773 	return (error);
4774 }
4775 
4776 /*
4777  * ifnet interfaces
4778  */
4779 
4780 static void
4781 iwm_init(struct iwm_softc *sc)
4782 {
4783 	int error;
4784 
4785 	if (sc->sc_flags & IWM_FLAG_HW_INITED) {
4786 		return;
4787 	}
4788 	sc->sc_generation++;
4789 	sc->sc_flags &= ~IWM_FLAG_STOPPED;
4790 
4791 	if ((error = iwm_init_hw(sc)) != 0) {
4792 		printf("iwm_init_hw failed %d\n", error);
4793 		iwm_stop(sc);
4794 		return;
4795 	}
4796 
4797 	/*
4798 	 * Ok, firmware loaded and we are jogging
4799 	 */
4800 	sc->sc_flags |= IWM_FLAG_HW_INITED;
4801 	callout_reset(&sc->sc_watchdog_to, hz, iwm_watchdog, sc);
4802 }
4803 
4804 static int
4805 iwm_transmit(struct ieee80211com *ic, struct mbuf *m)
4806 {
4807 	struct iwm_softc *sc;
4808 	int error;
4809 
4810 	sc = ic->ic_softc;
4811 
4812 	IWM_LOCK(sc);
4813 	if ((sc->sc_flags & IWM_FLAG_HW_INITED) == 0) {
4814 		IWM_UNLOCK(sc);
4815 		return (ENXIO);
4816 	}
4817 	error = mbufq_enqueue(&sc->sc_snd, m);
4818 	if (error) {
4819 		IWM_UNLOCK(sc);
4820 		return (error);
4821 	}
4822 	iwm_start(sc);
4823 	IWM_UNLOCK(sc);
4824 	return (0);
4825 }
4826 
4827 /*
4828  * Dequeue packets from sendq and call send.
4829  */
4830 static void
4831 iwm_start(struct iwm_softc *sc)
4832 {
4833 	struct ieee80211_node *ni;
4834 	struct mbuf *m;
4835 	int ac = 0;
4836 
4837 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TRACE, "->%s\n", __func__);
4838 	while (sc->qfullmsk == 0 &&
4839 		(m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
4840 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
4841 		if (iwm_tx(sc, m, ni, ac) != 0) {
4842 			if_inc_counter(ni->ni_vap->iv_ifp,
4843 			    IFCOUNTER_OERRORS, 1);
4844 			ieee80211_free_node(ni);
4845 			continue;
4846 		}
4847 		sc->sc_tx_timer = 15;
4848 	}
4849 	IWM_DPRINTF(sc, IWM_DEBUG_XMIT | IWM_DEBUG_TRACE, "<-%s\n", __func__);
4850 }
4851 
4852 static void
4853 iwm_stop(struct iwm_softc *sc)
4854 {
4855 
4856 	sc->sc_flags &= ~IWM_FLAG_HW_INITED;
4857 	sc->sc_flags |= IWM_FLAG_STOPPED;
4858 	sc->sc_generation++;
4859 	iwm_led_blink_stop(sc);
4860 	sc->sc_tx_timer = 0;
4861 	iwm_stop_device(sc);
4862 	sc->sc_flags &= ~IWM_FLAG_SCAN_RUNNING;
4863 }
4864 
4865 static void
4866 iwm_watchdog(void *arg)
4867 {
4868 	struct iwm_softc *sc = arg;
4869 	struct ieee80211com *ic = &sc->sc_ic;
4870 
4871 	if (sc->sc_tx_timer > 0) {
4872 		if (--sc->sc_tx_timer == 0) {
4873 			device_printf(sc->sc_dev, "device timeout\n");
4874 #ifdef IWM_DEBUG
4875 			iwm_nic_error(sc);
4876 #endif
4877 			ieee80211_restart_all(ic);
4878 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
4879 			return;
4880 		}
4881 	}
4882 	callout_reset(&sc->sc_watchdog_to, hz, iwm_watchdog, sc);
4883 }
4884 
4885 static void
4886 iwm_parent(struct ieee80211com *ic)
4887 {
4888 	struct iwm_softc *sc = ic->ic_softc;
4889 	int startall = 0;
4890 
4891 	IWM_LOCK(sc);
4892 	if (ic->ic_nrunning > 0) {
4893 		if (!(sc->sc_flags & IWM_FLAG_HW_INITED)) {
4894 			iwm_init(sc);
4895 			startall = 1;
4896 		}
4897 	} else if (sc->sc_flags & IWM_FLAG_HW_INITED)
4898 		iwm_stop(sc);
4899 	IWM_UNLOCK(sc);
4900 	if (startall)
4901 		ieee80211_start_all(ic);
4902 }
4903 
4904 /*
4905  * The interrupt side of things
4906  */
4907 
4908 /*
4909  * error dumping routines are from iwlwifi/mvm/utils.c
4910  */
4911 
4912 /*
4913  * Note: This structure is read from the device with IO accesses,
4914  * and the reading already does the endian conversion. As it is
4915  * read with uint32_t-sized accesses, any members with a different size
4916  * need to be ordered correctly though!
4917  */
4918 struct iwm_error_event_table {
4919 	uint32_t valid;		/* (nonzero) valid, (0) log is empty */
4920 	uint32_t error_id;		/* type of error */
4921 	uint32_t trm_hw_status0;	/* TRM HW status */
4922 	uint32_t trm_hw_status1;	/* TRM HW status */
4923 	uint32_t blink2;		/* branch link */
4924 	uint32_t ilink1;		/* interrupt link */
4925 	uint32_t ilink2;		/* interrupt link */
4926 	uint32_t data1;		/* error-specific data */
4927 	uint32_t data2;		/* error-specific data */
4928 	uint32_t data3;		/* error-specific data */
4929 	uint32_t bcon_time;		/* beacon timer */
4930 	uint32_t tsf_low;		/* network timestamp function timer */
4931 	uint32_t tsf_hi;		/* network timestamp function timer */
4932 	uint32_t gp1;		/* GP1 timer register */
4933 	uint32_t gp2;		/* GP2 timer register */
4934 	uint32_t fw_rev_type;	/* firmware revision type */
4935 	uint32_t major;		/* uCode version major */
4936 	uint32_t minor;		/* uCode version minor */
4937 	uint32_t hw_ver;		/* HW Silicon version */
4938 	uint32_t brd_ver;		/* HW board version */
4939 	uint32_t log_pc;		/* log program counter */
4940 	uint32_t frame_ptr;		/* frame pointer */
4941 	uint32_t stack_ptr;		/* stack pointer */
4942 	uint32_t hcmd;		/* last host command header */
4943 	uint32_t isr0;		/* isr status register LMPM_NIC_ISR0:
4944 				 * rxtx_flag */
4945 	uint32_t isr1;		/* isr status register LMPM_NIC_ISR1:
4946 				 * host_flag */
4947 	uint32_t isr2;		/* isr status register LMPM_NIC_ISR2:
4948 				 * enc_flag */
4949 	uint32_t isr3;		/* isr status register LMPM_NIC_ISR3:
4950 				 * time_flag */
4951 	uint32_t isr4;		/* isr status register LMPM_NIC_ISR4:
4952 				 * wico interrupt */
4953 	uint32_t last_cmd_id;	/* last HCMD id handled by the firmware */
4954 	uint32_t wait_event;		/* wait event() caller address */
4955 	uint32_t l2p_control;	/* L2pControlField */
4956 	uint32_t l2p_duration;	/* L2pDurationField */
4957 	uint32_t l2p_mhvalid;	/* L2pMhValidBits */
4958 	uint32_t l2p_addr_match;	/* L2pAddrMatchStat */
4959 	uint32_t lmpm_pmg_sel;	/* indicate which clocks are turned on
4960 				 * (LMPM_PMG_SEL) */
4961 	uint32_t u_timestamp;	/* indicate when the date and time of the
4962 				 * compilation */
4963 	uint32_t flow_handler;	/* FH read/write pointers, RX credit */
4964 } __packed /* LOG_ERROR_TABLE_API_S_VER_3 */;
4965 
4966 /*
4967  * UMAC error struct - relevant starting from family 8000 chip.
4968  * Note: This structure is read from the device with IO accesses,
4969  * and the reading already does the endian conversion. As it is
4970  * read with u32-sized accesses, any members with a different size
4971  * need to be ordered correctly though!
