xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 652a9748855320619e075c4e83aef2f5294412d2)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include "opt_wlan.h"
29 
30 #include <sys/param.h>
31 #include <sys/eventhandler.h>
32 #include <sys/sockio.h>
33 #include <sys/sysctl.h>
34 #include <sys/lock.h>
35 #include <sys/mutex.h>
36 #include <sys/mbuf.h>
37 #include <sys/kernel.h>
38 #include <sys/socket.h>
39 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/module.h>
42 #include <sys/bus.h>
43 #include <sys/endian.h>
44 #include <sys/linker.h>
45 #include <sys/firmware.h>
46 #include <sys/kdb.h>
47 
48 #include <net/bpf.h>
49 #include <net/if.h>
50 #include <net/if_var.h>
51 #include <net/if_arp.h>
52 #include <net/ethernet.h>
53 #include <net/if_dl.h>
54 #include <net/if_media.h>
55 #include <net/if_types.h>
56 
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/if_ether.h>
61 #include <netinet/ip.h>
62 
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_regdomain.h>
65 #include <net80211/ieee80211_radiotap.h>
66 #include <net80211/ieee80211_ratectl.h>
67 
68 #include <dev/usb/usb.h>
69 #include <dev/usb/usbdi.h>
70 #include "usbdevs.h"
71 
72 #define	USB_DEBUG_VAR	run_debug
73 #include <dev/usb/usb_debug.h>
74 #include <dev/usb/usb_msctest.h>
75 
76 #include <dev/usb/wlan/if_runreg.h>
77 #include <dev/usb/wlan/if_runvar.h>
78 
79 #ifdef	USB_DEBUG
80 #define	RUN_DEBUG
81 #endif
82 
83 #ifdef	RUN_DEBUG
84 int run_debug = 0;
85 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
86     "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RWTUN, &run_debug, 0,
88     "run debug level");
89 
90 enum {
91 	RUN_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
92 	RUN_DEBUG_XMIT_DESC	= 0x00000002,	/* xmit descriptors */
93 	RUN_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
94 	RUN_DEBUG_RECV_DESC	= 0x00000008,	/* recv descriptors */
95 	RUN_DEBUG_STATE		= 0x00000010,	/* 802.11 state transitions */
96 	RUN_DEBUG_RATE		= 0x00000020,	/* rate adaptation */
97 	RUN_DEBUG_USB		= 0x00000040,	/* usb requests */
98 	RUN_DEBUG_FIRMWARE	= 0x00000080,	/* firmware(9) loading debug */
99 	RUN_DEBUG_BEACON	= 0x00000100,	/* beacon handling */
100 	RUN_DEBUG_INTR		= 0x00000200,	/* ISR */
101 	RUN_DEBUG_TEMP		= 0x00000400,	/* temperature calibration */
102 	RUN_DEBUG_ROM		= 0x00000800,	/* various ROM info */
103 	RUN_DEBUG_KEY		= 0x00001000,	/* crypto keys management */
104 	RUN_DEBUG_TXPWR		= 0x00002000,	/* dump Tx power values */
105 	RUN_DEBUG_RSSI		= 0x00004000,	/* dump RSSI lookups */
106 	RUN_DEBUG_RESET		= 0x00008000,	/* initialization progress */
107 	RUN_DEBUG_CALIB		= 0x00010000,	/* calibration progress */
108 	RUN_DEBUG_CMD		= 0x00020000,	/* command queue */
109 	RUN_DEBUG_ANY		= 0xffffffff
110 };
111 
112 #define RUN_DPRINTF(_sc, _m, ...) do {			\
113 	if (run_debug & (_m))				\
114 		device_printf((_sc)->sc_dev, __VA_ARGS__);	\
115 } while(0)
116 #else
117 #define RUN_DPRINTF(_sc, _m, ...)	do { (void) _sc; } while (0)
118 #endif
119 
120 #define	IEEE80211_HAS_ADDR4(wh)	IEEE80211_IS_DSTODS(wh)
121 
122 /*
123  * Because of LOR in run_key_delete(), use atomic instead.
124  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
125  */
126 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
127 
128 static const STRUCT_USB_HOST_ID run_devs[] = {
129 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
130 #define	RUN_DEV_EJECT(v,p)	\
131 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
132 #define	RUN_EJECT	1
133     RUN_DEV(ABOCOM,		RT2770),
134     RUN_DEV(ABOCOM,		RT2870),
135     RUN_DEV(ABOCOM,		RT3070),
136     RUN_DEV(ABOCOM,		RT3071),
137     RUN_DEV(ABOCOM,		RT3072),
138     RUN_DEV(ABOCOM2,		RT2870_1),
139     RUN_DEV(ACCTON,		RT2770),
140     RUN_DEV(ACCTON,		RT2870_1),
141     RUN_DEV(ACCTON,		RT2870_2),
142     RUN_DEV(ACCTON,		RT2870_3),
143     RUN_DEV(ACCTON,		RT2870_4),
144     RUN_DEV(ACCTON,		RT2870_5),
145     RUN_DEV(ACCTON,		RT3070),
146     RUN_DEV(ACCTON,		RT3070_1),
147     RUN_DEV(ACCTON,		RT3070_2),
148     RUN_DEV(ACCTON,		RT3070_3),
149     RUN_DEV(ACCTON,		RT3070_4),
150     RUN_DEV(ACCTON,		RT3070_5),
151     RUN_DEV(AIRTIES,		RT3070),
152     RUN_DEV(ALLWIN,		RT2070),
153     RUN_DEV(ALLWIN,		RT2770),
154     RUN_DEV(ALLWIN,		RT2870),
155     RUN_DEV(ALLWIN,		RT3070),
156     RUN_DEV(ALLWIN,		RT3071),
157     RUN_DEV(ALLWIN,		RT3072),
158     RUN_DEV(ALLWIN,		RT3572),
159     RUN_DEV(AMIGO,		RT2870_1),
160     RUN_DEV(AMIGO,		RT2870_2),
161     RUN_DEV(AMIT,		CGWLUSB2GNR),
162     RUN_DEV(AMIT,		RT2870_1),
163     RUN_DEV(AMIT2,		RT2870),
164     RUN_DEV(ASUS,		RT2870_1),
165     RUN_DEV(ASUS,		RT2870_2),
166     RUN_DEV(ASUS,		RT2870_3),
167     RUN_DEV(ASUS,		RT2870_4),
168     RUN_DEV(ASUS,		RT2870_5),
169     RUN_DEV(ASUS,		USBN13),
170     RUN_DEV(ASUS,		RT3070_1),
171     RUN_DEV(ASUS,		USBN66),
172     RUN_DEV(ASUS,		USB_N53),
173     RUN_DEV(ASUS2,		USBN11),
174     RUN_DEV(AZUREWAVE,		RT2870_1),
175     RUN_DEV(AZUREWAVE,		RT2870_2),
176     RUN_DEV(AZUREWAVE,		RT3070_1),
177     RUN_DEV(AZUREWAVE,		RT3070_2),
178     RUN_DEV(AZUREWAVE,		RT3070_3),
179     RUN_DEV(BELKIN,		F9L1103),
180     RUN_DEV(BELKIN,		F5D8053V3),
181     RUN_DEV(BELKIN,		F5D8055),
182     RUN_DEV(BELKIN,		F5D8055V2),
183     RUN_DEV(BELKIN,		F6D4050V1),
184     RUN_DEV(BELKIN,		F6D4050V2),
185     RUN_DEV(BELKIN,		RT2870_1),
186     RUN_DEV(BELKIN,		RT2870_2),
187     RUN_DEV(CISCOLINKSYS,	AE1000),
188     RUN_DEV(CISCOLINKSYS2,	RT3070),
189     RUN_DEV(CISCOLINKSYS3,	RT3070),
190     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
191     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
192     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
193     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
194     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
195     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
196     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
197     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
198     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
199     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
200     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
201     RUN_DEV(COREGA,		CGWLUSB300GNM),
202     RUN_DEV(COREGA,		RT2870_1),
203     RUN_DEV(COREGA,		RT2870_2),
204     RUN_DEV(COREGA,		RT2870_3),
205     RUN_DEV(COREGA,		RT3070),
206     RUN_DEV(CYBERTAN,		RT2870),
207     RUN_DEV(DLINK,		RT2870),
208     RUN_DEV(DLINK,		RT3072),
209     RUN_DEV(DLINK,		DWA125A3),
210     RUN_DEV(DLINK,		DWA127),
211     RUN_DEV(DLINK,		DWA140B3),
212     RUN_DEV(DLINK,		DWA160B2),
213     RUN_DEV(DLINK,		DWA140D1),
214     RUN_DEV(DLINK,		DWA162),
215     RUN_DEV(DLINK2,		DWA130),
216     RUN_DEV(DLINK2,		RT2870_1),
217     RUN_DEV(DLINK2,		RT2870_2),
218     RUN_DEV(DLINK2,		RT3070_1),
219     RUN_DEV(DLINK2,		RT3070_2),
220     RUN_DEV(DLINK2,		RT3070_3),
221     RUN_DEV(DLINK2,		RT3070_4),
222     RUN_DEV(DLINK2,		RT3070_5),
223     RUN_DEV(DLINK2,		RT3072),
224     RUN_DEV(DLINK2,		RT3072_1),
225     RUN_DEV(EDIMAX,		EW7717),
226     RUN_DEV(EDIMAX,		EW7718),
227     RUN_DEV(EDIMAX,		EW7733UND),
228     RUN_DEV(EDIMAX,		RT2870_1),
229     RUN_DEV(ENCORE,		RT3070_1),
230     RUN_DEV(ENCORE,		RT3070_2),
231     RUN_DEV(ENCORE,		RT3070_3),
232     RUN_DEV(GIGABYTE,		GNWB31N),
233     RUN_DEV(GIGABYTE,		GNWB32L),
234     RUN_DEV(GIGABYTE,		RT2870_1),
235     RUN_DEV(GIGASET,		RT3070_1),
236     RUN_DEV(GIGASET,		RT3070_2),
237     RUN_DEV(GUILLEMOT,		HWNU300),
238     RUN_DEV(HAWKING,		HWUN2),
239     RUN_DEV(HAWKING,		RT2870_1),
240     RUN_DEV(HAWKING,		RT2870_2),
241     RUN_DEV(HAWKING,		RT3070),
242     RUN_DEV(IODATA,		RT3072_1),
243     RUN_DEV(IODATA,		RT3072_2),
244     RUN_DEV(IODATA,		RT3072_3),
245     RUN_DEV(IODATA,		RT3072_4),
246     RUN_DEV(LINKSYS4,		RT3070),
247     RUN_DEV(LINKSYS4,		WUSB100),
248     RUN_DEV(LINKSYS4,		WUSB54GCV3),
249     RUN_DEV(LINKSYS4,		WUSB600N),
250     RUN_DEV(LINKSYS4,		WUSB600NV2),
251     RUN_DEV(LOGITEC,		RT2870_1),
252     RUN_DEV(LOGITEC,		RT2870_2),
253     RUN_DEV(LOGITEC,		RT2870_3),
254     RUN_DEV(LOGITEC,		LANW300NU2),
255     RUN_DEV(LOGITEC,		LANW150NU2),
256     RUN_DEV(LOGITEC,		LANW300NU2S),
257     RUN_DEV(MELCO,		WLIUCG300HP),
258     RUN_DEV(MELCO,		RT2870_2),
259     RUN_DEV(MELCO,		WLIUCAG300N),
260     RUN_DEV(MELCO,		WLIUCG300N),
261     RUN_DEV(MELCO,		WLIUCG301N),
262     RUN_DEV(MELCO,		WLIUCGN),
263     RUN_DEV(MELCO,		WLIUCGNM),
264     RUN_DEV(MELCO,		WLIUCG300HPV1),
265     RUN_DEV(MELCO,		WLIUCGNM2),
266     RUN_DEV(MOTOROLA4,		RT2770),
267     RUN_DEV(MOTOROLA4,		RT3070),
268     RUN_DEV(MSI,		RT3070_1),
269     RUN_DEV(MSI,		RT3070_2),
270     RUN_DEV(MSI,		RT3070_3),
271     RUN_DEV(MSI,		RT3070_4),
272     RUN_DEV(MSI,		RT3070_5),
273     RUN_DEV(MSI,		RT3070_6),
274     RUN_DEV(MSI,		RT3070_7),
275     RUN_DEV(MSI,		RT3070_8),
276     RUN_DEV(MSI,		RT3070_9),
277     RUN_DEV(MSI,		RT3070_10),
278     RUN_DEV(MSI,		RT3070_11),
279     RUN_DEV(NETGEAR,		WNDA4100),
280     RUN_DEV(OVISLINK,		RT3072),
281     RUN_DEV(PARA,		RT3070),
282     RUN_DEV(PEGATRON,		RT2870),
283     RUN_DEV(PEGATRON,		RT3070),
284     RUN_DEV(PEGATRON,		RT3070_2),
285     RUN_DEV(PEGATRON,		RT3070_3),
286     RUN_DEV(PHILIPS,		RT2870),
287     RUN_DEV(PLANEX2,		GWUS300MINIS),
288     RUN_DEV(PLANEX2,		GWUSMICRON),
289     RUN_DEV(PLANEX2,		RT2870),
290     RUN_DEV(PLANEX2,		RT3070),
291     RUN_DEV(QCOM,		RT2870),
292     RUN_DEV(QUANTA,		RT3070),
293     RUN_DEV(RALINK,		RT2070),
294     RUN_DEV(RALINK,		RT2770),
295     RUN_DEV(RALINK,		RT2870),
296     RUN_DEV(RALINK,		RT3070),
297     RUN_DEV(RALINK,		RT3071),
298     RUN_DEV(RALINK,		RT3072),
299     RUN_DEV(RALINK,		RT3370),
300     RUN_DEV(RALINK,		RT3572),
301     RUN_DEV(RALINK,		RT3573),
302     RUN_DEV(RALINK,		RT5370),
303     RUN_DEV(RALINK,		RT5372),
304     RUN_DEV(RALINK,		RT5572),
305     RUN_DEV(RALINK,		RT8070),
306     RUN_DEV(SAMSUNG,		WIS09ABGN),
307     RUN_DEV(SAMSUNG2,		RT2870_1),
308     RUN_DEV(SENAO,		RT2870_1),
309     RUN_DEV(SENAO,		RT2870_2),
310     RUN_DEV(SENAO,		RT2870_3),
311     RUN_DEV(SENAO,		RT2870_4),
312     RUN_DEV(SENAO,		RT3070),
313     RUN_DEV(SENAO,		RT3071),
314     RUN_DEV(SENAO,		RT3072_1),
315     RUN_DEV(SENAO,		RT3072_2),
316     RUN_DEV(SENAO,		RT3072_3),
317     RUN_DEV(SENAO,		RT3072_4),
318     RUN_DEV(SENAO,		RT3072_5),
319     RUN_DEV(SITECOMEU,		RT2770),
320     RUN_DEV(SITECOMEU,		RT2870_1),
321     RUN_DEV(SITECOMEU,		RT2870_2),
322     RUN_DEV(SITECOMEU,		RT2870_3),
323     RUN_DEV(SITECOMEU,		RT2870_4),
324     RUN_DEV(SITECOMEU,		RT3070),
325     RUN_DEV(SITECOMEU,		RT3070_2),
326     RUN_DEV(SITECOMEU,		RT3070_3),
327     RUN_DEV(SITECOMEU,		RT3070_4),
328     RUN_DEV(SITECOMEU,		RT3071),
329     RUN_DEV(SITECOMEU,		RT3072_1),
330     RUN_DEV(SITECOMEU,		RT3072_2),
331     RUN_DEV(SITECOMEU,		RT3072_3),
332     RUN_DEV(SITECOMEU,		RT3072_4),
333     RUN_DEV(SITECOMEU,		RT3072_5),
334     RUN_DEV(SITECOMEU,		RT3072_6),
335     RUN_DEV(SITECOMEU,		WL608),
336     RUN_DEV(SPARKLAN,		RT2870_1),
337     RUN_DEV(SPARKLAN,		RT3070),
338     RUN_DEV(SWEEX2,		LW153),
339     RUN_DEV(SWEEX2,		LW303),
340     RUN_DEV(SWEEX2,		LW313),
341     RUN_DEV(TOSHIBA,		RT3070),
342     RUN_DEV(UMEDIA,		RT2870_1),
343     RUN_DEV(ZCOM,		RT2870_1),
344     RUN_DEV(ZCOM,		RT2870_2),
345     RUN_DEV(ZINWELL,		RT2870_1),
346     RUN_DEV(ZINWELL,		RT2870_2),
347     RUN_DEV(ZINWELL,		RT3070),
348     RUN_DEV(ZINWELL,		RT3072_1),
349     RUN_DEV(ZINWELL,		RT3072_2),
350     RUN_DEV(ZYXEL,		RT2870_1),
351     RUN_DEV(ZYXEL,		RT2870_2),
352     RUN_DEV(ZYXEL,		RT3070),
353     RUN_DEV_EJECT(ZYXEL,	NWD2705),
354     RUN_DEV_EJECT(RALINK,	RT_STOR),
355 #undef RUN_DEV_EJECT
356 #undef RUN_DEV
357 };
358 
359 static device_probe_t	run_match;
360 static device_attach_t	run_attach;
361 static device_detach_t	run_detach;
362 
363 static usb_callback_t	run_bulk_rx_callback;
364 static usb_callback_t	run_bulk_tx_callback0;
365 static usb_callback_t	run_bulk_tx_callback1;
366 static usb_callback_t	run_bulk_tx_callback2;
367 static usb_callback_t	run_bulk_tx_callback3;
368 static usb_callback_t	run_bulk_tx_callback4;
369 static usb_callback_t	run_bulk_tx_callback5;
370 
371 static void	run_autoinst(void *, struct usb_device *,
372 		    struct usb_attach_arg *);
373 static int	run_driver_loaded(struct module *, int, void *);
374 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
375 		    usb_error_t error, u_int index);
376 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
377 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
378 		    const uint8_t [IEEE80211_ADDR_LEN],
379 		    const uint8_t [IEEE80211_ADDR_LEN]);
380 static void	run_vap_delete(struct ieee80211vap *);
381 static void	run_cmdq_cb(void *, int);
382 static void	run_setup_tx_list(struct run_softc *,
383 		    struct run_endpoint_queue *);
384 static void	run_unsetup_tx_list(struct run_softc *,
385 		    struct run_endpoint_queue *);
386 static int	run_load_microcode(struct run_softc *);
387 static int	run_reset(struct run_softc *);
388 static usb_error_t run_do_request(struct run_softc *,
389 		    struct usb_device_request *, void *);
390 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
391 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
392 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
393 static int	run_write(struct run_softc *, uint16_t, uint32_t);
394 static int	run_write_region_1(struct run_softc *, uint16_t,
395 		    const uint8_t *, int);
396 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
397 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
398 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
399 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
400 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
401 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
402 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
403 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
404 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
405 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
406 static const char *run_get_rf(uint16_t);
407 static void	run_rt3593_get_txpower(struct run_softc *);
408 static void	run_get_txpower(struct run_softc *);
409 static int	run_read_eeprom(struct run_softc *);
410 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
411 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
412 static int	run_media_change(struct ifnet *);
413 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
414 static int	run_wme_update(struct ieee80211com *);
415 static void	run_key_set_cb(void *);
416 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *);
417 static void	run_key_delete_cb(void *);
418 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
419 static void	run_ratectl_to(void *);
420 static void	run_ratectl_cb(void *, int);
421 static void	run_drain_fifo(void *);
422 static void	run_iter_func(void *, struct ieee80211_node *);
423 static void	run_newassoc_cb(void *);
424 static void	run_newassoc(struct ieee80211_node *, int);
425 static void	run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
426 		    const struct ieee80211_rx_stats *, int, int);
427 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
428 static void	run_tx_free(struct run_endpoint_queue *pq,
429 		    struct run_tx_data *, int);
430 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
431 static int	run_tx(struct run_softc *, struct mbuf *,
432 		    struct ieee80211_node *);
433 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
434 		    struct ieee80211_node *);
435 static int	run_sendprot(struct run_softc *, const struct mbuf *,
436 		    struct ieee80211_node *, int, int);
437 static int	run_tx_param(struct run_softc *, struct mbuf *,
438 		    struct ieee80211_node *,
439 		    const struct ieee80211_bpf_params *);
440 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
441 		    const struct ieee80211_bpf_params *);
442 static int	run_transmit(struct ieee80211com *, struct mbuf *);
443 static void	run_start(struct run_softc *);
444 static void	run_parent(struct ieee80211com *);
445 static void	run_iq_calib(struct run_softc *, u_int);
446 static void	run_set_agc(struct run_softc *, uint8_t);
447 static void	run_select_chan_group(struct run_softc *, int);
448 static void	run_set_rx_antenna(struct run_softc *, int);
449 static void	run_rt2870_set_chan(struct run_softc *, u_int);
450 static void	run_rt3070_set_chan(struct run_softc *, u_int);
451 static void	run_rt3572_set_chan(struct run_softc *, u_int);
452 static void	run_rt3593_set_chan(struct run_softc *, u_int);
453 static void	run_rt5390_set_chan(struct run_softc *, u_int);
454 static void	run_rt5592_set_chan(struct run_softc *, u_int);
455 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
456 static void	run_set_channel(struct ieee80211com *);
457 static void	run_getradiocaps(struct ieee80211com *, int, int *,
458 		    struct ieee80211_channel[]);
459 static void	run_scan_start(struct ieee80211com *);
460 static void	run_scan_end(struct ieee80211com *);
461 static void	run_update_beacon(struct ieee80211vap *, int);
462 static void	run_update_beacon_cb(void *);
463 static void	run_updateprot(struct ieee80211com *);
464 static void	run_updateprot_cb(void *);
465 static void	run_usb_timeout_cb(void *);
466 static void	run_reset_livelock(struct run_softc *);
467 static void	run_enable_tsf_sync(struct run_softc *);
468 static void	run_enable_tsf(struct run_softc *);
469 static void	run_disable_tsf(struct run_softc *);
470 static void	run_get_tsf(struct run_softc *, uint64_t *);
471 static void	run_enable_mrr(struct run_softc *);
472 static void	run_set_txpreamble(struct run_softc *);
473 static void	run_set_basicrates(struct run_softc *);
474 static void	run_set_leds(struct run_softc *, uint16_t);
475 static void	run_set_bssid(struct run_softc *, const uint8_t *);
476 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
477 static void	run_updateslot(struct ieee80211com *);
478 static void	run_updateslot_cb(void *);
479 static void	run_update_mcast(struct ieee80211com *);
480 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
481 static void	run_update_promisc_locked(struct run_softc *);
482 static void	run_update_promisc(struct ieee80211com *);
483 static void	run_rt5390_bbp_init(struct run_softc *);
484 static int	run_bbp_init(struct run_softc *);
485 static int	run_rt3070_rf_init(struct run_softc *);
486 static void	run_rt3593_rf_init(struct run_softc *);
487 static void	run_rt5390_rf_init(struct run_softc *);
488 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
489 		    uint8_t *);
490 static void	run_rt3070_rf_setup(struct run_softc *);
491 static void	run_rt3593_rf_setup(struct run_softc *);
492 static void	run_rt5390_rf_setup(struct run_softc *);
493 static int	run_txrx_enable(struct run_softc *);
494 static void	run_adjust_freq_offset(struct run_softc *);
495 static void	run_init_locked(struct run_softc *);
496 static void	run_stop(void *);
497 static void	run_delay(struct run_softc *, u_int);
498 
499 static eventhandler_tag run_etag;
500 
501 static const struct rt2860_rate {
502 	uint8_t		rate;
503 	uint8_t		mcs;
504 	enum		ieee80211_phytype phy;
505 	uint8_t		ctl_ridx;
506 	uint16_t	sp_ack_dur;
507 	uint16_t	lp_ack_dur;
508 } rt2860_rates[] = {
509 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
510 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
511 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
512 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
513 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
514 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
515 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
516 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
517 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
518 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
519 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
520 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
521 };
522 
523 static const struct {
524 	uint16_t	reg;
525 	uint32_t	val;
526 } rt2870_def_mac[] = {
527 	RT2870_DEF_MAC
528 };
529 
530 static const struct {
531 	uint8_t	reg;
532 	uint8_t	val;
533 } rt2860_def_bbp[] = {
534 	RT2860_DEF_BBP
535 },rt5390_def_bbp[] = {
536 	RT5390_DEF_BBP
537 },rt5592_def_bbp[] = {
538 	RT5592_DEF_BBP
539 };
540 
541 /*
542  * Default values for BBP register R196 for RT5592.
