xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 13de33a5dc2304b13d595d75d48c51793958474f)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define USB_DEBUG_VAR run_debug
74 #include <dev/usb/usb_debug.h>
75 
76 #include <dev/usb/wlan/if_runreg.h>
77 #include <dev/usb/wlan/if_runvar.h>
78 
79 #ifdef	USB_DEBUG
80 #define RUN_DEBUG
81 #endif
82 
83 #ifdef	RUN_DEBUG
84 int run_debug = 0;
85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
86 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
87     "run debug level");
88 #endif
89 
90 #define IEEE80211_HAS_ADDR4(wh) \
91 	(((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
92 
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98 
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define RUN_DEV(v,p) { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101     RUN_DEV(ABOCOM,		RT2770),
102     RUN_DEV(ABOCOM,		RT2870),
103     RUN_DEV(ABOCOM,		RT3070),
104     RUN_DEV(ABOCOM,		RT3071),
105     RUN_DEV(ABOCOM,		RT3072),
106     RUN_DEV(ABOCOM2,		RT2870_1),
107     RUN_DEV(ACCTON,		RT2770),
108     RUN_DEV(ACCTON,		RT2870_1),
109     RUN_DEV(ACCTON,		RT2870_2),
110     RUN_DEV(ACCTON,		RT2870_3),
111     RUN_DEV(ACCTON,		RT2870_4),
112     RUN_DEV(ACCTON,		RT2870_5),
113     RUN_DEV(ACCTON,		RT3070),
114     RUN_DEV(ACCTON,		RT3070_1),
115     RUN_DEV(ACCTON,		RT3070_2),
116     RUN_DEV(ACCTON,		RT3070_3),
117     RUN_DEV(ACCTON,		RT3070_4),
118     RUN_DEV(ACCTON,		RT3070_5),
119     RUN_DEV(AIRTIES,		RT3070),
120     RUN_DEV(ALLWIN,		RT2070),
121     RUN_DEV(ALLWIN,		RT2770),
122     RUN_DEV(ALLWIN,		RT2870),
123     RUN_DEV(ALLWIN,		RT3070),
124     RUN_DEV(ALLWIN,		RT3071),
125     RUN_DEV(ALLWIN,		RT3072),
126     RUN_DEV(ALLWIN,		RT3572),
127     RUN_DEV(AMIGO,		RT2870_1),
128     RUN_DEV(AMIGO,		RT2870_2),
129     RUN_DEV(AMIT,		CGWLUSB2GNR),
130     RUN_DEV(AMIT,		RT2870_1),
131     RUN_DEV(AMIT2,		RT2870),
132     RUN_DEV(ASUS,		RT2870_1),
133     RUN_DEV(ASUS,		RT2870_2),
134     RUN_DEV(ASUS,		RT2870_3),
135     RUN_DEV(ASUS,		RT2870_4),
136     RUN_DEV(ASUS,		RT2870_5),
137     RUN_DEV(ASUS,		USBN13),
138     RUN_DEV(ASUS,		RT3070_1),
139     RUN_DEV(ASUS,		USB_N53),
140     RUN_DEV(ASUS2,		USBN11),
141     RUN_DEV(AZUREWAVE,		RT2870_1),
142     RUN_DEV(AZUREWAVE,		RT2870_2),
143     RUN_DEV(AZUREWAVE,		RT3070_1),
144     RUN_DEV(AZUREWAVE,		RT3070_2),
145     RUN_DEV(AZUREWAVE,		RT3070_3),
146     RUN_DEV(BELKIN,		F5D8053V3),
147     RUN_DEV(BELKIN,		F5D8055),
148     RUN_DEV(BELKIN,		F5D8055V2),
149     RUN_DEV(BELKIN,		F6D4050V1),
150     RUN_DEV(BELKIN,		F6D4050V2),
151     RUN_DEV(BELKIN,		RT2870_1),
152     RUN_DEV(BELKIN,		RT2870_2),
153     RUN_DEV(CISCOLINKSYS,	AE1000),
154     RUN_DEV(CISCOLINKSYS2,	RT3070),
155     RUN_DEV(CISCOLINKSYS3,	RT3070),
156     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
157     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
158     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
159     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
160     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
161     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
164     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
165     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
166     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
167     RUN_DEV(COREGA,		CGWLUSB300GNM),
168     RUN_DEV(COREGA,		RT2870_1),
169     RUN_DEV(COREGA,		RT2870_2),
170     RUN_DEV(COREGA,		RT2870_3),
171     RUN_DEV(COREGA,		RT3070),
172     RUN_DEV(CYBERTAN,		RT2870),
173     RUN_DEV(DLINK,		RT2870),
174     RUN_DEV(DLINK,		RT3072),
175     RUN_DEV(DLINK,		DWA127),
176     RUN_DEV(DLINK,		DWA140B3),
177     RUN_DEV(DLINK,		DWA160B2),
178     RUN_DEV(DLINK2,		DWA130),
179     RUN_DEV(DLINK2,		RT2870_1),
180     RUN_DEV(DLINK2,		RT2870_2),
181     RUN_DEV(DLINK2,		RT3070_1),
182     RUN_DEV(DLINK2,		RT3070_2),
183     RUN_DEV(DLINK2,		RT3070_3),
184     RUN_DEV(DLINK2,		RT3070_4),
185     RUN_DEV(DLINK2,		RT3070_5),
186     RUN_DEV(DLINK2,		RT3072),
187     RUN_DEV(DLINK2,		RT3072_1),
188     RUN_DEV(EDIMAX,		EW7717),
189     RUN_DEV(EDIMAX,		EW7718),
190     RUN_DEV(EDIMAX,		RT2870_1),
191     RUN_DEV(ENCORE,		RT3070_1),
192     RUN_DEV(ENCORE,		RT3070_2),
193     RUN_DEV(ENCORE,		RT3070_3),
194     RUN_DEV(GIGABYTE,		GNWB31N),
195     RUN_DEV(GIGABYTE,		GNWB32L),
196     RUN_DEV(GIGABYTE,		RT2870_1),
197     RUN_DEV(GIGASET,		RT3070_1),
198     RUN_DEV(GIGASET,		RT3070_2),
199     RUN_DEV(GUILLEMOT,		HWNU300),
200     RUN_DEV(HAWKING,		HWUN2),
201     RUN_DEV(HAWKING,		RT2870_1),
202     RUN_DEV(HAWKING,		RT2870_2),
203     RUN_DEV(HAWKING,		RT3070),
204     RUN_DEV(IODATA,		RT3072_1),
205     RUN_DEV(IODATA,		RT3072_2),
206     RUN_DEV(IODATA,		RT3072_3),
207     RUN_DEV(IODATA,		RT3072_4),
208     RUN_DEV(LINKSYS4,		RT3070),
209     RUN_DEV(LINKSYS4,		WUSB100),
210     RUN_DEV(LINKSYS4,		WUSB54GCV3),
211     RUN_DEV(LINKSYS4,		WUSB600N),
212     RUN_DEV(LINKSYS4,		WUSB600NV2),
213     RUN_DEV(LOGITEC,		RT2870_1),
214     RUN_DEV(LOGITEC,		RT2870_2),
215     RUN_DEV(LOGITEC,		RT2870_3),
216     RUN_DEV(LOGITEC,		LANW300NU2),
217     RUN_DEV(LOGITEC,		LANW150NU2),
218     RUN_DEV(LOGITEC,		LANW300NU2S),
219     RUN_DEV(MELCO,		RT2870_1),
220     RUN_DEV(MELCO,		RT2870_2),
221     RUN_DEV(MELCO,		WLIUCAG300N),
222     RUN_DEV(MELCO,		WLIUCG300N),
223     RUN_DEV(MELCO,		WLIUCG301N),
224     RUN_DEV(MELCO,		WLIUCGN),
225     RUN_DEV(MELCO,		WLIUCGNM),
226     RUN_DEV(MELCO,		WLIUCGNM2),
227     RUN_DEV(MOTOROLA4,		RT2770),
228     RUN_DEV(MOTOROLA4,		RT3070),
229     RUN_DEV(MSI,		RT3070_1),
230     RUN_DEV(MSI,		RT3070_2),
231     RUN_DEV(MSI,		RT3070_3),
232     RUN_DEV(MSI,		RT3070_4),
233     RUN_DEV(MSI,		RT3070_5),
234     RUN_DEV(MSI,		RT3070_6),
235     RUN_DEV(MSI,		RT3070_7),
236     RUN_DEV(MSI,		RT3070_8),
237     RUN_DEV(MSI,		RT3070_9),
238     RUN_DEV(MSI,		RT3070_10),
239     RUN_DEV(MSI,		RT3070_11),
240     RUN_DEV(OVISLINK,		RT3072),
241     RUN_DEV(PARA,		RT3070),
242     RUN_DEV(PEGATRON,		RT2870),
243     RUN_DEV(PEGATRON,		RT3070),
244     RUN_DEV(PEGATRON,		RT3070_2),
245     RUN_DEV(PEGATRON,		RT3070_3),
246     RUN_DEV(PHILIPS,		RT2870),
247     RUN_DEV(PLANEX2,		GWUS300MINIS),
248     RUN_DEV(PLANEX2,		GWUSMICRON),
249     RUN_DEV(PLANEX2,		RT2870),
250     RUN_DEV(PLANEX2,		RT3070),
251     RUN_DEV(QCOM,		RT2870),
252     RUN_DEV(QUANTA,		RT3070),
253     RUN_DEV(RALINK,		RT2070),
254     RUN_DEV(RALINK,		RT2770),
255     RUN_DEV(RALINK,		RT2870),
256     RUN_DEV(RALINK,		RT3070),
257     RUN_DEV(RALINK,		RT3071),
258     RUN_DEV(RALINK,		RT3072),
259     RUN_DEV(RALINK,		RT3370),
260     RUN_DEV(RALINK,		RT3572),
261     RUN_DEV(RALINK,		RT5370),
262     RUN_DEV(RALINK,		RT5572),
263     RUN_DEV(RALINK,		RT8070),
264     RUN_DEV(SAMSUNG,		WIS09ABGN),
265     RUN_DEV(SAMSUNG2,		RT2870_1),
266     RUN_DEV(SENAO,		RT2870_1),
267     RUN_DEV(SENAO,		RT2870_2),
268     RUN_DEV(SENAO,		RT2870_3),
269     RUN_DEV(SENAO,		RT2870_4),
270     RUN_DEV(SENAO,		RT3070),
271     RUN_DEV(SENAO,		RT3071),
272     RUN_DEV(SENAO,		RT3072_1),
273     RUN_DEV(SENAO,		RT3072_2),
274     RUN_DEV(SENAO,		RT3072_3),
275     RUN_DEV(SENAO,		RT3072_4),
276     RUN_DEV(SENAO,		RT3072_5),
277     RUN_DEV(SITECOMEU,		RT2770),
278     RUN_DEV(SITECOMEU,		RT2870_1),
279     RUN_DEV(SITECOMEU,		RT2870_2),
280     RUN_DEV(SITECOMEU,		RT2870_3),
281     RUN_DEV(SITECOMEU,		RT2870_4),
282     RUN_DEV(SITECOMEU,		RT3070),
283     RUN_DEV(SITECOMEU,		RT3070_2),
284     RUN_DEV(SITECOMEU,		RT3070_3),
285     RUN_DEV(SITECOMEU,		RT3070_4),
286     RUN_DEV(SITECOMEU,		RT3071),
287     RUN_DEV(SITECOMEU,		RT3072_1),
288     RUN_DEV(SITECOMEU,		RT3072_2),
289     RUN_DEV(SITECOMEU,		RT3072_3),
290     RUN_DEV(SITECOMEU,		RT3072_4),
291     RUN_DEV(SITECOMEU,		RT3072_5),
292     RUN_DEV(SITECOMEU,		RT3072_6),
293     RUN_DEV(SITECOMEU,		WL608),
294     RUN_DEV(SPARKLAN,		RT2870_1),
295     RUN_DEV(SPARKLAN,		RT3070),
296     RUN_DEV(SWEEX2,		LW153),
297     RUN_DEV(SWEEX2,		LW303),
298     RUN_DEV(SWEEX2,		LW313),
299     RUN_DEV(TOSHIBA,		RT3070),
300     RUN_DEV(UMEDIA,		RT2870_1),
301     RUN_DEV(ZCOM,		RT2870_1),
302     RUN_DEV(ZCOM,		RT2870_2),
303     RUN_DEV(ZINWELL,		RT2870_1),
304     RUN_DEV(ZINWELL,		RT2870_2),
305     RUN_DEV(ZINWELL,		RT3070),
306     RUN_DEV(ZINWELL,		RT3072_1),
307     RUN_DEV(ZINWELL,		RT3072_2),
308     RUN_DEV(ZYXEL,		RT2870_1),
309     RUN_DEV(ZYXEL,		RT2870_2),
310 #undef RUN_DEV
311 };
312 
313 static device_probe_t	run_match;
314 static device_attach_t	run_attach;
315 static device_detach_t	run_detach;
316 
317 static usb_callback_t	run_bulk_rx_callback;
318 static usb_callback_t	run_bulk_tx_callback0;
319 static usb_callback_t	run_bulk_tx_callback1;
320 static usb_callback_t	run_bulk_tx_callback2;
321 static usb_callback_t	run_bulk_tx_callback3;
322 static usb_callback_t	run_bulk_tx_callback4;
323 static usb_callback_t	run_bulk_tx_callback5;
324 
325 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
326 		    usb_error_t error, u_int index);
327 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
328 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
329 		    const uint8_t [IEEE80211_ADDR_LEN],
330 		    const uint8_t [IEEE80211_ADDR_LEN]);
331 static void	run_vap_delete(struct ieee80211vap *);
332 static void	run_cmdq_cb(void *, int);
333 static void	run_setup_tx_list(struct run_softc *,
334 		    struct run_endpoint_queue *);
335 static void	run_unsetup_tx_list(struct run_softc *,
336 		    struct run_endpoint_queue *);
337 static int	run_load_microcode(struct run_softc *);
338 static int	run_reset(struct run_softc *);
339 static usb_error_t run_do_request(struct run_softc *,
340 		    struct usb_device_request *, void *);
341 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
342 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
343 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
344 static int	run_write(struct run_softc *, uint16_t, uint32_t);
345 static int	run_write_region_1(struct run_softc *, uint16_t,
346 		    const uint8_t *, int);
347 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
348 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
349 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
350 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
351 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
352 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
353 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
354 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
355 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
356 static const char *run_get_rf(uint16_t);
357 static int	run_read_eeprom(struct run_softc *);
358 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
359 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
360 static int	run_media_change(struct ifnet *);
361 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
362 static int	run_wme_update(struct ieee80211com *);
363 static void	run_wme_update_cb(void *);
364 static void	run_key_update_begin(struct ieee80211vap *);
365 static void	run_key_update_end(struct ieee80211vap *);
366 static void	run_key_set_cb(void *);
367 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *,
368 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
369 static void	run_key_delete_cb(void *);
370 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
371 static void	run_ratectl_to(void *);
372 static void	run_ratectl_cb(void *, int);
373 static void	run_drain_fifo(void *);
374 static void	run_iter_func(void *, struct ieee80211_node *);
375 static void	run_newassoc_cb(void *);
376 static void	run_newassoc(struct ieee80211_node *, int);
377 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
378 static void	run_tx_free(struct run_endpoint_queue *pq,
379 		    struct run_tx_data *, int);
380 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
381 static int	run_tx(struct run_softc *, struct mbuf *,
382 		    struct ieee80211_node *);
383 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
384 		    struct ieee80211_node *);
385 static int	run_sendprot(struct run_softc *, const struct mbuf *,
386 		    struct ieee80211_node *, int, int);
387 static int	run_tx_param(struct run_softc *, struct mbuf *,
388 		    struct ieee80211_node *,
389 		    const struct ieee80211_bpf_params *);
390 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
391 		    const struct ieee80211_bpf_params *);
392 static void	run_start(struct ifnet *);
393 static int	run_ioctl(struct ifnet *, u_long, caddr_t);
394 static void	run_set_agc(struct run_softc *, uint8_t);
395 static void	run_select_chan_group(struct run_softc *, int);
396 static void	run_set_rx_antenna(struct run_softc *, int);
397 static void	run_rt2870_set_chan(struct run_softc *, u_int);
398 static void	run_rt3070_set_chan(struct run_softc *, u_int);
399 static void	run_rt3572_set_chan(struct run_softc *, u_int);
400 static void	run_rt5390_set_chan(struct run_softc *, u_int);
401 static void	run_rt5592_set_chan(struct run_softc *, u_int);
402 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
403 static void	run_set_channel(struct ieee80211com *);
404 static void	run_scan_start(struct ieee80211com *);
405 static void	run_scan_end(struct ieee80211com *);
406 static void	run_update_beacon(struct ieee80211vap *, int);
407 static void	run_update_beacon_cb(void *);
408 static void	run_updateprot(struct ieee80211com *);
409 static void	run_updateprot_cb(void *);
410 static void	run_usb_timeout_cb(void *);
411 static void	run_reset_livelock(struct run_softc *);
412 static void	run_enable_tsf_sync(struct run_softc *);
413 static void	run_enable_mrr(struct run_softc *);
414 static void	run_set_txpreamble(struct run_softc *);
415 static void	run_set_basicrates(struct run_softc *);
416 static void	run_set_leds(struct run_softc *, uint16_t);
417 static void	run_set_bssid(struct run_softc *, const uint8_t *);
418 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
419 static void	run_updateslot(struct ifnet *);
420 static void	run_updateslot_cb(void *);
421 static void	run_update_mcast(struct ifnet *);
422 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
423 static void	run_update_promisc_locked(struct ifnet *);
424 static void	run_update_promisc(struct ifnet *);
425 static void	run_rt5390_bbp_init(struct run_softc *);
426 static int	run_bbp_init(struct run_softc *);
427 static int	run_rt3070_rf_init(struct run_softc *);
428 static void	run_rt5390_rf_init(struct run_softc *);
429 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
430 		    uint8_t *);
431 static void	run_rt3070_rf_setup(struct run_softc *);
432 static int	run_txrx_enable(struct run_softc *);
433 static void	run_adjust_freq_offset(struct run_softc *);
434 static void	run_init(void *);
435 static void	run_init_locked(struct run_softc *);
436 static void	run_stop(void *);
437 static void	run_delay(struct run_softc *, u_int);
438 
439 static const struct {
440 	uint16_t	reg;
441 	uint32_t	val;
442 } rt2870_def_mac[] = {
443 	RT2870_DEF_MAC
444 };
445 
446 static const struct {
447 	uint8_t	reg;
448 	uint8_t	val;
449 } rt2860_def_bbp[] = {
450 	RT2860_DEF_BBP
451 },rt5390_def_bbp[] = {
452 	RT5390_DEF_BBP
453 },rt5592_def_bbp[] = {
454 	RT5592_DEF_BBP
455 };
456 
457 /*
458  * Default values for BBP register R196 for RT5592.
