xref: /freebsd/sys/dev/ral/rt2560.c (revision 282a3889ebf826db9839be296ff1dd903f6d6d6e)
1 /*	$FreeBSD$	*/
2 
3 /*-
4  * Copyright (c) 2005, 2006
5  *	Damien Bergamini <damien.bergamini@free.fr>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2560 chipset driver
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sysctl.h>
30 #include <sys/sockio.h>
31 #include <sys/mbuf.h>
32 #include <sys/kernel.h>
33 #include <sys/socket.h>
34 #include <sys/systm.h>
35 #include <sys/malloc.h>
36 #include <sys/lock.h>
37 #include <sys/mutex.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 
42 #include <machine/bus.h>
43 #include <machine/resource.h>
44 #include <sys/rman.h>
45 
46 #include <net/bpf.h>
47 #include <net/if.h>
48 #include <net/if_arp.h>
49 #include <net/ethernet.h>
50 #include <net/if_dl.h>
51 #include <net/if_media.h>
52 #include <net/if_types.h>
53 
54 #include <net80211/ieee80211_var.h>
55 #include <net80211/ieee80211_radiotap.h>
56 #include <net80211/ieee80211_regdomain.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/ip.h>
62 #include <netinet/if_ether.h>
63 
64 #include <dev/ral/if_ralrate.h>
65 #include <dev/ral/rt2560reg.h>
66 #include <dev/ral/rt2560var.h>
67 
68 #define RT2560_RSSI(sc, rssi)					\
69 	((rssi) > (RT2560_NOISE_FLOOR + (sc)->rssi_corr) ?	\
70 	 ((rssi) - RT2560_NOISE_FLOOR - (sc)->rssi_corr) : 0)
71 
72 #ifdef RAL_DEBUG
73 #define DPRINTF(x)	do { if (ral_debug > 0) printf x; } while (0)
74 #define DPRINTFN(n, x)	do { if (ral_debug >= (n)) printf x; } while (0)
75 extern int ral_debug;
76 #else
77 #define DPRINTF(x)
78 #define DPRINTFN(n, x)
79 #endif
80 
81 static void		rt2560_dma_map_addr(void *, bus_dma_segment_t *, int,
82 			    int);
83 static int		rt2560_alloc_tx_ring(struct rt2560_softc *,
84 			    struct rt2560_tx_ring *, int);
85 static void		rt2560_reset_tx_ring(struct rt2560_softc *,
86 			    struct rt2560_tx_ring *);
87 static void		rt2560_free_tx_ring(struct rt2560_softc *,
88 			    struct rt2560_tx_ring *);
89 static int		rt2560_alloc_rx_ring(struct rt2560_softc *,
90 			    struct rt2560_rx_ring *, int);
91 static void		rt2560_reset_rx_ring(struct rt2560_softc *,
92 			    struct rt2560_rx_ring *);
93 static void		rt2560_free_rx_ring(struct rt2560_softc *,
94 			    struct rt2560_rx_ring *);
95 static struct		ieee80211_node *rt2560_node_alloc(
96 			    struct ieee80211_node_table *);
97 static int		rt2560_media_change(struct ifnet *);
98 static void		rt2560_iter_func(void *, struct ieee80211_node *);
99 static void		rt2560_update_rssadapt(void *);
100 static int		rt2560_newstate(struct ieee80211com *,
101 			    enum ieee80211_state, int);
102 static uint16_t		rt2560_eeprom_read(struct rt2560_softc *, uint8_t);
103 static void		rt2560_encryption_intr(struct rt2560_softc *);
104 static void		rt2560_tx_intr(struct rt2560_softc *);
105 static void		rt2560_prio_intr(struct rt2560_softc *);
106 static void		rt2560_decryption_intr(struct rt2560_softc *);
107 static void		rt2560_rx_intr(struct rt2560_softc *);
108 static void		rt2560_beacon_expire(struct rt2560_softc *);
109 static void		rt2560_wakeup_expire(struct rt2560_softc *);
110 static uint8_t		rt2560_rxrate(struct rt2560_rx_desc *);
111 static int		rt2560_ack_rate(struct ieee80211com *, int);
112 static void		rt2560_scan_start(struct ieee80211com *);
113 static void		rt2560_scan_end(struct ieee80211com *);
114 static void		rt2560_set_channel(struct ieee80211com *);
115 static uint16_t		rt2560_txtime(int, int, uint32_t);
116 static uint8_t		rt2560_plcp_signal(int);
117 static void		rt2560_setup_tx_desc(struct rt2560_softc *,
118 			    struct rt2560_tx_desc *, uint32_t, int, int, int,
119 			    bus_addr_t);
120 static int		rt2560_tx_bcn(struct rt2560_softc *, struct mbuf *,
121 			    struct ieee80211_node *);
122 static int		rt2560_tx_mgt(struct rt2560_softc *, struct mbuf *,
123 			    struct ieee80211_node *);
124 static struct		mbuf *rt2560_get_rts(struct rt2560_softc *,
125 			    struct ieee80211_frame *, uint16_t);
126 static int		rt2560_tx_data(struct rt2560_softc *, struct mbuf *,
127 			    struct ieee80211_node *);
128 static void		rt2560_start(struct ifnet *);
129 static void		rt2560_watchdog(void *);
130 static int		rt2560_reset(struct ifnet *);
131 static int		rt2560_ioctl(struct ifnet *, u_long, caddr_t);
132 static void		rt2560_bbp_write(struct rt2560_softc *, uint8_t,
133 			    uint8_t);
134 static uint8_t		rt2560_bbp_read(struct rt2560_softc *, uint8_t);
135 static void		rt2560_rf_write(struct rt2560_softc *, uint8_t,
136 			    uint32_t);
137 static void		rt2560_set_chan(struct rt2560_softc *,
138 			    struct ieee80211_channel *);
139 #if 0
140 static void		rt2560_disable_rf_tune(struct rt2560_softc *);
141 #endif
142 static void		rt2560_enable_tsf_sync(struct rt2560_softc *);
143 static void		rt2560_update_plcp(struct rt2560_softc *);
144 static void		rt2560_update_slot(struct ifnet *);
145 static void		rt2560_set_basicrates(struct rt2560_softc *);
146 static void		rt2560_update_led(struct rt2560_softc *, int, int);
147 static void		rt2560_set_bssid(struct rt2560_softc *, const uint8_t *);
148 static void		rt2560_set_macaddr(struct rt2560_softc *, uint8_t *);
149 static void		rt2560_get_macaddr(struct rt2560_softc *, uint8_t *);
150 static void		rt2560_update_promisc(struct rt2560_softc *);
151 static const char	*rt2560_get_rf(int);
152 static void		rt2560_read_eeprom(struct rt2560_softc *);
153 static int		rt2560_bbp_init(struct rt2560_softc *);
154 static void		rt2560_set_txantenna(struct rt2560_softc *, int);
155 static void		rt2560_set_rxantenna(struct rt2560_softc *, int);
156 static void		rt2560_init(void *);
157 static int		rt2560_raw_xmit(struct ieee80211_node *, struct mbuf *,
158 				const struct ieee80211_bpf_params *);
159 
160 static const struct {
161 	uint32_t	reg;
162 	uint32_t	val;
163 } rt2560_def_mac[] = {
164 	RT2560_DEF_MAC
165 };
166 
167 static const struct {
168 	uint8_t	reg;
169 	uint8_t	val;
170 } rt2560_def_bbp[] = {
171 	RT2560_DEF_BBP
172 };
173 
174 static const uint32_t rt2560_rf2522_r2[]    = RT2560_RF2522_R2;
175 static const uint32_t rt2560_rf2523_r2[]    = RT2560_RF2523_R2;
176 static const uint32_t rt2560_rf2524_r2[]    = RT2560_RF2524_R2;
177 static const uint32_t rt2560_rf2525_r2[]    = RT2560_RF2525_R2;
178 static const uint32_t rt2560_rf2525_hi_r2[] = RT2560_RF2525_HI_R2;
179 static const uint32_t rt2560_rf2525e_r2[]   = RT2560_RF2525E_R2;
180 static const uint32_t rt2560_rf2526_r2[]    = RT2560_RF2526_R2;
181 static const uint32_t rt2560_rf2526_hi_r2[] = RT2560_RF2526_HI_R2;
182 
183 static const struct {
184 	uint8_t		chan;
185 	uint32_t	r1, r2, r4;
186 } rt2560_rf5222[] = {
187 	RT2560_RF5222
188 };
189 
190 int
191 rt2560_attach(device_t dev, int id)
192 {
193 	struct rt2560_softc *sc = device_get_softc(dev);
194 	struct ieee80211com *ic = &sc->sc_ic;
195 	struct ifnet *ifp;
196 	int error, bands;
197 
198 	sc->sc_dev = dev;
199 
200 	mtx_init(&sc->sc_mtx, device_get_nameunit(dev), MTX_NETWORK_LOCK,
201 	    MTX_DEF | MTX_RECURSE);
202 
203 	callout_init_mtx(&sc->watchdog_ch, &sc->sc_mtx, 0);
204 	callout_init(&sc->rssadapt_ch, CALLOUT_MPSAFE);
205 
206 	/* retrieve RT2560 rev. no */
207 	sc->asic_rev = RAL_READ(sc, RT2560_CSR0);
208 
209 	/* retrieve MAC address */
210 	rt2560_get_macaddr(sc, ic->ic_myaddr);
211 
212 	/* retrieve RF rev. no and various other things from EEPROM */
213 	rt2560_read_eeprom(sc);
214 
215 	device_printf(dev, "MAC/BBP RT2560 (rev 0x%02x), RF %s\n",
216 	    sc->asic_rev, rt2560_get_rf(sc->rf_rev));
217 
218 	/*
219 	 * Allocate Tx and Rx rings.
220 	 */
221 	error = rt2560_alloc_tx_ring(sc, &sc->txq, RT2560_TX_RING_COUNT);
222 	if (error != 0) {
223 		device_printf(sc->sc_dev, "could not allocate Tx ring\n");
224 		goto fail1;
225 	}
226 
227 	error = rt2560_alloc_tx_ring(sc, &sc->atimq, RT2560_ATIM_RING_COUNT);
228 	if (error != 0) {
229 		device_printf(sc->sc_dev, "could not allocate ATIM ring\n");
230 		goto fail2;
231 	}
232 
233 	error = rt2560_alloc_tx_ring(sc, &sc->prioq, RT2560_PRIO_RING_COUNT);
234 	if (error != 0) {
235 		device_printf(sc->sc_dev, "could not allocate Prio ring\n");
236 		goto fail3;
237 	}
238 
239 	error = rt2560_alloc_tx_ring(sc, &sc->bcnq, RT2560_BEACON_RING_COUNT);
240 	if (error != 0) {
241 		device_printf(sc->sc_dev, "could not allocate Beacon ring\n");
242 		goto fail4;
243 	}
244 
245 	error = rt2560_alloc_rx_ring(sc, &sc->rxq, RT2560_RX_RING_COUNT);
246 	if (error != 0) {
247 		device_printf(sc->sc_dev, "could not allocate Rx ring\n");
248 		goto fail5;
249 	}
250 
251 	ifp = sc->sc_ifp = if_alloc(IFT_ETHER);
252 	if (ifp == NULL) {
253 		device_printf(sc->sc_dev, "can not if_alloc()\n");
254 		goto fail6;
255 	}
256 
257 	ifp->if_softc = sc;
258 	if_initname(ifp, device_get_name(dev), device_get_unit(dev));
259 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
260 	ifp->if_init = rt2560_init;
261 	ifp->if_ioctl = rt2560_ioctl;
262 	ifp->if_start = rt2560_start;
263 	IFQ_SET_MAXLEN(&ifp->if_snd, IFQ_MAXLEN);
264 	ifp->if_snd.ifq_drv_maxlen = IFQ_MAXLEN;
265 	IFQ_SET_READY(&ifp->if_snd);
266 
267 	ic->ic_ifp = ifp;
268 	ic->ic_phytype = IEEE80211_T_OFDM; /* not only, but not used */
269 	ic->ic_opmode = IEEE80211_M_STA; /* default to BSS mode */
270 	ic->ic_state = IEEE80211_S_INIT;
271 
272 	/* set device capabilities */
273 	ic->ic_caps =
274 	    IEEE80211_C_IBSS |		/* IBSS mode supported */
275 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
276 	    IEEE80211_C_HOSTAP |	/* HostAp mode supported */
277 	    IEEE80211_C_TXPMGT |	/* tx power management */
278 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
279 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
280 	    IEEE80211_C_BGSCAN |	/* bg scanning support */
281 	    IEEE80211_C_WPA;		/* 802.11i */
282 
283 	bands = 0;
284 	setbit(&bands, IEEE80211_MODE_11B);
285 	setbit(&bands, IEEE80211_MODE_11G);
286 	if (sc->rf_rev == RT2560_RF_5222)
287 		setbit(&bands, IEEE80211_MODE_11A);
288 	ieee80211_init_channels(ic, 0, CTRY_DEFAULT, bands, 0, 1);
289 
290 	ieee80211_ifattach(ic);
291 	ic->ic_scan_start = rt2560_scan_start;
292 	ic->ic_scan_end = rt2560_scan_end;
293 	ic->ic_set_channel = rt2560_set_channel;
294 	ic->ic_node_alloc = rt2560_node_alloc;
295 	ic->ic_updateslot = rt2560_update_slot;
296 	ic->ic_reset = rt2560_reset;
297 	/* enable s/w bmiss handling in sta mode */
298 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
299 
300 	/* override state transition machine */
301 	sc->sc_newstate = ic->ic_newstate;
302 	ic->ic_newstate = rt2560_newstate;
303 	ic->ic_raw_xmit = rt2560_raw_xmit;
304 	ieee80211_media_init(ic, rt2560_media_change, ieee80211_media_status);
305 
306 	bpfattach2(ifp, DLT_IEEE802_11_RADIO,
307 	    sizeof (struct ieee80211_frame) + sizeof (sc->sc_txtap),
308 	    &sc->sc_drvbpf);
309 
310 	sc->sc_rxtap_len = sizeof sc->sc_rxtap;
311 	sc->sc_rxtap.wr_ihdr.it_len = htole16(sc->sc_rxtap_len);
312 	sc->sc_rxtap.wr_ihdr.it_present = htole32(RT2560_RX_RADIOTAP_PRESENT);
313 
314 	sc->sc_txtap_len = sizeof sc->sc_txtap;
315 	sc->sc_txtap.wt_ihdr.it_len = htole16(sc->sc_txtap_len);
316 	sc->sc_txtap.wt_ihdr.it_present = htole32(RT2560_TX_RADIOTAP_PRESENT);
317 
318 	/*
319 	 * Add a few sysctl knobs.
