xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 59e2ff550c448126b988150ce800cdf73bb5103e)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RWTUN, &run_debug, 0,
88     "run debug level");
89 #endif
90 
91 #define	IEEE80211_HAS_ADDR4(wh)	IEEE80211_IS_DSTODS(wh)
92 
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98 
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101 #define	RUN_DEV_EJECT(v,p)	\
102 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
103 #define	RUN_EJECT	1
104     RUN_DEV(ABOCOM,		RT2770),
105     RUN_DEV(ABOCOM,		RT2870),
106     RUN_DEV(ABOCOM,		RT3070),
107     RUN_DEV(ABOCOM,		RT3071),
108     RUN_DEV(ABOCOM,		RT3072),
109     RUN_DEV(ABOCOM2,		RT2870_1),
110     RUN_DEV(ACCTON,		RT2770),
111     RUN_DEV(ACCTON,		RT2870_1),
112     RUN_DEV(ACCTON,		RT2870_2),
113     RUN_DEV(ACCTON,		RT2870_3),
114     RUN_DEV(ACCTON,		RT2870_4),
115     RUN_DEV(ACCTON,		RT2870_5),
116     RUN_DEV(ACCTON,		RT3070),
117     RUN_DEV(ACCTON,		RT3070_1),
118     RUN_DEV(ACCTON,		RT3070_2),
119     RUN_DEV(ACCTON,		RT3070_3),
120     RUN_DEV(ACCTON,		RT3070_4),
121     RUN_DEV(ACCTON,		RT3070_5),
122     RUN_DEV(AIRTIES,		RT3070),
123     RUN_DEV(ALLWIN,		RT2070),
124     RUN_DEV(ALLWIN,		RT2770),
125     RUN_DEV(ALLWIN,		RT2870),
126     RUN_DEV(ALLWIN,		RT3070),
127     RUN_DEV(ALLWIN,		RT3071),
128     RUN_DEV(ALLWIN,		RT3072),
129     RUN_DEV(ALLWIN,		RT3572),
130     RUN_DEV(AMIGO,		RT2870_1),
131     RUN_DEV(AMIGO,		RT2870_2),
132     RUN_DEV(AMIT,		CGWLUSB2GNR),
133     RUN_DEV(AMIT,		RT2870_1),
134     RUN_DEV(AMIT2,		RT2870),
135     RUN_DEV(ASUS,		RT2870_1),
136     RUN_DEV(ASUS,		RT2870_2),
137     RUN_DEV(ASUS,		RT2870_3),
138     RUN_DEV(ASUS,		RT2870_4),
139     RUN_DEV(ASUS,		RT2870_5),
140     RUN_DEV(ASUS,		USBN13),
141     RUN_DEV(ASUS,		RT3070_1),
142     RUN_DEV(ASUS,		USBN66),
143     RUN_DEV(ASUS,		USB_N53),
144     RUN_DEV(ASUS2,		USBN11),
145     RUN_DEV(AZUREWAVE,		RT2870_1),
146     RUN_DEV(AZUREWAVE,		RT2870_2),
147     RUN_DEV(AZUREWAVE,		RT3070_1),
148     RUN_DEV(AZUREWAVE,		RT3070_2),
149     RUN_DEV(AZUREWAVE,		RT3070_3),
150     RUN_DEV(BELKIN,		F9L1103),
151     RUN_DEV(BELKIN,		F5D8053V3),
152     RUN_DEV(BELKIN,		F5D8055),
153     RUN_DEV(BELKIN,		F5D8055V2),
154     RUN_DEV(BELKIN,		F6D4050V1),
155     RUN_DEV(BELKIN,		F6D4050V2),
156     RUN_DEV(BELKIN,		RT2870_1),
157     RUN_DEV(BELKIN,		RT2870_2),
158     RUN_DEV(CISCOLINKSYS,	AE1000),
159     RUN_DEV(CISCOLINKSYS2,	RT3070),
160     RUN_DEV(CISCOLINKSYS3,	RT3070),
161     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
164     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
165     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
166     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
167     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
168     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
169     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
170     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
171     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
172     RUN_DEV(COREGA,		CGWLUSB300GNM),
173     RUN_DEV(COREGA,		RT2870_1),
174     RUN_DEV(COREGA,		RT2870_2),
175     RUN_DEV(COREGA,		RT2870_3),
176     RUN_DEV(COREGA,		RT3070),
177     RUN_DEV(CYBERTAN,		RT2870),
178     RUN_DEV(DLINK,		RT2870),
179     RUN_DEV(DLINK,		RT3072),
180     RUN_DEV(DLINK,		DWA127),
181     RUN_DEV(DLINK,		DWA140B3),
182     RUN_DEV(DLINK,		DWA160B2),
183     RUN_DEV(DLINK,		DWA140D1),
184     RUN_DEV(DLINK,		DWA162),
185     RUN_DEV(DLINK2,		DWA130),
186     RUN_DEV(DLINK2,		RT2870_1),
187     RUN_DEV(DLINK2,		RT2870_2),
188     RUN_DEV(DLINK2,		RT3070_1),
189     RUN_DEV(DLINK2,		RT3070_2),
190     RUN_DEV(DLINK2,		RT3070_3),
191     RUN_DEV(DLINK2,		RT3070_4),
192     RUN_DEV(DLINK2,		RT3070_5),
193     RUN_DEV(DLINK2,		RT3072),
194     RUN_DEV(DLINK2,		RT3072_1),
195     RUN_DEV(EDIMAX,		EW7717),
196     RUN_DEV(EDIMAX,		EW7718),
197     RUN_DEV(EDIMAX,		EW7733UND),
198     RUN_DEV(EDIMAX,		RT2870_1),
199     RUN_DEV(ENCORE,		RT3070_1),
200     RUN_DEV(ENCORE,		RT3070_2),
201     RUN_DEV(ENCORE,		RT3070_3),
202     RUN_DEV(GIGABYTE,		GNWB31N),
203     RUN_DEV(GIGABYTE,		GNWB32L),
204     RUN_DEV(GIGABYTE,		RT2870_1),
205     RUN_DEV(GIGASET,		RT3070_1),
206     RUN_DEV(GIGASET,		RT3070_2),
207     RUN_DEV(GUILLEMOT,		HWNU300),
208     RUN_DEV(HAWKING,		HWUN2),
209     RUN_DEV(HAWKING,		RT2870_1),
210     RUN_DEV(HAWKING,		RT2870_2),
211     RUN_DEV(HAWKING,		RT3070),
212     RUN_DEV(IODATA,		RT3072_1),
213     RUN_DEV(IODATA,		RT3072_2),
214     RUN_DEV(IODATA,		RT3072_3),
215     RUN_DEV(IODATA,		RT3072_4),
216     RUN_DEV(LINKSYS4,		RT3070),
217     RUN_DEV(LINKSYS4,		WUSB100),
218     RUN_DEV(LINKSYS4,		WUSB54GCV3),
219     RUN_DEV(LINKSYS4,		WUSB600N),
220     RUN_DEV(LINKSYS4,		WUSB600NV2),
221     RUN_DEV(LOGITEC,		RT2870_1),
222     RUN_DEV(LOGITEC,		RT2870_2),
223     RUN_DEV(LOGITEC,		RT2870_3),
224     RUN_DEV(LOGITEC,		LANW300NU2),
225     RUN_DEV(LOGITEC,		LANW150NU2),
226     RUN_DEV(LOGITEC,		LANW300NU2S),
227     RUN_DEV(MELCO,		WLIUCG300HP),
228     RUN_DEV(MELCO,		RT2870_2),
229     RUN_DEV(MELCO,		WLIUCAG300N),
230     RUN_DEV(MELCO,		WLIUCG300N),
231     RUN_DEV(MELCO,		WLIUCG301N),
232     RUN_DEV(MELCO,		WLIUCGN),
233     RUN_DEV(MELCO,		WLIUCGNM),
234     RUN_DEV(MELCO,		WLIUCG300HPV1),
235     RUN_DEV(MELCO,		WLIUCGNM2),
236     RUN_DEV(MOTOROLA4,		RT2770),
237     RUN_DEV(MOTOROLA4,		RT3070),
238     RUN_DEV(MSI,		RT3070_1),
239     RUN_DEV(MSI,		RT3070_2),
240     RUN_DEV(MSI,		RT3070_3),
241     RUN_DEV(MSI,		RT3070_4),
242     RUN_DEV(MSI,		RT3070_5),
243     RUN_DEV(MSI,		RT3070_6),
244     RUN_DEV(MSI,		RT3070_7),
245     RUN_DEV(MSI,		RT3070_8),
246     RUN_DEV(MSI,		RT3070_9),
247     RUN_DEV(MSI,		RT3070_10),
248     RUN_DEV(MSI,		RT3070_11),
249     RUN_DEV(NETGEAR,		WNDA4100),
250     RUN_DEV(OVISLINK,		RT3072),
251     RUN_DEV(PARA,		RT3070),
252     RUN_DEV(PEGATRON,		RT2870),
253     RUN_DEV(PEGATRON,		RT3070),
254     RUN_DEV(PEGATRON,		RT3070_2),
255     RUN_DEV(PEGATRON,		RT3070_3),
256     RUN_DEV(PHILIPS,		RT2870),
257     RUN_DEV(PLANEX2,		GWUS300MINIS),
258     RUN_DEV(PLANEX2,		GWUSMICRON),
259     RUN_DEV(PLANEX2,		RT2870),
260     RUN_DEV(PLANEX2,		RT3070),
261     RUN_DEV(QCOM,		RT2870),
262     RUN_DEV(QUANTA,		RT3070),
263     RUN_DEV(RALINK,		RT2070),
264     RUN_DEV(RALINK,		RT2770),
265     RUN_DEV(RALINK,		RT2870),
266     RUN_DEV(RALINK,		RT3070),
267     RUN_DEV(RALINK,		RT3071),
268     RUN_DEV(RALINK,		RT3072),
269     RUN_DEV(RALINK,		RT3370),
270     RUN_DEV(RALINK,		RT3572),
271     RUN_DEV(RALINK,		RT3573),
272     RUN_DEV(RALINK,		RT5370),
273     RUN_DEV(RALINK,		RT5572),
274     RUN_DEV(RALINK,		RT8070),
275     RUN_DEV(SAMSUNG,		WIS09ABGN),
276     RUN_DEV(SAMSUNG2,		RT2870_1),
277     RUN_DEV(SENAO,		RT2870_1),
278     RUN_DEV(SENAO,		RT2870_2),
279     RUN_DEV(SENAO,		RT2870_3),
280     RUN_DEV(SENAO,		RT2870_4),
281     RUN_DEV(SENAO,		RT3070),
282     RUN_DEV(SENAO,		RT3071),
283     RUN_DEV(SENAO,		RT3072_1),
284     RUN_DEV(SENAO,		RT3072_2),
285     RUN_DEV(SENAO,		RT3072_3),
286     RUN_DEV(SENAO,		RT3072_4),
287     RUN_DEV(SENAO,		RT3072_5),
288     RUN_DEV(SITECOMEU,		RT2770),
289     RUN_DEV(SITECOMEU,		RT2870_1),
290     RUN_DEV(SITECOMEU,		RT2870_2),
291     RUN_DEV(SITECOMEU,		RT2870_3),
292     RUN_DEV(SITECOMEU,		RT2870_4),
293     RUN_DEV(SITECOMEU,		RT3070),
294     RUN_DEV(SITECOMEU,		RT3070_2),
295     RUN_DEV(SITECOMEU,		RT3070_3),
296     RUN_DEV(SITECOMEU,		RT3070_4),
297     RUN_DEV(SITECOMEU,		RT3071),
298     RUN_DEV(SITECOMEU,		RT3072_1),
299     RUN_DEV(SITECOMEU,		RT3072_2),
300     RUN_DEV(SITECOMEU,		RT3072_3),
301     RUN_DEV(SITECOMEU,		RT3072_4),
302     RUN_DEV(SITECOMEU,		RT3072_5),
303     RUN_DEV(SITECOMEU,		RT3072_6),
304     RUN_DEV(SITECOMEU,		WL608),
305     RUN_DEV(SPARKLAN,		RT2870_1),
306     RUN_DEV(SPARKLAN,		RT3070),
307     RUN_DEV(SWEEX2,		LW153),
308     RUN_DEV(SWEEX2,		LW303),
309     RUN_DEV(SWEEX2,		LW313),
310     RUN_DEV(TOSHIBA,		RT3070),
311     RUN_DEV(UMEDIA,		RT2870_1),
312     RUN_DEV(ZCOM,		RT2870_1),
313     RUN_DEV(ZCOM,		RT2870_2),
314     RUN_DEV(ZINWELL,		RT2870_1),
315     RUN_DEV(ZINWELL,		RT2870_2),
316     RUN_DEV(ZINWELL,		RT3070),
317     RUN_DEV(ZINWELL,		RT3072_1),
318     RUN_DEV(ZINWELL,		RT3072_2),
319     RUN_DEV(ZYXEL,		RT2870_1),
320     RUN_DEV(ZYXEL,		RT2870_2),
321     RUN_DEV(ZYXEL,		RT3070),
322     RUN_DEV_EJECT(ZYXEL,	NWD2705),
323     RUN_DEV_EJECT(RALINK,	RT_STOR),
324 #undef RUN_DEV_EJECT
325 #undef RUN_DEV
326 };
327 
328 static device_probe_t	run_match;
329 static device_attach_t	run_attach;
330 static device_detach_t	run_detach;
331 
332 static usb_callback_t	run_bulk_rx_callback;
333 static usb_callback_t	run_bulk_tx_callback0;
334 static usb_callback_t	run_bulk_tx_callback1;
335 static usb_callback_t	run_bulk_tx_callback2;
336 static usb_callback_t	run_bulk_tx_callback3;
337 static usb_callback_t	run_bulk_tx_callback4;
338 static usb_callback_t	run_bulk_tx_callback5;
339 
340 static void	run_autoinst(void *, struct usb_device *,
341 		    struct usb_attach_arg *);
342 static int	run_driver_loaded(struct module *, int, void *);
343 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
344 		    usb_error_t error, u_int index);
345 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
346 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
347 		    const uint8_t [IEEE80211_ADDR_LEN],
348 		    const uint8_t [IEEE80211_ADDR_LEN]);
349 static void	run_vap_delete(struct ieee80211vap *);
350 static void	run_cmdq_cb(void *, int);
351 static void	run_setup_tx_list(struct run_softc *,
352 		    struct run_endpoint_queue *);
353 static void	run_unsetup_tx_list(struct run_softc *,
354 		    struct run_endpoint_queue *);
355 static int	run_load_microcode(struct run_softc *);
356 static int	run_reset(struct run_softc *);
357 static usb_error_t run_do_request(struct run_softc *,
358 		    struct usb_device_request *, void *);
359 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
360 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
361 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
362 static int	run_write(struct run_softc *, uint16_t, uint32_t);
363 static int	run_write_region_1(struct run_softc *, uint16_t,
364 		    const uint8_t *, int);
365 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
366 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
367 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
368 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
369 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
370 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
371 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
372 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
373 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
374 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
375 static const char *run_get_rf(uint16_t);
376 static void	run_rt3593_get_txpower(struct run_softc *);
377 static void	run_get_txpower(struct run_softc *);
378 static int	run_read_eeprom(struct run_softc *);
379 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
380 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
381 static int	run_media_change(struct ifnet *);
382 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
383 static int	run_wme_update(struct ieee80211com *);
384 static void	run_wme_update_cb(void *);
385 static void	run_key_set_cb(void *);
386 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *);
387 static void	run_key_delete_cb(void *);
388 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
389 static void	run_ratectl_to(void *);
390 static void	run_ratectl_cb(void *, int);
391 static void	run_drain_fifo(void *);
392 static void	run_iter_func(void *, struct ieee80211_node *);
393 static void	run_newassoc_cb(void *);
394 static void	run_newassoc(struct ieee80211_node *, int);
395 static void	run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
396 		    const struct ieee80211_rx_stats *, int, int);
397 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
398 static void	run_tx_free(struct run_endpoint_queue *pq,
399 		    struct run_tx_data *, int);
400 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
401 static int	run_tx(struct run_softc *, struct mbuf *,
402 		    struct ieee80211_node *);
403 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
404 		    struct ieee80211_node *);
405 static int	run_sendprot(struct run_softc *, const struct mbuf *,
406 		    struct ieee80211_node *, int, int);
407 static int	run_tx_param(struct run_softc *, struct mbuf *,
408 		    struct ieee80211_node *,
409 		    const struct ieee80211_bpf_params *);
410 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
411 		    const struct ieee80211_bpf_params *);
412 static int	run_transmit(struct ieee80211com *, struct mbuf *);
413 static void	run_start(struct run_softc *);
414 static void	run_parent(struct ieee80211com *);
415 static void	run_iq_calib(struct run_softc *, u_int);
416 static void	run_set_agc(struct run_softc *, uint8_t);
417 static void	run_select_chan_group(struct run_softc *, int);
418 static void	run_set_rx_antenna(struct run_softc *, int);
419 static void	run_rt2870_set_chan(struct run_softc *, u_int);
420 static void	run_rt3070_set_chan(struct run_softc *, u_int);
421 static void	run_rt3572_set_chan(struct run_softc *, u_int);
422 static void	run_rt3593_set_chan(struct run_softc *, u_int);
423 static void	run_rt5390_set_chan(struct run_softc *, u_int);
424 static void	run_rt5592_set_chan(struct run_softc *, u_int);
425 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
426 static void	run_set_channel(struct ieee80211com *);
427 static void	run_scan_start(struct ieee80211com *);
428 static void	run_scan_end(struct ieee80211com *);
429 static void	run_update_beacon(struct ieee80211vap *, int);
430 static void	run_update_beacon_cb(void *);
431 static void	run_updateprot(struct ieee80211com *);
432 static void	run_updateprot_cb(void *);
433 static void	run_usb_timeout_cb(void *);
434 static void	run_reset_livelock(struct run_softc *);
435 static void	run_enable_tsf_sync(struct run_softc *);
436 static void	run_enable_tsf(struct run_softc *);
437 static void	run_get_tsf(struct run_softc *, uint64_t *);
438 static void	run_enable_mrr(struct run_softc *);
439 static void	run_set_txpreamble(struct run_softc *);
440 static void	run_set_basicrates(struct run_softc *);
441 static void	run_set_leds(struct run_softc *, uint16_t);
442 static void	run_set_bssid(struct run_softc *, const uint8_t *);
443 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
444 static void	run_updateslot(struct ieee80211com *);
445 static void	run_updateslot_cb(void *);
446 static void	run_update_mcast(struct ieee80211com *);
447 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
448 static void	run_update_promisc_locked(struct run_softc *);
449 static void	run_update_promisc(struct ieee80211com *);
450 static void	run_rt5390_bbp_init(struct run_softc *);
451 static int	run_bbp_init(struct run_softc *);
452 static int	run_rt3070_rf_init(struct run_softc *);
453 static void	run_rt3593_rf_init(struct run_softc *);
454 static void	run_rt5390_rf_init(struct run_softc *);
455 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
456 		    uint8_t *);
457 static void	run_rt3070_rf_setup(struct run_softc *);
458 static void	run_rt3593_rf_setup(struct run_softc *);
459 static void	run_rt5390_rf_setup(struct run_softc *);
460 static int	run_txrx_enable(struct run_softc *);
461 static void	run_adjust_freq_offset(struct run_softc *);
462 static void	run_init_locked(struct run_softc *);
463 static void	run_stop(void *);
464 static void	run_delay(struct run_softc *, u_int);
465 
466 static eventhandler_tag run_etag;
467 
468 static const struct rt2860_rate {
469 	uint8_t		rate;
470 	uint8_t		mcs;
471 	enum		ieee80211_phytype phy;
472 	uint8_t		ctl_ridx;
473 	uint16_t	sp_ack_dur;
474 	uint16_t	lp_ack_dur;
475 } rt2860_rates[] = {
476 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
477 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
478 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
479 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
480 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
481 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
482 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
483 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
484 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
485 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
486 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
487 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
488 };
489 
490 static const struct {
491 	uint16_t	reg;
492 	uint32_t	val;
493 } rt2870_def_mac[] = {
494 	RT2870_DEF_MAC
495 };
496 
497 static const struct {
498 	uint8_t	reg;
499 	uint8_t	val;
500 } rt2860_def_bbp[] = {
501 	RT2860_DEF_BBP
502 },rt5390_def_bbp[] = {
503 	RT5390_DEF_BBP
504 },rt5592_def_bbp[] = {
505 	RT5592_DEF_BBP
506 };
507 
508 /*
509  * Default values for BBP register R196 for RT5592.