4972  */
4973 struct iwm_umac_error_event_table {
4974 	uint32_t valid;		/* (nonzero) valid, (0) log is empty */
4975 	uint32_t error_id;	/* type of error */
4976 	uint32_t blink1;	/* branch link */
4977 	uint32_t blink2;	/* branch link */
4978 	uint32_t ilink1;	/* interrupt link */
4979 	uint32_t ilink2;	/* interrupt link */
4980 	uint32_t data1;		/* error-specific data */
4981 	uint32_t data2;		/* error-specific data */
4982 	uint32_t data3;		/* error-specific data */
4983 	uint32_t umac_major;
4984 	uint32_t umac_minor;
4985 	uint32_t frame_pointer;	/* core register 27*/
4986 	uint32_t stack_pointer;	/* core register 28 */
4987 	uint32_t cmd_header;	/* latest host cmd sent to UMAC */
4988 	uint32_t nic_isr_pref;	/* ISR status register */
4989 } __packed;
4990 
4991 #define ERROR_START_OFFSET  (1 * sizeof(uint32_t))
4992 #define ERROR_ELEM_SIZE     (7 * sizeof(uint32_t))
4993 
4994 #ifdef IWM_DEBUG
4995 struct {
4996 	const char *name;
4997 	uint8_t num;
4998 } advanced_lookup[] = {
4999 	{ "NMI_INTERRUPT_WDG", 0x34 },
5000 	{ "SYSASSERT", 0x35 },
5001 	{ "UCODE_VERSION_MISMATCH", 0x37 },
5002 	{ "BAD_COMMAND", 0x38 },
5003 	{ "NMI_INTERRUPT_DATA_ACTION_PT", 0x3C },
5004 	{ "FATAL_ERROR", 0x3D },
5005 	{ "NMI_TRM_HW_ERR", 0x46 },
5006 	{ "NMI_INTERRUPT_TRM", 0x4C },
5007 	{ "NMI_INTERRUPT_BREAK_POINT", 0x54 },
5008 	{ "NMI_INTERRUPT_WDG_RXF_FULL", 0x5C },
5009 	{ "NMI_INTERRUPT_WDG_NO_RBD_RXF_FULL", 0x64 },
5010 	{ "NMI_INTERRUPT_HOST", 0x66 },
5011 	{ "NMI_INTERRUPT_ACTION_PT", 0x7C },
5012 	{ "NMI_INTERRUPT_UNKNOWN", 0x84 },
5013 	{ "NMI_INTERRUPT_INST_ACTION_PT", 0x86 },
5014 	{ "ADVANCED_SYSASSERT", 0 },
5015 };
5016 
5017 static const char *
5018 iwm_desc_lookup(uint32_t num)
5019 {
5020 	int i;
5021 
5022 	for (i = 0; i < nitems(advanced_lookup) - 1; i++)
5023 		if (advanced_lookup[i].num == num)
5024 			return advanced_lookup[i].name;
5025 
5026 	/* No entry matches 'num', so it is the last: ADVANCED_SYSASSERT */
5027 	return advanced_lookup[i].name;
5028 }
5029 
5030 static void
5031 iwm_nic_umac_error(struct iwm_softc *sc)
5032 {
5033 	struct iwm_umac_error_event_table table;
5034 	uint32_t base;
5035 
5036 	base = sc->umac_error_event_table;
5037 
5038 	if (base < 0x800000) {
5039 		device_printf(sc->sc_dev, "Invalid error log pointer 0x%08x\n",
5040 		    base);
5041 		return;
5042 	}
5043 
5044 	if (iwm_read_mem(sc, base, &table, sizeof(table)/sizeof(uint32_t))) {
5045 		device_printf(sc->sc_dev, "reading errlog failed\n");
5046 		return;
5047 	}
5048 
5049 	if (ERROR_START_OFFSET <= table.valid * ERROR_ELEM_SIZE) {
5050 		device_printf(sc->sc_dev, "Start UMAC Error Log Dump:\n");
5051 		device_printf(sc->sc_dev, "Status: 0x%x, count: %d\n",
5052 		    sc->sc_flags, table.valid);
5053 	}
5054 
5055 	device_printf(sc->sc_dev, "0x%08X | %s\n", table.error_id,
5056 		iwm_desc_lookup(table.error_id));
5057 	device_printf(sc->sc_dev, "0x%08X | umac branchlink1\n", table.blink1);
5058 	device_printf(sc->sc_dev, "0x%08X | umac branchlink2\n", table.blink2);
5059 	device_printf(sc->sc_dev, "0x%08X | umac interruptlink1\n",
5060 	    table.ilink1);
5061 	device_printf(sc->sc_dev, "0x%08X | umac interruptlink2\n",
5062 	    table.ilink2);
5063 	device_printf(sc->sc_dev, "0x%08X | umac data1\n", table.data1);
5064 	device_printf(sc->sc_dev, "0x%08X | umac data2\n", table.data2);
5065 	device_printf(sc->sc_dev, "0x%08X | umac data3\n", table.data3);
5066 	device_printf(sc->sc_dev, "0x%08X | umac major\n", table.umac_major);
5067 	device_printf(sc->sc_dev, "0x%08X | umac minor\n", table.umac_minor);
5068 	device_printf(sc->sc_dev, "0x%08X | frame pointer\n",
5069 	    table.frame_pointer);
5070 	device_printf(sc->sc_dev, "0x%08X | stack pointer\n",
5071 	    table.stack_pointer);
5072 	device_printf(sc->sc_dev, "0x%08X | last host cmd\n", table.cmd_header);
5073 	device_printf(sc->sc_dev, "0x%08X | isr status reg\n",
5074 	    table.nic_isr_pref);
5075 }
5076 
5077 /*
5078  * Support for dumping the error log seemed like a good idea ...
5079  * but it's mostly hex junk and the only sensible thing is the
5080  * hw/ucode revision (which we know anyway).  Since it's here,
5081  * I'll just leave it in, just in case e.g. the Intel guys want to
5082  * help us decipher some "ADVANCED_SYSASSERT" later.
5083  */
5084 static void
5085 iwm_nic_error(struct iwm_softc *sc)
5086 {
5087 	struct iwm_error_event_table table;
5088 	uint32_t base;
5089 
5090 	device_printf(sc->sc_dev, "dumping device error log\n");
5091 	base = sc->error_event_table;
5092 	if (base < 0x800000) {
5093 		device_printf(sc->sc_dev,
5094 		    "Invalid error log pointer 0x%08x\n", base);
5095 		return;
5096 	}
5097 
5098 	if (iwm_read_mem(sc, base, &table, sizeof(table)/sizeof(uint32_t))) {
5099 		device_printf(sc->sc_dev, "reading errlog failed\n");
5100 		return;
5101 	}
5102 
5103 	if (!table.valid) {
5104 		device_printf(sc->sc_dev, "errlog not found, skipping\n");
5105 		return;
5106 	}
5107 
5108 	if (ERROR_START_OFFSET <= table.valid * ERROR_ELEM_SIZE) {
5109 		device_printf(sc->sc_dev, "Start Error Log Dump:\n");
5110 		device_printf(sc->sc_dev, "Status: 0x%x, count: %d\n",
5111 		    sc->sc_flags, table.valid);
5112 	}
5113 
5114 	device_printf(sc->sc_dev, "0x%08X | %-28s\n", table.error_id,
5115 	    iwm_desc_lookup(table.error_id));
5116 	device_printf(sc->sc_dev, "%08X | trm_hw_status0\n",
5117 	    table.trm_hw_status0);
5118 	device_printf(sc->sc_dev, "%08X | trm_hw_status1\n",
5119 	    table.trm_hw_status1);
5120 	device_printf(sc->sc_dev, "%08X | branchlink2\n", table.blink2);
5121 	device_printf(sc->sc_dev, "%08X | interruptlink1\n", table.ilink1);
5122 	device_printf(sc->sc_dev, "%08X | interruptlink2\n", table.ilink2);
5123 	device_printf(sc->sc_dev, "%08X | data1\n", table.data1);
5124 	device_printf(sc->sc_dev, "%08X | data2\n", table.data2);
5125 	device_printf(sc->sc_dev, "%08X | data3\n", table.data3);
5126 	device_printf(sc->sc_dev, "%08X | beacon time\n", table.bcon_time);
5127 	device_printf(sc->sc_dev, "%08X | tsf low\n", table.tsf_low);
5128 	device_printf(sc->sc_dev, "%08X | tsf hi\n", table.tsf_hi);
5129 	device_printf(sc->sc_dev, "%08X | time gp1\n", table.gp1);
5130 	device_printf(sc->sc_dev, "%08X | time gp2\n", table.gp2);
5131 	device_printf(sc->sc_dev, "%08X | uCode revision type\n",
5132 	    table.fw_rev_type);
5133 	device_printf(sc->sc_dev, "%08X | uCode version major\n", table.major);
5134 	device_printf(sc->sc_dev, "%08X | uCode version minor\n", table.minor);
5135 	device_printf(sc->sc_dev, "%08X | hw version\n", table.hw_ver);
5136 	device_printf(sc->sc_dev, "%08X | board version\n", table.brd_ver);
5137 	device_printf(sc->sc_dev, "%08X | hcmd\n", table.hcmd);
5138 	device_printf(sc->sc_dev, "%08X | isr0\n", table.isr0);
5139 	device_printf(sc->sc_dev, "%08X | isr1\n", table.isr1);
5140 	device_printf(sc->sc_dev, "%08X | isr2\n", table.isr2);
5141 	device_printf(sc->sc_dev, "%08X | isr3\n", table.isr3);
5142 	device_printf(sc->sc_dev, "%08X | isr4\n", table.isr4);
5143 	device_printf(sc->sc_dev, "%08X | last cmd Id\n", table.last_cmd_id);
5144 	device_printf(sc->sc_dev, "%08X | wait_event\n", table.wait_event);
5145 	device_printf(sc->sc_dev, "%08X | l2p_control\n", table.l2p_control);
5146 	device_printf(sc->sc_dev, "%08X | l2p_duration\n", table.l2p_duration);
5147 	device_printf(sc->sc_dev, "%08X | l2p_mhvalid\n", table.l2p_mhvalid);
5148 	device_printf(sc->sc_dev, "%08X | l2p_addr_match\n", table.l2p_addr_match);
5149 	device_printf(sc->sc_dev, "%08X | lmpm_pmg_sel\n", table.lmpm_pmg_sel);
5150 	device_printf(sc->sc_dev, "%08X | timestamp\n", table.u_timestamp);
5151 	device_printf(sc->sc_dev, "%08X | flow_handler\n", table.flow_handler);
5152 
5153 	if (sc->umac_error_event_table)
5154 		iwm_nic_umac_error(sc);
5155 }
5156 #endif
5157 
5158 static void
5159 iwm_handle_rxb(struct iwm_softc *sc, struct mbuf *m)
5160 {
5161 	struct ieee80211com *ic = &sc->sc_ic;
5162 	struct iwm_cmd_response *cresp;
5163 	struct mbuf *m1;
5164 	uint32_t offset = 0;
5165 	uint32_t maxoff = IWM_RBUF_SIZE;
5166 	uint32_t nextoff;
5167 	boolean_t stolen = FALSE;
5168 
5169 #define HAVEROOM(a)	\
5170     ((a) + sizeof(uint32_t) + sizeof(struct iwm_cmd_header) < maxoff)
5171 
5172 	while (HAVEROOM(offset)) {
5173 		struct iwm_rx_packet *pkt = mtodoff(m, struct iwm_rx_packet *,
5174 		    offset);
5175 		int qid, idx, code, len;
5176 
5177 		qid = pkt->hdr.qid;
5178 		idx = pkt->hdr.idx;
5179 
5180 		code = IWM_WIDE_ID(pkt->hdr.flags, pkt->hdr.code);
5181 
5182 		/*
5183 		 * randomly get these from the firmware, no idea why.