320 	 */
321 	sc->dwelltime = 200;
322 
323 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
324 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
325 	    "txantenna", CTLFLAG_RW, &sc->tx_ant, 0, "tx antenna (0=auto)");
326 
327 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
328 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO,
329 	    "rxantenna", CTLFLAG_RW, &sc->rx_ant, 0, "rx antenna (0=auto)");
330 
331 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
332 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)), OID_AUTO, "dwell",
333 	    CTLFLAG_RW, &sc->dwelltime, 0,
334 	    "channel dwell time (ms) for AP/station scanning");
335 
336 	if (bootverbose)
337 		ieee80211_announce(ic);
338 
339 	return 0;
340 
341 fail6:	rt2560_free_rx_ring(sc, &sc->rxq);
342 fail5:	rt2560_free_tx_ring(sc, &sc->bcnq);
343 fail4:	rt2560_free_tx_ring(sc, &sc->prioq);
344 fail3:	rt2560_free_tx_ring(sc, &sc->atimq);
345 fail2:	rt2560_free_tx_ring(sc, &sc->txq);
346 fail1:	mtx_destroy(&sc->sc_mtx);
347 
348 	return ENXIO;
349 }
350 
351 int
352 rt2560_detach(void *xsc)
353 {
354 	struct rt2560_softc *sc = xsc;
355 	struct ieee80211com *ic = &sc->sc_ic;
356 	struct ifnet *ifp = ic->ic_ifp;
357 
358 	rt2560_stop(sc);
359 	callout_stop(&sc->watchdog_ch);
360 	callout_stop(&sc->rssadapt_ch);
361 
362 	bpfdetach(ifp);
363 	ieee80211_ifdetach(ic);
364 
365 	rt2560_free_tx_ring(sc, &sc->txq);
366 	rt2560_free_tx_ring(sc, &sc->atimq);
367 	rt2560_free_tx_ring(sc, &sc->prioq);
368 	rt2560_free_tx_ring(sc, &sc->bcnq);
369 	rt2560_free_rx_ring(sc, &sc->rxq);
370 
371 	if_free(ifp);
372 
373 	mtx_destroy(&sc->sc_mtx);
374 
375 	return 0;
376 }
377 
378 void
379 rt2560_resume(void *xsc)
380 {
381 	struct rt2560_softc *sc = xsc;
382 	struct ifnet *ifp = sc->sc_ic.ic_ifp;
383 
384 	if (ifp->if_flags & IFF_UP) {
385 		ifp->if_init(ifp->if_softc);
386 		if (ifp->if_drv_flags & IFF_DRV_RUNNING)
387 			ifp->if_start(ifp);
388 	}
389 }
390 
391 static void
392 rt2560_dma_map_addr(void *arg, bus_dma_segment_t *segs, int nseg, int error)
393 {
394 	if (error != 0)
395 		return;
396 
397 	KASSERT(nseg == 1, ("too many DMA segments, %d should be 1", nseg));
398 
399 	*(bus_addr_t *)arg = segs[0].ds_addr;
400 }
401 
402 static int
403 rt2560_alloc_tx_ring(struct rt2560_softc *sc, struct rt2560_tx_ring *ring,
404     int count)
405 {
406 	int i, error;
407 
408 	ring->count = count;
409 	ring->queued = 0;
410 	ring->cur = ring->next = 0;
411 	ring->cur_encrypt = ring->next_encrypt = 0;
412 
413 	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 4, 0,
414 	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
415 	    count * RT2560_TX_DESC_SIZE, 1, count * RT2560_TX_DESC_SIZE,
416 	    0, NULL, NULL, &ring->desc_dmat);
417 	if (error != 0) {
418 		device_printf(sc->sc_dev, "could not create desc DMA tag\n");
419 		goto fail;
420 	}
421 
422 	error = bus_dmamem_alloc(ring->desc_dmat, (void **)&ring->desc,
423 	    BUS_DMA_NOWAIT | BUS_DMA_ZERO, &ring->desc_map);
424 	if (error != 0) {
425 		device_printf(sc->sc_dev, "could not allocate DMA memory\n");
426 		goto fail;
427 	}
428 
429 	error = bus_dmamap_load(ring->desc_dmat, ring->desc_map, ring->desc,
430 	    count * RT2560_TX_DESC_SIZE, rt2560_dma_map_addr, &ring->physaddr,
431 	    0);
432 	if (error != 0) {
433 		device_printf(sc->sc_dev, "could not load desc DMA map\n");
434 		goto fail;
435 	}
436 
437 	ring->data = malloc(count * sizeof (struct rt2560_tx_data), M_DEVBUF,
438 	    M_NOWAIT | M_ZERO);
439 	if (ring->data == NULL) {
440 		device_printf(sc->sc_dev, "could not allocate soft data\n");
441 		error = ENOMEM;
442 		goto fail;
443 	}
444 
445 	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
446 	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
447 	    MCLBYTES, RT2560_MAX_SCATTER, MCLBYTES, 0, NULL, NULL,
448 	    &ring->data_dmat);
449 	if (error != 0) {
450 		device_printf(sc->sc_dev, "could not create data DMA tag\n");
451 		goto fail;
452 	}
453 
454 	for (i = 0; i < count; i++) {
455 		error = bus_dmamap_create(ring->data_dmat, 0,
456 		    &ring->data[i].map);
457 		if (error != 0) {
458 			device_printf(sc->sc_dev, "could not create DMA map\n");
459 			goto fail;
460 		}
461 	}
462 
463 	return 0;
464 
465 fail:	rt2560_free_tx_ring(sc, ring);
466 	return error;
467 }
468 
469 static void
470 rt2560_reset_tx_ring(struct rt2560_softc *sc, struct rt2560_tx_ring *ring)
471 {
472 	struct rt2560_tx_desc *desc;
473 	struct rt2560_tx_data *data;
474 	int i;
475 
476 	for (i = 0; i < ring->count; i++) {
477 		desc = &ring->desc[i];
478 		data = &ring->data[i];
479 
480 		if (data->m != NULL) {
481 			bus_dmamap_sync(ring->data_dmat, data->map,
482 			    BUS_DMASYNC_POSTWRITE);
483 			bus_dmamap_unload(ring->data_dmat, data->map);
484 			m_freem(data->m);
485 			data->m = NULL;
486 		}
487 
488 		if (data->ni != NULL) {
489 			ieee80211_free_node(data->ni);
490 			data->ni = NULL;
491 		}
492 
493 		desc->flags = 0;
494 	}
495 
496 	bus_dmamap_sync(ring->desc_dmat, ring->desc_map, BUS_DMASYNC_PREWRITE);
497 
498 	ring->queued = 0;
499 	ring->cur = ring->next = 0;
500 	ring->cur_encrypt = ring->next_encrypt = 0;
501 }
502 
503 static void
504 rt2560_free_tx_ring(struct rt2560_softc *sc, struct rt2560_tx_ring *ring)
505 {
506 	struct rt2560_tx_data *data;
507 	int i;
508 
509 	if (ring->desc != NULL) {
510 		bus_dmamap_sync(ring->desc_dmat, ring->desc_map,
511 		    BUS_DMASYNC_POSTWRITE);
512 		bus_dmamap_unload(ring->desc_dmat, ring->desc_map);
513 		bus_dmamem_free(ring->desc_dmat, ring->desc, ring->desc_map);
514 	}
515 
516 	if (ring->desc_dmat != NULL)
517 		bus_dma_tag_destroy(ring->desc_dmat);
518 
519 	if (ring->data != NULL) {
520 		for (i = 0; i < ring->count; i++) {
521 			data = &ring->data[i];
522 
523 			if (data->m != NULL) {
524 				bus_dmamap_sync(ring->data_dmat, data->map,
525 				    BUS_DMASYNC_POSTWRITE);
526 				bus_dmamap_unload(ring->data_dmat, data->map);
527 				m_freem(data->m);
528 			}
529 
530 			if (data->ni != NULL)
531 				ieee80211_free_node(data->ni);
532 
533 			if (data->map != NULL)
534 				bus_dmamap_destroy(ring->data_dmat, data->map);
535 		}
536 
537 		free(ring->data, M_DEVBUF);
538 	}
539 
540 	if (ring->data_dmat != NULL)
541 		bus_dma_tag_destroy(ring->data_dmat);
542 }
543 
544 static int
545 rt2560_alloc_rx_ring(struct rt2560_softc *sc, struct rt2560_rx_ring *ring,
546     int count)
547 {
548 	struct rt2560_rx_desc *desc;
549 	struct rt2560_rx_data *data;
550 	bus_addr_t physaddr;
551 	int i, error;
552 
553 	ring->count = count;
554 	ring->cur = ring->next = 0;
555 	ring->cur_decrypt = 0;
556 
557 	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 4, 0,
558 	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
559 	    count * RT2560_RX_DESC_SIZE, 1, count * RT2560_RX_DESC_SIZE,
560 	    0, NULL, NULL, &ring->desc_dmat);
561 	if (error != 0) {
562 		device_printf(sc->sc_dev, "could not create desc DMA tag\n");
563 		goto fail;
564 	}
565 
566 	error = bus_dmamem_alloc(ring->desc_dmat, (void **)&ring->desc,
567 	    BUS_DMA_NOWAIT | BUS_DMA_ZERO, &ring->desc_map);
568 	if (error != 0) {
569 		device_printf(sc->sc_dev, "could not allocate DMA memory\n");
570 		goto fail;
571 	}
572 
573 	error = bus_dmamap_load(ring->desc_dmat, ring->desc_map, ring->desc,
574 	    count * RT2560_RX_DESC_SIZE, rt2560_dma_map_addr, &ring->physaddr,
575 	    0);
576 	if (error != 0) {
577 		device_printf(sc->sc_dev, "could not load desc DMA map\n");
578 		goto fail;
579 	}
580 
581 	ring->data = malloc(count * sizeof (struct rt2560_rx_data), M_DEVBUF,
582 	    M_NOWAIT | M_ZERO);
583 	if (ring->data == NULL) {
584 		device_printf(sc->sc_dev, "could not allocate soft data\n");
585 		error = ENOMEM;
586 		goto fail;
587 	}
588 
589 	/*
590 	 * Pre-allocate Rx buffers and populate Rx ring.
591 	 */
592 	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
593 	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, MCLBYTES,
594 	    1, MCLBYTES, 0, NULL, NULL, &ring->data_dmat);
595 	if (error != 0) {
596 		device_printf(sc->sc_dev, "could not create data DMA tag\n");
597 		goto fail;
598 	}
599 
600 	for (i = 0; i < count; i++) {
601 		desc = &sc->rxq.desc[i];
602 		data = &sc->rxq.data[i];
603 
604 		error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
605 		if (error != 0) {
606 			device_printf(sc->sc_dev, "could not create DMA map\n");
607 			goto fail;
608 		}
609 
610 		data->m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
611 		if (data->m == NULL) {
612 			device_printf(sc->sc_dev,
613 			    "could not allocate rx mbuf\n");
614 			error = ENOMEM;
615 			goto fail;
616 		}
617 
618 		error = bus_dmamap_load(ring->data_dmat, data->map,
619 		    mtod(data->m, void *), MCLBYTES, rt2560_dma_map_addr,
620 		    &physaddr, 0);
621 		if (error != 0) {
622 			device_printf(sc->sc_dev,
623 			    "could not load rx buf DMA map");
624 			goto fail;
625 		}
626 
627 		desc->flags = htole32(RT2560_RX_BUSY);
628 		desc->physaddr = htole32(physaddr);
629 	}
630 
631 	bus_dmamap_sync(ring->desc_dmat, ring->desc_map, BUS_DMASYNC_PREWRITE);
632 
633 	return 0;
634 
635 fail:	rt2560_free_rx_ring(sc, ring);
636 	return error;
637 }
638 
639 static void
640 rt2560_reset_rx_ring(struct rt2560_softc *sc, struct rt2560_rx_ring *ring)
641 {
642 	int i;
643 
644 	for (i = 0; i < ring->count; i++) {
645 		ring->desc[i].flags = htole32(RT2560_RX_BUSY);
646 		ring->data[i].drop = 0;
647 	}
648 
649 	bus_dmamap_sync(ring->desc_dmat, ring->desc_map, BUS_DMASYNC_PREWRITE);
650 
651 	ring->cur = ring->next = 0;
652 	ring->cur_decrypt = 0;
653 }
654 
655 static void
656 rt2560_free_rx_ring(struct rt2560_softc *sc, struct rt2560_rx_ring *ring)
657 {
658 	struct rt2560_rx_data *data;
659 	int i;
660 
661 	if (ring->desc != NULL) {
662 		bus_dmamap_sync(ring->desc_dmat, ring->desc_map,
663 		    BUS_DMASYNC_POSTWRITE);
664 		bus_dmamap_unload(ring->desc_dmat, ring->desc_map);
665 		bus_dmamem_free(ring->desc_dmat, ring->desc, ring->desc_map);
666 	}
667 
668 	if (ring->desc_dmat != NULL)
669 		bus_dma_tag_destroy(ring->desc_dmat);
670 
671 	if (ring->data != NULL) {
672 		for (i = 0; i < ring->count; i++) {
673 			data = &ring->data[i];
674 
675 			if (data->m != NULL) {
676 				bus_dmamap_sync(ring->data_dmat, data->map,
677 				    BUS_DMASYNC_POSTREAD);
678 				bus_dmamap_unload(ring->data_dmat, data->map);
679 				m_freem(data->m);
680 			}
681 
682 			if (data->map != NULL)
683 				bus_dmamap_destroy(ring->data_dmat, data->map);
684 		}
685 
686 		free(ring->data, M_DEVBUF);
687 	}
688 
689 	if (ring->data_dmat != NULL)
690 		bus_dma_tag_destroy(ring->data_dmat);
691 }
692 
693 static struct ieee80211_node *
694 rt2560_node_alloc(struct ieee80211_node_table *nt)
695 {
696 	struct rt2560_node *rn;
697 
698 	rn = malloc(sizeof (struct rt2560_node), M_80211_NODE,
699 	    M_NOWAIT | M_ZERO);
700 
701 	return (rn != NULL) ? &rn->ni : NULL;
702 }
703 
704 static int
705 rt2560_media_change(struct ifnet *ifp)
706 {
707 	struct rt2560_softc *sc = ifp->if_softc;
708 	int error;
709 
710 	error = ieee80211_media_change(ifp);
711 
712 	if (error == ENETRESET) {
713 		if ((ifp->if_flags & IFF_UP) &&
714 		    (ifp->if_drv_flags & IFF_DRV_RUNNING))
715 		        rt2560_init(sc);
716 	}
717 	return error;
718 }
719 
720 /*
721  * This function is called for each node present in the node station table.
722  */
723 static void
724 rt2560_iter_func(void *arg, struct ieee80211_node *ni)
725 {
726 	struct rt2560_node *rn = (struct rt2560_node *)ni;
727 
728 	ral_rssadapt_updatestats(&rn->rssadapt);
729 }
730 
731 /*
732  * This function is called periodically (every 100ms) in RUN state to update
733  * the rate adaptation statistics.
