xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision 9268022b74279434ed6300244e3f977e56a8ceb5)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
88     "run debug level");
89 #endif
90 
91 #define	IEEE80211_HAS_ADDR4(wh)	\
92 	(((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
93 
94 /*
95  * Because of LOR in run_key_delete(), use atomic instead.
96  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
97  */
98 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
99 
100 static const STRUCT_USB_HOST_ID run_devs[] = {
101 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
102 #define	RUN_DEV_EJECT(v,p)	\
103 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
104 #define	RUN_EJECT	1
105     RUN_DEV(ABOCOM,		RT2770),
106     RUN_DEV(ABOCOM,		RT2870),
107     RUN_DEV(ABOCOM,		RT3070),
108     RUN_DEV(ABOCOM,		RT3071),
109     RUN_DEV(ABOCOM,		RT3072),
110     RUN_DEV(ABOCOM2,		RT2870_1),
111     RUN_DEV(ACCTON,		RT2770),
112     RUN_DEV(ACCTON,		RT2870_1),
113     RUN_DEV(ACCTON,		RT2870_2),
114     RUN_DEV(ACCTON,		RT2870_3),
115     RUN_DEV(ACCTON,		RT2870_4),
116     RUN_DEV(ACCTON,		RT2870_5),
117     RUN_DEV(ACCTON,		RT3070),
118     RUN_DEV(ACCTON,		RT3070_1),
119     RUN_DEV(ACCTON,		RT3070_2),
120     RUN_DEV(ACCTON,		RT3070_3),
121     RUN_DEV(ACCTON,		RT3070_4),
122     RUN_DEV(ACCTON,		RT3070_5),
123     RUN_DEV(AIRTIES,		RT3070),
124     RUN_DEV(ALLWIN,		RT2070),
125     RUN_DEV(ALLWIN,		RT2770),
126     RUN_DEV(ALLWIN,		RT2870),
127     RUN_DEV(ALLWIN,		RT3070),
128     RUN_DEV(ALLWIN,		RT3071),
129     RUN_DEV(ALLWIN,		RT3072),
130     RUN_DEV(ALLWIN,		RT3572),
131     RUN_DEV(AMIGO,		RT2870_1),
132     RUN_DEV(AMIGO,		RT2870_2),
133     RUN_DEV(AMIT,		CGWLUSB2GNR),
134     RUN_DEV(AMIT,		RT2870_1),
135     RUN_DEV(AMIT2,		RT2870),
136     RUN_DEV(ASUS,		RT2870_1),
137     RUN_DEV(ASUS,		RT2870_2),
138     RUN_DEV(ASUS,		RT2870_3),
139     RUN_DEV(ASUS,		RT2870_4),
140     RUN_DEV(ASUS,		RT2870_5),
141     RUN_DEV(ASUS,		USBN13),
142     RUN_DEV(ASUS,		RT3070_1),
143     RUN_DEV(ASUS,		USBN66),
144     RUN_DEV(ASUS,		USB_N53),
145     RUN_DEV(ASUS2,		USBN11),
146     RUN_DEV(AZUREWAVE,		RT2870_1),
147     RUN_DEV(AZUREWAVE,		RT2870_2),
148     RUN_DEV(AZUREWAVE,		RT3070_1),
149     RUN_DEV(AZUREWAVE,		RT3070_2),
150     RUN_DEV(AZUREWAVE,		RT3070_3),
151     RUN_DEV(BELKIN,		F9L1103),
152     RUN_DEV(BELKIN,		F5D8053V3),
153     RUN_DEV(BELKIN,		F5D8055),
154     RUN_DEV(BELKIN,		F5D8055V2),
155     RUN_DEV(BELKIN,		F6D4050V1),
156     RUN_DEV(BELKIN,		F6D4050V2),
157     RUN_DEV(BELKIN,		RT2870_1),
158     RUN_DEV(BELKIN,		RT2870_2),
159     RUN_DEV(CISCOLINKSYS,	AE1000),
160     RUN_DEV(CISCOLINKSYS2,	RT3070),
161     RUN_DEV(CISCOLINKSYS3,	RT3070),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
164     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
165     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
166     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
167     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
168     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
169     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
170     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
171     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
172     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
173     RUN_DEV(COREGA,		CGWLUSB300GNM),
174     RUN_DEV(COREGA,		RT2870_1),
175     RUN_DEV(COREGA,		RT2870_2),
176     RUN_DEV(COREGA,		RT2870_3),
177     RUN_DEV(COREGA,		RT3070),
178     RUN_DEV(CYBERTAN,		RT2870),
179     RUN_DEV(DLINK,		RT2870),
180     RUN_DEV(DLINK,		RT3072),
181     RUN_DEV(DLINK,		DWA127),
182     RUN_DEV(DLINK,		DWA140B3),
183     RUN_DEV(DLINK,		DWA160B2),
184     RUN_DEV(DLINK,		DWA140D1),
185     RUN_DEV(DLINK,		DWA162),
186     RUN_DEV(DLINK2,		DWA130),
187     RUN_DEV(DLINK2,		RT2870_1),
188     RUN_DEV(DLINK2,		RT2870_2),
189     RUN_DEV(DLINK2,		RT3070_1),
190     RUN_DEV(DLINK2,		RT3070_2),
191     RUN_DEV(DLINK2,		RT3070_3),
192     RUN_DEV(DLINK2,		RT3070_4),
193     RUN_DEV(DLINK2,		RT3070_5),
194     RUN_DEV(DLINK2,		RT3072),
195     RUN_DEV(DLINK2,		RT3072_1),
196     RUN_DEV(EDIMAX,		EW7717),
197     RUN_DEV(EDIMAX,		EW7718),
198     RUN_DEV(EDIMAX,		EW7733UND),
199     RUN_DEV(EDIMAX,		RT2870_1),
200     RUN_DEV(ENCORE,		RT3070_1),
201     RUN_DEV(ENCORE,		RT3070_2),
202     RUN_DEV(ENCORE,		RT3070_3),
203     RUN_DEV(GIGABYTE,		GNWB31N),
204     RUN_DEV(GIGABYTE,		GNWB32L),
205     RUN_DEV(GIGABYTE,		RT2870_1),
206     RUN_DEV(GIGASET,		RT3070_1),
207     RUN_DEV(GIGASET,		RT3070_2),
208     RUN_DEV(GUILLEMOT,		HWNU300),
209     RUN_DEV(HAWKING,		HWUN2),
210     RUN_DEV(HAWKING,		RT2870_1),
211     RUN_DEV(HAWKING,		RT2870_2),
212     RUN_DEV(HAWKING,		RT3070),
213     RUN_DEV(IODATA,		RT3072_1),
214     RUN_DEV(IODATA,		RT3072_2),
215     RUN_DEV(IODATA,		RT3072_3),
216     RUN_DEV(IODATA,		RT3072_4),
217     RUN_DEV(LINKSYS4,		RT3070),
218     RUN_DEV(LINKSYS4,		WUSB100),
219     RUN_DEV(LINKSYS4,		WUSB54GCV3),
220     RUN_DEV(LINKSYS4,		WUSB600N),
221     RUN_DEV(LINKSYS4,		WUSB600NV2),
222     RUN_DEV(LOGITEC,		RT2870_1),
223     RUN_DEV(LOGITEC,		RT2870_2),
224     RUN_DEV(LOGITEC,		RT2870_3),
225     RUN_DEV(LOGITEC,		LANW300NU2),
226     RUN_DEV(LOGITEC,		LANW150NU2),
227     RUN_DEV(LOGITEC,		LANW300NU2S),
228     RUN_DEV(MELCO,		RT2870_1),
229     RUN_DEV(MELCO,		RT2870_2),
230     RUN_DEV(MELCO,		WLIUCAG300N),
231     RUN_DEV(MELCO,		WLIUCG300N),
232     RUN_DEV(MELCO,		WLIUCG301N),
233     RUN_DEV(MELCO,		WLIUCGN),
234     RUN_DEV(MELCO,		WLIUCGNM),
235     RUN_DEV(MELCO,		WLIUCGNM2),
236     RUN_DEV(MOTOROLA4,		RT2770),
237     RUN_DEV(MOTOROLA4,		RT3070),
238     RUN_DEV(MSI,		RT3070_1),
239     RUN_DEV(MSI,		RT3070_2),
240     RUN_DEV(MSI,		RT3070_3),
241     RUN_DEV(MSI,		RT3070_4),
242     RUN_DEV(MSI,		RT3070_5),
243     RUN_DEV(MSI,		RT3070_6),
244     RUN_DEV(MSI,		RT3070_7),
245     RUN_DEV(MSI,		RT3070_8),
246     RUN_DEV(MSI,		RT3070_9),
247     RUN_DEV(MSI,		RT3070_10),
248     RUN_DEV(MSI,		RT3070_11),
249     RUN_DEV(OVISLINK,		RT3072),
250     RUN_DEV(PARA,		RT3070),
251     RUN_DEV(PEGATRON,		RT2870),
252     RUN_DEV(PEGATRON,		RT3070),
253     RUN_DEV(PEGATRON,		RT3070_2),
254     RUN_DEV(PEGATRON,		RT3070_3),
255     RUN_DEV(PHILIPS,		RT2870),
256     RUN_DEV(PLANEX2,		GWUS300MINIS),
257     RUN_DEV(PLANEX2,		GWUSMICRON),
258     RUN_DEV(PLANEX2,		RT2870),
259     RUN_DEV(PLANEX2,		RT3070),
260     RUN_DEV(QCOM,		RT2870),
261     RUN_DEV(QUANTA,		RT3070),
262     RUN_DEV(RALINK,		RT2070),
263     RUN_DEV(RALINK,		RT2770),
264     RUN_DEV(RALINK,		RT2870),
265     RUN_DEV(RALINK,		RT3070),
266     RUN_DEV(RALINK,		RT3071),
267     RUN_DEV(RALINK,		RT3072),
268     RUN_DEV(RALINK,		RT3370),
269     RUN_DEV(RALINK,		RT3572),
270     RUN_DEV(RALINK,		RT3573),
271     RUN_DEV(RALINK,		RT5370),
272     RUN_DEV(RALINK,		RT5572),
273     RUN_DEV(RALINK,		RT8070),
274     RUN_DEV(SAMSUNG,		WIS09ABGN),
275     RUN_DEV(SAMSUNG2,		RT2870_1),
276     RUN_DEV(SENAO,		RT2870_1),
277     RUN_DEV(SENAO,		RT2870_2),
278     RUN_DEV(SENAO,		RT2870_3),
279     RUN_DEV(SENAO,		RT2870_4),
280     RUN_DEV(SENAO,		RT3070),
281     RUN_DEV(SENAO,		RT3071),
282     RUN_DEV(SENAO,		RT3072_1),
283     RUN_DEV(SENAO,		RT3072_2),
284     RUN_DEV(SENAO,		RT3072_3),
285     RUN_DEV(SENAO,		RT3072_4),
286     RUN_DEV(SENAO,		RT3072_5),
287     RUN_DEV(SITECOMEU,		RT2770),
288     RUN_DEV(SITECOMEU,		RT2870_1),
289     RUN_DEV(SITECOMEU,		RT2870_2),
290     RUN_DEV(SITECOMEU,		RT2870_3),
291     RUN_DEV(SITECOMEU,		RT2870_4),
292     RUN_DEV(SITECOMEU,		RT3070),
293     RUN_DEV(SITECOMEU,		RT3070_2),
294     RUN_DEV(SITECOMEU,		RT3070_3),
295     RUN_DEV(SITECOMEU,		RT3070_4),
296     RUN_DEV(SITECOMEU,		RT3071),
297     RUN_DEV(SITECOMEU,		RT3072_1),
298     RUN_DEV(SITECOMEU,		RT3072_2),
299     RUN_DEV(SITECOMEU,		RT3072_3),
300     RUN_DEV(SITECOMEU,		RT3072_4),
301     RUN_DEV(SITECOMEU,		RT3072_5),
302     RUN_DEV(SITECOMEU,		RT3072_6),
303     RUN_DEV(SITECOMEU,		WL608),
304     RUN_DEV(SPARKLAN,		RT2870_1),
305     RUN_DEV(SPARKLAN,		RT3070),
306     RUN_DEV(SWEEX2,		LW153),
307     RUN_DEV(SWEEX2,		LW303),
308     RUN_DEV(SWEEX2,		LW313),
309     RUN_DEV(TOSHIBA,		RT3070),
310     RUN_DEV(UMEDIA,		RT2870_1),
311     RUN_DEV(ZCOM,		RT2870_1),
312     RUN_DEV(ZCOM,		RT2870_2),
313     RUN_DEV(ZINWELL,		RT2870_1),
314     RUN_DEV(ZINWELL,		RT2870_2),
315     RUN_DEV(ZINWELL,		RT3070),
316     RUN_DEV(ZINWELL,		RT3072_1),
317     RUN_DEV(ZINWELL,		RT3072_2),
318     RUN_DEV(ZYXEL,		RT2870_1),
319     RUN_DEV(ZYXEL,		RT2870_2),
320     RUN_DEV(ZYXEL,		RT3070),
321     RUN_DEV_EJECT(ZYXEL,	NWD2705),
322     RUN_DEV_EJECT(RALINK,	RT_STOR),
323 #undef RUN_DEV_EJECT
324 #undef RUN_DEV
325 };
326 
327 static device_probe_t	run_match;
328 static device_attach_t	run_attach;
329 static device_detach_t	run_detach;
330 
331 static usb_callback_t	run_bulk_rx_callback;
332 static usb_callback_t	run_bulk_tx_callback0;
333 static usb_callback_t	run_bulk_tx_callback1;
334 static usb_callback_t	run_bulk_tx_callback2;
335 static usb_callback_t	run_bulk_tx_callback3;
336 static usb_callback_t	run_bulk_tx_callback4;
337 static usb_callback_t	run_bulk_tx_callback5;
338 
339 static void	run_autoinst(void *, struct usb_device *,
340 		    struct usb_attach_arg *);
341 static int	run_driver_loaded(struct module *, int, void *);
342 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
343 		    usb_error_t error, u_int index);
344 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
345 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
346 		    const uint8_t [IEEE80211_ADDR_LEN],
347 		    const uint8_t [IEEE80211_ADDR_LEN]);
348 static void	run_vap_delete(struct ieee80211vap *);
349 static void	run_cmdq_cb(void *, int);
350 static void	run_setup_tx_list(struct run_softc *,
351 		    struct run_endpoint_queue *);
352 static void	run_unsetup_tx_list(struct run_softc *,
353 		    struct run_endpoint_queue *);
354 static int	run_load_microcode(struct run_softc *);
355 static int	run_reset(struct run_softc *);
356 static usb_error_t run_do_request(struct run_softc *,
357 		    struct usb_device_request *, void *);
358 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
359 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
360 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
361 static int	run_write(struct run_softc *, uint16_t, uint32_t);
362 static int	run_write_region_1(struct run_softc *, uint16_t,
363 		    const uint8_t *, int);
364 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
365 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
366 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
367 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
368 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
369 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
370 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
371 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
372 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
373 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
374 static const char *run_get_rf(uint16_t);
375 static void	run_rt3593_get_txpower(struct run_softc *);
376 static void	run_get_txpower(struct run_softc *);
377 static int	run_read_eeprom(struct run_softc *);
378 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
379 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
380 static int	run_media_change(struct ifnet *);
381 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
382 static int	run_wme_update(struct ieee80211com *);
383 static void	run_wme_update_cb(void *);
384 static void	run_key_update_begin(struct ieee80211vap *);
385 static void	run_key_update_end(struct ieee80211vap *);
386 static void	run_key_set_cb(void *);
387 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *,
388 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
389 static void	run_key_delete_cb(void *);
390 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
391 static void	run_ratectl_to(void *);
392 static void	run_ratectl_cb(void *, int);
393 static void	run_drain_fifo(void *);
394 static void	run_iter_func(void *, struct ieee80211_node *);
395 static void	run_newassoc_cb(void *);
396 static void	run_newassoc(struct ieee80211_node *, int);
397 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
398 static void	run_tx_free(struct run_endpoint_queue *pq,
399 		    struct run_tx_data *, int);
400 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
401 static int	run_tx(struct run_softc *, struct mbuf *,
402 		    struct ieee80211_node *);
403 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
404 		    struct ieee80211_node *);
405 static int	run_sendprot(struct run_softc *, const struct mbuf *,
406 		    struct ieee80211_node *, int, int);
407 static int	run_tx_param(struct run_softc *, struct mbuf *,
408 		    struct ieee80211_node *,
409 		    const struct ieee80211_bpf_params *);
410 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
411 		    const struct ieee80211_bpf_params *);
412 static void	run_start(struct ifnet *);
413 static int	run_ioctl(struct ifnet *, u_long, caddr_t);
414 static void	run_iq_calib(struct run_softc *, u_int);
415 static void	run_set_agc(struct run_softc *, uint8_t);
416 static void	run_select_chan_group(struct run_softc *, int);
417 static void	run_set_rx_antenna(struct run_softc *, int);
418 static void	run_rt2870_set_chan(struct run_softc *, u_int);
419 static void	run_rt3070_set_chan(struct run_softc *, u_int);
420 static void	run_rt3572_set_chan(struct run_softc *, u_int);
421 static void	run_rt3593_set_chan(struct run_softc *, u_int);
422 static void	run_rt5390_set_chan(struct run_softc *, u_int);
423 static void	run_rt5592_set_chan(struct run_softc *, u_int);
424 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
425 static void	run_set_channel(struct ieee80211com *);
426 static void	run_scan_start(struct ieee80211com *);
427 static void	run_scan_end(struct ieee80211com *);
428 static void	run_update_beacon(struct ieee80211vap *, int);
429 static void	run_update_beacon_cb(void *);
430 static void	run_updateprot(struct ieee80211com *);
431 static void	run_updateprot_cb(void *);
432 static void	run_usb_timeout_cb(void *);
433 static void	run_reset_livelock(struct run_softc *);
434 static void	run_enable_tsf_sync(struct run_softc *);
435 static void	run_enable_mrr(struct run_softc *);
436 static void	run_set_txpreamble(struct run_softc *);
437 static void	run_set_basicrates(struct run_softc *);
438 static void	run_set_leds(struct run_softc *, uint16_t);
439 static void	run_set_bssid(struct run_softc *, const uint8_t *);
440 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
441 static void	run_updateslot(struct ifnet *);
442 static void	run_updateslot_cb(void *);
443 static void	run_update_mcast(struct ifnet *);
444 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
445 static void	run_update_promisc_locked(struct ifnet *);
446 static void	run_update_promisc(struct ifnet *);
447 static void	run_rt5390_bbp_init(struct run_softc *);
448 static int	run_bbp_init(struct run_softc *);
449 static int	run_rt3070_rf_init(struct run_softc *);
450 static void	run_rt3593_rf_init(struct run_softc *);
451 static void	run_rt5390_rf_init(struct run_softc *);
452 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
453 		    uint8_t *);
454 static void	run_rt3070_rf_setup(struct run_softc *);
455 static void	run_rt3593_rf_setup(struct run_softc *);
456 static void	run_rt5390_rf_setup(struct run_softc *);
457 static int	run_txrx_enable(struct run_softc *);
458 static void	run_adjust_freq_offset(struct run_softc *);
459 static void	run_init(void *);
460 static void	run_init_locked(struct run_softc *);
461 static void	run_stop(void *);
462 static void	run_delay(struct run_softc *, u_int);
463 
464 static eventhandler_tag run_etag;
465 
466 static const struct rt2860_rate {
467 	uint8_t		rate;
468 	uint8_t		mcs;
469 	enum		ieee80211_phytype phy;
470 	uint8_t		ctl_ridx;
471 	uint16_t	sp_ack_dur;
472 	uint16_t	lp_ack_dur;
473 } rt2860_rates[] = {
474 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
475 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
476 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
477 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
478 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
479 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
480 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
481 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
482 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
483 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
484 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
485 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
486 };
487 
488 static const struct {
489 	uint16_t	reg;
490 	uint32_t	val;
491 } rt2870_def_mac[] = {
492 	RT2870_DEF_MAC
493 };
494 
495 static const struct {
496 	uint8_t	reg;
497 	uint8_t	val;
498 } rt2860_def_bbp[] = {
499 	RT2860_DEF_BBP
500 },rt5390_def_bbp[] = {
501 	RT5390_DEF_BBP
502 },rt5592_def_bbp[] = {
503 	RT5592_DEF_BBP
504 };
505 
506 /*
507  * Default values for BBP register R196 for RT5592.
