xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision c6a33c8e88c5684876e670c8189d03ad25108d8a)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RWTUN, &run_debug, 0,
88     "run debug level");
89 #endif
90 
91 #define	IEEE80211_HAS_ADDR4(wh)	IEEE80211_IS_DSTODS(wh)
92 
93 /*
94  * Because of LOR in run_key_delete(), use atomic instead.
95  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
96  */
97 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
98 
99 static const STRUCT_USB_HOST_ID run_devs[] = {
100 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
101 #define	RUN_DEV_EJECT(v,p)	\
102 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, RUN_EJECT) }
103 #define	RUN_EJECT	1
104     RUN_DEV(ABOCOM,		RT2770),
105     RUN_DEV(ABOCOM,		RT2870),
106     RUN_DEV(ABOCOM,		RT3070),
107     RUN_DEV(ABOCOM,		RT3071),
108     RUN_DEV(ABOCOM,		RT3072),
109     RUN_DEV(ABOCOM2,		RT2870_1),
110     RUN_DEV(ACCTON,		RT2770),
111     RUN_DEV(ACCTON,		RT2870_1),
112     RUN_DEV(ACCTON,		RT2870_2),
113     RUN_DEV(ACCTON,		RT2870_3),
114     RUN_DEV(ACCTON,		RT2870_4),
115     RUN_DEV(ACCTON,		RT2870_5),
116     RUN_DEV(ACCTON,		RT3070),
117     RUN_DEV(ACCTON,		RT3070_1),
118     RUN_DEV(ACCTON,		RT3070_2),
119     RUN_DEV(ACCTON,		RT3070_3),
120     RUN_DEV(ACCTON,		RT3070_4),
121     RUN_DEV(ACCTON,		RT3070_5),
122     RUN_DEV(AIRTIES,		RT3070),
123     RUN_DEV(ALLWIN,		RT2070),
124     RUN_DEV(ALLWIN,		RT2770),
125     RUN_DEV(ALLWIN,		RT2870),
126     RUN_DEV(ALLWIN,		RT3070),
127     RUN_DEV(ALLWIN,		RT3071),
128     RUN_DEV(ALLWIN,		RT3072),
129     RUN_DEV(ALLWIN,		RT3572),
130     RUN_DEV(AMIGO,		RT2870_1),
131     RUN_DEV(AMIGO,		RT2870_2),
132     RUN_DEV(AMIT,		CGWLUSB2GNR),
133     RUN_DEV(AMIT,		RT2870_1),
134     RUN_DEV(AMIT2,		RT2870),
135     RUN_DEV(ASUS,		RT2870_1),
136     RUN_DEV(ASUS,		RT2870_2),
137     RUN_DEV(ASUS,		RT2870_3),
138     RUN_DEV(ASUS,		RT2870_4),
139     RUN_DEV(ASUS,		RT2870_5),
140     RUN_DEV(ASUS,		USBN13),
141     RUN_DEV(ASUS,		RT3070_1),
142     RUN_DEV(ASUS,		USBN66),
143     RUN_DEV(ASUS,		USB_N53),
144     RUN_DEV(ASUS2,		USBN11),
145     RUN_DEV(AZUREWAVE,		RT2870_1),
146     RUN_DEV(AZUREWAVE,		RT2870_2),
147     RUN_DEV(AZUREWAVE,		RT3070_1),
148     RUN_DEV(AZUREWAVE,		RT3070_2),
149     RUN_DEV(AZUREWAVE,		RT3070_3),
150     RUN_DEV(BELKIN,		F9L1103),
151     RUN_DEV(BELKIN,		F5D8053V3),
152     RUN_DEV(BELKIN,		F5D8055),
153     RUN_DEV(BELKIN,		F5D8055V2),
154     RUN_DEV(BELKIN,		F6D4050V1),
155     RUN_DEV(BELKIN,		F6D4050V2),
156     RUN_DEV(BELKIN,		RT2870_1),
157     RUN_DEV(BELKIN,		RT2870_2),
158     RUN_DEV(CISCOLINKSYS,	AE1000),
159     RUN_DEV(CISCOLINKSYS2,	RT3070),
160     RUN_DEV(CISCOLINKSYS3,	RT3070),
161     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
164     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
165     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
166     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
167     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
168     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
169     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
170     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
171     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
172     RUN_DEV(COREGA,		CGWLUSB300GNM),
173     RUN_DEV(COREGA,		RT2870_1),
174     RUN_DEV(COREGA,		RT2870_2),
175     RUN_DEV(COREGA,		RT2870_3),
176     RUN_DEV(COREGA,		RT3070),
177     RUN_DEV(CYBERTAN,		RT2870),
178     RUN_DEV(DLINK,		RT2870),
179     RUN_DEV(DLINK,		RT3072),
180     RUN_DEV(DLINK,		DWA127),
181     RUN_DEV(DLINK,		DWA140B3),
182     RUN_DEV(DLINK,		DWA160B2),
183     RUN_DEV(DLINK,		DWA140D1),
184     RUN_DEV(DLINK,		DWA162),
185     RUN_DEV(DLINK2,		DWA130),
186     RUN_DEV(DLINK2,		RT2870_1),
187     RUN_DEV(DLINK2,		RT2870_2),
188     RUN_DEV(DLINK2,		RT3070_1),
189     RUN_DEV(DLINK2,		RT3070_2),
190     RUN_DEV(DLINK2,		RT3070_3),
191     RUN_DEV(DLINK2,		RT3070_4),
192     RUN_DEV(DLINK2,		RT3070_5),
193     RUN_DEV(DLINK2,		RT3072),
194     RUN_DEV(DLINK2,		RT3072_1),
195     RUN_DEV(EDIMAX,		EW7717),
196     RUN_DEV(EDIMAX,		EW7718),
197     RUN_DEV(EDIMAX,		EW7733UND),
198     RUN_DEV(EDIMAX,		RT2870_1),
199     RUN_DEV(ENCORE,		RT3070_1),
200     RUN_DEV(ENCORE,		RT3070_2),
201     RUN_DEV(ENCORE,		RT3070_3),
202     RUN_DEV(GIGABYTE,		GNWB31N),
203     RUN_DEV(GIGABYTE,		GNWB32L),
204     RUN_DEV(GIGABYTE,		RT2870_1),
205     RUN_DEV(GIGASET,		RT3070_1),
206     RUN_DEV(GIGASET,		RT3070_2),
207     RUN_DEV(GUILLEMOT,		HWNU300),
208     RUN_DEV(HAWKING,		HWUN2),
209     RUN_DEV(HAWKING,		RT2870_1),
210     RUN_DEV(HAWKING,		RT2870_2),
211     RUN_DEV(HAWKING,		RT3070),
212     RUN_DEV(IODATA,		RT3072_1),
213     RUN_DEV(IODATA,		RT3072_2),
214     RUN_DEV(IODATA,		RT3072_3),
215     RUN_DEV(IODATA,		RT3072_4),
216     RUN_DEV(LINKSYS4,		RT3070),
217     RUN_DEV(LINKSYS4,		WUSB100),
218     RUN_DEV(LINKSYS4,		WUSB54GCV3),
219     RUN_DEV(LINKSYS4,		WUSB600N),
220     RUN_DEV(LINKSYS4,		WUSB600NV2),
221     RUN_DEV(LOGITEC,		RT2870_1),
222     RUN_DEV(LOGITEC,		RT2870_2),
223     RUN_DEV(LOGITEC,		RT2870_3),
224     RUN_DEV(LOGITEC,		LANW300NU2),
225     RUN_DEV(LOGITEC,		LANW150NU2),
226     RUN_DEV(LOGITEC,		LANW300NU2S),
227     RUN_DEV(MELCO,		WLIUCG300HP),
228     RUN_DEV(MELCO,		RT2870_2),
229     RUN_DEV(MELCO,		WLIUCAG300N),
230     RUN_DEV(MELCO,		WLIUCG300N),
231     RUN_DEV(MELCO,		WLIUCG301N),
232     RUN_DEV(MELCO,		WLIUCGN),
233     RUN_DEV(MELCO,		WLIUCGNM),
234     RUN_DEV(MELCO,		WLIUCG300HPV1),
235     RUN_DEV(MELCO,		WLIUCGNM2),
236     RUN_DEV(MOTOROLA4,		RT2770),
237     RUN_DEV(MOTOROLA4,		RT3070),
238     RUN_DEV(MSI,		RT3070_1),
239     RUN_DEV(MSI,		RT3070_2),
240     RUN_DEV(MSI,		RT3070_3),
241     RUN_DEV(MSI,		RT3070_4),
242     RUN_DEV(MSI,		RT3070_5),
243     RUN_DEV(MSI,		RT3070_6),
244     RUN_DEV(MSI,		RT3070_7),
245     RUN_DEV(MSI,		RT3070_8),
246     RUN_DEV(MSI,		RT3070_9),
247     RUN_DEV(MSI,		RT3070_10),
248     RUN_DEV(MSI,		RT3070_11),
249     RUN_DEV(NETGEAR,		WNDA4100),
250     RUN_DEV(OVISLINK,		RT3072),
251     RUN_DEV(PARA,		RT3070),
252     RUN_DEV(PEGATRON,		RT2870),
253     RUN_DEV(PEGATRON,		RT3070),
254     RUN_DEV(PEGATRON,		RT3070_2),
255     RUN_DEV(PEGATRON,		RT3070_3),
256     RUN_DEV(PHILIPS,		RT2870),
257     RUN_DEV(PLANEX2,		GWUS300MINIS),
258     RUN_DEV(PLANEX2,		GWUSMICRON),
259     RUN_DEV(PLANEX2,		RT2870),
260     RUN_DEV(PLANEX2,		RT3070),
261     RUN_DEV(QCOM,		RT2870),
262     RUN_DEV(QUANTA,		RT3070),
263     RUN_DEV(RALINK,		RT2070),
264     RUN_DEV(RALINK,		RT2770),
265     RUN_DEV(RALINK,		RT2870),
266     RUN_DEV(RALINK,		RT3070),
267     RUN_DEV(RALINK,		RT3071),
268     RUN_DEV(RALINK,		RT3072),
269     RUN_DEV(RALINK,		RT3370),
270     RUN_DEV(RALINK,		RT3572),
271     RUN_DEV(RALINK,		RT3573),
272     RUN_DEV(RALINK,		RT5370),
273     RUN_DEV(RALINK,		RT5572),
274     RUN_DEV(RALINK,		RT8070),
275     RUN_DEV(SAMSUNG,		WIS09ABGN),
276     RUN_DEV(SAMSUNG2,		RT2870_1),
277     RUN_DEV(SENAO,		RT2870_1),
278     RUN_DEV(SENAO,		RT2870_2),
279     RUN_DEV(SENAO,		RT2870_3),
280     RUN_DEV(SENAO,		RT2870_4),
281     RUN_DEV(SENAO,		RT3070),
282     RUN_DEV(SENAO,		RT3071),
283     RUN_DEV(SENAO,		RT3072_1),
284     RUN_DEV(SENAO,		RT3072_2),
285     RUN_DEV(SENAO,		RT3072_3),
286     RUN_DEV(SENAO,		RT3072_4),
287     RUN_DEV(SENAO,		RT3072_5),
288     RUN_DEV(SITECOMEU,		RT2770),
289     RUN_DEV(SITECOMEU,		RT2870_1),
290     RUN_DEV(SITECOMEU,		RT2870_2),
291     RUN_DEV(SITECOMEU,		RT2870_3),
292     RUN_DEV(SITECOMEU,		RT2870_4),
293     RUN_DEV(SITECOMEU,		RT3070),
294     RUN_DEV(SITECOMEU,		RT3070_2),
295     RUN_DEV(SITECOMEU,		RT3070_3),
296     RUN_DEV(SITECOMEU,		RT3070_4),
297     RUN_DEV(SITECOMEU,		RT3071),
298     RUN_DEV(SITECOMEU,		RT3072_1),
299     RUN_DEV(SITECOMEU,		RT3072_2),
300     RUN_DEV(SITECOMEU,		RT3072_3),
301     RUN_DEV(SITECOMEU,		RT3072_4),
302     RUN_DEV(SITECOMEU,		RT3072_5),
303     RUN_DEV(SITECOMEU,		RT3072_6),
304     RUN_DEV(SITECOMEU,		WL608),
305     RUN_DEV(SPARKLAN,		RT2870_1),
306     RUN_DEV(SPARKLAN,		RT3070),
307     RUN_DEV(SWEEX2,		LW153),
308     RUN_DEV(SWEEX2,		LW303),
309     RUN_DEV(SWEEX2,		LW313),
310     RUN_DEV(TOSHIBA,		RT3070),
311     RUN_DEV(UMEDIA,		RT2870_1),
312     RUN_DEV(ZCOM,		RT2870_1),
313     RUN_DEV(ZCOM,		RT2870_2),
314     RUN_DEV(ZINWELL,		RT2870_1),
315     RUN_DEV(ZINWELL,		RT2870_2),
316     RUN_DEV(ZINWELL,		RT3070),
317     RUN_DEV(ZINWELL,		RT3072_1),
318     RUN_DEV(ZINWELL,		RT3072_2),
319     RUN_DEV(ZYXEL,		RT2870_1),
320     RUN_DEV(ZYXEL,		RT2870_2),
321     RUN_DEV(ZYXEL,		RT3070),