734  */
735 static void
736 rt2560_update_rssadapt(void *arg)
737 {
738 	struct rt2560_softc *sc = arg;
739 	struct ieee80211com *ic = &sc->sc_ic;
740 
741 	RAL_LOCK(sc);
742 
743 	ieee80211_iterate_nodes(&ic->ic_sta, rt2560_iter_func, arg);
744 	callout_reset(&sc->rssadapt_ch, hz / 10, rt2560_update_rssadapt, sc);
745 
746 	RAL_UNLOCK(sc);
747 }
748 
749 static int
750 rt2560_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
751 {
752 	struct rt2560_softc *sc = ic->ic_ifp->if_softc;
753 	enum ieee80211_state ostate;
754 	struct ieee80211_node *ni;
755 	struct mbuf *m;
756 	int error = 0;
757 
758 	ostate = ic->ic_state;
759 
760 	switch (nstate) {
761 	case IEEE80211_S_INIT:
762 		callout_stop(&sc->rssadapt_ch);
763 
764 		if (ostate == IEEE80211_S_RUN) {
765 			/* abort TSF synchronization */
766 			RAL_WRITE(sc, RT2560_CSR14, 0);
767 
768 			/* turn association led off */
769 			rt2560_update_led(sc, 0, 0);
770 		}
771 		break;
772 	case IEEE80211_S_RUN:
773 		ni = ic->ic_bss;
774 
775 		if (ic->ic_opmode != IEEE80211_M_MONITOR) {
776 			rt2560_update_plcp(sc);
777 			rt2560_set_basicrates(sc);
778 			rt2560_set_bssid(sc, ni->ni_bssid);
779 		}
780 
781 		if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
782 		    ic->ic_opmode == IEEE80211_M_IBSS) {
783 			m = ieee80211_beacon_alloc(ic, ni, &sc->sc_bo);
784 			if (m == NULL) {
785 				device_printf(sc->sc_dev,
786 				    "could not allocate beacon\n");
787 				error = ENOBUFS;
788 				break;
789 			}
790 
791 			ieee80211_ref_node(ni);
792 			error = rt2560_tx_bcn(sc, m, ni);
793 			if (error != 0)
794 				break;
795 		}
796 
797 		/* turn assocation led on */
798 		rt2560_update_led(sc, 1, 0);
799 
800 		if (ic->ic_opmode != IEEE80211_M_MONITOR) {
801 			callout_reset(&sc->rssadapt_ch, hz / 10,
802 			    rt2560_update_rssadapt, sc);
803 
804 			rt2560_enable_tsf_sync(sc);
805 		}
806 		break;
807 	case IEEE80211_S_SCAN:
808 	case IEEE80211_S_AUTH:
809 	case IEEE80211_S_ASSOC:
810 		break;
811 	}
812 
813 	return (error != 0) ? error : sc->sc_newstate(ic, nstate, arg);
814 }
815 
816 /*
817  * Read 16 bits at address 'addr' from the serial EEPROM (either 93C46 or
818  * 93C66).
819  */
820 static uint16_t
821 rt2560_eeprom_read(struct rt2560_softc *sc, uint8_t addr)
822 {
823 	uint32_t tmp;
824 	uint16_t val;
825 	int n;
826 
827 	/* clock C once before the first command */
828 	RT2560_EEPROM_CTL(sc, 0);
829 
830 	RT2560_EEPROM_CTL(sc, RT2560_S);
831 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_C);
832 	RT2560_EEPROM_CTL(sc, RT2560_S);
833 
834 	/* write start bit (1) */
835 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_D);
836 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_D | RT2560_C);
837 
838 	/* write READ opcode (10) */
839 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_D);
840 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_D | RT2560_C);
841 	RT2560_EEPROM_CTL(sc, RT2560_S);
842 	RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_C);
843 
844 	/* write address (A5-A0 or A7-A0) */
845 	n = (RAL_READ(sc, RT2560_CSR21) & RT2560_93C46) ? 5 : 7;
846 	for (; n >= 0; n--) {
847 		RT2560_EEPROM_CTL(sc, RT2560_S |
848 		    (((addr >> n) & 1) << RT2560_SHIFT_D));
849 		RT2560_EEPROM_CTL(sc, RT2560_S |
850 		    (((addr >> n) & 1) << RT2560_SHIFT_D) | RT2560_C);
851 	}
852 
853 	RT2560_EEPROM_CTL(sc, RT2560_S);
854 
855 	/* read data Q15-Q0 */
856 	val = 0;
857 	for (n = 15; n >= 0; n--) {
858 		RT2560_EEPROM_CTL(sc, RT2560_S | RT2560_C);
859 		tmp = RAL_READ(sc, RT2560_CSR21);
860 		val |= ((tmp & RT2560_Q) >> RT2560_SHIFT_Q) << n;
861 		RT2560_EEPROM_CTL(sc, RT2560_S);
862 	}
863 
864 	RT2560_EEPROM_CTL(sc, 0);
865 
866 	/* clear Chip Select and clock C */
867 	RT2560_EEPROM_CTL(sc, RT2560_S);
868 	RT2560_EEPROM_CTL(sc, 0);
869 	RT2560_EEPROM_CTL(sc, RT2560_C);
870 
871 	return val;
872 }
873 
874 /*
875  * Some frames were processed by the hardware cipher engine and are ready for
876  * transmission.
877  */
878 static void
879 rt2560_encryption_intr(struct rt2560_softc *sc)
880 {
881 	struct rt2560_tx_desc *desc;
882 	int hw;
883 
884 	/* retrieve last descriptor index processed by cipher engine */
885 	hw = RAL_READ(sc, RT2560_SECCSR1) - sc->txq.physaddr;
886 	hw /= RT2560_TX_DESC_SIZE;
887 
888 	bus_dmamap_sync(sc->txq.desc_dmat, sc->txq.desc_map,
889 	    BUS_DMASYNC_POSTREAD);
890 
891 	for (; sc->txq.next_encrypt != hw;) {
892 		desc = &sc->txq.desc[sc->txq.next_encrypt];
893 
894 		if ((le32toh(desc->flags) & RT2560_TX_BUSY) ||
895 		    (le32toh(desc->flags) & RT2560_TX_CIPHER_BUSY))
896 			break;
897 
898 		/* for TKIP, swap eiv field to fix a bug in ASIC */
899 		if ((le32toh(desc->flags) & RT2560_TX_CIPHER_MASK) ==
900 		    RT2560_TX_CIPHER_TKIP)
901 			desc->eiv = bswap32(desc->eiv);
902 
903 		/* mark the frame ready for transmission */
904 		desc->flags |= htole32(RT2560_TX_BUSY | RT2560_TX_VALID);
905 
906 		DPRINTFN(15, ("encryption done idx=%u\n",
907 		    sc->txq.next_encrypt));
908 
909 		sc->txq.next_encrypt =
910 		    (sc->txq.next_encrypt + 1) % RT2560_TX_RING_COUNT;
911 	}
912 
913 	bus_dmamap_sync(sc->txq.desc_dmat, sc->txq.desc_map,
914 	    BUS_DMASYNC_PREWRITE);
915 
916 	/* kick Tx */
917 	RAL_WRITE(sc, RT2560_TXCSR0, RT2560_KICK_TX);
918 }
919 
920 static void
921 rt2560_tx_intr(struct rt2560_softc *sc)
922 {
923 	struct ieee80211com *ic = &sc->sc_ic;
924 	struct ifnet *ifp = ic->ic_ifp;
925 	struct rt2560_tx_desc *desc;
926 	struct rt2560_tx_data *data;
927 	struct rt2560_node *rn;
928 
929 	bus_dmamap_sync(sc->txq.desc_dmat, sc->txq.desc_map,
930 	    BUS_DMASYNC_POSTREAD);
931 
932 	for (;;) {
933 		desc = &sc->txq.desc[sc->txq.next];
934 		data = &sc->txq.data[sc->txq.next];
935 
936 		if ((le32toh(desc->flags) & RT2560_TX_BUSY) ||
937 		    (le32toh(desc->flags) & RT2560_TX_CIPHER_BUSY) ||
938 		    !(le32toh(desc->flags) & RT2560_TX_VALID))
939 			break;
940 
941 		rn = (struct rt2560_node *)data->ni;
942 
943 		switch (le32toh(desc->flags) & RT2560_TX_RESULT_MASK) {
944 		case RT2560_TX_SUCCESS:
945 			DPRINTFN(10, ("data frame sent successfully\n"));
946 			if (data->id.id_node != NULL) {
947 				ral_rssadapt_raise_rate(ic, &rn->rssadapt,
948 				    &data->id);
949 			}
950 			ifp->if_opackets++;
951 			break;
952 
953 		case RT2560_TX_SUCCESS_RETRY:
954 			DPRINTFN(9, ("data frame sent after %u retries\n",
955 			    (le32toh(desc->flags) >> 5) & 0x7));
956 			ifp->if_opackets++;
957 			break;
958 
959 		case RT2560_TX_FAIL_RETRY:
960 			DPRINTFN(9, ("sending data frame failed (too much "
961 			    "retries)\n"));
962 			if (data->id.id_node != NULL) {
963 				ral_rssadapt_lower_rate(ic, data->ni,
964 				    &rn->rssadapt, &data->id);
965 			}
966 			ifp->if_oerrors++;
967 			break;
968 
969 		case RT2560_TX_FAIL_INVALID:
970 		case RT2560_TX_FAIL_OTHER:
971 		default:
972 			device_printf(sc->sc_dev, "sending data frame failed "
973 			    "0x%08x\n", le32toh(desc->flags));
974 			ifp->if_oerrors++;
975 		}
976 
977 		bus_dmamap_sync(sc->txq.data_dmat, data->map,
978 		    BUS_DMASYNC_POSTWRITE);
979 		bus_dmamap_unload(sc->txq.data_dmat, data->map);
980 		m_freem(data->m);
981 		data->m = NULL;
982 		ieee80211_free_node(data->ni);
983 		data->ni = NULL;
984 
985 		/* descriptor is no longer valid */
986 		desc->flags &= ~htole32(RT2560_TX_VALID);
987 
988 		DPRINTFN(15, ("tx done idx=%u\n", sc->txq.next));
989 
990 		sc->txq.queued--;
991 		sc->txq.next = (sc->txq.next + 1) % RT2560_TX_RING_COUNT;
992 	}
993 
994 	bus_dmamap_sync(sc->txq.desc_dmat, sc->txq.desc_map,
995 	    BUS_DMASYNC_PREWRITE);
996 
997 	sc->sc_tx_timer = 0;
998 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
999 	rt2560_start(ifp);
1000 }
1001 
1002 static void
1003 rt2560_prio_intr(struct rt2560_softc *sc)
1004 {
1005 	struct ieee80211com *ic = &sc->sc_ic;
1006 	struct ifnet *ifp = ic->ic_ifp;
1007 	struct rt2560_tx_desc *desc;
1008 	struct rt2560_tx_data *data;
1009 	struct ieee80211_node *ni;
1010 	struct mbuf *m;
1011 	int flags;
1012 
1013 	bus_dmamap_sync(sc->prioq.desc_dmat, sc->prioq.desc_map,
1014 	    BUS_DMASYNC_POSTREAD);
1015 
1016 	for (;;) {
1017 		desc = &sc->prioq.desc[sc->prioq.next];
1018 		data = &sc->prioq.data[sc->prioq.next];
1019 
1020 		flags = le32toh(desc->flags);
1021 		if ((flags & RT2560_TX_BUSY) || (flags & RT2560_TX_VALID) == 0)
1022 			break;
1023 
1024 		switch (flags & RT2560_TX_RESULT_MASK) {
1025 		case RT2560_TX_SUCCESS:
1026 			DPRINTFN(10, ("mgt frame sent successfully\n"));
1027 			break;
1028 
1029 		case RT2560_TX_SUCCESS_RETRY:
1030 			DPRINTFN(9, ("mgt frame sent after %u retries\n",
1031 			    (flags >> 5) & 0x7));
1032 			break;
1033 
1034 		case RT2560_TX_FAIL_RETRY:
1035 			DPRINTFN(9, ("sending mgt frame failed (too much "
1036 			    "retries)\n"));
1037 			break;
1038 
1039 		case RT2560_TX_FAIL_INVALID:
1040 		case RT2560_TX_FAIL_OTHER:
1041 		default:
1042 			device_printf(sc->sc_dev, "sending mgt frame failed "
1043 			    "0x%08x\n", flags);
1044 			break;
1045 		}
1046 
1047 		bus_dmamap_sync(sc->prioq.data_dmat, data->map,
1048 		    BUS_DMASYNC_POSTWRITE);
1049 		bus_dmamap_unload(sc->prioq.data_dmat, data->map);
1050 
1051 		m = data->m;
1052 		data->m = NULL;
1053 		ni = data->ni;
1054 		data->ni = NULL;
1055 
1056 		/* descriptor is no longer valid */
1057 		desc->flags &= ~htole32(RT2560_TX_VALID);
1058 
1059 		DPRINTFN(15, ("prio done idx=%u\n", sc->prioq.next));
1060 
1061 		sc->prioq.queued--;
1062 		sc->prioq.next = (sc->prioq.next + 1) % RT2560_PRIO_RING_COUNT;
1063 
1064 		if (m->m_flags & M_TXCB)
1065 			ieee80211_process_callback(ni, m,
1066 				(flags & RT2560_TX_RESULT_MASK) &~
1067 				(RT2560_TX_SUCCESS | RT2560_TX_SUCCESS_RETRY));
1068 		m_freem(m);
1069 		ieee80211_free_node(ni);
1070 	}
1071 
1072 	bus_dmamap_sync(sc->prioq.desc_dmat, sc->prioq.desc_map,
1073 	    BUS_DMASYNC_PREWRITE);
1074 
1075 	sc->sc_tx_timer = 0;
1076 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
1077 	rt2560_start(ifp);
1078 }
1079 
1080 /*
1081  * Some frames were processed by the hardware cipher engine and are ready for
1082  * transmission to the IEEE802.11 layer.