5184 		 * they at least seem harmless, so just ignore them for now
5185 		 */
5186 		if ((pkt->hdr.code == 0 && (qid & ~0x80) == 0 && idx == 0) ||
5187 		    pkt->len_n_flags == htole32(IWM_FH_RSCSR_FRAME_INVALID)) {
5188 			break;
5189 		}
5190 
5191 		IWM_DPRINTF(sc, IWM_DEBUG_INTR,
5192 		    "rx packet qid=%d idx=%d type=%x\n",
5193 		    qid & ~0x80, pkt->hdr.idx, code);
5194 
5195 		len = iwm_rx_packet_len(pkt);
5196 		len += sizeof(uint32_t); /* account for status word */
5197 		nextoff = offset + roundup2(len, IWM_FH_RSCSR_FRAME_ALIGN);
5198 
5199 		iwm_notification_wait_notify(sc->sc_notif_wait, code, pkt);
5200 
5201 		switch (code) {
5202 		case IWM_REPLY_RX_PHY_CMD:
5203 			iwm_mvm_rx_rx_phy_cmd(sc, pkt);
5204 			break;
5205 
5206 		case IWM_REPLY_RX_MPDU_CMD: {
5207 			/*
5208 			 * If this is the last frame in the RX buffer, we
5209 			 * can directly feed the mbuf to the sharks here.
5210 			 */
5211 			struct iwm_rx_packet *nextpkt = mtodoff(m,
5212 			    struct iwm_rx_packet *, nextoff);
5213 			if (!HAVEROOM(nextoff) ||
5214 			    (nextpkt->hdr.code == 0 &&
5215 			     (nextpkt->hdr.qid & ~0x80) == 0 &&
5216 			     nextpkt->hdr.idx == 0) ||
5217 			    (nextpkt->len_n_flags ==
5218 			     htole32(IWM_FH_RSCSR_FRAME_INVALID))) {
5219 				if (iwm_mvm_rx_rx_mpdu(sc, m, offset, stolen)) {
5220 					stolen = FALSE;
5221 					/* Make sure we abort the loop */
5222 					nextoff = maxoff;
5223 				}
5224 				break;
5225 			}
5226 
5227 			/*
5228 			 * Use m_copym instead of m_split, because that
5229 			 * makes it easier to keep a valid rx buffer in
5230 			 * the ring, when iwm_mvm_rx_rx_mpdu() fails.
5231 			 *
5232 			 * We need to start m_copym() at offset 0, to get the
5233 			 * M_PKTHDR flag preserved.
5234 			 */
5235 			m1 = m_copym(m, 0, M_COPYALL, M_NOWAIT);
5236 			if (m1) {
5237 				if (iwm_mvm_rx_rx_mpdu(sc, m1, offset, stolen))
5238 					stolen = TRUE;
5239 				else
5240 					m_freem(m1);
5241 			}
5242 			break;
5243 		}
5244 
5245 		case IWM_TX_CMD:
5246 			iwm_mvm_rx_tx_cmd(sc, pkt);
5247 			break;
5248 
5249 		case IWM_MISSED_BEACONS_NOTIFICATION: {
5250 			struct iwm_missed_beacons_notif *resp;
5251 			int missed;
5252 
5253 			/* XXX look at mac_id to determine interface ID */
5254 			struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5255 
5256 			resp = (void *)pkt->data;
5257 			missed = le32toh(resp->consec_missed_beacons);
5258 
5259 			IWM_DPRINTF(sc, IWM_DEBUG_BEACON | IWM_DEBUG_STATE,
5260 			    "%s: MISSED_BEACON: mac_id=%d, "
5261 			    "consec_since_last_rx=%d, consec=%d, num_expect=%d "
5262 			    "num_rx=%d\n",
5263 			    __func__,
5264 			    le32toh(resp->mac_id),
5265 			    le32toh(resp->consec_missed_beacons_since_last_rx),
5266 			    le32toh(resp->consec_missed_beacons),
5267 			    le32toh(resp->num_expected_beacons),
5268 			    le32toh(resp->num_recvd_beacons));
5269 
5270 			/* Be paranoid */
5271 			if (vap == NULL)
5272 				break;
5273 
5274 			/* XXX no net80211 locking? */
5275 			if (vap->iv_state == IEEE80211_S_RUN &&
5276 			    (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
5277 				if (missed > vap->iv_bmissthreshold) {
5278 					/* XXX bad locking; turn into task */
5279 					IWM_UNLOCK(sc);
5280 					ieee80211_beacon_miss(ic);
5281 					IWM_LOCK(sc);
5282 				}
5283 			}
5284 
5285 			break;
5286 		}
5287 
5288 		case IWM_MFUART_LOAD_NOTIFICATION:
5289 			break;
5290 
5291 		case IWM_MVM_ALIVE:
5292 			break;
5293 
5294 		case IWM_CALIB_RES_NOTIF_PHY_DB:
5295 			break;
5296 
5297 		case IWM_STATISTICS_NOTIFICATION:
5298 			iwm_mvm_handle_rx_statistics(sc, pkt);
5299 			break;
5300 
5301 		case IWM_NVM_ACCESS_CMD:
5302 		case IWM_MCC_UPDATE_CMD:
5303 			if (sc->sc_wantresp == (((qid & ~0x80) << 16) | idx)) {
5304 				memcpy(sc->sc_cmd_resp,
5305 				    pkt, sizeof(sc->sc_cmd_resp));
5306 			}
5307 			break;
5308 
5309 		case IWM_MCC_CHUB_UPDATE_CMD: {
5310 			struct iwm_mcc_chub_notif *notif;
5311 			notif = (void *)pkt->data;
5312 
5313 			sc->sc_fw_mcc[0] = (notif->mcc & 0xff00) >> 8;
5314 			sc->sc_fw_mcc[1] = notif->mcc & 0xff;
5315 			sc->sc_fw_mcc[2] = '\0';
5316 			IWM_DPRINTF(sc, IWM_DEBUG_LAR,
5317 			    "fw source %d sent CC '%s'\n",
5318 			    notif->source_id, sc->sc_fw_mcc);
5319 			break;
5320 		}
5321 
5322 		case IWM_DTS_MEASUREMENT_NOTIFICATION:
5323 		case IWM_WIDE_ID(IWM_PHY_OPS_GROUP,
5324 				 IWM_DTS_MEASUREMENT_NOTIF_WIDE): {
5325 			struct iwm_dts_measurement_notif_v1 *notif;
5326 
5327 			if (iwm_rx_packet_payload_len(pkt) < sizeof(*notif)) {
5328 				device_printf(sc->sc_dev,
5329 				    "Invalid DTS_MEASUREMENT_NOTIFICATION\n");
5330 				break;
5331 			}
5332 			notif = (void *)pkt->data;
5333 			IWM_DPRINTF(sc, IWM_DEBUG_TEMP,
5334 			    "IWM_DTS_MEASUREMENT_NOTIFICATION - %d\n",
5335 			    notif->temp);
5336 			break;
5337 		}
5338 
5339 		case IWM_PHY_CONFIGURATION_CMD:
5340 		case IWM_TX_ANT_CONFIGURATION_CMD:
5341 		case IWM_ADD_STA:
5342 		case IWM_MAC_CONTEXT_CMD:
5343 		case IWM_REPLY_SF_CFG_CMD:
5344 		case IWM_POWER_TABLE_CMD:
5345 		case IWM_PHY_CONTEXT_CMD:
5346 		case IWM_BINDING_CONTEXT_CMD:
5347 		case IWM_TIME_EVENT_CMD:
5348 		case IWM_WIDE_ID(IWM_ALWAYS_LONG_GROUP, IWM_SCAN_CFG_CMD):
5349 		case IWM_WIDE_ID(IWM_ALWAYS_LONG_GROUP, IWM_SCAN_REQ_UMAC):
5350 		case IWM_WIDE_ID(IWM_ALWAYS_LONG_GROUP, IWM_SCAN_ABORT_UMAC):
5351 		case IWM_SCAN_OFFLOAD_REQUEST_CMD:
5352 		case IWM_SCAN_OFFLOAD_ABORT_CMD:
5353 		case IWM_REPLY_BEACON_FILTERING_CMD:
5354 		case IWM_MAC_PM_POWER_TABLE:
5355 		case IWM_TIME_QUOTA_CMD:
5356 		case IWM_REMOVE_STA:
5357 		case IWM_TXPATH_FLUSH:
5358 		case IWM_LQ_CMD:
5359 		case IWM_WIDE_ID(IWM_ALWAYS_LONG_GROUP,
5360 				 IWM_FW_PAGING_BLOCK_CMD):
5361 		case IWM_BT_CONFIG:
5362 		case IWM_REPLY_THERMAL_MNG_BACKOFF:
5363 			cresp = (void *)pkt->data;
5364 			if (sc->sc_wantresp == (((qid & ~0x80) << 16) | idx)) {
5365 				memcpy(sc->sc_cmd_resp,
5366 				    pkt, sizeof(*pkt)+sizeof(*cresp));
5367 			}
5368 			break;
5369 
5370 		/* ignore */
5371 		case IWM_PHY_DB_CMD:
5372 			break;
5373 
5374 		case IWM_INIT_COMPLETE_NOTIF:
5375 			break;
5376 
5377 		case IWM_SCAN_OFFLOAD_COMPLETE:
5378 			iwm_mvm_rx_lmac_scan_complete_notif(sc, pkt);
5379 			if (sc->sc_flags & IWM_FLAG_SCAN_RUNNING) {
5380 				sc->sc_flags &= ~IWM_FLAG_SCAN_RUNNING;
5381 				ieee80211_runtask(ic, &sc->sc_es_task);
5382 			}
5383 			break;
5384 
5385 		case IWM_SCAN_ITERATION_COMPLETE: {
5386 			struct iwm_lmac_scan_complete_notif *notif;
5387 			notif = (void *)pkt->data;
5388 			break;
5389 		}
5390 
5391 		case IWM_SCAN_COMPLETE_UMAC:
5392 			iwm_mvm_rx_umac_scan_complete_notif(sc, pkt);
5393 			if (sc->sc_flags & IWM_FLAG_SCAN_RUNNING) {
5394 				sc->sc_flags &= ~IWM_FLAG_SCAN_RUNNING;
5395 				ieee80211_runtask(ic, &sc->sc_es_task);
5396 			}
5397 			break;
5398 
5399 		case IWM_SCAN_ITERATION_COMPLETE_UMAC: {
5400 			struct iwm_umac_scan_iter_complete_notif *notif;
5401 			notif = (void *)pkt->data;
5402 
5403 			IWM_DPRINTF(sc, IWM_DEBUG_SCAN, "UMAC scan iteration "
5404 			    "complete, status=0x%x, %d channels scanned\n",
5405 			    notif->status, notif->scanned_channels);
5406 			break;
5407 		}
5408 
5409 		case IWM_REPLY_ERROR: {
5410 			struct iwm_error_resp *resp;
5411 			resp = (void *)pkt->data;
5412 
5413 			device_printf(sc->sc_dev,
5414 			    "firmware error 0x%x, cmd 0x%x\n",
5415 			    le32toh(resp->error_type),
5416 			    resp->cmd_id);
5417 			break;
5418 		}
5419 
5420 		case IWM_TIME_EVENT_NOTIFICATION: {
5421 			struct iwm_time_event_notif *notif;
5422 			notif = (void *)pkt->data;
5423 
5424 			IWM_DPRINTF(sc, IWM_DEBUG_INTR,
5425 			    "TE notif status = 0x%x action = 0x%x\n",
5426 			    notif->status, notif->action);
5427 			break;
5428 		}
5429 
5430 		/*
5431 		 * Firmware versions 21 and 22 generate some DEBUG_LOG_MSG
5432 		 * messages. Just ignore them for now.
5433 		 */
5434 		case IWM_DEBUG_LOG_MSG:
5435 			break;
5436 
5437 		case IWM_MCAST_FILTER_CMD:
5438 			break;
5439 
5440 		case IWM_SCD_QUEUE_CFG: {
5441 			struct iwm_scd_txq_cfg_rsp *rsp;
5442 			rsp = (void *)pkt->data;
5443 
5444 			IWM_DPRINTF(sc, IWM_DEBUG_CMD,
5445 			    "queue cfg token=0x%x sta_id=%d "
5446 			    "tid=%d scd_queue=%d\n",
5447 			    rsp->token, rsp->sta_id, rsp->tid,
5448 			    rsp->scd_queue);
5449 			break;
5450 		}
5451 
5452 		default:
5453 			device_printf(sc->sc_dev,
5454 			    "frame %d/%d %x UNHANDLED (this should "
5455 			    "not happen)\n", qid & ~0x80, idx,
5456 			    pkt->len_n_flags);
5457 			break;
5458 		}
5459 
5460 		/*
5461 		 * Why test bit 0x80?  The Linux driver:
5462 		 *
5463 		 * There is one exception:  uCode sets bit 15 when it
5464 		 * originates the response/notification, i.e. when the
5465 		 * response/notification is not a direct response to a
5466 		 * command sent by the driver.  For example, uCode issues
5467 		 * IWM_REPLY_RX when it sends a received frame to the driver;
5468 		 * it is not a direct response to any driver command.
5469 		 *
5470 		 * Ok, so since when is 7 == 15?  Well, the Linux driver
5471 		 * uses a slightly different format for pkt->hdr, and "qid"
5472 		 * is actually the upper byte of a two-byte field.
5473 		 */
5474 		if (!(qid & (1 << 7)))
5475 			iwm_cmd_done(sc, pkt);
5476 
5477 		offset = nextoff;
5478 	}
5479 	if (stolen)
5480 		m_freem(m);
5481 #undef HAVEROOM
5482 }
5483 
5484 /*
5485  * Process an IWM_CSR_INT_BIT_FH_RX or IWM_CSR_INT_BIT_SW_RX interrupt.
5486  * Basic structure from if_iwn
5487  */
5488 static void
5489 iwm_notif_intr(struct iwm_softc *sc)
5490 {
5491 	uint16_t hw;
5492 
5493 	bus_dmamap_sync(sc->rxq.stat_dma.tag, sc->rxq.stat_dma.map,
5494 	    BUS_DMASYNC_POSTREAD);
5495 
5496 	hw = le16toh(sc->rxq.stat->closed_rb_num) & 0xfff;
5497 
5498 	/*
5499 	 * Process responses
5500 	 */
5501 	while (sc->rxq.cur != hw) {
5502 		struct iwm_rx_ring *ring = &sc->rxq;
5503 		struct iwm_rx_data *data = &ring->data[ring->cur];
5504 
5505 		bus_dmamap_sync(ring->data_dmat, data->map,
5506 		    BUS_DMASYNC_POSTREAD);
5507 
5508 		IWM_DPRINTF(sc, IWM_DEBUG_INTR,
5509 		    "%s: hw = %d cur = %d\n", __func__, hw, ring->cur);
5510 		iwm_handle_rxb(sc, data->m);
5511 
5512 		ring->cur = (ring->cur + 1) % IWM_RX_RING_COUNT;
5513 	}
5514 
5515 	/*
5516 	 * Tell the firmware that it can reuse the ring entries that
5517 	 * we have just processed.
5518 	 * Seems like the hardware gets upset unless we align
5519 	 * the write by 8??
5520 	 */
5521 	hw = (hw == 0) ? IWM_RX_RING_COUNT - 1 : hw - 1;
5522 	IWM_WRITE(sc, IWM_FH_RSCSR_CHNL0_WPTR, rounddown2(hw, 8));
5523 }
5524 
5525 static void
5526 iwm_intr(void *arg)
5527 {
5528 	struct iwm_softc *sc = arg;
5529 	int handled = 0;
5530 	int r1, r2, rv = 0;
5531 	int isperiodic = 0;
5532 
5533 	IWM_LOCK(sc);
5534 	IWM_WRITE(sc, IWM_CSR_INT_MASK, 0);
5535 
5536 	if (sc->sc_flags & IWM_FLAG_USE_ICT) {
5537 		uint32_t *ict = sc->ict_dma.vaddr;
5538 		int tmp;
5539 
5540 		tmp = htole32(ict[sc->ict_cur]);
5541 		if (!tmp)
5542 			goto out_ena;
5543 
5544 		/*
5545 		 * ok, there was something.  keep plowing until we have all.
