xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 46c1105fbb6fbff6d6ccd0a18571342eb992d637)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RWTUN, &run_debug, 0,
88     "run debug level");
89 #endif
90 
91 #define	IEEE80211_HAS_ADDR4(wh)	IEEE80211_IS_DSTODS(wh)
92 
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98 
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101 #define	RUN_DEV_EJECT(v,p)	\
102 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
103 #define	RUN_EJECT	1
104     RUN_DEV(ABOCOM,		RT2770),
105     RUN_DEV(ABOCOM,		RT2870),
106     RUN_DEV(ABOCOM,		RT3070),
107     RUN_DEV(ABOCOM,		RT3071),
108     RUN_DEV(ABOCOM,		RT3072),
109     RUN_DEV(ABOCOM2,		RT2870_1),
110     RUN_DEV(ACCTON,		RT2770),
111     RUN_DEV(ACCTON,		RT2870_1),
112     RUN_DEV(ACCTON,		RT2870_2),
113     RUN_DEV(ACCTON,		RT2870_3),
114     RUN_DEV(ACCTON,		RT2870_4),
115     RUN_DEV(ACCTON,		RT2870_5),
116     RUN_DEV(ACCTON,		RT3070),
117     RUN_DEV(ACCTON,		RT3070_1),
118     RUN_DEV(ACCTON,		RT3070_2),
119     RUN_DEV(ACCTON,		RT3070_3),
120     RUN_DEV(ACCTON,		RT3070_4),
121     RUN_DEV(ACCTON,		RT3070_5),
122     RUN_DEV(AIRTIES,		RT3070),
123     RUN_DEV(ALLWIN,		RT2070),
124     RUN_DEV(ALLWIN,		RT2770),
125     RUN_DEV(ALLWIN,		RT2870),
126     RUN_DEV(ALLWIN,		RT3070),
127     RUN_DEV(ALLWIN,		RT3071),
128     RUN_DEV(ALLWIN,		RT3072),
129     RUN_DEV(ALLWIN,		RT3572),
130     RUN_DEV(AMIGO,		RT2870_1),
131     RUN_DEV(AMIGO,		RT2870_2),
132     RUN_DEV(AMIT,		CGWLUSB2GNR),
133     RUN_DEV(AMIT,		RT2870_1),
134     RUN_DEV(AMIT2,		RT2870),
135     RUN_DEV(ASUS,		RT2870_1),
136     RUN_DEV(ASUS,		RT2870_2),
137     RUN_DEV(ASUS,		RT2870_3),
138     RUN_DEV(ASUS,		RT2870_4),
139     RUN_DEV(ASUS,		RT2870_5),
140     RUN_DEV(ASUS,		USBN13),
141     RUN_DEV(ASUS,		RT3070_1),
142     RUN_DEV(ASUS,		USBN66),
143     RUN_DEV(ASUS,		USB_N53),
144     RUN_DEV(ASUS2,		USBN11),
145     RUN_DEV(AZUREWAVE,		RT2870_1),
146     RUN_DEV(AZUREWAVE,		RT2870_2),
147     RUN_DEV(AZUREWAVE,		RT3070_1),
148     RUN_DEV(AZUREWAVE,		RT3070_2),
149     RUN_DEV(AZUREWAVE,		RT3070_3),
150     RUN_DEV(BELKIN,		F9L1103),
151     RUN_DEV(BELKIN,		F5D8053V3),
152     RUN_DEV(BELKIN,		F5D8055),
153     RUN_DEV(BELKIN,		F5D8055V2),
154     RUN_DEV(BELKIN,		F6D4050V1),
155     RUN_DEV(BELKIN,		F6D4050V2),
156     RUN_DEV(BELKIN,		RT2870_1),
157     RUN_DEV(BELKIN,		RT2870_2),
158     RUN_DEV(CISCOLINKSYS,	AE1000),
159     RUN_DEV(CISCOLINKSYS2,	RT3070),
160     RUN_DEV(CISCOLINKSYS3,	RT3070),
161     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
164     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
165     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
166     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
167     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
168     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
169     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
170     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
171     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
172     RUN_DEV(COREGA,		CGWLUSB300GNM),
173     RUN_DEV(COREGA,		RT2870_1),
174     RUN_DEV(COREGA,		RT2870_2),
175     RUN_DEV(COREGA,		RT2870_3),
176     RUN_DEV(COREGA,		RT3070),
177     RUN_DEV(CYBERTAN,		RT2870),
178     RUN_DEV(DLINK,		RT2870),
179     RUN_DEV(DLINK,		RT3072),
180     RUN_DEV(DLINK,		DWA127),
181     RUN_DEV(DLINK,		DWA140B3),
182     RUN_DEV(DLINK,		DWA160B2),
183     RUN_DEV(DLINK,		DWA140D1),
184     RUN_DEV(DLINK,		DWA162),
185     RUN_DEV(DLINK2,		DWA130),
186     RUN_DEV(DLINK2,		RT2870_1),
187     RUN_DEV(DLINK2,		RT2870_2),
188     RUN_DEV(DLINK2,		RT3070_1),
189     RUN_DEV(DLINK2,		RT3070_2),
190     RUN_DEV(DLINK2,		RT3070_3),
191     RUN_DEV(DLINK2,		RT3070_4),
192     RUN_DEV(DLINK2,		RT3070_5),
193     RUN_DEV(DLINK2,		RT3072),
194     RUN_DEV(DLINK2,		RT3072_1),
195     RUN_DEV(EDIMAX,		EW7717),
196     RUN_DEV(EDIMAX,		EW7718),
197     RUN_DEV(EDIMAX,		EW7733UND),
198     RUN_DEV(EDIMAX,		RT2870_1),
199     RUN_DEV(ENCORE,		RT3070_1),
200     RUN_DEV(ENCORE,		RT3070_2),
201     RUN_DEV(ENCORE,		RT3070_3),
202     RUN_DEV(GIGABYTE,		GNWB31N),
203     RUN_DEV(GIGABYTE,		GNWB32L),
204     RUN_DEV(GIGABYTE,		RT2870_1),
205     RUN_DEV(GIGASET,		RT3070_1),
206     RUN_DEV(GIGASET,		RT3070_2),
207     RUN_DEV(GUILLEMOT,		HWNU300),
208     RUN_DEV(HAWKING,		HWUN2),
209     RUN_DEV(HAWKING,		RT2870_1),
210     RUN_DEV(HAWKING,		RT2870_2),
211     RUN_DEV(HAWKING,		RT3070),
212     RUN_DEV(IODATA,		RT3072_1),
213     RUN_DEV(IODATA,		RT3072_2),
214     RUN_DEV(IODATA,		RT3072_3),
215     RUN_DEV(IODATA,		RT3072_4),
216     RUN_DEV(LINKSYS4,		RT3070),
217     RUN_DEV(LINKSYS4,		WUSB100),
218     RUN_DEV(LINKSYS4,		WUSB54GCV3),
219     RUN_DEV(LINKSYS4,		WUSB600N),
220     RUN_DEV(LINKSYS4,		WUSB600NV2),
221     RUN_DEV(LOGITEC,		RT2870_1),
222     RUN_DEV(LOGITEC,		RT2870_2),
223     RUN_DEV(LOGITEC,		RT2870_3),
224     RUN_DEV(LOGITEC,		LANW300NU2),
225     RUN_DEV(LOGITEC,		LANW150NU2),
226     RUN_DEV(LOGITEC,		LANW300NU2S),
227     RUN_DEV(MELCO,		WLIUCG300HP),
228     RUN_DEV(MELCO,		RT2870_2),
229     RUN_DEV(MELCO,		WLIUCAG300N),
230     RUN_DEV(MELCO,		WLIUCG300N),
231     RUN_DEV(MELCO,		WLIUCG301N),
232     RUN_DEV(MELCO,		WLIUCGN),
233     RUN_DEV(MELCO,		WLIUCGNM),
234     RUN_DEV(MELCO,		WLIUCG300HPV1),
235     RUN_DEV(MELCO,		WLIUCGNM2),
236     RUN_DEV(MOTOROLA4,		RT2770),
237     RUN_DEV(MOTOROLA4,		RT3070),
238     RUN_DEV(MSI,		RT3070_1),
239     RUN_DEV(MSI,		RT3070_2),
240     RUN_DEV(MSI,		RT3070_3),
241     RUN_DEV(MSI,		RT3070_4),
242     RUN_DEV(MSI,		RT3070_5),
243     RUN_DEV(MSI,		RT3070_6),
244     RUN_DEV(MSI,		RT3070_7),
245     RUN_DEV(MSI,		RT3070_8),
246     RUN_DEV(MSI,		RT3070_9),
247     RUN_DEV(MSI,		RT3070_10),
248     RUN_DEV(MSI,		RT3070_11),
249     RUN_DEV(NETGEAR,		WNDA4100),
250     RUN_DEV(OVISLINK,		RT3072),
251     RUN_DEV(PARA,		RT3070),
252     RUN_DEV(PEGATRON,		RT2870),
253     RUN_DEV(PEGATRON,		RT3070),
254     RUN_DEV(PEGATRON,		RT3070_2),
255     RUN_DEV(PEGATRON,		RT3070_3),
256     RUN_DEV(PHILIPS,		RT2870),
257     RUN_DEV(PLANEX2,		GWUS300MINIS),
258     RUN_DEV(PLANEX2,		GWUSMICRON),
259     RUN_DEV(PLANEX2,		RT2870),
260     RUN_DEV(PLANEX2,		RT3070),
261     RUN_DEV(QCOM,		RT2870),
262     RUN_DEV(QUANTA,		RT3070),
263     RUN_DEV(RALINK,		RT2070),
264     RUN_DEV(RALINK,		RT2770),
265     RUN_DEV(RALINK,		RT2870),
266     RUN_DEV(RALINK,		RT3070),
267     RUN_DEV(RALINK,		RT3071),
268     RUN_DEV(RALINK,		RT3072),
269     RUN_DEV(RALINK,		RT3370),
270     RUN_DEV(RALINK,		RT3572),
271     RUN_DEV(RALINK,		RT3573),
272     RUN_DEV(RALINK,		RT5370),
273     RUN_DEV(RALINK,		RT5572),
274     RUN_DEV(RALINK,		RT8070),
275     RUN_DEV(SAMSUNG,		WIS09ABGN),
276     RUN_DEV(SAMSUNG2,		RT2870_1),
277     RUN_DEV(SENAO,		RT2870_1),
278     RUN_DEV(SENAO,		RT2870_2),
279     RUN_DEV(SENAO,		RT2870_3),
280     RUN_DEV(SENAO,		RT2870_4),
281     RUN_DEV(SENAO,		RT3070),
282     RUN_DEV(SENAO,		RT3071),
283     RUN_DEV(SENAO,		RT3072_1),
284     RUN_DEV(SENAO,		RT3072_2),
285     RUN_DEV(SENAO,		RT3072_3),
286     RUN_DEV(SENAO,		RT3072_4),
287     RUN_DEV(SENAO,		RT3072_5),
288     RUN_DEV(SITECOMEU,		RT2770),
289     RUN_DEV(SITECOMEU,		RT2870_1),
290     RUN_DEV(SITECOMEU,		RT2870_2),
291     RUN_DEV(SITECOMEU,		RT2870_3),
292     RUN_DEV(SITECOMEU,		RT2870_4),
293     RUN_DEV(SITECOMEU,		RT3070),
294     RUN_DEV(SITECOMEU,		RT3070_2),
295     RUN_DEV(SITECOMEU,		RT3070_3),
296     RUN_DEV(SITECOMEU,		RT3070_4),
297     RUN_DEV(SITECOMEU,		RT3071),
298     RUN_DEV(SITECOMEU,		RT3072_1),
299     RUN_DEV(SITECOMEU,		RT3072_2),
300     RUN_DEV(SITECOMEU,		RT3072_3),
301     RUN_DEV(SITECOMEU,		RT3072_4),
302     RUN_DEV(SITECOMEU,		RT3072_5),
303     RUN_DEV(SITECOMEU,		RT3072_6),
304     RUN_DEV(SITECOMEU,		WL608),
305     RUN_DEV(SPARKLAN,		RT2870_1),
306     RUN_DEV(SPARKLAN,		RT3070),
307     RUN_DEV(SWEEX2,		LW153),
308     RUN_DEV(SWEEX2,		LW303),
309     RUN_DEV(SWEEX2,		LW313),
310     RUN_DEV(TOSHIBA,		RT3070),
311     RUN_DEV(UMEDIA,		RT2870_1),
312     RUN_DEV(ZCOM,		RT2870_1),
313     RUN_DEV(ZCOM,		RT2870_2),
314     RUN_DEV(ZINWELL,		RT2870_1),
315     RUN_DEV(ZINWELL,		RT2870_2),
316     RUN_DEV(ZINWELL,		RT3070),
317     RUN_DEV(ZINWELL,		RT3072_1),
318     RUN_DEV(ZINWELL,		RT3072_2),
319     RUN_DEV(ZYXEL,		RT2870_1),
320     RUN_DEV(ZYXEL,		RT2870_2),
321     RUN_DEV(ZYXEL,		RT3070),
322     RUN_DEV_EJECT(ZYXEL,	NWD2705),
323     RUN_DEV_EJECT(RALINK,	RT_STOR),
324 #undef RUN_DEV_EJECT
325 #undef RUN_DEV
326 };
327 
328 static device_probe_t	run_match;
329 static device_attach_t	run_attach;
330 static device_detach_t	run_detach;
331 
332 static usb_callback_t	run_bulk_rx_callback;
333 static usb_callback_t	run_bulk_tx_callback0;
334 static usb_callback_t	run_bulk_tx_callback1;
335 static usb_callback_t	run_bulk_tx_callback2;
336 static usb_callback_t	run_bulk_tx_callback3;
337 static usb_callback_t	run_bulk_tx_callback4;
338 static usb_callback_t	run_bulk_tx_callback5;
339 
340 static void	run_autoinst(void *, struct usb_device *,
341 		    struct usb_attach_arg *);
342 static int	run_driver_loaded(struct module *, int, void *);
343 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
344 		    usb_error_t error, u_int index);
345 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
346 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
347 		    const uint8_t [IEEE80211_ADDR_LEN],
348 		    const uint8_t [IEEE80211_ADDR_LEN]);
349 static void	run_vap_delete(struct ieee80211vap *);
350 static void	run_cmdq_cb(void *, int);
351 static void	run_setup_tx_list(struct run_softc *,
352 		    struct run_endpoint_queue *);
353 static void	run_unsetup_tx_list(struct run_softc *,
354 		    struct run_endpoint_queue *);
355 static int	run_load_microcode(struct run_softc *);
356 static int	run_reset(struct run_softc *);
357 static usb_error_t run_do_request(struct run_softc *,
358 		    struct usb_device_request *, void *);
359 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
360 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
361 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
362 static int	run_write(struct run_softc *, uint16_t, uint32_t);
363 static int	run_write_region_1(struct run_softc *, uint16_t,
364 		    const uint8_t *, int);
365 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
366 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
367 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
368 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
369 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
370 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
371 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
372 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
373 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
374 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
375 static const char *run_get_rf(uint16_t);
376 static void	run_rt3593_get_txpower(struct run_softc *);
377 static void	run_get_txpower(struct run_softc *);
378 static int	run_read_eeprom(struct run_softc *);
379 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
380 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
381 static int	run_media_change(struct ifnet *);
382 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
383 static int	run_wme_update(struct ieee80211com *);
384 static void	run_key_set_cb(void *);
385 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *);
386 static void	run_key_delete_cb(void *);
387 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
388 static void	run_ratectl_to(void *);
389 static void	run_ratectl_cb(void *, int);
390 static void	run_drain_fifo(void *);
391 static void	run_iter_func(void *, struct ieee80211_node *);
392 static void	run_newassoc_cb(void *);
393 static void	run_newassoc(struct ieee80211_node *, int);
394 static void	run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
395 		    const struct ieee80211_rx_stats *, int, int);
396 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
397 static void	run_tx_free(struct run_endpoint_queue *pq,
398 		    struct run_tx_data *, int);
399 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
400 static int	run_tx(struct run_softc *, struct mbuf *,
401 		    struct ieee80211_node *);
402 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
403 		    struct ieee80211_node *);
404 static int	run_sendprot(struct run_softc *, const struct mbuf *,
405 		    struct ieee80211_node *, int, int);
406 static int	run_tx_param(struct run_softc *, struct mbuf *,
407 		    struct ieee80211_node *,
408 		    const struct ieee80211_bpf_params *);
409 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
410 		    const struct ieee80211_bpf_params *);
411 static int	run_transmit(struct ieee80211com *, struct mbuf *);
412 static void	run_start(struct run_softc *);
413 static void	run_parent(struct ieee80211com *);
414 static void	run_iq_calib(struct run_softc *, u_int);
415 static void	run_set_agc(struct run_softc *, uint8_t);
416 static void	run_select_chan_group(struct run_softc *, int);
417 static void	run_set_rx_antenna(struct run_softc *, int);
418 static void	run_rt2870_set_chan(struct run_softc *, u_int);
419 static void	run_rt3070_set_chan(struct run_softc *, u_int);
420 static void	run_rt3572_set_chan(struct run_softc *, u_int);
421 static void	run_rt3593_set_chan(struct run_softc *, u_int);
422 static void	run_rt5390_set_chan(struct run_softc *, u_int);
423 static void	run_rt5592_set_chan(struct run_softc *, u_int);
424 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
425 static void	run_set_channel(struct ieee80211com *);
426 static void	run_scan_start(struct ieee80211com *);
427 static void	run_scan_end(struct ieee80211com *);
428 static void	run_update_beacon(struct ieee80211vap *, int);
429 static void	run_update_beacon_cb(void *);
430 static void	run_updateprot(struct ieee80211com *);
431 static void	run_updateprot_cb(void *);
432 static void	run_usb_timeout_cb(void *);
433 static void	run_reset_livelock(struct run_softc *);
434 static void	run_enable_tsf_sync(struct run_softc *);
435 static void	run_enable_tsf(struct run_softc *);
436 static void	run_get_tsf(struct run_softc *, uint64_t *);
437 static void	run_enable_mrr(struct run_softc *);
438 static void	run_set_txpreamble(struct run_softc *);
439 static void	run_set_basicrates(struct run_softc *);
440 static void	run_set_leds(struct run_softc *, uint16_t);
441 static void	run_set_bssid(struct run_softc *, const uint8_t *);
442 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
443 static void	run_updateslot(struct ieee80211com *);
444 static void	run_updateslot_cb(void *);
445 static void	run_update_mcast(struct ieee80211com *);
446 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
447 static void	run_update_promisc_locked(struct run_softc *);
448 static void	run_update_promisc(struct ieee80211com *);
449 static void	run_rt5390_bbp_init(struct run_softc *);
450 static int	run_bbp_init(struct run_softc *);
451 static int	run_rt3070_rf_init(struct run_softc *);
452 static void	run_rt3593_rf_init(struct run_softc *);
453 static void	run_rt5390_rf_init(struct run_softc *);
454 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
455 		    uint8_t *);
456 static void	run_rt3070_rf_setup(struct run_softc *);
457 static void	run_rt3593_rf_setup(struct run_softc *);
458 static void	run_rt5390_rf_setup(struct run_softc *);
459 static int	run_txrx_enable(struct run_softc *);
460 static void	run_adjust_freq_offset(struct run_softc *);
461 static void	run_init_locked(struct run_softc *);
462 static void	run_stop(void *);
463 static void	run_delay(struct run_softc *, u_int);
464 
465 static eventhandler_tag run_etag;
466 
467 static const struct rt2860_rate {
468 	uint8_t		rate;
469 	uint8_t		mcs;
470 	enum		ieee80211_phytype phy;
471 	uint8_t		ctl_ridx;
472 	uint16_t	sp_ack_dur;
473 	uint16_t	lp_ack_dur;
474 } rt2860_rates[] = {
475 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
476 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
477 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
478 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
479 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
480 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
481 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
482 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
483 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
484 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
485 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
486 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
487 };
488 
489 static const struct {
490 	uint16_t	reg;
491 	uint32_t	val;
492 } rt2870_def_mac[] = {
493 	RT2870_DEF_MAC
494 };
495 
496 static const struct {
497 	uint8_t	reg;
498 	uint8_t	val;
499 } rt2860_def_bbp[] = {
500 	RT2860_DEF_BBP
501 },rt5390_def_bbp[] = {
502 	RT5390_DEF_BBP
503 },rt5592_def_bbp[] = {
504 	RT5592_DEF_BBP
505 };
506 
507 /*
508  * Default values for BBP register R196 for RT5592.