322     RUN_DEV_EJECT(ZYXEL,	NWD2705),
323     RUN_DEV_EJECT(RALINK,	RT_STOR),
324 #undef RUN_DEV_EJECT
325 #undef RUN_DEV
326 };
327 
328 static device_probe_t	run_match;
329 static device_attach_t	run_attach;
330 static device_detach_t	run_detach;
331 
332 static usb_callback_t	run_bulk_rx_callback;
333 static usb_callback_t	run_bulk_tx_callback0;
334 static usb_callback_t	run_bulk_tx_callback1;
335 static usb_callback_t	run_bulk_tx_callback2;
336 static usb_callback_t	run_bulk_tx_callback3;
337 static usb_callback_t	run_bulk_tx_callback4;
338 static usb_callback_t	run_bulk_tx_callback5;
339 
340 static void	run_autoinst(void *, struct usb_device *,
341 		    struct usb_attach_arg *);
342 static int	run_driver_loaded(struct module *, int, void *);
343 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
344 		    usb_error_t error, u_int index);
345 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
346 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
347 		    const uint8_t [IEEE80211_ADDR_LEN],
348 		    const uint8_t [IEEE80211_ADDR_LEN]);
349 static void	run_vap_delete(struct ieee80211vap *);
350 static void	run_cmdq_cb(void *, int);
351 static void	run_setup_tx_list(struct run_softc *,
352 		    struct run_endpoint_queue *);
353 static void	run_unsetup_tx_list(struct run_softc *,
354 		    struct run_endpoint_queue *);
355 static int	run_load_microcode(struct run_softc *);
356 static int	run_reset(struct run_softc *);
357 static usb_error_t run_do_request(struct run_softc *,
358 		    struct usb_device_request *, void *);
359 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
360 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
361 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
362 static int	run_write(struct run_softc *, uint16_t, uint32_t);
363 static int	run_write_region_1(struct run_softc *, uint16_t,
364 		    const uint8_t *, int);
365 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
366 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
367 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
368 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
369 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
370 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
371 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
372 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
373 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
374 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
375 static const char *run_get_rf(uint16_t);
376 static void	run_rt3593_get_txpower(struct run_softc *);
377 static void	run_get_txpower(struct run_softc *);
378 static int	run_read_eeprom(struct run_softc *);
379 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
380 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
381 static int	run_media_change(struct ifnet *);
382 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
383 static int	run_wme_update(struct ieee80211com *);
384 static void	run_key_set_cb(void *);
385 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *);
386 static void	run_key_delete_cb(void *);
387 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
388 static void	run_ratectl_to(void *);
389 static void	run_ratectl_cb(void *, int);
390 static void	run_drain_fifo(void *);
391 static void	run_iter_func(void *, struct ieee80211_node *);
392 static void	run_newassoc_cb(void *);
393 static void	run_newassoc(struct ieee80211_node *, int);
394 static void	run_recv_mgmt(struct ieee80211_node *, struct mbuf *, int,
395 		    const struct ieee80211_rx_stats *, int, int);
396 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
397 static void	run_tx_free(struct run_endpoint_queue *pq,
398 		    struct run_tx_data *, int);
399 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
400 static int	run_tx(struct run_softc *, struct mbuf *,
401 		    struct ieee80211_node *);
402 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
403 		    struct ieee80211_node *);
404 static int	run_sendprot(struct run_softc *, const struct mbuf *,
405 		    struct ieee80211_node *, int, int);
406 static int	run_tx_param(struct run_softc *, struct mbuf *,
407 		    struct ieee80211_node *,
408 		    const struct ieee80211_bpf_params *);
409 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
410 		    const struct ieee80211_bpf_params *);
411 static int	run_transmit(struct ieee80211com *, struct mbuf *);
412 static void	run_start(struct run_softc *);
413 static void	run_parent(struct ieee80211com *);
414 static void	run_iq_calib(struct run_softc *, u_int);
415 static void	run_set_agc(struct run_softc *, uint8_t);
416 static void	run_select_chan_group(struct run_softc *, int);
417 static void	run_set_rx_antenna(struct run_softc *, int);
418 static void	run_rt2870_set_chan(struct run_softc *, u_int);
419 static void	run_rt3070_set_chan(struct run_softc *, u_int);
420 static void	run_rt3572_set_chan(struct run_softc *, u_int);
421 static void	run_rt3593_set_chan(struct run_softc *, u_int);
422 static void	run_rt5390_set_chan(struct run_softc *, u_int);
423 static void	run_rt5592_set_chan(struct run_softc *, u_int);
424 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
425 static void	run_set_channel(struct ieee80211com *);
426 static void	run_scan_start(struct ieee80211com *);
427 static void	run_scan_end(struct ieee80211com *);
428 static void	run_update_beacon(struct ieee80211vap *, int);
429 static void	run_update_beacon_cb(void *);
430 static void	run_updateprot(struct ieee80211com *);
431 static void	run_updateprot_cb(void *);
432 static void	run_usb_timeout_cb(void *);
433 static void	run_reset_livelock(struct run_softc *);
434 static void	run_enable_tsf_sync(struct run_softc *);
435 static void	run_enable_tsf(struct run_softc *);
436 static void	run_get_tsf(struct run_softc *, uint64_t *);
437 static void	run_enable_mrr(struct run_softc *);
438 static void	run_set_txpreamble(struct run_softc *);
439 static void	run_set_basicrates(struct run_softc *);
440 static void	run_set_leds(struct run_softc *, uint16_t);
441 static void	run_set_bssid(struct run_softc *, const uint8_t *);
442 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
443 static void	run_updateslot(struct ieee80211com *);
444 static void	run_updateslot_cb(void *);
445 static void	run_update_mcast(struct ieee80211com *);
446 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
447 static void	run_update_promisc_locked(struct run_softc *);
448 static void	run_update_promisc(struct ieee80211com *);
449 static void	run_rt5390_bbp_init(struct run_softc *);
450 static int	run_bbp_init(struct run_softc *);
451 static int	run_rt3070_rf_init(struct run_softc *);
452 static void	run_rt3593_rf_init(struct run_softc *);
453 static void	run_rt5390_rf_init(struct run_softc *);
454 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
455 		    uint8_t *);
456 static void	run_rt3070_rf_setup(struct run_softc *);
457 static void	run_rt3593_rf_setup(struct run_softc *);
458 static void	run_rt5390_rf_setup(struct run_softc *);
459 static int	run_txrx_enable(struct run_softc *);
460 static void	run_adjust_freq_offset(struct run_softc *);
461 static void	run_init_locked(struct run_softc *);
462 static void	run_stop(void *);
463 static void	run_delay(struct run_softc *, u_int);
464 
465 static eventhandler_tag run_etag;
466 
467 static const struct rt2860_rate {
468 	uint8_t		rate;
469 	uint8_t		mcs;
470 	enum		ieee80211_phytype phy;
471 	uint8_t		ctl_ridx;
472 	uint16_t	sp_ack_dur;
473 	uint16_t	lp_ack_dur;
474 } rt2860_rates[] = {
475 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
476 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
477 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
478 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
479 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
480 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
481 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
482 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
483 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
484 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
485 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
486 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
487 };
488 
489 static const struct {
490 	uint16_t	reg;
491 	uint32_t	val;
492 } rt2870_def_mac[] = {
493 	RT2870_DEF_MAC
494 };
495 
496 static const struct {
497 	uint8_t	reg;
498 	uint8_t	val;
499 } rt2860_def_bbp[] = {
500 	RT2860_DEF_BBP
501 },rt5390_def_bbp[] = {
502 	RT5390_DEF_BBP
503 },rt5592_def_bbp[] = {
504 	RT5592_DEF_BBP
505 };
506 
507 /*
508  * Default values for BBP register R196 for RT5592.
