xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 23f6875a43f7ce365f2d52cf857da010c47fb03b)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RWTUN, &run_debug, 0,
88     "run debug level");
89 
90 enum {
91 	RUN_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
92 	RUN_DEBUG_XMIT_DESC	= 0x00000002,	/* xmit descriptors */
93 	RUN_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
94 	RUN_DEBUG_RECV_DESC	= 0x00000008,	/* recv descriptors */
95 	RUN_DEBUG_STATE		= 0x00000010,	/* 802.11 state transitions */
96 	RUN_DEBUG_RATE		= 0x00000020,	/* rate adaptation */
97 	RUN_DEBUG_USB		= 0x00000040,	/* usb requests */
98 	RUN_DEBUG_FIRMWARE	= 0x00000080,	/* firmware(9) loading debug */
99 	RUN_DEBUG_BEACON	= 0x00000100,	/* beacon handling */
100 	RUN_DEBUG_INTR		= 0x00000200,	/* ISR */
101 	RUN_DEBUG_TEMP		= 0x00000400,	/* temperature calibration */
102 	RUN_DEBUG_ROM		= 0x00000800,	/* various ROM info */
103 	RUN_DEBUG_KEY		= 0x00001000,	/* crypto keys management */
104 	RUN_DEBUG_TXPWR		= 0x00002000,	/* dump Tx power values */
105 	RUN_DEBUG_RSSI		= 0x00004000,	/* dump RSSI lookups */
106 	RUN_DEBUG_RESET		= 0x00008000,	/* initialization progress */
107 	RUN_DEBUG_CALIB		= 0x00010000,	/* calibration progress */
108 	RUN_DEBUG_CMD		= 0x00020000,	/* command queue */
109 	RUN_DEBUG_ANY		= 0xffffffff
110 };
111 
112 #define RUN_DPRINTF(_sc, _m, ...) do {			\
113 	if (run_debug & (_m))				\
114 		device_printf((_sc)->sc_dev, __VA_ARGS__);	\
115 } while(0)
116 #else
117 #define RUN_DPRINTF(_sc, _m, ...)	do { (void) _sc; } while (0)
118 #endif
119 
120 #define	IEEE80211_HAS_ADDR4(wh)	IEEE80211_IS_DSTODS(wh)
121 
122 /*
123  * Because of LOR in run_key_delete(), use atomic instead.
124  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
125  */
126 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
127 
128 static const STRUCT_USB_HOST_ID run_devs[] = {
129 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
130 #define	RUN_DEV_EJECT(v,p)	\
131 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
132 #define	RUN_EJECT	1
133     RUN_DEV(ABOCOM,		RT2770),
134     RUN_DEV(ABOCOM,		RT2870),
135     RUN_DEV(ABOCOM,		RT3070),
136     RUN_DEV(ABOCOM,		RT3071),
137     RUN_DEV(ABOCOM,		RT3072),
138     RUN_DEV(ABOCOM2,		RT2870_1),
139     RUN_DEV(ACCTON,		RT2770),
140     RUN_DEV(ACCTON,		RT2870_1),
141     RUN_DEV(ACCTON,		RT2870_2),
142     RUN_DEV(ACCTON,		RT2870_3),
143     RUN_DEV(ACCTON,		RT2870_4),
144     RUN_DEV(ACCTON,		RT2870_5),
145     RUN_DEV(ACCTON,		RT3070),
146     RUN_DEV(ACCTON,		RT3070_1),
147     RUN_DEV(ACCTON,		RT3070_2),
148     RUN_DEV(ACCTON,		RT3070_3),
149     RUN_DEV(ACCTON,		RT3070_4),
150     RUN_DEV(ACCTON,		RT3070_5),
151     RUN_DEV(AIRTIES,		RT3070),
152     RUN_DEV(ALLWIN,		RT2070),
153     RUN_DEV(ALLWIN,		RT2770),
154     RUN_DEV(ALLWIN,		RT2870),
155     RUN_DEV(ALLWIN,		RT3070),
156     RUN_DEV(ALLWIN,		RT3071),
157     RUN_DEV(ALLWIN,		RT3072),
158     RUN_DEV(ALLWIN,		RT3572),
159     RUN_DEV(AMIGO,		RT2870_1),
160     RUN_DEV(AMIGO,		RT2870_2),
161     RUN_DEV(AMIT,		CGWLUSB2GNR),
162     RUN_DEV(AMIT,		RT2870_1),
163     RUN_DEV(AMIT2,		RT2870),
164     RUN_DEV(ASUS,		RT2870_1),
165     RUN_DEV(ASUS,		RT2870_2),
166     RUN_DEV(ASUS,		RT2870_3),
167     RUN_DEV(ASUS,		RT2870_4),
168     RUN_DEV(ASUS,		RT2870_5),
169     RUN_DEV(ASUS,		USBN13),
170     RUN_DEV(ASUS,		RT3070_1),
171     RUN_DEV(ASUS,		USBN66),
172     RUN_DEV(ASUS,		USB_N53),
173     RUN_DEV(ASUS2,		USBN11),
174     RUN_DEV(AZUREWAVE,		RT2870_1),
175     RUN_DEV(AZUREWAVE,		RT2870_2),
176     RUN_DEV(AZUREWAVE,		RT3070_1),
177     RUN_DEV(AZUREWAVE,		RT3070_2),
178     RUN_DEV(AZUREWAVE,		RT3070_3),
179     RUN_DEV(BELKIN,		F9L1103),
180     RUN_DEV(BELKIN,		F5D8053V3),
181     RUN_DEV(BELKIN,		F5D8055),
182     RUN_DEV(BELKIN,		F5D8055V2),
183     RUN_DEV(BELKIN,		F6D4050V1),
184     RUN_DEV(BELKIN,		F6D4050V2),
185     RUN_DEV(BELKIN,		RT2870_1),
186     RUN_DEV(BELKIN,		RT2870_2),
187     RUN_DEV(CISCOLINKSYS,	AE1000),
188     RUN_DEV(CISCOLINKSYS2,	RT3070),
189     RUN_DEV(CISCOLINKSYS3,	RT3070),
190     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
191     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
192     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
193     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
194     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
195     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
196     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
197     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
198     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
199     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
200     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
201     RUN_DEV(COREGA,		CGWLUSB300GNM),
202     RUN_DEV(COREGA,		RT2870_1),
203     RUN_DEV(COREGA,		RT2870_2),
204     RUN_DEV(COREGA,		RT2870_3),
205     RUN_DEV(COREGA,		RT3070),
206     RUN_DEV(CYBERTAN,		RT2870),
207     RUN_DEV(DLINK,		RT2870),
208     RUN_DEV(DLINK,		RT3072),
209     RUN_DEV(DLINK,		DWA127),
210     RUN_DEV(DLINK,		DWA140B3),
211     RUN_DEV(DLINK,		DWA160B2),
212     RUN_DEV(DLINK,		DWA140D1),
213     RUN_DEV(DLINK,		DWA162),
214     RUN_DEV(DLINK2,		DWA130),
215     RUN_DEV(DLINK2,		RT2870_1),
216     RUN_DEV(DLINK2,		RT2870_2),
217     RUN_DEV(DLINK2,		RT3070_1),
218     RUN_DEV(DLINK2,		RT3070_2),
219     RUN_DEV(DLINK2,		RT3070_3),
220     RUN_DEV(DLINK2,		RT3070_4),
221     RUN_DEV(DLINK2,		RT3070_5),
222     RUN_DEV(DLINK2,		RT3072),
223     RUN_DEV(DLINK2,		RT3072_1),
224     RUN_DEV(EDIMAX,		EW7717),
225     RUN_DEV(EDIMAX,		EW7718),
226     RUN_DEV(EDIMAX,		EW7733UND),
227     RUN_DEV(EDIMAX,		RT2870_1),
228     RUN_DEV(ENCORE,		RT3070_1),
229     RUN_DEV(ENCORE,		RT3070_2),
230     RUN_DEV(ENCORE,		RT3070_3),
231     RUN_DEV(GIGABYTE,		GNWB31N),
232     RUN_DEV(GIGABYTE,		GNWB32L),
233     RUN_DEV(GIGABYTE,		RT2870_1),
234     RUN_DEV(GIGASET,		RT3070_1),
235     RUN_DEV(GIGASET,		RT3070_2),
236     RUN_DEV(GUILLEMOT,		HWNU300),
237     RUN_DEV(HAWKING,		HWUN2),
238     RUN_DEV(HAWKING,		RT2870_1),
239     RUN_DEV(HAWKING,		RT2870_2),
240     RUN_DEV(HAWKING,		RT3070),
241     RUN_DEV(IODATA,		RT3072_1),
242     RUN_DEV(IODATA,		RT3072_2),
243     RUN_DEV(IODATA,		RT3072_3),
244     RUN_DEV(IODATA,		RT3072_4),
245     RUN_DEV(LINKSYS4,		RT3070),
246     RUN_DEV(LINKSYS4,		WUSB100),
247     RUN_DEV(LINKSYS4,		WUSB54GCV3),
248     RUN_DEV(LINKSYS4,		WUSB600N),
249     RUN_DEV(LINKSYS4,		WUSB600NV2),
250     RUN_DEV(LOGITEC,		RT2870_1),
251     RUN_DEV(LOGITEC,		RT2870_2),
252     RUN_DEV(LOGITEC,		RT2870_3),
253     RUN_DEV(LOGITEC,		LANW300NU2),
254     RUN_DEV(LOGITEC,		LANW150NU2),
255     RUN_DEV(LOGITEC,		LANW300NU2S),
256     RUN_DEV(MELCO,		WLIUCG300HP),
257     RUN_DEV(MELCO,		RT2870_2),
258     RUN_DEV(MELCO,		WLIUCAG300N),
259     RUN_DEV(MELCO,		WLIUCG300N),
260     RUN_DEV(MELCO,		WLIUCG301N),
261     RUN_DEV(MELCO,		WLIUCGN),
262     RUN_DEV(MELCO,		WLIUCGNM),
263     RUN_DEV(MELCO,		WLIUCG300HPV1),
264     RUN_DEV(MELCO,		WLIUCGNM2),
265     RUN_DEV(MOTOROLA4,		RT2770),
266     RUN_DEV(MOTOROLA4,		RT3070),
267     RUN_DEV(MSI,		RT3070_1),
268     RUN_DEV(MSI,		RT3070_2),
269     RUN_DEV(MSI,		RT3070_3),
270     RUN_DEV(MSI,		RT3070_4),
271     RUN_DEV(MSI,		RT3070_5),
272     RUN_DEV(MSI,		RT3070_6),
273     RUN_DEV(MSI,		RT3070_7),
274     RUN_DEV(MSI,		RT3070_8),
275     RUN_DEV(MSI,		RT3070_9),
276     RUN_DEV(MSI,		RT3070_10),
277     RUN_DEV(MSI,		RT3070_11),
278     RUN_DEV(NETGEAR,		WNDA4100),
279     RUN_DEV(OVISLINK,		RT3072),
280     RUN_DEV(PARA,		RT3070),
281     RUN_DEV(PEGATRON,		RT2870),
282     RUN_DEV(PEGATRON,		RT3070),
283     RUN_DEV(PEGATRON,		RT3070_2),
284     RUN_DEV(PEGATRON,		RT3070_3),
285     RUN_DEV(PHILIPS,		RT2870),
286     RUN_DEV(PLANEX2,		GWUS300MINIS),
287     RUN_DEV(PLANEX2,		GWUSMICRON),
288     RUN_DEV(PLANEX2,		RT2870),
289     RUN_DEV(PLANEX2,		RT3070),
290     RUN_DEV(QCOM,		RT2870),
291     RUN_DEV(QUANTA,		RT3070),
292     RUN_DEV(RALINK,		RT2070),
293     RUN_DEV(RALINK,		RT2770),
294     RUN_DEV(RALINK,		RT2870),
295     RUN_DEV(RALINK,		RT3070),
296     RUN_DEV(RALINK,		RT3071),
297     RUN_DEV(RALINK,		RT3072),
298     RUN_DEV(RALINK,		RT3370),
299     RUN_DEV(RALINK,		RT3572),
300     RUN_DEV(RALINK,		RT3573),
301     RUN_DEV(RALINK,		RT5370),
302     RUN_DEV(RALINK,		RT5572),
303     RUN_DEV(RALINK,		RT8070),
304     RUN_DEV(SAMSUNG,		WIS09ABGN),
305     RUN_DEV(SAMSUNG2,		RT2870_1),
306     RUN_DEV(SENAO,		RT2870_1),
307     RUN_DEV(SENAO,		RT2870_2),
308     RUN_DEV(SENAO,		RT2870_3),
309     RUN_DEV(SENAO,		RT2870_4),
310     RUN_DEV(SENAO,		RT3070),
311     RUN_DEV(SENAO,		RT3071),
312     RUN_DEV(SENAO,		RT3072_1),
313     RUN_DEV(SENAO,		RT3072_2),
314     RUN_DEV(SENAO,		RT3072_3),
315     RUN_DEV(SENAO,		RT3072_4),
316     RUN_DEV(SENAO,		RT3072_5),
317     RUN_DEV(SITECOMEU,		RT2770),
318     RUN_DEV(SITECOMEU,		RT2870_1),
319     RUN_DEV(SITECOMEU,		RT2870_2),
320     RUN_DEV(SITECOMEU,		RT2870_3),
321     RUN_DEV(SITECOMEU,		RT2870_4),
322     RUN_DEV(SITECOMEU,		RT3070),
323     RUN_DEV(SITECOMEU,		RT3070_2),
324     RUN_DEV(SITECOMEU,		RT3070_3),
325     RUN_DEV(SITECOMEU,		RT3070_4),
326     RUN_DEV(SITECOMEU,		RT3071),
327     RUN_DEV(SITECOMEU,		RT3072_1),
328     RUN_DEV(SITECOMEU,		RT3072_2),
329     RUN_DEV(SITECOMEU,		RT3072_3),
330     RUN_DEV(SITECOMEU,		RT3072_4),
331     RUN_DEV(SITECOMEU,		RT3072_5),
332     RUN_DEV(SITECOMEU,		RT3072_6),
333     RUN_DEV(SITECOMEU,		WL608),
334     RUN_DEV(SPARKLAN,		RT2870_1),
335     RUN_DEV(SPARKLAN,		RT3070),
336     RUN_DEV(SWEEX2,		LW153),
337     RUN_DEV(SWEEX2,		LW303),
338     RUN_DEV(SWEEX2,		LW313),
339     RUN_DEV(TOSHIBA,		RT3070),
340     RUN_DEV(UMEDIA,		RT2870_1),
341     RUN_DEV(ZCOM,		RT2870_1),
342     RUN_DEV(ZCOM,		RT2870_2),
343     RUN_DEV(ZINWELL,		RT2870_1),
344     RUN_DEV(ZINWELL,		RT2870_2),
345     RUN_DEV(ZINWELL,		RT3070),
346     RUN_DEV(ZINWELL,		RT3072_1),
347     RUN_DEV(ZINWELL,		RT3072_2),
348     RUN_DEV(ZYXEL,		RT2870_1),
349     RUN_DEV(ZYXEL,		RT2870_2),
350     RUN_DEV(ZYXEL,		RT3070),
351     RUN_DEV_EJECT(ZYXEL,	NWD2705),
352     RUN_DEV_EJECT(RALINK,	RT_STOR),
353 #undef RUN_DEV_EJECT
354 #undef RUN_DEV
355 };
356 
357 static device_probe_t	run_match;
358 static device_attach_t	run_attach;
359 static device_detach_t	run_detach;
360 
361 static usb_callback_t	run_bulk_rx_callback;
362 static usb_callback_t	run_bulk_tx_callback0;
363 static usb_callback_t	run_bulk_tx_callback1;
364 static usb_callback_t	run_bulk_tx_callback2;
365 static usb_callback_t	run_bulk_tx_callback3;
366 static usb_callback_t	run_bulk_tx_callback4;
367 static usb_callback_t	run_bulk_tx_callback5;
368 
369 static void	run_autoinst(void *, struct usb_device *,
370 		    struct usb_attach_arg *);
371 static int	run_driver_loaded(struct module *, int, void *);
372 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
373 		    usb_error_t error, u_int index);
374 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
375 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
376 		    const uint8_t [IEEE80211_ADDR_LEN],
377 		    const uint8_t [IEEE80211_ADDR_LEN]);
378 static void	run_vap_delete(struct ieee80211vap *);
379 static void	run_cmdq_cb(void *, int);
380 static void	run_setup_tx_list(struct run_softc *,
381 		    struct run_endpoint_queue *);
382 static void	run_unsetup_tx_list(struct run_softc *,
383 		    struct run_endpoint_queue *);
384 static int	run_load_microcode(struct run_softc *);
385 static int	run_reset(struct run_softc *);
386 static usb_error_t run_do_request(struct run_softc *,
387 		    struct usb_device_request *, void *);
388 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
389 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
390 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
391 static int	run_write(struct run_softc *, uint16_t, uint32_t);
392 static int	run_write_region_1(struct run_softc *, uint16_t,
393 		    const uint8_t *, int);
394 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
395 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
396 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
397 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
398 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
399 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
400 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
401 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
402 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
403 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
404 static const char *run_get_rf(uint16_t);
405 static void	run_rt3593_get_txpower(struct run_softc *);
406 static void	run_get_txpower(struct run_softc *);
407 static int	run_read_eeprom(struct run_softc *);
408 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
409 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
410 static int	run_media_change(struct ifnet *);
411 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
412 static int	run_wme_update(struct ieee80211com *);
413 static void	run_key_set_cb(void *);
414 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *);
415 static void	run_key_delete_cb(void *);
416 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
417 static void	run_ratectl_to(void *);
418 static void	run_ratectl_cb(void *, int);
419 static void	run_drain_fifo(void *);
420 static void	run_iter_func(void *, struct ieee80211_node *);
421 static void	run_newassoc_cb(void *);
422 static void	run_newassoc(struct ieee80211_node *, int);
423 static void	run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
424 		    const struct ieee80211_rx_stats *, int, int);
425 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
426 static void	run_tx_free(struct run_endpoint_queue *pq,
427 		    struct run_tx_data *, int);
428 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
429 static int	run_tx(struct run_softc *, struct mbuf *,
430 		    struct ieee80211_node *);
431 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
432 		    struct ieee80211_node *);
433 static int	run_sendprot(struct run_softc *, const struct mbuf *,
434 		    struct ieee80211_node *, int, int);
435 static int	run_tx_param(struct run_softc *, struct mbuf *,
436 		    struct ieee80211_node *,
437 		    const struct ieee80211_bpf_params *);
438 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
439 		    const struct ieee80211_bpf_params *);
440 static int	run_transmit(struct ieee80211com *, struct mbuf *);
441 static void	run_start(struct run_softc *);
442 static void	run_parent(struct ieee80211com *);
443 static void	run_iq_calib(struct run_softc *, u_int);
444 static void	run_set_agc(struct run_softc *, uint8_t);
445 static void	run_select_chan_group(struct run_softc *, int);
446 static void	run_set_rx_antenna(struct run_softc *, int);
447 static void	run_rt2870_set_chan(struct run_softc *, u_int);
448 static void	run_rt3070_set_chan(struct run_softc *, u_int);
449 static void	run_rt3572_set_chan(struct run_softc *, u_int);
450 static void	run_rt3593_set_chan(struct run_softc *, u_int);
451 static void	run_rt5390_set_chan(struct run_softc *, u_int);
452 static void	run_rt5592_set_chan(struct run_softc *, u_int);
453 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
454 static void	run_set_channel(struct ieee80211com *);
455 static void	run_getradiocaps(struct ieee80211com *, int, int *,
456 		    struct ieee80211_channel[]);
457 static void	run_scan_start(struct ieee80211com *);
458 static void	run_scan_end(struct ieee80211com *);
459 static void	run_update_beacon(struct ieee80211vap *, int);
460 static void	run_update_beacon_cb(void *);
461 static void	run_updateprot(struct ieee80211com *);
462 static void	run_updateprot_cb(void *);
463 static void	run_usb_timeout_cb(void *);
464 static void	run_reset_livelock(struct run_softc *);
465 static void	run_enable_tsf_sync(struct run_softc *);
466 static void	run_enable_tsf(struct run_softc *);
467 static void	run_get_tsf(struct run_softc *, uint64_t *);
468 static void	run_enable_mrr(struct run_softc *);
469 static void	run_set_txpreamble(struct run_softc *);
470 static void	run_set_basicrates(struct run_softc *);
471 static void	run_set_leds(struct run_softc *, uint16_t);
472 static void	run_set_bssid(struct run_softc *, const uint8_t *);
473 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
474 static void	run_updateslot(struct ieee80211com *);
475 static void	run_updateslot_cb(void *);
476 static void	run_update_mcast(struct ieee80211com *);
477 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
478 static void	run_update_promisc_locked(struct run_softc *);
479 static void	run_update_promisc(struct ieee80211com *);
480 static void	run_rt5390_bbp_init(struct run_softc *);
481 static int	run_bbp_init(struct run_softc *);
482 static int	run_rt3070_rf_init(struct run_softc *);
483 static void	run_rt3593_rf_init(struct run_softc *);
484 static void	run_rt5390_rf_init(struct run_softc *);
485 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
486 		    uint8_t *);
487 static void	run_rt3070_rf_setup(struct run_softc *);
488 static void	run_rt3593_rf_setup(struct run_softc *);
489 static void	run_rt5390_rf_setup(struct run_softc *);
490 static int	run_txrx_enable(struct run_softc *);
491 static void	run_adjust_freq_offset(struct run_softc *);
492 static void	run_init_locked(struct run_softc *);
493 static void	run_stop(void *);
494 static void	run_delay(struct run_softc *, u_int);
495 
496 static eventhandler_tag run_etag;
497 
498 static const struct rt2860_rate {
499 	uint8_t		rate;
500 	uint8_t		mcs;
501 	enum		ieee80211_phytype phy;
502 	uint8_t		ctl_ridx;
503 	uint16_t	sp_ack_dur;
504 	uint16_t	lp_ack_dur;
505 } rt2860_rates[] = {
506 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
507 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
508 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
509 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
510 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
511 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
512 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
513 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
514 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
515 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
516 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
517 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
518 };
519 
520 static const struct {
521 	uint16_t	reg;
522 	uint32_t	val;
523 } rt2870_def_mac[] = {
524 	RT2870_DEF_MAC
525 };
526 
527 static const struct {
528 	uint8_t	reg;
529 	uint8_t	val;
530 } rt2860_def_bbp[] = {
531 	RT2860_DEF_BBP
532 },rt5390_def_bbp[] = {
533 	RT5390_DEF_BBP
534 },rt5592_def_bbp[] = {
535 	RT5592_DEF_BBP
536 };
537 
538 /*
539  * Default values for BBP register R196 for RT5592.