543  */
544 static const uint8_t rt5592_bbp_r196[] = {
545 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
546 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
547 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
548 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
549 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
550 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
551 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
552 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
553 	0x2e, 0x36, 0x30, 0x6e
554 };
555 
556 static const struct rfprog {
557 	uint8_t		chan;
558 	uint32_t	r1, r2, r3, r4;
559 } rt2860_rf2850[] = {
560 	RT2860_RF2850
561 };
562 
563 struct {
564 	uint8_t	n, r, k;
565 } rt3070_freqs[] = {
566 	RT3070_RF3052
567 };
568 
569 static const struct rt5592_freqs {
570 	uint16_t	n;
571 	uint8_t		k, m, r;
572 } rt5592_freqs_20mhz[] = {
573 	RT5592_RF5592_20MHZ
574 },rt5592_freqs_40mhz[] = {
575 	RT5592_RF5592_40MHZ
576 };
577 
578 static const struct {
579 	uint8_t	reg;
580 	uint8_t	val;
581 } rt3070_def_rf[] = {
582 	RT3070_DEF_RF
583 },rt3572_def_rf[] = {
584 	RT3572_DEF_RF
585 },rt3593_def_rf[] = {
586 	RT3593_DEF_RF
587 },rt5390_def_rf[] = {
588 	RT5390_DEF_RF
589 },rt5392_def_rf[] = {
590 	RT5392_DEF_RF
591 },rt5592_def_rf[] = {
592 	RT5592_DEF_RF
593 },rt5592_2ghz_def_rf[] = {
594 	RT5592_2GHZ_DEF_RF
595 },rt5592_5ghz_def_rf[] = {
596 	RT5592_5GHZ_DEF_RF
597 };
598 
599 static const struct {
600 	u_int	firstchan;
601 	u_int	lastchan;
602 	uint8_t	reg;
603 	uint8_t	val;
604 } rt5592_chan_5ghz[] = {
605 	RT5592_CHAN_5GHZ
606 };
607 
608 static const struct usb_config run_config[RUN_N_XFER] = {
609     [RUN_BULK_TX_BE] = {
610 	.type = UE_BULK,
611 	.endpoint = UE_ADDR_ANY,
612 	.ep_index = 0,
613 	.direction = UE_DIR_OUT,
614 	.bufsize = RUN_MAX_TXSZ,
615 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
616 	.callback = run_bulk_tx_callback0,
617 	.timeout = 5000,	/* ms */
618     },
619     [RUN_BULK_TX_BK] = {
620 	.type = UE_BULK,
621 	.endpoint = UE_ADDR_ANY,
622 	.direction = UE_DIR_OUT,
623 	.ep_index = 1,
624 	.bufsize = RUN_MAX_TXSZ,
625 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
626 	.callback = run_bulk_tx_callback1,
627 	.timeout = 5000,	/* ms */
628     },
629     [RUN_BULK_TX_VI] = {
630 	.type = UE_BULK,
631 	.endpoint = UE_ADDR_ANY,
632 	.direction = UE_DIR_OUT,
633 	.ep_index = 2,
634 	.bufsize = RUN_MAX_TXSZ,
635 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
636 	.callback = run_bulk_tx_callback2,
637 	.timeout = 5000,	/* ms */
638     },
639     [RUN_BULK_TX_VO] = {
640 	.type = UE_BULK,
641 	.endpoint = UE_ADDR_ANY,
642 	.direction = UE_DIR_OUT,
643 	.ep_index = 3,
644 	.bufsize = RUN_MAX_TXSZ,
645 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
646 	.callback = run_bulk_tx_callback3,
647 	.timeout = 5000,	/* ms */
648     },
649     [RUN_BULK_TX_HCCA] = {
650 	.type = UE_BULK,
651 	.endpoint = UE_ADDR_ANY,
652 	.direction = UE_DIR_OUT,
653 	.ep_index = 4,
654 	.bufsize = RUN_MAX_TXSZ,
655 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
656 	.callback = run_bulk_tx_callback4,
657 	.timeout = 5000,	/* ms */
658     },
659     [RUN_BULK_TX_PRIO] = {
660 	.type = UE_BULK,
661 	.endpoint = UE_ADDR_ANY,
662 	.direction = UE_DIR_OUT,
663 	.ep_index = 5,
664 	.bufsize = RUN_MAX_TXSZ,
665 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
666 	.callback = run_bulk_tx_callback5,
667 	.timeout = 5000,	/* ms */
668     },
669     [RUN_BULK_RX] = {
670 	.type = UE_BULK,
671 	.endpoint = UE_ADDR_ANY,
672 	.direction = UE_DIR_IN,
673 	.bufsize = RUN_MAX_RXSZ,
674 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
675 	.callback = run_bulk_rx_callback,
676     }
677 };
678 
679 static void
680 run_autoinst(void *arg, struct usb_device *udev,
681     struct usb_attach_arg *uaa)
682 {
683 	struct usb_interface *iface;
684 	struct usb_interface_descriptor *id;
685 
686 	if (uaa->dev_state != UAA_DEV_READY)
687 		return;
688 
689 	iface = usbd_get_iface(udev, 0);
690 	if (iface == NULL)
691 		return;
692 	id = iface->idesc;
693 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
694 		return;
695 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
696 		return;
697 
698 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
699 		uaa->dev_state = UAA_DEV_EJECTING;
700 }
701 
702 static int
703 run_driver_loaded(struct module *mod, int what, void *arg)
704 {
705 	switch (what) {
706 	case MOD_LOAD:
707 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
708 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
709 		break;
710 	case MOD_UNLOAD:
711 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
712 		break;
713 	default:
714 		return (EOPNOTSUPP);
715 	}
716 	return (0);
717 }
718 
719 static int
720 run_match(device_t self)
721 {
722 	struct usb_attach_arg *uaa = device_get_ivars(self);
723 
724 	if (uaa->usb_mode != USB_MODE_HOST)
725 		return (ENXIO);
726 	if (uaa->info.bConfigIndex != 0)
727 		return (ENXIO);
728 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
729 		return (ENXIO);
730 
731 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
732 }
733 
734 static int
735 run_attach(device_t self)
736 {
737 	struct run_softc *sc = device_get_softc(self);
738 	struct usb_attach_arg *uaa = device_get_ivars(self);
739 	struct ieee80211com *ic = &sc->sc_ic;
740 	uint32_t ver;
741 	uint8_t iface_index;
742 	int ntries, error;
743 
744 	device_set_usb_desc(self);
745 	sc->sc_udev = uaa->device;
746 	sc->sc_dev = self;
747 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
748 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
749 
750 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
751 	    MTX_NETWORK_LOCK, MTX_DEF);
752 	mbufq_init(&sc->sc_snd, ifqmaxlen);
753 
754 	iface_index = RT2860_IFACE_INDEX;
755 
756 	error = usbd_transfer_setup(uaa->device, &iface_index,
757 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
758 	if (error) {
759 		device_printf(self, "could not allocate USB transfers, "
760 		    "err=%s\n", usbd_errstr(error));
761 		goto detach;
762 	}
763 
764 	RUN_LOCK(sc);
765 
766 	/* wait for the chip to settle */
767 	for (ntries = 0; ntries < 100; ntries++) {
768 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
769 			RUN_UNLOCK(sc);
770 			goto detach;
771 		}
772 		if (ver != 0 && ver != 0xffffffff)
773 			break;
774 		run_delay(sc, 10);
775 	}
776 	if (ntries == 100) {
777 		device_printf(sc->sc_dev,
778 		    "timeout waiting for NIC to initialize\n");
779 		RUN_UNLOCK(sc);
780 		goto detach;
781 	}
782 	sc->mac_ver = ver >> 16;
783 	sc->mac_rev = ver & 0xffff;
784 
785 	/* retrieve RF rev. no and various other things from EEPROM */
786 	run_read_eeprom(sc);
787 
788 	device_printf(sc->sc_dev,
789 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
790 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
791 	    sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
792 
793 	RUN_UNLOCK(sc);
794 
795 	ic->ic_softc = sc;
796 	ic->ic_name = device_get_nameunit(self);
797 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
798 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
799 
800 	/* set device capabilities */
801 	ic->ic_caps =
802 	    IEEE80211_C_STA |		/* station mode supported */
803 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
804 	    IEEE80211_C_IBSS |
805 	    IEEE80211_C_HOSTAP |
806 	    IEEE80211_C_WDS |		/* 4-address traffic works */
807 	    IEEE80211_C_MBSS |
808 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
809 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
810 	    IEEE80211_C_WME |		/* WME */
811 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
812 
813 	ic->ic_cryptocaps =
814 	    IEEE80211_CRYPTO_WEP |
815 	    IEEE80211_CRYPTO_AES_CCM |
816 	    IEEE80211_CRYPTO_TKIPMIC |
817 	    IEEE80211_CRYPTO_TKIP;
818 
819 	ic->ic_flags |= IEEE80211_F_DATAPAD;
820 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
821 
822 	run_getradiocaps(ic, IEEE80211_CHAN_MAX, &ic->ic_nchans,
823 	    ic->ic_channels);
824 
825 	ieee80211_ifattach(ic);
826 
827 	ic->ic_scan_start = run_scan_start;
828 	ic->ic_scan_end = run_scan_end;
829 	ic->ic_set_channel = run_set_channel;
830 	ic->ic_getradiocaps = run_getradiocaps;
831 	ic->ic_node_alloc = run_node_alloc;
832 	ic->ic_newassoc = run_newassoc;
833 	ic->ic_updateslot = run_updateslot;
834 	ic->ic_update_mcast = run_update_mcast;
835 	ic->ic_wme.wme_update = run_wme_update;
836 	ic->ic_raw_xmit = run_raw_xmit;
837 	ic->ic_update_promisc = run_update_promisc;
838 	ic->ic_vap_create = run_vap_create;
839 	ic->ic_vap_delete = run_vap_delete;
840 	ic->ic_transmit = run_transmit;
841 	ic->ic_parent = run_parent;
842 
843 	ieee80211_radiotap_attach(ic,
844 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
845 		RUN_TX_RADIOTAP_PRESENT,
846 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
847 		RUN_RX_RADIOTAP_PRESENT);
848 
849 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
850 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
851 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
852 
853 	if (bootverbose)
854 		ieee80211_announce(ic);
855 
856 	return (0);
857 
858 detach:
859 	run_detach(self);
860 	return (ENXIO);
861 }
862 
863 static void
864 run_drain_mbufq(struct run_softc *sc)
865 {
866 	struct mbuf *m;
867 	struct ieee80211_node *ni;
868 
869 	RUN_LOCK_ASSERT(sc, MA_OWNED);
870 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
871 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
872 		m->m_pkthdr.rcvif = NULL;
873 		ieee80211_free_node(ni);
874 		m_freem(m);
875 	}
876 }
877 
878 static int
879 run_detach(device_t self)
880 {
881 	struct run_softc *sc = device_get_softc(self);
882 	struct ieee80211com *ic = &sc->sc_ic;
883 	int i;
884 
885 	RUN_LOCK(sc);
886 	sc->sc_detached = 1;
887 	RUN_UNLOCK(sc);
888 
889 	/* stop all USB transfers */
890 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
891 
892 	RUN_LOCK(sc);
893 	sc->ratectl_run = RUN_RATECTL_OFF;
894 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
895 
896 	/* free TX list, if any */
897 	for (i = 0; i != RUN_EP_QUEUES; i++)
898 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
899 
900 	/* Free TX queue */
901 	run_drain_mbufq(sc);
902 	RUN_UNLOCK(sc);
903 
904 	if (sc->sc_ic.ic_softc == sc) {
905 		/* drain tasks */
906 		usb_callout_drain(&sc->ratectl_ch);
907 		ieee80211_draintask(ic, &sc->cmdq_task);
908 		ieee80211_draintask(ic, &sc->ratectl_task);
909 		ieee80211_ifdetach(ic);
910 	}
911 
912 	mtx_destroy(&sc->sc_mtx);
913 
914 	return (0);
915 }
916 
917 static struct ieee80211vap *
918 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
919     enum ieee80211_opmode opmode, int flags,
920     const uint8_t bssid[IEEE80211_ADDR_LEN],
921     const uint8_t mac[IEEE80211_ADDR_LEN])
922 {
923 	struct run_softc *sc = ic->ic_softc;
924 	struct run_vap *rvp;
925 	struct ieee80211vap *vap;
926 	int i;
927 
928 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
929 		device_printf(sc->sc_dev, "number of VAPs maxed out\n");
930 		return (NULL);
931 	}
932 
933 	switch (opmode) {
934 	case IEEE80211_M_STA:
935 		/* enable s/w bmiss handling for sta mode */
936 		flags |= IEEE80211_CLONE_NOBEACONS;
937 		/* fall though */
938 	case IEEE80211_M_IBSS:
939 	case IEEE80211_M_MONITOR:
940 	case IEEE80211_M_HOSTAP:
941 	case IEEE80211_M_MBSS:
942 		/* other than WDS vaps, only one at a time */
943 		if (!TAILQ_EMPTY(&ic->ic_vaps))
944 			return (NULL);
945 		break;
946 	case IEEE80211_M_WDS:
947 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
948 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
949 				continue;
950 			/* WDS vap's always share the local mac address. */
951 			flags &= ~IEEE80211_CLONE_BSSID;
952 			break;
953 		}
954 		if (vap == NULL) {
955 			device_printf(sc->sc_dev,
956 			    "wds only supported in ap mode\n");
957 			return (NULL);
958 		}
959 		break;
960 	default:
961 		device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
962 		return (NULL);
963 	}
964 
965 	rvp = malloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
966 	vap = &rvp->vap;
967 
968 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
969 	    bssid) != 0) {
970 		/* out of memory */
971 		free(rvp, M_80211_VAP);
972 		return (NULL);
973 	}
974 
975 	vap->iv_update_beacon = run_update_beacon;
976 	vap->iv_max_aid = RT2870_WCID_MAX;
977 	/*
978 	 * To delete the right key from h/w, we need wcid.
979 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
980 	 * and matching wcid will be written into there. So, cast
981 	 * some spells to remove 'const' from ieee80211_key{}
982 	 */
983 	vap->iv_key_delete = (void *)run_key_delete;
984 	vap->iv_key_set = (void *)run_key_set;
985 
986 	/* override state transition machine */
987 	rvp->newstate = vap->iv_newstate;
988 	vap->iv_newstate = run_newstate;
989 	if (opmode == IEEE80211_M_IBSS) {
990 		rvp->recv_mgmt = vap->iv_recv_mgmt;
991 		vap->iv_recv_mgmt = run_recv_mgmt;
992 	}
993 
994 	ieee80211_ratectl_init(vap);
995 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
996 
997 	/* complete setup */
998 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
999 	    mac);
1000 
1001 	/* make sure id is always unique */
1002 	for (i = 0; i < RUN_VAP_MAX; i++) {
1003 		if((sc->rvp_bmap & 1 << i) == 0){
1004 			sc->rvp_bmap |= 1 << i;
1005 			rvp->rvp_id = i;
1006 			break;
1007 		}
1008 	}
1009 	if (sc->rvp_cnt++ == 0)
1010 		ic->ic_opmode = opmode;
1011 
1012 	if (opmode == IEEE80211_M_HOSTAP)
1013 		sc->cmdq_run = RUN_CMDQ_GO;
1014 
1015 	RUN_DPRINTF(sc, RUN_DEBUG_STATE, "rvp_id=%d bmap=%x rvp_cnt=%d\n",
1016 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1017 
1018 	return (vap);
1019 }
1020 
1021 static void
1022 run_vap_delete(struct ieee80211vap *vap)
1023 {
1024 	struct run_vap *rvp = RUN_VAP(vap);
1025 	struct ieee80211com *ic;
1026 	struct run_softc *sc;
1027 	uint8_t rvp_id;
1028 
1029 	if (vap == NULL)
1030 		return;
1031 
1032 	ic = vap->iv_ic;
1033 	sc = ic->ic_softc;
1034 
1035 	RUN_LOCK(sc);
1036 
1037 	m_freem(rvp->beacon_mbuf);
1038 	rvp->beacon_mbuf = NULL;
1039 
1040 	rvp_id = rvp->rvp_id;
1041 	sc->ratectl_run &= ~(1 << rvp_id);
1042 	sc->rvp_bmap &= ~(1 << rvp_id);
1043 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1044 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1045 	--sc->rvp_cnt;
1046 
1047 	RUN_DPRINTF(sc, RUN_DEBUG_STATE,
1048 	    "vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1049 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1050 
1051 	RUN_UNLOCK(sc);
1052 
1053 	ieee80211_ratectl_deinit(vap);
1054 	ieee80211_vap_detach(vap);
1055 	free(rvp, M_80211_VAP);
1056 }
1057 
1058 /*
1059  * There are numbers of functions need to be called in context thread.
1060  * Rather than creating taskqueue event for each of those functions,
1061  * here is all-for-one taskqueue callback function. This function
1062  * guarantees deferred functions are executed in the same order they
1063  * were enqueued.
1064  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1065  */
1066 static void
1067 run_cmdq_cb(void *arg, int pending)
1068 {
1069 	struct run_softc *sc = arg;
1070 	uint8_t i;
1071 
1072 	/* call cmdq[].func locked */
1073 	RUN_LOCK(sc);
1074 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1075 	    i = sc->cmdq_exec, pending--) {
1076 		RUN_DPRINTF(sc, RUN_DEBUG_CMD, "cmdq_exec=%d pending=%d\n",
1077 		    i, pending);
1078 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1079 			/*
1080 			 * If arg0 is NULL, callback func needs more
1081 			 * than one arg. So, pass ptr to cmdq struct.
1082 			 */
1083 			if (sc->cmdq[i].arg0)
1084 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1085 			else
1086 				sc->cmdq[i].func(&sc->cmdq[i]);
1087 		}
1088 		sc->cmdq[i].arg0 = NULL;
1089 		sc->cmdq[i].func = NULL;
1090 		sc->cmdq_exec++;
1091 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1092 	}
1093 	RUN_UNLOCK(sc);
1094 }
1095 
1096 static void
1097 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1098 {
1099 	struct run_tx_data *data;
1100 
1101 	memset(pq, 0, sizeof(*pq));
1102 
1103 	STAILQ_INIT(&pq->tx_qh);
1104 	STAILQ_INIT(&pq->tx_fh);
1105 
1106 	for (data = &pq->tx_data[0];
1107 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1108 		data->sc = sc;
1109 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1110 	}
1111 	pq->tx_nfree = RUN_TX_RING_COUNT;
1112 }
1113 
1114 static void
1115 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1116 {
1117 	struct run_tx_data *data;
1118 
1119 	/* make sure any subsequent use of the queues will fail */
1120 	pq->tx_nfree = 0;
1121 	STAILQ_INIT(&pq->tx_fh);
1122 	STAILQ_INIT(&pq->tx_qh);
1123 
1124 	/* free up all node references and mbufs */
1125 	for (data = &pq->tx_data[0];
1126 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1127 		if (data->m != NULL) {
1128 			m_freem(data->m);
1129 			data->m = NULL;
1130 		}
1131 		if (data->ni != NULL) {
1132 			ieee80211_free_node(data->ni);
1133 			data->ni = NULL;
1134 		}
1135 	}
1136 }
1137 
1138 static int
1139 run_load_microcode(struct run_softc *sc)
1140 {
1141 	usb_device_request_t req;
1142 	const struct firmware *fw;
1143 	const u_char *base;
1144 	uint32_t tmp;
1145 	int ntries, error;
1146 	const uint64_t *temp;
1147 	uint64_t bytes;
1148 
1149 	RUN_UNLOCK(sc);
1150 	fw = firmware_get("runfw");
1151 	RUN_LOCK(sc);
1152 	if (fw == NULL) {
1153 		device_printf(sc->sc_dev,
1154 		    "failed loadfirmware of file %s\n", "runfw");
1155 		return ENOENT;
1156 	}
1157 
1158 	if (fw->datasize != 8192) {
1159 		device_printf(sc->sc_dev,
1160 		    "invalid firmware size (should be 8KB)\n");
1161 		error = EINVAL;
1162 		goto fail;
1163 	}
1164 
1165 	/*
1166 	 * RT3071/RT3072 use a different firmware
1167 	 * run-rt2870 (8KB) contains both,
1168 	 * first half (4KB) is for rt2870,
1169 	 * last half is for rt3071.
1170 	 */
1171 	base = fw->data;
1172 	if ((sc->mac_ver) != 0x2860 &&
1173 	    (sc->mac_ver) != 0x2872 &&
1174 	    (sc->mac_ver) != 0x3070) {
1175 		base += 4096;
1176 	}
1177 
1178 	/* cheap sanity check */
1179 	temp = fw->data;
1180 	bytes = *temp;
1181 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1182 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1183 		error = EINVAL;
1184 		goto fail;
1185 	}
1186 
1187 	/* write microcode image */
1188 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1189 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1190 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1191 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1192 	}
1193 
1194 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1195 	req.bRequest = RT2870_RESET;
1196 	USETW(req.wValue, 8);
1197 	USETW(req.wIndex, 0);
1198 	USETW(req.wLength, 0);
1199 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1200 	    != 0) {
1201 		device_printf(sc->sc_dev, "firmware reset failed\n");
1202 		goto fail;
1203 	}
1204 
1205 	run_delay(sc, 10);
1206 
1207 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1208 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1209 	run_write(sc, RT2860_H2M_INTSRC, 0);
1210 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1211 		goto fail;
1212 
1213 	/* wait until microcontroller is ready */
1214 	for (ntries = 0; ntries < 1000; ntries++) {
1215 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1216 			goto fail;
1217 		if (tmp & RT2860_MCU_READY)
1218 			break;
1219 		run_delay(sc, 10);
1220 	}
1221 	if (ntries == 1000) {
1222 		device_printf(sc->sc_dev,
1223 		    "timeout waiting for MCU to initialize\n");
1224 		error = ETIMEDOUT;
1225 		goto fail;
1226 	}
1227 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1228 	    (base == fw->data) ? "RT2870" : "RT3071",
1229 	    *(base + 4092), *(base + 4093));
1230 
1231 fail:
1232 	firmware_put(fw, FIRMWARE_UNLOAD);
1233 	return (error);
1234 }
1235 
1236 static int
1237 run_reset(struct run_softc *sc)
1238 {
1239 	usb_device_request_t req;
1240 
1241 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1242 	req.bRequest = RT2870_RESET;
1243 	USETW(req.wValue, 1);
1244 	USETW(req.wIndex, 0);
1245 	USETW(req.wLength, 0);
1246 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1247 }
1248 
1249 static usb_error_t
1250 run_do_request(struct run_softc *sc,
1251     struct usb_device_request *req, void *data)
1252 {
1253 	usb_error_t err;
1254 	int ntries = 10;
1255 
1256 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1257 
1258 	while (ntries--) {
1259 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1260 		    req, data, 0, NULL, 250 /* ms */);
1261 		if (err == 0)
1262 			break;
1263 		RUN_DPRINTF(sc, RUN_DEBUG_USB,
1264 		    "Control request failed, %s (retrying)\n",
1265 		    usbd_errstr(err));
1266 		run_delay(sc, 10);
1267 	}
1268 	return (err);
1269 }
1270 
1271 static int
1272 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1273 {
1274 	uint32_t tmp;
1275 	int error;
1276 
1277 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1278 	if (error == 0)
1279 		*val = le32toh(tmp);
1280 	else
1281 		*val = 0xffffffff;
1282 	return (error);
1283 }
1284 
1285 static int
1286 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1287 {
1288 	usb_device_request_t req;
1289 
1290 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1291 	req.bRequest = RT2870_READ_REGION_1;
1292 	USETW(req.wValue, 0);
1293 	USETW(req.wIndex, reg);
1294 	USETW(req.wLength, len);
1295 
1296 	return (run_do_request(sc, &req, buf));
1297 }
1298 
1299 static int
1300 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1301 {
1302 	usb_device_request_t req;
1303 
1304 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1305 	req.bRequest = RT2870_WRITE_2;
1306 	USETW(req.wValue, val);
1307 	USETW(req.wIndex, reg);
1308 	USETW(req.wLength, 0);
1309 
1310 	return (run_do_request(sc, &req, NULL));
1311 }
1312 
1313 static int
1314 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1315 {
1316 	int error;
1317 
1318 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1319 		error = run_write_2(sc, reg + 2, val >> 16);
1320 	return (error);
1321 }
1322 
1323 static int
1324 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1325     int len)
1326 {
1327 #if 1
1328 	int i, error = 0;
1329 	/*
1330 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1331 	 * We thus issue multiple WRITE_2 commands instead.
1332 	 */
1333 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1334 	for (i = 0; i < len && error == 0; i += 2)
1335 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1336 	return (error);
1337 #else
1338 	usb_device_request_t req;
1339 	int error = 0;
1340 
1341 	/*
1342 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1343 	 * passed a huge amount of data, which will crash the
1344 	 * firmware. Limit amount of data passed to 64-bytes at a
1345 	 * time.
1346 	 */
1347 	while (len > 0) {
1348 		int delta = 64;
1349 		if (delta > len)
1350 			delta = len;
1351 
1352 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1353 		req.bRequest = RT2870_WRITE_REGION_1;
1354 		USETW(req.wValue, 0);
1355 		USETW(req.wIndex, reg);
1356 		USETW(req.wLength, delta);
1357 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1358 		if (error != 0)
1359 			break;
1360 		reg += delta;
1361 		buf += delta;
1362 		len -= delta;
1363 	}
1364 	return (error);
1365 #endif
1366 }
1367 
1368 static int
1369 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1370 {
1371 	int i, error = 0;
1372 
1373 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1374 	for (i = 0; i < len && error == 0; i += 4)
1375 		error = run_write(sc, reg + i, val);
1376 	return (error);
1377 }
1378 
1379 static int
1380 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1381 {
1382 	uint32_t tmp;
1383 	uint16_t reg;
1384 	int error, ntries;
1385 
1386 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1387 		return (error);
1388 
1389 	if (count == 2)
1390 		addr *= 2;
1391 	/*-
1392 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1393 	 * DATA0: F E D C
1394 	 * DATA1: B A 9 8
1395 	 * DATA2: 7 6 5 4
1396 	 * DATA3: 3 2 1 0
1397 	 */
1398 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1399 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1400 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1401 	for (ntries = 0; ntries < 100; ntries++) {
1402 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1403 			return (error);
1404 		if (!(tmp & RT3070_EFSROM_KICK))
1405 			break;
1406 		run_delay(sc, 2);
1407 	}
1408 	if (ntries == 100)
1409 		return (ETIMEDOUT);
1410 
1411 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1412 		*val = 0xffff;	/* address not found */
1413 		return (0);
1414 	}
1415 	/* determine to which 32-bit register our 16-bit word belongs */
1416 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1417 	if ((error = run_read(sc, reg, &tmp)) != 0)
1418 		return (error);
1419 
1420 	tmp >>= (8 * (addr & 0x3));
1421 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1422 
1423 	return (0);
1424 }
1425 
1426 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1427 static int
1428 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1429 {
1430 	return (run_efuse_read(sc, addr, val, 2));
1431 }
1432 
1433 static int
1434 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1435 {
1436 	usb_device_request_t req;
1437 	uint16_t tmp;
1438 	int error;
1439 
1440 	addr *= 2;
1441 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1442 	req.bRequest = RT2870_EEPROM_READ;
1443 	USETW(req.wValue, 0);
1444 	USETW(req.wIndex, addr);
1445 	USETW(req.wLength, sizeof(tmp));
1446 
1447 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1448 	if (error == 0)
1449 		*val = le16toh(tmp);
1450 	else
1451 		*val = 0xffff;
1452 	return (error);
1453 }
1454 
1455 static __inline int
1456 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1457 {
1458 	/* either eFUSE ROM or EEPROM */
1459 	return sc->sc_srom_read(sc, addr, val);
1460 }
1461 
1462 static int
1463 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1464 {
1465 	uint32_t tmp;
1466 	int error, ntries;
1467 
1468 	for (ntries = 0; ntries < 10; ntries++) {
1469 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1470 			return (error);
1471 		if (!(tmp & RT2860_RF_REG_CTRL))
1472 			break;
1473 	}
1474 	if (ntries == 10)
1475 		return (ETIMEDOUT);
1476 
1477 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1478 }
1479 
1480 static int
1481 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1482 {
1483 	uint32_t tmp;
1484 	int error, ntries;
1485 
1486 	for (ntries = 0; ntries < 100; ntries++) {
1487 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1488 			return (error);
1489 		if (!(tmp & RT3070_RF_KICK))
1490 			break;
1491 	}
1492 	if (ntries == 100)
1493 		return (ETIMEDOUT);
1494 
1495 	tmp = RT3070_RF_KICK | reg << 8;
1496 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1497 		return (error);
1498 
1499 	for (ntries = 0; ntries < 100; ntries++) {
1500 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1501 			return (error);
1502 		if (!(tmp & RT3070_RF_KICK))
1503 			break;
1504 	}
1505 	if (ntries == 100)
1506 		return (ETIMEDOUT);
1507 
1508 	*val = tmp & 0xff;
1509 	return (0);
1510 }
1511 
1512 static int
1513 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1514 {
1515 	uint32_t tmp;
1516 	int error, ntries;
1517 
1518 	for (ntries = 0; ntries < 10; ntries++) {
1519 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1520 			return (error);
1521 		if (!(tmp & RT3070_RF_KICK))
1522 			break;
1523 	}
1524 	if (ntries == 10)
1525 		return (ETIMEDOUT);
1526 
1527 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1528 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1529 }
1530 
1531 static int
1532 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1533 {
1534 	uint32_t tmp;
1535 	int ntries, error;
1536 
1537 	for (ntries = 0; ntries < 10; ntries++) {
1538 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1539 			return (error);
1540 		if (!(tmp & RT2860_BBP_CSR_KICK))
1541 			break;
1542 	}
1543 	if (ntries == 10)
1544 		return (ETIMEDOUT);
1545 
1546 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1547 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1548 		return (error);
1549 
1550 	for (ntries = 0; ntries < 10; ntries++) {
1551 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1552 			return (error);
1553 		if (!(tmp & RT2860_BBP_CSR_KICK))
1554 			break;
1555 	}
1556 	if (ntries == 10)
1557 		return (ETIMEDOUT);
1558 
1559 	*val = tmp & 0xff;
1560 	return (0);
1561 }
1562 
1563 static int
1564 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1565 {
1566 	uint32_t tmp;
1567 	int ntries, error;
1568 
1569 	for (ntries = 0; ntries < 10; ntries++) {
1570 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1571 			return (error);
1572 		if (!(tmp & RT2860_BBP_CSR_KICK))
1573 			break;
1574 	}
1575 	if (ntries == 10)
1576 		return (ETIMEDOUT);
1577 
1578 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1579 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1580 }
1581 
1582 /*
1583  * Send a command to the 8051 microcontroller unit.