509  */
510 static const uint8_t rt5592_bbp_r196[] = {
511 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
512 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
513 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
514 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
515 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
516 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
517 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
518 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
519 	0x2e, 0x36, 0x30, 0x6e
520 };
521 
522 static const struct rfprog {
523 	uint8_t		chan;
524 	uint32_t	r1, r2, r3, r4;
525 } rt2860_rf2850[] = {
526 	RT2860_RF2850
527 };
528 
529 struct {
530 	uint8_t	n, r, k;
531 } rt3070_freqs[] = {
532 	RT3070_RF3052
533 };
534 
535 static const struct rt5592_freqs {
536 	uint16_t	n;
537 	uint8_t		k, m, r;
538 } rt5592_freqs_20mhz[] = {
539 	RT5592_RF5592_20MHZ
540 },rt5592_freqs_40mhz[] = {
541 	RT5592_RF5592_40MHZ
542 };
543 
544 static const struct {
545 	uint8_t	reg;
546 	uint8_t	val;
547 } rt3070_def_rf[] = {
548 	RT3070_DEF_RF
549 },rt3572_def_rf[] = {
550 	RT3572_DEF_RF
551 },rt3593_def_rf[] = {
552 	RT3593_DEF_RF
553 },rt5390_def_rf[] = {
554 	RT5390_DEF_RF
555 },rt5392_def_rf[] = {
556 	RT5392_DEF_RF
557 },rt5592_def_rf[] = {
558 	RT5592_DEF_RF
559 },rt5592_2ghz_def_rf[] = {
560 	RT5592_2GHZ_DEF_RF
561 },rt5592_5ghz_def_rf[] = {
562 	RT5592_5GHZ_DEF_RF
563 };
564 
565 static const struct {
566 	u_int	firstchan;
567 	u_int	lastchan;
568 	uint8_t	reg;
569 	uint8_t	val;
570 } rt5592_chan_5ghz[] = {
571 	RT5592_CHAN_5GHZ
572 };
573 
574 static const struct usb_config run_config[RUN_N_XFER] = {
575     [RUN_BULK_TX_BE] = {
576 	.type = UE_BULK,
577 	.endpoint = UE_ADDR_ANY,
578 	.ep_index = 0,
579 	.direction = UE_DIR_OUT,
580 	.bufsize = RUN_MAX_TXSZ,
581 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
582 	.callback = run_bulk_tx_callback0,
583 	.timeout = 5000,	/* ms */
584     },
585     [RUN_BULK_TX_BK] = {
586 	.type = UE_BULK,
587 	.endpoint = UE_ADDR_ANY,
588 	.direction = UE_DIR_OUT,
589 	.ep_index = 1,
590 	.bufsize = RUN_MAX_TXSZ,
591 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
592 	.callback = run_bulk_tx_callback1,
593 	.timeout = 5000,	/* ms */
594     },
595     [RUN_BULK_TX_VI] = {
596 	.type = UE_BULK,
597 	.endpoint = UE_ADDR_ANY,
598 	.direction = UE_DIR_OUT,
599 	.ep_index = 2,
600 	.bufsize = RUN_MAX_TXSZ,
601 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
602 	.callback = run_bulk_tx_callback2,
603 	.timeout = 5000,	/* ms */
604     },
605     [RUN_BULK_TX_VO] = {
606 	.type = UE_BULK,
607 	.endpoint = UE_ADDR_ANY,
608 	.direction = UE_DIR_OUT,
609 	.ep_index = 3,
610 	.bufsize = RUN_MAX_TXSZ,
611 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
612 	.callback = run_bulk_tx_callback3,
613 	.timeout = 5000,	/* ms */
614     },
615     [RUN_BULK_TX_HCCA] = {
616 	.type = UE_BULK,
617 	.endpoint = UE_ADDR_ANY,
618 	.direction = UE_DIR_OUT,
619 	.ep_index = 4,
620 	.bufsize = RUN_MAX_TXSZ,
621 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
622 	.callback = run_bulk_tx_callback4,
623 	.timeout = 5000,	/* ms */
624     },
625     [RUN_BULK_TX_PRIO] = {
626 	.type = UE_BULK,
627 	.endpoint = UE_ADDR_ANY,
628 	.direction = UE_DIR_OUT,
629 	.ep_index = 5,
630 	.bufsize = RUN_MAX_TXSZ,
631 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
632 	.callback = run_bulk_tx_callback5,
633 	.timeout = 5000,	/* ms */
634     },
635     [RUN_BULK_RX] = {
636 	.type = UE_BULK,
637 	.endpoint = UE_ADDR_ANY,
638 	.direction = UE_DIR_IN,
639 	.bufsize = RUN_MAX_RXSZ,
640 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
641 	.callback = run_bulk_rx_callback,
642     }
643 };
644 
645 static void
646 run_autoinst(void *arg, struct usb_device *udev,
647     struct usb_attach_arg *uaa)
648 {
649 	struct usb_interface *iface;
650 	struct usb_interface_descriptor *id;
651 
652 	if (uaa->dev_state != UAA_DEV_READY)
653 		return;
654 
655 	iface = usbd_get_iface(udev, 0);
656 	if (iface == NULL)
657 		return;
658 	id = iface->idesc;
659 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
660 		return;
661 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
662 		return;
663 
664 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
665 		uaa->dev_state = UAA_DEV_EJECTING;
666 }
667 
668 static int
669 run_driver_loaded(struct module *mod, int what, void *arg)
670 {
671 	switch (what) {
672 	case MOD_LOAD:
673 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
674 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
675 		break;
676 	case MOD_UNLOAD:
677 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
678 		break;
679 	default:
680 		return (EOPNOTSUPP);
681 	}
682 	return (0);
683 }
684 
685 static int
686 run_match(device_t self)
687 {
688 	struct usb_attach_arg *uaa = device_get_ivars(self);
689 
690 	if (uaa->usb_mode != USB_MODE_HOST)
691 		return (ENXIO);
692 	if (uaa->info.bConfigIndex != 0)
693 		return (ENXIO);
694 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
695 		return (ENXIO);
696 
697 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
698 }
699 
700 static int
701 run_attach(device_t self)
702 {
703 	struct run_softc *sc = device_get_softc(self);
704 	struct usb_attach_arg *uaa = device_get_ivars(self);
705 	struct ieee80211com *ic = &sc->sc_ic;
706 	uint32_t ver;
707 	int ntries, error;
708 	uint8_t iface_index, bands;
709 
710 	device_set_usb_desc(self);
711 	sc->sc_udev = uaa->device;
712 	sc->sc_dev = self;
713 	if (USB_GET_DRIVER_INFO(uaa) != RUN_EJECT)
714 		sc->sc_flags |= RUN_FLAG_FWLOAD_NEEDED;
715 
716 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
717 	    MTX_NETWORK_LOCK, MTX_DEF);
718 	mbufq_init(&sc->sc_snd, ifqmaxlen);
719 
720 	iface_index = RT2860_IFACE_INDEX;
721 
722 	error = usbd_transfer_setup(uaa->device, &iface_index,
723 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
724 	if (error) {
725 		device_printf(self, "could not allocate USB transfers, "
726 		    "err=%s\n", usbd_errstr(error));
727 		goto detach;
728 	}
729 
730 	RUN_LOCK(sc);
731 
732 	/* wait for the chip to settle */
733 	for (ntries = 0; ntries < 100; ntries++) {
734 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
735 			RUN_UNLOCK(sc);
736 			goto detach;
737 		}
738 		if (ver != 0 && ver != 0xffffffff)
739 			break;
740 		run_delay(sc, 10);
741 	}
742 	if (ntries == 100) {
743 		device_printf(sc->sc_dev,
744 		    "timeout waiting for NIC to initialize\n");
745 		RUN_UNLOCK(sc);
746 		goto detach;
747 	}
748 	sc->mac_ver = ver >> 16;
749 	sc->mac_rev = ver & 0xffff;
750 
751 	/* retrieve RF rev. no and various other things from EEPROM */
752 	run_read_eeprom(sc);
753 
754 	device_printf(sc->sc_dev,
755 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
756 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
757 	    sc->ntxchains, sc->nrxchains, ether_sprintf(ic->ic_macaddr));
758 
759 	RUN_UNLOCK(sc);
760 
761 	ic->ic_softc = sc;
762 	ic->ic_name = device_get_nameunit(self);
763 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
764 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
765 
766 	/* set device capabilities */
767 	ic->ic_caps =
768 	    IEEE80211_C_STA |		/* station mode supported */
769 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
770 	    IEEE80211_C_IBSS |
771 	    IEEE80211_C_HOSTAP |
772 	    IEEE80211_C_WDS |		/* 4-address traffic works */
773 	    IEEE80211_C_MBSS |
774 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
775 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
776 	    IEEE80211_C_WME |		/* WME */
777 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
778 
779 	ic->ic_cryptocaps =
780 	    IEEE80211_CRYPTO_WEP |
781 	    IEEE80211_CRYPTO_AES_CCM |
782 	    IEEE80211_CRYPTO_TKIPMIC |
783 	    IEEE80211_CRYPTO_TKIP;
784 
785 	ic->ic_flags |= IEEE80211_F_DATAPAD;
786 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
787 
788 	bands = 0;
789 	setbit(&bands, IEEE80211_MODE_11B);
790 	setbit(&bands, IEEE80211_MODE_11G);
791 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
792 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
793 	    sc->rf_rev == RT5592_RF_5592)
794 		setbit(&bands, IEEE80211_MODE_11A);
795 	ieee80211_init_channels(ic, NULL, &bands);
796 
797 	ieee80211_ifattach(ic);
798 
799 	ic->ic_scan_start = run_scan_start;
800 	ic->ic_scan_end = run_scan_end;
801 	ic->ic_set_channel = run_set_channel;
802 	ic->ic_node_alloc = run_node_alloc;
803 	ic->ic_newassoc = run_newassoc;
804 	ic->ic_updateslot = run_updateslot;
805 	ic->ic_update_mcast = run_update_mcast;
806 	ic->ic_wme.wme_update = run_wme_update;
807 	ic->ic_raw_xmit = run_raw_xmit;
808 	ic->ic_update_promisc = run_update_promisc;
809 	ic->ic_vap_create = run_vap_create;
810 	ic->ic_vap_delete = run_vap_delete;
811 	ic->ic_transmit = run_transmit;
812 	ic->ic_parent = run_parent;
813 
814 	ieee80211_radiotap_attach(ic,
815 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