509  */
510 static const uint8_t rt5592_bbp_r196[] = {
511 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
512 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
513 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
514 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
515 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
516 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
517 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
518 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
519 	0x2e, 0x36, 0x30, 0x6e
520 };
521 
522 static const struct rfprog {
523 	uint8_t		chan;
524 	uint32_t	r1, r2, r3, r4;
525 } rt2860_rf2850[] = {
526 	RT2860_RF2850
527 };
528 
529 struct {
530 	uint8_t	n, r, k;
531 } rt3070_freqs[] = {
532 	RT3070_RF3052
533 };
534 
535 static const struct rt5592_freqs {
536 	uint16_t	n;
537 	uint8_t		k, m, r;
538 } rt5592_freqs_20mhz[] = {
539 	RT5592_RF5592_20MHZ
540 },rt5592_freqs_40mhz[] = {
541 	RT5592_RF5592_40MHZ
542 };
543 
544 static const struct {
545 	uint8_t	reg;
546 	uint8_t	val;
547 } rt3070_def_rf[] = {
548 	RT3070_DEF_RF
549 },rt3572_def_rf[] = {
550 	RT3572_DEF_RF
551 },rt3593_def_rf[] = {
552 	RT3593_DEF_RF
553 },rt5390_def_rf[] = {
554 	RT5390_DEF_RF
555 },rt5392_def_rf[] = {
556 	RT5392_DEF_RF
557 },rt5592_def_rf[] = {
558 	RT5592_DEF_RF
559 },rt5592_2ghz_def_rf[] = {
560 	RT5592_2GHZ_DEF_RF
561 },rt5592_5ghz_def_rf[] = {
562 	RT5592_5GHZ_DEF_RF
563 };
564 
565 static const struct {
566 	u_int	firstchan;
567 	u_int	lastchan;
568 	uint8_t	reg;
569 	uint8_t	val;
570 } rt5592_chan_5ghz[] = {
571 	RT5592_CHAN_5GHZ
572 };
573 
574 static const struct usb_config run_config[RUN_N_XFER] = {
575     [RUN_BULK_TX_BE] = {
576 	.type = UE_BULK,
577 	.endpoint = UE_ADDR_ANY,
578 	.ep_index = 0,
579 	.direction = UE_DIR_OUT,
580 	.bufsize = RUN_MAX_TXSZ,
581 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
582 	.callback = run_bulk_tx_callback0,
583 	.timeout = 5000,	/* ms */
584     },
585     [RUN_BULK_TX_BK] = {
586 	.type = UE_BULK,
587 	.endpoint = UE_ADDR_ANY,
588 	.direction = UE_DIR_OUT,
589 	.ep_index = 1,
590 	.bufsize = RUN_MAX_TXSZ,
591 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
592 	.callback = run_bulk_tx_callback1,
593 	.timeout = 5000,	/* ms */
594     },
595     [RUN_BULK_TX_VI] = {
596 	.type = UE_BULK,
597 	.endpoint = UE_ADDR_ANY,
598 	.direction = UE_DIR_OUT,
599 	.ep_index = 2,
600 	.bufsize = RUN_MAX_TXSZ,
601 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
602 	.callback = run_bulk_tx_callback2,
603 	.timeout = 5000,	/* ms */
604     },
605     [RUN_BULK_TX_VO] = {
606 	.type = UE_BULK,
607 	.endpoint = UE_ADDR_ANY,
608 	.direction = UE_DIR_OUT,
609 	.ep_index = 3,
610 	.bufsize = RUN_MAX_TXSZ,
611 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
612 	.callback = run_bulk_tx_callback3,
613 	.timeout = 5000,	/* ms */
614     },
615     [RUN_BULK_TX_HCCA] = {
616 	.type = UE_BULK,
617 	.endpoint = UE_ADDR_ANY,
618 	.direction = UE_DIR_OUT,
619 	.ep_index = 4,
620 	.bufsize = RUN_MAX_TXSZ,
621 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
622 	.callback = run_bulk_tx_callback4,
623 	.timeout = 5000,	/* ms */
624     },
625     [RUN_BULK_TX_PRIO] = {
626 	.type = UE_BULK,
627 	.endpoint = UE_ADDR_ANY,
628 	.direction = UE_DIR_OUT,
629 	.ep_index = 5,
630 	.bufsize = RUN_MAX_TXSZ,
631 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
632 	.callback = run_bulk_tx_callback5,
633 	.timeout = 5000,	/* ms */
634     },
635     [RUN_BULK_RX] = {
636 	.type = UE_BULK,
637 	.endpoint = UE_ADDR_ANY,
638 	.direction = UE_DIR_IN,
639 	.bufsize = RUN_MAX_RXSZ,
640 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
641 	.callback = run_bulk_rx_callback,
642     }
643 };
644 
645 static void
646 run_autoinst(void *arg, struct usb_device *udev,
647     struct usb_attach_arg *uaa)
648 {
649 	struct usb_interface *iface;
650 	struct usb_interface_descriptor *id;
651 
652 	if (uaa->dev_state != UAA_DEV_READY)
653 		return;
654 
655 	iface = usbd_get_iface(udev, 0);
656 	if (iface == NULL)
657 		return;
658 	id = iface->idesc;
659 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
660 		return;
661 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
662 		return;
663 
664 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
665 		uaa->dev_state = UAA_DEV_EJECTING;
666 }
667 
668 static int
669 run_driver_loaded(struct module *mod, int what, void *arg)
670 {
671 	switch (what) {
672 	case MOD_LOAD:
673 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
674 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
675 		break;
676 	case MOD_UNLOAD:
677 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
678 		break;
679 	default:
680 		return (EOPNOTSUPP);
681 	}
682 	return (0);
683 }
684 
685 static int
686 run_match(device_t self)
687 {
688 	struct usb_attach_arg *uaa = device_get_ivars(self);
689 
690 	if (uaa->usb_mode != USB_MODE_HOST)
691 		return (ENXIO);
692 	if (uaa->info.bConfigIndex != 0)
693 		return (ENXIO);
694 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
695 		return (ENXIO);
696 
697 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
698 }
699 
700 static int
701 run_attach(device_t self)
702 {
703 	struct run_softc *sc = device_get_softc(self);
704 	struct usb_attach_arg *uaa = device_get_ivars(self);
705 	struct ieee80211com *ic = &sc->sc_ic;
706 	uint32_t ver;
707 	uint8_t bands[IEEE80211_MODE_BYTES];
708 	uint8_t iface_index;
709 	int ntries, error;
710 
711 	device_set_usb_desc(self);
712 	sc->sc_udev = uaa->device;
713 	sc->sc_dev = self;
714 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
715 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
716 
717 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
718 	    MTX_NETWORK_LOCK, MTX_DEF);
719 	mbufq_init(&sc->sc_snd, ifqmaxlen);
720 
721 	iface_index = RT2860_IFACE_INDEX;
722 
723 	error = usbd_transfer_setup(uaa->device, &iface_index,
724 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
725 	if (error) {
726 		device_printf(self, "could not allocate USB transfers, "
727 		    "err=%s\n", usbd_errstr(error));
728 		goto detach;
729 	}
730 
731 	RUN_LOCK(sc);
732 
733 	/* wait for the chip to settle */
734 	for (ntries = 0; ntries < 100; ntries++) {
735 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
736 			RUN_UNLOCK(sc);
737 			goto detach;
738 		}
739 		if (ver != 0 && ver != 0xffffffff)
740 			break;
741 		run_delay(sc, 10);
742 	}
743 	if (ntries == 100) {
744 		device_printf(sc->sc_dev,
745 		    "timeout waiting for NIC to initialize\n");
746 		RUN_UNLOCK(sc);
747 		goto detach;
748 	}
749 	sc->mac_ver = ver >> 16;
750 	sc->mac_rev = ver & 0xffff;
751 
752 	/* retrieve RF rev. no and various other things from EEPROM */
753 	run_read_eeprom(sc);
754 
755 	device_printf(sc->sc_dev,
756 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
757 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
758 	    sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
759 
760 	RUN_UNLOCK(sc);
761 
762 	ic->ic_softc = sc;
763 	ic->ic_name = device_get_nameunit(self);
764 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
765 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
766 
767 	/* set device capabilities */
768 	ic->ic_caps =
769 	    IEEE80211_C_STA |		/* station mode supported */
770 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
771 	    IEEE80211_C_IBSS |
772 	    IEEE80211_C_HOSTAP |
773 	    IEEE80211_C_WDS |		/* 4-address traffic works */
774 	    IEEE80211_C_MBSS |
775 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
776 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
777 	    IEEE80211_C_WME |		/* WME */
778 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
779 
780 	ic->ic_cryptocaps =
781 	    IEEE80211_CRYPTO_WEP |
782 	    IEEE80211_CRYPTO_AES_CCM |
783 	    IEEE80211_CRYPTO_TKIPMIC |
784 	    IEEE80211_CRYPTO_TKIP;
785 
786 	ic->ic_flags |= IEEE80211_F_DATAPAD;
787 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
788 
789 	memset(bands, 0, sizeof(bands));
790 	setbit(bands, IEEE80211_MODE_11B);
791 	setbit(bands, IEEE80211_MODE_11G);
792 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
793 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
794 	    sc->rf_rev == RT5592_RF_5592)
795 		setbit(bands, IEEE80211_MODE_11A);
796 	ieee80211_init_channels(ic, NULL, bands);
797 
798 	ieee80211_ifattach(ic);
799 
800 	ic->ic_scan_start = run_scan_start;
801 	ic->ic_scan_end = run_scan_end;
802 	ic->ic_set_channel = run_set_channel;
803 	ic->ic_node_alloc = run_node_alloc;
804 	ic->ic_newassoc = run_newassoc;
805 	ic->ic_updateslot = run_updateslot;
806 	ic->ic_update_mcast = run_update_mcast;
807 	ic->ic_wme.wme_update = run_wme_update;
808 	ic->ic_raw_xmit = run_raw_xmit;
809 	ic->ic_update_promisc = run_update_promisc;
810 	ic->ic_vap_create = run_vap_create;
811 	ic->ic_vap_delete = run_vap_delete;
812 	ic->ic_transmit = run_transmit;
813 	ic->ic_parent = run_parent;
814 
815 	ieee80211_radiotap_attach(ic,
816 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
817 		RUN_TX_RADIOTAP_PRESENT,
818 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
819 		RUN_RX_RADIOTAP_PRESENT);
820 
821 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
822 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
823 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
824 
825 	if (bootverbose)
826 		ieee80211_announce(ic);
827 
828 	return (0);
829 
830 detach:
831 	run_detach(self);
832 	return (ENXIO);
833 }
834 
835 static void
836 run_drain_mbufq(struct run_softc *sc)
837 {
838 	struct mbuf *m;
839 	struct ieee80211_node *ni;
840 
841 	RUN_LOCK_ASSERT(sc, MA_OWNED);
842 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
843 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
844 		m->m_pkthdr.rcvif = NULL;
845 		ieee80211_free_node(ni);
846 		m_freem(m);
847 	}
848 }
849 
850 static int
851 run_detach(device_t self)
852 {
853 	struct run_softc *sc = device_get_softc(self);
854 	struct ieee80211com *ic = &sc->sc_ic;
855 	int i;
856 
857 	RUN_LOCK(sc);
858 	sc->sc_detached = 1;
859 	RUN_UNLOCK(sc);
860 
861 	/* stop all USB transfers */
862 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
863 
864 	RUN_LOCK(sc);
865 	sc->ratectl_run = RUN_RATECTL_OFF;
866 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
867 
868 	/* free TX list, if any */
869 	for (i = 0; i != RUN_EP_QUEUES; i++)
870 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
871 
872 	/* Free TX queue */
873 	run_drain_mbufq(sc);
874 	RUN_UNLOCK(sc);
875 
876 	if (sc->sc_ic.ic_softc == sc) {
877 		/* drain tasks */
878 		usb_callout_drain(&sc->ratectl_ch);
879 		ieee80211_draintask(ic, &sc->cmdq_task);
880 		ieee80211_draintask(ic, &sc->ratectl_task);
881 		ieee80211_ifdetach(ic);
882 	}
883 
884 	mtx_destroy(&sc->sc_mtx);
885 
886 	return (0);
887 }
888 
889 static struct ieee80211vap *
890 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
891     enum ieee80211_opmode opmode, int flags,
892     const uint8_t bssid[IEEE80211_ADDR_LEN],
893     const uint8_t mac[IEEE80211_ADDR_LEN])
894 {
895 	struct run_softc *sc = ic->ic_softc;
896 	struct run_vap *rvp;
897 	struct ieee80211vap *vap;
898 	int i;
899 
900 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
901 		device_printf(sc->sc_dev, "number of VAPs maxed out\n");
902 		return (NULL);
903 	}
904 
905 	switch (opmode) {
906 	case IEEE80211_M_STA:
907 		/* enable s/w bmiss handling for sta mode */
908 		flags |= IEEE80211_CLONE_NOBEACONS;
909 		/* fall though */
910 	case IEEE80211_M_IBSS:
911 	case IEEE80211_M_MONITOR:
912 	case IEEE80211_M_HOSTAP:
913 	case IEEE80211_M_MBSS:
914 		/* other than WDS vaps, only one at a time */
915 		if (!TAILQ_EMPTY(&ic->ic_vaps))
916 			return (NULL);
917 		break;
918 	case IEEE80211_M_WDS:
919 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
920 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
921 				continue;
922 			/* WDS vap's always share the local mac address. */
923 			flags &= ~IEEE80211_CLONE_BSSID;
924 			break;
925 		}
926 		if (vap == NULL) {
927 			device_printf(sc->sc_dev,
928 			    "wds only supported in ap mode\n");
929 			return (NULL);
930 		}
931 		break;
932 	default:
933 		device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
934 		return (NULL);
935 	}
936 
937 	rvp = malloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
938 	vap = &rvp->vap;
939 
940 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
941 	    bssid) != 0) {
942 		/* out of memory */
943 		free(rvp, M_80211_VAP);
944 		return (NULL);
945 	}
946 
947 	vap->iv_update_beacon = run_update_beacon;
948 	vap->iv_max_aid = RT2870_WCID_MAX;
949 	/*
950 	 * To delete the right key from h/w, we need wcid.
951 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
952 	 * and matching wcid will be written into there. So, cast
953 	 * some spells to remove 'const' from ieee80211_key{}
954 	 */
955 	vap->iv_key_delete = (void *)run_key_delete;
956 	vap->iv_key_set = (void *)run_key_set;
957 
958 	/* override state transition machine */
959 	rvp->newstate = vap->iv_newstate;
960 	vap->iv_newstate = run_newstate;
961 	if (opmode == IEEE80211_M_IBSS) {
962 		rvp->recv_mgmt = vap->iv_recv_mgmt;
963 		vap->iv_recv_mgmt = run_recv_mgmt;
964 	}
965 
966 	ieee80211_ratectl_init(vap);
967 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
968 
969 	/* complete setup */
970 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
971 	    mac);
972 
973 	/* make sure id is always unique */
974 	for (i = 0; i < RUN_VAP_MAX; i++) {
975 		if((sc->rvp_bmap & 1 << i) == 0){
976 			sc->rvp_bmap |= 1 << i;
977 			rvp->rvp_id = i;
978 			break;
979 		}
980 	}
981 	if (sc->rvp_cnt++ == 0)
982 		ic->ic_opmode = opmode;
983 
984 	if (opmode == IEEE80211_M_HOSTAP)
985 		sc->cmdq_run = RUN_CMDQ_GO;
986 
987 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
988 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
989 
990 	return (vap);
991 }
992 
993 static void
994 run_vap_delete(struct ieee80211vap *vap)
995 {
996 	struct run_vap *rvp = RUN_VAP(vap);
997 	struct ieee80211com *ic;
998 	struct run_softc *sc;
999 	uint8_t rvp_id;
1000 
1001 	if (vap == NULL)
1002 		return;
1003 
1004 	ic = vap->iv_ic;
1005 	sc = ic->ic_softc;
1006 
1007 	RUN_LOCK(sc);
1008 
1009 	m_freem(rvp->beacon_mbuf);
1010 	rvp->beacon_mbuf = NULL;
1011 
1012 	rvp_id = rvp->rvp_id;
1013 	sc->ratectl_run &= ~(1 << rvp_id);
1014 	sc->rvp_bmap &= ~(1 << rvp_id);
1015 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1016 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1017 	--sc->rvp_cnt;
1018 
1019 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1020 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1021 
1022 	RUN_UNLOCK(sc);
1023 
1024 	ieee80211_ratectl_deinit(vap);
1025 	ieee80211_vap_detach(vap);
1026 	free(rvp, M_80211_VAP);
1027 }
1028 
1029 /*
1030  * There are numbers of functions need to be called in context thread.
1031  * Rather than creating taskqueue event for each of those functions,
1032  * here is all-for-one taskqueue callback function. This function
1033  * guarantees deferred functions are executed in the same order they
1034  * were enqueued.
1035  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1036  */
1037 static void
1038 run_cmdq_cb(void *arg, int pending)
1039 {
1040 	struct run_softc *sc = arg;
1041 	uint8_t i;
1042 
1043 	/* call cmdq[].func locked */
1044 	RUN_LOCK(sc);
1045 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1046 	    i = sc->cmdq_exec, pending--) {
1047 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1048 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1049 			/*
1050 			 * If arg0 is NULL, callback func needs more
1051 			 * than one arg. So, pass ptr to cmdq struct.
1052 			 */
1053 			if (sc->cmdq[i].arg0)
1054 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1055 			else
1056 				sc->cmdq[i].func(&sc->cmdq[i]);
1057 		}
1058 		sc->cmdq[i].arg0 = NULL;
1059 		sc->cmdq[i].func = NULL;
1060 		sc->cmdq_exec++;
1061 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1062 	}
1063 	RUN_UNLOCK(sc);
1064 }
1065 
1066 static void
1067 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1068 {
1069 	struct run_tx_data *data;
1070 
1071 	memset(pq, 0, sizeof(*pq));
1072 
1073 	STAILQ_INIT(&pq->tx_qh);
1074 	STAILQ_INIT(&pq->tx_fh);
1075 
1076 	for (data = &pq->tx_data[0];
1077 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1078 		data->sc = sc;
1079 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1080 	}
1081 	pq->tx_nfree = RUN_TX_RING_COUNT;
1082 }
1083 
1084 static void
1085 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1086 {
1087 	struct run_tx_data *data;
1088 
1089 	/* make sure any subsequent use of the queues will fail */
1090 	pq->tx_nfree = 0;
1091 	STAILQ_INIT(&pq->tx_fh);
1092 	STAILQ_INIT(&pq->tx_qh);
1093 
1094 	/* free up all node references and mbufs */
1095 	for (data = &pq->tx_data[0];
1096 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1097 		if (data->m != NULL) {
1098 			m_freem(data->m);
1099 			data->m = NULL;
1100 		}
1101 		if (data->ni != NULL) {
1102 			ieee80211_free_node(data->ni);
1103 			data->ni = NULL;
1104 		}
1105 	}
1106 }
1107 
1108 static int
1109 run_load_microcode(struct run_softc *sc)
1110 {
1111 	usb_device_request_t req;
1112 	const struct firmware *fw;
1113 	const u_char *base;
1114 	uint32_t tmp;
1115 	int ntries, error;
1116 	const uint64_t *temp;
1117 	uint64_t bytes;
1118 
1119 	RUN_UNLOCK(sc);
1120 	fw = firmware_get("runfw");
1121 	RUN_LOCK(sc);
1122 	if (fw == NULL) {
1123 		device_printf(sc->sc_dev,
1124 		    "failed loadfirmware of file %s\n", "runfw");
1125 		return ENOENT;
1126 	}
1127 
1128 	if (fw->datasize != 8192) {
1129 		device_printf(sc->sc_dev,
1130 		    "invalid firmware size (should be 8KB)\n");
1131 		error = EINVAL;
1132 		goto fail;
1133 	}
1134 
1135 	/*
1136 	 * RT3071/RT3072 use a different firmware
1137 	 * run-rt2870 (8KB) contains both,
1138 	 * first half (4KB) is for rt2870,
1139 	 * last half is for rt3071.
1140 	 */
1141 	base = fw->data;
1142 	if ((sc->mac_ver) != 0x2860 &&
1143 	    (sc->mac_ver) != 0x2872 &&
1144 	    (sc->mac_ver) != 0x3070) {
1145 		base += 4096;
1146 	}
1147 
1148 	/* cheap sanity check */
1149 	temp = fw->data;
1150 	bytes = *temp;
1151 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1152 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1153 		error = EINVAL;
1154 		goto fail;
1155 	}
1156 
1157 	/* write microcode image */
1158 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1159 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1160 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1161 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1162 	}
1163 
1164 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1165 	req.bRequest = RT2870_RESET;
1166 	USETW(req.wValue, 8);
1167 	USETW(req.wIndex, 0);
1168 	USETW(req.wLength, 0);
1169 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1170 	    != 0) {
1171 		device_printf(sc->sc_dev, "firmware reset failed\n");
1172 		goto fail;
1173 	}
1174 
1175 	run_delay(sc, 10);
1176 
1177 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1178 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1179 	run_write(sc, RT2860_H2M_INTSRC, 0);
1180 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1181 		goto fail;
1182 
1183 	/* wait until microcontroller is ready */
1184 	for (ntries = 0; ntries < 1000; ntries++) {
1185 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1186 			goto fail;
1187 		if (tmp & RT2860_MCU_READY)
1188 			break;
1189 		run_delay(sc, 10);
1190 	}
1191 	if (ntries == 1000) {
1192 		device_printf(sc->sc_dev,
1193 		    "timeout waiting for MCU to initialize\n");
1194 		error = ETIMEDOUT;
1195 		goto fail;
1196 	}
1197 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1198 	    (base == fw->data) ? "RT2870" : "RT3071",
1199 	    *(base + 4092), *(base + 4093));
1200 
1201 fail:
1202 	firmware_put(fw, FIRMWARE_UNLOAD);
1203 	return (error);
1204 }
1205 
1206 static int
1207 run_reset(struct run_softc *sc)
1208 {
1209 	usb_device_request_t req;
1210 
1211 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1212 	req.bRequest = RT2870_RESET;
1213 	USETW(req.wValue, 1);
1214 	USETW(req.wIndex, 0);
1215 	USETW(req.wLength, 0);
1216 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1217 }
1218 
1219 static usb_error_t
1220 run_do_request(struct run_softc *sc,
1221     struct usb_device_request *req, void *data)
1222 {
1223 	usb_error_t err;
1224 	int ntries = 10;
1225 
1226 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1227 
1228 	while (ntries--) {
1229 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1230 		    req, data, 0, NULL, 250 /* ms */);
1231 		if (err == 0)
1232 			break;
1233 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1234 		    usbd_errstr(err));
1235 		run_delay(sc, 10);
1236 	}
1237 	return (err);
1238 }
1239 
1240 static int
1241 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1242 {
1243 	uint32_t tmp;
1244 	int error;
1245 
1246 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1247 	if (error == 0)
1248 		*val = le32toh(tmp);
1249 	else
1250 		*val = 0xffffffff;
1251 	return (error);
1252 }
1253 
1254 static int
1255 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1256 {
1257 	usb_device_request_t req;
1258 
1259 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1260 	req.bRequest = RT2870_READ_REGION_1;
1261 	USETW(req.wValue, 0);
1262 	USETW(req.wIndex, reg);
1263 	USETW(req.wLength, len);
1264 
1265 	return (run_do_request(sc, &req, buf));
1266 }
1267 
1268 static int
1269 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1270 {
1271 	usb_device_request_t req;
1272 
1273 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1274 	req.bRequest = RT2870_WRITE_2;
1275 	USETW(req.wValue, val);
1276 	USETW(req.wIndex, reg);
1277 	USETW(req.wLength, 0);
1278 
1279 	return (run_do_request(sc, &req, NULL));
1280 }
1281 
1282 static int
1283 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1284 {
1285 	int error;
1286 
1287 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1288 		error = run_write_2(sc, reg + 2, val >> 16);
1289 	return (error);
1290 }
1291 
1292 static int
1293 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1294     int len)
1295 {
1296 #if 1
1297 	int i, error = 0;
1298 	/*
1299 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1300 	 * We thus issue multiple WRITE_2 commands instead.
1301 	 */
1302 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1303 	for (i = 0; i < len && error == 0; i += 2)
1304 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1305 	return (error);
1306 #else
1307 	usb_device_request_t req;
1308 	int error = 0;
1309 
1310 	/*
1311 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1312 	 * passed a huge amount of data, which will crash the
1313 	 * firmware. Limit amount of data passed to 64-bytes at a
1314 	 * time.
1315 	 */
1316 	while (len > 0) {
1317 		int delta = 64;
1318 		if (delta > len)
1319 			delta = len;
1320 
1321 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1322 		req.bRequest = RT2870_WRITE_REGION_1;
1323 		USETW(req.wValue, 0);
1324 		USETW(req.wIndex, reg);
1325 		USETW(req.wLength, delta);
1326 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1327 		if (error != 0)
1328 			break;
1329 		reg += delta;
1330 		buf += delta;
1331 		len -= delta;
1332 	}
1333 	return (error);
1334 #endif
1335 }
1336 
1337 static int
1338 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1339 {
1340 	int i, error = 0;
1341 
1342 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1343 	for (i = 0; i < len && error == 0; i += 4)
1344 		error = run_write(sc, reg + i, val);
1345 	return (error);
1346 }
1347 
1348 static int
1349 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1350 {
1351 	uint32_t tmp;
1352 	uint16_t reg;
1353 	int error, ntries;
1354 
1355 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1356 		return (error);
1357 
1358 	if (count == 2)
1359 		addr *= 2;
1360 	/*-
1361 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1362 	 * DATA0: F E D C
1363 	 * DATA1: B A 9 8
1364 	 * DATA2: 7 6 5 4
1365 	 * DATA3: 3 2 1 0
1366 	 */
1367 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1368 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1369 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1370 	for (ntries = 0; ntries < 100; ntries++) {
1371 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1372 			return (error);
1373 		if (!(tmp & RT3070_EFSROM_KICK))
1374 			break;
1375 		run_delay(sc, 2);
1376 	}
1377 	if (ntries == 100)
1378 		return (ETIMEDOUT);
1379 
1380 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1381 		*val = 0xffff;	/* address not found */
1382 		return (0);
1383 	}
1384 	/* determine to which 32-bit register our 16-bit word belongs */
1385 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1386 	if ((error = run_read(sc, reg, &tmp)) != 0)
1387 		return (error);
1388 
1389 	tmp >>= (8 * (addr & 0x3));
1390 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1391 
1392 	return (0);
1393 }
1394 
1395 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1396 static int
1397 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1398 {
1399 	return (run_efuse_read(sc, addr, val, 2));
1400 }
1401 
1402 static int
1403 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1404 {
1405 	usb_device_request_t req;
1406 	uint16_t tmp;
1407 	int error;
1408 
1409 	addr *= 2;
1410 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1411 	req.bRequest = RT2870_EEPROM_READ;
1412 	USETW(req.wValue, 0);
1413 	USETW(req.wIndex, addr);
1414 	USETW(req.wLength, sizeof(tmp));
1415 
1416 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1417 	if (error == 0)
1418 		*val = le16toh(tmp);
1419 	else
1420 		*val = 0xffff;
1421 	return (error);
1422 }
1423 
1424 static __inline int
1425 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1426 {
1427 	/* either eFUSE ROM or EEPROM */
1428 	return sc->sc_srom_read(sc, addr, val);
1429 }
1430 
1431 static int
1432 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1433 {
1434 	uint32_t tmp;
1435 	int error, ntries;
1436 
1437 	for (ntries = 0; ntries < 10; ntries++) {
1438 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1439 			return (error);
1440 		if (!(tmp & RT2860_RF_REG_CTRL))
1441 			break;
1442 	}
1443 	if (ntries == 10)
1444 		return (ETIMEDOUT);
1445 
1446 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1447 }
1448 
1449 static int
1450 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1451 {
1452 	uint32_t tmp;
1453 	int error, ntries;
1454 
1455 	for (ntries = 0; ntries < 100; ntries++) {
1456 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1457 			return (error);
1458 		if (!(tmp & RT3070_RF_KICK))
1459 			break;
1460 	}
1461 	if (ntries == 100)
1462 		return (ETIMEDOUT);
1463 
1464 	tmp = RT3070_RF_KICK | reg << 8;
1465 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1466 		return (error);
1467 
1468 	for (ntries = 0; ntries < 100; ntries++) {
1469 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1470 			return (error);
1471 		if (!(tmp & RT3070_RF_KICK))
1472 			break;
1473 	}
1474 	if (ntries == 100)
1475 		return (ETIMEDOUT);
1476 
1477 	*val = tmp & 0xff;
1478 	return (0);
1479 }
1480 
1481 static int
1482 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1483 {
1484 	uint32_t tmp;
1485 	int error, ntries;
1486 
1487 	for (ntries = 0; ntries < 10; ntries++) {
1488 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1489 			return (error);
1490 		if (!(tmp & RT3070_RF_KICK))
1491 			break;
1492 	}
1493 	if (ntries == 10)
1494 		return (ETIMEDOUT);
1495 
1496 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1497 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1498 }
1499 
1500 static int
1501 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1502 {
1503 	uint32_t tmp;
1504 	int ntries, error;
1505 
1506 	for (ntries = 0; ntries < 10; ntries++) {
1507 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1508 			return (error);
1509 		if (!(tmp & RT2860_BBP_CSR_KICK))
1510 			break;
1511 	}
1512 	if (ntries == 10)
1513 		return (ETIMEDOUT);
1514 
1515 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1516 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1517 		return (error);
1518 
1519 	for (ntries = 0; ntries < 10; ntries++) {
1520 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1521 			return (error);
1522 		if (!(tmp & RT2860_BBP_CSR_KICK))
1523 			break;
1524 	}
1525 	if (ntries == 10)
1526 		return (ETIMEDOUT);
1527 
1528 	*val = tmp & 0xff;
1529 	return (0);
1530 }
1531 
1532 static int
1533 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1534 {
1535 	uint32_t tmp;
1536 	int ntries, error;
1537 
1538 	for (ntries = 0; ntries < 10; ntries++) {
1539 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1540 			return (error);
1541 		if (!(tmp & RT2860_BBP_CSR_KICK))
1542 			break;
1543 	}
1544 	if (ntries == 10)
1545 		return (ETIMEDOUT);
1546 
1547 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1548 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1549 }
1550 
1551 /*
1552  * Send a command to the 8051 microcontroller unit.