510  */
511 static const uint8_t rt5592_bbp_r196[] = {
512 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
513 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
514 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
515 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
516 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
517 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
518 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
519 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
520 	0x2e, 0x36, 0x30, 0x6e
521 };
522 
523 static const struct rfprog {
524 	uint8_t		chan;
525 	uint32_t	r1, r2, r3, r4;
526 } rt2860_rf2850[] = {
527 	RT2860_RF2850
528 };
529 
530 struct {
531 	uint8_t	n, r, k;
532 } rt3070_freqs[] = {
533 	RT3070_RF3052
534 };
535 
536 static const struct rt5592_freqs {
537 	uint16_t	n;
538 	uint8_t		k, m, r;
539 } rt5592_freqs_20mhz[] = {
540 	RT5592_RF5592_20MHZ
541 },rt5592_freqs_40mhz[] = {
542 	RT5592_RF5592_40MHZ
543 };
544 
545 static const struct {
546 	uint8_t	reg;
547 	uint8_t	val;
548 } rt3070_def_rf[] = {
549 	RT3070_DEF_RF
550 },rt3572_def_rf[] = {
551 	RT3572_DEF_RF
552 },rt3593_def_rf[] = {
553 	RT3593_DEF_RF
554 },rt5390_def_rf[] = {
555 	RT5390_DEF_RF
556 },rt5392_def_rf[] = {
557 	RT5392_DEF_RF
558 },rt5592_def_rf[] = {
559 	RT5592_DEF_RF
560 },rt5592_2ghz_def_rf[] = {
561 	RT5592_2GHZ_DEF_RF
562 },rt5592_5ghz_def_rf[] = {
563 	RT5592_5GHZ_DEF_RF
564 };
565 
566 static const struct {
567 	u_int	firstchan;
568 	u_int	lastchan;
569 	uint8_t	reg;
570 	uint8_t	val;
571 } rt5592_chan_5ghz[] = {
572 	RT5592_CHAN_5GHZ
573 };
574 
575 static const struct usb_config run_config[RUN_N_XFER] = {
576     [RUN_BULK_TX_BE] = {
577 	.type = UE_BULK,
578 	.endpoint = UE_ADDR_ANY,
579 	.ep_index = 0,
580 	.direction = UE_DIR_OUT,
581 	.bufsize = RUN_MAX_TXSZ,
582 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
583 	.callback = run_bulk_tx_callback0,
584 	.timeout = 5000,	/* ms */
585     },
586     [RUN_BULK_TX_BK] = {
587 	.type = UE_BULK,
588 	.endpoint = UE_ADDR_ANY,
589 	.direction = UE_DIR_OUT,
590 	.ep_index = 1,
591 	.bufsize = RUN_MAX_TXSZ,
592 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
593 	.callback = run_bulk_tx_callback1,
594 	.timeout = 5000,	/* ms */
595     },
596     [RUN_BULK_TX_VI] = {
597 	.type = UE_BULK,
598 	.endpoint = UE_ADDR_ANY,
599 	.direction = UE_DIR_OUT,
600 	.ep_index = 2,
601 	.bufsize = RUN_MAX_TXSZ,
602 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
603 	.callback = run_bulk_tx_callback2,
604 	.timeout = 5000,	/* ms */
605     },
606     [RUN_BULK_TX_VO] = {
607 	.type = UE_BULK,
608 	.endpoint = UE_ADDR_ANY,
609 	.direction = UE_DIR_OUT,
610 	.ep_index = 3,
611 	.bufsize = RUN_MAX_TXSZ,
612 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
613 	.callback = run_bulk_tx_callback3,
614 	.timeout = 5000,	/* ms */
615     },
616     [RUN_BULK_TX_HCCA] = {
617 	.type = UE_BULK,
618 	.endpoint = UE_ADDR_ANY,
619 	.direction = UE_DIR_OUT,
620 	.ep_index = 4,
621 	.bufsize = RUN_MAX_TXSZ,
622 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
623 	.callback = run_bulk_tx_callback4,
624 	.timeout = 5000,	/* ms */
625     },
626     [RUN_BULK_TX_PRIO] = {
627 	.type = UE_BULK,
628 	.endpoint = UE_ADDR_ANY,
629 	.direction = UE_DIR_OUT,
630 	.ep_index = 5,
631 	.bufsize = RUN_MAX_TXSZ,
632 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
633 	.callback = run_bulk_tx_callback5,
634 	.timeout = 5000,	/* ms */
635     },
636     [RUN_BULK_RX] = {
637 	.type = UE_BULK,
638 	.endpoint = UE_ADDR_ANY,
639 	.direction = UE_DIR_IN,
640 	.bufsize = RUN_MAX_RXSZ,
641 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
642 	.callback = run_bulk_rx_callback,
643     }
644 };
645 
646 static void
647 run_autoinst(void *arg, struct usb_device *udev,
648     struct usb_attach_arg *uaa)
649 {
650 	struct usb_interface *iface;
651 	struct usb_interface_descriptor *id;
652 
653 	if (uaa->dev_state != UAA_DEV_READY)
654 		return;
655 
656 	iface = usbd_get_iface(udev, 0);
657 	if (iface == NULL)
658 		return;
659 	id = iface->idesc;
660 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
661 		return;
662 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
663 		return;
664 
665 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
666 		uaa->dev_state = UAA_DEV_EJECTING;
667 }
668 
669 static int
670 run_driver_loaded(struct module *mod, int what, void *arg)
671 {
672 	switch (what) {
673 	case MOD_LOAD:
674 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
675 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
676 		break;
677 	case MOD_UNLOAD:
678 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
679 		break;
680 	default:
681 		return (EOPNOTSUPP);
682 	}
683 	return (0);
684 }
685 
686 static int
687 run_match(device_t self)
688 {
689 	struct usb_attach_arg *uaa = device_get_ivars(self);
690 
691 	if (uaa->usb_mode != USB_MODE_HOST)
692 		return (ENXIO);
693 	if (uaa->info.bConfigIndex != 0)
694 		return (ENXIO);
695 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
696 		return (ENXIO);
697 
698 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
699 }
700 
701 static int
702 run_attach(device_t self)
703 {
704 	struct run_softc *sc = device_get_softc(self);
705 	struct usb_attach_arg *uaa = device_get_ivars(self);
706 	struct ieee80211com *ic = &sc->sc_ic;
707 	uint32_t ver;
708 	int ntries, error;
709 	uint8_t iface_index, bands;
710 
711 	device_set_usb_desc(self);
712 	sc->sc_udev = uaa->device;
713 	sc->sc_dev = self;
714 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
715 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
716 
717 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
718 	    MTX_NETWORK_LOCK, MTX_DEF);
719 	mbufq_init(&sc->sc_snd, ifqmaxlen);
720 
721 	iface_index = RT2860_IFACE_INDEX;
722 
723 	error = usbd_transfer_setup(uaa->device, &iface_index,
724 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
725 	if (error) {
726 		device_printf(self, "could not allocate USB transfers, "
727 		    "err=%s\n", usbd_errstr(error));
728 		goto detach;
729 	}
730 
731 	RUN_LOCK(sc);
732 
733 	/* wait for the chip to settle */
734 	for (ntries = 0; ntries < 100; ntries++) {
735 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
736 			RUN_UNLOCK(sc);
737 			goto detach;
738 		}
739 		if (ver != 0 && ver != 0xffffffff)
740 			break;
741 		run_delay(sc, 10);
742 	}
743 	if (ntries == 100) {
744 		device_printf(sc->sc_dev,
745 		    "timeout waiting for NIC to initialize\n");
746 		RUN_UNLOCK(sc);
747 		goto detach;
748 	}
749 	sc->mac_ver = ver >> 16;
750 	sc->mac_rev = ver & 0xffff;
751 
752 	/* retrieve RF rev. no and various other things from EEPROM */
753 	run_read_eeprom(sc);
754 
755 	device_printf(sc->sc_dev,
756 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
757 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
758 	    sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
759 
760 	RUN_UNLOCK(sc);
761 
762 	ic->ic_softc = sc;
763 	ic->ic_name = device_get_nameunit(self);
764 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
765 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
766 
767 	/* set device capabilities */
768 	ic->ic_caps =
769 	    IEEE80211_C_STA |		/* station mode supported */
770 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
771 	    IEEE80211_C_IBSS |
772 	    IEEE80211_C_HOSTAP |
773 	    IEEE80211_C_WDS |		/* 4-address traffic works */
774 	    IEEE80211_C_MBSS |
775 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
776 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
777 	    IEEE80211_C_WME |		/* WME */
778 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
779 
780 	ic->ic_cryptocaps =
781 	    IEEE80211_CRYPTO_WEP |
782 	    IEEE80211_CRYPTO_AES_CCM |
783 	    IEEE80211_CRYPTO_TKIPMIC |
784 	    IEEE80211_CRYPTO_TKIP;
785 
786 	ic->ic_flags |= IEEE80211_F_DATAPAD;
787 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
788 
789 	bands = 0;
790 	setbit(&bands, IEEE80211_MODE_11B);
791 	setbit(&bands, IEEE80211_MODE_11G);
792 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
793 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
794 	    sc->rf_rev == RT5592_RF_5592)
795 		setbit(&bands, IEEE80211_MODE_11A);
796 	ieee80211_init_channels(ic, NULL, &bands);
797 
798 	ieee80211_ifattach(ic);
799 
800 	ic->ic_scan_start = run_scan_start;
801 	ic->ic_scan_end = run_scan_end;
802 	ic->ic_set_channel = run_set_channel;
803 	ic->ic_node_alloc = run_node_alloc;
804 	ic->ic_newassoc = run_newassoc;
805 	ic->ic_updateslot = run_updateslot;
806 	ic->ic_update_mcast = run_update_mcast;
807 	ic->ic_wme.wme_update = run_wme_update;
808 	ic->ic_raw_xmit = run_raw_xmit;
809 	ic->ic_update_promisc = run_update_promisc;
810 	ic->ic_vap_create = run_vap_create;
811 	ic->ic_vap_delete = run_vap_delete;
812 	ic->ic_transmit = run_transmit;
813 	ic->ic_parent = run_parent;
814 
815 	ieee80211_radiotap_attach(ic,
816 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
817 		RUN_TX_RADIOTAP_PRESENT,
818 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
819 		RUN_RX_RADIOTAP_PRESENT);
820 
821 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
822 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
823 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
824 
825 	if (bootverbose)
826 		ieee80211_announce(ic);
827 
828 	return (0);
829 
830 detach:
831 	run_detach(self);
832 	return (ENXIO);
833 }
834 
835 static void
836 run_drain_mbufq(struct run_softc *sc)
837 {
838 	struct mbuf *m;
839 	struct ieee80211_node *ni;
840 
841 	RUN_LOCK_ASSERT(sc, MA_OWNED);
842 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
843 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
844 		m->m_pkthdr.rcvif = NULL;
845 		ieee80211_free_node(ni);
846 		m_freem(m);
847 	}
848 }
849 
850 static int
851 run_detach(device_t self)
852 {
853 	struct run_softc *sc = device_get_softc(self);
854 	struct ieee80211com *ic = &sc->sc_ic;
855 	int i;
856 
857 	RUN_LOCK(sc);
858 	sc->sc_detached = 1;
859 	RUN_UNLOCK(sc);
860 
861 	/* stop all USB transfers */
862 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
863 
864 	RUN_LOCK(sc);
865 	sc->ratectl_run = RUN_RATECTL_OFF;
866 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
867 
868 	/* free TX list, if any */
869 	for (i = 0; i != RUN_EP_QUEUES; i++)
870 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
871 
872 	/* Free TX queue */
873 	run_drain_mbufq(sc);
874 	RUN_UNLOCK(sc);
875 
876 	if (sc->sc_ic.ic_softc == sc) {
877 		/* drain tasks */
878 		usb_callout_drain(&sc->ratectl_ch);
879 		ieee80211_draintask(ic, &sc->cmdq_task);
880 		ieee80211_draintask(ic, &sc->ratectl_task);
881 		ieee80211_ifdetach(ic);
882 	}
883 
884 	mtx_destroy(&sc->sc_mtx);
885 
886 	return (0);
887 }
888 
889 static struct ieee80211vap *
890 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
891     enum ieee80211_opmode opmode, int flags,
892     const uint8_t bssid[IEEE80211_ADDR_LEN],
893     const uint8_t mac[IEEE80211_ADDR_LEN])
894 {
895 	struct run_softc *sc = ic->ic_softc;
896 	struct run_vap *rvp;
897 	struct ieee80211vap *vap;
898 	int i;
899 
900 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
901 		device_printf(sc->sc_dev, "number of VAPs maxed out\n");
902 		return (NULL);
903 	}
904 
905 	switch (opmode) {
906 	case IEEE80211_M_STA:
907 		/* enable s/w bmiss handling for sta mode */
908 		flags |= IEEE80211_CLONE_NOBEACONS;
909 		/* fall though */
910 	case IEEE80211_M_IBSS:
911 	case IEEE80211_M_MONITOR:
912 	case IEEE80211_M_HOSTAP:
913 	case IEEE80211_M_MBSS:
914 		/* other than WDS vaps, only one at a time */
915 		if (!TAILQ_EMPTY(&ic->ic_vaps))
916 			return (NULL);
917 		break;
918 	case IEEE80211_M_WDS:
919 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
920 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
921 				continue;
922 			/* WDS vap's always share the local mac address. */
923 			flags &= ~IEEE80211_CLONE_BSSID;
924 			break;
925 		}
926 		if (vap == NULL) {
927 			device_printf(sc->sc_dev,
928 			    "wds only supported in ap mode\n");
929 			return (NULL);
930 		}
931 		break;
932 	default:
933 		device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
934 		return (NULL);
935 	}
936 
937 	rvp = malloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
938 	vap = &rvp->vap;
939 
940 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
941 	    bssid) != 0) {
942 		/* out of memory */
943 		free(rvp, M_80211_VAP);
944 		return (NULL);
945 	}
946 
947 	vap->iv_update_beacon = run_update_beacon;
948 	vap->iv_max_aid = RT2870_WCID_MAX;
949 	/*
950 	 * To delete the right key from h/w, we need wcid.
951 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
952 	 * and matching wcid will be written into there. So, cast
953 	 * some spells to remove 'const' from ieee80211_key{}
954 	 */
955 	vap->iv_key_delete = (void *)run_key_delete;
956 	vap->iv_key_set = (void *)run_key_set;
957 
958 	/* override state transition machine */
959 	rvp->newstate = vap->iv_newstate;
960 	vap->iv_newstate = run_newstate;
961 	if (opmode == IEEE80211_M_IBSS) {
962 		rvp->recv_mgmt = vap->iv_recv_mgmt;
963 		vap->iv_recv_mgmt = run_recv_mgmt;
964 	}
965 
966 	ieee80211_ratectl_init(vap);
967 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
968 
969 	/* complete setup */
970 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
971 	    mac);
972 
973 	/* make sure id is always unique */
974 	for (i = 0; i < RUN_VAP_MAX; i++) {
975 		if((sc->rvp_bmap & 1 << i) == 0){
976 			sc->rvp_bmap |= 1 << i;
977 			rvp->rvp_id = i;
978 			break;
979 		}
980 	}
981 	if (sc->rvp_cnt++ == 0)
982 		ic->ic_opmode = opmode;
983 
984 	if (opmode == IEEE80211_M_HOSTAP)
985 		sc->cmdq_run = RUN_CMDQ_GO;
986 
987 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
988 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
989 
990 	return (vap);
991 }
992 
993 static void
994 run_vap_delete(struct ieee80211vap *vap)
995 {
996 	struct run_vap *rvp = RUN_VAP(vap);
997 	struct ieee80211com *ic;
998 	struct run_softc *sc;
999 	uint8_t rvp_id;
1000 
1001 	if (vap == NULL)
1002 		return;
1003 
1004 	ic = vap->iv_ic;
1005 	sc = ic->ic_softc;
1006 
1007 	RUN_LOCK(sc);
1008 
1009 	m_freem(rvp->beacon_mbuf);
1010 	rvp->beacon_mbuf = NULL;
1011 
1012 	rvp_id = rvp->rvp_id;
1013 	sc->ratectl_run &= ~(1 << rvp_id);
1014 	sc->rvp_bmap &= ~(1 << rvp_id);
1015 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1016 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1017 	--sc->rvp_cnt;
1018 
1019 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1020 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1021 
1022 	RUN_UNLOCK(sc);
1023 
1024 	ieee80211_ratectl_deinit(vap);
1025 	ieee80211_vap_detach(vap);
1026 	free(rvp, M_80211_VAP);
1027 }
1028 
1029 /*
1030  * There are numbers of functions need to be called in context thread.
1031  * Rather than creating taskqueue event for each of those functions,
1032  * here is all-for-one taskqueue callback function. This function
1033  * gurantees deferred functions are executed in the same order they
1034  * were enqueued.
1035  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1036  */
1037 static void
1038 run_cmdq_cb(void *arg, int pending)
1039 {
1040 	struct run_softc *sc = arg;
1041 	uint8_t i;
1042 
1043 	/* call cmdq[].func locked */
1044 	RUN_LOCK(sc);
1045 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1046 	    i = sc->cmdq_exec, pending--) {
1047 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1048 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1049 			/*
1050 			 * If arg0 is NULL, callback func needs more
1051 			 * than one arg. So, pass ptr to cmdq struct.
1052 			 */
1053 			if (sc->cmdq[i].arg0)
1054 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1055 			else
1056 				sc->cmdq[i].func(&sc->cmdq[i]);
1057 		}
1058 		sc->cmdq[i].arg0 = NULL;
1059 		sc->cmdq[i].func = NULL;
1060 		sc->cmdq_exec++;
1061 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1062 	}
1063 	RUN_UNLOCK(sc);
1064 }
1065 
1066 static void
1067 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1068 {
1069 	struct run_tx_data *data;
1070 
1071 	memset(pq, 0, sizeof(*pq));
1072 
1073 	STAILQ_INIT(&pq->tx_qh);
1074 	STAILQ_INIT(&pq->tx_fh);
1075 
1076 	for (data = &pq->tx_data[0];
1077 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1078 		data->sc = sc;
1079 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1080 	}
1081 	pq->tx_nfree = RUN_TX_RING_COUNT;
1082 }
1083 
1084 static void
1085 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1086 {
1087 	struct run_tx_data *data;
1088 
1089 	/* make sure any subsequent use of the queues will fail */
1090 	pq->tx_nfree = 0;
1091 	STAILQ_INIT(&pq->tx_fh);
1092 	STAILQ_INIT(&pq->tx_qh);
1093 
1094 	/* free up all node references and mbufs */
1095 	for (data = &pq->tx_data[0];
1096 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1097 		if (data->m != NULL) {
1098 			m_freem(data->m);
1099 			data->m = NULL;
1100 		}
1101 		if (data->ni != NULL) {
1102 			ieee80211_free_node(data->ni);
1103 			data->ni = NULL;
1104 		}
1105 	}
1106 }
1107 
1108 static int
1109 run_load_microcode(struct run_softc *sc)
1110 {
1111 	usb_device_request_t req;
1112 	const struct firmware *fw;
1113 	const u_char *base;
1114 	uint32_t tmp;
1115 	int ntries, error;
1116 	const uint64_t *temp;
1117 	uint64_t bytes;
1118 
1119 	RUN_UNLOCK(sc);
1120 	fw = firmware_get("runfw");
1121 	RUN_LOCK(sc);
1122 	if (fw == NULL) {
1123 		device_printf(sc->sc_dev,
1124 		    "failed loadfirmware of file %s\n", "runfw");
1125 		return ENOENT;
1126 	}
1127 
1128 	if (fw->datasize != 8192) {
1129 		device_printf(sc->sc_dev,
1130 		    "invalid firmware size (should be 8KB)\n");
1131 		error = EINVAL;
1132 		goto fail;
1133 	}
1134 
1135 	/*
1136 	 * RT3071/RT3072 use a different firmware
1137 	 * run-rt2870 (8KB) contains both,
1138 	 * first half (4KB) is for rt2870,
1139 	 * last half is for rt3071.
1140 	 */
1141 	base = fw->data;
1142 	if ((sc->mac_ver) != 0x2860 &&
1143 	    (sc->mac_ver) != 0x2872 &&
1144 	    (sc->mac_ver) != 0x3070) {
1145 		base += 4096;
1146 	}
1147 
1148 	/* cheap sanity check */
1149 	temp = fw->data;
1150 	bytes = *temp;
1151 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1152 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1153 		error = EINVAL;
1154 		goto fail;
1155 	}
1156 
1157 	/* write microcode image */
1158 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1159 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1160 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1161 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1162 	}
1163 
1164 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1165 	req.bRequest = RT2870_RESET;
1166 	USETW(req.wValue, 8);
1167 	USETW(req.wIndex, 0);
1168 	USETW(req.wLength, 0);
1169 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1170 	    != 0) {
1171 		device_printf(sc->sc_dev, "firmware reset failed\n");
1172 		goto fail;
1173 	}
1174 
1175 	run_delay(sc, 10);
1176 
1177 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1178 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1179 	run_write(sc, RT2860_H2M_INTSRC, 0);
1180 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1181 		goto fail;
1182 
1183 	/* wait until microcontroller is ready */
1184 	for (ntries = 0; ntries < 1000; ntries++) {
1185 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1186 			goto fail;
1187 		if (tmp & RT2860_MCU_READY)
1188 			break;
1189 		run_delay(sc, 10);
1190 	}
1191 	if (ntries == 1000) {
1192 		device_printf(sc->sc_dev,
1193 		    "timeout waiting for MCU to initialize\n");
1194 		error = ETIMEDOUT;
1195 		goto fail;
1196 	}
1197 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1198 	    (base == fw->data) ? "RT2870" : "RT3071",
1199 	    *(base + 4092), *(base + 4093));
1200 
1201 fail:
1202 	firmware_put(fw, FIRMWARE_UNLOAD);
1203 	return (error);
1204 }
1205 
1206 static int
1207 run_reset(struct run_softc *sc)
1208 {
1209 	usb_device_request_t req;
1210 
1211 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1212 	req.bRequest = RT2870_RESET;
1213 	USETW(req.wValue, 1);
1214 	USETW(req.wIndex, 0);
1215 	USETW(req.wLength, 0);
1216 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1217 }
1218 
1219 static usb_error_t
1220 run_do_request(struct run_softc *sc,
1221     struct usb_device_request *req, void *data)
1222 {
1223 	usb_error_t err;
1224 	int ntries = 10;
1225 
1226 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1227 
1228 	while (ntries--) {
1229 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1230 		    req, data, 0, NULL, 250 /* ms */);
1231 		if (err == 0)
1232 			break;
1233 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1234 		    usbd_errstr(err));
1235 		run_delay(sc, 10);
1236 	}
1237 	return (err);
1238 }
1239 
1240 static int
1241 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1242 {
1243 	uint32_t tmp;
1244 	int error;
1245 
1246 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1247 	if (error == 0)
1248 		*val = le32toh(tmp);
1249 	else
1250 		*val = 0xffffffff;
1251 	return (error);
1252 }
1253 
1254 static int
1255 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1256 {
1257 	usb_device_request_t req;
1258 
1259 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1260 	req.bRequest = RT2870_READ_REGION_1;
1261 	USETW(req.wValue, 0);
1262 	USETW(req.wIndex, reg);
1263 	USETW(req.wLength, len);
1264 
1265 	return (run_do_request(sc, &req, buf));
1266 }
1267 
1268 static int
1269 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1270 {
1271 	usb_device_request_t req;
1272 
1273 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1274 	req.bRequest = RT2870_WRITE_2;
1275 	USETW(req.wValue, val);
1276 	USETW(req.wIndex, reg);
1277 	USETW(req.wLength, 0);
1278 
1279 	return (run_do_request(sc, &req, NULL));
1280 }
1281 
1282 static int
1283 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1284 {
1285 	int error;
1286 
1287 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1288 		error = run_write_2(sc, reg + 2, val >> 16);
1289 	return (error);
1290 }
1291 
1292 static int
1293 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1294     int len)
1295 {
1296 #if 1
1297 	int i, error = 0;
1298 	/*
1299 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1300 	 * We thus issue multiple WRITE_2 commands instead.
1301 	 */
1302 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1303 	for (i = 0; i < len && error == 0; i += 2)
1304 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1305 	return (error);
1306 #else
1307 	usb_device_request_t req;
1308 	int error = 0;
1309 
1310 	/*
1311 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1312 	 * passed a huge amount of data, which will crash the
1313 	 * firmware. Limit amount of data passed to 64-bytes at a
1314 	 * time.
1315 	 */
1316 	while (len > 0) {
1317 		int delta = 64;
1318 		if (delta > len)
1319 			delta = len;
1320 
1321 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1322 		req.bRequest = RT2870_WRITE_REGION_1;
1323 		USETW(req.wValue, 0);
1324 		USETW(req.wIndex, reg);
1325 		USETW(req.wLength, delta);
1326 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1327 		if (error != 0)
1328 			break;
1329 		reg += delta;
1330 		buf += delta;
1331 		len -= delta;
1332 	}
1333 	return (error);
1334 #endif
1335 }
1336 
1337 static int
1338 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1339 {
1340 	int i, error = 0;
1341 
1342 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1343 	for (i = 0; i < len && error == 0; i += 4)
1344 		error = run_write(sc, reg + i, val);
1345 	return (error);
1346 }
1347 
1348 static int
1349 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1350 {
1351 	uint32_t tmp;
1352 	uint16_t reg;
1353 	int error, ntries;
1354 
1355 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1356 		return (error);
1357 
1358 	if (count == 2)
1359 		addr *= 2;
1360 	/*-
1361 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1362 	 * DATA0: F E D C
1363 	 * DATA1: B A 9 8
1364 	 * DATA2: 7 6 5 4
1365 	 * DATA3: 3 2 1 0
1366 	 */
1367 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1368 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1369 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1370 	for (ntries = 0; ntries < 100; ntries++) {
1371 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1372 			return (error);
1373 		if (!(tmp & RT3070_EFSROM_KICK))
1374 			break;
1375 		run_delay(sc, 2);
1376 	}
1377 	if (ntries == 100)
1378 		return (ETIMEDOUT);
1379 
1380 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1381 		*val = 0xffff;	/* address not found */
1382 		return (0);
1383 	}
1384 	/* determine to which 32-bit register our 16-bit word belongs */
1385 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1386 	if ((error = run_read(sc, reg, &tmp)) != 0)
1387 		return (error);
1388 
1389 	tmp >>= (8 * (addr & 0x3));
1390 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1391 
1392 	return (0);
1393 }
1394 
1395 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1396 static int
1397 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1398 {
1399 	return (run_efuse_read(sc, addr, val, 2));
1400 }
1401 
1402 static int
1403 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1404 {
1405 	usb_device_request_t req;
1406 	uint16_t tmp;
1407 	int error;
1408 
1409 	addr *= 2;
1410 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1411 	req.bRequest = RT2870_EEPROM_READ;
1412 	USETW(req.wValue, 0);
1413 	USETW(req.wIndex, addr);
1414 	USETW(req.wLength, sizeof(tmp));
1415 
1416 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1417 	if (error == 0)
1418 		*val = le16toh(tmp);
1419 	else
1420 		*val = 0xffff;
1421 	return (error);
1422 }
1423 
1424 static __inline int
1425 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1426 {
1427 	/* either eFUSE ROM or EEPROM */
1428 	return sc->sc_srom_read(sc, addr, val);
1429 }
1430 
1431 static int
1432 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1433 {
1434 	uint32_t tmp;
1435 	int error, ntries;
1436 
1437 	for (ntries = 0; ntries < 10; ntries++) {
1438 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1439 			return (error);
1440 		if (!(tmp & RT2860_RF_REG_CTRL))
1441 			break;
1442 	}
1443 	if (ntries == 10)
1444 		return (ETIMEDOUT);
1445 
1446 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1447 }
1448 
1449 static int
1450 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1451 {
1452 	uint32_t tmp;
1453 	int error, ntries;
1454 
1455 	for (ntries = 0; ntries < 100; ntries++) {
1456 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1457 			return (error);
1458 		if (!(tmp & RT3070_RF_KICK))
1459 			break;
1460 	}
1461 	if (ntries == 100)
1462 		return (ETIMEDOUT);
1463 
1464 	tmp = RT3070_RF_KICK | reg << 8;
1465 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1466 		return (error);
1467 
1468 	for (ntries = 0; ntries < 100; ntries++) {
1469 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1470 			return (error);
1471 		if (!(tmp & RT3070_RF_KICK))
1472 			break;
1473 	}
1474 	if (ntries == 100)
1475 		return (ETIMEDOUT);
1476 
1477 	*val = tmp & 0xff;
1478 	return (0);
1479 }
1480 
1481 static int
1482 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1483 {
1484 	uint32_t tmp;
1485 	int error, ntries;
1486 
1487 	for (ntries = 0; ntries < 10; ntries++) {
1488 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1489 			return (error);
1490 		if (!(tmp & RT3070_RF_KICK))
1491 			break;
1492 	}
1493 	if (ntries == 10)
1494 		return (ETIMEDOUT);
1495 
1496 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1497 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1498 }
1499 
1500 static int
1501 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1502 {
1503 	uint32_t tmp;
1504 	int ntries, error;
1505 
1506 	for (ntries = 0; ntries < 10; ntries++) {
1507 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1508 			return (error);
1509 		if (!(tmp & RT2860_BBP_CSR_KICK))
1510 			break;
1511 	}
1512 	if (ntries == 10)
1513 		return (ETIMEDOUT);
1514 
1515 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1516 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1517 		return (error);
1518 
1519 	for (ntries = 0; ntries < 10; ntries++) {
1520 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1521 			return (error);
1522 		if (!(tmp & RT2860_BBP_CSR_KICK))
1523 			break;
1524 	}
1525 	if (ntries == 10)
1526 		return (ETIMEDOUT);
1527 
1528 	*val = tmp & 0xff;
1529 	return (0);
1530 }
1531 
1532 static int
1533 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1534 {
1535 	uint32_t tmp;
1536 	int ntries, error;
1537 
1538 	for (ntries = 0; ntries < 10; ntries++) {
1539 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1540 			return (error);
1541 		if (!(tmp & RT2860_BBP_CSR_KICK))
1542 			break;
1543 	}
1544 	if (ntries == 10)
1545 		return (ETIMEDOUT);
1546 
1547 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1548 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1549 }
1550 
1551 /*
1552  * Send a command to the 8051 microcontroller unit.