1083  */
1084 static void
1085 rt2560_decryption_intr(struct rt2560_softc *sc)
1086 {
1087 	struct ieee80211com *ic = &sc->sc_ic;
1088 	struct ifnet *ifp = ic->ic_ifp;
1089 	struct rt2560_rx_desc *desc;
1090 	struct rt2560_rx_data *data;
1091 	bus_addr_t physaddr;
1092 	struct ieee80211_frame *wh;
1093 	struct ieee80211_node *ni;
1094 	struct rt2560_node *rn;
1095 	struct mbuf *mnew, *m;
1096 	int hw, error;
1097 
1098 	/* retrieve last decriptor index processed by cipher engine */
1099 	hw = RAL_READ(sc, RT2560_SECCSR0) - sc->rxq.physaddr;
1100 	hw /= RT2560_RX_DESC_SIZE;
1101 
1102 	bus_dmamap_sync(sc->rxq.desc_dmat, sc->rxq.desc_map,
1103 	    BUS_DMASYNC_POSTREAD);
1104 
1105 	for (; sc->rxq.cur_decrypt != hw;) {
1106 		desc = &sc->rxq.desc[sc->rxq.cur_decrypt];
1107 		data = &sc->rxq.data[sc->rxq.cur_decrypt];
1108 
1109 		if ((le32toh(desc->flags) & RT2560_RX_BUSY) ||
1110 		    (le32toh(desc->flags) & RT2560_RX_CIPHER_BUSY))
1111 			break;
1112 
1113 		if (data->drop) {
1114 			ifp->if_ierrors++;
1115 			goto skip;
1116 		}
1117 
1118 		if ((le32toh(desc->flags) & RT2560_RX_CIPHER_MASK) != 0 &&
1119 		    (le32toh(desc->flags) & RT2560_RX_ICV_ERROR)) {
1120 			ifp->if_ierrors++;
1121 			goto skip;
1122 		}
1123 
1124 		/*
1125 		 * Try to allocate a new mbuf for this ring element and load it
1126 		 * before processing the current mbuf. If the ring element
1127 		 * cannot be loaded, drop the received packet and reuse the old
1128 		 * mbuf. In the unlikely case that the old mbuf can't be
1129 		 * reloaded either, explicitly panic.
1130 		 */
1131 		mnew = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
1132 		if (mnew == NULL) {
1133 			ifp->if_ierrors++;
1134 			goto skip;
1135 		}
1136 
1137 		bus_dmamap_sync(sc->rxq.data_dmat, data->map,
1138 		    BUS_DMASYNC_POSTREAD);
1139 		bus_dmamap_unload(sc->rxq.data_dmat, data->map);
1140 
1141 		error = bus_dmamap_load(sc->rxq.data_dmat, data->map,
1142 		    mtod(mnew, void *), MCLBYTES, rt2560_dma_map_addr,
1143 		    &physaddr, 0);
1144 		if (error != 0) {
1145 			m_freem(mnew);
1146 
1147 			/* try to reload the old mbuf */
1148 			error = bus_dmamap_load(sc->rxq.data_dmat, data->map,
1149 			    mtod(data->m, void *), MCLBYTES,
1150 			    rt2560_dma_map_addr, &physaddr, 0);
1151 			if (error != 0) {
1152 				/* very unlikely that it will fail... */
1153 				panic("%s: could not load old rx mbuf",
1154 				    device_get_name(sc->sc_dev));
1155 			}
1156 			ifp->if_ierrors++;
1157 			goto skip;
1158 		}
1159 
1160 		/*
1161 	 	 * New mbuf successfully loaded, update Rx ring and continue
1162 		 * processing.
1163 		 */
1164 		m = data->m;
1165 		data->m = mnew;
1166 		desc->physaddr = htole32(physaddr);
1167 
1168 		/* finalize mbuf */
1169 		m->m_pkthdr.rcvif = ifp;
1170 		m->m_pkthdr.len = m->m_len =
1171 		    (le32toh(desc->flags) >> 16) & 0xfff;
1172 
1173 		if (bpf_peers_present(sc->sc_drvbpf)) {
1174 			struct rt2560_rx_radiotap_header *tap = &sc->sc_rxtap;
1175 			uint32_t tsf_lo, tsf_hi;
1176 
1177 			/* get timestamp (low and high 32 bits) */
1178 			tsf_hi = RAL_READ(sc, RT2560_CSR17);
1179 			tsf_lo = RAL_READ(sc, RT2560_CSR16);
1180 
1181 			tap->wr_tsf =
1182 			    htole64(((uint64_t)tsf_hi << 32) | tsf_lo);
1183 			tap->wr_flags = 0;
1184 			tap->wr_rate = rt2560_rxrate(desc);
1185 			tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
1186 			tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
1187 			tap->wr_antenna = sc->rx_ant;
1188 			tap->wr_antsignal = RT2560_RSSI(sc, desc->rssi);
1189 
1190 			bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_rxtap_len, m);
1191 		}
1192 
1193 		sc->sc_flags |= RAL_INPUT_RUNNING;
1194 		RAL_UNLOCK(sc);
1195 		wh = mtod(m, struct ieee80211_frame *);
1196 		ni = ieee80211_find_rxnode(ic,
1197 		    (struct ieee80211_frame_min *)wh);
1198 
1199 		/* send the frame to the 802.11 layer */
1200 		ieee80211_input(ic, m, ni, RT2560_RSSI(sc, desc->rssi),
1201 				RT2560_NOISE_FLOOR, 0);
1202 
1203 		/* give rssi to the rate adatation algorithm */
1204 		rn = (struct rt2560_node *)ni;
1205 		ral_rssadapt_input(ic, ni, &rn->rssadapt,
1206 				   RT2560_RSSI(sc, desc->rssi));
1207 
1208 		/* node is no longer needed */
1209 		ieee80211_free_node(ni);
1210 
1211 		RAL_LOCK(sc);
1212 		sc->sc_flags &= ~RAL_INPUT_RUNNING;
1213 skip:		desc->flags = htole32(RT2560_RX_BUSY);
1214 
1215 		DPRINTFN(15, ("decryption done idx=%u\n", sc->rxq.cur_decrypt));
1216 
1217 		sc->rxq.cur_decrypt =
1218 		    (sc->rxq.cur_decrypt + 1) % RT2560_RX_RING_COUNT;
1219 	}
1220 
1221 	bus_dmamap_sync(sc->rxq.desc_dmat, sc->rxq.desc_map,
1222 	    BUS_DMASYNC_PREWRITE);
1223 }
1224 
1225 /*
1226  * Some frames were received. Pass them to the hardware cipher engine before
1227  * sending them to the 802.11 layer.
1228  */
1229 static void
1230 rt2560_rx_intr(struct rt2560_softc *sc)
1231 {
1232 	struct rt2560_rx_desc *desc;
1233 	struct rt2560_rx_data *data;
1234 
1235 	bus_dmamap_sync(sc->rxq.desc_dmat, sc->rxq.desc_map,
1236 	    BUS_DMASYNC_POSTREAD);
1237 
1238 	for (;;) {
1239 		desc = &sc->rxq.desc[sc->rxq.cur];
1240 		data = &sc->rxq.data[sc->rxq.cur];
1241 
1242 		if ((le32toh(desc->flags) & RT2560_RX_BUSY) ||
1243 		    (le32toh(desc->flags) & RT2560_RX_CIPHER_BUSY))
1244 			break;
1245 
1246 		data->drop = 0;
1247 
1248 		if ((le32toh(desc->flags) & RT2560_RX_PHY_ERROR) ||
1249 		    (le32toh(desc->flags) & RT2560_RX_CRC_ERROR)) {
1250 			/*
1251 			 * This should not happen since we did not request
1252 			 * to receive those frames when we filled RXCSR0.
1253 			 */
1254 			DPRINTFN(5, ("PHY or CRC error flags 0x%08x\n",
1255 			    le32toh(desc->flags)));
1256 			data->drop = 1;
1257 		}
1258 
1259 		if (((le32toh(desc->flags) >> 16) & 0xfff) > MCLBYTES) {
1260 			DPRINTFN(5, ("bad length\n"));
1261 			data->drop = 1;
1262 		}
1263 
1264 		/* mark the frame for decryption */
1265 		desc->flags |= htole32(RT2560_RX_CIPHER_BUSY);
1266 
1267 		DPRINTFN(15, ("rx done idx=%u\n", sc->rxq.cur));
1268 
1269 		sc->rxq.cur = (sc->rxq.cur + 1) % RT2560_RX_RING_COUNT;
1270 	}
1271 
1272 	bus_dmamap_sync(sc->rxq.desc_dmat, sc->rxq.desc_map,
1273 	    BUS_DMASYNC_PREWRITE);
1274 
1275 	/* kick decrypt */
1276 	RAL_WRITE(sc, RT2560_SECCSR0, RT2560_KICK_DECRYPT);
1277 }
1278 
1279 /*
1280  * This function is called periodically in IBSS mode when a new beacon must be
1281  * sent out.
1282  */
1283 static void
1284 rt2560_beacon_expire(struct rt2560_softc *sc)
1285 {
1286 	struct ieee80211com *ic = &sc->sc_ic;
1287 	struct rt2560_tx_data *data;
1288 
1289 	if (ic->ic_opmode != IEEE80211_M_IBSS &&
1290 	    ic->ic_opmode != IEEE80211_M_HOSTAP)
1291 		return;
1292 
1293 	data = &sc->bcnq.data[sc->bcnq.next];
1294 	/*
1295 	 * Don't send beacon if bsschan isn't set
1296 	 */
1297 	if (data->ni == NULL)
1298 	        return;
1299 
1300 	bus_dmamap_sync(sc->bcnq.data_dmat, data->map, BUS_DMASYNC_POSTWRITE);
1301 	bus_dmamap_unload(sc->bcnq.data_dmat, data->map);
1302 
1303 	ieee80211_beacon_update(ic, data->ni, &sc->sc_bo, data->m, 1);
1304 
1305 	if (bpf_peers_present(ic->ic_rawbpf))
1306 		bpf_mtap(ic->ic_rawbpf, data->m);
1307 
1308 	rt2560_tx_bcn(sc, data->m, data->ni);
1309 
1310 	DPRINTFN(15, ("beacon expired\n"));
1311 
1312 	sc->bcnq.next = (sc->bcnq.next + 1) % RT2560_BEACON_RING_COUNT;
1313 }
1314 
1315 /* ARGSUSED */
1316 static void
1317 rt2560_wakeup_expire(struct rt2560_softc *sc)
1318 {
1319 	DPRINTFN(2, ("wakeup expired\n"));
1320 }
1321 
1322 void
1323 rt2560_intr(void *arg)
1324 {
1325 	struct rt2560_softc *sc = arg;
1326 	struct ifnet *ifp = sc->sc_ifp;
1327 	uint32_t r;
1328 
1329 	RAL_LOCK(sc);
1330 
1331 	/* disable interrupts */
1332 	RAL_WRITE(sc, RT2560_CSR8, 0xffffffff);
1333 
1334 	/* don't re-enable interrupts if we're shutting down */
1335 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
1336 		RAL_UNLOCK(sc);
1337 		return;
1338 	}
1339 
1340 	r = RAL_READ(sc, RT2560_CSR7);
1341 	RAL_WRITE(sc, RT2560_CSR7, r);
1342 
1343 	if (r & RT2560_BEACON_EXPIRE)
1344 		rt2560_beacon_expire(sc);
1345 
1346 	if (r & RT2560_WAKEUP_EXPIRE)
1347 		rt2560_wakeup_expire(sc);
1348 
1349 	if (r & RT2560_ENCRYPTION_DONE)
1350 		rt2560_encryption_intr(sc);
1351 
1352 	if (r & RT2560_TX_DONE)
1353 		rt2560_tx_intr(sc);
1354 
1355 	if (r & RT2560_PRIO_DONE)
1356 		rt2560_prio_intr(sc);
1357 
1358 	if (r & RT2560_DECRYPTION_DONE)
1359 		rt2560_decryption_intr(sc);
1360 
1361 	if (r & RT2560_RX_DONE)
1362 		rt2560_rx_intr(sc);
1363 
1364 	/* re-enable interrupts */
1365 	RAL_WRITE(sc, RT2560_CSR8, RT2560_INTR_MASK);
1366 
1367 	RAL_UNLOCK(sc);
1368 }
1369 
1370 /* quickly determine if a given rate is CCK or OFDM */
1371 #define RAL_RATE_IS_OFDM(rate) ((rate) >= 12 && (rate) != 22)
1372 
1373 #define RAL_ACK_SIZE	14	/* 10 + 4(FCS) */
1374 #define RAL_CTS_SIZE	14	/* 10 + 4(FCS) */
1375 
1376 #define RAL_SIFS		10	/* us */
1377 
1378 #define RT2560_TXRX_TURNAROUND	10	/* us */
1379 
1380 /*
1381  * This function is only used by the Rx radiotap code.
1382  */
1383 static uint8_t
1384 rt2560_rxrate(struct rt2560_rx_desc *desc)
1385 {
1386 	if (le32toh(desc->flags) & RT2560_RX_OFDM) {
1387 		/* reverse function of rt2560_plcp_signal */
1388 		switch (desc->rate) {
1389 		case 0xb:	return 12;
1390 		case 0xf:	return 18;
1391 		case 0xa:	return 24;
1392 		case 0xe:	return 36;
1393 		case 0x9:	return 48;
1394 		case 0xd:	return 72;
1395 		case 0x8:	return 96;
1396 		case 0xc:	return 108;
1397 		}
1398 	} else {
1399 		if (desc->rate == 10)
1400 			return 2;
1401 		if (desc->rate == 20)
1402 			return 4;
1403 		if (desc->rate == 55)
1404 			return 11;
1405 		if (desc->rate == 110)
1406 			return 22;
1407 	}
1408 	return 2;	/* should not get there */
1409 }
1410 
1411 /*
1412  * Return the expected ack rate for a frame transmitted at rate `rate'.
1413  * XXX: this should depend on the destination node basic rate set.
1414  */
1415 static int
1416 rt2560_ack_rate(struct ieee80211com *ic, int rate)
1417 {
1418 	switch (rate) {
1419 	/* CCK rates */
1420 	case 2:
1421 		return 2;
1422 	case 4:
1423 	case 11:
1424 	case 22:
1425 		return (ic->ic_curmode == IEEE80211_MODE_11B) ? 4 : rate;
1426 
1427 	/* OFDM rates */
1428 	case 12:
1429 	case 18:
1430 		return 12;
1431 	case 24:
1432 	case 36:
1433 		return 24;
1434 	case 48:
1435 	case 72:
1436 	case 96:
1437 	case 108:
1438 		return 48;
1439 	}
1440 
1441 	/* default to 1Mbps */
1442 	return 2;
1443 }
1444 
1445 /*
1446  * Compute the duration (in us) needed to transmit `len' bytes at rate `rate'.
1447  * The function automatically determines the operating mode depending on the
1448  * given rate. `flags' indicates whether short preamble is in use or not.