1553  */
1554 static int
1555 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1556 {
1557 	uint32_t tmp;
1558 	int error, ntries;
1559 
1560 	for (ntries = 0; ntries < 100; ntries++) {
1561 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1562 			return error;
1563 		if (!(tmp & RT2860_H2M_BUSY))
1564 			break;
1565 	}
1566 	if (ntries == 100)
1567 		return ETIMEDOUT;
1568 
1569 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1570 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1571 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1572 	return (error);
1573 }
1574 
1575 /*
1576  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1577  * Used to adjust per-rate Tx power registers.
1578  */
1579 static __inline uint32_t
1580 b4inc(uint32_t b32, int8_t delta)
1581 {
1582 	int8_t i, b4;
1583 
1584 	for (i = 0; i < 8; i++) {
1585 		b4 = b32 & 0xf;
1586 		b4 += delta;
1587 		if (b4 < 0)
1588 			b4 = 0;
1589 		else if (b4 > 0xf)
1590 			b4 = 0xf;
1591 		b32 = b32 >> 4 | b4 << 28;
1592 	}
1593 	return (b32);
1594 }
1595 
1596 static const char *
1597 run_get_rf(uint16_t rev)
1598 {
1599 	switch (rev) {
1600 	case RT2860_RF_2820:	return "RT2820";
1601 	case RT2860_RF_2850:	return "RT2850";
1602 	case RT2860_RF_2720:	return "RT2720";
1603 	case RT2860_RF_2750:	return "RT2750";
1604 	case RT3070_RF_3020:	return "RT3020";
1605 	case RT3070_RF_2020:	return "RT2020";
1606 	case RT3070_RF_3021:	return "RT3021";
1607 	case RT3070_RF_3022:	return "RT3022";
1608 	case RT3070_RF_3052:	return "RT3052";
1609 	case RT3593_RF_3053:	return "RT3053";
1610 	case RT5592_RF_5592:	return "RT5592";
1611 	case RT5390_RF_5370:	return "RT5370";
1612 	case RT5390_RF_5372:	return "RT5372";
1613 	}
1614 	return ("unknown");
1615 }
1616 
1617 static void
1618 run_rt3593_get_txpower(struct run_softc *sc)
1619 {
1620 	uint16_t addr, val;
1621 	int i;
1622 
1623 	/* Read power settings for 2GHz channels. */
1624 	for (i = 0; i < 14; i += 2) {
1625 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1626 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1627 		run_srom_read(sc, addr + i / 2, &val);
1628 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1629 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1630 
1631 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1632 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1633 		run_srom_read(sc, addr + i / 2, &val);
1634 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1635 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1636 
1637 		if (sc->ntxchains == 3) {
1638 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1639 			    &val);
1640 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1641 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1642 		}
1643 	}
1644 	/* Fix broken Tx power entries. */
1645 	for (i = 0; i < 14; i++) {
1646 		if (sc->txpow1[i] > 31)
1647 			sc->txpow1[i] = 5;
1648 		if (sc->txpow2[i] > 31)
1649 			sc->txpow2[i] = 5;
1650 		if (sc->ntxchains == 3) {
1651 			if (sc->txpow3[i] > 31)
1652 				sc->txpow3[i] = 5;
1653 		}
1654 	}
1655 	/* Read power settings for 5GHz channels. */
1656 	for (i = 0; i < 40; i += 2) {
1657 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1658 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1659 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1660 
1661 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1662 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1663 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1664 
1665 		if (sc->ntxchains == 3) {
1666 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1667 			    &val);
1668 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1669 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1670 		}
1671 	}
1672 }
1673 
1674 static void
1675 run_get_txpower(struct run_softc *sc)
1676 {
1677 	uint16_t val;
1678 	int i;
1679 
1680 	/* Read power settings for 2GHz channels. */
1681 	for (i = 0; i < 14; i += 2) {
1682 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1683 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1684 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1685 
1686 		if (sc->mac_ver != 0x5390) {
1687 			run_srom_read(sc,
1688 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1689 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1690 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1691 		}
1692 	}
1693 	/* Fix broken Tx power entries. */
1694 	for (i = 0; i < 14; i++) {
1695 		if (sc->mac_ver >= 0x5390) {
1696 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1697 				sc->txpow1[i] = 5;
1698 		} else {
1699 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1700 				sc->txpow1[i] = 5;
1701 		}
1702 		if (sc->mac_ver > 0x5390) {
1703 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1704 				sc->txpow2[i] = 5;
1705 		} else if (sc->mac_ver < 0x5390) {
1706 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1707 				sc->txpow2[i] = 5;
1708 		}
1709 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1710 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1711 	}
1712 	/* Read power settings for 5GHz channels. */
1713 	for (i = 0; i < 40; i += 2) {
1714 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1715 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1716 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1717 
1718 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1719 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1720 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1721 	}
1722 	/* Fix broken Tx power entries. */
1723 	for (i = 0; i < 40; i++ ) {
1724 		if (sc->mac_ver != 0x5592) {
1725 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1726 				sc->txpow1[14 + i] = 5;
1727 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1728 				sc->txpow2[14 + i] = 5;
1729 		}
1730 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1731 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1732 		    sc->txpow2[14 + i]);
1733 	}
1734 }
1735 
1736 static int
1737 run_read_eeprom(struct run_softc *sc)
1738 {
1739 	struct ieee80211com *ic = &sc->sc_ic;
1740 	int8_t delta_2ghz, delta_5ghz;
1741 	uint32_t tmp;
1742 	uint16_t val;
1743 	int ridx, ant, i;
1744 
1745 	/* check whether the ROM is eFUSE ROM or EEPROM */
1746 	sc->sc_srom_read = run_eeprom_read_2;
1747 	if (sc->mac_ver >= 0x3070) {
1748 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1749 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1750 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1751 			sc->sc_srom_read = run_efuse_read_2;
1752 	}
1753 
1754 	/* read ROM version */
1755 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1756 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1757 
1758 	/* read MAC address */
1759 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1760 	ic->ic_macaddr[0] = val & 0xff;
1761 	ic->ic_macaddr[1] = val >> 8;
1762 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1763 	ic->ic_macaddr[2] = val & 0xff;
1764 	ic->ic_macaddr[3] = val >> 8;
1765 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1766 	ic->ic_macaddr[4] = val & 0xff;
1767 	ic->ic_macaddr[5] = val >> 8;
1768 
1769 	if (sc->mac_ver < 0x3593) {
1770 		/* read vender BBP settings */
1771 		for (i = 0; i < 10; i++) {
1772 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1773 			sc->bbp[i].val = val & 0xff;
1774 			sc->bbp[i].reg = val >> 8;
1775 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1776 			    sc->bbp[i].val);
1777 		}
1778 		if (sc->mac_ver >= 0x3071) {
1779 			/* read vendor RF settings */
1780 			for (i = 0; i < 10; i++) {
1781 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1782 				   &val);
1783 				sc->rf[i].val = val & 0xff;
1784 				sc->rf[i].reg = val >> 8;
1785 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1786 				    sc->rf[i].val);
1787 			}
1788 		}
1789 	}
1790 
1791 	/* read RF frequency offset from EEPROM */
1792 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1793 	    RT3593_EEPROM_FREQ, &val);
1794 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1795 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1796 
1797 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1798 	    RT3593_EEPROM_FREQ_LEDS, &val);
1799 	if (val >> 8 != 0xff) {
1800 		/* read LEDs operating mode */
1801 		sc->leds = val >> 8;
1802 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1803 		    RT3593_EEPROM_LED1, &sc->led[0]);
1804 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1805 		    RT3593_EEPROM_LED2, &sc->led[1]);
1806 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1807 		    RT3593_EEPROM_LED3, &sc->led[2]);
1808 	} else {
1809 		/* broken EEPROM, use default settings */
1810 		sc->leds = 0x01;
1811 		sc->led[0] = 0x5555;
1812 		sc->led[1] = 0x2221;
1813 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1814 	}
1815 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1816 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1817 
1818 	/* read RF information */
1819 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1820 		run_srom_read(sc, 0x00, &val);
1821 	else
1822 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1823 
1824 	if (val == 0xffff) {
1825 		device_printf(sc->sc_dev,
1826 		    "invalid EEPROM antenna info, using default\n");
1827 		DPRINTF("invalid EEPROM antenna info, using default\n");
1828 		if (sc->mac_ver == 0x3572) {
1829 			/* default to RF3052 2T2R */
1830 			sc->rf_rev = RT3070_RF_3052;
1831 			sc->ntxchains = 2;
1832 			sc->nrxchains = 2;
1833 		} else if (sc->mac_ver >= 0x3070) {
1834 			/* default to RF3020 1T1R */
1835 			sc->rf_rev = RT3070_RF_3020;
1836 			sc->ntxchains = 1;
1837 			sc->nrxchains = 1;
1838 		} else {
1839 			/* default to RF2820 1T2R */
1840 			sc->rf_rev = RT2860_RF_2820;
1841 			sc->ntxchains = 1;
1842 			sc->nrxchains = 2;
1843 		}
1844 	} else {
1845 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1846 			sc->rf_rev = val;
1847 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1848 		} else
1849 			sc->rf_rev = (val >> 8) & 0xf;
1850 		sc->ntxchains = (val >> 4) & 0xf;
1851 		sc->nrxchains = val & 0xf;
1852 	}
1853 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1854 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1855 
1856 	/* check if RF supports automatic Tx access gain control */
1857 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1858 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1859 	/* check if driver should patch the DAC issue */
1860 	if ((val >> 8) != 0xff)
1861 		sc->patch_dac = (val >> 15) & 1;
1862 	if ((val & 0xff) != 0xff) {
1863 		sc->ext_5ghz_lna = (val >> 3) & 1;
1864 		sc->ext_2ghz_lna = (val >> 2) & 1;
1865 		/* check if RF supports automatic Tx access gain control */
1866 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1867 		/* check if we have a hardware radio switch */
1868 		sc->rfswitch = val & 1;
1869 	}
1870 
1871 	/* Read Tx power settings. */
1872 	if (sc->mac_ver == 0x3593)
1873 		run_rt3593_get_txpower(sc);
1874 	else
1875 		run_get_txpower(sc);
1876 
1877 	/* read Tx power compensation for each Tx rate */
1878 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1879 	delta_2ghz = delta_5ghz = 0;
1880 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1881 		delta_2ghz = val & 0xf;
1882 		if (!(val & 0x40))	/* negative number */
1883 			delta_2ghz = -delta_2ghz;
1884 	}
1885 	val >>= 8;
1886 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1887 		delta_5ghz = val & 0xf;
1888 		if (!(val & 0x40))	/* negative number */
1889 			delta_5ghz = -delta_5ghz;
1890 	}
1891 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1892 	    delta_2ghz, delta_5ghz);
1893 
1894 	for (ridx = 0; ridx < 5; ridx++) {
1895 		uint32_t reg;
1896 
1897 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1898 		reg = val;
1899 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1900 		reg |= (uint32_t)val << 16;
1901 
1902 		sc->txpow20mhz[ridx] = reg;
1903 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1904 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1905 
1906 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1907 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1908 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1909 	}
1910 
1911 	/* Read RSSI offsets and LNA gains from EEPROM. */
1912 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1913 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1914 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1915 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1916 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1917 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1918 	if (sc->mac_ver >= 0x3070) {
1919 		if (sc->mac_ver == 0x3593) {
1920 			sc->txmixgain_2ghz = 0;
1921 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1922 		} else {
1923 			/*
1924 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1925 			 * field contains the Tx mixer gain for the 2GHz band.
1926 			 */
1927 			if ((val & 0xff) != 0xff)
1928 				sc->txmixgain_2ghz = val & 0x7;
1929 		}
1930 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1931 	} else
1932 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1933 	if (sc->mac_ver == 0x3593)
1934 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1935 	sc->lna[2] = val >> 8;		/* channel group 2 */
1936 
1937 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1938 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1939 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1940 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1941 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1942 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1943 	if (sc->mac_ver == 0x3572) {
1944 		/*
1945 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1946 		 * field contains the Tx mixer gain for the 5GHz band.
1947 		 */
1948 		if ((val & 0xff) != 0xff)
1949 			sc->txmixgain_5ghz = val & 0x7;
1950 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1951 	} else
1952 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1953 	if (sc->mac_ver == 0x3593) {
1954 		sc->txmixgain_5ghz = 0;
1955 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1956 	}
1957 	sc->lna[3] = val >> 8;		/* channel group 3 */
1958 
1959 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1960 	    RT3593_EEPROM_LNA, &val);
1961 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1962 	sc->lna[1] = val >> 8;		/* channel group 1 */
1963 
1964 	/* fix broken 5GHz LNA entries */
1965 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1966 		DPRINTF("invalid LNA for channel group %d\n", 2);
1967 		sc->lna[2] = sc->lna[1];
1968 	}
1969 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1970 		DPRINTF("invalid LNA for channel group %d\n", 3);
1971 		sc->lna[3] = sc->lna[1];
1972 	}
1973 
1974 	/* fix broken RSSI offset entries */
1975 	for (ant = 0; ant < 3; ant++) {
1976 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1977 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1978 			    ant + 1, sc->rssi_2ghz[ant]);
1979 			sc->rssi_2ghz[ant] = 0;
1980 		}
1981 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1982 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1983 			    ant + 1, sc->rssi_5ghz[ant]);
1984 			sc->rssi_5ghz[ant] = 0;
1985 		}
1986 	}
1987 	return (0);
1988 }
1989 
1990 static struct ieee80211_node *
1991 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1992 {
1993 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1994 }
1995 
1996 static int
1997 run_media_change(struct ifnet *ifp)
1998 {
1999 	struct ieee80211vap *vap = ifp->if_softc;
2000 	struct ieee80211com *ic = vap->iv_ic;
2001 	const struct ieee80211_txparam *tp;
2002 	struct run_softc *sc = ic->ic_softc;
2003 	uint8_t rate, ridx;
2004 	int error;
2005 
2006 	RUN_LOCK(sc);
2007 
2008 	error = ieee80211_media_change(ifp);
2009 	if (error != ENETRESET) {
2010 		RUN_UNLOCK(sc);
2011 		return (error);
2012 	}
2013 
2014 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2015 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2016 		struct ieee80211_node *ni;
2017 		struct run_node	*rn;
2018 
2019 		rate = ic->ic_sup_rates[ic->ic_curmode].
2020 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2021 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2022 			if (rt2860_rates[ridx].rate == rate)
2023 				break;
2024 		ni = ieee80211_ref_node(vap->iv_bss);
2025 		rn = RUN_NODE(ni);
2026 		rn->fix_ridx = ridx;
2027 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2028 		ieee80211_free_node(ni);
2029 	}
2030 
2031 #if 0
2032 	if ((ifp->if_flags & IFF_UP) &&
2033 	    (ifp->if_drv_flags &  RUN_RUNNING)){
2034 		run_init_locked(sc);
2035 	}
2036 #endif
2037 
2038 	RUN_UNLOCK(sc);
2039 
2040 	return (0);
2041 }
2042 
2043 static int
2044 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2045 {
2046 	const struct ieee80211_txparam *tp;
2047 	struct ieee80211com *ic = vap->iv_ic;
2048 	struct run_softc *sc = ic->ic_softc;
2049 	struct run_vap *rvp = RUN_VAP(vap);
2050 	enum ieee80211_state ostate;
2051 	uint32_t sta[3];
2052 	uint32_t tmp;
2053 	uint8_t ratectl;
2054 	uint8_t restart_ratectl = 0;
2055 	uint8_t bid = 1 << rvp->rvp_id;
2056 
2057 	ostate = vap->iv_state;
2058 	DPRINTF("%s -> %s\n",
2059 		ieee80211_state_name[ostate],
2060 		ieee80211_state_name[nstate]);
2061 
2062 	IEEE80211_UNLOCK(ic);
2063 	RUN_LOCK(sc);
2064 
2065 	ratectl = sc->ratectl_run; /* remember current state */
2066 	sc->ratectl_run = RUN_RATECTL_OFF;
2067 	usb_callout_stop(&sc->ratectl_ch);
2068 
2069 	if (ostate == IEEE80211_S_RUN) {
2070 		/* turn link LED off */
2071 		run_set_leds(sc, RT2860_LED_RADIO);
2072 	}
2073 
2074 	switch (nstate) {
2075 	case IEEE80211_S_INIT:
2076 		restart_ratectl = 1;
2077 
2078 		if (ostate != IEEE80211_S_RUN)
2079 			break;
2080 
2081 		ratectl &= ~bid;
2082 		sc->runbmap &= ~bid;
2083 
2084 		/* abort TSF synchronization if there is no vap running */
2085 		if (--sc->running == 0) {
2086 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2087 			run_write(sc, RT2860_BCN_TIME_CFG,
2088 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2089 			    RT2860_TBTT_TIMER_EN));
2090 		}
2091 		break;
2092 
2093 	case IEEE80211_S_RUN:
2094 		if (!(sc->runbmap & bid)) {
2095 			if(sc->running++)
2096 				restart_ratectl = 1;
2097 			sc->runbmap |= bid;
2098 		}
2099 
2100 		m_freem(rvp->beacon_mbuf);
2101 		rvp->beacon_mbuf = NULL;
2102 
2103 		switch (vap->iv_opmode) {
2104 		case IEEE80211_M_HOSTAP:
2105 		case IEEE80211_M_MBSS:
2106 			sc->ap_running |= bid;
2107 			ic->ic_opmode = vap->iv_opmode;
2108 			run_update_beacon_cb(vap);
2109 			break;
2110 		case IEEE80211_M_IBSS:
2111 			sc->adhoc_running |= bid;
2112 			if (!sc->ap_running)
2113 				ic->ic_opmode = vap->iv_opmode;
2114 			run_update_beacon_cb(vap);
2115 			break;
2116 		case IEEE80211_M_STA:
2117 			sc->sta_running |= bid;
2118 			if (!sc->ap_running && !sc->adhoc_running)
2119 				ic->ic_opmode = vap->iv_opmode;
2120 
2121 			/* read statistic counters (clear on read) */
2122 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2123 			    (uint8_t *)sta, sizeof sta);
2124 
2125 			break;
2126 		default:
2127 			ic->ic_opmode = vap->iv_opmode;
2128 			break;
2129 		}
2130 
2131 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2132 			struct ieee80211_node *ni;
2133 
2134 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2135 				RUN_UNLOCK(sc);
2136 				IEEE80211_LOCK(ic);
2137 				return (-1);
2138 			}
2139 			run_updateslot(ic);
2140 			run_enable_mrr(sc);
2141 			run_set_txpreamble(sc);
2142 			run_set_basicrates(sc);
2143 			ni = ieee80211_ref_node(vap->iv_bss);
2144 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2145 			run_set_bssid(sc, sc->sc_bssid);
2146 			ieee80211_free_node(ni);
2147 			run_enable_tsf_sync(sc);
2148 
2149 			/* enable automatic rate adaptation */
2150 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2151 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2152 				ratectl |= bid;
2153 		} else
2154 			run_enable_tsf(sc);
2155 
2156 		/* turn link LED on */
2157 		run_set_leds(sc, RT2860_LED_RADIO |
2158 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2159 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2160 
2161 		break;
2162 	default:
2163 		DPRINTFN(6, "undefined case\n");
2164 		break;
2165 	}
2166 
2167 	/* restart amrr for running VAPs */
2168 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2169 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2170 
2171 	RUN_UNLOCK(sc);
2172 	IEEE80211_LOCK(ic);
2173 
2174 	return(rvp->newstate(vap, nstate, arg));
2175 }
2176 
2177 static int
2178 run_wme_update(struct ieee80211com *ic)
2179 {
2180 	struct run_softc *sc = ic->ic_softc;
2181 	const struct wmeParams *ac =
2182 	    ic->ic_wme.wme_chanParams.cap_wmeParams;
2183 	int aci, error = 0;
2184 
2185 	/* update MAC TX configuration registers */
2186 	RUN_LOCK(sc);
2187 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2188 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2189 		    ac[aci].wmep_logcwmax << 16 |
2190 		    ac[aci].wmep_logcwmin << 12 |
2191 		    ac[aci].wmep_aifsn    <<  8 |
2192 		    ac[aci].wmep_txopLimit);
2193 		if (error) goto err;
2194 	}
2195 
2196 	/* update SCH/DMA registers too */
2197 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2198 	    ac[WME_AC_VO].wmep_aifsn  << 12 |
2199 	    ac[WME_AC_VI].wmep_aifsn  <<  8 |
2200 	    ac[WME_AC_BK].wmep_aifsn  <<  4 |
2201 	    ac[WME_AC_BE].wmep_aifsn);
2202 	if (error) goto err;
2203 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2204 	    ac[WME_AC_VO].wmep_logcwmin << 12 |
2205 	    ac[WME_AC_VI].wmep_logcwmin <<  8 |
2206 	    ac[WME_AC_BK].wmep_logcwmin <<  4 |
2207 	    ac[WME_AC_BE].wmep_logcwmin);
2208 	if (error) goto err;
2209 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2210 	    ac[WME_AC_VO].wmep_logcwmax << 12 |
2211 	    ac[WME_AC_VI].wmep_logcwmax <<  8 |
2212 	    ac[WME_AC_BK].wmep_logcwmax <<  4 |
2213 	    ac[WME_AC_BE].wmep_logcwmax);
2214 	if (error) goto err;
2215 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2216 	    ac[WME_AC_BK].wmep_txopLimit << 16 |
2217 	    ac[WME_AC_BE].wmep_txopLimit);
2218 	if (error) goto err;
2219 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2220 	    ac[WME_AC_VO].wmep_txopLimit << 16 |
2221 	    ac[WME_AC_VI].wmep_txopLimit);
2222 
2223 err:
2224 	RUN_UNLOCK(sc);
2225 	if (error)
2226 		DPRINTF("WME update failed\n");
2227 
2228 	return (error);
2229 }
2230 
2231 static void
2232 run_key_set_cb(void *arg)
2233 {
2234 	struct run_cmdq *cmdq = arg;
2235 	struct ieee80211vap *vap = cmdq->arg1;
2236 	struct ieee80211_key *k = cmdq->k;
2237 	struct ieee80211com *ic = vap->iv_ic;
2238 	struct run_softc *sc = ic->ic_softc;
2239 	struct ieee80211_node *ni;
2240 	u_int cipher = k->wk_cipher->ic_cipher;
2241 	uint32_t attr;
2242 	uint16_t base, associd;
2243 	uint8_t mode, wcid, iv[8];
2244 
2245 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2246 
2247 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2248 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2249 	else
2250 		ni = vap->iv_bss;
2251 	associd = (ni != NULL) ? ni->ni_associd : 0;
2252 
2253 	/* map net80211 cipher to RT2860 security mode */
2254 	switch (cipher) {
2255 	case IEEE80211_CIPHER_WEP:
2256 		if(k->wk_keylen < 8)
2257 			mode = RT2860_MODE_WEP40;
2258 		else
2259 			mode = RT2860_MODE_WEP104;
2260 		break;
2261 	case IEEE80211_CIPHER_TKIP:
2262 		mode = RT2860_MODE_TKIP;
2263 		break;
2264 	case IEEE80211_CIPHER_AES_CCM:
2265 		mode = RT2860_MODE_AES_CCMP;
2266 		break;
2267 	default:
2268 		DPRINTF("undefined case\n");
2269 		return;
2270 	}
2271 
2272 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2273 	    associd, k->wk_keyix, mode,
2274 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2275 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2276 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2277 
2278 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2279 		wcid = 0;	/* NB: update WCID0 for group keys */
2280 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2281 	} else {
2282 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2283 		    1 : RUN_AID2WCID(associd);
2284 		base = RT2860_PKEY(wcid);
2285 	}
2286 
2287 	if (cipher == IEEE80211_CIPHER_TKIP) {
2288 		if(run_write_region_1(sc, base, k->wk_key, 16))
2289 			return;
2290 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2291 			return;
2292 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2293 			return;
2294 	} else {
2295 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2296 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2297 			return;
2298 	}
2299 
2300 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2301 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2302 		/* set initial packet number in IV+EIV */
2303 		if (cipher == IEEE80211_CIPHER_WEP) {
2304 			memset(iv, 0, sizeof iv);
2305 			iv[3] = vap->iv_def_txkey << 6;
2306 		} else {
2307 			if (cipher == IEEE80211_CIPHER_TKIP) {
2308 				iv[0] = k->wk_keytsc >> 8;
2309 				iv[1] = (iv[0] | 0x20) & 0x7f;
2310 				iv[2] = k->wk_keytsc;
2311 			} else /* CCMP */ {
2312 				iv[0] = k->wk_keytsc;
2313 				iv[1] = k->wk_keytsc >> 8;
2314 				iv[2] = 0;
2315 			}
2316 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2317 			iv[4] = k->wk_keytsc >> 16;
2318 			iv[5] = k->wk_keytsc >> 24;
2319 			iv[6] = k->wk_keytsc >> 32;
2320 			iv[7] = k->wk_keytsc >> 40;
2321 		}
2322 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2323 			return;
2324 	}
2325 
2326 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2327 		/* install group key */
2328 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2329 			return;
2330 		attr &= ~(0xf << (k->wk_keyix * 4));
2331 		attr |= mode << (k->wk_keyix * 4);
2332 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2333 			return;
2334 	} else {
2335 		/* install pairwise key */
2336 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2337 			return;
2338 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2339 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2340 			return;
2341 	}
2342 
2343 	/* TODO create a pass-thru key entry? */
2344 
2345 	/* need wcid to delete the right key later */
2346 	k->wk_pad = wcid;
2347 }
2348 
2349 /*
2350  * Don't have to be deferred, but in order to keep order of
2351  * execution, i.e. with run_key_delete(), defer this and let
2352  * run_cmdq_cb() maintain the order.