540  */
541 static const uint8_t rt5592_bbp_r196[] = {
542 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
543 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
544 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
545 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
546 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
547 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
548 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
549 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
550 	0x2e, 0x36, 0x30, 0x6e
551 };
552 
553 static const struct rfprog {
554 	uint8_t		chan;
555 	uint32_t	r1, r2, r3, r4;
556 } rt2860_rf2850[] = {
557 	RT2860_RF2850
558 };
559 
560 struct {
561 	uint8_t	n, r, k;
562 } rt3070_freqs[] = {
563 	RT3070_RF3052
564 };
565 
566 static const struct rt5592_freqs {
567 	uint16_t	n;
568 	uint8_t		k, m, r;
569 } rt5592_freqs_20mhz[] = {
570 	RT5592_RF5592_20MHZ
571 },rt5592_freqs_40mhz[] = {
572 	RT5592_RF5592_40MHZ
573 };
574 
575 static const struct {
576 	uint8_t	reg;
577 	uint8_t	val;
578 } rt3070_def_rf[] = {
579 	RT3070_DEF_RF
580 },rt3572_def_rf[] = {
581 	RT3572_DEF_RF
582 },rt3593_def_rf[] = {
583 	RT3593_DEF_RF
584 },rt5390_def_rf[] = {
585 	RT5390_DEF_RF
586 },rt5392_def_rf[] = {
587 	RT5392_DEF_RF
588 },rt5592_def_rf[] = {
589 	RT5592_DEF_RF
590 },rt5592_2ghz_def_rf[] = {
591 	RT5592_2GHZ_DEF_RF
592 },rt5592_5ghz_def_rf[] = {
593 	RT5592_5GHZ_DEF_RF
594 };
595 
596 static const struct {
597 	u_int	firstchan;
598 	u_int	lastchan;
599 	uint8_t	reg;
600 	uint8_t	val;
601 } rt5592_chan_5ghz[] = {
602 	RT5592_CHAN_5GHZ
603 };
604 
605 static const struct usb_config run_config[RUN_N_XFER] = {
606     [RUN_BULK_TX_BE] = {
607 	.type = UE_BULK,
608 	.endpoint = UE_ADDR_ANY,
609 	.ep_index = 0,
610 	.direction = UE_DIR_OUT,
611 	.bufsize = RUN_MAX_TXSZ,
612 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
613 	.callback = run_bulk_tx_callback0,
614 	.timeout = 5000,	/* ms */
615     },
616     [RUN_BULK_TX_BK] = {
617 	.type = UE_BULK,
618 	.endpoint = UE_ADDR_ANY,
619 	.direction = UE_DIR_OUT,
620 	.ep_index = 1,
621 	.bufsize = RUN_MAX_TXSZ,
622 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
623 	.callback = run_bulk_tx_callback1,
624 	.timeout = 5000,	/* ms */
625     },
626     [RUN_BULK_TX_VI] = {
627 	.type = UE_BULK,
628 	.endpoint = UE_ADDR_ANY,
629 	.direction = UE_DIR_OUT,
630 	.ep_index = 2,
631 	.bufsize = RUN_MAX_TXSZ,
632 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
633 	.callback = run_bulk_tx_callback2,
634 	.timeout = 5000,	/* ms */
635     },
636     [RUN_BULK_TX_VO] = {
637 	.type = UE_BULK,
638 	.endpoint = UE_ADDR_ANY,
639 	.direction = UE_DIR_OUT,
640 	.ep_index = 3,
641 	.bufsize = RUN_MAX_TXSZ,
642 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
643 	.callback = run_bulk_tx_callback3,
644 	.timeout = 5000,	/* ms */
645     },
646     [RUN_BULK_TX_HCCA] = {
647 	.type = UE_BULK,
648 	.endpoint = UE_ADDR_ANY,
649 	.direction = UE_DIR_OUT,
650 	.ep_index = 4,
651 	.bufsize = RUN_MAX_TXSZ,
652 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
653 	.callback = run_bulk_tx_callback4,
654 	.timeout = 5000,	/* ms */
655     },
656     [RUN_BULK_TX_PRIO] = {
657 	.type = UE_BULK,
658 	.endpoint = UE_ADDR_ANY,
659 	.direction = UE_DIR_OUT,
660 	.ep_index = 5,
661 	.bufsize = RUN_MAX_TXSZ,
662 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
663 	.callback = run_bulk_tx_callback5,
664 	.timeout = 5000,	/* ms */
665     },
666     [RUN_BULK_RX] = {
667 	.type = UE_BULK,
668 	.endpoint = UE_ADDR_ANY,
669 	.direction = UE_DIR_IN,
670 	.bufsize = RUN_MAX_RXSZ,
671 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
672 	.callback = run_bulk_rx_callback,
673     }
674 };
675 
676 static void
677 run_autoinst(void *arg, struct usb_device *udev,
678     struct usb_attach_arg *uaa)
679 {
680 	struct usb_interface *iface;
681 	struct usb_interface_descriptor *id;
682 
683 	if (uaa->dev_state != UAA_DEV_READY)
684 		return;
685 
686 	iface = usbd_get_iface(udev, 0);
687 	if (iface == NULL)
688 		return;
689 	id = iface->idesc;
690 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
691 		return;
692 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
693 		return;
694 
695 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
696 		uaa->dev_state = UAA_DEV_EJECTING;
697 }
698 
699 static int
700 run_driver_loaded(struct module *mod, int what, void *arg)
701 {
702 	switch (what) {
703 	case MOD_LOAD:
704 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
705 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
706 		break;
707 	case MOD_UNLOAD:
708 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
709 		break;
710 	default:
711 		return (EOPNOTSUPP);
712 	}
713 	return (0);
714 }
715 
716 static int
717 run_match(device_t self)
718 {
719 	struct usb_attach_arg *uaa = device_get_ivars(self);
720 
721 	if (uaa->usb_mode != USB_MODE_HOST)
722 		return (ENXIO);
723 	if (uaa->info.bConfigIndex != 0)
724 		return (ENXIO);
725 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
726 		return (ENXIO);
727 
728 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
729 }
730 
731 static int
732 run_attach(device_t self)
733 {
734 	struct run_softc *sc = device_get_softc(self);
735 	struct usb_attach_arg *uaa = device_get_ivars(self);
736 	struct ieee80211com *ic = &sc->sc_ic;
737 	uint32_t ver;
738 	uint8_t iface_index;
739 	int ntries, error;
740 
741 	device_set_usb_desc(self);
742 	sc->sc_udev = uaa->device;
743 	sc->sc_dev = self;
744 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
745 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
746 
747 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
748 	    MTX_NETWORK_LOCK, MTX_DEF);
749 	mbufq_init(&sc->sc_snd, ifqmaxlen);
750 
751 	iface_index = RT2860_IFACE_INDEX;
752 
753 	error = usbd_transfer_setup(uaa->device, &iface_index,
754 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
755 	if (error) {
756 		device_printf(self, "could not allocate USB transfers, "
757 		    "err=%s\n", usbd_errstr(error));
758 		goto detach;
759 	}
760 
761 	RUN_LOCK(sc);
762 
763 	/* wait for the chip to settle */
764 	for (ntries = 0; ntries < 100; ntries++) {
765 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
766 			RUN_UNLOCK(sc);
767 			goto detach;
768 		}
769 		if (ver != 0 && ver != 0xffffffff)
770 			break;
771 		run_delay(sc, 10);
772 	}
773 	if (ntries == 100) {
774 		device_printf(sc->sc_dev,
775 		    "timeout waiting for NIC to initialize\n");
776 		RUN_UNLOCK(sc);
777 		goto detach;
778 	}
779 	sc->mac_ver = ver >> 16;
780 	sc->mac_rev = ver & 0xffff;
781 
782 	/* retrieve RF rev. no and various other things from EEPROM */
783 	run_read_eeprom(sc);
784 
785 	device_printf(sc->sc_dev,
786 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
787 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
788 	    sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
789 
790 	RUN_UNLOCK(sc);
791 
792 	ic->ic_softc = sc;
793 	ic->ic_name = device_get_nameunit(self);
794 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
795 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
796 
797 	/* set device capabilities */
798 	ic->ic_caps =
799 	    IEEE80211_C_STA |		/* station mode supported */
800 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
801 	    IEEE80211_C_IBSS |
802 	    IEEE80211_C_HOSTAP |
803 	    IEEE80211_C_WDS |		/* 4-address traffic works */
804 	    IEEE80211_C_MBSS |
805 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
806 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
807 	    IEEE80211_C_WME |		/* WME */
808 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
809 
810 	ic->ic_cryptocaps =
811 	    IEEE80211_CRYPTO_WEP |
812 	    IEEE80211_CRYPTO_AES_CCM |
813 	    IEEE80211_CRYPTO_TKIPMIC |
814 	    IEEE80211_CRYPTO_TKIP;
815 
816 	ic->ic_flags |= IEEE80211_F_DATAPAD;
817 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
818 
819 	run_getradiocaps(ic, IEEE80211_CHAN_MAX, &ic->ic_nchans,
820 	    ic->ic_channels);
821 
822 	ieee80211_ifattach(ic);
823 
824 	ic->ic_scan_start = run_scan_start;
825 	ic->ic_scan_end = run_scan_end;
826 	ic->ic_set_channel = run_set_channel;
827 	ic->ic_getradiocaps = run_getradiocaps;
828 	ic->ic_node_alloc = run_node_alloc;
829 	ic->ic_newassoc = run_newassoc;
830 	ic->ic_updateslot = run_updateslot;
831 	ic->ic_update_mcast = run_update_mcast;
832 	ic->ic_wme.wme_update = run_wme_update;
833 	ic->ic_raw_xmit = run_raw_xmit;
834 	ic->ic_update_promisc = run_update_promisc;
835 	ic->ic_vap_create = run_vap_create;
836 	ic->ic_vap_delete = run_vap_delete;
837 	ic->ic_transmit = run_transmit;
838 	ic->ic_parent = run_parent;
839 
840 	ieee80211_radiotap_attach(ic,
841 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
842 		RUN_TX_RADIOTAP_PRESENT,
843 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
844 		RUN_RX_RADIOTAP_PRESENT);
845 
846 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
847 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
848 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
849 
850 	if (bootverbose)
851 		ieee80211_announce(ic);
852 
853 	return (0);
854 
855 detach:
856 	run_detach(self);
857 	return (ENXIO);
858 }
859 
860 static void
861 run_drain_mbufq(struct run_softc *sc)
862 {
863 	struct mbuf *m;
864 	struct ieee80211_node *ni;
865 
866 	RUN_LOCK_ASSERT(sc, MA_OWNED);
867 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
868 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
869 		m->m_pkthdr.rcvif = NULL;
870 		ieee80211_free_node(ni);
871 		m_freem(m);
872 	}
873 }
874 
875 static int
876 run_detach(device_t self)
877 {
878 	struct run_softc *sc = device_get_softc(self);
879 	struct ieee80211com *ic = &sc->sc_ic;
880 	int i;
881 
882 	RUN_LOCK(sc);
883 	sc->sc_detached = 1;
884 	RUN_UNLOCK(sc);
885 
886 	/* stop all USB transfers */
887 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
888 
889 	RUN_LOCK(sc);
890 	sc->ratectl_run = RUN_RATECTL_OFF;
891 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
892 
893 	/* free TX list, if any */
894 	for (i = 0; i != RUN_EP_QUEUES; i++)
895 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
896 
897 	/* Free TX queue */
898 	run_drain_mbufq(sc);
899 	RUN_UNLOCK(sc);
900 
901 	if (sc->sc_ic.ic_softc == sc) {
902 		/* drain tasks */
903 		usb_callout_drain(&sc->ratectl_ch);
904 		ieee80211_draintask(ic, &sc->cmdq_task);
905 		ieee80211_draintask(ic, &sc->ratectl_task);
906 		ieee80211_ifdetach(ic);
907 	}
908 
909 	mtx_destroy(&sc->sc_mtx);
910 
911 	return (0);
912 }
913 
914 static struct ieee80211vap *
915 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
916     enum ieee80211_opmode opmode, int flags,
917     const uint8_t bssid[IEEE80211_ADDR_LEN],
918     const uint8_t mac[IEEE80211_ADDR_LEN])
919 {
920 	struct run_softc *sc = ic->ic_softc;
921 	struct run_vap *rvp;
922 	struct ieee80211vap *vap;
923 	int i;
924 
925 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
926 		device_printf(sc->sc_dev, "number of VAPs maxed out\n");
927 		return (NULL);
928 	}
929 
930 	switch (opmode) {
931 	case IEEE80211_M_STA:
932 		/* enable s/w bmiss handling for sta mode */
933 		flags |= IEEE80211_CLONE_NOBEACONS;
934 		/* fall though */
935 	case IEEE80211_M_IBSS:
936 	case IEEE80211_M_MONITOR:
937 	case IEEE80211_M_HOSTAP:
938 	case IEEE80211_M_MBSS:
939 		/* other than WDS vaps, only one at a time */
940 		if (!TAILQ_EMPTY(&ic->ic_vaps))
941 			return (NULL);
942 		break;
943 	case IEEE80211_M_WDS:
944 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
945 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
946 				continue;
947 			/* WDS vap's always share the local mac address. */
948 			flags &= ~IEEE80211_CLONE_BSSID;
949 			break;
950 		}
951 		if (vap == NULL) {
952 			device_printf(sc->sc_dev,
953 			    "wds only supported in ap mode\n");
954 			return (NULL);
955 		}
956 		break;
957 	default:
958 		device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
959 		return (NULL);
960 	}
961 
962 	rvp = malloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
963 	vap = &rvp->vap;
964 
965 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
966 	    bssid) != 0) {
967 		/* out of memory */
968 		free(rvp, M_80211_VAP);
969 		return (NULL);
970 	}
971 
972 	vap->iv_update_beacon = run_update_beacon;
973 	vap->iv_max_aid = RT2870_WCID_MAX;
974 	/*
975 	 * To delete the right key from h/w, we need wcid.
976 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
977 	 * and matching wcid will be written into there. So, cast
978 	 * some spells to remove 'const' from ieee80211_key{}
979 	 */
980 	vap->iv_key_delete = (void *)run_key_delete;
981 	vap->iv_key_set = (void *)run_key_set;
982 
983 	/* override state transition machine */
984 	rvp->newstate = vap->iv_newstate;
985 	vap->iv_newstate = run_newstate;
986 	if (opmode == IEEE80211_M_IBSS) {
987 		rvp->recv_mgmt = vap->iv_recv_mgmt;
988 		vap->iv_recv_mgmt = run_recv_mgmt;
989 	}
990 
991 	ieee80211_ratectl_init(vap);
992 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
993 
994 	/* complete setup */
995 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
996 	    mac);
997 
998 	/* make sure id is always unique */
999 	for (i = 0; i < RUN_VAP_MAX; i++) {
1000 		if((sc->rvp_bmap & 1 << i) == 0){
1001 			sc->rvp_bmap |= 1 << i;
1002 			rvp->rvp_id = i;
1003 			break;
1004 		}
1005 	}
1006 	if (sc->rvp_cnt++ == 0)
1007 		ic->ic_opmode = opmode;
1008 
1009 	if (opmode == IEEE80211_M_HOSTAP)
1010 		sc->cmdq_run = RUN_CMDQ_GO;
1011 
1012 	RUN_DPRINTF(sc, RUN_DEBUG_STATE, "rvp_id=%d bmap=%x rvp_cnt=%d\n",
1013 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1014 
1015 	return (vap);
1016 }
1017 
1018 static void
1019 run_vap_delete(struct ieee80211vap *vap)
1020 {
1021 	struct run_vap *rvp = RUN_VAP(vap);
1022 	struct ieee80211com *ic;
1023 	struct run_softc *sc;
1024 	uint8_t rvp_id;
1025 
1026 	if (vap == NULL)
1027 		return;
1028 
1029 	ic = vap->iv_ic;
1030 	sc = ic->ic_softc;
1031 
1032 	RUN_LOCK(sc);
1033 
1034 	m_freem(rvp->beacon_mbuf);
1035 	rvp->beacon_mbuf = NULL;
1036 
1037 	rvp_id = rvp->rvp_id;
1038 	sc->ratectl_run &= ~(1 << rvp_id);
1039 	sc->rvp_bmap &= ~(1 << rvp_id);
1040 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1041 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1042 	--sc->rvp_cnt;
1043 
1044 	RUN_DPRINTF(sc, RUN_DEBUG_STATE,
1045 	    "vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1046 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1047 
1048 	RUN_UNLOCK(sc);
1049 
1050 	ieee80211_ratectl_deinit(vap);
1051 	ieee80211_vap_detach(vap);
1052 	free(rvp, M_80211_VAP);
1053 }
1054 
1055 /*
1056  * There are numbers of functions need to be called in context thread.
1057  * Rather than creating taskqueue event for each of those functions,
1058  * here is all-for-one taskqueue callback function. This function
1059  * guarantees deferred functions are executed in the same order they
1060  * were enqueued.
1061  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1062  */
1063 static void
1064 run_cmdq_cb(void *arg, int pending)
1065 {
1066 	struct run_softc *sc = arg;
1067 	uint8_t i;
1068 
1069 	/* call cmdq[].func locked */
1070 	RUN_LOCK(sc);
1071 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1072 	    i = sc->cmdq_exec, pending--) {
1073 		RUN_DPRINTF(sc, RUN_DEBUG_CMD, "cmdq_exec=%d pending=%d\n",
1074 		    i, pending);
1075 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1076 			/*
1077 			 * If arg0 is NULL, callback func needs more
1078 			 * than one arg. So, pass ptr to cmdq struct.
1079 			 */
1080 			if (sc->cmdq[i].arg0)
1081 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1082 			else
1083 				sc->cmdq[i].func(&sc->cmdq[i]);
1084 		}
1085 		sc->cmdq[i].arg0 = NULL;
1086 		sc->cmdq[i].func = NULL;
1087 		sc->cmdq_exec++;
1088 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1089 	}
1090 	RUN_UNLOCK(sc);
1091 }
1092 
1093 static void
1094 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1095 {
1096 	struct run_tx_data *data;
1097 
1098 	memset(pq, 0, sizeof(*pq));
1099 
1100 	STAILQ_INIT(&pq->tx_qh);
1101 	STAILQ_INIT(&pq->tx_fh);
1102 
1103 	for (data = &pq->tx_data[0];
1104 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1105 		data->sc = sc;
1106 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1107 	}
1108 	pq->tx_nfree = RUN_TX_RING_COUNT;
1109 }
1110 
1111 static void
1112 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1113 {
1114 	struct run_tx_data *data;
1115 
1116 	/* make sure any subsequent use of the queues will fail */
1117 	pq->tx_nfree = 0;
1118 	STAILQ_INIT(&pq->tx_fh);
1119 	STAILQ_INIT(&pq->tx_qh);
1120 
1121 	/* free up all node references and mbufs */
1122 	for (data = &pq->tx_data[0];
1123 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1124 		if (data->m != NULL) {
1125 			m_freem(data->m);
1126 			data->m = NULL;
1127 		}
1128 		if (data->ni != NULL) {
1129 			ieee80211_free_node(data->ni);
1130 			data->ni = NULL;
1131 		}
1132 	}
1133 }
1134 
1135 static int
1136 run_load_microcode(struct run_softc *sc)
1137 {
1138 	usb_device_request_t req;
1139 	const struct firmware *fw;
1140 	const u_char *base;
1141 	uint32_t tmp;
1142 	int ntries, error;
1143 	const uint64_t *temp;
1144 	uint64_t bytes;
1145 
1146 	RUN_UNLOCK(sc);
1147 	fw = firmware_get("runfw");
1148 	RUN_LOCK(sc);
1149 	if (fw == NULL) {
1150 		device_printf(sc->sc_dev,
1151 		    "failed loadfirmware of file %s\n", "runfw");
1152 		return ENOENT;
1153 	}
1154 
1155 	if (fw->datasize != 8192) {
1156 		device_printf(sc->sc_dev,
1157 		    "invalid firmware size (should be 8KB)\n");
1158 		error = EINVAL;
1159 		goto fail;
1160 	}
1161 
1162 	/*
1163 	 * RT3071/RT3072 use a different firmware
1164 	 * run-rt2870 (8KB) contains both,
1165 	 * first half (4KB) is for rt2870,
1166 	 * last half is for rt3071.
1167 	 */
1168 	base = fw->data;
1169 	if ((sc->mac_ver) != 0x2860 &&
1170 	    (sc->mac_ver) != 0x2872 &&
1171 	    (sc->mac_ver) != 0x3070) {
1172 		base += 4096;
1173 	}
1174 
1175 	/* cheap sanity check */
1176 	temp = fw->data;
1177 	bytes = *temp;
1178 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1179 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1180 		error = EINVAL;
1181 		goto fail;
1182 	}
1183 
1184 	/* write microcode image */
1185 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1186 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1187 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1188 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1189 	}
1190 
1191 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1192 	req.bRequest = RT2870_RESET;
1193 	USETW(req.wValue, 8);
1194 	USETW(req.wIndex, 0);
1195 	USETW(req.wLength, 0);
1196 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1197 	    != 0) {
1198 		device_printf(sc->sc_dev, "firmware reset failed\n");
1199 		goto fail;
1200 	}
1201 
1202 	run_delay(sc, 10);
1203 
1204 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1205 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1206 	run_write(sc, RT2860_H2M_INTSRC, 0);
1207 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1208 		goto fail;
1209 
1210 	/* wait until microcontroller is ready */
1211 	for (ntries = 0; ntries < 1000; ntries++) {
1212 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1213 			goto fail;
1214 		if (tmp & RT2860_MCU_READY)
1215 			break;
1216 		run_delay(sc, 10);
1217 	}
1218 	if (ntries == 1000) {
1219 		device_printf(sc->sc_dev,
1220 		    "timeout waiting for MCU to initialize\n");
1221 		error = ETIMEDOUT;
1222 		goto fail;
1223 	}
1224 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1225 	    (base == fw->data) ? "RT2870" : "RT3071",
1226 	    *(base + 4092), *(base + 4093));
1227 
1228 fail:
1229 	firmware_put(fw, FIRMWARE_UNLOAD);
1230 	return (error);
1231 }
1232 
1233 static int
1234 run_reset(struct run_softc *sc)
1235 {
1236 	usb_device_request_t req;
1237 
1238 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1239 	req.bRequest = RT2870_RESET;
1240 	USETW(req.wValue, 1);
1241 	USETW(req.wIndex, 0);
1242 	USETW(req.wLength, 0);
1243 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1244 }
1245 
1246 static usb_error_t
1247 run_do_request(struct run_softc *sc,
1248     struct usb_device_request *req, void *data)
1249 {
1250 	usb_error_t err;
1251 	int ntries = 10;
1252 
1253 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1254 
1255 	while (ntries--) {
1256 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1257 		    req, data, 0, NULL, 250 /* ms */);
1258 		if (err == 0)
1259 			break;
1260 		RUN_DPRINTF(sc, RUN_DEBUG_USB,
1261 		    "Control request failed, %s (retrying)\n",
1262 		    usbd_errstr(err));
1263 		run_delay(sc, 10);
1264 	}
1265 	return (err);
1266 }
1267 
1268 static int
1269 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1270 {
1271 	uint32_t tmp;
1272 	int error;
1273 
1274 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1275 	if (error == 0)
1276 		*val = le32toh(tmp);
1277 	else
1278 		*val = 0xffffffff;
1279 	return (error);
1280 }
1281 
1282 static int
1283 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1284 {
1285 	usb_device_request_t req;
1286 
1287 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1288 	req.bRequest = RT2870_READ_REGION_1;
1289 	USETW(req.wValue, 0);
1290 	USETW(req.wIndex, reg);
1291 	USETW(req.wLength, len);
1292 
1293 	return (run_do_request(sc, &req, buf));
1294 }
1295 
1296 static int
1297 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1298 {
1299 	usb_device_request_t req;
1300 
1301 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1302 	req.bRequest = RT2870_WRITE_2;
1303 	USETW(req.wValue, val);
1304 	USETW(req.wIndex, reg);
1305 	USETW(req.wLength, 0);
1306 
1307 	return (run_do_request(sc, &req, NULL));
1308 }
1309 
1310 static int
1311 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1312 {
1313 	int error;
1314 
1315 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1316 		error = run_write_2(sc, reg + 2, val >> 16);
1317 	return (error);
1318 }
1319 
1320 static int
1321 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1322     int len)
1323 {
1324 #if 1
1325 	int i, error = 0;
1326 	/*
1327 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1328 	 * We thus issue multiple WRITE_2 commands instead.
1329 	 */
1330 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1331 	for (i = 0; i < len && error == 0; i += 2)
1332 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1333 	return (error);
1334 #else
1335 	usb_device_request_t req;
1336 	int error = 0;
1337 
1338 	/*
1339 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1340 	 * passed a huge amount of data, which will crash the
1341 	 * firmware. Limit amount of data passed to 64-bytes at a
1342 	 * time.
1343 	 */
1344 	while (len > 0) {
1345 		int delta = 64;
1346 		if (delta > len)
1347 			delta = len;
1348 
1349 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1350 		req.bRequest = RT2870_WRITE_REGION_1;
1351 		USETW(req.wValue, 0);
1352 		USETW(req.wIndex, reg);
1353 		USETW(req.wLength, delta);
1354 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1355 		if (error != 0)
1356 			break;
1357 		reg += delta;
1358 		buf += delta;
1359 		len -= delta;
1360 	}
1361 	return (error);
1362 #endif
1363 }
1364 
1365 static int
1366 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1367 {
1368 	int i, error = 0;
1369 
1370 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1371 	for (i = 0; i < len && error == 0; i += 4)
1372 		error = run_write(sc, reg + i, val);
1373 	return (error);
1374 }
1375 
1376 static int
1377 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1378 {
1379 	uint32_t tmp;
1380 	uint16_t reg;
1381 	int error, ntries;
1382 
1383 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1384 		return (error);
1385 
1386 	if (count == 2)
1387 		addr *= 2;
1388 	/*-
1389 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1390 	 * DATA0: F E D C
1391 	 * DATA1: B A 9 8
1392 	 * DATA2: 7 6 5 4
1393 	 * DATA3: 3 2 1 0
1394 	 */
1395 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1396 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1397 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1398 	for (ntries = 0; ntries < 100; ntries++) {
1399 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1400 			return (error);
1401 		if (!(tmp & RT3070_EFSROM_KICK))
1402 			break;
1403 		run_delay(sc, 2);
1404 	}
1405 	if (ntries == 100)
1406 		return (ETIMEDOUT);
1407 
1408 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1409 		*val = 0xffff;	/* address not found */
1410 		return (0);
1411 	}
1412 	/* determine to which 32-bit register our 16-bit word belongs */
1413 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1414 	if ((error = run_read(sc, reg, &tmp)) != 0)
1415 		return (error);
1416 
1417 	tmp >>= (8 * (addr & 0x3));
1418 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1419 
1420 	return (0);
1421 }
1422 
1423 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1424 static int
1425 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1426 {
1427 	return (run_efuse_read(sc, addr, val, 2));
1428 }
1429 
1430 static int
1431 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1432 {
1433 	usb_device_request_t req;
1434 	uint16_t tmp;
1435 	int error;
1436 
1437 	addr *= 2;
1438 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1439 	req.bRequest = RT2870_EEPROM_READ;
1440 	USETW(req.wValue, 0);
1441 	USETW(req.wIndex, addr);
1442 	USETW(req.wLength, sizeof(tmp));
1443 
1444 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1445 	if (error == 0)
1446 		*val = le16toh(tmp);
1447 	else
1448 		*val = 0xffff;
1449 	return (error);
1450 }
1451 
1452 static __inline int
1453 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1454 {
1455 	/* either eFUSE ROM or EEPROM */
1456 	return sc->sc_srom_read(sc, addr, val);
1457 }
1458 
1459 static int
1460 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1461 {
1462 	uint32_t tmp;
1463 	int error, ntries;
1464 
1465 	for (ntries = 0; ntries < 10; ntries++) {
1466 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1467 			return (error);
1468 		if (!(tmp & RT2860_RF_REG_CTRL))
1469 			break;
1470 	}
1471 	if (ntries == 10)
1472 		return (ETIMEDOUT);
1473 
1474 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1475 }
1476 
1477 static int
1478 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1479 {
1480 	uint32_t tmp;
1481 	int error, ntries;
1482 
1483 	for (ntries = 0; ntries < 100; ntries++) {
1484 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1485 			return (error);
1486 		if (!(tmp & RT3070_RF_KICK))
1487 			break;
1488 	}
1489 	if (ntries == 100)
1490 		return (ETIMEDOUT);
1491 
1492 	tmp = RT3070_RF_KICK | reg << 8;
1493 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1494 		return (error);
1495 
1496 	for (ntries = 0; ntries < 100; ntries++) {
1497 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1498 			return (error);
1499 		if (!(tmp & RT3070_RF_KICK))
1500 			break;
1501 	}
1502 	if (ntries == 100)
1503 		return (ETIMEDOUT);
1504 
1505 	*val = tmp & 0xff;
1506 	return (0);
1507 }
1508 
1509 static int
1510 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1511 {
1512 	uint32_t tmp;
1513 	int error, ntries;
1514 
1515 	for (ntries = 0; ntries < 10; ntries++) {
1516 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1517 			return (error);
1518 		if (!(tmp & RT3070_RF_KICK))
1519 			break;
1520 	}
1521 	if (ntries == 10)
1522 		return (ETIMEDOUT);
1523 
1524 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1525 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1526 }
1527 
1528 static int
1529 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1530 {
1531 	uint32_t tmp;
1532 	int ntries, error;
1533 
1534 	for (ntries = 0; ntries < 10; ntries++) {
1535 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1536 			return (error);
1537 		if (!(tmp & RT2860_BBP_CSR_KICK))
1538 			break;
1539 	}
1540 	if (ntries == 10)
1541 		return (ETIMEDOUT);
1542 
1543 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1544 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1545 		return (error);
1546 
1547 	for (ntries = 0; ntries < 10; ntries++) {
1548 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1549 			return (error);
1550 		if (!(tmp & RT2860_BBP_CSR_KICK))
1551 			break;
1552 	}
1553 	if (ntries == 10)
1554 		return (ETIMEDOUT);
1555 
1556 	*val = tmp & 0xff;
1557 	return (0);
1558 }
1559 
1560 static int
1561 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1562 {
1563 	uint32_t tmp;
1564 	int ntries, error;
1565 
1566 	for (ntries = 0; ntries < 10; ntries++) {
1567 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1568 			return (error);
1569 		if (!(tmp & RT2860_BBP_CSR_KICK))
1570 			break;
1571 	}
1572 	if (ntries == 10)
1573 		return (ETIMEDOUT);
1574 
1575 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1576 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1577 }
1578 
1579 /*
1580  * Send a command to the 8051 microcontroller unit.