508  */
509 static const uint8_t rt5592_bbp_r196[] = {
510 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
511 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
512 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
513 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
514 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
515 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
516 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
517 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
518 	0x2e, 0x36, 0x30, 0x6e
519 };
520 
521 static const struct rfprog {
522 	uint8_t		chan;
523 	uint32_t	r1, r2, r3, r4;
524 } rt2860_rf2850[] = {
525 	RT2860_RF2850
526 };
527 
528 struct {
529 	uint8_t	n, r, k;
530 } rt3070_freqs[] = {
531 	RT3070_RF3052
532 };
533 
534 static const struct rt5592_freqs {
535 	uint16_t	n;
536 	uint8_t		k, m, r;
537 } rt5592_freqs_20mhz[] = {
538 	RT5592_RF5592_20MHZ
539 },rt5592_freqs_40mhz[] = {
540 	RT5592_RF5592_40MHZ
541 };
542 
543 static const struct {
544 	uint8_t	reg;
545 	uint8_t	val;
546 } rt3070_def_rf[] = {
547 	RT3070_DEF_RF
548 },rt3572_def_rf[] = {
549 	RT3572_DEF_RF
550 },rt3593_def_rf[] = {
551 	RT3593_DEF_RF
552 },rt5390_def_rf[] = {
553 	RT5390_DEF_RF
554 },rt5392_def_rf[] = {
555 	RT5392_DEF_RF
556 },rt5592_def_rf[] = {
557 	RT5592_DEF_RF
558 },rt5592_2ghz_def_rf[] = {
559 	RT5592_2GHZ_DEF_RF
560 },rt5592_5ghz_def_rf[] = {
561 	RT5592_5GHZ_DEF_RF
562 };
563 
564 static const struct {
565 	u_int	firstchan;
566 	u_int	lastchan;
567 	uint8_t	reg;
568 	uint8_t	val;
569 } rt5592_chan_5ghz[] = {
570 	RT5592_CHAN_5GHZ
571 };
572 
573 static const struct usb_config run_config[RUN_N_XFER] = {
574     [RUN_BULK_TX_BE] = {
575 	.type = UE_BULK,
576 	.endpoint = UE_ADDR_ANY,
577 	.ep_index = 0,
578 	.direction = UE_DIR_OUT,
579 	.bufsize = RUN_MAX_TXSZ,
580 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
581 	.callback = run_bulk_tx_callback0,
582 	.timeout = 5000,	/* ms */
583     },
584     [RUN_BULK_TX_BK] = {
585 	.type = UE_BULK,
586 	.endpoint = UE_ADDR_ANY,
587 	.direction = UE_DIR_OUT,
588 	.ep_index = 1,
589 	.bufsize = RUN_MAX_TXSZ,
590 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
591 	.callback = run_bulk_tx_callback1,
592 	.timeout = 5000,	/* ms */
593     },
594     [RUN_BULK_TX_VI] = {
595 	.type = UE_BULK,
596 	.endpoint = UE_ADDR_ANY,
597 	.direction = UE_DIR_OUT,
598 	.ep_index = 2,
599 	.bufsize = RUN_MAX_TXSZ,
600 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
601 	.callback = run_bulk_tx_callback2,
602 	.timeout = 5000,	/* ms */
603     },
604     [RUN_BULK_TX_VO] = {
605 	.type = UE_BULK,
606 	.endpoint = UE_ADDR_ANY,
607 	.direction = UE_DIR_OUT,
608 	.ep_index = 3,
609 	.bufsize = RUN_MAX_TXSZ,
610 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
611 	.callback = run_bulk_tx_callback3,
612 	.timeout = 5000,	/* ms */
613     },
614     [RUN_BULK_TX_HCCA] = {
615 	.type = UE_BULK,
616 	.endpoint = UE_ADDR_ANY,
617 	.direction = UE_DIR_OUT,
618 	.ep_index = 4,
619 	.bufsize = RUN_MAX_TXSZ,
620 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
621 	.callback = run_bulk_tx_callback4,
622 	.timeout = 5000,	/* ms */
623     },
624     [RUN_BULK_TX_PRIO] = {
625 	.type = UE_BULK,
626 	.endpoint = UE_ADDR_ANY,
627 	.direction = UE_DIR_OUT,
628 	.ep_index = 5,
629 	.bufsize = RUN_MAX_TXSZ,
630 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
631 	.callback = run_bulk_tx_callback5,
632 	.timeout = 5000,	/* ms */
633     },
634     [RUN_BULK_RX] = {
635 	.type = UE_BULK,
636 	.endpoint = UE_ADDR_ANY,
637 	.direction = UE_DIR_IN,
638 	.bufsize = RUN_MAX_RXSZ,
639 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
640 	.callback = run_bulk_rx_callback,
641     }
642 };
643 
644 static void
645 run_autoinst(void *arg, struct usb_device *udev,
646     struct usb_attach_arg *uaa)
647 {
648 	struct usb_interface *iface;
649 	struct usb_interface_descriptor *id;
650 
651 	if (uaa->dev_state != UAA_DEV_READY)
652 		return;
653 
654 	iface = usbd_get_iface(udev, 0);
655 	if (iface == NULL)
656 		return;
657 	id = iface->idesc;
658 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
659 		return;
660 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
661 		return;
662 
663 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
664 		uaa->dev_state = UAA_DEV_EJECTING;
665 }
666 
667 static int
668 run_driver_loaded(struct module *mod, int what, void *arg)
669 {
670 	switch (what) {
671 	case MOD_LOAD:
672 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
673 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
674 		break;
675 	case MOD_UNLOAD:
676 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
677 		break;
678 	default:
679 		return (EOPNOTSUPP);
680 	}
681 	return (0);
682 }
683 
684 static int
685 run_match(device_t self)
686 {
687 	struct usb_attach_arg *uaa = device_get_ivars(self);
688 
689 	if (uaa->usb_mode != USB_MODE_HOST)
690 		return (ENXIO);
691 	if (uaa->info.bConfigIndex != 0)
692 		return (ENXIO);
693 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
694 		return (ENXIO);
695 
696 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
697 }
698 
699 static int
700 run_attach(device_t self)
701 {
702 	struct run_softc *sc = device_get_softc(self);
703 	struct usb_attach_arg *uaa = device_get_ivars(self);
704 	struct ieee80211com *ic;
705 	struct ifnet *ifp;
706 	uint32_t ver;
707 	int ntries, error;
708 	uint8_t iface_index, bands;
709 
710 	device_set_usb_desc(self);
711 	sc->sc_udev = uaa->device;
712 	sc->sc_dev = self;
713 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
714 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
715 
716 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
717 	    MTX_NETWORK_LOCK, MTX_DEF);
718 
719 	iface_index = RT2860_IFACE_INDEX;
720 
721 	error = usbd_transfer_setup(uaa->device, &iface_index,
722 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
723 	if (error) {
724 		device_printf(self, "could not allocate USB transfers, "
725 		    "err=%s\n", usbd_errstr(error));
726 		goto detach;
727 	}
728 
729 	RUN_LOCK(sc);
730 
731 	/* wait for the chip to settle */
732 	for (ntries = 0; ntries < 100; ntries++) {
733 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
734 			RUN_UNLOCK(sc);
735 			goto detach;
736 		}
737 		if (ver != 0 && ver != 0xffffffff)
738 			break;
739 		run_delay(sc, 10);
740 	}
741 	if (ntries == 100) {
742 		device_printf(sc->sc_dev,
743 		    "timeout waiting for NIC to initialize\n");
744 		RUN_UNLOCK(sc);
745 		goto detach;
746 	}
747 	sc->mac_ver = ver >> 16;
748 	sc->mac_rev = ver & 0xffff;
749 
750 	/* retrieve RF rev. no and various other things from EEPROM */
751 	run_read_eeprom(sc);
752 
753 	device_printf(sc->sc_dev,
754 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
755 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
756 	    sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
757 
758 	RUN_UNLOCK(sc);
759 
760 	ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
761 	if (ifp == NULL) {
762 		device_printf(sc->sc_dev, "can not if_alloc()\n");
763 		goto detach;
764 	}
765 	ic = ifp->if_l2com;
766 
767 	ifp->if_softc = sc;
768 	if_initname(ifp, "run", device_get_unit(sc->sc_dev));
769 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
770 	ifp->if_init = run_init;
771 	ifp->if_ioctl = run_ioctl;
772 	ifp->if_start = run_start;
773 	IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
774 	ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
775 	IFQ_SET_READY(&ifp->if_snd);
776 
777 	ic->ic_ifp = ifp;
778 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
779 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
780 
781 	/* set device capabilities */
782 	ic->ic_caps =
783 	    IEEE80211_C_STA |		/* station mode supported */
784 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
785 	    IEEE80211_C_IBSS |
786 	    IEEE80211_C_HOSTAP |
787 	    IEEE80211_C_WDS |		/* 4-address traffic works */
788 	    IEEE80211_C_MBSS |
789 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
790 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
791 	    IEEE80211_C_WME |		/* WME */
792 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
793 
794 	ic->ic_cryptocaps =
795 	    IEEE80211_CRYPTO_WEP |
796 	    IEEE80211_CRYPTO_AES_CCM |
797 	    IEEE80211_CRYPTO_TKIPMIC |
798 	    IEEE80211_CRYPTO_TKIP;
799 
800 	ic->ic_flags |= IEEE80211_F_DATAPAD;
801 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
802 
803 	bands = 0;
804 	setbit(&bands, IEEE80211_MODE_11B);
805 	setbit(&bands, IEEE80211_MODE_11G);
806 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
807 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
808 	    sc->rf_rev == RT5592_RF_5592)
809 		setbit(&bands, IEEE80211_MODE_11A);
810 	ieee80211_init_channels(ic, NULL, &bands);
811 
812 	ieee80211_ifattach(ic, sc->sc_bssid);
813 
814 	ic->ic_scan_start = run_scan_start;
815 	ic->ic_scan_end = run_scan_end;
816 	ic->ic_set_channel = run_set_channel;
817 	ic->ic_node_alloc = run_node_alloc;
818 	ic->ic_newassoc = run_newassoc;
819 	ic->ic_updateslot = run_updateslot;
820 	ic->ic_update_mcast = run_update_mcast;
821 	ic->ic_wme.wme_update = run_wme_update;
822 	ic->ic_raw_xmit = run_raw_xmit;
823 	ic->ic_update_promisc = run_update_promisc;
824 
825 	ic->ic_vap_create = run_vap_create;
826 	ic->ic_vap_delete = run_vap_delete;
827 
828 	ieee80211_radiotap_attach(ic,
829 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
830 		RUN_TX_RADIOTAP_PRESENT,
831 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
832 		RUN_RX_RADIOTAP_PRESENT);
833 
834 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
835 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
836 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
837 
838 	if (bootverbose)
839 		ieee80211_announce(ic);
840 
841 	return (0);
842 
843 detach:
844 	run_detach(self);
845 	return (ENXIO);
846 }
847 
848 static int
849 run_detach(device_t self)
850 {
851 	struct run_softc *sc = device_get_softc(self);
852 	struct ifnet *ifp = sc->sc_ifp;
853 	struct ieee80211com *ic;
854 	int i;
855 
856 	RUN_LOCK(sc);
857 	sc->sc_detached = 1;
858 	RUN_UNLOCK(sc);
859 
860 	/* stop all USB transfers */
861 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
862 
863 	RUN_LOCK(sc);
864 	sc->ratectl_run = RUN_RATECTL_OFF;
865 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
866 
867 	/* free TX list, if any */
868 	for (i = 0; i != RUN_EP_QUEUES; i++)
869 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
870 	RUN_UNLOCK(sc);
871 
872 	if (ifp) {
873 		ic = ifp->if_l2com;
874 		/* drain tasks */
875 		usb_callout_drain(&sc->ratectl_ch);
876 		ieee80211_draintask(ic, &sc->cmdq_task);
877 		ieee80211_draintask(ic, &sc->ratectl_task);
878 		ieee80211_ifdetach(ic);
879 		if_free(ifp);
880 	}
881 
882 	mtx_destroy(&sc->sc_mtx);
883 
884 	return (0);
885 }
886 
887 static struct ieee80211vap *
888 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
889     enum ieee80211_opmode opmode, int flags,
890     const uint8_t bssid[IEEE80211_ADDR_LEN],
891     const uint8_t mac[IEEE80211_ADDR_LEN])
892 {
893 	struct ifnet *ifp = ic->ic_ifp;
894 	struct run_softc *sc = ifp->if_softc;
895 	struct run_vap *rvp;
896 	struct ieee80211vap *vap;
897 	int i;
898 
899 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
900 		if_printf(ifp, "number of VAPs maxed out\n");
901 		return (NULL);
902 	}
903 
904 	switch (opmode) {
905 	case IEEE80211_M_STA:
906 		/* enable s/w bmiss handling for sta mode */
907 		flags |= IEEE80211_CLONE_NOBEACONS;
908 		/* fall though */
909 	case IEEE80211_M_IBSS:
910 	case IEEE80211_M_MONITOR:
911 	case IEEE80211_M_HOSTAP:
912 	case IEEE80211_M_MBSS:
913 		/* other than WDS vaps, only one at a time */
914 		if (!TAILQ_EMPTY(&ic->ic_vaps))
915 			return (NULL);
916 		break;
917 	case IEEE80211_M_WDS:
918 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
919 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
920 				continue;
921 			/* WDS vap's always share the local mac address. */
922 			flags &= ~IEEE80211_CLONE_BSSID;
923 			break;
924 		}
925 		if (vap == NULL) {
926 			if_printf(ifp, "wds only supported in ap mode\n");
927 			return (NULL);
928 		}
929 		break;
930 	default:
931 		if_printf(ifp, "unknown opmode %d\n", opmode);
932 		return (NULL);
933 	}
934 
935 	rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
936 	    M_80211_VAP, M_NOWAIT | M_ZERO);
937 	if (rvp == NULL)
938 		return (NULL);
939 	vap = &rvp->vap;
940 
941 	if (ieee80211_vap_setup(ic, vap, name, unit,
942 	    opmode, flags, bssid, mac) != 0) {
943 		/* out of memory */
944 		free(rvp, M_80211_VAP);
945 		return (NULL);
946 	}
947 
948 	vap->iv_key_update_begin = run_key_update_begin;
949 	vap->iv_key_update_end = run_key_update_end;
950 	vap->iv_update_beacon = run_update_beacon;
951 	vap->iv_max_aid = RT2870_WCID_MAX;
952 	/*
953 	 * To delete the right key from h/w, we need wcid.
954 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
955 	 * and matching wcid will be written into there. So, cast
956 	 * some spells to remove 'const' from ieee80211_key{}
957 	 */
958 	vap->iv_key_delete = (void *)run_key_delete;
959 	vap->iv_key_set = (void *)run_key_set;
960 
961 	/* override state transition machine */
962 	rvp->newstate = vap->iv_newstate;
963 	vap->iv_newstate = run_newstate;
964 
965 	ieee80211_ratectl_init(vap);
966 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
967 
968 	/* complete setup */
969 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
970 
971 	/* make sure id is always unique */
972 	for (i = 0; i < RUN_VAP_MAX; i++) {
973 		if((sc->rvp_bmap & 1 << i) == 0){
974 			sc->rvp_bmap |= 1 << i;
975 			rvp->rvp_id = i;
976 			break;
977 		}
978 	}
979 	if (sc->rvp_cnt++ == 0)
980 		ic->ic_opmode = opmode;
981 
982 	if (opmode == IEEE80211_M_HOSTAP)
983 		sc->cmdq_run = RUN_CMDQ_GO;
984 
985 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
986 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
987 
988 	return (vap);
989 }
990 
991 static void
992 run_vap_delete(struct ieee80211vap *vap)
993 {
994 	struct run_vap *rvp = RUN_VAP(vap);
995 	struct ifnet *ifp;
996 	struct ieee80211com *ic;
997 	struct run_softc *sc;
998 	uint8_t rvp_id;
999 
1000 	if (vap == NULL)
1001 		return;
1002 
1003 	ic = vap->iv_ic;
1004 	ifp = ic->ic_ifp;
1005 
1006 	sc = ifp->if_softc;
1007 
1008 	RUN_LOCK(sc);
1009 
1010 	m_freem(rvp->beacon_mbuf);
1011 	rvp->beacon_mbuf = NULL;
1012 
1013 	rvp_id = rvp->rvp_id;
1014 	sc->ratectl_run &= ~(1 << rvp_id);
1015 	sc->rvp_bmap &= ~(1 << rvp_id);
1016 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1017 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1018 	--sc->rvp_cnt;
1019 
1020 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1021 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1022 
1023 	RUN_UNLOCK(sc);
1024 
1025 	ieee80211_ratectl_deinit(vap);
1026 	ieee80211_vap_detach(vap);
1027 	free(rvp, M_80211_VAP);
1028 }
1029 
1030 /*
1031  * There are numbers of functions need to be called in context thread.
1032  * Rather than creating taskqueue event for each of those functions,
1033  * here is all-for-one taskqueue callback function. This function
1034  * gurantees deferred functions are executed in the same order they
1035  * were enqueued.
1036  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1037  */
1038 static void
1039 run_cmdq_cb(void *arg, int pending)
1040 {
1041 	struct run_softc *sc = arg;
1042 	uint8_t i;
1043 
1044 	/* call cmdq[].func locked */
1045 	RUN_LOCK(sc);
1046 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1047 	    i = sc->cmdq_exec, pending--) {
1048 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1049 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1050 			/*
1051 			 * If arg0 is NULL, callback func needs more
1052 			 * than one arg. So, pass ptr to cmdq struct.
1053 			 */
1054 			if (sc->cmdq[i].arg0)
1055 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1056 			else
1057 				sc->cmdq[i].func(&sc->cmdq[i]);
1058 		}
1059 		sc->cmdq[i].arg0 = NULL;
1060 		sc->cmdq[i].func = NULL;
1061 		sc->cmdq_exec++;
1062 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1063 	}
1064 	RUN_UNLOCK(sc);
1065 }
1066 
1067 static void
1068 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1069 {
1070 	struct run_tx_data *data;
1071 
1072 	memset(pq, 0, sizeof(*pq));
1073 
1074 	STAILQ_INIT(&pq->tx_qh);
1075 	STAILQ_INIT(&pq->tx_fh);
1076 
1077 	for (data = &pq->tx_data[0];
1078 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1079 		data->sc = sc;
1080 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1081 	}
1082 	pq->tx_nfree = RUN_TX_RING_COUNT;
1083 }
1084 
1085 static void
1086 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1087 {
1088 	struct run_tx_data *data;
1089 
1090 	/* make sure any subsequent use of the queues will fail */
1091 	pq->tx_nfree = 0;
1092 	STAILQ_INIT(&pq->tx_fh);
1093 	STAILQ_INIT(&pq->tx_qh);
1094 
1095 	/* free up all node references and mbufs */
1096 	for (data = &pq->tx_data[0];
1097 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1098 		if (data->m != NULL) {
1099 			m_freem(data->m);
1100 			data->m = NULL;
1101 		}
1102 		if (data->ni != NULL) {
1103 			ieee80211_free_node(data->ni);
1104 			data->ni = NULL;
1105 		}
1106 	}
1107 }
1108 
1109 static int
1110 run_load_microcode(struct run_softc *sc)
1111 {
1112 	usb_device_request_t req;
1113 	const struct firmware *fw;
1114 	const u_char *base;
1115 	uint32_t tmp;
1116 	int ntries, error;
1117 	const uint64_t *temp;
1118 	uint64_t bytes;
1119 
1120 	RUN_UNLOCK(sc);
1121 	fw = firmware_get("runfw");
1122 	RUN_LOCK(sc);
1123 	if (fw == NULL) {
1124 		device_printf(sc->sc_dev,
1125 		    "failed loadfirmware of file %s\n", "runfw");
1126 		return ENOENT;
1127 	}
1128 
1129 	if (fw->datasize != 8192) {
1130 		device_printf(sc->sc_dev,
1131 		    "invalid firmware size (should be 8KB)\n");
1132 		error = EINVAL;
1133 		goto fail;
1134 	}
1135 
1136 	/*
1137 	 * RT3071/RT3072 use a different firmware
1138 	 * run-rt2870 (8KB) contains both,
1139 	 * first half (4KB) is for rt2870,
1140 	 * last half is for rt3071.
1141 	 */
1142 	base = fw->data;
1143 	if ((sc->mac_ver) != 0x2860 &&
1144 	    (sc->mac_ver) != 0x2872 &&
1145 	    (sc->mac_ver) != 0x3070) {
1146 		base += 4096;
1147 	}
1148 
1149 	/* cheap sanity check */
1150 	temp = fw->data;
1151 	bytes = *temp;
1152 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1153 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1154 		error = EINVAL;
1155 		goto fail;
1156 	}
1157 
1158 	/* write microcode image */
1159 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1160 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1161 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1162 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1163 	}
1164 
1165 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1166 	req.bRequest = RT2870_RESET;
1167 	USETW(req.wValue, 8);
1168 	USETW(req.wIndex, 0);
1169 	USETW(req.wLength, 0);
1170 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1171 	    != 0) {
1172 		device_printf(sc->sc_dev, "firmware reset failed\n");
1173 		goto fail;
1174 	}
1175 
1176 	run_delay(sc, 10);
1177 
1178 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1179 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1180 	run_write(sc, RT2860_H2M_INTSRC, 0);
1181 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1182 		goto fail;
1183 
1184 	/* wait until microcontroller is ready */
1185 	for (ntries = 0; ntries < 1000; ntries++) {
1186 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1187 			goto fail;
1188 		if (tmp & RT2860_MCU_READY)
1189 			break;
1190 		run_delay(sc, 10);
1191 	}
1192 	if (ntries == 1000) {
1193 		device_printf(sc->sc_dev,
1194 		    "timeout waiting for MCU to initialize\n");
1195 		error = ETIMEDOUT;
1196 		goto fail;
1197 	}
1198 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1199 	    (base == fw->data) ? "RT2870" : "RT3071",
1200 	    *(base + 4092), *(base + 4093));
1201 
1202 fail:
1203 	firmware_put(fw, FIRMWARE_UNLOAD);
1204 	return (error);
1205 }
1206 
1207 static int
1208 run_reset(struct run_softc *sc)
1209 {
1210 	usb_device_request_t req;
1211 
1212 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1213 	req.bRequest = RT2870_RESET;
1214 	USETW(req.wValue, 1);
1215 	USETW(req.wIndex, 0);
1216 	USETW(req.wLength, 0);
1217 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1218 }
1219 
1220 static usb_error_t
1221 run_do_request(struct run_softc *sc,
1222     struct usb_device_request *req, void *data)
1223 {
1224 	usb_error_t err;
1225 	int ntries = 10;
1226 
1227 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1228 
1229 	while (ntries--) {
1230 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1231 		    req, data, 0, NULL, 250 /* ms */);
1232 		if (err == 0)
1233 			break;
1234 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1235 		    usbd_errstr(err));
1236 		run_delay(sc, 10);
1237 	}
1238 	return (err);
1239 }
1240 
1241 static int
1242 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1243 {
1244 	uint32_t tmp;
1245 	int error;
1246 
1247 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1248 	if (error == 0)
1249 		*val = le32toh(tmp);
1250 	else
1251 		*val = 0xffffffff;
1252 	return (error);
1253 }
1254 
1255 static int
1256 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1257 {
1258 	usb_device_request_t req;
1259 
1260 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1261 	req.bRequest = RT2870_READ_REGION_1;
1262 	USETW(req.wValue, 0);
1263 	USETW(req.wIndex, reg);
1264 	USETW(req.wLength, len);
1265 
1266 	return (run_do_request(sc, &req, buf));
1267 }
1268 
1269 static int
1270 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1271 {
1272 	usb_device_request_t req;
1273 
1274 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1275 	req.bRequest = RT2870_WRITE_2;
1276 	USETW(req.wValue, val);
1277 	USETW(req.wIndex, reg);
1278 	USETW(req.wLength, 0);
1279 
1280 	return (run_do_request(sc, &req, NULL));
1281 }
1282 
1283 static int
1284 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1285 {
1286 	int error;
1287 
1288 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1289 		error = run_write_2(sc, reg + 2, val >> 16);
1290 	return (error);
1291 }
1292 
1293 static int
1294 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1295     int len)
1296 {
1297 #if 1
1298 	int i, error = 0;
1299 	/*
1300 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1301 	 * We thus issue multiple WRITE_2 commands instead.
1302 	 */
1303 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1304 	for (i = 0; i < len && error == 0; i += 2)
1305 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1306 	return (error);
1307 #else
1308 	usb_device_request_t req;
1309 	int error = 0;
1310 
1311 	/*
1312 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1313 	 * passed a huge amount of data, which will crash the
1314 	 * firmware. Limit amount of data passed to 64-bytes at a
1315 	 * time.
1316 	 */
1317 	while (len > 0) {
1318 		int delta = 64;
1319 		if (delta > len)
1320 			delta = len;
1321 
1322 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1323 		req.bRequest = RT2870_WRITE_REGION_1;
1324 		USETW(req.wValue, 0);
1325 		USETW(req.wIndex, reg);
1326 		USETW(req.wLength, delta);
1327 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1328 		if (error != 0)
1329 			break;
1330 		reg += delta;
1331 		buf += delta;
1332 		len -= delta;
1333 	}
1334 	return (error);
1335 #endif
1336 }
1337 
1338 static int
1339 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1340 {
1341 	int i, error = 0;
1342 
1343 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1344 	for (i = 0; i < len && error == 0; i += 4)
1345 		error = run_write(sc, reg + i, val);
1346 	return (error);
1347 }
1348 
1349 static int
1350 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1351 {
1352 	uint32_t tmp;
1353 	uint16_t reg;
1354 	int error, ntries;
1355 
1356 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1357 		return (error);
1358 
1359 	if (count == 2)
1360 		addr *= 2;
1361 	/*-
1362 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1363 	 * DATA0: F E D C
1364 	 * DATA1: B A 9 8
1365 	 * DATA2: 7 6 5 4
1366 	 * DATA3: 3 2 1 0
1367 	 */
1368 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1369 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1370 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1371 	for (ntries = 0; ntries < 100; ntries++) {
1372 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1373 			return (error);
1374 		if (!(tmp & RT3070_EFSROM_KICK))
1375 			break;
1376 		run_delay(sc, 2);
1377 	}
1378 	if (ntries == 100)
1379 		return (ETIMEDOUT);
1380 
1381 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1382 		*val = 0xffff;	/* address not found */
1383 		return (0);
1384 	}
1385 	/* determine to which 32-bit register our 16-bit word belongs */
1386 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1387 	if ((error = run_read(sc, reg, &tmp)) != 0)
1388 		return (error);
1389 
1390 	tmp >>= (8 * (addr & 0x3));
1391 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1392 
1393 	return (0);
1394 }
1395 
1396 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1397 static int
1398 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1399 {
1400 	return (run_efuse_read(sc, addr, val, 2));
1401 }
1402 
1403 static int
1404 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1405 {
1406 	usb_device_request_t req;
1407 	uint16_t tmp;
1408 	int error;
1409 
1410 	addr *= 2;
1411 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1412 	req.bRequest = RT2870_EEPROM_READ;
1413 	USETW(req.wValue, 0);
1414 	USETW(req.wIndex, addr);
1415 	USETW(req.wLength, sizeof(tmp));
1416 
1417 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1418 	if (error == 0)
1419 		*val = le16toh(tmp);
1420 	else
1421 		*val = 0xffff;
1422 	return (error);
1423 }
1424 
1425 static __inline int
1426 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1427 {
1428 	/* either eFUSE ROM or EEPROM */
1429 	return sc->sc_srom_read(sc, addr, val);
1430 }
1431 
1432 static int
1433 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1434 {
1435 	uint32_t tmp;
1436 	int error, ntries;
1437 
1438 	for (ntries = 0; ntries < 10; ntries++) {
1439 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1440 			return (error);
1441 		if (!(tmp & RT2860_RF_REG_CTRL))
1442 			break;
1443 	}
1444 	if (ntries == 10)
1445 		return (ETIMEDOUT);
1446 
1447 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1448 }
1449 
1450 static int
1451 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1452 {
1453 	uint32_t tmp;
1454 	int error, ntries;
1455 
1456 	for (ntries = 0; ntries < 100; ntries++) {
1457 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1458 			return (error);
1459 		if (!(tmp & RT3070_RF_KICK))
1460 			break;
1461 	}
1462 	if (ntries == 100)
1463 		return (ETIMEDOUT);
1464 
1465 	tmp = RT3070_RF_KICK | reg << 8;
1466 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1467 		return (error);
1468 
1469 	for (ntries = 0; ntries < 100; ntries++) {
1470 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1471 			return (error);
1472 		if (!(tmp & RT3070_RF_KICK))
1473 			break;
1474 	}
1475 	if (ntries == 100)
1476 		return (ETIMEDOUT);
1477 
1478 	*val = tmp & 0xff;
1479 	return (0);
1480 }
1481 
1482 static int
1483 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1484 {
1485 	uint32_t tmp;
1486 	int error, ntries;
1487 
1488 	for (ntries = 0; ntries < 10; ntries++) {
1489 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1490 			return (error);
1491 		if (!(tmp & RT3070_RF_KICK))
1492 			break;
1493 	}
1494 	if (ntries == 10)
1495 		return (ETIMEDOUT);
1496 
1497 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1498 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1499 }
1500 
1501 static int
1502 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1503 {
1504 	uint32_t tmp;
1505 	int ntries, error;
1506 
1507 	for (ntries = 0; ntries < 10; ntries++) {
1508 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1509 			return (error);
1510 		if (!(tmp & RT2860_BBP_CSR_KICK))
1511 			break;
1512 	}
1513 	if (ntries == 10)
1514 		return (ETIMEDOUT);
1515 
1516 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1517 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1518 		return (error);
1519 
1520 	for (ntries = 0; ntries < 10; ntries++) {
1521 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1522 			return (error);
1523 		if (!(tmp & RT2860_BBP_CSR_KICK))
1524 			break;
1525 	}
1526 	if (ntries == 10)
1527 		return (ETIMEDOUT);
1528 
1529 	*val = tmp & 0xff;
1530 	return (0);
1531 }
1532 
1533 static int
1534 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1535 {
1536 	uint32_t tmp;
1537 	int ntries, error;
1538 
1539 	for (ntries = 0; ntries < 10; ntries++) {
1540 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1541 			return (error);
1542 		if (!(tmp & RT2860_BBP_CSR_KICK))
1543 			break;
1544 	}
1545 	if (ntries == 10)
1546 		return (ETIMEDOUT);
1547 
1548 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1549 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1550 }
1551 
1552 /*
1553  * Send a command to the 8051 microcontroller unit.