2353  *
2354  * return 0 on error
2355  */
2356 static int
2357 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2358 {
2359 	struct ieee80211com *ic = vap->iv_ic;
2360 	struct run_softc *sc = ic->ic_softc;
2361 	uint32_t i;
2362 
2363 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2364 	DPRINTF("cmdq_store=%d\n", i);
2365 	sc->cmdq[i].func = run_key_set_cb;
2366 	sc->cmdq[i].arg0 = NULL;
2367 	sc->cmdq[i].arg1 = vap;
2368 	sc->cmdq[i].k = k;
2369 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2370 	ieee80211_runtask(ic, &sc->cmdq_task);
2371 
2372 	/*
2373 	 * To make sure key will be set when hostapd
2374 	 * calls iv_key_set() before if_init().
2375 	 */
2376 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2377 		RUN_LOCK(sc);
2378 		sc->cmdq_key_set = RUN_CMDQ_GO;
2379 		RUN_UNLOCK(sc);
2380 	}
2381 
2382 	return (1);
2383 }
2384 
2385 /*
2386  * If wlan is destroyed without being brought down i.e. without
2387  * wlan down or wpa_cli terminate, this function is called after
2388  * vap is gone. Don't refer it.
2389  */
2390 static void
2391 run_key_delete_cb(void *arg)
2392 {
2393 	struct run_cmdq *cmdq = arg;
2394 	struct run_softc *sc = cmdq->arg1;
2395 	struct ieee80211_key *k = &cmdq->key;
2396 	uint32_t attr;
2397 	uint8_t wcid;
2398 
2399 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2400 
2401 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2402 		/* remove group key */
2403 		DPRINTF("removing group key\n");
2404 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2405 		attr &= ~(0xf << (k->wk_keyix * 4));
2406 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2407 	} else {
2408 		/* remove pairwise key */
2409 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2410 		/* matching wcid was written to wk_pad in run_key_set() */
2411 		wcid = k->wk_pad;
2412 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2413 		attr &= ~0xf;
2414 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2415 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2416 	}
2417 
2418 	k->wk_pad = 0;
2419 }
2420 
2421 /*
2422  * return 0 on error
2423  */
2424 static int
2425 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2426 {
2427 	struct ieee80211com *ic = vap->iv_ic;
2428 	struct run_softc *sc = ic->ic_softc;
2429 	struct ieee80211_key *k0;
2430 	uint32_t i;
2431 
2432 	/*
2433 	 * When called back, key might be gone. So, make a copy
2434 	 * of some values need to delete keys before deferring.
2435 	 * But, because of LOR with node lock, cannot use lock here.
2436 	 * So, use atomic instead.
2437 	 */
2438 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2439 	DPRINTF("cmdq_store=%d\n", i);
2440 	sc->cmdq[i].func = run_key_delete_cb;
2441 	sc->cmdq[i].arg0 = NULL;
2442 	sc->cmdq[i].arg1 = sc;
2443 	k0 = &sc->cmdq[i].key;
2444 	k0->wk_flags = k->wk_flags;
2445 	k0->wk_keyix = k->wk_keyix;
2446 	/* matching wcid was written to wk_pad in run_key_set() */
2447 	k0->wk_pad = k->wk_pad;
2448 	ieee80211_runtask(ic, &sc->cmdq_task);
2449 	return (1);	/* return fake success */
2450 
2451 }
2452 
2453 static void
2454 run_ratectl_to(void *arg)
2455 {
2456 	struct run_softc *sc = arg;
2457 
2458 	/* do it in a process context, so it can go sleep */
2459 	ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2460 	/* next timeout will be rescheduled in the callback task */
2461 }
2462 
2463 /* ARGSUSED */
2464 static void
2465 run_ratectl_cb(void *arg, int pending)
2466 {
2467 	struct run_softc *sc = arg;
2468 	struct ieee80211com *ic = &sc->sc_ic;
2469 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2470 
2471 	if (vap == NULL)
2472 		return;
2473 
2474 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2475 		/*
2476 		 * run_reset_livelock() doesn't do anything with AMRR,
2477 		 * but Ralink wants us to call it every 1 sec. So, we
2478 		 * piggyback here rather than creating another callout.
2479 		 * Livelock may occur only in HOSTAP or IBSS mode
2480 		 * (when h/w is sending beacons).
2481 		 */
2482 		RUN_LOCK(sc);
2483 		run_reset_livelock(sc);
2484 		/* just in case, there are some stats to drain */
2485 		run_drain_fifo(sc);
2486 		RUN_UNLOCK(sc);
2487 	}
2488 
2489 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2490 
2491 	RUN_LOCK(sc);
2492 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2493 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2494 	RUN_UNLOCK(sc);
2495 }
2496 
2497 static void
2498 run_drain_fifo(void *arg)
2499 {
2500 	struct run_softc *sc = arg;
2501 	uint32_t stat;
2502 	uint16_t (*wstat)[3];
2503 	uint8_t wcid, mcs, pid;
2504 	int8_t retry;
2505 
2506 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2507 
2508 	for (;;) {
2509 		/* drain Tx status FIFO (maxsize = 16) */
2510 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2511 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2512 		if (!(stat & RT2860_TXQ_VLD))
2513 			break;
2514 
2515 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2516 
2517 		/* if no ACK was requested, no feedback is available */
2518 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2519 		    wcid == 0)
2520 			continue;
2521 
2522 		/*
2523 		 * Even though each stat is Tx-complete-status like format,
2524 		 * the device can poll stats. Because there is no guarantee
2525 		 * that the referring node is still around when read the stats.
2526 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2527 		 * have hard time not to refer already freed node.
2528 		 *
2529 		 * To eliminate such page faults, we poll stats in softc.
2530 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2531 		 */
2532 		wstat = &(sc->wcid_stats[wcid]);
2533 		(*wstat)[RUN_TXCNT]++;
2534 		if (stat & RT2860_TXQ_OK)
2535 			(*wstat)[RUN_SUCCESS]++;
2536 		else
2537 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2538 		/*
2539 		 * Check if there were retries, ie if the Tx success rate is
2540 		 * different from the requested rate. Note that it works only
2541 		 * because we do not allow rate fallback from OFDM to CCK.
2542 		 */
2543 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2544 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2545 		if ((retry = pid -1 - mcs) > 0) {
2546 			(*wstat)[RUN_TXCNT] += retry;
2547 			(*wstat)[RUN_RETRY] += retry;
2548 		}
2549 	}
2550 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2551 
2552 	sc->fifo_cnt = 0;
2553 }
2554 
2555 static void
2556 run_iter_func(void *arg, struct ieee80211_node *ni)
2557 {
2558 	struct run_softc *sc = arg;
2559 	struct ieee80211vap *vap = ni->ni_vap;
2560 	struct run_node *rn = RUN_NODE(ni);
2561 	union run_stats sta[2];
2562 	uint16_t (*wstat)[3];
2563 	int txcnt, success, retrycnt, error;
2564 
2565 	RUN_LOCK(sc);
2566 
2567 	/* Check for special case */
2568 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2569 	    ni != vap->iv_bss)
2570 		goto fail;
2571 
2572 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2573 	    vap->iv_opmode == IEEE80211_M_STA)) {
2574 		/* read statistic counters (clear on read) and update AMRR state */
2575 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2576 		    sizeof sta);
2577 		if (error != 0)
2578 			goto fail;
2579 
2580 		/* count failed TX as errors */
2581 		if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2582 		    le16toh(sta[0].error.fail));
2583 
2584 		retrycnt = le16toh(sta[1].tx.retry);
2585 		success = le16toh(sta[1].tx.success);
2586 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2587 
2588 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2589 			retrycnt, success, le16toh(sta[0].error.fail));
2590 	} else {
2591 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2592 
2593 		if (wstat == &(sc->wcid_stats[0]) ||
2594 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2595 			goto fail;
2596 
2597 		txcnt = (*wstat)[RUN_TXCNT];
2598 		success = (*wstat)[RUN_SUCCESS];
2599 		retrycnt = (*wstat)[RUN_RETRY];
2600 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2601 		    retrycnt, txcnt, success);
2602 
2603 		memset(wstat, 0, sizeof(*wstat));
2604 	}
2605 
2606 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2607 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2608 
2609 fail:
2610 	RUN_UNLOCK(sc);
2611 
2612 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2613 }
2614 
2615 static void
2616 run_newassoc_cb(void *arg)
2617 {
2618 	struct run_cmdq *cmdq = arg;
2619 	struct ieee80211_node *ni = cmdq->arg1;
2620 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2621 	uint8_t wcid = cmdq->wcid;
2622 
2623 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2624 
2625 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2626 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2627 
2628 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2629 }
2630 
2631 static void
2632 run_newassoc(struct ieee80211_node *ni, int isnew)
2633 {
2634 	struct run_node *rn = RUN_NODE(ni);
2635 	struct ieee80211_rateset *rs = &ni->ni_rates;
2636 	struct ieee80211vap *vap = ni->ni_vap;
2637 	struct ieee80211com *ic = vap->iv_ic;
2638 	struct run_softc *sc = ic->ic_softc;
2639 	uint8_t rate;
2640 	uint8_t ridx;
2641 	uint8_t wcid;
2642 	int i, j;
2643 
2644 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2645 	    1 : RUN_AID2WCID(ni->ni_associd);
2646 
2647 	if (wcid > RT2870_WCID_MAX) {
2648 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2649 		return;
2650 	}
2651 
2652 	/* only interested in true associations */
2653 	if (isnew && ni->ni_associd != 0) {
2654 
2655 		/*
2656 		 * This function could is called though timeout function.
2657 		 * Need to defer.
2658 		 */
2659 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2660 		DPRINTF("cmdq_store=%d\n", cnt);
2661 		sc->cmdq[cnt].func = run_newassoc_cb;
2662 		sc->cmdq[cnt].arg0 = NULL;
2663 		sc->cmdq[cnt].arg1 = ni;
2664 		sc->cmdq[cnt].wcid = wcid;
2665 		ieee80211_runtask(ic, &sc->cmdq_task);
2666 	}
2667 
2668 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2669 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2670 
2671 	for (i = 0; i < rs->rs_nrates; i++) {
2672 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2673 		/* convert 802.11 rate to hardware rate index */
2674 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2675 			if (rt2860_rates[ridx].rate == rate)
2676 				break;
2677 		rn->ridx[i] = ridx;
2678 		/* determine rate of control response frames */
2679 		for (j = i; j >= 0; j--) {
2680 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2681 			    rt2860_rates[rn->ridx[i]].phy ==
2682 			    rt2860_rates[rn->ridx[j]].phy)
2683 				break;
2684 		}
2685 		if (j >= 0) {
2686 			rn->ctl_ridx[i] = rn->ridx[j];
2687 		} else {
2688 			/* no basic rate found, use mandatory one */
2689 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2690 		}
2691 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2692 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2693 	}
2694 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2695 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2696 		if (rt2860_rates[ridx].rate == rate)
2697 			break;
2698 	rn->mgt_ridx = ridx;
2699 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2700 
2701 	RUN_LOCK(sc);
2702 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2703 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2704 	RUN_UNLOCK(sc);
2705 }
2706 
2707 /*
2708  * Return the Rx chain with the highest RSSI for a given frame.
2709  */
2710 static __inline uint8_t
2711 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2712 {
2713 	uint8_t rxchain = 0;
2714 
2715 	if (sc->nrxchains > 1) {
2716 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2717 			rxchain = 1;
2718 		if (sc->nrxchains > 2)
2719 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2720 				rxchain = 2;
2721 	}
2722 	return (rxchain);
2723 }
2724 
2725 static void
2726 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2727     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2728 {
2729 	struct ieee80211vap *vap = ni->ni_vap;
2730 	struct run_softc *sc = vap->iv_ic->ic_softc;
2731 	struct run_vap *rvp = RUN_VAP(vap);
2732 	uint64_t ni_tstamp, rx_tstamp;
2733 
2734 	rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2735 
2736 	if (vap->iv_state == IEEE80211_S_RUN &&
2737 	    (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2738 	    subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2739 		ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2740 		RUN_LOCK(sc);
2741 		run_get_tsf(sc, &rx_tstamp);
2742 		RUN_UNLOCK(sc);
2743 		rx_tstamp = le64toh(rx_tstamp);
2744 
2745 		if (ni_tstamp >= rx_tstamp) {
2746 			DPRINTF("ibss merge, tsf %ju tstamp %ju\n",
2747 			    (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2748 			(void) ieee80211_ibss_merge(ni);
2749 		}
2750 	}
2751 }
2752 
2753 static void
2754 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2755 {
2756 	struct ieee80211com *ic = &sc->sc_ic;
2757 	struct ieee80211_frame *wh;
2758 	struct ieee80211_node *ni;
2759 	struct rt2870_rxd *rxd;
2760 	struct rt2860_rxwi *rxwi;
2761 	uint32_t flags;
2762 	uint16_t len, rxwisize;
2763 	uint8_t ant, rssi;
2764 	int8_t nf;
2765 
2766 	rxwi = mtod(m, struct rt2860_rxwi *);
2767 	len = le16toh(rxwi->len) & 0xfff;
2768 	rxwisize = sizeof(struct rt2860_rxwi);
2769 	if (sc->mac_ver == 0x5592)
2770 		rxwisize += sizeof(uint64_t);
2771 	else if (sc->mac_ver == 0x3593)
2772 		rxwisize += sizeof(uint32_t);
2773 	if (__predict_false(len > dmalen)) {
2774 		m_freem(m);
2775 		counter_u64_add(ic->ic_ierrors, 1);
2776 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2777 		return;
2778 	}
2779 	/* Rx descriptor is located at the end */
2780 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2781 	flags = le32toh(rxd->flags);
2782 
2783 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2784 		m_freem(m);
2785 		counter_u64_add(ic->ic_ierrors, 1);
2786 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2787 		return;
2788 	}
2789 
2790 	m->m_data += rxwisize;
2791 	m->m_pkthdr.len = m->m_len -= rxwisize;
2792 
2793 	wh = mtod(m, struct ieee80211_frame *);
2794 
2795 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2796 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2797 		m->m_flags |= M_WEP;
2798 	}
2799 
2800 	if (flags & RT2860_RX_L2PAD) {
2801 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2802 		len += 2;
2803 	}
2804 
2805 	ni = ieee80211_find_rxnode(ic,
2806 	    mtod(m, struct ieee80211_frame_min *));
2807 
2808 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2809 		/* report MIC failures to net80211 for TKIP */
2810 		if (ni != NULL)
2811 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2812 			    rxwi->keyidx);
2813 		m_freem(m);
2814 		counter_u64_add(ic->ic_ierrors, 1);
2815 		DPRINTF("MIC error. Someone is lying.\n");
2816 		return;
2817 	}
2818 
2819 	ant = run_maxrssi_chain(sc, rxwi);
2820 	rssi = rxwi->rssi[ant];
2821 	nf = run_rssi2dbm(sc, rssi, ant);
2822 
2823 	m->m_pkthdr.len = m->m_len = len;
2824 
2825 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2826 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2827 		uint16_t phy;
2828 
2829 		tap->wr_flags = 0;
2830 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2831 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2832 		tap->wr_antsignal = rssi;
2833 		tap->wr_antenna = ant;
2834 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2835 		tap->wr_rate = 2;	/* in case it can't be found below */
2836 		run_get_tsf(sc, &tap->wr_tsf);
2837 		phy = le16toh(rxwi->phy);
2838 		switch (phy & RT2860_PHY_MODE) {
2839 		case RT2860_PHY_CCK:
2840 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2841 			case 0:	tap->wr_rate =   2; break;
2842 			case 1:	tap->wr_rate =   4; break;
2843 			case 2:	tap->wr_rate =  11; break;
2844 			case 3:	tap->wr_rate =  22; break;
2845 			}
2846 			if (phy & RT2860_PHY_SHPRE)
2847 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2848 			break;
2849 		case RT2860_PHY_OFDM:
2850 			switch (phy & RT2860_PHY_MCS) {
2851 			case 0:	tap->wr_rate =  12; break;
2852 			case 1:	tap->wr_rate =  18; break;
2853 			case 2:	tap->wr_rate =  24; break;
2854 			case 3:	tap->wr_rate =  36; break;
2855 			case 4:	tap->wr_rate =  48; break;
2856 			case 5:	tap->wr_rate =  72; break;
2857 			case 6:	tap->wr_rate =  96; break;
2858 			case 7:	tap->wr_rate = 108; break;
2859 			}
2860 			break;
2861 		}
2862 	}
2863 
2864 	if (ni != NULL) {
2865 		(void)ieee80211_input(ni, m, rssi, nf);
2866 		ieee80211_free_node(ni);
2867 	} else {
2868 		(void)ieee80211_input_all(ic, m, rssi, nf);
2869 	}
2870 }
2871 
2872 static void
2873 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2874 {
2875 	struct run_softc *sc = usbd_xfer_softc(xfer);
2876 	struct ieee80211com *ic = &sc->sc_ic;
2877 	struct mbuf *m = NULL;
2878 	struct mbuf *m0;
2879 	uint32_t dmalen;
2880 	uint16_t rxwisize;
2881 	int xferlen;
2882 
2883 	rxwisize = sizeof(struct rt2860_rxwi);
2884 	if (sc->mac_ver == 0x5592)
2885 		rxwisize += sizeof(uint64_t);
2886 	else if (sc->mac_ver == 0x3593)
2887 		rxwisize += sizeof(uint32_t);
2888 
2889 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2890 
2891 	switch (USB_GET_STATE(xfer)) {
2892 	case USB_ST_TRANSFERRED:
2893 
2894 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2895 
2896 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2897 		    sizeof(struct rt2870_rxd))) {
2898 			DPRINTF("xfer too short %d\n", xferlen);
2899 			goto tr_setup;
2900 		}
2901 
2902 		m = sc->rx_m;
2903 		sc->rx_m = NULL;
2904 
2905 		/* FALLTHROUGH */
2906 	case USB_ST_SETUP:
2907 tr_setup:
2908 		if (sc->rx_m == NULL) {
2909 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2910 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2911 		}
2912 		if (sc->rx_m == NULL) {
2913 			DPRINTF("could not allocate mbuf - idle with stall\n");
2914 			counter_u64_add(ic->ic_ierrors, 1);
2915 			usbd_xfer_set_stall(xfer);
2916 			usbd_xfer_set_frames(xfer, 0);
2917 		} else {
2918 			/*
2919 			 * Directly loading a mbuf cluster into DMA to
2920 			 * save some data copying. This works because
2921 			 * there is only one cluster.
2922 			 */
2923 			usbd_xfer_set_frame_data(xfer, 0,
2924 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2925 			usbd_xfer_set_frames(xfer, 1);
2926 		}
2927 		usbd_transfer_submit(xfer);
2928 		break;
2929 
2930 	default:	/* Error */
2931 		if (error != USB_ERR_CANCELLED) {
2932 			/* try to clear stall first */
2933 			usbd_xfer_set_stall(xfer);
2934 			if (error == USB_ERR_TIMEOUT)
2935 				device_printf(sc->sc_dev, "device timeout\n");
2936 			counter_u64_add(ic->ic_ierrors, 1);
2937 			goto tr_setup;
2938 		}
2939 		if (sc->rx_m != NULL) {
2940 			m_freem(sc->rx_m);
2941 			sc->rx_m = NULL;
2942 		}
2943 		break;
2944 	}
2945 
2946 	if (m == NULL)
2947 		return;
2948 
2949 	/* inputting all the frames must be last */
2950 
2951 	RUN_UNLOCK(sc);
2952 
2953 	m->m_pkthdr.len = m->m_len = xferlen;
2954 
2955 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2956 	for(;;) {
2957 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2958 
2959 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2960 		    ((dmalen & 3) != 0)) {
2961 			DPRINTF("bad DMA length %u\n", dmalen);
2962 			break;
2963 		}
2964 		if ((dmalen + 8) > (uint32_t)xferlen) {
2965 			DPRINTF("bad DMA length %u > %d\n",
2966 			dmalen + 8, xferlen);
2967 			break;
2968 		}
2969 
2970 		/* If it is the last one or a single frame, we won't copy. */
2971 		if ((xferlen -= dmalen + 8) <= 8) {
2972 			/* trim 32-bit DMA-len header */
2973 			m->m_data += 4;
2974 			m->m_pkthdr.len = m->m_len -= 4;
2975 			run_rx_frame(sc, m, dmalen);
2976 			m = NULL;	/* don't free source buffer */
2977 			break;
2978 		}
2979 
2980 		/* copy aggregated frames to another mbuf */
2981 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2982 		if (__predict_false(m0 == NULL)) {
2983 			DPRINTF("could not allocate mbuf\n");
2984 			counter_u64_add(ic->ic_ierrors, 1);
2985 			break;
2986 		}
2987 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2988 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2989 		m0->m_pkthdr.len = m0->m_len =
2990 		    dmalen + sizeof(struct rt2870_rxd);
2991 		run_rx_frame(sc, m0, dmalen);
2992 
2993 		/* update data ptr */
2994 		m->m_data += dmalen + 8;
2995 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
2996 	}
2997 
2998 	/* make sure we free the source buffer, if any */
2999 	m_freem(m);
3000 
3001 	RUN_LOCK(sc);
3002 }
3003 
3004 static void
3005 run_tx_free(struct run_endpoint_queue *pq,
3006     struct run_tx_data *data, int txerr)
3007 {
3008 
3009 	ieee80211_tx_complete(data->ni, data->m, txerr);
3010 
3011 	data->m = NULL;
3012 	data->ni = NULL;
3013 
3014 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3015 	pq->tx_nfree++;
3016 }
3017 
3018 static void
3019 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3020 {
3021 	struct run_softc *sc = usbd_xfer_softc(xfer);
3022 	struct ieee80211com *ic = &sc->sc_ic;
3023 	struct run_tx_data *data;
3024 	struct ieee80211vap *vap = NULL;
3025 	struct usb_page_cache *pc;
3026 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3027 	struct mbuf *m;
3028 	usb_frlength_t size;
3029 	int actlen;
3030 	int sumlen;
3031 
3032 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3033 
3034 	switch (USB_GET_STATE(xfer)) {
3035 	case USB_ST_TRANSFERRED:
3036 		DPRINTFN(11, "transfer complete: %d "
3037 		    "bytes @ index %d\n", actlen, index);
3038 
3039 		data = usbd_xfer_get_priv(xfer);
3040 		run_tx_free(pq, data, 0);
3041 		usbd_xfer_set_priv(xfer, NULL);
3042 
3043 		/* FALLTHROUGH */
3044 	case USB_ST_SETUP:
3045 tr_setup:
3046 		data = STAILQ_FIRST(&pq->tx_qh);
3047 		if (data == NULL)
3048 			break;
3049 
3050 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3051 
3052 		m = data->m;
3053 		size = (sc->mac_ver == 0x5592) ?