1581  */
1582 static int
1583 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1584 {
1585 	uint32_t tmp;
1586 	int error, ntries;
1587 
1588 	for (ntries = 0; ntries < 100; ntries++) {
1589 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1590 			return error;
1591 		if (!(tmp & RT2860_H2M_BUSY))
1592 			break;
1593 	}
1594 	if (ntries == 100)
1595 		return ETIMEDOUT;
1596 
1597 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1598 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1599 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1600 	return (error);
1601 }
1602 
1603 /*
1604  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1605  * Used to adjust per-rate Tx power registers.
1606  */
1607 static __inline uint32_t
1608 b4inc(uint32_t b32, int8_t delta)
1609 {
1610 	int8_t i, b4;
1611 
1612 	for (i = 0; i < 8; i++) {
1613 		b4 = b32 & 0xf;
1614 		b4 += delta;
1615 		if (b4 < 0)
1616 			b4 = 0;
1617 		else if (b4 > 0xf)
1618 			b4 = 0xf;
1619 		b32 = b32 >> 4 | b4 << 28;
1620 	}
1621 	return (b32);
1622 }
1623 
1624 static const char *
1625 run_get_rf(uint16_t rev)
1626 {
1627 	switch (rev) {
1628 	case RT2860_RF_2820:	return "RT2820";
1629 	case RT2860_RF_2850:	return "RT2850";
1630 	case RT2860_RF_2720:	return "RT2720";
1631 	case RT2860_RF_2750:	return "RT2750";
1632 	case RT3070_RF_3020:	return "RT3020";
1633 	case RT3070_RF_2020:	return "RT2020";
1634 	case RT3070_RF_3021:	return "RT3021";
1635 	case RT3070_RF_3022:	return "RT3022";
1636 	case RT3070_RF_3052:	return "RT3052";
1637 	case RT3593_RF_3053:	return "RT3053";
1638 	case RT5592_RF_5592:	return "RT5592";
1639 	case RT5390_RF_5370:	return "RT5370";
1640 	case RT5390_RF_5372:	return "RT5372";
1641 	}
1642 	return ("unknown");
1643 }
1644 
1645 static void
1646 run_rt3593_get_txpower(struct run_softc *sc)
1647 {
1648 	uint16_t addr, val;
1649 	int i;
1650 
1651 	/* Read power settings for 2GHz channels. */
1652 	for (i = 0; i < 14; i += 2) {
1653 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1654 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1655 		run_srom_read(sc, addr + i / 2, &val);
1656 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1657 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1658 
1659 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1660 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1661 		run_srom_read(sc, addr + i / 2, &val);
1662 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1663 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1664 
1665 		if (sc->ntxchains == 3) {
1666 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1667 			    &val);
1668 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1669 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1670 		}
1671 	}
1672 	/* Fix broken Tx power entries. */
1673 	for (i = 0; i < 14; i++) {
1674 		if (sc->txpow1[i] > 31)
1675 			sc->txpow1[i] = 5;
1676 		if (sc->txpow2[i] > 31)
1677 			sc->txpow2[i] = 5;
1678 		if (sc->ntxchains == 3) {
1679 			if (sc->txpow3[i] > 31)
1680 				sc->txpow3[i] = 5;
1681 		}
1682 	}
1683 	/* Read power settings for 5GHz channels. */
1684 	for (i = 0; i < 40; i += 2) {
1685 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1686 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1687 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1688 
1689 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1690 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1691 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1692 
1693 		if (sc->ntxchains == 3) {
1694 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1695 			    &val);
1696 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1697 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1698 		}
1699 	}
1700 }
1701 
1702 static void
1703 run_get_txpower(struct run_softc *sc)
1704 {
1705 	uint16_t val;
1706 	int i;
1707 
1708 	/* Read power settings for 2GHz channels. */
1709 	for (i = 0; i < 14; i += 2) {
1710 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1711 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1712 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1713 
1714 		if (sc->mac_ver != 0x5390) {
1715 			run_srom_read(sc,
1716 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1717 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1718 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1719 		}
1720 	}
1721 	/* Fix broken Tx power entries. */
1722 	for (i = 0; i < 14; i++) {
1723 		if (sc->mac_ver >= 0x5390) {
1724 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1725 				sc->txpow1[i] = 5;
1726 		} else {
1727 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1728 				sc->txpow1[i] = 5;
1729 		}
1730 		if (sc->mac_ver > 0x5390) {
1731 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1732 				sc->txpow2[i] = 5;
1733 		} else if (sc->mac_ver < 0x5390) {
1734 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1735 				sc->txpow2[i] = 5;
1736 		}
1737 		RUN_DPRINTF(sc, RUN_DEBUG_TXPWR,
1738 		    "chan %d: power1=%d, power2=%d\n",
1739 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1740 	}
1741 	/* Read power settings for 5GHz channels. */
1742 	for (i = 0; i < 40; i += 2) {
1743 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1744 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1745 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1746 
1747 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1748 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1749 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1750 	}
1751 	/* Fix broken Tx power entries. */
1752 	for (i = 0; i < 40; i++ ) {
1753 		if (sc->mac_ver != 0x5592) {
1754 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1755 				sc->txpow1[14 + i] = 5;
1756 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1757 				sc->txpow2[14 + i] = 5;
1758 		}
1759 		RUN_DPRINTF(sc, RUN_DEBUG_TXPWR,
1760 		    "chan %d: power1=%d, power2=%d\n",
1761 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1762 		    sc->txpow2[14 + i]);
1763 	}
1764 }
1765 
1766 static int
1767 run_read_eeprom(struct run_softc *sc)
1768 {
1769 	struct ieee80211com *ic = &sc->sc_ic;
1770 	int8_t delta_2ghz, delta_5ghz;
1771 	uint32_t tmp;
1772 	uint16_t val;
1773 	int ridx, ant, i;
1774 
1775 	/* check whether the ROM is eFUSE ROM or EEPROM */
1776 	sc->sc_srom_read = run_eeprom_read_2;
1777 	if (sc->mac_ver >= 0x3070) {
1778 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1779 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EFUSE_CTRL=0x%08x\n", tmp);
1780 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1781 			sc->sc_srom_read = run_efuse_read_2;
1782 	}
1783 
1784 	/* read ROM version */
1785 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1786 	RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1787 	    "EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1788 
1789 	/* read MAC address */
1790 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1791 	ic->ic_macaddr[0] = val & 0xff;
1792 	ic->ic_macaddr[1] = val >> 8;
1793 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1794 	ic->ic_macaddr[2] = val & 0xff;
1795 	ic->ic_macaddr[3] = val >> 8;
1796 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1797 	ic->ic_macaddr[4] = val & 0xff;
1798 	ic->ic_macaddr[5] = val >> 8;
1799 
1800 	if (sc->mac_ver < 0x3593) {
1801 		/* read vender BBP settings */
1802 		for (i = 0; i < 10; i++) {
1803 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1804 			sc->bbp[i].val = val & 0xff;
1805 			sc->bbp[i].reg = val >> 8;
1806 			RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1807 			    "BBP%d=0x%02x\n", sc->bbp[i].reg, sc->bbp[i].val);
1808 		}
1809 		if (sc->mac_ver >= 0x3071) {
1810 			/* read vendor RF settings */
1811 			for (i = 0; i < 10; i++) {
1812 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1813 				   &val);
1814 				sc->rf[i].val = val & 0xff;
1815 				sc->rf[i].reg = val >> 8;
1816 				RUN_DPRINTF(sc, RUN_DEBUG_ROM, "RF%d=0x%02x\n",
1817 				    sc->rf[i].reg, sc->rf[i].val);
1818 			}
1819 		}
1820 	}
1821 
1822 	/* read RF frequency offset from EEPROM */
1823 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1824 	    RT3593_EEPROM_FREQ, &val);
1825 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1826 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM freq offset %d\n",
1827 	    sc->freq & 0xff);
1828 
1829 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1830 	    RT3593_EEPROM_FREQ_LEDS, &val);
1831 	if (val >> 8 != 0xff) {
1832 		/* read LEDs operating mode */
1833 		sc->leds = val >> 8;
1834 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1835 		    RT3593_EEPROM_LED1, &sc->led[0]);
1836 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1837 		    RT3593_EEPROM_LED2, &sc->led[1]);
1838 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1839 		    RT3593_EEPROM_LED3, &sc->led[2]);
1840 	} else {
1841 		/* broken EEPROM, use default settings */
1842 		sc->leds = 0x01;
1843 		sc->led[0] = 0x5555;
1844 		sc->led[1] = 0x2221;
1845 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1846 	}
1847 	RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1848 	    "EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1849 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1850 
1851 	/* read RF information */
1852 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1853 		run_srom_read(sc, 0x00, &val);
1854 	else
1855 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1856 
1857 	if (val == 0xffff) {
1858 		device_printf(sc->sc_dev,
1859 		    "invalid EEPROM antenna info, using default\n");
1860 		if (sc->mac_ver == 0x3572) {
1861 			/* default to RF3052 2T2R */
1862 			sc->rf_rev = RT3070_RF_3052;
1863 			sc->ntxchains = 2;
1864 			sc->nrxchains = 2;
1865 		} else if (sc->mac_ver >= 0x3070) {
1866 			/* default to RF3020 1T1R */
1867 			sc->rf_rev = RT3070_RF_3020;
1868 			sc->ntxchains = 1;
1869 			sc->nrxchains = 1;
1870 		} else {
1871 			/* default to RF2820 1T2R */
1872 			sc->rf_rev = RT2860_RF_2820;
1873 			sc->ntxchains = 1;
1874 			sc->nrxchains = 2;
1875 		}
1876 	} else {
1877 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1878 			sc->rf_rev = val;
1879 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1880 		} else
1881 			sc->rf_rev = (val >> 8) & 0xf;
1882 		sc->ntxchains = (val >> 4) & 0xf;
1883 		sc->nrxchains = val & 0xf;
1884 	}
1885 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM RF rev=0x%04x chains=%dT%dR\n",
1886 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1887 
1888 	/* check if RF supports automatic Tx access gain control */
1889 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1890 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM CFG 0x%04x\n", val);
1891 	/* check if driver should patch the DAC issue */
1892 	if ((val >> 8) != 0xff)
1893 		sc->patch_dac = (val >> 15) & 1;
1894 	if ((val & 0xff) != 0xff) {
1895 		sc->ext_5ghz_lna = (val >> 3) & 1;
1896 		sc->ext_2ghz_lna = (val >> 2) & 1;
1897 		/* check if RF supports automatic Tx access gain control */
1898 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1899 		/* check if we have a hardware radio switch */
1900 		sc->rfswitch = val & 1;
1901 	}
1902 
1903 	/* Read Tx power settings. */
1904 	if (sc->mac_ver == 0x3593)
1905 		run_rt3593_get_txpower(sc);
1906 	else
1907 		run_get_txpower(sc);
1908 
1909 	/* read Tx power compensation for each Tx rate */
1910 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1911 	delta_2ghz = delta_5ghz = 0;
1912 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1913 		delta_2ghz = val & 0xf;
1914 		if (!(val & 0x40))	/* negative number */
1915 			delta_2ghz = -delta_2ghz;
1916 	}
1917 	val >>= 8;
1918 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1919 		delta_5ghz = val & 0xf;
1920 		if (!(val & 0x40))	/* negative number */
1921 			delta_5ghz = -delta_5ghz;
1922 	}
1923 	RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_TXPWR,
1924 	    "power compensation=%d (2GHz), %d (5GHz)\n", delta_2ghz, delta_5ghz);
1925 
1926 	for (ridx = 0; ridx < 5; ridx++) {
1927 		uint32_t reg;
1928 
1929 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1930 		reg = val;
1931 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1932 		reg |= (uint32_t)val << 16;
1933 
1934 		sc->txpow20mhz[ridx] = reg;
1935 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1936 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1937 
1938 		RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_TXPWR,
1939 		    "ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1940 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1941 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1942 	}
1943 
1944 	/* Read RSSI offsets and LNA gains from EEPROM. */
1945 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1946 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1947 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1948 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1949 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1950 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1951 	if (sc->mac_ver >= 0x3070) {
1952 		if (sc->mac_ver == 0x3593) {
1953 			sc->txmixgain_2ghz = 0;
1954 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1955 		} else {
1956 			/*
1957 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1958 			 * field contains the Tx mixer gain for the 2GHz band.
1959 			 */
1960 			if ((val & 0xff) != 0xff)
1961 				sc->txmixgain_2ghz = val & 0x7;
1962 		}
1963 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "tx mixer gain=%u (2GHz)\n",
1964 		    sc->txmixgain_2ghz);
1965 	} else
1966 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1967 	if (sc->mac_ver == 0x3593)
1968 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1969 	sc->lna[2] = val >> 8;		/* channel group 2 */
1970 
1971 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1972 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1973 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1974 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1975 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1976 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1977 	if (sc->mac_ver == 0x3572) {
1978 		/*
1979 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1980 		 * field contains the Tx mixer gain for the 5GHz band.
1981 		 */
1982 		if ((val & 0xff) != 0xff)
1983 			sc->txmixgain_5ghz = val & 0x7;
1984 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "tx mixer gain=%u (5GHz)\n",
1985 		    sc->txmixgain_5ghz);
1986 	} else
1987 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1988 	if (sc->mac_ver == 0x3593) {
1989 		sc->txmixgain_5ghz = 0;
1990 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1991 	}
1992 	sc->lna[3] = val >> 8;		/* channel group 3 */
1993 
1994 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1995 	    RT3593_EEPROM_LNA, &val);
1996 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1997 	sc->lna[1] = val >> 8;		/* channel group 1 */
1998 
1999 	/* fix broken 5GHz LNA entries */
2000 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
2001 		RUN_DPRINTF(sc, RUN_DEBUG_ROM,
2002 		    "invalid LNA for channel group %d\n", 2);
2003 		sc->lna[2] = sc->lna[1];
2004 	}
2005 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
2006 		RUN_DPRINTF(sc, RUN_DEBUG_ROM,
2007 		    "invalid LNA for channel group %d\n", 3);
2008 		sc->lna[3] = sc->lna[1];
2009 	}
2010 
2011 	/* fix broken RSSI offset entries */
2012 	for (ant = 0; ant < 3; ant++) {
2013 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
2014 			RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_RSSI,
2015 			    "invalid RSSI%d offset: %d (2GHz)\n",
2016 			    ant + 1, sc->rssi_2ghz[ant]);
2017 			sc->rssi_2ghz[ant] = 0;
2018 		}
2019 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
2020 			RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_RSSI,
2021 			    "invalid RSSI%d offset: %d (5GHz)\n",
2022 			    ant + 1, sc->rssi_5ghz[ant]);
2023 			sc->rssi_5ghz[ant] = 0;
2024 		}
2025 	}
2026 	return (0);
2027 }
2028 
2029 static struct ieee80211_node *
2030 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
2031 {
2032 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
2033 }
2034 
2035 static int
2036 run_media_change(struct ifnet *ifp)
2037 {
2038 	struct ieee80211vap *vap = ifp->if_softc;
2039 	struct ieee80211com *ic = vap->iv_ic;
2040 	const struct ieee80211_txparam *tp;
2041 	struct run_softc *sc = ic->ic_softc;
2042 	uint8_t rate, ridx;
2043 	int error;
2044 
2045 	RUN_LOCK(sc);
2046 
2047 	error = ieee80211_media_change(ifp);
2048 	if (error != ENETRESET) {
2049 		RUN_UNLOCK(sc);
2050 		return (error);
2051 	}
2052 
2053 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2054 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2055 		struct ieee80211_node *ni;
2056 		struct run_node	*rn;
2057 
2058 		rate = ic->ic_sup_rates[ic->ic_curmode].
2059 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2060 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2061 			if (rt2860_rates[ridx].rate == rate)
2062 				break;
2063 		ni = ieee80211_ref_node(vap->iv_bss);
2064 		rn = RUN_NODE(ni);
2065 		rn->fix_ridx = ridx;
2066 		RUN_DPRINTF(sc, RUN_DEBUG_RATE, "rate=%d, fix_ridx=%d\n",
2067 		    rate, rn->fix_ridx);
2068 		ieee80211_free_node(ni);
2069 	}
2070 
2071 #if 0
2072 	if ((ifp->if_flags & IFF_UP) &&
2073 	    (ifp->if_drv_flags &  RUN_RUNNING)){
2074 		run_init_locked(sc);
2075 	}
2076 #endif
2077 
2078 	RUN_UNLOCK(sc);
2079 
2080 	return (0);
2081 }
2082 
2083 static int
2084 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2085 {
2086 	const struct ieee80211_txparam *tp;
2087 	struct ieee80211com *ic = vap->iv_ic;
2088 	struct run_softc *sc = ic->ic_softc;
2089 	struct run_vap *rvp = RUN_VAP(vap);
2090 	enum ieee80211_state ostate;
2091 	uint32_t sta[3];
2092 	uint32_t tmp;
2093 	uint8_t ratectl;
2094 	uint8_t restart_ratectl = 0;
2095 	uint8_t bid = 1 << rvp->rvp_id;
2096 
2097 	ostate = vap->iv_state;
2098 	RUN_DPRINTF(sc, RUN_DEBUG_STATE, "%s -> %s\n",
2099 		ieee80211_state_name[ostate],
2100 		ieee80211_state_name[nstate]);
2101 
2102 	IEEE80211_UNLOCK(ic);
2103 	RUN_LOCK(sc);
2104 
2105 	ratectl = sc->ratectl_run; /* remember current state */
2106 	sc->ratectl_run = RUN_RATECTL_OFF;
2107 	usb_callout_stop(&sc->ratectl_ch);
2108 
2109 	if (ostate == IEEE80211_S_RUN) {
2110 		/* turn link LED off */
2111 		run_set_leds(sc, RT2860_LED_RADIO);
2112 	}
2113 
2114 	switch (nstate) {
2115 	case IEEE80211_S_INIT:
2116 		restart_ratectl = 1;
2117 
2118 		if (ostate != IEEE80211_S_RUN)
2119 			break;
2120 
2121 		ratectl &= ~bid;
2122 		sc->runbmap &= ~bid;
2123 
2124 		/* abort TSF synchronization if there is no vap running */
2125 		if (--sc->running == 0) {
2126 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2127 			run_write(sc, RT2860_BCN_TIME_CFG,
2128 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2129 			    RT2860_TBTT_TIMER_EN));
2130 		}
2131 		break;
2132 
2133 	case IEEE80211_S_RUN:
2134 		if (!(sc->runbmap & bid)) {
2135 			if(sc->running++)
2136 				restart_ratectl = 1;
2137 			sc->runbmap |= bid;
2138 		}
2139 
2140 		m_freem(rvp->beacon_mbuf);
2141 		rvp->beacon_mbuf = NULL;
2142 
2143 		switch (vap->iv_opmode) {
2144 		case IEEE80211_M_HOSTAP:
2145 		case IEEE80211_M_MBSS:
2146 			sc->ap_running |= bid;
2147 			ic->ic_opmode = vap->iv_opmode;
2148 			run_update_beacon_cb(vap);
2149 			break;
2150 		case IEEE80211_M_IBSS:
2151 			sc->adhoc_running |= bid;
2152 			if (!sc->ap_running)
2153 				ic->ic_opmode = vap->iv_opmode;
2154 			run_update_beacon_cb(vap);
2155 			break;
2156 		case IEEE80211_M_STA:
2157 			sc->sta_running |= bid;
2158 			if (!sc->ap_running && !sc->adhoc_running)
2159 				ic->ic_opmode = vap->iv_opmode;
2160 
2161 			/* read statistic counters (clear on read) */
2162 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2163 			    (uint8_t *)sta, sizeof sta);
2164 
2165 			break;
2166 		default:
2167 			ic->ic_opmode = vap->iv_opmode;
2168 			break;
2169 		}
2170 
2171 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2172 			struct ieee80211_node *ni;
2173 
2174 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2175 				RUN_UNLOCK(sc);
2176 				IEEE80211_LOCK(ic);
2177 				return (-1);
2178 			}
2179 			run_updateslot(ic);
2180 			run_enable_mrr(sc);
2181 			run_set_txpreamble(sc);
2182 			run_set_basicrates(sc);
2183 			ni = ieee80211_ref_node(vap->iv_bss);
2184 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2185 			run_set_bssid(sc, sc->sc_bssid);
2186 			ieee80211_free_node(ni);
2187 			run_enable_tsf_sync(sc);
2188 
2189 			/* enable automatic rate adaptation */
2190 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2191 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2192 				ratectl |= bid;
2193 		} else
2194 			run_enable_tsf(sc);
2195 
2196 		/* turn link LED on */
2197 		run_set_leds(sc, RT2860_LED_RADIO |
2198 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2199 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2200 
2201 		break;
2202 	default:
2203 		RUN_DPRINTF(sc, RUN_DEBUG_STATE, "undefined state\n");
2204 		break;
2205 	}
2206 
2207 	/* restart amrr for running VAPs */
2208 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2209 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2210 
2211 	RUN_UNLOCK(sc);
2212 	IEEE80211_LOCK(ic);
2213 
2214 	return(rvp->newstate(vap, nstate, arg));
2215 }
2216 
2217 static int
2218 run_wme_update(struct ieee80211com *ic)
2219 {
2220 	struct run_softc *sc = ic->ic_softc;
2221 	const struct wmeParams *ac =
2222 	    ic->ic_wme.wme_chanParams.cap_wmeParams;
2223 	int aci, error = 0;
2224 
2225 	/* update MAC TX configuration registers */
2226 	RUN_LOCK(sc);
2227 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2228 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2229 		    ac[aci].wmep_logcwmax << 16 |
2230 		    ac[aci].wmep_logcwmin << 12 |
2231 		    ac[aci].wmep_aifsn    <<  8 |
2232 		    ac[aci].wmep_txopLimit);
2233 		if (error) goto err;
2234 	}
2235 
2236 	/* update SCH/DMA registers too */
2237 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2238 	    ac[WME_AC_VO].wmep_aifsn  << 12 |
2239 	    ac[WME_AC_VI].wmep_aifsn  <<  8 |
2240 	    ac[WME_AC_BK].wmep_aifsn  <<  4 |
2241 	    ac[WME_AC_BE].wmep_aifsn);
2242 	if (error) goto err;
2243 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2244 	    ac[WME_AC_VO].wmep_logcwmin << 12 |
2245 	    ac[WME_AC_VI].wmep_logcwmin <<  8 |
2246 	    ac[WME_AC_BK].wmep_logcwmin <<  4 |
2247 	    ac[WME_AC_BE].wmep_logcwmin);
2248 	if (error) goto err;
2249 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2250 	    ac[WME_AC_VO].wmep_logcwmax << 12 |
2251 	    ac[WME_AC_VI].wmep_logcwmax <<  8 |
2252 	    ac[WME_AC_BK].wmep_logcwmax <<  4 |
2253 	    ac[WME_AC_BE].wmep_logcwmax);
2254 	if (error) goto err;
2255 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2256 	    ac[WME_AC_BK].wmep_txopLimit << 16 |
2257 	    ac[WME_AC_BE].wmep_txopLimit);
2258 	if (error) goto err;
2259 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2260 	    ac[WME_AC_VO].wmep_txopLimit << 16 |
2261 	    ac[WME_AC_VI].wmep_txopLimit);
2262 
2263 err:
2264 	RUN_UNLOCK(sc);
2265 	if (error)
2266 		RUN_DPRINTF(sc, RUN_DEBUG_USB, "WME update failed\n");
2267 
2268 	return (error);
2269 }
2270 
2271 static void
2272 run_key_set_cb(void *arg)
2273 {
2274 	struct run_cmdq *cmdq = arg;
2275 	struct ieee80211vap *vap = cmdq->arg1;
2276 	struct ieee80211_key *k = cmdq->k;
2277 	struct ieee80211com *ic = vap->iv_ic;
2278 	struct run_softc *sc = ic->ic_softc;
2279 	struct ieee80211_node *ni;
2280 	u_int cipher = k->wk_cipher->ic_cipher;
2281 	uint32_t attr;
2282 	uint16_t base, associd;
2283 	uint8_t mode, wcid, iv[8];
2284 
2285 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2286 
2287 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2288 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2289 	else
2290 		ni = vap->iv_bss;
2291 	associd = (ni != NULL) ? ni->ni_associd : 0;
2292 
2293 	/* map net80211 cipher to RT2860 security mode */
2294 	switch (cipher) {
2295 	case IEEE80211_CIPHER_WEP:
2296 		if(k->wk_keylen < 8)
2297 			mode = RT2860_MODE_WEP40;
2298 		else
2299 			mode = RT2860_MODE_WEP104;
2300 		break;
2301 	case IEEE80211_CIPHER_TKIP:
2302 		mode = RT2860_MODE_TKIP;
2303 		break;
2304 	case IEEE80211_CIPHER_AES_CCM:
2305 		mode = RT2860_MODE_AES_CCMP;
2306 		break;
2307 	default:
2308 		RUN_DPRINTF(sc, RUN_DEBUG_KEY, "undefined case\n");
2309 		return;
2310 	}
2311 
2312 	RUN_DPRINTF(sc, RUN_DEBUG_KEY,
2313 	    "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2314 	    associd, k->wk_keyix, mode,
2315 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2316 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2317 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2318 
2319 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2320 		wcid = 0;	/* NB: update WCID0 for group keys */
2321 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2322 	} else {
2323 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2324 		    1 : RUN_AID2WCID(associd);
2325 		base = RT2860_PKEY(wcid);
2326 	}
2327 
2328 	if (cipher == IEEE80211_CIPHER_TKIP) {
2329 		if(run_write_region_1(sc, base, k->wk_key, 16))
2330 			return;
2331 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2332 			return;
2333 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2334 			return;
2335 	} else {
2336 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2337 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2338 			return;
2339 	}
2340 
2341 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2342 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2343 		/* set initial packet number in IV+EIV */
2344 		if (cipher == IEEE80211_CIPHER_WEP) {
2345 			memset(iv, 0, sizeof iv);
2346 			iv[3] = vap->iv_def_txkey << 6;
2347 		} else {
2348 			if (cipher == IEEE80211_CIPHER_TKIP) {
2349 				iv[0] = k->wk_keytsc >> 8;
2350 				iv[1] = (iv[0] | 0x20) & 0x7f;
2351 				iv[2] = k->wk_keytsc;
2352 			} else /* CCMP */ {
2353 				iv[0] = k->wk_keytsc;
2354 				iv[1] = k->wk_keytsc >> 8;
2355 				iv[2] = 0;
2356 			}
2357 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2358 			iv[4] = k->wk_keytsc >> 16;
2359 			iv[5] = k->wk_keytsc >> 24;
2360 			iv[6] = k->wk_keytsc >> 32;
2361 			iv[7] = k->wk_keytsc >> 40;
2362 		}
2363 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2364 			return;
2365 	}
2366 
2367 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2368 		/* install group key */
2369 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2370 			return;
2371 		attr &= ~(0xf << (k->wk_keyix * 4));
2372 		attr |= mode << (k->wk_keyix * 4);
2373 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2374 			return;
2375 	} else {
2376 		/* install pairwise key */
2377 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2378 			return;
2379 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2380 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2381 			return;
2382 	}
2383 
2384 	/* TODO create a pass-thru key entry? */
2385 
2386 	/* need wcid to delete the right key later */
2387 	k->wk_pad = wcid;
2388 }
2389 
2390 /*
2391  * Don't have to be deferred, but in order to keep order of
2392  * execution, i.e. with run_key_delete(), defer this and let
2393  * run_cmdq_cb() maintain the order.