1554  */
1555 static int
1556 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1557 {
1558 	uint32_t tmp;
1559 	int error, ntries;
1560 
1561 	for (ntries = 0; ntries < 100; ntries++) {
1562 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1563 			return error;
1564 		if (!(tmp & RT2860_H2M_BUSY))
1565 			break;
1566 	}
1567 	if (ntries == 100)
1568 		return ETIMEDOUT;
1569 
1570 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1571 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1572 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1573 	return (error);
1574 }
1575 
1576 /*
1577  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1578  * Used to adjust per-rate Tx power registers.
1579  */
1580 static __inline uint32_t
1581 b4inc(uint32_t b32, int8_t delta)
1582 {
1583 	int8_t i, b4;
1584 
1585 	for (i = 0; i < 8; i++) {
1586 		b4 = b32 & 0xf;
1587 		b4 += delta;
1588 		if (b4 < 0)
1589 			b4 = 0;
1590 		else if (b4 > 0xf)
1591 			b4 = 0xf;
1592 		b32 = b32 >> 4 | b4 << 28;
1593 	}
1594 	return (b32);
1595 }
1596 
1597 static const char *
1598 run_get_rf(uint16_t rev)
1599 {
1600 	switch (rev) {
1601 	case RT2860_RF_2820:	return "RT2820";
1602 	case RT2860_RF_2850:	return "RT2850";
1603 	case RT2860_RF_2720:	return "RT2720";
1604 	case RT2860_RF_2750:	return "RT2750";
1605 	case RT3070_RF_3020:	return "RT3020";
1606 	case RT3070_RF_2020:	return "RT2020";
1607 	case RT3070_RF_3021:	return "RT3021";
1608 	case RT3070_RF_3022:	return "RT3022";
1609 	case RT3070_RF_3052:	return "RT3052";
1610 	case RT3593_RF_3053:	return "RT3053";
1611 	case RT5592_RF_5592:	return "RT5592";
1612 	case RT5390_RF_5370:	return "RT5370";
1613 	case RT5390_RF_5372:	return "RT5372";
1614 	}
1615 	return ("unknown");
1616 }
1617 
1618 static void
1619 run_rt3593_get_txpower(struct run_softc *sc)
1620 {
1621 	uint16_t addr, val;
1622 	int i;
1623 
1624 	/* Read power settings for 2GHz channels. */
1625 	for (i = 0; i < 14; i += 2) {
1626 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1627 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1628 		run_srom_read(sc, addr + i / 2, &val);
1629 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1630 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1631 
1632 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1633 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1634 		run_srom_read(sc, addr + i / 2, &val);
1635 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1636 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1637 
1638 		if (sc->ntxchains == 3) {
1639 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1640 			    &val);
1641 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1642 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1643 		}
1644 	}
1645 	/* Fix broken Tx power entries. */
1646 	for (i = 0; i < 14; i++) {
1647 		if (sc->txpow1[i] > 31)
1648 			sc->txpow1[i] = 5;
1649 		if (sc->txpow2[i] > 31)
1650 			sc->txpow2[i] = 5;
1651 		if (sc->ntxchains == 3) {
1652 			if (sc->txpow3[i] > 31)
1653 				sc->txpow3[i] = 5;
1654 		}
1655 	}
1656 	/* Read power settings for 5GHz channels. */
1657 	for (i = 0; i < 40; i += 2) {
1658 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1659 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1660 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1661 
1662 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1663 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1664 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1665 
1666 		if (sc->ntxchains == 3) {
1667 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1668 			    &val);
1669 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1670 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1671 		}
1672 	}
1673 }
1674 
1675 static void
1676 run_get_txpower(struct run_softc *sc)
1677 {
1678 	uint16_t val;
1679 	int i;
1680 
1681 	/* Read power settings for 2GHz channels. */
1682 	for (i = 0; i < 14; i += 2) {
1683 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1684 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1685 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1686 
1687 		if (sc->mac_ver != 0x5390) {
1688 			run_srom_read(sc,
1689 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1690 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1691 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1692 		}
1693 	}
1694 	/* Fix broken Tx power entries. */
1695 	for (i = 0; i < 14; i++) {
1696 		if (sc->mac_ver >= 0x5390) {
1697 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1698 				sc->txpow1[i] = 5;
1699 		} else {
1700 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1701 				sc->txpow1[i] = 5;
1702 		}
1703 		if (sc->mac_ver > 0x5390) {
1704 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1705 				sc->txpow2[i] = 5;
1706 		} else if (sc->mac_ver < 0x5390) {
1707 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1708 				sc->txpow2[i] = 5;
1709 		}
1710 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1711 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1712 	}
1713 	/* Read power settings for 5GHz channels. */
1714 	for (i = 0; i < 40; i += 2) {
1715 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1716 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1717 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1718 
1719 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1720 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1721 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1722 	}
1723 	/* Fix broken Tx power entries. */
1724 	for (i = 0; i < 40; i++ ) {
1725 		if (sc->mac_ver != 0x5592) {
1726 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1727 				sc->txpow1[14 + i] = 5;
1728 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1729 				sc->txpow2[14 + i] = 5;
1730 		}
1731 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1732 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1733 		    sc->txpow2[14 + i]);
1734 	}
1735 }
1736 
1737 static int
1738 run_read_eeprom(struct run_softc *sc)
1739 {
1740 	int8_t delta_2ghz, delta_5ghz;
1741 	uint32_t tmp;
1742 	uint16_t val;
1743 	int ridx, ant, i;
1744 
1745 	/* check whether the ROM is eFUSE ROM or EEPROM */
1746 	sc->sc_srom_read = run_eeprom_read_2;
1747 	if (sc->mac_ver >= 0x3070) {
1748 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1749 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1750 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1751 			sc->sc_srom_read = run_efuse_read_2;
1752 	}
1753 
1754 	/* read ROM version */
1755 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1756 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1757 
1758 	/* read MAC address */
1759 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1760 	sc->sc_bssid[0] = val & 0xff;
1761 	sc->sc_bssid[1] = val >> 8;
1762 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1763 	sc->sc_bssid[2] = val & 0xff;
1764 	sc->sc_bssid[3] = val >> 8;
1765 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1766 	sc->sc_bssid[4] = val & 0xff;
1767 	sc->sc_bssid[5] = val >> 8;
1768 
1769 	if (sc->mac_ver < 0x3593) {
1770 		/* read vender BBP settings */
1771 		for (i = 0; i < 10; i++) {
1772 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1773 			sc->bbp[i].val = val & 0xff;
1774 			sc->bbp[i].reg = val >> 8;
1775 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1776 			    sc->bbp[i].val);
1777 		}
1778 		if (sc->mac_ver >= 0x3071) {
1779 			/* read vendor RF settings */
1780 			for (i = 0; i < 10; i++) {
1781 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1782 				   &val);
1783 				sc->rf[i].val = val & 0xff;
1784 				sc->rf[i].reg = val >> 8;
1785 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1786 				    sc->rf[i].val);
1787 			}
1788 		}
1789 	}
1790 
1791 	/* read RF frequency offset from EEPROM */
1792 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1793 	    RT3593_EEPROM_FREQ, &val);
1794 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1795 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1796 
1797 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1798 	    RT3593_EEPROM_FREQ_LEDS, &val);
1799 	if (val >> 8 != 0xff) {
1800 		/* read LEDs operating mode */
1801 		sc->leds = val >> 8;
1802 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1803 		    RT3593_EEPROM_LED1, &sc->led[0]);
1804 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1805 		    RT3593_EEPROM_LED2, &sc->led[1]);
1806 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1807 		    RT3593_EEPROM_LED3, &sc->led[2]);
1808 	} else {
1809 		/* broken EEPROM, use default settings */
1810 		sc->leds = 0x01;
1811 		sc->led[0] = 0x5555;
1812 		sc->led[1] = 0x2221;
1813 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1814 	}
1815 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1816 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1817 
1818 	/* read RF information */
1819 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1820 		run_srom_read(sc, 0x00, &val);
1821 	else
1822 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1823 
1824 	if (val == 0xffff) {
1825 		device_printf(sc->sc_dev,
1826 		    "invalid EEPROM antenna info, using default\n");
1827 		DPRINTF("invalid EEPROM antenna info, using default\n");
1828 		if (sc->mac_ver == 0x3572) {
1829 			/* default to RF3052 2T2R */
1830 			sc->rf_rev = RT3070_RF_3052;
1831 			sc->ntxchains = 2;
1832 			sc->nrxchains = 2;
1833 		} else if (sc->mac_ver >= 0x3070) {
1834 			/* default to RF3020 1T1R */
1835 			sc->rf_rev = RT3070_RF_3020;
1836 			sc->ntxchains = 1;
1837 			sc->nrxchains = 1;
1838 		} else {
1839 			/* default to RF2820 1T2R */
1840 			sc->rf_rev = RT2860_RF_2820;
1841 			sc->ntxchains = 1;
1842 			sc->nrxchains = 2;
1843 		}
1844 	} else {
1845 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1846 			sc->rf_rev = val;
1847 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1848 		} else
1849 			sc->rf_rev = (val >> 8) & 0xf;
1850 		sc->ntxchains = (val >> 4) & 0xf;
1851 		sc->nrxchains = val & 0xf;
1852 	}
1853 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1854 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1855 
1856 	/* check if RF supports automatic Tx access gain control */
1857 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1858 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1859 	/* check if driver should patch the DAC issue */
1860 	if ((val >> 8) != 0xff)
1861 		sc->patch_dac = (val >> 15) & 1;
1862 	if ((val & 0xff) != 0xff) {
1863 		sc->ext_5ghz_lna = (val >> 3) & 1;
1864 		sc->ext_2ghz_lna = (val >> 2) & 1;
1865 		/* check if RF supports automatic Tx access gain control */
1866 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1867 		/* check if we have a hardware radio switch */
1868 		sc->rfswitch = val & 1;
1869 	}
1870 
1871 	/* Read Tx power settings. */
1872 	if (sc->mac_ver == 0x3593)
1873 		run_rt3593_get_txpower(sc);
1874 	else
1875 		run_get_txpower(sc);
1876 
1877 	/* read Tx power compensation for each Tx rate */
1878 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1879 	delta_2ghz = delta_5ghz = 0;
1880 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1881 		delta_2ghz = val & 0xf;
1882 		if (!(val & 0x40))	/* negative number */
1883 			delta_2ghz = -delta_2ghz;
1884 	}
1885 	val >>= 8;
1886 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1887 		delta_5ghz = val & 0xf;
1888 		if (!(val & 0x40))	/* negative number */
1889 			delta_5ghz = -delta_5ghz;
1890 	}
1891 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1892 	    delta_2ghz, delta_5ghz);
1893 
1894 	for (ridx = 0; ridx < 5; ridx++) {
1895 		uint32_t reg;
1896 
1897 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1898 		reg = val;
1899 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1900 		reg |= (uint32_t)val << 16;
1901 
1902 		sc->txpow20mhz[ridx] = reg;
1903 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1904 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1905 
1906 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1907 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1908 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1909 	}
1910 
1911 	/* Read RSSI offsets and LNA gains from EEPROM. */
1912 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1913 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1914 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1915 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1916 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1917 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1918 	if (sc->mac_ver >= 0x3070) {
1919 		if (sc->mac_ver == 0x3593) {
1920 			sc->txmixgain_2ghz = 0;
1921 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1922 		} else {
1923 			/*
1924 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1925 			 * field contains the Tx mixer gain for the 2GHz band.
1926 			 */
1927 			if ((val & 0xff) != 0xff)
1928 				sc->txmixgain_2ghz = val & 0x7;
1929 		}
1930 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1931 	} else
1932 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1933 	if (sc->mac_ver == 0x3593)
1934 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1935 	sc->lna[2] = val >> 8;		/* channel group 2 */
1936 
1937 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1938 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1939 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1940 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1941 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1942 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1943 	if (sc->mac_ver == 0x3572) {
1944 		/*
1945 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1946 		 * field contains the Tx mixer gain for the 5GHz band.
1947 		 */
1948 		if ((val & 0xff) != 0xff)
1949 			sc->txmixgain_5ghz = val & 0x7;
1950 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1951 	} else
1952 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1953 	if (sc->mac_ver == 0x3593) {
1954 		sc->txmixgain_5ghz = 0;
1955 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1956 	}
1957 	sc->lna[3] = val >> 8;		/* channel group 3 */
1958 
1959 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1960 	    RT3593_EEPROM_LNA, &val);
1961 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1962 	sc->lna[1] = val >> 8;		/* channel group 1 */
1963 
1964 	/* fix broken 5GHz LNA entries */
1965 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1966 		DPRINTF("invalid LNA for channel group %d\n", 2);
1967 		sc->lna[2] = sc->lna[1];
1968 	}
1969 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1970 		DPRINTF("invalid LNA for channel group %d\n", 3);
1971 		sc->lna[3] = sc->lna[1];
1972 	}
1973 
1974 	/* fix broken RSSI offset entries */
1975 	for (ant = 0; ant < 3; ant++) {
1976 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1977 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1978 			    ant + 1, sc->rssi_2ghz[ant]);
1979 			sc->rssi_2ghz[ant] = 0;
1980 		}
1981 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1982 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1983 			    ant + 1, sc->rssi_5ghz[ant]);
1984 			sc->rssi_5ghz[ant] = 0;
1985 		}
1986 	}
1987 	return (0);
1988 }
1989 
1990 static struct ieee80211_node *
1991 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1992 {
1993 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1994 }
1995 
1996 static int
1997 run_media_change(struct ifnet *ifp)
1998 {
1999 	struct ieee80211vap *vap = ifp->if_softc;
2000 	struct ieee80211com *ic = vap->iv_ic;
2001 	const struct ieee80211_txparam *tp;
2002 	struct run_softc *sc = ic->ic_ifp->if_softc;
2003 	uint8_t rate, ridx;
2004 	int error;
2005 
2006 	RUN_LOCK(sc);
2007 
2008 	error = ieee80211_media_change(ifp);
2009 	if (error != ENETRESET) {
2010 		RUN_UNLOCK(sc);
2011 		return (error);
2012 	}
2013 
2014 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2015 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2016 		struct ieee80211_node *ni;
2017 		struct run_node	*rn;
2018 
2019 		rate = ic->ic_sup_rates[ic->ic_curmode].
2020 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2021 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2022 			if (rt2860_rates[ridx].rate == rate)
2023 				break;
2024 		ni = ieee80211_ref_node(vap->iv_bss);
2025 		rn = (struct run_node *)ni;
2026 		rn->fix_ridx = ridx;
2027 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2028 		ieee80211_free_node(ni);
2029 	}
2030 
2031 #if 0
2032 	if ((ifp->if_flags & IFF_UP) &&
2033 	    (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2034 		run_init_locked(sc);
2035 	}
2036 #endif
2037 
2038 	RUN_UNLOCK(sc);
2039 
2040 	return (0);
2041 }
2042 
2043 static int
2044 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2045 {
2046 	const struct ieee80211_txparam *tp;
2047 	struct ieee80211com *ic = vap->iv_ic;
2048 	struct run_softc *sc = ic->ic_ifp->if_softc;
2049 	struct run_vap *rvp = RUN_VAP(vap);
2050 	enum ieee80211_state ostate;
2051 	uint32_t sta[3];
2052 	uint32_t tmp;
2053 	uint8_t ratectl;
2054 	uint8_t restart_ratectl = 0;
2055 	uint8_t bid = 1 << rvp->rvp_id;
2056 
2057 	ostate = vap->iv_state;
2058 	DPRINTF("%s -> %s\n",
2059 		ieee80211_state_name[ostate],
2060 		ieee80211_state_name[nstate]);
2061 
2062 	IEEE80211_UNLOCK(ic);
2063 	RUN_LOCK(sc);
2064 
2065 	ratectl = sc->ratectl_run; /* remember current state */
2066 	sc->ratectl_run = RUN_RATECTL_OFF;
2067 	usb_callout_stop(&sc->ratectl_ch);
2068 
2069 	if (ostate == IEEE80211_S_RUN) {
2070 		/* turn link LED off */
2071 		run_set_leds(sc, RT2860_LED_RADIO);
2072 	}
2073 
2074 	switch (nstate) {
2075 	case IEEE80211_S_INIT:
2076 		restart_ratectl = 1;
2077 
2078 		if (ostate != IEEE80211_S_RUN)
2079 			break;
2080 
2081 		ratectl &= ~bid;
2082 		sc->runbmap &= ~bid;
2083 
2084 		/* abort TSF synchronization if there is no vap running */
2085 		if (--sc->running == 0) {
2086 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2087 			run_write(sc, RT2860_BCN_TIME_CFG,
2088 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2089 			    RT2860_TBTT_TIMER_EN));
2090 		}
2091 		break;
2092 
2093 	case IEEE80211_S_RUN:
2094 		if (!(sc->runbmap & bid)) {
2095 			if(sc->running++)
2096 				restart_ratectl = 1;
2097 			sc->runbmap |= bid;
2098 		}
2099 
2100 		m_freem(rvp->beacon_mbuf);
2101 		rvp->beacon_mbuf = NULL;
2102 
2103 		switch (vap->iv_opmode) {
2104 		case IEEE80211_M_HOSTAP:
2105 		case IEEE80211_M_MBSS:
2106 			sc->ap_running |= bid;
2107 			ic->ic_opmode = vap->iv_opmode;
2108 			run_update_beacon_cb(vap);
2109 			break;
2110 		case IEEE80211_M_IBSS:
2111 			sc->adhoc_running |= bid;
2112 			if (!sc->ap_running)
2113 				ic->ic_opmode = vap->iv_opmode;
2114 			run_update_beacon_cb(vap);
2115 			break;
2116 		case IEEE80211_M_STA:
2117 			sc->sta_running |= bid;
2118 			if (!sc->ap_running && !sc->adhoc_running)
2119 				ic->ic_opmode = vap->iv_opmode;
2120 
2121 			/* read statistic counters (clear on read) */
2122 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2123 			    (uint8_t *)sta, sizeof sta);
2124 
2125 			break;
2126 		default:
2127 			ic->ic_opmode = vap->iv_opmode;
2128 			break;
2129 		}
2130 
2131 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2132 			struct ieee80211_node *ni;
2133 
2134 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2135 				RUN_UNLOCK(sc);
2136 				IEEE80211_LOCK(ic);
2137 				return (-1);
2138 			}
2139 			run_updateslot(ic->ic_ifp);
2140 			run_enable_mrr(sc);
2141 			run_set_txpreamble(sc);
2142 			run_set_basicrates(sc);
2143 			ni = ieee80211_ref_node(vap->iv_bss);
2144 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2145 			run_set_bssid(sc, ni->ni_bssid);
2146 			ieee80211_free_node(ni);
2147 			run_enable_tsf_sync(sc);
2148 
2149 			/* enable automatic rate adaptation */
2150 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2151 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2152 				ratectl |= bid;
2153 		}
2154 
2155 		/* turn link LED on */
2156 		run_set_leds(sc, RT2860_LED_RADIO |
2157 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2158 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2159 
2160 		break;
2161 	default:
2162 		DPRINTFN(6, "undefined case\n");
2163 		break;
2164 	}
2165 
2166 	/* restart amrr for running VAPs */
2167 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2168 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2169 
2170 	RUN_UNLOCK(sc);
2171 	IEEE80211_LOCK(ic);
2172 
2173 	return(rvp->newstate(vap, nstate, arg));
2174 }
2175 
2176 /* ARGSUSED */
2177 static void
2178 run_wme_update_cb(void *arg)
2179 {
2180 	struct ieee80211com *ic = arg;
2181 	struct run_softc *sc = ic->ic_ifp->if_softc;
2182 	struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2183 	int aci, error = 0;
2184 
2185 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2186 
2187 	/* update MAC TX configuration registers */
2188 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2189 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2190 		    wmesp->wme_params[aci].wmep_logcwmax << 16 |
2191 		    wmesp->wme_params[aci].wmep_logcwmin << 12 |
2192 		    wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2193 		    wmesp->wme_params[aci].wmep_txopLimit);
2194 		if (error) goto err;
2195 	}
2196 
2197 	/* update SCH/DMA registers too */
2198 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2199 	    wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2200 	    wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2201 	    wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2202 	    wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2203 	if (error) goto err;
2204 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2205 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2206 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2207 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2208 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2209 	if (error) goto err;
2210 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2211 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2212 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2213 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2214 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2215 	if (error) goto err;
2216 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2217 	    wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2218 	    wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2219 	if (error) goto err;
2220 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2221 	    wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2222 	    wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2223 
2224 err:
2225 	if (error)
2226 		DPRINTF("WME update failed\n");
2227 
2228 	return;
2229 }
2230 
2231 static int
2232 run_wme_update(struct ieee80211com *ic)
2233 {
2234 	struct run_softc *sc = ic->ic_ifp->if_softc;
2235 
2236 	/* sometime called wothout lock */
2237 	if (mtx_owned(&ic->ic_comlock.mtx)) {
2238 		uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2239 		DPRINTF("cmdq_store=%d\n", i);
2240 		sc->cmdq[i].func = run_wme_update_cb;
2241 		sc->cmdq[i].arg0 = ic;
2242 		ieee80211_runtask(ic, &sc->cmdq_task);
2243 		return (0);
2244 	}
2245 
2246 	RUN_LOCK(sc);
2247 	run_wme_update_cb(ic);
2248 	RUN_UNLOCK(sc);
2249 
2250 	/* return whatever, upper layer desn't care anyway */
2251 	return (0);
2252 }
2253 
2254 static void
2255 run_key_update_begin(struct ieee80211vap *vap)
2256 {
2257 	/*
2258 	 * To avoid out-of-order events, both run_key_set() and
2259 	 * _delete() are deferred and handled by run_cmdq_cb().
2260 	 * So, there is nothing we need to do here.
2261 	 */
2262 }
2263 
2264 static void
2265 run_key_update_end(struct ieee80211vap *vap)
2266 {
2267 	/* null */
2268 }
2269 
2270 static void
2271 run_key_set_cb(void *arg)
2272 {
2273 	struct run_cmdq *cmdq = arg;
2274 	struct ieee80211vap *vap = cmdq->arg1;
2275 	struct ieee80211_key *k = cmdq->k;
2276 	struct ieee80211com *ic = vap->iv_ic;
2277 	struct run_softc *sc = ic->ic_ifp->if_softc;
2278 	struct ieee80211_node *ni;
2279 	uint32_t attr;
2280 	uint16_t base, associd;
2281 	uint8_t mode, wcid, iv[8];
2282 
2283 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2284 
2285 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2286 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2287 	else
2288 		ni = vap->iv_bss;
2289 	associd = (ni != NULL) ? ni->ni_associd : 0;
2290 
2291 	/* map net80211 cipher to RT2860 security mode */
2292 	switch (k->wk_cipher->ic_cipher) {
2293 	case IEEE80211_CIPHER_WEP:
2294 		if(k->wk_keylen < 8)
2295 			mode = RT2860_MODE_WEP40;
2296 		else
2297 			mode = RT2860_MODE_WEP104;
2298 		break;
2299 	case IEEE80211_CIPHER_TKIP:
2300 		mode = RT2860_MODE_TKIP;
2301 		break;
2302 	case IEEE80211_CIPHER_AES_CCM:
2303 		mode = RT2860_MODE_AES_CCMP;
2304 		break;
2305 	default:
2306 		DPRINTF("undefined case\n");
2307 		return;
2308 	}
2309 
2310 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2311 	    associd, k->wk_keyix, mode,
2312 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2313 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2314 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2315 
2316 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2317 		wcid = 0;	/* NB: update WCID0 for group keys */
2318 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2319 	} else {
2320 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2321 		    1 : RUN_AID2WCID(associd);
2322 		base = RT2860_PKEY(wcid);
2323 	}
2324 
2325 	if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2326 		if(run_write_region_1(sc, base, k->wk_key, 16))
2327 			return;
2328 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2329 			return;
2330 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2331 			return;
2332 	} else {
2333 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2334 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2335 			return;
2336 	}
2337 
2338 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2339 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2340 		/* set initial packet number in IV+EIV */
2341 		if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2342 			memset(iv, 0, sizeof iv);
2343 			iv[3] = vap->iv_def_txkey << 6;
2344 		} else {
2345 			if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2346 				iv[0] = k->wk_keytsc >> 8;
2347 				iv[1] = (iv[0] | 0x20) & 0x7f;
2348 				iv[2] = k->wk_keytsc;
2349 			} else /* CCMP */ {
2350 				iv[0] = k->wk_keytsc;
2351 				iv[1] = k->wk_keytsc >> 8;
2352 				iv[2] = 0;
2353 			}
2354 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2355 			iv[4] = k->wk_keytsc >> 16;
2356 			iv[5] = k->wk_keytsc >> 24;
2357 			iv[6] = k->wk_keytsc >> 32;
2358 			iv[7] = k->wk_keytsc >> 40;
2359 		}
2360 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2361 			return;
2362 	}
2363 
2364 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2365 		/* install group key */
2366 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2367 			return;
2368 		attr &= ~(0xf << (k->wk_keyix * 4));
2369 		attr |= mode << (k->wk_keyix * 4);
2370 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2371 			return;
2372 	} else {
2373 		/* install pairwise key */
2374 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2375 			return;
2376 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2377 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2378 			return;
2379 	}
2380 
2381 	/* TODO create a pass-thru key entry? */
2382 
2383 	/* need wcid to delete the right key later */
2384 	k->wk_pad = wcid;
2385 }
2386 
2387 /*
2388  * Don't have to be deferred, but in order to keep order of
2389  * execution, i.e. with run_key_delete(), defer this and let
2390  * run_cmdq_cb() maintain the order.