1584  */
1585 static int
1586 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1587 {
1588 	uint32_t tmp;
1589 	int error, ntries;
1590 
1591 	for (ntries = 0; ntries < 100; ntries++) {
1592 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1593 			return error;
1594 		if (!(tmp & RT2860_H2M_BUSY))
1595 			break;
1596 	}
1597 	if (ntries == 100)
1598 		return ETIMEDOUT;
1599 
1600 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1601 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1602 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1603 	return (error);
1604 }
1605 
1606 /*
1607  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1608  * Used to adjust per-rate Tx power registers.
1609  */
1610 static __inline uint32_t
1611 b4inc(uint32_t b32, int8_t delta)
1612 {
1613 	int8_t i, b4;
1614 
1615 	for (i = 0; i < 8; i++) {
1616 		b4 = b32 & 0xf;
1617 		b4 += delta;
1618 		if (b4 < 0)
1619 			b4 = 0;
1620 		else if (b4 > 0xf)
1621 			b4 = 0xf;
1622 		b32 = b32 >> 4 | b4 << 28;
1623 	}
1624 	return (b32);
1625 }
1626 
1627 static const char *
1628 run_get_rf(uint16_t rev)
1629 {
1630 	switch (rev) {
1631 	case RT2860_RF_2820:	return "RT2820";
1632 	case RT2860_RF_2850:	return "RT2850";
1633 	case RT2860_RF_2720:	return "RT2720";
1634 	case RT2860_RF_2750:	return "RT2750";
1635 	case RT3070_RF_3020:	return "RT3020";
1636 	case RT3070_RF_2020:	return "RT2020";
1637 	case RT3070_RF_3021:	return "RT3021";
1638 	case RT3070_RF_3022:	return "RT3022";
1639 	case RT3070_RF_3052:	return "RT3052";
1640 	case RT3593_RF_3053:	return "RT3053";
1641 	case RT5592_RF_5592:	return "RT5592";
1642 	case RT5390_RF_5370:	return "RT5370";
1643 	case RT5390_RF_5372:	return "RT5372";
1644 	}
1645 	return ("unknown");
1646 }
1647 
1648 static void
1649 run_rt3593_get_txpower(struct run_softc *sc)
1650 {
1651 	uint16_t addr, val;
1652 	int i;
1653 
1654 	/* Read power settings for 2GHz channels. */
1655 	for (i = 0; i < 14; i += 2) {
1656 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1657 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1658 		run_srom_read(sc, addr + i / 2, &val);
1659 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1660 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1661 
1662 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1663 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1664 		run_srom_read(sc, addr + i / 2, &val);
1665 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1666 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1667 
1668 		if (sc->ntxchains == 3) {
1669 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1670 			    &val);
1671 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1672 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1673 		}
1674 	}
1675 	/* Fix broken Tx power entries. */
1676 	for (i = 0; i < 14; i++) {
1677 		if (sc->txpow1[i] > 31)
1678 			sc->txpow1[i] = 5;
1679 		if (sc->txpow2[i] > 31)
1680 			sc->txpow2[i] = 5;
1681 		if (sc->ntxchains == 3) {
1682 			if (sc->txpow3[i] > 31)
1683 				sc->txpow3[i] = 5;
1684 		}
1685 	}
1686 	/* Read power settings for 5GHz channels. */
1687 	for (i = 0; i < 40; i += 2) {
1688 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1689 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1690 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1691 
1692 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1693 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1694 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1695 
1696 		if (sc->ntxchains == 3) {
1697 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1698 			    &val);
1699 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1700 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1701 		}
1702 	}
1703 }
1704 
1705 static void
1706 run_get_txpower(struct run_softc *sc)
1707 {
1708 	uint16_t val;
1709 	int i;
1710 
1711 	/* Read power settings for 2GHz channels. */
1712 	for (i = 0; i < 14; i += 2) {
1713 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1714 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1715 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1716 
1717 		if (sc->mac_ver != 0x5390) {
1718 			run_srom_read(sc,
1719 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1720 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1721 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1722 		}
1723 	}
1724 	/* Fix broken Tx power entries. */
1725 	for (i = 0; i < 14; i++) {
1726 		if (sc->mac_ver >= 0x5390) {
1727 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1728 				sc->txpow1[i] = 5;
1729 		} else {
1730 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1731 				sc->txpow1[i] = 5;
1732 		}
1733 		if (sc->mac_ver > 0x5390) {
1734 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1735 				sc->txpow2[i] = 5;
1736 		} else if (sc->mac_ver < 0x5390) {
1737 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1738 				sc->txpow2[i] = 5;
1739 		}
1740 		RUN_DPRINTF(sc, RUN_DEBUG_TXPWR,
1741 		    "chan %d: power1=%d, power2=%d\n",
1742 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1743 	}
1744 	/* Read power settings for 5GHz channels. */
1745 	for (i = 0; i < 40; i += 2) {
1746 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1747 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1748 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1749 
1750 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1751 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1752 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1753 	}
1754 	/* Fix broken Tx power entries. */
1755 	for (i = 0; i < 40; i++ ) {
1756 		if (sc->mac_ver != 0x5592) {
1757 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1758 				sc->txpow1[14 + i] = 5;
1759 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1760 				sc->txpow2[14 + i] = 5;
1761 		}
1762 		RUN_DPRINTF(sc, RUN_DEBUG_TXPWR,
1763 		    "chan %d: power1=%d, power2=%d\n",
1764 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1765 		    sc->txpow2[14 + i]);
1766 	}
1767 }
1768 
1769 static int
1770 run_read_eeprom(struct run_softc *sc)
1771 {
1772 	struct ieee80211com *ic = &sc->sc_ic;
1773 	int8_t delta_2ghz, delta_5ghz;
1774 	uint32_t tmp;
1775 	uint16_t val;
1776 	int ridx, ant, i;
1777 
1778 	/* check whether the ROM is eFUSE ROM or EEPROM */
1779 	sc->sc_srom_read = run_eeprom_read_2;
1780 	if (sc->mac_ver >= 0x3070) {
1781 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1782 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EFUSE_CTRL=0x%08x\n", tmp);
1783 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1784 			sc->sc_srom_read = run_efuse_read_2;
1785 	}
1786 
1787 	/* read ROM version */
1788 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1789 	RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1790 	    "EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1791 
1792 	/* read MAC address */
1793 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1794 	ic->ic_macaddr[0] = val & 0xff;
1795 	ic->ic_macaddr[1] = val >> 8;
1796 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1797 	ic->ic_macaddr[2] = val & 0xff;
1798 	ic->ic_macaddr[3] = val >> 8;
1799 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1800 	ic->ic_macaddr[4] = val & 0xff;
1801 	ic->ic_macaddr[5] = val >> 8;
1802 
1803 	if (sc->mac_ver < 0x3593) {
1804 		/* read vender BBP settings */
1805 		for (i = 0; i < 10; i++) {
1806 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1807 			sc->bbp[i].val = val & 0xff;
1808 			sc->bbp[i].reg = val >> 8;
1809 			RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1810 			    "BBP%d=0x%02x\n", sc->bbp[i].reg, sc->bbp[i].val);
1811 		}
1812 		if (sc->mac_ver >= 0x3071) {
1813 			/* read vendor RF settings */
1814 			for (i = 0; i < 10; i++) {
1815 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1816 				   &val);
1817 				sc->rf[i].val = val & 0xff;
1818 				sc->rf[i].reg = val >> 8;
1819 				RUN_DPRINTF(sc, RUN_DEBUG_ROM, "RF%d=0x%02x\n",
1820 				    sc->rf[i].reg, sc->rf[i].val);
1821 			}
1822 		}
1823 	}
1824 
1825 	/* read RF frequency offset from EEPROM */
1826 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1827 	    RT3593_EEPROM_FREQ, &val);
1828 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1829 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM freq offset %d\n",
1830 	    sc->freq & 0xff);
1831 
1832 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1833 	    RT3593_EEPROM_FREQ_LEDS, &val);
1834 	if (val >> 8 != 0xff) {
1835 		/* read LEDs operating mode */
1836 		sc->leds = val >> 8;
1837 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1838 		    RT3593_EEPROM_LED1, &sc->led[0]);
1839 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1840 		    RT3593_EEPROM_LED2, &sc->led[1]);
1841 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1842 		    RT3593_EEPROM_LED3, &sc->led[2]);
1843 	} else {
1844 		/* broken EEPROM, use default settings */
1845 		sc->leds = 0x01;
1846 		sc->led[0] = 0x5555;
1847 		sc->led[1] = 0x2221;
1848 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1849 	}
1850 	RUN_DPRINTF(sc, RUN_DEBUG_ROM,
1851 	    "EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1852 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1853 
1854 	/* read RF information */
1855 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1856 		run_srom_read(sc, 0x00, &val);
1857 	else
1858 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1859 
1860 	if (val == 0xffff) {
1861 		device_printf(sc->sc_dev,
1862 		    "invalid EEPROM antenna info, using default\n");
1863 		if (sc->mac_ver == 0x3572) {
1864 			/* default to RF3052 2T2R */
1865 			sc->rf_rev = RT3070_RF_3052;
1866 			sc->ntxchains = 2;
1867 			sc->nrxchains = 2;
1868 		} else if (sc->mac_ver >= 0x3070) {
1869 			/* default to RF3020 1T1R */
1870 			sc->rf_rev = RT3070_RF_3020;
1871 			sc->ntxchains = 1;
1872 			sc->nrxchains = 1;
1873 		} else {
1874 			/* default to RF2820 1T2R */
1875 			sc->rf_rev = RT2860_RF_2820;
1876 			sc->ntxchains = 1;
1877 			sc->nrxchains = 2;
1878 		}
1879 	} else {
1880 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1881 			sc->rf_rev = val;
1882 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1883 		} else
1884 			sc->rf_rev = (val >> 8) & 0xf;
1885 		sc->ntxchains = (val >> 4) & 0xf;
1886 		sc->nrxchains = val & 0xf;
1887 	}
1888 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM RF rev=0x%04x chains=%dT%dR\n",
1889 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1890 
1891 	/* check if RF supports automatic Tx access gain control */
1892 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1893 	RUN_DPRINTF(sc, RUN_DEBUG_ROM, "EEPROM CFG 0x%04x\n", val);
1894 	/* check if driver should patch the DAC issue */
1895 	if ((val >> 8) != 0xff)
1896 		sc->patch_dac = (val >> 15) & 1;
1897 	if ((val & 0xff) != 0xff) {
1898 		sc->ext_5ghz_lna = (val >> 3) & 1;
1899 		sc->ext_2ghz_lna = (val >> 2) & 1;
1900 		/* check if RF supports automatic Tx access gain control */
1901 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1902 		/* check if we have a hardware radio switch */
1903 		sc->rfswitch = val & 1;
1904 	}
1905 
1906 	/* Read Tx power settings. */
1907 	if (sc->mac_ver == 0x3593)
1908 		run_rt3593_get_txpower(sc);
1909 	else
1910 		run_get_txpower(sc);
1911 
1912 	/* read Tx power compensation for each Tx rate */
1913 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1914 	delta_2ghz = delta_5ghz = 0;
1915 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1916 		delta_2ghz = val & 0xf;
1917 		if (!(val & 0x40))	/* negative number */
1918 			delta_2ghz = -delta_2ghz;
1919 	}
1920 	val >>= 8;
1921 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1922 		delta_5ghz = val & 0xf;
1923 		if (!(val & 0x40))	/* negative number */
1924 			delta_5ghz = -delta_5ghz;
1925 	}
1926 	RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_TXPWR,
1927 	    "power compensation=%d (2GHz), %d (5GHz)\n", delta_2ghz, delta_5ghz);
1928 
1929 	for (ridx = 0; ridx < 5; ridx++) {
1930 		uint32_t reg;
1931 
1932 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1933 		reg = val;
1934 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1935 		reg |= (uint32_t)val << 16;
1936 
1937 		sc->txpow20mhz[ridx] = reg;
1938 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1939 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1940 
1941 		RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_TXPWR,
1942 		    "ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1943 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1944 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1945 	}
1946 
1947 	/* Read RSSI offsets and LNA gains from EEPROM. */
1948 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1949 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1950 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1951 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1952 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1953 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1954 	if (sc->mac_ver >= 0x3070) {
1955 		if (sc->mac_ver == 0x3593) {
1956 			sc->txmixgain_2ghz = 0;
1957 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1958 		} else {
1959 			/*
1960 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1961 			 * field contains the Tx mixer gain for the 2GHz band.
1962 			 */
1963 			if ((val & 0xff) != 0xff)
1964 				sc->txmixgain_2ghz = val & 0x7;
1965 		}
1966 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "tx mixer gain=%u (2GHz)\n",
1967 		    sc->txmixgain_2ghz);
1968 	} else
1969 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1970 	if (sc->mac_ver == 0x3593)
1971 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1972 	sc->lna[2] = val >> 8;		/* channel group 2 */
1973 
1974 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1975 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1976 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1977 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1978 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1979 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1980 	if (sc->mac_ver == 0x3572) {
1981 		/*
1982 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1983 		 * field contains the Tx mixer gain for the 5GHz band.
1984 		 */
1985 		if ((val & 0xff) != 0xff)
1986 			sc->txmixgain_5ghz = val & 0x7;
1987 		RUN_DPRINTF(sc, RUN_DEBUG_ROM, "tx mixer gain=%u (5GHz)\n",
1988 		    sc->txmixgain_5ghz);
1989 	} else
1990 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1991 	if (sc->mac_ver == 0x3593) {
1992 		sc->txmixgain_5ghz = 0;
1993 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1994 	}
1995 	sc->lna[3] = val >> 8;		/* channel group 3 */
1996 
1997 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1998 	    RT3593_EEPROM_LNA, &val);
1999 	sc->lna[0] = val & 0xff;	/* channel group 0 */
2000 	sc->lna[1] = val >> 8;		/* channel group 1 */
2001 
2002 	/* fix broken 5GHz LNA entries */
2003 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
2004 		RUN_DPRINTF(sc, RUN_DEBUG_ROM,
2005 		    "invalid LNA for channel group %d\n", 2);
2006 		sc->lna[2] = sc->lna[1];
2007 	}
2008 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
2009 		RUN_DPRINTF(sc, RUN_DEBUG_ROM,
2010 		    "invalid LNA for channel group %d\n", 3);
2011 		sc->lna[3] = sc->lna[1];
2012 	}
2013 
2014 	/* fix broken RSSI offset entries */
2015 	for (ant = 0; ant < 3; ant++) {
2016 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
2017 			RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_RSSI,
2018 			    "invalid RSSI%d offset: %d (2GHz)\n",
2019 			    ant + 1, sc->rssi_2ghz[ant]);
2020 			sc->rssi_2ghz[ant] = 0;
2021 		}
2022 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
2023 			RUN_DPRINTF(sc, RUN_DEBUG_ROM | RUN_DEBUG_RSSI,
2024 			    "invalid RSSI%d offset: %d (5GHz)\n",
2025 			    ant + 1, sc->rssi_5ghz[ant]);
2026 			sc->rssi_5ghz[ant] = 0;
2027 		}
2028 	}
2029 	return (0);
2030 }
2031 
2032 static struct ieee80211_node *
2033 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
2034 {
2035 	return malloc(sizeof (struct run_node), M_80211_NODE,
2036 	    M_NOWAIT | M_ZERO);
2037 }
2038 
2039 static int
2040 run_media_change(struct ifnet *ifp)
2041 {
2042 	struct ieee80211vap *vap = ifp->if_softc;
2043 	struct ieee80211com *ic = vap->iv_ic;
2044 	const struct ieee80211_txparam *tp;
2045 	struct run_softc *sc = ic->ic_softc;
2046 	uint8_t rate, ridx;
2047 	int error;
2048 
2049 	RUN_LOCK(sc);
2050 
2051 	error = ieee80211_media_change(ifp);
2052 	if (error != ENETRESET) {
2053 		RUN_UNLOCK(sc);
2054 		return (error);
2055 	}
2056 
2057 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2058 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2059 		struct ieee80211_node *ni;
2060 		struct run_node	*rn;
2061 
2062 		rate = ic->ic_sup_rates[ic->ic_curmode].
2063 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2064 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2065 			if (rt2860_rates[ridx].rate == rate)
2066 				break;
2067 		ni = ieee80211_ref_node(vap->iv_bss);
2068 		rn = RUN_NODE(ni);
2069 		rn->fix_ridx = ridx;
2070 		RUN_DPRINTF(sc, RUN_DEBUG_RATE, "rate=%d, fix_ridx=%d\n",
2071 		    rate, rn->fix_ridx);
2072 		ieee80211_free_node(ni);
2073 	}
2074 
2075 #if 0
2076 	if ((ifp->if_flags & IFF_UP) &&
2077 	    (ifp->if_drv_flags &  RUN_RUNNING)){
2078 		run_init_locked(sc);
2079 	}
2080 #endif
2081 
2082 	RUN_UNLOCK(sc);
2083 
2084 	return (0);
2085 }
2086 
2087 static int
2088 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2089 {
2090 	const struct ieee80211_txparam *tp;
2091 	struct ieee80211com *ic = vap->iv_ic;
2092 	struct run_softc *sc = ic->ic_softc;
2093 	struct run_vap *rvp = RUN_VAP(vap);
2094 	enum ieee80211_state ostate;
2095 	uint32_t sta[3];
2096 	uint8_t ratectl;
2097 	uint8_t restart_ratectl = 0;
2098 	uint8_t bid = 1 << rvp->rvp_id;
2099 
2100 	ostate = vap->iv_state;
2101 	RUN_DPRINTF(sc, RUN_DEBUG_STATE, "%s -> %s\n",
2102 		ieee80211_state_name[ostate],
2103 		ieee80211_state_name[nstate]);
2104 
2105 	IEEE80211_UNLOCK(ic);
2106 	RUN_LOCK(sc);
2107 
2108 	ratectl = sc->ratectl_run; /* remember current state */
2109 	sc->ratectl_run = RUN_RATECTL_OFF;
2110 	usb_callout_stop(&sc->ratectl_ch);
2111 
2112 	if (ostate == IEEE80211_S_RUN) {
2113 		/* turn link LED off */
2114 		run_set_leds(sc, RT2860_LED_RADIO);
2115 	}
2116 
2117 	switch (nstate) {
2118 	case IEEE80211_S_INIT:
2119 		restart_ratectl = 1;
2120 
2121 		if (ostate != IEEE80211_S_RUN)
2122 			break;
2123 
2124 		ratectl &= ~bid;
2125 		sc->runbmap &= ~bid;
2126 
2127 		/* abort TSF synchronization if there is no vap running */
2128 		if (--sc->running == 0)
2129 			run_disable_tsf(sc);
2130 		break;
2131 
2132 	case IEEE80211_S_RUN:
2133 		if (!(sc->runbmap & bid)) {
2134 			if(sc->running++)
2135 				restart_ratectl = 1;
2136 			sc->runbmap |= bid;
2137 		}
2138 
2139 		m_freem(rvp->beacon_mbuf);
2140 		rvp->beacon_mbuf = NULL;
2141 
2142 		switch (vap->iv_opmode) {
2143 		case IEEE80211_M_HOSTAP:
2144 		case IEEE80211_M_MBSS:
2145 			sc->ap_running |= bid;
2146 			ic->ic_opmode = vap->iv_opmode;
2147 			run_update_beacon_cb(vap);
2148 			break;
2149 		case IEEE80211_M_IBSS:
2150 			sc->adhoc_running |= bid;
2151 			if (!sc->ap_running)
2152 				ic->ic_opmode = vap->iv_opmode;
2153 			run_update_beacon_cb(vap);
2154 			break;
2155 		case IEEE80211_M_STA:
2156 			sc->sta_running |= bid;
2157 			if (!sc->ap_running && !sc->adhoc_running)
2158 				ic->ic_opmode = vap->iv_opmode;
2159 
2160 			/* read statistic counters (clear on read) */
2161 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2162 			    (uint8_t *)sta, sizeof sta);
2163 
2164 			break;
2165 		default:
2166 			ic->ic_opmode = vap->iv_opmode;
2167 			break;
2168 		}
2169 
2170 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2171 			struct ieee80211_node *ni;
2172 
2173 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2174 				RUN_UNLOCK(sc);
2175 				IEEE80211_LOCK(ic);
2176 				return (-1);
2177 			}
2178 			run_updateslot(ic);
2179 			run_enable_mrr(sc);
2180 			run_set_txpreamble(sc);
2181 			run_set_basicrates(sc);
2182 			ni = ieee80211_ref_node(vap->iv_bss);
2183 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2184 			run_set_bssid(sc, sc->sc_bssid);
2185 			ieee80211_free_node(ni);
2186 			run_enable_tsf_sync(sc);
2187 
2188 			/* enable automatic rate adaptation */
2189 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2190 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2191 				ratectl |= bid;
2192 		} else
2193 			run_enable_tsf(sc);
2194 
2195 		/* turn link LED on */
2196 		run_set_leds(sc, RT2860_LED_RADIO |
2197 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2198 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2199 
2200 		break;
2201 	default:
2202 		RUN_DPRINTF(sc, RUN_DEBUG_STATE, "undefined state\n");
2203 		break;
2204 	}
2205 
2206 	/* restart amrr for running VAPs */
2207 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2208 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2209 
2210 	RUN_UNLOCK(sc);
2211 	IEEE80211_LOCK(ic);
2212 
2213 	return(rvp->newstate(vap, nstate, arg));
2214 }
2215 
2216 static int
2217 run_wme_update(struct ieee80211com *ic)
2218 {
2219 	struct chanAccParams chp;
2220 	struct run_softc *sc = ic->ic_softc;
2221 	const struct wmeParams *ac;
2222 	int aci, error = 0;
2223 
2224 	ieee80211_wme_ic_getparams(ic, &chp);
2225 	ac = chp.cap_wmeParams;
2226 
2227 	/* update MAC TX configuration registers */
2228 	RUN_LOCK(sc);
2229 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2230 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2231 		    ac[aci].wmep_logcwmax << 16 |
2232 		    ac[aci].wmep_logcwmin << 12 |
2233 		    ac[aci].wmep_aifsn    <<  8 |
2234 		    ac[aci].wmep_txopLimit);
2235 		if (error) goto err;
2236 	}
2237 
2238 	/* update SCH/DMA registers too */
2239 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2240 	    ac[WME_AC_VO].wmep_aifsn  << 12 |
2241 	    ac[WME_AC_VI].wmep_aifsn  <<  8 |
2242 	    ac[WME_AC_BK].wmep_aifsn  <<  4 |
2243 	    ac[WME_AC_BE].wmep_aifsn);
2244 	if (error) goto err;
2245 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2246 	    ac[WME_AC_VO].wmep_logcwmin << 12 |
2247 	    ac[WME_AC_VI].wmep_logcwmin <<  8 |
2248 	    ac[WME_AC_BK].wmep_logcwmin <<  4 |
2249 	    ac[WME_AC_BE].wmep_logcwmin);
2250 	if (error) goto err;
2251 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2252 	    ac[WME_AC_VO].wmep_logcwmax << 12 |
2253 	    ac[WME_AC_VI].wmep_logcwmax <<  8 |
2254 	    ac[WME_AC_BK].wmep_logcwmax <<  4 |
2255 	    ac[WME_AC_BE].wmep_logcwmax);
2256 	if (error) goto err;
2257 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2258 	    ac[WME_AC_BK].wmep_txopLimit << 16 |
2259 	    ac[WME_AC_BE].wmep_txopLimit);
2260 	if (error) goto err;
2261 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2262 	    ac[WME_AC_VO].wmep_txopLimit << 16 |
2263 	    ac[WME_AC_VI].wmep_txopLimit);
2264 
2265 err:
2266 	RUN_UNLOCK(sc);
2267 	if (error)
2268 		RUN_DPRINTF(sc, RUN_DEBUG_USB, "WME update failed\n");
2269 
2270 	return (error);
2271 }
2272 
2273 static void
2274 run_key_set_cb(void *arg)
2275 {
2276 	struct run_cmdq *cmdq = arg;
2277 	struct ieee80211vap *vap = cmdq->arg1;
2278 	struct ieee80211_key *k = cmdq->k;
2279 	struct ieee80211com *ic = vap->iv_ic;
2280 	struct run_softc *sc = ic->ic_softc;
2281 	struct ieee80211_node *ni;
2282 	u_int cipher = k->wk_cipher->ic_cipher;
2283 	uint32_t attr;
2284 	uint16_t base, associd;
2285 	uint8_t mode, wcid, iv[8];
2286 
2287 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2288 
2289 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2290 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2291 	else
2292 		ni = vap->iv_bss;
2293 	associd = (ni != NULL) ? ni->ni_associd : 0;
2294 
2295 	/* map net80211 cipher to RT2860 security mode */
2296 	switch (cipher) {
2297 	case IEEE80211_CIPHER_WEP:
2298 		if(k->wk_keylen < 8)
2299 			mode = RT2860_MODE_WEP40;
2300 		else
2301 			mode = RT2860_MODE_WEP104;
2302 		break;
2303 	case IEEE80211_CIPHER_TKIP:
2304 		mode = RT2860_MODE_TKIP;
2305 		break;
2306 	case IEEE80211_CIPHER_AES_CCM:
2307 		mode = RT2860_MODE_AES_CCMP;
2308 		break;
2309 	default:
2310 		RUN_DPRINTF(sc, RUN_DEBUG_KEY, "undefined case\n");
2311 		return;
2312 	}
2313 
2314 	RUN_DPRINTF(sc, RUN_DEBUG_KEY,
2315 	    "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2316 	    associd, k->wk_keyix, mode,
2317 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2318 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2319 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2320 
2321 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2322 		wcid = 0;	/* NB: update WCID0 for group keys */
2323 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2324 	} else {
2325 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2326 		    1 : RUN_AID2WCID(associd);
2327 		base = RT2860_PKEY(wcid);
2328 	}
2329 
2330 	if (cipher == IEEE80211_CIPHER_TKIP) {
2331 		if(run_write_region_1(sc, base, k->wk_key, 16))
2332 			return;
2333 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2334 			return;
2335 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2336 			return;
2337 	} else {
2338 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2339 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2340 			return;
2341 	}
2342 
2343 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2344 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2345 		/* set initial packet number in IV+EIV */
2346 		if (cipher == IEEE80211_CIPHER_WEP) {
2347 			memset(iv, 0, sizeof iv);
2348 			iv[3] = vap->iv_def_txkey << 6;
2349 		} else {
2350 			if (cipher == IEEE80211_CIPHER_TKIP) {
2351 				iv[0] = k->wk_keytsc >> 8;
2352 				iv[1] = (iv[0] | 0x20) & 0x7f;
2353 				iv[2] = k->wk_keytsc;
2354 			} else /* CCMP */ {
2355 				iv[0] = k->wk_keytsc;
2356 				iv[1] = k->wk_keytsc >> 8;
2357 				iv[2] = 0;
2358 			}
2359 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2360 			iv[4] = k->wk_keytsc >> 16;
2361 			iv[5] = k->wk_keytsc >> 24;
2362 			iv[6] = k->wk_keytsc >> 32;
2363 			iv[7] = k->wk_keytsc >> 40;
2364 		}
2365 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2366 			return;
2367 	}
2368 
2369 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2370 		/* install group key */
2371 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2372 			return;
2373 		attr &= ~(0xf << (k->wk_keyix * 4));
2374 		attr |= mode << (k->wk_keyix * 4);
2375 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2376 			return;
2377 	} else {
2378 		/* install pairwise key */
2379 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2380 			return;
2381 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2382 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2383 			return;
2384 	}
2385 
2386 	/* TODO create a pass-thru key entry? */
2387 
2388 	/* need wcid to delete the right key later */
2389 	k->wk_pad = wcid;
2390 }
2391 
2392 /*
2393  * Don't have to be deferred, but in order to keep order of
2394  * execution, i.e. with run_key_delete(), defer this and let
2395  * run_cmdq_cb() maintain the order.