1553  */
1554 static int
1555 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1556 {
1557 	uint32_t tmp;
1558 	int error, ntries;
1559 
1560 	for (ntries = 0; ntries < 100; ntries++) {
1561 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1562 			return error;
1563 		if (!(tmp & RT2860_H2M_BUSY))
1564 			break;
1565 	}
1566 	if (ntries == 100)
1567 		return ETIMEDOUT;
1568 
1569 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1570 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1571 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1572 	return (error);
1573 }
1574 
1575 /*
1576  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1577  * Used to adjust per-rate Tx power registers.
1578  */
1579 static __inline uint32_t
1580 b4inc(uint32_t b32, int8_t delta)
1581 {
1582 	int8_t i, b4;
1583 
1584 	for (i = 0; i < 8; i++) {
1585 		b4 = b32 & 0xf;
1586 		b4 += delta;
1587 		if (b4 < 0)
1588 			b4 = 0;
1589 		else if (b4 > 0xf)
1590 			b4 = 0xf;
1591 		b32 = b32 >> 4 | b4 << 28;
1592 	}
1593 	return (b32);
1594 }
1595 
1596 static const char *
1597 run_get_rf(uint16_t rev)
1598 {
1599 	switch (rev) {
1600 	case RT2860_RF_2820:	return "RT2820";
1601 	case RT2860_RF_2850:	return "RT2850";
1602 	case RT2860_RF_2720:	return "RT2720";
1603 	case RT2860_RF_2750:	return "RT2750";
1604 	case RT3070_RF_3020:	return "RT3020";
1605 	case RT3070_RF_2020:	return "RT2020";
1606 	case RT3070_RF_3021:	return "RT3021";
1607 	case RT3070_RF_3022:	return "RT3022";
1608 	case RT3070_RF_3052:	return "RT3052";
1609 	case RT3593_RF_3053:	return "RT3053";
1610 	case RT5592_RF_5592:	return "RT5592";
1611 	case RT5390_RF_5370:	return "RT5370";
1612 	case RT5390_RF_5372:	return "RT5372";
1613 	}
1614 	return ("unknown");
1615 }
1616 
1617 static void
1618 run_rt3593_get_txpower(struct run_softc *sc)
1619 {
1620 	uint16_t addr, val;
1621 	int i;
1622 
1623 	/* Read power settings for 2GHz channels. */
1624 	for (i = 0; i < 14; i += 2) {
1625 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1626 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1627 		run_srom_read(sc, addr + i / 2, &val);
1628 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1629 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1630 
1631 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1632 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1633 		run_srom_read(sc, addr + i / 2, &val);
1634 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1635 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1636 
1637 		if (sc->ntxchains == 3) {
1638 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1639 			    &val);
1640 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1641 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1642 		}
1643 	}
1644 	/* Fix broken Tx power entries. */
1645 	for (i = 0; i < 14; i++) {
1646 		if (sc->txpow1[i] > 31)
1647 			sc->txpow1[i] = 5;
1648 		if (sc->txpow2[i] > 31)
1649 			sc->txpow2[i] = 5;
1650 		if (sc->ntxchains == 3) {
1651 			if (sc->txpow3[i] > 31)
1652 				sc->txpow3[i] = 5;
1653 		}
1654 	}
1655 	/* Read power settings for 5GHz channels. */
1656 	for (i = 0; i < 40; i += 2) {
1657 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1658 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1659 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1660 
1661 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1662 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1663 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1664 
1665 		if (sc->ntxchains == 3) {
1666 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1667 			    &val);
1668 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1669 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1670 		}
1671 	}
1672 }
1673 
1674 static void
1675 run_get_txpower(struct run_softc *sc)
1676 {
1677 	uint16_t val;
1678 	int i;
1679 
1680 	/* Read power settings for 2GHz channels. */
1681 	for (i = 0; i < 14; i += 2) {
1682 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1683 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1684 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1685 
1686 		if (sc->mac_ver != 0x5390) {
1687 			run_srom_read(sc,
1688 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1689 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1690 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1691 		}
1692 	}
1693 	/* Fix broken Tx power entries. */
1694 	for (i = 0; i < 14; i++) {
1695 		if (sc->mac_ver >= 0x5390) {
1696 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1697 				sc->txpow1[i] = 5;
1698 		} else {
1699 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1700 				sc->txpow1[i] = 5;
1701 		}
1702 		if (sc->mac_ver > 0x5390) {
1703 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1704 				sc->txpow2[i] = 5;
1705 		} else if (sc->mac_ver < 0x5390) {
1706 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1707 				sc->txpow2[i] = 5;
1708 		}
1709 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1710 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1711 	}
1712 	/* Read power settings for 5GHz channels. */
1713 	for (i = 0; i < 40; i += 2) {
1714 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1715 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1716 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1717 
1718 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1719 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1720 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1721 	}
1722 	/* Fix broken Tx power entries. */
1723 	for (i = 0; i < 40; i++ ) {
1724 		if (sc->mac_ver != 0x5592) {
1725 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1726 				sc->txpow1[14 + i] = 5;
1727 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1728 				sc->txpow2[14 + i] = 5;
1729 		}
1730 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1731 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1732 		    sc->txpow2[14 + i]);
1733 	}
1734 }
1735 
1736 static int
1737 run_read_eeprom(struct run_softc *sc)
1738 {
1739 	struct ieee80211com *ic = &sc->sc_ic;
1740 	int8_t delta_2ghz, delta_5ghz;
1741 	uint32_t tmp;
1742 	uint16_t val;
1743 	int ridx, ant, i;
1744 
1745 	/* check whether the ROM is eFUSE ROM or EEPROM */
1746 	sc->sc_srom_read = run_eeprom_read_2;
1747 	if (sc->mac_ver >= 0x3070) {
1748 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1749 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1750 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1751 			sc->sc_srom_read = run_efuse_read_2;
1752 	}
1753 
1754 	/* read ROM version */
1755 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1756 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1757 
1758 	/* read MAC address */
1759 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1760 	ic->ic_macaddr[0] = val & 0xff;
1761 	ic->ic_macaddr[1] = val >> 8;
1762 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1763 	ic->ic_macaddr[2] = val & 0xff;
1764 	ic->ic_macaddr[3] = val >> 8;
1765 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1766 	ic->ic_macaddr[4] = val & 0xff;
1767 	ic->ic_macaddr[5] = val >> 8;
1768 
1769 	if (sc->mac_ver < 0x3593) {
1770 		/* read vender BBP settings */
1771 		for (i = 0; i < 10; i++) {
1772 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1773 			sc->bbp[i].val = val & 0xff;
1774 			sc->bbp[i].reg = val >> 8;
1775 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1776 			    sc->bbp[i].val);
1777 		}
1778 		if (sc->mac_ver >= 0x3071) {
1779 			/* read vendor RF settings */
1780 			for (i = 0; i < 10; i++) {
1781 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1782 				   &val);
1783 				sc->rf[i].val = val & 0xff;
1784 				sc->rf[i].reg = val >> 8;
1785 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1786 				    sc->rf[i].val);
1787 			}
1788 		}
1789 	}
1790 
1791 	/* read RF frequency offset from EEPROM */
1792 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1793 	    RT3593_EEPROM_FREQ, &val);
1794 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1795 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1796 
1797 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1798 	    RT3593_EEPROM_FREQ_LEDS, &val);
1799 	if (val >> 8 != 0xff) {
1800 		/* read LEDs operating mode */
1801 		sc->leds = val >> 8;
1802 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1803 		    RT3593_EEPROM_LED1, &sc->led[0]);
1804 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1805 		    RT3593_EEPROM_LED2, &sc->led[1]);
1806 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1807 		    RT3593_EEPROM_LED3, &sc->led[2]);
1808 	} else {
1809 		/* broken EEPROM, use default settings */
1810 		sc->leds = 0x01;
1811 		sc->led[0] = 0x5555;
1812 		sc->led[1] = 0x2221;
1813 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1814 	}
1815 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1816 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1817 
1818 	/* read RF information */
1819 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1820 		run_srom_read(sc, 0x00, &val);
1821 	else
1822 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1823 
1824 	if (val == 0xffff) {
1825 		device_printf(sc->sc_dev,
1826 		    "invalid EEPROM antenna info, using default\n");
1827 		DPRINTF("invalid EEPROM antenna info, using default\n");
1828 		if (sc->mac_ver == 0x3572) {
1829 			/* default to RF3052 2T2R */
1830 			sc->rf_rev = RT3070_RF_3052;
1831 			sc->ntxchains = 2;
1832 			sc->nrxchains = 2;
1833 		} else if (sc->mac_ver >= 0x3070) {
1834 			/* default to RF3020 1T1R */
1835 			sc->rf_rev = RT3070_RF_3020;
1836 			sc->ntxchains = 1;
1837 			sc->nrxchains = 1;
1838 		} else {
1839 			/* default to RF2820 1T2R */
1840 			sc->rf_rev = RT2860_RF_2820;
1841 			sc->ntxchains = 1;
1842 			sc->nrxchains = 2;
1843 		}
1844 	} else {
1845 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1846 			sc->rf_rev = val;
1847 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1848 		} else
1849 			sc->rf_rev = (val >> 8) & 0xf;
1850 		sc->ntxchains = (val >> 4) & 0xf;
1851 		sc->nrxchains = val & 0xf;
1852 	}
1853 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1854 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1855 
1856 	/* check if RF supports automatic Tx access gain control */
1857 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1858 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1859 	/* check if driver should patch the DAC issue */
1860 	if ((val >> 8) != 0xff)
1861 		sc->patch_dac = (val >> 15) & 1;
1862 	if ((val & 0xff) != 0xff) {
1863 		sc->ext_5ghz_lna = (val >> 3) & 1;
1864 		sc->ext_2ghz_lna = (val >> 2) & 1;
1865 		/* check if RF supports automatic Tx access gain control */
1866 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1867 		/* check if we have a hardware radio switch */
1868 		sc->rfswitch = val & 1;
1869 	}
1870 
1871 	/* Read Tx power settings. */
1872 	if (sc->mac_ver == 0x3593)
1873 		run_rt3593_get_txpower(sc);
1874 	else
1875 		run_get_txpower(sc);
1876 
1877 	/* read Tx power compensation for each Tx rate */
1878 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1879 	delta_2ghz = delta_5ghz = 0;
1880 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1881 		delta_2ghz = val & 0xf;
1882 		if (!(val & 0x40))	/* negative number */
1883 			delta_2ghz = -delta_2ghz;
1884 	}
1885 	val >>= 8;
1886 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1887 		delta_5ghz = val & 0xf;
1888 		if (!(val & 0x40))	/* negative number */
1889 			delta_5ghz = -delta_5ghz;
1890 	}
1891 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1892 	    delta_2ghz, delta_5ghz);
1893 
1894 	for (ridx = 0; ridx < 5; ridx++) {
1895 		uint32_t reg;
1896 
1897 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1898 		reg = val;
1899 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1900 		reg |= (uint32_t)val << 16;
1901 
1902 		sc->txpow20mhz[ridx] = reg;
1903 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1904 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1905 
1906 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1907 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1908 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1909 	}
1910 
1911 	/* Read RSSI offsets and LNA gains from EEPROM. */
1912 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1913 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1914 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1915 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1916 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1917 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1918 	if (sc->mac_ver >= 0x3070) {
1919 		if (sc->mac_ver == 0x3593) {
1920 			sc->txmixgain_2ghz = 0;
1921 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1922 		} else {
1923 			/*
1924 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1925 			 * field contains the Tx mixer gain for the 2GHz band.
1926 			 */
1927 			if ((val & 0xff) != 0xff)
1928 				sc->txmixgain_2ghz = val & 0x7;
1929 		}
1930 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1931 	} else
1932 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1933 	if (sc->mac_ver == 0x3593)
1934 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1935 	sc->lna[2] = val >> 8;		/* channel group 2 */
1936 
1937 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1938 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1939 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1940 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1941 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1942 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1943 	if (sc->mac_ver == 0x3572) {
1944 		/*
1945 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1946 		 * field contains the Tx mixer gain for the 5GHz band.
1947 		 */
1948 		if ((val & 0xff) != 0xff)
1949 			sc->txmixgain_5ghz = val & 0x7;
1950 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1951 	} else
1952 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1953 	if (sc->mac_ver == 0x3593) {
1954 		sc->txmixgain_5ghz = 0;
1955 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1956 	}
1957 	sc->lna[3] = val >> 8;		/* channel group 3 */
1958 
1959 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1960 	    RT3593_EEPROM_LNA, &val);
1961 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1962 	sc->lna[1] = val >> 8;		/* channel group 1 */
1963 
1964 	/* fix broken 5GHz LNA entries */
1965 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1966 		DPRINTF("invalid LNA for channel group %d\n", 2);
1967 		sc->lna[2] = sc->lna[1];
1968 	}
1969 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1970 		DPRINTF("invalid LNA for channel group %d\n", 3);
1971 		sc->lna[3] = sc->lna[1];
1972 	}
1973 
1974 	/* fix broken RSSI offset entries */
1975 	for (ant = 0; ant < 3; ant++) {
1976 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1977 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1978 			    ant + 1, sc->rssi_2ghz[ant]);
1979 			sc->rssi_2ghz[ant] = 0;
1980 		}
1981 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1982 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1983 			    ant + 1, sc->rssi_5ghz[ant]);
1984 			sc->rssi_5ghz[ant] = 0;
1985 		}
1986 	}
1987 	return (0);
1988 }
1989 
1990 static struct ieee80211_node *
1991 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1992 {
1993 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1994 }
1995 
1996 static int
1997 run_media_change(struct ifnet *ifp)
1998 {
1999 	struct ieee80211vap *vap = ifp->if_softc;
2000 	struct ieee80211com *ic = vap->iv_ic;
2001 	const struct ieee80211_txparam *tp;
2002 	struct run_softc *sc = ic->ic_softc;
2003 	uint8_t rate, ridx;
2004 	int error;
2005 
2006 	RUN_LOCK(sc);
2007 
2008 	error = ieee80211_media_change(ifp);
2009 	if (error != ENETRESET) {
2010 		RUN_UNLOCK(sc);
2011 		return (error);
2012 	}
2013 
2014 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2015 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2016 		struct ieee80211_node *ni;
2017 		struct run_node	*rn;
2018 
2019 		rate = ic->ic_sup_rates[ic->ic_curmode].
2020 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2021 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2022 			if (rt2860_rates[ridx].rate == rate)
2023 				break;
2024 		ni = ieee80211_ref_node(vap->iv_bss);
2025 		rn = RUN_NODE(ni);
2026 		rn->fix_ridx = ridx;
2027 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2028 		ieee80211_free_node(ni);
2029 	}
2030 
2031 #if 0
2032 	if ((ifp->if_flags & IFF_UP) &&
2033 	    (ifp->if_drv_flags &  RUN_RUNNING)){
2034 		run_init_locked(sc);
2035 	}
2036 #endif
2037 
2038 	RUN_UNLOCK(sc);
2039 
2040 	return (0);
2041 }
2042 
2043 static int
2044 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2045 {
2046 	const struct ieee80211_txparam *tp;
2047 	struct ieee80211com *ic = vap->iv_ic;
2048 	struct run_softc *sc = ic->ic_softc;
2049 	struct run_vap *rvp = RUN_VAP(vap);
2050 	enum ieee80211_state ostate;
2051 	uint32_t sta[3];
2052 	uint32_t tmp;
2053 	uint8_t ratectl;
2054 	uint8_t restart_ratectl = 0;
2055 	uint8_t bid = 1 << rvp->rvp_id;
2056 
2057 	ostate = vap->iv_state;
2058 	DPRINTF("%s -> %s\n",
2059 		ieee80211_state_name[ostate],
2060 		ieee80211_state_name[nstate]);
2061 
2062 	IEEE80211_UNLOCK(ic);
2063 	RUN_LOCK(sc);
2064 
2065 	ratectl = sc->ratectl_run; /* remember current state */
2066 	sc->ratectl_run = RUN_RATECTL_OFF;
2067 	usb_callout_stop(&sc->ratectl_ch);
2068 
2069 	if (ostate == IEEE80211_S_RUN) {
2070 		/* turn link LED off */
2071 		run_set_leds(sc, RT2860_LED_RADIO);
2072 	}
2073 
2074 	switch (nstate) {
2075 	case IEEE80211_S_INIT:
2076 		restart_ratectl = 1;
2077 
2078 		if (ostate != IEEE80211_S_RUN)
2079 			break;
2080 
2081 		ratectl &= ~bid;
2082 		sc->runbmap &= ~bid;
2083 
2084 		/* abort TSF synchronization if there is no vap running */
2085 		if (--sc->running == 0) {
2086 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2087 			run_write(sc, RT2860_BCN_TIME_CFG,
2088 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2089 			    RT2860_TBTT_TIMER_EN));
2090 		}
2091 		break;
2092 
2093 	case IEEE80211_S_RUN:
2094 		if (!(sc->runbmap & bid)) {
2095 			if(sc->running++)
2096 				restart_ratectl = 1;
2097 			sc->runbmap |= bid;
2098 		}
2099 
2100 		m_freem(rvp->beacon_mbuf);
2101 		rvp->beacon_mbuf = NULL;
2102 
2103 		switch (vap->iv_opmode) {
2104 		case IEEE80211_M_HOSTAP:
2105 		case IEEE80211_M_MBSS:
2106 			sc->ap_running |= bid;
2107 			ic->ic_opmode = vap->iv_opmode;
2108 			run_update_beacon_cb(vap);
2109 			break;
2110 		case IEEE80211_M_IBSS:
2111 			sc->adhoc_running |= bid;
2112 			if (!sc->ap_running)
2113 				ic->ic_opmode = vap->iv_opmode;
2114 			run_update_beacon_cb(vap);
2115 			break;
2116 		case IEEE80211_M_STA:
2117 			sc->sta_running |= bid;
2118 			if (!sc->ap_running && !sc->adhoc_running)
2119 				ic->ic_opmode = vap->iv_opmode;
2120 
2121 			/* read statistic counters (clear on read) */
2122 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2123 			    (uint8_t *)sta, sizeof sta);
2124 
2125 			break;
2126 		default:
2127 			ic->ic_opmode = vap->iv_opmode;
2128 			break;
2129 		}
2130 
2131 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2132 			struct ieee80211_node *ni;
2133 
2134 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2135 				RUN_UNLOCK(sc);
2136 				IEEE80211_LOCK(ic);
2137 				return (-1);
2138 			}
2139 			run_updateslot(ic);
2140 			run_enable_mrr(sc);
2141 			run_set_txpreamble(sc);
2142 			run_set_basicrates(sc);
2143 			ni = ieee80211_ref_node(vap->iv_bss);
2144 			IEEE80211_ADDR_COPY(ic->ic_macaddr, ni->ni_bssid);
2145 			run_set_bssid(sc, ni->ni_bssid);
2146 			ieee80211_free_node(ni);
2147 			run_enable_tsf_sync(sc);
2148 
2149 			/* enable automatic rate adaptation */
2150 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2151 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2152 				ratectl |= bid;
2153 		} else
2154 			run_enable_tsf(sc);
2155 
2156 		/* turn link LED on */
2157 		run_set_leds(sc, RT2860_LED_RADIO |
2158 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2159 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2160 
2161 		break;
2162 	default:
2163 		DPRINTFN(6, "undefined case\n");
2164 		break;
2165 	}
2166 
2167 	/* restart amrr for running VAPs */
2168 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2169 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2170 
2171 	RUN_UNLOCK(sc);
2172 	IEEE80211_LOCK(ic);
2173 
2174 	return(rvp->newstate(vap, nstate, arg));
2175 }
2176 
2177 /* ARGSUSED */
2178 static void
2179 run_wme_update_cb(void *arg)
2180 {
2181 	struct ieee80211com *ic = arg;
2182 	struct run_softc *sc = ic->ic_softc;
2183 	const struct wmeParams *ac =
2184 	    ic->ic_wme.wme_chanParams.cap_wmeParams;
2185 	int aci, error = 0;
2186 
2187 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2188 
2189 	/* update MAC TX configuration registers */
2190 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2191 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2192 		    ac[aci].wmep_logcwmax << 16 |
2193 		    ac[aci].wmep_logcwmin << 12 |
2194 		    ac[aci].wmep_aifsn    <<  8 |
2195 		    ac[aci].wmep_txopLimit);
2196 		if (error) goto err;
2197 	}
2198 
2199 	/* update SCH/DMA registers too */
2200 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2201 	    ac[WME_AC_VO].wmep_aifsn  << 12 |
2202 	    ac[WME_AC_VI].wmep_aifsn  <<  8 |
2203 	    ac[WME_AC_BK].wmep_aifsn  <<  4 |
2204 	    ac[WME_AC_BE].wmep_aifsn);
2205 	if (error) goto err;
2206 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2207 	    ac[WME_AC_VO].wmep_logcwmin << 12 |
2208 	    ac[WME_AC_VI].wmep_logcwmin <<  8 |
2209 	    ac[WME_AC_BK].wmep_logcwmin <<  4 |
2210 	    ac[WME_AC_BE].wmep_logcwmin);
2211 	if (error) goto err;
2212 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2213 	    ac[WME_AC_VO].wmep_logcwmax << 12 |
2214 	    ac[WME_AC_VI].wmep_logcwmax <<  8 |
2215 	    ac[WME_AC_BK].wmep_logcwmax <<  4 |
2216 	    ac[WME_AC_BE].wmep_logcwmax);
2217 	if (error) goto err;
2218 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2219 	    ac[WME_AC_BK].wmep_txopLimit << 16 |
2220 	    ac[WME_AC_BE].wmep_txopLimit);
2221 	if (error) goto err;
2222 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2223 	    ac[WME_AC_VO].wmep_txopLimit << 16 |
2224 	    ac[WME_AC_VI].wmep_txopLimit);
2225 
2226 err:
2227 	if (error)
2228 		DPRINTF("WME update failed\n");
2229 
2230 	return;
2231 }
2232 
2233 static int
2234 run_wme_update(struct ieee80211com *ic)
2235 {
2236 	struct run_softc *sc = ic->ic_softc;
2237 
2238 	/* sometime called wothout lock */
2239 	if (mtx_owned(&ic->ic_comlock.mtx)) {
2240 		uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2241 		DPRINTF("cmdq_store=%d\n", i);
2242 		sc->cmdq[i].func = run_wme_update_cb;
2243 		sc->cmdq[i].arg0 = ic;
2244 		ieee80211_runtask(ic, &sc->cmdq_task);
2245 		return (0);
2246 	}
2247 
2248 	RUN_LOCK(sc);
2249 	run_wme_update_cb(ic);
2250 	RUN_UNLOCK(sc);
2251 
2252 	/* return whatever, upper layer doesn't care anyway */
2253 	return (0);
2254 }
2255 
2256 static void
2257 run_key_set_cb(void *arg)
2258 {
2259 	struct run_cmdq *cmdq = arg;
2260 	struct ieee80211vap *vap = cmdq->arg1;
2261 	struct ieee80211_key *k = cmdq->k;
2262 	struct ieee80211com *ic = vap->iv_ic;
2263 	struct run_softc *sc = ic->ic_softc;
2264 	struct ieee80211_node *ni;
2265 	u_int cipher = k->wk_cipher->ic_cipher;
2266 	uint32_t attr;
2267 	uint16_t base, associd;
2268 	uint8_t mode, wcid, iv[8];
2269 
2270 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2271 
2272 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2273 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2274 	else
2275 		ni = vap->iv_bss;
2276 	associd = (ni != NULL) ? ni->ni_associd : 0;
2277 
2278 	/* map net80211 cipher to RT2860 security mode */
2279 	switch (cipher) {
2280 	case IEEE80211_CIPHER_WEP:
2281 		if(k->wk_keylen < 8)
2282 			mode = RT2860_MODE_WEP40;
2283 		else
2284 			mode = RT2860_MODE_WEP104;
2285 		break;
2286 	case IEEE80211_CIPHER_TKIP:
2287 		mode = RT2860_MODE_TKIP;
2288 		break;
2289 	case IEEE80211_CIPHER_AES_CCM:
2290 		mode = RT2860_MODE_AES_CCMP;
2291 		break;
2292 	default:
2293 		DPRINTF("undefined case\n");
2294 		return;
2295 	}
2296 
2297 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2298 	    associd, k->wk_keyix, mode,
2299 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2300 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2301 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2302 
2303 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2304 		wcid = 0;	/* NB: update WCID0 for group keys */
2305 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2306 	} else {
2307 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2308 		    1 : RUN_AID2WCID(associd);
2309 		base = RT2860_PKEY(wcid);
2310 	}
2311 
2312 	if (cipher == IEEE80211_CIPHER_TKIP) {
2313 		if(run_write_region_1(sc, base, k->wk_key, 16))
2314 			return;
2315 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2316 			return;
2317 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2318 			return;
2319 	} else {
2320 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2321 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2322 			return;
2323 	}
2324 
2325 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2326 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2327 		/* set initial packet number in IV+EIV */
2328 		if (cipher == IEEE80211_CIPHER_WEP) {
2329 			memset(iv, 0, sizeof iv);
2330 			iv[3] = vap->iv_def_txkey << 6;
2331 		} else {
2332 			if (cipher == IEEE80211_CIPHER_TKIP) {
2333 				iv[0] = k->wk_keytsc >> 8;
2334 				iv[1] = (iv[0] | 0x20) & 0x7f;
2335 				iv[2] = k->wk_keytsc;
2336 			} else /* CCMP */ {
2337 				iv[0] = k->wk_keytsc;
2338 				iv[1] = k->wk_keytsc >> 8;
2339 				iv[2] = 0;
2340 			}
2341 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2342 			iv[4] = k->wk_keytsc >> 16;
2343 			iv[5] = k->wk_keytsc >> 24;
2344 			iv[6] = k->wk_keytsc >> 32;
2345 			iv[7] = k->wk_keytsc >> 40;
2346 		}
2347 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2348 			return;
2349 	}
2350 
2351 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2352 		/* install group key */
2353 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2354 			return;
2355 		attr &= ~(0xf << (k->wk_keyix * 4));
2356 		attr |= mode << (k->wk_keyix * 4);
2357 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2358 			return;
2359 	} else {
2360 		/* install pairwise key */
2361 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2362 			return;
2363 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2364 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2365 			return;
2366 	}
2367 
2368 	/* TODO create a pass-thru key entry? */
2369 
2370 	/* need wcid to delete the right key later */
2371 	k->wk_pad = wcid;
2372 }
2373 
2374 /*
2375  * Don't have to be deferred, but in order to keep order of
2376  * execution, i.e. with run_key_delete(), defer this and let
2377  * run_cmdq_cb() maintain the order.