459  */
460 static const uint8_t rt5592_bbp_r196[] = {
461 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
462 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
463 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
464 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
465 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
466 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
467 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
468 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
469 	0x2e, 0x36, 0x30, 0x6e
470 };
471 
472 static const struct rfprog {
473 	uint8_t		chan;
474 	uint32_t	r1, r2, r3, r4;
475 } rt2860_rf2850[] = {
476 	RT2860_RF2850
477 };
478 
479 struct {
480 	uint8_t	n, r, k;
481 } rt3070_freqs[] = {
482 	RT3070_RF3052
483 };
484 
485 static const struct rt5592_freqs {
486 	uint16_t	n;
487 	uint8_t		k, m, r;
488 } rt5592_freqs_20mhz[] = {
489 	RT5592_RF5592_20MHZ
490 },rt5592_freqs_40mhz[] = {
491 	RT5592_RF5592_40MHZ
492 };
493 
494 static const struct {
495 	uint8_t	reg;
496 	uint8_t	val;
497 } rt3070_def_rf[] = {
498 	RT3070_DEF_RF
499 },rt3572_def_rf[] = {
500 	RT3572_DEF_RF
501 },rt5390_def_rf[] = {
502 	RT5390_DEF_RF
503 },rt5392_def_rf[] = {
504 	RT5392_DEF_RF
505 },rt5592_def_rf[] = {
506 	RT5592_DEF_RF
507 },rt5592_2ghz_def_rf[] = {
508 	RT5592_2GHZ_DEF_RF
509 },rt5592_5ghz_def_rf[] = {
510 	RT5592_5GHZ_DEF_RF
511 };
512 
513 static const struct {
514 	u_int	firstchan;
515 	u_int	lastchan;
516 	uint8_t	reg;
517 	uint8_t	val;
518 } rt5592_chan_5ghz[] = {
519 	RT5592_CHAN_5GHZ
520 };
521 
522 static const struct usb_config run_config[RUN_N_XFER] = {
523     [RUN_BULK_TX_BE] = {
524 	.type = UE_BULK,
525 	.endpoint = UE_ADDR_ANY,
526 	.ep_index = 0,
527 	.direction = UE_DIR_OUT,
528 	.bufsize = RUN_MAX_TXSZ,
529 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
530 	.callback = run_bulk_tx_callback0,
531 	.timeout = 5000,	/* ms */
532     },
533     [RUN_BULK_TX_BK] = {
534 	.type = UE_BULK,
535 	.endpoint = UE_ADDR_ANY,
536 	.direction = UE_DIR_OUT,
537 	.ep_index = 1,
538 	.bufsize = RUN_MAX_TXSZ,
539 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
540 	.callback = run_bulk_tx_callback1,
541 	.timeout = 5000,	/* ms */
542     },
543     [RUN_BULK_TX_VI] = {
544 	.type = UE_BULK,
545 	.endpoint = UE_ADDR_ANY,
546 	.direction = UE_DIR_OUT,
547 	.ep_index = 2,
548 	.bufsize = RUN_MAX_TXSZ,
549 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
550 	.callback = run_bulk_tx_callback2,
551 	.timeout = 5000,	/* ms */
552     },
553     [RUN_BULK_TX_VO] = {
554 	.type = UE_BULK,
555 	.endpoint = UE_ADDR_ANY,
556 	.direction = UE_DIR_OUT,
557 	.ep_index = 3,
558 	.bufsize = RUN_MAX_TXSZ,
559 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
560 	.callback = run_bulk_tx_callback3,
561 	.timeout = 5000,	/* ms */
562     },
563     [RUN_BULK_TX_HCCA] = {
564 	.type = UE_BULK,
565 	.endpoint = UE_ADDR_ANY,
566 	.direction = UE_DIR_OUT,
567 	.ep_index = 4,
568 	.bufsize = RUN_MAX_TXSZ,
569 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
570 	.callback = run_bulk_tx_callback4,
571 	.timeout = 5000,	/* ms */
572     },
573     [RUN_BULK_TX_PRIO] = {
574 	.type = UE_BULK,
575 	.endpoint = UE_ADDR_ANY,
576 	.direction = UE_DIR_OUT,
577 	.ep_index = 5,
578 	.bufsize = RUN_MAX_TXSZ,
579 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
580 	.callback = run_bulk_tx_callback5,
581 	.timeout = 5000,	/* ms */
582     },
583     [RUN_BULK_RX] = {
584 	.type = UE_BULK,
585 	.endpoint = UE_ADDR_ANY,
586 	.direction = UE_DIR_IN,
587 	.bufsize = RUN_MAX_RXSZ,
588 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
589 	.callback = run_bulk_rx_callback,
590     }
591 };
592 
593 static int
594 run_match(device_t self)
595 {
596 	struct usb_attach_arg *uaa = device_get_ivars(self);
597 
598 	if (uaa->usb_mode != USB_MODE_HOST)
599 		return (ENXIO);
600 	if (uaa->info.bConfigIndex != 0)
601 		return (ENXIO);
602 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
603 		return (ENXIO);
604 
605 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
606 }
607 
608 static int
609 run_attach(device_t self)
610 {
611 	struct run_softc *sc = device_get_softc(self);
612 	struct usb_attach_arg *uaa = device_get_ivars(self);
613 	struct ieee80211com *ic;
614 	struct ifnet *ifp;
615 	uint32_t ver;
616 	int ntries, error;
617 	uint8_t iface_index, bands;
618 
619 	device_set_usb_desc(self);
620 	sc->sc_udev = uaa->device;
621 	sc->sc_dev = self;
622 
623 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
624 	    MTX_NETWORK_LOCK, MTX_DEF);
625 
626 	iface_index = RT2860_IFACE_INDEX;
627 
628 	error = usbd_transfer_setup(uaa->device, &iface_index,
629 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
630 	if (error) {
631 		device_printf(self, "could not allocate USB transfers, "
632 		    "err=%s\n", usbd_errstr(error));
633 		goto detach;
634 	}
635 
636 	RUN_LOCK(sc);
637 
638 	/* wait for the chip to settle */
639 	for (ntries = 0; ntries < 100; ntries++) {
640 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
641 			RUN_UNLOCK(sc);
642 			goto detach;
643 		}
644 		if (ver != 0 && ver != 0xffffffff)
645 			break;
646 		run_delay(sc, 10);
647 	}
648 	if (ntries == 100) {
649 		device_printf(sc->sc_dev,
650 		    "timeout waiting for NIC to initialize\n");
651 		RUN_UNLOCK(sc);
652 		goto detach;
653 	}
654 	sc->mac_ver = ver >> 16;
655 	sc->mac_rev = ver & 0xffff;
656 
657 	/* retrieve RF rev. no and various other things from EEPROM */
658 	run_read_eeprom(sc);
659 
660 	device_printf(sc->sc_dev,
661 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
662 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
663 	    sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
664 
665 	RUN_UNLOCK(sc);
666 
667 	ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
668 	if (ifp == NULL) {
669 		device_printf(sc->sc_dev, "can not if_alloc()\n");
670 		goto detach;
671 	}
672 	ic = ifp->if_l2com;
673 
674 	ifp->if_softc = sc;
675 	if_initname(ifp, "run", device_get_unit(sc->sc_dev));
676 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
677 	ifp->if_init = run_init;
678 	ifp->if_ioctl = run_ioctl;
679 	ifp->if_start = run_start;
680 	IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
681 	ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
682 	IFQ_SET_READY(&ifp->if_snd);
683 
684 	ic->ic_ifp = ifp;
685 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
686 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
687 
688 	/* set device capabilities */
689 	ic->ic_caps =
690 	    IEEE80211_C_STA |		/* station mode supported */
691 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
692 	    IEEE80211_C_IBSS |
693 	    IEEE80211_C_HOSTAP |
694 	    IEEE80211_C_WDS |		/* 4-address traffic works */
695 	    IEEE80211_C_MBSS |
696 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
697 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
698 	    IEEE80211_C_WME |		/* WME */
699 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
700 
701 	ic->ic_cryptocaps =
702 	    IEEE80211_CRYPTO_WEP |
703 	    IEEE80211_CRYPTO_AES_CCM |
704 	    IEEE80211_CRYPTO_TKIPMIC |
705 	    IEEE80211_CRYPTO_TKIP;
706 
707 	ic->ic_flags |= IEEE80211_F_DATAPAD;
708 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
709 
710 	bands = 0;
711 	setbit(&bands, IEEE80211_MODE_11B);
712 	setbit(&bands, IEEE80211_MODE_11G);
713 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
714 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT5592_RF_5592)
715 		setbit(&bands, IEEE80211_MODE_11A);
716 	ieee80211_init_channels(ic, NULL, &bands);
717 
718 	ieee80211_ifattach(ic, sc->sc_bssid);
719 
720 	ic->ic_scan_start = run_scan_start;
721 	ic->ic_scan_end = run_scan_end;
722 	ic->ic_set_channel = run_set_channel;
723 	ic->ic_node_alloc = run_node_alloc;
724 	ic->ic_newassoc = run_newassoc;
725 	ic->ic_updateslot = run_updateslot;
726 	ic->ic_update_mcast = run_update_mcast;
727 	ic->ic_wme.wme_update = run_wme_update;
728 	ic->ic_raw_xmit = run_raw_xmit;
729 	ic->ic_update_promisc = run_update_promisc;
730 
731 	ic->ic_vap_create = run_vap_create;
732 	ic->ic_vap_delete = run_vap_delete;
733 
734 	ieee80211_radiotap_attach(ic,
735 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
736 		RUN_TX_RADIOTAP_PRESENT,
737 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
738 		RUN_RX_RADIOTAP_PRESENT);
739 
740 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
741 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
742 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
743 
744 	if (bootverbose)
745 		ieee80211_announce(ic);
746 
747 	return (0);
748 
749 detach:
750 	run_detach(self);
751 	return (ENXIO);
752 }
753 
754 static int
755 run_detach(device_t self)
756 {
757 	struct run_softc *sc = device_get_softc(self);
758 	struct ifnet *ifp = sc->sc_ifp;
759 	struct ieee80211com *ic;
760 	int i;
761 
762 	RUN_LOCK(sc);
763 	sc->sc_detached = 1;
764 	RUN_UNLOCK(sc);
765 
766 	/* stop all USB transfers */
767 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
768 
769 	RUN_LOCK(sc);
770 	sc->ratectl_run = RUN_RATECTL_OFF;
771 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
772 
773 	/* free TX list, if any */
774 	for (i = 0; i != RUN_EP_QUEUES; i++)
775 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
776 	RUN_UNLOCK(sc);
777 
778 	if (ifp) {
779 		ic = ifp->if_l2com;
780 		/* drain tasks */
781 		usb_callout_drain(&sc->ratectl_ch);
782 		ieee80211_draintask(ic, &sc->cmdq_task);
783 		ieee80211_draintask(ic, &sc->ratectl_task);
784 		ieee80211_ifdetach(ic);
785 		if_free(ifp);
786 	}
787 
788 	mtx_destroy(&sc->sc_mtx);
789 
790 	return (0);
791 }
792 
793 static struct ieee80211vap *
794 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
795     enum ieee80211_opmode opmode, int flags,
796     const uint8_t bssid[IEEE80211_ADDR_LEN],
797     const uint8_t mac[IEEE80211_ADDR_LEN])
798 {
799 	struct ifnet *ifp = ic->ic_ifp;
800 	struct run_softc *sc = ifp->if_softc;
801 	struct run_vap *rvp;
802 	struct ieee80211vap *vap;
803 	int i;
804 
805 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
806 		if_printf(ifp, "number of VAPs maxed out\n");
807 		return (NULL);
808 	}
809 
810 	switch (opmode) {
811 	case IEEE80211_M_STA:
812 		/* enable s/w bmiss handling for sta mode */
813 		flags |= IEEE80211_CLONE_NOBEACONS;
814 		/* fall though */
815 	case IEEE80211_M_IBSS:
816 	case IEEE80211_M_MONITOR:
817 	case IEEE80211_M_HOSTAP:
818 	case IEEE80211_M_MBSS:
819 		/* other than WDS vaps, only one at a time */
820 		if (!TAILQ_EMPTY(&ic->ic_vaps))
821 			return (NULL);
822 		break;
823 	case IEEE80211_M_WDS:
824 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
825 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
826 				continue;
827 			/* WDS vap's always share the local mac address. */
828 			flags &= ~IEEE80211_CLONE_BSSID;
829 			break;
830 		}
831 		if (vap == NULL) {
832 			if_printf(ifp, "wds only supported in ap mode\n");
833 			return (NULL);
834 		}
835 		break;
836 	default:
837 		if_printf(ifp, "unknown opmode %d\n", opmode);
838 		return (NULL);
839 	}
840 
841 	rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
842 	    M_80211_VAP, M_NOWAIT | M_ZERO);
843 	if (rvp == NULL)
844 		return (NULL);
845 	vap = &rvp->vap;
846 
847 	if (ieee80211_vap_setup(ic, vap, name, unit,
848 	    opmode, flags, bssid, mac) != 0) {
849 		/* out of memory */
850 		free(rvp, M_80211_VAP);
851 		return (NULL);
852 	}
853 
854 	vap->iv_key_update_begin = run_key_update_begin;
855 	vap->iv_key_update_end = run_key_update_end;
856 	vap->iv_update_beacon = run_update_beacon;
857 	vap->iv_max_aid = RT2870_WCID_MAX;
858 	/*
859 	 * To delete the right key from h/w, we need wcid.
860 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
861 	 * and matching wcid will be written into there. So, cast
862 	 * some spells to remove 'const' from ieee80211_key{}
863 	 */
864 	vap->iv_key_delete = (void *)run_key_delete;
865 	vap->iv_key_set = (void *)run_key_set;
866 
867 	/* override state transition machine */
868 	rvp->newstate = vap->iv_newstate;
869 	vap->iv_newstate = run_newstate;
870 
871 	ieee80211_ratectl_init(vap);
872 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
873 
874 	/* complete setup */
875 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
876 
877 	/* make sure id is always unique */
878 	for (i = 0; i < RUN_VAP_MAX; i++) {
879 		if((sc->rvp_bmap & 1 << i) == 0){
880 			sc->rvp_bmap |= 1 << i;
881 			rvp->rvp_id = i;
882 			break;
883 		}
884 	}
885 	if (sc->rvp_cnt++ == 0)
886 		ic->ic_opmode = opmode;
887 
888 	if (opmode == IEEE80211_M_HOSTAP)
889 		sc->cmdq_run = RUN_CMDQ_GO;
890 
891 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
892 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
893 
894 	return (vap);
895 }
896 
897 static void
898 run_vap_delete(struct ieee80211vap *vap)
899 {
900 	struct run_vap *rvp = RUN_VAP(vap);
901 	struct ifnet *ifp;
902 	struct ieee80211com *ic;
903 	struct run_softc *sc;
904 	uint8_t rvp_id;
905 
906 	if (vap == NULL)
907 		return;
908 
909 	ic = vap->iv_ic;
910 	ifp = ic->ic_ifp;
911 
912 	sc = ifp->if_softc;
913 
914 	RUN_LOCK(sc);
915 
916 	m_freem(rvp->beacon_mbuf);
917 	rvp->beacon_mbuf = NULL;
918 
919 	rvp_id = rvp->rvp_id;
920 	sc->ratectl_run &= ~(1 << rvp_id);
921 	sc->rvp_bmap &= ~(1 << rvp_id);
922 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
923 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
924 	--sc->rvp_cnt;
925 
926 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
927 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
928 
929 	RUN_UNLOCK(sc);
930 
931 	ieee80211_ratectl_deinit(vap);
932 	ieee80211_vap_detach(vap);
933 	free(rvp, M_80211_VAP);
934 }
935 
936 /*
937  * There are numbers of functions need to be called in context thread.
938  * Rather than creating taskqueue event for each of those functions,
939  * here is all-for-one taskqueue callback function. This function
940  * gurantees deferred functions are executed in the same order they
941  * were enqueued.
942  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
943  */
944 static void
945 run_cmdq_cb(void *arg, int pending)
946 {
947 	struct run_softc *sc = arg;
948 	uint8_t i;
949 
950 	/* call cmdq[].func locked */
951 	RUN_LOCK(sc);
952 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
953 	    i = sc->cmdq_exec, pending--) {
954 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
955 		if (sc->cmdq_run == RUN_CMDQ_GO) {
956 			/*
957 			 * If arg0 is NULL, callback func needs more
958 			 * than one arg. So, pass ptr to cmdq struct.
959 			 */
960 			if (sc->cmdq[i].arg0)
961 				sc->cmdq[i].func(sc->cmdq[i].arg0);
962 			else
963 				sc->cmdq[i].func(&sc->cmdq[i]);
964 		}
965 		sc->cmdq[i].arg0 = NULL;
966 		sc->cmdq[i].func = NULL;
967 		sc->cmdq_exec++;
968 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
969 	}
970 	RUN_UNLOCK(sc);
971 }
972 
973 static void
974 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
975 {
976 	struct run_tx_data *data;
977 
978 	memset(pq, 0, sizeof(*pq));
979 
980 	STAILQ_INIT(&pq->tx_qh);
981 	STAILQ_INIT(&pq->tx_fh);
982 
983 	for (data = &pq->tx_data[0];
984 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
985 		data->sc = sc;
986 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
987 	}
988 	pq->tx_nfree = RUN_TX_RING_COUNT;
989 }
990 
991 static void
992 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
993 {
994 	struct run_tx_data *data;
995 
996 	/* make sure any subsequent use of the queues will fail */
997 	pq->tx_nfree = 0;
998 	STAILQ_INIT(&pq->tx_fh);
999 	STAILQ_INIT(&pq->tx_qh);
1000 
1001 	/* free up all node references and mbufs */
1002 	for (data = &pq->tx_data[0];
1003 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1004 		if (data->m != NULL) {
1005 			m_freem(data->m);
1006 			data->m = NULL;
1007 		}
1008 		if (data->ni != NULL) {
1009 			ieee80211_free_node(data->ni);
1010 			data->ni = NULL;
1011 		}
1012 	}
1013 }
1014 
1015 static int
1016 run_load_microcode(struct run_softc *sc)
1017 {
1018 	usb_device_request_t req;
1019 	const struct firmware *fw;
1020 	const u_char *base;
1021 	uint32_t tmp;
1022 	int ntries, error;
1023 	const uint64_t *temp;
1024 	uint64_t bytes;
1025 
1026 	RUN_UNLOCK(sc);
1027 	fw = firmware_get("runfw");
1028 	RUN_LOCK(sc);
1029 	if (fw == NULL) {
1030 		device_printf(sc->sc_dev,
1031 		    "failed loadfirmware of file %s\n", "runfw");
1032 		return ENOENT;
1033 	}
1034 
1035 	if (fw->datasize != 8192) {
1036 		device_printf(sc->sc_dev,
1037 		    "invalid firmware size (should be 8KB)\n");
1038 		error = EINVAL;
1039 		goto fail;
1040 	}
1041 
1042 	/*
1043 	 * RT3071/RT3072 use a different firmware
1044 	 * run-rt2870 (8KB) contains both,
1045 	 * first half (4KB) is for rt2870,
1046 	 * last half is for rt3071.
1047 	 */
1048 	base = fw->data;
1049 	if ((sc->mac_ver) != 0x2860 &&
1050 	    (sc->mac_ver) != 0x2872 &&
1051 	    (sc->mac_ver) != 0x3070) {
1052 		base += 4096;
1053 	}
1054 
1055 	/* cheap sanity check */
1056 	temp = fw->data;
1057 	bytes = *temp;
1058 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1059 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1060 		error = EINVAL;
1061 		goto fail;
1062 	}
1063 
1064 	/* write microcode image */
1065 	run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1066 	run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1067 	run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1068 
1069 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1070 	req.bRequest = RT2870_RESET;
1071 	USETW(req.wValue, 8);
1072 	USETW(req.wIndex, 0);
1073 	USETW(req.wLength, 0);
1074 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1075 	    != 0) {
1076 		device_printf(sc->sc_dev, "firmware reset failed\n");
1077 		goto fail;
1078 	}
1079 
1080 	run_delay(sc, 10);
1081 
1082 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1083 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1084 		goto fail;
1085 
1086 	/* wait until microcontroller is ready */
1087 	for (ntries = 0; ntries < 1000; ntries++) {
1088 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0) {
1089 			goto fail;
1090 		}
1091 		if (tmp & RT2860_MCU_READY)
1092 			break;
1093 		run_delay(sc, 10);
1094 	}
1095 	if (ntries == 1000) {
1096 		device_printf(sc->sc_dev,
1097 		    "timeout waiting for MCU to initialize\n");
1098 		error = ETIMEDOUT;
1099 		goto fail;
1100 	}
1101 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1102 	    (base == fw->data) ? "RT2870" : "RT3071",
1103 	    *(base + 4092), *(base + 4093));
1104 
1105 fail:
1106 	firmware_put(fw, FIRMWARE_UNLOAD);
1107 	return (error);
1108 }
1109 
1110 static int
1111 run_reset(struct run_softc *sc)
1112 {
1113 	usb_device_request_t req;
1114 
1115 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1116 	req.bRequest = RT2870_RESET;
1117 	USETW(req.wValue, 1);
1118 	USETW(req.wIndex, 0);
1119 	USETW(req.wLength, 0);
1120 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1121 }
1122 
1123 static usb_error_t
1124 run_do_request(struct run_softc *sc,
1125     struct usb_device_request *req, void *data)
1126 {
1127 	usb_error_t err;
1128 	int ntries = 10;
1129 
1130 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1131 
1132 	while (ntries--) {
1133 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1134 		    req, data, 0, NULL, 250 /* ms */);
1135 		if (err == 0)
1136 			break;
1137 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1138 		    usbd_errstr(err));
1139 		run_delay(sc, 10);
1140 	}
1141 	return (err);
1142 }
1143 
1144 static int
1145 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1146 {
1147 	uint32_t tmp;
1148 	int error;
1149 
1150 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1151 	if (error == 0)
1152 		*val = le32toh(tmp);
1153 	else
1154 		*val = 0xffffffff;
1155 	return (error);
1156 }
1157 
1158 static int
1159 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1160 {
1161 	usb_device_request_t req;
1162 
1163 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1164 	req.bRequest = RT2870_READ_REGION_1;
1165 	USETW(req.wValue, 0);
1166 	USETW(req.wIndex, reg);
1167 	USETW(req.wLength, len);
1168 
1169 	return (run_do_request(sc, &req, buf));
1170 }
1171 
1172 static int
1173 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1174 {
1175 	usb_device_request_t req;
1176 
1177 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1178 	req.bRequest = RT2870_WRITE_2;
1179 	USETW(req.wValue, val);
1180 	USETW(req.wIndex, reg);
1181 	USETW(req.wLength, 0);
1182 
1183 	return (run_do_request(sc, &req, NULL));
1184 }
1185 
1186 static int
1187 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1188 {
1189 	int error;
1190 
1191 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1192 		error = run_write_2(sc, reg + 2, val >> 16);
1193 	return (error);
1194 }
1195 
1196 static int
1197 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1198     int len)
1199 {
1200 #if 1
1201 	int i, error = 0;
1202 	/*
1203 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1204 	 * We thus issue multiple WRITE_2 commands instead.
1205 	 */
1206 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1207 	for (i = 0; i < len && error == 0; i += 2)
1208 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1209 	return (error);
1210 #else
1211 	usb_device_request_t req;
1212 	int error = 0;
1213 
1214 	/*
1215 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1216 	 * passed a huge amount of data, which will crash the
1217 	 * firmware. Limit amount of data passed to 64-bytes at a
1218 	 * time.
1219 	 */
1220 	while (len > 0) {
1221 		int delta = 64;
1222 		if (delta > len)
1223 			delta = len;
1224 
1225 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1226 		req.bRequest = RT2870_WRITE_REGION_1;
1227 		USETW(req.wValue, 0);
1228 		USETW(req.wIndex, reg);
1229 		USETW(req.wLength, delta);
1230 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1231 		if (error != 0)
1232 			break;
1233 		reg += delta;
1234 		buf += delta;
1235 		len -= delta;
1236 	}
1237 	return (error);
1238 #endif
1239 }
1240 
1241 static int
1242 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1243 {
1244 	int i, error = 0;
1245 
1246 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1247 	for (i = 0; i < len && error == 0; i += 4)
1248 		error = run_write(sc, reg + i, val);
1249 	return (error);
1250 }
1251 
1252 /* Read 16-bit from eFUSE ROM (RT3070 only.) */
1253 static int
1254 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1255 {
1256 	uint32_t tmp;
1257 	uint16_t reg;
1258 	int error, ntries;
1259 
1260 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1261 		return (error);
1262 
1263 	addr *= 2;
1264 	/*-
1265 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1266 	 * DATA0: F E D C
1267 	 * DATA1: B A 9 8
1268 	 * DATA2: 7 6 5 4
1269 	 * DATA3: 3 2 1 0
1270 	 */
1271 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1272 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1273 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1274 	for (ntries = 0; ntries < 100; ntries++) {
1275 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1276 			return (error);
1277 		if (!(tmp & RT3070_EFSROM_KICK))
1278 			break;
1279 		run_delay(sc, 2);
1280 	}
1281 	if (ntries == 100)
1282 		return (ETIMEDOUT);
1283 
1284 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1285 		*val = 0xffff;	/* address not found */
1286 		return (0);
1287 	}
1288 	/* determine to which 32-bit register our 16-bit word belongs */
1289 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1290 	if ((error = run_read(sc, reg, &tmp)) != 0)
1291 		return (error);
1292 
1293 	*val = (addr & 2) ? tmp >> 16 : tmp & 0xffff;
1294 	return (0);
1295 }
1296 
1297 static int
1298 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1299 {
1300 	usb_device_request_t req;
1301 	uint16_t tmp;
1302 	int error;
1303 
1304 	addr *= 2;
1305 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1306 	req.bRequest = RT2870_EEPROM_READ;
1307 	USETW(req.wValue, 0);
1308 	USETW(req.wIndex, addr);
1309 	USETW(req.wLength, sizeof tmp);
1310 
1311 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1312 	if (error == 0)
1313 		*val = le16toh(tmp);
1314 	else
1315 		*val = 0xffff;
1316 	return (error);
1317 }
1318 
1319 static __inline int
1320 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1321 {
1322 	/* either eFUSE ROM or EEPROM */
1323 	return sc->sc_srom_read(sc, addr, val);
1324 }
1325 
1326 static int
1327 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1328 {
1329 	uint32_t tmp;
1330 	int error, ntries;
1331 
1332 	for (ntries = 0; ntries < 10; ntries++) {
1333 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1334 			return (error);
1335 		if (!(tmp & RT2860_RF_REG_CTRL))
1336 			break;
1337 	}
1338 	if (ntries == 10)
1339 		return (ETIMEDOUT);
1340 
1341 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1342 }
1343 
1344 static int
1345 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1346 {
1347 	uint32_t tmp;
1348 	int error, ntries;
1349 
1350 	for (ntries = 0; ntries < 100; ntries++) {
1351 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1352 			return (error);
1353 		if (!(tmp & RT3070_RF_KICK))
1354 			break;
1355 	}
1356 	if (ntries == 100)
1357 		return (ETIMEDOUT);
1358 
1359 	tmp = RT3070_RF_KICK | reg << 8;
1360 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1361 		return (error);
1362 
1363 	for (ntries = 0; ntries < 100; ntries++) {
1364 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1365 			return (error);
1366 		if (!(tmp & RT3070_RF_KICK))
1367 			break;
1368 	}
1369 	if (ntries == 100)
1370 		return (ETIMEDOUT);
1371 
1372 	*val = tmp & 0xff;
1373 	return (0);
1374 }
1375 
1376 static int
1377 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1378 {
1379 	uint32_t tmp;
1380 	int error, ntries;
1381 
1382 	for (ntries = 0; ntries < 10; ntries++) {
1383 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1384 			return (error);
1385 		if (!(tmp & RT3070_RF_KICK))
1386 			break;
1387 	}
1388 	if (ntries == 10)
1389 		return (ETIMEDOUT);
1390 
1391 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1392 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1393 }
1394 
1395 static int
1396 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1397 {
1398 	uint32_t tmp;
1399 	int ntries, error;
1400 
1401 	for (ntries = 0; ntries < 10; ntries++) {
1402 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1403 			return (error);
1404 		if (!(tmp & RT2860_BBP_CSR_KICK))
1405 			break;
1406 	}
1407 	if (ntries == 10)
1408 		return (ETIMEDOUT);
1409 
1410 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1411 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1412 		return (error);
1413 
1414 	for (ntries = 0; ntries < 10; ntries++) {
1415 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1416 			return (error);
1417 		if (!(tmp & RT2860_BBP_CSR_KICK))
1418 			break;
1419 	}
1420 	if (ntries == 10)
1421 		return (ETIMEDOUT);
1422 
1423 	*val = tmp & 0xff;
1424 	return (0);
1425 }
1426 
1427 static int
1428 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1429 {
1430 	uint32_t tmp;
1431 	int ntries, error;
1432 
1433 	for (ntries = 0; ntries < 10; ntries++) {
1434 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1435 			return (error);
1436 		if (!(tmp & RT2860_BBP_CSR_KICK))
1437 			break;
1438 	}
1439 	if (ntries == 10)
1440 		return (ETIMEDOUT);
1441 
1442 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1443 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1444 }
1445 
1446 /*
1447  * Send a command to the 8051 microcontroller unit.