2396  *
2397  * return 0 on error
2398  */
2399 static int
2400 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2401 {
2402 	struct ieee80211com *ic = vap->iv_ic;
2403 	struct run_softc *sc = ic->ic_softc;
2404 	uint32_t i;
2405 
2406 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2407 	RUN_DPRINTF(sc, RUN_DEBUG_KEY, "cmdq_store=%d\n", i);
2408 	sc->cmdq[i].func = run_key_set_cb;
2409 	sc->cmdq[i].arg0 = NULL;
2410 	sc->cmdq[i].arg1 = vap;
2411 	sc->cmdq[i].k = k;
2412 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2413 	ieee80211_runtask(ic, &sc->cmdq_task);
2414 
2415 	/*
2416 	 * To make sure key will be set when hostapd
2417 	 * calls iv_key_set() before if_init().
2418 	 */
2419 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2420 		RUN_LOCK(sc);
2421 		sc->cmdq_key_set = RUN_CMDQ_GO;
2422 		RUN_UNLOCK(sc);
2423 	}
2424 
2425 	return (1);
2426 }
2427 
2428 /*
2429  * If wlan is destroyed without being brought down i.e. without
2430  * wlan down or wpa_cli terminate, this function is called after
2431  * vap is gone. Don't refer it.
2432  */
2433 static void
2434 run_key_delete_cb(void *arg)
2435 {
2436 	struct run_cmdq *cmdq = arg;
2437 	struct run_softc *sc = cmdq->arg1;
2438 	struct ieee80211_key *k = &cmdq->key;
2439 	uint32_t attr;
2440 	uint8_t wcid;
2441 
2442 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2443 
2444 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2445 		/* remove group key */
2446 		RUN_DPRINTF(sc, RUN_DEBUG_KEY, "removing group key\n");
2447 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2448 		attr &= ~(0xf << (k->wk_keyix * 4));
2449 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2450 	} else {
2451 		/* remove pairwise key */
2452 		RUN_DPRINTF(sc, RUN_DEBUG_KEY,
2453 		    "removing key for wcid %x\n", k->wk_pad);
2454 		/* matching wcid was written to wk_pad in run_key_set() */
2455 		wcid = k->wk_pad;
2456 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2457 		attr &= ~0xf;
2458 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2459 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2460 	}
2461 
2462 	k->wk_pad = 0;
2463 }
2464 
2465 /*
2466  * return 0 on error
2467  */
2468 static int
2469 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2470 {
2471 	struct ieee80211com *ic = vap->iv_ic;
2472 	struct run_softc *sc = ic->ic_softc;
2473 	struct ieee80211_key *k0;
2474 	uint32_t i;
2475 
2476 	/*
2477 	 * When called back, key might be gone. So, make a copy
2478 	 * of some values need to delete keys before deferring.
2479 	 * But, because of LOR with node lock, cannot use lock here.
2480 	 * So, use atomic instead.
2481 	 */
2482 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2483 	RUN_DPRINTF(sc, RUN_DEBUG_KEY, "cmdq_store=%d\n", i);
2484 	sc->cmdq[i].func = run_key_delete_cb;
2485 	sc->cmdq[i].arg0 = NULL;
2486 	sc->cmdq[i].arg1 = sc;
2487 	k0 = &sc->cmdq[i].key;
2488 	k0->wk_flags = k->wk_flags;
2489 	k0->wk_keyix = k->wk_keyix;
2490 	/* matching wcid was written to wk_pad in run_key_set() */
2491 	k0->wk_pad = k->wk_pad;
2492 	ieee80211_runtask(ic, &sc->cmdq_task);
2493 	return (1);	/* return fake success */
2494 
2495 }
2496 
2497 static void
2498 run_ratectl_to(void *arg)
2499 {
2500 	struct run_softc *sc = arg;
2501 
2502 	/* do it in a process context, so it can go sleep */
2503 	ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2504 	/* next timeout will be rescheduled in the callback task */
2505 }
2506 
2507 /* ARGSUSED */
2508 static void
2509 run_ratectl_cb(void *arg, int pending)
2510 {
2511 	struct run_softc *sc = arg;
2512 	struct ieee80211com *ic = &sc->sc_ic;
2513 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2514 
2515 	if (vap == NULL)
2516 		return;
2517 
2518 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2519 		/*
2520 		 * run_reset_livelock() doesn't do anything with AMRR,
2521 		 * but Ralink wants us to call it every 1 sec. So, we
2522 		 * piggyback here rather than creating another callout.
2523 		 * Livelock may occur only in HOSTAP or IBSS mode
2524 		 * (when h/w is sending beacons).
2525 		 */
2526 		RUN_LOCK(sc);
2527 		run_reset_livelock(sc);
2528 		/* just in case, there are some stats to drain */
2529 		run_drain_fifo(sc);
2530 		RUN_UNLOCK(sc);
2531 	}
2532 
2533 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2534 
2535 	RUN_LOCK(sc);
2536 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2537 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2538 	RUN_UNLOCK(sc);
2539 }
2540 
2541 static void
2542 run_drain_fifo(void *arg)
2543 {
2544 	struct run_softc *sc = arg;
2545 	uint32_t stat;
2546 	uint16_t (*wstat)[3];
2547 	uint8_t wcid, mcs, pid;
2548 	int8_t retry;
2549 
2550 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2551 
2552 	for (;;) {
2553 		/* drain Tx status FIFO (maxsize = 16) */
2554 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2555 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx stat 0x%08x\n", stat);
2556 		if (!(stat & RT2860_TXQ_VLD))
2557 			break;
2558 
2559 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2560 
2561 		/* if no ACK was requested, no feedback is available */
2562 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2563 		    wcid == 0)
2564 			continue;
2565 
2566 		/*
2567 		 * Even though each stat is Tx-complete-status like format,
2568 		 * the device can poll stats. Because there is no guarantee
2569 		 * that the referring node is still around when read the stats.
2570 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2571 		 * have hard time not to refer already freed node.
2572 		 *
2573 		 * To eliminate such page faults, we poll stats in softc.
2574 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2575 		 */
2576 		wstat = &(sc->wcid_stats[wcid]);
2577 		(*wstat)[RUN_TXCNT]++;
2578 		if (stat & RT2860_TXQ_OK)
2579 			(*wstat)[RUN_SUCCESS]++;
2580 		else
2581 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2582 		/*
2583 		 * Check if there were retries, ie if the Tx success rate is
2584 		 * different from the requested rate. Note that it works only
2585 		 * because we do not allow rate fallback from OFDM to CCK.
2586 		 */
2587 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2588 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2589 		if ((retry = pid -1 - mcs) > 0) {
2590 			(*wstat)[RUN_TXCNT] += retry;
2591 			(*wstat)[RUN_RETRY] += retry;
2592 		}
2593 	}
2594 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "count=%d\n", sc->fifo_cnt);
2595 
2596 	sc->fifo_cnt = 0;
2597 }
2598 
2599 static void
2600 run_iter_func(void *arg, struct ieee80211_node *ni)
2601 {
2602 	struct run_softc *sc = arg;
2603 	struct ieee80211_ratectl_tx_stats *txs = &sc->sc_txs;
2604 	struct ieee80211vap *vap = ni->ni_vap;
2605 	struct run_node *rn = RUN_NODE(ni);
2606 	union run_stats sta[2];
2607 	uint16_t (*wstat)[3];
2608 	int error;
2609 
2610 	RUN_LOCK(sc);
2611 
2612 	/* Check for special case */
2613 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2614 	    ni != vap->iv_bss)
2615 		goto fail;
2616 
2617 	txs->flags = IEEE80211_RATECTL_TX_STATS_NODE |
2618 		     IEEE80211_RATECTL_TX_STATS_RETRIES;
2619 	txs->ni = ni;
2620 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2621 	    vap->iv_opmode == IEEE80211_M_STA)) {
2622 		/* read statistic counters (clear on read) and update AMRR state */
2623 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2624 		    sizeof sta);
2625 		if (error != 0)
2626 			goto fail;
2627 
2628 		/* count failed TX as errors */
2629 		if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2630 		    le16toh(sta[0].error.fail));
2631 
2632 		txs->nretries = le16toh(sta[1].tx.retry);
2633 		txs->nsuccess = le16toh(sta[1].tx.success);
2634 		/* nretries??? */
2635 		txs->nframes = txs->nretries + txs->nsuccess +
2636 		    le16toh(sta[0].error.fail);
2637 
2638 		RUN_DPRINTF(sc, RUN_DEBUG_RATE,
2639 		    "retrycnt=%d success=%d failcnt=%d\n",
2640 		    txs->nretries, txs->nsuccess, le16toh(sta[0].error.fail));
2641 	} else {
2642 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2643 
2644 		if (wstat == &(sc->wcid_stats[0]) ||
2645 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2646 			goto fail;
2647 
2648 		txs->nretries = (*wstat)[RUN_RETRY];
2649 		txs->nsuccess = (*wstat)[RUN_SUCCESS];
2650 		txs->nframes = (*wstat)[RUN_TXCNT];
2651 		RUN_DPRINTF(sc, RUN_DEBUG_RATE,
2652 		    "retrycnt=%d txcnt=%d success=%d\n",
2653 		    txs->nretries, txs->nframes, txs->nsuccess);
2654 
2655 		memset(wstat, 0, sizeof(*wstat));
2656 	}
2657 
2658 	ieee80211_ratectl_tx_update(vap, txs);
2659 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2660 
2661 fail:
2662 	RUN_UNLOCK(sc);
2663 
2664 	RUN_DPRINTF(sc, RUN_DEBUG_RATE, "ridx=%d\n", rn->amrr_ridx);
2665 }
2666 
2667 static void
2668 run_newassoc_cb(void *arg)
2669 {
2670 	struct run_cmdq *cmdq = arg;
2671 	struct ieee80211_node *ni = cmdq->arg1;
2672 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2673 	uint8_t wcid = cmdq->wcid;
2674 
2675 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2676 
2677 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2678 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2679 
2680 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2681 }
2682 
2683 static void
2684 run_newassoc(struct ieee80211_node *ni, int isnew)
2685 {
2686 	struct run_node *rn = RUN_NODE(ni);
2687 	struct ieee80211_rateset *rs = &ni->ni_rates;
2688 	struct ieee80211vap *vap = ni->ni_vap;
2689 	struct ieee80211com *ic = vap->iv_ic;
2690 	struct run_softc *sc = ic->ic_softc;
2691 	uint8_t rate;
2692 	uint8_t ridx;
2693 	uint8_t wcid;
2694 	int i, j;
2695 
2696 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2697 	    1 : RUN_AID2WCID(ni->ni_associd);
2698 
2699 	if (wcid > RT2870_WCID_MAX) {
2700 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2701 		return;
2702 	}
2703 
2704 	/* only interested in true associations */
2705 	if (isnew && ni->ni_associd != 0) {
2706 
2707 		/*
2708 		 * This function could is called though timeout function.
2709 		 * Need to defer.
2710 		 */
2711 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2712 		RUN_DPRINTF(sc, RUN_DEBUG_STATE, "cmdq_store=%d\n", cnt);
2713 		sc->cmdq[cnt].func = run_newassoc_cb;
2714 		sc->cmdq[cnt].arg0 = NULL;
2715 		sc->cmdq[cnt].arg1 = ni;
2716 		sc->cmdq[cnt].wcid = wcid;
2717 		ieee80211_runtask(ic, &sc->cmdq_task);
2718 	}
2719 
2720 	RUN_DPRINTF(sc, RUN_DEBUG_STATE,
2721 	    "new assoc isnew=%d associd=%x addr=%s\n",
2722 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2723 
2724 	for (i = 0; i < rs->rs_nrates; i++) {
2725 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2726 		/* convert 802.11 rate to hardware rate index */
2727 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2728 			if (rt2860_rates[ridx].rate == rate)
2729 				break;
2730 		rn->ridx[i] = ridx;
2731 		/* determine rate of control response frames */
2732 		for (j = i; j >= 0; j--) {
2733 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2734 			    rt2860_rates[rn->ridx[i]].phy ==
2735 			    rt2860_rates[rn->ridx[j]].phy)
2736 				break;
2737 		}
2738 		if (j >= 0) {
2739 			rn->ctl_ridx[i] = rn->ridx[j];
2740 		} else {
2741 			/* no basic rate found, use mandatory one */
2742 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2743 		}
2744 		RUN_DPRINTF(sc, RUN_DEBUG_STATE | RUN_DEBUG_RATE,
2745 		    "rate=0x%02x ridx=%d ctl_ridx=%d\n",
2746 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2747 	}
2748 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2749 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2750 		if (rt2860_rates[ridx].rate == rate)
2751 			break;
2752 	rn->mgt_ridx = ridx;
2753 	RUN_DPRINTF(sc, RUN_DEBUG_STATE | RUN_DEBUG_RATE,
2754 	    "rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2755 
2756 	RUN_LOCK(sc);
2757 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2758 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2759 	RUN_UNLOCK(sc);
2760 }
2761 
2762 /*
2763  * Return the Rx chain with the highest RSSI for a given frame.
2764  */
2765 static __inline uint8_t
2766 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2767 {
2768 	uint8_t rxchain = 0;
2769 
2770 	if (sc->nrxchains > 1) {
2771 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2772 			rxchain = 1;
2773 		if (sc->nrxchains > 2)
2774 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2775 				rxchain = 2;
2776 	}
2777 	return (rxchain);
2778 }
2779 
2780 static void
2781 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2782     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2783 {
2784 	struct ieee80211vap *vap = ni->ni_vap;
2785 	struct run_softc *sc = vap->iv_ic->ic_softc;
2786 	struct run_vap *rvp = RUN_VAP(vap);
2787 	uint64_t ni_tstamp, rx_tstamp;
2788 
2789 	rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2790 
2791 	if (vap->iv_state == IEEE80211_S_RUN &&
2792 	    (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2793 	    subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2794 		ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2795 		RUN_LOCK(sc);
2796 		run_get_tsf(sc, &rx_tstamp);
2797 		RUN_UNLOCK(sc);
2798 		rx_tstamp = le64toh(rx_tstamp);
2799 
2800 		if (ni_tstamp >= rx_tstamp) {
2801 			RUN_DPRINTF(sc, RUN_DEBUG_RECV | RUN_DEBUG_BEACON,
2802 			    "ibss merge, tsf %ju tstamp %ju\n",
2803 			    (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2804 			(void) ieee80211_ibss_merge(ni);
2805 		}
2806 	}
2807 }
2808 
2809 static void
2810 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2811 {
2812 	struct ieee80211com *ic = &sc->sc_ic;
2813 	struct ieee80211_frame *wh;
2814 	struct ieee80211_node *ni;
2815 	struct epoch_tracker et;
2816 	struct rt2870_rxd *rxd;
2817 	struct rt2860_rxwi *rxwi;
2818 	uint32_t flags;
2819 	uint16_t len, rxwisize;
2820 	uint8_t ant, rssi;
2821 	int8_t nf;
2822 
2823 	rxwisize = sizeof(struct rt2860_rxwi);
2824 	if (sc->mac_ver == 0x5592)
2825 		rxwisize += sizeof(uint64_t);
2826 	else if (sc->mac_ver == 0x3593)
2827 		rxwisize += sizeof(uint32_t);
2828 
2829 	if (__predict_false(dmalen <
2830 	    rxwisize + sizeof(struct ieee80211_frame_ack))) {
2831 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2832 		    "payload is too short: dma length %u < %zu\n",
2833 		    dmalen, rxwisize + sizeof(struct ieee80211_frame_ack));
2834 		goto fail;
2835 	}
2836 
2837 	rxwi = mtod(m, struct rt2860_rxwi *);
2838 	len = le16toh(rxwi->len) & 0xfff;
2839 
2840 	if (__predict_false(len > dmalen - rxwisize)) {
2841 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2842 		    "bad RXWI length %u > %u\n", len, dmalen);
2843 		goto fail;
2844 	}
2845 
2846 	/* Rx descriptor is located at the end */
2847 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2848 	flags = le32toh(rxd->flags);
2849 
2850 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2851 		RUN_DPRINTF(sc, RUN_DEBUG_RECV, "%s error.\n",
2852 		    (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2853 		goto fail;
2854 	}
2855 
2856 	if (flags & RT2860_RX_L2PAD) {
2857 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2858 		    "received RT2860_RX_L2PAD frame\n");
2859 		len += 2;
2860 	}
2861 
2862 	m->m_data += rxwisize;
2863 	m->m_pkthdr.len = m->m_len = len;
2864 
2865 	wh = mtod(m, struct ieee80211_frame *);
2866 
2867 	if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) != 0 &&
2868 	    (flags & RT2860_RX_DEC) != 0) {
2869 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2870 		m->m_flags |= M_WEP;
2871 	}
2872 
2873 	if (len >= sizeof(struct ieee80211_frame_min)) {
2874 		ni = ieee80211_find_rxnode(ic,
2875 		    mtod(m, struct ieee80211_frame_min *));
2876 	} else
2877 		ni = NULL;
2878 
2879 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2880 		/* report MIC failures to net80211 for TKIP */
2881 		if (ni != NULL)
2882 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2883 			    rxwi->keyidx);
2884 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2885 		    "MIC error. Someone is lying.\n");
2886 		goto fail;
2887 	}
2888 
2889 	ant = run_maxrssi_chain(sc, rxwi);
2890 	rssi = rxwi->rssi[ant];
2891 	nf = run_rssi2dbm(sc, rssi, ant);
2892 
2893 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2894 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2895 		uint16_t phy;
2896 
2897 		tap->wr_flags = 0;
2898 		if (flags & RT2860_RX_L2PAD)
2899 			tap->wr_flags |= IEEE80211_RADIOTAP_F_DATAPAD;
2900 		tap->wr_antsignal = rssi;
2901 		tap->wr_antenna = ant;
2902 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2903 		tap->wr_rate = 2;	/* in case it can't be found below */
2904 		RUN_LOCK(sc);
2905 		run_get_tsf(sc, &tap->wr_tsf);
2906 		RUN_UNLOCK(sc);
2907 		phy = le16toh(rxwi->phy);
2908 		switch (phy & RT2860_PHY_MODE) {
2909 		case RT2860_PHY_CCK:
2910 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2911 			case 0:	tap->wr_rate =   2; break;
2912 			case 1:	tap->wr_rate =   4; break;
2913 			case 2:	tap->wr_rate =  11; break;
2914 			case 3:	tap->wr_rate =  22; break;
2915 			}
2916 			if (phy & RT2860_PHY_SHPRE)
2917 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2918 			break;
2919 		case RT2860_PHY_OFDM:
2920 			switch (phy & RT2860_PHY_MCS) {
2921 			case 0:	tap->wr_rate =  12; break;
2922 			case 1:	tap->wr_rate =  18; break;
2923 			case 2:	tap->wr_rate =  24; break;
2924 			case 3:	tap->wr_rate =  36; break;
2925 			case 4:	tap->wr_rate =  48; break;
2926 			case 5:	tap->wr_rate =  72; break;
2927 			case 6:	tap->wr_rate =  96; break;
2928 			case 7:	tap->wr_rate = 108; break;
2929 			}
2930 			break;
2931 		}
2932 	}
2933 
2934 	NET_EPOCH_ENTER(et);
2935 	if (ni != NULL) {
2936 		(void)ieee80211_input(ni, m, rssi, nf);
2937 		ieee80211_free_node(ni);
2938 	} else {
2939 		(void)ieee80211_input_all(ic, m, rssi, nf);
2940 	}
2941 	NET_EPOCH_EXIT(et);
2942 
2943 	return;
2944 
2945 fail:
2946 	m_freem(m);
2947 	counter_u64_add(ic->ic_ierrors, 1);
2948 }
2949 
2950 static void
2951 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2952 {
2953 	struct run_softc *sc = usbd_xfer_softc(xfer);
2954 	struct ieee80211com *ic = &sc->sc_ic;
2955 	struct mbuf *m = NULL;
2956 	struct mbuf *m0;
2957 	uint32_t dmalen, mbuf_len;
2958 	uint16_t rxwisize;
2959 	int xferlen;
2960 
2961 	rxwisize = sizeof(struct rt2860_rxwi);
2962 	if (sc->mac_ver == 0x5592)
2963 		rxwisize += sizeof(uint64_t);
2964 	else if (sc->mac_ver == 0x3593)
2965 		rxwisize += sizeof(uint32_t);
2966 
2967 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2968 
2969 	switch (USB_GET_STATE(xfer)) {
2970 	case USB_ST_TRANSFERRED:
2971 
2972 		RUN_DPRINTF(sc, RUN_DEBUG_RECV,
2973 		    "rx done, actlen=%d\n", xferlen);
2974 
2975 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2976 		    sizeof(struct rt2870_rxd))) {
2977 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
2978 			    "xfer too short %d\n", xferlen);
2979 			goto tr_setup;
2980 		}
2981 
2982 		m = sc->rx_m;
2983 		sc->rx_m = NULL;
2984 
2985 		/* FALLTHROUGH */
2986 	case USB_ST_SETUP:
2987 tr_setup:
2988 		if (sc->rx_m == NULL) {
2989 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2990 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2991 		}
2992 		if (sc->rx_m == NULL) {
2993 			RUN_DPRINTF(sc, RUN_DEBUG_RECV | RUN_DEBUG_RECV_DESC,
2994 			    "could not allocate mbuf - idle with stall\n");
2995 			counter_u64_add(ic->ic_ierrors, 1);
2996 			usbd_xfer_set_stall(xfer);
2997 			usbd_xfer_set_frames(xfer, 0);
2998 		} else {
2999 			/*
3000 			 * Directly loading a mbuf cluster into DMA to
3001 			 * save some data copying. This works because
3002 			 * there is only one cluster.
3003 			 */
3004 			usbd_xfer_set_frame_data(xfer, 0,
3005 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
3006 			usbd_xfer_set_frames(xfer, 1);
3007 		}
3008 		usbd_transfer_submit(xfer);
3009 		break;
3010 
3011 	default:	/* Error */
3012 		if (error != USB_ERR_CANCELLED) {
3013 			/* try to clear stall first */
3014 			usbd_xfer_set_stall(xfer);
3015 			if (error == USB_ERR_TIMEOUT)
3016 				device_printf(sc->sc_dev, "device timeout\n");
3017 			counter_u64_add(ic->ic_ierrors, 1);
3018 			goto tr_setup;
3019 		}
3020 		if (sc->rx_m != NULL) {
3021 			m_freem(sc->rx_m);
3022 			sc->rx_m = NULL;
3023 		}
3024 		break;
3025 	}
3026 
3027 	if (m == NULL)
3028 		return;
3029 
3030 	/* inputting all the frames must be last */
3031 
3032 	RUN_UNLOCK(sc);
3033 
3034 	m->m_pkthdr.len = m->m_len = xferlen;
3035 
3036 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
3037 	for(;;) {
3038 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
3039 
3040 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
3041 		    ((dmalen & 3) != 0)) {
3042 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
3043 			    "bad DMA length %u\n", dmalen);
3044 			break;
3045 		}
3046 		if ((dmalen + 8) > (uint32_t)xferlen) {
3047 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
3048 			    "bad DMA length %u > %d\n",
3049 			dmalen + 8, xferlen);
3050 			break;
3051 		}
3052 
3053 		/* If it is the last one or a single frame, we won't copy. */
3054 		if ((xferlen -= dmalen + 8) <= 8) {
3055 			/* trim 32-bit DMA-len header */
3056 			m->m_data += 4;
3057 			m->m_pkthdr.len = m->m_len -= 4;
3058 			run_rx_frame(sc, m, dmalen);
3059 			m = NULL;	/* don't free source buffer */
3060 			break;
3061 		}
3062 
3063 		mbuf_len = dmalen + sizeof(struct rt2870_rxd);
3064 		if (__predict_false(mbuf_len > MCLBYTES)) {
3065 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC | RUN_DEBUG_USB,
3066 			    "payload is too big: mbuf_len %u\n", mbuf_len);
3067 			counter_u64_add(ic->ic_ierrors, 1);
3068 			break;
3069 		}
3070 
3071 		/* copy aggregated frames to another mbuf */
3072 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
3073 		if (__predict_false(m0 == NULL)) {
3074 			RUN_DPRINTF(sc, RUN_DEBUG_RECV_DESC,
3075 			    "could not allocate mbuf\n");
3076 			counter_u64_add(ic->ic_ierrors, 1);
3077 			break;
3078 		}
3079 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3080 		    mbuf_len, mtod(m0, caddr_t));
3081 		m0->m_pkthdr.len = m0->m_len = mbuf_len;
3082 		run_rx_frame(sc, m0, dmalen);
3083 
3084 		/* update data ptr */
3085 		m->m_data += mbuf_len + 4;
3086 		m->m_pkthdr.len = m->m_len -= mbuf_len + 4;
3087 	}
3088 
3089 	/* make sure we free the source buffer, if any */
3090 	m_freem(m);
3091 
3092 	RUN_LOCK(sc);
3093 }
3094 
3095 static void
3096 run_tx_free(struct run_endpoint_queue *pq,
3097     struct run_tx_data *data, int txerr)
3098 {
3099 
3100 	ieee80211_tx_complete(data->ni, data->m, txerr);
3101 
3102 	data->m = NULL;
3103 	data->ni = NULL;
3104 
3105 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3106 	pq->tx_nfree++;
3107 }
3108 
3109 static void
3110 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3111 {
3112 	struct run_softc *sc = usbd_xfer_softc(xfer);
3113 	struct ieee80211com *ic = &sc->sc_ic;
3114 	struct run_tx_data *data;
3115 	struct ieee80211vap *vap = NULL;
3116 	struct usb_page_cache *pc;
3117 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3118 	struct mbuf *m;
3119 	usb_frlength_t size;
3120 	int actlen;
3121 	int sumlen;
3122 
3123 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3124 
3125 	switch (USB_GET_STATE(xfer)) {
3126 	case USB_ST_TRANSFERRED:
3127 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3128 		    "transfer complete: %d bytes @ index %d\n", actlen, index);
3129 
3130 		data = usbd_xfer_get_priv(xfer);
3131 		run_tx_free(pq, data, 0);
3132 		usbd_xfer_set_priv(xfer, NULL);
3133 
3134 		/* FALLTHROUGH */
3135 	case USB_ST_SETUP:
3136 tr_setup:
3137 		data = STAILQ_FIRST(&pq->tx_qh);
3138 		if (data == NULL)
3139 			break;
3140 
3141 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3142 
3143 		m = data->m;
3144 		size = (sc->mac_ver == 0x5592) ?