5546 		 */
5547 		r1 = r2 = 0;
5548 		while (tmp) {
5549 			r1 |= tmp;
5550 			ict[sc->ict_cur] = 0;
5551 			sc->ict_cur = (sc->ict_cur+1) % IWM_ICT_COUNT;
5552 			tmp = htole32(ict[sc->ict_cur]);
5553 		}
5554 
5555 		/* this is where the fun begins.  don't ask */
5556 		if (r1 == 0xffffffff)
5557 			r1 = 0;
5558 
5559 		/* i am not expected to understand this */
5560 		if (r1 & 0xc0000)
5561 			r1 |= 0x8000;
5562 		r1 = (0xff & r1) | ((0xff00 & r1) << 16);
5563 	} else {
5564 		r1 = IWM_READ(sc, IWM_CSR_INT);
5565 		/* "hardware gone" (where, fishing?) */
5566 		if (r1 == 0xffffffff || (r1 & 0xfffffff0) == 0xa5a5a5a0)
5567 			goto out;
5568 		r2 = IWM_READ(sc, IWM_CSR_FH_INT_STATUS);
5569 	}
5570 	if (r1 == 0 && r2 == 0) {
5571 		goto out_ena;
5572 	}
5573 
5574 	IWM_WRITE(sc, IWM_CSR_INT, r1 | ~sc->sc_intmask);
5575 
5576 	/* Safely ignore these bits for debug checks below */
5577 	r1 &= ~(IWM_CSR_INT_BIT_ALIVE | IWM_CSR_INT_BIT_SCD);
5578 
5579 	if (r1 & IWM_CSR_INT_BIT_SW_ERR) {
5580 		int i;
5581 		struct ieee80211com *ic = &sc->sc_ic;
5582 		struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5583 
5584 #ifdef IWM_DEBUG
5585 		iwm_nic_error(sc);
5586 #endif
5587 		/* Dump driver status (TX and RX rings) while we're here. */
5588 		device_printf(sc->sc_dev, "driver status:\n");
5589 		for (i = 0; i < IWM_MVM_MAX_QUEUES; i++) {
5590 			struct iwm_tx_ring *ring = &sc->txq[i];
5591 			device_printf(sc->sc_dev,
5592 			    "  tx ring %2d: qid=%-2d cur=%-3d "
5593 			    "queued=%-3d\n",
5594 			    i, ring->qid, ring->cur, ring->queued);
5595 		}
5596 		device_printf(sc->sc_dev,
5597 		    "  rx ring: cur=%d\n", sc->rxq.cur);
5598 		device_printf(sc->sc_dev,
5599 		    "  802.11 state %d\n", (vap == NULL) ? -1 : vap->iv_state);
5600 
5601 		/* Don't stop the device; just do a VAP restart */
5602 		IWM_UNLOCK(sc);
5603 
5604 		if (vap == NULL) {
5605 			printf("%s: null vap\n", __func__);
5606 			return;
5607 		}
5608 
5609 		device_printf(sc->sc_dev, "%s: controller panicked, iv_state = %d; "
5610 		    "restarting\n", __func__, vap->iv_state);
5611 
5612 		ieee80211_restart_all(ic);
5613 		return;
5614 	}
5615 
5616 	if (r1 & IWM_CSR_INT_BIT_HW_ERR) {
5617 		handled |= IWM_CSR_INT_BIT_HW_ERR;
5618 		device_printf(sc->sc_dev, "hardware error, stopping device\n");
5619 		iwm_stop(sc);
5620 		rv = 1;
5621 		goto out;
5622 	}
5623 
5624 	/* firmware chunk loaded */
5625 	if (r1 & IWM_CSR_INT_BIT_FH_TX) {
5626 		IWM_WRITE(sc, IWM_CSR_FH_INT_STATUS, IWM_CSR_FH_INT_TX_MASK);
5627 		handled |= IWM_CSR_INT_BIT_FH_TX;
5628 		sc->sc_fw_chunk_done = 1;
5629 		wakeup(&sc->sc_fw);
5630 	}
5631 
5632 	if (r1 & IWM_CSR_INT_BIT_RF_KILL) {
5633 		handled |= IWM_CSR_INT_BIT_RF_KILL;
5634 		if (iwm_check_rfkill(sc)) {
5635 			device_printf(sc->sc_dev,
5636 			    "%s: rfkill switch, disabling interface\n",
5637 			    __func__);
5638 			iwm_stop(sc);
5639 		}
5640 	}
5641 
5642 	/*
5643 	 * The Linux driver uses periodic interrupts to avoid races.
5644 	 * We cargo-cult like it's going out of fashion.
5645 	 */
5646 	if (r1 & IWM_CSR_INT_BIT_RX_PERIODIC) {
5647 		handled |= IWM_CSR_INT_BIT_RX_PERIODIC;
5648 		IWM_WRITE(sc, IWM_CSR_INT, IWM_CSR_INT_BIT_RX_PERIODIC);
5649 		if ((r1 & (IWM_CSR_INT_BIT_FH_RX | IWM_CSR_INT_BIT_SW_RX)) == 0)
5650 			IWM_WRITE_1(sc,
5651 			    IWM_CSR_INT_PERIODIC_REG, IWM_CSR_INT_PERIODIC_DIS);
5652 		isperiodic = 1;
5653 	}
5654 
5655 	if ((r1 & (IWM_CSR_INT_BIT_FH_RX | IWM_CSR_INT_BIT_SW_RX)) || isperiodic) {
5656 		handled |= (IWM_CSR_INT_BIT_FH_RX | IWM_CSR_INT_BIT_SW_RX);
5657 		IWM_WRITE(sc, IWM_CSR_FH_INT_STATUS, IWM_CSR_FH_INT_RX_MASK);
5658 
5659 		iwm_notif_intr(sc);
5660 
5661 		/* enable periodic interrupt, see above */
5662 		if (r1 & (IWM_CSR_INT_BIT_FH_RX | IWM_CSR_INT_BIT_SW_RX) && !isperiodic)
5663 			IWM_WRITE_1(sc, IWM_CSR_INT_PERIODIC_REG,
5664 			    IWM_CSR_INT_PERIODIC_ENA);
5665 	}
5666 
5667 	if (__predict_false(r1 & ~handled))
5668 		IWM_DPRINTF(sc, IWM_DEBUG_INTR,
5669 		    "%s: unhandled interrupts: %x\n", __func__, r1);
5670 	rv = 1;
5671 
5672  out_ena:
5673 	iwm_restore_interrupts(sc);
5674  out:
5675 	IWM_UNLOCK(sc);
5676 	return;
5677 }
5678 
5679 /*
5680  * Autoconf glue-sniffing
5681  */
5682 #define	PCI_VENDOR_INTEL		0x8086
5683 #define	PCI_PRODUCT_INTEL_WL_3160_1	0x08b3
5684 #define	PCI_PRODUCT_INTEL_WL_3160_2	0x08b4
5685 #define	PCI_PRODUCT_INTEL_WL_3165_1	0x3165
5686 #define	PCI_PRODUCT_INTEL_WL_3165_2	0x3166
5687 #define	PCI_PRODUCT_INTEL_WL_3168_1	0x24fb
5688 #define	PCI_PRODUCT_INTEL_WL_7260_1	0x08b1
5689 #define	PCI_PRODUCT_INTEL_WL_7260_2	0x08b2
5690 #define	PCI_PRODUCT_INTEL_WL_7265_1	0x095a
5691 #define	PCI_PRODUCT_INTEL_WL_7265_2	0x095b
5692 #define	PCI_PRODUCT_INTEL_WL_8260_1	0x24f3
5693 #define	PCI_PRODUCT_INTEL_WL_8260_2	0x24f4
5694 #define	PCI_PRODUCT_INTEL_WL_8265_1	0x24fd
5695 
5696 static const struct iwm_devices {
5697 	uint16_t		device;
5698 	const struct iwm_cfg	*cfg;
5699 } iwm_devices[] = {
5700 	{ PCI_PRODUCT_INTEL_WL_3160_1, &iwm3160_cfg },
5701 	{ PCI_PRODUCT_INTEL_WL_3160_2, &iwm3160_cfg },
5702 	{ PCI_PRODUCT_INTEL_WL_3165_1, &iwm3165_cfg },
5703 	{ PCI_PRODUCT_INTEL_WL_3165_2, &iwm3165_cfg },
5704 	{ PCI_PRODUCT_INTEL_WL_3168_1, &iwm3168_cfg },
5705 	{ PCI_PRODUCT_INTEL_WL_7260_1, &iwm7260_cfg },
5706 	{ PCI_PRODUCT_INTEL_WL_7260_2, &iwm7260_cfg },
5707 	{ PCI_PRODUCT_INTEL_WL_7265_1, &iwm7265_cfg },
5708 	{ PCI_PRODUCT_INTEL_WL_7265_2, &iwm7265_cfg },
5709 	{ PCI_PRODUCT_INTEL_WL_8260_1, &iwm8260_cfg },
5710 	{ PCI_PRODUCT_INTEL_WL_8260_2, &iwm8260_cfg },
5711 	{ PCI_PRODUCT_INTEL_WL_8265_1, &iwm8265_cfg },
5712 };
5713 
5714 static int
5715 iwm_probe(device_t dev)
5716 {
5717 	int i;
5718 
5719 	for (i = 0; i < nitems(iwm_devices); i++) {
5720 		if (pci_get_vendor(dev) == PCI_VENDOR_INTEL &&
5721 		    pci_get_device(dev) == iwm_devices[i].device) {
5722 			device_set_desc(dev, iwm_devices[i].cfg->name);
5723 			return (BUS_PROBE_DEFAULT);
5724 		}
5725 	}
5726 
5727 	return (ENXIO);
5728 }
5729 
5730 static int
5731 iwm_dev_check(device_t dev)
5732 {
5733 	struct iwm_softc *sc;
5734 	uint16_t devid;
5735 	int i;
5736 
5737 	sc = device_get_softc(dev);
5738 
5739 	devid = pci_get_device(dev);
5740 	for (i = 0; i < nitems(iwm_devices); i++) {
5741 		if (iwm_devices[i].device == devid) {
5742 			sc->cfg = iwm_devices[i].cfg;
5743 			return (0);
5744 		}
5745 	}
5746 	device_printf(dev, "unknown adapter type\n");
5747 	return ENXIO;
5748 }
5749 
5750 /* PCI registers */
5751 #define PCI_CFG_RETRY_TIMEOUT	0x041
5752 
5753 static int
5754 iwm_pci_attach(device_t dev)
5755 {
5756 	struct iwm_softc *sc;
5757 	int count, error, rid;
5758 	uint16_t reg;
5759 
5760 	sc = device_get_softc(dev);
5761 
5762 	/* We disable the RETRY_TIMEOUT register (0x41) to keep
5763 	 * PCI Tx retries from interfering with C3 CPU state */
5764 	pci_write_config(dev, PCI_CFG_RETRY_TIMEOUT, 0x00, 1);
5765 
5766 	/* Enable bus-mastering and hardware bug workaround. */
5767 	pci_enable_busmaster(dev);
5768 	reg = pci_read_config(dev, PCIR_STATUS, sizeof(reg));
5769 	/* if !MSI */
5770 	if (reg & PCIM_STATUS_INTxSTATE) {
5771 		reg &= ~PCIM_STATUS_INTxSTATE;
5772 	}
5773 	pci_write_config(dev, PCIR_STATUS, reg, sizeof(reg));
5774 
5775 	rid = PCIR_BAR(0);
5776 	sc->sc_mem = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid,
5777 	    RF_ACTIVE);
5778 	if (sc->sc_mem == NULL) {
5779 		device_printf(sc->sc_dev, "can't map mem space\n");
5780 		return (ENXIO);
5781 	}
5782 	sc->sc_st = rman_get_bustag(sc->sc_mem);
5783 	sc->sc_sh = rman_get_bushandle(sc->sc_mem);
5784 
5785 	/* Install interrupt handler. */
5786 	count = 1;
5787 	rid = 0;
5788 	if (pci_alloc_msi(dev, &count) == 0)
5789 		rid = 1;