1448  */
1449 static int
1450 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1451 {
1452 	uint32_t tmp;
1453 	int error, ntries;
1454 
1455 	for (ntries = 0; ntries < 100; ntries++) {
1456 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1457 			return error;
1458 		if (!(tmp & RT2860_H2M_BUSY))
1459 			break;
1460 	}
1461 	if (ntries == 100)
1462 		return ETIMEDOUT;
1463 
1464 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1465 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1466 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1467 	return (error);
1468 }
1469 
1470 /*
1471  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1472  * Used to adjust per-rate Tx power registers.
1473  */
1474 static __inline uint32_t
1475 b4inc(uint32_t b32, int8_t delta)
1476 {
1477 	int8_t i, b4;
1478 
1479 	for (i = 0; i < 8; i++) {
1480 		b4 = b32 & 0xf;
1481 		b4 += delta;
1482 		if (b4 < 0)
1483 			b4 = 0;
1484 		else if (b4 > 0xf)
1485 			b4 = 0xf;
1486 		b32 = b32 >> 4 | b4 << 28;
1487 	}
1488 	return (b32);
1489 }
1490 
1491 static const char *
1492 run_get_rf(uint16_t rev)
1493 {
1494 	switch (rev) {
1495 	case RT2860_RF_2820:	return "RT2820";
1496 	case RT2860_RF_2850:	return "RT2850";
1497 	case RT2860_RF_2720:	return "RT2720";
1498 	case RT2860_RF_2750:	return "RT2750";
1499 	case RT3070_RF_3020:	return "RT3020";
1500 	case RT3070_RF_2020:	return "RT2020";
1501 	case RT3070_RF_3021:	return "RT3021";
1502 	case RT3070_RF_3022:	return "RT3022";
1503 	case RT3070_RF_3052:	return "RT3052";
1504 	case RT5592_RF_5592:	return "RT5592";
1505 	case RT5390_RF_5370:	return "RT5370";
1506 	case RT5390_RF_5372:	return "RT5372";
1507 	}
1508 	return ("unknown");
1509 }
1510 
1511 static int
1512 run_read_eeprom(struct run_softc *sc)
1513 {
1514 	int8_t delta_2ghz, delta_5ghz;
1515 	uint32_t tmp;
1516 	uint16_t val;
1517 	int ridx, ant, i;
1518 
1519 	/* check whether the ROM is eFUSE ROM or EEPROM */
1520 	sc->sc_srom_read = run_eeprom_read_2;
1521 	if (sc->mac_ver >= 0x3070) {
1522 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1523 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1524 		if (tmp & RT3070_SEL_EFUSE)
1525 			sc->sc_srom_read = run_efuse_read_2;
1526 	}
1527 
1528 	/* read ROM version */
1529 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1530 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1531 
1532 	/* read MAC address */
1533 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1534 	sc->sc_bssid[0] = val & 0xff;
1535 	sc->sc_bssid[1] = val >> 8;
1536 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1537 	sc->sc_bssid[2] = val & 0xff;
1538 	sc->sc_bssid[3] = val >> 8;
1539 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1540 	sc->sc_bssid[4] = val & 0xff;
1541 	sc->sc_bssid[5] = val >> 8;
1542 
1543 	if (sc->mac_ver < 0x5390) {
1544 		/* read vender BBP settings */
1545 		for (i = 0; i < 10; i++) {
1546 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1547 			sc->bbp[i].val = val & 0xff;
1548 			sc->bbp[i].reg = val >> 8;
1549 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1550 			    sc->bbp[i].val);
1551 		}
1552 		if (sc->mac_ver >= 0x3071) {
1553 			/* read vendor RF settings */
1554 			for (i = 0; i < 10; i++) {
1555 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1556 				   &val);
1557 				sc->rf[i].val = val & 0xff;
1558 				sc->rf[i].reg = val >> 8;
1559 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1560 				    sc->rf[i].val);
1561 			}
1562 		}
1563 	}
1564 
1565 	/* read RF frequency offset from EEPROM */
1566 	run_srom_read(sc, RT2860_EEPROM_FREQ_LEDS, &val);
1567 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1568 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1569 
1570 	if (val >> 8 != 0xff) {
1571 		/* read LEDs operating mode */
1572 		sc->leds = val >> 8;
1573 		run_srom_read(sc, RT2860_EEPROM_LED1, &sc->led[0]);
1574 		run_srom_read(sc, RT2860_EEPROM_LED2, &sc->led[1]);
1575 		run_srom_read(sc, RT2860_EEPROM_LED3, &sc->led[2]);
1576 	} else {
1577 		/* broken EEPROM, use default settings */
1578 		sc->leds = 0x01;
1579 		sc->led[0] = 0x5555;
1580 		sc->led[1] = 0x2221;
1581 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1582 	}
1583 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1584 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1585 
1586 	/* read RF information */
1587 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1588 		run_srom_read(sc, 0x00, &val);
1589 	else
1590 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1591 
1592 	if (val == 0xffff) {
1593 		DPRINTF("invalid EEPROM antenna info, using default\n");
1594 		if (sc->mac_ver == 0x3572) {
1595 			/* default to RF3052 2T2R */
1596 			sc->rf_rev = RT3070_RF_3052;
1597 			sc->ntxchains = 2;
1598 			sc->nrxchains = 2;
1599 		} else if (sc->mac_ver >= 0x3070) {
1600 			/* default to RF3020 1T1R */
1601 			sc->rf_rev = RT3070_RF_3020;
1602 			sc->ntxchains = 1;
1603 			sc->nrxchains = 1;
1604 		} else {
1605 			/* default to RF2820 1T2R */
1606 			sc->rf_rev = RT2860_RF_2820;
1607 			sc->ntxchains = 1;
1608 			sc->nrxchains = 2;
1609 		}
1610 	} else {
1611 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1612 			sc->rf_rev = val;
1613 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1614 		} else
1615 			sc->rf_rev = (val >> 8) & 0xf;
1616 		sc->ntxchains = (val >> 4) & 0xf;
1617 		sc->nrxchains = val & 0xf;
1618 	}
1619 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1620 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1621 
1622 	/* check if RF supports automatic Tx access gain control */
1623 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1624 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1625 	/* check if driver should patch the DAC issue */
1626 	if ((val >> 8) != 0xff)
1627 		sc->patch_dac = (val >> 15) & 1;
1628 	if ((val & 0xff) != 0xff) {
1629 		sc->ext_5ghz_lna = (val >> 3) & 1;
1630 		sc->ext_2ghz_lna = (val >> 2) & 1;
1631 		/* check if RF supports automatic Tx access gain control */
1632 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1633 		/* check if we have a hardware radio switch */
1634 		sc->rfswitch = val & 1;
1635 	}
1636 
1637 	/* read power settings for 2GHz channels */
1638 	for (i = 0; i < 14; i += 2) {
1639 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1640 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1641 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1642 
1643 		if (sc->mac_ver != 0x5390) {
1644 			run_srom_read(sc,
1645 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1646 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1647 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1648 		}
1649 	}
1650 	/* fix broken Tx power entries */
1651 	for (i = 0; i < 14; i++) {
1652 		if (sc->mac_ver >= 0x5390) {
1653 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1654 				sc->txpow1[i] = 5;
1655 		} else {
1656 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1657 				sc->txpow1[i] = 5;
1658 		}
1659 		if (sc->mac_ver > 0x5390) {
1660 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1661 				sc->txpow2[i] = 5;
1662 		} else if (sc->mac_ver < 0x5390) {
1663 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1664 				sc->txpow2[i] = 5;
1665 		}
1666 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1667 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1668 	}
1669 	/* read power settings for 5GHz channels */
1670 	for (i = 0; i < 40; i += 2) {
1671 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1672 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1673 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1674 
1675 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1676 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1677 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1678 	}
1679 	/* fix broken Tx power entries */
1680 	for (i = 0; i < 40; i++ ) {
1681 		if (sc->mac_ver != 0x5592) {
1682 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1683 				sc->txpow1[14 + i] = 5;
1684 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1685 				sc->txpow2[14 + i] = 5;
1686 		}
1687 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1688 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1689 		    sc->txpow2[14 + i]);
1690 	}
1691 
1692 	/* read Tx power compensation for each Tx rate */
1693 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1694 	delta_2ghz = delta_5ghz = 0;
1695 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1696 		delta_2ghz = val & 0xf;
1697 		if (!(val & 0x40))	/* negative number */
1698 			delta_2ghz = -delta_2ghz;
1699 	}
1700 	val >>= 8;
1701 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1702 		delta_5ghz = val & 0xf;
1703 		if (!(val & 0x40))	/* negative number */
1704 			delta_5ghz = -delta_5ghz;
1705 	}
1706 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1707 	    delta_2ghz, delta_5ghz);
1708 
1709 	for (ridx = 0; ridx < 5; ridx++) {
1710 		uint32_t reg;
1711 
1712 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1713 		reg = val;
1714 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1715 		reg |= (uint32_t)val << 16;
1716 
1717 		sc->txpow20mhz[ridx] = reg;
1718 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1719 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1720 
1721 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1722 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1723 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1724 	}
1725 
1726 	/* read RSSI offsets and LNA gains from EEPROM */
1727 	run_srom_read(sc, RT2860_EEPROM_RSSI1_2GHZ, &val);
1728 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1729 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1730 	run_srom_read(sc, RT2860_EEPROM_RSSI2_2GHZ, &val);
1731 	if (sc->mac_ver >= 0x3070) {
1732 		/*
1733 		 * On RT3070 chips (limited to 2 Rx chains), this ROM
1734 		 * field contains the Tx mixer gain for the 2GHz band.
1735 		 */
1736 		if ((val & 0xff) != 0xff)
1737 			sc->txmixgain_2ghz = val & 0x7;
1738 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1739 	} else
1740 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1741 	sc->lna[2] = val >> 8;		/* channel group 2 */
1742 
1743 	run_srom_read(sc, RT2860_EEPROM_RSSI1_5GHZ, &val);
1744 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1745 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1746 	run_srom_read(sc, RT2860_EEPROM_RSSI2_5GHZ, &val);
1747 	if (sc->mac_ver == 0x3572) {
1748 		/*
1749 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1750 		 * field contains the Tx mixer gain for the 5GHz band.
1751 		 */
1752 		if ((val & 0xff) != 0xff)
1753 			sc->txmixgain_5ghz = val & 0x7;
1754 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1755 	} else
1756 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1757 	sc->lna[3] = val >> 8;		/* channel group 3 */
1758 
1759 	run_srom_read(sc, RT2860_EEPROM_LNA, &val);
1760 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1761 	sc->lna[1] = val >> 8;		/* channel group 1 */
1762 
1763 	/* fix broken 5GHz LNA entries */
1764 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1765 		DPRINTF("invalid LNA for channel group %d\n", 2);
1766 		sc->lna[2] = sc->lna[1];
1767 	}
1768 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1769 		DPRINTF("invalid LNA for channel group %d\n", 3);
1770 		sc->lna[3] = sc->lna[1];
1771 	}
1772 
1773 	/* fix broken RSSI offset entries */
1774 	for (ant = 0; ant < 3; ant++) {
1775 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1776 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1777 			    ant + 1, sc->rssi_2ghz[ant]);
1778 			sc->rssi_2ghz[ant] = 0;
1779 		}
1780 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1781 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1782 			    ant + 1, sc->rssi_5ghz[ant]);
1783 			sc->rssi_5ghz[ant] = 0;
1784 		}
1785 	}
1786 	return (0);
1787 }
1788 
1789 static struct ieee80211_node *
1790 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1791 {
1792 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1793 }
1794 
1795 static int
1796 run_media_change(struct ifnet *ifp)
1797 {
1798 	struct ieee80211vap *vap = ifp->if_softc;
1799 	struct ieee80211com *ic = vap->iv_ic;
1800 	const struct ieee80211_txparam *tp;
1801 	struct run_softc *sc = ic->ic_ifp->if_softc;
1802 	uint8_t rate, ridx;
1803 	int error;
1804 
1805 	RUN_LOCK(sc);
1806 
1807 	error = ieee80211_media_change(ifp);
1808 	if (error != ENETRESET) {
1809 		RUN_UNLOCK(sc);
1810 		return (error);
1811 	}
1812 
1813 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
1814 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
1815 		struct ieee80211_node *ni;
1816 		struct run_node	*rn;
1817 
1818 		rate = ic->ic_sup_rates[ic->ic_curmode].
1819 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
1820 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
1821 			if (rt2860_rates[ridx].rate == rate)
1822 				break;
1823 		ni = ieee80211_ref_node(vap->iv_bss);
1824 		rn = (struct run_node *)ni;
1825 		rn->fix_ridx = ridx;
1826 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
1827 		ieee80211_free_node(ni);
1828 	}
1829 
1830 #if 0
1831 	if ((ifp->if_flags & IFF_UP) &&
1832 	    (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
1833 		run_init_locked(sc);
1834 	}
1835 #endif
1836 
1837 	RUN_UNLOCK(sc);
1838 
1839 	return (0);
1840 }
1841 
1842 static int
1843 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
1844 {
1845 	const struct ieee80211_txparam *tp;
1846 	struct ieee80211com *ic = vap->iv_ic;
1847 	struct run_softc *sc = ic->ic_ifp->if_softc;
1848 	struct run_vap *rvp = RUN_VAP(vap);
1849 	enum ieee80211_state ostate;
1850 	uint32_t sta[3];
1851 	uint32_t tmp;
1852 	uint8_t ratectl;
1853 	uint8_t restart_ratectl = 0;
1854 	uint8_t bid = 1 << rvp->rvp_id;
1855 
1856 	ostate = vap->iv_state;
1857 	DPRINTF("%s -> %s\n",
1858 		ieee80211_state_name[ostate],
1859 		ieee80211_state_name[nstate]);
1860 
1861 	IEEE80211_UNLOCK(ic);
1862 	RUN_LOCK(sc);
1863 
1864 	ratectl = sc->ratectl_run; /* remember current state */
1865 	sc->ratectl_run = RUN_RATECTL_OFF;
1866 	usb_callout_stop(&sc->ratectl_ch);
1867 
1868 	if (ostate == IEEE80211_S_RUN) {
1869 		/* turn link LED off */
1870 		run_set_leds(sc, RT2860_LED_RADIO);
1871 	}
1872 
1873 	switch (nstate) {
1874 	case IEEE80211_S_INIT:
1875 		restart_ratectl = 1;
1876 
1877 		if (ostate != IEEE80211_S_RUN)
1878 			break;
1879 
1880 		ratectl &= ~bid;
1881 		sc->runbmap &= ~bid;
1882 
1883 		/* abort TSF synchronization if there is no vap running */
1884 		if (--sc->running == 0) {
1885 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
1886 			run_write(sc, RT2860_BCN_TIME_CFG,
1887 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
1888 			    RT2860_TBTT_TIMER_EN));
1889 		}
1890 		break;
1891 
1892 	case IEEE80211_S_RUN:
1893 		if (!(sc->runbmap & bid)) {
1894 			if(sc->running++)
1895 				restart_ratectl = 1;
1896 			sc->runbmap |= bid;
1897 		}
1898 
1899 		m_freem(rvp->beacon_mbuf);
1900 		rvp->beacon_mbuf = NULL;
1901 
1902 		switch (vap->iv_opmode) {
1903 		case IEEE80211_M_HOSTAP:
1904 		case IEEE80211_M_MBSS:
1905 			sc->ap_running |= bid;
1906 			ic->ic_opmode = vap->iv_opmode;
1907 			run_update_beacon_cb(vap);
1908 			break;
1909 		case IEEE80211_M_IBSS:
1910 			sc->adhoc_running |= bid;
1911 			if (!sc->ap_running)
1912 				ic->ic_opmode = vap->iv_opmode;
1913 			run_update_beacon_cb(vap);
1914 			break;
1915 		case IEEE80211_M_STA:
1916 			sc->sta_running |= bid;
1917 			if (!sc->ap_running && !sc->adhoc_running)
1918 				ic->ic_opmode = vap->iv_opmode;
1919 
1920 			/* read statistic counters (clear on read) */
1921 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
1922 			    (uint8_t *)sta, sizeof sta);
1923 
1924 			break;
1925 		default:
1926 			ic->ic_opmode = vap->iv_opmode;
1927 			break;
1928 		}
1929 
1930 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
1931 			struct ieee80211_node *ni;
1932 
1933 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
1934 				RUN_UNLOCK(sc);
1935 				IEEE80211_LOCK(ic);
1936 				return (-1);
1937 			}
1938 			run_updateslot(ic->ic_ifp);
1939 			run_enable_mrr(sc);
1940 			run_set_txpreamble(sc);
1941 			run_set_basicrates(sc);
1942 			ni = ieee80211_ref_node(vap->iv_bss);
1943 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
1944 			run_set_bssid(sc, ni->ni_bssid);
1945 			ieee80211_free_node(ni);
1946 			run_enable_tsf_sync(sc);
1947 
1948 			/* enable automatic rate adaptation */
1949 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
1950 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
1951 				ratectl |= bid;
1952 		}
1953 
1954 		/* turn link LED on */
1955 		run_set_leds(sc, RT2860_LED_RADIO |
1956 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
1957 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
1958 
1959 		break;
1960 	default:
1961 		DPRINTFN(6, "undefined case\n");
1962 		break;
1963 	}
1964 
1965 	/* restart amrr for running VAPs */
1966 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
1967 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
1968 
1969 	RUN_UNLOCK(sc);
1970 	IEEE80211_LOCK(ic);
1971 
1972 	return(rvp->newstate(vap, nstate, arg));
1973 }
1974 
1975 /* ARGSUSED */
1976 static void
1977 run_wme_update_cb(void *arg)
1978 {
1979 	struct ieee80211com *ic = arg;
1980 	struct run_softc *sc = ic->ic_ifp->if_softc;
1981 	struct ieee80211_wme_state *wmesp = &ic->ic_wme;
1982 	int aci, error = 0;
1983 
1984 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1985 
1986 	/* update MAC TX configuration registers */
1987 	for (aci = 0; aci < WME_NUM_AC; aci++) {
1988 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
1989 		    wmesp->wme_params[aci].wmep_logcwmax << 16 |
1990 		    wmesp->wme_params[aci].wmep_logcwmin << 12 |
1991 		    wmesp->wme_params[aci].wmep_aifsn  <<  8 |
1992 		    wmesp->wme_params[aci].wmep_txopLimit);
1993 		if (error) goto err;
1994 	}
1995 
1996 	/* update SCH/DMA registers too */
1997 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
1998 	    wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
1999 	    wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2000 	    wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2001 	    wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2002 	if (error) goto err;
2003 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2004 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2005 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2006 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2007 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2008 	if (error) goto err;
2009 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2010 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2011 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2012 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2013 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2014 	if (error) goto err;
2015 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2016 	    wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2017 	    wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2018 	if (error) goto err;
2019 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2020 	    wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2021 	    wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2022 
2023 err:
2024 	if (error)
2025 		DPRINTF("WME update failed\n");
2026 
2027 	return;
2028 }
2029 
2030 static int
2031 run_wme_update(struct ieee80211com *ic)
2032 {
2033 	struct run_softc *sc = ic->ic_ifp->if_softc;
2034 
2035 	/* sometime called wothout lock */
2036 	if (mtx_owned(&ic->ic_comlock.mtx)) {
2037 		uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2038 		DPRINTF("cmdq_store=%d\n", i);
2039 		sc->cmdq[i].func = run_wme_update_cb;
2040 		sc->cmdq[i].arg0 = ic;
2041 		ieee80211_runtask(ic, &sc->cmdq_task);
2042 		return (0);
2043 	}
2044 
2045 	RUN_LOCK(sc);
2046 	run_wme_update_cb(ic);
2047 	RUN_UNLOCK(sc);
2048 
2049 	/* return whatever, upper layer desn't care anyway */
2050 	return (0);
2051 }
2052 
2053 static void
2054 run_key_update_begin(struct ieee80211vap *vap)
2055 {
2056 	/*
2057 	 * To avoid out-of-order events, both run_key_set() and
2058 	 * _delete() are deferred and handled by run_cmdq_cb().
2059 	 * So, there is nothing we need to do here.