2394  *
2395  * return 0 on error
2396  */
2397 static int
2398 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2399 {
2400 	struct ieee80211com *ic = vap->iv_ic;
2401 	struct run_softc *sc = ic->ic_softc;
2402 	uint32_t i;
2403 
2404 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2405 	RUN_DPRINTF(sc, RUN_DEBUG_KEY, "cmdq_store=%d\n", i);
2406 	sc->cmdq[i].func = run_key_set_cb;
2407 	sc->cmdq[i].arg0 = NULL;
2408 	sc->cmdq[i].arg1 = vap;
2409 	sc->cmdq[i].k = k;
2410 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2411 	ieee80211_runtask(ic, &sc->cmdq_task);
2412 
2413 	/*
2414 	 * To make sure key will be set when hostapd
2415 	 * calls iv_key_set() before if_init().
2416 	 */
2417 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2418 		RUN_LOCK(sc);
2419 		sc->cmdq_key_set = RUN_CMDQ_GO;
2420 		RUN_UNLOCK(sc);
2421 	}
2422 
2423 	return (1);
2424 }
2425 
2426 /*
2427  * If wlan is destroyed without being brought down i.e. without
2428  * wlan down or wpa_cli terminate, this function is called after
2429  * vap is gone. Don't refer it.
2430  */
2431 static void
2432 run_key_delete_cb(void *arg)
2433 {
2434 	struct run_cmdq *cmdq = arg;
2435 	struct run_softc *sc = cmdq->arg1;
2436 	struct ieee80211_key *k = &cmdq->key;
2437 	uint32_t attr;
2438 	uint8_t wcid;
2439 
2440 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2441 
2442 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2443 		/* remove group key */
2444 		RUN_DPRINTF(sc, RUN_DEBUG_KEY, "removing group key\n");
2445 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2446 		attr &= ~(0xf << (k->wk_keyix * 4));
2447 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2448 	} else {
2449 		/* remove pairwise key */
2450 		RUN_DPRINTF(sc, RUN_DEBUG_KEY,
2451 		    "removing key for wcid %x\n", k->wk_pad);
2452 		/* matching wcid was written to wk_pad in run_key_set() */
2453 		wcid = k->wk_pad;
2454 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2455 		attr &= ~0xf;
2456 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2457 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2458 	}
2459 
2460 	k->wk_pad = 0;
2461 }
2462 
2463 /*
2464  * return 0 on error
2465  */
2466 static int
2467 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2468 {
2469 	struct ieee80211com *ic = vap->iv_ic;
2470 	struct run_softc *sc = ic->ic_softc;
2471 	struct ieee80211_key *k0;
2472 	uint32_t i;
2473 
2474 	/*
2475 	 * When called back, key might be gone. So, make a copy
2476 	 * of some values need to delete keys before deferring.
2477 	 * But, because of LOR with node lock, cannot use lock here.
2478 	 * So, use atomic instead.
2479 	 */
2480 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2481 	RUN_DPRINTF(sc, RUN_DEBUG_KEY, "cmdq_store=%d\n", i);
2482 	sc->cmdq[i].func = run_key_delete_cb;
2483 	sc->cmdq[i].arg0 = NULL;
2484 	sc->cmdq[i].arg1 = sc;
2485 	k0 = &sc->cmdq[i].key;
2486 	k0->wk_flags = k->wk_flags;
2487 	k0->wk_keyix = k->wk_keyix;
2488 	/* matching wcid was written to wk_pad in run_key_set() */
2489 	k0->wk_pad = k->wk_pad;
2490 	ieee80211_runtask(ic, &sc->cmdq_task);
2491 	return (1);	/* return fake success */
2492 
2493 }
2494 
2495 static void
2496 run_ratectl_to(void *arg)
2497 {
2498 	struct run_softc *sc = arg;
2499 
2500 	/* do it in a process context, so it can go sleep */
2501 	ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2502 	/* next timeout will be rescheduled in the callback task */
2503 }
2504 
2505 /* ARGSUSED */
2506 static void
2507 run_ratectl_cb(void *arg, int pending)
2508 {
2509 	struct run_softc *sc = arg;
2510 	struct ieee80211com *ic = &sc->sc_ic;
2511 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2512 
2513 	if (vap == NULL)
2514 		return;
2515 
2516 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2517 		/*
2518 		 * run_reset_livelock() doesn't do anything with AMRR,
2519 		 * but Ralink wants us to call it every 1 sec. So, we
2520 		 * piggyback here rather than creating another callout.
2521 		 * Livelock may occur only in HOSTAP or IBSS mode
2522 		 * (when h/w is sending beacons).
2523 		 */
2524 		RUN_LOCK(sc);
2525 		run_reset_livelock(sc);
2526 		/* just in case, there are some stats to drain */
2527 		run_drain_fifo(sc);
2528 		RUN_UNLOCK(sc);
2529 	}
2530 
2531 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2532 
2533 	RUN_LOCK(sc);
2534 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2535 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2536 	RUN_UNLOCK(sc);
2537 }
2538 
2539 static void
2540 run_drain_fifo(void *arg)
2541 {
2542 	struct run_softc *sc = arg;
2543 	uint32_t stat;
2544 	uint16_t (*wstat)[3];
2545 	uint8_t wcid, mcs, pid;
2546 	int8_t retry;
2547 
2548 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2549 
2550 	for (;;) {
2551 		/* drain Tx status FIFO (maxsize = 16) */
2552 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2553 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx stat 0x%08x\n", stat);
2554 		if (!(stat & RT2860_TXQ_VLD))
2555 			break;
2556 
2557 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2558 
2559 		/* if no ACK was requested, no feedback is available */
2560 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2561 		    wcid == 0)
2562 			continue;
2563 
2564 		/*
2565 		 * Even though each stat is Tx-complete-status like format,
2566 		 * the device can poll stats. Because there is no guarantee
2567 		 * that the referring node is still around when read the stats.
2568 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2569 		 * have hard time not to refer already freed node.
2570 		 *
2571 		 * To eliminate such page faults, we poll stats in softc.
2572 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2573 		 */
2574 		wstat = &(sc->wcid_stats[wcid]);
2575 		(*wstat)[RUN_TXCNT]++;
2576 		if (stat & RT2860_TXQ_OK)
2577 			(*wstat)[RUN_SUCCESS]++;
2578 		else
2579 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2580 		/*
2581 		 * Check if there were retries, ie if the Tx success rate is
2582 		 * different from the requested rate. Note that it works only
2583 		 * because we do not allow rate fallback from OFDM to CCK.
2584 		 */
2585 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2586 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2587 		if ((retry = pid -1 - mcs) > 0) {
2588 			(*wstat)[RUN_TXCNT] += retry;
2589 			(*wstat)[RUN_RETRY] += retry;
2590 		}
2591 	}
2592 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "count=%d\n", sc->fifo_cnt);
2593 
2594 	sc->fifo_cnt = 0;
2595 }
2596 
2597 static void
2598 run_iter_func(void *arg, struct ieee80211_node *ni)
2599 {
2600 	struct run_softc *sc = arg;
2601 	struct ieee80211_ratectl_tx_stats *txs = &sc->sc_txs;
2602 	struct ieee80211vap *vap = ni->ni_vap;
2603 	struct run_node *rn = RUN_NODE(ni);
2604 	union run_stats sta[2];
2605 	uint16_t (*wstat)[3];
2606 	int error;
2607 
2608 	RUN_LOCK(sc);
2609 
2610 	/* Check for special case */
2611 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2612 	    ni != vap->iv_bss)
2613 		goto fail;
2614 
2615 	txs->flags = IEEE80211_RATECTL_TX_STATS_NODE |
2616 		     IEEE80211_RATECTL_TX_STATS_RETRIES;
2617 	txs->ni = ni;
2618 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2619 	    vap->iv_opmode == IEEE80211_M_STA)) {
2620 		/* read statistic counters (clear on read) and update AMRR state */
2621 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2622 		    sizeof sta);
2623 		if (error != 0)
2624 			goto fail;
2625 
2626 		/* count failed TX as errors */
2627 		if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2628 		    le16toh(sta[0].error.fail));
2629 
2630 		txs->nretries = le16toh(sta[1].tx.retry);
2631 		txs->nsuccess = le16toh(sta[1].tx.success);
2632 		/* nretries??? */
2633 		txs->nframes = txs->nretries + txs->nsuccess +
2634 		    le16toh(sta[0].error.fail);
2635 
2636 		RUN_DPRINTF(sc, RUN_DEBUG_RATE,
2637 		    "retrycnt=%d success=%d failcnt=%d\n",
2638 		    txs->nretries, txs->nsuccess, le16toh(sta[0].error.fail));
2639 	} else {
2640 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2641 
2642 		if (wstat == &(sc->wcid_stats[0]) ||
2643 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2644 			goto fail;
2645 
2646 		txs->nretries = (*wstat)[RUN_RETRY];
2647 		txs->nsuccess = (*wstat)[RUN_SUCCESS];
2648 		txs->nframes = (*wstat)[RUN_TXCNT];
2649 		RUN_DPRINTF(sc, RUN_DEBUG_RATE,
2650 		    "retrycnt=%d txcnt=%d success=%d\n",
2651 		    txs->nretries, txs->nframes, txs->nsuccess);
2652 
2653 		memset(wstat, 0, sizeof(*wstat));
2654 	}
2655 
2656 	ieee80211_ratectl_tx_update(vap, txs);
2657 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2658 
2659 fail:
2660 	RUN_UNLOCK(sc);
2661 
2662 	RUN_DPRINTF(sc, RUN_DEBUG_RATE, "ridx=%d\n", rn->amrr_ridx);
2663 }
2664 
2665 static void
2666 run_newassoc_cb(void *arg)
2667 {
2668 	struct run_cmdq *cmdq = arg;
2669 	struct ieee80211_node *ni = cmdq->arg1;
2670 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2671 	uint8_t wcid = cmdq->wcid;
2672 
2673 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2674 
2675 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2676 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2677 
2678 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2679 }
2680 
2681 static void
2682 run_newassoc(struct ieee80211_node *ni, int isnew)
2683 {
2684 	struct run_node *rn = RUN_NODE(ni);
2685 	struct ieee80211_rateset *rs = &ni->ni_rates;
2686 	struct ieee80211vap *vap = ni->ni_vap;
2687 	struct ieee80211com *ic = vap->iv_ic;
2688 	struct run_softc *sc = ic->ic_softc;
2689 	uint8_t rate;
2690 	uint8_t ridx;
2691 	uint8_t wcid;
2692 	int i, j;
2693 
2694 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2695 	    1 : RUN_AID2WCID(ni->ni_associd);
2696 
2697 	if (wcid > RT2870_WCID_MAX) {
2698 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2699 		return;
2700 	}
2701 
2702 	/* only interested in true associations */
2703 	if (isnew && ni->ni_associd != 0) {
2704 
2705 		/*
2706 		 * This function could is called though timeout function.
2707 		 * Need to defer.
2708 		 */
2709 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2710 		RUN_DPRINTF(sc, RUN_DEBUG_STATE, "cmdq_store=%d\n", cnt);
2711 		sc->cmdq[cnt].func = run_newassoc_cb;
2712 		sc->cmdq[cnt].arg0 = NULL;
2713 		sc->cmdq[cnt].arg1 = ni;
2714 		sc->cmdq[cnt].wcid = wcid;
2715 		ieee80211_runtask(ic, &sc->cmdq_task);
2716 	}
2717 
2718 	RUN_DPRINTF(sc, RUN_DEBUG_STATE,
2719 	    "new assoc isnew=%d associd=%x addr=%s\n",
2720 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2721 
2722 	for (i = 0; i < rs->rs_nrates; i++) {
2723 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2724 		/* convert 802.11 rate to hardware rate index */
2725 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2726 			if (rt2860_rates[ridx].rate == rate)
2727 				break;
2728 		rn->ridx[i] = ridx;
2729 		/* determine rate of control response frames */
2730 		for (j = i; j >= 0; j--) {
2731 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2732 			    rt2860_rates[rn->ridx[i]].phy ==
2733 			    rt2860_rates[rn->ridx[j]].phy)
2734 				break;
2735 		}
2736 		if (j >= 0) {
2737 			rn->ctl_ridx[i] = rn->ridx[j];
2738 		} else {
2739 			/* no basic rate found, use mandatory one */
2740 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2741 		}
2742 		RUN_DPRINTF(sc, RUN_DEBUG_STATE | RUN_DEBUG_RATE,
2743 		    "rate=0x%02x ridx=%d ctl_ridx=%d\n",
2744 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2745 	}
2746 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2747 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2748 		if (rt2860_rates[ridx].rate == rate)
2749 			break;
2750 	rn->mgt_ridx = ridx;
2751 	RUN_DPRINTF(sc, RUN_DEBUG_STATE | RUN_DEBUG_RATE,
2752 	    "rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2753 
2754 	RUN_LOCK(sc);
2755 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2756 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2757 	RUN_UNLOCK(sc);
2758 }
2759 
2760 /*
2761  * Return the Rx chain with the highest RSSI for a given frame.
2762  */
2763 static __inline uint8_t
2764 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2765 {
2766 	uint8_t rxchain = 0;
2767 
2768 	if (sc->nrxchains > 1) {
2769 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2770 			rxchain = 1;
2771 		if (sc->nrxchains > 2)
2772 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2773 				rxchain = 2;
2774 	}
2775 	return (rxchain);
2776 }
2777 
2778 static void
2779 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2780     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2781 {
2782 	struct ieee80211vap *vap = ni->ni_vap;
2783 	struct run_softc *sc = vap->iv_ic->ic_softc;
2784 	struct run_vap *rvp = RUN_VAP(vap);
2785 	uint64_t ni_tstamp, rx_tstamp;
2786 
2787 	rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2788 
2789 	if (vap->iv_state == IEEE80211_S_RUN &&
2790 	    (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2791 	    subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2792 		ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2793 		RUN_LOCK(sc);
2794 		run_get_tsf(sc, &rx_tstamp);
2795 		RUN_UNLOCK(sc);
2796 		rx_tstamp = le64toh(rx_tstamp);
2797 
2798 		if (ni_tstamp >= rx_tstamp) {
2799 			RUN_DPRINTF(sc, RUN_DEBUG_RECV | RUN_DEBUG_BEACON,
2800 			    "ibss merge, tsf %ju tstamp %ju\n",
2801 			    (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2802 			(void) ieee80211_ibss_merge(ni);
2803 		}
2804 	}
2805 }
2806 
2807 static void
2808 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2809 {
2810 	struct ieee80211com *ic = &sc->sc_ic;
2811 	struct ieee80211_frame *wh;
2812 	struct ieee80211_node *ni;
2813 	struct rt2870_rxd *rxd;
2814 	struct rt2860_rxwi *rxwi;
2815 	uint32_t flags;
2816 	uint16_t len, rxwisize;
2817 	uint8_t ant, rssi;
2818 	int8_t nf;
2819 
2820 	rxwi = mtod(m, struct rt2860_rxwi *);
2821 	len = le16toh(rxwi->len) & 0xfff;
2822 	rxwisize = sizeof(struct rt2860_rxwi);
2823 	if (sc->mac_ver == 0x5592)
2824 		rxwisize += sizeof(uint64_t);
2825 	else if (sc->mac_ver == 0x3593)
2826 		rxwisize += sizeof(uint32_t);
2827 	if (__predict_false(len > dmalen)) {
2828 		m_freem(m);
2829 		counter_u64_add(ic->ic_ierrors, 1);
2830 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2831 		    "bad RXWI length %u > %u\n", len, dmalen);
2832 		return;
2833 	}
2834 	/* Rx descriptor is located at the end */
2835 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2836 	flags = le32toh(rxd->flags);
2837 
2838 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2839 		m_freem(m);
2840 		counter_u64_add(ic->ic_ierrors, 1);
2841 		RUN_DPRINTF(sc, RUN_DEBUG_RECV, "%s error.\n",
2842 		    (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2843 		return;
2844 	}
2845 
2846 	m->m_data += rxwisize;
2847 	m->m_pkthdr.len = m->m_len -= rxwisize;
2848 
2849 	wh = mtod(m, struct ieee80211_frame *);
2850 
2851 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2852 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2853 		m->m_flags |= M_WEP;
2854 	}
2855 
2856 	if (flags & RT2860_RX_L2PAD) {
2857 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2858 		    "received RT2860_RX_L2PAD frame\n");
2859 		len += 2;
2860 	}
2861 
2862 	ni = ieee80211_find_rxnode(ic,
2863 	    mtod(m, struct ieee80211_frame_min *));
2864 
2865 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2866 		/* report MIC failures to net80211 for TKIP */
2867 		if (ni != NULL)
2868 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2869 			    rxwi->keyidx);
2870 		m_freem(m);
2871 		counter_u64_add(ic->ic_ierrors, 1);
2872 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2873 		    "MIC error. Someone is lying.\n");
2874 		return;
2875 	}
2876 
2877 	ant = run_maxrssi_chain(sc, rxwi);
2878 	rssi = rxwi->rssi[ant];
2879 	nf = run_rssi2dbm(sc, rssi, ant);
2880 
2881 	m->m_pkthdr.len = m->m_len = len;
2882 
2883 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2884 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2885 		uint16_t phy;
2886 
2887 		tap->wr_flags = 0;
2888 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2889 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2890 		tap->wr_antsignal = rssi;
2891 		tap->wr_antenna = ant;
2892 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2893 		tap->wr_rate = 2;	/* in case it can't be found below */
2894 		RUN_LOCK(sc);
2895 		run_get_tsf(sc, &tap->wr_tsf);
2896 		RUN_UNLOCK(sc);
2897 		phy = le16toh(rxwi->phy);
2898 		switch (phy & RT2860_PHY_MODE) {
2899 		case RT2860_PHY_CCK:
2900 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2901 			case 0:	tap->wr_rate =   2; break;
2902 			case 1:	tap->wr_rate =   4; break;
2903 			case 2:	tap->wr_rate =  11; break;
2904 			case 3:	tap->wr_rate =  22; break;
2905 			}
2906 			if (phy & RT2860_PHY_SHPRE)
2907 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2908 			break;
2909 		case RT2860_PHY_OFDM:
2910 			switch (phy & RT2860_PHY_MCS) {
2911 			case 0:	tap->wr_rate =  12; break;
2912 			case 1:	tap->wr_rate =  18; break;
2913 			case 2:	tap->wr_rate =  24; break;
2914 			case 3:	tap->wr_rate =  36; break;
2915 			case 4:	tap->wr_rate =  48; break;
2916 			case 5:	tap->wr_rate =  72; break;
2917 			case 6:	tap->wr_rate =  96; break;
2918 			case 7:	tap->wr_rate = 108; break;
2919 			}
2920 			break;
2921 		}
2922 	}
2923 
2924 	if (ni != NULL) {
2925 		(void)ieee80211_input(ni, m, rssi, nf);
2926 		ieee80211_free_node(ni);
2927 	} else {
2928 		(void)ieee80211_input_all(ic, m, rssi, nf);
2929 	}
2930 }
2931 
2932 static void
2933 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2934 {
2935 	struct run_softc *sc = usbd_xfer_softc(xfer);
2936 	struct ieee80211com *ic = &sc->sc_ic;
2937 	struct mbuf *m = NULL;
2938 	struct mbuf *m0;
2939 	uint32_t dmalen;
2940 	uint16_t rxwisize;
2941 	int xferlen;
2942 
2943 	rxwisize = sizeof(struct rt2860_rxwi);
2944 	if (sc->mac_ver == 0x5592)
2945 		rxwisize += sizeof(uint64_t);
2946 	else if (sc->mac_ver == 0x3593)
2947 		rxwisize += sizeof(uint32_t);
2948 
2949 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2950 
2951 	switch (USB_GET_STATE(xfer)) {
2952 	case USB_ST_TRANSFERRED:
2953 
2954 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2955 		    "rx done, actlen=%d\n", xferlen);
2956 
2957 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2958 		    sizeof(struct rt2870_rxd))) {
2959 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
2960 			    "xfer too short %d\n", xferlen);
2961 			goto tr_setup;
2962 		}
2963 
2964 		m = sc->rx_m;
2965 		sc->rx_m = NULL;
2966 
2967 		/* FALLTHROUGH */
2968 	case USB_ST_SETUP:
2969 tr_setup:
2970 		if (sc->rx_m == NULL) {
2971 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2972 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2973 		}
2974 		if (sc->rx_m == NULL) {
2975 			RUN_DPRINTF(sc, RUN_DEBUG_RECV | RUN_DEBUG_RECV_DESC,
2976 			    "could not allocate mbuf - idle with stall\n");
2977 			counter_u64_add(ic->ic_ierrors, 1);
2978 			usbd_xfer_set_stall(xfer);
2979 			usbd_xfer_set_frames(xfer, 0);
2980 		} else {
2981 			/*
2982 			 * Directly loading a mbuf cluster into DMA to
2983 			 * save some data copying. This works because
2984 			 * there is only one cluster.
2985 			 */
2986 			usbd_xfer_set_frame_data(xfer, 0,
2987 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2988 			usbd_xfer_set_frames(xfer, 1);
2989 		}
2990 		usbd_transfer_submit(xfer);
2991 		break;
2992 
2993 	default:	/* Error */
2994 		if (error != USB_ERR_CANCELLED) {
2995 			/* try to clear stall first */
2996 			usbd_xfer_set_stall(xfer);
2997 			if (error == USB_ERR_TIMEOUT)
2998 				device_printf(sc->sc_dev, "device timeout\n");
2999 			counter_u64_add(ic->ic_ierrors, 1);
3000 			goto tr_setup;
3001 		}
3002 		if (sc->rx_m != NULL) {
3003 			m_freem(sc->rx_m);
3004 			sc->rx_m = NULL;
3005 		}
3006 		break;
3007 	}
3008 
3009 	if (m == NULL)
3010 		return;
3011 
3012 	/* inputting all the frames must be last */
3013 
3014 	RUN_UNLOCK(sc);
3015 
3016 	m->m_pkthdr.len = m->m_len = xferlen;
3017 
3018 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
3019 	for(;;) {
3020 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
3021 
3022 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
3023 		    ((dmalen & 3) != 0)) {
3024 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
3025 			    "bad DMA length %u\n", dmalen);
3026 			break;
3027 		}
3028 		if ((dmalen + 8) > (uint32_t)xferlen) {
3029 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
3030 			    "bad DMA length %u > %d\n",
3031 			dmalen + 8, xferlen);
3032 			break;
3033 		}
3034 
3035 		/* If it is the last one or a single frame, we won't copy. */
3036 		if ((xferlen -= dmalen + 8) <= 8) {
3037 			/* trim 32-bit DMA-len header */
3038 			m->m_data += 4;
3039 			m->m_pkthdr.len = m->m_len -= 4;
3040 			run_rx_frame(sc, m, dmalen);
3041 			m = NULL;	/* don't free source buffer */
3042 			break;
3043 		}
3044 
3045 		/* copy aggregated frames to another mbuf */
3046 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
3047 		if (__predict_false(m0 == NULL)) {
3048 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC,
3049 			    "could not allocate mbuf\n");
3050 			counter_u64_add(ic->ic_ierrors, 1);
3051 			break;
3052 		}
3053 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3054 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3055 		m0->m_pkthdr.len = m0->m_len =
3056 		    dmalen + sizeof(struct rt2870_rxd);
3057 		run_rx_frame(sc, m0, dmalen);
3058 
3059 		/* update data ptr */
3060 		m->m_data += dmalen + 8;
3061 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
3062 	}
3063 
3064 	/* make sure we free the source buffer, if any */
3065 	m_freem(m);
3066 
3067 	RUN_LOCK(sc);
3068 }
3069 
3070 static void
3071 run_tx_free(struct run_endpoint_queue *pq,
3072     struct run_tx_data *data, int txerr)
3073 {
3074 
3075 	ieee80211_tx_complete(data->ni, data->m, txerr);
3076 
3077 	data->m = NULL;
3078 	data->ni = NULL;
3079 
3080 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3081 	pq->tx_nfree++;
3082 }
3083 
3084 static void
3085 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3086 {
3087 	struct run_softc *sc = usbd_xfer_softc(xfer);
3088 	struct ieee80211com *ic = &sc->sc_ic;
3089 	struct run_tx_data *data;
3090 	struct ieee80211vap *vap = NULL;
3091 	struct usb_page_cache *pc;
3092 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3093 	struct mbuf *m;
3094 	usb_frlength_t size;
3095 	int actlen;
3096 	int sumlen;
3097 
3098 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3099 
3100 	switch (USB_GET_STATE(xfer)) {
3101 	case USB_ST_TRANSFERRED:
3102 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3103 		    "transfer complete: %d bytes @ index %d\n", actlen, index);
3104 
3105 		data = usbd_xfer_get_priv(xfer);
3106 		run_tx_free(pq, data, 0);
3107 		usbd_xfer_set_priv(xfer, NULL);
3108 
3109 		/* FALLTHROUGH */
3110 	case USB_ST_SETUP:
3111 tr_setup:
3112 		data = STAILQ_FIRST(&pq->tx_qh);
3113 		if (data == NULL)
3114 			break;
3115 
3116 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3117 
3118 		m = data->m;
3119 		size = (sc->mac_ver == 0x5592) ?