2391  *
2392  * return 0 on error
2393  */
2394 static int
2395 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2396 		const uint8_t mac[IEEE80211_ADDR_LEN])
2397 {
2398 	struct ieee80211com *ic = vap->iv_ic;
2399 	struct run_softc *sc = ic->ic_ifp->if_softc;
2400 	uint32_t i;
2401 
2402 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2403 	DPRINTF("cmdq_store=%d\n", i);
2404 	sc->cmdq[i].func = run_key_set_cb;
2405 	sc->cmdq[i].arg0 = NULL;
2406 	sc->cmdq[i].arg1 = vap;
2407 	sc->cmdq[i].k = k;
2408 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2409 	ieee80211_runtask(ic, &sc->cmdq_task);
2410 
2411 	/*
2412 	 * To make sure key will be set when hostapd
2413 	 * calls iv_key_set() before if_init().
2414 	 */
2415 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2416 		RUN_LOCK(sc);
2417 		sc->cmdq_key_set = RUN_CMDQ_GO;
2418 		RUN_UNLOCK(sc);
2419 	}
2420 
2421 	return (1);
2422 }
2423 
2424 /*
2425  * If wlan is destroyed without being brought down i.e. without
2426  * wlan down or wpa_cli terminate, this function is called after
2427  * vap is gone. Don't refer it.
2428  */
2429 static void
2430 run_key_delete_cb(void *arg)
2431 {
2432 	struct run_cmdq *cmdq = arg;
2433 	struct run_softc *sc = cmdq->arg1;
2434 	struct ieee80211_key *k = &cmdq->key;
2435 	uint32_t attr;
2436 	uint8_t wcid;
2437 
2438 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2439 
2440 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2441 		/* remove group key */
2442 		DPRINTF("removing group key\n");
2443 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2444 		attr &= ~(0xf << (k->wk_keyix * 4));
2445 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2446 	} else {
2447 		/* remove pairwise key */
2448 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2449 		/* matching wcid was written to wk_pad in run_key_set() */
2450 		wcid = k->wk_pad;
2451 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2452 		attr &= ~0xf;
2453 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2454 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2455 	}
2456 
2457 	k->wk_pad = 0;
2458 }
2459 
2460 /*
2461  * return 0 on error
2462  */
2463 static int
2464 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2465 {
2466 	struct ieee80211com *ic = vap->iv_ic;
2467 	struct run_softc *sc = ic->ic_ifp->if_softc;
2468 	struct ieee80211_key *k0;
2469 	uint32_t i;
2470 
2471 	/*
2472 	 * When called back, key might be gone. So, make a copy
2473 	 * of some values need to delete keys before deferring.
2474 	 * But, because of LOR with node lock, cannot use lock here.
2475 	 * So, use atomic instead.
2476 	 */
2477 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2478 	DPRINTF("cmdq_store=%d\n", i);
2479 	sc->cmdq[i].func = run_key_delete_cb;
2480 	sc->cmdq[i].arg0 = NULL;
2481 	sc->cmdq[i].arg1 = sc;
2482 	k0 = &sc->cmdq[i].key;
2483 	k0->wk_flags = k->wk_flags;
2484 	k0->wk_keyix = k->wk_keyix;
2485 	/* matching wcid was written to wk_pad in run_key_set() */
2486 	k0->wk_pad = k->wk_pad;
2487 	ieee80211_runtask(ic, &sc->cmdq_task);
2488 	return (1);	/* return fake success */
2489 
2490 }
2491 
2492 static void
2493 run_ratectl_to(void *arg)
2494 {
2495 	struct run_softc *sc = arg;
2496 
2497 	/* do it in a process context, so it can go sleep */
2498 	ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2499 	/* next timeout will be rescheduled in the callback task */
2500 }
2501 
2502 /* ARGSUSED */
2503 static void
2504 run_ratectl_cb(void *arg, int pending)
2505 {
2506 	struct run_softc *sc = arg;
2507 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2508 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2509 
2510 	if (vap == NULL)
2511 		return;
2512 
2513 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2514 		/*
2515 		 * run_reset_livelock() doesn't do anything with AMRR,
2516 		 * but Ralink wants us to call it every 1 sec. So, we
2517 		 * piggyback here rather than creating another callout.
2518 		 * Livelock may occur only in HOSTAP or IBSS mode
2519 		 * (when h/w is sending beacons).
2520 		 */
2521 		RUN_LOCK(sc);
2522 		run_reset_livelock(sc);
2523 		/* just in case, there are some stats to drain */
2524 		run_drain_fifo(sc);
2525 		RUN_UNLOCK(sc);
2526 	}
2527 
2528 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2529 
2530 	RUN_LOCK(sc);
2531 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2532 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2533 	RUN_UNLOCK(sc);
2534 }
2535 
2536 static void
2537 run_drain_fifo(void *arg)
2538 {
2539 	struct run_softc *sc = arg;
2540 	struct ifnet *ifp = sc->sc_ifp;
2541 	uint32_t stat;
2542 	uint16_t (*wstat)[3];
2543 	uint8_t wcid, mcs, pid;
2544 	int8_t retry;
2545 
2546 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2547 
2548 	for (;;) {
2549 		/* drain Tx status FIFO (maxsize = 16) */
2550 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2551 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2552 		if (!(stat & RT2860_TXQ_VLD))
2553 			break;
2554 
2555 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2556 
2557 		/* if no ACK was requested, no feedback is available */
2558 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2559 		    wcid == 0)
2560 			continue;
2561 
2562 		/*
2563 		 * Even though each stat is Tx-complete-status like format,
2564 		 * the device can poll stats. Because there is no guarantee
2565 		 * that the referring node is still around when read the stats.
2566 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2567 		 * have hard time not to refer already freed node.
2568 		 *
2569 		 * To eliminate such page faults, we poll stats in softc.
2570 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2571 		 */
2572 		wstat = &(sc->wcid_stats[wcid]);
2573 		(*wstat)[RUN_TXCNT]++;
2574 		if (stat & RT2860_TXQ_OK)
2575 			(*wstat)[RUN_SUCCESS]++;
2576 		else
2577 			if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
2578 		/*
2579 		 * Check if there were retries, ie if the Tx success rate is
2580 		 * different from the requested rate. Note that it works only
2581 		 * because we do not allow rate fallback from OFDM to CCK.
2582 		 */
2583 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2584 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2585 		if ((retry = pid -1 - mcs) > 0) {
2586 			(*wstat)[RUN_TXCNT] += retry;
2587 			(*wstat)[RUN_RETRY] += retry;
2588 		}
2589 	}
2590 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2591 
2592 	sc->fifo_cnt = 0;
2593 }
2594 
2595 static void
2596 run_iter_func(void *arg, struct ieee80211_node *ni)
2597 {
2598 	struct run_softc *sc = arg;
2599 	struct ieee80211vap *vap = ni->ni_vap;
2600 	struct ieee80211com *ic = ni->ni_ic;
2601 	struct ifnet *ifp = ic->ic_ifp;
2602 	struct run_node *rn = (void *)ni;
2603 	union run_stats sta[2];
2604 	uint16_t (*wstat)[3];
2605 	int txcnt, success, retrycnt, error;
2606 
2607 	RUN_LOCK(sc);
2608 
2609 	/* Check for special case */
2610 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2611 	    ni != vap->iv_bss)
2612 		goto fail;
2613 
2614 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2615 	    vap->iv_opmode == IEEE80211_M_STA)) {
2616 		/* read statistic counters (clear on read) and update AMRR state */
2617 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2618 		    sizeof sta);
2619 		if (error != 0)
2620 			goto fail;
2621 
2622 		/* count failed TX as errors */
2623 		if_inc_counter(ifp, IFCOUNTER_OERRORS, le16toh(sta[0].error.fail));
2624 
2625 		retrycnt = le16toh(sta[1].tx.retry);
2626 		success = le16toh(sta[1].tx.success);
2627 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2628 
2629 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2630 			retrycnt, success, le16toh(sta[0].error.fail));
2631 	} else {
2632 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2633 
2634 		if (wstat == &(sc->wcid_stats[0]) ||
2635 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2636 			goto fail;
2637 
2638 		txcnt = (*wstat)[RUN_TXCNT];
2639 		success = (*wstat)[RUN_SUCCESS];
2640 		retrycnt = (*wstat)[RUN_RETRY];
2641 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2642 		    retrycnt, txcnt, success);
2643 
2644 		memset(wstat, 0, sizeof(*wstat));
2645 	}
2646 
2647 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2648 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2649 
2650 fail:
2651 	RUN_UNLOCK(sc);
2652 
2653 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2654 }
2655 
2656 static void
2657 run_newassoc_cb(void *arg)
2658 {
2659 	struct run_cmdq *cmdq = arg;
2660 	struct ieee80211_node *ni = cmdq->arg1;
2661 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2662 	uint8_t wcid = cmdq->wcid;
2663 
2664 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2665 
2666 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2667 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2668 
2669 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2670 }
2671 
2672 static void
2673 run_newassoc(struct ieee80211_node *ni, int isnew)
2674 {
2675 	struct run_node *rn = (void *)ni;
2676 	struct ieee80211_rateset *rs = &ni->ni_rates;
2677 	struct ieee80211vap *vap = ni->ni_vap;
2678 	struct ieee80211com *ic = vap->iv_ic;
2679 	struct run_softc *sc = ic->ic_ifp->if_softc;
2680 	uint8_t rate;
2681 	uint8_t ridx;
2682 	uint8_t wcid;
2683 	int i, j;
2684 
2685 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2686 	    1 : RUN_AID2WCID(ni->ni_associd);
2687 
2688 	if (wcid > RT2870_WCID_MAX) {
2689 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2690 		return;
2691 	}
2692 
2693 	/* only interested in true associations */
2694 	if (isnew && ni->ni_associd != 0) {
2695 
2696 		/*
2697 		 * This function could is called though timeout function.
2698 		 * Need to defer.
2699 		 */
2700 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2701 		DPRINTF("cmdq_store=%d\n", cnt);
2702 		sc->cmdq[cnt].func = run_newassoc_cb;
2703 		sc->cmdq[cnt].arg0 = NULL;
2704 		sc->cmdq[cnt].arg1 = ni;
2705 		sc->cmdq[cnt].wcid = wcid;
2706 		ieee80211_runtask(ic, &sc->cmdq_task);
2707 	}
2708 
2709 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2710 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2711 
2712 	for (i = 0; i < rs->rs_nrates; i++) {
2713 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2714 		/* convert 802.11 rate to hardware rate index */
2715 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2716 			if (rt2860_rates[ridx].rate == rate)
2717 				break;
2718 		rn->ridx[i] = ridx;
2719 		/* determine rate of control response frames */
2720 		for (j = i; j >= 0; j--) {
2721 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2722 			    rt2860_rates[rn->ridx[i]].phy ==
2723 			    rt2860_rates[rn->ridx[j]].phy)
2724 				break;
2725 		}
2726 		if (j >= 0) {
2727 			rn->ctl_ridx[i] = rn->ridx[j];
2728 		} else {
2729 			/* no basic rate found, use mandatory one */
2730 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2731 		}
2732 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2733 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2734 	}
2735 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2736 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2737 		if (rt2860_rates[ridx].rate == rate)
2738 			break;
2739 	rn->mgt_ridx = ridx;
2740 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2741 
2742 	RUN_LOCK(sc);
2743 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2744 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2745 	RUN_UNLOCK(sc);
2746 }
2747 
2748 /*
2749  * Return the Rx chain with the highest RSSI for a given frame.
2750  */
2751 static __inline uint8_t
2752 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2753 {
2754 	uint8_t rxchain = 0;
2755 
2756 	if (sc->nrxchains > 1) {
2757 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2758 			rxchain = 1;
2759 		if (sc->nrxchains > 2)
2760 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2761 				rxchain = 2;
2762 	}
2763 	return (rxchain);
2764 }
2765 
2766 static void
2767 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2768 {
2769 	struct ifnet *ifp = sc->sc_ifp;
2770 	struct ieee80211com *ic = ifp->if_l2com;
2771 	struct ieee80211_frame *wh;
2772 	struct ieee80211_node *ni;
2773 	struct rt2870_rxd *rxd;
2774 	struct rt2860_rxwi *rxwi;
2775 	uint32_t flags;
2776 	uint16_t len, rxwisize;
2777 	uint8_t ant, rssi;
2778 	int8_t nf;
2779 
2780 	rxwi = mtod(m, struct rt2860_rxwi *);
2781 	len = le16toh(rxwi->len) & 0xfff;
2782 	rxwisize = sizeof(struct rt2860_rxwi);
2783 	if (sc->mac_ver == 0x5592)
2784 		rxwisize += sizeof(uint64_t);
2785 	else if (sc->mac_ver == 0x3593)
2786 		rxwisize += sizeof(uint32_t);
2787 	if (__predict_false(len > dmalen)) {
2788 		m_freem(m);
2789 		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
2790 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2791 		return;
2792 	}
2793 	/* Rx descriptor is located at the end */
2794 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2795 	flags = le32toh(rxd->flags);
2796 
2797 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2798 		m_freem(m);
2799 		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
2800 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2801 		return;
2802 	}
2803 
2804 	m->m_data += rxwisize;
2805 	m->m_pkthdr.len = m->m_len -= rxwisize;
2806 
2807 	wh = mtod(m, struct ieee80211_frame *);
2808 
2809 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2810 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2811 		m->m_flags |= M_WEP;
2812 	}
2813 
2814 	if (flags & RT2860_RX_L2PAD) {
2815 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2816 		len += 2;
2817 	}
2818 
2819 	ni = ieee80211_find_rxnode(ic,
2820 	    mtod(m, struct ieee80211_frame_min *));
2821 
2822 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2823 		/* report MIC failures to net80211 for TKIP */
2824 		if (ni != NULL)
2825 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2826 			    rxwi->keyidx);
2827 		m_freem(m);
2828 		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
2829 		DPRINTF("MIC error. Someone is lying.\n");
2830 		return;
2831 	}
2832 
2833 	ant = run_maxrssi_chain(sc, rxwi);
2834 	rssi = rxwi->rssi[ant];
2835 	nf = run_rssi2dbm(sc, rssi, ant);
2836 
2837 	m->m_pkthdr.rcvif = ifp;
2838 	m->m_pkthdr.len = m->m_len = len;
2839 
2840 	if (ni != NULL) {
2841 		(void)ieee80211_input(ni, m, rssi, nf);
2842 		ieee80211_free_node(ni);
2843 	} else {
2844 		(void)ieee80211_input_all(ic, m, rssi, nf);
2845 	}
2846 
2847 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2848 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2849 		uint16_t phy;
2850 
2851 		tap->wr_flags = 0;
2852 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2853 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2854 		tap->wr_antsignal = rssi;
2855 		tap->wr_antenna = ant;
2856 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2857 		tap->wr_rate = 2;	/* in case it can't be found below */
2858 		phy = le16toh(rxwi->phy);
2859 		switch (phy & RT2860_PHY_MODE) {
2860 		case RT2860_PHY_CCK:
2861 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2862 			case 0:	tap->wr_rate =   2; break;
2863 			case 1:	tap->wr_rate =   4; break;
2864 			case 2:	tap->wr_rate =  11; break;
2865 			case 3:	tap->wr_rate =  22; break;
2866 			}
2867 			if (phy & RT2860_PHY_SHPRE)
2868 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2869 			break;
2870 		case RT2860_PHY_OFDM:
2871 			switch (phy & RT2860_PHY_MCS) {
2872 			case 0:	tap->wr_rate =  12; break;
2873 			case 1:	tap->wr_rate =  18; break;
2874 			case 2:	tap->wr_rate =  24; break;
2875 			case 3:	tap->wr_rate =  36; break;
2876 			case 4:	tap->wr_rate =  48; break;
2877 			case 5:	tap->wr_rate =  72; break;
2878 			case 6:	tap->wr_rate =  96; break;
2879 			case 7:	tap->wr_rate = 108; break;
2880 			}
2881 			break;
2882 		}
2883 	}
2884 }
2885 
2886 static void
2887 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2888 {
2889 	struct run_softc *sc = usbd_xfer_softc(xfer);
2890 	struct ifnet *ifp = sc->sc_ifp;
2891 	struct mbuf *m = NULL;
2892 	struct mbuf *m0;
2893 	uint32_t dmalen;
2894 	uint16_t rxwisize;
2895 	int xferlen;
2896 
2897 	rxwisize = sizeof(struct rt2860_rxwi);
2898 	if (sc->mac_ver == 0x5592)
2899 		rxwisize += sizeof(uint64_t);
2900 	else if (sc->mac_ver == 0x3593)
2901 		rxwisize += sizeof(uint32_t);
2902 
2903 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2904 
2905 	switch (USB_GET_STATE(xfer)) {
2906 	case USB_ST_TRANSFERRED:
2907 
2908 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2909 
2910 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2911 		    sizeof(struct rt2870_rxd))) {
2912 			DPRINTF("xfer too short %d\n", xferlen);
2913 			goto tr_setup;
2914 		}
2915 
2916 		m = sc->rx_m;
2917 		sc->rx_m = NULL;
2918 
2919 		/* FALLTHROUGH */
2920 	case USB_ST_SETUP:
2921 tr_setup:
2922 		if (sc->rx_m == NULL) {
2923 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2924 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2925 		}
2926 		if (sc->rx_m == NULL) {
2927 			DPRINTF("could not allocate mbuf - idle with stall\n");
2928 			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
2929 			usbd_xfer_set_stall(xfer);
2930 			usbd_xfer_set_frames(xfer, 0);
2931 		} else {
2932 			/*
2933 			 * Directly loading a mbuf cluster into DMA to
2934 			 * save some data copying. This works because
2935 			 * there is only one cluster.
2936 			 */
2937 			usbd_xfer_set_frame_data(xfer, 0,
2938 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2939 			usbd_xfer_set_frames(xfer, 1);
2940 		}
2941 		usbd_transfer_submit(xfer);
2942 		break;
2943 
2944 	default:	/* Error */
2945 		if (error != USB_ERR_CANCELLED) {
2946 			/* try to clear stall first */
2947 			usbd_xfer_set_stall(xfer);
2948 
2949 			if (error == USB_ERR_TIMEOUT)
2950 				device_printf(sc->sc_dev, "device timeout\n");
2951 
2952 			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
2953 
2954 			goto tr_setup;
2955 		}
2956 		if (sc->rx_m != NULL) {
2957 			m_freem(sc->rx_m);
2958 			sc->rx_m = NULL;
2959 		}
2960 		break;
2961 	}
2962 
2963 	if (m == NULL)
2964 		return;
2965 
2966 	/* inputting all the frames must be last */
2967 
2968 	RUN_UNLOCK(sc);
2969 
2970 	m->m_pkthdr.len = m->m_len = xferlen;
2971 
2972 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2973 	for(;;) {
2974 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2975 
2976 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2977 		    ((dmalen & 3) != 0)) {
2978 			DPRINTF("bad DMA length %u\n", dmalen);
2979 			break;
2980 		}
2981 		if ((dmalen + 8) > (uint32_t)xferlen) {
2982 			DPRINTF("bad DMA length %u > %d\n",
2983 			dmalen + 8, xferlen);
2984 			break;
2985 		}
2986 
2987 		/* If it is the last one or a single frame, we won't copy. */
2988 		if ((xferlen -= dmalen + 8) <= 8) {
2989 			/* trim 32-bit DMA-len header */
2990 			m->m_data += 4;
2991 			m->m_pkthdr.len = m->m_len -= 4;
2992 			run_rx_frame(sc, m, dmalen);
2993 			m = NULL;	/* don't free source buffer */
2994 			break;
2995 		}
2996 
2997 		/* copy aggregated frames to another mbuf */
2998 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2999 		if (__predict_false(m0 == NULL)) {
3000 			DPRINTF("could not allocate mbuf\n");
3001 			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
3002 			break;
3003 		}
3004 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
3005 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
3006 		m0->m_pkthdr.len = m0->m_len =
3007 		    dmalen + sizeof(struct rt2870_rxd);
3008 		run_rx_frame(sc, m0, dmalen);
3009 
3010 		/* update data ptr */
3011 		m->m_data += dmalen + 8;
3012 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
3013 	}
3014 
3015 	/* make sure we free the source buffer, if any */
3016 	m_freem(m);
3017 
3018 	RUN_LOCK(sc);
3019 }
3020 
3021 static void
3022 run_tx_free(struct run_endpoint_queue *pq,
3023     struct run_tx_data *data, int txerr)
3024 {
3025 	if (data->m != NULL) {
3026 		if (data->m->m_flags & M_TXCB)
3027 			ieee80211_process_callback(data->ni, data->m,
3028 			    txerr ? ETIMEDOUT : 0);
3029 		m_freem(data->m);
3030 		data->m = NULL;
3031 
3032 		if (data->ni == NULL) {
3033 			DPRINTF("no node\n");
3034 		} else {
3035 			ieee80211_free_node(data->ni);
3036 			data->ni = NULL;
3037 		}
3038 	}
3039 
3040 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3041 	pq->tx_nfree++;
3042 }
3043 
3044 static void
3045 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3046 {
3047 	struct run_softc *sc = usbd_xfer_softc(xfer);
3048 	struct ifnet *ifp = sc->sc_ifp;
3049 	struct ieee80211com *ic = ifp->if_l2com;
3050 	struct run_tx_data *data;
3051 	struct ieee80211vap *vap = NULL;
3052 	struct usb_page_cache *pc;
3053 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3054 	struct mbuf *m;
3055 	usb_frlength_t size;
3056 	int actlen;
3057 	int sumlen;
3058 
3059 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3060 
3061 	switch (USB_GET_STATE(xfer)) {
3062 	case USB_ST_TRANSFERRED:
3063 		DPRINTFN(11, "transfer complete: %d "
3064 		    "bytes @ index %d\n", actlen, index);
3065 
3066 		data = usbd_xfer_get_priv(xfer);
3067 
3068 		run_tx_free(pq, data, 0);
3069 		ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3070 
3071 		usbd_xfer_set_priv(xfer, NULL);
3072 
3073 		if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
3074 
3075 		/* FALLTHROUGH */
3076 	case USB_ST_SETUP:
3077 tr_setup:
3078 		data = STAILQ_FIRST(&pq->tx_qh);
3079 		if (data == NULL)
3080 			break;
3081 
3082 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3083 
3084 		m = data->m;
3085 		size = (sc->mac_ver == 0x5592) ?