2060 	 */
2061 }
2062 
2063 static void
2064 run_key_update_end(struct ieee80211vap *vap)
2065 {
2066 	/* null */
2067 }
2068 
2069 static void
2070 run_key_set_cb(void *arg)
2071 {
2072 	struct run_cmdq *cmdq = arg;
2073 	struct ieee80211vap *vap = cmdq->arg1;
2074 	struct ieee80211_key *k = cmdq->k;
2075 	struct ieee80211com *ic = vap->iv_ic;
2076 	struct run_softc *sc = ic->ic_ifp->if_softc;
2077 	struct ieee80211_node *ni;
2078 	uint32_t attr;
2079 	uint16_t base, associd;
2080 	uint8_t mode, wcid, iv[8];
2081 
2082 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2083 
2084 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2085 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2086 	else
2087 		ni = vap->iv_bss;
2088 	associd = (ni != NULL) ? ni->ni_associd : 0;
2089 
2090 	/* map net80211 cipher to RT2860 security mode */
2091 	switch (k->wk_cipher->ic_cipher) {
2092 	case IEEE80211_CIPHER_WEP:
2093 		if(k->wk_keylen < 8)
2094 			mode = RT2860_MODE_WEP40;
2095 		else
2096 			mode = RT2860_MODE_WEP104;
2097 		break;
2098 	case IEEE80211_CIPHER_TKIP:
2099 		mode = RT2860_MODE_TKIP;
2100 		break;
2101 	case IEEE80211_CIPHER_AES_CCM:
2102 		mode = RT2860_MODE_AES_CCMP;
2103 		break;
2104 	default:
2105 		DPRINTF("undefined case\n");
2106 		return;
2107 	}
2108 
2109 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2110 	    associd, k->wk_keyix, mode,
2111 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2112 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2113 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2114 
2115 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2116 		wcid = 0;	/* NB: update WCID0 for group keys */
2117 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2118 	} else {
2119 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2120 		    1 : RUN_AID2WCID(associd);
2121 		base = RT2860_PKEY(wcid);
2122 	}
2123 
2124 	if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2125 		if(run_write_region_1(sc, base, k->wk_key, 16))
2126 			return;
2127 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2128 			return;
2129 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2130 			return;
2131 	} else {
2132 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2133 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2134 			return;
2135 	}
2136 
2137 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2138 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2139 		/* set initial packet number in IV+EIV */
2140 		if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2141 			memset(iv, 0, sizeof iv);
2142 			iv[3] = vap->iv_def_txkey << 6;
2143 		} else {
2144 			if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2145 				iv[0] = k->wk_keytsc >> 8;
2146 				iv[1] = (iv[0] | 0x20) & 0x7f;
2147 				iv[2] = k->wk_keytsc;
2148 			} else /* CCMP */ {
2149 				iv[0] = k->wk_keytsc;
2150 				iv[1] = k->wk_keytsc >> 8;
2151 				iv[2] = 0;
2152 			}
2153 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2154 			iv[4] = k->wk_keytsc >> 16;
2155 			iv[5] = k->wk_keytsc >> 24;
2156 			iv[6] = k->wk_keytsc >> 32;
2157 			iv[7] = k->wk_keytsc >> 40;
2158 		}
2159 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2160 			return;
2161 	}
2162 
2163 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2164 		/* install group key */
2165 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2166 			return;
2167 		attr &= ~(0xf << (k->wk_keyix * 4));
2168 		attr |= mode << (k->wk_keyix * 4);
2169 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2170 			return;
2171 	} else {
2172 		/* install pairwise key */
2173 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2174 			return;
2175 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2176 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2177 			return;
2178 	}
2179 
2180 	/* TODO create a pass-thru key entry? */
2181 
2182 	/* need wcid to delete the right key later */
2183 	k->wk_pad = wcid;
2184 }
2185 
2186 /*
2187  * Don't have to be deferred, but in order to keep order of
2188  * execution, i.e. with run_key_delete(), defer this and let
2189  * run_cmdq_cb() maintain the order.
2190  *
2191  * return 0 on error
2192  */
2193 static int
2194 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2195 		const uint8_t mac[IEEE80211_ADDR_LEN])
2196 {
2197 	struct ieee80211com *ic = vap->iv_ic;
2198 	struct run_softc *sc = ic->ic_ifp->if_softc;
2199 	uint32_t i;
2200 
2201 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2202 	DPRINTF("cmdq_store=%d\n", i);
2203 	sc->cmdq[i].func = run_key_set_cb;
2204 	sc->cmdq[i].arg0 = NULL;
2205 	sc->cmdq[i].arg1 = vap;
2206 	sc->cmdq[i].k = k;
2207 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2208 	ieee80211_runtask(ic, &sc->cmdq_task);
2209 
2210 	/*
2211 	 * To make sure key will be set when hostapd
2212 	 * calls iv_key_set() before if_init().
2213 	 */
2214 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2215 		RUN_LOCK(sc);
2216 		sc->cmdq_key_set = RUN_CMDQ_GO;
2217 		RUN_UNLOCK(sc);
2218 	}
2219 
2220 	return (1);
2221 }
2222 
2223 /*
2224  * If wlan is destroyed without being brought down i.e. without
2225  * wlan down or wpa_cli terminate, this function is called after
2226  * vap is gone. Don't refer it.
2227  */
2228 static void
2229 run_key_delete_cb(void *arg)
2230 {
2231 	struct run_cmdq *cmdq = arg;
2232 	struct run_softc *sc = cmdq->arg1;
2233 	struct ieee80211_key *k = &cmdq->key;
2234 	uint32_t attr;
2235 	uint8_t wcid;
2236 
2237 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2238 
2239 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2240 		/* remove group key */
2241 		DPRINTF("removing group key\n");
2242 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2243 		attr &= ~(0xf << (k->wk_keyix * 4));
2244 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2245 	} else {
2246 		/* remove pairwise key */
2247 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2248 		/* matching wcid was written to wk_pad in run_key_set() */
2249 		wcid = k->wk_pad;
2250 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2251 		attr &= ~0xf;
2252 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2253 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2254 	}
2255 
2256 	k->wk_pad = 0;
2257 }
2258 
2259 /*
2260  * return 0 on error
2261  */
2262 static int
2263 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2264 {
2265 	struct ieee80211com *ic = vap->iv_ic;
2266 	struct run_softc *sc = ic->ic_ifp->if_softc;
2267 	struct ieee80211_key *k0;
2268 	uint32_t i;
2269 
2270 	/*
2271 	 * When called back, key might be gone. So, make a copy
2272 	 * of some values need to delete keys before deferring.
2273 	 * But, because of LOR with node lock, cannot use lock here.
2274 	 * So, use atomic instead.
2275 	 */
2276 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2277 	DPRINTF("cmdq_store=%d\n", i);
2278 	sc->cmdq[i].func = run_key_delete_cb;
2279 	sc->cmdq[i].arg0 = NULL;
2280 	sc->cmdq[i].arg1 = sc;
2281 	k0 = &sc->cmdq[i].key;
2282 	k0->wk_flags = k->wk_flags;
2283 	k0->wk_keyix = k->wk_keyix;
2284 	/* matching wcid was written to wk_pad in run_key_set() */
2285 	k0->wk_pad = k->wk_pad;
2286 	ieee80211_runtask(ic, &sc->cmdq_task);
2287 	return (1);	/* return fake success */
2288 
2289 }
2290 
2291 static void
2292 run_ratectl_to(void *arg)
2293 {
2294 	struct run_softc *sc = arg;
2295 
2296 	/* do it in a process context, so it can go sleep */
2297 	ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2298 	/* next timeout will be rescheduled in the callback task */
2299 }
2300 
2301 /* ARGSUSED */
2302 static void
2303 run_ratectl_cb(void *arg, int pending)
2304 {
2305 	struct run_softc *sc = arg;
2306 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2307 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2308 
2309 	if (vap == NULL)
2310 		return;
2311 
2312 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA)
2313 		run_iter_func(sc, vap->iv_bss);
2314 	else {
2315 		/*
2316 		 * run_reset_livelock() doesn't do anything with AMRR,
2317 		 * but Ralink wants us to call it every 1 sec. So, we
2318 		 * piggyback here rather than creating another callout.
2319 		 * Livelock may occur only in HOSTAP or IBSS mode
2320 		 * (when h/w is sending beacons).
2321 		 */
2322 		RUN_LOCK(sc);
2323 		run_reset_livelock(sc);
2324 		/* just in case, there are some stats to drain */
2325 		run_drain_fifo(sc);
2326 		RUN_UNLOCK(sc);
2327 		ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2328 	}
2329 
2330 	RUN_LOCK(sc);
2331 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2332 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2333 	RUN_UNLOCK(sc);
2334 }
2335 
2336 static void
2337 run_drain_fifo(void *arg)
2338 {
2339 	struct run_softc *sc = arg;
2340 	struct ifnet *ifp = sc->sc_ifp;
2341 	uint32_t stat;
2342 	uint16_t (*wstat)[3];
2343 	uint8_t wcid, mcs, pid;
2344 	int8_t retry;
2345 
2346 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2347 
2348 	for (;;) {
2349 		/* drain Tx status FIFO (maxsize = 16) */
2350 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2351 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2352 		if (!(stat & RT2860_TXQ_VLD))
2353 			break;
2354 
2355 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2356 
2357 		/* if no ACK was requested, no feedback is available */
2358 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2359 		    wcid == 0)
2360 			continue;
2361 
2362 		/*
2363 		 * Even though each stat is Tx-complete-status like format,
2364 		 * the device can poll stats. Because there is no guarantee
2365 		 * that the referring node is still around when read the stats.
2366 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2367 		 * have hard time not to refer already freed node.
2368 		 *
2369 		 * To eliminate such page faults, we poll stats in softc.
2370 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2371 		 */
2372 		wstat = &(sc->wcid_stats[wcid]);
2373 		(*wstat)[RUN_TXCNT]++;
2374 		if (stat & RT2860_TXQ_OK)
2375 			(*wstat)[RUN_SUCCESS]++;
2376 		else
2377 			ifp->if_oerrors++;
2378 		/*
2379 		 * Check if there were retries, ie if the Tx success rate is
2380 		 * different from the requested rate. Note that it works only
2381 		 * because we do not allow rate fallback from OFDM to CCK.
2382 		 */
2383 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2384 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2385 		if ((retry = pid -1 - mcs) > 0) {
2386 			(*wstat)[RUN_TXCNT] += retry;
2387 			(*wstat)[RUN_RETRY] += retry;
2388 		}
2389 	}
2390 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2391 
2392 	sc->fifo_cnt = 0;
2393 }
2394 
2395 static void
2396 run_iter_func(void *arg, struct ieee80211_node *ni)
2397 {
2398 	struct run_softc *sc = arg;
2399 	struct ieee80211vap *vap = ni->ni_vap;
2400 	struct ieee80211com *ic = ni->ni_ic;
2401 	struct ifnet *ifp = ic->ic_ifp;
2402 	struct run_node *rn = (void *)ni;
2403 	union run_stats sta[2];
2404 	uint16_t (*wstat)[3];
2405 	int txcnt, success, retrycnt, error;
2406 
2407 	RUN_LOCK(sc);
2408 
2409 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2410 	    vap->iv_opmode == IEEE80211_M_STA)) {
2411 		/* read statistic counters (clear on read) and update AMRR state */
2412 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2413 		    sizeof sta);
2414 		if (error != 0)
2415 			goto fail;
2416 
2417 		/* count failed TX as errors */
2418 		ifp->if_oerrors += le16toh(sta[0].error.fail);
2419 
2420 		retrycnt = le16toh(sta[1].tx.retry);
2421 		success = le16toh(sta[1].tx.success);
2422 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2423 
2424 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2425 			retrycnt, success, le16toh(sta[0].error.fail));
2426 	} else {
2427 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2428 
2429 		if (wstat == &(sc->wcid_stats[0]) ||
2430 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2431 			goto fail;
2432 
2433 		txcnt = (*wstat)[RUN_TXCNT];
2434 		success = (*wstat)[RUN_SUCCESS];
2435 		retrycnt = (*wstat)[RUN_RETRY];
2436 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2437 		    retrycnt, txcnt, success);
2438 
2439 		memset(wstat, 0, sizeof(*wstat));
2440 	}
2441 
2442 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2443 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2444 
2445 fail:
2446 	RUN_UNLOCK(sc);
2447 
2448 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2449 }
2450 
2451 static void
2452 run_newassoc_cb(void *arg)
2453 {
2454 	struct run_cmdq *cmdq = arg;
2455 	struct ieee80211_node *ni = cmdq->arg1;
2456 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2457 	uint8_t wcid = cmdq->wcid;
2458 
2459 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2460 
2461 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2462 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2463 
2464 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2465 }
2466 
2467 static void
2468 run_newassoc(struct ieee80211_node *ni, int isnew)
2469 {
2470 	struct run_node *rn = (void *)ni;
2471 	struct ieee80211_rateset *rs = &ni->ni_rates;
2472 	struct ieee80211vap *vap = ni->ni_vap;
2473 	struct ieee80211com *ic = vap->iv_ic;
2474 	struct run_softc *sc = ic->ic_ifp->if_softc;
2475 	uint8_t rate;
2476 	uint8_t ridx;
2477 	uint8_t wcid;
2478 	int i, j;
2479 
2480 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2481 	    1 : RUN_AID2WCID(ni->ni_associd);
2482 
2483 	if (wcid > RT2870_WCID_MAX) {
2484 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2485 		return;
2486 	}
2487 
2488 	/* only interested in true associations */
2489 	if (isnew && ni->ni_associd != 0) {
2490 
2491 		/*
2492 		 * This function could is called though timeout function.
2493 		 * Need to defer.
2494 		 */
2495 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2496 		DPRINTF("cmdq_store=%d\n", cnt);
2497 		sc->cmdq[cnt].func = run_newassoc_cb;
2498 		sc->cmdq[cnt].arg0 = NULL;
2499 		sc->cmdq[cnt].arg1 = ni;
2500 		sc->cmdq[cnt].wcid = wcid;
2501 		ieee80211_runtask(ic, &sc->cmdq_task);
2502 	}
2503 
2504 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2505 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2506 
2507 	for (i = 0; i < rs->rs_nrates; i++) {
2508 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2509 		/* convert 802.11 rate to hardware rate index */
2510 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2511 			if (rt2860_rates[ridx].rate == rate)
2512 				break;
2513 		rn->ridx[i] = ridx;
2514 		/* determine rate of control response frames */
2515 		for (j = i; j >= 0; j--) {
2516 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2517 			    rt2860_rates[rn->ridx[i]].phy ==
2518 			    rt2860_rates[rn->ridx[j]].phy)
2519 				break;
2520 		}
2521 		if (j >= 0) {
2522 			rn->ctl_ridx[i] = rn->ridx[j];
2523 		} else {
2524 			/* no basic rate found, use mandatory one */
2525 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2526 		}
2527 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2528 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2529 	}
2530 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2531 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2532 		if (rt2860_rates[ridx].rate == rate)
2533 			break;
2534 	rn->mgt_ridx = ridx;
2535 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2536 
2537 	usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2538 }
2539 
2540 /*
2541  * Return the Rx chain with the highest RSSI for a given frame.
2542  */
2543 static __inline uint8_t
2544 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2545 {
2546 	uint8_t rxchain = 0;
2547 
2548 	if (sc->nrxchains > 1) {
2549 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2550 			rxchain = 1;
2551 		if (sc->nrxchains > 2)
2552 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2553 				rxchain = 2;
2554 	}
2555 	return (rxchain);
2556 }
2557 
2558 static void
2559 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2560 {
2561 	struct ifnet *ifp = sc->sc_ifp;
2562 	struct ieee80211com *ic = ifp->if_l2com;
2563 	struct ieee80211_frame *wh;
2564 	struct ieee80211_node *ni;
2565 	struct rt2870_rxd *rxd;
2566 	struct rt2860_rxwi *rxwi;
2567 	uint32_t flags;
2568 	uint16_t len, rxwisize;
2569 	uint8_t ant, rssi;
2570 	int8_t nf;
2571 
2572 	rxwi = mtod(m, struct rt2860_rxwi *);
2573 	len = le16toh(rxwi->len) & 0xfff;
2574 	rxwisize = (sc->mac_ver == 0x5592) ?
2575 	    sizeof(struct rt2860_rxwi) + sizeof(uint64_t) :
2576 	    sizeof(struct rt2860_rxwi);
2577 	if (__predict_false(len > dmalen)) {
2578 		m_freem(m);
2579 		ifp->if_ierrors++;
2580 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2581 		return;
2582 	}
2583 	/* Rx descriptor is located at the end */
2584 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2585 	flags = le32toh(rxd->flags);
2586 
2587 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2588 		m_freem(m);
2589 		ifp->if_ierrors++;
2590 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2591 		return;
2592 	}
2593 
2594 	m->m_data += rxwisize;
2595 	m->m_pkthdr.len = m->m_len -= rxwisize;
2596 
2597 	wh = mtod(m, struct ieee80211_frame *);
2598 
2599 	if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2600 		wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
2601 		m->m_flags |= M_WEP;
2602 	}
2603 
2604 	if (flags & RT2860_RX_L2PAD) {
2605 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2606 		len += 2;
2607 	}
2608 
2609 	ni = ieee80211_find_rxnode(ic,
2610 	    mtod(m, struct ieee80211_frame_min *));
2611 
2612 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2613 		/* report MIC failures to net80211 for TKIP */
2614 		if (ni != NULL)
2615 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2616 			    rxwi->keyidx);
2617 		m_freem(m);
2618 		ifp->if_ierrors++;
2619 		DPRINTF("MIC error. Someone is lying.\n");
2620 		return;
2621 	}
2622 
2623 	ant = run_maxrssi_chain(sc, rxwi);
2624 	rssi = rxwi->rssi[ant];
2625 	nf = run_rssi2dbm(sc, rssi, ant);
2626 
2627 	m->m_pkthdr.rcvif = ifp;
2628 	m->m_pkthdr.len = m->m_len = len;
2629 
2630 	if (ni != NULL) {
2631 		(void)ieee80211_input(ni, m, rssi, nf);
2632 		ieee80211_free_node(ni);
2633 	} else {
2634 		(void)ieee80211_input_all(ic, m, rssi, nf);
2635 	}
2636 
2637 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2638 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2639 		uint16_t phy;
2640 
2641 		tap->wr_flags = 0;
2642 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2643 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2644 		tap->wr_antsignal = rssi;
2645 		tap->wr_antenna = ant;
2646 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2647 		tap->wr_rate = 2;	/* in case it can't be found below */
2648 		phy = le16toh(rxwi->phy);
2649 		switch (phy & RT2860_PHY_MODE) {
2650 		case RT2860_PHY_CCK:
2651 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2652 			case 0:	tap->wr_rate =   2; break;
2653 			case 1:	tap->wr_rate =   4; break;
2654 			case 2:	tap->wr_rate =  11; break;
2655 			case 3:	tap->wr_rate =  22; break;
2656 			}
2657 			if (phy & RT2860_PHY_SHPRE)
2658 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2659 			break;
2660 		case RT2860_PHY_OFDM:
2661 			switch (phy & RT2860_PHY_MCS) {
2662 			case 0:	tap->wr_rate =  12; break;
2663 			case 1:	tap->wr_rate =  18; break;
2664 			case 2:	tap->wr_rate =  24; break;
2665 			case 3:	tap->wr_rate =  36; break;
2666 			case 4:	tap->wr_rate =  48; break;
2667 			case 5:	tap->wr_rate =  72; break;
2668 			case 6:	tap->wr_rate =  96; break;
2669 			case 7:	tap->wr_rate = 108; break;
2670 			}
2671 			break;
2672 		}
2673 	}
2674 }
2675 
2676 static void
2677 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2678 {
2679 	struct run_softc *sc = usbd_xfer_softc(xfer);
2680 	struct ifnet *ifp = sc->sc_ifp;
2681 	struct mbuf *m = NULL;
2682 	struct mbuf *m0;
2683 	uint32_t dmalen;
2684 	uint16_t rxwisize;
2685 	int xferlen;
2686 
2687 	rxwisize = (sc->mac_ver == 0x5592) ?
2688 	    sizeof(struct rt2860_rxwi) + sizeof(uint64_t) :
2689 	    sizeof(struct rt2860_rxwi);
2690 
2691 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2692 
2693 	switch (USB_GET_STATE(xfer)) {
2694 	case USB_ST_TRANSFERRED:
2695 
2696 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2697 
2698 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2699 		    sizeof(struct rt2870_rxd))) {
2700 			DPRINTF("xfer too short %d\n", xferlen);
2701 			goto tr_setup;
2702 		}
2703 
2704 		m = sc->rx_m;
2705 		sc->rx_m = NULL;
2706 
2707 		/* FALLTHROUGH */
2708 	case USB_ST_SETUP:
2709 tr_setup:
2710 		if (sc->rx_m == NULL) {
2711 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2712 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2713 		}
2714 		if (sc->rx_m == NULL) {
2715 			DPRINTF("could not allocate mbuf - idle with stall\n");
2716 			ifp->if_ierrors++;
2717 			usbd_xfer_set_stall(xfer);
2718 			usbd_xfer_set_frames(xfer, 0);
2719 		} else {
2720 			/*
2721 			 * Directly loading a mbuf cluster into DMA to
2722 			 * save some data copying. This works because
2723 			 * there is only one cluster.
2724 			 */
2725 			usbd_xfer_set_frame_data(xfer, 0,
2726 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2727 			usbd_xfer_set_frames(xfer, 1);
2728 		}
2729 		usbd_transfer_submit(xfer);
2730 		break;
2731 
2732 	default:	/* Error */
2733 		if (error != USB_ERR_CANCELLED) {
2734 			/* try to clear stall first */
2735 			usbd_xfer_set_stall(xfer);
2736 
2737 			if (error == USB_ERR_TIMEOUT)
2738 				device_printf(sc->sc_dev, "device timeout\n");
2739 
2740 			ifp->if_ierrors++;
2741 
2742 			goto tr_setup;
2743 		}
2744 		if (sc->rx_m != NULL) {
2745 			m_freem(sc->rx_m);
2746 			sc->rx_m = NULL;
2747 		}
2748 		break;
2749 	}
2750 
2751 	if (m == NULL)
2752 		return;
2753 
2754 	/* inputting all the frames must be last */
2755 
2756 	RUN_UNLOCK(sc);
2757 
2758 	m->m_pkthdr.len = m->m_len = xferlen;
2759 
2760 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2761 	for(;;) {
2762 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2763 
2764 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2765 		    ((dmalen & 3) != 0)) {
2766 			DPRINTF("bad DMA length %u\n", dmalen);
2767 			break;
2768 		}
2769 		if ((dmalen + 8) > (uint32_t)xferlen) {
2770 			DPRINTF("bad DMA length %u > %d\n",
2771 			dmalen + 8, xferlen);
2772 			break;
2773 		}
2774 
2775 		/* If it is the last one or a single frame, we won't copy. */
2776 		if ((xferlen -= dmalen + 8) <= 8) {
2777 			/* trim 32-bit DMA-len header */
2778 			m->m_data += 4;
2779 			m->m_pkthdr.len = m->m_len -= 4;
2780 			run_rx_frame(sc, m, dmalen);
2781 			m = NULL;	/* don't free source buffer */
2782 			break;
2783 		}
2784 
2785 		/* copy aggregated frames to another mbuf */
2786 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2787 		if (__predict_false(m0 == NULL)) {
2788 			DPRINTF("could not allocate mbuf\n");
2789 			ifp->if_ierrors++;
2790 			break;
2791 		}
2792 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2793 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2794 		m0->m_pkthdr.len = m0->m_len =
2795 		    dmalen + sizeof(struct rt2870_rxd);
2796 		run_rx_frame(sc, m0, dmalen);
2797 
2798 		/* update data ptr */
2799 		m->m_data += dmalen + 8;
2800 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
2801 	}
2802 
2803 	/* make sure we free the source buffer, if any */
2804 	m_freem(m);
2805 
2806 	RUN_LOCK(sc);
2807 }
2808 
2809 static void
2810 run_tx_free(struct run_endpoint_queue *pq,
2811     struct run_tx_data *data, int txerr)
2812 {
2813 	if (data->m != NULL) {
2814 		if (data->m->m_flags & M_TXCB)
2815 			ieee80211_process_callback(data->ni, data->m,
2816 			    txerr ? ETIMEDOUT : 0);
2817 		m_freem(data->m);
2818 		data->m = NULL;
2819 
2820 		if (data->ni == NULL) {
2821 			DPRINTF("no node\n");
2822 		} else {
2823 			ieee80211_free_node(data->ni);
2824 			data->ni = NULL;
2825 		}
2826 	}
2827 
2828 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
2829 	pq->tx_nfree++;
2830 }
2831 
2832 static void
2833 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
2834 {
2835 	struct run_softc *sc = usbd_xfer_softc(xfer);
2836 	struct ifnet *ifp = sc->sc_ifp;
2837 	struct ieee80211com *ic = ifp->if_l2com;
2838 	struct run_tx_data *data;
2839 	struct ieee80211vap *vap = NULL;
2840 	struct usb_page_cache *pc;
2841 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
2842 	struct mbuf *m;
2843 	usb_frlength_t size;
2844 	int actlen;
2845 	int sumlen;
2846 
2847 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
2848 
2849 	switch (USB_GET_STATE(xfer)) {
2850 	case USB_ST_TRANSFERRED:
2851 		DPRINTFN(11, "transfer complete: %d "
2852 		    "bytes @ index %d\n", actlen, index);
2853 
2854 		data = usbd_xfer_get_priv(xfer);
2855 
2856 		run_tx_free(pq, data, 0);
2857 		ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
2858 
2859 		usbd_xfer_set_priv(xfer, NULL);
2860 
2861 		ifp->if_opackets++;
2862 
2863 		/* FALLTHROUGH */
2864 	case USB_ST_SETUP:
2865 tr_setup:
2866 		data = STAILQ_FIRST(&pq->tx_qh);
2867 		if (data == NULL)
2868 			break;
2869 
2870 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
2871 
2872 		m = data->m;
2873 		size = (sc->mac_ver == 0x5592) ?