3120 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3121 		if ((m->m_pkthdr.len +
3122 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3123 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT_DESC | RUN_DEBUG_USB,
3124 			    "data overflow, %u bytes\n", m->m_pkthdr.len);
3125 			run_tx_free(pq, data, 1);
3126 			goto tr_setup;
3127 		}
3128 
3129 		pc = usbd_xfer_get_frame(xfer, 0);
3130 		usbd_copy_in(pc, 0, &data->desc, size);
3131 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3132 		size += m->m_pkthdr.len;
3133 		/*
3134 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3135 		 * 4-byte padding), and be sure to zero those trailing
3136 		 * bytes:
3137 		 */
3138 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3139 		size += ((-size) & 3) + 8;
3140 
3141 		vap = data->ni->ni_vap;
3142 		if (ieee80211_radiotap_active_vap(vap)) {
3143 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3144 			struct rt2860_txwi *txwi =
3145 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3146 			tap->wt_flags = 0;
3147 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3148 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3149 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3150 			tap->wt_hwqueue = index;
3151 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3152 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3153 
3154 			ieee80211_radiotap_tx(vap, m);
3155 		}
3156 
3157 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3158 		    "sending frame len=%u/%u @ index %d\n",
3159 		    m->m_pkthdr.len, size, index);
3160 
3161 		usbd_xfer_set_frame_len(xfer, 0, size);
3162 		usbd_xfer_set_priv(xfer, data);
3163 		usbd_transfer_submit(xfer);
3164 		run_start(sc);
3165 
3166 		break;
3167 
3168 	default:
3169 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3170 		    "USB transfer error, %s\n", usbd_errstr(error));
3171 
3172 		data = usbd_xfer_get_priv(xfer);
3173 
3174 		if (data != NULL) {
3175 			if(data->ni != NULL)
3176 				vap = data->ni->ni_vap;
3177 			run_tx_free(pq, data, error);
3178 			usbd_xfer_set_priv(xfer, NULL);
3179 		}
3180 
3181 		if (vap == NULL)
3182 			vap = TAILQ_FIRST(&ic->ic_vaps);
3183 
3184 		if (error != USB_ERR_CANCELLED) {
3185 			if (error == USB_ERR_TIMEOUT) {
3186 				device_printf(sc->sc_dev, "device timeout\n");
3187 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3188 				RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3189 				    "cmdq_store=%d\n", i);
3190 				sc->cmdq[i].func = run_usb_timeout_cb;
3191 				sc->cmdq[i].arg0 = vap;
3192 				ieee80211_runtask(ic, &sc->cmdq_task);
3193 			}
3194 
3195 			/*
3196 			 * Try to clear stall first, also if other
3197 			 * errors occur, hence clearing stall
3198 			 * introduces a 50 ms delay:
3199 			 */
3200 			usbd_xfer_set_stall(xfer);
3201 			goto tr_setup;
3202 		}
3203 		break;
3204 	}
3205 }
3206 
3207 static void
3208 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3209 {
3210 	run_bulk_tx_callbackN(xfer, error, 0);
3211 }
3212 
3213 static void
3214 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3215 {
3216 	run_bulk_tx_callbackN(xfer, error, 1);
3217 }
3218 
3219 static void
3220 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3221 {
3222 	run_bulk_tx_callbackN(xfer, error, 2);
3223 }
3224 
3225 static void
3226 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3227 {
3228 	run_bulk_tx_callbackN(xfer, error, 3);
3229 }
3230 
3231 static void
3232 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3233 {
3234 	run_bulk_tx_callbackN(xfer, error, 4);
3235 }
3236 
3237 static void
3238 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3239 {
3240 	run_bulk_tx_callbackN(xfer, error, 5);
3241 }
3242 
3243 static void
3244 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3245 {
3246 	struct mbuf *m = data->m;
3247 	struct ieee80211com *ic = &sc->sc_ic;
3248 	struct ieee80211vap *vap = data->ni->ni_vap;
3249 	struct ieee80211_frame *wh;
3250 	struct rt2870_txd *txd;
3251 	struct rt2860_txwi *txwi;
3252 	uint16_t xferlen, txwisize;
3253 	uint16_t mcs;
3254 	uint8_t ridx = data->ridx;
3255 	uint8_t pad;
3256 
3257 	/* get MCS code from rate index */
3258 	mcs = rt2860_rates[ridx].mcs;
3259 
3260 	txwisize = (sc->mac_ver == 0x5592) ?
3261 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3262 	xferlen = txwisize + m->m_pkthdr.len;
3263 
3264 	/* roundup to 32-bit alignment */
3265 	xferlen = (xferlen + 3) & ~3;
3266 
3267 	txd = (struct rt2870_txd *)&data->desc;
3268 	txd->len = htole16(xferlen);
3269 
3270 	wh = mtod(m, struct ieee80211_frame *);
3271 
3272 	/*
3273 	 * Ether both are true or both are false, the header
3274 	 * are nicely aligned to 32-bit. So, no L2 padding.
3275 	 */
3276 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3277 		pad = 0;
3278 	else
3279 		pad = 2;
3280 
3281 	/* setup TX Wireless Information */
3282 	txwi = (struct rt2860_txwi *)(txd + 1);
3283 	txwi->len = htole16(m->m_pkthdr.len - pad);
3284 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3285 		mcs |= RT2860_PHY_CCK;
3286 		if (ridx != RT2860_RIDX_CCK1 &&
3287 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3288 			mcs |= RT2860_PHY_SHPRE;
3289 	} else
3290 		mcs |= RT2860_PHY_OFDM;
3291 	txwi->phy = htole16(mcs);
3292 
3293 	/* check if RTS/CTS or CTS-to-self protection is required */
3294 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3295 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3296 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3297 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3298 		txwi->txop |= RT2860_TX_TXOP_HT;
3299 	else
3300 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3301 
3302 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3303 		txwi->xflags |= RT2860_TX_NSEQ;
3304 }
3305 
3306 /* This function must be called locked */
3307 static int
3308 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3309 {
3310 	struct ieee80211com *ic = &sc->sc_ic;
3311 	struct ieee80211vap *vap = ni->ni_vap;
3312 	struct ieee80211_frame *wh;
3313 	struct ieee80211_channel *chan;
3314 	const struct ieee80211_txparam *tp;
3315 	struct run_node *rn = RUN_NODE(ni);
3316 	struct run_tx_data *data;
3317 	struct rt2870_txd *txd;
3318 	struct rt2860_txwi *txwi;
3319 	uint16_t qos;
3320 	uint16_t dur;
3321 	uint16_t qid;
3322 	uint8_t type;
3323 	uint8_t tid;
3324 	uint8_t ridx;
3325 	uint8_t ctl_ridx;
3326 	uint8_t qflags;
3327 	uint8_t xflags = 0;
3328 	int hasqos;
3329 
3330 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3331 
3332 	wh = mtod(m, struct ieee80211_frame *);
3333 
3334 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3335 
3336 	/*
3337 	 * There are 7 bulk endpoints: 1 for RX
3338 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3339 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3340 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3341 	 */
3342 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3343 		uint8_t *frm;
3344 
3345 		if(IEEE80211_HAS_ADDR4(wh))
3346 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3347 		else
3348 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3349 
3350 		qos = le16toh(*(const uint16_t *)frm);
3351 		tid = qos & IEEE80211_QOS_TID;
3352 		qid = TID_TO_WME_AC(tid);
3353 	} else {
3354 		qos = 0;
3355 		tid = 0;
3356 		qid = WME_AC_BE;
3357 	}
3358 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3359 
3360 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3361 	    qos, qid, tid, qflags);
3362 
3363 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3364 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3365 
3366 	/* pickup a rate index */
3367 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3368 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3369 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3370 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3371 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3372 	} else {
3373 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3374 			ridx = rn->fix_ridx;
3375 		else
3376 			ridx = rn->amrr_ridx;
3377 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3378 	}
3379 
3380 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3381 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3382 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3383 		xflags |= RT2860_TX_ACK;
3384 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3385 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3386 		else
3387 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3388 		USETW(wh->i_dur, dur);
3389 	}
3390 
3391 	/* reserve slots for mgmt packets, just in case */
3392 	if (sc->sc_epq[qid].tx_nfree < 3) {
3393 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx ring %d is full\n", qid);
3394 		return (-1);
3395 	}
3396 
3397 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3398 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3399 	sc->sc_epq[qid].tx_nfree--;
3400 
3401 	txd = (struct rt2870_txd *)&data->desc;
3402 	txd->flags = qflags;
3403 	txwi = (struct rt2860_txwi *)(txd + 1);
3404 	txwi->xflags = xflags;
3405 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3406 		txwi->wcid = 0;
3407 	else
3408 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3409 		    1 : RUN_AID2WCID(ni->ni_associd);
3410 
3411 	/* clear leftover garbage bits */
3412 	txwi->flags = 0;
3413 	txwi->txop = 0;
3414 
3415 	data->m = m;
3416 	data->ni = ni;
3417 	data->ridx = ridx;
3418 
3419 	run_set_tx_desc(sc, data);
3420 
3421 	/*
3422 	 * The chip keeps track of 2 kind of Tx stats,
3423 	 *  * TX_STAT_FIFO, for per WCID stats, and
3424 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3425 	 *
3426 	 * To use FIFO stats, we need to store MCS into the driver-private
3427  	 * PacketID field. So that, we can tell whose stats when we read them.
3428  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3429  	 * that we don't want feedback in TX_STAT_FIFO.
3430  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3431  	 *
3432  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3433  	 */
3434 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3435 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3436 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3437 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3438 
3439 		/*
3440 		 * Unlike PCI based devices, we don't get any interrupt from
3441 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3442 		 * Ralink recommends to drain FIFO stats every 100 ms, but 16 slots
3443 		 * quickly get fulled. To prevent overflow, increment a counter on
3444 		 * every FIFO stat request, so we know how many slots are left.
3445 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3446 		 * are used only in those modes.
3447 		 * We just drain stats. AMRR gets updated every 1 sec by
3448 		 * run_ratectl_cb() via callout.
3449 		 * Call it early. Otherwise overflow.
3450 		 */
3451 		if (sc->fifo_cnt++ == 10) {
3452 			/*
3453 			 * With multiple vaps or if_bridge, if_start() is called
3454 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3455 			 */
3456 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3457 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "cmdq_store=%d\n", i);
3458 			sc->cmdq[i].func = run_drain_fifo;
3459 			sc->cmdq[i].arg0 = sc;
3460 			ieee80211_runtask(ic, &sc->cmdq_task);
3461 		}
3462 	}
3463 
3464         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3465 
3466 	usbd_transfer_start(sc->sc_xfer[qid]);
3467 
3468 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT,
3469 	    "sending data frame len=%d rate=%d qid=%d\n",
3470 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3471 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3472 
3473 	return (0);
3474 }
3475 
3476 static int
3477 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3478 {
3479 	struct ieee80211com *ic = &sc->sc_ic;
3480 	struct run_node *rn = RUN_NODE(ni);
3481 	struct run_tx_data *data;
3482 	struct ieee80211_frame *wh;
3483 	struct rt2870_txd *txd;
3484 	struct rt2860_txwi *txwi;
3485 	uint16_t dur;
3486 	uint8_t ridx = rn->mgt_ridx;
3487 	uint8_t type;
3488 	uint8_t xflags = 0;
3489 	uint8_t wflags = 0;
3490 
3491 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3492 
3493 	wh = mtod(m, struct ieee80211_frame *);
3494 
3495 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3496 
3497 	/* tell hardware to add timestamp for probe responses */
3498 	if ((wh->i_fc[0] &
3499 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3500 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3501 		wflags |= RT2860_TX_TS;
3502 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3503 		xflags |= RT2860_TX_ACK;
3504 
3505 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3506 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3507 		USETW(wh->i_dur, dur);
3508 	}
3509 
3510 	if (sc->sc_epq[0].tx_nfree == 0)
3511 		/* let caller free mbuf */
3512 		return (EIO);
3513 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3514 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3515 	sc->sc_epq[0].tx_nfree--;
3516 
3517 	txd = (struct rt2870_txd *)&data->desc;
3518 	txd->flags = RT2860_TX_QSEL_EDCA;
3519 	txwi = (struct rt2860_txwi *)(txd + 1);
3520 	txwi->wcid = 0xff;
3521 	txwi->flags = wflags;
3522 	txwi->xflags = xflags;
3523 	txwi->txop = 0;	/* clear leftover garbage bits */
3524 
3525 	data->m = m;
3526 	data->ni = ni;
3527 	data->ridx = ridx;
3528 
3529 	run_set_tx_desc(sc, data);
3530 
3531 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending mgt frame len=%d rate=%d\n",
3532 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3533 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate);
3534 
3535 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3536 
3537 	usbd_transfer_start(sc->sc_xfer[0]);
3538 
3539 	return (0);
3540 }
3541 
3542 static int
3543 run_sendprot(struct run_softc *sc,
3544     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3545 {
3546 	struct ieee80211com *ic = ni->ni_ic;
3547 	struct ieee80211_frame *wh;
3548 	struct run_tx_data *data;
3549 	struct rt2870_txd *txd;
3550 	struct rt2860_txwi *txwi;
3551 	struct mbuf *mprot;
3552 	int ridx;
3553 	int protrate;
3554 	int ackrate;
3555 	int pktlen;
3556 	int isshort;
3557 	uint16_t dur;
3558 	uint8_t type;
3559 	uint8_t wflags = 0;
3560 	uint8_t xflags = 0;
3561 
3562 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3563 
3564 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3565 	    ("protection %d", prot));
3566 
3567 	wh = mtod(m, struct ieee80211_frame *);
3568 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3569 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3570 
3571 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3572 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3573 
3574 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3575 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3576 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3577 	wflags = RT2860_TX_FRAG;
3578 
3579 	/* check that there are free slots before allocating the mbuf */
3580 	if (sc->sc_epq[0].tx_nfree == 0)
3581 		/* let caller free mbuf */
3582 		return (ENOBUFS);
3583 
3584 	if (prot == IEEE80211_PROT_RTSCTS) {
3585 		/* NB: CTS is the same size as an ACK */
3586 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3587 		xflags |= RT2860_TX_ACK;
3588 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3589 	} else {
3590 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3591 	}
3592 	if (mprot == NULL) {
3593 		if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3594 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "could not allocate mbuf\n");
3595 		return (ENOBUFS);
3596 	}
3597 
3598         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3599         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3600         sc->sc_epq[0].tx_nfree--;
3601 
3602 	txd = (struct rt2870_txd *)&data->desc;
3603 	txd->flags = RT2860_TX_QSEL_EDCA;
3604 	txwi = (struct rt2860_txwi *)(txd + 1);
3605 	txwi->wcid = 0xff;
3606 	txwi->flags = wflags;
3607 	txwi->xflags = xflags;
3608 	txwi->txop = 0;	/* clear leftover garbage bits */
3609 
3610 	data->m = mprot;
3611 	data->ni = ieee80211_ref_node(ni);
3612 
3613 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3614 		if (rt2860_rates[ridx].rate == protrate)
3615 			break;
3616 	data->ridx = ridx;
3617 
3618 	run_set_tx_desc(sc, data);
3619 
3620         RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending prot len=%u rate=%u\n",
3621             m->m_pkthdr.len, rate);
3622 
3623         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3624 
3625 	usbd_transfer_start(sc->sc_xfer[0]);
3626 
3627 	return (0);
3628 }
3629 
3630 static int
3631 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3632     const struct ieee80211_bpf_params *params)
3633 {
3634 	struct ieee80211com *ic = ni->ni_ic;
3635 	struct ieee80211_frame *wh;
3636 	struct run_tx_data *data;
3637 	struct rt2870_txd *txd;
3638 	struct rt2860_txwi *txwi;
3639 	uint8_t type;
3640 	uint8_t ridx;
3641 	uint8_t rate;
3642 	uint8_t opflags = 0;
3643 	uint8_t xflags = 0;
3644 	int error;
3645 
3646 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3647 
3648 	KASSERT(params != NULL, ("no raw xmit params"));
3649 
3650 	wh = mtod(m, struct ieee80211_frame *);
3651 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3652 
3653 	rate = params->ibp_rate0;
3654 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3655 		/* let caller free mbuf */
3656 		return (EINVAL);
3657 	}
3658 
3659 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3660 		xflags |= RT2860_TX_ACK;
3661 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3662 		error = run_sendprot(sc, m, ni,
3663 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3664 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3665 		    rate);
3666 		if (error) {
3667 			/* let caller free mbuf */
3668 			return error;
3669 		}
3670 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3671 	}
3672 
3673 	if (sc->sc_epq[0].tx_nfree == 0) {
3674 		/* let caller free mbuf */
3675 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT,
3676 		    "sending raw frame, but tx ring is full\n");
3677 		return (EIO);
3678 	}
3679         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3680         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3681         sc->sc_epq[0].tx_nfree--;
3682 
3683 	txd = (struct rt2870_txd *)&data->desc;
3684 	txd->flags = RT2860_TX_QSEL_EDCA;
3685 	txwi = (struct rt2860_txwi *)(txd + 1);
3686 	txwi->wcid = 0xff;
3687 	txwi->xflags = xflags;
3688 	txwi->txop = opflags;
3689 	txwi->flags = 0;	/* clear leftover garbage bits */
3690 
3691         data->m = m;
3692         data->ni = ni;
3693 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3694 		if (rt2860_rates[ridx].rate == rate)
3695 			break;
3696 	data->ridx = ridx;
3697 
3698         run_set_tx_desc(sc, data);
3699 
3700         RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending raw frame len=%u rate=%u\n",
3701             m->m_pkthdr.len, rate);
3702 
3703         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3704 
3705 	usbd_transfer_start(sc->sc_xfer[0]);
3706 
3707         return (0);
3708 }
3709 
3710 static int
3711 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3712     const struct ieee80211_bpf_params *params)
3713 {
3714 	struct run_softc *sc = ni->ni_ic->ic_softc;
3715 	int error = 0;
3716 
3717 	RUN_LOCK(sc);
3718 
3719 	/* prevent management frames from being sent if we're not ready */
3720 	if (!(sc->sc_flags & RUN_RUNNING)) {
3721 		error = ENETDOWN;
3722 		goto done;
3723 	}
3724 
3725 	if (params == NULL) {
3726 		/* tx mgt packet */
3727 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3728 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "mgt tx failed\n");
3729 			goto done;
3730 		}
3731 	} else {
3732 		/* tx raw packet with param */
3733 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3734 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx with param failed\n");
3735 			goto done;
3736 		}
3737 	}
3738 
3739 done:
3740 	RUN_UNLOCK(sc);
3741 
3742 	if (error != 0) {
3743 		if(m != NULL)
3744 			m_freem(m);
3745 	}
3746 
3747 	return (error);
3748 }
3749 
3750 static int
3751 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3752 {
3753 	struct run_softc *sc = ic->ic_softc;
3754 	int error;
3755 
3756 	RUN_LOCK(sc);
3757 	if ((sc->sc_flags & RUN_RUNNING) == 0) {
3758 		RUN_UNLOCK(sc);
3759 		return (ENXIO);
3760 	}
3761 	error = mbufq_enqueue(&sc->sc_snd, m);
3762 	if (error) {
3763 		RUN_UNLOCK(sc);
3764 		return (error);
3765 	}
3766 	run_start(sc);
3767 	RUN_UNLOCK(sc);
3768 
3769 	return (0);
3770 }
3771 
3772 static void
3773 run_start(struct run_softc *sc)
3774 {
3775 	struct ieee80211_node *ni;
3776 	struct mbuf *m;
3777 
3778 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3779 
3780 	if ((sc->sc_flags & RUN_RUNNING) == 0)
3781 		return;
3782 
3783 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3784 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3785 		if (run_tx(sc, m, ni) != 0) {
3786 			mbufq_prepend(&sc->sc_snd, m);
3787 			break;
3788 		}
3789 	}
3790 }
3791 
3792 static void
3793 run_parent(struct ieee80211com *ic)
3794 {
3795 	struct run_softc *sc = ic->ic_softc;
3796 	int startall = 0;
3797 
3798 	RUN_LOCK(sc);
3799 	if (sc->sc_detached) {
3800 		RUN_UNLOCK(sc);
3801 		return;
3802 	}
3803 
3804 	if (ic->ic_nrunning > 0) {
3805 		if (!(sc->sc_flags & RUN_RUNNING)) {
3806 			startall = 1;
3807 			run_init_locked(sc);
3808 		} else
3809 			run_update_promisc_locked(sc);
3810 	} else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3811 		run_stop(sc);
3812 	RUN_UNLOCK(sc);
3813 	if (startall)
3814 		ieee80211_start_all(ic);
3815 }
3816 
3817 static void
3818 run_iq_calib(struct run_softc *sc, u_int chan)
3819 {
3820 	uint16_t val;
3821 
3822 	/* Tx0 IQ gain. */
3823 	run_bbp_write(sc, 158, 0x2c);
3824 	if (chan <= 14)
3825 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3826 	else if (chan <= 64) {
3827 		run_efuse_read(sc,
3828 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3829 		    &val, 1);
3830 	} else if (chan <= 138) {
3831 		run_efuse_read(sc,
3832 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3833 		    &val, 1);
3834 	} else if (chan <= 165) {
3835 		run_efuse_read(sc,
3836 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3837 		    &val, 1);
3838 	} else
3839 		val = 0;
3840 	run_bbp_write(sc, 159, val);
3841 
3842 	/* Tx0 IQ phase. */
3843 	run_bbp_write(sc, 158, 0x2d);
3844 	if (chan <= 14) {
3845 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3846 		    &val, 1);
3847 	} else if (chan <= 64) {
3848 		run_efuse_read(sc,
3849 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3850 		    &val, 1);
3851 	} else if (chan <= 138) {
3852 		run_efuse_read(sc,
3853 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3854 		    &val, 1);
3855 	} else if (chan <= 165) {
3856 		run_efuse_read(sc,
3857 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3858 		    &val, 1);
3859 	} else
3860 		val = 0;
3861 	run_bbp_write(sc, 159, val);
3862 
3863 	/* Tx1 IQ gain. */
3864 	run_bbp_write(sc, 158, 0x4a);
3865 	if (chan <= 14) {
3866 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3867 		    &val, 1);
3868 	} else if (chan <= 64) {
3869 		run_efuse_read(sc,
3870 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3871 		    &val, 1);
3872 	} else if (chan <= 138) {
3873 		run_efuse_read(sc,
3874 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3875 		    &val, 1);
3876 	} else if (chan <= 165) {
3877 		run_efuse_read(sc,
3878 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3879 		    &val, 1);
3880 	} else
3881 		val = 0;
3882 	run_bbp_write(sc, 159, val);
3883 
3884 	/* Tx1 IQ phase. */
3885 	run_bbp_write(sc, 158, 0x4b);
3886 	if (chan <= 14) {
3887 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3888 		    &val, 1);
3889 	} else if (chan <= 64) {
3890 		run_efuse_read(sc,
3891 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3892 		    &val, 1);
3893 	} else if (chan <= 138) {
3894 		run_efuse_read(sc,
3895 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3896 		    &val, 1);
3897 	} else if (chan <= 165) {
3898 		run_efuse_read(sc,
3899 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3900 		    &val, 1);
3901 	} else
3902 		val = 0;
3903 	run_bbp_write(sc, 159, val);
3904 
3905 	/* RF IQ compensation control. */
3906 	run_bbp_write(sc, 158, 0x04);
3907 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3908 	    &val, 1);
3909 	run_bbp_write(sc, 159, val);
3910 
3911 	/* RF IQ imbalance compensation control. */