1449  */
1450 static uint16_t
1451 rt2560_txtime(int len, int rate, uint32_t flags)
1452 {
1453 	uint16_t txtime;
1454 
1455 	if (RAL_RATE_IS_OFDM(rate)) {
1456 		/* IEEE Std 802.11a-1999, pp. 37 */
1457 		txtime = (8 + 4 * len + 3 + rate - 1) / rate;
1458 		txtime = 16 + 4 + 4 * txtime + 6;
1459 	} else {
1460 		/* IEEE Std 802.11b-1999, pp. 28 */
1461 		txtime = (16 * len + rate - 1) / rate;
1462 		if (rate != 2 && (flags & IEEE80211_F_SHPREAMBLE))
1463 			txtime +=  72 + 24;
1464 		else
1465 			txtime += 144 + 48;
1466 	}
1467 
1468 	return txtime;
1469 }
1470 
1471 static uint8_t
1472 rt2560_plcp_signal(int rate)
1473 {
1474 	switch (rate) {
1475 	/* CCK rates (returned values are device-dependent) */
1476 	case 2:		return 0x0;
1477 	case 4:		return 0x1;
1478 	case 11:	return 0x2;
1479 	case 22:	return 0x3;
1480 
1481 	/* OFDM rates (cf IEEE Std 802.11a-1999, pp. 14 Table 80) */
1482 	case 12:	return 0xb;
1483 	case 18:	return 0xf;
1484 	case 24:	return 0xa;
1485 	case 36:	return 0xe;
1486 	case 48:	return 0x9;
1487 	case 72:	return 0xd;
1488 	case 96:	return 0x8;
1489 	case 108:	return 0xc;
1490 
1491 	/* unsupported rates (should not get there) */
1492 	default:	return 0xff;
1493 	}
1494 }
1495 
1496 static void
1497 rt2560_setup_tx_desc(struct rt2560_softc *sc, struct rt2560_tx_desc *desc,
1498     uint32_t flags, int len, int rate, int encrypt, bus_addr_t physaddr)
1499 {
1500 	struct ieee80211com *ic = &sc->sc_ic;
1501 	uint16_t plcp_length;
1502 	int remainder;
1503 
1504 	desc->flags = htole32(flags);
1505 	desc->flags |= htole32(len << 16);
1506 	desc->flags |= encrypt ? htole32(RT2560_TX_CIPHER_BUSY) :
1507 	    htole32(RT2560_TX_BUSY | RT2560_TX_VALID);
1508 
1509 	desc->physaddr = htole32(physaddr);
1510 	desc->wme = htole16(
1511 	    RT2560_AIFSN(2) |
1512 	    RT2560_LOGCWMIN(3) |
1513 	    RT2560_LOGCWMAX(8));
1514 
1515 	/* setup PLCP fields */
1516 	desc->plcp_signal  = rt2560_plcp_signal(rate);
1517 	desc->plcp_service = 4;
1518 
1519 	len += IEEE80211_CRC_LEN;
1520 	if (RAL_RATE_IS_OFDM(rate)) {
1521 		desc->flags |= htole32(RT2560_TX_OFDM);
1522 
1523 		plcp_length = len & 0xfff;
1524 		desc->plcp_length_hi = plcp_length >> 6;
1525 		desc->plcp_length_lo = plcp_length & 0x3f;
1526 	} else {
1527 		plcp_length = (16 * len + rate - 1) / rate;
1528 		if (rate == 22) {
1529 			remainder = (16 * len) % 22;
1530 			if (remainder != 0 && remainder < 7)
1531 				desc->plcp_service |= RT2560_PLCP_LENGEXT;
1532 		}
1533 		desc->plcp_length_hi = plcp_length >> 8;
1534 		desc->plcp_length_lo = plcp_length & 0xff;
1535 
1536 		if (rate != 2 && (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
1537 			desc->plcp_signal |= 0x08;
1538 	}
1539 }
1540 
1541 static int
1542 rt2560_tx_bcn(struct rt2560_softc *sc, struct mbuf *m0,
1543     struct ieee80211_node *ni)
1544 {
1545 	struct ieee80211com *ic = &sc->sc_ic;
1546 	struct rt2560_tx_desc *desc;
1547 	struct rt2560_tx_data *data;
1548 	bus_dma_segment_t segs[RT2560_MAX_SCATTER];
1549 	int nsegs, rate, error;
1550 
1551 	desc = &sc->bcnq.desc[sc->bcnq.cur];
1552 	data = &sc->bcnq.data[sc->bcnq.cur];
1553 
1554 	rate = IEEE80211_IS_CHAN_5GHZ(ni->ni_chan) ? 12 : 2;
1555 
1556 	error = bus_dmamap_load_mbuf_sg(sc->bcnq.data_dmat, data->map, m0,
1557 	    segs, &nsegs, BUS_DMA_NOWAIT);
1558 	if (error != 0) {
1559 		device_printf(sc->sc_dev, "could not map mbuf (error %d)\n",
1560 		    error);
1561 		m_freem(m0);
1562 		return error;
1563 	}
1564 
1565 	if (bpf_peers_present(sc->sc_drvbpf)) {
1566 		struct rt2560_tx_radiotap_header *tap = &sc->sc_txtap;
1567 
1568 		tap->wt_flags = 0;
1569 		tap->wt_rate = rate;
1570 		tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
1571 		tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
1572 		tap->wt_antenna = sc->tx_ant;
1573 
1574 		bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m0);
1575 	}
1576 
1577 	data->m = m0;
1578 	data->ni = ni;
1579 
1580 	rt2560_setup_tx_desc(sc, desc, RT2560_TX_IFS_NEWBACKOFF |
1581 	    RT2560_TX_TIMESTAMP, m0->m_pkthdr.len, rate, 0, segs->ds_addr);
1582 
1583 	DPRINTFN(10, ("sending beacon frame len=%u idx=%u rate=%u\n",
1584 	    m0->m_pkthdr.len, sc->bcnq.cur, rate));
1585 
1586 	bus_dmamap_sync(sc->bcnq.data_dmat, data->map, BUS_DMASYNC_PREWRITE);
1587 	bus_dmamap_sync(sc->bcnq.desc_dmat, sc->bcnq.desc_map,
1588 	    BUS_DMASYNC_PREWRITE);
1589 
1590 	sc->bcnq.cur = (sc->bcnq.cur + 1) % RT2560_BEACON_RING_COUNT;
1591 
1592 	return 0;
1593 }
1594 
1595 static int
1596 rt2560_tx_mgt(struct rt2560_softc *sc, struct mbuf *m0,
1597     struct ieee80211_node *ni)
1598 {
1599 	struct ieee80211com *ic = &sc->sc_ic;
1600 	struct rt2560_tx_desc *desc;
1601 	struct rt2560_tx_data *data;
1602 	struct ieee80211_frame *wh;
1603 	bus_dma_segment_t segs[RT2560_MAX_SCATTER];
1604 	uint16_t dur;
1605 	uint32_t flags = 0;
1606 	int nsegs, rate, error;
1607 
1608 	desc = &sc->prioq.desc[sc->prioq.cur];
1609 	data = &sc->prioq.data[sc->prioq.cur];
1610 
1611 	rate = IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan) ? 12 : 2;
1612 
1613 	error = bus_dmamap_load_mbuf_sg(sc->prioq.data_dmat, data->map, m0,
1614 	    segs, &nsegs, 0);
1615 	if (error != 0) {
1616 		device_printf(sc->sc_dev, "could not map mbuf (error %d)\n",
1617 		    error);
1618 		m_freem(m0);
1619 		return error;
1620 	}
1621 
1622 	if (bpf_peers_present(sc->sc_drvbpf)) {
1623 		struct rt2560_tx_radiotap_header *tap = &sc->sc_txtap;
1624 
1625 		tap->wt_flags = 0;
1626 		tap->wt_rate = rate;
1627 		tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
1628 		tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
1629 		tap->wt_antenna = sc->tx_ant;
1630 
1631 		bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m0);
1632 	}
1633 
1634 	data->m = m0;
1635 	data->ni = ni;
1636 
1637 	wh = mtod(m0, struct ieee80211_frame *);
1638 
1639 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1640 		flags |= RT2560_TX_ACK;
1641 
1642 		dur = rt2560_txtime(RAL_ACK_SIZE, rate, ic->ic_flags) +
1643 		      RAL_SIFS;
1644 		*(uint16_t *)wh->i_dur = htole16(dur);
1645 
1646 		/* tell hardware to add timestamp for probe responses */
1647 		if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
1648 		    IEEE80211_FC0_TYPE_MGT &&
1649 		    (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) ==
1650 		    IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1651 			flags |= RT2560_TX_TIMESTAMP;
1652 	}
1653 
1654 	rt2560_setup_tx_desc(sc, desc, flags, m0->m_pkthdr.len, rate, 0,
1655 	    segs->ds_addr);
1656 
1657 	bus_dmamap_sync(sc->prioq.data_dmat, data->map, BUS_DMASYNC_PREWRITE);
1658 	bus_dmamap_sync(sc->prioq.desc_dmat, sc->prioq.desc_map,
1659 	    BUS_DMASYNC_PREWRITE);
1660 
1661 	DPRINTFN(10, ("sending mgt frame len=%u idx=%u rate=%u\n",
1662 	    m0->m_pkthdr.len, sc->prioq.cur, rate));
1663 
1664 	/* kick prio */
1665 	sc->prioq.queued++;
1666 	sc->prioq.cur = (sc->prioq.cur + 1) % RT2560_PRIO_RING_COUNT;
1667 	RAL_WRITE(sc, RT2560_TXCSR0, RT2560_KICK_PRIO);
1668 
1669 	return 0;
1670 }
1671 
1672 static int
1673 rt2560_tx_raw(struct rt2560_softc *sc, struct mbuf *m0,
1674     struct ieee80211_node *ni, const struct ieee80211_bpf_params *params)
1675 {
1676 	struct ieee80211com *ic = &sc->sc_ic;
1677 	struct rt2560_tx_desc *desc;
1678 	struct rt2560_tx_data *data;
1679 	bus_dma_segment_t segs[RT2560_MAX_SCATTER];
1680 	uint32_t flags;
1681 	int nsegs, rate, error;
1682 
1683 	desc = &sc->prioq.desc[sc->prioq.cur];
1684 	data = &sc->prioq.data[sc->prioq.cur];
1685 
1686 	rate = params->ibp_rate0 & IEEE80211_RATE_VAL;
1687 	/* XXX validate */
1688 	if (rate == 0) {
1689 		m_freem(m0);
1690 		return EINVAL;
1691 	}
1692 
1693 	error = bus_dmamap_load_mbuf_sg(sc->prioq.data_dmat, data->map, m0,
1694 	    segs, &nsegs, 0);
1695 	if (error != 0) {
1696 		device_printf(sc->sc_dev, "could not map mbuf (error %d)\n",
1697 		    error);
1698 		m_freem(m0);
1699 		return error;
1700 	}
1701 
1702 	if (bpf_peers_present(sc->sc_drvbpf)) {
1703 		struct rt2560_tx_radiotap_header *tap = &sc->sc_txtap;
1704 
1705 		tap->wt_flags = 0;
1706 		tap->wt_rate = rate;
1707 		tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
1708 		tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
1709 		tap->wt_antenna = sc->tx_ant;
1710 
1711 		bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m0);
1712 	}
1713 
1714 	data->m = m0;
1715 	data->ni = ni;
1716 
1717 	flags = 0;
1718 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
1719 		flags |= RT2560_TX_ACK;
1720 
1721 	/* XXX need to setup descriptor ourself */
1722 	rt2560_setup_tx_desc(sc, desc, flags, m0->m_pkthdr.len,
1723 	    rate, (params->ibp_flags & IEEE80211_BPF_CRYPTO) != 0,
1724 	    segs->ds_addr);
1725 
1726 	bus_dmamap_sync(sc->prioq.data_dmat, data->map, BUS_DMASYNC_PREWRITE);
1727 	bus_dmamap_sync(sc->prioq.desc_dmat, sc->prioq.desc_map,
1728 	    BUS_DMASYNC_PREWRITE);
1729 
1730 	DPRINTFN(10, ("sending raw frame len=%u idx=%u rate=%u\n",
1731 	    m0->m_pkthdr.len, sc->prioq.cur, rate));
1732 
1733 	/* kick prio */
1734 	sc->prioq.queued++;
1735 	sc->prioq.cur = (sc->prioq.cur + 1) % RT2560_PRIO_RING_COUNT;
1736 	RAL_WRITE(sc, RT2560_TXCSR0, RT2560_KICK_PRIO);
1737 
1738 	return 0;
1739 }
1740 
1741 /*
1742  * Build a RTS control frame.
1743  */
1744 static struct mbuf *
1745 rt2560_get_rts(struct rt2560_softc *sc, struct ieee80211_frame *wh,
1746     uint16_t dur)
1747 {
1748 	struct ieee80211_frame_rts *rts;
1749 	struct mbuf *m;
1750 
1751 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1752 	if (m == NULL) {
1753 		sc->sc_ic.ic_stats.is_tx_nobuf++;
1754 		device_printf(sc->sc_dev, "could not allocate RTS frame\n");
1755 		return NULL;
1756 	}
1757 
1758 	rts = mtod(m, struct ieee80211_frame_rts *);
1759 
1760 	rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1761 	    IEEE80211_FC0_SUBTYPE_RTS;
1762 	rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1763 	*(uint16_t *)rts->i_dur = htole16(dur);
1764 	IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1);
1765 	IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2);
1766 
1767 	m->m_pkthdr.len = m->m_len = sizeof (struct ieee80211_frame_rts);
1768 
1769 	return m;
1770 }
1771 
1772 static int
1773 rt2560_tx_data(struct rt2560_softc *sc, struct mbuf *m0,
1774     struct ieee80211_node *ni)
1775 {
1776 	struct ieee80211com *ic = &sc->sc_ic;
1777 	struct rt2560_tx_desc *desc;
1778 	struct rt2560_tx_data *data;
1779 	struct rt2560_node *rn;
1780 	struct ieee80211_frame *wh;
1781 	struct ieee80211_key *k;
1782 	struct mbuf *mnew;
1783 	bus_dma_segment_t segs[RT2560_MAX_SCATTER];
1784 	uint16_t dur;
1785 	uint32_t flags = 0;
1786 	int nsegs, rate, error;
1787 
1788 	wh = mtod(m0, struct ieee80211_frame *);
1789 
1790 	if (ic->ic_fixed_rate != IEEE80211_FIXED_RATE_NONE) {
1791 		rate = ic->ic_fixed_rate;
1792 	} else {
1793 		struct ieee80211_rateset *rs;
1794 
1795 		rs = &ni->ni_rates;
1796 		rn = (struct rt2560_node *)ni;
1797 		ni->ni_txrate = ral_rssadapt_choose(&rn->rssadapt, rs, wh,
1798 		    m0->m_pkthdr.len, NULL, 0);
1799 		rate = rs->rs_rates[ni->ni_txrate];
1800 	}
1801 	rate &= IEEE80211_RATE_VAL;
1802 
1803 	if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
1804 		k = ieee80211_crypto_encap(ic, ni, m0);
1805 		if (k == NULL) {
1806 			m_freem(m0);
1807 			return ENOBUFS;
1808 		}
1809 
1810 		/* packet header may have moved, reset our local pointer */
1811 		wh = mtod(m0, struct ieee80211_frame *);
1812 	}
1813 
1814 	/*
1815 	 * IEEE Std 802.11-1999, pp 82: "A STA shall use an RTS/CTS exchange
1816 	 * for directed frames only when the length of the MPDU is greater
1817 	 * than the length threshold indicated by [...]" ic_rtsthreshold.