2378  *
2379  * return 0 on error
2380  */
2381 static int
2382 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2383 {
2384 	struct ieee80211com *ic = vap->iv_ic;
2385 	struct run_softc *sc = ic->ic_softc;
2386 	uint32_t i;
2387 
2388 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2389 	DPRINTF("cmdq_store=%d\n", i);
2390 	sc->cmdq[i].func = run_key_set_cb;
2391 	sc->cmdq[i].arg0 = NULL;
2392 	sc->cmdq[i].arg1 = vap;
2393 	sc->cmdq[i].k = k;
2394 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2395 	ieee80211_runtask(ic, &sc->cmdq_task);
2396 
2397 	/*
2398 	 * To make sure key will be set when hostapd
2399 	 * calls iv_key_set() before if_init().
2400 	 */
2401 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2402 		RUN_LOCK(sc);
2403 		sc->cmdq_key_set = RUN_CMDQ_GO;
2404 		RUN_UNLOCK(sc);
2405 	}
2406 
2407 	return (1);
2408 }
2409 
2410 /*
2411  * If wlan is destroyed without being brought down i.e. without
2412  * wlan down or wpa_cli terminate, this function is called after
2413  * vap is gone. Don't refer it.
2414  */
2415 static void
2416 run_key_delete_cb(void *arg)
2417 {
2418 	struct run_cmdq *cmdq = arg;
2419 	struct run_softc *sc = cmdq->arg1;
2420 	struct ieee80211_key *k = &cmdq->key;
2421 	uint32_t attr;
2422 	uint8_t wcid;
2423 
2424 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2425 
2426 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2427 		/* remove group key */
2428 		DPRINTF("removing group key\n");
2429 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2430 		attr &= ~(0xf << (k->wk_keyix * 4));
2431 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2432 	} else {
2433 		/* remove pairwise key */
2434 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2435 		/* matching wcid was written to wk_pad in run_key_set() */
2436 		wcid = k->wk_pad;
2437 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2438 		attr &= ~0xf;
2439 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2440 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2441 	}
2442 
2443 	k->wk_pad = 0;
2444 }
2445 
2446 /*
2447  * return 0 on error
2448  */
2449 static int
2450 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2451 {
2452 	struct ieee80211com *ic = vap->iv_ic;
2453 	struct run_softc *sc = ic->ic_softc;
2454 	struct ieee80211_key *k0;
2455 	uint32_t i;
2456 
2457 	/*
2458 	 * When called back, key might be gone. So, make a copy
2459 	 * of some values need to delete keys before deferring.
2460 	 * But, because of LOR with node lock, cannot use lock here.
2461 	 * So, use atomic instead.
2462 	 */
2463 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2464 	DPRINTF("cmdq_store=%d\n", i);
2465 	sc->cmdq[i].func = run_key_delete_cb;
2466 	sc->cmdq[i].arg0 = NULL;
2467 	sc->cmdq[i].arg1 = sc;
2468 	k0 = &sc->cmdq[i].key;
2469 	k0->wk_flags = k->wk_flags;
2470 	k0->wk_keyix = k->wk_keyix;
2471 	/* matching wcid was written to wk_pad in run_key_set() */
2472 	k0->wk_pad = k->wk_pad;
2473 	ieee80211_runtask(ic, &sc->cmdq_task);
2474 	return (1);	/* return fake success */
2475 
2476 }
2477 
2478 static void
2479 run_ratectl_to(void *arg)
2480 {
2481 	struct run_softc *sc = arg;
2482 
2483 	/* do it in a process context, so it can go sleep */
2484 	ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2485 	/* next timeout will be rescheduled in the callback task */
2486 }
2487 
2488 /* ARGSUSED */
2489 static void
2490 run_ratectl_cb(void *arg, int pending)
2491 {
2492 	struct run_softc *sc = arg;
2493 	struct ieee80211com *ic = &sc->sc_ic;
2494 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2495 
2496 	if (vap == NULL)
2497 		return;
2498 
2499 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2500 		/*
2501 		 * run_reset_livelock() doesn't do anything with AMRR,
2502 		 * but Ralink wants us to call it every 1 sec. So, we
2503 		 * piggyback here rather than creating another callout.
2504 		 * Livelock may occur only in HOSTAP or IBSS mode
2505 		 * (when h/w is sending beacons).
2506 		 */
2507 		RUN_LOCK(sc);
2508 		run_reset_livelock(sc);
2509 		/* just in case, there are some stats to drain */
2510 		run_drain_fifo(sc);
2511 		RUN_UNLOCK(sc);
2512 	}
2513 
2514 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2515 
2516 	RUN_LOCK(sc);
2517 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2518 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2519 	RUN_UNLOCK(sc);
2520 }
2521 
2522 static void
2523 run_drain_fifo(void *arg)
2524 {
2525 	struct run_softc *sc = arg;
2526 	uint32_t stat;
2527 	uint16_t (*wstat)[3];
2528 	uint8_t wcid, mcs, pid;
2529 	int8_t retry;
2530 
2531 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2532 
2533 	for (;;) {
2534 		/* drain Tx status FIFO (maxsize = 16) */
2535 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2536 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2537 		if (!(stat & RT2860_TXQ_VLD))
2538 			break;
2539 
2540 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2541 
2542 		/* if no ACK was requested, no feedback is available */
2543 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2544 		    wcid == 0)
2545 			continue;
2546 
2547 		/*
2548 		 * Even though each stat is Tx-complete-status like format,
2549 		 * the device can poll stats. Because there is no guarantee
2550 		 * that the referring node is still around when read the stats.
2551 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2552 		 * have hard time not to refer already freed node.
2553 		 *
2554 		 * To eliminate such page faults, we poll stats in softc.
2555 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2556 		 */
2557 		wstat = &(sc->wcid_stats[wcid]);
2558 		(*wstat)[RUN_TXCNT]++;
2559 		if (stat & RT2860_TXQ_OK)
2560 			(*wstat)[RUN_SUCCESS]++;
2561 		else
2562 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2563 		/*
2564 		 * Check if there were retries, ie if the Tx success rate is
2565 		 * different from the requested rate. Note that it works only
2566 		 * because we do not allow rate fallback from OFDM to CCK.
2567 		 */
2568 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2569 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2570 		if ((retry = pid -1 - mcs) > 0) {
2571 			(*wstat)[RUN_TXCNT] += retry;
2572 			(*wstat)[RUN_RETRY] += retry;
2573 		}
2574 	}
2575 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2576 
2577 	sc->fifo_cnt = 0;
2578 }
2579 
2580 static void
2581 run_iter_func(void *arg, struct ieee80211_node *ni)
2582 {
2583 	struct run_softc *sc = arg;
2584 	struct ieee80211vap *vap = ni->ni_vap;
2585 	struct run_node *rn = RUN_NODE(ni);
2586 	union run_stats sta[2];
2587 	uint16_t (*wstat)[3];
2588 	int txcnt, success, retrycnt, error;
2589 
2590 	RUN_LOCK(sc);
2591 
2592 	/* Check for special case */
2593 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2594 	    ni != vap->iv_bss)
2595 		goto fail;
2596 
2597 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2598 	    vap->iv_opmode == IEEE80211_M_STA)) {
2599 		/* read statistic counters (clear on read) and update AMRR state */
2600 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2601 		    sizeof sta);
2602 		if (error != 0)
2603 			goto fail;
2604 
2605 		/* count failed TX as errors */
2606 		if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2607 		    le16toh(sta[0].error.fail));
2608 
2609 		retrycnt = le16toh(sta[1].tx.retry);
2610 		success = le16toh(sta[1].tx.success);
2611 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2612 
2613 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2614 			retrycnt, success, le16toh(sta[0].error.fail));
2615 	} else {
2616 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2617 
2618 		if (wstat == &(sc->wcid_stats[0]) ||
2619 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2620 			goto fail;
2621 
2622 		txcnt = (*wstat)[RUN_TXCNT];
2623 		success = (*wstat)[RUN_SUCCESS];
2624 		retrycnt = (*wstat)[RUN_RETRY];
2625 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2626 		    retrycnt, txcnt, success);
2627 
2628 		memset(wstat, 0, sizeof(*wstat));
2629 	}
2630 
2631 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2632 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2633 
2634 fail:
2635 	RUN_UNLOCK(sc);
2636 
2637 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2638 }
2639 
2640 static void
2641 run_newassoc_cb(void *arg)
2642 {
2643 	struct run_cmdq *cmdq = arg;
2644 	struct ieee80211_node *ni = cmdq->arg1;
2645 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2646 	uint8_t wcid = cmdq->wcid;
2647 
2648 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2649 
2650 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2651 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2652 
2653 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2654 }
2655 
2656 static void
2657 run_newassoc(struct ieee80211_node *ni, int isnew)
2658 {
2659 	struct run_node *rn = RUN_NODE(ni);
2660 	struct ieee80211_rateset *rs = &ni->ni_rates;
2661 	struct ieee80211vap *vap = ni->ni_vap;
2662 	struct ieee80211com *ic = vap->iv_ic;
2663 	struct run_softc *sc = ic->ic_softc;
2664 	uint8_t rate;
2665 	uint8_t ridx;
2666 	uint8_t wcid;
2667 	int i, j;
2668 
2669 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2670 	    1 : RUN_AID2WCID(ni->ni_associd);
2671 
2672 	if (wcid > RT2870_WCID_MAX) {
2673 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2674 		return;
2675 	}
2676 
2677 	/* only interested in true associations */
2678 	if (isnew && ni->ni_associd != 0) {
2679 
2680 		/*
2681 		 * This function could is called though timeout function.
2682 		 * Need to defer.
2683 		 */
2684 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2685 		DPRINTF("cmdq_store=%d\n", cnt);
2686 		sc->cmdq[cnt].func = run_newassoc_cb;
2687 		sc->cmdq[cnt].arg0 = NULL;
2688 		sc->cmdq[cnt].arg1 = ni;
2689 		sc->cmdq[cnt].wcid = wcid;
2690 		ieee80211_runtask(ic, &sc->cmdq_task);
2691 	}
2692 
2693 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2694 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2695 
2696 	for (i = 0; i < rs->rs_nrates; i++) {
2697 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2698 		/* convert 802.11 rate to hardware rate index */
2699 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2700 			if (rt2860_rates[ridx].rate == rate)
2701 				break;
2702 		rn->ridx[i] = ridx;
2703 		/* determine rate of control response frames */
2704 		for (j = i; j >= 0; j--) {
2705 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2706 			    rt2860_rates[rn->ridx[i]].phy ==
2707 			    rt2860_rates[rn->ridx[j]].phy)
2708 				break;
2709 		}
2710 		if (j >= 0) {
2711 			rn->ctl_ridx[i] = rn->ridx[j];
2712 		} else {
2713 			/* no basic rate found, use mandatory one */
2714 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2715 		}
2716 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2717 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2718 	}
2719 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2720 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2721 		if (rt2860_rates[ridx].rate == rate)
2722 			break;
2723 	rn->mgt_ridx = ridx;
2724 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2725 
2726 	RUN_LOCK(sc);
2727 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2728 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2729 	RUN_UNLOCK(sc);
2730 }
2731 
2732 /*
2733  * Return the Rx chain with the highest RSSI for a given frame.
2734  */
2735 static __inline uint8_t
2736 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2737 {
2738 	uint8_t rxchain = 0;
2739 
2740 	if (sc->nrxchains > 1) {
2741 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2742 			rxchain = 1;
2743 		if (sc->nrxchains > 2)
2744 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2745 				rxchain = 2;
2746 	}
2747 	return (rxchain);
2748 }
2749 
2750 static void
2751 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2752     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2753 {
2754 	struct ieee80211vap *vap = ni->ni_vap;
2755 	struct run_softc *sc = vap->iv_ic->ic_softc;
2756 	struct run_vap *rvp = RUN_VAP(vap);
2757 	uint64_t ni_tstamp, rx_tstamp;
2758 
2759 	rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2760 
2761 	if (vap->iv_state == IEEE80211_S_RUN &&
2762 	    (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2763 	    subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2764 		ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2765 		RUN_LOCK(sc);
2766 		run_get_tsf(sc, &rx_tstamp);
2767 		RUN_UNLOCK(sc);
2768 		rx_tstamp = le64toh(rx_tstamp);
2769 
2770 		if (ni_tstamp >= rx_tstamp) {
2771 			DPRINTF("ibss merge, tsf %ju tstamp %ju\n",
2772 			    (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2773 			(void) ieee80211_ibss_merge(ni);
2774 		}
2775 	}
2776 }
2777 
2778 static void
2779 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2780 {
2781 	struct ieee80211com *ic = &sc->sc_ic;
2782 	struct ieee80211_frame *wh;
2783 	struct ieee80211_node *ni;
2784 	struct rt2870_rxd *rxd;
2785 	struct rt2860_rxwi *rxwi;
2786 	uint32_t flags;
2787 	uint16_t len, rxwisize;
2788 	uint8_t ant, rssi;
2789 	int8_t nf;
2790 
2791 	rxwi = mtod(m, struct rt2860_rxwi *);
2792 	len = le16toh(rxwi->len) & 0xfff;
2793 	rxwisize = sizeof(struct rt2860_rxwi);
2794 	if (sc->mac_ver == 0x5592)
2795 		rxwisize += sizeof(uint64_t);
2796 	else if (sc->mac_ver == 0x3593)
2797 		rxwisize += sizeof(uint32_t);
2798 	if (__predict_false(len > dmalen)) {
2799 		m_freem(m);
2800 		counter_u64_add(ic->ic_ierrors, 1);
2801 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2802 		return;
2803 	}
2804 	/* Rx descriptor is located at the end */
2805 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2806 	flags = le32toh(rxd->flags);
2807 
2808 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2809 		m_freem(m);
2810 		counter_u64_add(ic->ic_ierrors, 1);
2811 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2812 		return;
2813 	}
2814 
2815 	m->m_data += rxwisize;
2816 	m->m_pkthdr.len = m->m_len -= rxwisize;
2817 
2818 	wh = mtod(m, struct ieee80211_frame *);
2819 
2820 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2821 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2822 		m->m_flags |= M_WEP;
2823 	}
2824 
2825 	if (flags & RT2860_RX_L2PAD) {
2826 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2827 		len += 2;
2828 	}
2829 
2830 	ni = ieee80211_find_rxnode(ic,
2831 	    mtod(m, struct ieee80211_frame_min *));
2832 
2833 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2834 		/* report MIC failures to net80211 for TKIP */
2835 		if (ni != NULL)
2836 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2837 			    rxwi->keyidx);
2838 		m_freem(m);
2839 		counter_u64_add(ic->ic_ierrors, 1);
2840 		DPRINTF("MIC error. Someone is lying.\n");
2841 		return;
2842 	}
2843 
2844 	ant = run_maxrssi_chain(sc, rxwi);
2845 	rssi = rxwi->rssi[ant];
2846 	nf = run_rssi2dbm(sc, rssi, ant);
2847 
2848 	m->m_pkthdr.len = m->m_len = len;
2849 
2850 	if (ni != NULL) {
2851 		(void)ieee80211_input(ni, m, rssi, nf);
2852 		ieee80211_free_node(ni);
2853 	} else {
2854 		(void)ieee80211_input_all(ic, m, rssi, nf);
2855 	}
2856 
2857 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2858 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2859 		uint16_t phy;
2860 
2861 		tap->wr_flags = 0;
2862 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2863 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2864 		tap->wr_antsignal = rssi;
2865 		tap->wr_antenna = ant;
2866 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2867 		tap->wr_rate = 2;	/* in case it can't be found below */
2868 		run_get_tsf(sc, &tap->wr_tsf);
2869 		phy = le16toh(rxwi->phy);
2870 		switch (phy & RT2860_PHY_MODE) {
2871 		case RT2860_PHY_CCK:
2872 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2873 			case 0:	tap->wr_rate =   2; break;
2874 			case 1:	tap->wr_rate =   4; break;
2875 			case 2:	tap->wr_rate =  11; break;
2876 			case 3:	tap->wr_rate =  22; break;
2877 			}
2878 			if (phy & RT2860_PHY_SHPRE)
2879 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2880 			break;
2881 		case RT2860_PHY_OFDM:
2882 			switch (phy & RT2860_PHY_MCS) {
2883 			case 0:	tap->wr_rate =  12; break;
2884 			case 1:	tap->wr_rate =  18; break;
2885 			case 2:	tap->wr_rate =  24; break;
2886 			case 3:	tap->wr_rate =  36; break;
2887 			case 4:	tap->wr_rate =  48; break;
2888 			case 5:	tap->wr_rate =  72; break;
2889 			case 6:	tap->wr_rate =  96; break;
2890 			case 7:	tap->wr_rate = 108; break;
2891 			}
2892 			break;
2893 		}
2894 	}
2895 }
2896 
2897 static void
2898 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2899 {
2900 	struct run_softc *sc = usbd_xfer_softc(xfer);
2901 	struct ieee80211com *ic = &sc->sc_ic;
2902 	struct mbuf *m = NULL;
2903 	struct mbuf *m0;
2904 	uint32_t dmalen;
2905 	uint16_t rxwisize;
2906 	int xferlen;
2907 
2908 	rxwisize = sizeof(struct rt2860_rxwi);
2909 	if (sc->mac_ver == 0x5592)
2910 		rxwisize += sizeof(uint64_t);
2911 	else if (sc->mac_ver == 0x3593)
2912 		rxwisize += sizeof(uint32_t);
2913 
2914 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2915 
2916 	switch (USB_GET_STATE(xfer)) {
2917 	case USB_ST_TRANSFERRED:
2918 
2919 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2920 
2921 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2922 		    sizeof(struct rt2870_rxd))) {
2923 			DPRINTF("xfer too short %d\n", xferlen);
2924 			goto tr_setup;
2925 		}
2926 
2927 		m = sc->rx_m;
2928 		sc->rx_m = NULL;
2929 
2930 		/* FALLTHROUGH */
2931 	case USB_ST_SETUP:
2932 tr_setup:
2933 		if (sc->rx_m == NULL) {
2934 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2935 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2936 		}
2937 		if (sc->rx_m == NULL) {
2938 			DPRINTF("could not allocate mbuf - idle with stall\n");
2939 			counter_u64_add(ic->ic_ierrors, 1);
2940 			usbd_xfer_set_stall(xfer);
2941 			usbd_xfer_set_frames(xfer, 0);
2942 		} else {
2943 			/*
2944 			 * Directly loading a mbuf cluster into DMA to
2945 			 * save some data copying. This works because
2946 			 * there is only one cluster.
2947 			 */
2948 			usbd_xfer_set_frame_data(xfer, 0,
2949 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2950 			usbd_xfer_set_frames(xfer, 1);
2951 		}
2952 		usbd_transfer_submit(xfer);
2953 		break;
2954 
2955 	default:	/* Error */
2956 		if (error != USB_ERR_CANCELLED) {
2957 			/* try to clear stall first */
2958 			usbd_xfer_set_stall(xfer);
2959 			if (error == USB_ERR_TIMEOUT)
2960 				device_printf(sc->sc_dev, "device timeout\n");
2961 			counter_u64_add(ic->ic_ierrors, 1);
2962 			goto tr_setup;
2963 		}
2964 		if (sc->rx_m != NULL) {
2965 			m_freem(sc->rx_m);
2966 			sc->rx_m = NULL;
2967 		}
2968 		break;
2969 	}
2970 
2971 	if (m == NULL)
2972 		return;
2973 
2974 	/* inputting all the frames must be last */
2975 
2976 	RUN_UNLOCK(sc);
2977 
2978 	m->m_pkthdr.len = m->m_len = xferlen;
2979 
2980 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2981 	for(;;) {
2982 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2983 
2984 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2985 		    ((dmalen & 3) != 0)) {
2986 			DPRINTF("bad DMA length %u\n", dmalen);
2987 			break;
2988 		}
2989 		if ((dmalen + 8) > (uint32_t)xferlen) {
2990 			DPRINTF("bad DMA length %u > %d\n",
2991 			dmalen + 8, xferlen);
2992 			break;
2993 		}
2994 
2995 		/* If it is the last one or a single frame, we won't copy. */
2996 		if ((xferlen -= dmalen + 8) <= 8) {
2997 			/* trim 32-bit DMA-len header */
2998 			m->m_data += 4;
2999 			m->m_pkthdr.len = m->m_len -= 4;
3000 			run_rx_frame(sc, m, dmalen);
3001 			m = NULL;	/* don't free source buffer */
3002 			break;
3003 		}
3004 
3005 		/* copy aggregated frames to another mbuf */
3006 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
3007 		if (__predict_false(m0 == NULL)) {
3008 			DPRINTF("could not allocate mbuf\n");
3009 			counter_u64_add(ic->ic_ierrors, 1);
3010 			break;
3011 		}
3012 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3013 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3014 		m0->m_pkthdr.len = m0->m_len =
3015 		    dmalen + sizeof(struct rt2870_rxd);
3016 		run_rx_frame(sc, m0, dmalen);
3017 
3018 		/* update data ptr */
3019 		m->m_data += dmalen + 8;
3020 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
3021 	}
3022 
3023 	/* make sure we free the source buffer, if any */
3024 	m_freem(m);
3025 
3026 	RUN_LOCK(sc);
3027 }
3028 
3029 static void
3030 run_tx_free(struct run_endpoint_queue *pq,
3031     struct run_tx_data *data, int txerr)
3032 {
3033 	if (data->m != NULL) {
3034 		if (data->m->m_flags & M_TXCB)
3035 			ieee80211_process_callback(data->ni, data->m,
3036 			    txerr ? ETIMEDOUT : 0);
3037 		m_freem(data->m);
3038 		data->m = NULL;
3039 
3040 		if (data->ni == NULL) {
3041 			DPRINTF("no node\n");
3042 		} else {
3043 			ieee80211_free_node(data->ni);
3044 			data->ni = NULL;
3045 		}
3046 	}
3047 
3048 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3049 	pq->tx_nfree++;
3050 }
3051 
3052 static void
3053 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3054 {
3055 	struct run_softc *sc = usbd_xfer_softc(xfer);
3056 	struct ieee80211com *ic = &sc->sc_ic;
3057 	struct run_tx_data *data;
3058 	struct ieee80211vap *vap = NULL;
3059 	struct usb_page_cache *pc;
3060 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3061 	struct mbuf *m;
3062 	usb_frlength_t size;
3063 	int actlen;
3064 	int sumlen;
3065 
3066 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3067 
3068 	switch (USB_GET_STATE(xfer)) {
3069 	case USB_ST_TRANSFERRED:
3070 		DPRINTFN(11, "transfer complete: %d "
3071 		    "bytes @ index %d\n", actlen, index);
3072 
3073 		data = usbd_xfer_get_priv(xfer);
3074 		run_tx_free(pq, data, 0);
3075 		usbd_xfer_set_priv(xfer, NULL);
3076 
3077 		/* FALLTHROUGH */
3078 	case USB_ST_SETUP:
3079 tr_setup:
3080 		data = STAILQ_FIRST(&pq->tx_qh);
3081 		if (data == NULL)
3082 			break;
3083 
3084 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3085 
3086 		m = data->m;
3087 		size = (sc->mac_ver == 0x5592) ?