5790 	sc->sc_irq = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid, RF_ACTIVE |
5791 	    (rid != 0 ? 0 : RF_SHAREABLE));
5792 	if (sc->sc_irq == NULL) {
5793 		device_printf(dev, "can't map interrupt\n");
5794 			return (ENXIO);
5795 	}
5796 	error = bus_setup_intr(dev, sc->sc_irq, INTR_TYPE_NET | INTR_MPSAFE,
5797 	    NULL, iwm_intr, sc, &sc->sc_ih);
5798 	if (sc->sc_ih == NULL) {
5799 		device_printf(dev, "can't establish interrupt");
5800 			return (ENXIO);
5801 	}
5802 	sc->sc_dmat = bus_get_dma_tag(sc->sc_dev);
5803 
5804 	return (0);
5805 }
5806 
5807 static void
5808 iwm_pci_detach(device_t dev)
5809 {
5810 	struct iwm_softc *sc = device_get_softc(dev);
5811 
5812 	if (sc->sc_irq != NULL) {
5813 		bus_teardown_intr(dev, sc->sc_irq, sc->sc_ih);
5814 		bus_release_resource(dev, SYS_RES_IRQ,
5815 		    rman_get_rid(sc->sc_irq), sc->sc_irq);
5816 		pci_release_msi(dev);
5817         }
5818 	if (sc->sc_mem != NULL)
5819 		bus_release_resource(dev, SYS_RES_MEMORY,
5820 		    rman_get_rid(sc->sc_mem), sc->sc_mem);
5821 }
5822 
5823 
5824 
5825 static int
5826 iwm_attach(device_t dev)
5827 {
5828 	struct iwm_softc *sc = device_get_softc(dev);
5829 	struct ieee80211com *ic = &sc->sc_ic;
5830 	int error;
5831 	int txq_i, i;
5832 
5833 	sc->sc_dev = dev;
5834 	sc->sc_attached = 1;
5835 	IWM_LOCK_INIT(sc);
5836 	mbufq_init(&sc->sc_snd, ifqmaxlen);
5837 	callout_init_mtx(&sc->sc_watchdog_to, &sc->sc_mtx, 0);
5838 	callout_init_mtx(&sc->sc_led_blink_to, &sc->sc_mtx, 0);
5839 	TASK_INIT(&sc->sc_es_task, 0, iwm_endscan_cb, sc);
5840 
5841 	sc->sc_notif_wait = iwm_notification_wait_init(sc);
5842 	if (sc->sc_notif_wait == NULL) {
5843 		device_printf(dev, "failed to init notification wait struct\n");
5844 		goto fail;
5845 	}
5846 
5847 	sc->sf_state = IWM_SF_UNINIT;
5848 
5849 	/* Init phy db */
5850 	sc->sc_phy_db = iwm_phy_db_init(sc);
5851 	if (!sc->sc_phy_db) {
5852 		device_printf(dev, "Cannot init phy_db\n");
5853 		goto fail;
5854 	}
5855 
5856 	/* Set EBS as successful as long as not stated otherwise by the FW. */
5857 	sc->last_ebs_successful = TRUE;
5858 
5859 	/* PCI attach */
5860 	error = iwm_pci_attach(dev);
5861 	if (error != 0)
5862 		goto fail;
5863 
5864 	sc->sc_wantresp = -1;
5865 
5866 	/* Check device type */
5867 	error = iwm_dev_check(dev);
5868 	if (error != 0)
5869 		goto fail;
5870 
5871 	sc->sc_hw_rev = IWM_READ(sc, IWM_CSR_HW_REV);
5872 	/*
5873 	 * In the 8000 HW family the format of the 4 bytes of CSR_HW_REV have
5874 	 * changed, and now the revision step also includes bit 0-1 (no more
5875 	 * "dash" value). To keep hw_rev backwards compatible - we'll store it
5876 	 * in the old format.
5877 	 */
5878 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000)
5879 		sc->sc_hw_rev = (sc->sc_hw_rev & 0xfff0) |
5880 				(IWM_CSR_HW_REV_STEP(sc->sc_hw_rev << 2) << 2);
5881 
5882 	if (iwm_prepare_card_hw(sc) != 0) {
5883 		device_printf(dev, "could not initialize hardware\n");
5884 		goto fail;
5885 	}
5886 
5887 	if (sc->cfg->device_family == IWM_DEVICE_FAMILY_8000) {
5888 		int ret;
5889 		uint32_t hw_step;
5890 
5891 		/*
5892 		 * In order to recognize C step the driver should read the
5893 		 * chip version id located at the AUX bus MISC address.
5894 		 */
5895 		IWM_SETBITS(sc, IWM_CSR_GP_CNTRL,
5896 			    IWM_CSR_GP_CNTRL_REG_FLAG_INIT_DONE);
5897 		DELAY(2);
5898 
5899 		ret = iwm_poll_bit(sc, IWM_CSR_GP_CNTRL,
5900 				   IWM_CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY,
5901 				   IWM_CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY,
5902 				   25000);
5903 		if (!ret) {
5904 			device_printf(sc->sc_dev,
5905 			    "Failed to wake up the nic\n");
5906 			goto fail;
5907 		}
5908 
5909 		if (iwm_nic_lock(sc)) {
5910 			hw_step = iwm_read_prph(sc, IWM_WFPM_CTRL_REG);
5911 			hw_step |= IWM_ENABLE_WFPM;
5912 			iwm_write_prph(sc, IWM_WFPM_CTRL_REG, hw_step);
5913 			hw_step = iwm_read_prph(sc, IWM_AUX_MISC_REG);
5914 			hw_step = (hw_step >> IWM_HW_STEP_LOCATION_BITS) & 0xF;
5915 			if (hw_step == 0x3)
5916 				sc->sc_hw_rev = (sc->sc_hw_rev & 0xFFFFFFF3) |
5917 						(IWM_SILICON_C_STEP << 2);
5918 			iwm_nic_unlock(sc);
5919 		} else {
5920 			device_printf(sc->sc_dev, "Failed to lock the nic\n");
5921 			goto fail;
5922 		}
5923 	}
5924 
5925 	/* special-case 7265D, it has the same PCI IDs. */
5926 	if (sc->cfg == &iwm7265_cfg &&
5927 	    (sc->sc_hw_rev & IWM_CSR_HW_REV_TYPE_MSK) == IWM_CSR_HW_REV_TYPE_7265D) {
5928 		sc->cfg = &iwm7265d_cfg;
5929 	}
5930 
5931 	/* Allocate DMA memory for firmware transfers. */
5932 	if ((error = iwm_alloc_fwmem(sc)) != 0) {
5933 		device_printf(dev, "could not allocate memory for firmware\n");
5934 		goto fail;
5935 	}
5936 
5937 	/* Allocate "Keep Warm" page. */
5938 	if ((error = iwm_alloc_kw(sc)) != 0) {
5939 		device_printf(dev, "could not allocate keep warm page\n");
5940 		goto fail;
5941 	}
5942 
5943 	/* We use ICT interrupts */
5944 	if ((error = iwm_alloc_ict(sc)) != 0) {
5945 		device_printf(dev, "could not allocate ICT table\n");
5946 		goto fail;
5947 	}
5948 
5949 	/* Allocate TX scheduler "rings". */
5950 	if ((error = iwm_alloc_sched(sc)) != 0) {
5951 		device_printf(dev, "could not allocate TX scheduler rings\n");
5952 		goto fail;
5953 	}
5954 
5955 	/* Allocate TX rings */
5956 	for (txq_i = 0; txq_i < nitems(sc->txq); txq_i++) {
5957 		if ((error = iwm_alloc_tx_ring(sc,
5958 		    &sc->txq[txq_i], txq_i)) != 0) {
5959 			device_printf(dev,
5960 			    "could not allocate TX ring %d\n",
5961 			    txq_i);
5962 			goto fail;
5963 		}
5964 	}
5965 
5966 	/* Allocate RX ring. */
5967 	if ((error = iwm_alloc_rx_ring(sc, &sc->rxq)) != 0) {
5968 		device_printf(dev, "could not allocate RX ring\n");
5969 		goto fail;
5970 	}
5971 
5972 	/* Clear pending interrupts. */
5973 	IWM_WRITE(sc, IWM_CSR_INT, 0xffffffff);
5974 
5975 	ic->ic_softc = sc;
5976 	ic->ic_name = device_get_nameunit(sc->sc_dev);
5977 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
5978 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
5979 
5980 	/* Set device capabilities. */
5981 	ic->ic_caps =
5982 	    IEEE80211_C_STA |
5983 	    IEEE80211_C_WPA |		/* WPA/RSN */
5984 	    IEEE80211_C_WME |
5985 	    IEEE80211_C_PMGT |
5986 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
5987 	    IEEE80211_C_SHPREAMBLE	/* short preamble supported */
5988 //	    IEEE80211_C_BGSCAN		/* capable of bg scanning */
5989 	    ;
5990 	/* Advertise full-offload scanning */
5991 	ic->ic_flags_ext = IEEE80211_FEXT_SCAN_OFFLOAD;
5992 	for (i = 0; i < nitems(sc->sc_phyctxt); i++) {
5993 		sc->sc_phyctxt[i].id = i;
5994 		sc->sc_phyctxt[i].color = 0;
5995 		sc->sc_phyctxt[i].ref = 0;
5996 		sc->sc_phyctxt[i].channel = NULL;
5997 	}
5998 
5999 	/* Default noise floor */
6000 	sc->sc_noise = -96;
6001 
6002 	/* Max RSSI */
6003 	sc->sc_max_rssi = IWM_MAX_DBM - IWM_MIN_DBM;
6004 
6005 	sc->sc_preinit_hook.ich_func = iwm_preinit;
6006 	sc->sc_preinit_hook.ich_arg = sc;
6007 	if (config_intrhook_establish(&sc->sc_preinit_hook) != 0) {
6008 		device_printf(dev, "config_intrhook_establish failed\n");
6009 		goto fail;
6010 	}
6011 
6012 #ifdef IWM_DEBUG
6013 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
6014 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO, "debug",
6015 	    CTLFLAG_RW, &sc->sc_debug, 0, "control debugging");
6016 #endif
6017 
6018 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_TRACE,
6019 	    "<-%s\n", __func__);
6020 
6021 	return 0;
6022 
6023 	/* Free allocated memory if something failed during attachment. */
6024 fail:
6025 	iwm_detach_local(sc, 0);
6026 
6027 	return ENXIO;
6028 }
6029 
6030 static int
6031 iwm_is_valid_ether_addr(uint8_t *addr)