3912 	run_bbp_write(sc, 158, 0x03);
3913 	run_efuse_read(sc,
3914 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3915 	run_bbp_write(sc, 159, val);
3916 }
3917 
3918 static void
3919 run_set_agc(struct run_softc *sc, uint8_t agc)
3920 {
3921 	uint8_t bbp;
3922 
3923 	if (sc->mac_ver == 0x3572) {
3924 		run_bbp_read(sc, 27, &bbp);
3925 		bbp &= ~(0x3 << 5);
3926 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3927 		run_bbp_write(sc, 66, agc);
3928 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3929 		run_bbp_write(sc, 66, agc);
3930 	} else
3931 		run_bbp_write(sc, 66, agc);
3932 }
3933 
3934 static void
3935 run_select_chan_group(struct run_softc *sc, int group)
3936 {
3937 	uint32_t tmp;
3938 	uint8_t agc;
3939 
3940 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3941 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3942 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3943 	if (sc->mac_ver < 0x3572)
3944 		run_bbp_write(sc, 86, 0x00);
3945 
3946 	if (sc->mac_ver == 0x3593) {
3947 		run_bbp_write(sc, 77, 0x98);
3948 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3949 	}
3950 
3951 	if (group == 0) {
3952 		if (sc->ext_2ghz_lna) {
3953 			if (sc->mac_ver >= 0x5390)
3954 				run_bbp_write(sc, 75, 0x52);
3955 			else {
3956 				run_bbp_write(sc, 82, 0x62);
3957 				run_bbp_write(sc, 75, 0x46);
3958 			}
3959 		} else {
3960 			if (sc->mac_ver == 0x5592) {
3961 				run_bbp_write(sc, 79, 0x1c);
3962 				run_bbp_write(sc, 80, 0x0e);
3963 				run_bbp_write(sc, 81, 0x3a);
3964 				run_bbp_write(sc, 82, 0x62);
3965 
3966 				run_bbp_write(sc, 195, 0x80);
3967 				run_bbp_write(sc, 196, 0xe0);
3968 				run_bbp_write(sc, 195, 0x81);
3969 				run_bbp_write(sc, 196, 0x1f);
3970 				run_bbp_write(sc, 195, 0x82);
3971 				run_bbp_write(sc, 196, 0x38);
3972 				run_bbp_write(sc, 195, 0x83);
3973 				run_bbp_write(sc, 196, 0x32);
3974 				run_bbp_write(sc, 195, 0x85);
3975 				run_bbp_write(sc, 196, 0x28);
3976 				run_bbp_write(sc, 195, 0x86);
3977 				run_bbp_write(sc, 196, 0x19);
3978 			} else if (sc->mac_ver >= 0x5390)
3979 				run_bbp_write(sc, 75, 0x50);
3980 			else {
3981 				run_bbp_write(sc, 82,
3982 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3983 				run_bbp_write(sc, 75, 0x50);
3984 			}
3985 		}
3986 	} else {
3987 		if (sc->mac_ver == 0x5592) {
3988 			run_bbp_write(sc, 79, 0x18);
3989 			run_bbp_write(sc, 80, 0x08);
3990 			run_bbp_write(sc, 81, 0x38);
3991 			run_bbp_write(sc, 82, 0x92);
3992 
3993 			run_bbp_write(sc, 195, 0x80);
3994 			run_bbp_write(sc, 196, 0xf0);
3995 			run_bbp_write(sc, 195, 0x81);
3996 			run_bbp_write(sc, 196, 0x1e);
3997 			run_bbp_write(sc, 195, 0x82);
3998 			run_bbp_write(sc, 196, 0x28);
3999 			run_bbp_write(sc, 195, 0x83);
4000 			run_bbp_write(sc, 196, 0x20);
4001 			run_bbp_write(sc, 195, 0x85);
4002 			run_bbp_write(sc, 196, 0x7f);
4003 			run_bbp_write(sc, 195, 0x86);
4004 			run_bbp_write(sc, 196, 0x7f);
4005 		} else if (sc->mac_ver == 0x3572)
4006 			run_bbp_write(sc, 82, 0x94);
4007 		else
4008 			run_bbp_write(sc, 82,
4009 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
4010 		if (sc->ext_5ghz_lna)
4011 			run_bbp_write(sc, 75, 0x46);
4012 		else
4013 			run_bbp_write(sc, 75, 0x50);
4014 	}
4015 
4016 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4017 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4018 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4019 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
4020 
4021 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4022 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4023 	if (sc->mac_ver == 0x3593)
4024 		tmp |= 1 << 29 | 1 << 28;
4025 	if (sc->nrxchains > 1)
4026 		tmp |= RT2860_LNA_PE1_EN;
4027 	if (group == 0) {	/* 2GHz */
4028 		tmp |= RT2860_PA_PE_G0_EN;
4029 		if (sc->ntxchains > 1)
4030 			tmp |= RT2860_PA_PE_G1_EN;
4031 		if (sc->mac_ver == 0x3593) {
4032 			if (sc->ntxchains > 2)
4033 				tmp |= 1 << 25;
4034 		}
4035 	} else {		/* 5GHz */
4036 		tmp |= RT2860_PA_PE_A0_EN;
4037 		if (sc->ntxchains > 1)
4038 			tmp |= RT2860_PA_PE_A1_EN;
4039 	}
4040 	if (sc->mac_ver == 0x3572) {
4041 		run_rt3070_rf_write(sc, 8, 0x00);
4042 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4043 		run_rt3070_rf_write(sc, 8, 0x80);
4044 	} else
4045 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4046 
4047 	if (sc->mac_ver == 0x5592) {
4048 		run_bbp_write(sc, 195, 0x8d);
4049 		run_bbp_write(sc, 196, 0x1a);
4050 	}
4051 
4052 	if (sc->mac_ver == 0x3593) {
4053 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
4054 		tmp &= ~0x01010000;
4055 		if (group == 0)
4056 			tmp |= 0x00010000;
4057 		tmp = (tmp & ~0x00009090) | 0x00000090;
4058 		run_write(sc, RT2860_GPIO_CTRL, tmp);
4059 	}
4060 
4061 	/* set initial AGC value */
4062 	if (group == 0) {	/* 2GHz band */
4063 		if (sc->mac_ver >= 0x3070)
4064 			agc = 0x1c + sc->lna[0] * 2;
4065 		else
4066 			agc = 0x2e + sc->lna[0];
4067 	} else {		/* 5GHz band */
4068 		if (sc->mac_ver == 0x5592)
4069 			agc = 0x24 + sc->lna[group] * 2;
4070 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4071 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4072 		else
4073 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4074 	}
4075 	run_set_agc(sc, agc);
4076 }
4077 
4078 static void
4079 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4080 {
4081 	const struct rfprog *rfprog = rt2860_rf2850;
4082 	uint32_t r2, r3, r4;
4083 	int8_t txpow1, txpow2;
4084 	int i;
4085 
4086 	/* find the settings for this channel (we know it exists) */
4087 	for (i = 0; rfprog[i].chan != chan; i++);
4088 
4089 	r2 = rfprog[i].r2;
4090 	if (sc->ntxchains == 1)
4091 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4092 	if (sc->nrxchains == 1)
4093 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4094 	else if (sc->nrxchains == 2)
4095 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4096 
4097 	/* use Tx power values from EEPROM */
4098 	txpow1 = sc->txpow1[i];
4099 	txpow2 = sc->txpow2[i];
4100 
4101 	/* Initialize RF R3 and R4. */
4102 	r3 = rfprog[i].r3 & 0xffffc1ff;
4103 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4104 	if (chan > 14) {
4105 		if (txpow1 >= 0) {
4106 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4107 			r3 |= (txpow1 << 10) | (1 << 9);
4108 		} else {
4109 			txpow1 += 7;
4110 
4111 			/* txpow1 is not possible larger than 15. */
4112 			r3 |= (txpow1 << 10);
4113 		}
4114 		if (txpow2 >= 0) {
4115 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4116 			r4 |= (txpow2 << 7) | (1 << 6);
4117 		} else {
4118 			txpow2 += 7;
4119 			r4 |= (txpow2 << 7);
4120 		}
4121 	} else {
4122 		/* Set Tx0 power. */
4123 		r3 |= (txpow1 << 9);
4124 
4125 		/* Set frequency offset and Tx1 power. */
4126 		r4 |= (txpow2 << 6);
4127 	}
4128 
4129 	run_rt2870_rf_write(sc, rfprog[i].r1);
4130 	run_rt2870_rf_write(sc, r2);
4131 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4132 	run_rt2870_rf_write(sc, r4);
4133 
4134 	run_delay(sc, 10);
4135 
4136 	run_rt2870_rf_write(sc, rfprog[i].r1);
4137 	run_rt2870_rf_write(sc, r2);
4138 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4139 	run_rt2870_rf_write(sc, r4);
4140 
4141 	run_delay(sc, 10);
4142 
4143 	run_rt2870_rf_write(sc, rfprog[i].r1);
4144 	run_rt2870_rf_write(sc, r2);
4145 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4146 	run_rt2870_rf_write(sc, r4);
4147 }
4148 
4149 static void
4150 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4151 {
4152 	int8_t txpow1, txpow2;
4153 	uint8_t rf;
4154 	int i;
4155 
4156 	/* find the settings for this channel (we know it exists) */
4157 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4158 
4159 	/* use Tx power values from EEPROM */
4160 	txpow1 = sc->txpow1[i];
4161 	txpow2 = sc->txpow2[i];
4162 
4163 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4164 
4165 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4166 	run_rt3070_rf_read(sc, 3, &rf);
4167 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4168 	run_rt3070_rf_write(sc, 3, rf);
4169 
4170 	run_rt3070_rf_read(sc, 6, &rf);
4171 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4172 	run_rt3070_rf_write(sc, 6, rf);
4173 
4174 	/* set Tx0 power */
4175 	run_rt3070_rf_read(sc, 12, &rf);
4176 	rf = (rf & ~0x1f) | txpow1;
4177 	run_rt3070_rf_write(sc, 12, rf);
4178 
4179 	/* set Tx1 power */
4180 	run_rt3070_rf_read(sc, 13, &rf);
4181 	rf = (rf & ~0x1f) | txpow2;
4182 	run_rt3070_rf_write(sc, 13, rf);
4183 
4184 	run_rt3070_rf_read(sc, 1, &rf);
4185 	rf &= ~0xfc;
4186 	if (sc->ntxchains == 1)
4187 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4188 	else if (sc->ntxchains == 2)
4189 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4190 	if (sc->nrxchains == 1)
4191 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4192 	else if (sc->nrxchains == 2)
4193 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4194 	run_rt3070_rf_write(sc, 1, rf);
4195 
4196 	/* set RF offset */
4197 	run_rt3070_rf_read(sc, 23, &rf);
4198 	rf = (rf & ~0x7f) | sc->freq;
4199 	run_rt3070_rf_write(sc, 23, rf);
4200 
4201 	/* program RF filter */
4202 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4203 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4204 	run_rt3070_rf_write(sc, 24, rf);
4205 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4206 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4207 	run_rt3070_rf_write(sc, 31, rf);
4208 
4209 	/* enable RF tuning */
4210 	run_rt3070_rf_read(sc, 7, &rf);
4211 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4212 }
4213 
4214 static void
4215 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4216 {
4217 	int8_t txpow1, txpow2;
4218 	uint32_t tmp;
4219 	uint8_t rf;
4220 	int i;
4221 
4222 	/* find the settings for this channel (we know it exists) */
4223 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4224 
4225 	/* use Tx power values from EEPROM */
4226 	txpow1 = sc->txpow1[i];
4227 	txpow2 = sc->txpow2[i];
4228 
4229 	if (chan <= 14) {
4230 		run_bbp_write(sc, 25, sc->bbp25);
4231 		run_bbp_write(sc, 26, sc->bbp26);
4232 	} else {
4233 		/* enable IQ phase correction */
4234 		run_bbp_write(sc, 25, 0x09);
4235 		run_bbp_write(sc, 26, 0xff);
4236 	}
4237 
4238 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4239 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4240 	run_rt3070_rf_read(sc, 6, &rf);
4241 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4242 	rf |= (chan <= 14) ? 0x08 : 0x04;
4243 	run_rt3070_rf_write(sc, 6, rf);
4244 
4245 	/* set PLL mode */
4246 	run_rt3070_rf_read(sc, 5, &rf);
4247 	rf &= ~(0x08 | 0x04);
4248 	rf |= (chan <= 14) ? 0x04 : 0x08;
4249 	run_rt3070_rf_write(sc, 5, rf);
4250 
4251 	/* set Tx power for chain 0 */
4252 	if (chan <= 14)
4253 		rf = 0x60 | txpow1;
4254 	else
4255 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4256 	run_rt3070_rf_write(sc, 12, rf);
4257 
4258 	/* set Tx power for chain 1 */
4259 	if (chan <= 14)
4260 		rf = 0x60 | txpow2;
4261 	else
4262 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4263 	run_rt3070_rf_write(sc, 13, rf);
4264 
4265 	/* set Tx/Rx streams */
4266 	run_rt3070_rf_read(sc, 1, &rf);
4267 	rf &= ~0xfc;
4268 	if (sc->ntxchains == 1)
4269 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4270 	else if (sc->ntxchains == 2)
4271 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4272 	if (sc->nrxchains == 1)
4273 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4274 	else if (sc->nrxchains == 2)
4275 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4276 	run_rt3070_rf_write(sc, 1, rf);
4277 
4278 	/* set RF offset */
4279 	run_rt3070_rf_read(sc, 23, &rf);
4280 	rf = (rf & ~0x7f) | sc->freq;
4281 	run_rt3070_rf_write(sc, 23, rf);
4282 
4283 	/* program RF filter */
4284 	rf = sc->rf24_20mhz;
4285 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4286 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4287 
4288 	/* enable RF tuning */
4289 	run_rt3070_rf_read(sc, 7, &rf);
4290 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4291 	run_rt3070_rf_write(sc, 7, rf);
4292 
4293 	/* TSSI */
4294 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4295 	run_rt3070_rf_write(sc, 9, rf);
4296 
4297 	/* set loop filter 1 */
4298 	run_rt3070_rf_write(sc, 10, 0xf1);
4299 	/* set loop filter 2 */
4300 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4301 
4302 	/* set tx_mx2_ic */
4303 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4304 	/* set tx_mx1_ic */
4305 	if (chan <= 14)
4306 		rf = 0x48 | sc->txmixgain_2ghz;
4307 	else
4308 		rf = 0x78 | sc->txmixgain_5ghz;
4309 	run_rt3070_rf_write(sc, 16, rf);
4310 
4311 	/* set tx_lo1 */
4312 	run_rt3070_rf_write(sc, 17, 0x23);
4313 	/* set tx_lo2 */
4314 	if (chan <= 14)
4315 		rf = 0x93;
4316 	else if (chan <= 64)
4317 		rf = 0xb7;
4318 	else if (chan <= 128)
4319 		rf = 0x74;
4320 	else
4321 		rf = 0x72;
4322 	run_rt3070_rf_write(sc, 19, rf);
4323 
4324 	/* set rx_lo1 */
4325 	if (chan <= 14)
4326 		rf = 0xb3;
4327 	else if (chan <= 64)
4328 		rf = 0xf6;
4329 	else if (chan <= 128)
4330 		rf = 0xf4;
4331 	else
4332 		rf = 0xf3;
4333 	run_rt3070_rf_write(sc, 20, rf);
4334 
4335 	/* set pfd_delay */
4336 	if (chan <= 14)
4337 		rf = 0x15;
4338 	else if (chan <= 64)
4339 		rf = 0x3d;
4340 	else
4341 		rf = 0x01;
4342 	run_rt3070_rf_write(sc, 25, rf);
4343 
4344 	/* set rx_lo2 */
4345 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4346 	/* set ldo_rf_vc */
4347 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4348 	/* set drv_cc */
4349 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4350 
4351 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4352 	tmp &= ~0x8080;
4353 	if (chan <= 14)
4354 		tmp |= 0x80;
4355 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4356 
4357 	/* enable RF tuning */
4358 	run_rt3070_rf_read(sc, 7, &rf);
4359 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4360 
4361 	run_delay(sc, 2);
4362 }
4363 
4364 static void
4365 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4366 {
4367 	int8_t txpow1, txpow2, txpow3;
4368 	uint8_t h20mhz, rf;
4369 	int i;
4370 
4371 	/* find the settings for this channel (we know it exists) */
4372 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4373 
4374 	/* use Tx power values from EEPROM */
4375 	txpow1 = sc->txpow1[i];
4376 	txpow2 = sc->txpow2[i];
4377 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4378 
4379 	if (chan <= 14) {
4380 		run_bbp_write(sc, 25, sc->bbp25);
4381 		run_bbp_write(sc, 26, sc->bbp26);
4382 	} else {
4383 		/* Enable IQ phase correction. */
4384 		run_bbp_write(sc, 25, 0x09);
4385 		run_bbp_write(sc, 26, 0xff);
4386 	}
4387 
4388 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4389 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4390 	run_rt3070_rf_read(sc, 11, &rf);
4391 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4392 	run_rt3070_rf_write(sc, 11, rf);
4393 
4394 	/* Set pll_idoh. */
4395 	run_rt3070_rf_read(sc, 11, &rf);
4396 	rf &= ~0x4c;
4397 	rf |= (chan <= 14) ? 0x44 : 0x48;
4398 	run_rt3070_rf_write(sc, 11, rf);
4399 
4400 	if (chan <= 14)
4401 		rf = txpow1 & 0x1f;
4402 	else
4403 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4404 	run_rt3070_rf_write(sc, 53, rf);
4405 
4406 	if (chan <= 14)
4407 		rf = txpow2 & 0x1f;
4408 	else
4409 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4410 	run_rt3070_rf_write(sc, 55, rf);
4411 
4412 	if (chan <= 14)
4413 		rf = txpow3 & 0x1f;
4414 	else
4415 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4416 	run_rt3070_rf_write(sc, 54, rf);
4417 
4418 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4419 	if (sc->ntxchains == 3)
4420 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4421 	else
4422 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4423 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4424 	run_rt3070_rf_write(sc, 1, rf);
4425 
4426 	run_adjust_freq_offset(sc);
4427 
4428 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4429 
4430 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4431 	run_rt3070_rf_read(sc, 30, &rf);
4432 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4433 	run_rt3070_rf_write(sc, 30, rf);
4434 
4435 	run_rt3070_rf_read(sc, 36, &rf);
4436 	if (chan <= 14)
4437 		rf |= 0x80;
4438 	else
4439 		rf &= ~0x80;
4440 	run_rt3070_rf_write(sc, 36, rf);
4441 
4442 	/* Set vcolo_bs. */
4443 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4444 	/* Set pfd_delay. */
4445 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4446 
4447 	/* Set vco bias current control. */
4448 	run_rt3070_rf_read(sc, 6, &rf);
4449 	rf &= ~0xc0;
4450 	if (chan <= 14)
4451 		rf |= 0x40;
4452 	else if (chan <= 128)
4453 		rf |= 0x80;
4454 	else
4455 		rf |= 0x40;
4456 	run_rt3070_rf_write(sc, 6, rf);
4457 
4458 	run_rt3070_rf_read(sc, 30, &rf);
4459 	rf = (rf & ~0x18) | 0x10;
4460 	run_rt3070_rf_write(sc, 30, rf);
4461 
4462 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4463 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4464 
4465 	run_rt3070_rf_read(sc, 51, &rf);
4466 	rf = (rf & ~0x03) | 0x01;
4467 	run_rt3070_rf_write(sc, 51, rf);
4468 	/* Set tx_mx1_cc. */
4469 	run_rt3070_rf_read(sc, 51, &rf);
4470 	rf &= ~0x1c;
4471 	rf |= (chan <= 14) ? 0x14 : 0x10;
4472 	run_rt3070_rf_write(sc, 51, rf);
4473 	/* Set tx_mx1_ic. */
4474 	run_rt3070_rf_read(sc, 51, &rf);
4475 	rf &= ~0xe0;
4476 	rf |= (chan <= 14) ? 0x60 : 0x40;
4477 	run_rt3070_rf_write(sc, 51, rf);
4478 	/* Set tx_lo1_ic. */
4479 	run_rt3070_rf_read(sc, 49, &rf);
4480 	rf &= ~0x1c;
4481 	rf |= (chan <= 14) ? 0x0c : 0x08;
4482 	run_rt3070_rf_write(sc, 49, rf);
4483 	/* Set tx_lo1_en. */
4484 	run_rt3070_rf_read(sc, 50, &rf);
4485 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4486 	/* Set drv_cc. */
4487 	run_rt3070_rf_read(sc, 57, &rf);
4488 	rf &= ~0xfc;
4489 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4490 	run_rt3070_rf_write(sc, 57, rf);
4491 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4492 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4493 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4494 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4495 	/* Enable VCO calibration. */
4496 	run_rt3070_rf_read(sc, 3, &rf);
4497 	rf &= ~RT5390_VCOCAL;
4498 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4499 	run_rt3070_rf_write(sc, 3, rf);
4500 
4501 	if (chan <= 14)
4502 		rf = 0x23;
4503 	else if (chan <= 64)
4504 		rf = 0x36;
4505 	else if (chan <= 128)
4506 		rf = 0x32;
4507 	else
4508 		rf = 0x30;
4509 	run_rt3070_rf_write(sc, 39, rf);
4510 	if (chan <= 14)
4511 		rf = 0xbb;
4512 	else if (chan <= 64)
4513 		rf = 0xeb;
4514 	else if (chan <= 128)
4515 		rf = 0xb3;
4516 	else
4517 		rf = 0x9b;
4518 	run_rt3070_rf_write(sc, 45, rf);
4519 
4520 	/* Set FEQ/AEQ control. */
4521 	run_bbp_write(sc, 105, 0x34);
4522 }
4523 
4524 static void
4525 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4526 {
4527 	int8_t txpow1, txpow2;
4528 	uint8_t rf;
4529 	int i;
4530 
4531 	/* find the settings for this channel (we know it exists) */
4532 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4533 
4534 	/* use Tx power values from EEPROM */
4535 	txpow1 = sc->txpow1[i];
4536 	txpow2 = sc->txpow2[i];
4537 
4538 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4539 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4540 	run_rt3070_rf_read(sc, 11, &rf);
4541 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4542 	run_rt3070_rf_write(sc, 11, rf);
4543 
4544 	run_rt3070_rf_read(sc, 49, &rf);
4545 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4546 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4547 	if ((rf & 0x3f) > 0x27)
4548 		rf = (rf & ~0x3f) | 0x27;
4549 	run_rt3070_rf_write(sc, 49, rf);
4550 
4551 	if (sc->mac_ver == 0x5392) {
4552 		run_rt3070_rf_read(sc, 50, &rf);
4553 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4554 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4555 		if ((rf & 0x3f) > 0x27)
4556 			rf = (rf & ~0x3f) | 0x27;
4557 		run_rt3070_rf_write(sc, 50, rf);
4558 	}
4559 
4560 	run_rt3070_rf_read(sc, 1, &rf);
4561 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4562 	if (sc->mac_ver == 0x5392)
4563 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4564 	run_rt3070_rf_write(sc, 1, rf);
4565 
4566 	if (sc->mac_ver != 0x5392) {
4567 		run_rt3070_rf_read(sc, 2, &rf);
4568 		rf |= 0x80;
4569 		run_rt3070_rf_write(sc, 2, rf);
4570 		run_delay(sc, 10);
4571 		rf &= 0x7f;
4572 		run_rt3070_rf_write(sc, 2, rf);
4573 	}
4574 
4575 	run_adjust_freq_offset(sc);
4576 
4577 	if (sc->mac_ver == 0x5392) {
4578 		/* Fix for RT5392C. */
4579 		if (sc->mac_rev >= 0x0223) {
4580 			if (chan <= 4)
4581 				rf = 0x0f;
4582 			else if (chan >= 5 && chan <= 7)
4583 				rf = 0x0e;
4584 			else
4585 				rf = 0x0d;
4586 			run_rt3070_rf_write(sc, 23, rf);
4587 
4588 			if (chan <= 4)
4589 				rf = 0x0c;
4590 			else if (chan == 5)
4591 				rf = 0x0b;
4592 			else if (chan >= 6 && chan <= 7)
4593 				rf = 0x0a;
4594 			else if (chan >= 8 && chan <= 10)
4595 				rf = 0x09;
4596 			else
4597 				rf = 0x08;
4598 			run_rt3070_rf_write(sc, 59, rf);
4599 		} else {
4600 			if (chan <= 11)
4601 				rf = 0x0f;
4602 			else
4603 				rf = 0x0b;
4604 			run_rt3070_rf_write(sc, 59, rf);
4605 		}
4606 	} else {
4607 		/* Fix for RT5390F. */
4608 		if (sc->mac_rev >= 0x0502) {
4609 			if (chan <= 11)
4610 				rf = 0x43;
4611 			else
4612 				rf = 0x23;
4613 			run_rt3070_rf_write(sc, 55, rf);
4614 
4615 			if (chan <= 11)
4616 				rf = 0x0f;
4617 			else if (chan == 12)
4618 				rf = 0x0d;
4619 			else
4620 				rf = 0x0b;
4621 			run_rt3070_rf_write(sc, 59, rf);
4622 		} else {
4623 			run_rt3070_rf_write(sc, 55, 0x44);
4624 			run_rt3070_rf_write(sc, 59, 0x8f);
4625 		}
4626 	}
4627 
4628 	/* Enable VCO calibration. */
4629 	run_rt3070_rf_read(sc, 3, &rf);
4630 	rf |= RT5390_VCOCAL;
4631 	run_rt3070_rf_write(sc, 3, rf);
4632 }
4633 
4634 static void
4635 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4636 {
4637 	const struct rt5592_freqs *freqs;
4638 	uint32_t tmp;
4639 	uint8_t reg, rf, txpow_bound;
4640 	int8_t txpow1, txpow2;
4641 	int i;
4642 
4643 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4644 	freqs = (tmp & RT5592_SEL_XTAL) ?
4645 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4646 
4647 	/* find the settings for this channel (we know it exists) */
4648 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4649 
4650 	/* use Tx power values from EEPROM */
4651 	txpow1 = sc->txpow1[i];
4652 	txpow2 = sc->txpow2[i];
4653 
4654 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4655 	tmp &= ~0x1c000000;
4656 	if (chan > 14)
4657 		tmp |= 0x14000000;
4658 	run_write(sc, RT3070_LDO_CFG0, tmp);
4659 
4660 	/* N setting. */
4661 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4662 	run_rt3070_rf_read(sc, 9, &rf);
4663 	rf &= ~(1 << 4);
4664 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4665 	run_rt3070_rf_write(sc, 9, rf);
4666 
4667 	/* K setting. */
4668 	run_rt3070_rf_read(sc, 9, &rf);
4669 	rf &= ~0x0f;
4670 	rf |= (freqs->k & 0x0f);
4671 	run_rt3070_rf_write(sc, 9, rf);
4672 
4673 	/* Mode setting. */
4674 	run_rt3070_rf_read(sc, 11, &rf);
4675 	rf &= ~0x0c;
4676 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4677 	run_rt3070_rf_write(sc, 11, rf);
4678 	run_rt3070_rf_read(sc, 9, &rf);
4679 	rf &= ~(1 << 7);
4680 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4681 	run_rt3070_rf_write(sc, 9, rf);
4682 
4683 	/* R setting. */
4684 	run_rt3070_rf_read(sc, 11, &rf);
4685 	rf &= ~0x03;
4686 	rf |= (freqs->r - 0x1);
4687 	run_rt3070_rf_write(sc, 11, rf);
4688 
4689 	if (chan <= 14) {
4690 		/* Initialize RF registers for 2GHZ. */
4691 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4692 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4693 			    rt5592_2ghz_def_rf[i].val);
4694 		}
4695 
4696 		rf = (chan <= 10) ? 0x07 : 0x06;
4697 		run_rt3070_rf_write(sc, 23, rf);
4698 		run_rt3070_rf_write(sc, 59, rf);
4699 
4700 		run_rt3070_rf_write(sc, 55, 0x43);
4701 
4702 		/*
4703 		 * RF R49/R50 Tx power ALC code.
4704 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4705 		 */
4706 		reg = 2;
4707 		txpow_bound = 0x27;
4708 	} else {
4709 		/* Initialize RF registers for 5GHZ. */
4710 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4711 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4712 			    rt5592_5ghz_def_rf[i].val);
4713 		}
4714 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4715 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4716 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4717 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4718 				    rt5592_chan_5ghz[i].val);
4719 			}
4720 		}
4721 
4722 		/*
4723 		 * RF R49/R50 Tx power ALC code.