816 		RUN_TX_RADIOTAP_PRESENT,
817 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
818 		RUN_RX_RADIOTAP_PRESENT);
819 
820 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
821 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
822 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
823 
824 	if (bootverbose)
825 		ieee80211_announce(ic);
826 
827 	return (0);
828 
829 detach:
830 	run_detach(self);
831 	return (ENXIO);
832 }
833 
834 static void
835 run_drain_mbufq(struct run_softc *sc)
836 {
837 	struct mbuf *m;
838 	struct ieee80211_node *ni;
839 
840 	RUN_LOCK_ASSERT(sc, MA_OWNED);
841 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
842 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
843 		m->m_pkthdr.rcvif = NULL;
844 		ieee80211_free_node(ni);
845 		m_freem(m);
846 	}
847 }
848 
849 static int
850 run_detach(device_t self)
851 {
852 	struct run_softc *sc = device_get_softc(self);
853 	struct ieee80211com *ic = &sc->sc_ic;
854 	int i;
855 
856 	RUN_LOCK(sc);
857 	sc->sc_detached = 1;
858 	RUN_UNLOCK(sc);
859 
860 	/* stop all USB transfers */
861 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
862 
863 	RUN_LOCK(sc);
864 	sc->ratectl_run = RUN_RATECTL_OFF;
865 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
866 
867 	/* free TX list, if any */
868 	for (i = 0; i != RUN_EP_QUEUES; i++)
869 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
870 
871 	/* Free TX queue */
872 	run_drain_mbufq(sc);
873 	RUN_UNLOCK(sc);
874 
875 	if (sc->sc_ic.ic_softc == sc) {
876 		/* drain tasks */
877 		usb_callout_drain(&sc->ratectl_ch);
878 		ieee80211_draintask(ic, &sc->cmdq_task);
879 		ieee80211_draintask(ic, &sc->ratectl_task);
880 		ieee80211_ifdetach(ic);
881 	}
882 
883 	mtx_destroy(&sc->sc_mtx);
884 
885 	return (0);
886 }
887 
888 static struct ieee80211vap *
889 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
890     enum ieee80211_opmode opmode, int flags,
891     const uint8_t bssid[IEEE80211_ADDR_LEN],
892     const uint8_t mac[IEEE80211_ADDR_LEN])
893 {
894 	struct run_softc *sc = ic->ic_softc;
895 	struct run_vap *rvp;
896 	struct ieee80211vap *vap;
897 	int i;
898 
899 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
900 		device_printf(sc->sc_dev, "number of VAPs maxed out\n");
901 		return (NULL);
902 	}
903 
904 	switch (opmode) {
905 	case IEEE80211_M_STA:
906 		/* enable s/w bmiss handling for sta mode */
907 		flags |= IEEE80211_CLONE_NOBEACONS;
908 		/* fall though */
909 	case IEEE80211_M_IBSS:
910 	case IEEE80211_M_MONITOR:
911 	case IEEE80211_M_HOSTAP:
912 	case IEEE80211_M_MBSS:
913 		/* other than WDS vaps, only one at a time */
914 		if (!TAILQ_EMPTY(&ic->ic_vaps))
915 			return (NULL);
916 		break;
917 	case IEEE80211_M_WDS:
918 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
919 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
920 				continue;
921 			/* WDS vap's always share the local mac address. */
922 			flags &= ~IEEE80211_CLONE_BSSID;
923 			break;
924 		}
925 		if (vap == NULL) {
926 			device_printf(sc->sc_dev,
927 			    "wds only supported in ap mode\n");
928 			return (NULL);
929 		}
930 		break;
931 	default:
932 		device_printf(sc->sc_dev, "unknown opmode %d\n", opmode);
933 		return (NULL);
934 	}
935 
936 	rvp = malloc(sizeof(struct run_vap), M_80211_VAP, M_WAITOK | M_ZERO);
937 	vap = &rvp->vap;
938 
939 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode, flags,
940 	    bssid) != 0) {
941 		/* out of memory */
942 		free(rvp, M_80211_VAP);
943 		return (NULL);
944 	}
945 
946 	vap->iv_update_beacon = run_update_beacon;
947 	vap->iv_max_aid = RT2870_WCID_MAX;
948 	/*
949 	 * To delete the right key from h/w, we need wcid.
950 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
951 	 * and matching wcid will be written into there. So, cast
952 	 * some spells to remove 'const' from ieee80211_key{}
953 	 */
954 	vap->iv_key_delete = (void *)run_key_delete;
955 	vap->iv_key_set = (void *)run_key_set;
956 
957 	/* override state transition machine */
958 	rvp->newstate = vap->iv_newstate;
959 	vap->iv_newstate = run_newstate;
960 	if (opmode == IEEE80211_M_IBSS) {
961 		rvp->recv_mgmt = vap->iv_recv_mgmt;
962 		vap->iv_recv_mgmt = run_recv_mgmt;
963 	}
964 
965 	ieee80211_ratectl_init(vap);
966 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
967 
968 	/* complete setup */
969 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status,
970 	    mac);
971 
972 	/* make sure id is always unique */
973 	for (i = 0; i < RUN_VAP_MAX; i++) {
974 		if((sc->rvp_bmap & 1 << i) == 0){
975 			sc->rvp_bmap |= 1 << i;
976 			rvp->rvp_id = i;
977 			break;
978 		}
979 	}
980 	if (sc->rvp_cnt++ == 0)
981 		ic->ic_opmode = opmode;
982 
983 	if (opmode == IEEE80211_M_HOSTAP)
984 		sc->cmdq_run = RUN_CMDQ_GO;
985 
986 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
987 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
988 
989 	return (vap);
990 }
991 
992 static void
993 run_vap_delete(struct ieee80211vap *vap)
994 {
995 	struct run_vap *rvp = RUN_VAP(vap);
996 	struct ieee80211com *ic;
997 	struct run_softc *sc;
998 	uint8_t rvp_id;
999 
1000 	if (vap == NULL)
1001 		return;
1002 
1003 	ic = vap->iv_ic;
1004 	sc = ic->ic_softc;
1005 
1006 	RUN_LOCK(sc);
1007 
1008 	m_freem(rvp->beacon_mbuf);
1009 	rvp->beacon_mbuf = NULL;
1010 
1011 	rvp_id = rvp->rvp_id;
1012 	sc->ratectl_run &= ~(1 << rvp_id);
1013 	sc->rvp_bmap &= ~(1 << rvp_id);
1014 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1015 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1016 	--sc->rvp_cnt;
1017 
1018 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1019 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1020 
1021 	RUN_UNLOCK(sc);
1022 
1023 	ieee80211_ratectl_deinit(vap);
1024 	ieee80211_vap_detach(vap);
1025 	free(rvp, M_80211_VAP);
1026 }
1027 
1028 /*
1029  * There are numbers of functions need to be called in context thread.
1030  * Rather than creating taskqueue event for each of those functions,
1031  * here is all-for-one taskqueue callback function. This function
1032  * gurantees deferred functions are executed in the same order they
1033  * were enqueued.
1034  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1035  */
1036 static void
1037 run_cmdq_cb(void *arg, int pending)
1038 {
1039 	struct run_softc *sc = arg;
1040 	uint8_t i;
1041 
1042 	/* call cmdq[].func locked */
1043 	RUN_LOCK(sc);
1044 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1045 	    i = sc->cmdq_exec, pending--) {
1046 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1047 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1048 			/*
1049 			 * If arg0 is NULL, callback func needs more
1050 			 * than one arg. So, pass ptr to cmdq struct.
1051 			 */
1052 			if (sc->cmdq[i].arg0)
1053 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1054 			else
1055 				sc->cmdq[i].func(&sc->cmdq[i]);
1056 		}
1057 		sc->cmdq[i].arg0 = NULL;
1058 		sc->cmdq[i].func = NULL;
1059 		sc->cmdq_exec++;
1060 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1061 	}
1062 	RUN_UNLOCK(sc);
1063 }
1064 
1065 static void
1066 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1067 {
1068 	struct run_tx_data *data;
1069 
1070 	memset(pq, 0, sizeof(*pq));
1071 
1072 	STAILQ_INIT(&pq->tx_qh);
1073 	STAILQ_INIT(&pq->tx_fh);
1074 
1075 	for (data = &pq->tx_data[0];
1076 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1077 		data->sc = sc;
1078 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1079 	}
1080 	pq->tx_nfree = RUN_TX_RING_COUNT;
1081 }
1082 
1083 static void
1084 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1085 {
1086 	struct run_tx_data *data;
1087 
1088 	/* make sure any subsequent use of the queues will fail */
1089 	pq->tx_nfree = 0;
1090 	STAILQ_INIT(&pq->tx_fh);
1091 	STAILQ_INIT(&pq->tx_qh);
1092 
1093 	/* free up all node references and mbufs */
1094 	for (data = &pq->tx_data[0];
1095 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1096 		if (data->m != NULL) {
1097 			m_freem(data->m);
1098 			data->m = NULL;
1099 		}
1100 		if (data->ni != NULL) {
1101 			ieee80211_free_node(data->ni);
1102 			data->ni = NULL;
1103 		}
1104 	}
1105 }
1106 
1107 static int
1108 run_load_microcode(struct run_softc *sc)
1109 {
1110 	usb_device_request_t req;
1111 	const struct firmware *fw;
1112 	const u_char *base;
1113 	uint32_t tmp;
1114 	int ntries, error;
1115 	const uint64_t *temp;
1116 	uint64_t bytes;
1117 
1118 	RUN_UNLOCK(sc);
1119 	fw = firmware_get("runfw");
1120 	RUN_LOCK(sc);
1121 	if (fw == NULL) {
1122 		device_printf(sc->sc_dev,
1123 		    "failed loadfirmware of file %s\n", "runfw");
1124 		return ENOENT;
1125 	}
1126 
1127 	if (fw->datasize != 8192) {
1128 		device_printf(sc->sc_dev,
1129 		    "invalid firmware size (should be 8KB)\n");
1130 		error = EINVAL;
1131 		goto fail;
1132 	}
1133 
1134 	/*
1135 	 * RT3071/RT3072 use a different firmware
1136 	 * run-rt2870 (8KB) contains both,
1137 	 * first half (4KB) is for rt2870,
1138 	 * last half is for rt3071.