2874 		    RUN_MAX_TXSZ + sizeof(uint32_t) : RUN_MAX_TXSZ;
2875 		if ((m->m_pkthdr.len +
2876 		    sizeof(data->desc) + 3 + 8) > size) {
2877 			DPRINTF("data overflow, %u bytes\n",
2878 			    m->m_pkthdr.len);
2879 
2880 			ifp->if_oerrors++;
2881 
2882 			run_tx_free(pq, data, 1);
2883 
2884 			goto tr_setup;
2885 		}
2886 
2887 		pc = usbd_xfer_get_frame(xfer, 0);
2888 		size = (sc->mac_ver == 0x5592) ?
2889 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
2890 		usbd_copy_in(pc, 0, &data->desc, size);
2891 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
2892 		size += m->m_pkthdr.len;
2893 		/*
2894 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
2895 		 * 4-byte padding), and be sure to zero those trailing
2896 		 * bytes:
2897 		 */
2898 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
2899 		size += ((-size) & 3) + 8;
2900 
2901 		vap = data->ni->ni_vap;
2902 		if (ieee80211_radiotap_active_vap(vap)) {
2903 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
2904 			struct rt2860_txwi *txwi =
2905 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
2906 			tap->wt_flags = 0;
2907 			tap->wt_rate = rt2860_rates[data->ridx].rate;
2908 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
2909 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
2910 			tap->wt_hwqueue = index;
2911 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
2912 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2913 
2914 			ieee80211_radiotap_tx(vap, m);
2915 		}
2916 
2917 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
2918 		    m->m_pkthdr.len, size, index);
2919 
2920 		usbd_xfer_set_frame_len(xfer, 0, size);
2921 		usbd_xfer_set_priv(xfer, data);
2922 
2923 		usbd_transfer_submit(xfer);
2924 
2925 		RUN_UNLOCK(sc);
2926 		run_start(ifp);
2927 		RUN_LOCK(sc);
2928 
2929 		break;
2930 
2931 	default:
2932 		DPRINTF("USB transfer error, %s\n",
2933 		    usbd_errstr(error));
2934 
2935 		data = usbd_xfer_get_priv(xfer);
2936 
2937 		ifp->if_oerrors++;
2938 
2939 		if (data != NULL) {
2940 			if(data->ni != NULL)
2941 				vap = data->ni->ni_vap;
2942 			run_tx_free(pq, data, error);
2943 			usbd_xfer_set_priv(xfer, NULL);
2944 		}
2945 		if (vap == NULL)
2946 			vap = TAILQ_FIRST(&ic->ic_vaps);
2947 
2948 		if (error != USB_ERR_CANCELLED) {
2949 			if (error == USB_ERR_TIMEOUT) {
2950 				device_printf(sc->sc_dev, "device timeout\n");
2951 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2952 				DPRINTF("cmdq_store=%d\n", i);
2953 				sc->cmdq[i].func = run_usb_timeout_cb;
2954 				sc->cmdq[i].arg0 = vap;
2955 				ieee80211_runtask(ic, &sc->cmdq_task);
2956 			}
2957 
2958 			/*
2959 			 * Try to clear stall first, also if other
2960 			 * errors occur, hence clearing stall
2961 			 * introduces a 50 ms delay:
2962 			 */
2963 			usbd_xfer_set_stall(xfer);
2964 			goto tr_setup;
2965 		}
2966 		break;
2967 	}
2968 }
2969 
2970 static void
2971 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
2972 {
2973 	run_bulk_tx_callbackN(xfer, error, 0);
2974 }
2975 
2976 static void
2977 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
2978 {
2979 	run_bulk_tx_callbackN(xfer, error, 1);
2980 }
2981 
2982 static void
2983 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
2984 {
2985 	run_bulk_tx_callbackN(xfer, error, 2);
2986 }
2987 
2988 static void
2989 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
2990 {
2991 	run_bulk_tx_callbackN(xfer, error, 3);
2992 }
2993 
2994 static void
2995 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
2996 {
2997 	run_bulk_tx_callbackN(xfer, error, 4);
2998 }
2999 
3000 static void
3001 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3002 {
3003 	run_bulk_tx_callbackN(xfer, error, 5);
3004 }
3005 
3006 static void
3007 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3008 {
3009 	struct mbuf *m = data->m;
3010 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3011 	struct ieee80211vap *vap = data->ni->ni_vap;
3012 	struct ieee80211_frame *wh;
3013 	struct rt2870_txd *txd;
3014 	struct rt2860_txwi *txwi;
3015 	uint16_t xferlen, txwisize;
3016 	uint16_t mcs;
3017 	uint8_t ridx = data->ridx;
3018 	uint8_t pad;
3019 
3020 	/* get MCS code from rate index */
3021 	mcs = rt2860_rates[ridx].mcs;
3022 
3023 	txwisize = (sc->mac_ver == 0x5592) ?
3024 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3025 	xferlen = txwisize + m->m_pkthdr.len;
3026 
3027 	/* roundup to 32-bit alignment */
3028 	xferlen = (xferlen + 3) & ~3;
3029 
3030 	txd = (struct rt2870_txd *)&data->desc;
3031 	txd->len = htole16(xferlen);
3032 
3033 	wh = mtod(m, struct ieee80211_frame *);
3034 
3035 	/*
3036 	 * Ether both are true or both are false, the header
3037 	 * are nicely aligned to 32-bit. So, no L2 padding.
3038 	 */
3039 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3040 		pad = 0;
3041 	else
3042 		pad = 2;
3043 
3044 	/* setup TX Wireless Information */
3045 	txwi = (struct rt2860_txwi *)(txd + 1);
3046 	txwi->len = htole16(m->m_pkthdr.len - pad);
3047 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3048 		txwi->phy = htole16(RT2860_PHY_CCK);
3049 		if (ridx != RT2860_RIDX_CCK1 &&
3050 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3051 			mcs |= RT2860_PHY_SHPRE;
3052 	} else
3053 		txwi->phy = htole16(RT2860_PHY_OFDM);
3054 	txwi->phy |= htole16(mcs);
3055 
3056 	/* check if RTS/CTS or CTS-to-self protection is required */
3057 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3058 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3059 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3060 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3061 		txwi->txop |= RT2860_TX_TXOP_HT;
3062 	else
3063 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3064 
3065 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3066 		txwi->xflags |= RT2860_TX_NSEQ;
3067 }
3068 
3069 /* This function must be called locked */
3070 static int
3071 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3072 {
3073 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3074 	struct ieee80211vap *vap = ni->ni_vap;
3075 	struct ieee80211_frame *wh;
3076 	struct ieee80211_channel *chan;
3077 	const struct ieee80211_txparam *tp;
3078 	struct run_node *rn = (void *)ni;
3079 	struct run_tx_data *data;
3080 	struct rt2870_txd *txd;
3081 	struct rt2860_txwi *txwi;
3082 	uint16_t qos;
3083 	uint16_t dur;
3084 	uint16_t qid;
3085 	uint8_t type;
3086 	uint8_t tid;
3087 	uint8_t ridx;
3088 	uint8_t ctl_ridx;
3089 	uint8_t qflags;
3090 	uint8_t xflags = 0;
3091 	int hasqos;
3092 
3093 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3094 
3095 	wh = mtod(m, struct ieee80211_frame *);
3096 
3097 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3098 
3099 	/*
3100 	 * There are 7 bulk endpoints: 1 for RX
3101 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3102 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3103 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3104 	 */
3105 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3106 		uint8_t *frm;
3107 
3108 		if(IEEE80211_HAS_ADDR4(wh))
3109 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3110 		else
3111 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3112 
3113 		qos = le16toh(*(const uint16_t *)frm);
3114 		tid = qos & IEEE80211_QOS_TID;
3115 		qid = TID_TO_WME_AC(tid);
3116 	} else {
3117 		qos = 0;
3118 		tid = 0;
3119 		qid = WME_AC_BE;
3120 	}
3121 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3122 
3123 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3124 	    qos, qid, tid, qflags);
3125 
3126 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3127 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3128 
3129 	/* pickup a rate index */
3130 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3131 	    type != IEEE80211_FC0_TYPE_DATA) {
3132 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3133 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3134 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3135 	} else {
3136 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3137 			ridx = rn->fix_ridx;
3138 		else
3139 			ridx = rn->amrr_ridx;
3140 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3141 	}
3142 
3143 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3144 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3145 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3146 		xflags |= RT2860_TX_ACK;
3147 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3148 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3149 		else
3150 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3151 		USETW(wh->i_dur, dur);
3152 	}
3153 
3154 	/* reserve slots for mgmt packets, just in case */
3155 	if (sc->sc_epq[qid].tx_nfree < 3) {
3156 		DPRINTFN(10, "tx ring %d is full\n", qid);
3157 		return (-1);
3158 	}
3159 
3160 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3161 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3162 	sc->sc_epq[qid].tx_nfree--;
3163 
3164 	txd = (struct rt2870_txd *)&data->desc;
3165 	txd->flags = qflags;
3166 	txwi = (struct rt2860_txwi *)(txd + 1);
3167 	txwi->xflags = xflags;
3168 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3169 		txwi->wcid = 0;
3170 	else
3171 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3172 		    1 : RUN_AID2WCID(ni->ni_associd);
3173 
3174 	/* clear leftover garbage bits */
3175 	txwi->flags = 0;
3176 	txwi->txop = 0;
3177 
3178 	data->m = m;
3179 	data->ni = ni;
3180 	data->ridx = ridx;
3181 
3182 	run_set_tx_desc(sc, data);
3183 
3184 	/*
3185 	 * The chip keeps track of 2 kind of Tx stats,
3186 	 *  * TX_STAT_FIFO, for per WCID stats, and
3187 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3188 	 *
3189 	 * To use FIFO stats, we need to store MCS into the driver-private
3190  	 * PacketID field. So that, we can tell whose stats when we read them.
3191  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3192  	 * that we don't want feedback in TX_STAT_FIFO.
3193  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3194  	 *
3195  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3196  	 */
3197 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3198 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3199 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3200 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3201 
3202 		/*
3203 		 * Unlike PCI based devices, we don't get any interrupt from
3204 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3205 		 * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3206 		 * quickly get fulled. To prevent overflow, increment a counter on
3207 		 * every FIFO stat request, so we know how many slots are left.
3208 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3209 		 * are used only in those modes.
3210 		 * We just drain stats. AMRR gets updated every 1 sec by
3211 		 * run_ratectl_cb() via callout.
3212 		 * Call it early. Otherwise overflow.
3213 		 */
3214 		if (sc->fifo_cnt++ == 10) {
3215 			/*
3216 			 * With multiple vaps or if_bridge, if_start() is called
3217 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3218 			 */
3219 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3220 			DPRINTFN(6, "cmdq_store=%d\n", i);
3221 			sc->cmdq[i].func = run_drain_fifo;
3222 			sc->cmdq[i].arg0 = sc;
3223 			ieee80211_runtask(ic, &sc->cmdq_task);
3224 		}
3225 	}
3226 
3227         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3228 
3229 	usbd_transfer_start(sc->sc_xfer[qid]);
3230 
3231 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3232 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3233 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3234 
3235 	return (0);
3236 }
3237 
3238 static int
3239 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3240 {
3241 	struct ifnet *ifp = sc->sc_ifp;
3242 	struct ieee80211com *ic = ifp->if_l2com;
3243 	struct run_node *rn = (void *)ni;
3244 	struct run_tx_data *data;
3245 	struct ieee80211_frame *wh;
3246 	struct rt2870_txd *txd;
3247 	struct rt2860_txwi *txwi;
3248 	uint16_t dur;
3249 	uint8_t ridx = rn->mgt_ridx;
3250 	uint8_t type;
3251 	uint8_t xflags = 0;
3252 	uint8_t wflags = 0;
3253 
3254 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3255 
3256 	wh = mtod(m, struct ieee80211_frame *);
3257 
3258 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3259 
3260 	/* tell hardware to add timestamp for probe responses */
3261 	if ((wh->i_fc[0] &
3262 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3263 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3264 		wflags |= RT2860_TX_TS;
3265 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3266 		xflags |= RT2860_TX_ACK;
3267 
3268 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3269 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3270 		USETW(wh->i_dur, dur);
3271 	}
3272 
3273 	if (sc->sc_epq[0].tx_nfree == 0) {
3274 		/* let caller free mbuf */
3275 		ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3276 		return (EIO);
3277 	}
3278 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3279 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3280 	sc->sc_epq[0].tx_nfree--;
3281 
3282 	txd = (struct rt2870_txd *)&data->desc;
3283 	txd->flags = RT2860_TX_QSEL_EDCA;
3284 	txwi = (struct rt2860_txwi *)(txd + 1);
3285 	txwi->wcid = 0xff;
3286 	txwi->flags = wflags;
3287 	txwi->xflags = xflags;
3288 	txwi->txop = 0;	/* clear leftover garbage bits */
3289 
3290 	data->m = m;
3291 	data->ni = ni;
3292 	data->ridx = ridx;
3293 
3294 	run_set_tx_desc(sc, data);
3295 
3296 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3297 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3298 	    rt2860_rates[ridx].rate);
3299 
3300 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3301 
3302 	usbd_transfer_start(sc->sc_xfer[0]);
3303 
3304 	return (0);
3305 }
3306 
3307 static int
3308 run_sendprot(struct run_softc *sc,
3309     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3310 {
3311 	struct ieee80211com *ic = ni->ni_ic;
3312 	struct ieee80211_frame *wh;
3313 	struct run_tx_data *data;
3314 	struct rt2870_txd *txd;
3315 	struct rt2860_txwi *txwi;
3316 	struct mbuf *mprot;
3317 	int ridx;
3318 	int protrate;
3319 	int ackrate;
3320 	int pktlen;
3321 	int isshort;
3322 	uint16_t dur;
3323 	uint8_t type;
3324 	uint8_t wflags = 0;
3325 	uint8_t xflags = 0;
3326 
3327 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3328 
3329 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3330 	    ("protection %d", prot));
3331 
3332 	wh = mtod(m, struct ieee80211_frame *);
3333 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3334 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3335 
3336 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3337 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3338 
3339 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3340 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3341 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3342 	wflags = RT2860_TX_FRAG;
3343 
3344 	/* check that there are free slots before allocating the mbuf */
3345 	if (sc->sc_epq[0].tx_nfree == 0) {
3346 		/* let caller free mbuf */
3347 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3348 		return (ENOBUFS);
3349 	}
3350 
3351 	if (prot == IEEE80211_PROT_RTSCTS) {
3352 		/* NB: CTS is the same size as an ACK */
3353 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3354 		xflags |= RT2860_TX_ACK;
3355 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3356 	} else {
3357 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3358 	}
3359 	if (mprot == NULL) {
3360 		sc->sc_ifp->if_oerrors++;
3361 		DPRINTF("could not allocate mbuf\n");
3362 		return (ENOBUFS);
3363 	}
3364 
3365         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3366         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3367         sc->sc_epq[0].tx_nfree--;
3368 
3369 	txd = (struct rt2870_txd *)&data->desc;
3370 	txd->flags = RT2860_TX_QSEL_EDCA;
3371 	txwi = (struct rt2860_txwi *)(txd + 1);
3372 	txwi->wcid = 0xff;
3373 	txwi->flags = wflags;
3374 	txwi->xflags = xflags;
3375 	txwi->txop = 0;	/* clear leftover garbage bits */
3376 
3377 	data->m = mprot;
3378 	data->ni = ieee80211_ref_node(ni);
3379 
3380 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3381 		if (rt2860_rates[ridx].rate == protrate)
3382 			break;
3383 	data->ridx = ridx;
3384 
3385 	run_set_tx_desc(sc, data);
3386 
3387         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3388             m->m_pkthdr.len, rate);
3389 
3390         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3391 
3392 	usbd_transfer_start(sc->sc_xfer[0]);
3393 
3394 	return (0);
3395 }
3396 
3397 static int
3398 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3399     const struct ieee80211_bpf_params *params)
3400 {
3401 	struct ieee80211com *ic = ni->ni_ic;
3402 	struct ieee80211_frame *wh;
3403 	struct run_tx_data *data;
3404 	struct rt2870_txd *txd;
3405 	struct rt2860_txwi *txwi;
3406 	uint8_t type;
3407 	uint8_t ridx;
3408 	uint8_t rate;
3409 	uint8_t opflags = 0;
3410 	uint8_t xflags = 0;
3411 	int error;
3412 
3413 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3414 
3415 	KASSERT(params != NULL, ("no raw xmit params"));
3416 
3417 	wh = mtod(m, struct ieee80211_frame *);
3418 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3419 
3420 	rate = params->ibp_rate0;
3421 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3422 		/* let caller free mbuf */
3423 		return (EINVAL);
3424 	}
3425 
3426 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3427 		xflags |= RT2860_TX_ACK;
3428 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3429 		error = run_sendprot(sc, m, ni,
3430 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3431 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3432 		    rate);
3433 		if (error) {
3434 			/* let caller free mbuf */
3435 			return error;
3436 		}
3437 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3438 	}
3439 
3440 	if (sc->sc_epq[0].tx_nfree == 0) {
3441 		/* let caller free mbuf */
3442 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3443 		DPRINTF("sending raw frame, but tx ring is full\n");
3444 		return (EIO);
3445 	}
3446         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3447         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3448         sc->sc_epq[0].tx_nfree--;
3449 
3450 	txd = (struct rt2870_txd *)&data->desc;
3451 	txd->flags = RT2860_TX_QSEL_EDCA;
3452 	txwi = (struct rt2860_txwi *)(txd + 1);
3453 	txwi->wcid = 0xff;
3454 	txwi->xflags = xflags;
3455 	txwi->txop = opflags;
3456 	txwi->flags = 0;	/* clear leftover garbage bits */
3457 
3458         data->m = m;
3459         data->ni = ni;
3460 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3461 		if (rt2860_rates[ridx].rate == rate)
3462 			break;
3463 	data->ridx = ridx;
3464 
3465         run_set_tx_desc(sc, data);
3466 
3467         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3468             m->m_pkthdr.len, rate);
3469 
3470         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3471 
3472 	usbd_transfer_start(sc->sc_xfer[0]);
3473 
3474         return (0);
3475 }
3476 
3477 static int
3478 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3479     const struct ieee80211_bpf_params *params)
3480 {
3481 	struct ifnet *ifp = ni->ni_ic->ic_ifp;
3482 	struct run_softc *sc = ifp->if_softc;
3483 	int error = 0;
3484 
3485 	RUN_LOCK(sc);
3486 
3487 	/* prevent management frames from being sent if we're not ready */
3488 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3489 		error =  ENETDOWN;
3490 		goto done;
3491 	}
3492 
3493 	if (params == NULL) {
3494 		/* tx mgt packet */
3495 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3496 			ifp->if_oerrors++;
3497 			DPRINTF("mgt tx failed\n");
3498 			goto done;
3499 		}
3500 	} else {
3501 		/* tx raw packet with param */
3502 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3503 			ifp->if_oerrors++;
3504 			DPRINTF("tx with param failed\n");
3505 			goto done;
3506 		}
3507 	}
3508 
3509 	ifp->if_opackets++;
3510 
3511 done:
3512 	RUN_UNLOCK(sc);
3513 
3514 	if (error != 0) {
3515 		if(m != NULL)
3516 			m_freem(m);
3517 		ieee80211_free_node(ni);
3518 	}
3519 
3520 	return (error);
3521 }
3522 
3523 static void
3524 run_start(struct ifnet *ifp)
3525 {
3526 	struct run_softc *sc = ifp->if_softc;
3527 	struct ieee80211_node *ni;
3528 	struct mbuf *m;
3529 
3530 	RUN_LOCK(sc);
3531 
3532 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3533 		RUN_UNLOCK(sc);
3534 		return;
3535 	}
3536 