1818 	 */
1819 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
1820 	    m0->m_pkthdr.len > ic->ic_rtsthreshold) {
1821 		struct mbuf *m;
1822 		uint16_t dur;
1823 		int rtsrate, ackrate;
1824 
1825 		rtsrate = IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan) ? 12 : 2;
1826 		ackrate = rt2560_ack_rate(ic, rate);
1827 
1828 		dur = rt2560_txtime(m0->m_pkthdr.len + 4, rate, ic->ic_flags) +
1829 		      rt2560_txtime(RAL_CTS_SIZE, rtsrate, ic->ic_flags) +
1830 		      rt2560_txtime(RAL_ACK_SIZE, ackrate, ic->ic_flags) +
1831 		      3 * RAL_SIFS;
1832 
1833 		m = rt2560_get_rts(sc, wh, dur);
1834 
1835 		desc = &sc->txq.desc[sc->txq.cur_encrypt];
1836 		data = &sc->txq.data[sc->txq.cur_encrypt];
1837 
1838 		error = bus_dmamap_load_mbuf_sg(sc->txq.data_dmat, data->map,
1839 		    m, segs, &nsegs, 0);
1840 		if (error != 0) {
1841 			device_printf(sc->sc_dev,
1842 			    "could not map mbuf (error %d)\n", error);
1843 			m_freem(m);
1844 			m_freem(m0);
1845 			return error;
1846 		}
1847 
1848 		/* avoid multiple free() of the same node for each fragment */
1849 		ieee80211_ref_node(ni);
1850 
1851 		data->m = m;
1852 		data->ni = ni;
1853 
1854 		/* RTS frames are not taken into account for rssadapt */
1855 		data->id.id_node = NULL;
1856 
1857 		rt2560_setup_tx_desc(sc, desc, RT2560_TX_ACK |
1858 		    RT2560_TX_MORE_FRAG, m->m_pkthdr.len, rtsrate, 1,
1859 		    segs->ds_addr);
1860 
1861 		bus_dmamap_sync(sc->txq.data_dmat, data->map,
1862 		    BUS_DMASYNC_PREWRITE);
1863 
1864 		sc->txq.queued++;
1865 		sc->txq.cur_encrypt =
1866 		    (sc->txq.cur_encrypt + 1) % RT2560_TX_RING_COUNT;
1867 
1868 		/*
1869 		 * IEEE Std 802.11-1999: when an RTS/CTS exchange is used, the
1870 		 * asynchronous data frame shall be transmitted after the CTS
1871 		 * frame and a SIFS period.
1872 		 */
1873 		flags |= RT2560_TX_LONG_RETRY | RT2560_TX_IFS_SIFS;
1874 	}
1875 
1876 	data = &sc->txq.data[sc->txq.cur_encrypt];
1877 	desc = &sc->txq.desc[sc->txq.cur_encrypt];
1878 
1879 	error = bus_dmamap_load_mbuf_sg(sc->txq.data_dmat, data->map, m0,
1880 	    segs, &nsegs, 0);
1881 	if (error != 0 && error != EFBIG) {
1882 		device_printf(sc->sc_dev, "could not map mbuf (error %d)\n",
1883 		    error);
1884 		m_freem(m0);
1885 		return error;
1886 	}
1887 	if (error != 0) {
1888 		mnew = m_defrag(m0, M_DONTWAIT);
1889 		if (mnew == NULL) {
1890 			device_printf(sc->sc_dev,
1891 			    "could not defragment mbuf\n");
1892 			m_freem(m0);
1893 			return ENOBUFS;
1894 		}
1895 		m0 = mnew;
1896 
1897 		error = bus_dmamap_load_mbuf_sg(sc->txq.data_dmat, data->map,
1898 		    m0, segs, &nsegs, 0);
1899 		if (error != 0) {
1900 			device_printf(sc->sc_dev,
1901 			    "could not map mbuf (error %d)\n", error);
1902 			m_freem(m0);
1903 			return error;
1904 		}
1905 
1906 		/* packet header may have moved, reset our local pointer */
1907 		wh = mtod(m0, struct ieee80211_frame *);
1908 	}
1909 
1910 	if (bpf_peers_present(sc->sc_drvbpf)) {
1911 		struct rt2560_tx_radiotap_header *tap = &sc->sc_txtap;
1912 
1913 		tap->wt_flags = 0;
1914 		tap->wt_rate = rate;
1915 		tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
1916 		tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
1917 		tap->wt_antenna = sc->tx_ant;
1918 
1919 		bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m0);
1920 	}
1921 
1922 	data->m = m0;
1923 	data->ni = ni;
1924 
1925 	/* remember link conditions for rate adaptation algorithm */
1926 	if (ic->ic_fixed_rate == IEEE80211_FIXED_RATE_NONE) {
1927 		data->id.id_len = m0->m_pkthdr.len;
1928 		data->id.id_rateidx = ni->ni_txrate;
1929 		data->id.id_node = ni;
1930 		data->id.id_rssi = ni->ni_rssi;
1931 	} else
1932 		data->id.id_node = NULL;
1933 
1934 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1935 		flags |= RT2560_TX_ACK;
1936 
1937 		dur = rt2560_txtime(RAL_ACK_SIZE, rt2560_ack_rate(ic, rate),
1938 		    ic->ic_flags) + RAL_SIFS;
1939 		*(uint16_t *)wh->i_dur = htole16(dur);
1940 	}
1941 
1942 	rt2560_setup_tx_desc(sc, desc, flags, m0->m_pkthdr.len, rate, 1,
1943 	    segs->ds_addr);
1944 
1945 	bus_dmamap_sync(sc->txq.data_dmat, data->map, BUS_DMASYNC_PREWRITE);
1946 	bus_dmamap_sync(sc->txq.desc_dmat, sc->txq.desc_map,
1947 	    BUS_DMASYNC_PREWRITE);
1948 
1949 	DPRINTFN(10, ("sending data frame len=%u idx=%u rate=%u\n",
1950 	    m0->m_pkthdr.len, sc->txq.cur_encrypt, rate));
1951 
1952 	/* kick encrypt */
1953 	sc->txq.queued++;
1954 	sc->txq.cur_encrypt = (sc->txq.cur_encrypt + 1) % RT2560_TX_RING_COUNT;
1955 	RAL_WRITE(sc, RT2560_SECCSR1, RT2560_KICK_ENCRYPT);
1956 
1957 	return 0;
1958 }
1959 
1960 static void
1961 rt2560_start(struct ifnet *ifp)
1962 {
1963 	struct rt2560_softc *sc = ifp->if_softc;
1964 	struct ieee80211com *ic = &sc->sc_ic;
1965 	struct mbuf *m0;
1966 	struct ether_header *eh;
1967 	struct ieee80211_node *ni;
1968 
1969 	RAL_LOCK(sc);
1970 
1971 	/* prevent management frames from being sent if we're not ready */
1972 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
1973 		RAL_UNLOCK(sc);
1974 		return;
1975 	}
1976 
1977 	for (;;) {
1978 		IF_POLL(&ic->ic_mgtq, m0);
1979 		if (m0 != NULL) {
1980 			if (sc->prioq.queued >= RT2560_PRIO_RING_COUNT) {
1981 				ifp->if_drv_flags |= IFF_DRV_OACTIVE;
1982 				break;
1983 			}
1984 			IF_DEQUEUE(&ic->ic_mgtq, m0);
1985 
1986 			ni = (struct ieee80211_node *)m0->m_pkthdr.rcvif;
1987 			m0->m_pkthdr.rcvif = NULL;
1988 
1989 			if (bpf_peers_present(ic->ic_rawbpf))
1990 				bpf_mtap(ic->ic_rawbpf, m0);
1991 
1992 			if (rt2560_tx_mgt(sc, m0, ni) != 0) {
1993 				ieee80211_free_node(ni);
1994 				break;
1995 			}
1996 		} else {
1997 			if (ic->ic_state != IEEE80211_S_RUN)
1998 				break;
1999 			IFQ_DRV_DEQUEUE(&ifp->if_snd, m0);
2000 			if (m0 == NULL)
2001 				break;
2002 			if (sc->txq.queued >= RT2560_TX_RING_COUNT - 1) {
2003 				IFQ_DRV_PREPEND(&ifp->if_snd, m0);
2004 				ifp->if_drv_flags |= IFF_DRV_OACTIVE;
2005 				break;
2006 			}
2007 
2008 			if (m0->m_len < sizeof (struct ether_header) &&
2009 			    !(m0 = m_pullup(m0, sizeof (struct ether_header))))
2010 				continue;
2011 
2012 			eh = mtod(m0, struct ether_header *);
2013 			ni = ieee80211_find_txnode(ic, eh->ether_dhost);
2014 			if (ni == NULL) {
2015 				m_freem(m0);
2016 				continue;
2017 			}
2018 			if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
2019 			    (m0->m_flags & M_PWR_SAV) == 0) {
2020 				/*
2021 				 * Station in power save mode; pass the frame
2022 				 * to the 802.11 layer and continue.  We'll get
2023 				 * the frame back when the time is right.
2024 				 */
2025 				ieee80211_pwrsave(ni, m0);
2026 				/*
2027 				 * If we're in power save mode 'cuz of a bg
2028 				 * scan cancel it so the traffic can flow.
2029 				 * The packet we just queued will automatically
2030 				 * get sent when we drop out of power save.
2031 				 * XXX locking
2032 				 */
2033 				if (ic->ic_flags & IEEE80211_F_SCAN)
2034 					ieee80211_cancel_scan(ic);
2035 				ieee80211_free_node(ni);
2036 				continue;
2037 
2038 			}
2039 
2040 			BPF_MTAP(ifp, m0);
2041 
2042 			m0 = ieee80211_encap(ic, m0, ni);
2043 			if (m0 == NULL) {
2044 				ieee80211_free_node(ni);
2045 				continue;
2046 			}
2047 
2048 			if (bpf_peers_present(ic->ic_rawbpf))
2049 				bpf_mtap(ic->ic_rawbpf, m0);
2050 
2051 			if (rt2560_tx_data(sc, m0, ni) != 0) {
2052 				ieee80211_free_node(ni);
2053 				ifp->if_oerrors++;
2054 				break;
2055 			}
2056 		}
2057 
2058 		sc->sc_tx_timer = 5;
2059 		callout_reset(&sc->watchdog_ch, hz, rt2560_watchdog, sc);
2060 	}
2061 
2062 	RAL_UNLOCK(sc);
2063 }
2064 
2065 static void
2066 rt2560_watchdog(void *arg)
2067 {
2068 	struct rt2560_softc *sc = arg;
2069 
2070 	if (sc->sc_tx_timer > 0) {
2071 		if (--sc->sc_tx_timer == 0) {
2072 			device_printf(sc->sc_dev, "device timeout\n");
2073 			rt2560_init(sc);
2074 			sc->sc_ifp->if_oerrors++;
2075 			return;
2076 		}
2077 		callout_reset(&sc->watchdog_ch, hz, rt2560_watchdog, sc);
2078 	}
2079 }
2080 
2081 /*
2082  * This function allows for fast channel switching in monitor mode (used by
2083  * net-mgmt/kismet). In IBSS mode, we must explicitly reset the interface to
2084  * generate a new beacon frame.