1139 	 */
1140 	base = fw->data;
1141 	if ((sc->mac_ver) != 0x2860 &&
1142 	    (sc->mac_ver) != 0x2872 &&
1143 	    (sc->mac_ver) != 0x3070) {
1144 		base += 4096;
1145 	}
1146 
1147 	/* cheap sanity check */
1148 	temp = fw->data;
1149 	bytes = *temp;
1150 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1151 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1152 		error = EINVAL;
1153 		goto fail;
1154 	}
1155 
1156 	/* write microcode image */
1157 	if (sc->sc_flags & RUN_FLAG_FWLOAD_NEEDED) {
1158 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1159 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1160 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1161 	}
1162 
1163 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1164 	req.bRequest = RT2870_RESET;
1165 	USETW(req.wValue, 8);
1166 	USETW(req.wIndex, 0);
1167 	USETW(req.wLength, 0);
1168 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1169 	    != 0) {
1170 		device_printf(sc->sc_dev, "firmware reset failed\n");
1171 		goto fail;
1172 	}
1173 
1174 	run_delay(sc, 10);
1175 
1176 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1177 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1178 	run_write(sc, RT2860_H2M_INTSRC, 0);
1179 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1180 		goto fail;
1181 
1182 	/* wait until microcontroller is ready */
1183 	for (ntries = 0; ntries < 1000; ntries++) {
1184 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1185 			goto fail;
1186 		if (tmp & RT2860_MCU_READY)
1187 			break;
1188 		run_delay(sc, 10);
1189 	}
1190 	if (ntries == 1000) {
1191 		device_printf(sc->sc_dev,
1192 		    "timeout waiting for MCU to initialize\n");
1193 		error = ETIMEDOUT;
1194 		goto fail;
1195 	}
1196 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1197 	    (base == fw->data) ? "RT2870" : "RT3071",
1198 	    *(base + 4092), *(base + 4093));
1199 
1200 fail:
1201 	firmware_put(fw, FIRMWARE_UNLOAD);
1202 	return (error);
1203 }
1204 
1205 static int
1206 run_reset(struct run_softc *sc)
1207 {
1208 	usb_device_request_t req;
1209 
1210 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1211 	req.bRequest = RT2870_RESET;
1212 	USETW(req.wValue, 1);
1213 	USETW(req.wIndex, 0);
1214 	USETW(req.wLength, 0);
1215 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1216 }
1217 
1218 static usb_error_t
1219 run_do_request(struct run_softc *sc,
1220     struct usb_device_request *req, void *data)
1221 {
1222 	usb_error_t err;
1223 	int ntries = 10;
1224 
1225 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1226 
1227 	while (ntries--) {
1228 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1229 		    req, data, 0, NULL, 250 /* ms */);
1230 		if (err == 0)
1231 			break;
1232 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1233 		    usbd_errstr(err));
1234 		run_delay(sc, 10);
1235 	}
1236 	return (err);
1237 }
1238 
1239 static int
1240 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1241 {
1242 	uint32_t tmp;
1243 	int error;
1244 
1245 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1246 	if (error == 0)
1247 		*val = le32toh(tmp);
1248 	else
1249 		*val = 0xffffffff;
1250 	return (error);
1251 }
1252 
1253 static int
1254 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1255 {
1256 	usb_device_request_t req;
1257 
1258 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1259 	req.bRequest = RT2870_READ_REGION_1;
1260 	USETW(req.wValue, 0);
1261 	USETW(req.wIndex, reg);
1262 	USETW(req.wLength, len);
1263 
1264 	return (run_do_request(sc, &req, buf));
1265 }
1266 
1267 static int
1268 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1269 {
1270 	usb_device_request_t req;
1271 
1272 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1273 	req.bRequest = RT2870_WRITE_2;
1274 	USETW(req.wValue, val);
1275 	USETW(req.wIndex, reg);
1276 	USETW(req.wLength, 0);
1277 
1278 	return (run_do_request(sc, &req, NULL));
1279 }
1280 
1281 static int
1282 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1283 {
1284 	int error;
1285 
1286 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1287 		error = run_write_2(sc, reg + 2, val >> 16);
1288 	return (error);
1289 }
1290 
1291 static int
1292 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1293     int len)
1294 {
1295 #if 1
1296 	int i, error = 0;
1297 	/*
1298 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1299 	 * We thus issue multiple WRITE_2 commands instead.
1300 	 */
1301 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1302 	for (i = 0; i < len && error == 0; i += 2)
1303 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1304 	return (error);
1305 #else
1306 	usb_device_request_t req;
1307 	int error = 0;
1308 
1309 	/*
1310 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1311 	 * passed a huge amount of data, which will crash the
1312 	 * firmware. Limit amount of data passed to 64-bytes at a
1313 	 * time.
1314 	 */
1315 	while (len > 0) {
1316 		int delta = 64;
1317 		if (delta > len)
1318 			delta = len;
1319 
1320 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1321 		req.bRequest = RT2870_WRITE_REGION_1;
1322 		USETW(req.wValue, 0);
1323 		USETW(req.wIndex, reg);
1324 		USETW(req.wLength, delta);
1325 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1326 		if (error != 0)
1327 			break;
1328 		reg += delta;
1329 		buf += delta;
1330 		len -= delta;
1331 	}
1332 	return (error);
1333 #endif
1334 }
1335 
1336 static int
1337 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1338 {
1339 	int i, error = 0;
1340 
1341 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1342 	for (i = 0; i < len && error == 0; i += 4)
1343 		error = run_write(sc, reg + i, val);
1344 	return (error);
1345 }
1346 
1347 static int
1348 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1349 {
1350 	uint32_t tmp;
1351 	uint16_t reg;
1352 	int error, ntries;
1353 
1354 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1355 		return (error);
1356 
1357 	if (count == 2)
1358 		addr *= 2;
1359 	/*-
1360 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1361 	 * DATA0: F E D C
1362 	 * DATA1: B A 9 8
1363 	 * DATA2: 7 6 5 4
1364 	 * DATA3: 3 2 1 0
1365 	 */
1366 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1367 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1368 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1369 	for (ntries = 0; ntries < 100; ntries++) {
1370 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1371 			return (error);
1372 		if (!(tmp & RT3070_EFSROM_KICK))
1373 			break;
1374 		run_delay(sc, 2);
1375 	}
1376 	if (ntries == 100)
1377 		return (ETIMEDOUT);
1378 
1379 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1380 		*val = 0xffff;	/* address not found */
1381 		return (0);
1382 	}
1383 	/* determine to which 32-bit register our 16-bit word belongs */
1384 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1385 	if ((error = run_read(sc, reg, &tmp)) != 0)
1386 		return (error);
1387 
1388 	tmp >>= (8 * (addr & 0x3));
1389 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1390 
1391 	return (0);
1392 }
1393 
1394 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1395 static int
1396 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1397 {
1398 	return (run_efuse_read(sc, addr, val, 2));
1399 }
1400 
1401 static int
1402 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1403 {
1404 	usb_device_request_t req;
1405 	uint16_t tmp;
1406 	int error;
1407 
1408 	addr *= 2;
1409 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1410 	req.bRequest = RT2870_EEPROM_READ;
1411 	USETW(req.wValue, 0);
1412 	USETW(req.wIndex, addr);
1413 	USETW(req.wLength, sizeof(tmp));
1414 
1415 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1416 	if (error == 0)
1417 		*val = le16toh(tmp);
1418 	else
1419 		*val = 0xffff;
1420 	return (error);
1421 }
1422 
1423 static __inline int
1424 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1425 {
1426 	/* either eFUSE ROM or EEPROM */
1427 	return sc->sc_srom_read(sc, addr, val);
1428 }
1429 
1430 static int
1431 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1432 {
1433 	uint32_t tmp;
1434 	int error, ntries;
1435 
1436 	for (ntries = 0; ntries < 10; ntries++) {
1437 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1438 			return (error);
1439 		if (!(tmp & RT2860_RF_REG_CTRL))
1440 			break;
1441 	}
1442 	if (ntries == 10)
1443 		return (ETIMEDOUT);
1444 
1445 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1446 }
1447 
1448 static int
1449 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1450 {
1451 	uint32_t tmp;
1452 	int error, ntries;
1453 
1454 	for (ntries = 0; ntries < 100; ntries++) {
1455 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1456 			return (error);
1457 		if (!(tmp & RT3070_RF_KICK))
1458 			break;
1459 	}
1460 	if (ntries == 100)
1461 		return (ETIMEDOUT);
1462 
1463 	tmp = RT3070_RF_KICK | reg << 8;
1464 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1465 		return (error);
1466 
1467 	for (ntries = 0; ntries < 100; ntries++) {
1468 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1469 			return (error);
1470 		if (!(tmp & RT3070_RF_KICK))
1471 			break;
1472 	}
1473 	if (ntries == 100)
1474 		return (ETIMEDOUT);
1475 
1476 	*val = tmp & 0xff;
1477 	return (0);
1478 }
1479 
1480 static int
1481 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1482 {
1483 	uint32_t tmp;
1484 	int error, ntries;
1485 
1486 	for (ntries = 0; ntries < 10; ntries++) {
1487 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1488 			return (error);
1489 		if (!(tmp & RT3070_RF_KICK))
1490 			break;
1491 	}
1492 	if (ntries == 10)
1493 		return (ETIMEDOUT);
1494 
1495 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1496 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1497 }
1498 
1499 static int
1500 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1501 {
1502 	uint32_t tmp;
1503 	int ntries, error;
1504 
1505 	for (ntries = 0; ntries < 10; ntries++) {
1506 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1507 			return (error);
1508 		if (!(tmp & RT2860_BBP_CSR_KICK))
1509 			break;
1510 	}
1511 	if (ntries == 10)
1512 		return (ETIMEDOUT);
1513 
1514 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1515 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1516 		return (error);
1517 
1518 	for (ntries = 0; ntries < 10; ntries++) {
1519 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1520 			return (error);
1521 		if (!(tmp & RT2860_BBP_CSR_KICK))
1522 			break;
1523 	}
1524 	if (ntries == 10)
1525 		return (ETIMEDOUT);
1526 
1527 	*val = tmp & 0xff;
1528 	return (0);
1529 }
1530 
1531 static int
1532 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1533 {
1534 	uint32_t tmp;
1535 	int ntries, error;
1536 
1537 	for (ntries = 0; ntries < 10; ntries++) {
1538 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1539 			return (error);
1540 		if (!(tmp & RT2860_BBP_CSR_KICK))
1541 			break;
1542 	}
1543 	if (ntries == 10)
1544 		return (ETIMEDOUT);
1545 
1546 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1547 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1548 }
1549 
1550 /*
1551  * Send a command to the 8051 microcontroller unit.