6032 {
6033 	char zero_addr[IEEE80211_ADDR_LEN] = { 0, 0, 0, 0, 0, 0 };
6034 
6035 	if ((addr[0] & 1) || IEEE80211_ADDR_EQ(zero_addr, addr))
6036 		return (FALSE);
6037 
6038 	return (TRUE);
6039 }
6040 
6041 static int
6042 iwm_wme_update(struct ieee80211com *ic)
6043 {
6044 #define IWM_EXP2(x)	((1 << (x)) - 1)	/* CWmin = 2^ECWmin - 1 */
6045 	struct iwm_softc *sc = ic->ic_softc;
6046 	struct chanAccParams chp;
6047 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
6048 	struct iwm_vap *ivp = IWM_VAP(vap);
6049 	struct iwm_node *in;
6050 	struct wmeParams tmp[WME_NUM_AC];
6051 	int aci, error;
6052 
6053 	if (vap == NULL)
6054 		return (0);
6055 
6056 	ieee80211_wme_ic_getparams(ic, &chp);
6057 
6058 	IEEE80211_LOCK(ic);
6059 	for (aci = 0; aci < WME_NUM_AC; aci++)
6060 		tmp[aci] = chp.cap_wmeParams[aci];
6061 	IEEE80211_UNLOCK(ic);
6062 
6063 	IWM_LOCK(sc);
6064 	for (aci = 0; aci < WME_NUM_AC; aci++) {
6065 		const struct wmeParams *ac = &tmp[aci];
6066 		ivp->queue_params[aci].aifsn = ac->wmep_aifsn;
6067 		ivp->queue_params[aci].cw_min = IWM_EXP2(ac->wmep_logcwmin);
6068 		ivp->queue_params[aci].cw_max = IWM_EXP2(ac->wmep_logcwmax);
6069 		ivp->queue_params[aci].edca_txop =
6070 		    IEEE80211_TXOP_TO_US(ac->wmep_txopLimit);
6071 	}
6072 	ivp->have_wme = TRUE;
6073 	if (ivp->is_uploaded && vap->iv_bss != NULL) {
6074 		in = IWM_NODE(vap->iv_bss);
6075 		if (in->in_assoc) {
6076 			if ((error = iwm_mvm_mac_ctxt_changed(sc, vap)) != 0) {
6077 				device_printf(sc->sc_dev,
6078 				    "%s: failed to update MAC\n", __func__);
6079 			}
6080 		}
6081 	}
6082 	IWM_UNLOCK(sc);
6083 
6084 	return (0);
6085 #undef IWM_EXP2
6086 }
6087 
6088 static void
6089 iwm_preinit(void *arg)
6090 {
6091 	struct iwm_softc *sc = arg;
6092 	device_t dev = sc->sc_dev;
6093 	struct ieee80211com *ic = &sc->sc_ic;
6094 	int error;
6095 
6096 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_TRACE,
6097 	    "->%s\n", __func__);
6098 
6099 	IWM_LOCK(sc);
6100 	if ((error = iwm_start_hw(sc)) != 0) {
6101 		device_printf(dev, "could not initialize hardware\n");
6102 		IWM_UNLOCK(sc);
6103 		goto fail;
6104 	}
6105 
6106 	error = iwm_run_init_mvm_ucode(sc, 1);
6107 	iwm_stop_device(sc);
6108 	if (error) {
6109 		IWM_UNLOCK(sc);
6110 		goto fail;
6111 	}
6112 	device_printf(dev,
6113 	    "hw rev 0x%x, fw ver %s, address %s\n",
6114 	    sc->sc_hw_rev & IWM_CSR_HW_REV_TYPE_MSK,
6115 	    sc->sc_fwver, ether_sprintf(sc->nvm_data->hw_addr));
6116 
6117 	/* not all hardware can do 5GHz band */
6118 	if (!sc->nvm_data->sku_cap_band_52GHz_enable)
6119 		memset(&ic->ic_sup_rates[IEEE80211_MODE_11A], 0,
6120 		    sizeof(ic->ic_sup_rates[IEEE80211_MODE_11A]));
6121 	IWM_UNLOCK(sc);
6122 
6123 	iwm_init_channel_map(ic, IEEE80211_CHAN_MAX, &ic->ic_nchans,
6124 	    ic->ic_channels);
6125 
6126 	/*
6127 	 * At this point we've committed - if we fail to do setup,
6128 	 * we now also have to tear down the net80211 state.
6129 	 */
6130 	ieee80211_ifattach(ic);
6131 	ic->ic_vap_create = iwm_vap_create;
6132 	ic->ic_vap_delete = iwm_vap_delete;
6133 	ic->ic_raw_xmit = iwm_raw_xmit;
6134 	ic->ic_node_alloc = iwm_node_alloc;
6135 	ic->ic_scan_start = iwm_scan_start;
6136 	ic->ic_scan_end = iwm_scan_end;
6137 	ic->ic_update_mcast = iwm_update_mcast;
6138 	ic->ic_getradiocaps = iwm_init_channel_map;
6139 	ic->ic_set_channel = iwm_set_channel;
6140 	ic->ic_scan_curchan = iwm_scan_curchan;
6141 	ic->ic_scan_mindwell = iwm_scan_mindwell;
6142 	ic->ic_wme.wme_update = iwm_wme_update;
6143 	ic->ic_parent = iwm_parent;
6144 	ic->ic_transmit = iwm_transmit;
6145 	iwm_radiotap_attach(sc);
6146 	if (bootverbose)
6147 		ieee80211_announce(ic);
6148 
6149 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_TRACE,
6150 	    "<-%s\n", __func__);
6151 	config_intrhook_disestablish(&sc->sc_preinit_hook);
6152 
6153 	return;
6154 fail:
6155 	config_intrhook_disestablish(&sc->sc_preinit_hook);
6156 	iwm_detach_local(sc, 0);
6157 }
6158 
6159 /*
6160  * Attach the interface to 802.11 radiotap.
6161  */
6162 static void
6163 iwm_radiotap_attach(struct iwm_softc *sc)
6164 {
6165         struct ieee80211com *ic = &sc->sc_ic;
6166 
6167 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_TRACE,
6168 	    "->%s begin\n", __func__);
6169         ieee80211_radiotap_attach(ic,
6170             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
6171                 IWM_TX_RADIOTAP_PRESENT,
6172             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
6173                 IWM_RX_RADIOTAP_PRESENT);
6174 	IWM_DPRINTF(sc, IWM_DEBUG_RESET | IWM_DEBUG_TRACE,
6175 	    "->%s end\n", __func__);
6176 }
6177 
6178 static struct ieee80211vap *
6179 iwm_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
6180     enum ieee80211_opmode opmode, int flags,
6181     const uint8_t bssid[IEEE80211_ADDR_LEN],
6182     const uint8_t mac[IEEE80211_ADDR_LEN])
6183 {
6184 	struct iwm_vap *ivp;
6185 	struct ieee80211vap *vap;
6186 
6187 	if (!TAILQ_EMPTY(&ic->ic_vaps))         /* only one at a time */
6188 		return NULL;
6189 	ivp = malloc(sizeof(struct iwm_vap), M_80211_VAP, M_WAITOK | M_ZERO);
6190 	vap = &ivp->iv_vap;
6191 	ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid);
6192 	vap->iv_bmissthreshold = 10;            /* override default */
6193 	/* Override with driver methods. */
6194 	ivp->iv_newstate = vap->iv_newstate;
6195 	vap->iv_newstate = iwm_newstate;
6196 
6197 	ivp->id = IWM_DEFAULT_MACID;
6198 	ivp->color = IWM_DEFAULT_COLOR;
6199 
6200 	ivp->have_wme = FALSE;
6201 	ivp->ps_disabled = FALSE;
6202 
6203 	ieee80211_ratectl_init(vap);
6204 	/* Complete setup. */
6205 	ieee80211_vap_attach(vap, iwm_media_change, ieee80211_media_status,
6206 	    mac);
6207 	ic->ic_opmode = opmode;
6208 
6209 	return vap;
6210 }
6211 
6212 static void
6213 iwm_vap_delete(struct ieee80211vap *vap)
6214 {
6215 	struct iwm_vap *ivp = IWM_VAP(vap);
6216 
6217 	ieee80211_ratectl_deinit(vap);
6218 	ieee80211_vap_detach(vap);
6219 	free(ivp, M_80211_VAP);
6220 }
6221 
6222 static void
6223 iwm_xmit_queue_drain(struct iwm_softc *sc)
6224 {
6225 	struct mbuf *m;
6226 	struct ieee80211_node *ni;
6227 
6228 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
6229 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
6230 		ieee80211_free_node(ni);
6231 		m_freem(m);
6232 	}
6233 }
6234 
6235 static void
6236 iwm_scan_start(struct ieee80211com *ic)
6237 {
6238 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
6239 	struct iwm_softc *sc = ic->ic_softc;
6240 	int error;
6241 
6242 	IWM_LOCK(sc);
6243 	if (sc->sc_flags & IWM_FLAG_SCAN_RUNNING) {
6244 		/* This should not be possible */
6245 		device_printf(sc->sc_dev,
6246 		    "%s: Previous scan not completed yet\n", __func__);
6247 	}
6248 	if (fw_has_capa(&sc->ucode_capa, IWM_UCODE_TLV_CAPA_UMAC_SCAN))
6249 		error = iwm_mvm_umac_scan(sc);
6250 	else
6251 		error = iwm_mvm_lmac_scan(sc);
6252 	if (error != 0) {
6253 		device_printf(sc->sc_dev, "could not initiate scan\n");
6254 		IWM_UNLOCK(sc);
6255 		ieee80211_cancel_scan(vap);
6256 	} else {
6257 		sc->sc_flags |= IWM_FLAG_SCAN_RUNNING;
6258 		iwm_led_blink_start(sc);
6259 		IWM_UNLOCK(sc);
6260 	}
6261 }
6262 
6263 static void
6264 iwm_scan_end(struct ieee80211com *ic)
6265 {
6266 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
6267 	struct iwm_softc *sc = ic->ic_softc;
6268 
6269 	IWM_LOCK(sc);
6270 	iwm_led_blink_stop(sc);
6271 	if (vap->iv_state == IEEE80211_S_RUN)
6272 		iwm_mvm_led_enable(sc);
6273 	if (sc->sc_flags & IWM_FLAG_SCAN_RUNNING) {
6274 		/*
6275 		 * Removing IWM_FLAG_SCAN_RUNNING now, is fine because
6276 		 * both iwm_scan_end and iwm_scan_start run in the ic->ic_tq
6277 		 * taskqueue.