3088 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3089 		if ((m->m_pkthdr.len +
3090 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3091 			DPRINTF("data overflow, %u bytes\n",
3092 			    m->m_pkthdr.len);
3093 			run_tx_free(pq, data, 1);
3094 			goto tr_setup;
3095 		}
3096 
3097 		pc = usbd_xfer_get_frame(xfer, 0);
3098 		usbd_copy_in(pc, 0, &data->desc, size);
3099 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3100 		size += m->m_pkthdr.len;
3101 		/*
3102 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3103 		 * 4-byte padding), and be sure to zero those trailing
3104 		 * bytes:
3105 		 */
3106 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3107 		size += ((-size) & 3) + 8;
3108 
3109 		vap = data->ni->ni_vap;
3110 		if (ieee80211_radiotap_active_vap(vap)) {
3111 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3112 			struct rt2860_txwi *txwi =
3113 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3114 			tap->wt_flags = 0;
3115 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3116 			run_get_tsf(sc, &tap->wt_tsf);
3117 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3118 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3119 			tap->wt_hwqueue = index;
3120 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3121 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3122 
3123 			ieee80211_radiotap_tx(vap, m);
3124 		}
3125 
3126 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3127 		    m->m_pkthdr.len, size, index);
3128 
3129 		usbd_xfer_set_frame_len(xfer, 0, size);
3130 		usbd_xfer_set_priv(xfer, data);
3131 		usbd_transfer_submit(xfer);
3132 		run_start(sc);
3133 
3134 		break;
3135 
3136 	default:
3137 		DPRINTF("USB transfer error, %s\n",
3138 		    usbd_errstr(error));
3139 
3140 		data = usbd_xfer_get_priv(xfer);
3141 
3142 		if (data != NULL) {
3143 			if(data->ni != NULL)
3144 				vap = data->ni->ni_vap;
3145 			run_tx_free(pq, data, error);
3146 			usbd_xfer_set_priv(xfer, NULL);
3147 		}
3148 
3149 		if (vap == NULL)
3150 			vap = TAILQ_FIRST(&ic->ic_vaps);
3151 
3152 		if (error != USB_ERR_CANCELLED) {
3153 			if (error == USB_ERR_TIMEOUT) {
3154 				device_printf(sc->sc_dev, "device timeout\n");
3155 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3156 				DPRINTF("cmdq_store=%d\n", i);
3157 				sc->cmdq[i].func = run_usb_timeout_cb;
3158 				sc->cmdq[i].arg0 = vap;
3159 				ieee80211_runtask(ic, &sc->cmdq_task);
3160 			}
3161 
3162 			/*
3163 			 * Try to clear stall first, also if other
3164 			 * errors occur, hence clearing stall
3165 			 * introduces a 50 ms delay:
3166 			 */
3167 			usbd_xfer_set_stall(xfer);
3168 			goto tr_setup;
3169 		}
3170 		break;
3171 	}
3172 }
3173 
3174 static void
3175 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3176 {
3177 	run_bulk_tx_callbackN(xfer, error, 0);
3178 }
3179 
3180 static void
3181 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3182 {
3183 	run_bulk_tx_callbackN(xfer, error, 1);
3184 }
3185 
3186 static void
3187 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3188 {
3189 	run_bulk_tx_callbackN(xfer, error, 2);
3190 }
3191 
3192 static void
3193 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3194 {
3195 	run_bulk_tx_callbackN(xfer, error, 3);
3196 }
3197 
3198 static void
3199 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3200 {
3201 	run_bulk_tx_callbackN(xfer, error, 4);
3202 }
3203 
3204 static void
3205 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3206 {
3207 	run_bulk_tx_callbackN(xfer, error, 5);
3208 }
3209 
3210 static void
3211 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3212 {
3213 	struct mbuf *m = data->m;
3214 	struct ieee80211com *ic = &sc->sc_ic;
3215 	struct ieee80211vap *vap = data->ni->ni_vap;
3216 	struct ieee80211_frame *wh;
3217 	struct rt2870_txd *txd;
3218 	struct rt2860_txwi *txwi;
3219 	uint16_t xferlen, txwisize;
3220 	uint16_t mcs;
3221 	uint8_t ridx = data->ridx;
3222 	uint8_t pad;
3223 
3224 	/* get MCS code from rate index */
3225 	mcs = rt2860_rates[ridx].mcs;
3226 
3227 	txwisize = (sc->mac_ver == 0x5592) ?
3228 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3229 	xferlen = txwisize + m->m_pkthdr.len;
3230 
3231 	/* roundup to 32-bit alignment */
3232 	xferlen = (xferlen + 3) & ~3;
3233 
3234 	txd = (struct rt2870_txd *)&data->desc;
3235 	txd->len = htole16(xferlen);
3236 
3237 	wh = mtod(m, struct ieee80211_frame *);
3238 
3239 	/*
3240 	 * Ether both are true or both are false, the header
3241 	 * are nicely aligned to 32-bit. So, no L2 padding.
3242 	 */
3243 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3244 		pad = 0;
3245 	else
3246 		pad = 2;
3247 
3248 	/* setup TX Wireless Information */
3249 	txwi = (struct rt2860_txwi *)(txd + 1);
3250 	txwi->len = htole16(m->m_pkthdr.len - pad);
3251 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3252 		mcs |= RT2860_PHY_CCK;
3253 		if (ridx != RT2860_RIDX_CCK1 &&
3254 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3255 			mcs |= RT2860_PHY_SHPRE;
3256 	} else
3257 		mcs |= RT2860_PHY_OFDM;
3258 	txwi->phy = htole16(mcs);
3259 
3260 	/* check if RTS/CTS or CTS-to-self protection is required */
3261 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3262 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3263 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3264 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3265 		txwi->txop |= RT2860_TX_TXOP_HT;
3266 	else
3267 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3268 
3269 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3270 		txwi->xflags |= RT2860_TX_NSEQ;
3271 }
3272 
3273 /* This function must be called locked */
3274 static int
3275 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3276 {
3277 	struct ieee80211com *ic = &sc->sc_ic;
3278 	struct ieee80211vap *vap = ni->ni_vap;
3279 	struct ieee80211_frame *wh;
3280 	struct ieee80211_channel *chan;
3281 	const struct ieee80211_txparam *tp;
3282 	struct run_node *rn = RUN_NODE(ni);
3283 	struct run_tx_data *data;
3284 	struct rt2870_txd *txd;
3285 	struct rt2860_txwi *txwi;
3286 	uint16_t qos;
3287 	uint16_t dur;
3288 	uint16_t qid;
3289 	uint8_t type;
3290 	uint8_t tid;
3291 	uint8_t ridx;
3292 	uint8_t ctl_ridx;
3293 	uint8_t qflags;
3294 	uint8_t xflags = 0;
3295 	int hasqos;
3296 
3297 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3298 
3299 	wh = mtod(m, struct ieee80211_frame *);
3300 
3301 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3302 
3303 	/*
3304 	 * There are 7 bulk endpoints: 1 for RX
3305 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3306 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3307 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3308 	 */
3309 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3310 		uint8_t *frm;
3311 
3312 		if(IEEE80211_HAS_ADDR4(wh))
3313 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3314 		else
3315 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3316 
3317 		qos = le16toh(*(const uint16_t *)frm);
3318 		tid = qos & IEEE80211_QOS_TID;
3319 		qid = TID_TO_WME_AC(tid);
3320 	} else {
3321 		qos = 0;
3322 		tid = 0;
3323 		qid = WME_AC_BE;
3324 	}
3325 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3326 
3327 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3328 	    qos, qid, tid, qflags);
3329 
3330 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3331 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3332 
3333 	/* pickup a rate index */
3334 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3335 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3336 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3337 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3338 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3339 	} else {
3340 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3341 			ridx = rn->fix_ridx;
3342 		else
3343 			ridx = rn->amrr_ridx;
3344 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3345 	}
3346 
3347 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3348 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3349 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3350 		xflags |= RT2860_TX_ACK;
3351 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3352 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3353 		else
3354 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3355 		USETW(wh->i_dur, dur);
3356 	}
3357 
3358 	/* reserve slots for mgmt packets, just in case */
3359 	if (sc->sc_epq[qid].tx_nfree < 3) {
3360 		DPRINTFN(10, "tx ring %d is full\n", qid);
3361 		return (-1);
3362 	}
3363 
3364 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3365 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3366 	sc->sc_epq[qid].tx_nfree--;
3367 
3368 	txd = (struct rt2870_txd *)&data->desc;
3369 	txd->flags = qflags;
3370 	txwi = (struct rt2860_txwi *)(txd + 1);
3371 	txwi->xflags = xflags;
3372 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3373 		txwi->wcid = 0;
3374 	else
3375 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3376 		    1 : RUN_AID2WCID(ni->ni_associd);
3377 
3378 	/* clear leftover garbage bits */
3379 	txwi->flags = 0;
3380 	txwi->txop = 0;
3381 
3382 	data->m = m;
3383 	data->ni = ni;
3384 	data->ridx = ridx;
3385 
3386 	run_set_tx_desc(sc, data);
3387 
3388 	/*
3389 	 * The chip keeps track of 2 kind of Tx stats,
3390 	 *  * TX_STAT_FIFO, for per WCID stats, and
3391 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3392 	 *
3393 	 * To use FIFO stats, we need to store MCS into the driver-private
3394  	 * PacketID field. So that, we can tell whose stats when we read them.
3395  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3396  	 * that we don't want feedback in TX_STAT_FIFO.
3397  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3398  	 *
3399  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3400  	 */
3401 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3402 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3403 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3404 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3405 
3406 		/*
3407 		 * Unlike PCI based devices, we don't get any interrupt from
3408 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3409 		 * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3410 		 * quickly get fulled. To prevent overflow, increment a counter on
3411 		 * every FIFO stat request, so we know how many slots are left.
3412 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3413 		 * are used only in those modes.
3414 		 * We just drain stats. AMRR gets updated every 1 sec by
3415 		 * run_ratectl_cb() via callout.
3416 		 * Call it early. Otherwise overflow.
3417 		 */
3418 		if (sc->fifo_cnt++ == 10) {
3419 			/*
3420 			 * With multiple vaps or if_bridge, if_start() is called
3421 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3422 			 */
3423 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3424 			DPRINTFN(6, "cmdq_store=%d\n", i);
3425 			sc->cmdq[i].func = run_drain_fifo;
3426 			sc->cmdq[i].arg0 = sc;
3427 			ieee80211_runtask(ic, &sc->cmdq_task);
3428 		}
3429 	}
3430 
3431         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3432 
3433 	usbd_transfer_start(sc->sc_xfer[qid]);
3434 
3435 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3436 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3437 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3438 
3439 	return (0);
3440 }
3441 
3442 static int
3443 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3444 {
3445 	struct ieee80211com *ic = &sc->sc_ic;
3446 	struct run_node *rn = RUN_NODE(ni);
3447 	struct run_tx_data *data;
3448 	struct ieee80211_frame *wh;
3449 	struct rt2870_txd *txd;
3450 	struct rt2860_txwi *txwi;
3451 	uint16_t dur;
3452 	uint8_t ridx = rn->mgt_ridx;
3453 	uint8_t type;
3454 	uint8_t xflags = 0;
3455 	uint8_t wflags = 0;
3456 
3457 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3458 
3459 	wh = mtod(m, struct ieee80211_frame *);
3460 
3461 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3462 
3463 	/* tell hardware to add timestamp for probe responses */
3464 	if ((wh->i_fc[0] &
3465 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3466 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3467 		wflags |= RT2860_TX_TS;
3468 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3469 		xflags |= RT2860_TX_ACK;
3470 
3471 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3472 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3473 		USETW(wh->i_dur, dur);
3474 	}
3475 
3476 	if (sc->sc_epq[0].tx_nfree == 0)
3477 		/* let caller free mbuf */
3478 		return (EIO);
3479 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3480 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3481 	sc->sc_epq[0].tx_nfree--;
3482 
3483 	txd = (struct rt2870_txd *)&data->desc;
3484 	txd->flags = RT2860_TX_QSEL_EDCA;
3485 	txwi = (struct rt2860_txwi *)(txd + 1);
3486 	txwi->wcid = 0xff;
3487 	txwi->flags = wflags;
3488 	txwi->xflags = xflags;
3489 	txwi->txop = 0;	/* clear leftover garbage bits */
3490 
3491 	data->m = m;
3492 	data->ni = ni;
3493 	data->ridx = ridx;
3494 
3495 	run_set_tx_desc(sc, data);
3496 
3497 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3498 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3499 	    rt2860_rates[ridx].rate);
3500 
3501 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3502 
3503 	usbd_transfer_start(sc->sc_xfer[0]);
3504 
3505 	return (0);
3506 }
3507 
3508 static int
3509 run_sendprot(struct run_softc *sc,
3510     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3511 {
3512 	struct ieee80211com *ic = ni->ni_ic;
3513 	struct ieee80211_frame *wh;
3514 	struct run_tx_data *data;
3515 	struct rt2870_txd *txd;
3516 	struct rt2860_txwi *txwi;
3517 	struct mbuf *mprot;
3518 	int ridx;
3519 	int protrate;
3520 	int ackrate;
3521 	int pktlen;
3522 	int isshort;
3523 	uint16_t dur;
3524 	uint8_t type;
3525 	uint8_t wflags = 0;
3526 	uint8_t xflags = 0;
3527 
3528 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3529 
3530 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3531 	    ("protection %d", prot));
3532 
3533 	wh = mtod(m, struct ieee80211_frame *);
3534 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3535 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3536 
3537 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3538 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3539 
3540 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3541 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3542 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3543 	wflags = RT2860_TX_FRAG;
3544 
3545 	/* check that there are free slots before allocating the mbuf */
3546 	if (sc->sc_epq[0].tx_nfree == 0)
3547 		/* let caller free mbuf */
3548 		return (ENOBUFS);
3549 
3550 	if (prot == IEEE80211_PROT_RTSCTS) {
3551 		/* NB: CTS is the same size as an ACK */
3552 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3553 		xflags |= RT2860_TX_ACK;
3554 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3555 	} else {
3556 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3557 	}
3558 	if (mprot == NULL) {
3559 		if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3560 		DPRINTF("could not allocate mbuf\n");
3561 		return (ENOBUFS);
3562 	}
3563 
3564         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3565         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3566         sc->sc_epq[0].tx_nfree--;
3567 
3568 	txd = (struct rt2870_txd *)&data->desc;
3569 	txd->flags = RT2860_TX_QSEL_EDCA;
3570 	txwi = (struct rt2860_txwi *)(txd + 1);
3571 	txwi->wcid = 0xff;
3572 	txwi->flags = wflags;
3573 	txwi->xflags = xflags;
3574 	txwi->txop = 0;	/* clear leftover garbage bits */
3575 
3576 	data->m = mprot;
3577 	data->ni = ieee80211_ref_node(ni);
3578 
3579 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3580 		if (rt2860_rates[ridx].rate == protrate)
3581 			break;
3582 	data->ridx = ridx;
3583 
3584 	run_set_tx_desc(sc, data);
3585 
3586         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3587             m->m_pkthdr.len, rate);
3588 
3589         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3590 
3591 	usbd_transfer_start(sc->sc_xfer[0]);
3592 
3593 	return (0);
3594 }
3595 
3596 static int
3597 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3598     const struct ieee80211_bpf_params *params)
3599 {
3600 	struct ieee80211com *ic = ni->ni_ic;
3601 	struct ieee80211_frame *wh;
3602 	struct run_tx_data *data;
3603 	struct rt2870_txd *txd;
3604 	struct rt2860_txwi *txwi;
3605 	uint8_t type;
3606 	uint8_t ridx;
3607 	uint8_t rate;
3608 	uint8_t opflags = 0;
3609 	uint8_t xflags = 0;
3610 	int error;
3611 
3612 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3613 
3614 	KASSERT(params != NULL, ("no raw xmit params"));
3615 
3616 	wh = mtod(m, struct ieee80211_frame *);
3617 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3618 
3619 	rate = params->ibp_rate0;
3620 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3621 		/* let caller free mbuf */
3622 		return (EINVAL);
3623 	}
3624 
3625 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3626 		xflags |= RT2860_TX_ACK;
3627 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3628 		error = run_sendprot(sc, m, ni,
3629 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3630 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3631 		    rate);
3632 		if (error) {
3633 			/* let caller free mbuf */
3634 			return error;
3635 		}
3636 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3637 	}
3638 
3639 	if (sc->sc_epq[0].tx_nfree == 0) {
3640 		/* let caller free mbuf */
3641 		DPRINTF("sending raw frame, but tx ring is full\n");
3642 		return (EIO);
3643 	}
3644         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3645         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3646         sc->sc_epq[0].tx_nfree--;
3647 
3648 	txd = (struct rt2870_txd *)&data->desc;
3649 	txd->flags = RT2860_TX_QSEL_EDCA;
3650 	txwi = (struct rt2860_txwi *)(txd + 1);
3651 	txwi->wcid = 0xff;
3652 	txwi->xflags = xflags;
3653 	txwi->txop = opflags;
3654 	txwi->flags = 0;	/* clear leftover garbage bits */
3655 
3656         data->m = m;
3657         data->ni = ni;
3658 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3659 		if (rt2860_rates[ridx].rate == rate)
3660 			break;
3661 	data->ridx = ridx;
3662 
3663         run_set_tx_desc(sc, data);
3664 
3665         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3666             m->m_pkthdr.len, rate);
3667 
3668         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3669 
3670 	usbd_transfer_start(sc->sc_xfer[0]);
3671 
3672         return (0);
3673 }
3674 
3675 static int
3676 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3677     const struct ieee80211_bpf_params *params)
3678 {
3679 	struct run_softc *sc = ni->ni_ic->ic_softc;
3680 	int error = 0;
3681 
3682 	RUN_LOCK(sc);
3683 
3684 	/* prevent management frames from being sent if we're not ready */
3685 	if (!(sc->sc_flags & RUN_RUNNING)) {
3686 		error = ENETDOWN;
3687 		goto done;
3688 	}
3689 
3690 	if (params == NULL) {
3691 		/* tx mgt packet */
3692 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3693 			DPRINTF("mgt tx failed\n");
3694 			goto done;
3695 		}
3696 	} else {
3697 		/* tx raw packet with param */
3698 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3699 			DPRINTF("tx with param failed\n");
3700 			goto done;
3701 		}
3702 	}
3703 
3704 done:
3705 	RUN_UNLOCK(sc);
3706 
3707 	if (error != 0) {
3708 		if(m != NULL)
3709 			m_freem(m);
3710 	}
3711 
3712 	return (error);
3713 }
3714 
3715 static int
3716 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3717 {
3718 	struct run_softc *sc = ic->ic_softc;
3719 	int error;
3720 
3721 	RUN_LOCK(sc);
3722 	if ((sc->sc_flags & RUN_RUNNING) == 0) {
3723 		RUN_UNLOCK(sc);
3724 		return (ENXIO);
3725 	}
3726 	error = mbufq_enqueue(&sc->sc_snd, m);
3727 	if (error) {
3728 		RUN_UNLOCK(sc);
3729 		return (error);
3730 	}
3731 	run_start(sc);
3732 	RUN_UNLOCK(sc);
3733 
3734 	return (0);
3735 }
3736 
3737 static void
3738 run_start(struct run_softc *sc)
3739 {
3740 	struct ieee80211_node *ni;
3741 	struct mbuf *m;
3742 
3743 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3744 
3745 	if ((sc->sc_flags & RUN_RUNNING) == 0)
3746 		return;
3747 
3748 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3749 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3750 		if (run_tx(sc, m, ni) != 0) {
3751 			mbufq_prepend(&sc->sc_snd, m);
3752 			break;
3753 		}
3754 	}
3755 }
3756 
3757 static void
3758 run_parent(struct ieee80211com *ic)
3759 {
3760 	struct run_softc *sc = ic->ic_softc;
3761 	int startall = 0;
3762 
3763 	RUN_LOCK(sc);
3764 	if (sc->sc_detached) {
3765 		RUN_UNLOCK(sc);
3766 		return;
3767 	}
3768 
3769 	if (ic->ic_nrunning > 0) {
3770 		if (!(sc->sc_flags & RUN_RUNNING)) {
3771 			startall = 1;
3772 			run_init_locked(sc);
3773 		} else
3774 			run_update_promisc_locked(sc);
3775 	} else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3776 		run_stop(sc);
3777 	RUN_UNLOCK(sc);
3778 	if (startall)
3779 		ieee80211_start_all(ic);
3780 }
3781 
3782 static void
3783 run_iq_calib(struct run_softc *sc, u_int chan)
3784 {
3785 	uint16_t val;
3786 
3787 	/* Tx0 IQ gain. */
3788 	run_bbp_write(sc, 158, 0x2c);
3789 	if (chan <= 14)
3790 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3791 	else if (chan <= 64) {
3792 		run_efuse_read(sc,
3793 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3794 		    &val, 1);
3795 	} else if (chan <= 138) {
3796 		run_efuse_read(sc,
3797 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3798 		    &val, 1);
3799 	} else if (chan <= 165) {
3800 		run_efuse_read(sc,
3801 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3802 		    &val, 1);
3803 	} else
3804 		val = 0;
3805 	run_bbp_write(sc, 159, val);
3806 
3807 	/* Tx0 IQ phase. */
3808 	run_bbp_write(sc, 158, 0x2d);
3809 	if (chan <= 14) {
3810 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3811 		    &val, 1);
3812 	} else if (chan <= 64) {
3813 		run_efuse_read(sc,
3814 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3815 		    &val, 1);
3816 	} else if (chan <= 138) {
3817 		run_efuse_read(sc,
3818 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3819 		    &val, 1);
3820 	} else if (chan <= 165) {
3821 		run_efuse_read(sc,
3822 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3823 		    &val, 1);
3824 	} else
3825 		val = 0;
3826 	run_bbp_write(sc, 159, val);
3827 
3828 	/* Tx1 IQ gain. */
3829 	run_bbp_write(sc, 158, 0x4a);
3830 	if (chan <= 14) {
3831 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3832 		    &val, 1);
3833 	} else if (chan <= 64) {
3834 		run_efuse_read(sc,
3835 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3836 		    &val, 1);
3837 	} else if (chan <= 138) {
3838 		run_efuse_read(sc,
3839 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3840 		    &val, 1);
3841 	} else if (chan <= 165) {
3842 		run_efuse_read(sc,
3843 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3844 		    &val, 1);
3845 	} else
3846 		val = 0;
3847 	run_bbp_write(sc, 159, val);
3848 
3849 	/* Tx1 IQ phase. */
3850 	run_bbp_write(sc, 158, 0x4b);
3851 	if (chan <= 14) {
3852 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3853 		    &val, 1);
3854 	} else if (chan <= 64) {
3855 		run_efuse_read(sc,
3856 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3857 		    &val, 1);
3858 	} else if (chan <= 138) {
3859 		run_efuse_read(sc,
3860 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3861 		    &val, 1);
3862 	} else if (chan <= 165) {
3863 		run_efuse_read(sc,
3864 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3865 		    &val, 1);
3866 	} else
3867 		val = 0;
3868 	run_bbp_write(sc, 159, val);
3869 
3870 	/* RF IQ compensation control. */
3871 	run_bbp_write(sc, 158, 0x04);
3872 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3873 	    &val, 1);
3874 	run_bbp_write(sc, 159, val);
3875 
3876 	/* RF IQ imbalance compensation control. */
3877 	run_bbp_write(sc, 158, 0x03);
3878 	run_efuse_read(sc,
3879 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3880 	run_bbp_write(sc, 159, val);
3881 }
3882 
3883 static void
3884 run_set_agc(struct run_softc *sc, uint8_t agc)
3885 {
3886 	uint8_t bbp;
3887 
3888 	if (sc->mac_ver == 0x3572) {