2085  */
2086 static int
2087 rt2560_reset(struct ifnet *ifp)
2088 {
2089 	struct rt2560_softc *sc = ifp->if_softc;
2090 	struct ieee80211com *ic = &sc->sc_ic;
2091 
2092 	if (ic->ic_opmode != IEEE80211_M_MONITOR)
2093 		return ENETRESET;
2094 
2095 	rt2560_set_chan(sc, ic->ic_curchan);
2096 
2097 	return 0;
2098 }
2099 
2100 static int
2101 rt2560_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
2102 {
2103 	struct rt2560_softc *sc = ifp->if_softc;
2104 	struct ieee80211com *ic = &sc->sc_ic;
2105 	int error = 0;
2106 
2107 
2108 
2109 	switch (cmd) {
2110 	case SIOCSIFFLAGS:
2111 		if (ifp->if_flags & IFF_UP) {
2112 			RAL_LOCK(sc);
2113 			if (ifp->if_drv_flags & IFF_DRV_RUNNING)
2114 				rt2560_update_promisc(sc);
2115 			else
2116 				rt2560_init(sc);
2117 			RAL_UNLOCK(sc);
2118 		} else {
2119 			if (ifp->if_drv_flags & IFF_DRV_RUNNING)
2120 				rt2560_stop(sc);
2121 		}
2122 
2123 		break;
2124 
2125 	default:
2126 		error = ieee80211_ioctl(ic, cmd, data);
2127 	}
2128 
2129 	if (error == ENETRESET) {
2130 		if ((ifp->if_flags & IFF_UP) &&
2131 		    (ifp->if_drv_flags & IFF_DRV_RUNNING) &&
2132 		    (ic->ic_roaming != IEEE80211_ROAMING_MANUAL))
2133 			rt2560_init(sc);
2134 		error = 0;
2135 	}
2136 
2137 
2138 	return error;
2139 }
2140 
2141 static void
2142 rt2560_bbp_write(struct rt2560_softc *sc, uint8_t reg, uint8_t val)
2143 {
2144 	uint32_t tmp;
2145 	int ntries;
2146 
2147 	for (ntries = 0; ntries < 100; ntries++) {
2148 		if (!(RAL_READ(sc, RT2560_BBPCSR) & RT2560_BBP_BUSY))
2149 			break;
2150 		DELAY(1);
2151 	}
2152 	if (ntries == 100) {
2153 		device_printf(sc->sc_dev, "could not write to BBP\n");
2154 		return;
2155 	}
2156 
2157 	tmp = RT2560_BBP_WRITE | RT2560_BBP_BUSY | reg << 8 | val;
2158 	RAL_WRITE(sc, RT2560_BBPCSR, tmp);
2159 
2160 	DPRINTFN(15, ("BBP R%u <- 0x%02x\n", reg, val));
2161 }
2162 
2163 static uint8_t
2164 rt2560_bbp_read(struct rt2560_softc *sc, uint8_t reg)
2165 {
2166 	uint32_t val;
2167 	int ntries;
2168 
2169 	val = RT2560_BBP_BUSY | reg << 8;
2170 	RAL_WRITE(sc, RT2560_BBPCSR, val);
2171 
2172 	for (ntries = 0; ntries < 100; ntries++) {
2173 		val = RAL_READ(sc, RT2560_BBPCSR);
2174 		if (!(val & RT2560_BBP_BUSY))
2175 			return val & 0xff;
2176 		DELAY(1);
2177 	}
2178 
2179 	device_printf(sc->sc_dev, "could not read from BBP\n");
2180 	return 0;
2181 }
2182 
2183 static void
2184 rt2560_rf_write(struct rt2560_softc *sc, uint8_t reg, uint32_t val)
2185 {
2186 	uint32_t tmp;
2187 	int ntries;
2188 
2189 	for (ntries = 0; ntries < 100; ntries++) {
2190 		if (!(RAL_READ(sc, RT2560_RFCSR) & RT2560_RF_BUSY))
2191 			break;
2192 		DELAY(1);
2193 	}
2194 	if (ntries == 100) {
2195 		device_printf(sc->sc_dev, "could not write to RF\n");
2196 		return;
2197 	}
2198 
2199 	tmp = RT2560_RF_BUSY | RT2560_RF_20BIT | (val & 0xfffff) << 2 |
2200 	    (reg & 0x3);
2201 	RAL_WRITE(sc, RT2560_RFCSR, tmp);
2202 
2203 	/* remember last written value in sc */
2204 	sc->rf_regs[reg] = val;
2205 
2206 	DPRINTFN(15, ("RF R[%u] <- 0x%05x\n", reg & 0x3, val & 0xfffff));
2207 }
2208 
2209 static void
2210 rt2560_set_chan(struct rt2560_softc *sc, struct ieee80211_channel *c)
2211 {
2212 	struct ieee80211com *ic = &sc->sc_ic;
2213 	uint8_t power, tmp;
2214 	u_int i, chan;
2215 
2216 	chan = ieee80211_chan2ieee(ic, c);
2217 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
2218 		return;
2219 
2220 	if (IEEE80211_IS_CHAN_2GHZ(c))
2221 		power = min(sc->txpow[chan - 1], 31);
2222 	else
2223 		power = 31;
2224 
2225 	/* adjust txpower using ifconfig settings */
2226 	power -= (100 - ic->ic_txpowlimit) / 8;
2227 
2228 	DPRINTFN(2, ("setting channel to %u, txpower to %u\n", chan, power));
2229 
2230 	switch (sc->rf_rev) {
2231 	case RT2560_RF_2522:
2232 		rt2560_rf_write(sc, RAL_RF1, 0x00814);
2233 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2522_r2[chan - 1]);
2234 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x00040);
2235 		break;
2236 
2237 	case RT2560_RF_2523:
2238 		rt2560_rf_write(sc, RAL_RF1, 0x08804);
2239 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2523_r2[chan - 1]);
2240 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x38044);
2241 		rt2560_rf_write(sc, RAL_RF4, (chan == 14) ? 0x00280 : 0x00286);
2242 		break;
2243 
2244 	case RT2560_RF_2524:
2245 		rt2560_rf_write(sc, RAL_RF1, 0x0c808);
2246 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2524_r2[chan - 1]);
2247 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x00040);
2248 		rt2560_rf_write(sc, RAL_RF4, (chan == 14) ? 0x00280 : 0x00286);
2249 		break;
2250 
2251 	case RT2560_RF_2525:
2252 		rt2560_rf_write(sc, RAL_RF1, 0x08808);
2253 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2525_hi_r2[chan - 1]);
2254 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x18044);
2255 		rt2560_rf_write(sc, RAL_RF4, (chan == 14) ? 0x00280 : 0x00286);
2256 
2257 		rt2560_rf_write(sc, RAL_RF1, 0x08808);
2258 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2525_r2[chan - 1]);
2259 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x18044);
2260 		rt2560_rf_write(sc, RAL_RF4, (chan == 14) ? 0x00280 : 0x00286);
2261 		break;
2262 
2263 	case RT2560_RF_2525E:
2264 		rt2560_rf_write(sc, RAL_RF1, 0x08808);
2265 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2525e_r2[chan - 1]);
2266 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x18044);
2267 		rt2560_rf_write(sc, RAL_RF4, (chan == 14) ? 0x00286 : 0x00282);
2268 		break;
2269 
2270 	case RT2560_RF_2526:
2271 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2526_hi_r2[chan - 1]);
2272 		rt2560_rf_write(sc, RAL_RF4, (chan & 1) ? 0x00386 : 0x00381);
2273 		rt2560_rf_write(sc, RAL_RF1, 0x08804);
2274 
2275 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf2526_r2[chan - 1]);
2276 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x18044);
2277 		rt2560_rf_write(sc, RAL_RF4, (chan & 1) ? 0x00386 : 0x00381);
2278 		break;
2279 
2280 	/* dual-band RF */
2281 	case RT2560_RF_5222:
2282 		for (i = 0; rt2560_rf5222[i].chan != chan; i++);
2283 
2284 		rt2560_rf_write(sc, RAL_RF1, rt2560_rf5222[i].r1);
2285 		rt2560_rf_write(sc, RAL_RF2, rt2560_rf5222[i].r2);
2286 		rt2560_rf_write(sc, RAL_RF3, power << 7 | 0x00040);
2287 		rt2560_rf_write(sc, RAL_RF4, rt2560_rf5222[i].r4);
2288 		break;
2289 	default:
2290  	        printf("unknown ral rev=%d\n", sc->rf_rev);
2291 	}
2292 
2293 	if (ic->ic_state != IEEE80211_S_SCAN) {
2294 		/* set Japan filter bit for channel 14 */
2295 		tmp = rt2560_bbp_read(sc, 70);
2296 
2297 		tmp &= ~RT2560_JAPAN_FILTER;
2298 		if (chan == 14)
2299 			tmp |= RT2560_JAPAN_FILTER;
2300 
2301 		rt2560_bbp_write(sc, 70, tmp);
2302 
2303 		/* clear CRC errors */
2304 		RAL_READ(sc, RT2560_CNT0);
2305 	}
2306 }
2307 
2308 static void
2309 rt2560_set_channel(struct ieee80211com *ic)
2310 {
2311 	struct ifnet *ifp = ic->ic_ifp;
2312 	struct rt2560_softc *sc = ifp->if_softc;
2313 
2314 	RAL_LOCK(sc);
2315 	rt2560_set_chan(sc, ic->ic_curchan);
2316 	RAL_UNLOCK(sc);
2317 
2318 }
2319 
2320 #if 0
2321 /*
2322  * Disable RF auto-tuning.
2323  */
2324 static void
2325 rt2560_disable_rf_tune(struct rt2560_softc *sc)
2326 {
2327 	uint32_t tmp;
2328 
2329 	if (sc->rf_rev != RT2560_RF_2523) {
2330 		tmp = sc->rf_regs[RAL_RF1] & ~RAL_RF1_AUTOTUNE;
2331 		rt2560_rf_write(sc, RAL_RF1, tmp);
2332 	}
2333 
2334 	tmp = sc->rf_regs[RAL_RF3] & ~RAL_RF3_AUTOTUNE;
2335 	rt2560_rf_write(sc, RAL_RF3, tmp);
2336 
2337 	DPRINTFN(2, ("disabling RF autotune\n"));
2338 }
2339 #endif
2340 
2341 /*
2342  * Refer to IEEE Std 802.11-1999 pp. 123 for more information on TSF
2343  * synchronization.
2344  */
2345 static void
2346 rt2560_enable_tsf_sync(struct rt2560_softc *sc)
2347 {
2348 	struct ieee80211com *ic = &sc->sc_ic;
2349 	uint16_t logcwmin, preload;
2350 	uint32_t tmp;
2351 
2352 	/* first, disable TSF synchronization */
2353 	RAL_WRITE(sc, RT2560_CSR14, 0);
2354 
2355 	tmp = 16 * ic->ic_bss->ni_intval;
2356 	RAL_WRITE(sc, RT2560_CSR12, tmp);
2357 
2358 	RAL_WRITE(sc, RT2560_CSR13, 0);
2359 
2360 	logcwmin = 5;
2361 	preload = (ic->ic_opmode == IEEE80211_M_STA) ? 384 : 1024;
2362 	tmp = logcwmin << 16 | preload;
2363 	RAL_WRITE(sc, RT2560_BCNOCSR, tmp);
2364 
2365 	/* finally, enable TSF synchronization */
2366 	tmp = RT2560_ENABLE_TSF | RT2560_ENABLE_TBCN;
2367 	if (ic->ic_opmode == IEEE80211_M_STA)
2368 		tmp |= RT2560_ENABLE_TSF_SYNC(1);
2369 	else
2370 		tmp |= RT2560_ENABLE_TSF_SYNC(2) |
2371 		       RT2560_ENABLE_BEACON_GENERATOR;
2372 	RAL_WRITE(sc, RT2560_CSR14, tmp);
2373 
2374 	DPRINTF(("enabling TSF synchronization\n"));
2375 }
2376 
2377 static void
2378 rt2560_update_plcp(struct rt2560_softc *sc)
2379 {
2380 	struct ieee80211com *ic = &sc->sc_ic;
2381 
2382 	/* no short preamble for 1Mbps */
2383 	RAL_WRITE(sc, RT2560_PLCP1MCSR, 0x00700400);
2384 
2385 	if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) {
2386 		/* values taken from the reference driver */
2387 		RAL_WRITE(sc, RT2560_PLCP2MCSR,   0x00380401);
2388 		RAL_WRITE(sc, RT2560_PLCP5p5MCSR, 0x00150402);
2389 		RAL_WRITE(sc, RT2560_PLCP11MCSR,  0x000b8403);
2390 	} else {
2391 		/* same values as above or'ed 0x8 */
2392 		RAL_WRITE(sc, RT2560_PLCP2MCSR,   0x00380409);
2393 		RAL_WRITE(sc, RT2560_PLCP5p5MCSR, 0x0015040a);
2394 		RAL_WRITE(sc, RT2560_PLCP11MCSR,  0x000b840b);
2395 	}
2396 
2397 	DPRINTF(("updating PLCP for %s preamble\n",
2398 	    (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ? "short" : "long"));
2399 }
2400 
2401 /*
2402  * This function can be called by ieee80211_set_shortslottime(). Refer to
2403  * IEEE Std 802.11-1999 pp. 85 to know how these values are computed.
2404  */
2405 static void
2406 rt2560_update_slot(struct ifnet *ifp)
2407 {
2408 	struct rt2560_softc *sc = ifp->if_softc;
2409 	struct ieee80211com *ic = &sc->sc_ic;
2410 	uint8_t slottime;
2411 	uint16_t tx_sifs, tx_pifs, tx_difs, eifs;
2412 	uint32_t tmp;
2413 
2414 	slottime = (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
2415 
2416 	/* update the MAC slot boundaries */
2417 	tx_sifs = RAL_SIFS - RT2560_TXRX_TURNAROUND;
2418 	tx_pifs = tx_sifs + slottime;
2419 	tx_difs = tx_sifs + 2 * slottime;
2420 	eifs = (ic->ic_curmode == IEEE80211_MODE_11B) ? 364 : 60;
2421 
2422 	tmp = RAL_READ(sc, RT2560_CSR11);
2423 	tmp = (tmp & ~0x1f00) | slottime << 8;
2424 	RAL_WRITE(sc, RT2560_CSR11, tmp);
2425 
2426 	tmp = tx_pifs << 16 | tx_sifs;
2427 	RAL_WRITE(sc, RT2560_CSR18, tmp);
2428 
2429 	tmp = eifs << 16 | tx_difs;
2430 	RAL_WRITE(sc, RT2560_CSR19, tmp);
2431 
2432 	DPRINTF(("setting slottime to %uus\n", slottime));
2433 }
2434 
2435 static void
2436 rt2560_set_basicrates(struct rt2560_softc *sc)
2437 {
2438 	struct ieee80211com *ic = &sc->sc_ic;
2439 
2440 	/* update basic rate set */
2441 	if (ic->ic_curmode == IEEE80211_MODE_11B) {
2442 		/* 11b basic rates: 1, 2Mbps */
2443 		RAL_WRITE(sc, RT2560_ARSP_PLCP_1, 0x3);
2444 	} else if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan)) {
2445 		/* 11a basic rates: 6, 12, 24Mbps */
2446 		RAL_WRITE(sc, RT2560_ARSP_PLCP_1, 0x150);
2447 	} else {
2448 		/* 11g basic rates: 1, 2, 5.5, 11, 6, 12, 24Mbps */
2449 		RAL_WRITE(sc, RT2560_ARSP_PLCP_1, 0x15f);
2450 	}
2451 }
2452 
2453 static void
2454 rt2560_update_led(struct rt2560_softc *sc, int led1, int led2)
2455 {
2456 	uint32_t tmp;
2457 
2458 	/* set ON period to 70ms and OFF period to 30ms */
2459 	tmp = led1 << 16 | led2 << 17 | 70 << 8 | 30;
2460 	RAL_WRITE(sc, RT2560_LEDCSR, tmp);
2461 }
2462 
2463 static void
2464 rt2560_set_bssid(struct rt2560_softc *sc, const uint8_t *bssid)
2465 {
2466 	uint32_t tmp;
2467 
2468 	tmp = bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24;
2469 	RAL_WRITE(sc, RT2560_CSR5, tmp);
2470 
2471 	tmp = bssid[4] | bssid[5] << 8;
2472 	RAL_WRITE(sc, RT2560_CSR6, tmp);
2473 