3145 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3146 		if ((m->m_pkthdr.len +
3147 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3148 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT_DESC | RUN_DEBUG_USB,
3149 			    "data overflow, %u bytes\n", m->m_pkthdr.len);
3150 			run_tx_free(pq, data, 1);
3151 			goto tr_setup;
3152 		}
3153 
3154 		pc = usbd_xfer_get_frame(xfer, 0);
3155 		usbd_copy_in(pc, 0, &data->desc, size);
3156 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3157 		size += m->m_pkthdr.len;
3158 		/*
3159 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3160 		 * 4-byte padding), and be sure to zero those trailing
3161 		 * bytes:
3162 		 */
3163 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3164 		size += ((-size) & 3) + 8;
3165 
3166 		vap = data->ni->ni_vap;
3167 		if (ieee80211_radiotap_active_vap(vap)) {
3168 			const struct ieee80211_frame *wh;
3169 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3170 			struct rt2860_txwi *txwi =
3171 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3172 			int has_l2pad;
3173 
3174 			wh = mtod(m, struct ieee80211_frame *);
3175 			has_l2pad = IEEE80211_HAS_ADDR4(wh) !=
3176 			    IEEE80211_QOS_HAS_SEQ(wh);
3177 
3178 			tap->wt_flags = 0;
3179 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3180 			tap->wt_hwqueue = index;
3181 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3182 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3183 			if (has_l2pad)
3184 				tap->wt_flags |= IEEE80211_RADIOTAP_F_DATAPAD;
3185 
3186 			ieee80211_radiotap_tx(vap, m);
3187 		}
3188 
3189 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3190 		    "sending frame len=%u/%u @ index %d\n",
3191 		    m->m_pkthdr.len, size, index);
3192 
3193 		usbd_xfer_set_frame_len(xfer, 0, size);
3194 		usbd_xfer_set_priv(xfer, data);
3195 		usbd_transfer_submit(xfer);
3196 		run_start(sc);
3197 
3198 		break;
3199 
3200 	default:
3201 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3202 		    "USB transfer error, %s\n", usbd_errstr(error));
3203 
3204 		data = usbd_xfer_get_priv(xfer);
3205 
3206 		if (data != NULL) {
3207 			if(data->ni != NULL)
3208 				vap = data->ni->ni_vap;
3209 			run_tx_free(pq, data, error);
3210 			usbd_xfer_set_priv(xfer, NULL);
3211 		}
3212 
3213 		if (vap == NULL)
3214 			vap = TAILQ_FIRST(&ic->ic_vaps);
3215 
3216 		if (error != USB_ERR_CANCELLED) {
3217 			if (error == USB_ERR_TIMEOUT) {
3218 				device_printf(sc->sc_dev, "device timeout\n");
3219 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3220 				RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_USB,
3221 				    "cmdq_store=%d\n", i);
3222 				sc->cmdq[i].func = run_usb_timeout_cb;
3223 				sc->cmdq[i].arg0 = vap;
3224 				ieee80211_runtask(ic, &sc->cmdq_task);
3225 			}
3226 
3227 			/*
3228 			 * Try to clear stall first, also if other
3229 			 * errors occur, hence clearing stall
3230 			 * introduces a 50 ms delay:
3231 			 */
3232 			usbd_xfer_set_stall(xfer);
3233 			goto tr_setup;
3234 		}
3235 		break;
3236 	}
3237 }
3238 
3239 static void
3240 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3241 {
3242 	run_bulk_tx_callbackN(xfer, error, 0);
3243 }
3244 
3245 static void
3246 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3247 {
3248 	run_bulk_tx_callbackN(xfer, error, 1);
3249 }
3250 
3251 static void
3252 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3253 {
3254 	run_bulk_tx_callbackN(xfer, error, 2);
3255 }
3256 
3257 static void
3258 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3259 {
3260 	run_bulk_tx_callbackN(xfer, error, 3);
3261 }
3262 
3263 static void
3264 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3265 {
3266 	run_bulk_tx_callbackN(xfer, error, 4);
3267 }
3268 
3269 static void
3270 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3271 {
3272 	run_bulk_tx_callbackN(xfer, error, 5);
3273 }
3274 
3275 static void
3276 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3277 {
3278 	struct mbuf *m = data->m;
3279 	struct ieee80211com *ic = &sc->sc_ic;
3280 	struct ieee80211vap *vap = data->ni->ni_vap;
3281 	struct ieee80211_frame *wh;
3282 	struct rt2870_txd *txd;
3283 	struct rt2860_txwi *txwi;
3284 	uint16_t xferlen, txwisize;
3285 	uint16_t mcs;
3286 	uint8_t ridx = data->ridx;
3287 	uint8_t pad;
3288 
3289 	/* get MCS code from rate index */
3290 	mcs = rt2860_rates[ridx].mcs;
3291 
3292 	txwisize = (sc->mac_ver == 0x5592) ?
3293 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3294 	xferlen = txwisize + m->m_pkthdr.len;
3295 
3296 	/* roundup to 32-bit alignment */
3297 	xferlen = (xferlen + 3) & ~3;
3298 
3299 	txd = (struct rt2870_txd *)&data->desc;
3300 	txd->len = htole16(xferlen);
3301 
3302 	wh = mtod(m, struct ieee80211_frame *);
3303 
3304 	/*
3305 	 * Ether both are true or both are false, the header
3306 	 * are nicely aligned to 32-bit. So, no L2 padding.
3307 	 */
3308 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3309 		pad = 0;
3310 	else
3311 		pad = 2;
3312 
3313 	/* setup TX Wireless Information */
3314 	txwi = (struct rt2860_txwi *)(txd + 1);
3315 	txwi->len = htole16(m->m_pkthdr.len - pad);
3316 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3317 		mcs |= RT2860_PHY_CCK;
3318 		if (ridx != RT2860_RIDX_CCK1 &&
3319 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3320 			mcs |= RT2860_PHY_SHPRE;
3321 	} else
3322 		mcs |= RT2860_PHY_OFDM;
3323 	txwi->phy = htole16(mcs);
3324 
3325 	/* check if RTS/CTS or CTS-to-self protection is required */
3326 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3327 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3328 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3329 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3330 		txwi->txop |= RT2860_TX_TXOP_HT;
3331 	else
3332 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3333 
3334 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3335 		txwi->xflags |= RT2860_TX_NSEQ;
3336 }
3337 
3338 /* This function must be called locked */
3339 static int
3340 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3341 {
3342 	struct ieee80211com *ic = &sc->sc_ic;
3343 	struct ieee80211vap *vap = ni->ni_vap;
3344 	struct ieee80211_frame *wh;
3345 	const struct ieee80211_txparam *tp = ni->ni_txparms;
3346 	struct run_node *rn = RUN_NODE(ni);
3347 	struct run_tx_data *data;
3348 	struct rt2870_txd *txd;
3349 	struct rt2860_txwi *txwi;
3350 	uint16_t qos;
3351 	uint16_t dur;
3352 	uint16_t qid;
3353 	uint8_t type;
3354 	uint8_t tid;
3355 	uint8_t ridx;
3356 	uint8_t ctl_ridx;
3357 	uint8_t qflags;
3358 	uint8_t xflags = 0;
3359 	int hasqos;
3360 
3361 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3362 
3363 	wh = mtod(m, struct ieee80211_frame *);
3364 
3365 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3366 
3367 	/*
3368 	 * There are 7 bulk endpoints: 1 for RX
3369 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3370 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3371 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3372 	 */
3373 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3374 		uint8_t *frm;
3375 
3376 		frm = ieee80211_getqos(wh);
3377 		qos = le16toh(*(const uint16_t *)frm);
3378 		tid = qos & IEEE80211_QOS_TID;
3379 		qid = TID_TO_WME_AC(tid);
3380 	} else {
3381 		qos = 0;
3382 		tid = 0;
3383 		qid = WME_AC_BE;
3384 	}
3385 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3386 
3387 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3388 	    qos, qid, tid, qflags);
3389 
3390 	/* pickup a rate index */
3391 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3392 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3393 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3394 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3395 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3396 	} else {
3397 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3398 			ridx = rn->fix_ridx;
3399 		else
3400 			ridx = rn->amrr_ridx;
3401 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3402 	}
3403 
3404 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3405 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3406 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3407 		xflags |= RT2860_TX_ACK;
3408 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3409 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3410 		else
3411 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3412 		USETW(wh->i_dur, dur);
3413 	}
3414 
3415 	/* reserve slots for mgmt packets, just in case */
3416 	if (sc->sc_epq[qid].tx_nfree < 3) {
3417 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx ring %d is full\n", qid);
3418 		return (-1);
3419 	}
3420 
3421 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3422 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3423 	sc->sc_epq[qid].tx_nfree--;
3424 
3425 	txd = (struct rt2870_txd *)&data->desc;
3426 	txd->flags = qflags;
3427 	txwi = (struct rt2860_txwi *)(txd + 1);
3428 	txwi->xflags = xflags;
3429 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3430 		txwi->wcid = 0;
3431 	else
3432 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3433 		    1 : RUN_AID2WCID(ni->ni_associd);
3434 
3435 	/* clear leftover garbage bits */
3436 	txwi->flags = 0;
3437 	txwi->txop = 0;
3438 
3439 	data->m = m;
3440 	data->ni = ni;
3441 	data->ridx = ridx;
3442 
3443 	run_set_tx_desc(sc, data);
3444 
3445 	/*
3446 	 * The chip keeps track of 2 kind of Tx stats,
3447 	 *  * TX_STAT_FIFO, for per WCID stats, and
3448 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3449 	 *
3450 	 * To use FIFO stats, we need to store MCS into the driver-private
3451  	 * PacketID field. So that, we can tell whose stats when we read them.
3452  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3453  	 * that we don't want feedback in TX_STAT_FIFO.
3454  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3455  	 *
3456  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3457  	 */
3458 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3459 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3460 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3461 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3462 
3463 		/*
3464 		 * Unlike PCI based devices, we don't get any interrupt from
3465 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3466 		 * Ralink recommends to drain FIFO stats every 100 ms, but 16 slots
3467 		 * quickly get fulled. To prevent overflow, increment a counter on
3468 		 * every FIFO stat request, so we know how many slots are left.
3469 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3470 		 * are used only in those modes.
3471 		 * We just drain stats. AMRR gets updated every 1 sec by
3472 		 * run_ratectl_cb() via callout.
3473 		 * Call it early. Otherwise overflow.
3474 		 */
3475 		if (sc->fifo_cnt++ == 10) {
3476 			/*
3477 			 * With multiple vaps or if_bridge, if_start() is called
3478 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3479 			 */
3480 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3481 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "cmdq_store=%d\n", i);
3482 			sc->cmdq[i].func = run_drain_fifo;
3483 			sc->cmdq[i].arg0 = sc;
3484 			ieee80211_runtask(ic, &sc->cmdq_task);
3485 		}
3486 	}
3487 
3488         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3489 
3490 	usbd_transfer_start(sc->sc_xfer[qid]);
3491 
3492 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT,
3493 	    "sending data frame len=%d rate=%d qid=%d\n",
3494 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3495 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3496 
3497 	return (0);
3498 }
3499 
3500 static int
3501 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3502 {
3503 	struct ieee80211com *ic = &sc->sc_ic;
3504 	struct run_node *rn = RUN_NODE(ni);
3505 	struct run_tx_data *data;
3506 	struct ieee80211_frame *wh;
3507 	struct rt2870_txd *txd;
3508 	struct rt2860_txwi *txwi;
3509 	uint16_t dur;
3510 	uint8_t ridx = rn->mgt_ridx;
3511 	uint8_t xflags = 0;
3512 	uint8_t wflags = 0;
3513 
3514 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3515 
3516 	wh = mtod(m, struct ieee80211_frame *);
3517 
3518 	/* tell hardware to add timestamp for probe responses */
3519 	if ((wh->i_fc[0] &
3520 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3521 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3522 		wflags |= RT2860_TX_TS;
3523 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3524 		xflags |= RT2860_TX_ACK;
3525 
3526 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3527 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3528 		USETW(wh->i_dur, dur);
3529 	}
3530 
3531 	if (sc->sc_epq[0].tx_nfree == 0)
3532 		/* let caller free mbuf */
3533 		return (EIO);
3534 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3535 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3536 	sc->sc_epq[0].tx_nfree--;
3537 
3538 	txd = (struct rt2870_txd *)&data->desc;
3539 	txd->flags = RT2860_TX_QSEL_EDCA;
3540 	txwi = (struct rt2860_txwi *)(txd + 1);
3541 	txwi->wcid = 0xff;
3542 	txwi->flags = wflags;
3543 	txwi->xflags = xflags;
3544 	txwi->txop = 0;	/* clear leftover garbage bits */
3545 
3546 	data->m = m;
3547 	data->ni = ni;
3548 	data->ridx = ridx;
3549 
3550 	run_set_tx_desc(sc, data);
3551 
3552 	RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending mgt frame len=%d rate=%d\n",
3553 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3554 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate);
3555 
3556 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3557 
3558 	usbd_transfer_start(sc->sc_xfer[0]);
3559 
3560 	return (0);
3561 }
3562 
3563 static int
3564 run_sendprot(struct run_softc *sc,
3565     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3566 {
3567 	struct ieee80211com *ic = ni->ni_ic;
3568 	struct run_tx_data *data;
3569 	struct rt2870_txd *txd;
3570 	struct rt2860_txwi *txwi;
3571 	struct mbuf *mprot;
3572 	int ridx;
3573 	int protrate;
3574 	uint8_t wflags = 0;
3575 	uint8_t xflags = 0;
3576 
3577 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3578 
3579 	/* check that there are free slots before allocating the mbuf */
3580 	if (sc->sc_epq[0].tx_nfree == 0)
3581 		/* let caller free mbuf */
3582 		return (ENOBUFS);
3583 
3584 	mprot = ieee80211_alloc_prot(ni, m, rate, prot);
3585 	if (mprot == NULL) {
3586 		if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3587 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "could not allocate mbuf\n");
3588 		return (ENOBUFS);
3589 	}
3590 
3591 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3592 	wflags = RT2860_TX_FRAG;
3593 	xflags = 0;
3594 	if (prot == IEEE80211_PROT_RTSCTS)
3595 		xflags |= RT2860_TX_ACK;
3596 
3597         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3598         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3599         sc->sc_epq[0].tx_nfree--;
3600 
3601 	txd = (struct rt2870_txd *)&data->desc;
3602 	txd->flags = RT2860_TX_QSEL_EDCA;
3603 	txwi = (struct rt2860_txwi *)(txd + 1);
3604 	txwi->wcid = 0xff;
3605 	txwi->flags = wflags;
3606 	txwi->xflags = xflags;
3607 	txwi->txop = 0;	/* clear leftover garbage bits */
3608 
3609 	data->m = mprot;
3610 	data->ni = ieee80211_ref_node(ni);
3611 
3612 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3613 		if (rt2860_rates[ridx].rate == protrate)
3614 			break;
3615 	data->ridx = ridx;
3616 
3617 	run_set_tx_desc(sc, data);
3618 
3619         RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending prot len=%u rate=%u\n",
3620             m->m_pkthdr.len, rate);
3621 
3622         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3623 
3624 	usbd_transfer_start(sc->sc_xfer[0]);
3625 
3626 	return (0);
3627 }
3628 
3629 static int
3630 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3631     const struct ieee80211_bpf_params *params)
3632 {
3633 	struct ieee80211com *ic = ni->ni_ic;
3634 	struct run_tx_data *data;
3635 	struct rt2870_txd *txd;
3636 	struct rt2860_txwi *txwi;
3637 	uint8_t ridx;
3638 	uint8_t rate;
3639 	uint8_t opflags = 0;
3640 	uint8_t xflags = 0;
3641 	int error;
3642 
3643 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3644 
3645 	KASSERT(params != NULL, ("no raw xmit params"));
3646 
3647 	rate = params->ibp_rate0;
3648 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3649 		/* let caller free mbuf */
3650 		return (EINVAL);
3651 	}
3652 
3653 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3654 		xflags |= RT2860_TX_ACK;
3655 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3656 		error = run_sendprot(sc, m, ni,
3657 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3658 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3659 		    rate);
3660 		if (error) {
3661 			/* let caller free mbuf */
3662 			return error;
3663 		}
3664 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3665 	}
3666 
3667 	if (sc->sc_epq[0].tx_nfree == 0) {
3668 		/* let caller free mbuf */
3669 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT,
3670 		    "sending raw frame, but tx ring is full\n");
3671 		return (EIO);
3672 	}
3673         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3674         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3675         sc->sc_epq[0].tx_nfree--;
3676 
3677 	txd = (struct rt2870_txd *)&data->desc;
3678 	txd->flags = RT2860_TX_QSEL_EDCA;
3679 	txwi = (struct rt2860_txwi *)(txd + 1);
3680 	txwi->wcid = 0xff;
3681 	txwi->xflags = xflags;
3682 	txwi->txop = opflags;
3683 	txwi->flags = 0;	/* clear leftover garbage bits */
3684 
3685         data->m = m;
3686         data->ni = ni;
3687 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3688 		if (rt2860_rates[ridx].rate == rate)
3689 			break;
3690 	data->ridx = ridx;
3691 
3692         run_set_tx_desc(sc, data);
3693 
3694         RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "sending raw frame len=%u rate=%u\n",
3695             m->m_pkthdr.len, rate);
3696 
3697         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3698 
3699 	usbd_transfer_start(sc->sc_xfer[0]);
3700 
3701         return (0);
3702 }
3703 
3704 static int
3705 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3706     const struct ieee80211_bpf_params *params)
3707 {
3708 	struct run_softc *sc = ni->ni_ic->ic_softc;
3709 	int error = 0;
3710 
3711 	RUN_LOCK(sc);
3712 
3713 	/* prevent management frames from being sent if we're not ready */
3714 	if (!(sc->sc_flags & RUN_RUNNING)) {
3715 		error = ENETDOWN;
3716 		goto done;
3717 	}
3718 
3719 	if (params == NULL) {
3720 		/* tx mgt packet */
3721 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3722 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "mgt tx failed\n");
3723 			goto done;
3724 		}
3725 	} else {
3726 		/* tx raw packet with param */
3727 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3728 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT, "tx with param failed\n");
3729 			goto done;
3730 		}
3731 	}
3732 
3733 done:
3734 	RUN_UNLOCK(sc);
3735 
3736 	if (error != 0) {
3737 		if(m != NULL)
3738 			m_freem(m);
3739 	}
3740 
3741 	return (error);
3742 }
3743 
3744 static int
3745 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3746 {
3747 	struct run_softc *sc = ic->ic_softc;
3748 	int error;
3749 
3750 	RUN_LOCK(sc);
3751 	if ((sc->sc_flags & RUN_RUNNING) == 0) {
3752 		RUN_UNLOCK(sc);
3753 		return (ENXIO);
3754 	}
3755 	error = mbufq_enqueue(&sc->sc_snd, m);
3756 	if (error) {
3757 		RUN_UNLOCK(sc);
3758 		return (error);
3759 	}
3760 	run_start(sc);
3761 	RUN_UNLOCK(sc);
3762 
3763 	return (0);
3764 }
3765 
3766 static void
3767 run_start(struct run_softc *sc)
3768 {
3769 	struct ieee80211_node *ni;
3770 	struct mbuf *m;
3771 
3772 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3773 
3774 	if ((sc->sc_flags & RUN_RUNNING) == 0)
3775 		return;
3776 
3777 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3778 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3779 		if (run_tx(sc, m, ni) != 0) {
3780 			mbufq_prepend(&sc->sc_snd, m);
3781 			break;
3782 		}
3783 	}
3784 }
3785 
3786 static void
3787 run_parent(struct ieee80211com *ic)
3788 {
3789 	struct run_softc *sc = ic->ic_softc;
3790 	int startall = 0;
3791 
3792 	RUN_LOCK(sc);
3793 	if (sc->sc_detached) {
3794 		RUN_UNLOCK(sc);
3795 		return;
3796 	}
3797 
3798 	if (ic->ic_nrunning > 0) {
3799 		if (!(sc->sc_flags & RUN_RUNNING)) {
3800 			startall = 1;
3801 			run_init_locked(sc);
3802 		} else
3803 			run_update_promisc_locked(sc);
3804 	} else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3805 		run_stop(sc);
3806 	RUN_UNLOCK(sc);
3807 	if (startall)
3808 		ieee80211_start_all(ic);
3809 }
3810 
3811 static void
3812 run_iq_calib(struct run_softc *sc, u_int chan)
3813 {
3814 	uint16_t val;
3815 
3816 	/* Tx0 IQ gain. */
3817 	run_bbp_write(sc, 158, 0x2c);
3818 	if (chan <= 14)
3819 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3820 	else if (chan <= 64) {
3821 		run_efuse_read(sc,
3822 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3823 		    &val, 1);
3824 	} else if (chan <= 138) {
3825 		run_efuse_read(sc,
3826 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3827 		    &val, 1);
3828 	} else if (chan <= 165) {
3829 		run_efuse_read(sc,
3830 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3831 		    &val, 1);
3832 	} else
3833 		val = 0;
3834 	run_bbp_write(sc, 159, val);
3835 
3836 	/* Tx0 IQ phase. */
3837 	run_bbp_write(sc, 158, 0x2d);
3838 	if (chan <= 14) {
3839 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3840 		    &val, 1);
3841 	} else if (chan <= 64) {
3842 		run_efuse_read(sc,
3843 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3844 		    &val, 1);
3845 	} else if (chan <= 138) {
3846 		run_efuse_read(sc,
3847 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3848 		    &val, 1);
3849 	} else if (chan <= 165) {
3850 		run_efuse_read(sc,
3851 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3852 		    &val, 1);
3853 	} else
3854 		val = 0;
3855 	run_bbp_write(sc, 159, val);
3856 
3857 	/* Tx1 IQ gain. */
3858 	run_bbp_write(sc, 158, 0x4a);
3859 	if (chan <= 14) {
3860 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3861 		    &val, 1);
3862 	} else if (chan <= 64) {
3863 		run_efuse_read(sc,
3864 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3865 		    &val, 1);
3866 	} else if (chan <= 138) {
3867 		run_efuse_read(sc,
3868 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3869 		    &val, 1);
3870 	} else if (chan <= 165) {
3871 		run_efuse_read(sc,
3872 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3873 		    &val, 1);
3874 	} else
3875 		val = 0;
3876 	run_bbp_write(sc, 159, val);
3877 
3878 	/* Tx1 IQ phase. */
3879 	run_bbp_write(sc, 158, 0x4b);
3880 	if (chan <= 14) {
3881 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3882 		    &val, 1);
3883 	} else if (chan <= 64) {
3884 		run_efuse_read(sc,
3885 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3886 		    &val, 1);
3887 	} else if (chan <= 138) {
3888 		run_efuse_read(sc,
3889 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3890 		    &val, 1);
3891 	} else if (chan <= 165) {
3892 		run_efuse_read(sc,
3893 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3894 		    &val, 1);
3895 	} else
3896 		val = 0;
3897 	run_bbp_write(sc, 159, val);
3898 
3899 	/* RF IQ compensation control. */
3900 	run_bbp_write(sc, 158, 0x04);
3901 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3902 	    &val, 1);
3903 	run_bbp_write(sc, 159, val);
3904 
3905 	/* RF IQ imbalance compensation control. */
3906 	run_bbp_write(sc, 158, 0x03);
3907 	run_efuse_read(sc,
3908 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3909 	run_bbp_write(sc, 159, val);
3910 }
3911 
3912 static void
3913 run_set_agc(struct run_softc *sc, uint8_t agc)