1552  */
1553 static int
1554 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1555 {
1556 	uint32_t tmp;
1557 	int error, ntries;
1558 
1559 	for (ntries = 0; ntries < 100; ntries++) {
1560 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1561 			return error;
1562 		if (!(tmp & RT2860_H2M_BUSY))
1563 			break;
1564 	}
1565 	if (ntries == 100)
1566 		return ETIMEDOUT;
1567 
1568 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1569 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1570 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1571 	return (error);
1572 }
1573 
1574 /*
1575  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1576  * Used to adjust per-rate Tx power registers.
1577  */
1578 static __inline uint32_t
1579 b4inc(uint32_t b32, int8_t delta)
1580 {
1581 	int8_t i, b4;
1582 
1583 	for (i = 0; i < 8; i++) {
1584 		b4 = b32 & 0xf;
1585 		b4 += delta;
1586 		if (b4 < 0)
1587 			b4 = 0;
1588 		else if (b4 > 0xf)
1589 			b4 = 0xf;
1590 		b32 = b32 >> 4 | b4 << 28;
1591 	}
1592 	return (b32);
1593 }
1594 
1595 static const char *
1596 run_get_rf(uint16_t rev)
1597 {
1598 	switch (rev) {
1599 	case RT2860_RF_2820:	return "RT2820";
1600 	case RT2860_RF_2850:	return "RT2850";
1601 	case RT2860_RF_2720:	return "RT2720";
1602 	case RT2860_RF_2750:	return "RT2750";
1603 	case RT3070_RF_3020:	return "RT3020";
1604 	case RT3070_RF_2020:	return "RT2020";
1605 	case RT3070_RF_3021:	return "RT3021";
1606 	case RT3070_RF_3022:	return "RT3022";
1607 	case RT3070_RF_3052:	return "RT3052";
1608 	case RT3593_RF_3053:	return "RT3053";
1609 	case RT5592_RF_5592:	return "RT5592";
1610 	case RT5390_RF_5370:	return "RT5370";
1611 	case RT5390_RF_5372:	return "RT5372";
1612 	}
1613 	return ("unknown");
1614 }
1615 
1616 static void
1617 run_rt3593_get_txpower(struct run_softc *sc)
1618 {
1619 	uint16_t addr, val;
1620 	int i;
1621 
1622 	/* Read power settings for 2GHz channels. */
1623 	for (i = 0; i < 14; i += 2) {
1624 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1625 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1626 		run_srom_read(sc, addr + i / 2, &val);
1627 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1628 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1629 
1630 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1631 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1632 		run_srom_read(sc, addr + i / 2, &val);
1633 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1634 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1635 
1636 		if (sc->ntxchains == 3) {
1637 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1638 			    &val);
1639 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1640 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1641 		}
1642 	}
1643 	/* Fix broken Tx power entries. */
1644 	for (i = 0; i < 14; i++) {
1645 		if (sc->txpow1[i] > 31)
1646 			sc->txpow1[i] = 5;
1647 		if (sc->txpow2[i] > 31)
1648 			sc->txpow2[i] = 5;
1649 		if (sc->ntxchains == 3) {
1650 			if (sc->txpow3[i] > 31)
1651 				sc->txpow3[i] = 5;
1652 		}
1653 	}
1654 	/* Read power settings for 5GHz channels. */
1655 	for (i = 0; i < 40; i += 2) {
1656 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1657 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1658 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1659 
1660 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1661 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1662 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1663 
1664 		if (sc->ntxchains == 3) {
1665 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1666 			    &val);
1667 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1668 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1669 		}
1670 	}
1671 }
1672 
1673 static void
1674 run_get_txpower(struct run_softc *sc)
1675 {
1676 	uint16_t val;
1677 	int i;
1678 
1679 	/* Read power settings for 2GHz channels. */
1680 	for (i = 0; i < 14; i += 2) {
1681 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1682 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1683 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1684 
1685 		if (sc->mac_ver != 0x5390) {
1686 			run_srom_read(sc,
1687 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1688 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1689 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1690 		}
1691 	}
1692 	/* Fix broken Tx power entries. */
1693 	for (i = 0; i < 14; i++) {
1694 		if (sc->mac_ver >= 0x5390) {
1695 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 39)
1696 				sc->txpow1[i] = 5;
1697 		} else {
1698 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1699 				sc->txpow1[i] = 5;
1700 		}
1701 		if (sc->mac_ver > 0x5390) {
1702 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 39)
1703 				sc->txpow2[i] = 5;
1704 		} else if (sc->mac_ver < 0x5390) {
1705 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1706 				sc->txpow2[i] = 5;
1707 		}
1708 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1709 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1710 	}
1711 	/* Read power settings for 5GHz channels. */
1712 	for (i = 0; i < 40; i += 2) {
1713 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1714 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1715 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1716 
1717 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1718 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1719 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1720 	}
1721 	/* Fix broken Tx power entries. */
1722 	for (i = 0; i < 40; i++ ) {
1723 		if (sc->mac_ver != 0x5592) {
1724 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1725 				sc->txpow1[14 + i] = 5;
1726 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1727 				sc->txpow2[14 + i] = 5;
1728 		}
1729 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1730 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1731 		    sc->txpow2[14 + i]);
1732 	}
1733 }
1734 
1735 static int
1736 run_read_eeprom(struct run_softc *sc)
1737 {
1738 	struct ieee80211com *ic = &sc->sc_ic;
1739 	int8_t delta_2ghz, delta_5ghz;
1740 	uint32_t tmp;
1741 	uint16_t val;
1742 	int ridx, ant, i;
1743 
1744 	/* check whether the ROM is eFUSE ROM or EEPROM */
1745 	sc->sc_srom_read = run_eeprom_read_2;
1746 	if (sc->mac_ver >= 0x3070) {
1747 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1748 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1749 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1750 			sc->sc_srom_read = run_efuse_read_2;
1751 	}
1752 
1753 	/* read ROM version */
1754 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1755 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val >> 8, val & 0xff);
1756 
1757 	/* read MAC address */
1758 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1759 	ic->ic_macaddr[0] = val & 0xff;
1760 	ic->ic_macaddr[1] = val >> 8;
1761 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1762 	ic->ic_macaddr[2] = val & 0xff;
1763 	ic->ic_macaddr[3] = val >> 8;
1764 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1765 	ic->ic_macaddr[4] = val & 0xff;
1766 	ic->ic_macaddr[5] = val >> 8;
1767 
1768 	if (sc->mac_ver < 0x3593) {
1769 		/* read vender BBP settings */
1770 		for (i = 0; i < 10; i++) {
1771 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1772 			sc->bbp[i].val = val & 0xff;
1773 			sc->bbp[i].reg = val >> 8;
1774 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1775 			    sc->bbp[i].val);
1776 		}
1777 		if (sc->mac_ver >= 0x3071) {
1778 			/* read vendor RF settings */
1779 			for (i = 0; i < 10; i++) {
1780 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1781 				   &val);
1782 				sc->rf[i].val = val & 0xff;
1783 				sc->rf[i].reg = val >> 8;
1784 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1785 				    sc->rf[i].val);
1786 			}
1787 		}
1788 	}
1789 
1790 	/* read RF frequency offset from EEPROM */
1791 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1792 	    RT3593_EEPROM_FREQ, &val);
1793 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1794 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1795 
1796 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1797 	    RT3593_EEPROM_FREQ_LEDS, &val);
1798 	if (val >> 8 != 0xff) {
1799 		/* read LEDs operating mode */
1800 		sc->leds = val >> 8;
1801 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1802 		    RT3593_EEPROM_LED1, &sc->led[0]);
1803 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1804 		    RT3593_EEPROM_LED2, &sc->led[1]);
1805 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1806 		    RT3593_EEPROM_LED3, &sc->led[2]);
1807 	} else {
1808 		/* broken EEPROM, use default settings */
1809 		sc->leds = 0x01;
1810 		sc->led[0] = 0x5555;
1811 		sc->led[1] = 0x2221;
1812 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1813 	}
1814 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1815 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1816 
1817 	/* read RF information */
1818 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1819 		run_srom_read(sc, 0x00, &val);
1820 	else
1821 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1822 
1823 	if (val == 0xffff) {
1824 		device_printf(sc->sc_dev,
1825 		    "invalid EEPROM antenna info, using default\n");
1826 		DPRINTF("invalid EEPROM antenna info, using default\n");
1827 		if (sc->mac_ver == 0x3572) {
1828 			/* default to RF3052 2T2R */
1829 			sc->rf_rev = RT3070_RF_3052;
1830 			sc->ntxchains = 2;
1831 			sc->nrxchains = 2;
1832 		} else if (sc->mac_ver >= 0x3070) {
1833 			/* default to RF3020 1T1R */
1834 			sc->rf_rev = RT3070_RF_3020;
1835 			sc->ntxchains = 1;
1836 			sc->nrxchains = 1;
1837 		} else {
1838 			/* default to RF2820 1T2R */
1839 			sc->rf_rev = RT2860_RF_2820;
1840 			sc->ntxchains = 1;
1841 			sc->nrxchains = 2;
1842 		}
1843 	} else {
1844 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1845 			sc->rf_rev = val;
1846 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1847 		} else
1848 			sc->rf_rev = (val >> 8) & 0xf;
1849 		sc->ntxchains = (val >> 4) & 0xf;
1850 		sc->nrxchains = val & 0xf;
1851 	}
1852 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1853 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1854 
1855 	/* check if RF supports automatic Tx access gain control */
1856 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1857 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1858 	/* check if driver should patch the DAC issue */
1859 	if ((val >> 8) != 0xff)
1860 		sc->patch_dac = (val >> 15) & 1;
1861 	if ((val & 0xff) != 0xff) {
1862 		sc->ext_5ghz_lna = (val >> 3) & 1;
1863 		sc->ext_2ghz_lna = (val >> 2) & 1;
1864 		/* check if RF supports automatic Tx access gain control */
1865 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1866 		/* check if we have a hardware radio switch */
1867 		sc->rfswitch = val & 1;
1868 	}
1869 
1870 	/* Read Tx power settings. */
1871 	if (sc->mac_ver == 0x3593)
1872 		run_rt3593_get_txpower(sc);
1873 	else
1874 		run_get_txpower(sc);
1875 
1876 	/* read Tx power compensation for each Tx rate */
1877 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1878 	delta_2ghz = delta_5ghz = 0;
1879 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1880 		delta_2ghz = val & 0xf;
1881 		if (!(val & 0x40))	/* negative number */
1882 			delta_2ghz = -delta_2ghz;
1883 	}
1884 	val >>= 8;
1885 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1886 		delta_5ghz = val & 0xf;
1887 		if (!(val & 0x40))	/* negative number */
1888 			delta_5ghz = -delta_5ghz;
1889 	}
1890 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1891 	    delta_2ghz, delta_5ghz);
1892 
1893 	for (ridx = 0; ridx < 5; ridx++) {
1894 		uint32_t reg;
1895 
1896 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1897 		reg = val;
1898 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1899 		reg |= (uint32_t)val << 16;
1900 
1901 		sc->txpow20mhz[ridx] = reg;
1902 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1903 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1904 
1905 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1906 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1907 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1908 	}
1909 
1910 	/* Read RSSI offsets and LNA gains from EEPROM. */
1911 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1912 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1913 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1914 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1915 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1916 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1917 	if (sc->mac_ver >= 0x3070) {
1918 		if (sc->mac_ver == 0x3593) {
1919 			sc->txmixgain_2ghz = 0;
1920 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1921 		} else {
1922 			/*
1923 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1924 			 * field contains the Tx mixer gain for the 2GHz band.