2474 	DPRINTF(("setting BSSID to %6D\n", bssid, ":"));
2475 }
2476 
2477 static void
2478 rt2560_set_macaddr(struct rt2560_softc *sc, uint8_t *addr)
2479 {
2480 	uint32_t tmp;
2481 
2482 	tmp = addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24;
2483 	RAL_WRITE(sc, RT2560_CSR3, tmp);
2484 
2485 	tmp = addr[4] | addr[5] << 8;
2486 	RAL_WRITE(sc, RT2560_CSR4, tmp);
2487 
2488 	DPRINTF(("setting MAC address to %6D\n", addr, ":"));
2489 }
2490 
2491 static void
2492 rt2560_get_macaddr(struct rt2560_softc *sc, uint8_t *addr)
2493 {
2494 	uint32_t tmp;
2495 
2496 	tmp = RAL_READ(sc, RT2560_CSR3);
2497 	addr[0] = tmp & 0xff;
2498 	addr[1] = (tmp >>  8) & 0xff;
2499 	addr[2] = (tmp >> 16) & 0xff;
2500 	addr[3] = (tmp >> 24);
2501 
2502 	tmp = RAL_READ(sc, RT2560_CSR4);
2503 	addr[4] = tmp & 0xff;
2504 	addr[5] = (tmp >> 8) & 0xff;
2505 }
2506 
2507 static void
2508 rt2560_update_promisc(struct rt2560_softc *sc)
2509 {
2510 	struct ifnet *ifp = sc->sc_ic.ic_ifp;
2511 	uint32_t tmp;
2512 
2513 	tmp = RAL_READ(sc, RT2560_RXCSR0);
2514 
2515 	tmp &= ~RT2560_DROP_NOT_TO_ME;
2516 	if (!(ifp->if_flags & IFF_PROMISC))
2517 		tmp |= RT2560_DROP_NOT_TO_ME;
2518 
2519 	RAL_WRITE(sc, RT2560_RXCSR0, tmp);
2520 
2521 	DPRINTF(("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
2522 	    "entering" : "leaving"));
2523 }
2524 
2525 static const char *
2526 rt2560_get_rf(int rev)
2527 {
2528 	switch (rev) {
2529 	case RT2560_RF_2522:	return "RT2522";
2530 	case RT2560_RF_2523:	return "RT2523";
2531 	case RT2560_RF_2524:	return "RT2524";
2532 	case RT2560_RF_2525:	return "RT2525";
2533 	case RT2560_RF_2525E:	return "RT2525e";
2534 	case RT2560_RF_2526:	return "RT2526";
2535 	case RT2560_RF_5222:	return "RT5222";
2536 	default:		return "unknown";
2537 	}
2538 }
2539 
2540 static void
2541 rt2560_read_eeprom(struct rt2560_softc *sc)
2542 {
2543 	uint16_t val;
2544 	int i;
2545 
2546 	val = rt2560_eeprom_read(sc, RT2560_EEPROM_CONFIG0);
2547 	sc->rf_rev =   (val >> 11) & 0x7;
2548 	sc->hw_radio = (val >> 10) & 0x1;
2549 	sc->led_mode = (val >> 6)  & 0x7;
2550 	sc->rx_ant =   (val >> 4)  & 0x3;
2551 	sc->tx_ant =   (val >> 2)  & 0x3;
2552 	sc->nb_ant =   val & 0x3;
2553 
2554 	/* read default values for BBP registers */
2555 	for (i = 0; i < 16; i++) {
2556 		val = rt2560_eeprom_read(sc, RT2560_EEPROM_BBP_BASE + i);
2557 		sc->bbp_prom[i].reg = val >> 8;
2558 		sc->bbp_prom[i].val = val & 0xff;
2559 	}
2560 
2561 	/* read Tx power for all b/g channels */
2562 	for (i = 0; i < 14 / 2; i++) {
2563 		val = rt2560_eeprom_read(sc, RT2560_EEPROM_TXPOWER + i);
2564 		sc->txpow[i * 2] = val >> 8;
2565 		sc->txpow[i * 2 + 1] = val & 0xff;
2566 	}
2567 
2568 	val = rt2560_eeprom_read(sc, RT2560_EEPROM_CALIBRATE);
2569 	if ((val & 0xff) == 0xff)
2570 		sc->rssi_corr = RT2560_DEFAULT_RSSI_CORR;
2571 	else
2572 		sc->rssi_corr = val & 0xff;
2573 	DPRINTF(("rssi correction %d, calibrate 0x%02x\n",
2574 		 sc->rssi_corr, val));
2575 }
2576 
2577 
2578 static void
2579 rt2560_scan_start(struct ieee80211com *ic)
2580 {
2581 	struct ifnet *ifp = ic->ic_ifp;
2582 	struct rt2560_softc *sc = ifp->if_softc;
2583 
2584 	/* abort TSF synchronization */
2585 	RAL_WRITE(sc, RT2560_CSR14, 0);
2586 	rt2560_set_bssid(sc, ifp->if_broadcastaddr);
2587 }
2588 
2589 static void
2590 rt2560_scan_end(struct ieee80211com *ic)
2591 {
2592 	struct ifnet *ifp = ic->ic_ifp;
2593 	struct rt2560_softc *sc = ifp->if_softc;
2594 
2595 	rt2560_enable_tsf_sync(sc);
2596 	/* XXX keep local copy */
2597 	rt2560_set_bssid(sc, ic->ic_bss->ni_bssid);
2598 }
2599 
2600 static int
2601 rt2560_bbp_init(struct rt2560_softc *sc)
2602 {
2603 #define N(a)	(sizeof (a) / sizeof ((a)[0]))
2604 	int i, ntries;
2605 
2606 	/* wait for BBP to be ready */
2607 	for (ntries = 0; ntries < 100; ntries++) {
2608 		if (rt2560_bbp_read(sc, RT2560_BBP_VERSION) != 0)
2609 			break;
2610 		DELAY(1);
2611 	}
2612 	if (ntries == 100) {
2613 		device_printf(sc->sc_dev, "timeout waiting for BBP\n");
2614 		return EIO;
2615 	}
2616 
2617 	/* initialize BBP registers to default values */
2618 	for (i = 0; i < N(rt2560_def_bbp); i++) {
2619 		rt2560_bbp_write(sc, rt2560_def_bbp[i].reg,
2620 		    rt2560_def_bbp[i].val);
2621 	}
2622 #if 0
2623 	/* initialize BBP registers to values stored in EEPROM */
2624 	for (i = 0; i < 16; i++) {
2625 		if (sc->bbp_prom[i].reg == 0xff)
2626 			continue;
2627 		rt2560_bbp_write(sc, sc->bbp_prom[i].reg, sc->bbp_prom[i].val);
2628 	}
2629 #endif
2630 
2631 	return 0;
2632 #undef N
2633 }
2634 
2635 static void
2636 rt2560_set_txantenna(struct rt2560_softc *sc, int antenna)
2637 {
2638 	uint32_t tmp;
2639 	uint8_t tx;
2640 
2641 	tx = rt2560_bbp_read(sc, RT2560_BBP_TX) & ~RT2560_BBP_ANTMASK;
2642 	if (antenna == 1)
2643 		tx |= RT2560_BBP_ANTA;
2644 	else if (antenna == 2)
2645 		tx |= RT2560_BBP_ANTB;
2646 	else
2647 		tx |= RT2560_BBP_DIVERSITY;
2648 
2649 	/* need to force I/Q flip for RF 2525e, 2526 and 5222 */
2650 	if (sc->rf_rev == RT2560_RF_2525E || sc->rf_rev == RT2560_RF_2526 ||
2651 	    sc->rf_rev == RT2560_RF_5222)
2652 		tx |= RT2560_BBP_FLIPIQ;
2653 
2654 	rt2560_bbp_write(sc, RT2560_BBP_TX, tx);
2655 
2656 	/* update values for CCK and OFDM in BBPCSR1 */
2657 	tmp = RAL_READ(sc, RT2560_BBPCSR1) & ~0x00070007;
2658 	tmp |= (tx & 0x7) << 16 | (tx & 0x7);
2659 	RAL_WRITE(sc, RT2560_BBPCSR1, tmp);
2660 }
2661 
2662 static void
2663 rt2560_set_rxantenna(struct rt2560_softc *sc, int antenna)
2664 {
2665 	uint8_t rx;
2666 
2667 	rx = rt2560_bbp_read(sc, RT2560_BBP_RX) & ~RT2560_BBP_ANTMASK;
2668 	if (antenna == 1)
2669 		rx |= RT2560_BBP_ANTA;
2670 	else if (antenna == 2)
2671 		rx |= RT2560_BBP_ANTB;
2672 	else
2673 		rx |= RT2560_BBP_DIVERSITY;
2674 
2675 	/* need to force no I/Q flip for RF 2525e and 2526 */
2676 	if (sc->rf_rev == RT2560_RF_2525E || sc->rf_rev == RT2560_RF_2526)
2677 		rx &= ~RT2560_BBP_FLIPIQ;
2678 
2679 	rt2560_bbp_write(sc, RT2560_BBP_RX, rx);
2680 }
2681 
2682 static void
2683 rt2560_init(void *priv)
2684 {
2685 #define N(a)	(sizeof (a) / sizeof ((a)[0]))
2686 	struct rt2560_softc *sc = priv;
2687 	struct ieee80211com *ic = &sc->sc_ic;
2688 	struct ifnet *ifp = ic->ic_ifp;
2689 	uint32_t tmp;
2690 	int i;
2691 
2692 
2693 
2694 	rt2560_stop(sc);
2695 
2696 	RAL_LOCK(sc);
2697 	/* setup tx rings */
2698 	tmp = RT2560_PRIO_RING_COUNT << 24 |
2699 	      RT2560_ATIM_RING_COUNT << 16 |
2700 	      RT2560_TX_RING_COUNT   <<  8 |
2701 	      RT2560_TX_DESC_SIZE;
2702 
2703 	/* rings must be initialized in this exact order */
2704 	RAL_WRITE(sc, RT2560_TXCSR2, tmp);
2705 	RAL_WRITE(sc, RT2560_TXCSR3, sc->txq.physaddr);
2706 	RAL_WRITE(sc, RT2560_TXCSR5, sc->prioq.physaddr);
2707 	RAL_WRITE(sc, RT2560_TXCSR4, sc->atimq.physaddr);
2708 	RAL_WRITE(sc, RT2560_TXCSR6, sc->bcnq.physaddr);
2709 
2710 	/* setup rx ring */
2711 	tmp = RT2560_RX_RING_COUNT << 8 | RT2560_RX_DESC_SIZE;
2712 
2713 	RAL_WRITE(sc, RT2560_RXCSR1, tmp);
2714 	RAL_WRITE(sc, RT2560_RXCSR2, sc->rxq.physaddr);
2715 
2716 	/* initialize MAC registers to default values */
2717 	for (i = 0; i < N(rt2560_def_mac); i++)
2718 		RAL_WRITE(sc, rt2560_def_mac[i].reg, rt2560_def_mac[i].val);
2719 
2720 	IEEE80211_ADDR_COPY(ic->ic_myaddr, IF_LLADDR(ifp));
2721 	rt2560_set_macaddr(sc, ic->ic_myaddr);
2722 
2723 	/* set basic rate set (will be updated later) */
2724 	RAL_WRITE(sc, RT2560_ARSP_PLCP_1, 0x153);
2725 
2726 	rt2560_set_txantenna(sc, sc->tx_ant);
2727 	rt2560_set_rxantenna(sc, sc->rx_ant);
2728 	rt2560_update_slot(ifp);
2729 	rt2560_update_plcp(sc);
2730 	rt2560_update_led(sc, 0, 0);
2731 
2732 	RAL_WRITE(sc, RT2560_CSR1, RT2560_RESET_ASIC);
2733 	RAL_WRITE(sc, RT2560_CSR1, RT2560_HOST_READY);
2734 
2735 	if (rt2560_bbp_init(sc) != 0) {
2736 		rt2560_stop(sc);
2737 		RAL_UNLOCK(sc);
2738 		return;
2739 	}
2740 
2741 	/* set default BSS channel */
2742 	rt2560_set_chan(sc, ic->ic_curchan);
2743 
2744 	/* kick Rx */
2745 	tmp = RT2560_DROP_PHY_ERROR | RT2560_DROP_CRC_ERROR;
2746 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
2747 		tmp |= RT2560_DROP_CTL | RT2560_DROP_VERSION_ERROR;
2748 		if (ic->ic_opmode != IEEE80211_M_HOSTAP)
2749 			tmp |= RT2560_DROP_TODS;
2750 		if (!(ifp->if_flags & IFF_PROMISC))
2751 			tmp |= RT2560_DROP_NOT_TO_ME;
2752 	}
2753 	RAL_WRITE(sc, RT2560_RXCSR0, tmp);
2754 
2755 	/* clear old FCS and Rx FIFO errors */
2756 	RAL_READ(sc, RT2560_CNT0);
2757 	RAL_READ(sc, RT2560_CNT4);
2758 
2759 	/* clear any pending interrupts */
2760 	RAL_WRITE(sc, RT2560_CSR7, 0xffffffff);
2761 
2762 	/* enable interrupts */
2763 	RAL_WRITE(sc, RT2560_CSR8, RT2560_INTR_MASK);
2764 
2765 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
2766 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
2767 
2768 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
2769 		if (ic->ic_roaming != IEEE80211_ROAMING_MANUAL)
2770 			ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
2771 	} else
2772 		ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
2773 
2774 	RAL_UNLOCK(sc);
2775 #undef N
2776 }
2777 
2778 void
2779 rt2560_stop(void *arg)
2780 {
2781 	struct rt2560_softc *sc = arg;
2782 	struct ieee80211com *ic = &sc->sc_ic;
2783 	struct ifnet *ifp = ic->ic_ifp;
2784 	volatile int *flags = &sc->sc_flags;
2785 
2786 	while (*flags & RAL_INPUT_RUNNING) {
2787 		tsleep(sc, 0, "ralrunning", hz/10);
2788 	}
2789 
2790 	RAL_LOCK(sc);
2791 	if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
2792 		ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
2793 		sc->sc_tx_timer = 0;
2794 		ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
2795 
2796 		/* abort Tx */
2797 		RAL_WRITE(sc, RT2560_TXCSR0, RT2560_ABORT_TX);
2798 
2799 		/* disable Rx */
2800 		RAL_WRITE(sc, RT2560_RXCSR0, RT2560_DISABLE_RX);
2801 
2802 		/* reset ASIC (imply reset BBP) */
2803 		RAL_WRITE(sc, RT2560_CSR1, RT2560_RESET_ASIC);
2804 		RAL_WRITE(sc, RT2560_CSR1, 0);
2805 
2806 		/* disable interrupts */
2807 		RAL_WRITE(sc, RT2560_CSR8, 0xffffffff);
2808 
2809 		/* reset Tx and Rx rings */
2810 		rt2560_reset_tx_ring(sc, &sc->txq);
2811 		rt2560_reset_tx_ring(sc, &sc->atimq);
2812 		rt2560_reset_tx_ring(sc, &sc->prioq);
2813 		rt2560_reset_tx_ring(sc, &sc->bcnq);
2814 		rt2560_reset_rx_ring(sc, &sc->rxq);
2815 	}
2816 	RAL_UNLOCK(sc);
2817 }
2818 
2819 static int
2820 rt2560_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
2821 	const struct ieee80211_bpf_params *params)
2822 {
2823 	struct ieee80211com *ic = ni->ni_ic;
2824 	struct ifnet *ifp = ic->ic_ifp;
2825 	struct rt2560_softc *sc = ifp->if_softc;
2826 
2827 	RAL_LOCK(sc);
2828 
2829 	/* prevent management frames from being sent if we're not ready */
2830 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
2831 		RAL_UNLOCK(sc);
2832 		m_freem(m);
2833 		ieee80211_free_node(ni);
2834 		return ENETDOWN;
2835 	}
2836 	if (sc->prioq.queued >= RT2560_PRIO_RING_COUNT) {
2837 		ifp->if_drv_flags |= IFF_DRV_OACTIVE;
2838 		RAL_UNLOCK(sc);
2839 		m_freem(m);
2840 		ieee80211_free_node(ni);
2841 		return ENOBUFS;		/* XXX */
2842 	}
2843 
2844 	if (bpf_peers_present(ic->ic_rawbpf))
2845 		bpf_mtap(ic->ic_rawbpf, m);
2846 
2847 	ifp->if_opackets++;
2848 
2849 	if (params == NULL) {
2850 		/*
2851 		 * Legacy path; interpret frame contents to decide
2852 		 * precisely how to send the frame.
2853 		 */
2854 		if (rt2560_tx_mgt(sc, m, ni) != 0)
2855 			goto bad;
2856 	} else {
2857 		/*
2858 		 * Caller supplied explicit parameters to use in
2859 		 * sending the frame.
2860 		 */
2861 		if (rt2560_tx_raw(sc, m, ni, params))
2862 			goto bad;
2863 	}
2864 	sc->sc_tx_timer = 5;
2865 	callout_reset(&sc->watchdog_ch, hz, rt2560_watchdog, sc);
2866 
2867 	RAL_UNLOCK(sc);
2868 
2869 	return 0;
2870 bad:
2871 	ifp->if_oerrors++;
2872 	ieee80211_free_node(ni);
2873 	RAL_UNLOCK(sc);
2874 	return EIO;		/* XXX */
2875 }
2876 
2877