3914 {
3915 	uint8_t bbp;
3916 
3917 	if (sc->mac_ver == 0x3572) {
3918 		run_bbp_read(sc, 27, &bbp);
3919 		bbp &= ~(0x3 << 5);
3920 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3921 		run_bbp_write(sc, 66, agc);
3922 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3923 		run_bbp_write(sc, 66, agc);
3924 	} else
3925 		run_bbp_write(sc, 66, agc);
3926 }
3927 
3928 static void
3929 run_select_chan_group(struct run_softc *sc, int group)
3930 {
3931 	uint32_t tmp;
3932 	uint8_t agc;
3933 
3934 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3935 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3936 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3937 	if (sc->mac_ver < 0x3572)
3938 		run_bbp_write(sc, 86, 0x00);
3939 
3940 	if (sc->mac_ver == 0x3593) {
3941 		run_bbp_write(sc, 77, 0x98);
3942 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3943 	}
3944 
3945 	if (group == 0) {
3946 		if (sc->ext_2ghz_lna) {
3947 			if (sc->mac_ver >= 0x5390)
3948 				run_bbp_write(sc, 75, 0x52);
3949 			else {
3950 				run_bbp_write(sc, 82, 0x62);
3951 				run_bbp_write(sc, 75, 0x46);
3952 			}
3953 		} else {
3954 			if (sc->mac_ver == 0x5592) {
3955 				run_bbp_write(sc, 79, 0x1c);
3956 				run_bbp_write(sc, 80, 0x0e);
3957 				run_bbp_write(sc, 81, 0x3a);
3958 				run_bbp_write(sc, 82, 0x62);
3959 
3960 				run_bbp_write(sc, 195, 0x80);
3961 				run_bbp_write(sc, 196, 0xe0);
3962 				run_bbp_write(sc, 195, 0x81);
3963 				run_bbp_write(sc, 196, 0x1f);
3964 				run_bbp_write(sc, 195, 0x82);
3965 				run_bbp_write(sc, 196, 0x38);
3966 				run_bbp_write(sc, 195, 0x83);
3967 				run_bbp_write(sc, 196, 0x32);
3968 				run_bbp_write(sc, 195, 0x85);
3969 				run_bbp_write(sc, 196, 0x28);
3970 				run_bbp_write(sc, 195, 0x86);
3971 				run_bbp_write(sc, 196, 0x19);
3972 			} else if (sc->mac_ver >= 0x5390)
3973 				run_bbp_write(sc, 75, 0x50);
3974 			else {
3975 				run_bbp_write(sc, 82,
3976 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3977 				run_bbp_write(sc, 75, 0x50);
3978 			}
3979 		}
3980 	} else {
3981 		if (sc->mac_ver == 0x5592) {
3982 			run_bbp_write(sc, 79, 0x18);
3983 			run_bbp_write(sc, 80, 0x08);
3984 			run_bbp_write(sc, 81, 0x38);
3985 			run_bbp_write(sc, 82, 0x92);
3986 
3987 			run_bbp_write(sc, 195, 0x80);
3988 			run_bbp_write(sc, 196, 0xf0);
3989 			run_bbp_write(sc, 195, 0x81);
3990 			run_bbp_write(sc, 196, 0x1e);
3991 			run_bbp_write(sc, 195, 0x82);
3992 			run_bbp_write(sc, 196, 0x28);
3993 			run_bbp_write(sc, 195, 0x83);
3994 			run_bbp_write(sc, 196, 0x20);
3995 			run_bbp_write(sc, 195, 0x85);
3996 			run_bbp_write(sc, 196, 0x7f);
3997 			run_bbp_write(sc, 195, 0x86);
3998 			run_bbp_write(sc, 196, 0x7f);
3999 		} else if (sc->mac_ver == 0x3572)
4000 			run_bbp_write(sc, 82, 0x94);
4001 		else
4002 			run_bbp_write(sc, 82,
4003 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
4004 		if (sc->ext_5ghz_lna)
4005 			run_bbp_write(sc, 75, 0x46);
4006 		else
4007 			run_bbp_write(sc, 75, 0x50);
4008 	}
4009 
4010 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4011 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4012 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4013 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
4014 
4015 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4016 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4017 	if (sc->mac_ver == 0x3593)
4018 		tmp |= 1 << 29 | 1 << 28;
4019 	if (sc->nrxchains > 1)
4020 		tmp |= RT2860_LNA_PE1_EN;
4021 	if (group == 0) {	/* 2GHz */
4022 		tmp |= RT2860_PA_PE_G0_EN;
4023 		if (sc->ntxchains > 1)
4024 			tmp |= RT2860_PA_PE_G1_EN;
4025 		if (sc->mac_ver == 0x3593) {
4026 			if (sc->ntxchains > 2)
4027 				tmp |= 1 << 25;
4028 		}
4029 	} else {		/* 5GHz */
4030 		tmp |= RT2860_PA_PE_A0_EN;
4031 		if (sc->ntxchains > 1)
4032 			tmp |= RT2860_PA_PE_A1_EN;
4033 	}
4034 	if (sc->mac_ver == 0x3572) {
4035 		run_rt3070_rf_write(sc, 8, 0x00);
4036 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4037 		run_rt3070_rf_write(sc, 8, 0x80);
4038 	} else
4039 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4040 
4041 	if (sc->mac_ver == 0x5592) {
4042 		run_bbp_write(sc, 195, 0x8d);
4043 		run_bbp_write(sc, 196, 0x1a);
4044 	}
4045 
4046 	if (sc->mac_ver == 0x3593) {
4047 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
4048 		tmp &= ~0x01010000;
4049 		if (group == 0)
4050 			tmp |= 0x00010000;
4051 		tmp = (tmp & ~0x00009090) | 0x00000090;
4052 		run_write(sc, RT2860_GPIO_CTRL, tmp);
4053 	}
4054 
4055 	/* set initial AGC value */
4056 	if (group == 0) {	/* 2GHz band */
4057 		if (sc->mac_ver >= 0x3070)
4058 			agc = 0x1c + sc->lna[0] * 2;
4059 		else
4060 			agc = 0x2e + sc->lna[0];
4061 	} else {		/* 5GHz band */
4062 		if (sc->mac_ver == 0x5592)
4063 			agc = 0x24 + sc->lna[group] * 2;
4064 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4065 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4066 		else
4067 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4068 	}
4069 	run_set_agc(sc, agc);
4070 }
4071 
4072 static void
4073 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4074 {
4075 	const struct rfprog *rfprog = rt2860_rf2850;
4076 	uint32_t r2, r3, r4;
4077 	int8_t txpow1, txpow2;
4078 	int i;
4079 
4080 	/* find the settings for this channel (we know it exists) */
4081 	for (i = 0; rfprog[i].chan != chan; i++);
4082 
4083 	r2 = rfprog[i].r2;
4084 	if (sc->ntxchains == 1)
4085 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4086 	if (sc->nrxchains == 1)
4087 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4088 	else if (sc->nrxchains == 2)
4089 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4090 
4091 	/* use Tx power values from EEPROM */
4092 	txpow1 = sc->txpow1[i];
4093 	txpow2 = sc->txpow2[i];
4094 
4095 	/* Initialize RF R3 and R4. */
4096 	r3 = rfprog[i].r3 & 0xffffc1ff;
4097 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4098 	if (chan > 14) {
4099 		if (txpow1 >= 0) {
4100 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4101 			r3 |= (txpow1 << 10) | (1 << 9);
4102 		} else {
4103 			txpow1 += 7;
4104 
4105 			/* txpow1 is not possible larger than 15. */
4106 			r3 |= (txpow1 << 10);
4107 		}
4108 		if (txpow2 >= 0) {
4109 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4110 			r4 |= (txpow2 << 7) | (1 << 6);
4111 		} else {
4112 			txpow2 += 7;
4113 			r4 |= (txpow2 << 7);
4114 		}
4115 	} else {
4116 		/* Set Tx0 power. */
4117 		r3 |= (txpow1 << 9);
4118 
4119 		/* Set frequency offset and Tx1 power. */
4120 		r4 |= (txpow2 << 6);
4121 	}
4122 
4123 	run_rt2870_rf_write(sc, rfprog[i].r1);
4124 	run_rt2870_rf_write(sc, r2);
4125 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4126 	run_rt2870_rf_write(sc, r4);
4127 
4128 	run_delay(sc, 10);
4129 
4130 	run_rt2870_rf_write(sc, rfprog[i].r1);
4131 	run_rt2870_rf_write(sc, r2);
4132 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4133 	run_rt2870_rf_write(sc, r4);
4134 
4135 	run_delay(sc, 10);
4136 
4137 	run_rt2870_rf_write(sc, rfprog[i].r1);
4138 	run_rt2870_rf_write(sc, r2);
4139 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4140 	run_rt2870_rf_write(sc, r4);
4141 }
4142 
4143 static void
4144 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4145 {
4146 	int8_t txpow1, txpow2;
4147 	uint8_t rf;
4148 	int i;
4149 
4150 	/* find the settings for this channel (we know it exists) */
4151 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4152 
4153 	/* use Tx power values from EEPROM */
4154 	txpow1 = sc->txpow1[i];
4155 	txpow2 = sc->txpow2[i];
4156 
4157 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4158 
4159 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4160 	run_rt3070_rf_read(sc, 3, &rf);
4161 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4162 	run_rt3070_rf_write(sc, 3, rf);
4163 
4164 	run_rt3070_rf_read(sc, 6, &rf);
4165 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4166 	run_rt3070_rf_write(sc, 6, rf);
4167 
4168 	/* set Tx0 power */
4169 	run_rt3070_rf_read(sc, 12, &rf);
4170 	rf = (rf & ~0x1f) | txpow1;
4171 	run_rt3070_rf_write(sc, 12, rf);
4172 
4173 	/* set Tx1 power */
4174 	run_rt3070_rf_read(sc, 13, &rf);
4175 	rf = (rf & ~0x1f) | txpow2;
4176 	run_rt3070_rf_write(sc, 13, rf);
4177 
4178 	run_rt3070_rf_read(sc, 1, &rf);
4179 	rf &= ~0xfc;
4180 	if (sc->ntxchains == 1)
4181 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4182 	else if (sc->ntxchains == 2)
4183 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4184 	if (sc->nrxchains == 1)
4185 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4186 	else if (sc->nrxchains == 2)
4187 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4188 	run_rt3070_rf_write(sc, 1, rf);
4189 
4190 	/* set RF offset */
4191 	run_rt3070_rf_read(sc, 23, &rf);
4192 	rf = (rf & ~0x7f) | sc->freq;
4193 	run_rt3070_rf_write(sc, 23, rf);
4194 
4195 	/* program RF filter */
4196 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4197 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4198 	run_rt3070_rf_write(sc, 24, rf);
4199 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4200 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4201 	run_rt3070_rf_write(sc, 31, rf);
4202 
4203 	/* enable RF tuning */
4204 	run_rt3070_rf_read(sc, 7, &rf);
4205 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4206 }
4207 
4208 static void
4209 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4210 {
4211 	int8_t txpow1, txpow2;
4212 	uint32_t tmp;
4213 	uint8_t rf;
4214 	int i;
4215 
4216 	/* find the settings for this channel (we know it exists) */
4217 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4218 
4219 	/* use Tx power values from EEPROM */
4220 	txpow1 = sc->txpow1[i];
4221 	txpow2 = sc->txpow2[i];
4222 
4223 	if (chan <= 14) {
4224 		run_bbp_write(sc, 25, sc->bbp25);
4225 		run_bbp_write(sc, 26, sc->bbp26);
4226 	} else {
4227 		/* enable IQ phase correction */
4228 		run_bbp_write(sc, 25, 0x09);
4229 		run_bbp_write(sc, 26, 0xff);
4230 	}
4231 
4232 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4233 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4234 	run_rt3070_rf_read(sc, 6, &rf);
4235 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4236 	rf |= (chan <= 14) ? 0x08 : 0x04;
4237 	run_rt3070_rf_write(sc, 6, rf);
4238 
4239 	/* set PLL mode */
4240 	run_rt3070_rf_read(sc, 5, &rf);
4241 	rf &= ~(0x08 | 0x04);
4242 	rf |= (chan <= 14) ? 0x04 : 0x08;
4243 	run_rt3070_rf_write(sc, 5, rf);
4244 
4245 	/* set Tx power for chain 0 */
4246 	if (chan <= 14)
4247 		rf = 0x60 | txpow1;
4248 	else
4249 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4250 	run_rt3070_rf_write(sc, 12, rf);
4251 
4252 	/* set Tx power for chain 1 */
4253 	if (chan <= 14)
4254 		rf = 0x60 | txpow2;
4255 	else
4256 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4257 	run_rt3070_rf_write(sc, 13, rf);
4258 
4259 	/* set Tx/Rx streams */
4260 	run_rt3070_rf_read(sc, 1, &rf);
4261 	rf &= ~0xfc;
4262 	if (sc->ntxchains == 1)
4263 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4264 	else if (sc->ntxchains == 2)
4265 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4266 	if (sc->nrxchains == 1)
4267 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4268 	else if (sc->nrxchains == 2)
4269 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4270 	run_rt3070_rf_write(sc, 1, rf);
4271 
4272 	/* set RF offset */
4273 	run_rt3070_rf_read(sc, 23, &rf);
4274 	rf = (rf & ~0x7f) | sc->freq;
4275 	run_rt3070_rf_write(sc, 23, rf);
4276 
4277 	/* program RF filter */
4278 	rf = sc->rf24_20mhz;
4279 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4280 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4281 
4282 	/* enable RF tuning */
4283 	run_rt3070_rf_read(sc, 7, &rf);
4284 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4285 	run_rt3070_rf_write(sc, 7, rf);
4286 
4287 	/* TSSI */
4288 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4289 	run_rt3070_rf_write(sc, 9, rf);
4290 
4291 	/* set loop filter 1 */
4292 	run_rt3070_rf_write(sc, 10, 0xf1);
4293 	/* set loop filter 2 */
4294 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4295 
4296 	/* set tx_mx2_ic */
4297 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4298 	/* set tx_mx1_ic */
4299 	if (chan <= 14)
4300 		rf = 0x48 | sc->txmixgain_2ghz;
4301 	else
4302 		rf = 0x78 | sc->txmixgain_5ghz;
4303 	run_rt3070_rf_write(sc, 16, rf);
4304 
4305 	/* set tx_lo1 */
4306 	run_rt3070_rf_write(sc, 17, 0x23);
4307 	/* set tx_lo2 */
4308 	if (chan <= 14)
4309 		rf = 0x93;
4310 	else if (chan <= 64)
4311 		rf = 0xb7;
4312 	else if (chan <= 128)
4313 		rf = 0x74;
4314 	else
4315 		rf = 0x72;
4316 	run_rt3070_rf_write(sc, 19, rf);
4317 
4318 	/* set rx_lo1 */
4319 	if (chan <= 14)
4320 		rf = 0xb3;
4321 	else if (chan <= 64)
4322 		rf = 0xf6;
4323 	else if (chan <= 128)
4324 		rf = 0xf4;
4325 	else
4326 		rf = 0xf3;
4327 	run_rt3070_rf_write(sc, 20, rf);
4328 
4329 	/* set pfd_delay */
4330 	if (chan <= 14)
4331 		rf = 0x15;
4332 	else if (chan <= 64)
4333 		rf = 0x3d;
4334 	else
4335 		rf = 0x01;
4336 	run_rt3070_rf_write(sc, 25, rf);
4337 
4338 	/* set rx_lo2 */
4339 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4340 	/* set ldo_rf_vc */
4341 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4342 	/* set drv_cc */
4343 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4344 
4345 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4346 	tmp &= ~0x8080;
4347 	if (chan <= 14)
4348 		tmp |= 0x80;
4349 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4350 
4351 	/* enable RF tuning */
4352 	run_rt3070_rf_read(sc, 7, &rf);
4353 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4354 
4355 	run_delay(sc, 2);
4356 }
4357 
4358 static void
4359 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4360 {
4361 	int8_t txpow1, txpow2, txpow3;
4362 	uint8_t h20mhz, rf;
4363 	int i;
4364 
4365 	/* find the settings for this channel (we know it exists) */
4366 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4367 
4368 	/* use Tx power values from EEPROM */
4369 	txpow1 = sc->txpow1[i];
4370 	txpow2 = sc->txpow2[i];
4371 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4372 
4373 	if (chan <= 14) {
4374 		run_bbp_write(sc, 25, sc->bbp25);
4375 		run_bbp_write(sc, 26, sc->bbp26);
4376 	} else {
4377 		/* Enable IQ phase correction. */
4378 		run_bbp_write(sc, 25, 0x09);
4379 		run_bbp_write(sc, 26, 0xff);
4380 	}
4381 
4382 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4383 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4384 	run_rt3070_rf_read(sc, 11, &rf);
4385 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4386 	run_rt3070_rf_write(sc, 11, rf);
4387 
4388 	/* Set pll_idoh. */
4389 	run_rt3070_rf_read(sc, 11, &rf);
4390 	rf &= ~0x4c;
4391 	rf |= (chan <= 14) ? 0x44 : 0x48;
4392 	run_rt3070_rf_write(sc, 11, rf);
4393 
4394 	if (chan <= 14)
4395 		rf = txpow1 & 0x1f;
4396 	else
4397 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4398 	run_rt3070_rf_write(sc, 53, rf);
4399 
4400 	if (chan <= 14)
4401 		rf = txpow2 & 0x1f;
4402 	else
4403 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4404 	run_rt3070_rf_write(sc, 55, rf);
4405 
4406 	if (chan <= 14)
4407 		rf = txpow3 & 0x1f;
4408 	else
4409 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4410 	run_rt3070_rf_write(sc, 54, rf);
4411 
4412 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4413 	if (sc->ntxchains == 3)
4414 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4415 	else
4416 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4417 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4418 	run_rt3070_rf_write(sc, 1, rf);
4419 
4420 	run_adjust_freq_offset(sc);
4421 
4422 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4423 
4424 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4425 	run_rt3070_rf_read(sc, 30, &rf);
4426 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4427 	run_rt3070_rf_write(sc, 30, rf);
4428 
4429 	run_rt3070_rf_read(sc, 36, &rf);
4430 	if (chan <= 14)
4431 		rf |= 0x80;
4432 	else
4433 		rf &= ~0x80;
4434 	run_rt3070_rf_write(sc, 36, rf);
4435 
4436 	/* Set vcolo_bs. */
4437 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4438 	/* Set pfd_delay. */
4439 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4440 
4441 	/* Set vco bias current control. */
4442 	run_rt3070_rf_read(sc, 6, &rf);
4443 	rf &= ~0xc0;
4444 	if (chan <= 14)
4445 		rf |= 0x40;
4446 	else if (chan <= 128)
4447 		rf |= 0x80;
4448 	else
4449 		rf |= 0x40;
4450 	run_rt3070_rf_write(sc, 6, rf);
4451 
4452 	run_rt3070_rf_read(sc, 30, &rf);
4453 	rf = (rf & ~0x18) | 0x10;
4454 	run_rt3070_rf_write(sc, 30, rf);
4455 
4456 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4457 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4458 
4459 	run_rt3070_rf_read(sc, 51, &rf);
4460 	rf = (rf & ~0x03) | 0x01;
4461 	run_rt3070_rf_write(sc, 51, rf);
4462 	/* Set tx_mx1_cc. */
4463 	run_rt3070_rf_read(sc, 51, &rf);
4464 	rf &= ~0x1c;
4465 	rf |= (chan <= 14) ? 0x14 : 0x10;
4466 	run_rt3070_rf_write(sc, 51, rf);
4467 	/* Set tx_mx1_ic. */
4468 	run_rt3070_rf_read(sc, 51, &rf);
4469 	rf &= ~0xe0;
4470 	rf |= (chan <= 14) ? 0x60 : 0x40;
4471 	run_rt3070_rf_write(sc, 51, rf);
4472 	/* Set tx_lo1_ic. */
4473 	run_rt3070_rf_read(sc, 49, &rf);
4474 	rf &= ~0x1c;
4475 	rf |= (chan <= 14) ? 0x0c : 0x08;
4476 	run_rt3070_rf_write(sc, 49, rf);
4477 	/* Set tx_lo1_en. */
4478 	run_rt3070_rf_read(sc, 50, &rf);
4479 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4480 	/* Set drv_cc. */
4481 	run_rt3070_rf_read(sc, 57, &rf);
4482 	rf &= ~0xfc;
4483 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4484 	run_rt3070_rf_write(sc, 57, rf);
4485 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4486 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4487 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4488 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4489 	/* Enable VCO calibration. */
4490 	run_rt3070_rf_read(sc, 3, &rf);
4491 	rf &= ~RT5390_VCOCAL;
4492 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4493 	run_rt3070_rf_write(sc, 3, rf);
4494 
4495 	if (chan <= 14)
4496 		rf = 0x23;
4497 	else if (chan <= 64)
4498 		rf = 0x36;
4499 	else if (chan <= 128)
4500 		rf = 0x32;
4501 	else
4502 		rf = 0x30;
4503 	run_rt3070_rf_write(sc, 39, rf);
4504 	if (chan <= 14)
4505 		rf = 0xbb;
4506 	else if (chan <= 64)
4507 		rf = 0xeb;
4508 	else if (chan <= 128)
4509 		rf = 0xb3;
4510 	else
4511 		rf = 0x9b;
4512 	run_rt3070_rf_write(sc, 45, rf);
4513 
4514 	/* Set FEQ/AEQ control. */
4515 	run_bbp_write(sc, 105, 0x34);
4516 }
4517 
4518 static void
4519 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4520 {
4521 	int8_t txpow1, txpow2;
4522 	uint8_t rf;
4523 	int i;
4524 
4525 	/* find the settings for this channel (we know it exists) */
4526 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4527 
4528 	/* use Tx power values from EEPROM */
4529 	txpow1 = sc->txpow1[i];
4530 	txpow2 = sc->txpow2[i];
4531 
4532 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4533 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4534 	run_rt3070_rf_read(sc, 11, &rf);
4535 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4536 	run_rt3070_rf_write(sc, 11, rf);
4537 
4538 	run_rt3070_rf_read(sc, 49, &rf);
4539 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4540 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4541 	if ((rf & 0x3f) > 0x27)
4542 		rf = (rf & ~0x3f) | 0x27;
4543 	run_rt3070_rf_write(sc, 49, rf);
4544 
4545 	if (sc->mac_ver == 0x5392) {
4546 		run_rt3070_rf_read(sc, 50, &rf);
4547 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4548 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4549 		if ((rf & 0x3f) > 0x27)
4550 			rf = (rf & ~0x3f) | 0x27;
4551 		run_rt3070_rf_write(sc, 50, rf);
4552 	}
4553 
4554 	run_rt3070_rf_read(sc, 1, &rf);
4555 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4556 	if (sc->mac_ver == 0x5392)
4557 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4558 	run_rt3070_rf_write(sc, 1, rf);
4559 
4560 	if (sc->mac_ver != 0x5392) {
4561 		run_rt3070_rf_read(sc, 2, &rf);
4562 		rf |= 0x80;
4563 		run_rt3070_rf_write(sc, 2, rf);
4564 		run_delay(sc, 10);
4565 		rf &= 0x7f;
4566 		run_rt3070_rf_write(sc, 2, rf);
4567 	}
4568 
4569 	run_adjust_freq_offset(sc);
4570 
4571 	if (sc->mac_ver == 0x5392) {
4572 		/* Fix for RT5392C. */
4573 		if (sc->mac_rev >= 0x0223) {
4574 			if (chan <= 4)
4575 				rf = 0x0f;
4576 			else if (chan >= 5 && chan <= 7)
4577 				rf = 0x0e;
4578 			else
4579 				rf = 0x0d;
4580 			run_rt3070_rf_write(sc, 23, rf);
4581 
4582 			if (chan <= 4)
4583 				rf = 0x0c;
4584 			else if (chan == 5)
4585 				rf = 0x0b;
4586 			else if (chan >= 6 && chan <= 7)
4587 				rf = 0x0a;
4588 			else if (chan >= 8 && chan <= 10)
4589 				rf = 0x09;
4590 			else
4591 				rf = 0x08;
4592 			run_rt3070_rf_write(sc, 59, rf);
4593 		} else {
4594 			if (chan <= 11)
4595 				rf = 0x0f;
4596 			else
4597 				rf = 0x0b;
4598 			run_rt3070_rf_write(sc, 59, rf);
4599 		}
4600 	} else {
4601 		/* Fix for RT5390F. */
4602 		if (sc->mac_rev >= 0x0502) {
4603 			if (chan <= 11)
4604 				rf = 0x43;
4605 			else
4606 				rf = 0x23;
4607 			run_rt3070_rf_write(sc, 55, rf);
4608 
4609 			if (chan <= 11)
4610 				rf = 0x0f;
4611 			else if (chan == 12)
4612 				rf = 0x0d;
4613 			else
4614 				rf = 0x0b;
4615 			run_rt3070_rf_write(sc, 59, rf);
4616 		} else {
4617 			run_rt3070_rf_write(sc, 55, 0x44);
4618 			run_rt3070_rf_write(sc, 59, 0x8f);
4619 		}
4620 	}
4621 
4622 	/* Enable VCO calibration. */
4623 	run_rt3070_rf_read(sc, 3, &rf);
4624 	rf |= RT5390_VCOCAL;
4625 	run_rt3070_rf_write(sc, 3, rf);
4626 }
4627 
4628 static void
4629 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4630 {
4631 	const struct rt5592_freqs *freqs;
4632 	uint32_t tmp;
4633 	uint8_t reg, rf, txpow_bound;
4634 	int8_t txpow1, txpow2;
4635 	int i;
4636 
4637 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4638 	freqs = (tmp & RT5592_SEL_XTAL) ?
4639 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4640 
4641 	/* find the settings for this channel (we know it exists) */
4642 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4643 
4644 	/* use Tx power values from EEPROM */
4645 	txpow1 = sc->txpow1[i];
4646 	txpow2 = sc->txpow2[i];
4647 
4648 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4649 	tmp &= ~0x1c000000;
4650 	if (chan > 14)
4651 		tmp |= 0x14000000;
4652 	run_write(sc, RT3070_LDO_CFG0, tmp);
4653 
4654 	/* N setting. */
4655 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4656 	run_rt3070_rf_read(sc, 9, &rf);
4657 	rf &= ~(1 << 4);
4658 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4659 	run_rt3070_rf_write(sc, 9, rf);
4660 
4661 	/* K setting. */
4662 	run_rt3070_rf_read(sc, 9, &rf);
4663 	rf &= ~0x0f;
4664 	rf |= (freqs->k & 0x0f);
4665 	run_rt3070_rf_write(sc, 9, rf);
4666 
4667 	/* Mode setting. */
4668 	run_rt3070_rf_read(sc, 11, &rf);
4669 	rf &= ~0x0c;
4670 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4671 	run_rt3070_rf_write(sc, 11, rf);
4672 	run_rt3070_rf_read(sc, 9, &rf);
4673 	rf &= ~(1 << 7);
4674 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4675 	run_rt3070_rf_write(sc, 9, rf);
4676 
4677 	/* R setting. */
4678 	run_rt3070_rf_read(sc, 11, &rf);
4679 	rf &= ~0x03;
4680 	rf |= (freqs->r - 0x1);
4681 	run_rt3070_rf_write(sc, 11, rf);
4682 
4683 	if (chan <= 14) {
4684 		/* Initialize RF registers for 2GHZ. */
4685 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4686 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4687 			    rt5592_2ghz_def_rf[i].val);
4688 		}
4689 
4690 		rf = (chan <= 10) ? 0x07 : 0x06;
4691 		run_rt3070_rf_write(sc, 23, rf);
4692 		run_rt3070_rf_write(sc, 59, rf);
4693 
4694 		run_rt3070_rf_write(sc, 55, 0x43);
4695 
4696 		/*
4697 		 * RF R49/R50 Tx power ALC code.