4724 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4725 		 */
4726 		reg = 3;
4727 		txpow_bound = 0x2b;
4728 	}
4729 
4730 	/* RF R49 ch0 Tx power ALC code. */
4731 	run_rt3070_rf_read(sc, 49, &rf);
4732 	rf &= ~0xc0;
4733 	rf |= (reg << 6);
4734 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4735 	if ((rf & 0x3f) > txpow_bound)
4736 		rf = (rf & ~0x3f) | txpow_bound;
4737 	run_rt3070_rf_write(sc, 49, rf);
4738 
4739 	/* RF R50 ch1 Tx power ALC code. */
4740 	run_rt3070_rf_read(sc, 50, &rf);
4741 	rf &= ~(1 << 7 | 1 << 6);
4742 	rf |= (reg << 6);
4743 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4744 	if ((rf & 0x3f) > txpow_bound)
4745 		rf = (rf & ~0x3f) | txpow_bound;
4746 	run_rt3070_rf_write(sc, 50, rf);
4747 
4748 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4749 	run_rt3070_rf_read(sc, 1, &rf);
4750 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4751 	if (sc->ntxchains > 1)
4752 		rf |= RT3070_TX1_PD;
4753 	if (sc->nrxchains > 1)
4754 		rf |= RT3070_RX1_PD;
4755 	run_rt3070_rf_write(sc, 1, rf);
4756 
4757 	run_rt3070_rf_write(sc, 6, 0xe4);
4758 
4759 	run_rt3070_rf_write(sc, 30, 0x10);
4760 	run_rt3070_rf_write(sc, 31, 0x80);
4761 	run_rt3070_rf_write(sc, 32, 0x80);
4762 
4763 	run_adjust_freq_offset(sc);
4764 
4765 	/* Enable VCO calibration. */
4766 	run_rt3070_rf_read(sc, 3, &rf);
4767 	rf |= RT5390_VCOCAL;
4768 	run_rt3070_rf_write(sc, 3, rf);
4769 }
4770 
4771 static void
4772 run_set_rx_antenna(struct run_softc *sc, int aux)
4773 {
4774 	uint32_t tmp;
4775 	uint8_t bbp152;
4776 
4777 	if (aux) {
4778 		if (sc->rf_rev == RT5390_RF_5370) {
4779 			run_bbp_read(sc, 152, &bbp152);
4780 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4781 		} else {
4782 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4783 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4784 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4785 		}
4786 	} else {
4787 		if (sc->rf_rev == RT5390_RF_5370) {
4788 			run_bbp_read(sc, 152, &bbp152);
4789 			run_bbp_write(sc, 152, bbp152 | 0x80);
4790 		} else {
4791 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4792 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4793 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4794 		}
4795 	}
4796 }
4797 
4798 static int
4799 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4800 {
4801 	struct ieee80211com *ic = &sc->sc_ic;
4802 	u_int chan, group;
4803 
4804 	chan = ieee80211_chan2ieee(ic, c);
4805 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4806 		return (EINVAL);
4807 
4808 	if (sc->mac_ver == 0x5592)
4809 		run_rt5592_set_chan(sc, chan);
4810 	else if (sc->mac_ver >= 0x5390)
4811 		run_rt5390_set_chan(sc, chan);
4812 	else if (sc->mac_ver == 0x3593)
4813 		run_rt3593_set_chan(sc, chan);
4814 	else if (sc->mac_ver == 0x3572)
4815 		run_rt3572_set_chan(sc, chan);
4816 	else if (sc->mac_ver >= 0x3070)
4817 		run_rt3070_set_chan(sc, chan);
4818 	else
4819 		run_rt2870_set_chan(sc, chan);
4820 
4821 	/* determine channel group */
4822 	if (chan <= 14)
4823 		group = 0;
4824 	else if (chan <= 64)
4825 		group = 1;
4826 	else if (chan <= 128)
4827 		group = 2;
4828 	else
4829 		group = 3;
4830 
4831 	/* XXX necessary only when group has changed! */
4832 	run_select_chan_group(sc, group);
4833 
4834 	run_delay(sc, 10);
4835 
4836 	/* Perform IQ calibration. */
4837 	if (sc->mac_ver >= 0x5392)
4838 		run_iq_calib(sc, chan);
4839 
4840 	return (0);
4841 }
4842 
4843 static void
4844 run_set_channel(struct ieee80211com *ic)
4845 {
4846 	struct run_softc *sc = ic->ic_softc;
4847 
4848 	RUN_LOCK(sc);
4849 	run_set_chan(sc, ic->ic_curchan);
4850 	RUN_UNLOCK(sc);
4851 
4852 	return;
4853 }
4854 
4855 static void
4856 run_getradiocaps(struct ieee80211com *ic,
4857     int maxchans, int *nchans, struct ieee80211_channel chans[])
4858 {
4859 	struct run_softc *sc = ic->ic_softc;
4860 	uint8_t bands[IEEE80211_MODE_BYTES];
4861 
4862 	memset(bands, 0, sizeof(bands));
4863 	setbit(bands, IEEE80211_MODE_11B);
4864 	setbit(bands, IEEE80211_MODE_11G);
4865 	ieee80211_add_channel_list_2ghz(chans, maxchans, nchans,
4866 	    run_chan_2ghz, nitems(run_chan_2ghz), bands, 0);
4867 
4868 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
4869 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
4870 	    sc->rf_rev == RT5592_RF_5592) {
4871 		setbit(bands, IEEE80211_MODE_11A);
4872 		ieee80211_add_channel_list_5ghz(chans, maxchans, nchans,
4873 		    run_chan_5ghz, nitems(run_chan_5ghz), bands, 0);
4874 	}
4875 }
4876 
4877 static void
4878 run_scan_start(struct ieee80211com *ic)
4879 {
4880 	struct run_softc *sc = ic->ic_softc;
4881 	uint32_t tmp;
4882 
4883 	RUN_LOCK(sc);
4884 
4885 	/* abort TSF synchronization */
4886 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4887 	run_write(sc, RT2860_BCN_TIME_CFG,
4888 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4889 	    RT2860_TBTT_TIMER_EN));
4890 	run_set_bssid(sc, ieee80211broadcastaddr);
4891 
4892 	RUN_UNLOCK(sc);
4893 
4894 	return;
4895 }
4896 
4897 static void
4898 run_scan_end(struct ieee80211com *ic)
4899 {
4900 	struct run_softc *sc = ic->ic_softc;
4901 
4902 	RUN_LOCK(sc);
4903 
4904 	run_enable_tsf_sync(sc);
4905 	run_set_bssid(sc, sc->sc_bssid);
4906 
4907 	RUN_UNLOCK(sc);
4908 
4909 	return;
4910 }
4911 
4912 /*
4913  * Could be called from ieee80211_node_timeout()
4914  * (non-sleepable thread)
4915  */
4916 static void
4917 run_update_beacon(struct ieee80211vap *vap, int item)
4918 {
4919 	struct ieee80211com *ic = vap->iv_ic;
4920 	struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
4921 	struct ieee80211_node *ni = vap->iv_bss;
4922 	struct run_softc *sc = ic->ic_softc;
4923 	struct run_vap *rvp = RUN_VAP(vap);
4924 	int mcast = 0;
4925 	uint32_t i;
4926 
4927 	switch (item) {
4928 	case IEEE80211_BEACON_ERP:
4929 		run_updateslot(ic);
4930 		break;
4931 	case IEEE80211_BEACON_HTINFO:
4932 		run_updateprot(ic);
4933 		break;
4934 	case IEEE80211_BEACON_TIM:
4935 		mcast = 1;	/*TODO*/
4936 		break;
4937 	default:
4938 		break;
4939 	}
4940 
4941 	setbit(bo->bo_flags, item);
4942 	if (rvp->beacon_mbuf == NULL) {
4943 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4944 		if (rvp->beacon_mbuf == NULL)
4945 			return;
4946 	}
4947 	ieee80211_beacon_update(ni, rvp->beacon_mbuf, mcast);
4948 
4949 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4950 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
4951 	sc->cmdq[i].func = run_update_beacon_cb;
4952 	sc->cmdq[i].arg0 = vap;
4953 	ieee80211_runtask(ic, &sc->cmdq_task);
4954 
4955 	return;
4956 }
4957 
4958 static void
4959 run_update_beacon_cb(void *arg)
4960 {
4961 	struct ieee80211vap *vap = arg;
4962 	struct ieee80211_node *ni = vap->iv_bss;
4963 	struct run_vap *rvp = RUN_VAP(vap);
4964 	struct ieee80211com *ic = vap->iv_ic;
4965 	struct run_softc *sc = ic->ic_softc;
4966 	struct rt2860_txwi txwi;
4967 	struct mbuf *m;
4968 	uint16_t txwisize;
4969 	uint8_t ridx;
4970 
4971 	if (ni->ni_chan == IEEE80211_CHAN_ANYC)
4972 		return;
4973 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4974 		return;
4975 
4976 	/*
4977 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4978 	 * is taking care of appropriate calls.
4979 	 */
4980 	if (rvp->beacon_mbuf == NULL) {
4981 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4982 		if (rvp->beacon_mbuf == NULL)
4983 			return;
4984 	}
4985 	m = rvp->beacon_mbuf;
4986 
4987 	memset(&txwi, 0, sizeof(txwi));
4988 	txwi.wcid = 0xff;
4989 	txwi.len = htole16(m->m_pkthdr.len);
4990 
4991 	/* send beacons at the lowest available rate */
4992 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4993 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4994 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4995 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4996 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4997 	txwi.txop = RT2860_TX_TXOP_HT;
4998 	txwi.flags = RT2860_TX_TS;
4999 	txwi.xflags = RT2860_TX_NSEQ;
5000 
5001 	txwisize = (sc->mac_ver == 0x5592) ?
5002 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
5003 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
5004 	    txwisize);
5005 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
5006 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
5007 }
5008 
5009 static void
5010 run_updateprot(struct ieee80211com *ic)
5011 {
5012 	struct run_softc *sc = ic->ic_softc;
5013 	uint32_t i;
5014 
5015 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5016 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
5017 	sc->cmdq[i].func = run_updateprot_cb;
5018 	sc->cmdq[i].arg0 = ic;
5019 	ieee80211_runtask(ic, &sc->cmdq_task);
5020 }
5021 
5022 static void
5023 run_updateprot_cb(void *arg)
5024 {
5025 	struct ieee80211com *ic = arg;
5026 	struct run_softc *sc = ic->ic_softc;
5027 	uint32_t tmp;
5028 
5029 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
5030 	/* setup protection frame rate (MCS code) */
5031 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
5032 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
5033 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
5034 
5035 	/* CCK frames don't require protection */
5036 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
5037 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
5038 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
5039 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
5040 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5041 			tmp |= RT2860_PROT_CTRL_CTS;
5042 	}
5043 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5044 }
5045 
5046 static void
5047 run_usb_timeout_cb(void *arg)
5048 {
5049 	struct ieee80211vap *vap = arg;
5050 	struct run_softc *sc = vap->iv_ic->ic_softc;
5051 
5052 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5053 
5054 	if(vap->iv_state == IEEE80211_S_RUN &&
5055 	    vap->iv_opmode != IEEE80211_M_STA)
5056 		run_reset_livelock(sc);
5057 	else if (vap->iv_state == IEEE80211_S_SCAN) {
5058 		RUN_DPRINTF(sc, RUN_DEBUG_USB | RUN_DEBUG_STATE,
5059 		    "timeout caused by scan\n");
5060 		/* cancel bgscan */
5061 		ieee80211_cancel_scan(vap);
5062 	} else
5063 		RUN_DPRINTF(sc, RUN_DEBUG_USB | RUN_DEBUG_STATE,
5064 		    "timeout by unknown cause\n");
5065 }
5066 
5067 static void
5068 run_reset_livelock(struct run_softc *sc)
5069 {
5070 	uint32_t tmp;
5071 
5072 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5073 
5074 	/*
5075 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5076 	 * can run into a livelock and start sending CTS-to-self frames like
5077 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
5078 	 */
5079 	run_read(sc, RT2860_DEBUG, &tmp);
5080 	RUN_DPRINTF(sc, RUN_DEBUG_RESET, "debug reg %08x\n", tmp);
5081 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5082 		RUN_DPRINTF(sc, RUN_DEBUG_RESET,
5083 		    "CTS-to-self livelock detected\n");
5084 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5085 		run_delay(sc, 1);
5086 		run_write(sc, RT2860_MAC_SYS_CTRL,
5087 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5088 	}
5089 }
5090 
5091 static void
5092 run_update_promisc_locked(struct run_softc *sc)
5093 {
5094         uint32_t tmp;
5095 
5096 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5097 
5098 	tmp |= RT2860_DROP_UC_NOME;
5099         if (sc->sc_ic.ic_promisc > 0)
5100 		tmp &= ~RT2860_DROP_UC_NOME;
5101 
5102 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5103 
5104         RUN_DPRINTF(sc, RUN_DEBUG_RECV, "%s promiscuous mode\n",
5105 	    (sc->sc_ic.ic_promisc > 0) ?  "entering" : "leaving");
5106 }
5107 
5108 static void
5109 run_update_promisc(struct ieee80211com *ic)
5110 {
5111 	struct run_softc *sc = ic->ic_softc;
5112 
5113 	if ((sc->sc_flags & RUN_RUNNING) == 0)
5114 		return;
5115 
5116 	RUN_LOCK(sc);
5117 	run_update_promisc_locked(sc);
5118 	RUN_UNLOCK(sc);
5119 }
5120 
5121 static void
5122 run_enable_tsf_sync(struct run_softc *sc)
5123 {
5124 	struct ieee80211com *ic = &sc->sc_ic;
5125 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5126 	uint32_t tmp;
5127 
5128 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "rvp_id=%d ic_opmode=%d\n",
5129 	    RUN_VAP(vap)->rvp_id, ic->ic_opmode);
5130 
5131 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5132 	tmp &= ~0x1fffff;
5133 	tmp |= vap->iv_bss->ni_intval * 16;
5134 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5135 
5136 	if (ic->ic_opmode == IEEE80211_M_STA) {
5137 		/*
5138 		 * Local TSF is always updated with remote TSF on beacon
5139 		 * reception.
5140 		 */
5141 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5142 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5143 	        tmp |= RT2860_BCN_TX_EN;
5144 	        /*
5145 	         * Local TSF is updated with remote TSF on beacon reception
5146 	         * only if the remote TSF is greater than local TSF.
5147 	         */
5148 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5149 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5150 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5151 	        tmp |= RT2860_BCN_TX_EN;
5152 	        /* SYNC with nobody */
5153 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5154 	} else {
5155 		RUN_DPRINTF(sc, RUN_DEBUG_BEACON,
5156 		    "Enabling TSF failed. undefined opmode\n");
5157 		return;
5158 	}
5159 
5160 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5161 }
5162 
5163 static void
5164 run_enable_tsf(struct run_softc *sc)
5165 {
5166 	uint32_t tmp;
5167 
5168 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5169 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TBTT_TIMER_EN);
5170 		tmp |= RT2860_TSF_TIMER_EN;
5171 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5172 	}
5173 }
5174 
5175 static void
5176 run_get_tsf(struct run_softc *sc, uint64_t *buf)
5177 {
5178 	run_read_region_1(sc, RT2860_TSF_TIMER_DW0, (uint8_t *)buf,
5179 	    sizeof(*buf));
5180 }
5181 
5182 static void
5183 run_enable_mrr(struct run_softc *sc)
5184 {
5185 #define	CCK(mcs)	(mcs)
5186 #define	OFDM(mcs)	(1 << 3 | (mcs))
5187 	run_write(sc, RT2860_LG_FBK_CFG0,
5188 	    OFDM(6) << 28 |	/* 54->48 */
5189 	    OFDM(5) << 24 |	/* 48->36 */
5190 	    OFDM(4) << 20 |	/* 36->24 */
5191 	    OFDM(3) << 16 |	/* 24->18 */
5192 	    OFDM(2) << 12 |	/* 18->12 */
5193 	    OFDM(1) <<  8 |	/* 12-> 9 */
5194 	    OFDM(0) <<  4 |	/*  9-> 6 */
5195 	    OFDM(0));		/*  6-> 6 */
5196 
5197 	run_write(sc, RT2860_LG_FBK_CFG1,
5198 	    CCK(2) << 12 |	/* 11->5.5 */
5199 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5200 	    CCK(0) <<  4 |	/*   2-> 1 */
5201 	    CCK(0));		/*   1-> 1 */
5202 #undef OFDM
5203 #undef CCK
5204 }
5205 
5206 static void
5207 run_set_txpreamble(struct run_softc *sc)
5208 {
5209 	struct ieee80211com *ic = &sc->sc_ic;
5210 	uint32_t tmp;
5211 
5212 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5213 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5214 		tmp |= RT2860_CCK_SHORT_EN;
5215 	else
5216 		tmp &= ~RT2860_CCK_SHORT_EN;
5217 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5218 }
5219 
5220 static void
5221 run_set_basicrates(struct run_softc *sc)
5222 {
5223 	struct ieee80211com *ic = &sc->sc_ic;
5224 
5225 	/* set basic rates mask */
5226 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5227 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5228 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5229 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5230 	else	/* 11g */
5231 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5232 }
5233 
5234 static void
5235 run_set_leds(struct run_softc *sc, uint16_t which)
5236 {
5237 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5238 	    which | (sc->leds & 0x7f));
5239 }
5240 
5241 static void
5242 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5243 {
5244 	run_write(sc, RT2860_MAC_BSSID_DW0,
5245 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5246 	run_write(sc, RT2860_MAC_BSSID_DW1,
5247 	    bssid[4] | bssid[5] << 8);
5248 }
5249 
5250 static void
5251 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5252 {
5253 	run_write(sc, RT2860_MAC_ADDR_DW0,
5254 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5255 	run_write(sc, RT2860_MAC_ADDR_DW1,
5256 	    addr[4] | addr[5] << 8 | 0xff << 16);
5257 }
5258 
5259 static void
5260 run_updateslot(struct ieee80211com *ic)
5261 {
5262 	struct run_softc *sc = ic->ic_softc;
5263 	uint32_t i;
5264 
5265 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5266 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
5267 	sc->cmdq[i].func = run_updateslot_cb;
5268 	sc->cmdq[i].arg0 = ic;
5269 	ieee80211_runtask(ic, &sc->cmdq_task);
5270 
5271 	return;
5272 }
5273 
5274 /* ARGSUSED */
5275 static void
5276 run_updateslot_cb(void *arg)
5277 {
5278 	struct ieee80211com *ic = arg;
5279 	struct run_softc *sc = ic->ic_softc;
5280 	uint32_t tmp;
5281 
5282 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5283 	tmp &= ~0xff;
5284 	tmp |= IEEE80211_GET_SLOTTIME(ic);
5285 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5286 }
5287 
5288 static void
5289 run_update_mcast(struct ieee80211com *ic)
5290 {
5291 }
5292 
5293 static int8_t
5294 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5295 {
5296 	struct ieee80211com *ic = &sc->sc_ic;
5297 	struct ieee80211_channel *c = ic->ic_curchan;
5298 	int delta;
5299 
5300 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5301 		u_int chan = ieee80211_chan2ieee(ic, c);
5302 		delta = sc->rssi_5ghz[rxchain];
5303 
5304 		/* determine channel group */
5305 		if (chan <= 64)
5306 			delta -= sc->lna[1];
5307 		else if (chan <= 128)
5308 			delta -= sc->lna[2];
5309 		else
5310 			delta -= sc->lna[3];
5311 	} else
5312 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5313 
5314 	return (-12 - delta - rssi);
5315 }
5316 
5317 static void
5318 run_rt5390_bbp_init(struct run_softc *sc)
5319 {
5320 	u_int i;
5321 	uint8_t bbp;
5322 
5323 	/* Apply maximum likelihood detection for 2 stream case. */
5324 	run_bbp_read(sc, 105, &bbp);
5325 	if (sc->nrxchains > 1)
5326 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5327 
5328 	/* Avoid data lost and CRC error. */
5329 	run_bbp_read(sc, 4, &bbp);
5330 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5331 
5332 	if (sc->mac_ver == 0x5592) {
5333 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5334 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5335 			    rt5592_def_bbp[i].val);
5336 		}
5337 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5338 			run_bbp_write(sc, 195, i + 0x80);
5339 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5340 		}
5341 	} else {
5342 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5343 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5344 			    rt5390_def_bbp[i].val);
5345 		}
5346 	}
5347 	if (sc->mac_ver == 0x5392) {
5348 		run_bbp_write(sc, 88, 0x90);
5349 		run_bbp_write(sc, 95, 0x9a);
5350 		run_bbp_write(sc, 98, 0x12);
5351 		run_bbp_write(sc, 106, 0x12);
5352 		run_bbp_write(sc, 134, 0xd0);
5353 		run_bbp_write(sc, 135, 0xf6);
5354 		run_bbp_write(sc, 148, 0x84);
5355 	}
5356 
5357 	run_bbp_read(sc, 152, &bbp);
5358 	run_bbp_write(sc, 152, bbp | 0x80);
5359 
5360 	/* Fix BBP254 for RT5592C. */
5361 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5362 		run_bbp_read(sc, 254, &bbp);
5363 		run_bbp_write(sc, 254, bbp | 0x80);
5364 	}
5365 
5366 	/* Disable hardware antenna diversity. */
5367 	if (sc->mac_ver == 0x5390)
5368 		run_bbp_write(sc, 154, 0);
5369 
5370 	/* Initialize Rx CCK/OFDM frequency offset report. */
5371 	run_bbp_write(sc, 142, 1);
5372 	run_bbp_write(sc, 143, 57);
5373 }
5374 
5375 static int
5376 run_bbp_init(struct run_softc *sc)
5377 {
5378 	int i, error, ntries;
5379 	uint8_t bbp0;
5380 
5381 	/* wait for BBP to wake up */
5382 	for (ntries = 0; ntries < 20; ntries++) {
5383 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5384 			return error;
5385 		if (bbp0 != 0 && bbp0 != 0xff)
5386 			break;
5387 	}
5388 	if (ntries == 20)
5389 		return (ETIMEDOUT);
5390 
5391 	/* initialize BBP registers to default values */
5392 	if (sc->mac_ver >= 0x5390)
5393 		run_rt5390_bbp_init(sc);
5394 	else {
5395 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5396 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5397 			    rt2860_def_bbp[i].val);
5398 		}
5399 	}
5400 
5401 	if (sc->mac_ver == 0x3593) {
5402 		run_bbp_write(sc, 79, 0x13);
5403 		run_bbp_write(sc, 80, 0x05);
5404 		run_bbp_write(sc, 81, 0x33);
5405 		run_bbp_write(sc, 86, 0x46);
5406 		run_bbp_write(sc, 137, 0x0f);
5407 	}
5408 
5409 	/* fix BBP84 for RT2860E */
5410 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5411 		run_bbp_write(sc, 84, 0x19);
5412 
5413 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5414 	    sc->mac_ver != 0x5592)) {
5415 		run_bbp_write(sc, 79, 0x13);
5416 		run_bbp_write(sc, 80, 0x05);
5417 		run_bbp_write(sc, 81, 0x33);
5418 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5419 		run_bbp_write(sc, 69, 0x16);
5420 		run_bbp_write(sc, 73, 0x12);
5421 	}
5422 	return (0);
5423 }
5424 
5425 static int
5426 run_rt3070_rf_init(struct run_softc *sc)
5427 {
5428 	uint32_t tmp;
5429 	uint8_t bbp4, mingain, rf, target;
5430 	u_int i;
5431 
5432 	run_rt3070_rf_read(sc, 30, &rf);
5433 	/* toggle RF R30 bit 7 */
5434 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5435 	run_delay(sc, 10);
5436 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5437 
5438 	/* initialize RF registers to default value */
5439 	if (sc->mac_ver == 0x3572) {
5440 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5441 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5442 			    rt3572_def_rf[i].val);
5443 		}
5444 	} else {
5445 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5446 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5447 			    rt3070_def_rf[i].val);
5448 		}
5449 	}
5450 
5451 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5452 		/*
5453 		 * Change voltage from 1.2V to 1.35V for RT3070.
5454 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5455 		 * in RT3070(F).
5456 		 */
5457 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5458 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5459 		run_write(sc, RT3070_LDO_CFG0, tmp);
5460 
5461 	} else if (sc->mac_ver == 0x3071) {
5462 		run_rt3070_rf_read(sc, 6, &rf);
5463 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5464 		run_rt3070_rf_write(sc, 31, 0x14);
5465 
5466 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5467 		tmp &= ~0x1f000000;
5468 		if (sc->mac_rev < 0x0211)
5469 			tmp |= 0x0d000000;	/* 1.3V */
5470 		else
5471 			tmp |= 0x01000000;	/* 1.2V */
5472 		run_write(sc, RT3070_LDO_CFG0, tmp);
5473 
5474 		/* patch LNA_PE_G1 */
5475 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5476 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5477 
5478 	} else if (sc->mac_ver == 0x3572) {
5479 		run_rt3070_rf_read(sc, 6, &rf);
5480 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5481 
5482 		/* increase voltage from 1.2V to 1.35V */
5483 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5484 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5485 		run_write(sc, RT3070_LDO_CFG0, tmp);
5486 
5487 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5488 			run_delay(sc, 1);	/* wait for 1msec */
5489 			/* decrease voltage back to 1.2V */
5490 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5491 			run_write(sc, RT3070_LDO_CFG0, tmp);
5492 		}
5493 	}
5494 
5495 	/* select 20MHz bandwidth */
5496 	run_rt3070_rf_read(sc, 31, &rf);
5497 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5498 
5499 	/* calibrate filter for 20MHz bandwidth */
5500 	sc->rf24_20mhz = 0x1f;	/* default value */
5501 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5502 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5503 
5504 	/* select 40MHz bandwidth */
5505 	run_bbp_read(sc, 4, &bbp4);
5506 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5507 	run_rt3070_rf_read(sc, 31, &rf);
5508 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5509 
5510 	/* calibrate filter for 40MHz bandwidth */
5511 	sc->rf24_40mhz = 0x2f;	/* default value */
5512 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5513 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5514 
5515 	/* go back to 20MHz bandwidth */
5516 	run_bbp_read(sc, 4, &bbp4);
5517 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5518 
5519 	if (sc->mac_ver == 0x3572) {
5520 		/* save default BBP registers 25 and 26 values */
5521 		run_bbp_read(sc, 25, &sc->bbp25);
5522 		run_bbp_read(sc, 26, &sc->bbp26);
5523 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5524 		run_rt3070_rf_write(sc, 27, 0x03);
5525 
5526 	run_read(sc, RT3070_OPT_14, &tmp);
5527 	run_write(sc, RT3070_OPT_14, tmp | 1);
5528 
5529 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5530 		run_rt3070_rf_read(sc, 17, &rf);
5531 		rf &= ~RT3070_TX_LO1;
5532 		if ((sc->mac_ver == 0x3070 ||
5533 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5534 		    !sc->ext_2ghz_lna)
5535 			rf |= 0x20;	/* fix for long range Rx issue */
5536 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5537 		if (sc->txmixgain_2ghz >= mingain)
5538 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5539 		run_rt3070_rf_write(sc, 17, rf);
5540 	}
5541 
5542 	if (sc->mac_ver == 0x3071) {
5543 		run_rt3070_rf_read(sc, 1, &rf);
5544 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5545 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5546 		run_rt3070_rf_write(sc, 1, rf);
5547 
5548 		run_rt3070_rf_read(sc, 15, &rf);
5549 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5550 
5551 		run_rt3070_rf_read(sc, 20, &rf);
5552 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5553 
5554 		run_rt3070_rf_read(sc, 21, &rf);
5555 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5556 	}
5557 
5558 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5559 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5560 		run_rt3070_rf_read(sc, 27, &rf);
5561 		rf &= ~0x77;
5562 		if (sc->mac_rev < 0x0211)
5563 			rf |= 0x03;
5564 		run_rt3070_rf_write(sc, 27, rf);
5565 	}
5566 	return (0);
5567 }
5568 
5569 static void
5570 run_rt3593_rf_init(struct run_softc *sc)
5571 {
5572 	uint32_t tmp;
5573 	uint8_t rf;
5574 	u_int i;
5575 
5576 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5577 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5578 	tmp &= ~(1 << 4 | 1 << 7);
5579 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5580 
5581 	/* Initialize RF registers to default value. */
5582 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5583 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5584 		    rt3593_def_rf[i].val);
5585 	}
5586 
5587 	/* Toggle RF R2 to initiate calibration. */
5588 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5589 
5590 	/* Initialize RF frequency offset. */
5591 	run_adjust_freq_offset(sc);
5592 
5593 	run_rt3070_rf_read(sc, 18, &rf);
5594 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5595 
5596 	/*
5597 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5598 	 * decrease voltage back to 1.2V.