3054 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3055 		if ((m->m_pkthdr.len +
3056 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3057 			DPRINTF("data overflow, %u bytes\n",
3058 			    m->m_pkthdr.len);
3059 			run_tx_free(pq, data, 1);
3060 			goto tr_setup;
3061 		}
3062 
3063 		pc = usbd_xfer_get_frame(xfer, 0);
3064 		usbd_copy_in(pc, 0, &data->desc, size);
3065 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3066 		size += m->m_pkthdr.len;
3067 		/*
3068 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3069 		 * 4-byte padding), and be sure to zero those trailing
3070 		 * bytes:
3071 		 */
3072 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3073 		size += ((-size) & 3) + 8;
3074 
3075 		vap = data->ni->ni_vap;
3076 		if (ieee80211_radiotap_active_vap(vap)) {
3077 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3078 			struct rt2860_txwi *txwi =
3079 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3080 			tap->wt_flags = 0;
3081 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3082 			run_get_tsf(sc, &tap->wt_tsf);
3083 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3084 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3085 			tap->wt_hwqueue = index;
3086 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3087 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3088 
3089 			ieee80211_radiotap_tx(vap, m);
3090 		}
3091 
3092 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3093 		    m->m_pkthdr.len, size, index);
3094 
3095 		usbd_xfer_set_frame_len(xfer, 0, size);
3096 		usbd_xfer_set_priv(xfer, data);
3097 		usbd_transfer_submit(xfer);
3098 		run_start(sc);
3099 
3100 		break;
3101 
3102 	default:
3103 		DPRINTF("USB transfer error, %s\n",
3104 		    usbd_errstr(error));
3105 
3106 		data = usbd_xfer_get_priv(xfer);
3107 
3108 		if (data != NULL) {
3109 			if(data->ni != NULL)
3110 				vap = data->ni->ni_vap;
3111 			run_tx_free(pq, data, error);
3112 			usbd_xfer_set_priv(xfer, NULL);
3113 		}
3114 
3115 		if (vap == NULL)
3116 			vap = TAILQ_FIRST(&ic->ic_vaps);
3117 
3118 		if (error != USB_ERR_CANCELLED) {
3119 			if (error == USB_ERR_TIMEOUT) {
3120 				device_printf(sc->sc_dev, "device timeout\n");
3121 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3122 				DPRINTF("cmdq_store=%d\n", i);
3123 				sc->cmdq[i].func = run_usb_timeout_cb;
3124 				sc->cmdq[i].arg0 = vap;
3125 				ieee80211_runtask(ic, &sc->cmdq_task);
3126 			}
3127 
3128 			/*
3129 			 * Try to clear stall first, also if other
3130 			 * errors occur, hence clearing stall
3131 			 * introduces a 50 ms delay:
3132 			 */
3133 			usbd_xfer_set_stall(xfer);
3134 			goto tr_setup;
3135 		}
3136 		break;
3137 	}
3138 }
3139 
3140 static void
3141 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3142 {
3143 	run_bulk_tx_callbackN(xfer, error, 0);
3144 }
3145 
3146 static void
3147 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3148 {
3149 	run_bulk_tx_callbackN(xfer, error, 1);
3150 }
3151 
3152 static void
3153 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3154 {
3155 	run_bulk_tx_callbackN(xfer, error, 2);
3156 }
3157 
3158 static void
3159 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3160 {
3161 	run_bulk_tx_callbackN(xfer, error, 3);
3162 }
3163 
3164 static void
3165 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3166 {
3167 	run_bulk_tx_callbackN(xfer, error, 4);
3168 }
3169 
3170 static void
3171 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3172 {
3173 	run_bulk_tx_callbackN(xfer, error, 5);
3174 }
3175 
3176 static void
3177 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3178 {
3179 	struct mbuf *m = data->m;
3180 	struct ieee80211com *ic = &sc->sc_ic;
3181 	struct ieee80211vap *vap = data->ni->ni_vap;
3182 	struct ieee80211_frame *wh;
3183 	struct rt2870_txd *txd;
3184 	struct rt2860_txwi *txwi;
3185 	uint16_t xferlen, txwisize;
3186 	uint16_t mcs;
3187 	uint8_t ridx = data->ridx;
3188 	uint8_t pad;
3189 
3190 	/* get MCS code from rate index */
3191 	mcs = rt2860_rates[ridx].mcs;
3192 
3193 	txwisize = (sc->mac_ver == 0x5592) ?
3194 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3195 	xferlen = txwisize + m->m_pkthdr.len;
3196 
3197 	/* roundup to 32-bit alignment */
3198 	xferlen = (xferlen + 3) & ~3;
3199 
3200 	txd = (struct rt2870_txd *)&data->desc;
3201 	txd->len = htole16(xferlen);
3202 
3203 	wh = mtod(m, struct ieee80211_frame *);
3204 
3205 	/*
3206 	 * Ether both are true or both are false, the header
3207 	 * are nicely aligned to 32-bit. So, no L2 padding.
3208 	 */
3209 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3210 		pad = 0;
3211 	else
3212 		pad = 2;
3213 
3214 	/* setup TX Wireless Information */
3215 	txwi = (struct rt2860_txwi *)(txd + 1);
3216 	txwi->len = htole16(m->m_pkthdr.len - pad);
3217 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3218 		mcs |= RT2860_PHY_CCK;
3219 		if (ridx != RT2860_RIDX_CCK1 &&
3220 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3221 			mcs |= RT2860_PHY_SHPRE;
3222 	} else
3223 		mcs |= RT2860_PHY_OFDM;
3224 	txwi->phy = htole16(mcs);
3225 
3226 	/* check if RTS/CTS or CTS-to-self protection is required */
3227 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3228 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3229 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3230 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3231 		txwi->txop |= RT2860_TX_TXOP_HT;
3232 	else
3233 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3234 
3235 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3236 		txwi->xflags |= RT2860_TX_NSEQ;
3237 }
3238 
3239 /* This function must be called locked */
3240 static int
3241 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3242 {
3243 	struct ieee80211com *ic = &sc->sc_ic;
3244 	struct ieee80211vap *vap = ni->ni_vap;
3245 	struct ieee80211_frame *wh;
3246 	struct ieee80211_channel *chan;
3247 	const struct ieee80211_txparam *tp;
3248 	struct run_node *rn = RUN_NODE(ni);
3249 	struct run_tx_data *data;
3250 	struct rt2870_txd *txd;
3251 	struct rt2860_txwi *txwi;
3252 	uint16_t qos;
3253 	uint16_t dur;
3254 	uint16_t qid;
3255 	uint8_t type;
3256 	uint8_t tid;
3257 	uint8_t ridx;
3258 	uint8_t ctl_ridx;
3259 	uint8_t qflags;
3260 	uint8_t xflags = 0;
3261 	int hasqos;
3262 
3263 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3264 
3265 	wh = mtod(m, struct ieee80211_frame *);
3266 
3267 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3268 
3269 	/*
3270 	 * There are 7 bulk endpoints: 1 for RX
3271 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3272 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3273 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3274 	 */
3275 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3276 		uint8_t *frm;
3277 
3278 		if(IEEE80211_HAS_ADDR4(wh))
3279 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3280 		else
3281 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3282 
3283 		qos = le16toh(*(const uint16_t *)frm);
3284 		tid = qos & IEEE80211_QOS_TID;
3285 		qid = TID_TO_WME_AC(tid);
3286 	} else {
3287 		qos = 0;
3288 		tid = 0;
3289 		qid = WME_AC_BE;
3290 	}
3291 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3292 
3293 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3294 	    qos, qid, tid, qflags);
3295 
3296 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3297 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3298 
3299 	/* pickup a rate index */
3300 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3301 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3302 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3303 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3304 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3305 	} else {
3306 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3307 			ridx = rn->fix_ridx;
3308 		else
3309 			ridx = rn->amrr_ridx;
3310 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3311 	}
3312 
3313 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3314 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3315 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3316 		xflags |= RT2860_TX_ACK;
3317 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3318 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3319 		else
3320 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3321 		USETW(wh->i_dur, dur);
3322 	}
3323 
3324 	/* reserve slots for mgmt packets, just in case */
3325 	if (sc->sc_epq[qid].tx_nfree < 3) {
3326 		DPRINTFN(10, "tx ring %d is full\n", qid);
3327 		return (-1);
3328 	}
3329 
3330 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3331 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3332 	sc->sc_epq[qid].tx_nfree--;
3333 
3334 	txd = (struct rt2870_txd *)&data->desc;
3335 	txd->flags = qflags;
3336 	txwi = (struct rt2860_txwi *)(txd + 1);
3337 	txwi->xflags = xflags;
3338 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3339 		txwi->wcid = 0;
3340 	else
3341 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3342 		    1 : RUN_AID2WCID(ni->ni_associd);
3343 
3344 	/* clear leftover garbage bits */
3345 	txwi->flags = 0;
3346 	txwi->txop = 0;
3347 
3348 	data->m = m;
3349 	data->ni = ni;
3350 	data->ridx = ridx;
3351 
3352 	run_set_tx_desc(sc, data);
3353 
3354 	/*
3355 	 * The chip keeps track of 2 kind of Tx stats,
3356 	 *  * TX_STAT_FIFO, for per WCID stats, and
3357 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3358 	 *
3359 	 * To use FIFO stats, we need to store MCS into the driver-private
3360  	 * PacketID field. So that, we can tell whose stats when we read them.
3361  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3362  	 * that we don't want feedback in TX_STAT_FIFO.
3363  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3364  	 *
3365  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3366  	 */
3367 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3368 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3369 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3370 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3371 
3372 		/*
3373 		 * Unlike PCI based devices, we don't get any interrupt from
3374 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3375 		 * Ralink recommends to drain FIFO stats every 100 ms, but 16 slots
3376 		 * quickly get fulled. To prevent overflow, increment a counter on
3377 		 * every FIFO stat request, so we know how many slots are left.
3378 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3379 		 * are used only in those modes.
3380 		 * We just drain stats. AMRR gets updated every 1 sec by
3381 		 * run_ratectl_cb() via callout.
3382 		 * Call it early. Otherwise overflow.
3383 		 */
3384 		if (sc->fifo_cnt++ == 10) {
3385 			/*
3386 			 * With multiple vaps or if_bridge, if_start() is called
3387 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3388 			 */
3389 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3390 			DPRINTFN(6, "cmdq_store=%d\n", i);
3391 			sc->cmdq[i].func = run_drain_fifo;
3392 			sc->cmdq[i].arg0 = sc;
3393 			ieee80211_runtask(ic, &sc->cmdq_task);
3394 		}
3395 	}
3396 
3397         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3398 
3399 	usbd_transfer_start(sc->sc_xfer[qid]);
3400 
3401 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3402 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3403 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3404 
3405 	return (0);
3406 }
3407 
3408 static int
3409 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3410 {
3411 	struct ieee80211com *ic = &sc->sc_ic;
3412 	struct run_node *rn = RUN_NODE(ni);
3413 	struct run_tx_data *data;
3414 	struct ieee80211_frame *wh;
3415 	struct rt2870_txd *txd;
3416 	struct rt2860_txwi *txwi;
3417 	uint16_t dur;
3418 	uint8_t ridx = rn->mgt_ridx;
3419 	uint8_t type;
3420 	uint8_t xflags = 0;
3421 	uint8_t wflags = 0;
3422 
3423 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3424 
3425 	wh = mtod(m, struct ieee80211_frame *);
3426 
3427 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3428 
3429 	/* tell hardware to add timestamp for probe responses */
3430 	if ((wh->i_fc[0] &
3431 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3432 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3433 		wflags |= RT2860_TX_TS;
3434 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3435 		xflags |= RT2860_TX_ACK;
3436 
3437 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3438 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3439 		USETW(wh->i_dur, dur);
3440 	}
3441 
3442 	if (sc->sc_epq[0].tx_nfree == 0)
3443 		/* let caller free mbuf */
3444 		return (EIO);
3445 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3446 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3447 	sc->sc_epq[0].tx_nfree--;
3448 
3449 	txd = (struct rt2870_txd *)&data->desc;
3450 	txd->flags = RT2860_TX_QSEL_EDCA;
3451 	txwi = (struct rt2860_txwi *)(txd + 1);
3452 	txwi->wcid = 0xff;
3453 	txwi->flags = wflags;
3454 	txwi->xflags = xflags;
3455 	txwi->txop = 0;	/* clear leftover garbage bits */
3456 
3457 	data->m = m;
3458 	data->ni = ni;
3459 	data->ridx = ridx;
3460 
3461 	run_set_tx_desc(sc, data);
3462 
3463 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3464 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3465 	    rt2860_rates[ridx].rate);
3466 
3467 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3468 
3469 	usbd_transfer_start(sc->sc_xfer[0]);
3470 
3471 	return (0);
3472 }
3473 
3474 static int
3475 run_sendprot(struct run_softc *sc,
3476     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3477 {
3478 	struct ieee80211com *ic = ni->ni_ic;
3479 	struct ieee80211_frame *wh;
3480 	struct run_tx_data *data;
3481 	struct rt2870_txd *txd;
3482 	struct rt2860_txwi *txwi;
3483 	struct mbuf *mprot;
3484 	int ridx;
3485 	int protrate;
3486 	int ackrate;
3487 	int pktlen;
3488 	int isshort;
3489 	uint16_t dur;
3490 	uint8_t type;
3491 	uint8_t wflags = 0;
3492 	uint8_t xflags = 0;
3493 
3494 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3495 
3496 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3497 	    ("protection %d", prot));
3498 
3499 	wh = mtod(m, struct ieee80211_frame *);
3500 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3501 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3502 
3503 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3504 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3505 
3506 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3507 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3508 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3509 	wflags = RT2860_TX_FRAG;
3510 
3511 	/* check that there are free slots before allocating the mbuf */
3512 	if (sc->sc_epq[0].tx_nfree == 0)
3513 		/* let caller free mbuf */
3514 		return (ENOBUFS);
3515 
3516 	if (prot == IEEE80211_PROT_RTSCTS) {
3517 		/* NB: CTS is the same size as an ACK */
3518 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3519 		xflags |= RT2860_TX_ACK;
3520 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3521 	} else {
3522 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3523 	}
3524 	if (mprot == NULL) {
3525 		if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3526 		DPRINTF("could not allocate mbuf\n");
3527 		return (ENOBUFS);
3528 	}
3529 
3530         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3531         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3532         sc->sc_epq[0].tx_nfree--;
3533 
3534 	txd = (struct rt2870_txd *)&data->desc;
3535 	txd->flags = RT2860_TX_QSEL_EDCA;
3536 	txwi = (struct rt2860_txwi *)(txd + 1);
3537 	txwi->wcid = 0xff;
3538 	txwi->flags = wflags;
3539 	txwi->xflags = xflags;
3540 	txwi->txop = 0;	/* clear leftover garbage bits */
3541 
3542 	data->m = mprot;
3543 	data->ni = ieee80211_ref_node(ni);
3544 
3545 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3546 		if (rt2860_rates[ridx].rate == protrate)
3547 			break;
3548 	data->ridx = ridx;
3549 
3550 	run_set_tx_desc(sc, data);
3551 
3552         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3553             m->m_pkthdr.len, rate);
3554 
3555         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3556 
3557 	usbd_transfer_start(sc->sc_xfer[0]);
3558 
3559 	return (0);
3560 }
3561 
3562 static int
3563 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3564     const struct ieee80211_bpf_params *params)
3565 {
3566 	struct ieee80211com *ic = ni->ni_ic;
3567 	struct ieee80211_frame *wh;
3568 	struct run_tx_data *data;
3569 	struct rt2870_txd *txd;
3570 	struct rt2860_txwi *txwi;
3571 	uint8_t type;
3572 	uint8_t ridx;
3573 	uint8_t rate;
3574 	uint8_t opflags = 0;
3575 	uint8_t xflags = 0;
3576 	int error;
3577 
3578 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3579 
3580 	KASSERT(params != NULL, ("no raw xmit params"));
3581 
3582 	wh = mtod(m, struct ieee80211_frame *);
3583 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3584 
3585 	rate = params->ibp_rate0;
3586 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3587 		/* let caller free mbuf */
3588 		return (EINVAL);
3589 	}
3590 
3591 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3592 		xflags |= RT2860_TX_ACK;
3593 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3594 		error = run_sendprot(sc, m, ni,
3595 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3596 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3597 		    rate);
3598 		if (error) {
3599 			/* let caller free mbuf */
3600 			return error;
3601 		}
3602 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3603 	}
3604 
3605 	if (sc->sc_epq[0].tx_nfree == 0) {
3606 		/* let caller free mbuf */
3607 		DPRINTF("sending raw frame, but tx ring is full\n");
3608 		return (EIO);
3609 	}
3610         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3611         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3612         sc->sc_epq[0].tx_nfree--;
3613 
3614 	txd = (struct rt2870_txd *)&data->desc;
3615 	txd->flags = RT2860_TX_QSEL_EDCA;
3616 	txwi = (struct rt2860_txwi *)(txd + 1);
3617 	txwi->wcid = 0xff;
3618 	txwi->xflags = xflags;
3619 	txwi->txop = opflags;
3620 	txwi->flags = 0;	/* clear leftover garbage bits */
3621 
3622         data->m = m;
3623         data->ni = ni;
3624 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3625 		if (rt2860_rates[ridx].rate == rate)
3626 			break;
3627 	data->ridx = ridx;
3628 
3629         run_set_tx_desc(sc, data);
3630 
3631         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3632             m->m_pkthdr.len, rate);
3633 
3634         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3635 
3636 	usbd_transfer_start(sc->sc_xfer[0]);
3637 
3638         return (0);
3639 }
3640 
3641 static int
3642 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3643     const struct ieee80211_bpf_params *params)
3644 {
3645 	struct run_softc *sc = ni->ni_ic->ic_softc;
3646 	int error = 0;
3647 
3648 	RUN_LOCK(sc);
3649 
3650 	/* prevent management frames from being sent if we're not ready */
3651 	if (!(sc->sc_flags & RUN_RUNNING)) {
3652 		error = ENETDOWN;
3653 		goto done;
3654 	}
3655 
3656 	if (params == NULL) {
3657 		/* tx mgt packet */
3658 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3659 			DPRINTF("mgt tx failed\n");
3660 			goto done;
3661 		}
3662 	} else {
3663 		/* tx raw packet with param */
3664 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3665 			DPRINTF("tx with param failed\n");
3666 			goto done;
3667 		}
3668 	}
3669 
3670 done:
3671 	RUN_UNLOCK(sc);
3672 
3673 	if (error != 0) {
3674 		if(m != NULL)
3675 			m_freem(m);
3676 	}
3677 
3678 	return (error);
3679 }
3680 
3681 static int
3682 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3683 {
3684 	struct run_softc *sc = ic->ic_softc;
3685 	int error;
3686 
3687 	RUN_LOCK(sc);
3688 	if ((sc->sc_flags & RUN_RUNNING) == 0) {
3689 		RUN_UNLOCK(sc);
3690 		return (ENXIO);
3691 	}
3692 	error = mbufq_enqueue(&sc->sc_snd, m);
3693 	if (error) {
3694 		RUN_UNLOCK(sc);
3695 		return (error);
3696 	}
3697 	run_start(sc);
3698 	RUN_UNLOCK(sc);
3699 
3700 	return (0);
3701 }
3702 
3703 static void
3704 run_start(struct run_softc *sc)
3705 {
3706 	struct ieee80211_node *ni;
3707 	struct mbuf *m;
3708 
3709 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3710 
3711 	if ((sc->sc_flags & RUN_RUNNING) == 0)
3712 		return;
3713 
3714 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3715 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3716 		if (run_tx(sc, m, ni) != 0) {
3717 			mbufq_prepend(&sc->sc_snd, m);
3718 			break;
3719 		}
3720 	}
3721 }
3722 
3723 static void
3724 run_parent(struct ieee80211com *ic)
3725 {
3726 	struct run_softc *sc = ic->ic_softc;
3727 	int startall = 0;
3728 
3729 	RUN_LOCK(sc);
3730 	if (sc->sc_detached) {
3731 		RUN_UNLOCK(sc);
3732 		return;
3733 	}
3734 
3735 	if (ic->ic_nrunning > 0) {
3736 		if (!(sc->sc_flags & RUN_RUNNING)) {
3737 			startall = 1;
3738 			run_init_locked(sc);
3739 		} else
3740 			run_update_promisc_locked(sc);
3741 	} else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3742 		run_stop(sc);
3743 	RUN_UNLOCK(sc);
3744 	if (startall)
3745 		ieee80211_start_all(ic);
3746 }
3747 
3748 static void
3749 run_iq_calib(struct run_softc *sc, u_int chan)
3750 {
3751 	uint16_t val;
3752 
3753 	/* Tx0 IQ gain. */
3754 	run_bbp_write(sc, 158, 0x2c);
3755 	if (chan <= 14)
3756 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3757 	else if (chan <= 64) {
3758 		run_efuse_read(sc,
3759 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3760 		    &val, 1);
3761 	} else if (chan <= 138) {
3762 		run_efuse_read(sc,
3763 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3764 		    &val, 1);
3765 	} else if (chan <= 165) {
3766 		run_efuse_read(sc,
3767 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3768 		    &val, 1);
3769 	} else
3770 		val = 0;
3771 	run_bbp_write(sc, 159, val);
3772 
3773 	/* Tx0 IQ phase. */
3774 	run_bbp_write(sc, 158, 0x2d);
3775 	if (chan <= 14) {
3776 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3777 		    &val, 1);
3778 	} else if (chan <= 64) {
3779 		run_efuse_read(sc,
3780 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3781 		    &val, 1);
3782 	} else if (chan <= 138) {
3783 		run_efuse_read(sc,
3784 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3785 		    &val, 1);
3786 	} else if (chan <= 165) {
3787 		run_efuse_read(sc,
3788 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3789 		    &val, 1);
3790 	} else
3791 		val = 0;
3792 	run_bbp_write(sc, 159, val);
3793 
3794 	/* Tx1 IQ gain. */
3795 	run_bbp_write(sc, 158, 0x4a);
3796 	if (chan <= 14) {
3797 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3798 		    &val, 1);
3799 	} else if (chan <= 64) {
3800 		run_efuse_read(sc,
3801 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3802 		    &val, 1);
3803 	} else if (chan <= 138) {
3804 		run_efuse_read(sc,
3805 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3806 		    &val, 1);
3807 	} else if (chan <= 165) {
3808 		run_efuse_read(sc,
3809 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3810 		    &val, 1);
3811 	} else
3812 		val = 0;
3813 	run_bbp_write(sc, 159, val);
3814 
3815 	/* Tx1 IQ phase. */
3816 	run_bbp_write(sc, 158, 0x4b);
3817 	if (chan <= 14) {
3818 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3819 		    &val, 1);
3820 	} else if (chan <= 64) {
3821 		run_efuse_read(sc,
3822 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3823 		    &val, 1);
3824 	} else if (chan <= 138) {
3825 		run_efuse_read(sc,
3826 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3827 		    &val, 1);
3828 	} else if (chan <= 165) {
3829 		run_efuse_read(sc,
3830 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3831 		    &val, 1);
3832 	} else
3833 		val = 0;
3834 	run_bbp_write(sc, 159, val);
3835 
3836 	/* RF IQ compensation control. */
3837 	run_bbp_write(sc, 158, 0x04);
3838 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3839 	    &val, 1);
3840 	run_bbp_write(sc, 159, val);
3841 
3842 	/* RF IQ imbalance compensation control. */
3843 	run_bbp_write(sc, 158, 0x03);
3844 	run_efuse_read(sc,
3845 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3846 	run_bbp_write(sc, 159, val);
3847 }
3848 
3849 static void
3850 run_set_agc(struct run_softc *sc, uint8_t agc)
3851 {
3852 	uint8_t bbp;
3853 
3854 	if (sc->mac_ver == 0x3572) {