3889 		run_bbp_read(sc, 27, &bbp);
3890 		bbp &= ~(0x3 << 5);
3891 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3892 		run_bbp_write(sc, 66, agc);
3893 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3894 		run_bbp_write(sc, 66, agc);
3895 	} else
3896 		run_bbp_write(sc, 66, agc);
3897 }
3898 
3899 static void
3900 run_select_chan_group(struct run_softc *sc, int group)
3901 {
3902 	uint32_t tmp;
3903 	uint8_t agc;
3904 
3905 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3906 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3907 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3908 	if (sc->mac_ver < 0x3572)
3909 		run_bbp_write(sc, 86, 0x00);
3910 
3911 	if (sc->mac_ver == 0x3593) {
3912 		run_bbp_write(sc, 77, 0x98);
3913 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3914 	}
3915 
3916 	if (group == 0) {
3917 		if (sc->ext_2ghz_lna) {
3918 			if (sc->mac_ver >= 0x5390)
3919 				run_bbp_write(sc, 75, 0x52);
3920 			else {
3921 				run_bbp_write(sc, 82, 0x62);
3922 				run_bbp_write(sc, 75, 0x46);
3923 			}
3924 		} else {
3925 			if (sc->mac_ver == 0x5592) {
3926 				run_bbp_write(sc, 79, 0x1c);
3927 				run_bbp_write(sc, 80, 0x0e);
3928 				run_bbp_write(sc, 81, 0x3a);
3929 				run_bbp_write(sc, 82, 0x62);
3930 
3931 				run_bbp_write(sc, 195, 0x80);
3932 				run_bbp_write(sc, 196, 0xe0);
3933 				run_bbp_write(sc, 195, 0x81);
3934 				run_bbp_write(sc, 196, 0x1f);
3935 				run_bbp_write(sc, 195, 0x82);
3936 				run_bbp_write(sc, 196, 0x38);
3937 				run_bbp_write(sc, 195, 0x83);
3938 				run_bbp_write(sc, 196, 0x32);
3939 				run_bbp_write(sc, 195, 0x85);
3940 				run_bbp_write(sc, 196, 0x28);
3941 				run_bbp_write(sc, 195, 0x86);
3942 				run_bbp_write(sc, 196, 0x19);
3943 			} else if (sc->mac_ver >= 0x5390)
3944 				run_bbp_write(sc, 75, 0x50);
3945 			else {
3946 				run_bbp_write(sc, 82,
3947 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3948 				run_bbp_write(sc, 75, 0x50);
3949 			}
3950 		}
3951 	} else {
3952 		if (sc->mac_ver == 0x5592) {
3953 			run_bbp_write(sc, 79, 0x18);
3954 			run_bbp_write(sc, 80, 0x08);
3955 			run_bbp_write(sc, 81, 0x38);
3956 			run_bbp_write(sc, 82, 0x92);
3957 
3958 			run_bbp_write(sc, 195, 0x80);
3959 			run_bbp_write(sc, 196, 0xf0);
3960 			run_bbp_write(sc, 195, 0x81);
3961 			run_bbp_write(sc, 196, 0x1e);
3962 			run_bbp_write(sc, 195, 0x82);
3963 			run_bbp_write(sc, 196, 0x28);
3964 			run_bbp_write(sc, 195, 0x83);
3965 			run_bbp_write(sc, 196, 0x20);
3966 			run_bbp_write(sc, 195, 0x85);
3967 			run_bbp_write(sc, 196, 0x7f);
3968 			run_bbp_write(sc, 195, 0x86);
3969 			run_bbp_write(sc, 196, 0x7f);
3970 		} else if (sc->mac_ver == 0x3572)
3971 			run_bbp_write(sc, 82, 0x94);
3972 		else
3973 			run_bbp_write(sc, 82,
3974 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3975 		if (sc->ext_5ghz_lna)
3976 			run_bbp_write(sc, 75, 0x46);
3977 		else
3978 			run_bbp_write(sc, 75, 0x50);
3979 	}
3980 
3981 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3982 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3983 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
3984 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
3985 
3986 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
3987 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
3988 	if (sc->mac_ver == 0x3593)
3989 		tmp |= 1 << 29 | 1 << 28;
3990 	if (sc->nrxchains > 1)
3991 		tmp |= RT2860_LNA_PE1_EN;
3992 	if (group == 0) {	/* 2GHz */
3993 		tmp |= RT2860_PA_PE_G0_EN;
3994 		if (sc->ntxchains > 1)
3995 			tmp |= RT2860_PA_PE_G1_EN;
3996 		if (sc->mac_ver == 0x3593) {
3997 			if (sc->ntxchains > 2)
3998 				tmp |= 1 << 25;
3999 		}
4000 	} else {		/* 5GHz */
4001 		tmp |= RT2860_PA_PE_A0_EN;
4002 		if (sc->ntxchains > 1)
4003 			tmp |= RT2860_PA_PE_A1_EN;
4004 	}
4005 	if (sc->mac_ver == 0x3572) {
4006 		run_rt3070_rf_write(sc, 8, 0x00);
4007 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4008 		run_rt3070_rf_write(sc, 8, 0x80);
4009 	} else
4010 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4011 
4012 	if (sc->mac_ver == 0x5592) {
4013 		run_bbp_write(sc, 195, 0x8d);
4014 		run_bbp_write(sc, 196, 0x1a);
4015 	}
4016 
4017 	if (sc->mac_ver == 0x3593) {
4018 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
4019 		tmp &= ~0x01010000;
4020 		if (group == 0)
4021 			tmp |= 0x00010000;
4022 		tmp = (tmp & ~0x00009090) | 0x00000090;
4023 		run_write(sc, RT2860_GPIO_CTRL, tmp);
4024 	}
4025 
4026 	/* set initial AGC value */
4027 	if (group == 0) {	/* 2GHz band */
4028 		if (sc->mac_ver >= 0x3070)
4029 			agc = 0x1c + sc->lna[0] * 2;
4030 		else
4031 			agc = 0x2e + sc->lna[0];
4032 	} else {		/* 5GHz band */
4033 		if (sc->mac_ver == 0x5592)
4034 			agc = 0x24 + sc->lna[group] * 2;
4035 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4036 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4037 		else
4038 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4039 	}
4040 	run_set_agc(sc, agc);
4041 }
4042 
4043 static void
4044 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4045 {
4046 	const struct rfprog *rfprog = rt2860_rf2850;
4047 	uint32_t r2, r3, r4;
4048 	int8_t txpow1, txpow2;
4049 	int i;
4050 
4051 	/* find the settings for this channel (we know it exists) */
4052 	for (i = 0; rfprog[i].chan != chan; i++);
4053 
4054 	r2 = rfprog[i].r2;
4055 	if (sc->ntxchains == 1)
4056 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4057 	if (sc->nrxchains == 1)
4058 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4059 	else if (sc->nrxchains == 2)
4060 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4061 
4062 	/* use Tx power values from EEPROM */
4063 	txpow1 = sc->txpow1[i];
4064 	txpow2 = sc->txpow2[i];
4065 
4066 	/* Initialize RF R3 and R4. */
4067 	r3 = rfprog[i].r3 & 0xffffc1ff;
4068 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4069 	if (chan > 14) {
4070 		if (txpow1 >= 0) {
4071 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4072 			r3 |= (txpow1 << 10) | (1 << 9);
4073 		} else {
4074 			txpow1 += 7;
4075 
4076 			/* txpow1 is not possible larger than 15. */
4077 			r3 |= (txpow1 << 10);
4078 		}
4079 		if (txpow2 >= 0) {
4080 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4081 			r4 |= (txpow2 << 7) | (1 << 6);
4082 		} else {
4083 			txpow2 += 7;
4084 			r4 |= (txpow2 << 7);
4085 		}
4086 	} else {
4087 		/* Set Tx0 power. */
4088 		r3 |= (txpow1 << 9);
4089 
4090 		/* Set frequency offset and Tx1 power. */
4091 		r4 |= (txpow2 << 6);
4092 	}
4093 
4094 	run_rt2870_rf_write(sc, rfprog[i].r1);
4095 	run_rt2870_rf_write(sc, r2);
4096 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4097 	run_rt2870_rf_write(sc, r4);
4098 
4099 	run_delay(sc, 10);
4100 
4101 	run_rt2870_rf_write(sc, rfprog[i].r1);
4102 	run_rt2870_rf_write(sc, r2);
4103 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4104 	run_rt2870_rf_write(sc, r4);
4105 
4106 	run_delay(sc, 10);
4107 
4108 	run_rt2870_rf_write(sc, rfprog[i].r1);
4109 	run_rt2870_rf_write(sc, r2);
4110 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4111 	run_rt2870_rf_write(sc, r4);
4112 }
4113 
4114 static void
4115 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4116 {
4117 	int8_t txpow1, txpow2;
4118 	uint8_t rf;
4119 	int i;
4120 
4121 	/* find the settings for this channel (we know it exists) */
4122 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4123 
4124 	/* use Tx power values from EEPROM */
4125 	txpow1 = sc->txpow1[i];
4126 	txpow2 = sc->txpow2[i];
4127 
4128 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4129 
4130 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4131 	run_rt3070_rf_read(sc, 3, &rf);
4132 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4133 	run_rt3070_rf_write(sc, 3, rf);
4134 
4135 	run_rt3070_rf_read(sc, 6, &rf);
4136 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4137 	run_rt3070_rf_write(sc, 6, rf);
4138 
4139 	/* set Tx0 power */
4140 	run_rt3070_rf_read(sc, 12, &rf);
4141 	rf = (rf & ~0x1f) | txpow1;
4142 	run_rt3070_rf_write(sc, 12, rf);
4143 
4144 	/* set Tx1 power */
4145 	run_rt3070_rf_read(sc, 13, &rf);
4146 	rf = (rf & ~0x1f) | txpow2;
4147 	run_rt3070_rf_write(sc, 13, rf);
4148 
4149 	run_rt3070_rf_read(sc, 1, &rf);
4150 	rf &= ~0xfc;
4151 	if (sc->ntxchains == 1)
4152 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4153 	else if (sc->ntxchains == 2)
4154 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4155 	if (sc->nrxchains == 1)
4156 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4157 	else if (sc->nrxchains == 2)
4158 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4159 	run_rt3070_rf_write(sc, 1, rf);
4160 
4161 	/* set RF offset */
4162 	run_rt3070_rf_read(sc, 23, &rf);
4163 	rf = (rf & ~0x7f) | sc->freq;
4164 	run_rt3070_rf_write(sc, 23, rf);
4165 
4166 	/* program RF filter */
4167 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4168 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4169 	run_rt3070_rf_write(sc, 24, rf);
4170 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4171 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4172 	run_rt3070_rf_write(sc, 31, rf);
4173 
4174 	/* enable RF tuning */
4175 	run_rt3070_rf_read(sc, 7, &rf);
4176 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4177 }
4178 
4179 static void
4180 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4181 {
4182 	int8_t txpow1, txpow2;
4183 	uint32_t tmp;
4184 	uint8_t rf;
4185 	int i;
4186 
4187 	/* find the settings for this channel (we know it exists) */
4188 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4189 
4190 	/* use Tx power values from EEPROM */
4191 	txpow1 = sc->txpow1[i];
4192 	txpow2 = sc->txpow2[i];
4193 
4194 	if (chan <= 14) {
4195 		run_bbp_write(sc, 25, sc->bbp25);
4196 		run_bbp_write(sc, 26, sc->bbp26);
4197 	} else {
4198 		/* enable IQ phase correction */
4199 		run_bbp_write(sc, 25, 0x09);
4200 		run_bbp_write(sc, 26, 0xff);
4201 	}
4202 
4203 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4204 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4205 	run_rt3070_rf_read(sc, 6, &rf);
4206 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4207 	rf |= (chan <= 14) ? 0x08 : 0x04;
4208 	run_rt3070_rf_write(sc, 6, rf);
4209 
4210 	/* set PLL mode */
4211 	run_rt3070_rf_read(sc, 5, &rf);
4212 	rf &= ~(0x08 | 0x04);
4213 	rf |= (chan <= 14) ? 0x04 : 0x08;
4214 	run_rt3070_rf_write(sc, 5, rf);
4215 
4216 	/* set Tx power for chain 0 */
4217 	if (chan <= 14)
4218 		rf = 0x60 | txpow1;
4219 	else
4220 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4221 	run_rt3070_rf_write(sc, 12, rf);
4222 
4223 	/* set Tx power for chain 1 */
4224 	if (chan <= 14)
4225 		rf = 0x60 | txpow2;
4226 	else
4227 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4228 	run_rt3070_rf_write(sc, 13, rf);
4229 
4230 	/* set Tx/Rx streams */
4231 	run_rt3070_rf_read(sc, 1, &rf);
4232 	rf &= ~0xfc;
4233 	if (sc->ntxchains == 1)
4234 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4235 	else if (sc->ntxchains == 2)
4236 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4237 	if (sc->nrxchains == 1)
4238 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4239 	else if (sc->nrxchains == 2)
4240 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4241 	run_rt3070_rf_write(sc, 1, rf);
4242 
4243 	/* set RF offset */
4244 	run_rt3070_rf_read(sc, 23, &rf);
4245 	rf = (rf & ~0x7f) | sc->freq;
4246 	run_rt3070_rf_write(sc, 23, rf);
4247 
4248 	/* program RF filter */
4249 	rf = sc->rf24_20mhz;
4250 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4251 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4252 
4253 	/* enable RF tuning */
4254 	run_rt3070_rf_read(sc, 7, &rf);
4255 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4256 	run_rt3070_rf_write(sc, 7, rf);
4257 
4258 	/* TSSI */
4259 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4260 	run_rt3070_rf_write(sc, 9, rf);
4261 
4262 	/* set loop filter 1 */
4263 	run_rt3070_rf_write(sc, 10, 0xf1);
4264 	/* set loop filter 2 */
4265 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4266 
4267 	/* set tx_mx2_ic */
4268 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4269 	/* set tx_mx1_ic */
4270 	if (chan <= 14)
4271 		rf = 0x48 | sc->txmixgain_2ghz;
4272 	else
4273 		rf = 0x78 | sc->txmixgain_5ghz;
4274 	run_rt3070_rf_write(sc, 16, rf);
4275 
4276 	/* set tx_lo1 */
4277 	run_rt3070_rf_write(sc, 17, 0x23);
4278 	/* set tx_lo2 */
4279 	if (chan <= 14)
4280 		rf = 0x93;
4281 	else if (chan <= 64)
4282 		rf = 0xb7;
4283 	else if (chan <= 128)
4284 		rf = 0x74;
4285 	else
4286 		rf = 0x72;
4287 	run_rt3070_rf_write(sc, 19, rf);
4288 
4289 	/* set rx_lo1 */
4290 	if (chan <= 14)
4291 		rf = 0xb3;
4292 	else if (chan <= 64)
4293 		rf = 0xf6;
4294 	else if (chan <= 128)
4295 		rf = 0xf4;
4296 	else
4297 		rf = 0xf3;
4298 	run_rt3070_rf_write(sc, 20, rf);
4299 
4300 	/* set pfd_delay */
4301 	if (chan <= 14)
4302 		rf = 0x15;
4303 	else if (chan <= 64)
4304 		rf = 0x3d;
4305 	else
4306 		rf = 0x01;
4307 	run_rt3070_rf_write(sc, 25, rf);
4308 
4309 	/* set rx_lo2 */
4310 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4311 	/* set ldo_rf_vc */
4312 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4313 	/* set drv_cc */
4314 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4315 
4316 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4317 	tmp &= ~0x8080;
4318 	if (chan <= 14)
4319 		tmp |= 0x80;
4320 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4321 
4322 	/* enable RF tuning */
4323 	run_rt3070_rf_read(sc, 7, &rf);
4324 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4325 
4326 	run_delay(sc, 2);
4327 }
4328 
4329 static void
4330 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4331 {
4332 	int8_t txpow1, txpow2, txpow3;
4333 	uint8_t h20mhz, rf;
4334 	int i;
4335 
4336 	/* find the settings for this channel (we know it exists) */
4337 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4338 
4339 	/* use Tx power values from EEPROM */
4340 	txpow1 = sc->txpow1[i];
4341 	txpow2 = sc->txpow2[i];
4342 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4343 
4344 	if (chan <= 14) {
4345 		run_bbp_write(sc, 25, sc->bbp25);
4346 		run_bbp_write(sc, 26, sc->bbp26);
4347 	} else {
4348 		/* Enable IQ phase correction. */
4349 		run_bbp_write(sc, 25, 0x09);
4350 		run_bbp_write(sc, 26, 0xff);
4351 	}
4352 
4353 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4354 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4355 	run_rt3070_rf_read(sc, 11, &rf);
4356 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4357 	run_rt3070_rf_write(sc, 11, rf);
4358 
4359 	/* Set pll_idoh. */
4360 	run_rt3070_rf_read(sc, 11, &rf);
4361 	rf &= ~0x4c;
4362 	rf |= (chan <= 14) ? 0x44 : 0x48;
4363 	run_rt3070_rf_write(sc, 11, rf);
4364 
4365 	if (chan <= 14)
4366 		rf = txpow1 & 0x1f;
4367 	else
4368 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4369 	run_rt3070_rf_write(sc, 53, rf);
4370 
4371 	if (chan <= 14)
4372 		rf = txpow2 & 0x1f;
4373 	else
4374 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4375 	run_rt3070_rf_write(sc, 55, rf);
4376 
4377 	if (chan <= 14)
4378 		rf = txpow3 & 0x1f;
4379 	else
4380 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4381 	run_rt3070_rf_write(sc, 54, rf);
4382 
4383 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4384 	if (sc->ntxchains == 3)
4385 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4386 	else
4387 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4388 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4389 	run_rt3070_rf_write(sc, 1, rf);
4390 
4391 	run_adjust_freq_offset(sc);
4392 
4393 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4394 
4395 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4396 	run_rt3070_rf_read(sc, 30, &rf);
4397 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4398 	run_rt3070_rf_write(sc, 30, rf);
4399 
4400 	run_rt3070_rf_read(sc, 36, &rf);
4401 	if (chan <= 14)
4402 		rf |= 0x80;
4403 	else
4404 		rf &= ~0x80;
4405 	run_rt3070_rf_write(sc, 36, rf);
4406 
4407 	/* Set vcolo_bs. */
4408 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4409 	/* Set pfd_delay. */
4410 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4411 
4412 	/* Set vco bias current control. */
4413 	run_rt3070_rf_read(sc, 6, &rf);
4414 	rf &= ~0xc0;
4415 	if (chan <= 14)
4416 		rf |= 0x40;
4417 	else if (chan <= 128)
4418 		rf |= 0x80;
4419 	else
4420 		rf |= 0x40;
4421 	run_rt3070_rf_write(sc, 6, rf);
4422 
4423 	run_rt3070_rf_read(sc, 30, &rf);
4424 	rf = (rf & ~0x18) | 0x10;
4425 	run_rt3070_rf_write(sc, 30, rf);
4426 
4427 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4428 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4429 
4430 	run_rt3070_rf_read(sc, 51, &rf);
4431 	rf = (rf & ~0x03) | 0x01;
4432 	run_rt3070_rf_write(sc, 51, rf);
4433 	/* Set tx_mx1_cc. */
4434 	run_rt3070_rf_read(sc, 51, &rf);
4435 	rf &= ~0x1c;
4436 	rf |= (chan <= 14) ? 0x14 : 0x10;
4437 	run_rt3070_rf_write(sc, 51, rf);
4438 	/* Set tx_mx1_ic. */
4439 	run_rt3070_rf_read(sc, 51, &rf);
4440 	rf &= ~0xe0;
4441 	rf |= (chan <= 14) ? 0x60 : 0x40;
4442 	run_rt3070_rf_write(sc, 51, rf);
4443 	/* Set tx_lo1_ic. */
4444 	run_rt3070_rf_read(sc, 49, &rf);
4445 	rf &= ~0x1c;
4446 	rf |= (chan <= 14) ? 0x0c : 0x08;
4447 	run_rt3070_rf_write(sc, 49, rf);
4448 	/* Set tx_lo1_en. */
4449 	run_rt3070_rf_read(sc, 50, &rf);
4450 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4451 	/* Set drv_cc. */
4452 	run_rt3070_rf_read(sc, 57, &rf);
4453 	rf &= ~0xfc;
4454 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4455 	run_rt3070_rf_write(sc, 57, rf);
4456 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4457 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4458 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4459 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4460 	/* Enable VCO calibration. */
4461 	run_rt3070_rf_read(sc, 3, &rf);
4462 	rf &= ~RT5390_VCOCAL;
4463 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4464 	run_rt3070_rf_write(sc, 3, rf);
4465 
4466 	if (chan <= 14)
4467 		rf = 0x23;
4468 	else if (chan <= 64)
4469 		rf = 0x36;
4470 	else if (chan <= 128)
4471 		rf = 0x32;
4472 	else
4473 		rf = 0x30;
4474 	run_rt3070_rf_write(sc, 39, rf);
4475 	if (chan <= 14)
4476 		rf = 0xbb;
4477 	else if (chan <= 64)
4478 		rf = 0xeb;
4479 	else if (chan <= 128)
4480 		rf = 0xb3;
4481 	else
4482 		rf = 0x9b;
4483 	run_rt3070_rf_write(sc, 45, rf);
4484 
4485 	/* Set FEQ/AEQ control. */
4486 	run_bbp_write(sc, 105, 0x34);
4487 }
4488 
4489 static void
4490 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4491 {
4492 	int8_t txpow1, txpow2;
4493 	uint8_t rf;
4494 	int i;
4495 
4496 	/* find the settings for this channel (we know it exists) */
4497 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4498 
4499 	/* use Tx power values from EEPROM */
4500 	txpow1 = sc->txpow1[i];
4501 	txpow2 = sc->txpow2[i];
4502 
4503 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4504 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4505 	run_rt3070_rf_read(sc, 11, &rf);
4506 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4507 	run_rt3070_rf_write(sc, 11, rf);
4508 
4509 	run_rt3070_rf_read(sc, 49, &rf);
4510 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4511 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4512 	if ((rf & 0x3f) > 0x27)
4513 		rf = (rf & ~0x3f) | 0x27;
4514 	run_rt3070_rf_write(sc, 49, rf);
4515 
4516 	if (sc->mac_ver == 0x5392) {
4517 		run_rt3070_rf_read(sc, 50, &rf);
4518 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4519 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4520 		if ((rf & 0x3f) > 0x27)
4521 			rf = (rf & ~0x3f) | 0x27;
4522 		run_rt3070_rf_write(sc, 50, rf);
4523 	}
4524 
4525 	run_rt3070_rf_read(sc, 1, &rf);
4526 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4527 	if (sc->mac_ver == 0x5392)
4528 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4529 	run_rt3070_rf_write(sc, 1, rf);
4530 
4531 	if (sc->mac_ver != 0x5392) {
4532 		run_rt3070_rf_read(sc, 2, &rf);
4533 		rf |= 0x80;
4534 		run_rt3070_rf_write(sc, 2, rf);
4535 		run_delay(sc, 10);
4536 		rf &= 0x7f;
4537 		run_rt3070_rf_write(sc, 2, rf);
4538 	}
4539 
4540 	run_adjust_freq_offset(sc);
4541 
4542 	if (sc->mac_ver == 0x5392) {
4543 		/* Fix for RT5392C. */
4544 		if (sc->mac_rev >= 0x0223) {
4545 			if (chan <= 4)
4546 				rf = 0x0f;
4547 			else if (chan >= 5 && chan <= 7)
4548 				rf = 0x0e;
4549 			else
4550 				rf = 0x0d;
4551 			run_rt3070_rf_write(sc, 23, rf);
4552 
4553 			if (chan <= 4)
4554 				rf = 0x0c;
4555 			else if (chan == 5)
4556 				rf = 0x0b;
4557 			else if (chan >= 6 && chan <= 7)
4558 				rf = 0x0a;
4559 			else if (chan >= 8 && chan <= 10)
4560 				rf = 0x09;
4561 			else
4562 				rf = 0x08;
4563 			run_rt3070_rf_write(sc, 59, rf);
4564 		} else {
4565 			if (chan <= 11)
4566 				rf = 0x0f;
4567 			else
4568 				rf = 0x0b;
4569 			run_rt3070_rf_write(sc, 59, rf);
4570 		}
4571 	} else {
4572 		/* Fix for RT5390F. */
4573 		if (sc->mac_rev >= 0x0502) {
4574 			if (chan <= 11)
4575 				rf = 0x43;
4576 			else
4577 				rf = 0x23;
4578 			run_rt3070_rf_write(sc, 55, rf);
4579 
4580 			if (chan <= 11)
4581 				rf = 0x0f;
4582 			else if (chan == 12)
4583 				rf = 0x0d;
4584 			else
4585 				rf = 0x0b;
4586 			run_rt3070_rf_write(sc, 59, rf);
4587 		} else {
4588 			run_rt3070_rf_write(sc, 55, 0x44);
4589 			run_rt3070_rf_write(sc, 59, 0x8f);
4590 		}
4591 	}
4592 
4593 	/* Enable VCO calibration. */
4594 	run_rt3070_rf_read(sc, 3, &rf);
4595 	rf |= RT5390_VCOCAL;
4596 	run_rt3070_rf_write(sc, 3, rf);
4597 }
4598 
4599 static void
4600 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4601 {
4602 	const struct rt5592_freqs *freqs;
4603 	uint32_t tmp;
4604 	uint8_t reg, rf, txpow_bound;
4605 	int8_t txpow1, txpow2;
4606 	int i;
4607 
4608 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4609 	freqs = (tmp & RT5592_SEL_XTAL) ?
4610 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4611 
4612 	/* find the settings for this channel (we know it exists) */
4613 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4614 
4615 	/* use Tx power values from EEPROM */
4616 	txpow1 = sc->txpow1[i];
4617 	txpow2 = sc->txpow2[i];
4618 
4619 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4620 	tmp &= ~0x1c000000;
4621 	if (chan > 14)
4622 		tmp |= 0x14000000;
4623 	run_write(sc, RT3070_LDO_CFG0, tmp);
4624 
4625 	/* N setting. */
4626 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4627 	run_rt3070_rf_read(sc, 9, &rf);
4628 	rf &= ~(1 << 4);
4629 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4630 	run_rt3070_rf_write(sc, 9, rf);
4631 
4632 	/* K setting. */
4633 	run_rt3070_rf_read(sc, 9, &rf);
4634 	rf &= ~0x0f;
4635 	rf |= (freqs->k & 0x0f);
4636 	run_rt3070_rf_write(sc, 9, rf);
4637 
4638 	/* Mode setting. */
4639 	run_rt3070_rf_read(sc, 11, &rf);
4640 	rf &= ~0x0c;
4641 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4642 	run_rt3070_rf_write(sc, 11, rf);
4643 	run_rt3070_rf_read(sc, 9, &rf);
4644 	rf &= ~(1 << 7);
4645 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4646 	run_rt3070_rf_write(sc, 9, rf);
4647 
4648 	/* R setting. */
4649 	run_rt3070_rf_read(sc, 11, &rf);
4650 	rf &= ~0x03;
4651 	rf |= (freqs->r - 0x1);
4652 	run_rt3070_rf_write(sc, 11, rf);
4653 
4654 	if (chan <= 14) {
4655 		/* Initialize RF registers for 2GHZ. */
4656 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4657 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4658 			    rt5592_2ghz_def_rf[i].val);
4659 		}
4660 
4661 		rf = (chan <= 10) ? 0x07 : 0x06;
4662 		run_rt3070_rf_write(sc, 23, rf);
4663 		run_rt3070_rf_write(sc, 59, rf);
4664 
4665 		run_rt3070_rf_write(sc, 55, 0x43);
4666 
4667 		/*
4668 		 * RF R49/R50 Tx power ALC code.
4669 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4670 		 */
4671 		reg = 2;
4672 		txpow_bound = 0x27;
4673 	} else {
4674 		/* Initialize RF registers for 5GHZ. */
4675 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4676 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4677 			    rt5592_5ghz_def_rf[i].val);
4678 		}
4679 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4680 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4681 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4682 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4683 				    rt5592_chan_5ghz[i].val);
4684 			}
4685 		}
4686 
4687 		/*
4688 		 * RF R49/R50 Tx power ALC code.