5599 	 */
5600 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5601 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5602 	run_write(sc, RT3070_LDO_CFG0, tmp);
5603 	run_delay(sc, 1);
5604 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5605 	run_write(sc, RT3070_LDO_CFG0, tmp);
5606 
5607 	sc->rf24_20mhz = 0x1f;
5608 	sc->rf24_40mhz = 0x2f;
5609 
5610 	/* Save default BBP registers 25 and 26 values. */
5611 	run_bbp_read(sc, 25, &sc->bbp25);
5612 	run_bbp_read(sc, 26, &sc->bbp26);
5613 
5614 	run_read(sc, RT3070_OPT_14, &tmp);
5615 	run_write(sc, RT3070_OPT_14, tmp | 1);
5616 }
5617 
5618 static void
5619 run_rt5390_rf_init(struct run_softc *sc)
5620 {
5621 	uint32_t tmp;
5622 	uint8_t rf;
5623 	u_int i;
5624 
5625 	/* Toggle RF R2 to initiate calibration. */
5626 	if (sc->mac_ver == 0x5390) {
5627 		run_rt3070_rf_read(sc, 2, &rf);
5628 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5629 		run_delay(sc, 10);
5630 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5631 	} else {
5632 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5633 		run_delay(sc, 10);
5634 	}
5635 
5636 	/* Initialize RF registers to default value. */
5637 	if (sc->mac_ver == 0x5592) {
5638 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5639 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5640 			    rt5592_def_rf[i].val);
5641 		}
5642 		/* Initialize RF frequency offset. */
5643 		run_adjust_freq_offset(sc);
5644 	} else if (sc->mac_ver == 0x5392) {
5645 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5646 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5647 			    rt5392_def_rf[i].val);
5648 		}
5649 		if (sc->mac_rev >= 0x0223) {
5650 			run_rt3070_rf_write(sc, 23, 0x0f);
5651 			run_rt3070_rf_write(sc, 24, 0x3e);
5652 			run_rt3070_rf_write(sc, 51, 0x32);
5653 			run_rt3070_rf_write(sc, 53, 0x22);
5654 			run_rt3070_rf_write(sc, 56, 0xc1);
5655 			run_rt3070_rf_write(sc, 59, 0x0f);
5656 		}
5657 	} else {
5658 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5659 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5660 			    rt5390_def_rf[i].val);
5661 		}
5662 		if (sc->mac_rev >= 0x0502) {
5663 			run_rt3070_rf_write(sc, 6, 0xe0);
5664 			run_rt3070_rf_write(sc, 25, 0x80);
5665 			run_rt3070_rf_write(sc, 46, 0x73);
5666 			run_rt3070_rf_write(sc, 53, 0x00);
5667 			run_rt3070_rf_write(sc, 56, 0x42);
5668 			run_rt3070_rf_write(sc, 61, 0xd1);
5669 		}
5670 	}
5671 
5672 	sc->rf24_20mhz = 0x1f;	/* default value */
5673 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5674 
5675 	if (sc->mac_rev < 0x0211)
5676 		run_rt3070_rf_write(sc, 27, 0x3);
5677 
5678 	run_read(sc, RT3070_OPT_14, &tmp);
5679 	run_write(sc, RT3070_OPT_14, tmp | 1);
5680 }
5681 
5682 static int
5683 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5684     uint8_t *val)
5685 {
5686 	uint8_t rf22, rf24;
5687 	uint8_t bbp55_pb, bbp55_sb, delta;
5688 	int ntries;
5689 
5690 	/* program filter */
5691 	run_rt3070_rf_read(sc, 24, &rf24);
5692 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5693 	run_rt3070_rf_write(sc, 24, rf24);
5694 
5695 	/* enable baseband loopback mode */
5696 	run_rt3070_rf_read(sc, 22, &rf22);
5697 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5698 
5699 	/* set power and frequency of passband test tone */
5700 	run_bbp_write(sc, 24, 0x00);
5701 	for (ntries = 0; ntries < 100; ntries++) {
5702 		/* transmit test tone */
5703 		run_bbp_write(sc, 25, 0x90);
5704 		run_delay(sc, 10);
5705 		/* read received power */
5706 		run_bbp_read(sc, 55, &bbp55_pb);
5707 		if (bbp55_pb != 0)
5708 			break;
5709 	}
5710 	if (ntries == 100)
5711 		return (ETIMEDOUT);
5712 
5713 	/* set power and frequency of stopband test tone */
5714 	run_bbp_write(sc, 24, 0x06);
5715 	for (ntries = 0; ntries < 100; ntries++) {
5716 		/* transmit test tone */
5717 		run_bbp_write(sc, 25, 0x90);
5718 		run_delay(sc, 10);
5719 		/* read received power */
5720 		run_bbp_read(sc, 55, &bbp55_sb);
5721 
5722 		delta = bbp55_pb - bbp55_sb;
5723 		if (delta > target)
5724 			break;
5725 
5726 		/* reprogram filter */
5727 		rf24++;
5728 		run_rt3070_rf_write(sc, 24, rf24);
5729 	}
5730 	if (ntries < 100) {
5731 		if (rf24 != init)
5732 			rf24--;	/* backtrack */
5733 		*val = rf24;
5734 		run_rt3070_rf_write(sc, 24, rf24);
5735 	}
5736 
5737 	/* restore initial state */
5738 	run_bbp_write(sc, 24, 0x00);
5739 
5740 	/* disable baseband loopback mode */
5741 	run_rt3070_rf_read(sc, 22, &rf22);
5742 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5743 
5744 	return (0);
5745 }
5746 
5747 static void
5748 run_rt3070_rf_setup(struct run_softc *sc)
5749 {
5750 	uint8_t bbp, rf;
5751 	int i;
5752 
5753 	if (sc->mac_ver == 0x3572) {
5754 		/* enable DC filter */
5755 		if (sc->mac_rev >= 0x0201)
5756 			run_bbp_write(sc, 103, 0xc0);
5757 
5758 		run_bbp_read(sc, 138, &bbp);
5759 		if (sc->ntxchains == 1)
5760 			bbp |= 0x20;	/* turn off DAC1 */
5761 		if (sc->nrxchains == 1)
5762 			bbp &= ~0x02;	/* turn off ADC1 */
5763 		run_bbp_write(sc, 138, bbp);
5764 
5765 		if (sc->mac_rev >= 0x0211) {
5766 			/* improve power consumption */
5767 			run_bbp_read(sc, 31, &bbp);
5768 			run_bbp_write(sc, 31, bbp & ~0x03);
5769 		}
5770 
5771 		run_rt3070_rf_read(sc, 16, &rf);
5772 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5773 		run_rt3070_rf_write(sc, 16, rf);
5774 
5775 	} else if (sc->mac_ver == 0x3071) {
5776 		if (sc->mac_rev >= 0x0211) {
5777 			/* enable DC filter */
5778 			run_bbp_write(sc, 103, 0xc0);
5779 
5780 			/* improve power consumption */
5781 			run_bbp_read(sc, 31, &bbp);
5782 			run_bbp_write(sc, 31, bbp & ~0x03);
5783 		}
5784 
5785 		run_bbp_read(sc, 138, &bbp);
5786 		if (sc->ntxchains == 1)
5787 			bbp |= 0x20;	/* turn off DAC1 */
5788 		if (sc->nrxchains == 1)
5789 			bbp &= ~0x02;	/* turn off ADC1 */
5790 		run_bbp_write(sc, 138, bbp);
5791 
5792 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5793 		if (sc->mac_rev < 0x0211) {
5794 			run_write(sc, RT2860_TX_SW_CFG2,
5795 			    sc->patch_dac ? 0x2c : 0x0f);
5796 		} else
5797 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5798 
5799 	} else if (sc->mac_ver == 0x3070) {
5800 		if (sc->mac_rev >= 0x0201) {
5801 			/* enable DC filter */
5802 			run_bbp_write(sc, 103, 0xc0);
5803 
5804 			/* improve power consumption */
5805 			run_bbp_read(sc, 31, &bbp);
5806 			run_bbp_write(sc, 31, bbp & ~0x03);
5807 		}
5808 
5809 		if (sc->mac_rev < 0x0201) {
5810 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5811 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5812 		} else
5813 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5814 	}
5815 
5816 	/* initialize RF registers from ROM for >=RT3071*/
5817 	if (sc->mac_ver >= 0x3071) {
5818 		for (i = 0; i < 10; i++) {
5819 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5820 				continue;
5821 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5822 		}
5823 	}
5824 }
5825 
5826 static void
5827 run_rt3593_rf_setup(struct run_softc *sc)
5828 {
5829 	uint8_t bbp, rf;
5830 
5831 	if (sc->mac_rev >= 0x0211) {
5832 		/* Enable DC filter. */
5833 		run_bbp_write(sc, 103, 0xc0);
5834 	}
5835 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5836 	if (sc->mac_rev < 0x0211) {
5837 		run_write(sc, RT2860_TX_SW_CFG2,
5838 		    sc->patch_dac ? 0x2c : 0x0f);
5839 	} else
5840 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5841 
5842 	run_rt3070_rf_read(sc, 50, &rf);
5843 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5844 
5845 	run_rt3070_rf_read(sc, 51, &rf);
5846 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5847 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5848 	run_rt3070_rf_write(sc, 51, rf);
5849 
5850 	run_rt3070_rf_read(sc, 38, &rf);
5851 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5852 
5853 	run_rt3070_rf_read(sc, 39, &rf);
5854 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5855 
5856 	run_rt3070_rf_read(sc, 1, &rf);
5857 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5858 
5859 	run_rt3070_rf_read(sc, 30, &rf);
5860 	rf = (rf & ~0x18) | 0x10;
5861 	run_rt3070_rf_write(sc, 30, rf);
5862 
5863 	/* Apply maximum likelihood detection for 2 stream case. */
5864 	run_bbp_read(sc, 105, &bbp);
5865 	if (sc->nrxchains > 1)
5866 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5867 
5868 	/* Avoid data lost and CRC error. */
5869 	run_bbp_read(sc, 4, &bbp);
5870 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5871 
5872 	run_bbp_write(sc, 92, 0x02);
5873 	run_bbp_write(sc, 82, 0x82);
5874 	run_bbp_write(sc, 106, 0x05);
5875 	run_bbp_write(sc, 104, 0x92);
5876 	run_bbp_write(sc, 88, 0x90);
5877 	run_bbp_write(sc, 148, 0xc8);
5878 	run_bbp_write(sc, 47, 0x48);
5879 	run_bbp_write(sc, 120, 0x50);
5880 
5881 	run_bbp_write(sc, 163, 0x9d);
5882 
5883 	/* SNR mapping. */
5884 	run_bbp_write(sc, 142, 0x06);
5885 	run_bbp_write(sc, 143, 0xa0);
5886 	run_bbp_write(sc, 142, 0x07);
5887 	run_bbp_write(sc, 143, 0xa1);
5888 	run_bbp_write(sc, 142, 0x08);
5889 	run_bbp_write(sc, 143, 0xa2);
5890 
5891 	run_bbp_write(sc, 31, 0x08);
5892 	run_bbp_write(sc, 68, 0x0b);
5893 	run_bbp_write(sc, 105, 0x04);
5894 }
5895 
5896 static void
5897 run_rt5390_rf_setup(struct run_softc *sc)
5898 {
5899 	uint8_t bbp, rf;
5900 
5901 	if (sc->mac_rev >= 0x0211) {
5902 		/* Enable DC filter. */
5903 		run_bbp_write(sc, 103, 0xc0);
5904 
5905 		if (sc->mac_ver != 0x5592) {
5906 			/* Improve power consumption. */
5907 			run_bbp_read(sc, 31, &bbp);
5908 			run_bbp_write(sc, 31, bbp & ~0x03);
5909 		}
5910 	}
5911 
5912 	run_bbp_read(sc, 138, &bbp);
5913 	if (sc->ntxchains == 1)
5914 		bbp |= 0x20;	/* turn off DAC1 */
5915 	if (sc->nrxchains == 1)
5916 		bbp &= ~0x02;	/* turn off ADC1 */
5917 	run_bbp_write(sc, 138, bbp);
5918 
5919 	run_rt3070_rf_read(sc, 38, &rf);
5920 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5921 
5922 	run_rt3070_rf_read(sc, 39, &rf);
5923 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5924 
5925 	/* Avoid data lost and CRC error. */
5926 	run_bbp_read(sc, 4, &bbp);
5927 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5928 
5929 	run_rt3070_rf_read(sc, 30, &rf);
5930 	rf = (rf & ~0x18) | 0x10;
5931 	run_rt3070_rf_write(sc, 30, rf);
5932 
5933 	if (sc->mac_ver != 0x5592) {
5934 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5935 		if (sc->mac_rev < 0x0211) {
5936 			run_write(sc, RT2860_TX_SW_CFG2,
5937 			    sc->patch_dac ? 0x2c : 0x0f);
5938 		} else
5939 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5940 	}
5941 }
5942 
5943 static int
5944 run_txrx_enable(struct run_softc *sc)
5945 {
5946 	struct ieee80211com *ic = &sc->sc_ic;
5947 	uint32_t tmp;
5948 	int error, ntries;
5949 
5950 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5951 	for (ntries = 0; ntries < 200; ntries++) {
5952 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5953 			return (error);
5954 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5955 			break;
5956 		run_delay(sc, 50);
5957 	}
5958 	if (ntries == 200)
5959 		return (ETIMEDOUT);
5960 
5961 	run_delay(sc, 50);
5962 
5963 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5964 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5965 
5966 	/* enable Rx bulk aggregation (set timeout and limit) */
5967 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5968 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5969 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5970 
5971 	/* set Rx filter */
5972 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5973 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5974 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5975 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5976 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5977 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5978 		if (ic->ic_opmode == IEEE80211_M_STA)
5979 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5980 	}
5981 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5982 
5983 	run_write(sc, RT2860_MAC_SYS_CTRL,
5984 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5985 
5986 	return (0);
5987 }
5988 
5989 static void
5990 run_adjust_freq_offset(struct run_softc *sc)
5991 {
5992 	uint8_t rf, tmp;
5993 
5994 	run_rt3070_rf_read(sc, 17, &rf);
5995 	tmp = rf;
5996 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5997 	rf = MIN(rf, 0x5f);
5998 
5999 	if (tmp != rf)
6000 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
6001 }
6002 
6003 static void
6004 run_init_locked(struct run_softc *sc)
6005 {
6006 	struct ieee80211com *ic = &sc->sc_ic;
6007 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
6008 	uint32_t tmp;
6009 	uint8_t bbp1, bbp3;
6010 	int i;
6011 	int ridx;
6012 	int ntries;
6013 
6014 	if (ic->ic_nrunning > 1)
6015 		return;
6016 
6017 	run_stop(sc);
6018 
6019 	if (run_load_microcode(sc) != 0) {
6020 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
6021 		goto fail;
6022 	}
6023 
6024 	for (ntries = 0; ntries < 100; ntries++) {
6025 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
6026 			goto fail;
6027 		if (tmp != 0 && tmp != 0xffffffff)
6028 			break;
6029 		run_delay(sc, 10);
6030 	}
6031 	if (ntries == 100)
6032 		goto fail;
6033 
6034 	for (i = 0; i != RUN_EP_QUEUES; i++)
6035 		run_setup_tx_list(sc, &sc->sc_epq[i]);
6036 
6037 	run_set_macaddr(sc, vap ? vap->iv_myaddr : ic->ic_macaddr);
6038 
6039 	for (ntries = 0; ntries < 100; ntries++) {
6040 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6041 			goto fail;
6042 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6043 			break;
6044 		run_delay(sc, 10);
6045 	}
6046 	if (ntries == 100) {
6047 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6048 		goto fail;
6049 	}
6050 	tmp &= 0xff0;
6051 	tmp |= RT2860_TX_WB_DDONE;
6052 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6053 
6054 	/* turn off PME_OEN to solve high-current issue */
6055 	run_read(sc, RT2860_SYS_CTRL, &tmp);
6056 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
6057 
6058 	run_write(sc, RT2860_MAC_SYS_CTRL,
6059 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
6060 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6061 
6062 	if (run_reset(sc) != 0) {
6063 		device_printf(sc->sc_dev, "could not reset chipset\n");
6064 		goto fail;
6065 	}
6066 
6067 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6068 
6069 	/* init Tx power for all Tx rates (from EEPROM) */
6070 	for (ridx = 0; ridx < 5; ridx++) {
6071 		if (sc->txpow20mhz[ridx] == 0xffffffff)
6072 			continue;
6073 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6074 	}
6075 
6076 	for (i = 0; i < nitems(rt2870_def_mac); i++)
6077 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6078 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6079 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6080 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6081 
6082 	if (sc->mac_ver >= 0x5390) {
6083 		run_write(sc, RT2860_TX_SW_CFG0,
6084 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6085 		if (sc->mac_ver >= 0x5392) {
6086 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6087 			if (sc->mac_ver == 0x5592) {
6088 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6089 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6090 			} else {
6091 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6092 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6093 			}
6094 		}
6095 	} else if (sc->mac_ver == 0x3593) {
6096 		run_write(sc, RT2860_TX_SW_CFG0,
6097 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6098 	} else if (sc->mac_ver >= 0x3070) {
6099 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6100 		run_write(sc, RT2860_TX_SW_CFG0,
6101 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6102 	}
6103 
6104 	/* wait while MAC is busy */
6105 	for (ntries = 0; ntries < 100; ntries++) {
6106 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6107 			goto fail;
6108 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6109 			break;
6110 		run_delay(sc, 10);
6111 	}
6112 	if (ntries == 100)
6113 		goto fail;
6114 
6115 	/* clear Host to MCU mailbox */
6116 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6117 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6118 	run_delay(sc, 10);
6119 
6120 	if (run_bbp_init(sc) != 0) {
6121 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6122 		goto fail;
6123 	}
6124 
6125 	/* abort TSF synchronization */
6126 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6127 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6128 	    RT2860_TBTT_TIMER_EN);
6129 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6130 
6131 	/* clear RX WCID search table */
6132 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6133 	/* clear WCID attribute table */
6134 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6135 
6136 	/* hostapd sets a key before init. So, don't clear it. */
6137 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6138 		/* clear shared key table */
6139 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6140 		/* clear shared key mode */
6141 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6142 	}
6143 
6144 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6145 	tmp = (tmp & ~0xff) | 0x1e;
6146 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6147 
6148 	if (sc->mac_rev != 0x0101)
6149 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6150 
6151 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6152 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6153 
6154 	/* write vendor-specific BBP values (from EEPROM) */
6155 	if (sc->mac_ver < 0x3593) {
6156 		for (i = 0; i < 10; i++) {
6157 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6158 				continue;
6159 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6160 		}
6161 	}
6162 
6163 	/* select Main antenna for 1T1R devices */
6164 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6165 		run_set_rx_antenna(sc, 0);
6166 
6167 	/* send LEDs operating mode to microcontroller */
6168 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6169 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6170 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6171 
6172 	if (sc->mac_ver >= 0x5390)
6173 		run_rt5390_rf_init(sc);
6174 	else if (sc->mac_ver == 0x3593)
6175 		run_rt3593_rf_init(sc);
6176 	else if (sc->mac_ver >= 0x3070)
6177 		run_rt3070_rf_init(sc);
6178 
6179 	/* disable non-existing Rx chains */
6180 	run_bbp_read(sc, 3, &bbp3);
6181 	bbp3 &= ~(1 << 3 | 1 << 4);
6182 	if (sc->nrxchains == 2)
6183 		bbp3 |= 1 << 3;
6184 	else if (sc->nrxchains == 3)
6185 		bbp3 |= 1 << 4;
6186 	run_bbp_write(sc, 3, bbp3);
6187 
6188 	/* disable non-existing Tx chains */
6189 	run_bbp_read(sc, 1, &bbp1);
6190 	if (sc->ntxchains == 1)
6191 		bbp1 &= ~(1 << 3 | 1 << 4);
6192 	run_bbp_write(sc, 1, bbp1);
6193 
6194 	if (sc->mac_ver >= 0x5390)
6195 		run_rt5390_rf_setup(sc);
6196 	else if (sc->mac_ver == 0x3593)
6197 		run_rt3593_rf_setup(sc);
6198 	else if (sc->mac_ver >= 0x3070)
6199 		run_rt3070_rf_setup(sc);
6200 
6201 	/* select default channel */
6202 	run_set_chan(sc, ic->ic_curchan);
6203 
6204 	/* setup initial protection mode */
6205 	run_updateprot_cb(ic);
6206 
6207 	/* turn radio LED on */
6208 	run_set_leds(sc, RT2860_LED_RADIO);
6209 
6210 	sc->sc_flags |= RUN_RUNNING;
6211 	sc->cmdq_run = RUN_CMDQ_GO;
6212 
6213 	for (i = 0; i != RUN_N_XFER; i++)
6214 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6215 
6216 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6217 
6218 	if (run_txrx_enable(sc) != 0)
6219 		goto fail;
6220 
6221 	return;
6222 
6223 fail:
6224 	run_stop(sc);
6225 }
6226 
6227 static void
6228 run_stop(void *arg)
6229 {
6230 	struct run_softc *sc = (struct run_softc *)arg;
6231 	uint32_t tmp;
6232 	int i;
6233 	int ntries;
6234 
6235 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6236 
6237 	if (sc->sc_flags & RUN_RUNNING)
6238 		run_set_leds(sc, 0);	/* turn all LEDs off */
6239 
6240 	sc->sc_flags &= ~RUN_RUNNING;
6241 
6242 	sc->ratectl_run = RUN_RATECTL_OFF;
6243 	sc->cmdq_run = sc->cmdq_key_set;
6244 
6245 	RUN_UNLOCK(sc);
6246 
6247 	for(i = 0; i < RUN_N_XFER; i++)
6248 		usbd_transfer_drain(sc->sc_xfer[i]);
6249 
6250 	RUN_LOCK(sc);
6251 
6252 	run_drain_mbufq(sc);
6253 
6254 	if (sc->rx_m != NULL) {
6255 		m_free(sc->rx_m);
6256 		sc->rx_m = NULL;
6257 	}
6258 
6259 	/* Disable Tx/Rx DMA. */
6260 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6261 		return;
6262 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6263 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6264 
6265 	for (ntries = 0; ntries < 100; ntries++) {
6266 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6267 			return;
6268 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6269 				break;
6270 		run_delay(sc, 10);
6271 	}
6272 	if (ntries == 100) {
6273 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6274 		return;
6275 	}
6276 
6277 	/* disable Tx/Rx */
6278 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6279 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6280 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6281 
6282 	/* wait for pending Tx to complete */
6283 	for (ntries = 0; ntries < 100; ntries++) {
6284 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6285 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6286 			    "Cannot read Tx queue count\n");
6287 			break;
6288 		}
6289 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6290 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6291 			    "All Tx cleared\n");
6292 			break;
6293 		}
6294 		run_delay(sc, 10);
6295 	}
6296 	if (ntries >= 100)
6297 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6298 		    "There are still pending Tx\n");
6299 	run_delay(sc, 10);
6300 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6301 
6302 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6303 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6304 
6305 	for (i = 0; i != RUN_EP_QUEUES; i++)
6306 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6307 }
6308 
6309 static void
6310 run_delay(struct run_softc *sc, u_int ms)
6311 {
6312 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6313 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6314 }
6315 
6316 static device_method_t run_methods[] = {
6317 	/* Device interface */
6318 	DEVMETHOD(device_probe,		run_match),
6319 	DEVMETHOD(device_attach,	run_attach),
6320 	DEVMETHOD(device_detach,	run_detach),
6321 	DEVMETHOD_END
6322 };
6323 
6324 static driver_t run_driver = {
6325 	.name = "run",
6326 	.methods = run_methods,
6327 	.size = sizeof(struct run_softc)
6328 };
6329 
6330 static devclass_t run_devclass;
6331 
6332 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6333 MODULE_DEPEND(run, wlan, 1, 1, 1);
6334 MODULE_DEPEND(run, usb, 1, 1, 1);
6335 MODULE_DEPEND(run, firmware, 1, 1, 1);
6336 MODULE_VERSION(run, 1);
6337 USB_PNP_HOST_INFO(run_devs);
6338