3086 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3087 		if ((m->m_pkthdr.len +
3088 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3089 			DPRINTF("data overflow, %u bytes\n",
3090 			    m->m_pkthdr.len);
3091 
3092 			if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
3093 
3094 			run_tx_free(pq, data, 1);
3095 
3096 			goto tr_setup;
3097 		}
3098 
3099 		pc = usbd_xfer_get_frame(xfer, 0);
3100 		usbd_copy_in(pc, 0, &data->desc, size);
3101 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3102 		size += m->m_pkthdr.len;
3103 		/*
3104 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3105 		 * 4-byte padding), and be sure to zero those trailing
3106 		 * bytes:
3107 		 */
3108 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3109 		size += ((-size) & 3) + 8;
3110 
3111 		vap = data->ni->ni_vap;
3112 		if (ieee80211_radiotap_active_vap(vap)) {
3113 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3114 			struct rt2860_txwi *txwi =
3115 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3116 			tap->wt_flags = 0;
3117 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3118 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3119 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3120 			tap->wt_hwqueue = index;
3121 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3122 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3123 
3124 			ieee80211_radiotap_tx(vap, m);
3125 		}
3126 
3127 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3128 		    m->m_pkthdr.len, size, index);
3129 
3130 		usbd_xfer_set_frame_len(xfer, 0, size);
3131 		usbd_xfer_set_priv(xfer, data);
3132 
3133 		usbd_transfer_submit(xfer);
3134 
3135 		RUN_UNLOCK(sc);
3136 		run_start(ifp);
3137 		RUN_LOCK(sc);
3138 
3139 		break;
3140 
3141 	default:
3142 		DPRINTF("USB transfer error, %s\n",
3143 		    usbd_errstr(error));
3144 
3145 		data = usbd_xfer_get_priv(xfer);
3146 
3147 		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
3148 
3149 		if (data != NULL) {
3150 			if(data->ni != NULL)
3151 				vap = data->ni->ni_vap;
3152 			run_tx_free(pq, data, error);
3153 			usbd_xfer_set_priv(xfer, NULL);
3154 		}
3155 		if (vap == NULL)
3156 			vap = TAILQ_FIRST(&ic->ic_vaps);
3157 
3158 		if (error != USB_ERR_CANCELLED) {
3159 			if (error == USB_ERR_TIMEOUT) {
3160 				device_printf(sc->sc_dev, "device timeout\n");
3161 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3162 				DPRINTF("cmdq_store=%d\n", i);
3163 				sc->cmdq[i].func = run_usb_timeout_cb;
3164 				sc->cmdq[i].arg0 = vap;
3165 				ieee80211_runtask(ic, &sc->cmdq_task);
3166 			}
3167 
3168 			/*
3169 			 * Try to clear stall first, also if other
3170 			 * errors occur, hence clearing stall
3171 			 * introduces a 50 ms delay:
3172 			 */
3173 			usbd_xfer_set_stall(xfer);
3174 			goto tr_setup;
3175 		}
3176 		break;
3177 	}
3178 }
3179 
3180 static void
3181 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3182 {
3183 	run_bulk_tx_callbackN(xfer, error, 0);
3184 }
3185 
3186 static void
3187 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3188 {
3189 	run_bulk_tx_callbackN(xfer, error, 1);
3190 }
3191 
3192 static void
3193 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3194 {
3195 	run_bulk_tx_callbackN(xfer, error, 2);
3196 }
3197 
3198 static void
3199 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3200 {
3201 	run_bulk_tx_callbackN(xfer, error, 3);
3202 }
3203 
3204 static void
3205 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3206 {
3207 	run_bulk_tx_callbackN(xfer, error, 4);
3208 }
3209 
3210 static void
3211 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3212 {
3213 	run_bulk_tx_callbackN(xfer, error, 5);
3214 }
3215 
3216 static void
3217 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3218 {
3219 	struct mbuf *m = data->m;
3220 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3221 	struct ieee80211vap *vap = data->ni->ni_vap;
3222 	struct ieee80211_frame *wh;
3223 	struct rt2870_txd *txd;
3224 	struct rt2860_txwi *txwi;
3225 	uint16_t xferlen, txwisize;
3226 	uint16_t mcs;
3227 	uint8_t ridx = data->ridx;
3228 	uint8_t pad;
3229 
3230 	/* get MCS code from rate index */
3231 	mcs = rt2860_rates[ridx].mcs;
3232 
3233 	txwisize = (sc->mac_ver == 0x5592) ?
3234 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3235 	xferlen = txwisize + m->m_pkthdr.len;
3236 
3237 	/* roundup to 32-bit alignment */
3238 	xferlen = (xferlen + 3) & ~3;
3239 
3240 	txd = (struct rt2870_txd *)&data->desc;
3241 	txd->len = htole16(xferlen);
3242 
3243 	wh = mtod(m, struct ieee80211_frame *);
3244 
3245 	/*
3246 	 * Ether both are true or both are false, the header
3247 	 * are nicely aligned to 32-bit. So, no L2 padding.
3248 	 */
3249 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3250 		pad = 0;
3251 	else
3252 		pad = 2;
3253 
3254 	/* setup TX Wireless Information */
3255 	txwi = (struct rt2860_txwi *)(txd + 1);
3256 	txwi->len = htole16(m->m_pkthdr.len - pad);
3257 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3258 		mcs |= RT2860_PHY_CCK;
3259 		if (ridx != RT2860_RIDX_CCK1 &&
3260 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3261 			mcs |= RT2860_PHY_SHPRE;
3262 	} else
3263 		mcs |= RT2860_PHY_OFDM;
3264 	txwi->phy = htole16(mcs);
3265 
3266 	/* check if RTS/CTS or CTS-to-self protection is required */
3267 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3268 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3269 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3270 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3271 		txwi->txop |= RT2860_TX_TXOP_HT;
3272 	else
3273 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3274 
3275 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3276 		txwi->xflags |= RT2860_TX_NSEQ;
3277 }
3278 
3279 /* This function must be called locked */
3280 static int
3281 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3282 {
3283 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3284 	struct ieee80211vap *vap = ni->ni_vap;
3285 	struct ieee80211_frame *wh;
3286 	struct ieee80211_channel *chan;
3287 	const struct ieee80211_txparam *tp;
3288 	struct run_node *rn = (void *)ni;
3289 	struct run_tx_data *data;
3290 	struct rt2870_txd *txd;
3291 	struct rt2860_txwi *txwi;
3292 	uint16_t qos;
3293 	uint16_t dur;
3294 	uint16_t qid;
3295 	uint8_t type;
3296 	uint8_t tid;
3297 	uint8_t ridx;
3298 	uint8_t ctl_ridx;
3299 	uint8_t qflags;
3300 	uint8_t xflags = 0;
3301 	int hasqos;
3302 
3303 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3304 
3305 	wh = mtod(m, struct ieee80211_frame *);
3306 
3307 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3308 
3309 	/*
3310 	 * There are 7 bulk endpoints: 1 for RX
3311 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3312 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3313 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3314 	 */
3315 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3316 		uint8_t *frm;
3317 
3318 		if(IEEE80211_HAS_ADDR4(wh))
3319 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3320 		else
3321 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3322 
3323 		qos = le16toh(*(const uint16_t *)frm);
3324 		tid = qos & IEEE80211_QOS_TID;
3325 		qid = TID_TO_WME_AC(tid);
3326 	} else {
3327 		qos = 0;
3328 		tid = 0;
3329 		qid = WME_AC_BE;
3330 	}
3331 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3332 
3333 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3334 	    qos, qid, tid, qflags);
3335 
3336 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3337 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3338 
3339 	/* pickup a rate index */
3340 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3341 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3342 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3343 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3344 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3345 	} else {
3346 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3347 			ridx = rn->fix_ridx;
3348 		else
3349 			ridx = rn->amrr_ridx;
3350 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3351 	}
3352 
3353 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3354 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3355 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3356 		xflags |= RT2860_TX_ACK;
3357 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3358 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3359 		else
3360 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3361 		USETW(wh->i_dur, dur);
3362 	}
3363 
3364 	/* reserve slots for mgmt packets, just in case */
3365 	if (sc->sc_epq[qid].tx_nfree < 3) {
3366 		DPRINTFN(10, "tx ring %d is full\n", qid);
3367 		return (-1);
3368 	}
3369 
3370 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3371 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3372 	sc->sc_epq[qid].tx_nfree--;
3373 
3374 	txd = (struct rt2870_txd *)&data->desc;
3375 	txd->flags = qflags;
3376 	txwi = (struct rt2860_txwi *)(txd + 1);
3377 	txwi->xflags = xflags;
3378 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3379 		txwi->wcid = 0;
3380 	else
3381 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3382 		    1 : RUN_AID2WCID(ni->ni_associd);
3383 
3384 	/* clear leftover garbage bits */
3385 	txwi->flags = 0;
3386 	txwi->txop = 0;
3387 
3388 	data->m = m;
3389 	data->ni = ni;
3390 	data->ridx = ridx;
3391 
3392 	run_set_tx_desc(sc, data);
3393 
3394 	/*
3395 	 * The chip keeps track of 2 kind of Tx stats,
3396 	 *  * TX_STAT_FIFO, for per WCID stats, and
3397 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3398 	 *
3399 	 * To use FIFO stats, we need to store MCS into the driver-private
3400  	 * PacketID field. So that, we can tell whose stats when we read them.
3401  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3402  	 * that we don't want feedback in TX_STAT_FIFO.
3403  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3404  	 *
3405  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3406  	 */
3407 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3408 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3409 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3410 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3411 
3412 		/*
3413 		 * Unlike PCI based devices, we don't get any interrupt from
3414 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3415 		 * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3416 		 * quickly get fulled. To prevent overflow, increment a counter on
3417 		 * every FIFO stat request, so we know how many slots are left.
3418 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3419 		 * are used only in those modes.
3420 		 * We just drain stats. AMRR gets updated every 1 sec by
3421 		 * run_ratectl_cb() via callout.
3422 		 * Call it early. Otherwise overflow.
3423 		 */
3424 		if (sc->fifo_cnt++ == 10) {
3425 			/*
3426 			 * With multiple vaps or if_bridge, if_start() is called
3427 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3428 			 */
3429 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3430 			DPRINTFN(6, "cmdq_store=%d\n", i);
3431 			sc->cmdq[i].func = run_drain_fifo;
3432 			sc->cmdq[i].arg0 = sc;
3433 			ieee80211_runtask(ic, &sc->cmdq_task);
3434 		}
3435 	}
3436 
3437         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3438 
3439 	usbd_transfer_start(sc->sc_xfer[qid]);
3440 
3441 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3442 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3443 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3444 
3445 	return (0);
3446 }
3447 
3448 static int
3449 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3450 {
3451 	struct ifnet *ifp = sc->sc_ifp;
3452 	struct ieee80211com *ic = ifp->if_l2com;
3453 	struct run_node *rn = (void *)ni;
3454 	struct run_tx_data *data;
3455 	struct ieee80211_frame *wh;
3456 	struct rt2870_txd *txd;
3457 	struct rt2860_txwi *txwi;
3458 	uint16_t dur;
3459 	uint8_t ridx = rn->mgt_ridx;
3460 	uint8_t type;
3461 	uint8_t xflags = 0;
3462 	uint8_t wflags = 0;
3463 
3464 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3465 
3466 	wh = mtod(m, struct ieee80211_frame *);
3467 
3468 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3469 
3470 	/* tell hardware to add timestamp for probe responses */
3471 	if ((wh->i_fc[0] &
3472 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3473 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3474 		wflags |= RT2860_TX_TS;
3475 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3476 		xflags |= RT2860_TX_ACK;
3477 
3478 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3479 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3480 		USETW(wh->i_dur, dur);
3481 	}
3482 
3483 	if (sc->sc_epq[0].tx_nfree == 0) {
3484 		/* let caller free mbuf */
3485 		ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3486 		return (EIO);
3487 	}
3488 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3489 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3490 	sc->sc_epq[0].tx_nfree--;
3491 
3492 	txd = (struct rt2870_txd *)&data->desc;
3493 	txd->flags = RT2860_TX_QSEL_EDCA;
3494 	txwi = (struct rt2860_txwi *)(txd + 1);
3495 	txwi->wcid = 0xff;
3496 	txwi->flags = wflags;
3497 	txwi->xflags = xflags;
3498 	txwi->txop = 0;	/* clear leftover garbage bits */
3499 
3500 	data->m = m;
3501 	data->ni = ni;
3502 	data->ridx = ridx;
3503 
3504 	run_set_tx_desc(sc, data);
3505 
3506 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3507 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3508 	    rt2860_rates[ridx].rate);
3509 
3510 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3511 
3512 	usbd_transfer_start(sc->sc_xfer[0]);
3513 
3514 	return (0);
3515 }
3516 
3517 static int
3518 run_sendprot(struct run_softc *sc,
3519     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3520 {
3521 	struct ieee80211com *ic = ni->ni_ic;
3522 	struct ieee80211_frame *wh;
3523 	struct run_tx_data *data;
3524 	struct rt2870_txd *txd;
3525 	struct rt2860_txwi *txwi;
3526 	struct mbuf *mprot;
3527 	int ridx;
3528 	int protrate;
3529 	int ackrate;
3530 	int pktlen;
3531 	int isshort;
3532 	uint16_t dur;
3533 	uint8_t type;
3534 	uint8_t wflags = 0;
3535 	uint8_t xflags = 0;
3536 
3537 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3538 
3539 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3540 	    ("protection %d", prot));
3541 
3542 	wh = mtod(m, struct ieee80211_frame *);
3543 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3544 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3545 
3546 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3547 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3548 
3549 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3550 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3551 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3552 	wflags = RT2860_TX_FRAG;
3553 
3554 	/* check that there are free slots before allocating the mbuf */
3555 	if (sc->sc_epq[0].tx_nfree == 0) {
3556 		/* let caller free mbuf */
3557 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3558 		return (ENOBUFS);
3559 	}
3560 
3561 	if (prot == IEEE80211_PROT_RTSCTS) {
3562 		/* NB: CTS is the same size as an ACK */
3563 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3564 		xflags |= RT2860_TX_ACK;
3565 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3566 	} else {
3567 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3568 	}
3569 	if (mprot == NULL) {
3570 		if_inc_counter(sc->sc_ifp, IFCOUNTER_OERRORS, 1);
3571 		DPRINTF("could not allocate mbuf\n");
3572 		return (ENOBUFS);
3573 	}
3574 
3575         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3576         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3577         sc->sc_epq[0].tx_nfree--;
3578 
3579 	txd = (struct rt2870_txd *)&data->desc;
3580 	txd->flags = RT2860_TX_QSEL_EDCA;
3581 	txwi = (struct rt2860_txwi *)(txd + 1);
3582 	txwi->wcid = 0xff;
3583 	txwi->flags = wflags;
3584 	txwi->xflags = xflags;
3585 	txwi->txop = 0;	/* clear leftover garbage bits */
3586 
3587 	data->m = mprot;
3588 	data->ni = ieee80211_ref_node(ni);
3589 
3590 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3591 		if (rt2860_rates[ridx].rate == protrate)
3592 			break;
3593 	data->ridx = ridx;
3594 
3595 	run_set_tx_desc(sc, data);
3596 
3597         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3598             m->m_pkthdr.len, rate);
3599 
3600         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3601 
3602 	usbd_transfer_start(sc->sc_xfer[0]);
3603 
3604 	return (0);
3605 }
3606 
3607 static int
3608 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3609     const struct ieee80211_bpf_params *params)
3610 {
3611 	struct ieee80211com *ic = ni->ni_ic;
3612 	struct ieee80211_frame *wh;
3613 	struct run_tx_data *data;
3614 	struct rt2870_txd *txd;
3615 	struct rt2860_txwi *txwi;
3616 	uint8_t type;
3617 	uint8_t ridx;
3618 	uint8_t rate;
3619 	uint8_t opflags = 0;
3620 	uint8_t xflags = 0;
3621 	int error;
3622 
3623 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3624 
3625 	KASSERT(params != NULL, ("no raw xmit params"));
3626 
3627 	wh = mtod(m, struct ieee80211_frame *);
3628 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3629 
3630 	rate = params->ibp_rate0;
3631 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3632 		/* let caller free mbuf */
3633 		return (EINVAL);
3634 	}
3635 
3636 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3637 		xflags |= RT2860_TX_ACK;
3638 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3639 		error = run_sendprot(sc, m, ni,
3640 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3641 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3642 		    rate);
3643 		if (error) {
3644 			/* let caller free mbuf */
3645 			return error;
3646 		}
3647 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3648 	}
3649 
3650 	if (sc->sc_epq[0].tx_nfree == 0) {
3651 		/* let caller free mbuf */
3652 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3653 		DPRINTF("sending raw frame, but tx ring is full\n");
3654 		return (EIO);
3655 	}
3656         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3657         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3658         sc->sc_epq[0].tx_nfree--;
3659 
3660 	txd = (struct rt2870_txd *)&data->desc;
3661 	txd->flags = RT2860_TX_QSEL_EDCA;
3662 	txwi = (struct rt2860_txwi *)(txd + 1);
3663 	txwi->wcid = 0xff;
3664 	txwi->xflags = xflags;
3665 	txwi->txop = opflags;
3666 	txwi->flags = 0;	/* clear leftover garbage bits */
3667 
3668         data->m = m;
3669         data->ni = ni;
3670 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3671 		if (rt2860_rates[ridx].rate == rate)
3672 			break;
3673 	data->ridx = ridx;
3674 
3675         run_set_tx_desc(sc, data);
3676 
3677         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3678             m->m_pkthdr.len, rate);
3679 
3680         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3681 
3682 	usbd_transfer_start(sc->sc_xfer[0]);
3683 
3684         return (0);
3685 }
3686 
3687 static int
3688 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3689     const struct ieee80211_bpf_params *params)
3690 {
3691 	struct ifnet *ifp = ni->ni_ic->ic_ifp;
3692 	struct run_softc *sc = ifp->if_softc;
3693 	int error = 0;
3694 
3695 	RUN_LOCK(sc);
3696 
3697 	/* prevent management frames from being sent if we're not ready */
3698 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3699 		error =  ENETDOWN;
3700 		goto done;
3701 	}
3702 
3703 	if (params == NULL) {
3704 		/* tx mgt packet */
3705 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3706 			if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
3707 			DPRINTF("mgt tx failed\n");
3708 			goto done;
3709 		}
3710 	} else {
3711 		/* tx raw packet with param */
3712 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3713 			if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
3714 			DPRINTF("tx with param failed\n");
3715 			goto done;
3716 		}
3717 	}
3718 
3719 	if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
3720 
3721 done:
3722 	RUN_UNLOCK(sc);
3723 
3724 	if (error != 0) {
3725 		if(m != NULL)
3726 			m_freem(m);
3727 		ieee80211_free_node(ni);
3728 	}
3729 
3730 	return (error);
3731 }
3732 
3733 static void
3734 run_start(struct ifnet *ifp)
3735 {
3736 	struct run_softc *sc = ifp->if_softc;
3737 	struct ieee80211_node *ni;
3738 	struct mbuf *m;
3739 
3740 	RUN_LOCK(sc);
3741 
3742 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3743 		RUN_UNLOCK(sc);
3744 		return;
3745 	}
3746 
3747 	for (;;) {
3748 		/* send data frames */
3749 		IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3750 		if (m == NULL)
3751 			break;
3752 
3753 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3754 		if (run_tx(sc, m, ni) != 0) {
3755 			IFQ_DRV_PREPEND(&ifp->if_snd, m);
3756 			ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3757 			break;
3758 		}
3759 	}
3760 
3761 	RUN_UNLOCK(sc);
3762 }
3763 
3764 static int
3765 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3766 {
3767 	struct run_softc *sc = ifp->if_softc;
3768 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3769 	struct ifreq *ifr = (struct ifreq *) data;
3770 	int startall = 0;
3771 	int error;
3772 
3773 	RUN_LOCK(sc);
3774 	error = sc->sc_detached ? ENXIO : 0;
3775 	RUN_UNLOCK(sc);
3776 	if (error)
3777 		return (error);
3778 
3779 	switch (cmd) {
3780 	case SIOCSIFFLAGS:
3781 		RUN_LOCK(sc);
3782 		if (ifp->if_flags & IFF_UP) {
3783 			if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3784 				startall = 1;
3785 				run_init_locked(sc);
3786 			} else
3787 				run_update_promisc_locked(ifp);
3788 		} else {
3789 			if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3790 			    (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3791 					run_stop(sc);
3792 			}
3793 		}
3794 		RUN_UNLOCK(sc);
3795 		if (startall)
3796 			ieee80211_start_all(ic);
3797 		break;
3798 	case SIOCGIFMEDIA:
3799 		error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3800 		break;
3801 	case SIOCGIFADDR:
3802 		error = ether_ioctl(ifp, cmd, data);
3803 		break;
3804 	default:
3805 		error = EINVAL;
3806 		break;
3807 	}
3808 
3809 	return (error);
3810 }
3811 
3812 static void
3813 run_iq_calib(struct run_softc *sc, u_int chan)
3814 {
3815 	uint16_t val;
3816 
3817 	/* Tx0 IQ gain. */
3818 	run_bbp_write(sc, 158, 0x2c);
3819 	if (chan <= 14)
3820 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3821 	else if (chan <= 64) {
3822 		run_efuse_read(sc,
3823 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3824 		    &val, 1);
3825 	} else if (chan <= 138) {
3826 		run_efuse_read(sc,
3827 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3828 		    &val, 1);
3829 	} else if (chan <= 165) {
3830 		run_efuse_read(sc,
3831 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3832 		    &val, 1);
3833 	} else
3834 		val = 0;
3835 	run_bbp_write(sc, 159, val);
3836 
3837 	/* Tx0 IQ phase. */
3838 	run_bbp_write(sc, 158, 0x2d);
3839 	if (chan <= 14) {
3840 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3841 		    &val, 1);
3842 	} else if (chan <= 64) {
3843 		run_efuse_read(sc,
3844 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3845 		    &val, 1);
3846 	} else if (chan <= 138) {
3847 		run_efuse_read(sc,
3848 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3849 		    &val, 1);
3850 	} else if (chan <= 165) {
3851 		run_efuse_read(sc,
3852 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3853 		    &val, 1);
3854 	} else
3855 		val = 0;
3856 	run_bbp_write(sc, 159, val);
3857 
3858 	/* Tx1 IQ gain. */
3859 	run_bbp_write(sc, 158, 0x4a);
3860 	if (chan <= 14) {
3861 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3862 		    &val, 1);
3863 	} else if (chan <= 64) {
3864 		run_efuse_read(sc,
3865 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3866 		    &val, 1);
3867 	} else if (chan <= 138) {
3868 		run_efuse_read(sc,
3869 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3870 		    &val, 1);
3871 	} else if (chan <= 165) {
3872 		run_efuse_read(sc,
3873 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3874 		    &val, 1);
3875 	} else
3876 		val = 0;
3877 	run_bbp_write(sc, 159, val);
3878 
3879 	/* Tx1 IQ phase. */
3880 	run_bbp_write(sc, 158, 0x4b);
3881 	if (chan <= 14) {
3882 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3883 		    &val, 1);
3884 	} else if (chan <= 64) {
3885 		run_efuse_read(sc,
3886 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3887 		    &val, 1);
3888 	} else if (chan <= 138) {
3889 		run_efuse_read(sc,
3890 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3891 		    &val, 1);
3892 	} else if (chan <= 165) {
3893 		run_efuse_read(sc,
3894 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3895 		    &val, 1);
3896 	} else
3897 		val = 0;
3898 	run_bbp_write(sc, 159, val);