1925 			 */
1926 			if ((val & 0xff) != 0xff)
1927 				sc->txmixgain_2ghz = val & 0x7;
1928 		}
1929 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1930 	} else
1931 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1932 	if (sc->mac_ver == 0x3593)
1933 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1934 	sc->lna[2] = val >> 8;		/* channel group 2 */
1935 
1936 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1937 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1938 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1939 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1940 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1941 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1942 	if (sc->mac_ver == 0x3572) {
1943 		/*
1944 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1945 		 * field contains the Tx mixer gain for the 5GHz band.
1946 		 */
1947 		if ((val & 0xff) != 0xff)
1948 			sc->txmixgain_5ghz = val & 0x7;
1949 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1950 	} else
1951 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1952 	if (sc->mac_ver == 0x3593) {
1953 		sc->txmixgain_5ghz = 0;
1954 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1955 	}
1956 	sc->lna[3] = val >> 8;		/* channel group 3 */
1957 
1958 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1959 	    RT3593_EEPROM_LNA, &val);
1960 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1961 	sc->lna[1] = val >> 8;		/* channel group 1 */
1962 
1963 	/* fix broken 5GHz LNA entries */
1964 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1965 		DPRINTF("invalid LNA for channel group %d\n", 2);
1966 		sc->lna[2] = sc->lna[1];
1967 	}
1968 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1969 		DPRINTF("invalid LNA for channel group %d\n", 3);
1970 		sc->lna[3] = sc->lna[1];
1971 	}
1972 
1973 	/* fix broken RSSI offset entries */
1974 	for (ant = 0; ant < 3; ant++) {
1975 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1976 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1977 			    ant + 1, sc->rssi_2ghz[ant]);
1978 			sc->rssi_2ghz[ant] = 0;
1979 		}
1980 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1981 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1982 			    ant + 1, sc->rssi_5ghz[ant]);
1983 			sc->rssi_5ghz[ant] = 0;
1984 		}
1985 	}
1986 	return (0);
1987 }
1988 
1989 static struct ieee80211_node *
1990 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1991 {
1992 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1993 }
1994 
1995 static int
1996 run_media_change(struct ifnet *ifp)
1997 {
1998 	struct ieee80211vap *vap = ifp->if_softc;
1999 	struct ieee80211com *ic = vap->iv_ic;
2000 	const struct ieee80211_txparam *tp;
2001 	struct run_softc *sc = ic->ic_softc;
2002 	uint8_t rate, ridx;
2003 	int error;
2004 
2005 	RUN_LOCK(sc);
2006 
2007 	error = ieee80211_media_change(ifp);
2008 	if (error != ENETRESET) {
2009 		RUN_UNLOCK(sc);
2010 		return (error);
2011 	}
2012 
2013 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2014 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2015 		struct ieee80211_node *ni;
2016 		struct run_node	*rn;
2017 
2018 		rate = ic->ic_sup_rates[ic->ic_curmode].
2019 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2020 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2021 			if (rt2860_rates[ridx].rate == rate)
2022 				break;
2023 		ni = ieee80211_ref_node(vap->iv_bss);
2024 		rn = RUN_NODE(ni);
2025 		rn->fix_ridx = ridx;
2026 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2027 		ieee80211_free_node(ni);
2028 	}
2029 
2030 #if 0
2031 	if ((ifp->if_flags & IFF_UP) &&
2032 	    (ifp->if_drv_flags &  RUN_RUNNING)){
2033 		run_init_locked(sc);
2034 	}
2035 #endif
2036 
2037 	RUN_UNLOCK(sc);
2038 
2039 	return (0);
2040 }
2041 
2042 static int
2043 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2044 {
2045 	const struct ieee80211_txparam *tp;
2046 	struct ieee80211com *ic = vap->iv_ic;
2047 	struct run_softc *sc = ic->ic_softc;
2048 	struct run_vap *rvp = RUN_VAP(vap);
2049 	enum ieee80211_state ostate;
2050 	uint32_t sta[3];
2051 	uint32_t tmp;
2052 	uint8_t ratectl;
2053 	uint8_t restart_ratectl = 0;
2054 	uint8_t bid = 1 << rvp->rvp_id;
2055 
2056 	ostate = vap->iv_state;
2057 	DPRINTF("%s -> %s\n",
2058 		ieee80211_state_name[ostate],
2059 		ieee80211_state_name[nstate]);
2060 
2061 	IEEE80211_UNLOCK(ic);
2062 	RUN_LOCK(sc);
2063 
2064 	ratectl = sc->ratectl_run; /* remember current state */
2065 	sc->ratectl_run = RUN_RATECTL_OFF;
2066 	usb_callout_stop(&sc->ratectl_ch);
2067 
2068 	if (ostate == IEEE80211_S_RUN) {
2069 		/* turn link LED off */
2070 		run_set_leds(sc, RT2860_LED_RADIO);
2071 	}
2072 
2073 	switch (nstate) {
2074 	case IEEE80211_S_INIT:
2075 		restart_ratectl = 1;
2076 
2077 		if (ostate != IEEE80211_S_RUN)
2078 			break;
2079 
2080 		ratectl &= ~bid;
2081 		sc->runbmap &= ~bid;
2082 
2083 		/* abort TSF synchronization if there is no vap running */
2084 		if (--sc->running == 0) {
2085 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2086 			run_write(sc, RT2860_BCN_TIME_CFG,
2087 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2088 			    RT2860_TBTT_TIMER_EN));
2089 		}
2090 		break;
2091 
2092 	case IEEE80211_S_RUN:
2093 		if (!(sc->runbmap & bid)) {
2094 			if(sc->running++)
2095 				restart_ratectl = 1;
2096 			sc->runbmap |= bid;
2097 		}
2098 
2099 		m_freem(rvp->beacon_mbuf);
2100 		rvp->beacon_mbuf = NULL;
2101 
2102 		switch (vap->iv_opmode) {
2103 		case IEEE80211_M_HOSTAP:
2104 		case IEEE80211_M_MBSS:
2105 			sc->ap_running |= bid;
2106 			ic->ic_opmode = vap->iv_opmode;
2107 			run_update_beacon_cb(vap);
2108 			break;
2109 		case IEEE80211_M_IBSS:
2110 			sc->adhoc_running |= bid;
2111 			if (!sc->ap_running)
2112 				ic->ic_opmode = vap->iv_opmode;
2113 			run_update_beacon_cb(vap);
2114 			break;
2115 		case IEEE80211_M_STA:
2116 			sc->sta_running |= bid;
2117 			if (!sc->ap_running && !sc->adhoc_running)
2118 				ic->ic_opmode = vap->iv_opmode;
2119 
2120 			/* read statistic counters (clear on read) */
2121 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2122 			    (uint8_t *)sta, sizeof sta);
2123 
2124 			break;
2125 		default:
2126 			ic->ic_opmode = vap->iv_opmode;
2127 			break;
2128 		}
2129 
2130 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2131 			struct ieee80211_node *ni;
2132 
2133 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2134 				RUN_UNLOCK(sc);
2135 				IEEE80211_LOCK(ic);
2136 				return (-1);
2137 			}
2138 			run_updateslot(ic);
2139 			run_enable_mrr(sc);
2140 			run_set_txpreamble(sc);
2141 			run_set_basicrates(sc);
2142 			ni = ieee80211_ref_node(vap->iv_bss);
2143 			IEEE80211_ADDR_COPY(ic->ic_macaddr, ni->ni_bssid);
2144 			run_set_bssid(sc, ni->ni_bssid);
2145 			ieee80211_free_node(ni);
2146 			run_enable_tsf_sync(sc);
2147 
2148 			/* enable automatic rate adaptation */
2149 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2150 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2151 				ratectl |= bid;
2152 		} else
2153 			run_enable_tsf(sc);
2154 
2155 		/* turn link LED on */
2156 		run_set_leds(sc, RT2860_LED_RADIO |
2157 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2158 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2159 
2160 		break;
2161 	default:
2162 		DPRINTFN(6, "undefined case\n");
2163 		break;
2164 	}
2165 
2166 	/* restart amrr for running VAPs */
2167 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2168 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2169 
2170 	RUN_UNLOCK(sc);
2171 	IEEE80211_LOCK(ic);
2172 
2173 	return(rvp->newstate(vap, nstate, arg));
2174 }
2175 
2176 static int
2177 run_wme_update(struct ieee80211com *ic)
2178 {
2179 	struct run_softc *sc = ic->ic_softc;
2180 	const struct wmeParams *ac =
2181 	    ic->ic_wme.wme_chanParams.cap_wmeParams;
2182 	int aci, error = 0;
2183 
2184 	/* update MAC TX configuration registers */
2185 	RUN_LOCK(sc);
2186 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2187 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2188 		    ac[aci].wmep_logcwmax << 16 |
2189 		    ac[aci].wmep_logcwmin << 12 |
2190 		    ac[aci].wmep_aifsn    <<  8 |
2191 		    ac[aci].wmep_txopLimit);
2192 		if (error) goto err;
2193 	}
2194 
2195 	/* update SCH/DMA registers too */
2196 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2197 	    ac[WME_AC_VO].wmep_aifsn  << 12 |
2198 	    ac[WME_AC_VI].wmep_aifsn  <<  8 |
2199 	    ac[WME_AC_BK].wmep_aifsn  <<  4 |
2200 	    ac[WME_AC_BE].wmep_aifsn);
2201 	if (error) goto err;
2202 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2203 	    ac[WME_AC_VO].wmep_logcwmin << 12 |
2204 	    ac[WME_AC_VI].wmep_logcwmin <<  8 |
2205 	    ac[WME_AC_BK].wmep_logcwmin <<  4 |
2206 	    ac[WME_AC_BE].wmep_logcwmin);
2207 	if (error) goto err;
2208 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2209 	    ac[WME_AC_VO].wmep_logcwmax << 12 |
2210 	    ac[WME_AC_VI].wmep_logcwmax <<  8 |
2211 	    ac[WME_AC_BK].wmep_logcwmax <<  4 |
2212 	    ac[WME_AC_BE].wmep_logcwmax);
2213 	if (error) goto err;
2214 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2215 	    ac[WME_AC_BK].wmep_txopLimit << 16 |
2216 	    ac[WME_AC_BE].wmep_txopLimit);
2217 	if (error) goto err;
2218 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2219 	    ac[WME_AC_VO].wmep_txopLimit << 16 |