4698 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4699 		 */
4700 		reg = 2;
4701 		txpow_bound = 0x27;
4702 	} else {
4703 		/* Initialize RF registers for 5GHZ. */
4704 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4705 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4706 			    rt5592_5ghz_def_rf[i].val);
4707 		}
4708 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4709 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4710 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4711 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4712 				    rt5592_chan_5ghz[i].val);
4713 			}
4714 		}
4715 
4716 		/*
4717 		 * RF R49/R50 Tx power ALC code.
4718 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4719 		 */
4720 		reg = 3;
4721 		txpow_bound = 0x2b;
4722 	}
4723 
4724 	/* RF R49 ch0 Tx power ALC code. */
4725 	run_rt3070_rf_read(sc, 49, &rf);
4726 	rf &= ~0xc0;
4727 	rf |= (reg << 6);
4728 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4729 	if ((rf & 0x3f) > txpow_bound)
4730 		rf = (rf & ~0x3f) | txpow_bound;
4731 	run_rt3070_rf_write(sc, 49, rf);
4732 
4733 	/* RF R50 ch1 Tx power ALC code. */
4734 	run_rt3070_rf_read(sc, 50, &rf);
4735 	rf &= ~(1 << 7 | 1 << 6);
4736 	rf |= (reg << 6);
4737 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4738 	if ((rf & 0x3f) > txpow_bound)
4739 		rf = (rf & ~0x3f) | txpow_bound;
4740 	run_rt3070_rf_write(sc, 50, rf);
4741 
4742 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4743 	run_rt3070_rf_read(sc, 1, &rf);
4744 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4745 	if (sc->ntxchains > 1)
4746 		rf |= RT3070_TX1_PD;
4747 	if (sc->nrxchains > 1)
4748 		rf |= RT3070_RX1_PD;
4749 	run_rt3070_rf_write(sc, 1, rf);
4750 
4751 	run_rt3070_rf_write(sc, 6, 0xe4);
4752 
4753 	run_rt3070_rf_write(sc, 30, 0x10);
4754 	run_rt3070_rf_write(sc, 31, 0x80);
4755 	run_rt3070_rf_write(sc, 32, 0x80);
4756 
4757 	run_adjust_freq_offset(sc);
4758 
4759 	/* Enable VCO calibration. */
4760 	run_rt3070_rf_read(sc, 3, &rf);
4761 	rf |= RT5390_VCOCAL;
4762 	run_rt3070_rf_write(sc, 3, rf);
4763 }
4764 
4765 static void
4766 run_set_rx_antenna(struct run_softc *sc, int aux)
4767 {
4768 	uint32_t tmp;
4769 	uint8_t bbp152;
4770 
4771 	if (aux) {
4772 		if (sc->rf_rev == RT5390_RF_5370) {
4773 			run_bbp_read(sc, 152, &bbp152);
4774 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4775 		} else {
4776 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4777 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4778 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4779 		}
4780 	} else {
4781 		if (sc->rf_rev == RT5390_RF_5370) {
4782 			run_bbp_read(sc, 152, &bbp152);
4783 			run_bbp_write(sc, 152, bbp152 | 0x80);
4784 		} else {
4785 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4786 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4787 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4788 		}
4789 	}
4790 }
4791 
4792 static int
4793 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4794 {
4795 	struct ieee80211com *ic = &sc->sc_ic;
4796 	u_int chan, group;
4797 
4798 	chan = ieee80211_chan2ieee(ic, c);
4799 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4800 		return (EINVAL);
4801 
4802 	if (sc->mac_ver == 0x5592)
4803 		run_rt5592_set_chan(sc, chan);
4804 	else if (sc->mac_ver >= 0x5390)
4805 		run_rt5390_set_chan(sc, chan);
4806 	else if (sc->mac_ver == 0x3593)
4807 		run_rt3593_set_chan(sc, chan);
4808 	else if (sc->mac_ver == 0x3572)
4809 		run_rt3572_set_chan(sc, chan);
4810 	else if (sc->mac_ver >= 0x3070)
4811 		run_rt3070_set_chan(sc, chan);
4812 	else
4813 		run_rt2870_set_chan(sc, chan);
4814 
4815 	/* determine channel group */
4816 	if (chan <= 14)
4817 		group = 0;
4818 	else if (chan <= 64)
4819 		group = 1;
4820 	else if (chan <= 128)
4821 		group = 2;
4822 	else
4823 		group = 3;
4824 
4825 	/* XXX necessary only when group has changed! */
4826 	run_select_chan_group(sc, group);
4827 
4828 	run_delay(sc, 10);
4829 
4830 	/* Perform IQ calibration. */
4831 	if (sc->mac_ver >= 0x5392)
4832 		run_iq_calib(sc, chan);
4833 
4834 	return (0);
4835 }
4836 
4837 static void
4838 run_set_channel(struct ieee80211com *ic)
4839 {
4840 	struct run_softc *sc = ic->ic_softc;
4841 
4842 	RUN_LOCK(sc);
4843 	run_set_chan(sc, ic->ic_curchan);
4844 	RUN_UNLOCK(sc);
4845 
4846 	return;
4847 }
4848 
4849 static void
4850 run_getradiocaps(struct ieee80211com *ic,
4851     int maxchans, int *nchans, struct ieee80211_channel chans[])
4852 {
4853 	struct run_softc *sc = ic->ic_softc;
4854 	uint8_t bands[IEEE80211_MODE_BYTES];
4855 
4856 	memset(bands, 0, sizeof(bands));
4857 	setbit(bands, IEEE80211_MODE_11B);
4858 	setbit(bands, IEEE80211_MODE_11G);
4859 	ieee80211_add_channels_default_2ghz(chans, maxchans, nchans, bands, 0);
4860 
4861 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
4862 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
4863 	    sc->rf_rev == RT5592_RF_5592) {
4864 		setbit(bands, IEEE80211_MODE_11A);
4865 		ieee80211_add_channel_list_5ghz(chans, maxchans, nchans,
4866 		    run_chan_5ghz, nitems(run_chan_5ghz), bands, 0);
4867 	}
4868 }
4869 
4870 static void
4871 run_scan_start(struct ieee80211com *ic)
4872 {
4873 	struct run_softc *sc = ic->ic_softc;
4874 
4875 	RUN_LOCK(sc);
4876 
4877 	/* abort TSF synchronization */
4878 	run_disable_tsf(sc);
4879 	run_set_bssid(sc, ieee80211broadcastaddr);
4880 
4881 	RUN_UNLOCK(sc);
4882 
4883 	return;
4884 }
4885 
4886 static void
4887 run_scan_end(struct ieee80211com *ic)
4888 {
4889 	struct run_softc *sc = ic->ic_softc;
4890 
4891 	RUN_LOCK(sc);
4892 
4893 	run_enable_tsf_sync(sc);
4894 	run_set_bssid(sc, sc->sc_bssid);
4895 
4896 	RUN_UNLOCK(sc);
4897 
4898 	return;
4899 }
4900 
4901 /*
4902  * Could be called from ieee80211_node_timeout()
4903  * (non-sleepable thread)
4904  */
4905 static void
4906 run_update_beacon(struct ieee80211vap *vap, int item)
4907 {
4908 	struct ieee80211com *ic = vap->iv_ic;
4909 	struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
4910 	struct ieee80211_node *ni = vap->iv_bss;
4911 	struct run_softc *sc = ic->ic_softc;
4912 	struct run_vap *rvp = RUN_VAP(vap);
4913 	int mcast = 0;
4914 	uint32_t i;
4915 
4916 	switch (item) {
4917 	case IEEE80211_BEACON_ERP:
4918 		run_updateslot(ic);
4919 		break;
4920 	case IEEE80211_BEACON_HTINFO:
4921 		run_updateprot(ic);
4922 		break;
4923 	case IEEE80211_BEACON_TIM:
4924 		mcast = 1;	/*TODO*/
4925 		break;
4926 	default:
4927 		break;
4928 	}
4929 
4930 	setbit(bo->bo_flags, item);
4931 	if (rvp->beacon_mbuf == NULL) {
4932 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4933 		if (rvp->beacon_mbuf == NULL)
4934 			return;
4935 	}
4936 	ieee80211_beacon_update(ni, rvp->beacon_mbuf, mcast);
4937 
4938 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4939 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
4940 	sc->cmdq[i].func = run_update_beacon_cb;
4941 	sc->cmdq[i].arg0 = vap;
4942 	ieee80211_runtask(ic, &sc->cmdq_task);
4943 
4944 	return;
4945 }
4946 
4947 static void
4948 run_update_beacon_cb(void *arg)
4949 {
4950 	struct ieee80211vap *vap = arg;
4951 	struct ieee80211_node *ni = vap->iv_bss;
4952 	struct run_vap *rvp = RUN_VAP(vap);
4953 	struct ieee80211com *ic = vap->iv_ic;
4954 	struct run_softc *sc = ic->ic_softc;
4955 	struct rt2860_txwi txwi;
4956 	struct mbuf *m;
4957 	uint16_t txwisize;
4958 	uint8_t ridx;
4959 
4960 	if (ni->ni_chan == IEEE80211_CHAN_ANYC)
4961 		return;
4962 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4963 		return;
4964 
4965 	/*
4966 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4967 	 * is taking care of appropriate calls.
4968 	 */
4969 	if (rvp->beacon_mbuf == NULL) {
4970 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4971 		if (rvp->beacon_mbuf == NULL)
4972 			return;
4973 	}
4974 	m = rvp->beacon_mbuf;
4975 
4976 	memset(&txwi, 0, sizeof(txwi));
4977 	txwi.wcid = 0xff;
4978 	txwi.len = htole16(m->m_pkthdr.len);
4979 
4980 	/* send beacons at the lowest available rate */
4981 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4982 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4983 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4984 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4985 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4986 	txwi.txop = RT2860_TX_TXOP_HT;
4987 	txwi.flags = RT2860_TX_TS;
4988 	txwi.xflags = RT2860_TX_NSEQ;
4989 
4990 	txwisize = (sc->mac_ver == 0x5592) ?
4991 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4992 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4993 	    txwisize);
4994 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4995 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4996 }
4997 
4998 static void
4999 run_updateprot(struct ieee80211com *ic)
5000 {
5001 	struct run_softc *sc = ic->ic_softc;
5002 	uint32_t i;
5003 
5004 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5005 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
5006 	sc->cmdq[i].func = run_updateprot_cb;
5007 	sc->cmdq[i].arg0 = ic;
5008 	ieee80211_runtask(ic, &sc->cmdq_task);
5009 }
5010 
5011 static void
5012 run_updateprot_cb(void *arg)
5013 {
5014 	struct ieee80211com *ic = arg;
5015 	struct run_softc *sc = ic->ic_softc;
5016 	uint32_t tmp;
5017 
5018 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
5019 	/* setup protection frame rate (MCS code) */
5020 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
5021 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
5022 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
5023 
5024 	/* CCK frames don't require protection */
5025 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
5026 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
5027 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
5028 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
5029 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5030 			tmp |= RT2860_PROT_CTRL_CTS;
5031 	}
5032 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5033 }
5034 
5035 static void
5036 run_usb_timeout_cb(void *arg)
5037 {
5038 	struct ieee80211vap *vap = arg;
5039 	struct run_softc *sc = vap->iv_ic->ic_softc;
5040 
5041 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5042 
5043 	if(vap->iv_state == IEEE80211_S_RUN &&
5044 	    vap->iv_opmode != IEEE80211_M_STA)
5045 		run_reset_livelock(sc);
5046 	else if (vap->iv_state == IEEE80211_S_SCAN) {
5047 		RUN_DPRINTF(sc, RUN_DEBUG_USB | RUN_DEBUG_STATE,
5048 		    "timeout caused by scan\n");
5049 		/* cancel bgscan */
5050 		ieee80211_cancel_scan(vap);
5051 	} else
5052 		RUN_DPRINTF(sc, RUN_DEBUG_USB | RUN_DEBUG_STATE,
5053 		    "timeout by unknown cause\n");
5054 }
5055 
5056 static void
5057 run_reset_livelock(struct run_softc *sc)
5058 {
5059 	uint32_t tmp;
5060 
5061 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5062 
5063 	/*
5064 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5065 	 * can run into a livelock and start sending CTS-to-self frames like
5066 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
5067 	 */
5068 	run_read(sc, RT2860_DEBUG, &tmp);
5069 	RUN_DPRINTF(sc, RUN_DEBUG_RESET, "debug reg %08x\n", tmp);
5070 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5071 		RUN_DPRINTF(sc, RUN_DEBUG_RESET,
5072 		    "CTS-to-self livelock detected\n");
5073 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5074 		run_delay(sc, 1);
5075 		run_write(sc, RT2860_MAC_SYS_CTRL,
5076 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5077 	}
5078 }
5079 
5080 static void
5081 run_update_promisc_locked(struct run_softc *sc)
5082 {
5083         uint32_t tmp;
5084 
5085 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5086 
5087 	tmp |= RT2860_DROP_UC_NOME;
5088         if (sc->sc_ic.ic_promisc > 0)
5089 		tmp &= ~RT2860_DROP_UC_NOME;
5090 
5091 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5092 
5093         RUN_DPRINTF(sc, RUN_DEBUG_RECV, "%s promiscuous mode\n",
5094 	    (sc->sc_ic.ic_promisc > 0) ?  "entering" : "leaving");
5095 }
5096 
5097 static void
5098 run_update_promisc(struct ieee80211com *ic)
5099 {
5100 	struct run_softc *sc = ic->ic_softc;
5101 
5102 	if ((sc->sc_flags & RUN_RUNNING) == 0)
5103 		return;
5104 
5105 	RUN_LOCK(sc);
5106 	run_update_promisc_locked(sc);
5107 	RUN_UNLOCK(sc);
5108 }
5109 
5110 static void
5111 run_enable_tsf_sync(struct run_softc *sc)
5112 {
5113 	struct ieee80211com *ic = &sc->sc_ic;
5114 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5115 	uint32_t tmp;
5116 
5117 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "rvp_id=%d ic_opmode=%d\n",
5118 	    RUN_VAP(vap)->rvp_id, ic->ic_opmode);
5119 
5120 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5121 	tmp &= ~0x1fffff;
5122 	tmp |= vap->iv_bss->ni_intval * 16;
5123 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5124 
5125 	if (ic->ic_opmode == IEEE80211_M_STA) {
5126 		/*
5127 		 * Local TSF is always updated with remote TSF on beacon
5128 		 * reception.
5129 		 */
5130 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5131 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5132 	        tmp |= RT2860_BCN_TX_EN;
5133 	        /*
5134 	         * Local TSF is updated with remote TSF on beacon reception
5135 	         * only if the remote TSF is greater than local TSF.
5136 	         */
5137 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5138 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5139 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5140 	        tmp |= RT2860_BCN_TX_EN;
5141 	        /* SYNC with nobody */
5142 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5143 	} else {
5144 		RUN_DPRINTF(sc, RUN_DEBUG_BEACON,
5145 		    "Enabling TSF failed. undefined opmode\n");
5146 		return;
5147 	}
5148 
5149 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5150 }
5151 
5152 static void
5153 run_enable_tsf(struct run_softc *sc)
5154 {
5155 	uint32_t tmp;
5156 
5157 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5158 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TBTT_TIMER_EN);
5159 		tmp |= RT2860_TSF_TIMER_EN;
5160 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5161 	}
5162 }
5163 
5164 static void
5165 run_disable_tsf(struct run_softc *sc)
5166 {
5167 	uint32_t tmp;
5168 
5169 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5170 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
5171 		    RT2860_TBTT_TIMER_EN);
5172 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5173 	}
5174 }
5175 
5176 static void
5177 run_get_tsf(struct run_softc *sc, uint64_t *buf)
5178 {
5179 	run_read_region_1(sc, RT2860_TSF_TIMER_DW0, (uint8_t *)buf,
5180 	    sizeof(*buf));
5181 }
5182 
5183 static void
5184 run_enable_mrr(struct run_softc *sc)
5185 {
5186 #define	CCK(mcs)	(mcs)
5187 #define	OFDM(mcs)	(1 << 3 | (mcs))
5188 	run_write(sc, RT2860_LG_FBK_CFG0,
5189 	    OFDM(6) << 28 |	/* 54->48 */
5190 	    OFDM(5) << 24 |	/* 48->36 */
5191 	    OFDM(4) << 20 |	/* 36->24 */
5192 	    OFDM(3) << 16 |	/* 24->18 */
5193 	    OFDM(2) << 12 |	/* 18->12 */
5194 	    OFDM(1) <<  8 |	/* 12-> 9 */
5195 	    OFDM(0) <<  4 |	/*  9-> 6 */
5196 	    OFDM(0));		/*  6-> 6 */
5197 
5198 	run_write(sc, RT2860_LG_FBK_CFG1,
5199 	    CCK(2) << 12 |	/* 11->5.5 */
5200 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5201 	    CCK(0) <<  4 |	/*   2-> 1 */
5202 	    CCK(0));		/*   1-> 1 */
5203 #undef OFDM
5204 #undef CCK
5205 }
5206 
5207 static void
5208 run_set_txpreamble(struct run_softc *sc)
5209 {
5210 	struct ieee80211com *ic = &sc->sc_ic;
5211 	uint32_t tmp;
5212 
5213 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5214 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5215 		tmp |= RT2860_CCK_SHORT_EN;
5216 	else
5217 		tmp &= ~RT2860_CCK_SHORT_EN;
5218 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5219 }
5220 
5221 static void
5222 run_set_basicrates(struct run_softc *sc)
5223 {
5224 	struct ieee80211com *ic = &sc->sc_ic;
5225 
5226 	/* set basic rates mask */
5227 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5228 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5229 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5230 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5231 	else	/* 11g */
5232 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5233 }
5234 
5235 static void
5236 run_set_leds(struct run_softc *sc, uint16_t which)
5237 {
5238 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5239 	    which | (sc->leds & 0x7f));
5240 }
5241 
5242 static void
5243 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5244 {
5245 	run_write(sc, RT2860_MAC_BSSID_DW0,
5246 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5247 	run_write(sc, RT2860_MAC_BSSID_DW1,
5248 	    bssid[4] | bssid[5] << 8);
5249 }
5250 
5251 static void
5252 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5253 {
5254 	run_write(sc, RT2860_MAC_ADDR_DW0,
5255 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5256 	run_write(sc, RT2860_MAC_ADDR_DW1,
5257 	    addr[4] | addr[5] << 8 | 0xff << 16);
5258 }
5259 
5260 static void
5261 run_updateslot(struct ieee80211com *ic)
5262 {
5263 	struct run_softc *sc = ic->ic_softc;
5264 	uint32_t i;
5265 
5266 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5267 	RUN_DPRINTF(sc, RUN_DEBUG_BEACON, "cmdq_store=%d\n", i);
5268 	sc->cmdq[i].func = run_updateslot_cb;
5269 	sc->cmdq[i].arg0 = ic;
5270 	ieee80211_runtask(ic, &sc->cmdq_task);
5271 
5272 	return;
5273 }
5274 
5275 /* ARGSUSED */
5276 static void
5277 run_updateslot_cb(void *arg)
5278 {
5279 	struct ieee80211com *ic = arg;
5280 	struct run_softc *sc = ic->ic_softc;
5281 	uint32_t tmp;
5282 
5283 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5284 	tmp &= ~0xff;
5285 	tmp |= IEEE80211_GET_SLOTTIME(ic);
5286 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5287 }
5288 
5289 static void
5290 run_update_mcast(struct ieee80211com *ic)
5291 {
5292 }
5293 
5294 static int8_t
5295 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5296 {
5297 	struct ieee80211com *ic = &sc->sc_ic;
5298 	struct ieee80211_channel *c = ic->ic_curchan;
5299 	int delta;
5300 
5301 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5302 		u_int chan = ieee80211_chan2ieee(ic, c);
5303 		delta = sc->rssi_5ghz[rxchain];
5304 
5305 		/* determine channel group */
5306 		if (chan <= 64)
5307 			delta -= sc->lna[1];
5308 		else if (chan <= 128)
5309 			delta -= sc->lna[2];
5310 		else
5311 			delta -= sc->lna[3];
5312 	} else
5313 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5314 
5315 	return (-12 - delta - rssi);
5316 }
5317 
5318 static void
5319 run_rt5390_bbp_init(struct run_softc *sc)
5320 {
5321 	u_int i;
5322 	uint8_t bbp;
5323 
5324 	/* Apply maximum likelihood detection for 2 stream case. */
5325 	run_bbp_read(sc, 105, &bbp);
5326 	if (sc->nrxchains > 1)
5327 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5328 
5329 	/* Avoid data lost and CRC error. */
5330 	run_bbp_read(sc, 4, &bbp);
5331 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5332 
5333 	if (sc->mac_ver == 0x5592) {
5334 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5335 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5336 			    rt5592_def_bbp[i].val);
5337 		}
5338 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5339 			run_bbp_write(sc, 195, i + 0x80);
5340 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5341 		}
5342 	} else {
5343 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5344 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5345 			    rt5390_def_bbp[i].val);
5346 		}
5347 	}
5348 	if (sc->mac_ver == 0x5392) {
5349 		run_bbp_write(sc, 88, 0x90);
5350 		run_bbp_write(sc, 95, 0x9a);
5351 		run_bbp_write(sc, 98, 0x12);
5352 		run_bbp_write(sc, 106, 0x12);
5353 		run_bbp_write(sc, 134, 0xd0);
5354 		run_bbp_write(sc, 135, 0xf6);
5355 		run_bbp_write(sc, 148, 0x84);
5356 	}
5357 
5358 	run_bbp_read(sc, 152, &bbp);
5359 	run_bbp_write(sc, 152, bbp | 0x80);
5360 
5361 	/* Fix BBP254 for RT5592C. */
5362 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5363 		run_bbp_read(sc, 254, &bbp);
5364 		run_bbp_write(sc, 254, bbp | 0x80);
5365 	}
5366 
5367 	/* Disable hardware antenna diversity. */
5368 	if (sc->mac_ver == 0x5390)
5369 		run_bbp_write(sc, 154, 0);
5370 
5371 	/* Initialize Rx CCK/OFDM frequency offset report. */
5372 	run_bbp_write(sc, 142, 1);
5373 	run_bbp_write(sc, 143, 57);
5374 }
5375 
5376 static int
5377 run_bbp_init(struct run_softc *sc)
5378 {
5379 	int i, error, ntries;
5380 	uint8_t bbp0;
5381 
5382 	/* wait for BBP to wake up */
5383 	for (ntries = 0; ntries < 20; ntries++) {
5384 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5385 			return error;
5386 		if (bbp0 != 0 && bbp0 != 0xff)
5387 			break;
5388 	}
5389 	if (ntries == 20)
5390 		return (ETIMEDOUT);
5391 
5392 	/* initialize BBP registers to default values */
5393 	if (sc->mac_ver >= 0x5390)
5394 		run_rt5390_bbp_init(sc);
5395 	else {
5396 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5397 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5398 			    rt2860_def_bbp[i].val);
5399 		}
5400 	}
5401 
5402 	if (sc->mac_ver == 0x3593) {
5403 		run_bbp_write(sc, 79, 0x13);
5404 		run_bbp_write(sc, 80, 0x05);
5405 		run_bbp_write(sc, 81, 0x33);
5406 		run_bbp_write(sc, 86, 0x46);
5407 		run_bbp_write(sc, 137, 0x0f);
5408 	}
5409 
5410 	/* fix BBP84 for RT2860E */
5411 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5412 		run_bbp_write(sc, 84, 0x19);
5413 
5414 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5415 	    sc->mac_ver != 0x5592)) {
5416 		run_bbp_write(sc, 79, 0x13);
5417 		run_bbp_write(sc, 80, 0x05);
5418 		run_bbp_write(sc, 81, 0x33);
5419 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5420 		run_bbp_write(sc, 69, 0x16);
5421 		run_bbp_write(sc, 73, 0x12);
5422 	}
5423 	return (0);
5424 }
5425 
5426 static int
5427 run_rt3070_rf_init(struct run_softc *sc)
5428 {
5429 	uint32_t tmp;
5430 	uint8_t bbp4, mingain, rf, target;
5431 	u_int i;
5432 
5433 	run_rt3070_rf_read(sc, 30, &rf);
5434 	/* toggle RF R30 bit 7 */
5435 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5436 	run_delay(sc, 10);
5437 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5438 
5439 	/* initialize RF registers to default value */
5440 	if (sc->mac_ver == 0x3572) {
5441 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5442 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5443 			    rt3572_def_rf[i].val);
5444 		}
5445 	} else {
5446 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5447 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5448 			    rt3070_def_rf[i].val);
5449 		}
5450 	}
5451 
5452 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5453 		/*
5454 		 * Change voltage from 1.2V to 1.35V for RT3070.
5455 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5456 		 * in RT3070(F).