3899 
3900 	/* RF IQ compensation control. */
3901 	run_bbp_write(sc, 158, 0x04);
3902 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3903 	    &val, 1);
3904 	run_bbp_write(sc, 159, val);
3905 
3906 	/* RF IQ imbalance compensation control. */
3907 	run_bbp_write(sc, 158, 0x03);
3908 	run_efuse_read(sc,
3909 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3910 	run_bbp_write(sc, 159, val);
3911 }
3912 
3913 static void
3914 run_set_agc(struct run_softc *sc, uint8_t agc)
3915 {
3916 	uint8_t bbp;
3917 
3918 	if (sc->mac_ver == 0x3572) {
3919 		run_bbp_read(sc, 27, &bbp);
3920 		bbp &= ~(0x3 << 5);
3921 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3922 		run_bbp_write(sc, 66, agc);
3923 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3924 		run_bbp_write(sc, 66, agc);
3925 	} else
3926 		run_bbp_write(sc, 66, agc);
3927 }
3928 
3929 static void
3930 run_select_chan_group(struct run_softc *sc, int group)
3931 {
3932 	uint32_t tmp;
3933 	uint8_t agc;
3934 
3935 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3936 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3937 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3938 	if (sc->mac_ver < 0x3572)
3939 		run_bbp_write(sc, 86, 0x00);
3940 
3941 	if (sc->mac_ver == 0x3593) {
3942 		run_bbp_write(sc, 77, 0x98);
3943 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3944 	}
3945 
3946 	if (group == 0) {
3947 		if (sc->ext_2ghz_lna) {
3948 			if (sc->mac_ver >= 0x5390)
3949 				run_bbp_write(sc, 75, 0x52);
3950 			else {
3951 				run_bbp_write(sc, 82, 0x62);
3952 				run_bbp_write(sc, 75, 0x46);
3953 			}
3954 		} else {
3955 			if (sc->mac_ver == 0x5592) {
3956 				run_bbp_write(sc, 79, 0x1c);
3957 				run_bbp_write(sc, 80, 0x0e);
3958 				run_bbp_write(sc, 81, 0x3a);
3959 				run_bbp_write(sc, 82, 0x62);
3960 
3961 				run_bbp_write(sc, 195, 0x80);
3962 				run_bbp_write(sc, 196, 0xe0);
3963 				run_bbp_write(sc, 195, 0x81);
3964 				run_bbp_write(sc, 196, 0x1f);
3965 				run_bbp_write(sc, 195, 0x82);
3966 				run_bbp_write(sc, 196, 0x38);
3967 				run_bbp_write(sc, 195, 0x83);
3968 				run_bbp_write(sc, 196, 0x32);
3969 				run_bbp_write(sc, 195, 0x85);
3970 				run_bbp_write(sc, 196, 0x28);
3971 				run_bbp_write(sc, 195, 0x86);
3972 				run_bbp_write(sc, 196, 0x19);
3973 			} else if (sc->mac_ver >= 0x5390)
3974 				run_bbp_write(sc, 75, 0x50);
3975 			else {
3976 				run_bbp_write(sc, 82,
3977 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3978 				run_bbp_write(sc, 75, 0x50);
3979 			}
3980 		}
3981 	} else {
3982 		if (sc->mac_ver == 0x5592) {
3983 			run_bbp_write(sc, 79, 0x18);
3984 			run_bbp_write(sc, 80, 0x08);
3985 			run_bbp_write(sc, 81, 0x38);
3986 			run_bbp_write(sc, 82, 0x92);
3987 
3988 			run_bbp_write(sc, 195, 0x80);
3989 			run_bbp_write(sc, 196, 0xf0);
3990 			run_bbp_write(sc, 195, 0x81);
3991 			run_bbp_write(sc, 196, 0x1e);
3992 			run_bbp_write(sc, 195, 0x82);
3993 			run_bbp_write(sc, 196, 0x28);
3994 			run_bbp_write(sc, 195, 0x83);
3995 			run_bbp_write(sc, 196, 0x20);
3996 			run_bbp_write(sc, 195, 0x85);
3997 			run_bbp_write(sc, 196, 0x7f);
3998 			run_bbp_write(sc, 195, 0x86);
3999 			run_bbp_write(sc, 196, 0x7f);
4000 		} else if (sc->mac_ver == 0x3572)
4001 			run_bbp_write(sc, 82, 0x94);
4002 		else
4003 			run_bbp_write(sc, 82,
4004 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
4005 		if (sc->ext_5ghz_lna)
4006 			run_bbp_write(sc, 75, 0x46);
4007 		else
4008 			run_bbp_write(sc, 75, 0x50);
4009 	}
4010 
4011 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4012 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4013 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4014 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
4015 
4016 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4017 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4018 	if (sc->mac_ver == 0x3593)
4019 		tmp |= 1 << 29 | 1 << 28;
4020 	if (sc->nrxchains > 1)
4021 		tmp |= RT2860_LNA_PE1_EN;
4022 	if (group == 0) {	/* 2GHz */
4023 		tmp |= RT2860_PA_PE_G0_EN;
4024 		if (sc->ntxchains > 1)
4025 			tmp |= RT2860_PA_PE_G1_EN;
4026 		if (sc->mac_ver == 0x3593) {
4027 			if (sc->ntxchains > 2)
4028 				tmp |= 1 << 25;
4029 		}
4030 	} else {		/* 5GHz */
4031 		tmp |= RT2860_PA_PE_A0_EN;
4032 		if (sc->ntxchains > 1)
4033 			tmp |= RT2860_PA_PE_A1_EN;
4034 	}
4035 	if (sc->mac_ver == 0x3572) {
4036 		run_rt3070_rf_write(sc, 8, 0x00);
4037 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4038 		run_rt3070_rf_write(sc, 8, 0x80);
4039 	} else
4040 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4041 
4042 	if (sc->mac_ver == 0x5592) {
4043 		run_bbp_write(sc, 195, 0x8d);
4044 		run_bbp_write(sc, 196, 0x1a);
4045 	}
4046 
4047 	if (sc->mac_ver == 0x3593) {
4048 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
4049 		tmp &= ~0x01010000;
4050 		if (group == 0)
4051 			tmp |= 0x00010000;
4052 		tmp = (tmp & ~0x00009090) | 0x00000090;
4053 		run_write(sc, RT2860_GPIO_CTRL, tmp);
4054 	}
4055 
4056 	/* set initial AGC value */
4057 	if (group == 0) {	/* 2GHz band */
4058 		if (sc->mac_ver >= 0x3070)
4059 			agc = 0x1c + sc->lna[0] * 2;
4060 		else
4061 			agc = 0x2e + sc->lna[0];
4062 	} else {		/* 5GHz band */
4063 		if (sc->mac_ver == 0x5592)
4064 			agc = 0x24 + sc->lna[group] * 2;
4065 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4066 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4067 		else
4068 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4069 	}
4070 	run_set_agc(sc, agc);
4071 }
4072 
4073 static void
4074 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4075 {
4076 	const struct rfprog *rfprog = rt2860_rf2850;
4077 	uint32_t r2, r3, r4;
4078 	int8_t txpow1, txpow2;
4079 	int i;
4080 
4081 	/* find the settings for this channel (we know it exists) */
4082 	for (i = 0; rfprog[i].chan != chan; i++);
4083 
4084 	r2 = rfprog[i].r2;
4085 	if (sc->ntxchains == 1)
4086 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4087 	if (sc->nrxchains == 1)
4088 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4089 	else if (sc->nrxchains == 2)
4090 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4091 
4092 	/* use Tx power values from EEPROM */
4093 	txpow1 = sc->txpow1[i];
4094 	txpow2 = sc->txpow2[i];
4095 
4096 	/* Initialize RF R3 and R4. */
4097 	r3 = rfprog[i].r3 & 0xffffc1ff;
4098 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4099 	if (chan > 14) {
4100 		if (txpow1 >= 0) {
4101 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4102 			r3 |= (txpow1 << 10) | (1 << 9);
4103 		} else {
4104 			txpow1 += 7;
4105 
4106 			/* txpow1 is not possible larger than 15. */
4107 			r3 |= (txpow1 << 10);
4108 		}
4109 		if (txpow2 >= 0) {
4110 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4111 			r4 |= (txpow2 << 7) | (1 << 6);
4112 		} else {
4113 			txpow2 += 7;
4114 			r4 |= (txpow2 << 7);
4115 		}
4116 	} else {
4117 		/* Set Tx0 power. */
4118 		r3 |= (txpow1 << 9);
4119 
4120 		/* Set frequency offset and Tx1 power. */
4121 		r4 |= (txpow2 << 6);
4122 	}
4123 
4124 	run_rt2870_rf_write(sc, rfprog[i].r1);
4125 	run_rt2870_rf_write(sc, r2);
4126 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4127 	run_rt2870_rf_write(sc, r4);
4128 
4129 	run_delay(sc, 10);
4130 
4131 	run_rt2870_rf_write(sc, rfprog[i].r1);
4132 	run_rt2870_rf_write(sc, r2);
4133 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4134 	run_rt2870_rf_write(sc, r4);
4135 
4136 	run_delay(sc, 10);
4137 
4138 	run_rt2870_rf_write(sc, rfprog[i].r1);
4139 	run_rt2870_rf_write(sc, r2);
4140 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4141 	run_rt2870_rf_write(sc, r4);
4142 }
4143 
4144 static void
4145 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4146 {
4147 	int8_t txpow1, txpow2;
4148 	uint8_t rf;
4149 	int i;
4150 
4151 	/* find the settings for this channel (we know it exists) */
4152 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4153 
4154 	/* use Tx power values from EEPROM */
4155 	txpow1 = sc->txpow1[i];
4156 	txpow2 = sc->txpow2[i];
4157 
4158 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4159 
4160 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4161 	run_rt3070_rf_read(sc, 3, &rf);
4162 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4163 	run_rt3070_rf_write(sc, 3, rf);
4164 
4165 	run_rt3070_rf_read(sc, 6, &rf);
4166 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4167 	run_rt3070_rf_write(sc, 6, rf);
4168 
4169 	/* set Tx0 power */
4170 	run_rt3070_rf_read(sc, 12, &rf);
4171 	rf = (rf & ~0x1f) | txpow1;
4172 	run_rt3070_rf_write(sc, 12, rf);
4173 
4174 	/* set Tx1 power */
4175 	run_rt3070_rf_read(sc, 13, &rf);
4176 	rf = (rf & ~0x1f) | txpow2;
4177 	run_rt3070_rf_write(sc, 13, rf);
4178 
4179 	run_rt3070_rf_read(sc, 1, &rf);
4180 	rf &= ~0xfc;
4181 	if (sc->ntxchains == 1)
4182 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4183 	else if (sc->ntxchains == 2)
4184 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4185 	if (sc->nrxchains == 1)
4186 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4187 	else if (sc->nrxchains == 2)
4188 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4189 	run_rt3070_rf_write(sc, 1, rf);
4190 
4191 	/* set RF offset */
4192 	run_rt3070_rf_read(sc, 23, &rf);
4193 	rf = (rf & ~0x7f) | sc->freq;
4194 	run_rt3070_rf_write(sc, 23, rf);
4195 
4196 	/* program RF filter */
4197 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4198 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4199 	run_rt3070_rf_write(sc, 24, rf);
4200 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4201 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4202 	run_rt3070_rf_write(sc, 31, rf);
4203 
4204 	/* enable RF tuning */
4205 	run_rt3070_rf_read(sc, 7, &rf);
4206 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4207 }
4208 
4209 static void
4210 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4211 {
4212 	int8_t txpow1, txpow2;
4213 	uint32_t tmp;
4214 	uint8_t rf;
4215 	int i;
4216 
4217 	/* find the settings for this channel (we know it exists) */
4218 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4219 
4220 	/* use Tx power values from EEPROM */
4221 	txpow1 = sc->txpow1[i];
4222 	txpow2 = sc->txpow2[i];
4223 
4224 	if (chan <= 14) {
4225 		run_bbp_write(sc, 25, sc->bbp25);
4226 		run_bbp_write(sc, 26, sc->bbp26);
4227 	} else {
4228 		/* enable IQ phase correction */
4229 		run_bbp_write(sc, 25, 0x09);
4230 		run_bbp_write(sc, 26, 0xff);
4231 	}
4232 
4233 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4234 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4235 	run_rt3070_rf_read(sc, 6, &rf);
4236 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4237 	rf |= (chan <= 14) ? 0x08 : 0x04;
4238 	run_rt3070_rf_write(sc, 6, rf);
4239 
4240 	/* set PLL mode */
4241 	run_rt3070_rf_read(sc, 5, &rf);
4242 	rf &= ~(0x08 | 0x04);
4243 	rf |= (chan <= 14) ? 0x04 : 0x08;
4244 	run_rt3070_rf_write(sc, 5, rf);
4245 
4246 	/* set Tx power for chain 0 */
4247 	if (chan <= 14)
4248 		rf = 0x60 | txpow1;
4249 	else
4250 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4251 	run_rt3070_rf_write(sc, 12, rf);
4252 
4253 	/* set Tx power for chain 1 */
4254 	if (chan <= 14)
4255 		rf = 0x60 | txpow2;
4256 	else
4257 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4258 	run_rt3070_rf_write(sc, 13, rf);
4259 
4260 	/* set Tx/Rx streams */
4261 	run_rt3070_rf_read(sc, 1, &rf);
4262 	rf &= ~0xfc;
4263 	if (sc->ntxchains == 1)
4264 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4265 	else if (sc->ntxchains == 2)
4266 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4267 	if (sc->nrxchains == 1)
4268 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4269 	else if (sc->nrxchains == 2)
4270 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4271 	run_rt3070_rf_write(sc, 1, rf);
4272 
4273 	/* set RF offset */
4274 	run_rt3070_rf_read(sc, 23, &rf);
4275 	rf = (rf & ~0x7f) | sc->freq;
4276 	run_rt3070_rf_write(sc, 23, rf);
4277 
4278 	/* program RF filter */
4279 	rf = sc->rf24_20mhz;
4280 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4281 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4282 
4283 	/* enable RF tuning */
4284 	run_rt3070_rf_read(sc, 7, &rf);
4285 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4286 	run_rt3070_rf_write(sc, 7, rf);
4287 
4288 	/* TSSI */
4289 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4290 	run_rt3070_rf_write(sc, 9, rf);
4291 
4292 	/* set loop filter 1 */
4293 	run_rt3070_rf_write(sc, 10, 0xf1);
4294 	/* set loop filter 2 */
4295 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4296 
4297 	/* set tx_mx2_ic */
4298 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4299 	/* set tx_mx1_ic */
4300 	if (chan <= 14)
4301 		rf = 0x48 | sc->txmixgain_2ghz;
4302 	else
4303 		rf = 0x78 | sc->txmixgain_5ghz;
4304 	run_rt3070_rf_write(sc, 16, rf);
4305 
4306 	/* set tx_lo1 */
4307 	run_rt3070_rf_write(sc, 17, 0x23);
4308 	/* set tx_lo2 */
4309 	if (chan <= 14)
4310 		rf = 0x93;
4311 	else if (chan <= 64)
4312 		rf = 0xb7;
4313 	else if (chan <= 128)
4314 		rf = 0x74;
4315 	else
4316 		rf = 0x72;
4317 	run_rt3070_rf_write(sc, 19, rf);
4318 
4319 	/* set rx_lo1 */
4320 	if (chan <= 14)
4321 		rf = 0xb3;
4322 	else if (chan <= 64)
4323 		rf = 0xf6;
4324 	else if (chan <= 128)
4325 		rf = 0xf4;
4326 	else
4327 		rf = 0xf3;
4328 	run_rt3070_rf_write(sc, 20, rf);
4329 
4330 	/* set pfd_delay */
4331 	if (chan <= 14)
4332 		rf = 0x15;
4333 	else if (chan <= 64)
4334 		rf = 0x3d;
4335 	else
4336 		rf = 0x01;
4337 	run_rt3070_rf_write(sc, 25, rf);
4338 
4339 	/* set rx_lo2 */
4340 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4341 	/* set ldo_rf_vc */
4342 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4343 	/* set drv_cc */
4344 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4345 
4346 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4347 	tmp &= ~0x8080;
4348 	if (chan <= 14)
4349 		tmp |= 0x80;
4350 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4351 
4352 	/* enable RF tuning */
4353 	run_rt3070_rf_read(sc, 7, &rf);
4354 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4355 
4356 	run_delay(sc, 2);
4357 }
4358 
4359 static void
4360 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4361 {
4362 	int8_t txpow1, txpow2, txpow3;
4363 	uint8_t h20mhz, rf;
4364 	int i;
4365 
4366 	/* find the settings for this channel (we know it exists) */
4367 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4368 
4369 	/* use Tx power values from EEPROM */
4370 	txpow1 = sc->txpow1[i];
4371 	txpow2 = sc->txpow2[i];
4372 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4373 
4374 	if (chan <= 14) {
4375 		run_bbp_write(sc, 25, sc->bbp25);
4376 		run_bbp_write(sc, 26, sc->bbp26);
4377 	} else {
4378 		/* Enable IQ phase correction. */
4379 		run_bbp_write(sc, 25, 0x09);
4380 		run_bbp_write(sc, 26, 0xff);
4381 	}
4382 
4383 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4384 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4385 	run_rt3070_rf_read(sc, 11, &rf);
4386 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4387 	run_rt3070_rf_write(sc, 11, rf);
4388 
4389 	/* Set pll_idoh. */
4390 	run_rt3070_rf_read(sc, 11, &rf);
4391 	rf &= ~0x4c;
4392 	rf |= (chan <= 14) ? 0x44 : 0x48;
4393 	run_rt3070_rf_write(sc, 11, rf);
4394 
4395 	if (chan <= 14)
4396 		rf = txpow1 & 0x1f;
4397 	else
4398 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4399 	run_rt3070_rf_write(sc, 53, rf);
4400 
4401 	if (chan <= 14)
4402 		rf = txpow2 & 0x1f;
4403 	else
4404 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4405 	run_rt3070_rf_write(sc, 55, rf);
4406 
4407 	if (chan <= 14)
4408 		rf = txpow3 & 0x1f;
4409 	else
4410 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4411 	run_rt3070_rf_write(sc, 54, rf);
4412 
4413 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4414 	if (sc->ntxchains == 3)
4415 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4416 	else
4417 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4418 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4419 	run_rt3070_rf_write(sc, 1, rf);
4420 
4421 	run_adjust_freq_offset(sc);
4422 
4423 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4424 
4425 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4426 	run_rt3070_rf_read(sc, 30, &rf);
4427 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4428 	run_rt3070_rf_write(sc, 30, rf);
4429 
4430 	run_rt3070_rf_read(sc, 36, &rf);
4431 	if (chan <= 14)
4432 		rf |= 0x80;
4433 	else
4434 		rf &= ~0x80;
4435 	run_rt3070_rf_write(sc, 36, rf);
4436 
4437 	/* Set vcolo_bs. */
4438 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4439 	/* Set pfd_delay. */
4440 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4441 
4442 	/* Set vco bias current control. */
4443 	run_rt3070_rf_read(sc, 6, &rf);
4444 	rf &= ~0xc0;
4445 	if (chan <= 14)
4446 		rf |= 0x40;
4447 	else if (chan <= 128)
4448 		rf |= 0x80;
4449 	else
4450 		rf |= 0x40;
4451 	run_rt3070_rf_write(sc, 6, rf);
4452 
4453 	run_rt3070_rf_read(sc, 30, &rf);
4454 	rf = (rf & ~0x18) | 0x10;
4455 	run_rt3070_rf_write(sc, 30, rf);
4456 
4457 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4458 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4459 
4460 	run_rt3070_rf_read(sc, 51, &rf);
4461 	rf = (rf & ~0x03) | 0x01;
4462 	run_rt3070_rf_write(sc, 51, rf);
4463 	/* Set tx_mx1_cc. */
4464 	run_rt3070_rf_read(sc, 51, &rf);
4465 	rf &= ~0x1c;
4466 	rf |= (chan <= 14) ? 0x14 : 0x10;
4467 	run_rt3070_rf_write(sc, 51, rf);
4468 	/* Set tx_mx1_ic. */
4469 	run_rt3070_rf_read(sc, 51, &rf);
4470 	rf &= ~0xe0;
4471 	rf |= (chan <= 14) ? 0x60 : 0x40;
4472 	run_rt3070_rf_write(sc, 51, rf);
4473 	/* Set tx_lo1_ic. */
4474 	run_rt3070_rf_read(sc, 49, &rf);
4475 	rf &= ~0x1c;
4476 	rf |= (chan <= 14) ? 0x0c : 0x08;
4477 	run_rt3070_rf_write(sc, 49, rf);
4478 	/* Set tx_lo1_en. */
4479 	run_rt3070_rf_read(sc, 50, &rf);
4480 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4481 	/* Set drv_cc. */
4482 	run_rt3070_rf_read(sc, 57, &rf);
4483 	rf &= ~0xfc;
4484 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4485 	run_rt3070_rf_write(sc, 57, rf);
4486 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4487 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4488 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4489 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4490 	/* Enable VCO calibration. */
4491 	run_rt3070_rf_read(sc, 3, &rf);
4492 	rf &= ~RT5390_VCOCAL;
4493 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4494 	run_rt3070_rf_write(sc, 3, rf);
4495 
4496 	if (chan <= 14)
4497 		rf = 0x23;
4498 	else if (chan <= 64)
4499 		rf = 0x36;
4500 	else if (chan <= 128)
4501 		rf = 0x32;
4502 	else
4503 		rf = 0x30;
4504 	run_rt3070_rf_write(sc, 39, rf);
4505 	if (chan <= 14)
4506 		rf = 0xbb;
4507 	else if (chan <= 64)
4508 		rf = 0xeb;
4509 	else if (chan <= 128)
4510 		rf = 0xb3;
4511 	else
4512 		rf = 0x9b;
4513 	run_rt3070_rf_write(sc, 45, rf);
4514 
4515 	/* Set FEQ/AEQ control. */
4516 	run_bbp_write(sc, 105, 0x34);
4517 }
4518 
4519 static void
4520 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4521 {
4522 	int8_t txpow1, txpow2;
4523 	uint8_t rf;
4524 	int i;
4525 
4526 	/* find the settings for this channel (we know it exists) */
4527 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4528 
4529 	/* use Tx power values from EEPROM */
4530 	txpow1 = sc->txpow1[i];
4531 	txpow2 = sc->txpow2[i];
4532 
4533 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4534 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4535 	run_rt3070_rf_read(sc, 11, &rf);
4536 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4537 	run_rt3070_rf_write(sc, 11, rf);
4538 
4539 	run_rt3070_rf_read(sc, 49, &rf);
4540 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4541 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4542 	if ((rf & 0x3f) > 0x27)
4543 		rf = (rf & ~0x3f) | 0x27;
4544 	run_rt3070_rf_write(sc, 49, rf);
4545 
4546 	if (sc->mac_ver == 0x5392) {
4547 		run_rt3070_rf_read(sc, 50, &rf);
4548 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4549 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4550 		if ((rf & 0x3f) > 0x27)
4551 			rf = (rf & ~0x3f) | 0x27;
4552 		run_rt3070_rf_write(sc, 50, rf);
4553 	}
4554 
4555 	run_rt3070_rf_read(sc, 1, &rf);
4556 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4557 	if (sc->mac_ver == 0x5392)
4558 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4559 	run_rt3070_rf_write(sc, 1, rf);
4560 
4561 	if (sc->mac_ver != 0x5392) {
4562 		run_rt3070_rf_read(sc, 2, &rf);
4563 		rf |= 0x80;
4564 		run_rt3070_rf_write(sc, 2, rf);
4565 		run_delay(sc, 10);
4566 		rf &= 0x7f;
4567 		run_rt3070_rf_write(sc, 2, rf);
4568 	}
4569 
4570 	run_adjust_freq_offset(sc);
4571 
4572 	if (sc->mac_ver == 0x5392) {
4573 		/* Fix for RT5392C. */
4574 		if (sc->mac_rev >= 0x0223) {
4575 			if (chan <= 4)
4576 				rf = 0x0f;
4577 			else if (chan >= 5 && chan <= 7)
4578 				rf = 0x0e;
4579 			else
4580 				rf = 0x0d;
4581 			run_rt3070_rf_write(sc, 23, rf);
4582 
4583 			if (chan <= 4)
4584 				rf = 0x0c;
4585 			else if (chan == 5)
4586 				rf = 0x0b;
4587 			else if (chan >= 6 && chan <= 7)
4588 				rf = 0x0a;
4589 			else if (chan >= 8 && chan <= 10)
4590 				rf = 0x09;
4591 			else
4592 				rf = 0x08;
4593 			run_rt3070_rf_write(sc, 59, rf);
4594 		} else {
4595 			if (chan <= 11)
4596 				rf = 0x0f;
4597 			else
4598 				rf = 0x0b;
4599 			run_rt3070_rf_write(sc, 59, rf);
4600 		}
4601 	} else {
4602 		/* Fix for RT5390F. */
4603 		if (sc->mac_rev >= 0x0502) {
4604 			if (chan <= 11)
4605 				rf = 0x43;
4606 			else
4607 				rf = 0x23;
4608 			run_rt3070_rf_write(sc, 55, rf);
4609 
4610 			if (chan <= 11)
4611 				rf = 0x0f;
4612 			else if (chan == 12)
4613 				rf = 0x0d;
4614 			else
4615 				rf = 0x0b;
4616 			run_rt3070_rf_write(sc, 59, rf);
4617 		} else {
4618 			run_rt3070_rf_write(sc, 55, 0x44);
4619 			run_rt3070_rf_write(sc, 59, 0x8f);
4620 		}
4621 	}
4622 
4623 	/* Enable VCO calibration. */
4624 	run_rt3070_rf_read(sc, 3, &rf);
4625 	rf |= RT5390_VCOCAL;
4626 	run_rt3070_rf_write(sc, 3, rf);
4627 }
4628 
4629 static void
4630 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4631 {
4632 	const struct rt5592_freqs *freqs;
4633 	uint32_t tmp;
4634 	uint8_t reg, rf, txpow_bound;
4635 	int8_t txpow1, txpow2;
4636 	int i;
4637 
4638 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4639 	freqs = (tmp & RT5592_SEL_XTAL) ?
4640 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4641 
4642 	/* find the settings for this channel (we know it exists) */
4643 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4644 
4645 	/* use Tx power values from EEPROM */
4646 	txpow1 = sc->txpow1[i];
4647 	txpow2 = sc->txpow2[i];
4648 
4649 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4650 	tmp &= ~0x1c000000;
4651 	if (chan > 14)
4652 		tmp |= 0x14000000;
4653 	run_write(sc, RT3070_LDO_CFG0, tmp);
4654 
4655 	/* N setting. */
4656 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4657 	run_rt3070_rf_read(sc, 9, &rf);
4658 	rf &= ~(1 << 4);
4659 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4660 	run_rt3070_rf_write(sc, 9, rf);
4661 
4662 	/* K setting. */
4663 	run_rt3070_rf_read(sc, 9, &rf);
4664 	rf &= ~0x0f;
4665 	rf |= (freqs->k & 0x0f);
4666 	run_rt3070_rf_write(sc, 9, rf);
4667 
4668 	/* Mode setting. */
4669 	run_rt3070_rf_read(sc, 11, &rf);
4670 	rf &= ~0x0c;
4671 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4672 	run_rt3070_rf_write(sc, 11, rf);
4673 	run_rt3070_rf_read(sc, 9, &rf);
4674 	rf &= ~(1 << 7);
4675 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4676 	run_rt3070_rf_write(sc, 9, rf);
4677 
4678 	/* R setting. */
4679 	run_rt3070_rf_read(sc, 11, &rf);
4680 	rf &= ~0x03;
4681 	rf |= (freqs->r - 0x1);
4682 	run_rt3070_rf_write(sc, 11, rf);
4683 
4684 	if (chan <= 14) {
4685 		/* Initialize RF registers for 2GHZ. */
4686 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4687 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4688 			    rt5592_2ghz_def_rf[i].val);
4689 		}
4690 
4691 		rf = (chan <= 10) ? 0x07 : 0x06;
4692 		run_rt3070_rf_write(sc, 23, rf);
4693 		run_rt3070_rf_write(sc, 59, rf);
4694 
4695 		run_rt3070_rf_write(sc, 55, 0x43);
4696 
4697 		/*
4698 		 * RF R49/R50 Tx power ALC code.
4699 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4700 		 */
4701 		reg = 2;
4702 		txpow_bound = 0x27;
4703 	} else {
4704 		/* Initialize RF registers for 5GHZ. */
4705 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4706 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4707 			    rt5592_5ghz_def_rf[i].val);
4708 		}
4709 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4710 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4711 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4712 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4713 				    rt5592_chan_5ghz[i].val);
4714 			}
4715 		}
4716 
4717 		/*
4718 		 * RF R49/R50 Tx power ALC code.