4689 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4690 		 */
4691 		reg = 3;
4692 		txpow_bound = 0x2b;
4693 	}
4694 
4695 	/* RF R49 ch0 Tx power ALC code. */
4696 	run_rt3070_rf_read(sc, 49, &rf);
4697 	rf &= ~0xc0;
4698 	rf |= (reg << 6);
4699 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4700 	if ((rf & 0x3f) > txpow_bound)
4701 		rf = (rf & ~0x3f) | txpow_bound;
4702 	run_rt3070_rf_write(sc, 49, rf);
4703 
4704 	/* RF R50 ch1 Tx power ALC code. */
4705 	run_rt3070_rf_read(sc, 50, &rf);
4706 	rf &= ~(1 << 7 | 1 << 6);
4707 	rf |= (reg << 6);
4708 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4709 	if ((rf & 0x3f) > txpow_bound)
4710 		rf = (rf & ~0x3f) | txpow_bound;
4711 	run_rt3070_rf_write(sc, 50, rf);
4712 
4713 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4714 	run_rt3070_rf_read(sc, 1, &rf);
4715 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4716 	if (sc->ntxchains > 1)
4717 		rf |= RT3070_TX1_PD;
4718 	if (sc->nrxchains > 1)
4719 		rf |= RT3070_RX1_PD;
4720 	run_rt3070_rf_write(sc, 1, rf);
4721 
4722 	run_rt3070_rf_write(sc, 6, 0xe4);
4723 
4724 	run_rt3070_rf_write(sc, 30, 0x10);
4725 	run_rt3070_rf_write(sc, 31, 0x80);
4726 	run_rt3070_rf_write(sc, 32, 0x80);
4727 
4728 	run_adjust_freq_offset(sc);
4729 
4730 	/* Enable VCO calibration. */
4731 	run_rt3070_rf_read(sc, 3, &rf);
4732 	rf |= RT5390_VCOCAL;
4733 	run_rt3070_rf_write(sc, 3, rf);
4734 }
4735 
4736 static void
4737 run_set_rx_antenna(struct run_softc *sc, int aux)
4738 {
4739 	uint32_t tmp;
4740 	uint8_t bbp152;
4741 
4742 	if (aux) {
4743 		if (sc->rf_rev == RT5390_RF_5370) {
4744 			run_bbp_read(sc, 152, &bbp152);
4745 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4746 		} else {
4747 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4748 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4749 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4750 		}
4751 	} else {
4752 		if (sc->rf_rev == RT5390_RF_5370) {
4753 			run_bbp_read(sc, 152, &bbp152);
4754 			run_bbp_write(sc, 152, bbp152 | 0x80);
4755 		} else {
4756 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4757 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4758 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4759 		}
4760 	}
4761 }
4762 
4763 static int
4764 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4765 {
4766 	struct ieee80211com *ic = &sc->sc_ic;
4767 	u_int chan, group;
4768 
4769 	chan = ieee80211_chan2ieee(ic, c);
4770 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4771 		return (EINVAL);
4772 
4773 	if (sc->mac_ver == 0x5592)
4774 		run_rt5592_set_chan(sc, chan);
4775 	else if (sc->mac_ver >= 0x5390)
4776 		run_rt5390_set_chan(sc, chan);
4777 	else if (sc->mac_ver == 0x3593)
4778 		run_rt3593_set_chan(sc, chan);
4779 	else if (sc->mac_ver == 0x3572)
4780 		run_rt3572_set_chan(sc, chan);
4781 	else if (sc->mac_ver >= 0x3070)
4782 		run_rt3070_set_chan(sc, chan);
4783 	else
4784 		run_rt2870_set_chan(sc, chan);
4785 
4786 	/* determine channel group */
4787 	if (chan <= 14)
4788 		group = 0;
4789 	else if (chan <= 64)
4790 		group = 1;
4791 	else if (chan <= 128)
4792 		group = 2;
4793 	else
4794 		group = 3;
4795 
4796 	/* XXX necessary only when group has changed! */
4797 	run_select_chan_group(sc, group);
4798 
4799 	run_delay(sc, 10);
4800 
4801 	/* Perform IQ calibration. */
4802 	if (sc->mac_ver >= 0x5392)
4803 		run_iq_calib(sc, chan);
4804 
4805 	return (0);
4806 }
4807 
4808 static void
4809 run_set_channel(struct ieee80211com *ic)
4810 {
4811 	struct run_softc *sc = ic->ic_softc;
4812 
4813 	RUN_LOCK(sc);
4814 	run_set_chan(sc, ic->ic_curchan);
4815 	RUN_UNLOCK(sc);
4816 
4817 	return;
4818 }
4819 
4820 static void
4821 run_scan_start(struct ieee80211com *ic)
4822 {
4823 	struct run_softc *sc = ic->ic_softc;
4824 	uint32_t tmp;
4825 
4826 	RUN_LOCK(sc);
4827 
4828 	/* abort TSF synchronization */
4829 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4830 	run_write(sc, RT2860_BCN_TIME_CFG,
4831 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4832 	    RT2860_TBTT_TIMER_EN));
4833 	run_set_bssid(sc, ieee80211broadcastaddr);
4834 
4835 	RUN_UNLOCK(sc);
4836 
4837 	return;
4838 }
4839 
4840 static void
4841 run_scan_end(struct ieee80211com *ic)
4842 {
4843 	struct run_softc *sc = ic->ic_softc;
4844 
4845 	RUN_LOCK(sc);
4846 
4847 	run_enable_tsf_sync(sc);
4848 	/* XXX keep local copy */
4849 	run_set_bssid(sc, ic->ic_macaddr);
4850 
4851 	RUN_UNLOCK(sc);
4852 
4853 	return;
4854 }
4855 
4856 /*
4857  * Could be called from ieee80211_node_timeout()
4858  * (non-sleepable thread)
4859  */
4860 static void
4861 run_update_beacon(struct ieee80211vap *vap, int item)
4862 {
4863 	struct ieee80211com *ic = vap->iv_ic;
4864 	struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
4865 	struct ieee80211_node *ni = vap->iv_bss;
4866 	struct run_softc *sc = ic->ic_softc;
4867 	struct run_vap *rvp = RUN_VAP(vap);
4868 	int mcast = 0;
4869 	uint32_t i;
4870 
4871 	switch (item) {
4872 	case IEEE80211_BEACON_ERP:
4873 		run_updateslot(ic);
4874 		break;
4875 	case IEEE80211_BEACON_HTINFO:
4876 		run_updateprot(ic);
4877 		break;
4878 	case IEEE80211_BEACON_TIM:
4879 		mcast = 1;	/*TODO*/
4880 		break;
4881 	default:
4882 		break;
4883 	}
4884 
4885 	setbit(bo->bo_flags, item);
4886 	if (rvp->beacon_mbuf == NULL) {
4887 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4888 		if (rvp->beacon_mbuf == NULL)
4889 			return;
4890 	}
4891 	ieee80211_beacon_update(ni, rvp->beacon_mbuf, mcast);
4892 
4893 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4894 	DPRINTF("cmdq_store=%d\n", i);
4895 	sc->cmdq[i].func = run_update_beacon_cb;
4896 	sc->cmdq[i].arg0 = vap;
4897 	ieee80211_runtask(ic, &sc->cmdq_task);
4898 
4899 	return;
4900 }
4901 
4902 static void
4903 run_update_beacon_cb(void *arg)
4904 {
4905 	struct ieee80211vap *vap = arg;
4906 	struct ieee80211_node *ni = vap->iv_bss;
4907 	struct run_vap *rvp = RUN_VAP(vap);
4908 	struct ieee80211com *ic = vap->iv_ic;
4909 	struct run_softc *sc = ic->ic_softc;
4910 	struct rt2860_txwi txwi;
4911 	struct mbuf *m;
4912 	uint16_t txwisize;
4913 	uint8_t ridx;
4914 
4915 	if (ni->ni_chan == IEEE80211_CHAN_ANYC)
4916 		return;
4917 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4918 		return;
4919 
4920 	/*
4921 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4922 	 * is taking care of apropriate calls.
4923 	 */
4924 	if (rvp->beacon_mbuf == NULL) {
4925 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4926 		if (rvp->beacon_mbuf == NULL)
4927 			return;
4928 	}
4929 	m = rvp->beacon_mbuf;
4930 
4931 	memset(&txwi, 0, sizeof(txwi));
4932 	txwi.wcid = 0xff;
4933 	txwi.len = htole16(m->m_pkthdr.len);
4934 
4935 	/* send beacons at the lowest available rate */
4936 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4937 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4938 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4939 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4940 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4941 	txwi.txop = RT2860_TX_TXOP_HT;
4942 	txwi.flags = RT2860_TX_TS;
4943 	txwi.xflags = RT2860_TX_NSEQ;
4944 
4945 	txwisize = (sc->mac_ver == 0x5592) ?
4946 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4947 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4948 	    txwisize);
4949 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4950 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4951 }
4952 
4953 static void
4954 run_updateprot(struct ieee80211com *ic)
4955 {
4956 	struct run_softc *sc = ic->ic_softc;
4957 	uint32_t i;
4958 
4959 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4960 	DPRINTF("cmdq_store=%d\n", i);
4961 	sc->cmdq[i].func = run_updateprot_cb;
4962 	sc->cmdq[i].arg0 = ic;
4963 	ieee80211_runtask(ic, &sc->cmdq_task);
4964 }
4965 
4966 static void
4967 run_updateprot_cb(void *arg)
4968 {
4969 	struct ieee80211com *ic = arg;
4970 	struct run_softc *sc = ic->ic_softc;
4971 	uint32_t tmp;
4972 
4973 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4974 	/* setup protection frame rate (MCS code) */
4975 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4976 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
4977 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
4978 
4979 	/* CCK frames don't require protection */
4980 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4981 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
4982 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4983 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
4984 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4985 			tmp |= RT2860_PROT_CTRL_CTS;
4986 	}
4987 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
4988 }
4989 
4990 static void
4991 run_usb_timeout_cb(void *arg)
4992 {
4993 	struct ieee80211vap *vap = arg;
4994 	struct run_softc *sc = vap->iv_ic->ic_softc;
4995 
4996 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4997 
4998 	if(vap->iv_state == IEEE80211_S_RUN &&
4999 	    vap->iv_opmode != IEEE80211_M_STA)
5000 		run_reset_livelock(sc);
5001 	else if (vap->iv_state == IEEE80211_S_SCAN) {
5002 		DPRINTF("timeout caused by scan\n");
5003 		/* cancel bgscan */
5004 		ieee80211_cancel_scan(vap);
5005 	} else
5006 		DPRINTF("timeout by unknown cause\n");
5007 }
5008 
5009 static void
5010 run_reset_livelock(struct run_softc *sc)
5011 {
5012 	uint32_t tmp;
5013 
5014 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5015 
5016 	/*
5017 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5018 	 * can run into a livelock and start sending CTS-to-self frames like
5019 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
5020 	 */
5021 	run_read(sc, RT2860_DEBUG, &tmp);
5022 	DPRINTFN(3, "debug reg %08x\n", tmp);
5023 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5024 		DPRINTF("CTS-to-self livelock detected\n");
5025 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5026 		run_delay(sc, 1);
5027 		run_write(sc, RT2860_MAC_SYS_CTRL,
5028 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5029 	}
5030 }
5031 
5032 static void
5033 run_update_promisc_locked(struct run_softc *sc)
5034 {
5035         uint32_t tmp;
5036 
5037 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5038 
5039 	tmp |= RT2860_DROP_UC_NOME;
5040         if (sc->sc_ic.ic_promisc > 0)
5041 		tmp &= ~RT2860_DROP_UC_NOME;
5042 
5043 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5044 
5045         DPRINTF("%s promiscuous mode\n", (sc->sc_ic.ic_promisc > 0) ?
5046             "entering" : "leaving");
5047 }
5048 
5049 static void
5050 run_update_promisc(struct ieee80211com *ic)
5051 {
5052 	struct run_softc *sc = ic->ic_softc;
5053 
5054 	if ((sc->sc_flags & RUN_RUNNING) == 0)
5055 		return;
5056 
5057 	RUN_LOCK(sc);
5058 	run_update_promisc_locked(sc);
5059 	RUN_UNLOCK(sc);
5060 }
5061 
5062 static void
5063 run_enable_tsf_sync(struct run_softc *sc)
5064 {
5065 	struct ieee80211com *ic = &sc->sc_ic;
5066 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5067 	uint32_t tmp;
5068 
5069 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5070 	    ic->ic_opmode);
5071 
5072 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5073 	tmp &= ~0x1fffff;
5074 	tmp |= vap->iv_bss->ni_intval * 16;
5075 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5076 
5077 	if (ic->ic_opmode == IEEE80211_M_STA) {
5078 		/*
5079 		 * Local TSF is always updated with remote TSF on beacon
5080 		 * reception.
5081 		 */
5082 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5083 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5084 	        tmp |= RT2860_BCN_TX_EN;
5085 	        /*
5086 	         * Local TSF is updated with remote TSF on beacon reception
5087 	         * only if the remote TSF is greater than local TSF.
5088 	         */
5089 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5090 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5091 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5092 	        tmp |= RT2860_BCN_TX_EN;
5093 	        /* SYNC with nobody */
5094 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5095 	} else {
5096 		DPRINTF("Enabling TSF failed. undefined opmode\n");
5097 		return;
5098 	}
5099 
5100 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5101 }
5102 
5103 static void
5104 run_enable_tsf(struct run_softc *sc)
5105 {
5106 	uint32_t tmp;
5107 
5108 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5109 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TBTT_TIMER_EN);
5110 		tmp |= RT2860_TSF_TIMER_EN;
5111 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5112 	}
5113 }
5114 
5115 static void
5116 run_get_tsf(struct run_softc *sc, uint64_t *buf)
5117 {
5118 	run_read_region_1(sc, RT2860_TSF_TIMER_DW0, (uint8_t *)buf,
5119 	    sizeof(*buf));
5120 }
5121 
5122 static void
5123 run_enable_mrr(struct run_softc *sc)
5124 {
5125 #define	CCK(mcs)	(mcs)
5126 #define	OFDM(mcs)	(1 << 3 | (mcs))
5127 	run_write(sc, RT2860_LG_FBK_CFG0,
5128 	    OFDM(6) << 28 |	/* 54->48 */
5129 	    OFDM(5) << 24 |	/* 48->36 */
5130 	    OFDM(4) << 20 |	/* 36->24 */
5131 	    OFDM(3) << 16 |	/* 24->18 */
5132 	    OFDM(2) << 12 |	/* 18->12 */
5133 	    OFDM(1) <<  8 |	/* 12-> 9 */
5134 	    OFDM(0) <<  4 |	/*  9-> 6 */
5135 	    OFDM(0));		/*  6-> 6 */
5136 
5137 	run_write(sc, RT2860_LG_FBK_CFG1,
5138 	    CCK(2) << 12 |	/* 11->5.5 */
5139 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5140 	    CCK(0) <<  4 |	/*   2-> 1 */
5141 	    CCK(0));		/*   1-> 1 */
5142 #undef OFDM
5143 #undef CCK
5144 }
5145 
5146 static void
5147 run_set_txpreamble(struct run_softc *sc)
5148 {
5149 	struct ieee80211com *ic = &sc->sc_ic;
5150 	uint32_t tmp;
5151 
5152 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5153 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5154 		tmp |= RT2860_CCK_SHORT_EN;
5155 	else
5156 		tmp &= ~RT2860_CCK_SHORT_EN;
5157 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5158 }
5159 
5160 static void
5161 run_set_basicrates(struct run_softc *sc)
5162 {
5163 	struct ieee80211com *ic = &sc->sc_ic;
5164 
5165 	/* set basic rates mask */
5166 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5167 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5168 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5169 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5170 	else	/* 11g */
5171 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5172 }
5173 
5174 static void
5175 run_set_leds(struct run_softc *sc, uint16_t which)
5176 {
5177 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5178 	    which | (sc->leds & 0x7f));
5179 }
5180 
5181 static void
5182 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5183 {
5184 	run_write(sc, RT2860_MAC_BSSID_DW0,
5185 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5186 	run_write(sc, RT2860_MAC_BSSID_DW1,
5187 	    bssid[4] | bssid[5] << 8);
5188 }
5189 
5190 static void
5191 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5192 {
5193 	run_write(sc, RT2860_MAC_ADDR_DW0,
5194 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5195 	run_write(sc, RT2860_MAC_ADDR_DW1,
5196 	    addr[4] | addr[5] << 8 | 0xff << 16);
5197 }
5198 
5199 static void
5200 run_updateslot(struct ieee80211com *ic)
5201 {
5202 	struct run_softc *sc = ic->ic_softc;
5203 	uint32_t i;
5204 
5205 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5206 	DPRINTF("cmdq_store=%d\n", i);
5207 	sc->cmdq[i].func = run_updateslot_cb;
5208 	sc->cmdq[i].arg0 = ic;
5209 	ieee80211_runtask(ic, &sc->cmdq_task);
5210 
5211 	return;
5212 }
5213 
5214 /* ARGSUSED */
5215 static void
5216 run_updateslot_cb(void *arg)
5217 {
5218 	struct ieee80211com *ic = arg;
5219 	struct run_softc *sc = ic->ic_softc;
5220 	uint32_t tmp;
5221 
5222 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5223 	tmp &= ~0xff;
5224 	tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5225 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5226 }
5227 
5228 static void
5229 run_update_mcast(struct ieee80211com *ic)
5230 {
5231 }
5232 
5233 static int8_t
5234 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5235 {
5236 	struct ieee80211com *ic = &sc->sc_ic;
5237 	struct ieee80211_channel *c = ic->ic_curchan;
5238 	int delta;
5239 
5240 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5241 		u_int chan = ieee80211_chan2ieee(ic, c);
5242 		delta = sc->rssi_5ghz[rxchain];
5243 
5244 		/* determine channel group */
5245 		if (chan <= 64)
5246 			delta -= sc->lna[1];
5247 		else if (chan <= 128)
5248 			delta -= sc->lna[2];
5249 		else
5250 			delta -= sc->lna[3];
5251 	} else
5252 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5253 
5254 	return (-12 - delta - rssi);
5255 }
5256 
5257 static void
5258 run_rt5390_bbp_init(struct run_softc *sc)
5259 {
5260 	int i;
5261 	uint8_t bbp;
5262 
5263 	/* Apply maximum likelihood detection for 2 stream case. */
5264 	run_bbp_read(sc, 105, &bbp);
5265 	if (sc->nrxchains > 1)
5266 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5267 
5268 	/* Avoid data lost and CRC error. */
5269 	run_bbp_read(sc, 4, &bbp);
5270 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5271 
5272 	if (sc->mac_ver == 0x5592) {
5273 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5274 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5275 			    rt5592_def_bbp[i].val);
5276 		}
5277 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5278 			run_bbp_write(sc, 195, i + 0x80);
5279 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5280 		}
5281 	} else {
5282 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5283 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5284 			    rt5390_def_bbp[i].val);
5285 		}
5286 	}
5287 	if (sc->mac_ver == 0x5392) {
5288 		run_bbp_write(sc, 88, 0x90);
5289 		run_bbp_write(sc, 95, 0x9a);
5290 		run_bbp_write(sc, 98, 0x12);
5291 		run_bbp_write(sc, 106, 0x12);
5292 		run_bbp_write(sc, 134, 0xd0);
5293 		run_bbp_write(sc, 135, 0xf6);
5294 		run_bbp_write(sc, 148, 0x84);
5295 	}
5296 
5297 	run_bbp_read(sc, 152, &bbp);
5298 	run_bbp_write(sc, 152, bbp | 0x80);
5299 
5300 	/* Fix BBP254 for RT5592C. */
5301 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5302 		run_bbp_read(sc, 254, &bbp);
5303 		run_bbp_write(sc, 254, bbp | 0x80);
5304 	}
5305 
5306 	/* Disable hardware antenna diversity. */
5307 	if (sc->mac_ver == 0x5390)
5308 		run_bbp_write(sc, 154, 0);
5309 
5310 	/* Initialize Rx CCK/OFDM frequency offset report. */
5311 	run_bbp_write(sc, 142, 1);
5312 	run_bbp_write(sc, 143, 57);
5313 }
5314 
5315 static int
5316 run_bbp_init(struct run_softc *sc)
5317 {
5318 	int i, error, ntries;
5319 	uint8_t bbp0;
5320 
5321 	/* wait for BBP to wake up */
5322 	for (ntries = 0; ntries < 20; ntries++) {
5323 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5324 			return error;
5325 		if (bbp0 != 0 && bbp0 != 0xff)
5326 			break;
5327 	}
5328 	if (ntries == 20)
5329 		return (ETIMEDOUT);
5330 
5331 	/* initialize BBP registers to default values */
5332 	if (sc->mac_ver >= 0x5390)
5333 		run_rt5390_bbp_init(sc);
5334 	else {
5335 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5336 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5337 			    rt2860_def_bbp[i].val);
5338 		}
5339 	}
5340 
5341 	if (sc->mac_ver == 0x3593) {
5342 		run_bbp_write(sc, 79, 0x13);
5343 		run_bbp_write(sc, 80, 0x05);
5344 		run_bbp_write(sc, 81, 0x33);
5345 		run_bbp_write(sc, 86, 0x46);
5346 		run_bbp_write(sc, 137, 0x0f);
5347 	}
5348 
5349 	/* fix BBP84 for RT2860E */
5350 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5351 		run_bbp_write(sc, 84, 0x19);
5352 
5353 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5354 	    sc->mac_ver != 0x5592)) {
5355 		run_bbp_write(sc, 79, 0x13);
5356 		run_bbp_write(sc, 80, 0x05);
5357 		run_bbp_write(sc, 81, 0x33);
5358 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5359 		run_bbp_write(sc, 69, 0x16);
5360 		run_bbp_write(sc, 73, 0x12);
5361 	}
5362 	return (0);
5363 }
5364 
5365 static int
5366 run_rt3070_rf_init(struct run_softc *sc)
5367 {
5368 	uint32_t tmp;
5369 	uint8_t bbp4, mingain, rf, target;
5370 	int i;
5371 
5372 	run_rt3070_rf_read(sc, 30, &rf);
5373 	/* toggle RF R30 bit 7 */
5374 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5375 	run_delay(sc, 10);
5376 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5377 
5378 	/* initialize RF registers to default value */
5379 	if (sc->mac_ver == 0x3572) {
5380 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5381 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5382 			    rt3572_def_rf[i].val);
5383 		}
5384 	} else {
5385 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5386 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5387 			    rt3070_def_rf[i].val);
5388 		}
5389 	}
5390 
5391 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5392 		/*
5393 		 * Change voltage from 1.2V to 1.35V for RT3070.
5394 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5395 		 * in RT3070(F).
5396 		 */
5397 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5398 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5399 		run_write(sc, RT3070_LDO_CFG0, tmp);
5400 
5401 	} else if (sc->mac_ver == 0x3071) {
5402 		run_rt3070_rf_read(sc, 6, &rf);
5403 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5404 		run_rt3070_rf_write(sc, 31, 0x14);
5405 
5406 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5407 		tmp &= ~0x1f000000;
5408 		if (sc->mac_rev < 0x0211)
5409 			tmp |= 0x0d000000;	/* 1.3V */
5410 		else
5411 			tmp |= 0x01000000;	/* 1.2V */
5412 		run_write(sc, RT3070_LDO_CFG0, tmp);
5413 
5414 		/* patch LNA_PE_G1 */
5415 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5416 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5417 
5418 	} else if (sc->mac_ver == 0x3572) {
5419 		run_rt3070_rf_read(sc, 6, &rf);
5420 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5421 
5422 		/* increase voltage from 1.2V to 1.35V */
5423 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5424 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5425 		run_write(sc, RT3070_LDO_CFG0, tmp);
5426 
5427 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5428 			run_delay(sc, 1);	/* wait for 1msec */
5429 			/* decrease voltage back to 1.2V */
5430 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5431 			run_write(sc, RT3070_LDO_CFG0, tmp);
5432 		}
5433 	}
5434 
5435 	/* select 20MHz bandwidth */
5436 	run_rt3070_rf_read(sc, 31, &rf);
5437 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5438 
5439 	/* calibrate filter for 20MHz bandwidth */
5440 	sc->rf24_20mhz = 0x1f;	/* default value */
5441 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5442 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5443 
5444 	/* select 40MHz bandwidth */
5445 	run_bbp_read(sc, 4, &bbp4);
5446 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5447 	run_rt3070_rf_read(sc, 31, &rf);
5448 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5449 
5450 	/* calibrate filter for 40MHz bandwidth */
5451 	sc->rf24_40mhz = 0x2f;	/* default value */
5452 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5453 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5454 
5455 	/* go back to 20MHz bandwidth */
5456 	run_bbp_read(sc, 4, &bbp4);
5457 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5458 
5459 	if (sc->mac_ver == 0x3572) {
5460 		/* save default BBP registers 25 and 26 values */
5461 		run_bbp_read(sc, 25, &sc->bbp25);
5462 		run_bbp_read(sc, 26, &sc->bbp26);
5463 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5464 		run_rt3070_rf_write(sc, 27, 0x03);
5465 
5466 	run_read(sc, RT3070_OPT_14, &tmp);
5467 	run_write(sc, RT3070_OPT_14, tmp | 1);
5468 
5469 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5470 		run_rt3070_rf_read(sc, 17, &rf);
5471 		rf &= ~RT3070_TX_LO1;
5472 		if ((sc->mac_ver == 0x3070 ||
5473 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5474 		    !sc->ext_2ghz_lna)
5475 			rf |= 0x20;	/* fix for long range Rx issue */
5476 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5477 		if (sc->txmixgain_2ghz >= mingain)
5478 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5479 		run_rt3070_rf_write(sc, 17, rf);
5480 	}
5481 
5482 	if (sc->mac_ver == 0x3071) {
5483 		run_rt3070_rf_read(sc, 1, &rf);
5484 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5485 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5486 		run_rt3070_rf_write(sc, 1, rf);
5487 
5488 		run_rt3070_rf_read(sc, 15, &rf);
5489 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5490 
5491 		run_rt3070_rf_read(sc, 20, &rf);
5492 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5493 
5494 		run_rt3070_rf_read(sc, 21, &rf);
5495 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5496 	}
5497 
5498 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5499 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5500 		run_rt3070_rf_read(sc, 27, &rf);
5501 		rf &= ~0x77;
5502 		if (sc->mac_rev < 0x0211)
5503 			rf |= 0x03;
5504 		run_rt3070_rf_write(sc, 27, rf);
5505 	}
5506 	return (0);
5507 }
5508 
5509 static void
5510 run_rt3593_rf_init(struct run_softc *sc)
5511 {
5512 	uint32_t tmp;
5513 	uint8_t rf;
5514 	int i;
5515 
5516 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5517 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5518 	tmp &= ~(1 << 4 | 1 << 7);
5519 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5520 
5521 	/* Initialize RF registers to default value. */
5522 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5523 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5524 		    rt3593_def_rf[i].val);
5525 	}
5526 
5527 	/* Toggle RF R2 to initiate calibration. */
5528 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5529 
5530 	/* Initialize RF frequency offset. */
5531 	run_adjust_freq_offset(sc);
5532 
5533 	run_rt3070_rf_read(sc, 18, &rf);
5534 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5535 
5536 	/*
5537 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5538 	 * decrease voltage back to 1.2V.