3537 	for (;;) {
3538 		/* send data frames */
3539 		IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3540 		if (m == NULL)
3541 			break;
3542 
3543 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3544 		if (run_tx(sc, m, ni) != 0) {
3545 			IFQ_DRV_PREPEND(&ifp->if_snd, m);
3546 			ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3547 			break;
3548 		}
3549 	}
3550 
3551 	RUN_UNLOCK(sc);
3552 }
3553 
3554 static int
3555 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3556 {
3557 	struct run_softc *sc = ifp->if_softc;
3558 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3559 	struct ifreq *ifr = (struct ifreq *) data;
3560 	int startall = 0;
3561 	int error;
3562 
3563 	RUN_LOCK(sc);
3564 	error = sc->sc_detached ? ENXIO : 0;
3565 	RUN_UNLOCK(sc);
3566 	if (error)
3567 		return (error);
3568 
3569 	switch (cmd) {
3570 	case SIOCSIFFLAGS:
3571 		RUN_LOCK(sc);
3572 		if (ifp->if_flags & IFF_UP) {
3573 			if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3574 				startall = 1;
3575 				run_init_locked(sc);
3576 			} else
3577 				run_update_promisc_locked(ifp);
3578 		} else {
3579 			if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3580 			    (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3581 					run_stop(sc);
3582 			}
3583 		}
3584 		RUN_UNLOCK(sc);
3585 		if (startall)
3586 			ieee80211_start_all(ic);
3587 		break;
3588 	case SIOCGIFMEDIA:
3589 		error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3590 		break;
3591 	case SIOCGIFADDR:
3592 		error = ether_ioctl(ifp, cmd, data);
3593 		break;
3594 	default:
3595 		error = EINVAL;
3596 		break;
3597 	}
3598 
3599 	return (error);
3600 }
3601 
3602 static void
3603 run_set_agc(struct run_softc *sc, uint8_t agc)
3604 {
3605 	uint8_t bbp;
3606 
3607 	if (sc->mac_ver == 0x3572) {
3608 		run_bbp_read(sc, 27, &bbp);
3609 		bbp &= ~(0x3 << 5);
3610 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3611 		run_bbp_write(sc, 66, agc);
3612 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3613 		run_bbp_write(sc, 66, agc);
3614 	} else
3615 		run_bbp_write(sc, 66, agc);
3616 }
3617 
3618 static void
3619 run_select_chan_group(struct run_softc *sc, int group)
3620 {
3621 	uint32_t tmp;
3622 	uint8_t agc;
3623 
3624 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3625 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3626 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3627 	if (sc->mac_ver < 0x3572)
3628 		run_bbp_write(sc, 86, 0x00);
3629 
3630 	if (group == 0) {
3631 		if (sc->ext_2ghz_lna) {
3632 			if (sc->mac_ver >= 0x5390)
3633 				run_bbp_write(sc, 75, 0x52);
3634 			else {
3635 				run_bbp_write(sc, 82, 0x62);
3636 				run_bbp_write(sc, 75, 0x46);
3637 			}
3638 		} else {
3639 			if (sc->mac_ver == 0x5592) {
3640 				run_bbp_write(sc, 79, 0x1c);
3641 				run_bbp_write(sc, 80, 0x0e);
3642 				run_bbp_write(sc, 81, 0x3a);
3643 				run_bbp_write(sc, 82, 0x62);
3644 
3645 				run_bbp_write(sc, 195, 0x80);
3646 				run_bbp_write(sc, 196, 0xe0);
3647 				run_bbp_write(sc, 195, 0x81);
3648 				run_bbp_write(sc, 196, 0x1f);
3649 				run_bbp_write(sc, 195, 0x82);
3650 				run_bbp_write(sc, 196, 0x38);
3651 				run_bbp_write(sc, 195, 0x83);
3652 				run_bbp_write(sc, 196, 0x32);
3653 				run_bbp_write(sc, 195, 0x85);
3654 				run_bbp_write(sc, 196, 0x28);
3655 				run_bbp_write(sc, 195, 0x86);
3656 				run_bbp_write(sc, 196, 0x19);
3657 			} else if (sc->mac_ver >= 0x5390)
3658 				run_bbp_write(sc, 75, 0x50);
3659 			else {
3660 				run_bbp_write(sc, 82, 0x84);
3661 				run_bbp_write(sc, 75, 0x50);
3662 			}
3663 		}
3664 	} else {
3665 		if (sc->mac_ver == 0x5592) {
3666 			run_bbp_write(sc, 79, 0x18);
3667 			run_bbp_write(sc, 80, 0x08);
3668 			run_bbp_write(sc, 81, 0x38);
3669 			run_bbp_write(sc, 82, 0x92);
3670 
3671 			run_bbp_write(sc, 195, 0x80);
3672 			run_bbp_write(sc, 196, 0xf0);
3673 			run_bbp_write(sc, 195, 0x81);
3674 			run_bbp_write(sc, 196, 0x1e);
3675 			run_bbp_write(sc, 195, 0x82);
3676 			run_bbp_write(sc, 196, 0x28);
3677 			run_bbp_write(sc, 195, 0x83);
3678 			run_bbp_write(sc, 196, 0x20);
3679 			run_bbp_write(sc, 195, 0x85);
3680 			run_bbp_write(sc, 196, 0x7f);
3681 			run_bbp_write(sc, 195, 0x86);
3682 			run_bbp_write(sc, 196, 0x7f);
3683 		} else if (sc->mac_ver == 0x3572)
3684 			run_bbp_write(sc, 82, 0x94);
3685 		else
3686 			run_bbp_write(sc, 82, 0xf2);
3687 		if (sc->ext_5ghz_lna)
3688 			run_bbp_write(sc, 75, 0x46);
3689 		else
3690 			run_bbp_write(sc, 75, 0x50);
3691 	}
3692 
3693 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3694 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3695 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
3696 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
3697 
3698 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
3699 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
3700 	if (sc->nrxchains > 1)
3701 		tmp |= RT2860_LNA_PE1_EN;
3702 	if (group == 0) {	/* 2GHz */
3703 		tmp |= RT2860_PA_PE_G0_EN;
3704 		if (sc->ntxchains > 1)
3705 			tmp |= RT2860_PA_PE_G1_EN;
3706 	} else {		/* 5GHz */
3707 		tmp |= RT2860_PA_PE_A0_EN;
3708 		if (sc->ntxchains > 1)
3709 			tmp |= RT2860_PA_PE_A1_EN;
3710 	}
3711 	if (sc->mac_ver == 0x3572) {
3712 		run_rt3070_rf_write(sc, 8, 0x00);
3713 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3714 		run_rt3070_rf_write(sc, 8, 0x80);
3715 	} else
3716 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3717 
3718 	if (sc->mac_ver == 0x5592) {
3719 		run_bbp_write(sc, 195, 0x8d);
3720 		run_bbp_write(sc, 196, 0x1a);
3721 	}
3722 
3723 	/* set initial AGC value */
3724 	if (group == 0) {	/* 2GHz band */
3725 		if (sc->mac_ver >= 0x3070)
3726 			agc = 0x1c + sc->lna[0] * 2;
3727 		else
3728 			agc = 0x2e + sc->lna[0];
3729 	} else {		/* 5GHz band */
3730 		if (sc->mac_ver == 0x5592)
3731 			agc = 0x24 + sc->lna[group] * 2;
3732 		else if (sc->mac_ver == 0x3572)
3733 			agc = 0x22 + (sc->lna[group] * 5) / 3;
3734 		else
3735 			agc = 0x32 + (sc->lna[group] * 5) / 3;
3736 	}
3737 	run_set_agc(sc, agc);
3738 }
3739 
3740 static void
3741 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
3742 {
3743 	const struct rfprog *rfprog = rt2860_rf2850;
3744 	uint32_t r2, r3, r4;
3745 	int8_t txpow1, txpow2;
3746 	int i;
3747 
3748 	/* find the settings for this channel (we know it exists) */
3749 	for (i = 0; rfprog[i].chan != chan; i++);
3750 
3751 	r2 = rfprog[i].r2;
3752 	if (sc->ntxchains == 1)
3753 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
3754 	if (sc->nrxchains == 1)
3755 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
3756 	else if (sc->nrxchains == 2)
3757 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
3758 
3759 	/* use Tx power values from EEPROM */
3760 	txpow1 = sc->txpow1[i];
3761 	txpow2 = sc->txpow2[i];
3762 
3763 	/* Initialize RF R3 and R4. */
3764 	r3 = rfprog[i].r3 & 0xffffc1ff;
3765 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
3766 	if (chan > 14) {
3767 		if (txpow1 >= 0) {
3768 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
3769 			r3 |= (txpow1 << 10) | (1 << 9);
3770 		} else {
3771 			txpow1 += 7;
3772 
3773 			/* txpow1 is not possible larger than 15. */
3774 			r3 |= (txpow1 << 10);
3775 		}
3776 		if (txpow2 >= 0) {
3777 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
3778 			r4 |= (txpow2 << 7) | (1 << 6);
3779 		} else {
3780 			txpow2 += 7;
3781 			r4 |= (txpow2 << 7);
3782 		}
3783 	} else {
3784 		/* Set Tx0 power. */
3785 		r3 |= (txpow1 << 9);
3786 
3787 		/* Set frequency offset and Tx1 power. */
3788 		r4 |= (txpow2 << 6);
3789 	}
3790 
3791 	run_rt2870_rf_write(sc, rfprog[i].r1);
3792 	run_rt2870_rf_write(sc, r2);
3793 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
3794 	run_rt2870_rf_write(sc, r4);
3795 
3796 	run_delay(sc, 10);
3797 
3798 	run_rt2870_rf_write(sc, rfprog[i].r1);
3799 	run_rt2870_rf_write(sc, r2);
3800 	run_rt2870_rf_write(sc, r3 | (1 << 2));
3801 	run_rt2870_rf_write(sc, r4);
3802 
3803 	run_delay(sc, 10);
3804 
3805 	run_rt2870_rf_write(sc, rfprog[i].r1);
3806 	run_rt2870_rf_write(sc, r2);
3807 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
3808 	run_rt2870_rf_write(sc, r4);
3809 }
3810 
3811 static void
3812 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
3813 {
3814 	int8_t txpow1, txpow2;
3815 	uint8_t rf;
3816 	int i;
3817 
3818 	/* find the settings for this channel (we know it exists) */
3819 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
3820 
3821 	/* use Tx power values from EEPROM */
3822 	txpow1 = sc->txpow1[i];
3823 	txpow2 = sc->txpow2[i];
3824 
3825 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
3826 
3827 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
3828 	run_rt3070_rf_read(sc, 3, &rf);
3829 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
3830 	run_rt3070_rf_write(sc, 3, rf);
3831 
3832 	run_rt3070_rf_read(sc, 6, &rf);
3833 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
3834 	run_rt3070_rf_write(sc, 6, rf);
3835 
3836 	/* set Tx0 power */
3837 	run_rt3070_rf_read(sc, 12, &rf);
3838 	rf = (rf & ~0x1f) | txpow1;
3839 	run_rt3070_rf_write(sc, 12, rf);
3840 
3841 	/* set Tx1 power */
3842 	run_rt3070_rf_read(sc, 13, &rf);
3843 	rf = (rf & ~0x1f) | txpow2;
3844 	run_rt3070_rf_write(sc, 13, rf);
3845 
3846 	run_rt3070_rf_read(sc, 1, &rf);
3847 	rf &= ~0xfc;
3848 	if (sc->ntxchains == 1)
3849 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
3850 	else if (sc->ntxchains == 2)
3851 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
3852 	if (sc->nrxchains == 1)
3853 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
3854 	else if (sc->nrxchains == 2)
3855 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
3856 	run_rt3070_rf_write(sc, 1, rf);
3857 
3858 	/* set RF offset */
3859 	run_rt3070_rf_read(sc, 23, &rf);
3860 	rf = (rf & ~0x7f) | sc->freq;
3861 	run_rt3070_rf_write(sc, 23, rf);
3862 
3863 	/* program RF filter */
3864 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
3865 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
3866 	run_rt3070_rf_write(sc, 24, rf);
3867 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
3868 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
3869 	run_rt3070_rf_write(sc, 31, rf);
3870 
3871 	/* enable RF tuning */
3872 	run_rt3070_rf_read(sc, 7, &rf);
3873 	run_rt3070_rf_write(sc, 7, rf | 0x01);
3874 }
3875 
3876 static void
3877 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
3878 {
3879 	int8_t txpow1, txpow2;
3880 	uint32_t tmp;
3881 	uint8_t rf;
3882 	int i;
3883 
3884 	/* find the settings for this channel (we know it exists) */
3885 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
3886 
3887 	/* use Tx power values from EEPROM */
3888 	txpow1 = sc->txpow1[i];
3889 	txpow2 = sc->txpow2[i];
3890 
3891 	if (chan <= 14) {
3892 		run_bbp_write(sc, 25, sc->bbp25);
3893 		run_bbp_write(sc, 26, sc->bbp26);
3894 	} else {
3895 		/* enable IQ phase correction */
3896 		run_bbp_write(sc, 25, 0x09);
3897 		run_bbp_write(sc, 26, 0xff);
3898 	}
3899 
3900 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
3901 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
3902 	run_rt3070_rf_read(sc, 6, &rf);
3903 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
3904 	rf |= (chan <= 14) ? 0x08 : 0x04;
3905 	run_rt3070_rf_write(sc, 6, rf);
3906 
3907 	/* set PLL mode */
3908 	run_rt3070_rf_read(sc, 5, &rf);
3909 	rf &= ~(0x08 | 0x04);
3910 	rf |= (chan <= 14) ? 0x04 : 0x08;
3911 	run_rt3070_rf_write(sc, 5, rf);
3912 
3913 	/* set Tx power for chain 0 */
3914 	if (chan <= 14)
3915 		rf = 0x60 | txpow1;
3916 	else
3917 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
3918 	run_rt3070_rf_write(sc, 12, rf);
3919 
3920 	/* set Tx power for chain 1 */
3921 	if (chan <= 14)
3922 		rf = 0x60 | txpow2;
3923 	else
3924 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
3925 	run_rt3070_rf_write(sc, 13, rf);
3926 
3927 	/* set Tx/Rx streams */
3928 	run_rt3070_rf_read(sc, 1, &rf);
3929 	rf &= ~0xfc;
3930 	if (sc->ntxchains == 1)
3931 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
3932 	else if (sc->ntxchains == 2)
3933 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
3934 	if (sc->nrxchains == 1)
3935 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
3936 	else if (sc->nrxchains == 2)
3937 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
3938 	run_rt3070_rf_write(sc, 1, rf);
3939 
3940 	/* set RF offset */
3941 	run_rt3070_rf_read(sc, 23, &rf);
3942 	rf = (rf & ~0x7f) | sc->freq;
3943 	run_rt3070_rf_write(sc, 23, rf);
3944 
3945 	/* program RF filter */
3946 	rf = sc->rf24_20mhz;
3947 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
3948 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
3949 
3950 	/* enable RF tuning */
3951 	run_rt3070_rf_read(sc, 7, &rf);
3952 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
3953 	run_rt3070_rf_write(sc, 7, rf);
3954 
3955 	/* TSSI */
3956 	rf = (chan <= 14) ? 0xc3 : 0xc0;
3957 	run_rt3070_rf_write(sc, 9, rf);
3958 
3959 	/* set loop filter 1 */
3960 	run_rt3070_rf_write(sc, 10, 0xf1);
3961 	/* set loop filter 2 */
3962 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
3963 
3964 	/* set tx_mx2_ic */
3965 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
3966 	/* set tx_mx1_ic */
3967 	if (chan <= 14)
3968 		rf = 0x48 | sc->txmixgain_2ghz;
3969 	else
3970 		rf = 0x78 | sc->txmixgain_5ghz;
3971 	run_rt3070_rf_write(sc, 16, rf);
3972 
3973 	/* set tx_lo1 */
3974 	run_rt3070_rf_write(sc, 17, 0x23);
3975 	/* set tx_lo2 */
3976 	if (chan <= 14)
3977 		rf = 0x93;
3978 	else if (chan <= 64)
3979 		rf = 0xb7;
3980 	else if (chan <= 128)
3981 		rf = 0x74;
3982 	else
3983 		rf = 0x72;
3984 	run_rt3070_rf_write(sc, 19, rf);
3985 
3986 	/* set rx_lo1 */
3987 	if (chan <= 14)
3988 		rf = 0xb3;
3989 	else if (chan <= 64)
3990 		rf = 0xf6;
3991 	else if (chan <= 128)
3992 		rf = 0xf4;
3993 	else
3994 		rf = 0xf3;
3995 	run_rt3070_rf_write(sc, 20, rf);
3996 
3997 	/* set pfd_delay */
3998 	if (chan <= 14)
3999 		rf = 0x15;
4000 	else if (chan <= 64)
4001 		rf = 0x3d;
4002 	else
4003 		rf = 0x01;
4004 	run_rt3070_rf_write(sc, 25, rf);
4005 
4006 	/* set rx_lo2 */
4007 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4008 	/* set ldo_rf_vc */
4009 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4010 	/* set drv_cc */
4011 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4012 
4013 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4014 	tmp &= ~0x8080;
4015 	if (chan <= 14)
4016 		tmp |= 0x80;
4017 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4018 
4019 	/* enable RF tuning */
4020 	run_rt3070_rf_read(sc, 7, &rf);
4021 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4022 
4023 	run_delay(sc, 2);
4024 }
4025 
4026 static void
4027 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4028 {
4029 	int8_t txpow1, txpow2;
4030 	uint8_t rf;
4031 	int i;
4032 
4033 	/* find the settings for this channel (we know it exists) */
4034 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4035 
4036 	/* use Tx power values from EEPROM */
4037 	txpow1 = sc->txpow1[i];
4038 	txpow2 = sc->txpow2[i];
4039 
4040 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4041 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4042 	run_rt3070_rf_read(sc, 11, &rf);
4043 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4044 	run_rt3070_rf_write(sc, 11, rf);
4045 
4046 	run_rt3070_rf_read(sc, 49, &rf);
4047 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4048 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4049 	if ((rf & 0x3f) > 0x27)
4050 		rf = (rf & ~0x3f) | 0x27;
4051 	run_rt3070_rf_write(sc, 49, rf);
4052 
4053 	if (sc->mac_ver == 0x5392) {
4054 		run_rt3070_rf_read(sc, 50, &rf);
4055 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4056 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4057 		if ((rf & 0x3f) > 0x27)
4058 			rf = (rf & ~0x3f) | 0x27;
4059 		run_rt3070_rf_write(sc, 50, rf);
4060 	}
4061 
4062 	run_rt3070_rf_read(sc, 1, &rf);
4063 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4064 	if (sc->mac_ver == 0x5392)
4065 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4066 	run_rt3070_rf_write(sc, 1, rf);
4067 
4068 	if (sc->mac_ver != 0x5392) {
4069 		run_rt3070_rf_read(sc, 2, &rf);
4070 		rf |= 0x80;
4071 		run_rt3070_rf_write(sc, 2, rf);
4072 		run_delay(sc, 10);
4073 		rf &= 0x7f;
4074 		run_rt3070_rf_write(sc, 2, rf);
4075 	}
4076 
4077 	run_adjust_freq_offset(sc);
4078 
4079 	if (sc->mac_ver == 0x5392) {
4080 		/* Fix for RT5392C. */
4081 		if (sc->mac_rev >= 0x0223) {
4082 			if (chan <= 4)
4083 				rf = 0x0f;
4084 			else if (chan >= 5 && chan <= 7)
4085 				rf = 0x0e;
4086 			else
4087 				rf = 0x0d;
4088 			run_rt3070_rf_write(sc, 23, rf);
4089 
4090 			if (chan <= 4)
4091 				rf = 0x0c;
4092 			else if (chan == 5)
4093 				rf = 0x0b;
4094 			else if (chan >= 6 && chan <= 7)
4095 				rf = 0x0a;
4096 			else if (chan >= 8 && chan <= 10)
4097 				rf = 0x09;
4098 			else
4099 				rf = 0x08;
4100 			run_rt3070_rf_write(sc, 59, rf);
4101 		} else {
4102 			if (chan <= 11)
4103 				rf = 0x0f;
4104 			else
4105 				rf = 0x0b;
4106 			run_rt3070_rf_write(sc, 59, rf);
4107 		}
4108 	} else {
4109 		/* Fix for RT5390F. */
4110 		if (sc->mac_rev >= 0x0502) {
4111 			if (chan <= 11)
4112 				rf = 0x43;
4113 			else
4114 				rf = 0x23;
4115 			run_rt3070_rf_write(sc, 55, rf);
4116 
4117 			if (chan <= 11)
4118 				rf = 0x0f;
4119 			else if (chan == 12)
4120 				rf = 0x0d;
4121 			else
4122 				rf = 0x0b;
4123 			run_rt3070_rf_write(sc, 59, rf);
4124 		} else {
4125 			run_rt3070_rf_write(sc, 55, 0x44);
4126 			run_rt3070_rf_write(sc, 59, 0x8f);
4127 		}
4128 	}
4129 
4130 	/* Enable VCO calibration. */
4131 	run_rt3070_rf_read(sc, 3, &rf);
4132 	rf |= RT5390_VCOCAL;
4133 	run_rt3070_rf_write(sc, 3, rf);
4134 }
4135 
4136 static void
4137 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4138 {
4139 	const struct rt5592_freqs *freqs;
4140 	uint32_t tmp;
4141 	uint8_t reg, rf, txpow_bound;
4142 	int8_t txpow1, txpow2;
4143 	int i;
4144 
4145 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4146 	freqs = (tmp & RT5592_SEL_XTAL) ?
4147 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4148 
4149 	/* find the settings for this channel (we know it exists) */
4150 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4151 
4152 	/* use Tx power values from EEPROM */
4153 	txpow1 = sc->txpow1[i];
4154 	txpow2 = sc->txpow2[i];
4155 
4156 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4157 	tmp &= ~0x1c000000;
4158 	if (chan > 14)
4159 		tmp |= 0x14000000;
4160 	run_write(sc, RT3070_LDO_CFG0, tmp);
4161 
4162 	/* N setting. */
4163 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4164 	run_rt3070_rf_read(sc, 9, &rf);
4165 	rf &= ~(1 << 4);
4166 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4167 	run_rt3070_rf_write(sc, 9, rf);
4168 
4169 	/* K setting. */
4170 	run_rt3070_rf_read(sc, 9, &rf);
4171 	rf &= ~0x0f;
4172 	rf |= (freqs->k & 0x0f);
4173 	run_rt3070_rf_write(sc, 9, rf);
4174 
4175 	/* Mode setting. */
4176 	run_rt3070_rf_read(sc, 11, &rf);
4177 	rf &= ~0x0c;
4178 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4179 	run_rt3070_rf_write(sc, 11, rf);
4180 	run_rt3070_rf_read(sc, 9, &rf);
4181 	rf &= ~(1 << 7);
4182 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4183 	run_rt3070_rf_write(sc, 9, rf);
4184 
4185 	/* R setting. */
4186 	run_rt3070_rf_read(sc, 11, &rf);
4187 	rf &= ~0x03;
4188 	rf |= (freqs->r - 0x1);
4189 	run_rt3070_rf_write(sc, 11, rf);
4190 
4191 	if (chan <= 14) {
4192 		/* Initialize RF registers for 2GHZ. */
4193 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4194 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4195 			    rt5592_2ghz_def_rf[i].val);
4196 		}
4197 
4198 		rf = (chan <= 10) ? 0x07 : 0x06;
4199 		run_rt3070_rf_write(sc, 23, rf);
4200 		run_rt3070_rf_write(sc, 59, rf);
4201 
4202 		run_rt3070_rf_write(sc, 55, 0x43);
4203 
4204 		/*
4205 		 * RF R49/R50 Tx power ALC code.
4206 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4207 		 */
4208 		reg = 2;
4209 		txpow_bound = 0x27;
4210 	} else {
4211 		/* Initialize RF registers for 5GHZ. */
4212 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4213 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4214 			    rt5592_5ghz_def_rf[i].val);
4215 		}
4216 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4217 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4218 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4219 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4220 				    rt5592_chan_5ghz[i].val);
4221 			}
4222 		}
4223 
4224 		/*
4225 		 * RF R49/R50 Tx power ALC code.
