xref: /freebsd/sys/dev/mwl/if_mwl.c (revision 96474d2a3fa895fb9636183403fc8ca7ccf60216)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting
5  * Copyright (c) 2007-2008 Marvell Semiconductor, Inc.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer,
13  *    without modification.
14  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
15  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
16  *    redistribution must be conditioned upon including a substantially
17  *    similar Disclaimer requirement for further binary redistribution.
18  *
19  * NO WARRANTY
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
23  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
24  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
25  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
28  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGES.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 /*
37  * Driver for the Marvell 88W8363 Wireless LAN controller.
38  */
39 
40 #include "opt_inet.h"
41 #include "opt_mwl.h"
42 #include "opt_wlan.h"
43 
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/sysctl.h>
47 #include <sys/mbuf.h>
48 #include <sys/malloc.h>
49 #include <sys/lock.h>
50 #include <sys/mutex.h>
51 #include <sys/kernel.h>
52 #include <sys/socket.h>
53 #include <sys/sockio.h>
54 #include <sys/errno.h>
55 #include <sys/callout.h>
56 #include <sys/bus.h>
57 #include <sys/endian.h>
58 #include <sys/kthread.h>
59 #include <sys/taskqueue.h>
60 
61 #include <machine/bus.h>
62 
63 #include <net/if.h>
64 #include <net/if_var.h>
65 #include <net/if_dl.h>
66 #include <net/if_media.h>
67 #include <net/if_types.h>
68 #include <net/if_arp.h>
69 #include <net/ethernet.h>
70 #include <net/if_llc.h>
71 
72 #include <net/bpf.h>
73 
74 #include <net80211/ieee80211_var.h>
75 #include <net80211/ieee80211_input.h>
76 #include <net80211/ieee80211_regdomain.h>
77 
78 #ifdef INET
79 #include <netinet/in.h>
80 #include <netinet/if_ether.h>
81 #endif /* INET */
82 
83 #include <dev/mwl/if_mwlvar.h>
84 #include <dev/mwl/mwldiag.h>
85 
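/*
 * Idiomatic field shorthands.  For a field mask named x, the matching
 * shift count must be named x_S (it is formed by token pasting, so x
 * has to be a plain identifier).
 *   MS(v, x): mask v with x, then shift right by x_S (extract a field)
 *   SM(v, x): shift v left by x_S, then mask with x (place a field)
 * The mask is parenthesized so that a mask macro defined as an
 * unparenthesized expression cannot regroup the arithmetic.
 */
#define	MS(v,x)	(((v) & (x)) >> x##_S)
#define	SM(v,x)	(((v) << x##_S) & (x))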
89 
90 static struct ieee80211vap *mwl_vap_create(struct ieee80211com *,
91 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
92 		    const uint8_t [IEEE80211_ADDR_LEN],
93 		    const uint8_t [IEEE80211_ADDR_LEN]);
94 static void	mwl_vap_delete(struct ieee80211vap *);
95 static int	mwl_setupdma(struct mwl_softc *);
96 static int	mwl_hal_reset(struct mwl_softc *sc);
97 static int	mwl_init(struct mwl_softc *);
98 static void	mwl_parent(struct ieee80211com *);
99 static int	mwl_reset(struct ieee80211vap *, u_long);
100 static void	mwl_stop(struct mwl_softc *);
101 static void	mwl_start(struct mwl_softc *);
102 static int	mwl_transmit(struct ieee80211com *, struct mbuf *);
103 static int	mwl_raw_xmit(struct ieee80211_node *, struct mbuf *,
104 			const struct ieee80211_bpf_params *);
105 static int	mwl_media_change(struct ifnet *);
106 static void	mwl_watchdog(void *);
107 static int	mwl_ioctl(struct ieee80211com *, u_long, void *);
108 static void	mwl_radar_proc(void *, int);
109 static void	mwl_chanswitch_proc(void *, int);
110 static void	mwl_bawatchdog_proc(void *, int);
111 static int	mwl_key_alloc(struct ieee80211vap *,
112 			struct ieee80211_key *,
113 			ieee80211_keyix *, ieee80211_keyix *);
114 static int	mwl_key_delete(struct ieee80211vap *,
115 			const struct ieee80211_key *);
116 static int	mwl_key_set(struct ieee80211vap *,
117 			const struct ieee80211_key *);
118 static int	_mwl_key_set(struct ieee80211vap *,
119 			const struct ieee80211_key *,
120 			const uint8_t mac[IEEE80211_ADDR_LEN]);
121 static int	mwl_mode_init(struct mwl_softc *);
122 static void	mwl_update_mcast(struct ieee80211com *);
123 static void	mwl_update_promisc(struct ieee80211com *);
124 static void	mwl_updateslot(struct ieee80211com *);
125 static int	mwl_beacon_setup(struct ieee80211vap *);
126 static void	mwl_beacon_update(struct ieee80211vap *, int);
127 #ifdef MWL_HOST_PS_SUPPORT
128 static void	mwl_update_ps(struct ieee80211vap *, int);
129 static int	mwl_set_tim(struct ieee80211_node *, int);
130 #endif
131 static int	mwl_dma_setup(struct mwl_softc *);
132 static void	mwl_dma_cleanup(struct mwl_softc *);
133 static struct ieee80211_node *mwl_node_alloc(struct ieee80211vap *,
134 		    const uint8_t [IEEE80211_ADDR_LEN]);
135 static void	mwl_node_cleanup(struct ieee80211_node *);
136 static void	mwl_node_drain(struct ieee80211_node *);
137 static void	mwl_node_getsignal(const struct ieee80211_node *,
138 			int8_t *, int8_t *);
139 static void	mwl_node_getmimoinfo(const struct ieee80211_node *,
140 			struct ieee80211_mimo_info *);
141 static int	mwl_rxbuf_init(struct mwl_softc *, struct mwl_rxbuf *);
142 static void	mwl_rx_proc(void *, int);
143 static void	mwl_txq_init(struct mwl_softc *sc, struct mwl_txq *, int);
144 static int	mwl_tx_setup(struct mwl_softc *, int, int);
145 static int	mwl_wme_update(struct ieee80211com *);
146 static void	mwl_tx_cleanupq(struct mwl_softc *, struct mwl_txq *);
147 static void	mwl_tx_cleanup(struct mwl_softc *);
148 static uint16_t	mwl_calcformat(uint8_t rate, const struct ieee80211_node *);
149 static int	mwl_tx_start(struct mwl_softc *, struct ieee80211_node *,
150 			     struct mwl_txbuf *, struct mbuf *);
151 static void	mwl_tx_proc(void *, int);
152 static int	mwl_chan_set(struct mwl_softc *, struct ieee80211_channel *);
153 static void	mwl_draintxq(struct mwl_softc *);
154 static void	mwl_cleartxq(struct mwl_softc *, struct ieee80211vap *);
155 static int	mwl_recv_action(struct ieee80211_node *,
156 			const struct ieee80211_frame *,
157 			const uint8_t *, const uint8_t *);
158 static int	mwl_addba_request(struct ieee80211_node *,
159 			struct ieee80211_tx_ampdu *, int dialogtoken,
160 			int baparamset, int batimeout);
161 static int	mwl_addba_response(struct ieee80211_node *,
162 			struct ieee80211_tx_ampdu *, int status,
163 			int baparamset, int batimeout);
164 static void	mwl_addba_stop(struct ieee80211_node *,
165 			struct ieee80211_tx_ampdu *);
166 static int	mwl_startrecv(struct mwl_softc *);
167 static MWL_HAL_APMODE mwl_getapmode(const struct ieee80211vap *,
168 			struct ieee80211_channel *);
169 static int	mwl_setapmode(struct ieee80211vap *, struct ieee80211_channel*);
170 static void	mwl_scan_start(struct ieee80211com *);
171 static void	mwl_scan_end(struct ieee80211com *);
172 static void	mwl_set_channel(struct ieee80211com *);
173 static int	mwl_peerstadb(struct ieee80211_node *,
174 			int aid, int staid, MWL_HAL_PEERINFO *pi);
175 static int	mwl_localstadb(struct ieee80211vap *);
176 static int	mwl_newstate(struct ieee80211vap *, enum ieee80211_state, int);
177 static int	allocstaid(struct mwl_softc *sc, int aid);
178 static void	delstaid(struct mwl_softc *sc, int staid);
179 static void	mwl_newassoc(struct ieee80211_node *, int);
180 static void	mwl_agestations(void *);
181 static int	mwl_setregdomain(struct ieee80211com *,
182 			struct ieee80211_regdomain *, int,
183 			struct ieee80211_channel []);
184 static void	mwl_getradiocaps(struct ieee80211com *, int, int *,
185 			struct ieee80211_channel []);
186 static int	mwl_getchannels(struct mwl_softc *);
187 
188 static void	mwl_sysctlattach(struct mwl_softc *);
189 static void	mwl_announce(struct mwl_softc *);
190 
/* Root of the hw.mwl sysctl tree; the knobs below are attached to it. */
SYSCTL_NODE(_hw, OID_AUTO, mwl, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
    "Marvell driver parameters");

/*
 * NOTE(review): every knob below is a plain int exported with SYSCTL_INT,
 * so nothing here rejects zero, negative or very large values.  The code
 * that consumes them is outside this part of the file; confirm that it
 * range-checks them before sizing allocations or loop bounds.
 */

/* Number of rx descriptors to allocate (writable at runtime only). */
static int mwl_rxdesc = MWL_RXDESC;
SYSCTL_INT(_hw_mwl, OID_AUTO, rxdesc, CTLFLAG_RW, &mwl_rxdesc, 0,
    "rx descriptors allocated");

/* Number of rx buffers to allocate (runtime knob and loader tunable). */
static int mwl_rxbuf = MWL_RXBUF;
SYSCTL_INT(_hw_mwl, OID_AUTO, rxbuf, CTLFLAG_RWTUN, &mwl_rxbuf, 0,
    "rx buffers allocated");

/* Number of tx buffers to allocate. */
static int mwl_txbuf = MWL_TXBUF;
SYSCTL_INT(_hw_mwl, OID_AUTO, txbuf, CTLFLAG_RWTUN, &mwl_txbuf, 0,
    "tx buffers allocated");

/* Number of tx packets to queue before poking the firmware. */
static int mwl_txcoalesce = 8;
SYSCTL_INT(_hw_mwl, OID_AUTO, txcoalesce, CTLFLAG_RWTUN, &mwl_txcoalesce, 0,
    "tx buffers to send at once");

/* Maximum number of rx buffers to process per interrupt. */
static int mwl_rxquota = MWL_RXBUF;
SYSCTL_INT(_hw_mwl, OID_AUTO, rxquota, CTLFLAG_RWTUN, &mwl_rxquota, 0,
    "max rx buffers to process per interrupt");

/* Minimum number of free rx buffers before traffic is restarted. */
static int mwl_rxdmalow = 3;
SYSCTL_INT(_hw_mwl, OID_AUTO, rxdmalow, CTLFLAG_RWTUN, &mwl_rxdmalow, 0,
    "min free rx buffers before restarting traffic");
212 
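#ifdef MWL_DEBUG
/* Debug category mask exported as hw.mwl.debug; bits are MWL_DEBUG_*. */
static	int mwl_debug = 0;
SYSCTL_INT(_hw_mwl, OID_AUTO, debug, CTLFLAG_RWTUN, &mwl_debug,
	    0, "control debugging printfs");
enum {
	MWL_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
	MWL_DEBUG_XMIT_DESC	= 0x00000002,	/* xmit descriptors */
	MWL_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
	MWL_DEBUG_RECV_DESC	= 0x00000008,	/* recv descriptors */
	MWL_DEBUG_RESET		= 0x00000010,	/* reset processing */
	MWL_DEBUG_BEACON 	= 0x00000020,	/* beacon handling */
	MWL_DEBUG_INTR		= 0x00000040,	/* ISR */
	MWL_DEBUG_TX_PROC	= 0x00000080,	/* tx ISR proc */
	MWL_DEBUG_RX_PROC	= 0x00000100,	/* rx ISR proc */
	MWL_DEBUG_KEYCACHE	= 0x00000200,	/* key cache management */
	MWL_DEBUG_STATE		= 0x00000400,	/* 802.11 state transitions */
	MWL_DEBUG_NODE		= 0x00000800,	/* node management */
	MWL_DEBUG_RECV_ALL	= 0x00001000,	/* trace all frames (beacons) */
	MWL_DEBUG_TSO		= 0x00002000,	/* TSO processing */
	MWL_DEBUG_AMPDU		= 0x00004000,	/* BA stream handling */
	MWL_DEBUG_ANY		= 0xffffffff
};
/*
 * NB: the macro parameters below are parenthesized at each use so that
 * an argument which is an expression (a cast, &obj, a conditional)
 * binds as one operand.
 */
/* True when the frame control field of wh marks a management beacon. */
#define	IS_BEACON(wh) \
    (((wh)->i_fc[0] & (IEEE80211_FC0_TYPE_MASK|IEEE80211_FC0_SUBTYPE_MASK)) == \
	 (IEEE80211_FC0_TYPE_MGT|IEEE80211_FC0_SUBTYPE_BEACON))
/* Dump received frames; beacons only when MWL_DEBUG_RECV_ALL is also set. */
#define	IFF_DUMPPKTS_RECV(sc, wh) \
    (((sc)->sc_debug & MWL_DEBUG_RECV) && \
      (((sc)->sc_debug & MWL_DEBUG_RECV_ALL) || !IS_BEACON(wh)))
#define	IFF_DUMPPKTS_XMIT(sc) \
	((sc)->sc_debug & MWL_DEBUG_XMIT)

/* printf when any category bit in m is enabled in sc->sc_debug. */
#define	DPRINTF(sc, m, fmt, ...) do {				\
	if ((sc)->sc_debug & (m))				\
		printf(fmt, __VA_ARGS__);			\
} while (0)
/* Print a key cache entry when MWL_DEBUG_KEYCACHE is enabled. */
#define	KEYPRINTF(sc, hk, mac) do {				\
	if ((sc)->sc_debug & MWL_DEBUG_KEYCACHE)		\
		mwl_keyprint(sc, __func__, hk, mac);		\
} while (0)
static	void mwl_printrxbuf(const struct mwl_rxbuf *bf, u_int ix);
static	void mwl_printtxbuf(const struct mwl_txbuf *bf, u_int qnum, u_int ix);
#else
/* Non-debug build: the predicates are constant 0 and the printers no-ops. */
#define	IFF_DUMPPKTS_RECV(sc, wh)	0
#define	IFF_DUMPPKTS_XMIT(sc)		0
#define	DPRINTF(sc, m, fmt, ...)	do { (void)(sc); } while (0)
#define	KEYPRINTF(sc, k, mac)		do { (void)(sc); } while (0)
#endif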
260 
/* malloc(9) type used for the driver's DMA buffers. */
static MALLOC_DEFINE(M_MWLDEV, "mwldev", "mwl driver dma buffers");

/*
 * Fixed front matter that precedes every packet: a 2-byte payload
 * length followed by a 4-address 802.11 header.  The header is always
 * the 4-address form, whatever the frame's actual header is, and never
 * carries a QoS header.  The payload follows this record.
 */
struct mwltxrec {
	uint16_t			fwlen;	/* 2-byte payload length */
	struct ieee80211_frame_addr4	wh;	/* 4-address 802.11 header */
} __packed;
273 
274 /*
275  * Read/Write shorthands for accesses to BAR 0.  Note
276  * that all BAR 1 operations are done in the "hal" and
277  * there should be no reference to them here.
278  */
279 #ifdef MWL_DEBUG
/* Read the 32-bit BAR 0 register at offset off (debug builds only). */
static __inline uint32_t
RD4(struct mwl_softc *sc, bus_size_t off)
{
	uint32_t val;

	val = bus_space_read_4(sc->sc_io0t, sc->sc_io0h, off);
	return (val);
}
285 #endif
286 
/* Write the 32-bit value val to the BAR 0 register at offset off. */
static __inline void
WR4(struct mwl_softc *sc, bus_size_t off, uint32_t val)
{

	bus_space_write_4(sc->sc_io0t, sc->sc_io0h, off, val);
}
292 
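/*
 * Attach one device instance: attach the HAL, load firmware, fetch the
 * hardware specs and channel list, set up DMA, the taskqueue and the
 * transmit queues, then register with net80211 and install the driver
 * methods.
 *
 * Returns 0 on success or an errno value.  On failure the resources
 * released by the bad* labels are undone and sc_invalid is set so the
 * interrupt handler ignores the device.
 *
 * NOTE(review): sc_invalid is cleared before the taskqueue exists and
 * mwl_intr() enqueues onto sc_tq.  Whether an interrupt can be delivered
 * that early depends on the bus glue, which is not visible here; confirm.
 */
int
mwl_attach(uint16_t devid, struct mwl_softc *sc)
{
	struct ieee80211com *ic = &sc->sc_ic;
	struct mwl_hal *mh;
	int error = 0;

	DPRINTF(sc, MWL_DEBUG_ANY, "%s: devid 0x%x\n", __func__, devid);

	/*
	 * Setup the RX free list lock early, so it can be consistently
	 * removed.
	 */
	MWL_RXFREE_INIT(sc);

	mh = mwl_hal_attach(sc->sc_dev, devid,
	    sc->sc_io1h, sc->sc_io1t, sc->sc_dmat);
	if (mh == NULL) {
		device_printf(sc->sc_dev, "unable to attach HAL\n");
		error = EIO;
		goto bad;
	}
	sc->sc_mh = mh;
	/*
	 * Load firmware so we can get setup.  We arbitrarily
	 * pick station firmware; we'll re-load firmware as
	 * needed so setting up the wrong mode isn't a big deal.
	 */
	if (mwl_hal_fwload(mh, NULL) != 0) {
		device_printf(sc->sc_dev, "unable to setup builtin firmware\n");
		error = EIO;
		goto bad1;
	}
	if (mwl_hal_gethwspecs(mh, &sc->sc_hwspecs) != 0) {
		device_printf(sc->sc_dev, "unable to fetch h/w specs\n");
		error = EIO;
		goto bad1;
	}
	error = mwl_getchannels(sc);
	if (error != 0)
		goto bad1;

	sc->sc_txantenna = 0;		/* h/w default */
	sc->sc_rxantenna = 0;		/* h/w default */
	sc->sc_invalid = 0;		/* ready to go, enable int handling */
	sc->sc_ageinterval = MWL_AGEINTERVAL;

	/*
	 * Allocate tx+rx descriptors and populate the lists.
	 * We immediately push the information to the firmware
	 * as otherwise it gets upset.
	 */
	error = mwl_dma_setup(sc);
	if (error != 0) {
		device_printf(sc->sc_dev, "failed to setup descriptors: %d\n",
		    error);
		goto bad1;
	}
	error = mwl_setupdma(sc);	/* push to firmware */
	if (error != 0)			/* NB: mwl_setupdma prints msg */
		goto bad2;		/* descriptors exist now; release them */

	callout_init(&sc->sc_timer, 1);
	callout_init_mtx(&sc->sc_watchdog, &sc->sc_mtx, 0);
	mbufq_init(&sc->sc_snd, ifqmaxlen);

	/*
	 * NB: M_NOWAIT means the allocation can fail; check before
	 * taskqueue_start_threads() dereferences the handle.
	 */
	sc->sc_tq = taskqueue_create("mwl_taskq", M_NOWAIT,
		taskqueue_thread_enqueue, &sc->sc_tq);
	if (sc->sc_tq == NULL) {
		device_printf(sc->sc_dev, "unable to create taskqueue\n");
		error = ENOMEM;
		goto bad2;
	}
	/* NOTE(review): the return value of this call is not checked. */
	taskqueue_start_threads(&sc->sc_tq, 1, PI_NET,
		"%s taskq", device_get_nameunit(sc->sc_dev));

	NET_TASK_INIT(&sc->sc_rxtask, 0, mwl_rx_proc, sc);
	TASK_INIT(&sc->sc_radartask, 0, mwl_radar_proc, sc);
	TASK_INIT(&sc->sc_chanswitchtask, 0, mwl_chanswitch_proc, sc);
	TASK_INIT(&sc->sc_bawatchdogtask, 0, mwl_bawatchdog_proc, sc);

	/* NB: insure BK queue is the lowest priority h/w queue */
	if (!mwl_tx_setup(sc, WME_AC_BK, MWL_WME_AC_BK)) {
		device_printf(sc->sc_dev,
		    "unable to setup xmit queue for %s traffic!\n",
		     ieee80211_wme_acnames[WME_AC_BK]);
		error = EIO;
		/*
		 * NOTE(review): the taskqueue created above is not freed
		 * on this path; confirm whether the caller reclaims it.
		 */
		goto bad2;
	}
	if (!mwl_tx_setup(sc, WME_AC_BE, MWL_WME_AC_BE) ||
	    !mwl_tx_setup(sc, WME_AC_VI, MWL_WME_AC_VI) ||
	    !mwl_tx_setup(sc, WME_AC_VO, MWL_WME_AC_VO)) {
		/*
		 * Not enough hardware tx queues to properly do WME;
		 * just punt and assign them all to the same h/w queue.
		 * We could do a better job of this if, for example,
		 * we allocate queues when we switch from station to
		 * AP mode.
		 */
		if (sc->sc_ac2q[WME_AC_VI] != NULL)
			mwl_tx_cleanupq(sc, sc->sc_ac2q[WME_AC_VI]);
		if (sc->sc_ac2q[WME_AC_BE] != NULL)
			mwl_tx_cleanupq(sc, sc->sc_ac2q[WME_AC_BE]);
		sc->sc_ac2q[WME_AC_BE] = sc->sc_ac2q[WME_AC_BK];
		sc->sc_ac2q[WME_AC_VI] = sc->sc_ac2q[WME_AC_BK];
		sc->sc_ac2q[WME_AC_VO] = sc->sc_ac2q[WME_AC_BK];
	}
	TASK_INIT(&sc->sc_txtask, 0, mwl_tx_proc, sc);

	ic->ic_softc = sc;
	ic->ic_name = device_get_nameunit(sc->sc_dev);
	/* XXX not right but it's not used anywhere important */
	ic->ic_phytype = IEEE80211_T_OFDM;
	ic->ic_opmode = IEEE80211_M_STA;
	ic->ic_caps =
		  IEEE80211_C_STA		/* station mode supported */
		| IEEE80211_C_HOSTAP		/* hostap mode */
		| IEEE80211_C_MONITOR		/* monitor mode */
#if 0
		| IEEE80211_C_IBSS		/* ibss, nee adhoc, mode */
		| IEEE80211_C_AHDEMO		/* adhoc demo mode */
#endif
		| IEEE80211_C_MBSS		/* mesh point link mode */
		| IEEE80211_C_WDS		/* WDS supported */
		| IEEE80211_C_SHPREAMBLE	/* short preamble supported */
		| IEEE80211_C_SHSLOT		/* short slot time supported */
		| IEEE80211_C_WME		/* WME/WMM supported */
		| IEEE80211_C_BURST		/* xmit bursting supported */
		| IEEE80211_C_WPA		/* capable of WPA1+WPA2 */
		| IEEE80211_C_BGSCAN		/* capable of bg scanning */
		| IEEE80211_C_TXFRAG		/* handle tx frags */
		| IEEE80211_C_TXPMGT		/* capable of txpow mgt */
		| IEEE80211_C_DFS		/* DFS supported */
		;

	ic->ic_htcaps =
		  IEEE80211_HTCAP_SMPS_ENA	/* SM PS mode enabled */
		| IEEE80211_HTCAP_CHWIDTH40	/* 40MHz channel width */
		| IEEE80211_HTCAP_SHORTGI20	/* short GI in 20MHz */
		| IEEE80211_HTCAP_SHORTGI40	/* short GI in 40MHz */
		| IEEE80211_HTCAP_RXSTBC_2STREAM/* 1-2 spatial streams */
#if MWL_AGGR_SIZE == 7935
		| IEEE80211_HTCAP_MAXAMSDU_7935	/* max A-MSDU length */
#else
		| IEEE80211_HTCAP_MAXAMSDU_3839	/* max A-MSDU length */
#endif
#if 0
		| IEEE80211_HTCAP_PSMP		/* PSMP supported */
		| IEEE80211_HTCAP_40INTOLERANT	/* 40MHz intolerant */
#endif
		/* s/w capabilities */
		| IEEE80211_HTC_HT		/* HT operation */
		| IEEE80211_HTC_AMPDU		/* tx A-MPDU */
		| IEEE80211_HTC_AMSDU		/* tx A-MSDU */
		| IEEE80211_HTC_SMPS		/* SMPS available */
		;

	/*
	 * Mark h/w crypto support.
	 * XXX no way to query h/w support.
	 */
	ic->ic_cryptocaps |= IEEE80211_CRYPTO_WEP
			  |  IEEE80211_CRYPTO_AES_CCM
			  |  IEEE80211_CRYPTO_TKIP
			  |  IEEE80211_CRYPTO_TKIPMIC
			  ;
	/*
	 * Transmit requires space in the packet for a special
	 * format transmit record and optional padding between
	 * this record and the payload.  Ask the net80211 layer
	 * to arrange this when encapsulating packets so we can
	 * add it efficiently.
	 */
	ic->ic_headroom = sizeof(struct mwltxrec) -
		sizeof(struct ieee80211_frame);

	IEEE80211_ADDR_COPY(ic->ic_macaddr, sc->sc_hwspecs.macAddr);

	/* call MI attach routine. */
	ieee80211_ifattach(ic);
	ic->ic_setregdomain = mwl_setregdomain;
	ic->ic_getradiocaps = mwl_getradiocaps;
	/* override default methods */
	ic->ic_raw_xmit = mwl_raw_xmit;
	ic->ic_newassoc = mwl_newassoc;
	ic->ic_updateslot = mwl_updateslot;
	ic->ic_update_mcast = mwl_update_mcast;
	ic->ic_update_promisc = mwl_update_promisc;
	ic->ic_wme.wme_update = mwl_wme_update;
	ic->ic_transmit = mwl_transmit;
	ic->ic_ioctl = mwl_ioctl;
	ic->ic_parent = mwl_parent;

	/*
	 * Where the driver wraps a net80211 method, the previous handler
	 * is saved in the softc before it is replaced.
	 */
	ic->ic_node_alloc = mwl_node_alloc;
	sc->sc_node_cleanup = ic->ic_node_cleanup;
	ic->ic_node_cleanup = mwl_node_cleanup;
	sc->sc_node_drain = ic->ic_node_drain;
	ic->ic_node_drain = mwl_node_drain;
	ic->ic_node_getsignal = mwl_node_getsignal;
	ic->ic_node_getmimoinfo = mwl_node_getmimoinfo;

	ic->ic_scan_start = mwl_scan_start;
	ic->ic_scan_end = mwl_scan_end;
	ic->ic_set_channel = mwl_set_channel;

	sc->sc_recv_action = ic->ic_recv_action;
	ic->ic_recv_action = mwl_recv_action;
	sc->sc_addba_request = ic->ic_addba_request;
	ic->ic_addba_request = mwl_addba_request;
	sc->sc_addba_response = ic->ic_addba_response;
	ic->ic_addba_response = mwl_addba_response;
	sc->sc_addba_stop = ic->ic_addba_stop;
	ic->ic_addba_stop = mwl_addba_stop;

	ic->ic_vap_create = mwl_vap_create;
	ic->ic_vap_delete = mwl_vap_delete;

	ieee80211_radiotap_attach(ic,
	    &sc->sc_tx_th.wt_ihdr, sizeof(sc->sc_tx_th),
		MWL_TX_RADIOTAP_PRESENT,
	    &sc->sc_rx_th.wr_ihdr, sizeof(sc->sc_rx_th),
		MWL_RX_RADIOTAP_PRESENT);
	/*
	 * Setup dynamic sysctl's now that country code and
	 * regdomain are available from the hal.
	 */
	mwl_sysctlattach(sc);

	if (bootverbose)
		ieee80211_announce(ic);
	mwl_announce(sc);
	return 0;
bad2:
	mwl_dma_cleanup(sc);
bad1:
	mwl_hal_detach(mh);
bad:
	MWL_RXFREE_DESTROY(sc);
	sc->sc_invalid = 1;
	return error;
}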
529 
/*
 * Detach the device: stop it under the driver lock, then release what
 * mwl_attach() set up.  Always returns 0.
 *
 * NOTE(review): the taskqueue stored in sc_tq by mwl_attach() is neither
 * drained nor freed in this function.  If a task can still be pending
 * when the DMA state is released it would run against freed memory;
 * confirm whether the bus glue handles this.
 */
int
mwl_detach(struct mwl_softc *sc)
{

	MWL_LOCK(sc);
	mwl_stop(sc);
	MWL_UNLOCK(sc);

	/*
	 * NB: the teardown order below matters:
	 * o net80211 is detached before the hal so that its callbacks
	 *   into the driver to delete global key cache entries can
	 *   still be handled
	 * o the tx queue data structures are reclaimed after net80211
	 *   is detached, because it calls back to reclaim node state
	 *   and may want to use them
	 * o cleaning up the tx queues calls the hal, so the hal is
	 *   detached last
	 */
	ieee80211_ifdetach(&sc->sc_ic);
	callout_drain(&sc->sc_watchdog);
	mwl_dma_cleanup(sc);
	MWL_RXFREE_DESTROY(sc);
	mwl_tx_cleanup(sc);
	mwl_hal_detach(sc->sc_mh);
	mbufq_drain(&sc->sc_snd);

	return (0);
}
560 
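/*
 * MAC address handling for multiple BSS on the same radio.
 * The first vap uses the MAC address from the EEPROM.  For
 * subsequent vap's we set the U/L bit (bit 1) in the MAC
 * address and store the slot index in the bits above it
 * (index << 2 in the first octet).
 *
 * sc_bssidmask records which of the 32 slots are in use and
 * sc_nbssid0 counts the vaps sharing slot 0.  When clone is zero, or
 * the h/w does not support multiple bssid, slot 0 is used and mac is
 * left unchanged.
 *
 * NB: if all 32 slots are taken the search falls back to slot 0,
 * exactly as the non-clone path does.  Without this the index would
 * be 32 and the shift below would be undefined.
 */
static void
assign_address(struct mwl_softc *sc, uint8_t mac[IEEE80211_ADDR_LEN], int clone)
{
	int i = 0;

	if (clone && mwl_hal_ismbsscapable(sc->sc_mh)) {
		/* NB: we only do this if h/w supports multiple bssid */
		for (i = 0; i < 32; i++)
			if ((sc->sc_bssidmask & (1U << i)) == 0)
				break;
		if (i == 32)
			i = 0;		/* no free slot, share slot 0 */
		else if (i != 0)
			mac[0] |= (i << 2)|0x2;
	}
	/* NB: unsigned constant, slot 31 must not shift into the sign bit */
	sc->sc_bssidmask |= 1U << i;
	if (i == 0)
		sc->sc_nbssid0++;
}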
585 
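/*
 * Release the BSSID slot encoded in a vap's MAC address.  The slot
 * index is taken from the bits above the U/L bit of the first octet
 * (mac[0] >> 2).  Slot 0 is shared, so it is only released when the
 * last vap using it goes away (sc_nbssid0 drops to zero).
 *
 * NB: mac[0] >> 2 can be as large as 63 but the mask only has 32
 * slots; such an address cannot name a slot, so it is ignored rather
 * than shifting by 32 or more, which is undefined.
 *
 * NOTE(review): the index comes from the address bytes, not from a
 * record of what assign_address() handed out, so an address that was
 * set by other means can still name a slot owned by another vap.
 */
static void
reclaim_address(struct mwl_softc *sc, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	unsigned int i = mac[0] >> 2;

	if (i >= 32)
		return;
	if (i != 0 || --sc->sc_nbssid0 == 0)
		sc->sc_bssidmask &= ~(1U << i);
}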
593 
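/*
 * Create a vap for the requested operating mode.
 *
 * AP, mesh and station vaps get a hal vap; the address comes from
 * assign_address() unless IEEE80211_CLONE_MACADDR is set.  WDS vaps
 * borrow the hal vap of an existing hostap vap.  Monitor vaps have no
 * hal vap.  IBSS, adhoc-demo and unknown modes are rejected.
 *
 * Returns the new vap, or NULL when the mode is unsupported, the hal
 * cannot supply a vap, or a WDS vap has no hostap vap to attach to.
 */
static struct ieee80211vap *
mwl_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
    enum ieee80211_opmode opmode, int flags,
    const uint8_t bssid[IEEE80211_ADDR_LEN],
    const uint8_t mac0[IEEE80211_ADDR_LEN])
{
	struct mwl_softc *sc = ic->ic_softc;
	struct mwl_hal *mh = sc->sc_mh;
	struct ieee80211vap *vap, *apvap;
	struct mwl_hal_vap *hvap;
	struct mwl_vap *mvp;
	uint8_t mac[IEEE80211_ADDR_LEN];

	/* work on a private copy; assign_address may modify it */
	IEEE80211_ADDR_COPY(mac, mac0);
	switch (opmode) {
	case IEEE80211_M_HOSTAP:
	case IEEE80211_M_MBSS:
		if ((flags & IEEE80211_CLONE_MACADDR) == 0)
			assign_address(sc, mac, flags & IEEE80211_CLONE_BSSID);
		hvap = mwl_hal_newvap(mh, MWL_HAL_AP, mac);
		if (hvap == NULL) {
			/* give back the slot taken just above */
			if ((flags & IEEE80211_CLONE_MACADDR) == 0)
				reclaim_address(sc, mac);
			return NULL;
		}
		break;
	case IEEE80211_M_STA:
		if ((flags & IEEE80211_CLONE_MACADDR) == 0)
			assign_address(sc, mac, flags & IEEE80211_CLONE_BSSID);
		hvap = mwl_hal_newvap(mh, MWL_HAL_STA, mac);
		if (hvap == NULL) {
			if ((flags & IEEE80211_CLONE_MACADDR) == 0)
				reclaim_address(sc, mac);
			return NULL;
		}
		/* no h/w beacon miss support; always use s/w */
		flags |= IEEE80211_CLONE_NOBEACONS;
		break;
	case IEEE80211_M_WDS:
		hvap = NULL;		/* NB: we use associated AP vap */
		if (sc->sc_napvaps == 0)
			return NULL;	/* no existing AP vap */
		break;
	case IEEE80211_M_MONITOR:
		hvap = NULL;
		break;
	case IEEE80211_M_IBSS:
	case IEEE80211_M_AHDEMO:
	default:
		return NULL;
	}

	mvp = malloc(sizeof(struct mwl_vap), M_80211_VAP, M_WAITOK | M_ZERO);
	mvp->mv_hvap = hvap;
	if (opmode == IEEE80211_M_WDS) {
		/*
		 * WDS vaps must have an associated AP vap; find one.
		 * XXX not right.
		 */
		TAILQ_FOREACH(apvap, &ic->ic_vaps, iv_next)
			if (apvap->iv_opmode == IEEE80211_M_HOSTAP) {
				mvp->mv_ap_hvap = MWL_VAP(apvap)->mv_hvap;
				break;
			}
		/*
		 * NB: sc_napvaps also counts mesh vaps, so the check in
		 * the switch above does not guarantee a hostap vap.
		 * Fail the create instead of relying on KASSERT, which
		 * is compiled out of non-INVARIANTS kernels and would
		 * leave a NULL hal vap handle behind.
		 */
		if (mvp->mv_ap_hvap == NULL) {
			free(mvp, M_80211_VAP);
			return NULL;
		}
	}
	vap = &mvp->mv_vap;
	ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid);
	/* override with driver methods */
	mvp->mv_newstate = vap->iv_newstate;
	vap->iv_newstate = mwl_newstate;
	vap->iv_max_keyix = 0;	/* XXX */
	vap->iv_key_alloc = mwl_key_alloc;
	vap->iv_key_delete = mwl_key_delete;
	vap->iv_key_set = mwl_key_set;
#ifdef MWL_HOST_PS_SUPPORT
	if (opmode == IEEE80211_M_HOSTAP || opmode == IEEE80211_M_MBSS) {
		vap->iv_update_ps = mwl_update_ps;
		mvp->mv_set_tim = vap->iv_set_tim;
		vap->iv_set_tim = mwl_set_tim;
	}
#endif
	vap->iv_reset = mwl_reset;
	vap->iv_update_beacon = mwl_beacon_update;

	/* override max aid so sta's cannot assoc when we're out of sta id's */
	vap->iv_max_aid = MWL_MAXSTAID;
	/* override default A-MPDU rx parameters */
	vap->iv_ampdu_rxmax = IEEE80211_HTCAP_MAXRXAMPDU_64K;
	vap->iv_ampdu_density = IEEE80211_HTCAP_MPDUDENSITY_4;

	/* complete setup */
	ieee80211_vap_attach(vap, mwl_media_change, ieee80211_media_status,
	    mac);

	switch (vap->iv_opmode) {
	case IEEE80211_M_HOSTAP:
	case IEEE80211_M_MBSS:
	case IEEE80211_M_STA:
		/*
		 * Setup sta db entry for local address.
		 * NOTE(review): the return value is not checked.
		 */
		mwl_localstadb(vap);
		if (vap->iv_opmode == IEEE80211_M_HOSTAP ||
		    vap->iv_opmode == IEEE80211_M_MBSS)
			sc->sc_napvaps++;
		else
			sc->sc_nstavaps++;
		break;
	case IEEE80211_M_WDS:
		sc->sc_nwdsvaps++;
		break;
	default:
		break;
	}
	/*
	 * Setup overall operating mode.
	 */
	if (sc->sc_napvaps)
		ic->ic_opmode = IEEE80211_M_HOSTAP;
	else if (sc->sc_nstavaps)
		ic->ic_opmode = IEEE80211_M_STA;
	else
		ic->ic_opmode = opmode;

	return vap;
}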
721 
/*
 * Destroy a vap created by mwl_vap_create().  While the device is
 * running, interrupts are masked for the duration and restored from
 * sc_imask afterwards.
 *
 * NOTE(review): reclaim_address() is called for every AP/mesh/station
 * vap, including ones created with IEEE80211_CLONE_MACADDR whose
 * address never went through assign_address() (see the XXX below).
 */
static void
mwl_vap_delete(struct ieee80211vap *vap)
{
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	struct mwl_vap *mvp = MWL_VAP(vap);
	struct mwl_hal_vap *hvap = mvp->mv_hvap;
	struct mwl_hal *mh = sc->sc_mh;
	enum ieee80211_opmode opmode = vap->iv_opmode;
	int is_ap;

	is_ap = (opmode == IEEE80211_M_HOSTAP || opmode == IEEE80211_M_MBSS);

	/* XXX disallow ap vap delete if WDS still present */
	/* quiesce h/w while we remove the vap */
	if (sc->sc_running)
		mwl_hal_intrset(mh, 0);		/* disable interrupts */

	ieee80211_vap_detach(vap);

	if (is_ap || opmode == IEEE80211_M_STA) {
		/* these modes own a hal vap; remove our station entry, then it */
		KASSERT(hvap != NULL, ("no hal vap handle"));
		(void) mwl_hal_delstation(hvap, vap->iv_myaddr);
		mwl_hal_delvap(hvap);
		if (is_ap)
			sc->sc_napvaps--;
		else
			sc->sc_nstavaps--;
		/* XXX don't do it for IEEE80211_CLONE_MACADDR */
		reclaim_address(sc, vap->iv_myaddr);
	} else if (opmode == IEEE80211_M_WDS) {
		sc->sc_nwdsvaps--;
	}

	mwl_cleartxq(sc, vap);
	/* NB: vap is embedded in mvp, so it is gone after this */
	free(mvp, M_80211_VAP);

	if (sc->sc_running)
		mwl_hal_intrset(mh, sc->sc_imask);
}
762 
/* Suspend: stop the device while holding the driver lock. */
void
mwl_suspend(struct mwl_softc *sc)
{
	MWL_LOCK(sc);
	mwl_stop(sc);
	MWL_UNLOCK(sc);
}
771 
/*
 * Resume: when at least one vap is marked running, re-initialize the
 * device under the driver lock and, if that succeeds, restart all vaps.
 * With nothing running, error stays EDOOFUS and nothing is restarted.
 */
void
mwl_resume(struct mwl_softc *sc)
{
	int error;

	MWL_LOCK(sc);
	error = (sc->sc_ic.ic_nrunning > 0) ? mwl_init(sc) : EDOOFUS;
	MWL_UNLOCK(sc);

	if (error != 0)
		return;
	ieee80211_start_all(&sc->sc_ic);	/* start all vap's */
}
785 
/* Shutdown hook: arg is the softc; stop the device under the driver lock. */
void
mwl_shutdown(void *arg)
{
	struct mwl_softc *const sc = arg;

	MWL_LOCK(sc);
	mwl_stop(sc);
	MWL_UNLOCK(sc);
}
795 
/*
 * Interrupt handler.  Reads (and thereby clears) the interrupt status
 * and hands the work to the taskqueue; only command completion and the
 * TKIP ICV error counter are handled inline.  Does nothing while
 * sc_invalid is set or when the status is zero.
 */
void
mwl_intr(void *arg)
{
	struct mwl_softc *sc = arg;
	struct mwl_hal *mh = sc->sc_mh;
	uint32_t isr;

	if (sc->sc_invalid) {
		/*
		 * The hardware is not ready/present, don't touch anything.
		 * Note this can happen early on if the IRQ is shared.
		 */
		DPRINTF(sc, MWL_DEBUG_ANY, "%s: invalid; ignored\n", __func__);
		return;
	}

	/* Figure out the reason(s) for the interrupt. */
	mwl_hal_getisr(mh, &isr);		/* NB: clears ISR too */
	if (isr == 0) {
		/* must be a shared irq */
		return;
	}

	DPRINTF(sc, MWL_DEBUG_INTR, "%s: status 0x%x imask 0x%x\n",
	    __func__, isr, sc->sc_imask);

	if ((isr & MACREG_A2HRIC_BIT_RX_RDY) != 0)
		taskqueue_enqueue(sc->sc_tq, &sc->sc_rxtask);
	if ((isr & MACREG_A2HRIC_BIT_TX_DONE) != 0)
		taskqueue_enqueue(sc->sc_tq, &sc->sc_txtask);
	if ((isr & MACREG_A2HRIC_BIT_BA_WATCHDOG) != 0)
		taskqueue_enqueue(sc->sc_tq, &sc->sc_bawatchdogtask);
	if ((isr & MACREG_A2HRIC_BIT_OPC_DONE) != 0)
		mwl_hal_cmddone(mh);
	/* MACREG_A2HRIC_BIT_MAC_EVENT: nothing to do */
	if ((isr & MACREG_A2HRIC_BIT_ICV_ERROR) != 0) {
		/* TKIP ICV error */
		sc->sc_stats.mst_rx_badtkipicv++;
	}
	/*
	 * MACREG_A2HRIC_BIT_QUEUE_EMPTY (11n aggregation queue is empty,
	 * re-fill) and MACREG_A2HRIC_BIT_QUEUE_FULL: nothing to do
	 */
	if ((isr & MACREG_A2HRIC_BIT_RADAR_DETECT) != 0) {
		/* radar detected, process event */
		taskqueue_enqueue(sc->sc_tq, &sc->sc_radartask);
	}
	if ((isr & MACREG_A2HRIC_BIT_CHAN_SWITCH) != 0) {
		/* DFS channel switch */
		taskqueue_enqueue(sc->sc_tq, &sc->sc_chanswitchtask);
	}
}
854 
/*
 * Deferred handler for the radar-detect interrupt: counts the event
 * and reports radar on the current channel to net80211 under the
 * com lock.  arg is the softc.
 */
static void
mwl_radar_proc(void *arg, int pending)
{
	struct mwl_softc *sc = arg;
	struct ieee80211com *ic;

	DPRINTF(sc, MWL_DEBUG_ANY, "%s: radar detected, pending %u\n",
	    __func__, pending);

	sc->sc_stats.mst_radardetect++;
	/* XXX stop h/w BA streams? */

	ic = &sc->sc_ic;
	IEEE80211_LOCK(ic);
	ieee80211_dfs_notify_radar(ic, ic->ic_curchan);
	IEEE80211_UNLOCK(ic);
}
871 
/*
 * Deferred handler for the channel-switch interrupt: clears the
 * pending-CSA flag and completes the switch in net80211, both under
 * the com lock.  arg is the softc.
 */
static void
mwl_chanswitch_proc(void *arg, int pending)
{
	struct mwl_softc *sc = arg;
	struct ieee80211com *ic;

	DPRINTF(sc, MWL_DEBUG_ANY, "%s: channel switch notice, pending %u\n",
	    __func__, pending);

	ic = &sc->sc_ic;
	IEEE80211_LOCK(ic);
	sc->sc_csapending = 0;
	ieee80211_csa_completeswitch(ic);
	IEEE80211_UNLOCK(ic);
}
886 
/*
 * Stop the A-MPDU session tied to one BA stream.  data[0] of the
 * stream is used as the node and data[1] as the second argument of
 * ieee80211_ampdu_stop().
 * NOTE(review): neither pointer is checked before use; presumably both
 * are set when the stream is created, confirm against that code.
 */
static void
mwl_bawatchdog(const MWL_HAL_BASTREAM *sp)
{

	/* send DELBA and drop the stream */
	ieee80211_ampdu_stop(sp->data[0], sp->data[1],
	    IEEE80211_REASON_UNSPECIFIED);
}
895 
/*
 * Deferred handler for the BA watchdog interrupt.  The value fetched
 * from the hal selects what to tear down: 0xff means every BA stream
 * (indices 0-7 are tried), 0xaa is ignored, and anything else is used
 * as the index of a single stream.  arg is the softc.
 *
 * NOTE(review): the single-stream index comes straight from the
 * device; presumably mwl_hal_bastream_lookup() range-checks it and
 * returns NULL for a bad index, confirm in the hal.
 */
static void
mwl_bawatchdog_proc(void *arg, int pending)
{
	struct mwl_softc *sc = arg;
	struct mwl_hal *mh = sc->sc_mh;
	const MWL_HAL_BASTREAM *sp;
	uint8_t bitmap, s, nfound;

	sc->sc_stats.mst_bawatchdog++;

	if (mwl_hal_getwatchdogbitmap(mh, &bitmap) != 0) {
		DPRINTF(sc, MWL_DEBUG_AMPDU,
		    "%s: could not get bitmap\n", __func__);
		sc->sc_stats.mst_bawatchdog_failed++;
		return;
	}
	DPRINTF(sc, MWL_DEBUG_AMPDU, "%s: bitmap 0x%x\n", __func__, bitmap);

	if (bitmap == 0xaa)
		return;

	if (bitmap != 0xff) {
		/* disable a single ba stream */
		sp = mwl_hal_bastream_lookup(mh, bitmap);
		if (sp == NULL) {
			DPRINTF(sc, MWL_DEBUG_AMPDU,
			    "%s: no BA stream %d\n", __func__, bitmap);
			sc->sc_stats.mst_bawatchdog_notfound++;
			return;
		}
		mwl_bawatchdog(sp);
		return;
	}

	/* disable all ba streams */
	nfound = 0;
	for (s = 0; s < 8; s++) {
		sp = mwl_hal_bastream_lookup(mh, s);
		if (sp == NULL)
			continue;
		mwl_bawatchdog(sp);
		nfound++;
	}
	if (nfound == 0) {
		DPRINTF(sc, MWL_DEBUG_AMPDU,
		    "%s: no BA streams found\n", __func__);
		sc->sc_stats.mst_bawatchdog_empty++;
	}
}
940 
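/*
 * Convert net80211 channel to a HAL channel.
 *
 * hc->channel receives the IEEE channel number.  hc->channelFlags is
 * cleared and then FreqBand, ChnlWidth and (for HT40 only)
 * ExtChnlOffset are filled in from the net80211 channel flags.
 * FreqBand stays zero when the channel is neither 2GHz nor 5GHz.
 */
static void
mwl_mapchan(MWL_HAL_CHANNEL *hc, const struct ieee80211_channel *chan)
{
	hc->channel = chan->ic_ieee;

	/*
	 * Clear the whole flags object by its own size instead of
	 * punning it through a uint32_t pointer; this does not depend
	 * on the structure being exactly 32 bits wide.
	 */
	memset(&hc->channelFlags, 0, sizeof(hc->channelFlags));

	if (IEEE80211_IS_CHAN_2GHZ(chan)) {
		hc->channelFlags.FreqBand = MWL_FREQ_BAND_2DOT4GHZ;
	} else if (IEEE80211_IS_CHAN_5GHZ(chan)) {
		hc->channelFlags.FreqBand = MWL_FREQ_BAND_5GHZ;
	}

	if (IEEE80211_IS_CHAN_HT40(chan)) {
		hc->channelFlags.ChnlWidth = MWL_CH_40_MHz_WIDTH;
		/* extension channel sits above or below the control channel */
		if (IEEE80211_IS_CHAN_HT40U(chan))
			hc->channelFlags.ExtChnlOffset = MWL_EXT_CH_ABOVE_CTRL_CH;
		else
			hc->channelFlags.ExtChnlOffset = MWL_EXT_CH_BELOW_CTRL_CH;
	} else {
		hc->channelFlags.ChnlWidth = MWL_CH_20_MHz_WIDTH;
	}
	/* XXX 10MHz channels */
}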
964 
/*
 * Tell the firmware where the host's rx and tx descriptor rings live.
 * The register (BAR 0) writes are kept for older firmware; current
 * firmware receives the same values in a command block through
 * mwl_hal_sethwdma.
 *
 * Returns the status of mwl_hal_sethwdma (0 on success).  A failure is
 * logged and passed to the caller.
 */
static int
mwl_setupdma(struct mwl_softc *sc)
{
	/* only the non-ACK tx queues are described to the firmware */
	const int ntxq = MWL_NUM_TX_QUEUES-MWL_NUM_ACK_QUEUES;
	int q, status;

	/* rx ring: read and write pointers both start at the ring base */
	sc->sc_hwdma.rxDescRead = sc->sc_rxdma.dd_desc_paddr;
	WR4(sc, sc->sc_hwspecs.rxDescRead, sc->sc_hwdma.rxDescRead);
	WR4(sc, sc->sc_hwspecs.rxDescWrite, sc->sc_hwdma.rxDescRead);

	/* tx rings: one descriptor base address per queue */
	for (q = 0; q < ntxq; q++) {
		sc->sc_hwdma.wcbBase[q] = sc->sc_txq[q].dma.dd_desc_paddr;
		WR4(sc, sc->sc_hwspecs.wcbBase[q], sc->sc_hwdma.wcbBase[q]);
	}
	sc->sc_hwdma.maxNumTxWcb = mwl_txbuf;
	sc->sc_hwdma.maxNumWCB = ntxq;

	status = mwl_hal_sethwdma(sc->sc_mh, &sc->sc_hwdma);
	if (status != 0) {
		device_printf(sc->sc_dev,
		    "unable to setup tx/rx dma; hal status %u\n", status);
		/* XXX */
	}
	return status;
}
996 
/*
 * Inform firmware of tx rate parameters.
 * Called after a channel change.
 *
 * The first entry of the supported rate set for the current channel
 * (with the basic-rate flag masked off) is used for both management
 * and multicast frames.  Returns the status of mwl_hal_settxrate_auto.
 */
static int
mwl_setcurchanrates(struct mwl_softc *sc)
{
	struct ieee80211com *ic = &sc->sc_ic;
	const struct ieee80211_rateset *rs =
	    ieee80211_get_suprates(ic, ic->ic_curchan);
	MWL_HAL_TXRATE rates;

	memset(&rates, 0, sizeof(rates));
	/* management frames go out at the first supported rate ... */
	rates.MgtRate = rs->rs_rates[0] & IEEE80211_RATE_VAL;
	/* ... and multicast frames use the same rate */
	rates.McastRate = rates.MgtRate;

	return mwl_hal_settxrate_auto(sc->sc_mh, &rates);
}
1017 
/*
 * Inform firmware of tx rate parameters.  Called whenever
 * user-settable params change and after a channel change.
 *
 * The management and multicast rates come from the bss node's tx
 * parameters.  The vap's EAPOL rate cookie is recomputed as a side
 * effect.  The firmware is put in fixed-rate mode when a unicast rate
 * is configured and in auto mode otherwise.  Must only be called in
 * RUN state (asserted).  Returns the status of mwl_hal_settxrate.
 */
static int
mwl_setrates(struct ieee80211vap *vap)
{
	struct mwl_vap *mvp = MWL_VAP(vap);
	struct ieee80211_node *ni = vap->iv_bss;
	const struct ieee80211_txparam *tp = ni->ni_txparms;
	MWL_HAL_TXRATE rates;
	int ratemode;

	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));

	/*
	 * Update the h/w rate map.
	 * NB: 0x80 for MCS is passed through unchanged
	 */
	memset(&rates, 0, sizeof(rates));
	rates.MgtRate = tp->mgmtrate;		/* management frames */
	rates.McastRate = tp->mcastrate;	/* multicast frames */

	/* while here calculate EAPOL fixed rate cookie */
	mvp->mv_eapolformat = htole16(mwl_calcformat(rates.MgtRate, ni));

	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
		ratemode = RATE_FIXED;
	else
		ratemode = RATE_AUTO;
	return mwl_hal_settxrate(mvp->mv_hvap, ratemode, &rates);
}
1049 
/*
 * Setup a fixed xmit rate cookie for EAPOL frames.
 *
 * The cookie is built from the management rate of the phy mode of the
 * bss channel.  Must only be called in RUN state (asserted).
 */
static void
mwl_seteapolformat(struct ieee80211vap *vap)
{
	struct mwl_vap *mvp = MWL_VAP(vap);
	struct ieee80211_node *ni = vap->iv_bss;
	enum ieee80211_phymode mode, ratemode;
	uint8_t rate;

	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));

	mode = ieee80211_chan2mode(ni->ni_chan);
	ratemode = mode;
	/*
	 * Use legacy rates when operating a mixed HT+non-HT bss.
	 * NB: this may violate POLA for sta and wds vap's.
	 */
	if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) == 0) {
		if (mode == IEEE80211_MODE_11NA)
			ratemode = IEEE80211_MODE_11A;
		else if (mode == IEEE80211_MODE_11NG)
			ratemode = IEEE80211_MODE_11G;
	}
	rate = vap->iv_txparms[ratemode].mgmtrate;

	mvp->mv_eapolformat = htole16(mwl_calcformat(rate, ni));
}
1079 
/*
 * Map SKU+country code to region code for radar bin'ing.
 *
 * Only the ETSI SKUs look at the country code (Spain and France get
 * their own codes).  Any SKU not listed falls back to the FCC code.
 */
static int
mwl_map2regioncode(const struct ieee80211_regdomain *rd)
{
	/* XXX KOREA? */
	int code = DOMAIN_CODE_FCC;		/* XXX? */

	switch (rd->regdomain) {
	case SKU_FCC:
	case SKU_FCC3:
		code = DOMAIN_CODE_FCC;
		break;
	case SKU_CA:
		code = DOMAIN_CODE_IC;
		break;
	case SKU_ETSI:
	case SKU_ETSI2:
	case SKU_ETSI3:
		if (rd->country == CTRY_SPAIN)
			code = DOMAIN_CODE_SPAIN;
		else if (rd->country == CTRY_FRANCE ||
		    rd->country == CTRY_FRANCE2)
			code = DOMAIN_CODE_FRANCE;
		else
			/* XXX force 1.3.1 radar type */
			code = DOMAIN_CODE_ETSI_131;
		break;
	case SKU_JAPAN:
		code = DOMAIN_CODE_MKK;
		break;
	case SKU_ROW:
		code = DOMAIN_CODE_DGT;	/* Taiwan */
		break;
	case SKU_APAC:
	case SKU_APAC2:
	case SKU_APAC3:
		code = DOMAIN_CODE_AUS;	/* Australia */
		break;
	default:
		break;
	}
	return code;
}
1113 
/*
 * Push vap-independent settings to the firmware: antennas, radio and
 * preamble, WMM, current channel, rate adaptation mode, optimization
 * level, region code, A-MPDU rate mode and CF-End.
 *
 * NOTE(review): the return values of the HAL calls are not examined
 * and the function always returns 1, so callers testing for failure
 * never see one from here.
 */
static int
mwl_hal_reset(struct mwl_softc *sc)
{
	struct ieee80211com *ic = &sc->sc_ic;
	struct mwl_hal *mh = sc->sc_mh;

	mwl_hal_setantenna(mh, WL_ANTENNATYPE_RX, sc->sc_rxantenna);
	mwl_hal_setantenna(mh, WL_ANTENNATYPE_TX, sc->sc_txantenna);
	mwl_hal_setradio(mh, 1, WL_AUTO_PREAMBLE);
	/* WMM follows the net80211 WME flag */
	mwl_hal_setwmm(sc->sc_mh, (ic->ic_flags & IEEE80211_F_WME) != 0);
	mwl_chan_set(sc, ic->ic_curchan);
	/* NB: RF/RA performance tuned for indoor mode */
	mwl_hal_setrateadaptmode(mh, 0);
	/* optimization level follows the net80211 BURST flag */
	mwl_hal_setoptimizationlevel(mh,
	    (ic->ic_flags & IEEE80211_F_BURST) != 0);

	/* region code is derived from the regdomain SKU and country */
	mwl_hal_setregioncode(mh, mwl_map2regioncode(&ic->ic_regdomain));

	mwl_hal_setaggampduratemode(mh, 1, 80);		/* XXX */
	mwl_hal_setcfend(mh, 0);			/* XXX */

	return 1;
}
1137 
/*
 * Bring the device up: stop any previous activity, push vap-independent
 * state to the firmware, start the receive side, program the interrupt
 * mask and arm the watchdog callout.  Must be called with the driver
 * lock held (asserted).
 *
 * Returns 0 on success, EIO if the hardware reset reports failure, or
 * the error from mwl_startrecv.
 */
static int
mwl_init(struct mwl_softc *sc)
{
	struct mwl_hal *mh = sc->sc_mh;
	int error = 0;

	MWL_LOCK_ASSERT(sc);

	/*
	 * Stop anything previously setup.  This is safe
	 * whether this is the first time through or not.
	 */
	mwl_stop(sc);

	/*
	 * Push vap-independent state to the firmware.
	 * NOTE(review): mwl_hal_reset as written in this file always
	 * returns 1, so the EIO path below is not reachable today.
	 */
	if (!mwl_hal_reset(sc)) {
		device_printf(sc->sc_dev, "unable to reset hardware\n");
		return EIO;
	}

	/*
	 * Setup recv (once); transmit is already good to go.
	 */
	error = mwl_startrecv(sc);
	if (error != 0) {
		device_printf(sc->sc_dev, "unable to start recv logic\n");
		return error;
	}

	/*
	 * Enable interrupts.  MAC_EVENT and QUEUE_EMPTY are compiled
	 * out of the mask; QUEUE_FULL is not part of it at all.
	 */
	sc->sc_imask = MACREG_A2HRIC_BIT_RX_RDY
		     | MACREG_A2HRIC_BIT_TX_DONE
		     | MACREG_A2HRIC_BIT_OPC_DONE
#if 0
		     | MACREG_A2HRIC_BIT_MAC_EVENT
#endif
		     | MACREG_A2HRIC_BIT_ICV_ERROR
		     | MACREG_A2HRIC_BIT_RADAR_DETECT
		     | MACREG_A2HRIC_BIT_CHAN_SWITCH
#if 0
		     | MACREG_A2HRIC_BIT_QUEUE_EMPTY
#endif
		     | MACREG_A2HRIC_BIT_BA_WATCHDOG
		     | MACREQ_A2HRIC_BIT_TX_ACK
		     ;

	/* mark running before interrupts are unmasked */
	sc->sc_running = 1;
	mwl_hal_intrset(mh, sc->sc_imask);
	/* first watchdog tick after hz ticks */
	callout_reset(&sc->sc_watchdog, hz, mwl_watchdog, sc);

	return 0;
}
1194 
/*
 * Shut the driver down if it is running: clear the running flag, stop
 * the watchdog callout, reset the tx timer and drain the tx queues.
 * Does nothing when the device is already stopped.  Must be called
 * with the driver lock held (asserted).
 */
static void
mwl_stop(struct mwl_softc *sc)
{

	MWL_LOCK_ASSERT(sc);
	if (!sc->sc_running)
		return;

	/*
	 * Shutdown the hardware and driver.
	 */
	sc->sc_running = 0;
	callout_stop(&sc->sc_watchdog);
	sc->sc_tx_timer = 0;
	mwl_draintxq(sc);
}
1210 
/*
 * Re-apply per-vap settings to the firmware: tx rates (RUN state
 * only), RTS threshold, short GI and HT protection.  In RUN state a
 * hostap, mbss or ibss vap additionally has its AP mode, HT protection
 * mode and beacon set up again.
 *
 * Returns the result of mwl_beacon_setup when the beacon is rebuilt,
 * otherwise 0.  The HAL calls' own return values are not examined.
 */
static int
mwl_reset_vap(struct ieee80211vap *vap, int state)
{
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	struct ieee80211com *ic = vap->iv_ic;
	const int running = (state == IEEE80211_S_RUN);

	if (running)
		mwl_setrates(vap);
	/* XXX off by 1? */
	mwl_hal_setrtsthreshold(hvap, vap->iv_rtsthreshold);
	/* XXX auto? 20/40 split? */
	mwl_hal_sethtgi(hvap, (vap->iv_flags_ht &
	    (IEEE80211_FHT_SHORTGI20|IEEE80211_FHT_SHORTGI40)) != 0);
	mwl_hal_setnprot(hvap, ic->ic_htprotmode == IEEE80211_PROT_NONE ?
	    HTPROTECT_NONE : HTPROTECT_AUTO);
	/* XXX txpower cap */

	if (!running)
		return 0;

	/* only beaconing operating modes go on to re-setup beacons */
	switch (vap->iv_opmode) {
	case IEEE80211_M_HOSTAP:
	case IEEE80211_M_MBSS:
	case IEEE80211_M_IBSS:
		break;
	default:
		return 0;
	}

	mwl_setapmode(vap, vap->iv_bss->ni_chan);
	mwl_hal_setnprotmode(hvap,
	    MS(ic->ic_curhtprotmode, IEEE80211_HTINFO_OPMODE));
	return mwl_beacon_setup(vap);
}
1240 
/*
 * Reset the hardware w/o losing operational state.
 * Used to reset or reload hardware state for a vap.
 *
 * A vap without a HAL vap (WDS, MONITOR, etc.) is left alone and 0 is
 * returned.  Otherwise interrupts are masked while mwl_reset_vap runs,
 * the saved mask is restored, and mwl_reset_vap's result is returned.
 * cmd is not used.
 */
static int
mwl_reset(struct ieee80211vap *vap, u_long cmd)
{
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	struct mwl_softc *sc;
	struct mwl_hal *mh;
	int error;

	if (hvap == NULL)			/* WDS, MONITOR, etc. */
		return 0;

	sc = vap->iv_ic->ic_softc;
	mh = sc->sc_mh;

	/* XXX handle DWDS sta vap change */
	/* XXX do we need to disable interrupts? */
	mwl_hal_intrset(mh, 0);		/* disable interrupts */
	error = mwl_reset_vap(vap, vap->iv_state);
	mwl_hal_intrset(mh, sc->sc_imask);

	return error;
}
1264 
/*
 * Allocate a tx buffer for sending a frame.  The
 * packet is assumed to have the WME AC stored so
 * we can use it to select the appropriate h/w queue.
 *
 * Takes the first buffer off txq's free list under the queue lock.
 * Returns NULL when the free list is empty; that case is only logged
 * (after the lock has been dropped), the caller decides what to do.
 */
static struct mwl_txbuf *
mwl_gettxbuf(struct mwl_softc *sc, struct mwl_txq *txq)
{
	struct mwl_txbuf *bf;

	MWL_TXQ_LOCK(txq);
	bf = STAILQ_FIRST(&txq->free);
	if (bf == NULL) {
		MWL_TXQ_UNLOCK(txq);
		DPRINTF(sc, MWL_DEBUG_XMIT,
		    "%s: out of xmit buffers on q %d\n", __func__, txq->qnum);
		return NULL;
	}
	STAILQ_REMOVE_HEAD(&txq->free, bf_list);
	txq->nfree--;
	MWL_TXQ_UNLOCK(txq);

	return bf;
}
1290 
/*
 * Return a tx buffer to the front of the free list of the queue it
 * came from.  Buffers must go back in an order that matches the fixed
 * order of descriptors in memory (the firmware pre-fetches descriptors
 * so we cannot reorder), which is why a head and a tail variant exist.
 *
 * The buffer's mbuf and node pointers are cleared; neither object is
 * freed here.
 */
static void
mwl_puttxbuf_head(struct mwl_txq *txq, struct mwl_txbuf *bf)
{
	/* drop the stale references before the buffer becomes visible */
	bf->bf_node = NULL;
	bf->bf_m = NULL;

	MWL_TXQ_LOCK(txq);
	STAILQ_INSERT_HEAD(&txq->free, bf, bf_list);
	txq->nfree++;
	MWL_TXQ_UNLOCK(txq);
}
1307 
/*
 * Return a tx buffer to the end of the free list of the queue it came
 * from.  The buffer's mbuf and node pointers are cleared; neither
 * object is freed here.
 */
static void
mwl_puttxbuf_tail(struct mwl_txq *txq, struct mwl_txbuf *bf)
{
	/* drop the stale references before the buffer becomes visible */
	bf->bf_node = NULL;
	bf->bf_m = NULL;

	MWL_TXQ_LOCK(txq);
	STAILQ_INSERT_TAIL(&txq->free, bf, bf_list);
	txq->nfree++;
	MWL_TXQ_UNLOCK(txq);
}
1318 
/*
 * Queue a frame on the driver's send queue and kick the transmit
 * path, all under the driver lock.
 *
 * Returns ENXIO when the device is not running, the error from
 * mbufq_enqueue when the send queue rejects the frame, and 0
 * otherwise.  The mbuf is not freed here on either error path.
 */
static int
mwl_transmit(struct ieee80211com *ic, struct mbuf *m)
{
	struct mwl_softc *sc = ic->ic_softc;
	int error;

	MWL_LOCK(sc);
	if (sc->sc_running) {
		error = mbufq_enqueue(&sc->sc_snd, m);
		if (error == 0)
			mwl_start(sc);
	} else {
		error = ENXIO;
	}
	MWL_UNLOCK(sc);

	return (error);
}
1339 
/*
 * Drain the driver send queue into the hardware tx queues.  Must be
 * called with the driver lock held (asserted); returns at once when
 * the device is not running or has been marked invalid.
 *
 * Each dequeued mbuf carries its destination node in m_pkthdr.rcvif.
 * When no tx buffer is available the mbuf is freed and the node
 * reference released.  When mwl_tx_start fails the tx buffer goes back
 * to the head of the free list and the node reference is released; the
 * mbuf is not freed in this function on that path (presumably
 * mwl_tx_start disposes of it -- confirm).
 *
 * The firmware is poked once every mwl_txcoalesce queued frames and
 * once more at the end if any frames remain unannounced.
 */
static void
mwl_start(struct mwl_softc *sc)
{
	struct ieee80211_node *ni;
	struct mwl_txbuf *bf;
	struct mbuf *m;
	struct mwl_txq *txq = NULL;	/* XXX silence gcc */
	int nqueued;

	MWL_LOCK_ASSERT(sc);
	if (!sc->sc_running || sc->sc_invalid)
		return;
	nqueued = 0;
	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
		/*
		 * Grab the node for the destination.
		 */
		ni = (struct ieee80211_node *) m->m_pkthdr.rcvif;
		KASSERT(ni != NULL, ("no node"));
		m->m_pkthdr.rcvif = NULL;	/* committed, clear ref */
		/*
		 * Grab a TX buffer and associated resources.
		 * We honor the classification by the 802.11 layer.
		 */
		txq = sc->sc_ac2q[M_WME_GETAC(m)];
		bf = mwl_gettxbuf(sc, txq);
		if (bf == NULL) {
			/* frame and node ref are released in both variants */
			m_freem(m);
			ieee80211_free_node(ni);
#ifdef MWL_TX_NODROP
			/* stop draining; remaining frames stay queued */
			sc->sc_stats.mst_tx_qstop++;
			break;
#else
			/* drop this frame and try the next one */
			DPRINTF(sc, MWL_DEBUG_XMIT,
			    "%s: tail drop on q %d\n", __func__, txq->qnum);
			sc->sc_stats.mst_tx_qdrop++;
			continue;
#endif /* MWL_TX_NODROP */
		}

		/*
		 * Pass the frame to the h/w for transmission.
		 */
		if (mwl_tx_start(sc, ni, bf, m)) {
			if_inc_counter(ni->ni_vap->iv_ifp,
			    IFCOUNTER_OERRORS, 1);
			/* head insert keeps the free list in descriptor order */
			mwl_puttxbuf_head(txq, bf);
			ieee80211_free_node(ni);
			continue;
		}
		nqueued++;
		if (nqueued >= mwl_txcoalesce) {
			/*
			 * Poke the firmware to process queued frames;
			 * see below about (lack of) locking.
			 */
			nqueued = 0;
			mwl_hal_txstart(sc->sc_mh, 0/*XXX*/);
		}
	}
	if (nqueued) {
		/*
		 * NB: We don't need to lock against tx done because
		 * this just prods the firmware to check the transmit
		 * descriptors.  The firmware will also start fetching
		 * descriptors by itself if it notices new ones are
		 * present when it goes to deliver a tx done interrupt
		 * to the host. So if we race with tx done processing
		 * it's ok.  Delivering the kick here rather than in
		 * mwl_tx_start is an optimization to avoid poking the
		 * firmware for each packet.
		 *
		 * NB: the queue id isn't used so 0 is ok.
		 */
		mwl_hal_txstart(sc->sc_mh, 0/*XXX*/);
	}
}
1417 
/*
 * Transmit a single frame handed down by net80211's raw path.
 *
 * Returns ENETDOWN when the device is not running or is invalid and
 * ENOBUFS when no tx buffer is free; the mbuf is freed in both cases.
 * Returns EIO when mwl_tx_start fails; the tx buffer is put back but
 * the mbuf is not freed in this function on that path (presumably
 * mwl_tx_start disposes of it -- confirm).  Returns 0 once the frame
 * has been handed to the firmware.  The node reference is never
 * released here.  params is not used.
 */
static int
mwl_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
	const struct ieee80211_bpf_params *params)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct mwl_txq *txq;
	struct mwl_txbuf *bf;

	if (!sc->sc_running || sc->sc_invalid) {
		m_freem(m);
		return ENETDOWN;
	}

	/*
	 * Grab a TX buffer and associated resources.
	 * Note that we depend on the classification
	 * by the 802.11 layer to get to the right h/w
	 * queue.  Management frames must ALWAYS go on
	 * queue 1 but we cannot just force that here
	 * because we may receive non-mgt frames.
	 */
	txq = sc->sc_ac2q[M_WME_GETAC(m)];
	bf = mwl_gettxbuf(sc, txq);
	if (bf == NULL) {
		sc->sc_stats.mst_tx_qstop++;
		m_freem(m);
		return ENOBUFS;
	}

	/*
	 * Pass the frame to the h/w for transmission.
	 */
	if (mwl_tx_start(sc, ni, bf, m) != 0) {
		mwl_puttxbuf_head(txq, bf);
		return EIO;		/* XXX */
	}

	/*
	 * NB: We don't need to lock against tx done because
	 * this just prods the firmware to check the transmit
	 * descriptors.  The firmware will also start fetching
	 * descriptors by itself if it notices new ones are
	 * present when it goes to deliver a tx done interrupt
	 * to the host. So if we race with tx done processing
	 * it's ok.  Delivering the kick here rather than in
	 * mwl_tx_start is an optimization to avoid poking the
	 * firmware for each packet.
	 *
	 * NB: the queue id isn't used so 0 is ok.
	 */
	mwl_hal_txstart(sc->sc_mh, 0/*XXX*/);
	return 0;
}
1470 
/*
 * Media change handler.  Lets net80211 process the change first and,
 * when that succeeds, pushes the vap's rate settings to the firmware.
 * Returns net80211's error, or 0 on success; the result of
 * mwl_setrates is not propagated.
 */
static int
mwl_media_change(struct ifnet *ifp)
{
	int error;

	/* NB: only the fixed rate can change and that doesn't need a reset */
	error = ieee80211_media_change(ifp);
	if (error == 0) {
		struct ieee80211vap *vap = ifp->if_softc;

		mwl_setrates(vap);
	}
	return (error);
}
1486 
1487 #ifdef MWL_DEBUG
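/*
 * Debug helper: print one firmware key descriptor.
 *
 * Prints the tag, key index, cipher name, keyLen bytes of key material,
 * the station MAC address, the TKIP rx/tx MIC keys when the key is
 * TKIP, and the key flags.
 *
 * NB: this writes raw key and MIC key bytes through printf.  It is
 * only compiled with MWL_DEBUG; such builds expose key material to
 * anyone able to read the kernel's message output.
 *
 * sc is not used.
 */
static void
mwl_keyprint(struct mwl_softc *sc, const char *tag,
	const MWL_HAL_KEYVAL *hk, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	static const char *const ciphers[] = {
		"WEP",
		"TKIP",
		"AES-CCM",
	};
	const size_t nciphers = sizeof(ciphers) / sizeof(ciphers[0]);
	const char *cname;
	size_t i, n;

	/* an unexpected type id must not index past the name table */
	cname = hk->keyTypeId < nciphers ? ciphers[hk->keyTypeId] : "?";
	printf("%s: [%u] %-7s", tag, hk->keyIndex, cname);

	/*
	 * Never walk past the key storage, whatever keyLen says.
	 * NB: assumes key.aes starts at the beginning of hk->key so
	 * that longer (TKIP) keys are covered too -- TODO confirm
	 * against the MWL_HAL_KEYVAL definition.
	 */
	n = hk->keyLen;
	if (n > sizeof(hk->key))
		n = sizeof(hk->key);
	for (i = 0; i < n; i++)
		printf(" %02x", hk->key.aes[i]);
	printf(" mac %s", ether_sprintf(mac));
	if (hk->keyTypeId == KEY_TYPE_ID_TKIP) {
		printf(" %s", "rxmic");
		for (i = 0; i < sizeof(hk->key.tkip.rxMic); i++)
			printf(" %02x", hk->key.tkip.rxMic[i]);
		printf(" txmic");
		for (i = 0; i < sizeof(hk->key.tkip.txMic); i++)
			printf(" %02x", hk->key.tkip.txMic[i]);
	}
	printf(" flags 0x%x\n", hk->keyFlags);
}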
1513 #endif
1514 
/*
 * Allocate a key cache slot.  The firmware handles allocation for
 * unicast keys, so those always succeed and get index 0.
 *
 * A key that already has an index, or that is flagged as a group key,
 * must be one of the vap's iv_nw_keys[] entries; it is given the index
 * reported by ieee80211_crypto_get_key_wepidx.  A key outside that
 * array is rejected.
 *
 * Returns 1 with *keyix and *rxkeyix set on success, 0 on rejection
 * (outputs untouched).
 */
static int
mwl_key_alloc(struct ieee80211vap *vap, struct ieee80211_key *k,
	ieee80211_keyix *keyix, ieee80211_keyix *rxkeyix)
{
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	const int fixedslot = k->wk_keyix != IEEE80211_KEYIX_NONE ||
	    (k->wk_flags & IEEE80211_KEY_GROUP) != 0;

	if (!fixedslot) {
		/*
		 * Firmware handles key allocation.
		 */
		*keyix = *rxkeyix = 0;
		return 1;
	}

	/* the key must live inside the vap's global key array */
	if (k < &vap->iv_nw_keys[0] ||
	    k >= &vap->iv_nw_keys[IEEE80211_WEP_NKID]) {
		/* should not happen */
		DPRINTF(sc, MWL_DEBUG_KEYCACHE,
			"%s: bogus group key\n", __func__);
		return 0;
	}

	/* give the caller what they requested */
	*keyix = *rxkeyix = ieee80211_crypto_get_key_wepidx(vap, k);
	return 1;
}
1545 
/*
 * Delete a key entry allocated by mwl_key_alloc.
 *
 * Builds a firmware key descriptor holding only the key index and the
 * cipher type and asks the HAL to reset it.  The broadcast address is
 * always passed as the MAC address.  A WDS vap without its own HAL vap
 * uses the AP's HAL vap instead.
 *
 * Returns 1 when the HAL reports success; 0 when the HAL fails, the
 * cipher is not WEP/TKIP/AES-CCM, or a non-WDS vap has no HAL vap.
 */
static int
mwl_key_delete(struct ieee80211vap *vap, const struct ieee80211_key *k)
{
	static const uint8_t bcastaddr[IEEE80211_ADDR_LEN] =
	    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	struct mwl_vap *mvp = MWL_VAP(vap);
	struct mwl_hal_vap *hvap = mvp->mv_hvap;
	MWL_HAL_KEYVAL hk;
	int keytype;

	if (hvap == NULL) {
		if (vap->iv_opmode != IEEE80211_M_WDS) {
			/* XXX monitor mode? */
			DPRINTF(sc, MWL_DEBUG_KEYCACHE,
			    "%s: no hvap for opmode %d\n", __func__,
			    vap->iv_opmode);
			return 0;
		}
		hvap = mvp->mv_ap_hvap;
	}

	DPRINTF(sc, MWL_DEBUG_KEYCACHE, "%s: delete key %u\n",
	    __func__, k->wk_keyix);

	/* translate the net80211 cipher to the firmware key type */
	switch (k->wk_cipher->ic_cipher) {
	case IEEE80211_CIPHER_WEP:
		keytype = KEY_TYPE_ID_WEP;
		break;
	case IEEE80211_CIPHER_TKIP:
		keytype = KEY_TYPE_ID_TKIP;
		break;
	case IEEE80211_CIPHER_AES_CCM:
		keytype = KEY_TYPE_ID_AES;
		break;
	default:
		/* XXX should not happen */
		DPRINTF(sc, MWL_DEBUG_KEYCACHE, "%s: unknown cipher %d\n",
		    __func__, k->wk_cipher->ic_cipher);
		return 0;
	}

	memset(&hk, 0, sizeof(hk));
	hk.keyIndex = k->wk_keyix;
	hk.keyTypeId = keytype;

	return (mwl_hal_keyreset(hvap, &hk, bcastaddr) == 0);	/*XXX*/
}
1592 
/*
 * For a group key, add the firmware tx/rx group-key flags that match
 * the key's XMIT/RECV flags to hk->keyFlags.  Returns 1 when k is a
 * group key and 0 (hk untouched) when it is not.
 */
static __inline int
addgroupflags(MWL_HAL_KEYVAL *hk, const struct ieee80211_key *k)
{
	if ((k->wk_flags & IEEE80211_KEY_GROUP) == 0)
		return 0;

	if (k->wk_flags & IEEE80211_KEY_XMIT)
		hk->keyFlags |= KEY_FLAG_TXGROUPKEY;
	if (k->wk_flags & IEEE80211_KEY_RECV)
		hk->keyFlags |= KEY_FLAG_RXGROUPKEY;
	return 1;
}
1605 
/*
 * Set the key cache contents for the specified key.  Key cache
 * slot(s) must already have been allocated by mwl_key_alloc.
 *
 * Thin wrapper that passes the key's own MAC address (wk_macaddr)
 * to _mwl_key_set and returns its result.
 */
static int
mwl_key_set(struct ieee80211vap *vap, const struct ieee80211_key *k)
{
	const uint8_t *peer = k->wk_macaddr;

	return (_mwl_key_set(vap, k, peer));
}
1615 
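/*
 * Program one key into the firmware key cache.
 *
 * Builds a firmware key descriptor from the net80211 key (type, index,
 * flags, length and key bytes), picks the station-database address the
 * firmware expects for the vap's operating mode, and hands both to
 * mwl_hal_keyset.  A WDS vap without its own HAL vap uses the AP's HAL
 * vap instead.
 *
 * mac is the address used when none of the mode-specific rules below
 * selects another one.
 *
 * Returns 1 when the HAL accepts the key; 0 when the HAL fails, the
 * cipher is not WEP/TKIP/AES-CCM, the key length does not fit the
 * firmware descriptor, or a non-WDS vap has no HAL vap.
 *
 * NOTE(review): hk holds a copy of the key material and is left on the
 * kernel stack when this function returns; consider wiping it (e.g.
 * explicit_bzero) on every exit path.
 */
static int
_mwl_key_set(struct ieee80211vap *vap, const struct ieee80211_key *k,
	const uint8_t mac[IEEE80211_ADDR_LEN])
{
#define	GRPXMIT	(IEEE80211_KEY_XMIT | IEEE80211_KEY_GROUP)
/* NB: static wep keys are marked GROUP+tx/rx; GTK will be tx or rx */
#define	IEEE80211_IS_STATICKEY(k) \
	(((k)->wk_flags & (GRPXMIT|IEEE80211_KEY_RECV)) == \
	 (GRPXMIT|IEEE80211_KEY_RECV))
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	const struct ieee80211_cipher *cip = k->wk_cipher;
	const uint8_t *macaddr;
	MWL_HAL_KEYVAL hk;

	KASSERT((k->wk_flags & IEEE80211_KEY_SWCRYPT) == 0,
		("s/w crypto set?"));

	if (hvap == NULL) {
		if (vap->iv_opmode != IEEE80211_M_WDS) {
			/* XXX monitor mode? */
			DPRINTF(sc, MWL_DEBUG_KEYCACHE,
			    "%s: no hvap for opmode %d\n", __func__,
			    vap->iv_opmode);
			return 0;
		}
		hvap = MWL_VAP(vap)->mv_ap_hvap;
	}
	memset(&hk, 0, sizeof(hk));
	hk.keyIndex = k->wk_keyix;
	switch (cip->ic_cipher) {
	case IEEE80211_CIPHER_WEP:
		hk.keyTypeId = KEY_TYPE_ID_WEP;
		hk.keyLen = k->wk_keylen;
		if (k->wk_keyix == vap->iv_def_txkey)
			hk.keyFlags = KEY_FLAG_WEP_TXKEY;
		if (!IEEE80211_IS_STATICKEY(k)) {
			/* NB: WEP is never used for the PTK */
			(void) addgroupflags(&hk, k);
		}
		break;
	case IEEE80211_CIPHER_TKIP:
		hk.keyTypeId = KEY_TYPE_ID_TKIP;
		/* split the transmit sequence counter: low 16 bits / rest */
		hk.key.tkip.tsc.high = (uint32_t)(k->wk_keytsc >> 16);
		hk.key.tkip.tsc.low = (uint16_t)k->wk_keytsc;
		hk.keyFlags = KEY_FLAG_TSC_VALID | KEY_FLAG_MICKEY_VALID;
		/* the MIC keys travel with the key, see the copy below */
		hk.keyLen = k->wk_keylen + IEEE80211_MICBUF_SIZE;
		if (!addgroupflags(&hk, k))
			hk.keyFlags |= KEY_FLAG_PAIRWISE;
		break;
	case IEEE80211_CIPHER_AES_CCM:
		hk.keyTypeId = KEY_TYPE_ID_AES;
		hk.keyLen = k->wk_keylen;
		if (!addgroupflags(&hk, k))
			hk.keyFlags |= KEY_FLAG_PAIRWISE;
		break;
	default:
		/* XXX should not happen */
		DPRINTF(sc, MWL_DEBUG_KEYCACHE, "%s: unknown cipher %d\n",
		    __func__, k->wk_cipher->ic_cipher);
		return 0;
	}
	/*
	 * The copy below is sized by a length that originates outside
	 * the driver.  net80211 is expected to have bounded wk_keylen
	 * already, but refuse anything that would run past the key
	 * storage of the stack-resident descriptor rather than rely on
	 * that.
	 */
	if (hk.keyLen > sizeof(hk.key)) {
		/* should not happen */
		DPRINTF(sc, MWL_DEBUG_KEYCACHE,
		    "%s: key length %u exceeds key buffer\n",
		    __func__, (unsigned)hk.keyLen);
		return 0;
	}
	/*
	 * NB: tkip mic keys get copied here too; the layout
	 *     just happens to match that in ieee80211_key.
	 */
	memcpy(hk.key.aes, k->wk_key, hk.keyLen);

	/*
	 * Locate address of sta db entry for writing key;
	 * the convention unfortunately is somewhat different
	 * than how net80211, hostapd, and wpa_supplicant think.
	 */
	if (vap->iv_opmode == IEEE80211_M_STA) {
		/*
		 * NB: keys plumbed before the sta reaches AUTH state
		 * will be discarded or written to the wrong sta db
		 * entry because iv_bss is meaningless.  This is ok
		 * (right now) because we handle deferred plumbing of
		 * WEP keys when the sta reaches AUTH state.
		 */
		macaddr = vap->iv_bss->ni_bssid;
		if ((k->wk_flags & IEEE80211_KEY_GROUP) == 0) {
			/* XXX plumb to local sta db too for static key wep */
			/* NB: the result of this extra plumb is not checked */
			mwl_hal_keyset(hvap, &hk, vap->iv_myaddr);
		}
	} else if (vap->iv_opmode == IEEE80211_M_WDS &&
	    vap->iv_state != IEEE80211_S_RUN) {
		/*
		 * Prior to RUN state a WDS vap will not have its BSS
		 * node set up, so we would plumb the key to the wrong
		 * mac address (it'll be our local address).  Work
		 * around this for the moment by grabbing the correct
		 * address.
		 */
		macaddr = vap->iv_des_bssid;
	} else if ((k->wk_flags & GRPXMIT) == GRPXMIT)
		macaddr = vap->iv_myaddr;
	else
		macaddr = mac;
	KEYPRINTF(sc, &hk, macaddr);
	return (mwl_hal_keyset(hvap, &hk, macaddr) == 0);
#undef IEEE80211_IS_STATICKEY
#undef GRPXMIT
}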
1720 
/*
 * Set the multicast filter contents into the hardware.
 * XXX f/w has no support; just defer to the os.
 *
 * The whole body is compiled out (#if 0), so this function currently
 * does nothing.  NB: the disabled code refers to `ifp', which is not
 * declared in this function, so it would need rework before it could
 * be enabled.
 */
static void
mwl_setmcastfilter(struct mwl_softc *sc)
{
#if 0
	struct ether_multi *enm;
	struct ether_multistep estep;
	uint8_t macs[IEEE80211_ADDR_LEN*MWL_HAL_MCAST_MAX];/* XXX stack use */
	uint8_t *mp;
	int nmc;

	mp = macs;
	nmc = 0;
	ETHER_FIRST_MULTI(estep, &sc->sc_ec, enm);
	while (enm != NULL) {
		/* XXX Punt on ranges. */
		/* too many entries, or an address range: accept all multicast */
		if (nmc == MWL_HAL_MCAST_MAX ||
		    !IEEE80211_ADDR_EQ(enm->enm_addrlo, enm->enm_addrhi)) {
			ifp->if_flags |= IFF_ALLMULTI;
			return;
		}
		IEEE80211_ADDR_COPY(mp, enm->enm_addrlo);
		mp += IEEE80211_ADDR_LEN, nmc++;
		ETHER_NEXT_MULTI(estep, enm);
	}
	ifp->if_flags &= ~IFF_ALLMULTI;
	mwl_hal_setmcast(sc->sc_mh, nmc, macs);
#endif
}
1753 
/*
 * Apply receive-mode state: tell the HAL whether promiscuous mode is
 * wanted (ic_promisc > 0) and refresh the multicast filter.
 * Always returns 0.
 */
static int
mwl_mode_init(struct mwl_softc *sc)
{
	const int promisc = sc->sc_ic.ic_promisc > 0;

	mwl_hal_setpromisc(sc->sc_mh, promisc);
	mwl_setmcastfilter(sc);

	return 0;
}
1765 
/*
 * Callback from the 802.11 layer after a multicast state change.
 * Forwards to mwl_setmcastfilter with the driver softc.
 */
static void
mwl_update_mcast(struct ieee80211com *ic)
{
	mwl_setmcastfilter(ic->ic_softc);
}
1776 
/*
 * Callback from the 802.11 layer after a promiscuous mode change.
 * Note this interface does not check the operating mode as this
 * is an internal callback and we are expected to honor the current
 * state (e.g. this is used for setting the interface in promiscuous
 * mode when operating in hostap mode to do ACS).
 *
 * Promiscuous reception is requested from the HAL whenever
 * ic_promisc is greater than zero.
 */
static void
mwl_update_promisc(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;
	const int promisc = ic->ic_promisc > 0;

	mwl_hal_setpromisc(sc->sc_mh, promisc);
}
1791 
/*
 * Callback from the 802.11 layer to update the slot time
 * based on the current setting.  We use it to notify the
 * firmware of ERP changes and the f/w takes care of things
 * like slot time and preamble.
 *
 * Nothing is sent while the device is not running.
 */
static void
mwl_updateslot(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;
	struct mwl_hal *mh = sc->sc_mh;
	int prot = 0;

	/* NB: can be called early; suppress needless cmds */
	if (!sc->sc_running)
		return;

	/*
	 * Calculate the ERP flags.  The firmware will use
	 * this to carry out the appropriate measures.
	 * They stay zero on channels that are not 11g.
	 */
	if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan)) {
		if (!(ic->ic_flags & IEEE80211_F_SHSLOT))
			prot |= IEEE80211_ERP_NON_ERP_PRESENT;
		if ((ic->ic_flags & IEEE80211_F_USEPROT) != 0)
			prot |= IEEE80211_ERP_USE_PROTECTION;
		if ((ic->ic_flags & IEEE80211_F_USEBARKER) != 0)
			prot |= IEEE80211_ERP_LONG_PREAMBLE;
	}

	DPRINTF(sc, MWL_DEBUG_RESET,
	    "%s: chan %u MHz/flags 0x%x %s slot, (prot 0x%x ic_flags 0x%x)\n",
	    __func__, ic->ic_curchan->ic_freq, ic->ic_curchan->ic_flags,
	    ic->ic_flags & IEEE80211_F_SHSLOT ? "short" : "long", prot,
	    ic->ic_flags);

	mwl_hal_setgprot(mh, prot);
}
1831 
/*
 * Setup the beacon frame.
 *
 * Has net80211 build a beacon for the vap's bss node, hands the first
 * mbuf's data and length to the HAL, and frees the mbuf again.
 * Returns ENOBUFS when no beacon could be allocated and 0 otherwise;
 * the result of mwl_hal_setbeacon is not examined.
 */
static int
mwl_beacon_setup(struct ieee80211vap *vap)
{
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	struct mbuf *bcn;

	bcn = ieee80211_beacon_alloc(vap->iv_bss);
	if (bcn == NULL)
		return ENOBUFS;

	/* the frame is only needed for the duration of the HAL call */
	mwl_hal_setbeacon(hvap, mtod(bcn, const void *), bcn->m_len);
	m_free(bcn);

	return 0;
}
1850 
/*
 * Update the beacon frame in response to a change.
 *
 * TIM changes are ignored because the firmware forms the TIM itself.
 * ERP changes first refresh the firmware's protection settings and
 * HT-info changes first push the current HT protection mode.  Every
 * non-TIM item then rebuilds and reloads the beacon.  The vap must
 * have a HAL vap (asserted).
 */
static void
mwl_beacon_update(struct ieee80211vap *vap, int item)
{
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	struct ieee80211com *ic = vap->iv_ic;

	KASSERT(hvap != NULL, ("no beacon"));

	/* NB: firmware always forms TIM */
	if (item == IEEE80211_BEACON_TIM)
		return;

	if (item == IEEE80211_BEACON_ERP) {
		mwl_updateslot(ic);
	} else if (item == IEEE80211_BEACON_HTINFO) {
		mwl_hal_setnprotmode(hvap,
		    MS(ic->ic_curhtprotmode, IEEE80211_HTINFO_OPMODE));
	}
	/* CAPS, WME, APPIE, CSA and anything else need no extra step */

	/* XXX retain beacon frame and update */
	mwl_beacon_setup(vap);
}
1881 
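/*
 * bus_dmamap_load() callback: store the bus address of the first
 * segment in the bus_addr_t that arg points to.
 *
 * On a failed load nothing is written; the caller sees the failure
 * through bus_dmamap_load's own return value.  nsegs is not used.
 */
static void
mwl_load_cb(void *arg, bus_dma_segment_t *segs, int nsegs, int error)
{
	bus_addr_t *paddr = arg;

	KASSERT(error == 0, ("error %u on bus_dma callback", error));
	/*
	 * KASSERT is compiled out of kernels built without INVARIANTS;
	 * do not dereference segs after a failed load in that case.
	 */
	if (error != 0)
		return;
	*paddr = segs->ds_addr;
}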
1889 
1890 #ifdef MWL_HOST_PS_SUPPORT
/*
 * Handle power save station occupancy changes.
 *
 * The firmware is only told when the count of power-save stations
 * drops to zero or when the previously recorded count was zero; the
 * latest count is remembered either way.
 */
static void
mwl_update_ps(struct ieee80211vap *vap, int nsta)
{
	struct mwl_vap *mvp = MWL_VAP(vap);
	const int notify = (nsta == 0 || mvp->mv_last_ps_sta == 0);

	if (notify)
		mwl_hal_setpowersave_bss(mvp->mv_hvap, nsta);
	mvp->mv_last_ps_sta = nsta;
}
1903 
/*
 * Handle associated station power save state changes.
 *
 * Calls the vap's saved mv_set_tim handler first.  Only when that
 * reports a state change is the firmware told about the station's
 * power-save state, keyed by its association id.  Returns 1 on a
 * state change and 0 otherwise.
 */
static int
mwl_set_tim(struct ieee80211_node *ni, int set)
{
	struct mwl_vap *mvp = MWL_VAP(ni->ni_vap);

	if (!mvp->mv_set_tim(ni, set))
		return 0;

	/* NB: state change */
	mwl_hal_setpowersave_sta(mvp->mv_hvap,
	    IEEE80211_AID(ni->ni_associd), set);
	return 1;
}
1920 #endif /* MWL_HOST_PS_SUPPORT */
1921 
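/*
 * Allocate, map and zero one DMA descriptor area.
 *
 * sc       - softc; supplies the device for the parent tag and messages
 * name     - label used in messages; the pointer is stored in dd_name
 * dd       - descriptor-area state to fill in
 * nbuf     - number of buffers
 * bufsize  - only reported in the debug message
 * ndesc    - descriptors per buffer
 * descsize - size of one descriptor in bytes
 *
 * Returns 0 on success, EINVAL for a non-positive count or a zero
 * descriptor size (dd is not modified), otherwise the bus_dma error
 * with *dd zeroed.
 *
 * The zeroing on failure matters: mwl_txdma_cleanup and
 * mwl_rxdma_cleanup call mwl_desc_cleanup whenever dd_desc_len is
 * non-zero, so a failed setup must not leave a length behind.
 */
static int
mwl_desc_setup(struct mwl_softc *sc, const char *name,
	struct mwl_descdma *dd,
	int nbuf, size_t bufsize, int ndesc, size_t descsize)
{
	uint8_t *ds;
	int error;

	DPRINTF(sc, MWL_DEBUG_RESET,
	    "%s: %s DMA: %u bufs (%ju) %u desc/buf (%ju)\n",
	    __func__, name, nbuf, (uintmax_t) bufsize,
	    ndesc, (uintmax_t) descsize);

	/*
	 * The counts size a region the device will DMA into; refuse
	 * values that cannot describe one.
	 * NOTE(review): the callers pass mwl_txbuf/mwl_rxdesc, which look
	 * like run-time settable values; confirm they are range checked
	 * where they are set.
	 */
	if (nbuf <= 0 || ndesc <= 0 || descsize == 0) {
		device_printf(sc->sc_dev,
		    "invalid %s descriptor geometry\n", name);
		return EINVAL;
	}

	dd->dd_name = name;
	/* widen before multiplying so the product is not formed in int */
	dd->dd_desc_len = (size_t)nbuf * (size_t)ndesc * descsize;

	/*
	 * Setup DMA descriptor area.
	 */
	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev),	/* parent */
		       PAGE_SIZE, 0,		/* alignment, bounds */
		       BUS_SPACE_MAXADDR_32BIT,	/* lowaddr */
		       BUS_SPACE_MAXADDR,	/* highaddr */
		       NULL, NULL,		/* filter, filterarg */
		       dd->dd_desc_len,		/* maxsize */
		       1,			/* nsegments */
		       dd->dd_desc_len,		/* maxsegsize */
		       BUS_DMA_ALLOCNOW,	/* flags */
		       NULL,			/* lockfunc */
		       NULL,			/* lockarg */
		       &dd->dd_dmat);
	if (error != 0) {
		device_printf(sc->sc_dev, "cannot allocate %s DMA tag\n", dd->dd_name);
		/*
		 * No tag exists, so there is nothing to destroy, but the
		 * length set above must not survive or the cleanup
		 * routines would unload and free through a missing tag.
		 */
		memset(dd, 0, sizeof(*dd));
		return error;
	}

	/* allocate descriptors */
	error = bus_dmamem_alloc(dd->dd_dmat, (void**) &dd->dd_desc,
				 BUS_DMA_NOWAIT | BUS_DMA_COHERENT,
				 &dd->dd_dmamap);
	if (error != 0) {
		device_printf(sc->sc_dev, "unable to alloc memory for %u %s descriptors, "
			"error %u\n", nbuf * ndesc, dd->dd_name, error);
		goto fail1;
	}

	error = bus_dmamap_load(dd->dd_dmat, dd->dd_dmamap,
				dd->dd_desc, dd->dd_desc_len,
				mwl_load_cb, &dd->dd_desc_paddr,
				BUS_DMA_NOWAIT);
	if (error != 0) {
		device_printf(sc->sc_dev, "unable to map %s descriptors, error %u\n",
			dd->dd_name, error);
		goto fail2;
	}

	/* start from all-zero descriptors before the device sees them */
	ds = dd->dd_desc;
	memset(ds, 0, dd->dd_desc_len);
	DPRINTF(sc, MWL_DEBUG_RESET,
	    "%s: %s DMA map: %p (%lu) -> 0x%jx (%lu)\n",
	    __func__, dd->dd_name, ds, (u_long) dd->dd_desc_len,
	    (uintmax_t) dd->dd_desc_paddr, /*XXX*/ (u_long) dd->dd_desc_len);

	return 0;
fail2:
	bus_dmamem_free(dd->dd_dmat, dd->dd_desc, dd->dd_dmamap);
fail1:
	bus_dma_tag_destroy(dd->dd_dmat);
	memset(dd, 0, sizeof(*dd));
	return error;
	/* NB: DS2PHYS is only defined further down; kept as in the original */
#undef DS2PHYS
}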
1994 
/*
 * Undo mwl_desc_setup: unload the map, free the descriptor memory,
 * destroy the tag, then zero *dd so dd_desc_len reads as 0 afterwards.
 * The callers in this file only call this when dd_desc_len is non-zero.
 */
static void
mwl_desc_cleanup(struct mwl_softc *sc, struct mwl_descdma *dd)
{
	bus_dma_tag_t tag = dd->dd_dmat;

	/* release in the reverse order of acquisition */
	bus_dmamap_unload(tag, dd->dd_dmamap);
	bus_dmamem_free(tag, dd->dd_desc, dd->dd_dmamap);
	bus_dma_tag_destroy(tag);

	memset(dd, 0, sizeof(*dd));
}
2004 
/*
 * Rebuild a tx queue's free list from its buffer array.  Entries are
 * appended in array order because the list order must reflect the
 * physical layout of tx descriptors (the firmware pre-fetches them).
 *
 * XXX might be better to use indices into the buffer array.
 */
static void
mwl_txq_reset(struct mwl_softc *sc, struct mwl_txq *txq)
{
	struct mwl_txbuf *base = txq->dma.dd_bufptr;
	struct mwl_txbuf *bf;
	int n;

	STAILQ_INIT(&txq->free);
	n = 0;
	while (n < mwl_txbuf) {
		bf = base + n;
		STAILQ_INSERT_TAIL(&txq->free, bf, bf_list);
		n++;
	}
	txq->nfree = n;
}
2024 
/*
 * Bus address of descriptor _ds: the bus address of the descriptor
 * area (_dd)->dd_desc_paddr plus the byte offset of _ds from the start
 * of the area (_dd)->dd_desc.  _ds is not checked to lie inside the
 * area.
 */
#define	DS2PHYS(_dd, _ds) \
	((_dd)->dd_desc_paddr + ((caddr_t)(_ds) - (caddr_t)(_dd)->dd_desc))
2027 
/*
 * Set up the DMA state of one tx queue: the descriptor area, an array
 * of mwl_txbuf zeroed host-side buffers (one per MWL_TXDESC
 * descriptors), a dmamap per buffer, and finally the free list.
 *
 * Returns 0 or an errno.  Nothing is released here on failure;
 * mwl_dma_setup calls mwl_dma_cleanup when this returns an error.
 */
static int
mwl_txdma_setup(struct mwl_softc *sc, struct mwl_txq *txq)
{
	struct mwl_txdesc *desc;
	struct mwl_txbuf *txb;
	int rc, nbytes, n;

	rc = mwl_desc_setup(sc, "tx", &txq->dma,
			mwl_txbuf, sizeof(struct mwl_txbuf),
			MWL_TXDESC, sizeof(struct mwl_txdesc));
	if (rc != 0)
		return rc;

	/* host-side bookkeeping, one entry per tx buffer */
	nbytes = mwl_txbuf * sizeof(struct mwl_txbuf);
	txb = malloc(nbytes, M_MWLDEV, M_NOWAIT | M_ZERO);
	if (txb == NULL) {
		device_printf(sc->sc_dev, "malloc of %u tx buffers failed\n",
			mwl_txbuf);
		return ENOMEM;
	}
	txq->dma.dd_bufptr = txb;

	/* tie each buffer to its first descriptor and give it a dmamap */
	desc = txq->dma.dd_desc;
	n = 0;
	while (n < mwl_txbuf) {
		txb->bf_desc = desc;
		txb->bf_daddr = DS2PHYS(&txq->dma, desc);
		rc = bus_dmamap_create(sc->sc_dmat, BUS_DMA_NOWAIT,
				&txb->bf_dmamap);
		if (rc != 0) {
			device_printf(sc->sc_dev, "unable to create dmamap for tx "
				"buffer %u, error %u\n", n, rc);
			return rc;
		}
		n++;
		txb++;
		desc += MWL_TXDESC;
	}
	mwl_txq_reset(sc, txq);
	return 0;
}
2066 
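/*
 * Release the DMA state of one tx queue: the per-buffer dmamaps, the
 * buffer array and the descriptor area.
 *
 * Safe to call on a queue that was never (or only partly) set up:
 * mwl_dma_cleanup walks every tx queue, including ones that
 * mwl_dma_setup had not reached when an earlier queue failed, and
 * mwl_txdma_setup can fail before the buffer array is allocated.  In
 * those cases dd_bufptr is NULL and the array must not be walked.
 */
static void
mwl_txdma_cleanup(struct mwl_softc *sc, struct mwl_txq *txq)
{
	struct mwl_txbuf *bf;
	int i;

	bf = txq->dma.dd_bufptr;
	if (bf != NULL) {
		for (i = 0; i < mwl_txbuf; i++, bf++) {
			KASSERT(bf->bf_m == NULL, ("mbuf on free list"));
			KASSERT(bf->bf_node == NULL, ("node on free list"));
			/* maps past a failed bus_dmamap_create are still NULL */
			if (bf->bf_dmamap != NULL)
				bus_dmamap_destroy(sc->sc_dmat, bf->bf_dmamap);
		}
	}
	STAILQ_INIT(&txq->free);
	txq->nfree = 0;
	if (txq->dma.dd_bufptr != NULL) {
		free(txq->dma.dd_bufptr, M_MWLDEV);
		txq->dma.dd_bufptr = NULL;
	}
	if (txq->dma.dd_desc_len != 0)
		mwl_desc_cleanup(sc, &txq->dma);
}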
2089 
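/*
 * Set up receive DMA: the rx descriptor area, one contiguous region of
 * mwl_rxbuf jumbo buffers, and an array of mwl_rxdesc host-side
 * mwl_rxbuf entries.  The first mwl_rxdesc jumbo buffers are
 * pre-assigned to the descriptors; the remainder go on the sc_rxfree
 * list.
 *
 * Returns 0 or an errno.  Nothing is released here on failure;
 * mwl_dma_setup calls mwl_rxdma_cleanup when this returns an error.
 */
static int
mwl_rxdma_setup(struct mwl_softc *sc)
{
	int error, jumbosize, bsize, i;
	struct mwl_rxbuf *bf;
	struct mwl_jumbo *rbuf;
	struct mwl_rxdesc *ds;
	caddr_t data;

	error = mwl_desc_setup(sc, "rx", &sc->sc_rxdma,
			mwl_rxdesc, sizeof(struct mwl_rxbuf),
			1, sizeof(struct mwl_rxdesc));
	if (error != 0)
		return error;

	/*
	 * Receive is done to a private pool of jumbo buffers.
	 * This allows us to attach to mbuf's and avoid re-mapping
	 * memory on each rx we post.  We allocate a large chunk
	 * of memory and manage it in the driver.  The mbuf free
	 * callback method is used to reclaim frames after sending
	 * them up the stack.  By default we allocate 2x the number of
	 * rx descriptors configured so we have some slop to hold
	 * us while frames are processed.
	 */
	if (mwl_rxbuf < 2*mwl_rxdesc) {
		device_printf(sc->sc_dev,
		    "too few rx dma buffers (%d); increasing to %d\n",
		    mwl_rxbuf, 2*mwl_rxdesc);
		mwl_rxbuf = 2*mwl_rxdesc;
	}
	jumbosize = roundup(MWL_AGGR_SIZE, PAGE_SIZE);
	/*
	 * NOTE(review): this product is formed in int; confirm mwl_rxbuf
	 * is bounded where it is set so the region size cannot wrap.
	 */
	sc->sc_rxmemsize = mwl_rxbuf*jumbosize;

	error = bus_dma_tag_create(sc->sc_dmat,	/* parent */
		       PAGE_SIZE, 0,		/* alignment, bounds */
		       BUS_SPACE_MAXADDR_32BIT,	/* lowaddr */
		       BUS_SPACE_MAXADDR,	/* highaddr */
		       NULL, NULL,		/* filter, filterarg */
		       sc->sc_rxmemsize,	/* maxsize */
		       1,			/* nsegments */
		       sc->sc_rxmemsize,	/* maxsegsize */
		       BUS_DMA_ALLOCNOW,	/* flags */
		       NULL,			/* lockfunc */
		       NULL,			/* lockarg */
		       &sc->sc_rxdmat);
	if (error != 0) {
		device_printf(sc->sc_dev, "could not create rx DMA tag\n");
		return error;
	}

	error = bus_dmamem_alloc(sc->sc_rxdmat, (void**) &sc->sc_rxmem,
				 BUS_DMA_NOWAIT | BUS_DMA_COHERENT,
				 &sc->sc_rxmap);
	if (error != 0) {
		device_printf(sc->sc_dev, "could not alloc %ju bytes of rx DMA memory\n",
		    (uintmax_t) sc->sc_rxmemsize);
		return error;
	}

	error = bus_dmamap_load(sc->sc_rxdmat, sc->sc_rxmap,
				sc->sc_rxmem, sc->sc_rxmemsize,
				mwl_load_cb, &sc->sc_rxmem_paddr,
				BUS_DMA_NOWAIT);
	if (error != 0) {
		device_printf(sc->sc_dev, "could not load rx DMA map\n");
		return error;
	}

	/*
	 * Allocate rx buffers and set them up.
	 */
	bsize = mwl_rxdesc * sizeof(struct mwl_rxbuf);
	bf = malloc(bsize, M_MWLDEV, M_NOWAIT | M_ZERO);
	if (bf == NULL) {
		/* report the buffer count, as the tx path does */
		device_printf(sc->sc_dev, "malloc of %u rx buffers failed\n",
		    mwl_rxdesc);
		/*
		 * error is 0 here (the map load above succeeded), so it
		 * must not be returned: the caller would treat the
		 * half-built rx state as usable.
		 */
		return ENOMEM;
	}
	sc->sc_rxdma.dd_bufptr = bf;

	STAILQ_INIT(&sc->sc_rxbuf);
	ds = sc->sc_rxdma.dd_desc;
	for (i = 0; i < mwl_rxdesc; i++, bf++, ds++) {
		bf->bf_desc = ds;
		bf->bf_daddr = DS2PHYS(&sc->sc_rxdma, ds);
		/* pre-assign dma buffer */
		bf->bf_data = ((uint8_t *)sc->sc_rxmem) + (i*jumbosize);
		/* NB: tail is intentional to preserve descriptor order */
		STAILQ_INSERT_TAIL(&sc->sc_rxbuf, bf, bf_list);
	}

	/*
	 * Place remainder of dma memory buffers on the free list.
	 */
	SLIST_INIT(&sc->sc_rxfree);
	for (; i < mwl_rxbuf; i++) {
		data = ((uint8_t *)sc->sc_rxmem) + (i*jumbosize);
		rbuf = MWL_JUMBO_DATA2BUF(data);
		SLIST_INSERT_HEAD(&sc->sc_rxfree, rbuf, next);
		sc->sc_nrxfree++;
	}
	return 0;
}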
2193 #undef DS2PHYS
2194 
/*
 * Release receive DMA state.  Each step is guarded by the field that
 * records it was done, so this may be called after a partial
 * mwl_rxdma_setup.
 */
static void
mwl_rxdma_cleanup(struct mwl_softc *sc)
{
	struct mwl_descdma *dd = &sc->sc_rxdma;

	/* a recorded bus address means the rx map is loaded */
	if (sc->sc_rxmem_paddr != 0) {
		bus_dmamap_unload(sc->sc_rxdmat, sc->sc_rxmap);
		sc->sc_rxmem_paddr = 0;
	}
	/* jumbo buffer region */
	if (sc->sc_rxmem != NULL) {
		bus_dmamem_free(sc->sc_rxdmat, sc->sc_rxmem, sc->sc_rxmap);
		sc->sc_rxmem = NULL;
	}
	/* host-side rx buffer array */
	if (dd->dd_bufptr != NULL) {
		free(dd->dd_bufptr, M_MWLDEV);
		dd->dd_bufptr = NULL;
	}
	/* rx descriptor area */
	if (dd->dd_desc_len != 0)
		mwl_desc_cleanup(sc, dd);
	/*
	 * NOTE(review): the tag sc_rxdmat created by mwl_rxdma_setup is
	 * not destroyed here; confirm it is released elsewhere.
	 */
}
2213 
/*
 * Set up receive DMA, then DMA for every tx queue.  On a receive
 * failure only the receive state is cleaned up; on a tx queue failure
 * mwl_dma_cleanup tears down everything.  Returns 0 or the first errno.
 */
static int
mwl_dma_setup(struct mwl_softc *sc)
{
	int rc, q;

	rc = mwl_rxdma_setup(sc);
	if (rc != 0) {
		mwl_rxdma_cleanup(sc);
		return rc;
	}

	/* stop at the first queue that fails */
	for (q = 0; q < MWL_NUM_TX_QUEUES && rc == 0; q++)
		rc = mwl_txdma_setup(sc, &sc->sc_txq[q]);
	if (rc != 0)
		mwl_dma_cleanup(sc);
	return rc;
}
2234 
/*
 * Release DMA state for all MWL_NUM_TX_QUEUES tx queues, then for
 * receive.
 */
static void
mwl_dma_cleanup(struct mwl_softc *sc)
{
	struct mwl_txq *txq = &sc->sc_txq[0];
	struct mwl_txq *const end = txq + MWL_NUM_TX_QUEUES;

	while (txq != end) {
		mwl_txdma_cleanup(sc, txq);
		txq++;
	}
	mwl_rxdma_cleanup(sc);
}
2244 
/*
 * Allocate a zeroed driver node (struct mwl_node) without sleeping and
 * return a pointer to the ieee80211_node embedded in it, or NULL when
 * the allocation fails.  mac is not used here.
 */
static struct ieee80211_node *
mwl_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	struct mwl_node *mn;

	mn = malloc(sizeof(struct mwl_node), M_80211_NODE, M_NOWAIT|M_ZERO);
	if (mn != NULL) {
		DPRINTF(sc, MWL_DEBUG_NODE, "%s: mn %p\n", __func__, mn);
		return &mn->mn_node;
	}
	/* XXX stat+msg */
	return NULL;
}
2261 
/*
 * Node cleanup hook.  When the node holds a station id, the matching
 * station entry is deleted through the hal, the id is released with
 * delstaid and cleared; the saved sc_node_cleanup method is then
 * called in every case.
 */
static void
mwl_node_cleanup(struct ieee80211_node *ni)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct mwl_node *mn = MWL_NODE(ni);

	DPRINTF(sc, MWL_DEBUG_NODE, "%s: ni %p ic %p staid %d\n",
	    __func__, ni, ni->ni_ic, mn->mn_staid);

	if (mn->mn_staid != 0) {
		/* XXX can vap be NULL?  It is dereferenced below regardless. */
		struct ieee80211vap *vap = ni->ni_vap;

		if (mn->mn_hvap != NULL) {
			/* in sta mode the entry is keyed by our own address */
			const uint8_t *addr =
			    (vap->iv_opmode == IEEE80211_M_STA) ?
			    vap->iv_myaddr : ni->ni_macaddr;

			mwl_hal_delstation(mn->mn_hvap, addr);
		} else if (vap->iv_opmode == IEEE80211_M_WDS &&
		    MWL_VAP(vap)->mv_ap_hvap != NULL) {
			/*
			 * NB: legacy WDS peer sta db entry is installed using
			 * the associate ap's hvap; use it again to delete it.
			 */
			mwl_hal_delstation(MWL_VAP(vap)->mv_ap_hvap,
			    ni->ni_macaddr);
		}
		delstaid(sc, mn->mn_staid);
		mn->mn_staid = 0;
	}
	sc->sc_node_cleanup(ni);
}
2295 
/*
 * Reclaim rx dma buffers from packets sitting on the ampdu
 * reorder queue for a station.  We replace buffers with a
 * system cluster (if available).
 *
 * NB: the whole body is under #if 0, so as compiled this function
 * does nothing; mwl_node_drain still calls it.  The disabled code
 * copies m_pkthdr.len bytes into a cluster after checking
 * off + len against MCLBYTES.
 */
static void
mwl_ampdu_rxdma_reclaim(struct ieee80211_rx_ampdu *rap)
{
#if 0
	int i, n, off;
	struct mbuf *m;
	void *cl;

	n = rap->rxa_qframes;
	for (i = 0; i < rap->rxa_wnd && n > 0; i++) {
		m = rap->rxa_m[i];
		if (m == NULL)
			continue;
		n--;
		/* our dma buffers have a well-known free routine */
		if ((m->m_flags & M_EXT) == 0 ||
		    m->m_ext.ext_free != mwl_ext_free)
			continue;
		/*
		 * Try to allocate a cluster and move the data.
		 */
		off = m->m_data - m->m_ext.ext_buf;
		if (off + m->m_pkthdr.len > MCLBYTES) {
			/* XXX no AMSDU for now */
			continue;
		}
		cl = pool_cache_get_paddr(&mclpool_cache, 0,
		    &m->m_ext.ext_paddr);
		if (cl != NULL) {
			/*
			 * Copy the existing data to the cluster, remove
			 * the rx dma buffer, and attach the cluster in
			 * its place.  Note we preserve the offset to the
			 * data so frames being bridged can still prepend
			 * their headers without adding another mbuf.
			 */
			memcpy((caddr_t) cl + off, m->m_data, m->m_pkthdr.len);
			MEXTREMOVE(m);
			MEXTADD(m, cl, MCLBYTES, 0, NULL, &mclpool_cache);
			/* setup mbuf like _MCLGET does */
			m->m_flags |= M_CLUSTER | M_EXT_RW;
			_MOWNERREF(m, M_EXT | M_CLUSTER);
			/* NB: m_data is clobbered by MEXTADDR, adjust */
			m->m_data += off;
		}
	}
#endif
}
2349 
/*
 * Callback to reclaim resources.  The saved sc_node_drain method runs
 * first; if receive is still blocked for lack of rx dma buffers and
 * this is an HT node with a station id, the per-TID ampdu reorder
 * queues are walked and mwl_ampdu_rxdma_reclaim is called for each
 * queue that has IEEE80211_AGGR_XCHGPEND set and frames queued.
 */
static void
mwl_node_drain(struct ieee80211_node *ni)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct mwl_node *mn = MWL_NODE(ni);
	struct ieee80211_rx_ampdu *rap;
	uint8_t tid;

	DPRINTF(sc, MWL_DEBUG_NODE, "%s: ni %p vap %p staid %d\n",
	    __func__, ni, ni->ni_vap, mn->mn_staid);

	/* NB: call up first to age out ampdu q's */
	sc->sc_node_drain(ni);

	/* XXX better to not check low water mark? */
	if (!sc->sc_rxblocked || mn->mn_staid == 0 ||
	    (ni->ni_flags & IEEE80211_NODE_HT) == 0)
		return;

	/*
	 * Walk the reorder q and reclaim rx dma buffers by copying
	 * the packet contents into clusters.
	 */
	for (tid = 0; tid < WME_NUM_TID; tid++) {
		rap = &ni->ni_rx_ampdu[tid];
		if ((rap->rxa_flags & IEEE80211_AGGR_XCHGPEND) != 0 &&
		    rap->rxa_qframes)
			mwl_ampdu_rxdma_reclaim(rap);
	}
}
2389 
/*
 * Report signal and noise for a node.  *rssi comes from the
 * ic_node_getrssi method; *noise is the fixed value -95 in every
 * branch that is compiled (the per-node noise floor read is under
 * #if 0).
 */
static void
mwl_node_getsignal(const struct ieee80211_node *ni, int8_t *rssi, int8_t *noise)
{
	*rssi = ni->ni_ic->ic_node_getrssi(ni);
#ifdef MWL_ANT_INFO_SUPPORT
#if 0
	/* XXX need to smooth data */
	*noise = -MWL_NODE_CONST(ni)->mn_ai.nf;
#else
	*noise = -95;		/* XXX */
#endif
#else
	*noise = -95;		/* XXX */
#endif
}
2405 
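/*
 * Convert Hardware per-antenna rssi info to common format:
 * Let a1, a2, a3 represent the amplitudes per chain
 * Let amax represent max[a1, a2, a3]
 * Rssi1_dBm = RSSI_dBm + 20*log10(a1/amax)
 * Rssi1_dBm = RSSI_dBm + 20*log10(a1) - 20*log10(amax)
 * We store a table that is 4*20*log10(idx) - the extra 4 is to store or
 * maintain some extra precision.
 *
 * Values are stored in .5 db format capped at 127.
 *
 * The amplitudes index a 32-entry table.  They are copied into mn_ai
 * from the rx descriptor in mwl_rx_proc, i.e. they are device
 * supplied, so every index is clamped to the last table slot instead
 * of being trusted to stay below 32.  In-range values convert exactly
 * as before.
 */
static void
mwl_node_getmimoinfo(const struct ieee80211_node *ni,
	struct ieee80211_mimo_info *mi)
{
/* clamp a table index to the valid range of logdbtbl */
#define	TBLIDX(_v) \
	((_v) < nitems(logdbtbl) ? (_v) : nitems(logdbtbl) - 1)
#define	CVT(_dst, _src) do {						\
	(_dst) = rssi + ((logdbtbl[TBLIDX(_src)] - logdbtbl[rssi_max]) >> 2); \
	(_dst) = (_dst) > 64 ? 127 : ((_dst) << 1);			\
} while (0)
	static const int8_t logdbtbl[32] = {
	       0,   0,  24,  38,  48,  56,  62,  68,
	      72,  76,  80,  83,  86,  89,  92,  94,
	      96,  98, 100, 102, 104, 106, 107, 109,
	     110, 112, 113, 115, 116, 117, 118, 119
	};
	const struct mwl_node *mn = MWL_NODE_CONST(ni);
	uint8_t rssi = mn->mn_ai.rsvd1/2;		/* XXX */
	uint32_t rssi_max;

	/* amax: the largest of the three per-chain amplitudes */
	rssi_max = mn->mn_ai.rssi_a;
	if (mn->mn_ai.rssi_b > rssi_max)
		rssi_max = mn->mn_ai.rssi_b;
	if (mn->mn_ai.rssi_c > rssi_max)
		rssi_max = mn->mn_ai.rssi_c;
	rssi_max = TBLIDX(rssi_max);

	CVT(mi->ch[0].rssi[0], mn->mn_ai.rssi_a);
	CVT(mi->ch[1].rssi[0], mn->mn_ai.rssi_b);
	CVT(mi->ch[2].rssi[0], mn->mn_ai.rssi_c);

	mi->ch[0].noise[0] = mn->mn_ai.nf_a;
	mi->ch[1].noise[0] = mn->mn_ai.nf_b;
	mi->ch[2].noise[0] = mn->mn_ai.nf_c;
#undef CVT
#undef TBLIDX
}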
2450 
/*
 * Take one buffer from the jumbo free list (under the rx free lock)
 * and return its data pointer.  When the list is empty the
 * mst_rx_nodmabuf statistic is bumped and NULL is returned.
 */
static __inline void *
mwl_getrxdma(struct mwl_softc *sc)
{
	struct mwl_jumbo *head;
	void *data = NULL;

	MWL_RXFREE_LOCK(sc);
	head = SLIST_FIRST(&sc->sc_rxfree);
	if (head != NULL) {
		SLIST_REMOVE_HEAD(&sc->sc_rxfree, next);
		sc->sc_nrxfree--;
		data = MWL_JUMBO_BUF2DATA(head);
	} else {
		DPRINTF(sc, MWL_DEBUG_ANY,
		    "%s: out of rx dma buffers\n", __func__);
		sc->sc_stats.mst_rx_nodmabuf++;
	}
	MWL_RXFREE_UNLOCK(sc);
	return data;
}
2475 
/*
 * Return a jumbo buffer, identified by its data pointer, to the head
 * of the free list (under the rx free lock).
 *
 * XXX bounds check data: the pointer is not verified to lie inside
 * the rx dma region before it is linked onto the list.
 */
static __inline void
mwl_putrxdma(struct mwl_softc *sc, void *data)
{
	struct mwl_jumbo *buf = MWL_JUMBO_DATA2BUF(data);

	MWL_RXFREE_LOCK(sc);
	SLIST_INSERT_HEAD(&sc->sc_rxfree, buf, next);
	sc->sc_nrxfree++;
	MWL_RXFREE_UNLOCK(sc);
}
2488 
/*
 * (Re)arm one rx buffer.  A missing dma buffer is taken from the jumbo
 * pool; if none is available the descriptor is marked
 * EAGLE_RXD_CTRL_OS_OWN so it is skipped and ENOMEM is returned.
 * Otherwise the descriptor fields are reset, pointed at the buffer,
 * and ownership is set to EAGLE_RXD_CTRL_DRIVER_OWN as the last store
 * before the sync.  Returns 0 on success.
 */
static int
mwl_rxbuf_init(struct mwl_softc *sc, struct mwl_rxbuf *bf)
{
	struct mwl_rxdesc *const ds = bf->bf_desc;

	if (bf->bf_data == NULL)
		bf->bf_data = mwl_getrxdma(sc);
	if (bf->bf_data == NULL) {
		/* mark descriptor to be skipped */
		ds->RxControl = EAGLE_RXD_CTRL_OS_OWN;
		/* NB: don't need PREREAD */
		MWL_RXDESC_SYNC(sc, ds, BUS_DMASYNC_PREWRITE);
		sc->sc_stats.mst_rxbuf_failed++;
		return ENOMEM;
	}
	/*
	 * NB: DMA buffer contents is known to be unmodified
	 *     so there's no need to flush the data cache.
	 */

	/* reset the status fields and advertise the full buffer size */
	ds->QosCtrl = 0;
	ds->RSSI = 0;
	ds->Status = EAGLE_RXD_STATUS_IDLE;
	ds->Channel = 0;
	ds->PktLen = htole16(MWL_AGGR_SIZE);
	ds->SQ2 = 0;
	ds->pPhysBuffData = htole32(MWL_JUMBO_DMA_ADDR(sc, bf->bf_data));
	/* NB: don't touch pPhysNext, set once */
	ds->RxControl = EAGLE_RXD_CTRL_DRIVER_OWN;
	MWL_RXDESC_SYNC(sc, ds, BUS_DMASYNC_PREREAD | BUS_DMASYNC_PREWRITE);

	return 0;
}
2527 
/*
 * mbuf external-storage free routine for rx dma buffers (installed by
 * m_extadd in mwl_rx_proc).  The buffer goes back to the jumbo pool;
 * if receive was blocked and the pool is now above mwl_rxdmalow the
 * blocked flag is cleared and the interrupt mask is restored.
 */
static void
mwl_ext_free(struct mbuf *m)
{
	struct mwl_softc *sc = m->m_ext.ext_arg1;

	/* XXX bounds check data */
	mwl_putrxdma(sc, m->m_ext.ext_buf);

	/*
	 * Nothing more to do unless we were previously blocked by a
	 * lack of rx dma buffers and now have enough to restart rx
	 * interrupt handling.
	 * NB: we know we are called at splvm which is above splnet.
	 */
	if (!sc->sc_rxblocked || sc->sc_nrxfree <= mwl_rxdmalow)
		return;
	sc->sc_rxblocked = 0;
	mwl_hal_intrset(sc->sc_mh, sc->sc_imask);
}
2545 
/*
 * Fixed leading part of a BAR control frame; mwl_anyhdrsize returns
 * its size as the header length for IEEE80211_FC0_SUBTYPE_BAR.
 */
struct mwl_frame_bar {
	u_int8_t	i_fc[2];	/* frame control */
	u_int8_t	i_dur[2];	/* duration */
	u_int8_t	i_ra[IEEE80211_ADDR_LEN];	/* receiver address */
	u_int8_t	i_ta[IEEE80211_ADDR_LEN];	/* transmitter address */
	/* ctl, seq, FCS */
} __packed;
2553 
/*
 * Like ieee80211_anyhdrsize, but handles BAR frames
 * specially so the logic in mwl_rx_proc that pieces the
 * 802.11 header together works.
 *
 * Only the first frame-control byte is examined here; the caller must
 * make sure at least that much of data is valid.
 */
static __inline int
mwl_anyhdrsize(const void *data)
{
	const struct ieee80211_frame *wh = data;
	const uint8_t fc0 = wh->i_fc[0];

	/* everything but control frames uses the generic size */
	if ((fc0 & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_CTL)
		return ieee80211_hdrsize(data);

	switch (fc0 & IEEE80211_FC0_SUBTYPE_MASK) {
	case IEEE80211_FC0_SUBTYPE_CTS:
	case IEEE80211_FC0_SUBTYPE_ACK:
		return sizeof(struct ieee80211_frame_ack);
	case IEEE80211_FC0_SUBTYPE_BAR:
		return sizeof(struct mwl_frame_bar);
	default:
		return sizeof(struct ieee80211_frame_min);
	}
}
2576 
/*
 * Report a TKIP MIC failure to net80211.  data is the start of the rx
 * dma buffer; the 802.11 header follows a 16-bit prefix.  The
 * notification is sent only when a node is found for the frame, and
 * the node reference is dropped afterwards.
 */
static void
mwl_handlemicerror(struct ieee80211com *ic, const uint8_t *data)
{
	const struct ieee80211_frame *wh =
	    (const struct ieee80211_frame *)(data + sizeof(uint16_t));
	struct ieee80211_node *ni =
	    ieee80211_find_rxnode(ic, (const struct ieee80211_frame_min *) wh);

	if (ni == NULL)
		return;
	ieee80211_notify_michael_failure(ni->ni_vap, wh, 0);
	ieee80211_free_node(ni);
}
2590 
/*
 * Convert hardware signal strength to rssi.  The value
 * provided by the device has the noise floor added in;
 * we need to compensate for this but we don't have that
 * so we use a fixed value.
 *
 * The offset of 8 is good for both 2.4 and 5GHz.  The LNA
 * offset is already set as part of the initial gain.  This
 * will give at least +/- 3dB for 2.4GHz and +/- 5dB for 5GHz.
 *
 * The result is in .5 dBm units, clamped to the range 0..127.
 */
static __inline int
cvtrssi(uint8_t ssi)
{
	/* XXX hack guess until we have a real noise floor */
	const int halfdb = 2 * (87 - ((int) ssi + 8));	/* NB: .5 dBm units */

	if (halfdb < 0)
		return 0;
	if (halfdb > 127)
		return 127;
	return halfdb;
}
2609 
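/*
 * Receive processing.  arg is the softc; npending is only reported in
 * the debug message.  Up to mwl_rxquota descriptors are processed,
 * starting at sc_rxnext and wrapping to the head of sc_rxbuf.
 *
 * For each descriptor the firmware has handed over
 * (EAGLE_RXD_CTRL_DMA_OWN) the dma buffer is attached to a fresh mbuf
 * without copying, the 802.11 header is rebuilt in front of the
 * payload, and the frame is passed to net80211.  A replacement dma
 * buffer is installed in the rx buffer before the old one is given
 * away; if none is available rx interrupts are masked and processing
 * stops until mwl_ext_free refills the pool.
 *
 * The descriptor is written by the device, so its PktLen is checked
 * against the fixed layout of the buffer before it is used to size
 * the mbuf; frames that fail the check are counted as input errors
 * and dropped.
 */
static void
mwl_rx_proc(void *arg, int npending)
{
	struct epoch_tracker et;
	struct mwl_softc *sc = arg;
	struct ieee80211com *ic = &sc->sc_ic;
	struct mwl_rxbuf *bf;
	struct mwl_rxdesc *ds;
	struct mbuf *m;
	struct ieee80211_qosframe *wh;
	struct ieee80211_node *ni;
	struct mwl_node *mn;
	int off, len, hdrlen, pktlen, rssi, ntodo;
	uint8_t *data, status;
	void *newdata;
	int16_t nf;

	DPRINTF(sc, MWL_DEBUG_RX_PROC, "%s: pending %u rdptr 0x%x wrptr 0x%x\n",
	    __func__, npending, RD4(sc, sc->sc_hwspecs.rxDescRead),
	    RD4(sc, sc->sc_hwspecs.rxDescWrite));
	nf = -96;			/* XXX */
	bf = sc->sc_rxnext;
	for (ntodo = mwl_rxquota; ntodo > 0; ntodo--) {
		if (bf == NULL)
			bf = STAILQ_FIRST(&sc->sc_rxbuf);
		ds = bf->bf_desc;
		data = bf->bf_data;
		if (data == NULL) {
			/*
			 * If data allocation failed previously there
			 * will be no buffer; try again to re-populate it.
			 * Note the firmware will not advance to the next
			 * descriptor with a dma buffer so we must mimic
			 * this or we'll get out of sync.
			 */
			DPRINTF(sc, MWL_DEBUG_ANY,
			    "%s: rx buf w/o dma memory\n", __func__);
			(void) mwl_rxbuf_init(sc, bf);
			sc->sc_stats.mst_rx_dmabufmissing++;
			break;
		}
		MWL_RXDESC_SYNC(sc, ds,
		    BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
		if (ds->RxControl != EAGLE_RXD_CTRL_DMA_OWN)
			break;
#ifdef MWL_DEBUG
		if (sc->sc_debug & MWL_DEBUG_RECV_DESC)
			mwl_printrxbuf(bf, 0);
#endif
		status = ds->Status;
		if (status & EAGLE_RXD_STATUS_DECRYPT_ERR_MASK) {
			counter_u64_add(ic->ic_ierrors, 1);
			sc->sc_stats.mst_rx_crypto++;
			/*
			 * NB: Check EAGLE_RXD_STATUS_GENERAL_DECRYPT_ERR
			 *     for backwards compatibility.
			 */
			if (status != EAGLE_RXD_STATUS_GENERAL_DECRYPT_ERR &&
			    (status & EAGLE_RXD_STATUS_TKIP_MIC_DECRYPT_ERR)) {
				/*
				 * MIC error, notify upper layers.
				 */
				bus_dmamap_sync(sc->sc_rxdmat, sc->sc_rxmap,
				    BUS_DMASYNC_POSTREAD);
				mwl_handlemicerror(ic, data);
				sc->sc_stats.mst_rx_tkipmic++;
			}
			/* XXX too painful to tap packets */
			goto rx_next;
		}
		/*
		 * Sync the data buffer.
		 */
		len = le16toh(ds->PktLen);
		bus_dmamap_sync(sc->sc_rxdmat, sc->sc_rxmap, BUS_DMASYNC_POSTREAD);
		/*
		 * The 802.11 header is provided all or in part at the front;
		 * use it to calculate the true size of the header that we'll
		 * construct below.  We use this to figure out where to copy
		 * payload prior to constructing the header.
		 */
		hdrlen = mwl_anyhdrsize(data + sizeof(uint16_t));
		off = sizeof(uint16_t) + sizeof(struct ieee80211_frame_addr4);

		/*
		 * Vet the device-supplied length.  The buffer always
		 * starts with a 16-bit prefix and a 4-address header
		 * (off bytes) and is MWL_AGGR_SIZE bytes long; a length
		 * outside that range would make the mbuf below describe
		 * memory before the payload or past the end of this dma
		 * buffer, i.e. other frames' data in the shared rx
		 * region.  Drop the frame and re-arm the descriptor.
		 */
		if (len < off || len > MWL_AGGR_SIZE) {
			DPRINTF(sc, MWL_DEBUG_ANY,
			    "%s: bad rx length %d\n", __func__, len);
			counter_u64_add(ic->ic_ierrors, 1);
			goto rx_next;
		}

		/* calculate rssi early so we can re-use for each aggregate */
		rssi = cvtrssi(ds->RSSI);

		pktlen = hdrlen + (len - off);
		/*
		 * NB: with the check above the frame is at least as
		 * large as the 4-address frame at the front.  If the
		 * frame in fact is too small for its type it should be
		 * discarded at the net80211 layer.
		 */

		/*
		 * Attach dma buffer to an mbuf.  We tried
		 * doing this based on the packet size (i.e.
		 * copying small packets) but it turns out to
		 * be a net loss.  The tradeoff might be system
		 * dependent (cache architecture is important).
		 */
		MGETHDR(m, M_NOWAIT, MT_DATA);
		if (m == NULL) {
			DPRINTF(sc, MWL_DEBUG_ANY,
			    "%s: no rx mbuf\n", __func__);
			sc->sc_stats.mst_rx_nombuf++;
			goto rx_next;
		}
		/*
		 * Acquire the replacement dma buffer before
		 * processing the frame.  If we're out of dma
		 * buffers we disable rx interrupts and wait
		 * for the free pool to reach mwl_rxdmalow buffers
		 * before starting to do work again.  If the firmware
		 * runs out of descriptors then it will toss frames
		 * which is better than our doing it as that can
		 * starve our processing.  It is also important that
		 * we always process rx'd frames in case they are
		 * A-MPDU as otherwise the host's view of the BA
		 * window may get out of sync with the firmware.
		 */
		newdata = mwl_getrxdma(sc);
		if (newdata == NULL) {
			/* NB: stat+msg in mwl_getrxdma */
			m_free(m);
			/* disable RX interrupt and mark state */
			mwl_hal_intrset(sc->sc_mh,
			    sc->sc_imask &~ MACREG_A2HRIC_BIT_RX_RDY);
			sc->sc_rxblocked = 1;
			ieee80211_drain(ic);
			/* XXX check rxblocked and immediately start again? */
			goto rx_stop;
		}
		bf->bf_data = newdata;
		/*
		 * Attach the dma buffer to the mbuf;
		 * mwl_rxbuf_init will re-setup the rx
		 * descriptor using the replacement dma
		 * buffer we just installed above.
		 */
		m_extadd(m, data, MWL_AGGR_SIZE, mwl_ext_free, sc, NULL, 0,
		    EXT_NET_DRV);
		m->m_data += off - hdrlen;
		m->m_pkthdr.len = m->m_len = pktlen;
		/* NB: dma buffer assumed read-only */

		/*
		 * Piece 802.11 header together.
		 */
		wh = mtod(m, struct ieee80211_qosframe *);
		/* NB: don't need to do this sometimes but ... */
		/* XXX special case so we can memcpy after m_devget? */
		ovbcopy(data + sizeof(uint16_t), wh, hdrlen);
		if (IEEE80211_QOS_HAS_SEQ(wh))
			*(uint16_t *)ieee80211_getqos(wh) = ds->QosCtrl;
		/*
		 * The f/w strips WEP header but doesn't clear
		 * the WEP bit; mark the packet with M_WEP so
		 * net80211 will treat the data as decrypted.
		 * While here also clear the PWR_MGT bit since
		 * power save is handled by the firmware and
		 * passing this up will potentially cause the
		 * upper layer to put a station in power save
		 * (except when configured with MWL_HOST_PS_SUPPORT).
		 */
		if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)
			m->m_flags |= M_WEP;
#ifdef MWL_HOST_PS_SUPPORT
		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
#else
		wh->i_fc[1] &= ~(IEEE80211_FC1_PROTECTED |
		    IEEE80211_FC1_PWR_MGT);
#endif

		if (ieee80211_radiotap_active(ic)) {
			struct mwl_rx_radiotap_header *tap = &sc->sc_rx_th;

			tap->wr_flags = 0;
			tap->wr_rate = ds->Rate;
			tap->wr_antsignal = rssi + nf;
			tap->wr_antnoise = nf;
		}
		if (IFF_DUMPPKTS_RECV(sc, wh)) {
			ieee80211_dump_pkt(ic, mtod(m, caddr_t),
			    len, ds->Rate, rssi);
		}
		/* dispatch */
		ni = ieee80211_find_rxnode(ic,
		    (const struct ieee80211_frame_min *) wh);

		NET_EPOCH_ENTER(et);
		if (ni != NULL) {
			mn = MWL_NODE(ni);
#ifdef MWL_ANT_INFO_SUPPORT
			mn->mn_ai.rssi_a = ds->ai.rssi_a;
			mn->mn_ai.rssi_b = ds->ai.rssi_b;
			mn->mn_ai.rssi_c = ds->ai.rssi_c;
			mn->mn_ai.rsvd1 = rssi;
#endif
			/* tag AMPDU aggregates for reorder processing */
			if (ni->ni_flags & IEEE80211_NODE_HT)
				m->m_flags |= M_AMPDU;
			(void) ieee80211_input(ni, m, rssi, nf);
			ieee80211_free_node(ni);
		} else
			(void) ieee80211_input_all(ic, m, rssi, nf);
		NET_EPOCH_EXIT(et);
rx_next:
		/* NB: ignore ENOMEM so we process more descriptors */
		(void) mwl_rxbuf_init(sc, bf);
		bf = STAILQ_NEXT(bf, bf_list);
	}
rx_stop:
	sc->sc_rxnext = bf;

	if (mbufq_first(&sc->sc_snd) != NULL) {
		/* NB: kick fw; the tx thread may have been preempted */
		mwl_hal_txstart(sc->sc_mh, 0);
		mwl_start(sc);
	}
}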
2834 
/*
 * Initialize a tx queue: set up its lock, record the queue number,
 * point every buffer on the free list back at the queue, and chain
 * the descriptors into a ring by storing each successor's bus address
 * in pPhysNext (the last buffer links to the first).  The active list
 * starts out empty.  The free list itself is expected to have been
 * built already (see the disabled STAILQ_INIT below).
 */
static void
mwl_txq_init(struct mwl_softc *sc, struct mwl_txq *txq, int qnum)
{
	struct mwl_txbuf *cur, *succ;

	MWL_TXQ_LOCK_INIT(sc, txq);
	txq->qnum = qnum;
	txq->txpri = 0;	/* XXX */
#if 0
	/* NB: q setup by mwl_txdma_setup XXX */
	STAILQ_INIT(&txq->free);
#endif
	STAILQ_FOREACH(cur, &txq->free, bf_list) {
		struct mwl_txdesc *desc = cur->bf_desc;

		cur->bf_txq = txq;

		/* wrap around at the tail so the descriptors form a ring */
		succ = STAILQ_NEXT(cur, bf_list);
		if (succ == NULL)
			succ = STAILQ_FIRST(&txq->free);
		desc->pPhysNext = htole32(succ->bf_daddr);
	}
	STAILQ_INIT(&txq->active);
}
2859 
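/*
 * Setup a hardware data transmit queue for the specified
 * access control.  We record the mapping from ac's
 * to h/w queues for use by mwl_tx_start.
 *
 * ac indexes sc_ac2q and mvtype indexes sc_txq; both are rejected when
 * negative as well as when too large, so neither array can be indexed
 * out of bounds.
 *
 * Returns 1 on success, 0 when an index is out of range.
 */
static int
mwl_tx_setup(struct mwl_softc *sc, int ac, int mvtype)
{
	struct mwl_txq *txq;

	if (ac < 0 || (size_t)ac >= nitems(sc->sc_ac2q)) {
		device_printf(sc->sc_dev, "AC %u out of range, max %zu!\n",
			ac, nitems(sc->sc_ac2q));
		return 0;
	}
	/* NB: a plain >= test would let a negative mvtype through */
	if (mvtype < 0 || mvtype >= MWL_NUM_TX_QUEUES) {
		device_printf(sc->sc_dev, "mvtype %u out of range, max %u!\n",
			mvtype, MWL_NUM_TX_QUEUES);
		return 0;
	}
	txq = &sc->sc_txq[mvtype];
	mwl_txq_init(sc, txq, mvtype);
	sc->sc_ac2q[ac] = txq;
	return 1;
}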
2885 
/*
 * Update WME parameters for a transmit queue: fetch the current
 * parameters for ac from net80211, expand the logarithmic cwmin/cwmax
 * to (2^n - 1), and program the hardware queue mapped to ac.
 *
 * Returns 1 on success, 0 when the hal rejects the update.
 *
 * NOTE(review): ac is used unchecked as an index into sc_ac2q and
 * cap_wmeParams, and the queue pointer is dereferenced without a NULL
 * test; the only caller in view passes the WME_AC_* constants.
 */
static int
mwl_txq_update(struct mwl_softc *sc, int ac)
{
	struct ieee80211com *ic = &sc->sc_ic;
	struct mwl_txq *txq = sc->sc_ac2q[ac];
	struct mwl_hal *mh = sc->sc_mh;
	struct chanAccParams chp;
	const struct wmeParams *wmep;
	int aifs, cwmin, cwmax, txoplim;

	ieee80211_wme_ic_getparams(ic, &chp);
	wmep = &chp.cap_wmeParams[ac];

	aifs = wmep->wmep_aifsn;
	/* XXX in sta mode need to pass log values for cwmin/max */
	cwmin = (1 << wmep->wmep_logcwmin) - 1;
	cwmax = (1 << wmep->wmep_logcwmax) - 1;
	txoplim = wmep->wmep_txopLimit;		/* NB: units of 32us */

	if (mwl_hal_setedcaparams(mh, txq->qnum, cwmin, cwmax, aifs,
	    txoplim) == 0)
		return 1;

	device_printf(sc->sc_dev, "unable to update hardware queue "
		"parameters for %s traffic!\n",
		ieee80211_wme_acnames[ac]);
	return 0;
}
2918 
/*
 * Callback from the 802.11 layer to update WME parameters.
 *
 * The BE, BK, VI and VO access categories are pushed to the
 * hardware in that order; the first failing update stops the
 * sequence.  Returns 0 when all four succeed and EIO otherwise.
 */
static int
mwl_wme_update(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;

	if (!mwl_txq_update(sc, WME_AC_BE))
		return EIO;
	if (!mwl_txq_update(sc, WME_AC_BK))
		return EIO;
	if (!mwl_txq_update(sc, WME_AC_VI))
		return EIO;
	if (!mwl_txq_update(sc, WME_AC_VO))
		return EIO;
	return 0;
}
2932 
/*
 * Reclaim resources for a setup queue.
 *
 * Only the queue lock is torn down here; sc is not used and no
 * hal call is made (see XXX below).
 */
static void
mwl_tx_cleanupq(struct mwl_softc *sc, struct mwl_txq *txq)
{
	/* XXX hal work? */
	MWL_TXQ_LOCK_DESTROY(txq);
}
2942 
/*
 * Reclaim all tx queue resources.
 *
 * Walks every entry of sc_txq (MWL_NUM_TX_QUEUES of them) and
 * hands each to mwl_tx_cleanupq.
 */
static void
mwl_tx_cleanup(struct mwl_softc *sc)
{
	struct mwl_txq *txq = &sc->sc_txq[0];
	struct mwl_txq *const end = &sc->sc_txq[MWL_NUM_TX_QUEUES];

	for (; txq != end; txq++)
		mwl_tx_cleanupq(sc, txq);
}
2954 
/*
 * DMA-map the frame in m0 for transmit using bf's DMA map.
 *
 * On success returns 0 with the segment list in bf->bf_segs,
 * the segment count in bf->bf_nseg, the map synced for PREWRITE and
 * bf->bf_m pointing at the mapped mbuf.  That mbuf is not
 * necessarily m0: a chain needing too many segments is first
 * collapsed/defragmented into a new chain.
 *
 * On failure returns the busdma error, ENOMEM (could not linearize)
 * or EIO (no data).  Every failure path frees the mbuf and bumps the
 * matching sc_stats counter, so the caller must not free or reuse
 * m0 after a non-zero return.
 */
static int
mwl_tx_dmasetup(struct mwl_softc *sc, struct mwl_txbuf *bf, struct mbuf *m0)
{
	struct mbuf *m;
	int error;

	/*
	 * Load the DMA map so any coalescing is done.  This
	 * also calculates the number of descriptors we need.
	 */
	error = bus_dmamap_load_mbuf_sg(sc->sc_dmat, bf->bf_dmamap, m0,
				     bf->bf_segs, &bf->bf_nseg,
				     BUS_DMA_NOWAIT);
	if (error == EFBIG) {
		/* XXX packet requires too many descriptors */
		bf->bf_nseg = MWL_TXDESC+1;
	} else if (error != 0) {
		/* hard mapping failure: drop the frame */
		sc->sc_stats.mst_tx_busdma++;
		m_freem(m0);
		return error;
	}
	/*
	 * Discard null packets and check for packets that
	 * require too many TX descriptors.  We try to convert
	 * the latter to a cluster.
	 */
	if (error == EFBIG) {		/* too many desc's, linearize */
		sc->sc_stats.mst_tx_linear++;
#if MWL_TXDESC > 1
		m = m_collapse(m0, M_NOWAIT, MWL_TXDESC);
#else
		m = m_defrag(m0, M_NOWAIT);
#endif
		if (m == NULL) {
			/* NB: the original chain is still ours to free */
			m_freem(m0);
			sc->sc_stats.mst_tx_nombuf++;
			return ENOMEM;
		}
		m0 = m;
		/* retry the mapping with the linearized chain */
		error = bus_dmamap_load_mbuf_sg(sc->sc_dmat, bf->bf_dmamap, m0,
					     bf->bf_segs, &bf->bf_nseg,
					     BUS_DMA_NOWAIT);
		if (error != 0) {
			sc->sc_stats.mst_tx_busdma++;
			m_freem(m0);
			return error;
		}
		/*
		 * NOTE(review): this bound is only asserted; callers index
		 * per-segment descriptor arrays by bf_nseg, so it presumably
		 * relies on the DMA tag limiting the segment count to
		 * MWL_TXDESC -- confirm against the tag setup.
		 */
		KASSERT(bf->bf_nseg <= MWL_TXDESC,
		    ("too many segments after defrag; nseg %u", bf->bf_nseg));
	} else if (bf->bf_nseg == 0) {		/* null packet, discard */
		sc->sc_stats.mst_tx_nodata++;
		m_freem(m0);
		return EIO;
	}
	DPRINTF(sc, MWL_DEBUG_XMIT, "%s: m %p len %u\n",
		__func__, m0, m0->m_pkthdr.len);
	bus_dmamap_sync(sc->sc_dmat, bf->bf_dmamap, BUS_DMASYNC_PREWRITE);
	/* record the (possibly replaced) mbuf for the caller */
	bf->bf_m = m0;

	return 0;
}
3016 
/*
 * Convert a legacy rate code to the index used in the Rate field of
 * a tx descriptor (see mwl_calcformat).  The codes look like
 * net80211 rates in 500 kb/s units (2 = 1 Mb/s ... 108 = 54 Mb/s) --
 * presumably so; confirm against the callers.
 *
 * NB: an unrecognized code yields 0, which is also the index
 *     returned for rate code 2.
 */
static __inline int
mwl_cvtlegacyrate(int rate)
{
	/* position in this table is the index handed back */
	static const int legacy[] =
	    { 2, 4, 11, 22, 44, 12, 18, 24, 36, 48, 72, 96, 108 };
	int ix;

	for (ix = 0; ix < (int)(sizeof(legacy) / sizeof(legacy[0])); ix++) {
		if (legacy[ix] == rate)
			return ix;
	}
	return 0;
}
3037 
/*
 * Calculate fixed tx rate information per client state;
 * this value is suitable for writing to the Format field
 * of a tx descriptor.
 *
 * rate is either an HT MCS (IEEE80211_RATE_MCS set) or a legacy
 * rate code; channel width, guard interval and preamble are taken
 * from the node's channel and capabilities.  The result is in host
 * byte order.
 */
static uint16_t
mwl_calcformat(uint8_t rate, const struct ieee80211_node *ni)
{
	uint16_t fmt;

	/* fields common to HT and legacy frames */
	fmt = SM(3, EAGLE_TXD_ANTENNA);
	if (IEEE80211_IS_CHAN_HT40D(ni->ni_chan))
		fmt |= EAGLE_TXD_EXTCHAN_LO;
	else
		fmt |= EAGLE_TXD_EXTCHAN_HI;

	if ((rate & IEEE80211_RATE_MCS) == 0) {	/* legacy rate */
		fmt |= EAGLE_TXD_FORMAT_LEGACY;
		fmt |= SM(mwl_cvtlegacyrate(rate), EAGLE_TXD_RATE);
		fmt |= EAGLE_TXD_CHW_20;
		/* XXX iv_flags & IEEE80211_F_SHPREAMBLE? */
		if (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)
			fmt |= EAGLE_TXD_PREAMBLE_SHORT;
		else
			fmt |= EAGLE_TXD_PREAMBLE_LONG;
		return fmt;
	}

	/* HT MCS */
	fmt |= EAGLE_TXD_FORMAT_HT;
	/* NB: 0x80 implicitly stripped from ucastrate */
	fmt |= SM(rate, EAGLE_TXD_RATE);
	/* XXX short/long GI may be wrong; re-check */
	if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
		fmt |= EAGLE_TXD_CHW_40;
		if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI40)
			fmt |= EAGLE_TXD_GI_SHORT;
		else
			fmt |= EAGLE_TXD_GI_LONG;
	} else {
		fmt |= EAGLE_TXD_CHW_20;
		if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI20)
			fmt |= EAGLE_TXD_GI_SHORT;
		else
			fmt |= EAGLE_TXD_GI_LONG;
	}
	return fmt;
}
3075 
/*
 * Prepare a frame for transmit and hand it to the firmware.
 *
 * The frame in m0 is encapsulated for crypto when the protected bit
 * is set, prefixed with the firmware tx record (2-byte payload
 * length followed by the 802.11 header), DMA-mapped through
 * mwl_tx_dmasetup, described in bf's tx descriptor and appended to
 * the active list of bf->bf_txq with the descriptor marked as owned
 * by the firmware.
 *
 * Returns 0 on success.  On every error return in this function m0
 * has already been freed (here or inside mwl_tx_dmasetup), so the
 * caller must not touch it again.  bf is not put back on a free list
 * by this function.
 */
static int
mwl_tx_start(struct mwl_softc *sc, struct ieee80211_node *ni, struct mwl_txbuf *bf,
    struct mbuf *m0)
{
	struct ieee80211com *ic = &sc->sc_ic;
	struct ieee80211vap *vap = ni->ni_vap;
	int error, iswep, ismcast;
	int hdrlen, copyhdrlen, pktlen;
	struct mwl_txdesc *ds;
	struct mwl_txq *txq;
	struct ieee80211_frame *wh;
	struct mwltxrec *tr;
	struct mwl_node *mn;
	uint16_t qos;
#if MWL_TXDESC > 1
	int i;
#endif

	/*
	 * NOTE(review): the header fields below are read straight from
	 * the first mbuf; this assumes the whole 802.11 header is
	 * contiguous there -- confirm against the callers.
	 */
	wh = mtod(m0, struct ieee80211_frame *);
	iswep = wh->i_fc[1] & IEEE80211_FC1_PROTECTED;
	ismcast = IEEE80211_IS_MULTICAST(wh->i_addr1);
	hdrlen = ieee80211_anyhdrsize(wh);
	copyhdrlen = hdrlen;
	pktlen = m0->m_pkthdr.len;
	if (IEEE80211_QOS_HAS_SEQ(wh)) {
		/*
		 * NOTE(review): the QoS field is read through a uint16_t
		 * pointer; assumes that access is suitably aligned on the
		 * platforms this driver supports.
		 */
		qos = *(uint16_t *)ieee80211_getqos(wh);
		if (IEEE80211_IS_DSTODS(wh))
			copyhdrlen -= sizeof(qos);
	} else
		qos = 0;

	if (iswep) {
		const struct ieee80211_cipher *cip;
		struct ieee80211_key *k;

		/*
		 * Construct the 802.11 header+trailer for an encrypted
		 * frame. The only reason this can fail is because of an
		 * unknown or unsupported cipher/key type.
		 *
		 * NB: we do this even though the firmware will ignore
		 *     what we've done for WEP and TKIP as we need the
		 *     ExtIV filled in for CCMP and this also adjusts
		 *     the headers which simplifies our work below.
		 */
		k = ieee80211_crypto_encap(ni, m0);
		if (k == NULL) {
			/*
			 * This can happen when the key is yanked after the
			 * frame was queued.  Just discard the frame; the
			 * 802.11 layer counts failures and provides
			 * debugging/diagnostics.
			 */
			m_freem(m0);
			return EIO;
		}
		/*
		 * Adjust the packet length for the crypto additions
		 * done during encap and any other bits that the f/w
		 * will add later on.
		 */
		cip = k->wk_cipher;
		pktlen += cip->ic_header + cip->ic_miclen + cip->ic_trailer;

		/* packet header may have moved, reset our local pointer */
		wh = mtod(m0, struct ieee80211_frame *);
	}

	if (ieee80211_radiotap_active_vap(vap)) {
		sc->sc_tx_th.wt_flags = 0;	/* XXX */
		if (iswep)
			sc->sc_tx_th.wt_flags |= IEEE80211_RADIOTAP_F_WEP;
#if 0
		sc->sc_tx_th.wt_rate = ds->DataRate;
#endif
		sc->sc_tx_th.wt_txpower = ni->ni_txpower;
		sc->sc_tx_th.wt_antenna = sc->sc_txantenna;

		ieee80211_radiotap_tx(vap, m0);
	}
	/*
	 * Copy up/down the 802.11 header; the firmware requires
	 * we present a 2-byte payload length followed by a
	 * 4-address header (w/o QoS), followed (optionally) by
	 * any WEP/ExtIV header (but only filled in for CCMP).
	 * We are assured the mbuf has sufficient headroom to
	 * prepend in-place by the setup of ic_headroom in
	 * mwl_attach.
	 */
	if (hdrlen < sizeof(struct mwltxrec)) {
		const int space = sizeof(struct mwltxrec) - hdrlen;
		/*
		 * NB: the headroom is verified before prepending so the
		 *     M_PREPEND below is expected to adjust the mbuf in
		 *     place; its result is not checked afterwards.
		 */
		if (M_LEADINGSPACE(m0) < space) {
			/* NB: should never happen */
			device_printf(sc->sc_dev,
			    "not enough headroom, need %d found %zd, "
			    "m_flags 0x%x m_len %d\n",
			    space, M_LEADINGSPACE(m0), m0->m_flags, m0->m_len);
			ieee80211_dump_pkt(ic,
			    mtod(m0, const uint8_t *), m0->m_len, 0, -1);
			m_freem(m0);
			sc->sc_stats.mst_tx_noheadroom++;
			return EIO;
		}
		M_PREPEND(m0, space, M_NOWAIT);
	}
	tr = mtod(m0, struct mwltxrec *);
	/* source and destination may overlap, hence ovbcopy */
	if (wh != (struct ieee80211_frame *) &tr->wh)
		ovbcopy(wh, &tr->wh, hdrlen);
	/*
	 * Note: the "firmware length" is actually the length
	 * of the fully formed "802.11 payload".  That is, it's
	 * everything except for the 802.11 header.  In particular
	 * this includes all crypto material including the MIC!
	 */
	tr->fwlen = htole16(pktlen - hdrlen);

	/*
	 * Load the DMA map so any coalescing is done.  This
	 * also calculates the number of descriptors we need.
	 */
	error = mwl_tx_dmasetup(sc, bf, m0);
	if (error != 0) {
		/* NB: stat collected in mwl_tx_dmasetup */
		/* NB: m0 was freed by mwl_tx_dmasetup, don't touch it */
		DPRINTF(sc, MWL_DEBUG_XMIT,
		    "%s: unable to setup dma\n", __func__);
		return error;
	}
	bf->bf_node = ni;			/* NB: held reference */
	m0 = bf->bf_m;				/* NB: may have changed */
	tr = mtod(m0, struct mwltxrec *);
	wh = (struct ieee80211_frame *)&tr->wh;

	/*
	 * Formulate tx descriptor.
	 */
	ds = bf->bf_desc;
	txq = bf->bf_txq;

	ds->QosCtrl = qos;			/* NB: already little-endian */
#if MWL_TXDESC == 1
	/*
	 * NB: multiframes should be zero because the descriptors
	 *     are initialized to zero.  This should handle the case
	 *     where the driver is built with MWL_TXDESC=1 but we are
	 *     using firmware with multi-segment support.
	 */
	ds->PktPtr = htole32(bf->bf_segs[0].ds_addr);
	ds->PktLen = htole16(bf->bf_segs[0].ds_len);
#else
	ds->multiframes = htole32(bf->bf_nseg);
	ds->PktLen = htole16(m0->m_pkthdr.len);
	/*
	 * NOTE(review): the per-segment arrays are indexed by bf_nseg,
	 * which is only asserted (not checked) against MWL_TXDESC in
	 * mwl_tx_dmasetup -- presumably the DMA tag enforces it; verify.
	 */
	for (i = 0; i < bf->bf_nseg; i++) {
		ds->PktPtrArray[i] = htole32(bf->bf_segs[i].ds_addr);
		ds->PktLenArray[i] = htole16(bf->bf_segs[i].ds_len);
	}
#endif
	/* NB: pPhysNext, DataRate, and SapPktInfo setup once, don't touch */
	ds->Format = 0;
	ds->pad = 0;
	ds->ack_wcb_addr = 0;

	mn = MWL_NODE(ni);
	/*
	 * Select transmit rate.
	 */
	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
	case IEEE80211_FC0_TYPE_MGT:
		sc->sc_stats.mst_tx_mgmt++;
		/* fall thru... */
	case IEEE80211_FC0_TYPE_CTL:
		/* NB: assign to BE q to avoid bursting */
		ds->TxPriority = MWL_WME_AC_BE;
		break;
	case IEEE80211_FC0_TYPE_DATA:
		if (!ismcast) {
			const struct ieee80211_txparam *tp = ni->ni_txparms;
			/*
			 * EAPOL frames get forced to a fixed rate and w/o
			 * aggregation; otherwise check for any fixed rate
			 * for the client (may depend on association state).
			 */
			if (m0->m_flags & M_EAPOL) {
				const struct mwl_vap *mvp = MWL_VAP_CONST(vap);
				ds->Format = mvp->mv_eapolformat;
				ds->pad = htole16(
				    EAGLE_TXD_FIXED_RATE | EAGLE_TXD_DONT_AGGR);
			} else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
				/* XXX pre-calculate per node */
				ds->Format = htole16(
				    mwl_calcformat(tp->ucastrate, ni));
				ds->pad = htole16(EAGLE_TXD_FIXED_RATE);
			}
			/*
			 * Pick the h/w queue: frames matching one of the
			 * node's BA streams go to that stream's queue,
			 * everything else to the queue bound to bf.
			 */
			/* NB: EAPOL frames will never have qos set */
			if (qos == 0)
				ds->TxPriority = txq->qnum;
#if MWL_MAXBA > 3
			else if (mwl_bastream_match(&mn->mn_ba[3], qos))
				ds->TxPriority = mn->mn_ba[3].txq;
#endif
#if MWL_MAXBA > 2
			else if (mwl_bastream_match(&mn->mn_ba[2], qos))
				ds->TxPriority = mn->mn_ba[2].txq;
#endif
#if MWL_MAXBA > 1
			else if (mwl_bastream_match(&mn->mn_ba[1], qos))
				ds->TxPriority = mn->mn_ba[1].txq;
#endif
#if MWL_MAXBA > 0
			else if (mwl_bastream_match(&mn->mn_ba[0], qos))
				ds->TxPriority = mn->mn_ba[0].txq;
#endif
			else
				ds->TxPriority = txq->qnum;
		} else
			ds->TxPriority = txq->qnum;
		break;
	default:
		/*
		 * NOTE(review): by this point mwl_tx_dmasetup has loaded
		 * bf->bf_dmamap and stored m0 in bf->bf_m, and bf->bf_node
		 * was set above.  This path frees m0 without unloading the
		 * map or clearing those fields; confirm the caller's error
		 * handling resets bf before it is reused.
		 */
		device_printf(sc->sc_dev, "bogus frame type 0x%x (%s)\n",
			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
		sc->sc_stats.mst_tx_badframetype++;
		m_freem(m0);
		return EIO;
	}

	if (IFF_DUMPPKTS_XMIT(sc))
		ieee80211_dump_pkt(ic,
		    mtod(m0, const uint8_t *)+sizeof(uint16_t),
		    m0->m_len - sizeof(uint16_t), ds->DataRate, -1);

	/*
	 * Ownership is passed to the firmware and the buffer is queued
	 * on the active list under the queue lock, then the descriptor
	 * is synced so the device sees the update.
	 */
	MWL_TXQ_LOCK(txq);
	ds->Status = htole32(EAGLE_TXD_STATUS_FW_OWNED);
	STAILQ_INSERT_TAIL(&txq->active, bf, bf_list);
	MWL_TXDESC_SYNC(txq, ds, BUS_DMASYNC_PREREAD | BUS_DMASYNC_PREWRITE);

	sc->sc_tx_timer = 5;
	MWL_TXQ_UNLOCK(txq);

	return 0;
}
3315 
/*
 * Convert a legacy rate index, as found in the Rate field of a
 * completed tx descriptor, back to a rate code.  This is the
 * inverse of mwl_cvtlegacyrate.
 *
 * An index past the end of the table yields 0.  A negative index
 * is also expected to yield 0, assuming nitems() produces an
 * unsigned size so the comparison converts rix to unsigned.
 */
static __inline int
mwl_cvtlegacyrix(int rix)
{
	static const int ieeerates[] =
	    { 2, 4, 11, 22, 44, 12, 18, 24, 36, 48, 72, 96, 108 };

	if (rix < nitems(ieeerates))
		return ieeerates[rix];
	return 0;
}
3323 
/*
 * Process completed xmit descriptors from the specified queue.
 *
 * Buffers are taken from the head of the active list until the list
 * is empty or the head descriptor is still owned by the firmware.
 * For each completed buffer the tx statistics and the node's tx rate
 * are updated from the descriptor, the frame is completed through
 * net80211 (or simply freed when the buffer has no node), the DMA
 * map is unloaded and the buffer is returned via mwl_puttxbuf_tail.
 *
 * Returns the number of buffers reaped.
 *
 * NB: the queue lock is held only while inspecting and unlinking the
 *     head of the active list, not while completing the frame.
 * NOTE(review): the EAGLE_TXD_STATUS_MCAST macro and the local `an'
 * are set up below but not otherwise referenced in this function.
 */
static int
mwl_tx_processq(struct mwl_softc *sc, struct mwl_txq *txq)
{
#define	EAGLE_TXD_STATUS_MCAST \
	(EAGLE_TXD_STATUS_MULTICAST_TX | EAGLE_TXD_STATUS_BROADCAST_TX)
	struct ieee80211com *ic = &sc->sc_ic;
	struct mwl_txbuf *bf;
	struct mwl_txdesc *ds;
	struct ieee80211_node *ni;
	struct mwl_node *an;
	int nreaped;
	uint32_t status;

	DPRINTF(sc, MWL_DEBUG_TX_PROC, "%s: tx queue %u\n", __func__, txq->qnum);
	for (nreaped = 0;; nreaped++) {
		MWL_TXQ_LOCK(txq);
		bf = STAILQ_FIRST(&txq->active);
		if (bf == NULL) {
			MWL_TXQ_UNLOCK(txq);
			break;
		}
		ds = bf->bf_desc;
		/* pick up the status the device wrote back */
		MWL_TXDESC_SYNC(txq, ds,
		    BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
		if (ds->Status & htole32(EAGLE_TXD_STATUS_FW_OWNED)) {
			/* head not done yet; stop here */
			MWL_TXQ_UNLOCK(txq);
			break;
		}
		STAILQ_REMOVE_HEAD(&txq->active, bf_list);
		MWL_TXQ_UNLOCK(txq);

#ifdef MWL_DEBUG
		if (sc->sc_debug & MWL_DEBUG_XMIT_DESC)
			mwl_printtxbuf(bf, txq->qnum, nreaped);
#endif
		/* NB: bf_node is NULL when mwl_cleartxq reclaimed it */
		ni = bf->bf_node;
		if (ni != NULL) {
			an = MWL_NODE(ni);
			status = le32toh(ds->Status);
			if (status & EAGLE_TXD_STATUS_OK) {
				uint16_t Format = le16toh(ds->Format);
				uint8_t txant = MS(Format, EAGLE_TXD_ANTENNA);

				/*
				 * NOTE(review): txant comes from the Format
				 * word read back from the descriptor and
				 * indexes mst_ant_tx directly; assumes the
				 * EAGLE_TXD_ANTENNA field cannot exceed the
				 * array bounds -- confirm.
				 */
				sc->sc_stats.mst_ant_tx[txant]++;
				if (status & EAGLE_TXD_STATUS_OK_RETRY)
					sc->sc_stats.mst_tx_retries++;
				if (status & EAGLE_TXD_STATUS_OK_MORE_RETRY)
					sc->sc_stats.mst_tx_mretries++;
				if (txq->qnum >= MWL_WME_AC_VO)
					ic->ic_wme.wme_hipri_traffic++;
				/* record the rate the frame went out at */
				ni->ni_txrate = MS(Format, EAGLE_TXD_RATE);
				if ((Format & EAGLE_TXD_FORMAT_HT) == 0) {
					ni->ni_txrate = mwl_cvtlegacyrix(
					    ni->ni_txrate);
				} else
					ni->ni_txrate |= IEEE80211_RATE_MCS;
				sc->sc_stats.mst_tx_rate = ni->ni_txrate;
			} else {
				if (status & EAGLE_TXD_STATUS_FAILED_LINK_ERROR)
					sc->sc_stats.mst_tx_linkerror++;
				if (status & EAGLE_TXD_STATUS_FAILED_XRETRY)
					sc->sc_stats.mst_tx_xretries++;
				if (status & EAGLE_TXD_STATUS_FAILED_AGING)
					sc->sc_stats.mst_tx_aging++;
				if (bf->bf_m->m_flags & M_FF)
					sc->sc_stats.mst_ff_txerr++;
			}
			if (bf->bf_m->m_flags & M_TXCB)
				/* XXX strip fw len in case header inspected */
				m_adj(bf->bf_m, sizeof(uint16_t));
			/* NB: last argument is non-zero when the tx failed */
			ieee80211_tx_complete(ni, bf->bf_m,
			    (status & EAGLE_TXD_STATUS_OK) == 0);
		} else
			m_freem(bf->bf_m);
		ds->Status = htole32(EAGLE_TXD_STATUS_IDLE);

		bus_dmamap_sync(sc->sc_dmat, bf->bf_dmamap,
		    BUS_DMASYNC_POSTWRITE);
		bus_dmamap_unload(sc->sc_dmat, bf->bf_dmamap);

		mwl_puttxbuf_tail(txq, bf);
	}
	return nreaped;
#undef EAGLE_TXD_STATUS_MCAST
}
3412 
/*
 * Deferred processing of transmit interrupt; special-cased
 * for four hardware queues, 0-3.
 *
 * arg is the driver softc; npending is not used.  When at least one
 * buffer was reaped the tx watchdog timer is cleared and, if frames
 * are waiting on the send queue, transmit is restarted.
 */
static void
mwl_tx_proc(void *arg, int npending)
{
	struct mwl_softc *sc = arg;
	int nreaped = 0;
	int q;

	/*
	 * Process each active queue.
	 */
	for (q = 0; q < 4; q++) {
		if (STAILQ_EMPTY(&sc->sc_txq[q].active))
			continue;
		nreaped += mwl_tx_processq(sc, &sc->sc_txq[q]);
	}
	if (nreaped == 0)
		return;

	sc->sc_tx_timer = 0;
	if (mbufq_first(&sc->sc_snd) != NULL) {
		/* NB: kick fw; the tx thread may have been preempted */
		mwl_hal_txstart(sc->sc_mh, 0);
		mwl_start(sc);
	}
}
3445 
/*
 * Discard every frame still on the active list of one tx queue.
 *
 * For each buffer the DMA map is unloaded, the node reference (if
 * any) is released, the mbuf is freed and the buffer is returned via
 * mwl_puttxbuf_tail.  Descriptor status is not consulted, so frames
 * are dropped whether or not the firmware has finished with them.
 *
 * NOTE(review): bf->bf_m and bf->bf_node are not cleared here after
 * being released; presumably mwl_puttxbuf_tail resets them -- verify.
 */
static void
mwl_tx_draintxq(struct mwl_softc *sc, struct mwl_txq *txq)
{
	struct ieee80211_node *ni;
	struct mwl_txbuf *bf;
	u_int ix;

	/*
	 * NB: this assumes output has been stopped and
	 *     we do not need to block mwl_tx_tasklet
	 */
	for (ix = 0;; ix++) {
		/* unlink the head under the lock, release it outside */
		MWL_TXQ_LOCK(txq);
		bf = STAILQ_FIRST(&txq->active);
		if (bf == NULL) {
			MWL_TXQ_UNLOCK(txq);
			break;
		}
		STAILQ_REMOVE_HEAD(&txq->active, bf_list);
		MWL_TXQ_UNLOCK(txq);
#ifdef MWL_DEBUG
		if (sc->sc_debug & MWL_DEBUG_RESET) {
			struct ieee80211com *ic = &sc->sc_ic;
			const struct mwltxrec *tr =
			    mtod(bf->bf_m, const struct mwltxrec *);
			mwl_printtxbuf(bf, txq->qnum, ix);
			ieee80211_dump_pkt(ic, (const uint8_t *)&tr->wh,
				bf->bf_m->m_len - sizeof(tr->fwlen), 0, -1);
		}
#endif /* MWL_DEBUG */
		bus_dmamap_unload(sc->sc_dmat, bf->bf_dmamap);
		ni = bf->bf_node;
		if (ni != NULL) {
			/*
			 * Reclaim node reference.
			 */
			ieee80211_free_node(ni);
		}
		m_freem(bf->bf_m);

		mwl_puttxbuf_tail(txq, bf);
	}
}
3489 
/*
 * Drain the transmit queues and reclaim resources.
 *
 * Every entry of sc_txq is drained with mwl_tx_draintxq and the
 * tx watchdog timer is then cleared.
 */
static void
mwl_draintxq(struct mwl_softc *sc)
{
	struct mwl_txq *txq = &sc->sc_txq[0];
	struct mwl_txq *const end = &sc->sc_txq[MWL_NUM_TX_QUEUES];

	for (; txq != end; txq++)
		mwl_tx_draintxq(sc, txq);
	sc->sc_tx_timer = 0;
}
3502 
3503 #ifdef MWL_DIAGAPI
/*
 * Reset the transmit queues to a pristine state after a fw download.
 *
 * Applies mwl_txq_reset to every entry of sc_txq.
 */
static void
mwl_resettxq(struct mwl_softc *sc)
{
	struct mwl_txq *txq = &sc->sc_txq[0];
	struct mwl_txq *const end = &sc->sc_txq[MWL_NUM_TX_QUEUES];

	for (; txq != end; txq++)
		mwl_txq_reset(sc, txq);
}
3515 #endif /* MWL_DIAGAPI */
3516 
/*
 * Clear the transmit queues of any frames submitted for the
 * specified vap.  This is done when the vap is deleted so we
 * don't potentially reference the vap after it is gone.
 * Note we cannot remove the frames; we only reclaim the node
 * reference.
 *
 * Each active list is walked with its queue lock held.  A buffer
 * whose node belongs to vap has bf_node set to NULL before the
 * reference is dropped, so tx completion later sees no node and
 * just frees the mbuf.
 */
static void
mwl_cleartxq(struct mwl_softc *sc, struct ieee80211vap *vap)
{
	int i;

	for (i = 0; i < MWL_NUM_TX_QUEUES; i++) {
		struct mwl_txq *txq = &sc->sc_txq[i];
		struct mwl_txbuf *bf;

		MWL_TXQ_LOCK(txq);
		STAILQ_FOREACH(bf, &txq->active, bf_list) {
			struct ieee80211_node *ni = bf->bf_node;

			if (ni == NULL || ni->ni_vap != vap)
				continue;
			/* detach first so nothing reaches the vap via bf */
			bf->bf_node = NULL;
			ieee80211_free_node(ni);
		}
		MWL_TXQ_UNLOCK(txq);
	}
}
3544 
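/*
 * Intercept received action frames.  HT MIMO power save frames are
 * handed to the firmware through mwl_hal_setmimops; everything else
 * is passed to the net80211 handler saved in sc_recv_action.
 *
 * frm/efrm delimit the action frame body, which comes from a
 * received frame and so is not trusted.  The body is dereferenced
 * only after checking that the fields read lie before efrm; a body
 * too short to classify, or too short to hold the MIMO power save
 * control octet, is passed on to the saved handler unchanged.
 *
 * Returns 0 for a handled MIMO power save frame, otherwise the
 * saved handler's result.
 */
static int
mwl_recv_action(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
	const uint8_t *frm, const uint8_t *efrm)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	const struct ieee80211_action *ia;
	size_t len;

	/*
	 * NB: net80211 may already have verified the length before
	 *     calling us; re-check here so the casts below never read
	 *     past the end of the frame.
	 */
	len = efrm > frm ? (size_t)(efrm - frm) : 0;
	if (len < sizeof(*ia))
		return sc->sc_recv_action(ni, wh, frm, efrm);

	ia = (const struct ieee80211_action *) frm;
	if (ia->ia_category == IEEE80211_ACTION_CAT_HT &&
	    ia->ia_action == IEEE80211_ACTION_HT_MIMOPWRSAVE &&
	    len >= sizeof(struct ieee80211_action_ht_mimopowersave)) {
		const struct ieee80211_action_ht_mimopowersave *mps =
		    (const struct ieee80211_action_ht_mimopowersave *) ia;

		mwl_hal_setmimops(sc->sc_mh, ni->ni_macaddr,
		    mps->am_control & IEEE80211_A_HT_MIMOPWRSAVE_ENA,
		    MS(mps->am_control, IEEE80211_A_HT_MIMOPWRSAVE_MODE));
		return 0;
	}
	return sc->sc_recv_action(ni, wh, frm, efrm);
}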
3565 
/*
 * Intercept the start of an ADDBA exchange for a tx a-mpdu session.
 *
 * If the session has no BA state yet, a free per-node slot in
 * mn_ba[] is picked (highest index first) and a firmware BA stream
 * is allocated for it.  The starting sequence number is then fetched
 * from the firmware (0 if that fails) and the request is passed on
 * to the net80211 handler saved in sc_addba_request.
 *
 * Returns 0, meaning no aggregation for this session, when the node
 * already uses every slot or the hal has no stream available;
 * otherwise returns the saved handler's result.
 */
static int
mwl_addba_request(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap,
	int dialogtoken, int baparamset, int batimeout)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct ieee80211vap *vap = ni->ni_vap;
	struct mwl_node *mn = MWL_NODE(ni);
	struct mwl_bastate *bas;

	bas = tap->txa_private;
	if (bas == NULL) {
		const MWL_HAL_BASTREAM *sp;
		/*
		 * Check for a free BA stream slot.
		 */
		/* NB: the #if ladder forms one if/else-if chain over the slots */
#if MWL_MAXBA > 3
		if (mn->mn_ba[3].bastream == NULL)
			bas = &mn->mn_ba[3];
		else
#endif
#if MWL_MAXBA > 2
		if (mn->mn_ba[2].bastream == NULL)
			bas = &mn->mn_ba[2];
		else
#endif
#if MWL_MAXBA > 1
		if (mn->mn_ba[1].bastream == NULL)
			bas = &mn->mn_ba[1];
		else
#endif
#if MWL_MAXBA > 0
		if (mn->mn_ba[0].bastream == NULL)
			bas = &mn->mn_ba[0];
		else
#endif
		{
			/* sta already has max BA streams */
			/* XXX assign BA stream to highest priority tid */
			DPRINTF(sc, MWL_DEBUG_AMPDU,
			    "%s: already has max bastreams\n", __func__);
			sc->sc_stats.mst_ampdu_reject++;
			return 0;
		}
		/* NB: no held reference to ni */
		/*
		 * NOTE(review): ni and tap are handed to the hal without a
		 * node reference (see NB above); presumably the stream is
		 * always destroyed before the node goes away -- confirm.
		 */
		sp = mwl_hal_bastream_alloc(MWL_VAP(vap)->mv_hvap,
		    (baparamset & IEEE80211_BAPS_POLICY_IMMEDIATE) != 0,
		    ni->ni_macaddr, tap->txa_tid, ni->ni_htparam,
		    ni, tap);
		if (sp == NULL) {
			/*
			 * No available stream, return 0 so no
			 * a-mpdu aggregation will be done.
			 */
			DPRINTF(sc, MWL_DEBUG_AMPDU,
			    "%s: no bastream available\n", __func__);
			sc->sc_stats.mst_ampdu_nostream++;
			return 0;
		}
		DPRINTF(sc, MWL_DEBUG_AMPDU, "%s: alloc bastream %p\n",
		    __func__, sp);
		/* NB: qos is left zero so we won't match in mwl_tx_start */
		bas->bastream = sp;
		tap->txa_private = bas;
	}
	/* fetch current seq# from the firmware; if available */
	if (mwl_hal_bastream_get_seqno(sc->sc_mh, bas->bastream,
	    vap->iv_opmode == IEEE80211_M_STA ? vap->iv_myaddr : ni->ni_macaddr,
	    &tap->txa_start) != 0)
		tap->txa_start = 0;
	return sc->sc_addba_request(ni, tap, dialogtoken, baparamset, batimeout);
}
3637 
/*
 * Intercept the peer's ADDBA response for a tx a-mpdu session.
 *
 * On success the firmware is told to create the BA stream reserved
 * by mwl_addba_request and the slot is bound to the TID and h/w
 * queue.  If the peer refused, or the firmware create fails, the
 * stream is destroyed, the slot is freed and txa_private is cleared
 * so no stale BA state stays attached to the session.
 *
 * Returns 0 (no aggregation) when no stream was reserved or the
 * firmware create fails; otherwise returns the result of the
 * net80211 handler saved in sc_addba_response.
 */
static int
mwl_addba_response(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap,
	int code, int baparamset, int batimeout)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct mwl_bastate *bas;

	bas = tap->txa_private;
	if (bas == NULL) {
		/* XXX should not happen */
		DPRINTF(sc, MWL_DEBUG_AMPDU,
		    "%s: no BA stream allocated, TID %d\n",
		    __func__, tap->txa_tid);
		sc->sc_stats.mst_addba_nostream++;
		return 0;
	}
	if (code == IEEE80211_STATUS_SUCCESS) {
		struct ieee80211vap *vap = ni->ni_vap;
		int bufsiz, error;

		/*
		 * Tell the firmware to setup the BA stream;
		 * we know resources are available because we
		 * pre-allocated one before forming the request.
		 */
		/* NB: baparamset comes from the peer's response frame */
		bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
		if (bufsiz == 0)
			bufsiz = IEEE80211_AGGR_BAWMAX;
		error = mwl_hal_bastream_create(MWL_VAP(vap)->mv_hvap,
		    bas->bastream, bufsiz, bufsiz, tap->txa_start);
		if (error != 0) {
			/*
			 * Setup failed, return immediately so no a-mpdu
			 * aggregation will be done.
			 */
			mwl_hal_bastream_destroy(sc->sc_mh, bas->bastream);
			mwl_bastream_free(bas);
			tap->txa_private = NULL;

			DPRINTF(sc, MWL_DEBUG_AMPDU,
			    "%s: create failed, error %d, bufsiz %d TID %d "
			    "htparam 0x%x\n", __func__, error, bufsiz,
			    tap->txa_tid, ni->ni_htparam);
			sc->sc_stats.mst_bacreate_failed++;
			return 0;
		}
		/* NB: cache txq to avoid ptr indirect */
		mwl_bastream_setup(bas, tap->txa_tid, bas->bastream->txq);
		DPRINTF(sc, MWL_DEBUG_AMPDU,
		    "%s: bastream %p assigned to txq %d TID %d bufsiz %d "
		    "htparam 0x%x\n", __func__, bas->bastream,
		    bas->txq, tap->txa_tid, bufsiz, ni->ni_htparam);
	} else {
		/*
		 * Other side NAK'd us; return the resources.
		 */
		DPRINTF(sc, MWL_DEBUG_AMPDU,
		    "%s: request failed with code %d, destroy bastream %p\n",
		    __func__, code, bas->bastream);
		mwl_hal_bastream_destroy(sc->sc_mh, bas->bastream);
		mwl_bastream_free(bas);
		tap->txa_private = NULL;
	}
	/* NB: firmware sends BAR so we don't need to */
	return sc->sc_addba_response(ni, tap, code, baparamset, batimeout);
}
3704 
/*
 * Tear down a tx a-mpdu session.  Any BA stream attached to the
 * session is destroyed in the firmware, its slot is freed and
 * txa_private is cleared; the net80211 handler saved in
 * sc_addba_stop is then called in every case.
 */
static void
mwl_addba_stop(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap)
{
	struct mwl_softc *sc = ni->ni_ic->ic_softc;
	struct mwl_bastate *bas = tap->txa_private;

	if (bas == NULL) {
		/* nothing of ours attached to this session */
		sc->sc_addba_stop(ni, tap);
		return;
	}
	DPRINTF(sc, MWL_DEBUG_AMPDU, "%s: destroy bastream %p\n",
	    __func__, bas->bastream);
	mwl_hal_bastream_destroy(sc->sc_mh, bas->bastream);
	mwl_bastream_free(bas);
	tap->txa_private = NULL;
	sc->sc_addba_stop(ni, tap);
}
3721 
/*
 * Setup the rx data structures.  This should only be
 * done once or we may get out of sync with the firmware.
 *
 * On the first call every rx buffer is initialized and the rx
 * descriptors are chained into a ring through pPhysNext, the last
 * one pointing back at the first.  sc_recvsetup is set only after
 * the whole list was processed, so a failed mwl_rxbuf_init leaves
 * the setup to be redone by a later call.  The rx mode/filters are
 * (re)applied on every successful call.
 *
 * Returns 0 on success or the error from mwl_rxbuf_init.
 */
static int
mwl_startrecv(struct mwl_softc *sc)
{
	if (!sc->sc_recvsetup) {
		struct mwl_rxbuf *bf;
		struct mwl_rxbuf *last = NULL;
		struct mwl_rxdesc *ds;

		STAILQ_FOREACH(bf, &sc->sc_rxbuf, bf_list) {
			int error;

			error = mwl_rxbuf_init(sc, bf);
			if (error != 0) {
				DPRINTF(sc, MWL_DEBUG_RECV,
					"%s: mwl_rxbuf_init failed %d\n",
					__func__, error);
				return error;
			}
			/* chain the previous descriptor to this one */
			if (last != NULL) {
				ds = last->bf_desc;
				ds->pPhysNext = htole32(bf->bf_daddr);
			}
			last = bf;
		}
		/* close the ring: last descriptor points at the first */
		if (last != NULL) {
			ds = last->bf_desc;
			ds->pPhysNext =
			    htole32(STAILQ_FIRST(&sc->sc_rxbuf)->bf_daddr);
		}
		sc->sc_recvsetup = 1;
	}
	mwl_mode_init(sc);		/* set filters, etc. */
	return 0;
}
3758 
/*
 * Pick the hal AP mode for a vap operating on chan, from the channel
 * type and the vap's pure-11n/pure-11g flags.  A channel matching
 * none of the tests falls back to AP_MODE_MIXED.
 */
static MWL_HAL_APMODE
mwl_getapmode(const struct ieee80211vap *vap, struct ieee80211_channel *chan)
{
	if (IEEE80211_IS_CHAN_HT(chan)) {
		if (vap->iv_flags_ht & IEEE80211_FHT_PUREN)
			return AP_MODE_N_ONLY;
		if (IEEE80211_IS_CHAN_5GHZ(chan))
			return AP_MODE_AandN;
		if (vap->iv_flags & IEEE80211_F_PUREG)
			return AP_MODE_GandN;
		return AP_MODE_BandGandN;
	}
	if (IEEE80211_IS_CHAN_ANYG(chan)) {
		if (vap->iv_flags & IEEE80211_F_PUREG)
			return AP_MODE_G_ONLY;
		return AP_MODE_MIXED;
	}
	if (IEEE80211_IS_CHAN_B(chan))
		return AP_MODE_B_ONLY;
	if (IEEE80211_IS_CHAN_A(chan))
		return AP_MODE_A_ONLY;
	return AP_MODE_MIXED;		/* XXX should not happen? */
}
3786 
/*
 * Program the AP mode for vap's firmware vap according to chan.
 * Returns the result of mwl_hal_setapmode.
 */
static int
mwl_setapmode(struct ieee80211vap *vap, struct ieee80211_channel *chan)
{
	const MWL_HAL_APMODE mode = mwl_getapmode(vap, chan);

	return mwl_hal_setapmode(MWL_VAP(vap)->mv_hvap, mode);
}
3793 
/*
 * Set/change channels.
 *
 * Interrupts are masked while the firmware is switched to chan and
 * the tx power limit is applied, then the radiotap channel fields
 * and sc_curchan are updated and the interrupt mask is restored.
 *
 * NB: the results of the hal calls are not checked; this always
 *     returns 0.
 */
static int
mwl_chan_set(struct mwl_softc *sc, struct ieee80211_channel *chan)
{
	struct mwl_hal *mh = sc->sc_mh;
	struct ieee80211com *ic = &sc->sc_ic;
	MWL_HAL_CHANNEL hchan;
	int maxtxpow;

	DPRINTF(sc, MWL_DEBUG_RESET, "%s: chan %u MHz/flags 0x%x\n",
	    __func__, chan->ic_freq, chan->ic_flags);

	/*
	 * Convert to a HAL channel description with
	 * the flags constrained to reflect the current
	 * operating mode.
	 */
	mwl_mapchan(&hchan, chan);
	mwl_hal_intrset(mh, 0);		/* disable interrupts */
#if 0
	mwl_draintxq(sc);		/* clear pending tx frames */
#endif
	mwl_hal_setchannel(mh, &hchan);
	/*
	 * Tx power is cap'd by the regulatory setting and
	 * possibly a user-set limit.  We pass the min of
	 * these to the hal to apply them to the cal data
	 * for this channel.
	 * XXX min bound?
	 */
	/*
	 * NOTE(review): the regulatory value is doubled before the
	 * comparison and the result halved again for the hal, so
	 * ic_txpowlimit is presumably kept in half units of
	 * ic_maxregpower -- confirm.
	 */
	maxtxpow = 2*chan->ic_maxregpower;
	if (maxtxpow > ic->ic_txpowlimit)
		maxtxpow = ic->ic_txpowlimit;
	mwl_hal_settxpower(mh, &hchan, maxtxpow / 2);
	/* NB: potentially change mcast/mgt rates */
	mwl_setcurchanrates(sc);

	/*
	 * Update internal state.
	 */
	sc->sc_tx_th.wt_chan_freq = htole16(chan->ic_freq);
	sc->sc_rx_th.wr_chan_freq = htole16(chan->ic_freq);
	if (IEEE80211_IS_CHAN_A(chan)) {
		sc->sc_tx_th.wt_chan_flags = htole16(IEEE80211_CHAN_A);
		sc->sc_rx_th.wr_chan_flags = htole16(IEEE80211_CHAN_A);
	} else if (IEEE80211_IS_CHAN_ANYG(chan)) {
		sc->sc_tx_th.wt_chan_flags = htole16(IEEE80211_CHAN_G);
		sc->sc_rx_th.wr_chan_flags = htole16(IEEE80211_CHAN_G);
	} else {
		sc->sc_tx_th.wt_chan_flags = htole16(IEEE80211_CHAN_B);
		sc->sc_rx_th.wr_chan_flags = htole16(IEEE80211_CHAN_B);
	}
	sc->sc_curchan = hchan;
	/* re-enable interrupts with the saved mask */
	mwl_hal_intrset(mh, sc->sc_imask);

	return 0;
}
3853 
/*
 * net80211 scan-start callback.  Nothing is programmed into the
 * hardware here; the event is only traced when state debugging
 * is enabled.
 */
static void
mwl_scan_start(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;

	DPRINTF(sc, MWL_DEBUG_STATE, "%s\n", __func__);
}
3861 
/*
 * net80211 scan-end callback.  Nothing is programmed into the
 * hardware here; the event is only traced when state debugging
 * is enabled.
 */
static void
mwl_scan_end(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;

	DPRINTF(sc, MWL_DEBUG_STATE, "%s\n", __func__);
}
3869 
/*
 * net80211 set-channel callback: switch the hardware to the
 * current channel (ic_curchan).  The result of mwl_chan_set is
 * deliberately ignored.
 */
static void
mwl_set_channel(struct ieee80211com *ic)
{
	(void) mwl_chan_set(ic->ic_softc, ic->ic_curchan);
}
3877 
/*
 * Handle a channel switch request.  We inform the firmware
 * and mark the global state to suppress various actions.
 * NB: we issue only one request to the fw; we may be called
 * multiple times if there are multiple vap's.
 *
 * sc_csapending records that the request was issued; while it is
 * set further calls do nothing.
 */
static void
mwl_startcsa(struct ieee80211vap *vap)
{
	struct ieee80211com *ic = vap->iv_ic;
	struct mwl_softc *sc = ic->ic_softc;

	if (!sc->sc_csapending) {
		MWL_HAL_CHANNEL hchan;

		mwl_mapchan(&hchan, ic->ic_csa_newchan);
		/* 1 =>'s quiet channel */
		mwl_hal_setchannelswitchie(sc->sc_mh, &hchan, 1,
		    ic->ic_csa_count);
		sc->sc_csapending = 1;
	}
}
3899 
/*
 * Plumb any static WEP key for the station.  This is
 * necessary as we must propagate the key from the
 * global key table of the vap to each sta db entry.
 *
 * The key is installed only when privacy is on without WPA, a
 * default tx key is selected and that key slot holds a key.  The
 * result of _mwl_key_set is ignored.
 *
 * NOTE(review): iv_def_txkey indexes iv_nw_keys after being compared
 * with IEEE80211_KEYIX_NONE only; presumably net80211 keeps it
 * within the key table -- confirm.
 */
static void
mwl_setanywepkey(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	struct ieee80211_key *k;

	/* static WEP only: privacy enabled, WPA not */
	if ((vap->iv_flags & (IEEE80211_F_PRIVACY|IEEE80211_F_WPA)) !=
	    IEEE80211_F_PRIVACY)
		return;
	if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE)
		return;
	k = &vap->iv_nw_keys[vap->iv_def_txkey];
	if (k->wk_keyix == IEEE80211_KEYIX_NONE)
		return;
	(void) _mwl_key_set(vap, k, mac);
}
3915 
/*
 * Create the firmware station database entry for a node and then
 * re-plumb any static WEP key for it.
 *
 * ni	 node whose MAC address, QoS/HT flags and WME info are used
 * aid	 association id passed through to mwl_hal_newstation
 * staid firmware station id passed through to mwl_hal_newstation
 * pi	 peer info for the entry; callers in this file also pass NULL
 *
 * Returns the result of mwl_hal_newstation (0 on success).
 */
static int
mwl_peerstadb(struct ieee80211_node *ni, int aid, int staid, MWL_HAL_PEERINFO *pi)
{
	/*
	 * View a stored WME information element as its structure.
	 * NOTE(review): presumably net80211 validated the element length
	 * before saving it in ni_ies.wme_ie -- confirm, since wme_info is
	 * read through this cast without a length check here.
	 */
#define	WME(ie) ((const struct ieee80211_wme_info *) ie)
	struct ieee80211vap *vap = ni->ni_vap;
	struct mwl_hal_vap *hvap;
	int error;

	if (vap->iv_opmode == IEEE80211_M_WDS) {
		/*
		 * WDS vap's do not have a f/w vap; instead they piggyback
		 * on an AP vap and we must install the sta db entry and
		 * crypto state using that AP's handle (the WDS vap has none).
		 */
		hvap = MWL_VAP(vap)->mv_ap_hvap;
	} else
		hvap = MWL_VAP(vap)->mv_hvap;
	/* last argument is the WME info byte, or 0 when no WME ie is stored */
	error = mwl_hal_newstation(hvap, ni->ni_macaddr,
	    aid, staid, pi,
	    ni->ni_flags & (IEEE80211_NODE_QOS | IEEE80211_NODE_HT),
	    ni->ni_ies.wme_ie != NULL ? WME(ni->ni_ies.wme_ie)->wme_info : 0);
	if (error == 0) {
		/*
		 * Setup security for this station.  For sta mode this is
		 * needed even though we do the same thing on transition to
		 * AUTH state because the call to mwl_hal_newstation
		 * clobbers the crypto state we setup.
		 */
		mwl_setanywepkey(vap, ni->ni_macaddr);
	}
	return error;
#undef WME
}
3949 
/*
 * Install every populated key from the vap's global key table
 * (slots 0 .. IEEE80211_WEP_NKID-1) against the vap's own address.
 * NB: failures from _mwl_key_set are ignored.
 */
static void
mwl_setglobalkeys(struct ieee80211vap *vap)
{
	int kix;

	for (kix = 0; kix < IEEE80211_WEP_NKID; kix++) {
		struct ieee80211_key *key = &vap->iv_nw_keys[kix];

		/* skip empty slots */
		if (key->wk_keyix == IEEE80211_KEYIX_NONE)
			continue;
		(void) _mwl_key_set(vap, key, vap->iv_myaddr);
	}
}
3960 
/*
 * Translate a legacy rate set into the firmware's rate bitmask.
 * Each recognised rate code (after masking with IEEE80211_RATE_VAL)
 * sets one bit; unrecognised codes are silently skipped.
 */
static uint32_t
get_rate_bitmap(const struct ieee80211_rateset *rs)
{
	/* rate codes listed in firmware bit order: index == bit position */
	static const uint8_t fwrates[] = {
		2, 4, 11, 22, 44, 12, 18, 24, 36, 48, 72, 96, 108
	};
	const int nfwrates = (int)(sizeof(fwrates) / sizeof(fwrates[0]));
	uint32_t bitmap = 0;
	int i, bit;

	for (i = 0; i < rs->rs_nrates; i++) {
		const int code = rs->rs_rates[i] & IEEE80211_RATE_VAL;

		for (bit = 0; bit < nfwrates; bit++) {
			if (fwrates[bit] == code) {
				bitmap |= (uint32_t)1 << bit;
				break;
			}
		}
	}
	return bitmap;
}
3989 
/*
 * Build the firmware HT rate bitmask from an HT rate set: entry
 * value v sets bit v.  Entries of 16 or more are dropped so the
 * shift count always stays in the range 0..15.
 */
static uint32_t
get_htrate_bitmap(const struct ieee80211_htrateset *rs)
{
	uint32_t bitmap = 0;
	int idx;

	for (idx = 0; idx < rs->rs_nrates; idx++) {
		if (rs->rs_rates[idx] >= 16)
			continue;
		bitmap |= 1<<rs->rs_rates[idx];
	}
	return bitmap;
}
4006 
/*
 * Fill in a station database entry for a node and return it.
 * The structure is cleared first, so fields not set below are zero.
 * NB: values stay in host byte order; the hal does the byte swapping.
 */
static MWL_HAL_PEERINFO *
mkpeerinfo(MWL_HAL_PEERINFO *pi, const struct ieee80211_node *ni)
{
	const struct ieee80211vap *vap = ni->ni_vap;

	memset(pi, 0, sizeof(*pi));
	pi->CapInfo = ni->ni_capinfo;
	pi->LegacyRateBitMap = get_rate_bitmap(&ni->ni_rates);

	/* legacy stations need nothing more */
	if ((ni->ni_flags & IEEE80211_NODE_HT) == 0)
		return pi;

	/* HT capabilities, etc */
	pi->HTCapabilitiesInfo = ni->ni_htcap;
	/* XXX pi.HTCapabilitiesInfo */
	pi->MacHTParamInfo = ni->ni_htparam;
	pi->HTRateBitMap = get_htrate_bitmap(&ni->ni_htrates);

	pi->AddHtInfo.ControlChan = ni->ni_htctlchan;
	pi->AddHtInfo.AddChan = ni->ni_ht2ndchan;
	pi->AddHtInfo.OpMode = ni->ni_htopmode;
	pi->AddHtInfo.stbc = ni->ni_htstbc;

	/*
	 * Strip capabilities the local configuration does not allow:
	 * short GI per width, and 40MHz unless the node runs 40 wide.
	 */
	if (!(vap->iv_flags_ht & IEEE80211_FHT_SHORTGI40))
		pi->HTCapabilitiesInfo &= ~IEEE80211_HTCAP_SHORTGI40;
	if (!(vap->iv_flags_ht & IEEE80211_FHT_SHORTGI20))
		pi->HTCapabilitiesInfo &= ~IEEE80211_HTCAP_SHORTGI20;
	if (ni->ni_chw != 40)
		pi->HTCapabilitiesInfo &= ~IEEE80211_HTCAP_CHWIDTH40;

	return pi;
}
4040 
/*
 * Re-create the local sta db entry for a vap to ensure
 * up to date WME state is pushed to the firmware.  Because
 * this resets crypto state this must be followed by a
 * reload of any keys in the global key table; that reload
 * is done here via mwl_setglobalkeys when the entry was
 * created successfully.
 *
 * Only STA, HOSTAP and MBSS vaps are handled; for any other
 * opmode nothing is done and 0 is returned.  Otherwise the
 * result of mwl_hal_newstation is returned.
 */
static int
mwl_localstadb(struct ieee80211vap *vap)
{
	/*
	 * View a stored WME information element as its structure.
	 * NOTE(review): no length check is made here before reading
	 * wme_info -- presumably done when the ie was saved; confirm.
	 */
#define	WME(ie) ((const struct ieee80211_wme_info *) ie)
	struct mwl_hal_vap *hvap = MWL_VAP(vap)->mv_hvap;
	struct ieee80211_node *bss;
	MWL_HAL_PEERINFO pi;
	int error;

	switch (vap->iv_opmode) {
	case IEEE80211_M_STA:
		bss = vap->iv_bss;
		/* peer info is only supplied once the vap is in RUN state */
		error = mwl_hal_newstation(hvap, vap->iv_myaddr, 0, 0,
		    vap->iv_state == IEEE80211_S_RUN ?
			mkpeerinfo(&pi, bss) : NULL,
		    (bss->ni_flags & (IEEE80211_NODE_QOS | IEEE80211_NODE_HT)),
		    bss->ni_ies.wme_ie != NULL ?
			WME(bss->ni_ies.wme_ie)->wme_info : 0);
		if (error == 0)
			mwl_setglobalkeys(vap);
		break;
	case IEEE80211_M_HOSTAP:
	case IEEE80211_M_MBSS:
		/* AP-side entry: no peer info, WME flag taken from the vap */
		error = mwl_hal_newstation(hvap, vap->iv_myaddr,
		    0, 0, NULL, vap->iv_flags & IEEE80211_F_WME, 0);
		if (error == 0)
			mwl_setglobalkeys(vap);
		break;
	default:
		error = 0;
		break;
	}
	return error;
#undef WME
}
4082 
/*
 * State-change handler for a vap.  Work is done in three phases:
 * driver/firmware actions that must precede the net80211 state
 * change, the saved parent method (mv_newstate), and actions that
 * need the updated net80211 state (RUN handling, DWDS accounting).
 *
 * Returns the parent method's result, or the error from
 * mwl_reset_vap when beacon setup fails on entry to RUN.
 */
static int
mwl_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
{
	struct mwl_vap *mvp = MWL_VAP(vap);
	struct mwl_hal_vap *hvap = mvp->mv_hvap;
	struct ieee80211com *ic = vap->iv_ic;
	struct ieee80211_node *ni = NULL;
	struct mwl_softc *sc = ic->ic_softc;
	struct mwl_hal *mh = sc->sc_mh;
	enum ieee80211_state ostate = vap->iv_state;
	int error;

	DPRINTF(sc, MWL_DEBUG_STATE, "%s: %s: %s -> %s\n",
	    vap->iv_ifp->if_xname, __func__,
	    ieee80211_state_name[ostate], ieee80211_state_name[nstate]);

	/* the aging timer is re-armed below only on a successful RUN */
	callout_stop(&sc->sc_timer);
	/*
	 * Clear current radar detection state.
	 */
	if (ostate == IEEE80211_S_CAC) {
		/* stop quiet mode radar detection */
		mwl_hal_setradardetection(mh, DR_CHK_CHANNEL_AVAILABLE_STOP);
	} else if (sc->sc_radarena) {
		/* stop in-service radar detection */
		mwl_hal_setradardetection(mh, DR_DFS_DISABLE);
		sc->sc_radarena = 0;
	}
	/*
	 * Carry out per-state actions before doing net80211 work.
	 */
	if (nstate == IEEE80211_S_INIT) {
		/* NB: only ap+sta vap's have a fw entity */
		if (hvap != NULL)
			mwl_hal_stop(hvap);
	} else if (nstate == IEEE80211_S_SCAN) {
		/*
		 * NOTE(review): unlike the INIT branch, hvap is not
		 * checked for NULL here; presumably only vap's with a
		 * fw entity reach SCAN -- confirm.
		 */
		mwl_hal_start(hvap);
		/* NB: this disables beacon frames */
		mwl_hal_setinframode(hvap);
	} else if (nstate == IEEE80211_S_AUTH) {
		/*
		 * Must create a sta db entry in case a WEP key needs to
		 * be plumbed.  This entry will be overwritten if we
		 * associate; otherwise it will be reclaimed on node free.
		 */
		ni = vap->iv_bss;
		MWL_NODE(ni)->mn_hvap = hvap;
		/* NB: a failure to create the entry is not reported */
		(void) mwl_peerstadb(ni, 0, 0, NULL);
	} else if (nstate == IEEE80211_S_CSA) {
		/* XXX move to below? */
		if (vap->iv_opmode == IEEE80211_M_HOSTAP ||
		    vap->iv_opmode == IEEE80211_M_MBSS)
			mwl_startcsa(vap);
	} else if (nstate == IEEE80211_S_CAC) {
		/* XXX move to below? */
		/* stop ap xmit and enable quiet mode radar detection */
		mwl_hal_setradardetection(mh, DR_CHK_CHANNEL_AVAILABLE_START);
	}

	/*
	 * Invoke the parent method to do net80211 work.
	 */
	error = mvp->mv_newstate(vap, nstate, arg);

	/*
	 * Carry out work that must be done after net80211 runs;
	 * this work requires up to date state (e.g. iv_bss).
	 */
	if (error == 0 && nstate == IEEE80211_S_RUN) {
		/* NB: collect bss node again, it may have changed */
		ni = vap->iv_bss;

		DPRINTF(sc, MWL_DEBUG_STATE,
		    "%s: %s(RUN): iv_flags 0x%08x bintvl %d bssid %s "
		    "capinfo 0x%04x chan %d\n",
		    vap->iv_ifp->if_xname, __func__, vap->iv_flags,
		    ni->ni_intval, ether_sprintf(ni->ni_bssid), ni->ni_capinfo,
		    ieee80211_chan2ieee(ic, ic->ic_curchan));

		/*
		 * Recreate local sta db entry to update WME/HT state.
		 * NB: the return value is not checked, so a failure here
		 * (which also skips the global key reload) goes unnoticed.
		 */
		mwl_localstadb(vap);
		switch (vap->iv_opmode) {
		case IEEE80211_M_HOSTAP:
		case IEEE80211_M_MBSS:
			if (ostate == IEEE80211_S_CAC) {
				/* enable in-service radar detection */
				mwl_hal_setradardetection(mh,
				    DR_IN_SERVICE_MONITOR_START);
				sc->sc_radarena = 1;
			}
			/*
			 * Allocate and setup the beacon frame
			 * (and related state).
			 */
			error = mwl_reset_vap(vap, IEEE80211_S_RUN);
			if (error != 0) {
				DPRINTF(sc, MWL_DEBUG_STATE,
				    "%s: beacon setup failed, error %d\n",
				    __func__, error);
				goto bad;
			}
			/* NB: must be after setting up beacon */
			mwl_hal_start(hvap);
			break;
		case IEEE80211_M_STA:
			DPRINTF(sc, MWL_DEBUG_STATE, "%s: %s: aid 0x%x\n",
			    vap->iv_ifp->if_xname, __func__, ni->ni_associd);
			/*
			 * Set state now that we're associated.
			 */
			mwl_hal_setassocid(hvap, ni->ni_bssid, ni->ni_associd);
			mwl_setrates(vap);
			mwl_hal_setrtsthreshold(hvap, vap->iv_rtsthreshold);
			/* first DWDS vap to reach RUN turns DWDS on in the fw */
			if ((vap->iv_flags & IEEE80211_F_DWDS) &&
			    sc->sc_ndwdsvaps++ == 0)
				mwl_hal_setdwds(mh, 1);
			break;
		case IEEE80211_M_WDS:
			DPRINTF(sc, MWL_DEBUG_STATE, "%s: %s: bssid %s\n",
			    vap->iv_ifp->if_xname, __func__,
			    ether_sprintf(ni->ni_bssid));
			mwl_seteapolformat(vap);
			break;
		default:
			break;
		}
		/*
		 * Set CS mode according to operating channel;
		 * this is mostly an optimization for 5GHz.
		 *
		 * NB: must follow mwl_hal_start which resets csmode
		 */
		if (IEEE80211_IS_CHAN_5GHZ(ic->ic_bsschan))
			mwl_hal_setcsmode(mh, CSMODE_AGGRESSIVE);
		else
			mwl_hal_setcsmode(mh, CSMODE_AUTO_ENA);
		/*
		 * Start timer to prod firmware.
		 */
		if (sc->sc_ageinterval != 0)
			callout_reset(&sc->sc_timer, sc->sc_ageinterval*hz,
			    mwl_agestations, sc);
	} else if (nstate == IEEE80211_S_SLEEP) {
		/* XXX set chip in power save */
	/*
	 * NOTE(review): the branch below runs for every transition that
	 * is neither a successful RUN nor SLEEP, so a DWDS vap decrements
	 * sc_ndwdsvaps on each such call and not only when it leaves RUN.
	 * Confirm the counter cannot drop below zero.
	 */
	} else if ((vap->iv_flags & IEEE80211_F_DWDS) &&
	    --sc->sc_ndwdsvaps == 0)
		mwl_hal_setdwds(mh, 0);
bad:
	return error;
}
4235 
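/*
 * Manage station id's; these are separate from AID's
 * as AID's may have values out of the range of possible
 * station id's acceptable to the firmware.
 *
 * Returns aid itself when it lies in (0, MWL_MAXSTAID) and is not
 * already taken, otherwise the lowest free id searching up from 1.
 * When every id is in use the search runs off the end and
 * MWL_MAXSTAID is returned, exactly as before; in that case nothing
 * is recorded in the bitmap.
 *
 * NB: the declaration of sc_staid is not visible from here;
 * presumably it holds one bit per id below MWL_MAXSTAID, in which
 * case marking bit MWL_MAXSTAID would write past the end of it.
 */
static int
allocstaid(struct mwl_softc *sc, int aid)
{
	int staid;

	if (!(0 < aid && aid < MWL_MAXSTAID) || isset(sc->sc_staid, aid)) {
		/* NB: don't use 0 */
		for (staid = 1; staid < MWL_MAXSTAID; staid++)
			if (isclr(sc->sc_staid, staid))
				break;
	} else
		staid = aid;
	if (staid < MWL_MAXSTAID) {
		setbit(sc->sc_staid, staid);
	} else {
		/* table exhausted: leave the bitmap alone */
		DPRINTF(sc, MWL_DEBUG_NODE, "%s: no free station id\n",
		    __func__);
		/* XXX caller has no way to see this failure */
	}
	return staid;
}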
4256 
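/*
 * Release a station id handed out by allocstaid.
 *
 * Ids outside [0, MWL_MAXSTAID) are ignored: allocstaid returns
 * MWL_MAXSTAID when no id is free, and clearing a bit for such a
 * value would touch memory beyond the ids the bitmap tracks.
 */
static void
delstaid(struct mwl_softc *sc, int staid)
{
	if (staid < 0 || staid >= MWL_MAXSTAID)
		return;
	clrbit(sc->sc_staid, staid);
}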
4262 
/*
 * Set up driver state for a node that has just (re)associated and
 * create its firmware sta db entry.  `isnew' is non-zero the first
 * time a node associates; only then are a station id and the vap's
 * hal handle assigned.
 */
static void
mwl_newassoc(struct ieee80211_node *ni, int isnew)
{
	struct ieee80211vap *vap = ni->ni_vap;
	struct mwl_softc *sc = vap->iv_ic->ic_softc;
	struct mwl_node *mn = MWL_NODE(ni);
	MWL_HAL_PEERINFO peer;
	uint16_t aid;
	int rc;

	aid = IEEE80211_AID(ni->ni_associd);
	if (!isnew) {
		mn = MWL_NODE(ni);
		/* XXX reset BA stream? */
	} else {
		mn->mn_staid = allocstaid(sc, aid);
		mn->mn_hvap = MWL_VAP(vap)->mv_hvap;
	}
	DPRINTF(sc, MWL_DEBUG_NODE, "%s: mac %s isnew %d aid %d staid %d\n",
	    __func__, ether_sprintf(ni->ni_macaddr), isnew, aid, mn->mn_staid);

	rc = mwl_peerstadb(ni, aid, mn->mn_staid, mkpeerinfo(&peer, ni));
	if (rc == 0)
		return;

	DPRINTF(sc, MWL_DEBUG_NODE,
	    "%s: error %d creating sta db entry\n",
	    __func__, rc);
	/* XXX how to deal with error? */
}
4296 
/*
 * Timer callback: poke the firmware so it ages out station state
 * (power save queues, pending tx aggregates), then re-arm the timer.
 */
static void
mwl_agestations(void *arg)
{
	struct mwl_softc *sc = arg;

	mwl_hal_setkeepalive(sc->sc_mh);

	/* NB: the interval is re-read on every run to catch dynamic changes */
	if (sc->sc_ageinterval == 0)
		return;
	callout_schedule(&sc->sc_timer, sc->sc_ageinterval*hz);
}
4310 
/*
 * Look up the hal channel table entry whose ieee number matches.
 * Returns a pointer into ci->channels, or NULL when there is no match.
 */
static const struct mwl_hal_channel *
findhalchannel(const MWL_HAL_CHANNELINFO *ci, int ieee)
{
	int n;

	for (n = 0; n < ci->nchannels; n++) {
		if (ci->channels[n].ieee != ieee)
			continue;
		return &ci->channels[n];
	}
	return NULL;
}
4323 
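/*
 * Check a proposed channel list against the calibration data the
 * hal reports and cap each channel's max tx power accordingly.
 *
 * ic	 device state
 * rd	 regulatory domain (not consulted here)
 * nchan number of entries in chans
 * chans channel list; ic_maxpower may be lowered in place
 *
 * Returns 0 when every channel is acceptable, EINVAL when a channel
 * is in neither the 2.4GHz nor the 5GHz band, when the hal cannot
 * supply channel info for it, or when no cal data exists for it.
 */
static int
mwl_setregdomain(struct ieee80211com *ic, struct ieee80211_regdomain *rd,
	int nchan, struct ieee80211_channel chans[])
{
	struct mwl_softc *sc = ic->ic_softc;
	struct mwl_hal *mh = sc->sc_mh;
	int i;

	for (i = 0; i < nchan; i++) {
		struct ieee80211_channel *c = &chans[i];
		const struct mwl_hal_channel *hc;
		const MWL_HAL_CHANNELINFO *ci = NULL;
		int band;

		if (IEEE80211_IS_CHAN_2GHZ(c)) {
			band = MWL_FREQ_BAND_2DOT4GHZ;
		} else if (IEEE80211_IS_CHAN_5GHZ(c)) {
			band = MWL_FREQ_BAND_5GHZ;
		} else {
			device_printf(sc->sc_dev,
			    "%s: channel %u freq %u/0x%x not 2.4/5GHz\n",
			    __func__, c->ic_ieee, c->ic_freq, c->ic_flags);
			return EINVAL;
		}
		/*
		 * The lookup can fail (getchannels treats a non-zero
		 * return as "no table"); without this check ci would be
		 * used uninitialized below.
		 */
		if (mwl_hal_getchannelinfo(mh, band,
		    IEEE80211_IS_CHAN_HT40(c) ?
			MWL_CH_40_MHz_WIDTH : MWL_CH_20_MHz_WIDTH, &ci) != 0 ||
		    ci == NULL) {
			device_printf(sc->sc_dev,
			    "%s: no channel info for channel %u freq %u/0x%x\n",
			    __func__, c->ic_ieee, c->ic_freq, c->ic_flags);
			return EINVAL;
		}
		/*
		 * Verify channel has cal data and cap tx power.
		 */
		hc = findhalchannel(ci, c->ic_ieee);
		if (hc == NULL && IEEE80211_IS_CHAN_HT40(c)) {
			/*
			 * Look for the extension channel since the
			 * hal table only has the primary channel.
			 */
			hc = findhalchannel(ci, c->ic_extieee);
		}
		if (hc == NULL) {
			device_printf(sc->sc_dev,
			    "%s: no cal data for channel %u ext %u freq %u/0x%x\n",
			    __func__, c->ic_ieee, c->ic_extieee,
			    c->ic_freq, c->ic_flags);
			return EINVAL;
		}
		if (c->ic_maxpower > 2*hc->maxTxPow)
			c->ic_maxpower = 2*hc->maxTxPow;
	}
	return 0;
}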
4382 
/*
 * Local shorthands for the channel flag combinations passed to
 * addht40channels below; both are #undef'd after mwl_getchannels.
 */
#define	IEEE80211_CHAN_HTG	(IEEE80211_CHAN_HT|IEEE80211_CHAN_G)
#define	IEEE80211_CHAN_HTA	(IEEE80211_CHAN_HT|IEEE80211_CHAN_A)
4385 
/*
 * Add an HT40 channel for each entry of a hal channel table.
 * An ENOENT result for one entry is tolerated; any other failure
 * from ieee80211_add_channel_ht40 stops the walk.  Nothing is
 * reported back to the caller.
 */
static void
addht40channels(struct ieee80211_channel chans[], int maxchans, int *nchans,
	const MWL_HAL_CHANNELINFO *ci, int flags)
{
	int idx;

	for (idx = 0; idx < ci->nchannels; idx++) {
		const struct mwl_hal_channel *hc = &ci->channels[idx];
		int rc;

		rc = ieee80211_add_channel_ht40(chans, maxchans, nchans,
		    hc->ieee, hc->maxTxPow, flags);
		if (rc == 0 || rc == ENOENT)
			continue;
		break;
	}
}
4401 
/*
 * Add one channel per entry of a hal channel table for the modes
 * set in `bands'.  The walk ends at the first entry that
 * ieee80211_add_channel rejects; the error itself is dropped.
 */
static void
addchannels(struct ieee80211_channel chans[], int maxchans, int *nchans,
	const MWL_HAL_CHANNELINFO *ci, const uint8_t bands[])
{
	int idx;

	for (idx = 0; idx < ci->nchannels; idx++) {
		const struct mwl_hal_channel *hc = &ci->channels[idx];

		if (ieee80211_add_channel(chans, maxchans, nchans,
		    hc->ieee, hc->freq, hc->maxTxPow, 0, bands) != 0)
			break;
	}
}
4416 
/*
 * Build a channel list from the hal's channel tables.
 *
 * *nchans is reset to 0 and then grows as channels are added, up to
 * maxchans entries in chans.  Tables the hal cannot supply are
 * skipped.  The list is handed back unsorted; the caller sorts it
 * if it wants to.
 */
static void
getchannels(struct mwl_softc *sc, int maxchans, int *nchans,
	struct ieee80211_channel chans[])
{
	struct mwl_hal *mh = sc->sc_mh;
	const MWL_HAL_CHANNELINFO *info;
	uint8_t modes[IEEE80211_MODE_BYTES];

	*nchans = 0;

	/* 2.4GHz, 20MHz wide: 11b, 11g and 11ng */
	if (mwl_hal_getchannelinfo(mh, MWL_FREQ_BAND_2DOT4GHZ,
	    MWL_CH_20_MHz_WIDTH, &info) == 0) {
		memset(modes, 0, sizeof(modes));
		setbit(modes, IEEE80211_MODE_11B);
		setbit(modes, IEEE80211_MODE_11G);
		setbit(modes, IEEE80211_MODE_11NG);
		addchannels(chans, maxchans, nchans, info, modes);
	}

	/* 5GHz, 20MHz wide: 11a and 11na */
	if (mwl_hal_getchannelinfo(mh, MWL_FREQ_BAND_5GHZ,
	    MWL_CH_20_MHz_WIDTH, &info) == 0) {
		memset(modes, 0, sizeof(modes));
		setbit(modes, IEEE80211_MODE_11A);
		setbit(modes, IEEE80211_MODE_11NA);
		addchannels(chans, maxchans, nchans, info, modes);
	}

	/* 2.4GHz, 40MHz wide */
	if (mwl_hal_getchannelinfo(mh, MWL_FREQ_BAND_2DOT4GHZ,
	    MWL_CH_40_MHz_WIDTH, &info) == 0) {
		addht40channels(chans, maxchans, nchans, info,
		    IEEE80211_CHAN_HTG);
	}

	/* 5GHz, 40MHz wide */
	if (mwl_hal_getchannelinfo(mh, MWL_FREQ_BAND_5GHZ,
	    MWL_CH_40_MHz_WIDTH, &info) == 0) {
		addht40channels(chans, maxchans, nchans, info,
		    IEEE80211_CHAN_HTA);
	}
}
4453 
/*
 * Report the channels the radio supports; a thin wrapper that
 * forwards to getchannels with the device's softc.
 */
static void
mwl_getradiocaps(struct ieee80211com *ic,
	int maxchans, int *nchans, struct ieee80211_channel chans[])
{
	struct mwl_softc *softc = ic->ic_softc;

	getchannels(softc, maxchans, nchans, chans);
}
4462 
/*
 * Populate ic_channels from the hal's channel tables and set the
 * initial regulatory domain fields.  The list is passed up unsorted;
 * net80211 will sort it for us.
 *
 * Returns EIO when no channel could be added, 0 otherwise.
 */
static int
mwl_getchannels(struct mwl_softc *sc)
{
	struct ieee80211com *ic = &sc->sc_ic;

	/* start from an empty table */
	ic->ic_nchans = 0;
	memset(ic->ic_channels, 0, sizeof(ic->ic_channels));
	getchannels(sc, IEEE80211_CHAN_MAX, &ic->ic_nchans, ic->ic_channels);

	ic->ic_regdomain.regdomain = SKU_DEBUG;
	ic->ic_regdomain.country = CTRY_DEFAULT;
	ic->ic_regdomain.location = 'I';
	ic->ic_regdomain.isocc[0] = ' ';	/* XXX? */
	ic->ic_regdomain.isocc[1] = ' ';

	if (ic->ic_nchans == 0)
		return EIO;
	return 0;
}
4484 #undef IEEE80211_CHAN_HTA
4485 #undef IEEE80211_CHAN_HTG
4486 
4487 #ifdef MWL_DEBUG
/*
 * Debug helper (MWL_DEBUG builds only): print one rx descriptor.
 *
 * bf	rx buffer whose descriptor is dumped
 * ix	index shown in the "R[..]" prefix
 *
 * The trailing marker after RC is empty unless RxControl equals
 * EAGLE_RXD_CTRL_DRIVER_OWN, in which case it is " *" when the
 * status has EAGLE_RXD_STATUS_OK set and " !" otherwise.
 *
 * NB: the output includes the descriptor's kernel virtual address
 * (%p) and its bus address, so these lines expose kernel addresses
 * to anyone able to read the console or message buffer.
 */
static void
mwl_printrxbuf(const struct mwl_rxbuf *bf, u_int ix)
{
	const struct mwl_rxdesc *ds = bf->bf_desc;
	uint32_t status = le32toh(ds->Status);

	printf("R[%2u] (DS.V:%p DS.P:0x%jx) NEXT:%08x DATA:%08x RC:%02x%s\n"
	       "      STAT:%02x LEN:%04x RSSI:%02x CHAN:%02x RATE:%02x QOS:%04x HT:%04x\n",
	    ix, ds, (uintmax_t)bf->bf_daddr, le32toh(ds->pPhysNext),
	    le32toh(ds->pPhysBuffData), ds->RxControl,
	    ds->RxControl != EAGLE_RXD_CTRL_DRIVER_OWN ?
	        "" : (status & EAGLE_RXD_STATUS_OK) ? " *" : " !",
	    ds->Status, le16toh(ds->PktLen), ds->RSSI, ds->Channel,
	    ds->Rate, le16toh(ds->QosCtrl), le16toh(ds->HtSig2));
}
4503 
/*
 * Debug helper (MWL_DEBUG builds only): print one tx descriptor.
 *
 * bf	tx buffer whose descriptor is dumped
 * qnum	queue number shown in the "Q.." prefix
 * ix	index within the queue shown in brackets
 *
 * The marker after STAT is empty while EAGLE_TXD_STATUS_USED is set;
 * otherwise it is " *" when either of the low two status bits is set
 * and " !" when neither is.
 *
 * NB: like mwl_printrxbuf this prints the descriptor's kernel
 * virtual address (%p) and bus address.
 */
static void
mwl_printtxbuf(const struct mwl_txbuf *bf, u_int qnum, u_int ix)
{
	const struct mwl_txdesc *ds = bf->bf_desc;
	uint32_t status = le32toh(ds->Status);

	printf("Q%u[%3u]", qnum, ix);
	printf(" (DS.V:%p DS.P:0x%jx)\n", ds, (uintmax_t)bf->bf_daddr);
	printf("    NEXT:%08x DATA:%08x LEN:%04x STAT:%08x%s\n",
	    le32toh(ds->pPhysNext),
	    le32toh(ds->PktPtr), le16toh(ds->PktLen), status,
	    status & EAGLE_TXD_STATUS_USED ?
		"" : (status & 3) != 0 ? " *" : " !");
	printf("    RATE:%02x PRI:%x QOS:%04x SAP:%08x FORMAT:%04x\n",
	    ds->DataRate, ds->TxPriority, le16toh(ds->QosCtrl),
	    le32toh(ds->SapPktInfo), le16toh(ds->Format));
	/* extra per-fragment lengths and pointers, first six slots only */
#if MWL_TXDESC > 1
	printf("    MULTIFRAMES:%u LEN:%04x %04x %04x %04x %04x %04x\n"
	    , le32toh(ds->multiframes)
	    , le16toh(ds->PktLenArray[0]), le16toh(ds->PktLenArray[1])
	    , le16toh(ds->PktLenArray[2]), le16toh(ds->PktLenArray[3])
	    , le16toh(ds->PktLenArray[4]), le16toh(ds->PktLenArray[5])
	);
	printf("    DATA:%08x %08x %08x %08x %08x %08x\n"
	    , le32toh(ds->PktPtrArray[0]), le32toh(ds->PktPtrArray[1])
	    , le32toh(ds->PktPtrArray[2]), le32toh(ds->PktPtrArray[3])
	    , le32toh(ds->PktPtrArray[4]), le32toh(ds->PktPtrArray[5])
	);
#endif
	/* compiled out: raw hex dump of the whole descriptor */
#if 0
{ const uint8_t *cp = (const uint8_t *) ds;
  int i;
  for (i = 0; i < sizeof(struct mwl_txdesc); i++) {
	printf("%02x ", cp[i]);
	if (((i+1) % 16) == 0)
		printf("\n");
  }
  printf("\n");
}
#endif
}
4545 #endif /* MWL_DEBUG */
4546 
4547 #if 0
/*
 * Dump every descriptor on a tx queue's active list (compiled out
 * by the enclosing #if 0).  The queue lock is held for the walk and
 * each descriptor is synced before it is printed; printing itself
 * only happens in MWL_DEBUG builds.
 */
static void
mwl_txq_dump(struct mwl_txq *txq)
{
	struct mwl_txbuf *bf;
	int i = 0;

	MWL_TXQ_LOCK(txq);
	STAILQ_FOREACH(bf, &txq->active, bf_list) {
		struct mwl_txdesc *ds = bf->bf_desc;
		MWL_TXDESC_SYNC(txq, ds,
		    BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
#ifdef MWL_DEBUG
		mwl_printtxbuf(bf, txq->qnum, i);
#endif
		i++;
	}
	MWL_TXQ_UNLOCK(txq);
}
4566 #endif
4567 
/*
 * Transmit watchdog, run from the sc_watchdog callout.
 *
 * The callout re-arms itself for hz ticks on every run.  Nothing
 * else happens while sc_tx_timer is zero (idle) or still positive
 * after being decremented.  When the countdown reaches zero on a
 * running, valid device a timeout is logged, the output error
 * counter is bumped and mst_watchdog is incremented.
 */
static void
mwl_watchdog(void *arg)
{
	struct mwl_softc *sc = arg;

	callout_reset(&sc->sc_watchdog, hz, mwl_watchdog, sc);
	if (sc->sc_tx_timer == 0 || --sc->sc_tx_timer > 0)
		return;

	if (sc->sc_running && !sc->sc_invalid) {
		/* a non-zero keepalive result is reported as a possible fw hang */
		if (mwl_hal_setkeepalive(sc->sc_mh))
			device_printf(sc->sc_dev,
			    "transmit timeout (firmware hung?)\n");
		else
			device_printf(sc->sc_dev,
			    "transmit timeout\n");
		/* compiled out: no reset is attempted, the timeout is only counted */
#if 0
		mwl_reset(sc);
mwl_txq_dump(&sc->sc_txq[0]);/*XXX*/
#endif
		counter_u64_add(sc->sc_ic.ic_oerrors, 1);
		sc->sc_stats.mst_watchdog++;
	}
}
4592 
4593 #ifdef MWL_DIAGAPI
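/*
 * Diagnostic interface to the HAL.  This is used by various
 * tools to do things like retrieve register contents for
 * debugging.  The mechanism is intentionally opaque so that
 * it can change frequently w/o concern for compatibility.
 *
 * md_id carries the request id (MWL_DIAG_ID bits) plus the
 * MWL_DIAG_IN and MWL_DIAG_DYN flags.  With MWL_DIAG_IN set,
 * md_in_size bytes are copied in from md_in_data.  With MWL_DIAG_DYN
 * set, a result buffer of md_out_size bytes is allocated here;
 * otherwise the HAL supplies the buffer.  At most md_out_size bytes
 * of the result are copied out to md_out_data, and md_out_size is
 * lowered when the HAL produced less.
 *
 * Returns 0 on success, ENOMEM when a buffer cannot be allocated,
 * EINVAL when the HAL rejects the request, or the copyin/copyout
 * error.
 *
 * NOTE(review): md_in_size and md_out_size come straight from the
 * request and size kernel allocations with no upper bound visible
 * here.  Together with the missing privilege check noted at the call
 * site this deserves a cap once the largest legitimate transfer is
 * known.
 */
static int
mwl_ioctl_diag(struct mwl_softc *sc, struct mwl_diag *md)
{
	struct mwl_hal *mh = sc->sc_mh;
	u_int id = md->md_id & MWL_DIAG_ID;
	void *indata = NULL;
	void *outdata = NULL;
	void *dynbuf = NULL;		/* result buffer owned by us, if any */
	u_int32_t insize = md->md_in_size;
	u_int32_t outsize = md->md_out_size;
	int error = 0;

	if (md->md_id & MWL_DIAG_IN) {
		/*
		 * Copy in data.
		 */
		indata = malloc(insize, M_TEMP, M_NOWAIT);
		if (indata == NULL) {
			error = ENOMEM;
			goto bad;
		}
		error = copyin(md->md_in_data, indata, insize);
		if (error)
			goto bad;
	}
	if (md->md_id & MWL_DIAG_DYN) {
		/*
		 * Allocate a buffer for the results (otherwise the HAL
		 * returns a pointer to a buffer where we can read the
		 * results).  The buffer is zeroed so that bytes the HAL
		 * does not fill in can never carry stale kernel memory
		 * out to the caller.
		 */
		dynbuf = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
		if (dynbuf == NULL) {
			error = ENOMEM;
			goto bad;
		}
		outdata = dynbuf;
	}
	if (mwl_hal_getdiagstate(mh, id, indata, insize, &outdata, &outsize)) {
		if (outsize < md->md_out_size)
			md->md_out_size = outsize;
		if (outdata != NULL)
			error = copyout(outdata, md->md_out_data,
					md->md_out_size);
	} else {
		error = EINVAL;
	}
bad:
	/*
	 * Release only what was allocated above.  outdata is passed to
	 * the HAL by reference, so the buffer we own is tracked in
	 * dynbuf rather than trusting the HAL to leave outdata alone.
	 */
	if (indata != NULL)
		free(indata, M_TEMP);
	if (dynbuf != NULL)
		free(dynbuf, M_TEMP);
	return error;
}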
4654 
/*
 * Diagnostic reset: optionally reload the firmware, then re-fetch
 * the h/w specs, redo DMA setup and reset the tx/rx bookkeeping.
 *
 * The firmware is reloaded only when md_id is 0.  The softc lock
 * must be held by the caller (asserted below).
 *
 * Returns 0 on success, EIO when the firmware load or the h/w spec
 * query fails, or the error from mwl_setupdma.
 */
static int
mwl_ioctl_reset(struct mwl_softc *sc, struct mwl_diag *md)
{
	struct mwl_hal *mh = sc->sc_mh;
	int error;

	MWL_LOCK_ASSERT(sc);

	/* NB: the fw load is skipped entirely for a non-zero md_id */
	if (md->md_id == 0 && mwl_hal_fwload(mh, NULL) != 0) {
		device_printf(sc->sc_dev, "unable to load firmware\n");
		return EIO;
	}
	if (mwl_hal_gethwspecs(mh, &sc->sc_hwspecs) != 0) {
		device_printf(sc->sc_dev, "unable to fetch h/w specs\n");
		return EIO;
	}
	error = mwl_setupdma(sc);
	if (error != 0) {
		/* NB: mwl_setupdma prints a msg */
		return error;
	}
	/*
	 * Reset tx/rx data structures; after reload we must
	 * re-start the driver's notion of the next xmit/recv.
	 */
	mwl_draintxq(sc);		/* clear pending frames */
	mwl_resettxq(sc);		/* rebuild tx q lists */
	sc->sc_rxnext = NULL;		/* force rx to start at the list head */
	return 0;
}
4685 #endif /* MWL_DIAGAPI */
4686 
/*
 * Bring the device in line with the number of running vaps.
 *
 * With at least one vap running the device is either refreshed
 * (already running: only the mode settings are reapplied) or
 * initialized (not running and still valid).  With none running it
 * is stopped.  ieee80211_start_all is called after the softc lock
 * has been dropped, and only when the device was initialized here.
 */
static void
mwl_parent(struct ieee80211com *ic)
{
	struct mwl_softc *sc = ic->ic_softc;
	int startall = 0;

	MWL_LOCK(sc);
	if (ic->ic_nrunning > 0) {
		if (sc->sc_running) {
			/*
			 * To avoid rescanning another access point,
			 * do not call mwl_init() here.  Instead,
			 * only reflect promisc mode settings.
			 */
			mwl_mode_init(sc);
		} else {
			/*
			 * Beware of being called during attach/detach
			 * to reset promiscuous mode.  In that case we
			 * will still be marked UP but not RUNNING.
			 * However trying to re-init the interface
			 * is the wrong thing to do as we've already
			 * torn down much of our state.  There's
			 * probably a better way to deal with this.
			 */
			if (!sc->sc_invalid) {
				mwl_init(sc);	/* XXX lose error */
				startall = 1;
			}
		}
	} else
		mwl_stop(sc);
	MWL_UNLOCK(sc);
	if (startall)
		ieee80211_start_all(ic);
}
4723 
/*
 * Driver-private ioctl handler.
 *
 * SIOCGMVSTATS	 refresh the h/w statistics and copy sc_stats out to
 *		 the user buffer named by the request
 * SIOCGMVDIAG	 (MWL_DIAGAPI only) run a HAL diagnostic request
 * SIOCGMVRESET	 (MWL_DIAGAPI only) reload/reset under the softc lock
 *
 * Any other command yields ENOTTY.
 *
 * NOTE(review): no privilege check is made in this function for the
 * two MWL_DIAGAPI commands (see the XXX markers below).  Both reach
 * the firmware and SIOCGMVDIAG sizes kernel allocations from request
 * fields, so unless the caller already restricts these commands a
 * privilege check belongs here before dispatch.
 */
static int
mwl_ioctl(struct ieee80211com *ic, u_long cmd, void *data)
{
	struct mwl_softc *sc = ic->ic_softc;
	struct ifreq *ifr = data;
	int error = 0;

	switch (cmd) {
	case SIOCGMVSTATS:
		mwl_hal_gethwstats(sc->sc_mh, &sc->sc_stats.hw_stats);
#if 0
		/* NB: embed these numbers to get a consistent view */
		sc->sc_stats.mst_tx_packets =
		    ifp->if_get_counter(ifp, IFCOUNTER_OPACKETS);
		sc->sc_stats.mst_rx_packets =
		    ifp->if_get_counter(ifp, IFCOUNTER_IPACKETS);
#endif
		/*
		 * NB: Drop the softc lock in case of a page fault;
		 * we'll accept any potential inconsistency in the
		 * statistics.  The alternative is to copy the data
		 * to a local structure.
		 */
		return (copyout(&sc->sc_stats, ifr_data_get_ptr(ifr),
		    sizeof (sc->sc_stats)));
#ifdef MWL_DIAGAPI
	case SIOCGMVDIAG:
		/* XXX check privs */
		/*
		 * NB: the request is reinterpreted as a struct mwl_diag;
		 * presumably the two layouts are kept compatible -- confirm.
		 */
		return mwl_ioctl_diag(sc, (struct mwl_diag *) ifr);
	case SIOCGMVRESET:
		/* XXX check privs */
		MWL_LOCK(sc);
		error = mwl_ioctl_reset(sc,(struct mwl_diag *) ifr);
		MWL_UNLOCK(sc);
		break;
#endif /* MWL_DIAGAPI */
	default:
		error = ENOTTY;
		break;
	}
	return (error);
}
4766 
4767 #ifdef	MWL_DEBUG
/*
 * Sysctl handler for the combined debug word: the top byte is the
 * HAL debug setting and the low 24 bits are the driver's sc_debug
 * mask.  A read reports the current combination; a write splits
 * the new value back into the two settings.
 */
static int
mwl_sysctl_debug(SYSCTL_HANDLER_ARGS)
{
	struct mwl_softc *sc = arg1;
	int value, rc;

	value = sc->sc_debug | (mwl_hal_getdebug(sc->sc_mh) << 24);
	rc = sysctl_handle_int(oidp, &value, 0, req);
	if (rc == 0 && req->newptr) {
		/* a new value was supplied: apply both halves */
		mwl_hal_setdebug(sc->sc_mh, value >> 24);
		sc->sc_debug = value & 0x00ffffff;
	}
	return rc;
}
4782 #endif /* MWL_DEBUG */
4783 
/*
 * Attach the driver's sysctl nodes.  Only MWL_DEBUG builds add
 * anything: sc_debug is seeded from mwl_debug and a read/write
 * "debug" integer node is created under the device's sysctl tree,
 * served by mwl_sysctl_debug.
 */
static void
mwl_sysctlattach(struct mwl_softc *sc)
{
#ifdef	MWL_DEBUG
	struct sysctl_ctx_list *ctx = device_get_sysctl_ctx(sc->sc_dev);
	struct sysctl_oid *tree = device_get_sysctl_tree(sc->sc_dev);

	sc->sc_debug = mwl_debug;
	/* the softc is passed as arg1 to the handler */
	SYSCTL_ADD_PROC(ctx, SYSCTL_CHILDREN(tree), OID_AUTO, "debug",
	    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, sc, 0,
	    mwl_sysctl_debug, "I", "control debugging printfs");
#endif
}
4797 
/*
 * Print hardware/firmware identification at attach time and record
 * the firmware release in the softc.  Queue assignments and buffer
 * counts are printed under bootverbose; buffer counts are also
 * printed whenever they differ from the compiled-in defaults.
 */
static void
mwl_announce(struct mwl_softc *sc)
{

	sc->sc_fwrelease = sc->sc_hwspecs.fwReleaseNumber;
	device_printf(sc->sc_dev, "Rev A%d hardware, v%d.%d.%d.%d firmware (regioncode %d)\n",
		sc->sc_hwspecs.hwVersion,
		(sc->sc_hwspecs.fwReleaseNumber>>24) & 0xff,
		(sc->sc_hwspecs.fwReleaseNumber>>16) & 0xff,
		(sc->sc_hwspecs.fwReleaseNumber>>8) & 0xff,
		(sc->sc_hwspecs.fwReleaseNumber>>0) & 0xff,
		sc->sc_hwspecs.regionCode);

	if (bootverbose) {
		int ac;

		/* one line per WME access category */
		for (ac = 0; ac <= WME_AC_VO; ac++) {
			struct mwl_txq *txq = sc->sc_ac2q[ac];

			device_printf(sc->sc_dev, "Use hw queue %u for %s traffic\n",
				txq->qnum, ieee80211_wme_acnames[ac]);
		}
	}
	if (bootverbose || mwl_rxdesc != MWL_RXDESC) {
		device_printf(sc->sc_dev, "using %u rx descriptors\n", mwl_rxdesc);
	}
	if (bootverbose || mwl_rxbuf != MWL_RXBUF) {
		device_printf(sc->sc_dev, "using %u rx buffers\n", mwl_rxbuf);
	}
	if (bootverbose || mwl_txbuf != MWL_TXBUF) {
		device_printf(sc->sc_dev, "using %u tx buffers\n", mwl_txbuf);
	}
	if (bootverbose && mwl_hal_ismbsscapable(sc->sc_mh)) {
		device_printf(sc->sc_dev, "multi-bss support\n");
	}
#ifdef MWL_TX_NODROP
	if (bootverbose) {
		device_printf(sc->sc_dev, "no tx drop\n");
	}
#endif
}
4835