5539 	 */
5540 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5541 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5542 	run_write(sc, RT3070_LDO_CFG0, tmp);
5543 	run_delay(sc, 1);
5544 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5545 	run_write(sc, RT3070_LDO_CFG0, tmp);
5546 
5547 	sc->rf24_20mhz = 0x1f;
5548 	sc->rf24_40mhz = 0x2f;
5549 
5550 	/* Save default BBP registers 25 and 26 values. */
5551 	run_bbp_read(sc, 25, &sc->bbp25);
5552 	run_bbp_read(sc, 26, &sc->bbp26);
5553 
5554 	run_read(sc, RT3070_OPT_14, &tmp);
5555 	run_write(sc, RT3070_OPT_14, tmp | 1);
5556 }
5557 
5558 static void
5559 run_rt5390_rf_init(struct run_softc *sc)
5560 {
5561 	uint32_t tmp;
5562 	uint8_t rf;
5563 	int i;
5564 
5565 	/* Toggle RF R2 to initiate calibration. */
5566 	if (sc->mac_ver == 0x5390) {
5567 		run_rt3070_rf_read(sc, 2, &rf);
5568 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5569 		run_delay(sc, 10);
5570 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5571 	} else {
5572 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5573 		run_delay(sc, 10);
5574 	}
5575 
5576 	/* Initialize RF registers to default value. */
5577 	if (sc->mac_ver == 0x5592) {
5578 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5579 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5580 			    rt5592_def_rf[i].val);
5581 		}
5582 		/* Initialize RF frequency offset. */
5583 		run_adjust_freq_offset(sc);
5584 	} else if (sc->mac_ver == 0x5392) {
5585 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5586 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5587 			    rt5392_def_rf[i].val);
5588 		}
5589 		if (sc->mac_rev >= 0x0223) {
5590 			run_rt3070_rf_write(sc, 23, 0x0f);
5591 			run_rt3070_rf_write(sc, 24, 0x3e);
5592 			run_rt3070_rf_write(sc, 51, 0x32);
5593 			run_rt3070_rf_write(sc, 53, 0x22);
5594 			run_rt3070_rf_write(sc, 56, 0xc1);
5595 			run_rt3070_rf_write(sc, 59, 0x0f);
5596 		}
5597 	} else {
5598 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5599 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5600 			    rt5390_def_rf[i].val);
5601 		}
5602 		if (sc->mac_rev >= 0x0502) {
5603 			run_rt3070_rf_write(sc, 6, 0xe0);
5604 			run_rt3070_rf_write(sc, 25, 0x80);
5605 			run_rt3070_rf_write(sc, 46, 0x73);
5606 			run_rt3070_rf_write(sc, 53, 0x00);
5607 			run_rt3070_rf_write(sc, 56, 0x42);
5608 			run_rt3070_rf_write(sc, 61, 0xd1);
5609 		}
5610 	}
5611 
5612 	sc->rf24_20mhz = 0x1f;	/* default value */
5613 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5614 
5615 	if (sc->mac_rev < 0x0211)
5616 		run_rt3070_rf_write(sc, 27, 0x3);
5617 
5618 	run_read(sc, RT3070_OPT_14, &tmp);
5619 	run_write(sc, RT3070_OPT_14, tmp | 1);
5620 }
5621 
5622 static int
5623 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5624     uint8_t *val)
5625 {
5626 	uint8_t rf22, rf24;
5627 	uint8_t bbp55_pb, bbp55_sb, delta;
5628 	int ntries;
5629 
5630 	/* program filter */
5631 	run_rt3070_rf_read(sc, 24, &rf24);
5632 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5633 	run_rt3070_rf_write(sc, 24, rf24);
5634 
5635 	/* enable baseband loopback mode */
5636 	run_rt3070_rf_read(sc, 22, &rf22);
5637 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5638 
5639 	/* set power and frequency of passband test tone */
5640 	run_bbp_write(sc, 24, 0x00);
5641 	for (ntries = 0; ntries < 100; ntries++) {
5642 		/* transmit test tone */
5643 		run_bbp_write(sc, 25, 0x90);
5644 		run_delay(sc, 10);
5645 		/* read received power */
5646 		run_bbp_read(sc, 55, &bbp55_pb);
5647 		if (bbp55_pb != 0)
5648 			break;
5649 	}
5650 	if (ntries == 100)
5651 		return (ETIMEDOUT);
5652 
5653 	/* set power and frequency of stopband test tone */
5654 	run_bbp_write(sc, 24, 0x06);
5655 	for (ntries = 0; ntries < 100; ntries++) {
5656 		/* transmit test tone */
5657 		run_bbp_write(sc, 25, 0x90);
5658 		run_delay(sc, 10);
5659 		/* read received power */
5660 		run_bbp_read(sc, 55, &bbp55_sb);
5661 
5662 		delta = bbp55_pb - bbp55_sb;
5663 		if (delta > target)
5664 			break;
5665 
5666 		/* reprogram filter */
5667 		rf24++;
5668 		run_rt3070_rf_write(sc, 24, rf24);
5669 	}
5670 	if (ntries < 100) {
5671 		if (rf24 != init)
5672 			rf24--;	/* backtrack */
5673 		*val = rf24;
5674 		run_rt3070_rf_write(sc, 24, rf24);
5675 	}
5676 
5677 	/* restore initial state */
5678 	run_bbp_write(sc, 24, 0x00);
5679 
5680 	/* disable baseband loopback mode */
5681 	run_rt3070_rf_read(sc, 22, &rf22);
5682 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5683 
5684 	return (0);
5685 }
5686 
5687 static void
5688 run_rt3070_rf_setup(struct run_softc *sc)
5689 {
5690 	uint8_t bbp, rf;
5691 	int i;
5692 
5693 	if (sc->mac_ver == 0x3572) {
5694 		/* enable DC filter */
5695 		if (sc->mac_rev >= 0x0201)
5696 			run_bbp_write(sc, 103, 0xc0);
5697 
5698 		run_bbp_read(sc, 138, &bbp);
5699 		if (sc->ntxchains == 1)
5700 			bbp |= 0x20;	/* turn off DAC1 */
5701 		if (sc->nrxchains == 1)
5702 			bbp &= ~0x02;	/* turn off ADC1 */
5703 		run_bbp_write(sc, 138, bbp);
5704 
5705 		if (sc->mac_rev >= 0x0211) {
5706 			/* improve power consumption */
5707 			run_bbp_read(sc, 31, &bbp);
5708 			run_bbp_write(sc, 31, bbp & ~0x03);
5709 		}
5710 
5711 		run_rt3070_rf_read(sc, 16, &rf);
5712 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5713 		run_rt3070_rf_write(sc, 16, rf);
5714 
5715 	} else if (sc->mac_ver == 0x3071) {
5716 		if (sc->mac_rev >= 0x0211) {
5717 			/* enable DC filter */
5718 			run_bbp_write(sc, 103, 0xc0);
5719 
5720 			/* improve power consumption */
5721 			run_bbp_read(sc, 31, &bbp);
5722 			run_bbp_write(sc, 31, bbp & ~0x03);
5723 		}
5724 
5725 		run_bbp_read(sc, 138, &bbp);
5726 		if (sc->ntxchains == 1)
5727 			bbp |= 0x20;	/* turn off DAC1 */
5728 		if (sc->nrxchains == 1)
5729 			bbp &= ~0x02;	/* turn off ADC1 */
5730 		run_bbp_write(sc, 138, bbp);
5731 
5732 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5733 		if (sc->mac_rev < 0x0211) {
5734 			run_write(sc, RT2860_TX_SW_CFG2,
5735 			    sc->patch_dac ? 0x2c : 0x0f);
5736 		} else
5737 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5738 
5739 	} else if (sc->mac_ver == 0x3070) {
5740 		if (sc->mac_rev >= 0x0201) {
5741 			/* enable DC filter */
5742 			run_bbp_write(sc, 103, 0xc0);
5743 
5744 			/* improve power consumption */
5745 			run_bbp_read(sc, 31, &bbp);
5746 			run_bbp_write(sc, 31, bbp & ~0x03);
5747 		}
5748 
5749 		if (sc->mac_rev < 0x0201) {
5750 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5751 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5752 		} else
5753 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5754 	}
5755 
5756 	/* initialize RF registers from ROM for >=RT3071*/
5757 	if (sc->mac_ver >= 0x3071) {
5758 		for (i = 0; i < 10; i++) {
5759 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5760 				continue;
5761 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5762 		}
5763 	}
5764 }
5765 
5766 static void
5767 run_rt3593_rf_setup(struct run_softc *sc)
5768 {
5769 	uint8_t bbp, rf;
5770 
5771 	if (sc->mac_rev >= 0x0211) {
5772 		/* Enable DC filter. */
5773 		run_bbp_write(sc, 103, 0xc0);
5774 	}
5775 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5776 	if (sc->mac_rev < 0x0211) {
5777 		run_write(sc, RT2860_TX_SW_CFG2,
5778 		    sc->patch_dac ? 0x2c : 0x0f);
5779 	} else
5780 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5781 
5782 	run_rt3070_rf_read(sc, 50, &rf);
5783 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5784 
5785 	run_rt3070_rf_read(sc, 51, &rf);
5786 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5787 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5788 	run_rt3070_rf_write(sc, 51, rf);
5789 
5790 	run_rt3070_rf_read(sc, 38, &rf);
5791 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5792 
5793 	run_rt3070_rf_read(sc, 39, &rf);
5794 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5795 
5796 	run_rt3070_rf_read(sc, 1, &rf);
5797 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5798 
5799 	run_rt3070_rf_read(sc, 30, &rf);
5800 	rf = (rf & ~0x18) | 0x10;
5801 	run_rt3070_rf_write(sc, 30, rf);
5802 
5803 	/* Apply maximum likelihood detection for 2 stream case. */
5804 	run_bbp_read(sc, 105, &bbp);
5805 	if (sc->nrxchains > 1)
5806 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5807 
5808 	/* Avoid data lost and CRC error. */
5809 	run_bbp_read(sc, 4, &bbp);
5810 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5811 
5812 	run_bbp_write(sc, 92, 0x02);
5813 	run_bbp_write(sc, 82, 0x82);
5814 	run_bbp_write(sc, 106, 0x05);
5815 	run_bbp_write(sc, 104, 0x92);
5816 	run_bbp_write(sc, 88, 0x90);
5817 	run_bbp_write(sc, 148, 0xc8);
5818 	run_bbp_write(sc, 47, 0x48);
5819 	run_bbp_write(sc, 120, 0x50);
5820 
5821 	run_bbp_write(sc, 163, 0x9d);
5822 
5823 	/* SNR mapping. */
5824 	run_bbp_write(sc, 142, 0x06);
5825 	run_bbp_write(sc, 143, 0xa0);
5826 	run_bbp_write(sc, 142, 0x07);
5827 	run_bbp_write(sc, 143, 0xa1);
5828 	run_bbp_write(sc, 142, 0x08);
5829 	run_bbp_write(sc, 143, 0xa2);
5830 
5831 	run_bbp_write(sc, 31, 0x08);
5832 	run_bbp_write(sc, 68, 0x0b);
5833 	run_bbp_write(sc, 105, 0x04);
5834 }
5835 
5836 static void
5837 run_rt5390_rf_setup(struct run_softc *sc)
5838 {
5839 	uint8_t bbp, rf;
5840 
5841 	if (sc->mac_rev >= 0x0211) {
5842 		/* Enable DC filter. */
5843 		run_bbp_write(sc, 103, 0xc0);
5844 
5845 		if (sc->mac_ver != 0x5592) {
5846 			/* Improve power consumption. */
5847 			run_bbp_read(sc, 31, &bbp);
5848 			run_bbp_write(sc, 31, bbp & ~0x03);
5849 		}
5850 	}
5851 
5852 	run_bbp_read(sc, 138, &bbp);
5853 	if (sc->ntxchains == 1)
5854 		bbp |= 0x20;	/* turn off DAC1 */
5855 	if (sc->nrxchains == 1)
5856 		bbp &= ~0x02;	/* turn off ADC1 */
5857 	run_bbp_write(sc, 138, bbp);
5858 
5859 	run_rt3070_rf_read(sc, 38, &rf);
5860 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5861 
5862 	run_rt3070_rf_read(sc, 39, &rf);
5863 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5864 
5865 	/* Avoid data lost and CRC error. */
5866 	run_bbp_read(sc, 4, &bbp);
5867 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5868 
5869 	run_rt3070_rf_read(sc, 30, &rf);
5870 	rf = (rf & ~0x18) | 0x10;
5871 	run_rt3070_rf_write(sc, 30, rf);
5872 
5873 	if (sc->mac_ver != 0x5592) {
5874 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5875 		if (sc->mac_rev < 0x0211) {
5876 			run_write(sc, RT2860_TX_SW_CFG2,
5877 			    sc->patch_dac ? 0x2c : 0x0f);
5878 		} else
5879 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5880 	}
5881 }
5882 
5883 static int
5884 run_txrx_enable(struct run_softc *sc)
5885 {
5886 	struct ieee80211com *ic = &sc->sc_ic;
5887 	uint32_t tmp;
5888 	int error, ntries;
5889 
5890 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5891 	for (ntries = 0; ntries < 200; ntries++) {
5892 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5893 			return (error);
5894 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5895 			break;
5896 		run_delay(sc, 50);
5897 	}
5898 	if (ntries == 200)
5899 		return (ETIMEDOUT);
5900 
5901 	run_delay(sc, 50);
5902 
5903 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5904 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5905 
5906 	/* enable Rx bulk aggregation (set timeout and limit) */
5907 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5908 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5909 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5910 
5911 	/* set Rx filter */
5912 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5913 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5914 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5915 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5916 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5917 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5918 		if (ic->ic_opmode == IEEE80211_M_STA)
5919 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5920 	}
5921 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5922 
5923 	run_write(sc, RT2860_MAC_SYS_CTRL,
5924 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5925 
5926 	return (0);
5927 }
5928 
5929 static void
5930 run_adjust_freq_offset(struct run_softc *sc)
5931 {
5932 	uint8_t rf, tmp;
5933 
5934 	run_rt3070_rf_read(sc, 17, &rf);
5935 	tmp = rf;
5936 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5937 	rf = MIN(rf, 0x5f);
5938 
5939 	if (tmp != rf)
5940 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5941 }
5942 
5943 static void
5944 run_init_locked(struct run_softc *sc)
5945 {
5946 	struct ieee80211com *ic = &sc->sc_ic;
5947 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5948 	uint32_t tmp;
5949 	uint8_t bbp1, bbp3;
5950 	int i;
5951 	int ridx;
5952 	int ntries;
5953 
5954 	if (ic->ic_nrunning > 1)
5955 		return;
5956 
5957 	run_stop(sc);
5958 
5959 	if (run_load_microcode(sc) != 0) {
5960 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5961 		goto fail;
5962 	}
5963 
5964 	for (ntries = 0; ntries < 100; ntries++) {
5965 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5966 			goto fail;
5967 		if (tmp != 0 && tmp != 0xffffffff)
5968 			break;
5969 		run_delay(sc, 10);
5970 	}
5971 	if (ntries == 100)
5972 		goto fail;
5973 
5974 	for (i = 0; i != RUN_EP_QUEUES; i++)
5975 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5976 
5977 	run_set_macaddr(sc, vap ? vap->iv_myaddr : ic->ic_macaddr);
5978 
5979 	for (ntries = 0; ntries < 100; ntries++) {
5980 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5981 			goto fail;
5982 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5983 			break;
5984 		run_delay(sc, 10);
5985 	}
5986 	if (ntries == 100) {
5987 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5988 		goto fail;
5989 	}
5990 	tmp &= 0xff0;
5991 	tmp |= RT2860_TX_WB_DDONE;
5992 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5993 
5994 	/* turn off PME_OEN to solve high-current issue */
5995 	run_read(sc, RT2860_SYS_CTRL, &tmp);
5996 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5997 
5998 	run_write(sc, RT2860_MAC_SYS_CTRL,
5999 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
6000 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6001 
6002 	if (run_reset(sc) != 0) {
6003 		device_printf(sc->sc_dev, "could not reset chipset\n");
6004 		goto fail;
6005 	}
6006 
6007 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6008 
6009 	/* init Tx power for all Tx rates (from EEPROM) */
6010 	for (ridx = 0; ridx < 5; ridx++) {
6011 		if (sc->txpow20mhz[ridx] == 0xffffffff)
6012 			continue;
6013 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6014 	}
6015 
6016 	for (i = 0; i < nitems(rt2870_def_mac); i++)
6017 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6018 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6019 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6020 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6021 
6022 	if (sc->mac_ver >= 0x5390) {
6023 		run_write(sc, RT2860_TX_SW_CFG0,
6024 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6025 		if (sc->mac_ver >= 0x5392) {
6026 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6027 			if (sc->mac_ver == 0x5592) {
6028 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6029 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6030 			} else {
6031 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6032 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6033 			}
6034 		}
6035 	} else if (sc->mac_ver == 0x3593) {
6036 		run_write(sc, RT2860_TX_SW_CFG0,
6037 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6038 	} else if (sc->mac_ver >= 0x3070) {
6039 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6040 		run_write(sc, RT2860_TX_SW_CFG0,
6041 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6042 	}
6043 
6044 	/* wait while MAC is busy */
6045 	for (ntries = 0; ntries < 100; ntries++) {
6046 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6047 			goto fail;
6048 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6049 			break;
6050 		run_delay(sc, 10);
6051 	}
6052 	if (ntries == 100)
6053 		goto fail;
6054 
6055 	/* clear Host to MCU mailbox */
6056 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6057 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6058 	run_delay(sc, 10);
6059 
6060 	if (run_bbp_init(sc) != 0) {
6061 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6062 		goto fail;
6063 	}
6064 
6065 	/* abort TSF synchronization */
6066 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6067 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6068 	    RT2860_TBTT_TIMER_EN);
6069 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6070 
6071 	/* clear RX WCID search table */
6072 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6073 	/* clear WCID attribute table */
6074 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6075 
6076 	/* hostapd sets a key before init. So, don't clear it. */
6077 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6078 		/* clear shared key table */
6079 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6080 		/* clear shared key mode */
6081 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6082 	}
6083 
6084 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6085 	tmp = (tmp & ~0xff) | 0x1e;
6086 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6087 
6088 	if (sc->mac_rev != 0x0101)
6089 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6090 
6091 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6092 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6093 
6094 	/* write vendor-specific BBP values (from EEPROM) */
6095 	if (sc->mac_ver < 0x3593) {
6096 		for (i = 0; i < 10; i++) {
6097 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6098 				continue;
6099 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6100 		}
6101 	}
6102 
6103 	/* select Main antenna for 1T1R devices */
6104 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6105 		run_set_rx_antenna(sc, 0);
6106 
6107 	/* send LEDs operating mode to microcontroller */
6108 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6109 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6110 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6111 
6112 	if (sc->mac_ver >= 0x5390)
6113 		run_rt5390_rf_init(sc);
6114 	else if (sc->mac_ver == 0x3593)
6115 		run_rt3593_rf_init(sc);
6116 	else if (sc->mac_ver >= 0x3070)
6117 		run_rt3070_rf_init(sc);
6118 
6119 	/* disable non-existing Rx chains */
6120 	run_bbp_read(sc, 3, &bbp3);
6121 	bbp3 &= ~(1 << 3 | 1 << 4);
6122 	if (sc->nrxchains == 2)
6123 		bbp3 |= 1 << 3;
6124 	else if (sc->nrxchains == 3)
6125 		bbp3 |= 1 << 4;
6126 	run_bbp_write(sc, 3, bbp3);
6127 
6128 	/* disable non-existing Tx chains */
6129 	run_bbp_read(sc, 1, &bbp1);
6130 	if (sc->ntxchains == 1)
6131 		bbp1 &= ~(1 << 3 | 1 << 4);
6132 	run_bbp_write(sc, 1, bbp1);
6133 
6134 	if (sc->mac_ver >= 0x5390)
6135 		run_rt5390_rf_setup(sc);
6136 	else if (sc->mac_ver == 0x3593)
6137 		run_rt3593_rf_setup(sc);
6138 	else if (sc->mac_ver >= 0x3070)
6139 		run_rt3070_rf_setup(sc);
6140 
6141 	/* select default channel */
6142 	run_set_chan(sc, ic->ic_curchan);
6143 
6144 	/* setup initial protection mode */
6145 	run_updateprot_cb(ic);
6146 
6147 	/* turn radio LED on */
6148 	run_set_leds(sc, RT2860_LED_RADIO);
6149 
6150 	sc->sc_flags |= RUN_RUNNING;
6151 	sc->cmdq_run = RUN_CMDQ_GO;
6152 
6153 	for (i = 0; i != RUN_N_XFER; i++)
6154 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6155 
6156 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6157 
6158 	if (run_txrx_enable(sc) != 0)
6159 		goto fail;
6160 
6161 	return;
6162 
6163 fail:
6164 	run_stop(sc);
6165 }
6166 
6167 static void
6168 run_stop(void *arg)
6169 {
6170 	struct run_softc *sc = (struct run_softc *)arg;
6171 	uint32_t tmp;
6172 	int i;
6173 	int ntries;
6174 
6175 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6176 
6177 	if (sc->sc_flags & RUN_RUNNING)
6178 		run_set_leds(sc, 0);	/* turn all LEDs off */
6179 
6180 	sc->sc_flags &= ~RUN_RUNNING;
6181 
6182 	sc->ratectl_run = RUN_RATECTL_OFF;
6183 	sc->cmdq_run = sc->cmdq_key_set;
6184 
6185 	RUN_UNLOCK(sc);
6186 
6187 	for(i = 0; i < RUN_N_XFER; i++)
6188 		usbd_transfer_drain(sc->sc_xfer[i]);
6189 
6190 	RUN_LOCK(sc);
6191 
6192 	run_drain_mbufq(sc);
6193 
6194 	if (sc->rx_m != NULL) {
6195 		m_free(sc->rx_m);
6196 		sc->rx_m = NULL;
6197 	}
6198 
6199 	/* Disable Tx/Rx DMA. */
6200 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6201 		return;
6202 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6203 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6204 
6205 	for (ntries = 0; ntries < 100; ntries++) {
6206 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6207 			return;
6208 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6209 				break;
6210 		run_delay(sc, 10);
6211 	}
6212 	if (ntries == 100) {
6213 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6214 		return;
6215 	}
6216 
6217 	/* disable Tx/Rx */
6218 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6219 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6220 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6221 
6222 	/* wait for pending Tx to complete */
6223 	for (ntries = 0; ntries < 100; ntries++) {
6224 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6225 			DPRINTF("Cannot read Tx queue count\n");
6226 			break;
6227 		}
6228 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6229 			DPRINTF("All Tx cleared\n");
6230 			break;
6231 		}
6232 		run_delay(sc, 10);
6233 	}
6234 	if (ntries >= 100)
6235 		DPRINTF("There are still pending Tx\n");
6236 	run_delay(sc, 10);
6237 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6238 
6239 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6240 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6241 
6242 	for (i = 0; i != RUN_EP_QUEUES; i++)
6243 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6244 }
6245 
6246 static void
6247 run_delay(struct run_softc *sc, u_int ms)
6248 {
6249 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6250 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6251 }
6252 
6253 static device_method_t run_methods[] = {
6254 	/* Device interface */
6255 	DEVMETHOD(device_probe,		run_match),
6256 	DEVMETHOD(device_attach,	run_attach),
6257 	DEVMETHOD(device_detach,	run_detach),
6258 	DEVMETHOD_END
6259 };
6260 
6261 static driver_t run_driver = {
6262 	.name = "run",
6263 	.methods = run_methods,
6264 	.size = sizeof(struct run_softc)
6265 };
6266 
6267 static devclass_t run_devclass;
6268 
6269 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6270 MODULE_DEPEND(run, wlan, 1, 1, 1);
6271 MODULE_DEPEND(run, usb, 1, 1, 1);
6272 MODULE_DEPEND(run, firmware, 1, 1, 1);
6273 MODULE_VERSION(run, 1);
6274