3855 		run_bbp_read(sc, 27, &bbp);
3856 		bbp &= ~(0x3 << 5);
3857 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3858 		run_bbp_write(sc, 66, agc);
3859 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3860 		run_bbp_write(sc, 66, agc);
3861 	} else
3862 		run_bbp_write(sc, 66, agc);
3863 }
3864 
3865 static void
3866 run_select_chan_group(struct run_softc *sc, int group)
3867 {
3868 	uint32_t tmp;
3869 	uint8_t agc;
3870 
3871 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3872 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3873 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3874 	if (sc->mac_ver < 0x3572)
3875 		run_bbp_write(sc, 86, 0x00);
3876 
3877 	if (sc->mac_ver == 0x3593) {
3878 		run_bbp_write(sc, 77, 0x98);
3879 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3880 	}
3881 
3882 	if (group == 0) {
3883 		if (sc->ext_2ghz_lna) {
3884 			if (sc->mac_ver >= 0x5390)
3885 				run_bbp_write(sc, 75, 0x52);
3886 			else {
3887 				run_bbp_write(sc, 82, 0x62);
3888 				run_bbp_write(sc, 75, 0x46);
3889 			}
3890 		} else {
3891 			if (sc->mac_ver == 0x5592) {
3892 				run_bbp_write(sc, 79, 0x1c);
3893 				run_bbp_write(sc, 80, 0x0e);
3894 				run_bbp_write(sc, 81, 0x3a);
3895 				run_bbp_write(sc, 82, 0x62);
3896 
3897 				run_bbp_write(sc, 195, 0x80);
3898 				run_bbp_write(sc, 196, 0xe0);
3899 				run_bbp_write(sc, 195, 0x81);
3900 				run_bbp_write(sc, 196, 0x1f);
3901 				run_bbp_write(sc, 195, 0x82);
3902 				run_bbp_write(sc, 196, 0x38);
3903 				run_bbp_write(sc, 195, 0x83);
3904 				run_bbp_write(sc, 196, 0x32);
3905 				run_bbp_write(sc, 195, 0x85);
3906 				run_bbp_write(sc, 196, 0x28);
3907 				run_bbp_write(sc, 195, 0x86);
3908 				run_bbp_write(sc, 196, 0x19);
3909 			} else if (sc->mac_ver >= 0x5390)
3910 				run_bbp_write(sc, 75, 0x50);
3911 			else {
3912 				run_bbp_write(sc, 82,
3913 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3914 				run_bbp_write(sc, 75, 0x50);
3915 			}
3916 		}
3917 	} else {
3918 		if (sc->mac_ver == 0x5592) {
3919 			run_bbp_write(sc, 79, 0x18);
3920 			run_bbp_write(sc, 80, 0x08);
3921 			run_bbp_write(sc, 81, 0x38);
3922 			run_bbp_write(sc, 82, 0x92);
3923 
3924 			run_bbp_write(sc, 195, 0x80);
3925 			run_bbp_write(sc, 196, 0xf0);
3926 			run_bbp_write(sc, 195, 0x81);
3927 			run_bbp_write(sc, 196, 0x1e);
3928 			run_bbp_write(sc, 195, 0x82);
3929 			run_bbp_write(sc, 196, 0x28);
3930 			run_bbp_write(sc, 195, 0x83);
3931 			run_bbp_write(sc, 196, 0x20);
3932 			run_bbp_write(sc, 195, 0x85);
3933 			run_bbp_write(sc, 196, 0x7f);
3934 			run_bbp_write(sc, 195, 0x86);
3935 			run_bbp_write(sc, 196, 0x7f);
3936 		} else if (sc->mac_ver == 0x3572)
3937 			run_bbp_write(sc, 82, 0x94);
3938 		else
3939 			run_bbp_write(sc, 82,
3940 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3941 		if (sc->ext_5ghz_lna)
3942 			run_bbp_write(sc, 75, 0x46);
3943 		else
3944 			run_bbp_write(sc, 75, 0x50);
3945 	}
3946 
3947 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3948 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3949 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
3950 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
3951 
3952 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
3953 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
3954 	if (sc->mac_ver == 0x3593)
3955 		tmp |= 1 << 29 | 1 << 28;
3956 	if (sc->nrxchains > 1)
3957 		tmp |= RT2860_LNA_PE1_EN;
3958 	if (group == 0) {	/* 2GHz */
3959 		tmp |= RT2860_PA_PE_G0_EN;
3960 		if (sc->ntxchains > 1)
3961 			tmp |= RT2860_PA_PE_G1_EN;
3962 		if (sc->mac_ver == 0x3593) {
3963 			if (sc->ntxchains > 2)
3964 				tmp |= 1 << 25;
3965 		}
3966 	} else {		/* 5GHz */
3967 		tmp |= RT2860_PA_PE_A0_EN;
3968 		if (sc->ntxchains > 1)
3969 			tmp |= RT2860_PA_PE_A1_EN;
3970 	}
3971 	if (sc->mac_ver == 0x3572) {
3972 		run_rt3070_rf_write(sc, 8, 0x00);
3973 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3974 		run_rt3070_rf_write(sc, 8, 0x80);
3975 	} else
3976 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3977 
3978 	if (sc->mac_ver == 0x5592) {
3979 		run_bbp_write(sc, 195, 0x8d);
3980 		run_bbp_write(sc, 196, 0x1a);
3981 	}
3982 
3983 	if (sc->mac_ver == 0x3593) {
3984 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
3985 		tmp &= ~0x01010000;
3986 		if (group == 0)
3987 			tmp |= 0x00010000;
3988 		tmp = (tmp & ~0x00009090) | 0x00000090;
3989 		run_write(sc, RT2860_GPIO_CTRL, tmp);
3990 	}
3991 
3992 	/* set initial AGC value */
3993 	if (group == 0) {	/* 2GHz band */
3994 		if (sc->mac_ver >= 0x3070)
3995 			agc = 0x1c + sc->lna[0] * 2;
3996 		else
3997 			agc = 0x2e + sc->lna[0];
3998 	} else {		/* 5GHz band */
3999 		if (sc->mac_ver == 0x5592)
4000 			agc = 0x24 + sc->lna[group] * 2;
4001 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4002 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4003 		else
4004 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4005 	}
4006 	run_set_agc(sc, agc);
4007 }
4008 
4009 static void
4010 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4011 {
4012 	const struct rfprog *rfprog = rt2860_rf2850;
4013 	uint32_t r2, r3, r4;
4014 	int8_t txpow1, txpow2;
4015 	int i;
4016 
4017 	/* find the settings for this channel (we know it exists) */
4018 	for (i = 0; rfprog[i].chan != chan; i++);
4019 
4020 	r2 = rfprog[i].r2;
4021 	if (sc->ntxchains == 1)
4022 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4023 	if (sc->nrxchains == 1)
4024 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4025 	else if (sc->nrxchains == 2)
4026 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4027 
4028 	/* use Tx power values from EEPROM */
4029 	txpow1 = sc->txpow1[i];
4030 	txpow2 = sc->txpow2[i];
4031 
4032 	/* Initialize RF R3 and R4. */
4033 	r3 = rfprog[i].r3 & 0xffffc1ff;
4034 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4035 	if (chan > 14) {
4036 		if (txpow1 >= 0) {
4037 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4038 			r3 |= (txpow1 << 10) | (1 << 9);
4039 		} else {
4040 			txpow1 += 7;
4041 
4042 			/* txpow1 is not possible larger than 15. */
4043 			r3 |= (txpow1 << 10);
4044 		}
4045 		if (txpow2 >= 0) {
4046 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4047 			r4 |= (txpow2 << 7) | (1 << 6);
4048 		} else {
4049 			txpow2 += 7;
4050 			r4 |= (txpow2 << 7);
4051 		}
4052 	} else {
4053 		/* Set Tx0 power. */
4054 		r3 |= (txpow1 << 9);
4055 
4056 		/* Set frequency offset and Tx1 power. */
4057 		r4 |= (txpow2 << 6);
4058 	}
4059 
4060 	run_rt2870_rf_write(sc, rfprog[i].r1);
4061 	run_rt2870_rf_write(sc, r2);
4062 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4063 	run_rt2870_rf_write(sc, r4);
4064 
4065 	run_delay(sc, 10);
4066 
4067 	run_rt2870_rf_write(sc, rfprog[i].r1);
4068 	run_rt2870_rf_write(sc, r2);
4069 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4070 	run_rt2870_rf_write(sc, r4);
4071 
4072 	run_delay(sc, 10);
4073 
4074 	run_rt2870_rf_write(sc, rfprog[i].r1);
4075 	run_rt2870_rf_write(sc, r2);
4076 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4077 	run_rt2870_rf_write(sc, r4);
4078 }
4079 
4080 static void
4081 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4082 {
4083 	int8_t txpow1, txpow2;
4084 	uint8_t rf;
4085 	int i;
4086 
4087 	/* find the settings for this channel (we know it exists) */
4088 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4089 
4090 	/* use Tx power values from EEPROM */
4091 	txpow1 = sc->txpow1[i];
4092 	txpow2 = sc->txpow2[i];
4093 
4094 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4095 
4096 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4097 	run_rt3070_rf_read(sc, 3, &rf);
4098 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4099 	run_rt3070_rf_write(sc, 3, rf);
4100 
4101 	run_rt3070_rf_read(sc, 6, &rf);
4102 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4103 	run_rt3070_rf_write(sc, 6, rf);
4104 
4105 	/* set Tx0 power */
4106 	run_rt3070_rf_read(sc, 12, &rf);
4107 	rf = (rf & ~0x1f) | txpow1;
4108 	run_rt3070_rf_write(sc, 12, rf);
4109 
4110 	/* set Tx1 power */
4111 	run_rt3070_rf_read(sc, 13, &rf);
4112 	rf = (rf & ~0x1f) | txpow2;
4113 	run_rt3070_rf_write(sc, 13, rf);
4114 
4115 	run_rt3070_rf_read(sc, 1, &rf);
4116 	rf &= ~0xfc;
4117 	if (sc->ntxchains == 1)
4118 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4119 	else if (sc->ntxchains == 2)
4120 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4121 	if (sc->nrxchains == 1)
4122 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4123 	else if (sc->nrxchains == 2)
4124 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4125 	run_rt3070_rf_write(sc, 1, rf);
4126 
4127 	/* set RF offset */
4128 	run_rt3070_rf_read(sc, 23, &rf);
4129 	rf = (rf & ~0x7f) | sc->freq;
4130 	run_rt3070_rf_write(sc, 23, rf);
4131 
4132 	/* program RF filter */
4133 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4134 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4135 	run_rt3070_rf_write(sc, 24, rf);
4136 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4137 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4138 	run_rt3070_rf_write(sc, 31, rf);
4139 
4140 	/* enable RF tuning */
4141 	run_rt3070_rf_read(sc, 7, &rf);
4142 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4143 }
4144 
4145 static void
4146 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4147 {
4148 	int8_t txpow1, txpow2;
4149 	uint32_t tmp;
4150 	uint8_t rf;
4151 	int i;
4152 
4153 	/* find the settings for this channel (we know it exists) */
4154 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4155 
4156 	/* use Tx power values from EEPROM */
4157 	txpow1 = sc->txpow1[i];
4158 	txpow2 = sc->txpow2[i];
4159 
4160 	if (chan <= 14) {
4161 		run_bbp_write(sc, 25, sc->bbp25);
4162 		run_bbp_write(sc, 26, sc->bbp26);
4163 	} else {
4164 		/* enable IQ phase correction */
4165 		run_bbp_write(sc, 25, 0x09);
4166 		run_bbp_write(sc, 26, 0xff);
4167 	}
4168 
4169 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4170 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4171 	run_rt3070_rf_read(sc, 6, &rf);
4172 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4173 	rf |= (chan <= 14) ? 0x08 : 0x04;
4174 	run_rt3070_rf_write(sc, 6, rf);
4175 
4176 	/* set PLL mode */
4177 	run_rt3070_rf_read(sc, 5, &rf);
4178 	rf &= ~(0x08 | 0x04);
4179 	rf |= (chan <= 14) ? 0x04 : 0x08;
4180 	run_rt3070_rf_write(sc, 5, rf);
4181 
4182 	/* set Tx power for chain 0 */
4183 	if (chan <= 14)
4184 		rf = 0x60 | txpow1;
4185 	else
4186 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4187 	run_rt3070_rf_write(sc, 12, rf);
4188 
4189 	/* set Tx power for chain 1 */
4190 	if (chan <= 14)
4191 		rf = 0x60 | txpow2;
4192 	else
4193 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4194 	run_rt3070_rf_write(sc, 13, rf);
4195 
4196 	/* set Tx/Rx streams */
4197 	run_rt3070_rf_read(sc, 1, &rf);
4198 	rf &= ~0xfc;
4199 	if (sc->ntxchains == 1)
4200 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4201 	else if (sc->ntxchains == 2)
4202 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4203 	if (sc->nrxchains == 1)
4204 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4205 	else if (sc->nrxchains == 2)
4206 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4207 	run_rt3070_rf_write(sc, 1, rf);
4208 
4209 	/* set RF offset */
4210 	run_rt3070_rf_read(sc, 23, &rf);
4211 	rf = (rf & ~0x7f) | sc->freq;
4212 	run_rt3070_rf_write(sc, 23, rf);
4213 
4214 	/* program RF filter */
4215 	rf = sc->rf24_20mhz;
4216 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4217 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4218 
4219 	/* enable RF tuning */
4220 	run_rt3070_rf_read(sc, 7, &rf);
4221 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4222 	run_rt3070_rf_write(sc, 7, rf);
4223 
4224 	/* TSSI */
4225 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4226 	run_rt3070_rf_write(sc, 9, rf);
4227 
4228 	/* set loop filter 1 */
4229 	run_rt3070_rf_write(sc, 10, 0xf1);
4230 	/* set loop filter 2 */
4231 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4232 
4233 	/* set tx_mx2_ic */
4234 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4235 	/* set tx_mx1_ic */
4236 	if (chan <= 14)
4237 		rf = 0x48 | sc->txmixgain_2ghz;
4238 	else
4239 		rf = 0x78 | sc->txmixgain_5ghz;
4240 	run_rt3070_rf_write(sc, 16, rf);
4241 
4242 	/* set tx_lo1 */
4243 	run_rt3070_rf_write(sc, 17, 0x23);
4244 	/* set tx_lo2 */
4245 	if (chan <= 14)
4246 		rf = 0x93;
4247 	else if (chan <= 64)
4248 		rf = 0xb7;
4249 	else if (chan <= 128)
4250 		rf = 0x74;
4251 	else
4252 		rf = 0x72;
4253 	run_rt3070_rf_write(sc, 19, rf);
4254 
4255 	/* set rx_lo1 */
4256 	if (chan <= 14)
4257 		rf = 0xb3;
4258 	else if (chan <= 64)
4259 		rf = 0xf6;
4260 	else if (chan <= 128)
4261 		rf = 0xf4;
4262 	else
4263 		rf = 0xf3;
4264 	run_rt3070_rf_write(sc, 20, rf);
4265 
4266 	/* set pfd_delay */
4267 	if (chan <= 14)
4268 		rf = 0x15;
4269 	else if (chan <= 64)
4270 		rf = 0x3d;
4271 	else
4272 		rf = 0x01;
4273 	run_rt3070_rf_write(sc, 25, rf);
4274 
4275 	/* set rx_lo2 */
4276 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4277 	/* set ldo_rf_vc */
4278 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4279 	/* set drv_cc */
4280 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4281 
4282 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4283 	tmp &= ~0x8080;
4284 	if (chan <= 14)
4285 		tmp |= 0x80;
4286 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4287 
4288 	/* enable RF tuning */
4289 	run_rt3070_rf_read(sc, 7, &rf);
4290 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4291 
4292 	run_delay(sc, 2);
4293 }
4294 
4295 static void
4296 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4297 {
4298 	int8_t txpow1, txpow2, txpow3;
4299 	uint8_t h20mhz, rf;
4300 	int i;
4301 
4302 	/* find the settings for this channel (we know it exists) */
4303 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4304 
4305 	/* use Tx power values from EEPROM */
4306 	txpow1 = sc->txpow1[i];
4307 	txpow2 = sc->txpow2[i];
4308 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4309 
4310 	if (chan <= 14) {
4311 		run_bbp_write(sc, 25, sc->bbp25);
4312 		run_bbp_write(sc, 26, sc->bbp26);
4313 	} else {
4314 		/* Enable IQ phase correction. */
4315 		run_bbp_write(sc, 25, 0x09);
4316 		run_bbp_write(sc, 26, 0xff);
4317 	}
4318 
4319 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4320 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4321 	run_rt3070_rf_read(sc, 11, &rf);
4322 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4323 	run_rt3070_rf_write(sc, 11, rf);
4324 
4325 	/* Set pll_idoh. */
4326 	run_rt3070_rf_read(sc, 11, &rf);
4327 	rf &= ~0x4c;
4328 	rf |= (chan <= 14) ? 0x44 : 0x48;
4329 	run_rt3070_rf_write(sc, 11, rf);
4330 
4331 	if (chan <= 14)
4332 		rf = txpow1 & 0x1f;
4333 	else
4334 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4335 	run_rt3070_rf_write(sc, 53, rf);
4336 
4337 	if (chan <= 14)
4338 		rf = txpow2 & 0x1f;
4339 	else
4340 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4341 	run_rt3070_rf_write(sc, 55, rf);
4342 
4343 	if (chan <= 14)
4344 		rf = txpow3 & 0x1f;
4345 	else
4346 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4347 	run_rt3070_rf_write(sc, 54, rf);
4348 
4349 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4350 	if (sc->ntxchains == 3)
4351 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4352 	else
4353 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4354 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4355 	run_rt3070_rf_write(sc, 1, rf);
4356 
4357 	run_adjust_freq_offset(sc);
4358 
4359 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4360 
4361 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4362 	run_rt3070_rf_read(sc, 30, &rf);
4363 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4364 	run_rt3070_rf_write(sc, 30, rf);
4365 
4366 	run_rt3070_rf_read(sc, 36, &rf);
4367 	if (chan <= 14)
4368 		rf |= 0x80;
4369 	else
4370 		rf &= ~0x80;
4371 	run_rt3070_rf_write(sc, 36, rf);
4372 
4373 	/* Set vcolo_bs. */
4374 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4375 	/* Set pfd_delay. */
4376 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4377 
4378 	/* Set vco bias current control. */
4379 	run_rt3070_rf_read(sc, 6, &rf);
4380 	rf &= ~0xc0;
4381 	if (chan <= 14)
4382 		rf |= 0x40;
4383 	else if (chan <= 128)
4384 		rf |= 0x80;
4385 	else
4386 		rf |= 0x40;
4387 	run_rt3070_rf_write(sc, 6, rf);
4388 
4389 	run_rt3070_rf_read(sc, 30, &rf);
4390 	rf = (rf & ~0x18) | 0x10;
4391 	run_rt3070_rf_write(sc, 30, rf);
4392 
4393 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4394 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4395 
4396 	run_rt3070_rf_read(sc, 51, &rf);
4397 	rf = (rf & ~0x03) | 0x01;
4398 	run_rt3070_rf_write(sc, 51, rf);
4399 	/* Set tx_mx1_cc. */
4400 	run_rt3070_rf_read(sc, 51, &rf);
4401 	rf &= ~0x1c;
4402 	rf |= (chan <= 14) ? 0x14 : 0x10;
4403 	run_rt3070_rf_write(sc, 51, rf);
4404 	/* Set tx_mx1_ic. */
4405 	run_rt3070_rf_read(sc, 51, &rf);
4406 	rf &= ~0xe0;
4407 	rf |= (chan <= 14) ? 0x60 : 0x40;
4408 	run_rt3070_rf_write(sc, 51, rf);
4409 	/* Set tx_lo1_ic. */
4410 	run_rt3070_rf_read(sc, 49, &rf);
4411 	rf &= ~0x1c;
4412 	rf |= (chan <= 14) ? 0x0c : 0x08;
4413 	run_rt3070_rf_write(sc, 49, rf);
4414 	/* Set tx_lo1_en. */
4415 	run_rt3070_rf_read(sc, 50, &rf);
4416 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4417 	/* Set drv_cc. */
4418 	run_rt3070_rf_read(sc, 57, &rf);
4419 	rf &= ~0xfc;
4420 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4421 	run_rt3070_rf_write(sc, 57, rf);
4422 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4423 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4424 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4425 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4426 	/* Enable VCO calibration. */
4427 	run_rt3070_rf_read(sc, 3, &rf);
4428 	rf &= ~RT5390_VCOCAL;
4429 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4430 	run_rt3070_rf_write(sc, 3, rf);
4431 
4432 	if (chan <= 14)
4433 		rf = 0x23;
4434 	else if (chan <= 64)
4435 		rf = 0x36;
4436 	else if (chan <= 128)
4437 		rf = 0x32;
4438 	else
4439 		rf = 0x30;
4440 	run_rt3070_rf_write(sc, 39, rf);
4441 	if (chan <= 14)
4442 		rf = 0xbb;
4443 	else if (chan <= 64)
4444 		rf = 0xeb;
4445 	else if (chan <= 128)
4446 		rf = 0xb3;
4447 	else
4448 		rf = 0x9b;
4449 	run_rt3070_rf_write(sc, 45, rf);
4450 
4451 	/* Set FEQ/AEQ control. */
4452 	run_bbp_write(sc, 105, 0x34);
4453 }
4454 
4455 static void
4456 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4457 {
4458 	int8_t txpow1, txpow2;
4459 	uint8_t rf;
4460 	int i;
4461 
4462 	/* find the settings for this channel (we know it exists) */
4463 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4464 
4465 	/* use Tx power values from EEPROM */
4466 	txpow1 = sc->txpow1[i];
4467 	txpow2 = sc->txpow2[i];
4468 
4469 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4470 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4471 	run_rt3070_rf_read(sc, 11, &rf);
4472 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4473 	run_rt3070_rf_write(sc, 11, rf);
4474 
4475 	run_rt3070_rf_read(sc, 49, &rf);
4476 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4477 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4478 	if ((rf & 0x3f) > 0x27)
4479 		rf = (rf & ~0x3f) | 0x27;
4480 	run_rt3070_rf_write(sc, 49, rf);
4481 
4482 	if (sc->mac_ver == 0x5392) {
4483 		run_rt3070_rf_read(sc, 50, &rf);
4484 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4485 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4486 		if ((rf & 0x3f) > 0x27)
4487 			rf = (rf & ~0x3f) | 0x27;
4488 		run_rt3070_rf_write(sc, 50, rf);
4489 	}
4490 
4491 	run_rt3070_rf_read(sc, 1, &rf);
4492 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4493 	if (sc->mac_ver == 0x5392)
4494 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4495 	run_rt3070_rf_write(sc, 1, rf);
4496 
4497 	if (sc->mac_ver != 0x5392) {
4498 		run_rt3070_rf_read(sc, 2, &rf);
4499 		rf |= 0x80;
4500 		run_rt3070_rf_write(sc, 2, rf);
4501 		run_delay(sc, 10);
4502 		rf &= 0x7f;
4503 		run_rt3070_rf_write(sc, 2, rf);
4504 	}
4505 
4506 	run_adjust_freq_offset(sc);
4507 
4508 	if (sc->mac_ver == 0x5392) {
4509 		/* Fix for RT5392C. */
4510 		if (sc->mac_rev >= 0x0223) {
4511 			if (chan <= 4)
4512 				rf = 0x0f;
4513 			else if (chan >= 5 && chan <= 7)
4514 				rf = 0x0e;
4515 			else
4516 				rf = 0x0d;
4517 			run_rt3070_rf_write(sc, 23, rf);
4518 
4519 			if (chan <= 4)
4520 				rf = 0x0c;
4521 			else if (chan == 5)
4522 				rf = 0x0b;
4523 			else if (chan >= 6 && chan <= 7)
4524 				rf = 0x0a;
4525 			else if (chan >= 8 && chan <= 10)
4526 				rf = 0x09;
4527 			else
4528 				rf = 0x08;
4529 			run_rt3070_rf_write(sc, 59, rf);
4530 		} else {
4531 			if (chan <= 11)
4532 				rf = 0x0f;
4533 			else
4534 				rf = 0x0b;
4535 			run_rt3070_rf_write(sc, 59, rf);
4536 		}
4537 	} else {
4538 		/* Fix for RT5390F. */
4539 		if (sc->mac_rev >= 0x0502) {
4540 			if (chan <= 11)
4541 				rf = 0x43;
4542 			else
4543 				rf = 0x23;
4544 			run_rt3070_rf_write(sc, 55, rf);
4545 
4546 			if (chan <= 11)
4547 				rf = 0x0f;
4548 			else if (chan == 12)
4549 				rf = 0x0d;
4550 			else
4551 				rf = 0x0b;
4552 			run_rt3070_rf_write(sc, 59, rf);
4553 		} else {
4554 			run_rt3070_rf_write(sc, 55, 0x44);
4555 			run_rt3070_rf_write(sc, 59, 0x8f);
4556 		}
4557 	}
4558 
4559 	/* Enable VCO calibration. */
4560 	run_rt3070_rf_read(sc, 3, &rf);
4561 	rf |= RT5390_VCOCAL;
4562 	run_rt3070_rf_write(sc, 3, rf);
4563 }
4564 
4565 static void
4566 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4567 {
4568 	const struct rt5592_freqs *freqs;
4569 	uint32_t tmp;
4570 	uint8_t reg, rf, txpow_bound;
4571 	int8_t txpow1, txpow2;
4572 	int i;
4573 
4574 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4575 	freqs = (tmp & RT5592_SEL_XTAL) ?
4576 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4577 
4578 	/* find the settings for this channel (we know it exists) */
4579 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4580 
4581 	/* use Tx power values from EEPROM */
4582 	txpow1 = sc->txpow1[i];
4583 	txpow2 = sc->txpow2[i];
4584 
4585 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4586 	tmp &= ~0x1c000000;
4587 	if (chan > 14)
4588 		tmp |= 0x14000000;
4589 	run_write(sc, RT3070_LDO_CFG0, tmp);
4590 
4591 	/* N setting. */
4592 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4593 	run_rt3070_rf_read(sc, 9, &rf);
4594 	rf &= ~(1 << 4);
4595 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4596 	run_rt3070_rf_write(sc, 9, rf);
4597 
4598 	/* K setting. */
4599 	run_rt3070_rf_read(sc, 9, &rf);
4600 	rf &= ~0x0f;
4601 	rf |= (freqs->k & 0x0f);
4602 	run_rt3070_rf_write(sc, 9, rf);
4603 
4604 	/* Mode setting. */
4605 	run_rt3070_rf_read(sc, 11, &rf);
4606 	rf &= ~0x0c;
4607 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4608 	run_rt3070_rf_write(sc, 11, rf);
4609 	run_rt3070_rf_read(sc, 9, &rf);
4610 	rf &= ~(1 << 7);
4611 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4612 	run_rt3070_rf_write(sc, 9, rf);
4613 
4614 	/* R setting. */
4615 	run_rt3070_rf_read(sc, 11, &rf);
4616 	rf &= ~0x03;
4617 	rf |= (freqs->r - 0x1);
4618 	run_rt3070_rf_write(sc, 11, rf);
4619 
4620 	if (chan <= 14) {
4621 		/* Initialize RF registers for 2GHZ. */
4622 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4623 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4624 			    rt5592_2ghz_def_rf[i].val);
4625 		}
4626 
4627 		rf = (chan <= 10) ? 0x07 : 0x06;
4628 		run_rt3070_rf_write(sc, 23, rf);
4629 		run_rt3070_rf_write(sc, 59, rf);
4630 
4631 		run_rt3070_rf_write(sc, 55, 0x43);
4632 
4633 		/*
4634 		 * RF R49/R50 Tx power ALC code.
4635 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4636 		 */
4637 		reg = 2;
4638 		txpow_bound = 0x27;
4639 	} else {
4640 		/* Initialize RF registers for 5GHZ. */
4641 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4642 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4643 			    rt5592_5ghz_def_rf[i].val);
4644 		}
4645 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4646 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4647 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4648 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4649 				    rt5592_chan_5ghz[i].val);
4650 			}
4651 		}
4652 
4653 		/*
4654 		 * RF R49/R50 Tx power ALC code.