5457 		 */
5458 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5459 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5460 		run_write(sc, RT3070_LDO_CFG0, tmp);
5461 
5462 	} else if (sc->mac_ver == 0x3071) {
5463 		run_rt3070_rf_read(sc, 6, &rf);
5464 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5465 		run_rt3070_rf_write(sc, 31, 0x14);
5466 
5467 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5468 		tmp &= ~0x1f000000;
5469 		if (sc->mac_rev < 0x0211)
5470 			tmp |= 0x0d000000;	/* 1.3V */
5471 		else
5472 			tmp |= 0x01000000;	/* 1.2V */
5473 		run_write(sc, RT3070_LDO_CFG0, tmp);
5474 
5475 		/* patch LNA_PE_G1 */
5476 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5477 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5478 
5479 	} else if (sc->mac_ver == 0x3572) {
5480 		run_rt3070_rf_read(sc, 6, &rf);
5481 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5482 
5483 		/* increase voltage from 1.2V to 1.35V */
5484 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5485 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5486 		run_write(sc, RT3070_LDO_CFG0, tmp);
5487 
5488 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5489 			run_delay(sc, 1);	/* wait for 1msec */
5490 			/* decrease voltage back to 1.2V */
5491 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5492 			run_write(sc, RT3070_LDO_CFG0, tmp);
5493 		}
5494 	}
5495 
5496 	/* select 20MHz bandwidth */
5497 	run_rt3070_rf_read(sc, 31, &rf);
5498 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5499 
5500 	/* calibrate filter for 20MHz bandwidth */
5501 	sc->rf24_20mhz = 0x1f;	/* default value */
5502 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5503 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5504 
5505 	/* select 40MHz bandwidth */
5506 	run_bbp_read(sc, 4, &bbp4);
5507 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5508 	run_rt3070_rf_read(sc, 31, &rf);
5509 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5510 
5511 	/* calibrate filter for 40MHz bandwidth */
5512 	sc->rf24_40mhz = 0x2f;	/* default value */
5513 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5514 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5515 
5516 	/* go back to 20MHz bandwidth */
5517 	run_bbp_read(sc, 4, &bbp4);
5518 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5519 
5520 	if (sc->mac_ver == 0x3572) {
5521 		/* save default BBP registers 25 and 26 values */
5522 		run_bbp_read(sc, 25, &sc->bbp25);
5523 		run_bbp_read(sc, 26, &sc->bbp26);
5524 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5525 		run_rt3070_rf_write(sc, 27, 0x03);
5526 
5527 	run_read(sc, RT3070_OPT_14, &tmp);
5528 	run_write(sc, RT3070_OPT_14, tmp | 1);
5529 
5530 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5531 		run_rt3070_rf_read(sc, 17, &rf);
5532 		rf &= ~RT3070_TX_LO1;
5533 		if ((sc->mac_ver == 0x3070 ||
5534 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5535 		    !sc->ext_2ghz_lna)
5536 			rf |= 0x20;	/* fix for long range Rx issue */
5537 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5538 		if (sc->txmixgain_2ghz >= mingain)
5539 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5540 		run_rt3070_rf_write(sc, 17, rf);
5541 	}
5542 
5543 	if (sc->mac_ver == 0x3071) {
5544 		run_rt3070_rf_read(sc, 1, &rf);
5545 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5546 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5547 		run_rt3070_rf_write(sc, 1, rf);
5548 
5549 		run_rt3070_rf_read(sc, 15, &rf);
5550 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5551 
5552 		run_rt3070_rf_read(sc, 20, &rf);
5553 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5554 
5555 		run_rt3070_rf_read(sc, 21, &rf);
5556 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5557 	}
5558 
5559 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5560 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5561 		run_rt3070_rf_read(sc, 27, &rf);
5562 		rf &= ~0x77;
5563 		if (sc->mac_rev < 0x0211)
5564 			rf |= 0x03;
5565 		run_rt3070_rf_write(sc, 27, rf);
5566 	}
5567 	return (0);
5568 }
5569 
5570 static void
5571 run_rt3593_rf_init(struct run_softc *sc)
5572 {
5573 	uint32_t tmp;
5574 	uint8_t rf;
5575 	u_int i;
5576 
5577 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5578 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5579 	tmp &= ~(1 << 4 | 1 << 7);
5580 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5581 
5582 	/* Initialize RF registers to default value. */
5583 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5584 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5585 		    rt3593_def_rf[i].val);
5586 	}
5587 
5588 	/* Toggle RF R2 to initiate calibration. */
5589 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5590 
5591 	/* Initialize RF frequency offset. */
5592 	run_adjust_freq_offset(sc);
5593 
5594 	run_rt3070_rf_read(sc, 18, &rf);
5595 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5596 
5597 	/*
5598 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5599 	 * decrease voltage back to 1.2V.
5600 	 */
5601 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5602 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5603 	run_write(sc, RT3070_LDO_CFG0, tmp);
5604 	run_delay(sc, 1);
5605 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5606 	run_write(sc, RT3070_LDO_CFG0, tmp);
5607 
5608 	sc->rf24_20mhz = 0x1f;
5609 	sc->rf24_40mhz = 0x2f;
5610 
5611 	/* Save default BBP registers 25 and 26 values. */
5612 	run_bbp_read(sc, 25, &sc->bbp25);
5613 	run_bbp_read(sc, 26, &sc->bbp26);
5614 
5615 	run_read(sc, RT3070_OPT_14, &tmp);
5616 	run_write(sc, RT3070_OPT_14, tmp | 1);
5617 }
5618 
5619 static void
5620 run_rt5390_rf_init(struct run_softc *sc)
5621 {
5622 	uint32_t tmp;
5623 	uint8_t rf;
5624 	u_int i;
5625 
5626 	/* Toggle RF R2 to initiate calibration. */
5627 	if (sc->mac_ver == 0x5390) {
5628 		run_rt3070_rf_read(sc, 2, &rf);
5629 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5630 		run_delay(sc, 10);
5631 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5632 	} else {
5633 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5634 		run_delay(sc, 10);
5635 	}
5636 
5637 	/* Initialize RF registers to default value. */
5638 	if (sc->mac_ver == 0x5592) {
5639 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5640 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5641 			    rt5592_def_rf[i].val);
5642 		}
5643 		/* Initialize RF frequency offset. */
5644 		run_adjust_freq_offset(sc);
5645 	} else if (sc->mac_ver == 0x5392) {
5646 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5647 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5648 			    rt5392_def_rf[i].val);
5649 		}
5650 		if (sc->mac_rev >= 0x0223) {
5651 			run_rt3070_rf_write(sc, 23, 0x0f);
5652 			run_rt3070_rf_write(sc, 24, 0x3e);
5653 			run_rt3070_rf_write(sc, 51, 0x32);
5654 			run_rt3070_rf_write(sc, 53, 0x22);
5655 			run_rt3070_rf_write(sc, 56, 0xc1);
5656 			run_rt3070_rf_write(sc, 59, 0x0f);
5657 		}
5658 	} else {
5659 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5660 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5661 			    rt5390_def_rf[i].val);
5662 		}
5663 		if (sc->mac_rev >= 0x0502) {
5664 			run_rt3070_rf_write(sc, 6, 0xe0);
5665 			run_rt3070_rf_write(sc, 25, 0x80);
5666 			run_rt3070_rf_write(sc, 46, 0x73);
5667 			run_rt3070_rf_write(sc, 53, 0x00);
5668 			run_rt3070_rf_write(sc, 56, 0x42);
5669 			run_rt3070_rf_write(sc, 61, 0xd1);
5670 		}
5671 	}
5672 
5673 	sc->rf24_20mhz = 0x1f;	/* default value */
5674 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5675 
5676 	if (sc->mac_rev < 0x0211)
5677 		run_rt3070_rf_write(sc, 27, 0x3);
5678 
5679 	run_read(sc, RT3070_OPT_14, &tmp);
5680 	run_write(sc, RT3070_OPT_14, tmp | 1);
5681 }
5682 
5683 static int
5684 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5685     uint8_t *val)
5686 {
5687 	uint8_t rf22, rf24;
5688 	uint8_t bbp55_pb, bbp55_sb, delta;
5689 	int ntries;
5690 
5691 	/* program filter */
5692 	run_rt3070_rf_read(sc, 24, &rf24);
5693 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5694 	run_rt3070_rf_write(sc, 24, rf24);
5695 
5696 	/* enable baseband loopback mode */
5697 	run_rt3070_rf_read(sc, 22, &rf22);
5698 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5699 
5700 	/* set power and frequency of passband test tone */
5701 	run_bbp_write(sc, 24, 0x00);
5702 	for (ntries = 0; ntries < 100; ntries++) {
5703 		/* transmit test tone */
5704 		run_bbp_write(sc, 25, 0x90);
5705 		run_delay(sc, 10);
5706 		/* read received power */
5707 		run_bbp_read(sc, 55, &bbp55_pb);
5708 		if (bbp55_pb != 0)
5709 			break;
5710 	}
5711 	if (ntries == 100)
5712 		return (ETIMEDOUT);
5713 
5714 	/* set power and frequency of stopband test tone */
5715 	run_bbp_write(sc, 24, 0x06);
5716 	for (ntries = 0; ntries < 100; ntries++) {
5717 		/* transmit test tone */
5718 		run_bbp_write(sc, 25, 0x90);
5719 		run_delay(sc, 10);
5720 		/* read received power */
5721 		run_bbp_read(sc, 55, &bbp55_sb);
5722 
5723 		delta = bbp55_pb - bbp55_sb;
5724 		if (delta > target)
5725 			break;
5726 
5727 		/* reprogram filter */
5728 		rf24++;
5729 		run_rt3070_rf_write(sc, 24, rf24);
5730 	}
5731 	if (ntries < 100) {
5732 		if (rf24 != init)
5733 			rf24--;	/* backtrack */
5734 		*val = rf24;
5735 		run_rt3070_rf_write(sc, 24, rf24);
5736 	}
5737 
5738 	/* restore initial state */
5739 	run_bbp_write(sc, 24, 0x00);
5740 
5741 	/* disable baseband loopback mode */
5742 	run_rt3070_rf_read(sc, 22, &rf22);
5743 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5744 
5745 	return (0);
5746 }
5747 
5748 static void
5749 run_rt3070_rf_setup(struct run_softc *sc)
5750 {
5751 	uint8_t bbp, rf;
5752 	int i;
5753 
5754 	if (sc->mac_ver == 0x3572) {
5755 		/* enable DC filter */
5756 		if (sc->mac_rev >= 0x0201)
5757 			run_bbp_write(sc, 103, 0xc0);
5758 
5759 		run_bbp_read(sc, 138, &bbp);
5760 		if (sc->ntxchains == 1)
5761 			bbp |= 0x20;	/* turn off DAC1 */
5762 		if (sc->nrxchains == 1)
5763 			bbp &= ~0x02;	/* turn off ADC1 */
5764 		run_bbp_write(sc, 138, bbp);
5765 
5766 		if (sc->mac_rev >= 0x0211) {
5767 			/* improve power consumption */
5768 			run_bbp_read(sc, 31, &bbp);
5769 			run_bbp_write(sc, 31, bbp & ~0x03);
5770 		}
5771 
5772 		run_rt3070_rf_read(sc, 16, &rf);
5773 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5774 		run_rt3070_rf_write(sc, 16, rf);
5775 
5776 	} else if (sc->mac_ver == 0x3071) {
5777 		if (sc->mac_rev >= 0x0211) {
5778 			/* enable DC filter */
5779 			run_bbp_write(sc, 103, 0xc0);
5780 
5781 			/* improve power consumption */
5782 			run_bbp_read(sc, 31, &bbp);
5783 			run_bbp_write(sc, 31, bbp & ~0x03);
5784 		}
5785 
5786 		run_bbp_read(sc, 138, &bbp);
5787 		if (sc->ntxchains == 1)
5788 			bbp |= 0x20;	/* turn off DAC1 */
5789 		if (sc->nrxchains == 1)
5790 			bbp &= ~0x02;	/* turn off ADC1 */
5791 		run_bbp_write(sc, 138, bbp);
5792 
5793 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5794 		if (sc->mac_rev < 0x0211) {
5795 			run_write(sc, RT2860_TX_SW_CFG2,
5796 			    sc->patch_dac ? 0x2c : 0x0f);
5797 		} else
5798 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5799 
5800 	} else if (sc->mac_ver == 0x3070) {
5801 		if (sc->mac_rev >= 0x0201) {
5802 			/* enable DC filter */
5803 			run_bbp_write(sc, 103, 0xc0);
5804 
5805 			/* improve power consumption */
5806 			run_bbp_read(sc, 31, &bbp);
5807 			run_bbp_write(sc, 31, bbp & ~0x03);
5808 		}
5809 
5810 		if (sc->mac_rev < 0x0201) {
5811 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5812 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5813 		} else
5814 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5815 	}
5816 
5817 	/* initialize RF registers from ROM for >=RT3071*/
5818 	if (sc->mac_ver >= 0x3071) {
5819 		for (i = 0; i < 10; i++) {
5820 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5821 				continue;
5822 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5823 		}
5824 	}
5825 }
5826 
5827 static void
5828 run_rt3593_rf_setup(struct run_softc *sc)
5829 {
5830 	uint8_t bbp, rf;
5831 
5832 	if (sc->mac_rev >= 0x0211) {
5833 		/* Enable DC filter. */
5834 		run_bbp_write(sc, 103, 0xc0);
5835 	}
5836 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5837 	if (sc->mac_rev < 0x0211) {
5838 		run_write(sc, RT2860_TX_SW_CFG2,
5839 		    sc->patch_dac ? 0x2c : 0x0f);
5840 	} else
5841 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5842 
5843 	run_rt3070_rf_read(sc, 50, &rf);
5844 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5845 
5846 	run_rt3070_rf_read(sc, 51, &rf);
5847 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5848 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5849 	run_rt3070_rf_write(sc, 51, rf);
5850 
5851 	run_rt3070_rf_read(sc, 38, &rf);
5852 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5853 
5854 	run_rt3070_rf_read(sc, 39, &rf);
5855 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5856 
5857 	run_rt3070_rf_read(sc, 1, &rf);
5858 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5859 
5860 	run_rt3070_rf_read(sc, 30, &rf);
5861 	rf = (rf & ~0x18) | 0x10;
5862 	run_rt3070_rf_write(sc, 30, rf);
5863 
5864 	/* Apply maximum likelihood detection for 2 stream case. */
5865 	run_bbp_read(sc, 105, &bbp);
5866 	if (sc->nrxchains > 1)
5867 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5868 
5869 	/* Avoid data lost and CRC error. */
5870 	run_bbp_read(sc, 4, &bbp);
5871 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5872 
5873 	run_bbp_write(sc, 92, 0x02);
5874 	run_bbp_write(sc, 82, 0x82);
5875 	run_bbp_write(sc, 106, 0x05);
5876 	run_bbp_write(sc, 104, 0x92);
5877 	run_bbp_write(sc, 88, 0x90);
5878 	run_bbp_write(sc, 148, 0xc8);
5879 	run_bbp_write(sc, 47, 0x48);
5880 	run_bbp_write(sc, 120, 0x50);
5881 
5882 	run_bbp_write(sc, 163, 0x9d);
5883 
5884 	/* SNR mapping. */
5885 	run_bbp_write(sc, 142, 0x06);
5886 	run_bbp_write(sc, 143, 0xa0);
5887 	run_bbp_write(sc, 142, 0x07);
5888 	run_bbp_write(sc, 143, 0xa1);
5889 	run_bbp_write(sc, 142, 0x08);
5890 	run_bbp_write(sc, 143, 0xa2);
5891 
5892 	run_bbp_write(sc, 31, 0x08);
5893 	run_bbp_write(sc, 68, 0x0b);
5894 	run_bbp_write(sc, 105, 0x04);
5895 }
5896 
5897 static void
5898 run_rt5390_rf_setup(struct run_softc *sc)
5899 {
5900 	uint8_t bbp, rf;
5901 
5902 	if (sc->mac_rev >= 0x0211) {
5903 		/* Enable DC filter. */
5904 		run_bbp_write(sc, 103, 0xc0);
5905 
5906 		if (sc->mac_ver != 0x5592) {
5907 			/* Improve power consumption. */
5908 			run_bbp_read(sc, 31, &bbp);
5909 			run_bbp_write(sc, 31, bbp & ~0x03);
5910 		}
5911 	}
5912 
5913 	run_bbp_read(sc, 138, &bbp);
5914 	if (sc->ntxchains == 1)
5915 		bbp |= 0x20;	/* turn off DAC1 */
5916 	if (sc->nrxchains == 1)
5917 		bbp &= ~0x02;	/* turn off ADC1 */
5918 	run_bbp_write(sc, 138, bbp);
5919 
5920 	run_rt3070_rf_read(sc, 38, &rf);
5921 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5922 
5923 	run_rt3070_rf_read(sc, 39, &rf);
5924 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5925 
5926 	/* Avoid data lost and CRC error. */
5927 	run_bbp_read(sc, 4, &bbp);
5928 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5929 
5930 	run_rt3070_rf_read(sc, 30, &rf);
5931 	rf = (rf & ~0x18) | 0x10;
5932 	run_rt3070_rf_write(sc, 30, rf);
5933 
5934 	if (sc->mac_ver != 0x5592) {
5935 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5936 		if (sc->mac_rev < 0x0211) {
5937 			run_write(sc, RT2860_TX_SW_CFG2,
5938 			    sc->patch_dac ? 0x2c : 0x0f);
5939 		} else
5940 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5941 	}
5942 }
5943 
5944 static int
5945 run_txrx_enable(struct run_softc *sc)
5946 {
5947 	struct ieee80211com *ic = &sc->sc_ic;
5948 	uint32_t tmp;
5949 	int error, ntries;
5950 
5951 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5952 	for (ntries = 0; ntries < 200; ntries++) {
5953 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5954 			return (error);
5955 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5956 			break;
5957 		run_delay(sc, 50);
5958 	}
5959 	if (ntries == 200)
5960 		return (ETIMEDOUT);
5961 
5962 	run_delay(sc, 50);
5963 
5964 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5965 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5966 
5967 	/* enable Rx bulk aggregation (set timeout and limit) */
5968 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5969 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5970 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5971 
5972 	/* set Rx filter */
5973 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5974 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5975 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5976 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5977 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5978 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5979 		if (ic->ic_opmode == IEEE80211_M_STA)
5980 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5981 	}
5982 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5983 
5984 	run_write(sc, RT2860_MAC_SYS_CTRL,
5985 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5986 
5987 	return (0);
5988 }
5989 
5990 static void
5991 run_adjust_freq_offset(struct run_softc *sc)
5992 {
5993 	uint8_t rf, tmp;
5994 
5995 	run_rt3070_rf_read(sc, 17, &rf);
5996 	tmp = rf;
5997 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5998 	rf = MIN(rf, 0x5f);
5999 
6000 	if (tmp != rf)
6001 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
6002 }
6003 
6004 static void
6005 run_init_locked(struct run_softc *sc)
6006 {
6007 	struct ieee80211com *ic = &sc->sc_ic;
6008 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
6009 	uint32_t tmp;
6010 	uint8_t bbp1, bbp3;
6011 	int i;
6012 	int ridx;
6013 	int ntries;
6014 
6015 	if (ic->ic_nrunning > 1)
6016 		return;
6017 
6018 	run_stop(sc);
6019 
6020 	if (run_load_microcode(sc) != 0) {
6021 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
6022 		goto fail;
6023 	}
6024 
6025 	for (ntries = 0; ntries < 100; ntries++) {
6026 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
6027 			goto fail;
6028 		if (tmp != 0 && tmp != 0xffffffff)
6029 			break;
6030 		run_delay(sc, 10);
6031 	}
6032 	if (ntries == 100)
6033 		goto fail;
6034 
6035 	for (i = 0; i != RUN_EP_QUEUES; i++)
6036 		run_setup_tx_list(sc, &sc->sc_epq[i]);
6037 
6038 	run_set_macaddr(sc, vap ? vap->iv_myaddr : ic->ic_macaddr);
6039 
6040 	for (ntries = 0; ntries < 100; ntries++) {
6041 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6042 			goto fail;
6043 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6044 			break;
6045 		run_delay(sc, 10);
6046 	}
6047 	if (ntries == 100) {
6048 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6049 		goto fail;
6050 	}
6051 	tmp &= 0xff0;
6052 	tmp |= RT2860_TX_WB_DDONE;
6053 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6054 
6055 	/* turn off PME_OEN to solve high-current issue */
6056 	run_read(sc, RT2860_SYS_CTRL, &tmp);
6057 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
6058 
6059 	run_write(sc, RT2860_MAC_SYS_CTRL,
6060 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
6061 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6062 
6063 	if (run_reset(sc) != 0) {
6064 		device_printf(sc->sc_dev, "could not reset chipset\n");
6065 		goto fail;
6066 	}
6067 
6068 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6069 
6070 	/* init Tx power for all Tx rates (from EEPROM) */
6071 	for (ridx = 0; ridx < 5; ridx++) {
6072 		if (sc->txpow20mhz[ridx] == 0xffffffff)
6073 			continue;
6074 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6075 	}
6076 
6077 	for (i = 0; i < nitems(rt2870_def_mac); i++)
6078 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6079 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6080 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6081 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6082 
6083 	if (sc->mac_ver >= 0x5390) {
6084 		run_write(sc, RT2860_TX_SW_CFG0,
6085 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6086 		if (sc->mac_ver >= 0x5392) {
6087 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6088 			if (sc->mac_ver == 0x5592) {
6089 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6090 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6091 			} else {
6092 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6093 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6094 			}
6095 		}
6096 	} else if (sc->mac_ver == 0x3593) {
6097 		run_write(sc, RT2860_TX_SW_CFG0,
6098 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6099 	} else if (sc->mac_ver >= 0x3070) {
6100 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6101 		run_write(sc, RT2860_TX_SW_CFG0,
6102 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6103 	}
6104 
6105 	/* wait while MAC is busy */
6106 	for (ntries = 0; ntries < 100; ntries++) {
6107 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6108 			goto fail;
6109 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6110 			break;
6111 		run_delay(sc, 10);
6112 	}
6113 	if (ntries == 100)
6114 		goto fail;
6115 
6116 	/* clear Host to MCU mailbox */
6117 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6118 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6119 	run_delay(sc, 10);
6120 
6121 	if (run_bbp_init(sc) != 0) {
6122 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6123 		goto fail;
6124 	}
6125 
6126 	/* abort TSF synchronization */
6127 	run_disable_tsf(sc);
6128 
6129 	/* clear RX WCID search table */
6130 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6131 	/* clear WCID attribute table */
6132 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6133 
6134 	/* hostapd sets a key before init. So, don't clear it. */
6135 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6136 		/* clear shared key table */
6137 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6138 		/* clear shared key mode */
6139 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6140 	}
6141 
6142 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6143 	tmp = (tmp & ~0xff) | 0x1e;
6144 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6145 
6146 	if (sc->mac_rev != 0x0101)
6147 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6148 
6149 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6150 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6151 
6152 	/* write vendor-specific BBP values (from EEPROM) */
6153 	if (sc->mac_ver < 0x3593) {
6154 		for (i = 0; i < 10; i++) {
6155 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6156 				continue;
6157 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6158 		}
6159 	}
6160 
6161 	/* select Main antenna for 1T1R devices */
6162 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6163 		run_set_rx_antenna(sc, 0);
6164 
6165 	/* send LEDs operating mode to microcontroller */
6166 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6167 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6168 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6169 
6170 	if (sc->mac_ver >= 0x5390)
6171 		run_rt5390_rf_init(sc);
6172 	else if (sc->mac_ver == 0x3593)
6173 		run_rt3593_rf_init(sc);
6174 	else if (sc->mac_ver >= 0x3070)
6175 		run_rt3070_rf_init(sc);
6176 
6177 	/* disable non-existing Rx chains */
6178 	run_bbp_read(sc, 3, &bbp3);
6179 	bbp3 &= ~(1 << 3 | 1 << 4);
6180 	if (sc->nrxchains == 2)
6181 		bbp3 |= 1 << 3;
6182 	else if (sc->nrxchains == 3)
6183 		bbp3 |= 1 << 4;
6184 	run_bbp_write(sc, 3, bbp3);
6185 
6186 	/* disable non-existing Tx chains */
6187 	run_bbp_read(sc, 1, &bbp1);
6188 	if (sc->ntxchains == 1)
6189 		bbp1 &= ~(1 << 3 | 1 << 4);
6190 	run_bbp_write(sc, 1, bbp1);
6191 
6192 	if (sc->mac_ver >= 0x5390)
6193 		run_rt5390_rf_setup(sc);
6194 	else if (sc->mac_ver == 0x3593)
6195 		run_rt3593_rf_setup(sc);
6196 	else if (sc->mac_ver >= 0x3070)
6197 		run_rt3070_rf_setup(sc);
6198 
6199 	/* select default channel */
6200 	run_set_chan(sc, ic->ic_curchan);
6201 
6202 	/* setup initial protection mode */
6203 	run_updateprot_cb(ic);
6204 
6205 	/* turn radio LED on */
6206 	run_set_leds(sc, RT2860_LED_RADIO);
6207 
6208 	sc->sc_flags |= RUN_RUNNING;
6209 	sc->cmdq_run = RUN_CMDQ_GO;
6210 
6211 	for (i = 0; i != RUN_N_XFER; i++)
6212 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6213 
6214 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6215 
6216 	if (run_txrx_enable(sc) != 0)
6217 		goto fail;
6218 
6219 	return;
6220 
6221 fail:
6222 	run_stop(sc);
6223 }
6224 
6225 static void
6226 run_stop(void *arg)
6227 {
6228 	struct run_softc *sc = (struct run_softc *)arg;
6229 	uint32_t tmp;
6230 	int i;
6231 	int ntries;
6232 
6233 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6234 
6235 	if (sc->sc_flags & RUN_RUNNING)
6236 		run_set_leds(sc, 0);	/* turn all LEDs off */
6237 
6238 	sc->sc_flags &= ~RUN_RUNNING;
6239 
6240 	sc->ratectl_run = RUN_RATECTL_OFF;
6241 	sc->cmdq_run = sc->cmdq_key_set;
6242 
6243 	RUN_UNLOCK(sc);
6244 
6245 	for(i = 0; i < RUN_N_XFER; i++)
6246 		usbd_transfer_drain(sc->sc_xfer[i]);
6247 
6248 	RUN_LOCK(sc);
6249 
6250 	run_drain_mbufq(sc);
6251 
6252 	if (sc->rx_m != NULL) {
6253 		m_free(sc->rx_m);
6254 		sc->rx_m = NULL;
6255 	}
6256 
6257 	/* Disable Tx/Rx DMA. */
6258 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6259 		return;
6260 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6261 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6262 
6263 	for (ntries = 0; ntries < 100; ntries++) {
6264 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6265 			return;
6266 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6267 				break;
6268 		run_delay(sc, 10);
6269 	}
6270 	if (ntries == 100) {
6271 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6272 		return;
6273 	}
6274 
6275 	/* disable Tx/Rx */
6276 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6277 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6278 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6279 
6280 	/* wait for pending Tx to complete */
6281 	for (ntries = 0; ntries < 100; ntries++) {
6282 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6283 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6284 			    "Cannot read Tx queue count\n");
6285 			break;
6286 		}
6287 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6288 			RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6289 			    "All Tx cleared\n");
6290 			break;
6291 		}
6292 		run_delay(sc, 10);
6293 	}
6294 	if (ntries >= 100)
6295 		RUN_DPRINTF(sc, RUN_DEBUG_XMIT | RUN_DEBUG_RESET,
6296 		    "There are still pending Tx\n");
6297 	run_delay(sc, 10);
6298 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6299 
6300 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6301 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6302 
6303 	for (i = 0; i != RUN_EP_QUEUES; i++)
6304 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6305 }
6306 
6307 static void
6308 run_delay(struct run_softc *sc, u_int ms)
6309 {
6310 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6311 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6312 }
6313 
6314 static device_method_t run_methods[] = {
6315 	/* Device interface */
6316 	DEVMETHOD(device_probe,		run_match),
6317 	DEVMETHOD(device_attach,	run_attach),
6318 	DEVMETHOD(device_detach,	run_detach),
6319 	DEVMETHOD_END
6320 };
6321 
6322 static driver_t run_driver = {
6323 	.name = "run",
6324 	.methods = run_methods,
6325 	.size = sizeof(struct run_softc)
6326 };
6327 
6328 static devclass_t run_devclass;
6329 
6330 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6331 MODULE_DEPEND(run, wlan, 1, 1, 1);
6332 MODULE_DEPEND(run, usb, 1, 1, 1);
6333 MODULE_DEPEND(run, firmware, 1, 1, 1);
6334 MODULE_VERSION(run, 1);
6335 USB_PNP_HOST_INFO(run_devs);
6336