4226 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4227 		 */
4228 		reg = 3;
4229 		txpow_bound = 0x2b;
4230 	}
4231 
4232 	/* RF R49 ch0 Tx power ALC code. */
4233 	run_rt3070_rf_read(sc, 49, &rf);
4234 	rf &= ~0xc0;
4235 	rf |= (reg << 6);
4236 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4237 	if ((rf & 0x3f) > txpow_bound)
4238 		rf = (rf & ~0x3f) | txpow_bound;
4239 	run_rt3070_rf_write(sc, 49, rf);
4240 
4241 	/* RF R50 ch1 Tx power ALC code. */
4242 	run_rt3070_rf_read(sc, 50, &rf);
4243 	rf &= ~(1 << 7 | 1 << 6);
4244 	rf |= (reg << 6);
4245 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4246 	if ((rf & 0x3f) > txpow_bound)
4247 		rf = (rf & ~0x3f) | txpow_bound;
4248 	run_rt3070_rf_write(sc, 50, rf);
4249 
4250 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4251 	run_rt3070_rf_read(sc, 1, &rf);
4252 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4253 	if (sc->ntxchains > 1)
4254 		rf |= RT3070_TX1_PD;
4255 	if (sc->nrxchains > 1)
4256 		rf |= RT3070_RX1_PD;
4257 	run_rt3070_rf_write(sc, 1, rf);
4258 
4259 	run_rt3070_rf_write(sc, 6, 0xe4);
4260 
4261 	run_rt3070_rf_write(sc, 30, 0x10);
4262 	run_rt3070_rf_write(sc, 31, 0x80);
4263 	run_rt3070_rf_write(sc, 32, 0x80);
4264 
4265 	run_adjust_freq_offset(sc);
4266 
4267 	/* Enable VCO calibration. */
4268 	run_rt3070_rf_read(sc, 3, &rf);
4269 	rf |= RT5390_VCOCAL;
4270 	run_rt3070_rf_write(sc, 3, rf);
4271 }
4272 
4273 static void
4274 run_set_rx_antenna(struct run_softc *sc, int aux)
4275 {
4276 	uint32_t tmp;
4277 	uint8_t bbp152;
4278 
4279 	if (aux) {
4280 		if (sc->rf_rev == RT5390_RF_5370) {
4281 			run_bbp_read(sc, 152, &bbp152);
4282 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4283 		} else {
4284 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4285 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4286 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4287 		}
4288 	} else {
4289 		if (sc->rf_rev == RT5390_RF_5370) {
4290 			run_bbp_read(sc, 152, &bbp152);
4291 			run_bbp_write(sc, 152, bbp152 | 0x80);
4292 		} else {
4293 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4294 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4295 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4296 		}
4297 	}
4298 }
4299 
4300 static int
4301 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4302 {
4303 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4304 	u_int chan, group;
4305 
4306 	chan = ieee80211_chan2ieee(ic, c);
4307 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4308 		return (EINVAL);
4309 
4310 	if (sc->mac_ver == 0x5592)
4311 		run_rt5592_set_chan(sc, chan);
4312 	else if (sc->mac_ver >= 0x5390)
4313 		run_rt5390_set_chan(sc, chan);
4314 	else if (sc->mac_ver == 0x3572)
4315 		run_rt3572_set_chan(sc, chan);
4316 	else if (sc->mac_ver >= 0x3070)
4317 		run_rt3070_set_chan(sc, chan);
4318 	else
4319 		run_rt2870_set_chan(sc, chan);
4320 
4321 	/* determine channel group */
4322 	if (chan <= 14)
4323 		group = 0;
4324 	else if (chan <= 64)
4325 		group = 1;
4326 	else if (chan <= 128)
4327 		group = 2;
4328 	else
4329 		group = 3;
4330 
4331 	/* XXX necessary only when group has changed! */
4332 	run_select_chan_group(sc, group);
4333 
4334 	run_delay(sc, 10);
4335 
4336 	return (0);
4337 }
4338 
4339 static void
4340 run_set_channel(struct ieee80211com *ic)
4341 {
4342 	struct run_softc *sc = ic->ic_ifp->if_softc;
4343 
4344 	RUN_LOCK(sc);
4345 	run_set_chan(sc, ic->ic_curchan);
4346 	RUN_UNLOCK(sc);
4347 
4348 	return;
4349 }
4350 
4351 static void
4352 run_scan_start(struct ieee80211com *ic)
4353 {
4354 	struct run_softc *sc = ic->ic_ifp->if_softc;
4355 	uint32_t tmp;
4356 
4357 	RUN_LOCK(sc);
4358 
4359 	/* abort TSF synchronization */
4360 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4361 	run_write(sc, RT2860_BCN_TIME_CFG,
4362 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4363 	    RT2860_TBTT_TIMER_EN));
4364 	run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4365 
4366 	RUN_UNLOCK(sc);
4367 
4368 	return;
4369 }
4370 
4371 static void
4372 run_scan_end(struct ieee80211com *ic)
4373 {
4374 	struct run_softc *sc = ic->ic_ifp->if_softc;
4375 
4376 	RUN_LOCK(sc);
4377 
4378 	run_enable_tsf_sync(sc);
4379 	/* XXX keep local copy */
4380 	run_set_bssid(sc, sc->sc_bssid);
4381 
4382 	RUN_UNLOCK(sc);
4383 
4384 	return;
4385 }
4386 
4387 /*
4388  * Could be called from ieee80211_node_timeout()
4389  * (non-sleepable thread)
4390  */
4391 static void
4392 run_update_beacon(struct ieee80211vap *vap, int item)
4393 {
4394 	struct ieee80211com *ic = vap->iv_ic;
4395 	struct run_softc *sc = ic->ic_ifp->if_softc;
4396 	struct run_vap *rvp = RUN_VAP(vap);
4397 	int mcast = 0;
4398 	uint32_t i;
4399 
4400 	KASSERT(vap != NULL, ("no beacon"));
4401 
4402 	switch (item) {
4403 	case IEEE80211_BEACON_ERP:
4404 		run_updateslot(ic->ic_ifp);
4405 		break;
4406 	case IEEE80211_BEACON_HTINFO:
4407 		run_updateprot(ic);
4408 		break;
4409 	case IEEE80211_BEACON_TIM:
4410 		mcast = 1;	/*TODO*/
4411 		break;
4412 	default:
4413 		break;
4414 	}
4415 
4416 	setbit(rvp->bo.bo_flags, item);
4417 	ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4418 
4419 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4420 	DPRINTF("cmdq_store=%d\n", i);
4421 	sc->cmdq[i].func = run_update_beacon_cb;
4422 	sc->cmdq[i].arg0 = vap;
4423 	ieee80211_runtask(ic, &sc->cmdq_task);
4424 
4425 	return;
4426 }
4427 
4428 static void
4429 run_update_beacon_cb(void *arg)
4430 {
4431 	struct ieee80211vap *vap = arg;
4432 	struct run_vap *rvp = RUN_VAP(vap);
4433 	struct ieee80211com *ic = vap->iv_ic;
4434 	struct run_softc *sc = ic->ic_ifp->if_softc;
4435 	struct rt2860_txwi txwi;
4436 	struct mbuf *m;
4437 	uint16_t txwisize;
4438 	uint8_t ridx;
4439 
4440 	if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4441 		return;
4442 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4443 		return;
4444 
4445 	/*
4446 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4447 	 * is taking care of apropriate calls.
4448 	 */
4449 	if (rvp->beacon_mbuf == NULL) {
4450 		rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4451 		    &rvp->bo);
4452 		if (rvp->beacon_mbuf == NULL)
4453 			return;
4454 	}
4455 	m = rvp->beacon_mbuf;
4456 
4457 	memset(&txwi, 0, sizeof(txwi));
4458 	txwi.wcid = 0xff;
4459 	txwi.len = htole16(m->m_pkthdr.len);
4460 
4461 	/* send beacons at the lowest available rate */
4462 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4463 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4464 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4465 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4466 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4467 	txwi.txop = RT2860_TX_TXOP_HT;
4468 	txwi.flags = RT2860_TX_TS;
4469 	txwi.xflags = RT2860_TX_NSEQ;
4470 
4471 	txwisize = (sc->mac_ver == 0x5592) ?
4472 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4473 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4474 	    txwisize);
4475 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4476 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4477 }
4478 
4479 static void
4480 run_updateprot(struct ieee80211com *ic)
4481 {
4482 	struct run_softc *sc = ic->ic_ifp->if_softc;
4483 	uint32_t i;
4484 
4485 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4486 	DPRINTF("cmdq_store=%d\n", i);
4487 	sc->cmdq[i].func = run_updateprot_cb;
4488 	sc->cmdq[i].arg0 = ic;
4489 	ieee80211_runtask(ic, &sc->cmdq_task);
4490 }
4491 
4492 static void
4493 run_updateprot_cb(void *arg)
4494 {
4495 	struct ieee80211com *ic = arg;
4496 	struct run_softc *sc = ic->ic_ifp->if_softc;
4497 	uint32_t tmp;
4498 
4499 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4500 	/* setup protection frame rate (MCS code) */
4501 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4502 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs :
4503 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
4504 
4505 	/* CCK frames don't require protection */
4506 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4507 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
4508 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4509 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
4510 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4511 			tmp |= RT2860_PROT_CTRL_CTS;
4512 	}
4513 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
4514 }
4515 
4516 static void
4517 run_usb_timeout_cb(void *arg)
4518 {
4519 	struct ieee80211vap *vap = arg;
4520 	struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
4521 
4522 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4523 
4524 	if(vap->iv_state == IEEE80211_S_RUN &&
4525 	    vap->iv_opmode != IEEE80211_M_STA)
4526 		run_reset_livelock(sc);
4527 	else if (vap->iv_state == IEEE80211_S_SCAN) {
4528 		DPRINTF("timeout caused by scan\n");
4529 		/* cancel bgscan */
4530 		ieee80211_cancel_scan(vap);
4531 	} else
4532 		DPRINTF("timeout by unknown cause\n");
4533 }
4534 
4535 static void
4536 run_reset_livelock(struct run_softc *sc)
4537 {
4538 	uint32_t tmp;
4539 
4540 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4541 
4542 	/*
4543 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
4544 	 * can run into a livelock and start sending CTS-to-self frames like
4545 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
4546 	 */
4547 	run_read(sc, RT2860_DEBUG, &tmp);
4548 	DPRINTFN(3, "debug reg %08x\n", tmp);
4549 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
4550 		DPRINTF("CTS-to-self livelock detected\n");
4551 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
4552 		run_delay(sc, 1);
4553 		run_write(sc, RT2860_MAC_SYS_CTRL,
4554 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
4555 	}
4556 }
4557 
4558 static void
4559 run_update_promisc_locked(struct ifnet *ifp)
4560 {
4561 	struct run_softc *sc = ifp->if_softc;
4562         uint32_t tmp;
4563 
4564 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
4565 
4566 	tmp |= RT2860_DROP_UC_NOME;
4567         if (ifp->if_flags & IFF_PROMISC)
4568 		tmp &= ~RT2860_DROP_UC_NOME;
4569 
4570 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
4571 
4572         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
4573             "entering" : "leaving");
4574 }
4575 
4576 static void
4577 run_update_promisc(struct ifnet *ifp)
4578 {
4579 	struct run_softc *sc = ifp->if_softc;
4580 
4581 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
4582 		return;
4583 
4584 	RUN_LOCK(sc);
4585 	run_update_promisc_locked(ifp);
4586 	RUN_UNLOCK(sc);
4587 }
4588 
4589 static void
4590 run_enable_tsf_sync(struct run_softc *sc)
4591 {
4592 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4593 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
4594 	uint32_t tmp;
4595 
4596 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
4597 	    ic->ic_opmode);
4598 
4599 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4600 	tmp &= ~0x1fffff;
4601 	tmp |= vap->iv_bss->ni_intval * 16;
4602 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
4603 
4604 	if (ic->ic_opmode == IEEE80211_M_STA) {
4605 		/*
4606 		 * Local TSF is always updated with remote TSF on beacon
4607 		 * reception.
4608 		 */
4609 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
4610 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
4611 	        tmp |= RT2860_BCN_TX_EN;
4612 	        /*
4613 	         * Local TSF is updated with remote TSF on beacon reception
4614 	         * only if the remote TSF is greater than local TSF.
4615 	         */
4616 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
4617 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
4618 		    ic->ic_opmode == IEEE80211_M_MBSS) {
4619 	        tmp |= RT2860_BCN_TX_EN;
4620 	        /* SYNC with nobody */
4621 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
4622 	} else {
4623 		DPRINTF("Enabling TSF failed. undefined opmode\n");
4624 		return;
4625 	}
4626 
4627 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
4628 }
4629 
4630 static void
4631 run_enable_mrr(struct run_softc *sc)
4632 {
4633 #define CCK(mcs)	(mcs)
4634 #define OFDM(mcs)	(1 << 3 | (mcs))
4635 	run_write(sc, RT2860_LG_FBK_CFG0,
4636 	    OFDM(6) << 28 |	/* 54->48 */
4637 	    OFDM(5) << 24 |	/* 48->36 */
4638 	    OFDM(4) << 20 |	/* 36->24 */
4639 	    OFDM(3) << 16 |	/* 24->18 */
4640 	    OFDM(2) << 12 |	/* 18->12 */
4641 	    OFDM(1) <<  8 |	/* 12-> 9 */
4642 	    OFDM(0) <<  4 |	/*  9-> 6 */
4643 	    OFDM(0));		/*  6-> 6 */
4644 
4645 	run_write(sc, RT2860_LG_FBK_CFG1,
4646 	    CCK(2) << 12 |	/* 11->5.5 */
4647 	    CCK(1) <<  8 |	/* 5.5-> 2 */
4648 	    CCK(0) <<  4 |	/*   2-> 1 */
4649 	    CCK(0));		/*   1-> 1 */
4650 #undef OFDM
4651 #undef CCK
4652 }
4653 
4654 static void
4655 run_set_txpreamble(struct run_softc *sc)
4656 {
4657 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4658 	uint32_t tmp;
4659 
4660 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
4661 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
4662 		tmp |= RT2860_CCK_SHORT_EN;
4663 	else
4664 		tmp &= ~RT2860_CCK_SHORT_EN;
4665 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
4666 }
4667 
4668 static void
4669 run_set_basicrates(struct run_softc *sc)
4670 {
4671 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4672 
4673 	/* set basic rates mask */
4674 	if (ic->ic_curmode == IEEE80211_MODE_11B)
4675 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
4676 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
4677 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
4678 	else	/* 11g */
4679 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
4680 }
4681 
4682 static void
4683 run_set_leds(struct run_softc *sc, uint16_t which)
4684 {
4685 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
4686 	    which | (sc->leds & 0x7f));
4687 }
4688 
4689 static void
4690 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
4691 {
4692 	run_write(sc, RT2860_MAC_BSSID_DW0,
4693 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
4694 	run_write(sc, RT2860_MAC_BSSID_DW1,
4695 	    bssid[4] | bssid[5] << 8);
4696 }
4697 
4698 static void
4699 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
4700 {
4701 	run_write(sc, RT2860_MAC_ADDR_DW0,
4702 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
4703 	run_write(sc, RT2860_MAC_ADDR_DW1,
4704 	    addr[4] | addr[5] << 8 | 0xff << 16);
4705 }
4706 
4707 static void
4708 run_updateslot(struct ifnet *ifp)
4709 {
4710 	struct run_softc *sc = ifp->if_softc;
4711 	struct ieee80211com *ic = ifp->if_l2com;
4712 	uint32_t i;
4713 
4714 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4715 	DPRINTF("cmdq_store=%d\n", i);
4716 	sc->cmdq[i].func = run_updateslot_cb;
4717 	sc->cmdq[i].arg0 = ifp;
4718 	ieee80211_runtask(ic, &sc->cmdq_task);
4719 
4720 	return;
4721 }
4722 
4723 /* ARGSUSED */
4724 static void
4725 run_updateslot_cb(void *arg)
4726 {
4727 	struct ifnet *ifp = arg;
4728 	struct run_softc *sc = ifp->if_softc;
4729 	struct ieee80211com *ic = ifp->if_l2com;
4730 	uint32_t tmp;
4731 
4732 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
4733 	tmp &= ~0xff;
4734 	tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
4735 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
4736 }
4737 
4738 static void
4739 run_update_mcast(struct ifnet *ifp)
4740 {
4741 	/* h/w filter supports getting everything or nothing */
4742 	ifp->if_flags |= IFF_ALLMULTI;
4743 }
4744 
4745 static int8_t
4746 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
4747 {
4748 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4749 	struct ieee80211_channel *c = ic->ic_curchan;
4750 	int delta;
4751 
4752 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
4753 		u_int chan = ieee80211_chan2ieee(ic, c);
4754 		delta = sc->rssi_5ghz[rxchain];
4755 
4756 		/* determine channel group */
4757 		if (chan <= 64)
4758 			delta -= sc->lna[1];
4759 		else if (chan <= 128)
4760 			delta -= sc->lna[2];
4761 		else
4762 			delta -= sc->lna[3];
4763 	} else
4764 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
4765 
4766 	return (-12 - delta - rssi);
4767 }
4768 
4769 static void
4770 run_rt5390_bbp_init(struct run_softc *sc)
4771 {
4772 	int i;
4773 	uint8_t bbp;
4774 
4775 	/* Apply maximum likelihood detection for 2 stream case. */
4776 	run_bbp_read(sc, 105, &bbp);
4777 	if (sc->nrxchains > 1)
4778 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
4779 
4780 	/* Avoid data lost and CRC error. */
4781 	run_bbp_read(sc, 4, &bbp);
4782 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
4783 
4784 	if (sc->mac_ver == 0x5592) {
4785 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
4786 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
4787 			    rt5592_def_bbp[i].val);
4788 		}
4789 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
4790 			run_bbp_write(sc, 195, i + 0x80);
4791 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
4792 		}
4793 	} else {
4794 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
4795 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
4796 			    rt5390_def_bbp[i].val);
4797 		}
4798 	}
4799 	if (sc->mac_ver == 0x5392) {
4800 		run_bbp_write(sc, 88, 0x90);
4801 		run_bbp_write(sc, 95, 0x9a);
4802 		run_bbp_write(sc, 98, 0x12);
4803 		run_bbp_write(sc, 106, 0x12);
4804 		run_bbp_write(sc, 134, 0xd0);
4805 		run_bbp_write(sc, 135, 0xf6);
4806 		run_bbp_write(sc, 148, 0x84);
4807 	}
4808 
4809 	run_bbp_read(sc, 152, &bbp);
4810 	run_bbp_write(sc, 152, bbp | 0x80);
4811 
4812 	/* Fix BBP254 for RT5592C. */
4813 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
4814 		run_bbp_read(sc, 254, &bbp);
4815 		run_bbp_write(sc, 254, bbp | 0x80);
4816 	}
4817 
4818 	/* Disable hardware antenna diversity. */
4819 	if (sc->mac_ver == 0x5390)
4820 		run_bbp_write(sc, 154, 0);
4821 
4822 	/* Initialize Rx CCK/OFDM frequency offset report. */
4823 	run_bbp_write(sc, 142, 1);
4824 	run_bbp_write(sc, 143, 57);
4825 }
4826 
4827 static int
4828 run_bbp_init(struct run_softc *sc)
4829 {
4830 	int i, error, ntries;
4831 	uint8_t bbp0;
4832 
4833 	/* wait for BBP to wake up */
4834 	for (ntries = 0; ntries < 20; ntries++) {
4835 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
4836 			return error;
4837 		if (bbp0 != 0 && bbp0 != 0xff)
4838 			break;
4839 	}
4840 	if (ntries == 20)
4841 		return (ETIMEDOUT);
4842 
4843 	/* initialize BBP registers to default values */
4844 	if (sc->mac_ver >= 0x5390)
4845 		run_rt5390_bbp_init(sc);
4846 	else {
4847 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
4848 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
4849 			    rt2860_def_bbp[i].val);
4850 		}
4851 	}
4852 
4853 	/* fix BBP84 for RT2860E */
4854 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
4855 		run_bbp_write(sc, 84, 0x19);
4856 
4857 	if (sc->mac_ver >= 0x3070 && sc->mac_ver != 0x5592) {
4858 		run_bbp_write(sc, 79, 0x13);
4859 		run_bbp_write(sc, 80, 0x05);
4860 		run_bbp_write(sc, 81, 0x33);
4861 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
4862 		run_bbp_write(sc, 69, 0x16);
4863 		run_bbp_write(sc, 73, 0x12);
4864 	}
4865 	return (0);
4866 }
4867 
4868 static int
4869 run_rt3070_rf_init(struct run_softc *sc)
4870 {
4871 	uint32_t tmp;
4872 	uint8_t bbp4, mingain, rf, target;
4873 	int i;
4874 
4875 	run_rt3070_rf_read(sc, 30, &rf);
4876 	/* toggle RF R30 bit 7 */
4877 	run_rt3070_rf_write(sc, 30, rf | 0x80);
4878 	run_delay(sc, 10);
4879 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
4880 
4881 	/* initialize RF registers to default value */
4882 	if (sc->mac_ver == 0x3572) {
4883 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
4884 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
4885 			    rt3572_def_rf[i].val);
4886 		}
4887 	} else {
4888 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
4889 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
4890 			    rt3070_def_rf[i].val);
4891 		}
4892 	}
4893 
4894 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
4895 		/*
4896 		 * Change voltage from 1.2V to 1.35V for RT3070.
4897 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
4898 		 * in RT3070(F).