4655 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4656 		 */
4657 		reg = 3;
4658 		txpow_bound = 0x2b;
4659 	}
4660 
4661 	/* RF R49 ch0 Tx power ALC code. */
4662 	run_rt3070_rf_read(sc, 49, &rf);
4663 	rf &= ~0xc0;
4664 	rf |= (reg << 6);
4665 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4666 	if ((rf & 0x3f) > txpow_bound)
4667 		rf = (rf & ~0x3f) | txpow_bound;
4668 	run_rt3070_rf_write(sc, 49, rf);
4669 
4670 	/* RF R50 ch1 Tx power ALC code. */
4671 	run_rt3070_rf_read(sc, 50, &rf);
4672 	rf &= ~(1 << 7 | 1 << 6);
4673 	rf |= (reg << 6);
4674 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4675 	if ((rf & 0x3f) > txpow_bound)
4676 		rf = (rf & ~0x3f) | txpow_bound;
4677 	run_rt3070_rf_write(sc, 50, rf);
4678 
4679 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4680 	run_rt3070_rf_read(sc, 1, &rf);
4681 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4682 	if (sc->ntxchains > 1)
4683 		rf |= RT3070_TX1_PD;
4684 	if (sc->nrxchains > 1)
4685 		rf |= RT3070_RX1_PD;
4686 	run_rt3070_rf_write(sc, 1, rf);
4687 
4688 	run_rt3070_rf_write(sc, 6, 0xe4);
4689 
4690 	run_rt3070_rf_write(sc, 30, 0x10);
4691 	run_rt3070_rf_write(sc, 31, 0x80);
4692 	run_rt3070_rf_write(sc, 32, 0x80);
4693 
4694 	run_adjust_freq_offset(sc);
4695 
4696 	/* Enable VCO calibration. */
4697 	run_rt3070_rf_read(sc, 3, &rf);
4698 	rf |= RT5390_VCOCAL;
4699 	run_rt3070_rf_write(sc, 3, rf);
4700 }
4701 
4702 static void
4703 run_set_rx_antenna(struct run_softc *sc, int aux)
4704 {
4705 	uint32_t tmp;
4706 	uint8_t bbp152;
4707 
4708 	if (aux) {
4709 		if (sc->rf_rev == RT5390_RF_5370) {
4710 			run_bbp_read(sc, 152, &bbp152);
4711 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4712 		} else {
4713 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4714 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4715 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4716 		}
4717 	} else {
4718 		if (sc->rf_rev == RT5390_RF_5370) {
4719 			run_bbp_read(sc, 152, &bbp152);
4720 			run_bbp_write(sc, 152, bbp152 | 0x80);
4721 		} else {
4722 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4723 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4724 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4725 		}
4726 	}
4727 }
4728 
4729 static int
4730 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4731 {
4732 	struct ieee80211com *ic = &sc->sc_ic;
4733 	u_int chan, group;
4734 
4735 	chan = ieee80211_chan2ieee(ic, c);
4736 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4737 		return (EINVAL);
4738 
4739 	if (sc->mac_ver == 0x5592)
4740 		run_rt5592_set_chan(sc, chan);
4741 	else if (sc->mac_ver >= 0x5390)
4742 		run_rt5390_set_chan(sc, chan);
4743 	else if (sc->mac_ver == 0x3593)
4744 		run_rt3593_set_chan(sc, chan);
4745 	else if (sc->mac_ver == 0x3572)
4746 		run_rt3572_set_chan(sc, chan);
4747 	else if (sc->mac_ver >= 0x3070)
4748 		run_rt3070_set_chan(sc, chan);
4749 	else
4750 		run_rt2870_set_chan(sc, chan);
4751 
4752 	/* determine channel group */
4753 	if (chan <= 14)
4754 		group = 0;
4755 	else if (chan <= 64)
4756 		group = 1;
4757 	else if (chan <= 128)
4758 		group = 2;
4759 	else
4760 		group = 3;
4761 
4762 	/* XXX necessary only when group has changed! */
4763 	run_select_chan_group(sc, group);
4764 
4765 	run_delay(sc, 10);
4766 
4767 	/* Perform IQ calibration. */
4768 	if (sc->mac_ver >= 0x5392)
4769 		run_iq_calib(sc, chan);
4770 
4771 	return (0);
4772 }
4773 
4774 static void
4775 run_set_channel(struct ieee80211com *ic)
4776 {
4777 	struct run_softc *sc = ic->ic_softc;
4778 
4779 	RUN_LOCK(sc);
4780 	run_set_chan(sc, ic->ic_curchan);
4781 	RUN_UNLOCK(sc);
4782 
4783 	return;
4784 }
4785 
4786 static void
4787 run_scan_start(struct ieee80211com *ic)
4788 {
4789 	struct run_softc *sc = ic->ic_softc;
4790 	uint32_t tmp;
4791 
4792 	RUN_LOCK(sc);
4793 
4794 	/* abort TSF synchronization */
4795 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4796 	run_write(sc, RT2860_BCN_TIME_CFG,
4797 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4798 	    RT2860_TBTT_TIMER_EN));
4799 	run_set_bssid(sc, ieee80211broadcastaddr);
4800 
4801 	RUN_UNLOCK(sc);
4802 
4803 	return;
4804 }
4805 
4806 static void
4807 run_scan_end(struct ieee80211com *ic)
4808 {
4809 	struct run_softc *sc = ic->ic_softc;
4810 
4811 	RUN_LOCK(sc);
4812 
4813 	run_enable_tsf_sync(sc);
4814 	run_set_bssid(sc, sc->sc_bssid);
4815 
4816 	RUN_UNLOCK(sc);
4817 
4818 	return;
4819 }
4820 
4821 /*
4822  * Could be called from ieee80211_node_timeout()
4823  * (non-sleepable thread)
4824  */
4825 static void
4826 run_update_beacon(struct ieee80211vap *vap, int item)
4827 {
4828 	struct ieee80211com *ic = vap->iv_ic;
4829 	struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
4830 	struct ieee80211_node *ni = vap->iv_bss;
4831 	struct run_softc *sc = ic->ic_softc;
4832 	struct run_vap *rvp = RUN_VAP(vap);
4833 	int mcast = 0;
4834 	uint32_t i;
4835 
4836 	switch (item) {
4837 	case IEEE80211_BEACON_ERP:
4838 		run_updateslot(ic);
4839 		break;
4840 	case IEEE80211_BEACON_HTINFO:
4841 		run_updateprot(ic);
4842 		break;
4843 	case IEEE80211_BEACON_TIM:
4844 		mcast = 1;	/*TODO*/
4845 		break;
4846 	default:
4847 		break;
4848 	}
4849 
4850 	setbit(bo->bo_flags, item);
4851 	if (rvp->beacon_mbuf == NULL) {
4852 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4853 		if (rvp->beacon_mbuf == NULL)
4854 			return;
4855 	}
4856 	ieee80211_beacon_update(ni, rvp->beacon_mbuf, mcast);
4857 
4858 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4859 	DPRINTF("cmdq_store=%d\n", i);
4860 	sc->cmdq[i].func = run_update_beacon_cb;
4861 	sc->cmdq[i].arg0 = vap;
4862 	ieee80211_runtask(ic, &sc->cmdq_task);
4863 
4864 	return;
4865 }
4866 
4867 static void
4868 run_update_beacon_cb(void *arg)
4869 {
4870 	struct ieee80211vap *vap = arg;
4871 	struct ieee80211_node *ni = vap->iv_bss;
4872 	struct run_vap *rvp = RUN_VAP(vap);
4873 	struct ieee80211com *ic = vap->iv_ic;
4874 	struct run_softc *sc = ic->ic_softc;
4875 	struct rt2860_txwi txwi;
4876 	struct mbuf *m;
4877 	uint16_t txwisize;
4878 	uint8_t ridx;
4879 
4880 	if (ni->ni_chan == IEEE80211_CHAN_ANYC)
4881 		return;
4882 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4883 		return;
4884 
4885 	/*
4886 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4887 	 * is taking care of appropriate calls.
4888 	 */
4889 	if (rvp->beacon_mbuf == NULL) {
4890 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4891 		if (rvp->beacon_mbuf == NULL)
4892 			return;
4893 	}
4894 	m = rvp->beacon_mbuf;
4895 
4896 	memset(&txwi, 0, sizeof(txwi));
4897 	txwi.wcid = 0xff;
4898 	txwi.len = htole16(m->m_pkthdr.len);
4899 
4900 	/* send beacons at the lowest available rate */
4901 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4902 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4903 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4904 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4905 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4906 	txwi.txop = RT2860_TX_TXOP_HT;
4907 	txwi.flags = RT2860_TX_TS;
4908 	txwi.xflags = RT2860_TX_NSEQ;
4909 
4910 	txwisize = (sc->mac_ver == 0x5592) ?
4911 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4912 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4913 	    txwisize);
4914 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4915 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4916 }
4917 
4918 static void
4919 run_updateprot(struct ieee80211com *ic)
4920 {
4921 	struct run_softc *sc = ic->ic_softc;
4922 	uint32_t i;
4923 
4924 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4925 	DPRINTF("cmdq_store=%d\n", i);
4926 	sc->cmdq[i].func = run_updateprot_cb;
4927 	sc->cmdq[i].arg0 = ic;
4928 	ieee80211_runtask(ic, &sc->cmdq_task);
4929 }
4930 
4931 static void
4932 run_updateprot_cb(void *arg)
4933 {
4934 	struct ieee80211com *ic = arg;
4935 	struct run_softc *sc = ic->ic_softc;
4936 	uint32_t tmp;
4937 
4938 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4939 	/* setup protection frame rate (MCS code) */
4940 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4941 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
4942 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
4943 
4944 	/* CCK frames don't require protection */
4945 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4946 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
4947 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4948 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
4949 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4950 			tmp |= RT2860_PROT_CTRL_CTS;
4951 	}
4952 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
4953 }
4954 
4955 static void
4956 run_usb_timeout_cb(void *arg)
4957 {
4958 	struct ieee80211vap *vap = arg;
4959 	struct run_softc *sc = vap->iv_ic->ic_softc;
4960 
4961 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4962 
4963 	if(vap->iv_state == IEEE80211_S_RUN &&
4964 	    vap->iv_opmode != IEEE80211_M_STA)
4965 		run_reset_livelock(sc);
4966 	else if (vap->iv_state == IEEE80211_S_SCAN) {
4967 		DPRINTF("timeout caused by scan\n");
4968 		/* cancel bgscan */
4969 		ieee80211_cancel_scan(vap);
4970 	} else
4971 		DPRINTF("timeout by unknown cause\n");
4972 }
4973 
4974 static void
4975 run_reset_livelock(struct run_softc *sc)
4976 {
4977 	uint32_t tmp;
4978 
4979 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4980 
4981 	/*
4982 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
4983 	 * can run into a livelock and start sending CTS-to-self frames like
4984 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
4985 	 */
4986 	run_read(sc, RT2860_DEBUG, &tmp);
4987 	DPRINTFN(3, "debug reg %08x\n", tmp);
4988 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
4989 		DPRINTF("CTS-to-self livelock detected\n");
4990 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
4991 		run_delay(sc, 1);
4992 		run_write(sc, RT2860_MAC_SYS_CTRL,
4993 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
4994 	}
4995 }
4996 
4997 static void
4998 run_update_promisc_locked(struct run_softc *sc)
4999 {
5000         uint32_t tmp;
5001 
5002 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5003 
5004 	tmp |= RT2860_DROP_UC_NOME;
5005         if (sc->sc_ic.ic_promisc > 0)
5006 		tmp &= ~RT2860_DROP_UC_NOME;
5007 
5008 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5009 
5010         DPRINTF("%s promiscuous mode\n", (sc->sc_ic.ic_promisc > 0) ?
5011             "entering" : "leaving");
5012 }
5013 
5014 static void
5015 run_update_promisc(struct ieee80211com *ic)
5016 {
5017 	struct run_softc *sc = ic->ic_softc;
5018 
5019 	if ((sc->sc_flags & RUN_RUNNING) == 0)
5020 		return;
5021 
5022 	RUN_LOCK(sc);
5023 	run_update_promisc_locked(sc);
5024 	RUN_UNLOCK(sc);
5025 }
5026 
5027 static void
5028 run_enable_tsf_sync(struct run_softc *sc)
5029 {
5030 	struct ieee80211com *ic = &sc->sc_ic;
5031 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5032 	uint32_t tmp;
5033 
5034 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5035 	    ic->ic_opmode);
5036 
5037 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5038 	tmp &= ~0x1fffff;
5039 	tmp |= vap->iv_bss->ni_intval * 16;
5040 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5041 
5042 	if (ic->ic_opmode == IEEE80211_M_STA) {
5043 		/*
5044 		 * Local TSF is always updated with remote TSF on beacon
5045 		 * reception.
5046 		 */
5047 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5048 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5049 	        tmp |= RT2860_BCN_TX_EN;
5050 	        /*
5051 	         * Local TSF is updated with remote TSF on beacon reception
5052 	         * only if the remote TSF is greater than local TSF.
5053 	         */
5054 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5055 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5056 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5057 	        tmp |= RT2860_BCN_TX_EN;
5058 	        /* SYNC with nobody */
5059 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5060 	} else {
5061 		DPRINTF("Enabling TSF failed. undefined opmode\n");
5062 		return;
5063 	}
5064 
5065 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5066 }
5067 
5068 static void
5069 run_enable_tsf(struct run_softc *sc)
5070 {
5071 	uint32_t tmp;
5072 
5073 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5074 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TBTT_TIMER_EN);
5075 		tmp |= RT2860_TSF_TIMER_EN;
5076 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5077 	}
5078 }
5079 
5080 static void
5081 run_get_tsf(struct run_softc *sc, uint64_t *buf)
5082 {
5083 	run_read_region_1(sc, RT2860_TSF_TIMER_DW0, (uint8_t *)buf,
5084 	    sizeof(*buf));
5085 }
5086 
5087 static void
5088 run_enable_mrr(struct run_softc *sc)
5089 {
5090 #define	CCK(mcs)	(mcs)
5091 #define	OFDM(mcs)	(1 << 3 | (mcs))
5092 	run_write(sc, RT2860_LG_FBK_CFG0,
5093 	    OFDM(6) << 28 |	/* 54->48 */
5094 	    OFDM(5) << 24 |	/* 48->36 */
5095 	    OFDM(4) << 20 |	/* 36->24 */
5096 	    OFDM(3) << 16 |	/* 24->18 */
5097 	    OFDM(2) << 12 |	/* 18->12 */
5098 	    OFDM(1) <<  8 |	/* 12-> 9 */
5099 	    OFDM(0) <<  4 |	/*  9-> 6 */
5100 	    OFDM(0));		/*  6-> 6 */
5101 
5102 	run_write(sc, RT2860_LG_FBK_CFG1,
5103 	    CCK(2) << 12 |	/* 11->5.5 */
5104 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5105 	    CCK(0) <<  4 |	/*   2-> 1 */
5106 	    CCK(0));		/*   1-> 1 */
5107 #undef OFDM
5108 #undef CCK
5109 }
5110 
5111 static void
5112 run_set_txpreamble(struct run_softc *sc)
5113 {
5114 	struct ieee80211com *ic = &sc->sc_ic;
5115 	uint32_t tmp;
5116 
5117 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5118 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5119 		tmp |= RT2860_CCK_SHORT_EN;
5120 	else
5121 		tmp &= ~RT2860_CCK_SHORT_EN;
5122 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5123 }
5124 
5125 static void
5126 run_set_basicrates(struct run_softc *sc)
5127 {
5128 	struct ieee80211com *ic = &sc->sc_ic;
5129 
5130 	/* set basic rates mask */
5131 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5132 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5133 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5134 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5135 	else	/* 11g */
5136 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5137 }
5138 
5139 static void
5140 run_set_leds(struct run_softc *sc, uint16_t which)
5141 {
5142 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5143 	    which | (sc->leds & 0x7f));
5144 }
5145 
5146 static void
5147 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5148 {
5149 	run_write(sc, RT2860_MAC_BSSID_DW0,
5150 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5151 	run_write(sc, RT2860_MAC_BSSID_DW1,
5152 	    bssid[4] | bssid[5] << 8);
5153 }
5154 
5155 static void
5156 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5157 {
5158 	run_write(sc, RT2860_MAC_ADDR_DW0,
5159 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5160 	run_write(sc, RT2860_MAC_ADDR_DW1,
5161 	    addr[4] | addr[5] << 8 | 0xff << 16);
5162 }
5163 
5164 static void
5165 run_updateslot(struct ieee80211com *ic)
5166 {
5167 	struct run_softc *sc = ic->ic_softc;
5168 	uint32_t i;
5169 
5170 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5171 	DPRINTF("cmdq_store=%d\n", i);
5172 	sc->cmdq[i].func = run_updateslot_cb;
5173 	sc->cmdq[i].arg0 = ic;
5174 	ieee80211_runtask(ic, &sc->cmdq_task);
5175 
5176 	return;
5177 }
5178 
5179 /* ARGSUSED */
5180 static void
5181 run_updateslot_cb(void *arg)
5182 {
5183 	struct ieee80211com *ic = arg;
5184 	struct run_softc *sc = ic->ic_softc;
5185 	uint32_t tmp;
5186 
5187 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5188 	tmp &= ~0xff;
5189 	tmp |= IEEE80211_GET_SLOTTIME(ic);
5190 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5191 }
5192 
5193 static void
5194 run_update_mcast(struct ieee80211com *ic)
5195 {
5196 }
5197 
5198 static int8_t
5199 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5200 {
5201 	struct ieee80211com *ic = &sc->sc_ic;
5202 	struct ieee80211_channel *c = ic->ic_curchan;
5203 	int delta;
5204 
5205 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5206 		u_int chan = ieee80211_chan2ieee(ic, c);
5207 		delta = sc->rssi_5ghz[rxchain];
5208 
5209 		/* determine channel group */
5210 		if (chan <= 64)
5211 			delta -= sc->lna[1];
5212 		else if (chan <= 128)
5213 			delta -= sc->lna[2];
5214 		else
5215 			delta -= sc->lna[3];
5216 	} else
5217 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5218 
5219 	return (-12 - delta - rssi);
5220 }
5221 
5222 static void
5223 run_rt5390_bbp_init(struct run_softc *sc)
5224 {
5225 	u_int i;
5226 	uint8_t bbp;
5227 
5228 	/* Apply maximum likelihood detection for 2 stream case. */
5229 	run_bbp_read(sc, 105, &bbp);
5230 	if (sc->nrxchains > 1)
5231 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5232 
5233 	/* Avoid data lost and CRC error. */
5234 	run_bbp_read(sc, 4, &bbp);
5235 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5236 
5237 	if (sc->mac_ver == 0x5592) {
5238 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5239 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5240 			    rt5592_def_bbp[i].val);
5241 		}
5242 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5243 			run_bbp_write(sc, 195, i + 0x80);
5244 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5245 		}
5246 	} else {
5247 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5248 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5249 			    rt5390_def_bbp[i].val);
5250 		}
5251 	}
5252 	if (sc->mac_ver == 0x5392) {
5253 		run_bbp_write(sc, 88, 0x90);
5254 		run_bbp_write(sc, 95, 0x9a);
5255 		run_bbp_write(sc, 98, 0x12);
5256 		run_bbp_write(sc, 106, 0x12);
5257 		run_bbp_write(sc, 134, 0xd0);
5258 		run_bbp_write(sc, 135, 0xf6);
5259 		run_bbp_write(sc, 148, 0x84);
5260 	}
5261 
5262 	run_bbp_read(sc, 152, &bbp);
5263 	run_bbp_write(sc, 152, bbp | 0x80);
5264 
5265 	/* Fix BBP254 for RT5592C. */
5266 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5267 		run_bbp_read(sc, 254, &bbp);
5268 		run_bbp_write(sc, 254, bbp | 0x80);
5269 	}
5270 
5271 	/* Disable hardware antenna diversity. */
5272 	if (sc->mac_ver == 0x5390)
5273 		run_bbp_write(sc, 154, 0);
5274 
5275 	/* Initialize Rx CCK/OFDM frequency offset report. */
5276 	run_bbp_write(sc, 142, 1);
5277 	run_bbp_write(sc, 143, 57);
5278 }
5279 
5280 static int
5281 run_bbp_init(struct run_softc *sc)
5282 {
5283 	int i, error, ntries;
5284 	uint8_t bbp0;
5285 
5286 	/* wait for BBP to wake up */
5287 	for (ntries = 0; ntries < 20; ntries++) {
5288 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5289 			return error;
5290 		if (bbp0 != 0 && bbp0 != 0xff)
5291 			break;
5292 	}
5293 	if (ntries == 20)
5294 		return (ETIMEDOUT);
5295 
5296 	/* initialize BBP registers to default values */
5297 	if (sc->mac_ver >= 0x5390)
5298 		run_rt5390_bbp_init(sc);
5299 	else {
5300 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5301 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5302 			    rt2860_def_bbp[i].val);
5303 		}
5304 	}
5305 
5306 	if (sc->mac_ver == 0x3593) {
5307 		run_bbp_write(sc, 79, 0x13);
5308 		run_bbp_write(sc, 80, 0x05);
5309 		run_bbp_write(sc, 81, 0x33);
5310 		run_bbp_write(sc, 86, 0x46);
5311 		run_bbp_write(sc, 137, 0x0f);
5312 	}
5313 
5314 	/* fix BBP84 for RT2860E */
5315 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5316 		run_bbp_write(sc, 84, 0x19);
5317 
5318 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5319 	    sc->mac_ver != 0x5592)) {
5320 		run_bbp_write(sc, 79, 0x13);
5321 		run_bbp_write(sc, 80, 0x05);
5322 		run_bbp_write(sc, 81, 0x33);
5323 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5324 		run_bbp_write(sc, 69, 0x16);
5325 		run_bbp_write(sc, 73, 0x12);
5326 	}
5327 	return (0);
5328 }
5329 
5330 static int
5331 run_rt3070_rf_init(struct run_softc *sc)
5332 {
5333 	uint32_t tmp;
5334 	uint8_t bbp4, mingain, rf, target;
5335 	u_int i;
5336 
5337 	run_rt3070_rf_read(sc, 30, &rf);
5338 	/* toggle RF R30 bit 7 */
5339 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5340 	run_delay(sc, 10);
5341 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5342 
5343 	/* initialize RF registers to default value */
5344 	if (sc->mac_ver == 0x3572) {
5345 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5346 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5347 			    rt3572_def_rf[i].val);
5348 		}
5349 	} else {
5350 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5351 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5352 			    rt3070_def_rf[i].val);
5353 		}
5354 	}
5355 
5356 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5357 		/*
5358 		 * Change voltage from 1.2V to 1.35V for RT3070.
5359 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5360 		 * in RT3070(F).
5361 		 */
5362 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5363 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5364 		run_write(sc, RT3070_LDO_CFG0, tmp);
5365 
5366 	} else if (sc->mac_ver == 0x3071) {
5367 		run_rt3070_rf_read(sc, 6, &rf);
5368 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5369 		run_rt3070_rf_write(sc, 31, 0x14);
5370 
5371 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5372 		tmp &= ~0x1f000000;
5373 		if (sc->mac_rev < 0x0211)
5374 			tmp |= 0x0d000000;	/* 1.3V */
5375 		else
5376 			tmp |= 0x01000000;	/* 1.2V */
5377 		run_write(sc, RT3070_LDO_CFG0, tmp);
5378 
5379 		/* patch LNA_PE_G1 */
5380 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5381 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5382 
5383 	} else if (sc->mac_ver == 0x3572) {
5384 		run_rt3070_rf_read(sc, 6, &rf);
5385 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5386 
5387 		/* increase voltage from 1.2V to 1.35V */
5388 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5389 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5390 		run_write(sc, RT3070_LDO_CFG0, tmp);
5391 
5392 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5393 			run_delay(sc, 1);	/* wait for 1msec */
5394 			/* decrease voltage back to 1.2V */
5395 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5396 			run_write(sc, RT3070_LDO_CFG0, tmp);
5397 		}
5398 	}
5399 
5400 	/* select 20MHz bandwidth */
5401 	run_rt3070_rf_read(sc, 31, &rf);
5402 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5403 
5404 	/* calibrate filter for 20MHz bandwidth */
5405 	sc->rf24_20mhz = 0x1f;	/* default value */
5406 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5407 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5408 
5409 	/* select 40MHz bandwidth */
5410 	run_bbp_read(sc, 4, &bbp4);
5411 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5412 	run_rt3070_rf_read(sc, 31, &rf);
5413 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5414 
5415 	/* calibrate filter for 40MHz bandwidth */
5416 	sc->rf24_40mhz = 0x2f;	/* default value */
5417 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5418 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5419 
5420 	/* go back to 20MHz bandwidth */
5421 	run_bbp_read(sc, 4, &bbp4);
5422 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5423 
5424 	if (sc->mac_ver == 0x3572) {
5425 		/* save default BBP registers 25 and 26 values */
5426 		run_bbp_read(sc, 25, &sc->bbp25);
5427 		run_bbp_read(sc, 26, &sc->bbp26);
5428 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5429 		run_rt3070_rf_write(sc, 27, 0x03);
5430 
5431 	run_read(sc, RT3070_OPT_14, &tmp);
5432 	run_write(sc, RT3070_OPT_14, tmp | 1);
5433 
5434 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5435 		run_rt3070_rf_read(sc, 17, &rf);
5436 		rf &= ~RT3070_TX_LO1;
5437 		if ((sc->mac_ver == 0x3070 ||
5438 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5439 		    !sc->ext_2ghz_lna)
5440 			rf |= 0x20;	/* fix for long range Rx issue */
5441 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5442 		if (sc->txmixgain_2ghz >= mingain)
5443 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5444 		run_rt3070_rf_write(sc, 17, rf);
5445 	}
5446 
5447 	if (sc->mac_ver == 0x3071) {
5448 		run_rt3070_rf_read(sc, 1, &rf);
5449 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5450 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5451 		run_rt3070_rf_write(sc, 1, rf);
5452 
5453 		run_rt3070_rf_read(sc, 15, &rf);
5454 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5455 
5456 		run_rt3070_rf_read(sc, 20, &rf);
5457 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5458 
5459 		run_rt3070_rf_read(sc, 21, &rf);
5460 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5461 	}
5462 
5463 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5464 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5465 		run_rt3070_rf_read(sc, 27, &rf);
5466 		rf &= ~0x77;
5467 		if (sc->mac_rev < 0x0211)
5468 			rf |= 0x03;
5469 		run_rt3070_rf_write(sc, 27, rf);
5470 	}
5471 	return (0);
5472 }
5473 
5474 static void
5475 run_rt3593_rf_init(struct run_softc *sc)
5476 {
5477 	uint32_t tmp;
5478 	uint8_t rf;
5479 	u_int i;
5480 
5481 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5482 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5483 	tmp &= ~(1 << 4 | 1 << 7);
5484 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5485 
5486 	/* Initialize RF registers to default value. */
5487 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5488 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5489 		    rt3593_def_rf[i].val);
5490 	}
5491 
5492 	/* Toggle RF R2 to initiate calibration. */
5493 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5494 
5495 	/* Initialize RF frequency offset. */
5496 	run_adjust_freq_offset(sc);
5497 
5498 	run_rt3070_rf_read(sc, 18, &rf);
5499 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5500 
5501 	/*
5502 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5503 	 * decrease voltage back to 1.2V.