4719 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4720 		 */
4721 		reg = 3;
4722 		txpow_bound = 0x2b;
4723 	}
4724 
4725 	/* RF R49 ch0 Tx power ALC code. */
4726 	run_rt3070_rf_read(sc, 49, &rf);
4727 	rf &= ~0xc0;
4728 	rf |= (reg << 6);
4729 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4730 	if ((rf & 0x3f) > txpow_bound)
4731 		rf = (rf & ~0x3f) | txpow_bound;
4732 	run_rt3070_rf_write(sc, 49, rf);
4733 
4734 	/* RF R50 ch1 Tx power ALC code. */
4735 	run_rt3070_rf_read(sc, 50, &rf);
4736 	rf &= ~(1 << 7 | 1 << 6);
4737 	rf |= (reg << 6);
4738 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4739 	if ((rf & 0x3f) > txpow_bound)
4740 		rf = (rf & ~0x3f) | txpow_bound;
4741 	run_rt3070_rf_write(sc, 50, rf);
4742 
4743 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4744 	run_rt3070_rf_read(sc, 1, &rf);
4745 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4746 	if (sc->ntxchains > 1)
4747 		rf |= RT3070_TX1_PD;
4748 	if (sc->nrxchains > 1)
4749 		rf |= RT3070_RX1_PD;
4750 	run_rt3070_rf_write(sc, 1, rf);
4751 
4752 	run_rt3070_rf_write(sc, 6, 0xe4);
4753 
4754 	run_rt3070_rf_write(sc, 30, 0x10);
4755 	run_rt3070_rf_write(sc, 31, 0x80);
4756 	run_rt3070_rf_write(sc, 32, 0x80);
4757 
4758 	run_adjust_freq_offset(sc);
4759 
4760 	/* Enable VCO calibration. */
4761 	run_rt3070_rf_read(sc, 3, &rf);
4762 	rf |= RT5390_VCOCAL;
4763 	run_rt3070_rf_write(sc, 3, rf);
4764 }
4765 
4766 static void
4767 run_set_rx_antenna(struct run_softc *sc, int aux)
4768 {
4769 	uint32_t tmp;
4770 	uint8_t bbp152;
4771 
4772 	if (aux) {
4773 		if (sc->rf_rev == RT5390_RF_5370) {
4774 			run_bbp_read(sc, 152, &bbp152);
4775 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4776 		} else {
4777 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4778 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4779 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4780 		}
4781 	} else {
4782 		if (sc->rf_rev == RT5390_RF_5370) {
4783 			run_bbp_read(sc, 152, &bbp152);
4784 			run_bbp_write(sc, 152, bbp152 | 0x80);
4785 		} else {
4786 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4787 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4788 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4789 		}
4790 	}
4791 }
4792 
4793 static int
4794 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4795 {
4796 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4797 	u_int chan, group;
4798 
4799 	chan = ieee80211_chan2ieee(ic, c);
4800 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4801 		return (EINVAL);
4802 
4803 	if (sc->mac_ver == 0x5592)
4804 		run_rt5592_set_chan(sc, chan);
4805 	else if (sc->mac_ver >= 0x5390)
4806 		run_rt5390_set_chan(sc, chan);
4807 	else if (sc->mac_ver == 0x3593)
4808 		run_rt3593_set_chan(sc, chan);
4809 	else if (sc->mac_ver == 0x3572)
4810 		run_rt3572_set_chan(sc, chan);
4811 	else if (sc->mac_ver >= 0x3070)
4812 		run_rt3070_set_chan(sc, chan);
4813 	else
4814 		run_rt2870_set_chan(sc, chan);
4815 
4816 	/* determine channel group */
4817 	if (chan <= 14)
4818 		group = 0;
4819 	else if (chan <= 64)
4820 		group = 1;
4821 	else if (chan <= 128)
4822 		group = 2;
4823 	else
4824 		group = 3;
4825 
4826 	/* XXX necessary only when group has changed! */
4827 	run_select_chan_group(sc, group);
4828 
4829 	run_delay(sc, 10);
4830 
4831 	/* Perform IQ calibration. */
4832 	if (sc->mac_ver >= 0x5392)
4833 		run_iq_calib(sc, chan);
4834 
4835 	return (0);
4836 }
4837 
4838 static void
4839 run_set_channel(struct ieee80211com *ic)
4840 {
4841 	struct run_softc *sc = ic->ic_ifp->if_softc;
4842 
4843 	RUN_LOCK(sc);
4844 	run_set_chan(sc, ic->ic_curchan);
4845 	RUN_UNLOCK(sc);
4846 
4847 	return;
4848 }
4849 
4850 static void
4851 run_scan_start(struct ieee80211com *ic)
4852 {
4853 	struct run_softc *sc = ic->ic_ifp->if_softc;
4854 	uint32_t tmp;
4855 
4856 	RUN_LOCK(sc);
4857 
4858 	/* abort TSF synchronization */
4859 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4860 	run_write(sc, RT2860_BCN_TIME_CFG,
4861 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4862 	    RT2860_TBTT_TIMER_EN));
4863 	run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4864 
4865 	RUN_UNLOCK(sc);
4866 
4867 	return;
4868 }
4869 
4870 static void
4871 run_scan_end(struct ieee80211com *ic)
4872 {
4873 	struct run_softc *sc = ic->ic_ifp->if_softc;
4874 
4875 	RUN_LOCK(sc);
4876 
4877 	run_enable_tsf_sync(sc);
4878 	/* XXX keep local copy */
4879 	run_set_bssid(sc, sc->sc_bssid);
4880 
4881 	RUN_UNLOCK(sc);
4882 
4883 	return;
4884 }
4885 
4886 /*
4887  * Could be called from ieee80211_node_timeout()
4888  * (non-sleepable thread)
4889  */
4890 static void
4891 run_update_beacon(struct ieee80211vap *vap, int item)
4892 {
4893 	struct ieee80211com *ic = vap->iv_ic;
4894 	struct run_softc *sc = ic->ic_ifp->if_softc;
4895 	struct run_vap *rvp = RUN_VAP(vap);
4896 	int mcast = 0;
4897 	uint32_t i;
4898 
4899 	KASSERT(vap != NULL, ("no beacon"));
4900 
4901 	switch (item) {
4902 	case IEEE80211_BEACON_ERP:
4903 		run_updateslot(ic->ic_ifp);
4904 		break;
4905 	case IEEE80211_BEACON_HTINFO:
4906 		run_updateprot(ic);
4907 		break;
4908 	case IEEE80211_BEACON_TIM:
4909 		mcast = 1;	/*TODO*/
4910 		break;
4911 	default:
4912 		break;
4913 	}
4914 
4915 	setbit(rvp->bo.bo_flags, item);
4916 	if (rvp->beacon_mbuf == NULL) {
4917 		rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4918 		    &rvp->bo);
4919 		if (rvp->beacon_mbuf == NULL)
4920 			return;
4921 	}
4922 	ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4923 
4924 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4925 	DPRINTF("cmdq_store=%d\n", i);
4926 	sc->cmdq[i].func = run_update_beacon_cb;
4927 	sc->cmdq[i].arg0 = vap;
4928 	ieee80211_runtask(ic, &sc->cmdq_task);
4929 
4930 	return;
4931 }
4932 
4933 static void
4934 run_update_beacon_cb(void *arg)
4935 {
4936 	struct ieee80211vap *vap = arg;
4937 	struct run_vap *rvp = RUN_VAP(vap);
4938 	struct ieee80211com *ic = vap->iv_ic;
4939 	struct run_softc *sc = ic->ic_ifp->if_softc;
4940 	struct rt2860_txwi txwi;
4941 	struct mbuf *m;
4942 	uint16_t txwisize;
4943 	uint8_t ridx;
4944 
4945 	if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4946 		return;
4947 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4948 		return;
4949 
4950 	/*
4951 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4952 	 * is taking care of apropriate calls.
4953 	 */
4954 	if (rvp->beacon_mbuf == NULL) {
4955 		rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4956 		    &rvp->bo);
4957 		if (rvp->beacon_mbuf == NULL)
4958 			return;
4959 	}
4960 	m = rvp->beacon_mbuf;
4961 
4962 	memset(&txwi, 0, sizeof(txwi));
4963 	txwi.wcid = 0xff;
4964 	txwi.len = htole16(m->m_pkthdr.len);
4965 
4966 	/* send beacons at the lowest available rate */
4967 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4968 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4969 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4970 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4971 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4972 	txwi.txop = RT2860_TX_TXOP_HT;
4973 	txwi.flags = RT2860_TX_TS;
4974 	txwi.xflags = RT2860_TX_NSEQ;
4975 
4976 	txwisize = (sc->mac_ver == 0x5592) ?
4977 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4978 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4979 	    txwisize);
4980 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4981 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4982 }
4983 
4984 static void
4985 run_updateprot(struct ieee80211com *ic)
4986 {
4987 	struct run_softc *sc = ic->ic_ifp->if_softc;
4988 	uint32_t i;
4989 
4990 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4991 	DPRINTF("cmdq_store=%d\n", i);
4992 	sc->cmdq[i].func = run_updateprot_cb;
4993 	sc->cmdq[i].arg0 = ic;
4994 	ieee80211_runtask(ic, &sc->cmdq_task);
4995 }
4996 
4997 static void
4998 run_updateprot_cb(void *arg)
4999 {
5000 	struct ieee80211com *ic = arg;
5001 	struct run_softc *sc = ic->ic_ifp->if_softc;
5002 	uint32_t tmp;
5003 
5004 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
5005 	/* setup protection frame rate (MCS code) */
5006 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
5007 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
5008 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
5009 
5010 	/* CCK frames don't require protection */
5011 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
5012 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
5013 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
5014 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
5015 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5016 			tmp |= RT2860_PROT_CTRL_CTS;
5017 	}
5018 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5019 }
5020 
5021 static void
5022 run_usb_timeout_cb(void *arg)
5023 {
5024 	struct ieee80211vap *vap = arg;
5025 	struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5026 
5027 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5028 
5029 	if(vap->iv_state == IEEE80211_S_RUN &&
5030 	    vap->iv_opmode != IEEE80211_M_STA)
5031 		run_reset_livelock(sc);
5032 	else if (vap->iv_state == IEEE80211_S_SCAN) {
5033 		DPRINTF("timeout caused by scan\n");
5034 		/* cancel bgscan */
5035 		ieee80211_cancel_scan(vap);
5036 	} else
5037 		DPRINTF("timeout by unknown cause\n");
5038 }
5039 
5040 static void
5041 run_reset_livelock(struct run_softc *sc)
5042 {
5043 	uint32_t tmp;
5044 
5045 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5046 
5047 	/*
5048 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5049 	 * can run into a livelock and start sending CTS-to-self frames like
5050 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
5051 	 */
5052 	run_read(sc, RT2860_DEBUG, &tmp);
5053 	DPRINTFN(3, "debug reg %08x\n", tmp);
5054 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5055 		DPRINTF("CTS-to-self livelock detected\n");
5056 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5057 		run_delay(sc, 1);
5058 		run_write(sc, RT2860_MAC_SYS_CTRL,
5059 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5060 	}
5061 }
5062 
5063 static void
5064 run_update_promisc_locked(struct ifnet *ifp)
5065 {
5066 	struct run_softc *sc = ifp->if_softc;
5067         uint32_t tmp;
5068 
5069 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5070 
5071 	tmp |= RT2860_DROP_UC_NOME;
5072         if (ifp->if_flags & IFF_PROMISC)
5073 		tmp &= ~RT2860_DROP_UC_NOME;
5074 
5075 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5076 
5077         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5078             "entering" : "leaving");
5079 }
5080 
5081 static void
5082 run_update_promisc(struct ifnet *ifp)
5083 {
5084 	struct run_softc *sc = ifp->if_softc;
5085 
5086 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5087 		return;
5088 
5089 	RUN_LOCK(sc);
5090 	run_update_promisc_locked(ifp);
5091 	RUN_UNLOCK(sc);
5092 }
5093 
5094 static void
5095 run_enable_tsf_sync(struct run_softc *sc)
5096 {
5097 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5098 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5099 	uint32_t tmp;
5100 
5101 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5102 	    ic->ic_opmode);
5103 
5104 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5105 	tmp &= ~0x1fffff;
5106 	tmp |= vap->iv_bss->ni_intval * 16;
5107 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5108 
5109 	if (ic->ic_opmode == IEEE80211_M_STA) {
5110 		/*
5111 		 * Local TSF is always updated with remote TSF on beacon
5112 		 * reception.
5113 		 */
5114 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5115 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5116 	        tmp |= RT2860_BCN_TX_EN;
5117 	        /*
5118 	         * Local TSF is updated with remote TSF on beacon reception
5119 	         * only if the remote TSF is greater than local TSF.
5120 	         */
5121 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5122 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5123 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5124 	        tmp |= RT2860_BCN_TX_EN;
5125 	        /* SYNC with nobody */
5126 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5127 	} else {
5128 		DPRINTF("Enabling TSF failed. undefined opmode\n");
5129 		return;
5130 	}
5131 
5132 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5133 }
5134 
5135 static void
5136 run_enable_mrr(struct run_softc *sc)
5137 {
5138 #define	CCK(mcs)	(mcs)
5139 #define	OFDM(mcs)	(1 << 3 | (mcs))
5140 	run_write(sc, RT2860_LG_FBK_CFG0,
5141 	    OFDM(6) << 28 |	/* 54->48 */
5142 	    OFDM(5) << 24 |	/* 48->36 */
5143 	    OFDM(4) << 20 |	/* 36->24 */
5144 	    OFDM(3) << 16 |	/* 24->18 */
5145 	    OFDM(2) << 12 |	/* 18->12 */
5146 	    OFDM(1) <<  8 |	/* 12-> 9 */
5147 	    OFDM(0) <<  4 |	/*  9-> 6 */
5148 	    OFDM(0));		/*  6-> 6 */
5149 
5150 	run_write(sc, RT2860_LG_FBK_CFG1,
5151 	    CCK(2) << 12 |	/* 11->5.5 */
5152 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5153 	    CCK(0) <<  4 |	/*   2-> 1 */
5154 	    CCK(0));		/*   1-> 1 */
5155 #undef OFDM
5156 #undef CCK
5157 }
5158 
5159 static void
5160 run_set_txpreamble(struct run_softc *sc)
5161 {
5162 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5163 	uint32_t tmp;
5164 
5165 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5166 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5167 		tmp |= RT2860_CCK_SHORT_EN;
5168 	else
5169 		tmp &= ~RT2860_CCK_SHORT_EN;
5170 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5171 }
5172 
5173 static void
5174 run_set_basicrates(struct run_softc *sc)
5175 {
5176 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5177 
5178 	/* set basic rates mask */
5179 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5180 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5181 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5182 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5183 	else	/* 11g */
5184 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5185 }
5186 
5187 static void
5188 run_set_leds(struct run_softc *sc, uint16_t which)
5189 {
5190 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5191 	    which | (sc->leds & 0x7f));
5192 }
5193 
5194 static void
5195 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5196 {
5197 	run_write(sc, RT2860_MAC_BSSID_DW0,
5198 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5199 	run_write(sc, RT2860_MAC_BSSID_DW1,
5200 	    bssid[4] | bssid[5] << 8);
5201 }
5202 
5203 static void
5204 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5205 {
5206 	run_write(sc, RT2860_MAC_ADDR_DW0,
5207 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5208 	run_write(sc, RT2860_MAC_ADDR_DW1,
5209 	    addr[4] | addr[5] << 8 | 0xff << 16);
5210 }
5211 
5212 static void
5213 run_updateslot(struct ifnet *ifp)
5214 {
5215 	struct run_softc *sc = ifp->if_softc;
5216 	struct ieee80211com *ic = ifp->if_l2com;
5217 	uint32_t i;
5218 
5219 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5220 	DPRINTF("cmdq_store=%d\n", i);
5221 	sc->cmdq[i].func = run_updateslot_cb;
5222 	sc->cmdq[i].arg0 = ifp;
5223 	ieee80211_runtask(ic, &sc->cmdq_task);
5224 
5225 	return;
5226 }
5227 
5228 /* ARGSUSED */
5229 static void
5230 run_updateslot_cb(void *arg)
5231 {
5232 	struct ifnet *ifp = arg;
5233 	struct run_softc *sc = ifp->if_softc;
5234 	struct ieee80211com *ic = ifp->if_l2com;
5235 	uint32_t tmp;
5236 
5237 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5238 	tmp &= ~0xff;
5239 	tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5240 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5241 }
5242 
5243 static void
5244 run_update_mcast(struct ifnet *ifp)
5245 {
5246 	/* h/w filter supports getting everything or nothing */
5247 	ifp->if_flags |= IFF_ALLMULTI;
5248 }
5249 
5250 static int8_t
5251 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5252 {
5253 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5254 	struct ieee80211_channel *c = ic->ic_curchan;
5255 	int delta;
5256 
5257 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5258 		u_int chan = ieee80211_chan2ieee(ic, c);
5259 		delta = sc->rssi_5ghz[rxchain];
5260 
5261 		/* determine channel group */
5262 		if (chan <= 64)
5263 			delta -= sc->lna[1];
5264 		else if (chan <= 128)
5265 			delta -= sc->lna[2];
5266 		else
5267 			delta -= sc->lna[3];
5268 	} else
5269 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5270 
5271 	return (-12 - delta - rssi);
5272 }
5273 
5274 static void
5275 run_rt5390_bbp_init(struct run_softc *sc)
5276 {
5277 	int i;
5278 	uint8_t bbp;
5279 
5280 	/* Apply maximum likelihood detection for 2 stream case. */
5281 	run_bbp_read(sc, 105, &bbp);
5282 	if (sc->nrxchains > 1)
5283 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5284 
5285 	/* Avoid data lost and CRC error. */
5286 	run_bbp_read(sc, 4, &bbp);
5287 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5288 
5289 	if (sc->mac_ver == 0x5592) {
5290 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5291 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5292 			    rt5592_def_bbp[i].val);
5293 		}
5294 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5295 			run_bbp_write(sc, 195, i + 0x80);
5296 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5297 		}
5298 	} else {
5299 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5300 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5301 			    rt5390_def_bbp[i].val);
5302 		}
5303 	}
5304 	if (sc->mac_ver == 0x5392) {
5305 		run_bbp_write(sc, 88, 0x90);
5306 		run_bbp_write(sc, 95, 0x9a);
5307 		run_bbp_write(sc, 98, 0x12);
5308 		run_bbp_write(sc, 106, 0x12);
5309 		run_bbp_write(sc, 134, 0xd0);
5310 		run_bbp_write(sc, 135, 0xf6);
5311 		run_bbp_write(sc, 148, 0x84);
5312 	}
5313 
5314 	run_bbp_read(sc, 152, &bbp);
5315 	run_bbp_write(sc, 152, bbp | 0x80);
5316 
5317 	/* Fix BBP254 for RT5592C. */
5318 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5319 		run_bbp_read(sc, 254, &bbp);
5320 		run_bbp_write(sc, 254, bbp | 0x80);
5321 	}
5322 
5323 	/* Disable hardware antenna diversity. */
5324 	if (sc->mac_ver == 0x5390)
5325 		run_bbp_write(sc, 154, 0);
5326 
5327 	/* Initialize Rx CCK/OFDM frequency offset report. */
5328 	run_bbp_write(sc, 142, 1);
5329 	run_bbp_write(sc, 143, 57);
5330 }
5331 
5332 static int
5333 run_bbp_init(struct run_softc *sc)
5334 {
5335 	int i, error, ntries;
5336 	uint8_t bbp0;
5337 
5338 	/* wait for BBP to wake up */
5339 	for (ntries = 0; ntries < 20; ntries++) {
5340 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5341 			return error;
5342 		if (bbp0 != 0 && bbp0 != 0xff)
5343 			break;
5344 	}
5345 	if (ntries == 20)
5346 		return (ETIMEDOUT);
5347 
5348 	/* initialize BBP registers to default values */
5349 	if (sc->mac_ver >= 0x5390)
5350 		run_rt5390_bbp_init(sc);
5351 	else {
5352 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5353 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5354 			    rt2860_def_bbp[i].val);
5355 		}
5356 	}
5357 
5358 	if (sc->mac_ver == 0x3593) {
5359 		run_bbp_write(sc, 79, 0x13);
5360 		run_bbp_write(sc, 80, 0x05);
5361 		run_bbp_write(sc, 81, 0x33);
5362 		run_bbp_write(sc, 86, 0x46);
5363 		run_bbp_write(sc, 137, 0x0f);
5364 	}
5365 
5366 	/* fix BBP84 for RT2860E */
5367 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5368 		run_bbp_write(sc, 84, 0x19);
5369 
5370 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5371 	    sc->mac_ver != 0x5592)) {
5372 		run_bbp_write(sc, 79, 0x13);
5373 		run_bbp_write(sc, 80, 0x05);
5374 		run_bbp_write(sc, 81, 0x33);
5375 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5376 		run_bbp_write(sc, 69, 0x16);
5377 		run_bbp_write(sc, 73, 0x12);
5378 	}
5379 	return (0);
5380 }
5381 
5382 static int
5383 run_rt3070_rf_init(struct run_softc *sc)
5384 {
5385 	uint32_t tmp;
5386 	uint8_t bbp4, mingain, rf, target;
5387 	int i;
5388 
5389 	run_rt3070_rf_read(sc, 30, &rf);
5390 	/* toggle RF R30 bit 7 */
5391 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5392 	run_delay(sc, 10);
5393 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5394 
5395 	/* initialize RF registers to default value */
5396 	if (sc->mac_ver == 0x3572) {
5397 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5398 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5399 			    rt3572_def_rf[i].val);
5400 		}
5401 	} else {
5402 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5403 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5404 			    rt3070_def_rf[i].val);
5405 		}
5406 	}
5407 
5408 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5409 		/*
5410 		 * Change voltage from 1.2V to 1.35V for RT3070.
5411 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5412 		 * in RT3070(F).
5413 		 */
5414 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5415 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5416 		run_write(sc, RT3070_LDO_CFG0, tmp);
5417 
5418 	} else if (sc->mac_ver == 0x3071) {
5419 		run_rt3070_rf_read(sc, 6, &rf);
5420 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5421 		run_rt3070_rf_write(sc, 31, 0x14);
5422 
5423 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5424 		tmp &= ~0x1f000000;
5425 		if (sc->mac_rev < 0x0211)
5426 			tmp |= 0x0d000000;	/* 1.3V */
5427 		else
5428 			tmp |= 0x01000000;	/* 1.2V */
5429 		run_write(sc, RT3070_LDO_CFG0, tmp);
5430 
5431 		/* patch LNA_PE_G1 */
5432 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5433 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5434 
5435 	} else if (sc->mac_ver == 0x3572) {
5436 		run_rt3070_rf_read(sc, 6, &rf);
5437 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5438 
5439 		/* increase voltage from 1.2V to 1.35V */
5440 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5441 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5442 		run_write(sc, RT3070_LDO_CFG0, tmp);
5443 
5444 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5445 			run_delay(sc, 1);	/* wait for 1msec */
5446 			/* decrease voltage back to 1.2V */
5447 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5448 			run_write(sc, RT3070_LDO_CFG0, tmp);
5449 		}
5450 	}
5451 
5452 	/* select 20MHz bandwidth */
5453 	run_rt3070_rf_read(sc, 31, &rf);
5454 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5455 
5456 	/* calibrate filter for 20MHz bandwidth */
5457 	sc->rf24_20mhz = 0x1f;	/* default value */
5458 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5459 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5460 
5461 	/* select 40MHz bandwidth */
5462 	run_bbp_read(sc, 4, &bbp4);
5463 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5464 	run_rt3070_rf_read(sc, 31, &rf);
5465 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5466 
5467 	/* calibrate filter for 40MHz bandwidth */
5468 	sc->rf24_40mhz = 0x2f;	/* default value */
5469 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5470 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5471 
5472 	/* go back to 20MHz bandwidth */
5473 	run_bbp_read(sc, 4, &bbp4);
5474 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5475 
5476 	if (sc->mac_ver == 0x3572) {
5477 		/* save default BBP registers 25 and 26 values */
5478 		run_bbp_read(sc, 25, &sc->bbp25);
5479 		run_bbp_read(sc, 26, &sc->bbp26);
5480 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5481 		run_rt3070_rf_write(sc, 27, 0x03);
5482 
5483 	run_read(sc, RT3070_OPT_14, &tmp);
5484 	run_write(sc, RT3070_OPT_14, tmp | 1);
5485 
5486 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5487 		run_rt3070_rf_read(sc, 17, &rf);
5488 		rf &= ~RT3070_TX_LO1;
5489 		if ((sc->mac_ver == 0x3070 ||
5490 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5491 		    !sc->ext_2ghz_lna)
5492 			rf |= 0x20;	/* fix for long range Rx issue */
5493 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5494 		if (sc->txmixgain_2ghz >= mingain)
5495 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5496 		run_rt3070_rf_write(sc, 17, rf);
5497 	}
5498 
5499 	if (sc->mac_ver == 0x3071) {
5500 		run_rt3070_rf_read(sc, 1, &rf);
5501 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5502 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5503 		run_rt3070_rf_write(sc, 1, rf);
5504 
5505 		run_rt3070_rf_read(sc, 15, &rf);
5506 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5507 
5508 		run_rt3070_rf_read(sc, 20, &rf);
5509 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5510 
5511 		run_rt3070_rf_read(sc, 21, &rf);
5512 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5513 	}
5514 
5515 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5516 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5517 		run_rt3070_rf_read(sc, 27, &rf);
5518 		rf &= ~0x77;
5519 		if (sc->mac_rev < 0x0211)
5520 			rf |= 0x03;
5521 		run_rt3070_rf_write(sc, 27, rf);
5522 	}
5523 	return (0);
5524 }
5525 
5526 static void
5527 run_rt3593_rf_init(struct run_softc *sc)
5528 {
5529 	uint32_t tmp;
5530 	uint8_t rf;
5531 	int i;
5532 
5533 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5534 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5535 	tmp &= ~(1 << 4 | 1 << 7);
5536 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5537 
5538 	/* Initialize RF registers to default value. */
5539 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5540 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5541 		    rt3593_def_rf[i].val);
5542 	}
5543 
5544 	/* Toggle RF R2 to initiate calibration. */
5545 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5546 
5547 	/* Initialize RF frequency offset. */
5548 	run_adjust_freq_offset(sc);
5549 
5550 	run_rt3070_rf_read(sc, 18, &rf);
5551 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5552 
5553 	/*
5554 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5555 	 * decrease voltage back to 1.2V.