4899 		 */
4900 		run_read(sc, RT3070_LDO_CFG0, &tmp);
4901 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
4902 		run_write(sc, RT3070_LDO_CFG0, tmp);
4903 
4904 	} else if (sc->mac_ver == 0x3071) {
4905 		run_rt3070_rf_read(sc, 6, &rf);
4906 		run_rt3070_rf_write(sc, 6, rf | 0x40);
4907 		run_rt3070_rf_write(sc, 31, 0x14);
4908 
4909 		run_read(sc, RT3070_LDO_CFG0, &tmp);
4910 		tmp &= ~0x1f000000;
4911 		if (sc->mac_rev < 0x0211)
4912 			tmp |= 0x0d000000;	/* 1.3V */
4913 		else
4914 			tmp |= 0x01000000;	/* 1.2V */
4915 		run_write(sc, RT3070_LDO_CFG0, tmp);
4916 
4917 		/* patch LNA_PE_G1 */
4918 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
4919 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
4920 
4921 	} else if (sc->mac_ver == 0x3572) {
4922 		run_rt3070_rf_read(sc, 6, &rf);
4923 		run_rt3070_rf_write(sc, 6, rf | 0x40);
4924 
4925 		/* increase voltage from 1.2V to 1.35V */
4926 		run_read(sc, RT3070_LDO_CFG0, &tmp);
4927 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
4928 		run_write(sc, RT3070_LDO_CFG0, tmp);
4929 
4930 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
4931 			run_delay(sc, 1);	/* wait for 1msec */
4932 			/* decrease voltage back to 1.2V */
4933 			tmp = (tmp & ~0x1f000000) | 0x01000000;
4934 			run_write(sc, RT3070_LDO_CFG0, tmp);
4935 		}
4936 	}
4937 
4938 	/* select 20MHz bandwidth */
4939 	run_rt3070_rf_read(sc, 31, &rf);
4940 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
4941 
4942 	/* calibrate filter for 20MHz bandwidth */
4943 	sc->rf24_20mhz = 0x1f;	/* default value */
4944 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
4945 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
4946 
4947 	/* select 40MHz bandwidth */
4948 	run_bbp_read(sc, 4, &bbp4);
4949 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
4950 	run_rt3070_rf_read(sc, 31, &rf);
4951 	run_rt3070_rf_write(sc, 31, rf | 0x20);
4952 
4953 	/* calibrate filter for 40MHz bandwidth */
4954 	sc->rf24_40mhz = 0x2f;	/* default value */
4955 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
4956 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
4957 
4958 	/* go back to 20MHz bandwidth */
4959 	run_bbp_read(sc, 4, &bbp4);
4960 	run_bbp_write(sc, 4, bbp4 & ~0x18);
4961 
4962 	if (sc->mac_ver == 0x3572) {
4963 		/* save default BBP registers 25 and 26 values */
4964 		run_bbp_read(sc, 25, &sc->bbp25);
4965 		run_bbp_read(sc, 26, &sc->bbp26);
4966 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
4967 		run_rt3070_rf_write(sc, 27, 0x03);
4968 
4969 	run_read(sc, RT3070_OPT_14, &tmp);
4970 	run_write(sc, RT3070_OPT_14, tmp | 1);
4971 
4972 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
4973 		run_rt3070_rf_read(sc, 17, &rf);
4974 		rf &= ~RT3070_TX_LO1;
4975 		if ((sc->mac_ver == 0x3070 ||
4976 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
4977 		    !sc->ext_2ghz_lna)
4978 			rf |= 0x20;	/* fix for long range Rx issue */
4979 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
4980 		if (sc->txmixgain_2ghz >= mingain)
4981 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
4982 		run_rt3070_rf_write(sc, 17, rf);
4983 	}
4984 
4985 	if (sc->mac_rev == 0x3071) {
4986 		run_rt3070_rf_read(sc, 1, &rf);
4987 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
4988 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
4989 		run_rt3070_rf_write(sc, 1, rf);
4990 
4991 		run_rt3070_rf_read(sc, 15, &rf);
4992 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
4993 
4994 		run_rt3070_rf_read(sc, 20, &rf);
4995 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
4996 
4997 		run_rt3070_rf_read(sc, 21, &rf);
4998 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
4999 	}
5000 
5001 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5002 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5003 		run_rt3070_rf_read(sc, 27, &rf);
5004 		rf &= ~0x77;
5005 		if (sc->mac_rev < 0x0211)
5006 			rf |= 0x03;
5007 		run_rt3070_rf_write(sc, 27, rf);
5008 	}
5009 	return (0);
5010 }
5011 
5012 static void
5013 run_rt5390_rf_init(struct run_softc *sc)
5014 {
5015 	uint32_t tmp;
5016 	uint8_t rf;
5017 	int i;
5018 
5019 	/* Toggle RF R2 to initiate calibration. */
5020 	if (sc->mac_ver == 0x5390) {
5021 		run_rt3070_rf_read(sc, 2, &rf);
5022 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5023 		run_delay(sc, 10);
5024 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5025 	} else {
5026 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5027 		run_delay(sc, 10);
5028 	}
5029 
5030 	/* Initialize RF registers to default value. */
5031 	if (sc->mac_ver == 0x5592) {
5032 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5033 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5034 			    rt5592_def_rf[i].val);
5035 		}
5036 		/* Initialize RF frequency offset. */
5037 		run_adjust_freq_offset(sc);
5038 	} else if (sc->mac_ver == 0x5392) {
5039 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5040 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5041 			    rt5392_def_rf[i].val);
5042 		}
5043 		if (sc->mac_rev >= 0x0223) {
5044 			run_rt3070_rf_write(sc, 23, 0x0f);
5045 			run_rt3070_rf_write(sc, 24, 0x3e);
5046 			run_rt3070_rf_write(sc, 51, 0x32);
5047 			run_rt3070_rf_write(sc, 53, 0x22);
5048 			run_rt3070_rf_write(sc, 56, 0xc1);
5049 			run_rt3070_rf_write(sc, 59, 0x0f);
5050 		}
5051 	} else {
5052 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5053 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5054 			    rt5390_def_rf[i].val);
5055 		}
5056 		if (sc->mac_rev >= 0x0502) {
5057 			run_rt3070_rf_write(sc, 6, 0xe0);
5058 			run_rt3070_rf_write(sc, 25, 0x80);
5059 			run_rt3070_rf_write(sc, 46, 0x73);
5060 			run_rt3070_rf_write(sc, 53, 0x00);
5061 			run_rt3070_rf_write(sc, 56, 0x42);
5062 			run_rt3070_rf_write(sc, 61, 0xd1);
5063 		}
5064 	}
5065 
5066 	sc->rf24_20mhz = 0x1f;	/* default value */
5067 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5068 
5069 	if (sc->mac_rev < 0x0211)
5070 		run_rt3070_rf_write(sc, 27, 0x3);
5071 
5072 	run_read(sc, RT3070_OPT_14, &tmp);
5073 	run_write(sc, RT3070_OPT_14, tmp | 1);
5074 }
5075 
5076 static int
5077 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5078     uint8_t *val)
5079 {
5080 	uint8_t rf22, rf24;
5081 	uint8_t bbp55_pb, bbp55_sb, delta;
5082 	int ntries;
5083 
5084 	/* program filter */
5085 	run_rt3070_rf_read(sc, 24, &rf24);
5086 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5087 	run_rt3070_rf_write(sc, 24, rf24);
5088 
5089 	/* enable baseband loopback mode */
5090 	run_rt3070_rf_read(sc, 22, &rf22);
5091 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5092 
5093 	/* set power and frequency of passband test tone */
5094 	run_bbp_write(sc, 24, 0x00);
5095 	for (ntries = 0; ntries < 100; ntries++) {
5096 		/* transmit test tone */
5097 		run_bbp_write(sc, 25, 0x90);
5098 		run_delay(sc, 10);
5099 		/* read received power */
5100 		run_bbp_read(sc, 55, &bbp55_pb);
5101 		if (bbp55_pb != 0)
5102 			break;
5103 	}
5104 	if (ntries == 100)
5105 		return (ETIMEDOUT);
5106 
5107 	/* set power and frequency of stopband test tone */
5108 	run_bbp_write(sc, 24, 0x06);
5109 	for (ntries = 0; ntries < 100; ntries++) {
5110 		/* transmit test tone */
5111 		run_bbp_write(sc, 25, 0x90);
5112 		run_delay(sc, 10);
5113 		/* read received power */
5114 		run_bbp_read(sc, 55, &bbp55_sb);
5115 
5116 		delta = bbp55_pb - bbp55_sb;
5117 		if (delta > target)
5118 			break;
5119 
5120 		/* reprogram filter */
5121 		rf24++;
5122 		run_rt3070_rf_write(sc, 24, rf24);
5123 	}
5124 	if (ntries < 100) {
5125 		if (rf24 != init)
5126 			rf24--;	/* backtrack */
5127 		*val = rf24;
5128 		run_rt3070_rf_write(sc, 24, rf24);
5129 	}
5130 
5131 	/* restore initial state */
5132 	run_bbp_write(sc, 24, 0x00);
5133 
5134 	/* disable baseband loopback mode */
5135 	run_rt3070_rf_read(sc, 22, &rf22);
5136 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5137 
5138 	return (0);
5139 }
5140 
5141 static void
5142 run_rt3070_rf_setup(struct run_softc *sc)
5143 {
5144 	uint8_t bbp, rf;
5145 	int i;
5146 
5147 	if (sc->mac_ver >= 0x5390) {
5148 		if (sc->mac_rev >= 0x0211) {
5149 			/* Enable DC filter. */
5150 			run_bbp_write(sc, 103, 0xc0);
5151 
5152 			if (sc->mac_ver != 0x5592) {
5153 				/* Improve power consumption. */
5154 				run_bbp_read(sc, 31, &bbp);
5155 				run_bbp_write(sc, 31, bbp & ~0x03);
5156 			}
5157 		}
5158 
5159 		run_bbp_read(sc, 138, &bbp);
5160 		if (sc->ntxchains == 1)
5161 			bbp |= 0x20;	/* turn off DAC1 */
5162 		if (sc->nrxchains == 1)
5163 			bbp &= ~0x02;	/* turn off ADC1 */
5164 		run_bbp_write(sc, 138, bbp);
5165 
5166 		run_rt3070_rf_read(sc, 38, &rf);
5167 		run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5168 
5169 		run_rt3070_rf_read(sc, 39, &rf);
5170 		run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5171 
5172 		/* Avoid data lost and CRC error. */
5173 		run_bbp_read(sc, 4, &bbp);
5174 		run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5175 
5176 		run_rt3070_rf_read(sc, 30, &rf);
5177 		rf = (rf & ~0x18) | 0x10;
5178 		run_rt3070_rf_write(sc, 30, rf);
5179 
5180 		if (sc->mac_ver != 0x5592) {
5181 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5182 			if (sc->mac_rev < 0x0211) {
5183 				run_write(sc, RT2860_TX_SW_CFG2,
5184 				    sc->patch_dac ? 0x2c : 0x0f);
5185 			} else
5186 				run_write(sc, RT2860_TX_SW_CFG2, 0);
5187 		}
5188 
5189 	} else if (sc->mac_ver == 0x3572) {
5190 		/* enable DC filter */
5191 		if (sc->mac_rev >= 0x0201)
5192 			run_bbp_write(sc, 103, 0xc0);
5193 
5194 		run_bbp_read(sc, 138, &bbp);
5195 		if (sc->ntxchains == 1)
5196 			bbp |= 0x20;	/* turn off DAC1 */
5197 		if (sc->nrxchains == 1)
5198 			bbp &= ~0x02;	/* turn off ADC1 */
5199 		run_bbp_write(sc, 138, bbp);
5200 
5201 		if (sc->mac_rev >= 0x0211) {
5202 			/* improve power consumption */
5203 			run_bbp_read(sc, 31, &bbp);
5204 			run_bbp_write(sc, 31, bbp & ~0x03);
5205 		}
5206 
5207 		run_rt3070_rf_read(sc, 16, &rf);
5208 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5209 		run_rt3070_rf_write(sc, 16, rf);
5210 
5211 	} else if (sc->mac_ver == 0x3071) {
5212 		if (sc->mac_rev >= 0x0211) {
5213 			/* enable DC filter */
5214 			run_bbp_write(sc, 103, 0xc0);
5215 
5216 			/* improve power consumption */
5217 			run_bbp_read(sc, 31, &bbp);
5218 			run_bbp_write(sc, 31, bbp & ~0x03);
5219 		}
5220 
5221 		run_bbp_read(sc, 138, &bbp);
5222 		if (sc->ntxchains == 1)
5223 			bbp |= 0x20;	/* turn off DAC1 */
5224 		if (sc->nrxchains == 1)
5225 			bbp &= ~0x02;	/* turn off ADC1 */
5226 		run_bbp_write(sc, 138, bbp);
5227 
5228 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5229 		if (sc->mac_rev < 0x0211) {
5230 			run_write(sc, RT2860_TX_SW_CFG2,
5231 			    sc->patch_dac ? 0x2c : 0x0f);
5232 		} else
5233 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5234 
5235 	} else if (sc->mac_ver == 0x3070) {
5236 		if (sc->mac_rev >= 0x0201) {
5237 			/* enable DC filter */
5238 			run_bbp_write(sc, 103, 0xc0);
5239 
5240 			/* improve power consumption */
5241 			run_bbp_read(sc, 31, &bbp);
5242 			run_bbp_write(sc, 31, bbp & ~0x03);
5243 		}
5244 
5245 		if (sc->mac_rev < 0x0201) {
5246 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5247 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5248 		} else
5249 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5250 	}
5251 
5252 	/* initialize RF registers from ROM for >=RT3071*/
5253 	if (sc->mac_ver >= 0x3071 && sc->mac_ver < 0x5390) {
5254 		for (i = 0; i < 10; i++) {
5255 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5256 				continue;
5257 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5258 		}
5259 	}
5260 }
5261 
5262 static int
5263 run_txrx_enable(struct run_softc *sc)
5264 {
5265 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5266 	uint32_t tmp;
5267 	int error, ntries;
5268 
5269 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5270 	for (ntries = 0; ntries < 200; ntries++) {
5271 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5272 			return (error);
5273 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5274 			break;
5275 		run_delay(sc, 50);
5276 	}
5277 	if (ntries == 200)
5278 		return (ETIMEDOUT);
5279 
5280 	run_delay(sc, 50);
5281 
5282 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5283 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5284 
5285 	/* enable Rx bulk aggregation (set timeout and limit) */
5286 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5287 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5288 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5289 
5290 	/* set Rx filter */
5291 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5292 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5293 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5294 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5295 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5296 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5297 		if (ic->ic_opmode == IEEE80211_M_STA)
5298 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5299 	}
5300 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5301 
5302 	run_write(sc, RT2860_MAC_SYS_CTRL,
5303 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5304 
5305 	return (0);
5306 }
5307 
5308 static void
5309 run_adjust_freq_offset(struct run_softc *sc)
5310 {
5311 	uint8_t rf, tmp;
5312 
5313 	run_rt3070_rf_read(sc, 17, &rf);
5314 	tmp = rf;
5315 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5316 	rf = MIN(rf, 0x5f);
5317 
5318 	if (tmp != rf)
5319 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5320 }
5321 
5322 static void
5323 run_init_locked(struct run_softc *sc)
5324 {
5325 	struct ifnet *ifp = sc->sc_ifp;
5326 	struct ieee80211com *ic = ifp->if_l2com;
5327 	uint32_t tmp;
5328 	uint8_t bbp1, bbp3;
5329 	int i;
5330 	int ridx;
5331 	int ntries;
5332 
5333 	if (ic->ic_nrunning > 1)
5334 		return;
5335 
5336 	run_stop(sc);
5337 
5338 	if (run_load_microcode(sc) != 0) {
5339 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5340 		goto fail;
5341 	}
5342 
5343 	for (ntries = 0; ntries < 100; ntries++) {
5344 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5345 			goto fail;
5346 		if (tmp != 0 && tmp != 0xffffffff)
5347 			break;
5348 		run_delay(sc, 10);
5349 	}
5350 	if (ntries == 100)
5351 		goto fail;
5352 
5353 	for (i = 0; i != RUN_EP_QUEUES; i++)
5354 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5355 
5356 	run_set_macaddr(sc, IF_LLADDR(ifp));
5357 
5358 	for (ntries = 0; ntries < 100; ntries++) {
5359 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5360 			goto fail;
5361 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5362 			break;
5363 		run_delay(sc, 10);
5364 	}
5365 	if (ntries == 100) {
5366 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5367 		goto fail;
5368 	}
5369 	tmp &= 0xff0;
5370 	tmp |= RT2860_TX_WB_DDONE;
5371 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5372 
5373 	/* turn off PME_OEN to solve high-current issue */
5374 	run_read(sc, RT2860_SYS_CTRL, &tmp);
5375 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5376 
5377 	run_write(sc, RT2860_MAC_SYS_CTRL,
5378 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
5379 	run_write(sc, RT2860_USB_DMA_CFG, 0);
5380 
5381 	if (run_reset(sc) != 0) {
5382 		device_printf(sc->sc_dev, "could not reset chipset\n");
5383 		goto fail;
5384 	}
5385 
5386 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
5387 
5388 	/* init Tx power for all Tx rates (from EEPROM) */
5389 	for (ridx = 0; ridx < 5; ridx++) {
5390 		if (sc->txpow20mhz[ridx] == 0xffffffff)
5391 			continue;
5392 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
5393 	}
5394 
5395 	for (i = 0; i < nitems(rt2870_def_mac); i++)
5396 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
5397 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
5398 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
5399 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
5400 
5401 	if (sc->mac_ver >= 0x5390) {
5402 		run_write(sc, RT2860_TX_SW_CFG0,
5403 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
5404 		if (sc->mac_ver >= 0x5392) {
5405 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
5406 			if (sc->mac_ver == 0x5592) {
5407 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
5408 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
5409 			} else {
5410 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
5411 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
5412 			}
5413 		}
5414 	} else if (sc->mac_ver >= 0x3070) {
5415 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
5416 		run_write(sc, RT2860_TX_SW_CFG0,
5417 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
5418 	}
5419 
5420 	/* wait while MAC is busy */
5421 	for (ntries = 0; ntries < 100; ntries++) {
5422 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
5423 			goto fail;
5424 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
5425 			break;
5426 		run_delay(sc, 10);
5427 	}
5428 	if (ntries == 100)
5429 		goto fail;
5430 
5431 	/* clear Host to MCU mailbox */
5432 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
5433 	run_write(sc, RT2860_H2M_MAILBOX, 0);
5434 	run_delay(sc, 10);
5435 
5436 	if (run_bbp_init(sc) != 0) {
5437 		device_printf(sc->sc_dev, "could not initialize BBP\n");
5438 		goto fail;
5439 	}
5440 
5441 	/* abort TSF synchronization */
5442 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5443 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
5444 	    RT2860_TBTT_TIMER_EN);
5445 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5446 
5447 	/* clear RX WCID search table */
5448 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
5449 	/* clear WCID attribute table */
5450 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
5451 
5452 	/* hostapd sets a key before init. So, don't clear it. */
5453 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
5454 		/* clear shared key table */
5455 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
5456 		/* clear shared key mode */
5457 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
5458 	}
5459 
5460 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
5461 	tmp = (tmp & ~0xff) | 0x1e;
5462 	run_write(sc, RT2860_US_CYC_CNT, tmp);
5463 
5464 	if (sc->mac_rev != 0x0101)
5465 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
5466 
5467 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
5468 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
5469 
5470 	/* write vendor-specific BBP values (from EEPROM) */
5471 	if (sc->mac_ver < 0x5390) {
5472 		for (i = 0; i < 10; i++) {
5473 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
5474 				continue;
5475 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
5476 		}
5477 	}
5478 
5479 	/* select Main antenna for 1T1R devices */
5480 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
5481 		run_set_rx_antenna(sc, 0);
5482 
5483 	/* send LEDs operating mode to microcontroller */
5484 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
5485 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
5486 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
5487 
5488 	if (sc->mac_ver >= 0x5390)
5489 		run_rt5390_rf_init(sc);
5490 	else if (sc->mac_ver >= 0x3070)
5491 		run_rt3070_rf_init(sc);
5492 
5493 	/* disable non-existing Rx chains */
5494 	run_bbp_read(sc, 3, &bbp3);
5495 	bbp3 &= ~(1 << 3 | 1 << 4);
5496 	if (sc->nrxchains == 2)
5497 		bbp3 |= 1 << 3;
5498 	else if (sc->nrxchains == 3)
5499 		bbp3 |= 1 << 4;
5500 	run_bbp_write(sc, 3, bbp3);
5501 
5502 	/* disable non-existing Tx chains */
5503 	run_bbp_read(sc, 1, &bbp1);
5504 	if (sc->ntxchains == 1)
5505 		bbp1 &= ~(1 << 3 | 1 << 4);
5506 	run_bbp_write(sc, 1, bbp1);
5507 
5508 	if (sc->mac_ver >= 0x3070)
5509 		run_rt3070_rf_setup(sc);
5510 
5511 	/* select default channel */
5512 	run_set_chan(sc, ic->ic_curchan);
5513 
5514 	/* setup initial protection mode */
5515 	run_updateprot_cb(ic);
5516 
5517 	/* turn radio LED on */
5518 	run_set_leds(sc, RT2860_LED_RADIO);
5519 
5520 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
5521 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
5522 	sc->cmdq_run = RUN_CMDQ_GO;
5523 
5524 	for (i = 0; i != RUN_N_XFER; i++)
5525 		usbd_xfer_set_stall(sc->sc_xfer[i]);
5526 
5527 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
5528 
5529 	if (run_txrx_enable(sc) != 0)
5530 		goto fail;
5531 
5532 	return;
5533 
5534 fail:
5535 	run_stop(sc);
5536 }
5537 
5538 static void
5539 run_init(void *arg)
5540 {
5541 	struct run_softc *sc = arg;
5542 	struct ifnet *ifp = sc->sc_ifp;
5543 	struct ieee80211com *ic = ifp->if_l2com;
5544 
5545 	RUN_LOCK(sc);
5546 	run_init_locked(sc);
5547 	RUN_UNLOCK(sc);
5548 
5549 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
5550 		ieee80211_start_all(ic);
5551 }
5552 
5553 static void
5554 run_stop(void *arg)
5555 {
5556 	struct run_softc *sc = (struct run_softc *)arg;
5557 	struct ifnet *ifp = sc->sc_ifp;
5558 	uint32_t tmp;
5559 	int i;
5560 	int ntries;
5561 
5562 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5563 
5564 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
5565 		run_set_leds(sc, 0);	/* turn all LEDs off */
5566 
5567 	ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
5568 
5569 	sc->ratectl_run = RUN_RATECTL_OFF;
5570 	sc->cmdq_run = sc->cmdq_key_set;
5571 
5572 	RUN_UNLOCK(sc);
5573 
5574 	for(i = 0; i < RUN_N_XFER; i++)
5575 		usbd_transfer_drain(sc->sc_xfer[i]);
5576 
5577 	RUN_LOCK(sc);
5578 
5579 	if (sc->rx_m != NULL) {
5580 		m_free(sc->rx_m);
5581 		sc->rx_m = NULL;
5582 	}
5583 
5584 	/* Disable Tx/Rx DMA. */
5585 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5586 		return;
5587 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
5588 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5589 
5590 	for (ntries = 0; ntries < 100; ntries++) {
5591 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5592 			return;
5593 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5594 				break;
5595 		run_delay(sc, 10);
5596 	}
5597 	if (ntries == 100) {
5598 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5599 		return;
5600 	}
5601 
5602 	/* disable Tx/Rx */
5603 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
5604 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5605 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
5606 
5607 	/* wait for pending Tx to complete */
5608 	for (ntries = 0; ntries < 100; ntries++) {
5609 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
5610 			DPRINTF("Cannot read Tx queue count\n");
5611 			break;
5612 		}
5613 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
5614 			DPRINTF("All Tx cleared\n");
5615 			break;
5616 		}
5617 		run_delay(sc, 10);
5618 	}
5619 	if (ntries >= 100)
5620 		DPRINTF("There are still pending Tx\n");
5621 	run_delay(sc, 10);
5622 	run_write(sc, RT2860_USB_DMA_CFG, 0);
5623 
5624 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
5625 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
5626 
5627 	for (i = 0; i != RUN_EP_QUEUES; i++)
5628 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
5629 }
5630 
5631 static void
5632 run_delay(struct run_softc *sc, u_int ms)
5633 {
5634 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
5635 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
5636 }
5637 
5638 static device_method_t run_methods[] = {
5639 	/* Device interface */
5640 	DEVMETHOD(device_probe,		run_match),
5641 	DEVMETHOD(device_attach,	run_attach),
5642 	DEVMETHOD(device_detach,	run_detach),
5643 	DEVMETHOD_END
5644 };
5645 
5646 static driver_t run_driver = {
5647 	.name = "run",
5648 	.methods = run_methods,
5649 	.size = sizeof(struct run_softc)
5650 };
5651 
5652 static devclass_t run_devclass;
5653 
5654 DRIVER_MODULE(run, uhub, run_driver, run_devclass, NULL, NULL);
5655 MODULE_DEPEND(run, wlan, 1, 1, 1);
5656 MODULE_DEPEND(run, usb, 1, 1, 1);
5657 MODULE_DEPEND(run, firmware, 1, 1, 1);
5658 MODULE_VERSION(run, 1);
5659