5504 	 */
5505 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5506 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5507 	run_write(sc, RT3070_LDO_CFG0, tmp);
5508 	run_delay(sc, 1);
5509 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5510 	run_write(sc, RT3070_LDO_CFG0, tmp);
5511 
5512 	sc->rf24_20mhz = 0x1f;
5513 	sc->rf24_40mhz = 0x2f;
5514 
5515 	/* Save default BBP registers 25 and 26 values. */
5516 	run_bbp_read(sc, 25, &sc->bbp25);
5517 	run_bbp_read(sc, 26, &sc->bbp26);
5518 
5519 	run_read(sc, RT3070_OPT_14, &tmp);
5520 	run_write(sc, RT3070_OPT_14, tmp | 1);
5521 }
5522 
5523 static void
5524 run_rt5390_rf_init(struct run_softc *sc)
5525 {
5526 	uint32_t tmp;
5527 	uint8_t rf;
5528 	u_int i;
5529 
5530 	/* Toggle RF R2 to initiate calibration. */
5531 	if (sc->mac_ver == 0x5390) {
5532 		run_rt3070_rf_read(sc, 2, &rf);
5533 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5534 		run_delay(sc, 10);
5535 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5536 	} else {
5537 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5538 		run_delay(sc, 10);
5539 	}
5540 
5541 	/* Initialize RF registers to default value. */
5542 	if (sc->mac_ver == 0x5592) {
5543 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5544 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5545 			    rt5592_def_rf[i].val);
5546 		}
5547 		/* Initialize RF frequency offset. */
5548 		run_adjust_freq_offset(sc);
5549 	} else if (sc->mac_ver == 0x5392) {
5550 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5551 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5552 			    rt5392_def_rf[i].val);
5553 		}
5554 		if (sc->mac_rev >= 0x0223) {
5555 			run_rt3070_rf_write(sc, 23, 0x0f);
5556 			run_rt3070_rf_write(sc, 24, 0x3e);
5557 			run_rt3070_rf_write(sc, 51, 0x32);
5558 			run_rt3070_rf_write(sc, 53, 0x22);
5559 			run_rt3070_rf_write(sc, 56, 0xc1);
5560 			run_rt3070_rf_write(sc, 59, 0x0f);
5561 		}
5562 	} else {
5563 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5564 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5565 			    rt5390_def_rf[i].val);
5566 		}
5567 		if (sc->mac_rev >= 0x0502) {
5568 			run_rt3070_rf_write(sc, 6, 0xe0);
5569 			run_rt3070_rf_write(sc, 25, 0x80);
5570 			run_rt3070_rf_write(sc, 46, 0x73);
5571 			run_rt3070_rf_write(sc, 53, 0x00);
5572 			run_rt3070_rf_write(sc, 56, 0x42);
5573 			run_rt3070_rf_write(sc, 61, 0xd1);
5574 		}
5575 	}
5576 
5577 	sc->rf24_20mhz = 0x1f;	/* default value */
5578 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5579 
5580 	if (sc->mac_rev < 0x0211)
5581 		run_rt3070_rf_write(sc, 27, 0x3);
5582 
5583 	run_read(sc, RT3070_OPT_14, &tmp);
5584 	run_write(sc, RT3070_OPT_14, tmp | 1);
5585 }
5586 
5587 static int
5588 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5589     uint8_t *val)
5590 {
5591 	uint8_t rf22, rf24;
5592 	uint8_t bbp55_pb, bbp55_sb, delta;
5593 	int ntries;
5594 
5595 	/* program filter */
5596 	run_rt3070_rf_read(sc, 24, &rf24);
5597 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5598 	run_rt3070_rf_write(sc, 24, rf24);
5599 
5600 	/* enable baseband loopback mode */
5601 	run_rt3070_rf_read(sc, 22, &rf22);
5602 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5603 
5604 	/* set power and frequency of passband test tone */
5605 	run_bbp_write(sc, 24, 0x00);
5606 	for (ntries = 0; ntries < 100; ntries++) {
5607 		/* transmit test tone */
5608 		run_bbp_write(sc, 25, 0x90);
5609 		run_delay(sc, 10);
5610 		/* read received power */
5611 		run_bbp_read(sc, 55, &bbp55_pb);
5612 		if (bbp55_pb != 0)
5613 			break;
5614 	}
5615 	if (ntries == 100)
5616 		return (ETIMEDOUT);
5617 
5618 	/* set power and frequency of stopband test tone */
5619 	run_bbp_write(sc, 24, 0x06);
5620 	for (ntries = 0; ntries < 100; ntries++) {
5621 		/* transmit test tone */
5622 		run_bbp_write(sc, 25, 0x90);
5623 		run_delay(sc, 10);
5624 		/* read received power */
5625 		run_bbp_read(sc, 55, &bbp55_sb);
5626 
5627 		delta = bbp55_pb - bbp55_sb;
5628 		if (delta > target)
5629 			break;
5630 
5631 		/* reprogram filter */
5632 		rf24++;
5633 		run_rt3070_rf_write(sc, 24, rf24);
5634 	}
5635 	if (ntries < 100) {
5636 		if (rf24 != init)
5637 			rf24--;	/* backtrack */
5638 		*val = rf24;
5639 		run_rt3070_rf_write(sc, 24, rf24);
5640 	}
5641 
5642 	/* restore initial state */
5643 	run_bbp_write(sc, 24, 0x00);
5644 
5645 	/* disable baseband loopback mode */
5646 	run_rt3070_rf_read(sc, 22, &rf22);
5647 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5648 
5649 	return (0);
5650 }
5651 
5652 static void
5653 run_rt3070_rf_setup(struct run_softc *sc)
5654 {
5655 	uint8_t bbp, rf;
5656 	int i;
5657 
5658 	if (sc->mac_ver == 0x3572) {
5659 		/* enable DC filter */
5660 		if (sc->mac_rev >= 0x0201)
5661 			run_bbp_write(sc, 103, 0xc0);
5662 
5663 		run_bbp_read(sc, 138, &bbp);
5664 		if (sc->ntxchains == 1)
5665 			bbp |= 0x20;	/* turn off DAC1 */
5666 		if (sc->nrxchains == 1)
5667 			bbp &= ~0x02;	/* turn off ADC1 */
5668 		run_bbp_write(sc, 138, bbp);
5669 
5670 		if (sc->mac_rev >= 0x0211) {
5671 			/* improve power consumption */
5672 			run_bbp_read(sc, 31, &bbp);
5673 			run_bbp_write(sc, 31, bbp & ~0x03);
5674 		}
5675 
5676 		run_rt3070_rf_read(sc, 16, &rf);
5677 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5678 		run_rt3070_rf_write(sc, 16, rf);
5679 
5680 	} else if (sc->mac_ver == 0x3071) {
5681 		if (sc->mac_rev >= 0x0211) {
5682 			/* enable DC filter */
5683 			run_bbp_write(sc, 103, 0xc0);
5684 
5685 			/* improve power consumption */
5686 			run_bbp_read(sc, 31, &bbp);
5687 			run_bbp_write(sc, 31, bbp & ~0x03);
5688 		}
5689 
5690 		run_bbp_read(sc, 138, &bbp);
5691 		if (sc->ntxchains == 1)
5692 			bbp |= 0x20;	/* turn off DAC1 */
5693 		if (sc->nrxchains == 1)
5694 			bbp &= ~0x02;	/* turn off ADC1 */
5695 		run_bbp_write(sc, 138, bbp);
5696 
5697 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5698 		if (sc->mac_rev < 0x0211) {
5699 			run_write(sc, RT2860_TX_SW_CFG2,
5700 			    sc->patch_dac ? 0x2c : 0x0f);
5701 		} else
5702 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5703 
5704 	} else if (sc->mac_ver == 0x3070) {
5705 		if (sc->mac_rev >= 0x0201) {
5706 			/* enable DC filter */
5707 			run_bbp_write(sc, 103, 0xc0);
5708 
5709 			/* improve power consumption */
5710 			run_bbp_read(sc, 31, &bbp);
5711 			run_bbp_write(sc, 31, bbp & ~0x03);
5712 		}
5713 
5714 		if (sc->mac_rev < 0x0201) {
5715 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5716 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5717 		} else
5718 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5719 	}
5720 
5721 	/* initialize RF registers from ROM for >=RT3071*/
5722 	if (sc->mac_ver >= 0x3071) {
5723 		for (i = 0; i < 10; i++) {
5724 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5725 				continue;
5726 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5727 		}
5728 	}
5729 }
5730 
5731 static void
5732 run_rt3593_rf_setup(struct run_softc *sc)
5733 {
5734 	uint8_t bbp, rf;
5735 
5736 	if (sc->mac_rev >= 0x0211) {
5737 		/* Enable DC filter. */
5738 		run_bbp_write(sc, 103, 0xc0);
5739 	}
5740 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5741 	if (sc->mac_rev < 0x0211) {
5742 		run_write(sc, RT2860_TX_SW_CFG2,
5743 		    sc->patch_dac ? 0x2c : 0x0f);
5744 	} else
5745 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5746 
5747 	run_rt3070_rf_read(sc, 50, &rf);
5748 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5749 
5750 	run_rt3070_rf_read(sc, 51, &rf);
5751 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5752 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5753 	run_rt3070_rf_write(sc, 51, rf);
5754 
5755 	run_rt3070_rf_read(sc, 38, &rf);
5756 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5757 
5758 	run_rt3070_rf_read(sc, 39, &rf);
5759 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5760 
5761 	run_rt3070_rf_read(sc, 1, &rf);
5762 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5763 
5764 	run_rt3070_rf_read(sc, 30, &rf);
5765 	rf = (rf & ~0x18) | 0x10;
5766 	run_rt3070_rf_write(sc, 30, rf);
5767 
5768 	/* Apply maximum likelihood detection for 2 stream case. */
5769 	run_bbp_read(sc, 105, &bbp);
5770 	if (sc->nrxchains > 1)
5771 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5772 
5773 	/* Avoid data lost and CRC error. */
5774 	run_bbp_read(sc, 4, &bbp);
5775 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5776 
5777 	run_bbp_write(sc, 92, 0x02);
5778 	run_bbp_write(sc, 82, 0x82);
5779 	run_bbp_write(sc, 106, 0x05);
5780 	run_bbp_write(sc, 104, 0x92);
5781 	run_bbp_write(sc, 88, 0x90);
5782 	run_bbp_write(sc, 148, 0xc8);
5783 	run_bbp_write(sc, 47, 0x48);
5784 	run_bbp_write(sc, 120, 0x50);
5785 
5786 	run_bbp_write(sc, 163, 0x9d);
5787 
5788 	/* SNR mapping. */
5789 	run_bbp_write(sc, 142, 0x06);
5790 	run_bbp_write(sc, 143, 0xa0);
5791 	run_bbp_write(sc, 142, 0x07);
5792 	run_bbp_write(sc, 143, 0xa1);
5793 	run_bbp_write(sc, 142, 0x08);
5794 	run_bbp_write(sc, 143, 0xa2);
5795 
5796 	run_bbp_write(sc, 31, 0x08);
5797 	run_bbp_write(sc, 68, 0x0b);
5798 	run_bbp_write(sc, 105, 0x04);
5799 }
5800 
5801 static void
5802 run_rt5390_rf_setup(struct run_softc *sc)
5803 {
5804 	uint8_t bbp, rf;
5805 
5806 	if (sc->mac_rev >= 0x0211) {
5807 		/* Enable DC filter. */
5808 		run_bbp_write(sc, 103, 0xc0);
5809 
5810 		if (sc->mac_ver != 0x5592) {
5811 			/* Improve power consumption. */
5812 			run_bbp_read(sc, 31, &bbp);
5813 			run_bbp_write(sc, 31, bbp & ~0x03);
5814 		}
5815 	}
5816 
5817 	run_bbp_read(sc, 138, &bbp);
5818 	if (sc->ntxchains == 1)
5819 		bbp |= 0x20;	/* turn off DAC1 */
5820 	if (sc->nrxchains == 1)
5821 		bbp &= ~0x02;	/* turn off ADC1 */
5822 	run_bbp_write(sc, 138, bbp);
5823 
5824 	run_rt3070_rf_read(sc, 38, &rf);
5825 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5826 
5827 	run_rt3070_rf_read(sc, 39, &rf);
5828 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5829 
5830 	/* Avoid data lost and CRC error. */
5831 	run_bbp_read(sc, 4, &bbp);
5832 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5833 
5834 	run_rt3070_rf_read(sc, 30, &rf);
5835 	rf = (rf & ~0x18) | 0x10;
5836 	run_rt3070_rf_write(sc, 30, rf);
5837 
5838 	if (sc->mac_ver != 0x5592) {
5839 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5840 		if (sc->mac_rev < 0x0211) {
5841 			run_write(sc, RT2860_TX_SW_CFG2,
5842 			    sc->patch_dac ? 0x2c : 0x0f);
5843 		} else
5844 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5845 	}
5846 }
5847 
5848 static int
5849 run_txrx_enable(struct run_softc *sc)
5850 {
5851 	struct ieee80211com *ic = &sc->sc_ic;
5852 	uint32_t tmp;
5853 	int error, ntries;
5854 
5855 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5856 	for (ntries = 0; ntries < 200; ntries++) {
5857 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5858 			return (error);
5859 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5860 			break;
5861 		run_delay(sc, 50);
5862 	}
5863 	if (ntries == 200)
5864 		return (ETIMEDOUT);
5865 
5866 	run_delay(sc, 50);
5867 
5868 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5869 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5870 
5871 	/* enable Rx bulk aggregation (set timeout and limit) */
5872 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5873 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5874 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5875 
5876 	/* set Rx filter */
5877 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5878 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5879 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5880 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5881 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5882 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5883 		if (ic->ic_opmode == IEEE80211_M_STA)
5884 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5885 	}
5886 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5887 
5888 	run_write(sc, RT2860_MAC_SYS_CTRL,
5889 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5890 
5891 	return (0);
5892 }
5893 
5894 static void
5895 run_adjust_freq_offset(struct run_softc *sc)
5896 {
5897 	uint8_t rf, tmp;
5898 
5899 	run_rt3070_rf_read(sc, 17, &rf);
5900 	tmp = rf;
5901 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5902 	rf = MIN(rf, 0x5f);
5903 
5904 	if (tmp != rf)
5905 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5906 }
5907 
5908 static void
5909 run_init_locked(struct run_softc *sc)
5910 {
5911 	struct ieee80211com *ic = &sc->sc_ic;
5912 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5913 	uint32_t tmp;
5914 	uint8_t bbp1, bbp3;
5915 	int i;
5916 	int ridx;
5917 	int ntries;
5918 
5919 	if (ic->ic_nrunning > 1)
5920 		return;
5921 
5922 	run_stop(sc);
5923 
5924 	if (run_load_microcode(sc) != 0) {
5925 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5926 		goto fail;
5927 	}
5928 
5929 	for (ntries = 0; ntries < 100; ntries++) {
5930 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5931 			goto fail;
5932 		if (tmp != 0 && tmp != 0xffffffff)
5933 			break;
5934 		run_delay(sc, 10);
5935 	}
5936 	if (ntries == 100)
5937 		goto fail;
5938 
5939 	for (i = 0; i != RUN_EP_QUEUES; i++)
5940 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5941 
5942 	run_set_macaddr(sc, vap ? vap->iv_myaddr : ic->ic_macaddr);
5943 
5944 	for (ntries = 0; ntries < 100; ntries++) {
5945 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5946 			goto fail;
5947 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5948 			break;
5949 		run_delay(sc, 10);
5950 	}
5951 	if (ntries == 100) {
5952 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5953 		goto fail;
5954 	}
5955 	tmp &= 0xff0;
5956 	tmp |= RT2860_TX_WB_DDONE;
5957 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5958 
5959 	/* turn off PME_OEN to solve high-current issue */
5960 	run_read(sc, RT2860_SYS_CTRL, &tmp);
5961 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5962 
5963 	run_write(sc, RT2860_MAC_SYS_CTRL,
5964 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
5965 	run_write(sc, RT2860_USB_DMA_CFG, 0);
5966 
5967 	if (run_reset(sc) != 0) {
5968 		device_printf(sc->sc_dev, "could not reset chipset\n");
5969 		goto fail;
5970 	}
5971 
5972 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
5973 
5974 	/* init Tx power for all Tx rates (from EEPROM) */
5975 	for (ridx = 0; ridx < 5; ridx++) {
5976 		if (sc->txpow20mhz[ridx] == 0xffffffff)
5977 			continue;
5978 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
5979 	}
5980 
5981 	for (i = 0; i < nitems(rt2870_def_mac); i++)
5982 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
5983 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
5984 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
5985 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
5986 
5987 	if (sc->mac_ver >= 0x5390) {
5988 		run_write(sc, RT2860_TX_SW_CFG0,
5989 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
5990 		if (sc->mac_ver >= 0x5392) {
5991 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
5992 			if (sc->mac_ver == 0x5592) {
5993 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
5994 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
5995 			} else {
5996 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
5997 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
5998 			}
5999 		}
6000 	} else if (sc->mac_ver == 0x3593) {
6001 		run_write(sc, RT2860_TX_SW_CFG0,
6002 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6003 	} else if (sc->mac_ver >= 0x3070) {
6004 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6005 		run_write(sc, RT2860_TX_SW_CFG0,
6006 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6007 	}
6008 
6009 	/* wait while MAC is busy */
6010 	for (ntries = 0; ntries < 100; ntries++) {
6011 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6012 			goto fail;
6013 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6014 			break;
6015 		run_delay(sc, 10);
6016 	}
6017 	if (ntries == 100)
6018 		goto fail;
6019 
6020 	/* clear Host to MCU mailbox */
6021 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6022 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6023 	run_delay(sc, 10);
6024 
6025 	if (run_bbp_init(sc) != 0) {
6026 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6027 		goto fail;
6028 	}
6029 
6030 	/* abort TSF synchronization */
6031 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6032 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6033 	    RT2860_TBTT_TIMER_EN);
6034 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6035 
6036 	/* clear RX WCID search table */
6037 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6038 	/* clear WCID attribute table */
6039 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6040 
6041 	/* hostapd sets a key before init. So, don't clear it. */
6042 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6043 		/* clear shared key table */
6044 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6045 		/* clear shared key mode */
6046 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6047 	}
6048 
6049 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6050 	tmp = (tmp & ~0xff) | 0x1e;
6051 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6052 
6053 	if (sc->mac_rev != 0x0101)
6054 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6055 
6056 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6057 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6058 
6059 	/* write vendor-specific BBP values (from EEPROM) */
6060 	if (sc->mac_ver < 0x3593) {
6061 		for (i = 0; i < 10; i++) {
6062 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6063 				continue;
6064 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6065 		}
6066 	}
6067 
6068 	/* select Main antenna for 1T1R devices */
6069 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6070 		run_set_rx_antenna(sc, 0);
6071 
6072 	/* send LEDs operating mode to microcontroller */
6073 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6074 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6075 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6076 
6077 	if (sc->mac_ver >= 0x5390)
6078 		run_rt5390_rf_init(sc);
6079 	else if (sc->mac_ver == 0x3593)
6080 		run_rt3593_rf_init(sc);
6081 	else if (sc->mac_ver >= 0x3070)
6082 		run_rt3070_rf_init(sc);
6083 
6084 	/* disable non-existing Rx chains */
6085 	run_bbp_read(sc, 3, &bbp3);
6086 	bbp3 &= ~(1 << 3 | 1 << 4);
6087 	if (sc->nrxchains == 2)
6088 		bbp3 |= 1 << 3;
6089 	else if (sc->nrxchains == 3)
6090 		bbp3 |= 1 << 4;
6091 	run_bbp_write(sc, 3, bbp3);
6092 
6093 	/* disable non-existing Tx chains */
6094 	run_bbp_read(sc, 1, &bbp1);
6095 	if (sc->ntxchains == 1)
6096 		bbp1 &= ~(1 << 3 | 1 << 4);
6097 	run_bbp_write(sc, 1, bbp1);
6098 
6099 	if (sc->mac_ver >= 0x5390)
6100 		run_rt5390_rf_setup(sc);
6101 	else if (sc->mac_ver == 0x3593)
6102 		run_rt3593_rf_setup(sc);
6103 	else if (sc->mac_ver >= 0x3070)
6104 		run_rt3070_rf_setup(sc);
6105 
6106 	/* select default channel */
6107 	run_set_chan(sc, ic->ic_curchan);
6108 
6109 	/* setup initial protection mode */
6110 	run_updateprot_cb(ic);
6111 
6112 	/* turn radio LED on */
6113 	run_set_leds(sc, RT2860_LED_RADIO);
6114 
6115 	sc->sc_flags |= RUN_RUNNING;
6116 	sc->cmdq_run = RUN_CMDQ_GO;
6117 
6118 	for (i = 0; i != RUN_N_XFER; i++)
6119 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6120 
6121 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6122 
6123 	if (run_txrx_enable(sc) != 0)
6124 		goto fail;
6125 
6126 	return;
6127 
6128 fail:
6129 	run_stop(sc);
6130 }
6131 
6132 static void
6133 run_stop(void *arg)
6134 {
6135 	struct run_softc *sc = (struct run_softc *)arg;
6136 	uint32_t tmp;
6137 	int i;
6138 	int ntries;
6139 
6140 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6141 
6142 	if (sc->sc_flags & RUN_RUNNING)
6143 		run_set_leds(sc, 0);	/* turn all LEDs off */
6144 
6145 	sc->sc_flags &= ~RUN_RUNNING;
6146 
6147 	sc->ratectl_run = RUN_RATECTL_OFF;
6148 	sc->cmdq_run = sc->cmdq_key_set;
6149 
6150 	RUN_UNLOCK(sc);
6151 
6152 	for(i = 0; i < RUN_N_XFER; i++)
6153 		usbd_transfer_drain(sc->sc_xfer[i]);
6154 
6155 	RUN_LOCK(sc);
6156 
6157 	run_drain_mbufq(sc);
6158 
6159 	if (sc->rx_m != NULL) {
6160 		m_free(sc->rx_m);
6161 		sc->rx_m = NULL;
6162 	}
6163 
6164 	/* Disable Tx/Rx DMA. */
6165 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6166 		return;
6167 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6168 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6169 
6170 	for (ntries = 0; ntries < 100; ntries++) {
6171 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6172 			return;
6173 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6174 				break;
6175 		run_delay(sc, 10);
6176 	}
6177 	if (ntries == 100) {
6178 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6179 		return;
6180 	}
6181 
6182 	/* disable Tx/Rx */
6183 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6184 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6185 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6186 
6187 	/* wait for pending Tx to complete */
6188 	for (ntries = 0; ntries < 100; ntries++) {
6189 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6190 			DPRINTF("Cannot read Tx queue count\n");
6191 			break;
6192 		}
6193 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6194 			DPRINTF("All Tx cleared\n");
6195 			break;
6196 		}
6197 		run_delay(sc, 10);
6198 	}
6199 	if (ntries >= 100)
6200 		DPRINTF("There are still pending Tx\n");
6201 	run_delay(sc, 10);
6202 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6203 
6204 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6205 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6206 
6207 	for (i = 0; i != RUN_EP_QUEUES; i++)
6208 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6209 }
6210 
6211 static void
6212 run_delay(struct run_softc *sc, u_int ms)
6213 {
6214 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6215 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6216 }
6217 
6218 static device_method_t run_methods[] = {
6219 	/* Device interface */
6220 	DEVMETHOD(device_probe,		run_match),
6221 	DEVMETHOD(device_attach,	run_attach),
6222 	DEVMETHOD(device_detach,	run_detach),
6223 	DEVMETHOD_END
6224 };
6225 
6226 static driver_t run_driver = {
6227 	.name = "run",
6228 	.methods = run_methods,
6229 	.size = sizeof(struct run_softc)
6230 };
6231 
6232 static devclass_t run_devclass;
6233 
6234 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6235 MODULE_DEPEND(run, wlan, 1, 1, 1);
6236 MODULE_DEPEND(run, usb, 1, 1, 1);
6237 MODULE_DEPEND(run, firmware, 1, 1, 1);
6238 MODULE_VERSION(run, 1);
6239 USB_PNP_HOST_INFO(run_devs);
6240