5556 	 */
5557 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5558 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5559 	run_write(sc, RT3070_LDO_CFG0, tmp);
5560 	run_delay(sc, 1);
5561 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5562 	run_write(sc, RT3070_LDO_CFG0, tmp);
5563 
5564 	sc->rf24_20mhz = 0x1f;
5565 	sc->rf24_40mhz = 0x2f;
5566 
5567 	/* Save default BBP registers 25 and 26 values. */
5568 	run_bbp_read(sc, 25, &sc->bbp25);
5569 	run_bbp_read(sc, 26, &sc->bbp26);
5570 
5571 	run_read(sc, RT3070_OPT_14, &tmp);
5572 	run_write(sc, RT3070_OPT_14, tmp | 1);
5573 }
5574 
5575 static void
5576 run_rt5390_rf_init(struct run_softc *sc)
5577 {
5578 	uint32_t tmp;
5579 	uint8_t rf;
5580 	int i;
5581 
5582 	/* Toggle RF R2 to initiate calibration. */
5583 	if (sc->mac_ver == 0x5390) {
5584 		run_rt3070_rf_read(sc, 2, &rf);
5585 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5586 		run_delay(sc, 10);
5587 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5588 	} else {
5589 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5590 		run_delay(sc, 10);
5591 	}
5592 
5593 	/* Initialize RF registers to default value. */
5594 	if (sc->mac_ver == 0x5592) {
5595 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5596 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5597 			    rt5592_def_rf[i].val);
5598 		}
5599 		/* Initialize RF frequency offset. */
5600 		run_adjust_freq_offset(sc);
5601 	} else if (sc->mac_ver == 0x5392) {
5602 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5603 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5604 			    rt5392_def_rf[i].val);
5605 		}
5606 		if (sc->mac_rev >= 0x0223) {
5607 			run_rt3070_rf_write(sc, 23, 0x0f);
5608 			run_rt3070_rf_write(sc, 24, 0x3e);
5609 			run_rt3070_rf_write(sc, 51, 0x32);
5610 			run_rt3070_rf_write(sc, 53, 0x22);
5611 			run_rt3070_rf_write(sc, 56, 0xc1);
5612 			run_rt3070_rf_write(sc, 59, 0x0f);
5613 		}
5614 	} else {
5615 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5616 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5617 			    rt5390_def_rf[i].val);
5618 		}
5619 		if (sc->mac_rev >= 0x0502) {
5620 			run_rt3070_rf_write(sc, 6, 0xe0);
5621 			run_rt3070_rf_write(sc, 25, 0x80);
5622 			run_rt3070_rf_write(sc, 46, 0x73);
5623 			run_rt3070_rf_write(sc, 53, 0x00);
5624 			run_rt3070_rf_write(sc, 56, 0x42);
5625 			run_rt3070_rf_write(sc, 61, 0xd1);
5626 		}
5627 	}
5628 
5629 	sc->rf24_20mhz = 0x1f;	/* default value */
5630 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5631 
5632 	if (sc->mac_rev < 0x0211)
5633 		run_rt3070_rf_write(sc, 27, 0x3);
5634 
5635 	run_read(sc, RT3070_OPT_14, &tmp);
5636 	run_write(sc, RT3070_OPT_14, tmp | 1);
5637 }
5638 
5639 static int
5640 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5641     uint8_t *val)
5642 {
5643 	uint8_t rf22, rf24;
5644 	uint8_t bbp55_pb, bbp55_sb, delta;
5645 	int ntries;
5646 
5647 	/* program filter */
5648 	run_rt3070_rf_read(sc, 24, &rf24);
5649 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5650 	run_rt3070_rf_write(sc, 24, rf24);
5651 
5652 	/* enable baseband loopback mode */
5653 	run_rt3070_rf_read(sc, 22, &rf22);
5654 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5655 
5656 	/* set power and frequency of passband test tone */
5657 	run_bbp_write(sc, 24, 0x00);
5658 	for (ntries = 0; ntries < 100; ntries++) {
5659 		/* transmit test tone */
5660 		run_bbp_write(sc, 25, 0x90);
5661 		run_delay(sc, 10);
5662 		/* read received power */
5663 		run_bbp_read(sc, 55, &bbp55_pb);
5664 		if (bbp55_pb != 0)
5665 			break;
5666 	}
5667 	if (ntries == 100)
5668 		return (ETIMEDOUT);
5669 
5670 	/* set power and frequency of stopband test tone */
5671 	run_bbp_write(sc, 24, 0x06);
5672 	for (ntries = 0; ntries < 100; ntries++) {
5673 		/* transmit test tone */
5674 		run_bbp_write(sc, 25, 0x90);
5675 		run_delay(sc, 10);
5676 		/* read received power */
5677 		run_bbp_read(sc, 55, &bbp55_sb);
5678 
5679 		delta = bbp55_pb - bbp55_sb;
5680 		if (delta > target)
5681 			break;
5682 
5683 		/* reprogram filter */
5684 		rf24++;
5685 		run_rt3070_rf_write(sc, 24, rf24);
5686 	}
5687 	if (ntries < 100) {
5688 		if (rf24 != init)
5689 			rf24--;	/* backtrack */
5690 		*val = rf24;
5691 		run_rt3070_rf_write(sc, 24, rf24);
5692 	}
5693 
5694 	/* restore initial state */
5695 	run_bbp_write(sc, 24, 0x00);
5696 
5697 	/* disable baseband loopback mode */
5698 	run_rt3070_rf_read(sc, 22, &rf22);
5699 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5700 
5701 	return (0);
5702 }
5703 
5704 static void
5705 run_rt3070_rf_setup(struct run_softc *sc)
5706 {
5707 	uint8_t bbp, rf;
5708 	int i;
5709 
5710 	if (sc->mac_ver == 0x3572) {
5711 		/* enable DC filter */
5712 		if (sc->mac_rev >= 0x0201)
5713 			run_bbp_write(sc, 103, 0xc0);
5714 
5715 		run_bbp_read(sc, 138, &bbp);
5716 		if (sc->ntxchains == 1)
5717 			bbp |= 0x20;	/* turn off DAC1 */
5718 		if (sc->nrxchains == 1)
5719 			bbp &= ~0x02;	/* turn off ADC1 */
5720 		run_bbp_write(sc, 138, bbp);
5721 
5722 		if (sc->mac_rev >= 0x0211) {
5723 			/* improve power consumption */
5724 			run_bbp_read(sc, 31, &bbp);
5725 			run_bbp_write(sc, 31, bbp & ~0x03);
5726 		}
5727 
5728 		run_rt3070_rf_read(sc, 16, &rf);
5729 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5730 		run_rt3070_rf_write(sc, 16, rf);
5731 
5732 	} else if (sc->mac_ver == 0x3071) {
5733 		if (sc->mac_rev >= 0x0211) {
5734 			/* enable DC filter */
5735 			run_bbp_write(sc, 103, 0xc0);
5736 
5737 			/* improve power consumption */
5738 			run_bbp_read(sc, 31, &bbp);
5739 			run_bbp_write(sc, 31, bbp & ~0x03);
5740 		}
5741 
5742 		run_bbp_read(sc, 138, &bbp);
5743 		if (sc->ntxchains == 1)
5744 			bbp |= 0x20;	/* turn off DAC1 */
5745 		if (sc->nrxchains == 1)
5746 			bbp &= ~0x02;	/* turn off ADC1 */
5747 		run_bbp_write(sc, 138, bbp);
5748 
5749 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5750 		if (sc->mac_rev < 0x0211) {
5751 			run_write(sc, RT2860_TX_SW_CFG2,
5752 			    sc->patch_dac ? 0x2c : 0x0f);
5753 		} else
5754 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5755 
5756 	} else if (sc->mac_ver == 0x3070) {
5757 		if (sc->mac_rev >= 0x0201) {
5758 			/* enable DC filter */
5759 			run_bbp_write(sc, 103, 0xc0);
5760 
5761 			/* improve power consumption */
5762 			run_bbp_read(sc, 31, &bbp);
5763 			run_bbp_write(sc, 31, bbp & ~0x03);
5764 		}
5765 
5766 		if (sc->mac_rev < 0x0201) {
5767 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5768 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5769 		} else
5770 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5771 	}
5772 
5773 	/* initialize RF registers from ROM for >=RT3071*/
5774 	if (sc->mac_ver >= 0x3071) {
5775 		for (i = 0; i < 10; i++) {
5776 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5777 				continue;
5778 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5779 		}
5780 	}
5781 }
5782 
5783 static void
5784 run_rt3593_rf_setup(struct run_softc *sc)
5785 {
5786 	uint8_t bbp, rf;
5787 
5788 	if (sc->mac_rev >= 0x0211) {
5789 		/* Enable DC filter. */
5790 		run_bbp_write(sc, 103, 0xc0);
5791 	}
5792 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5793 	if (sc->mac_rev < 0x0211) {
5794 		run_write(sc, RT2860_TX_SW_CFG2,
5795 		    sc->patch_dac ? 0x2c : 0x0f);
5796 	} else
5797 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5798 
5799 	run_rt3070_rf_read(sc, 50, &rf);
5800 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5801 
5802 	run_rt3070_rf_read(sc, 51, &rf);
5803 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5804 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5805 	run_rt3070_rf_write(sc, 51, rf);
5806 
5807 	run_rt3070_rf_read(sc, 38, &rf);
5808 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5809 
5810 	run_rt3070_rf_read(sc, 39, &rf);
5811 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5812 
5813 	run_rt3070_rf_read(sc, 1, &rf);
5814 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5815 
5816 	run_rt3070_rf_read(sc, 30, &rf);
5817 	rf = (rf & ~0x18) | 0x10;
5818 	run_rt3070_rf_write(sc, 30, rf);
5819 
5820 	/* Apply maximum likelihood detection for 2 stream case. */
5821 	run_bbp_read(sc, 105, &bbp);
5822 	if (sc->nrxchains > 1)
5823 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5824 
5825 	/* Avoid data lost and CRC error. */
5826 	run_bbp_read(sc, 4, &bbp);
5827 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5828 
5829 	run_bbp_write(sc, 92, 0x02);
5830 	run_bbp_write(sc, 82, 0x82);
5831 	run_bbp_write(sc, 106, 0x05);
5832 	run_bbp_write(sc, 104, 0x92);
5833 	run_bbp_write(sc, 88, 0x90);
5834 	run_bbp_write(sc, 148, 0xc8);
5835 	run_bbp_write(sc, 47, 0x48);
5836 	run_bbp_write(sc, 120, 0x50);
5837 
5838 	run_bbp_write(sc, 163, 0x9d);
5839 
5840 	/* SNR mapping. */
5841 	run_bbp_write(sc, 142, 0x06);
5842 	run_bbp_write(sc, 143, 0xa0);
5843 	run_bbp_write(sc, 142, 0x07);
5844 	run_bbp_write(sc, 143, 0xa1);
5845 	run_bbp_write(sc, 142, 0x08);
5846 	run_bbp_write(sc, 143, 0xa2);
5847 
5848 	run_bbp_write(sc, 31, 0x08);
5849 	run_bbp_write(sc, 68, 0x0b);
5850 	run_bbp_write(sc, 105, 0x04);
5851 }
5852 
5853 static void
5854 run_rt5390_rf_setup(struct run_softc *sc)
5855 {
5856 	uint8_t bbp, rf;
5857 
5858 	if (sc->mac_rev >= 0x0211) {
5859 		/* Enable DC filter. */
5860 		run_bbp_write(sc, 103, 0xc0);
5861 
5862 		if (sc->mac_ver != 0x5592) {
5863 			/* Improve power consumption. */
5864 			run_bbp_read(sc, 31, &bbp);
5865 			run_bbp_write(sc, 31, bbp & ~0x03);
5866 		}
5867 	}
5868 
5869 	run_bbp_read(sc, 138, &bbp);
5870 	if (sc->ntxchains == 1)
5871 		bbp |= 0x20;	/* turn off DAC1 */
5872 	if (sc->nrxchains == 1)
5873 		bbp &= ~0x02;	/* turn off ADC1 */
5874 	run_bbp_write(sc, 138, bbp);
5875 
5876 	run_rt3070_rf_read(sc, 38, &rf);
5877 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5878 
5879 	run_rt3070_rf_read(sc, 39, &rf);
5880 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5881 
5882 	/* Avoid data lost and CRC error. */
5883 	run_bbp_read(sc, 4, &bbp);
5884 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5885 
5886 	run_rt3070_rf_read(sc, 30, &rf);
5887 	rf = (rf & ~0x18) | 0x10;
5888 	run_rt3070_rf_write(sc, 30, rf);
5889 
5890 	if (sc->mac_ver != 0x5592) {
5891 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5892 		if (sc->mac_rev < 0x0211) {
5893 			run_write(sc, RT2860_TX_SW_CFG2,
5894 			    sc->patch_dac ? 0x2c : 0x0f);
5895 		} else
5896 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5897 	}
5898 }
5899 
5900 static int
5901 run_txrx_enable(struct run_softc *sc)
5902 {
5903 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5904 	uint32_t tmp;
5905 	int error, ntries;
5906 
5907 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5908 	for (ntries = 0; ntries < 200; ntries++) {
5909 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5910 			return (error);
5911 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5912 			break;
5913 		run_delay(sc, 50);
5914 	}
5915 	if (ntries == 200)
5916 		return (ETIMEDOUT);
5917 
5918 	run_delay(sc, 50);
5919 
5920 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5921 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5922 
5923 	/* enable Rx bulk aggregation (set timeout and limit) */
5924 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5925 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5926 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5927 
5928 	/* set Rx filter */
5929 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5930 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5931 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5932 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5933 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5934 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5935 		if (ic->ic_opmode == IEEE80211_M_STA)
5936 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5937 	}
5938 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5939 
5940 	run_write(sc, RT2860_MAC_SYS_CTRL,
5941 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5942 
5943 	return (0);
5944 }
5945 
5946 static void
5947 run_adjust_freq_offset(struct run_softc *sc)
5948 {
5949 	uint8_t rf, tmp;
5950 
5951 	run_rt3070_rf_read(sc, 17, &rf);
5952 	tmp = rf;
5953 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5954 	rf = MIN(rf, 0x5f);
5955 
5956 	if (tmp != rf)
5957 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5958 }
5959 
5960 static void
5961 run_init_locked(struct run_softc *sc)
5962 {
5963 	struct ifnet *ifp = sc->sc_ifp;
5964 	struct ieee80211com *ic = ifp->if_l2com;
5965 	uint32_t tmp;
5966 	uint8_t bbp1, bbp3;
5967 	int i;
5968 	int ridx;
5969 	int ntries;
5970 
5971 	if (ic->ic_nrunning > 1)
5972 		return;
5973 
5974 	run_stop(sc);
5975 
5976 	if (run_load_microcode(sc) != 0) {
5977 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5978 		goto fail;
5979 	}
5980 
5981 	for (ntries = 0; ntries < 100; ntries++) {
5982 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5983 			goto fail;
5984 		if (tmp != 0 && tmp != 0xffffffff)
5985 			break;
5986 		run_delay(sc, 10);
5987 	}
5988 	if (ntries == 100)
5989 		goto fail;
5990 
5991 	for (i = 0; i != RUN_EP_QUEUES; i++)
5992 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5993 
5994 	run_set_macaddr(sc, IF_LLADDR(ifp));
5995 
5996 	for (ntries = 0; ntries < 100; ntries++) {
5997 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5998 			goto fail;
5999 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6000 			break;
6001 		run_delay(sc, 10);
6002 	}
6003 	if (ntries == 100) {
6004 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6005 		goto fail;
6006 	}
6007 	tmp &= 0xff0;
6008 	tmp |= RT2860_TX_WB_DDONE;
6009 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6010 
6011 	/* turn off PME_OEN to solve high-current issue */
6012 	run_read(sc, RT2860_SYS_CTRL, &tmp);
6013 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
6014 
6015 	run_write(sc, RT2860_MAC_SYS_CTRL,
6016 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
6017 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6018 
6019 	if (run_reset(sc) != 0) {
6020 		device_printf(sc->sc_dev, "could not reset chipset\n");
6021 		goto fail;
6022 	}
6023 
6024 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6025 
6026 	/* init Tx power for all Tx rates (from EEPROM) */
6027 	for (ridx = 0; ridx < 5; ridx++) {
6028 		if (sc->txpow20mhz[ridx] == 0xffffffff)
6029 			continue;
6030 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6031 	}
6032 
6033 	for (i = 0; i < nitems(rt2870_def_mac); i++)
6034 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6035 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6036 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6037 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6038 
6039 	if (sc->mac_ver >= 0x5390) {
6040 		run_write(sc, RT2860_TX_SW_CFG0,
6041 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6042 		if (sc->mac_ver >= 0x5392) {
6043 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6044 			if (sc->mac_ver == 0x5592) {
6045 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6046 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6047 			} else {
6048 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6049 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6050 			}
6051 		}
6052 	} else if (sc->mac_ver == 0x3593) {
6053 		run_write(sc, RT2860_TX_SW_CFG0,
6054 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6055 	} else if (sc->mac_ver >= 0x3070) {
6056 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6057 		run_write(sc, RT2860_TX_SW_CFG0,
6058 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6059 	}
6060 
6061 	/* wait while MAC is busy */
6062 	for (ntries = 0; ntries < 100; ntries++) {
6063 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6064 			goto fail;
6065 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6066 			break;
6067 		run_delay(sc, 10);
6068 	}
6069 	if (ntries == 100)
6070 		goto fail;
6071 
6072 	/* clear Host to MCU mailbox */
6073 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6074 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6075 	run_delay(sc, 10);
6076 
6077 	if (run_bbp_init(sc) != 0) {
6078 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6079 		goto fail;
6080 	}
6081 
6082 	/* abort TSF synchronization */
6083 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6084 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6085 	    RT2860_TBTT_TIMER_EN);
6086 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6087 
6088 	/* clear RX WCID search table */
6089 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6090 	/* clear WCID attribute table */
6091 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6092 
6093 	/* hostapd sets a key before init. So, don't clear it. */
6094 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6095 		/* clear shared key table */
6096 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6097 		/* clear shared key mode */
6098 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6099 	}
6100 
6101 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6102 	tmp = (tmp & ~0xff) | 0x1e;
6103 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6104 
6105 	if (sc->mac_rev != 0x0101)
6106 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6107 
6108 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6109 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6110 
6111 	/* write vendor-specific BBP values (from EEPROM) */
6112 	if (sc->mac_ver < 0x3593) {
6113 		for (i = 0; i < 10; i++) {
6114 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6115 				continue;
6116 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6117 		}
6118 	}
6119 
6120 	/* select Main antenna for 1T1R devices */
6121 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6122 		run_set_rx_antenna(sc, 0);
6123 
6124 	/* send LEDs operating mode to microcontroller */
6125 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6126 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6127 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6128 
6129 	if (sc->mac_ver >= 0x5390)
6130 		run_rt5390_rf_init(sc);
6131 	else if (sc->mac_ver == 0x3593)
6132 		run_rt3593_rf_init(sc);
6133 	else if (sc->mac_ver >= 0x3070)
6134 		run_rt3070_rf_init(sc);
6135 
6136 	/* disable non-existing Rx chains */
6137 	run_bbp_read(sc, 3, &bbp3);
6138 	bbp3 &= ~(1 << 3 | 1 << 4);
6139 	if (sc->nrxchains == 2)
6140 		bbp3 |= 1 << 3;
6141 	else if (sc->nrxchains == 3)
6142 		bbp3 |= 1 << 4;
6143 	run_bbp_write(sc, 3, bbp3);
6144 
6145 	/* disable non-existing Tx chains */
6146 	run_bbp_read(sc, 1, &bbp1);
6147 	if (sc->ntxchains == 1)
6148 		bbp1 &= ~(1 << 3 | 1 << 4);
6149 	run_bbp_write(sc, 1, bbp1);
6150 
6151 	if (sc->mac_ver >= 0x5390)
6152 		run_rt5390_rf_setup(sc);
6153 	else if (sc->mac_ver == 0x3593)
6154 		run_rt3593_rf_setup(sc);
6155 	else if (sc->mac_ver >= 0x3070)
6156 		run_rt3070_rf_setup(sc);
6157 
6158 	/* select default channel */
6159 	run_set_chan(sc, ic->ic_curchan);
6160 
6161 	/* setup initial protection mode */
6162 	run_updateprot_cb(ic);
6163 
6164 	/* turn radio LED on */
6165 	run_set_leds(sc, RT2860_LED_RADIO);
6166 
6167 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6168 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
6169 	sc->cmdq_run = RUN_CMDQ_GO;
6170 
6171 	for (i = 0; i != RUN_N_XFER; i++)
6172 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6173 
6174 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6175 
6176 	if (run_txrx_enable(sc) != 0)
6177 		goto fail;
6178 
6179 	return;
6180 
6181 fail:
6182 	run_stop(sc);
6183 }
6184 
6185 static void
6186 run_init(void *arg)
6187 {
6188 	struct run_softc *sc = arg;
6189 	struct ifnet *ifp = sc->sc_ifp;
6190 	struct ieee80211com *ic = ifp->if_l2com;
6191 
6192 	RUN_LOCK(sc);
6193 	run_init_locked(sc);
6194 	RUN_UNLOCK(sc);
6195 
6196 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6197 		ieee80211_start_all(ic);
6198 }
6199 
6200 static void
6201 run_stop(void *arg)
6202 {
6203 	struct run_softc *sc = (struct run_softc *)arg;
6204 	struct ifnet *ifp = sc->sc_ifp;
6205 	uint32_t tmp;
6206 	int i;
6207 	int ntries;
6208 
6209 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6210 
6211 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6212 		run_set_leds(sc, 0);	/* turn all LEDs off */
6213 
6214 	ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6215 
6216 	sc->ratectl_run = RUN_RATECTL_OFF;
6217 	sc->cmdq_run = sc->cmdq_key_set;
6218 
6219 	RUN_UNLOCK(sc);
6220 
6221 	for(i = 0; i < RUN_N_XFER; i++)
6222 		usbd_transfer_drain(sc->sc_xfer[i]);
6223 
6224 	RUN_LOCK(sc);
6225 
6226 	if (sc->rx_m != NULL) {
6227 		m_free(sc->rx_m);
6228 		sc->rx_m = NULL;
6229 	}
6230 
6231 	/* Disable Tx/Rx DMA. */
6232 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6233 		return;
6234 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6235 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6236 
6237 	for (ntries = 0; ntries < 100; ntries++) {
6238 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6239 			return;
6240 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6241 				break;
6242 		run_delay(sc, 10);
6243 	}
6244 	if (ntries == 100) {
6245 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6246 		return;
6247 	}
6248 
6249 	/* disable Tx/Rx */
6250 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6251 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6252 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6253 
6254 	/* wait for pending Tx to complete */
6255 	for (ntries = 0; ntries < 100; ntries++) {
6256 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6257 			DPRINTF("Cannot read Tx queue count\n");
6258 			break;
6259 		}
6260 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6261 			DPRINTF("All Tx cleared\n");
6262 			break;
6263 		}
6264 		run_delay(sc, 10);
6265 	}
6266 	if (ntries >= 100)
6267 		DPRINTF("There are still pending Tx\n");
6268 	run_delay(sc, 10);
6269 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6270 
6271 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6272 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6273 
6274 	for (i = 0; i != RUN_EP_QUEUES; i++)
6275 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6276 }
6277 
6278 static void
6279 run_delay(struct run_softc *sc, u_int ms)
6280 {
6281 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6282 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6283 }
6284 
6285 static device_method_t run_methods[] = {
6286 	/* Device interface */
6287 	DEVMETHOD(device_probe,		run_match),
6288 	DEVMETHOD(device_attach,	run_attach),
6289 	DEVMETHOD(device_detach,	run_detach),
6290 	DEVMETHOD_END
6291 };
6292 
6293 static driver_t run_driver = {
6294 	.name = "run",
6295 	.methods = run_methods,
6296 	.size = sizeof(struct run_softc)
6297 };
6298 
6299 static devclass_t run_devclass;
6300 
6301 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6302 MODULE_DEPEND(run, wlan, 1, 1, 1);
6303 MODULE_DEPEND(run, usb, 1, 1, 1);
6304 MODULE_DEPEND(run, firmware, 1, 1, 1);
6305 MODULE_VERSION(run, 1);
6306