6278 		 */
6279 		sc->sc_flags &= ~IWM_FLAG_SCAN_RUNNING;
6280 		iwm_mvm_scan_stop_wait(sc);
6281 	}
6282 	IWM_UNLOCK(sc);
6283 
6284 	/*
6285 	 * Make sure we don't race, if sc_es_task is still enqueued here.
6286 	 * This is to make sure that it won't call ieee80211_scan_done
6287 	 * when we have already started the next scan.
6288 	 */
6289 	taskqueue_cancel(ic->ic_tq, &sc->sc_es_task, NULL);
6290 }
6291 
6292 static void
6293 iwm_update_mcast(struct ieee80211com *ic)
6294 {
6295 }
6296 
6297 static void
6298 iwm_set_channel(struct ieee80211com *ic)
6299 {
6300 }
6301 
6302 static void
6303 iwm_scan_curchan(struct ieee80211_scan_state *ss, unsigned long maxdwell)
6304 {
6305 }
6306 
6307 static void
6308 iwm_scan_mindwell(struct ieee80211_scan_state *ss)
6309 {
6310 	return;
6311 }
6312 
6313 void
6314 iwm_init_task(void *arg1)
6315 {
6316 	struct iwm_softc *sc = arg1;
6317 
6318 	IWM_LOCK(sc);
6319 	while (sc->sc_flags & IWM_FLAG_BUSY)
6320 		msleep(&sc->sc_flags, &sc->sc_mtx, 0, "iwmpwr", 0);
6321 	sc->sc_flags |= IWM_FLAG_BUSY;
6322 	iwm_stop(sc);
6323 	if (sc->sc_ic.ic_nrunning > 0)
6324 		iwm_init(sc);
6325 	sc->sc_flags &= ~IWM_FLAG_BUSY;
6326 	wakeup(&sc->sc_flags);
6327 	IWM_UNLOCK(sc);
6328 }
6329 
6330 static int
6331 iwm_resume(device_t dev)
6332 {
6333 	struct iwm_softc *sc = device_get_softc(dev);
6334 	int do_reinit = 0;
6335 
6336 	/*
6337 	 * We disable the RETRY_TIMEOUT register (0x41) to keep
6338 	 * PCI Tx retries from interfering with C3 CPU state.
6339 	 */
6340 	pci_write_config(dev, PCI_CFG_RETRY_TIMEOUT, 0x00, 1);
6341 	iwm_init_task(device_get_softc(dev));
6342 
6343 	IWM_LOCK(sc);
6344 	if (sc->sc_flags & IWM_FLAG_SCANNING) {
6345 		sc->sc_flags &= ~IWM_FLAG_SCANNING;
6346 		do_reinit = 1;
6347 	}
6348 	IWM_UNLOCK(sc);
6349 
6350 	if (do_reinit)
6351 		ieee80211_resume_all(&sc->sc_ic);
6352 
6353 	return 0;
6354 }
6355 
6356 static int
6357 iwm_suspend(device_t dev)
6358 {
6359 	int do_stop = 0;
6360 	struct iwm_softc *sc = device_get_softc(dev);
6361 
6362 	do_stop = !! (sc->sc_ic.ic_nrunning > 0);
6363 
6364 	ieee80211_suspend_all(&sc->sc_ic);
6365 
6366 	if (do_stop) {
6367 		IWM_LOCK(sc);
6368 		iwm_stop(sc);
6369 		sc->sc_flags |= IWM_FLAG_SCANNING;
6370 		IWM_UNLOCK(sc);
6371 	}
6372 
6373 	return (0);
6374 }
6375 
6376 static int
6377 iwm_detach_local(struct iwm_softc *sc, int do_net80211)
6378 {
6379 	struct iwm_fw_info *fw = &sc->sc_fw;
6380 	device_t dev = sc->sc_dev;
6381 	int i;
6382 
6383 	if (!sc->sc_attached)
6384 		return 0;
6385 	sc->sc_attached = 0;
6386 
6387 	if (do_net80211)
6388 		ieee80211_draintask(&sc->sc_ic, &sc->sc_es_task);
6389 
6390 	callout_drain(&sc->sc_led_blink_to);
6391 	callout_drain(&sc->sc_watchdog_to);
6392 	iwm_stop_device(sc);
6393 	if (do_net80211) {
6394 		IWM_LOCK(sc);
6395 		iwm_xmit_queue_drain(sc);
6396 		IWM_UNLOCK(sc);
6397 		ieee80211_ifdetach(&sc->sc_ic);
6398 	}
6399 
6400 	iwm_phy_db_free(sc->sc_phy_db);
6401 	sc->sc_phy_db = NULL;
6402 
6403 	iwm_free_nvm_data(sc->nvm_data);
6404 
6405 	/* Free descriptor rings */
6406 	iwm_free_rx_ring(sc, &sc->rxq);
6407 	for (i = 0; i < nitems(sc->txq); i++)
6408 		iwm_free_tx_ring(sc, &sc->txq[i]);
6409 
6410 	/* Free firmware */
6411 	if (fw->fw_fp != NULL)
6412 		iwm_fw_info_free(fw);
6413 
6414 	/* Free scheduler */
6415 	iwm_dma_contig_free(&sc->sched_dma);
6416 	iwm_dma_contig_free(&sc->ict_dma);
6417 	iwm_dma_contig_free(&sc->kw_dma);
6418 	iwm_dma_contig_free(&sc->fw_dma);
6419 
6420 	iwm_free_fw_paging(sc);
6421 
6422 	/* Finished with the hardware - detach things */
6423 	iwm_pci_detach(dev);
6424 
6425 	if (sc->sc_notif_wait != NULL) {
6426 		iwm_notification_wait_free(sc->sc_notif_wait);
6427 		sc->sc_notif_wait = NULL;
6428 	}
6429 
6430 	IWM_LOCK_DESTROY(sc);
6431 
6432 	return (0);
6433 }
6434 
6435 static int
6436 iwm_detach(device_t dev)
6437 {
6438 	struct iwm_softc *sc = device_get_softc(dev);
6439 
6440 	return (iwm_detach_local(sc, 1));
6441 }
6442 
6443 static device_method_t iwm_pci_methods[] = {
6444         /* Device interface */
6445         DEVMETHOD(device_probe,         iwm_probe),
6446         DEVMETHOD(device_attach,        iwm_attach),
6447         DEVMETHOD(device_detach,        iwm_detach),
6448         DEVMETHOD(device_suspend,       iwm_suspend),
6449         DEVMETHOD(device_resume,        iwm_resume),
6450 
6451         DEVMETHOD_END
6452 };
6453 
6454 static driver_t iwm_pci_driver = {
6455         "iwm",
6456         iwm_pci_methods,
6457         sizeof (struct iwm_softc)
6458 };
6459 
6460 static devclass_t iwm_devclass;
6461 
6462 DRIVER_MODULE(iwm, pci, iwm_pci_driver, iwm_devclass, NULL, NULL);
6463 MODULE_PNP_INFO("U16:device;P:#;T:vendor=0x8086", pci, iwm_pci_driver,
6464     iwm_devices, nitems(iwm_devices));
6465 MODULE_DEPEND(iwm, firmware, 1, 1, 1);
6466 MODULE_DEPEND(iwm, pci, 1, 1, 1);
6467 MODULE_DEPEND(iwm, wlan, 1, 1, 1);
6468