2220 	    ac[WME_AC_VI].wmep_txopLimit);
2221 
2222 err:
2223 	RUN_UNLOCK(sc);
2224 	if (error)
2225 		DPRINTF("WME update failed\n");
2226 
2227 	return (error);
2228 }
2229 
2230 static void
2231 run_key_set_cb(void *arg)
2232 {
2233 	struct run_cmdq *cmdq = arg;
2234 	struct ieee80211vap *vap = cmdq->arg1;
2235 	struct ieee80211_key *k = cmdq->k;
2236 	struct ieee80211com *ic = vap->iv_ic;
2237 	struct run_softc *sc = ic->ic_softc;
2238 	struct ieee80211_node *ni;
2239 	u_int cipher = k->wk_cipher->ic_cipher;
2240 	uint32_t attr;
2241 	uint16_t base, associd;
2242 	uint8_t mode, wcid, iv[8];
2243 
2244 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2245 
2246 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2247 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2248 	else
2249 		ni = vap->iv_bss;
2250 	associd = (ni != NULL) ? ni->ni_associd : 0;
2251 
2252 	/* map net80211 cipher to RT2860 security mode */
2253 	switch (cipher) {
2254 	case IEEE80211_CIPHER_WEP:
2255 		if(k->wk_keylen < 8)
2256 			mode = RT2860_MODE_WEP40;
2257 		else
2258 			mode = RT2860_MODE_WEP104;
2259 		break;
2260 	case IEEE80211_CIPHER_TKIP:
2261 		mode = RT2860_MODE_TKIP;
2262 		break;
2263 	case IEEE80211_CIPHER_AES_CCM:
2264 		mode = RT2860_MODE_AES_CCMP;
2265 		break;
2266 	default:
2267 		DPRINTF("undefined case\n");
2268 		return;
2269 	}
2270 
2271 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2272 	    associd, k->wk_keyix, mode,
2273 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2274 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2275 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2276 
2277 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2278 		wcid = 0;	/* NB: update WCID0 for group keys */
2279 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2280 	} else {
2281 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2282 		    1 : RUN_AID2WCID(associd);
2283 		base = RT2860_PKEY(wcid);
2284 	}
2285 
2286 	if (cipher == IEEE80211_CIPHER_TKIP) {
2287 		if(run_write_region_1(sc, base, k->wk_key, 16))
2288 			return;
2289 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2290 			return;
2291 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2292 			return;
2293 	} else {
2294 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2295 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2296 			return;
2297 	}
2298 
2299 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2300 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2301 		/* set initial packet number in IV+EIV */
2302 		if (cipher == IEEE80211_CIPHER_WEP) {
2303 			memset(iv, 0, sizeof iv);
2304 			iv[3] = vap->iv_def_txkey << 6;
2305 		} else {
2306 			if (cipher == IEEE80211_CIPHER_TKIP) {
2307 				iv[0] = k->wk_keytsc >> 8;
2308 				iv[1] = (iv[0] | 0x20) & 0x7f;
2309 				iv[2] = k->wk_keytsc;
2310 			} else /* CCMP */ {
2311 				iv[0] = k->wk_keytsc;
2312 				iv[1] = k->wk_keytsc >> 8;
2313 				iv[2] = 0;
2314 			}
2315 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2316 			iv[4] = k->wk_keytsc >> 16;
2317 			iv[5] = k->wk_keytsc >> 24;
2318 			iv[6] = k->wk_keytsc >> 32;
2319 			iv[7] = k->wk_keytsc >> 40;
2320 		}
2321 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2322 			return;
2323 	}
2324 
2325 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2326 		/* install group key */
2327 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2328 			return;
2329 		attr &= ~(0xf << (k->wk_keyix * 4));
2330 		attr |= mode << (k->wk_keyix * 4);
2331 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2332 			return;
2333 	} else {
2334 		/* install pairwise key */
2335 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2336 			return;
2337 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2338 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2339 			return;
2340 	}
2341 
2342 	/* TODO create a pass-thru key entry? */
2343 
2344 	/* need wcid to delete the right key later */
2345 	k->wk_pad = wcid;
2346 }
2347 
2348 /*
2349  * Don't have to be deferred, but in order to keep order of
2350  * execution, i.e. with run_key_delete(), defer this and let
2351  * run_cmdq_cb() maintain the order.
2352  *
2353  * return 0 on error
2354  */
2355 static int
2356 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k)
2357 {
2358 	struct ieee80211com *ic = vap->iv_ic;
2359 	struct run_softc *sc = ic->ic_softc;
2360 	uint32_t i;
2361 
2362 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2363 	DPRINTF("cmdq_store=%d\n", i);
2364 	sc->cmdq[i].func = run_key_set_cb;
2365 	sc->cmdq[i].arg0 = NULL;
2366 	sc->cmdq[i].arg1 = vap;
2367 	sc->cmdq[i].k = k;
2368 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, k->wk_macaddr);
2369 	ieee80211_runtask(ic, &sc->cmdq_task);
2370 
2371 	/*
2372 	 * To make sure key will be set when hostapd
2373 	 * calls iv_key_set() before if_init().
2374 	 */
2375 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2376 		RUN_LOCK(sc);
2377 		sc->cmdq_key_set = RUN_CMDQ_GO;
2378 		RUN_UNLOCK(sc);
2379 	}
2380 
2381 	return (1);
2382 }
2383 
2384 /*
2385  * If wlan is destroyed without being brought down i.e. without
2386  * wlan down or wpa_cli terminate, this function is called after
2387  * vap is gone. Don't refer it.
2388  */
2389 static void
2390 run_key_delete_cb(void *arg)
2391 {
2392 	struct run_cmdq *cmdq = arg;
2393 	struct run_softc *sc = cmdq->arg1;
2394 	struct ieee80211_key *k = &cmdq->key;
2395 	uint32_t attr;
2396 	uint8_t wcid;
2397 
2398 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2399 
2400 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2401 		/* remove group key */
2402 		DPRINTF("removing group key\n");
2403 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2404 		attr &= ~(0xf << (k->wk_keyix * 4));
2405 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2406 	} else {
2407 		/* remove pairwise key */
2408 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2409 		/* matching wcid was written to wk_pad in run_key_set() */
2410 		wcid = k->wk_pad;
2411 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2412 		attr &= ~0xf;
2413 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2414 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2415 	}
2416 
2417 	k->wk_pad = 0;
2418 }
2419 
2420 /*
2421  * return 0 on error
2422  */
2423 static int
2424 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2425 {
2426 	struct ieee80211com *ic = vap->iv_ic;
2427 	struct run_softc *sc = ic->ic_softc;
2428 	struct ieee80211_key *k0;
2429 	uint32_t i;
2430 
2431 	/*
2432 	 * When called back, key might be gone. So, make a copy
2433 	 * of some values need to delete keys before deferring.
2434 	 * But, because of LOR with node lock, cannot use lock here.
2435 	 * So, use atomic instead.
2436 	 */
2437 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2438 	DPRINTF("cmdq_store=%d\n", i);
2439 	sc->cmdq[i].func = run_key_delete_cb;
2440 	sc->cmdq[i].arg0 = NULL;
2441 	sc->cmdq[i].arg1 = sc;
2442 	k0 = &sc->cmdq[i].key;
2443 	k0->wk_flags = k->wk_flags;
2444 	k0->wk_keyix = k->wk_keyix;
2445 	/* matching wcid was written to wk_pad in run_key_set() */
2446 	k0->wk_pad = k->wk_pad;
2447 	ieee80211_runtask(ic, &sc->cmdq_task);
2448 	return (1);	/* return fake success */
2449 
2450 }
2451 
2452 static void
2453 run_ratectl_to(void *arg)
2454 {
2455 	struct run_softc *sc = arg;
2456 
2457 	/* do it in a process context, so it can go sleep */
2458 	ieee80211_runtask(&sc->sc_ic, &sc->ratectl_task);
2459 	/* next timeout will be rescheduled in the callback task */
2460 }
2461 
2462 /* ARGSUSED */
2463 static void
2464 run_ratectl_cb(void *arg, int pending)
2465 {
2466 	struct run_softc *sc = arg;
2467 	struct ieee80211com *ic = &sc->sc_ic;
2468 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2469 
2470 	if (vap == NULL)
2471 		return;
2472 
2473 	if (sc->rvp_cnt > 1 || vap->iv_opmode != IEEE80211_M_STA) {
2474 		/*
2475 		 * run_reset_livelock() doesn't do anything with AMRR,
2476 		 * but Ralink wants us to call it every 1 sec. So, we
2477 		 * piggyback here rather than creating another callout.
2478 		 * Livelock may occur only in HOSTAP or IBSS mode
2479 		 * (when h/w is sending beacons).
2480 		 */
2481 		RUN_LOCK(sc);
2482 		run_reset_livelock(sc);
2483 		/* just in case, there are some stats to drain */
2484 		run_drain_fifo(sc);
2485 		RUN_UNLOCK(sc);
2486 	}
2487 
2488 	ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2489 
2490 	RUN_LOCK(sc);
2491 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2492 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2493 	RUN_UNLOCK(sc);
2494 }
2495 
2496 static void
2497 run_drain_fifo(void *arg)
2498 {
2499 	struct run_softc *sc = arg;
2500 	uint32_t stat;
2501 	uint16_t (*wstat)[3];
2502 	uint8_t wcid, mcs, pid;
2503 	int8_t retry;
2504 
2505 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2506 
2507 	for (;;) {
2508 		/* drain Tx status FIFO (maxsize = 16) */
2509 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2510 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2511 		if (!(stat & RT2860_TXQ_VLD))
2512 			break;
2513 
2514 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2515 
2516 		/* if no ACK was requested, no feedback is available */
2517 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2518 		    wcid == 0)
2519 			continue;
2520 
2521 		/*
2522 		 * Even though each stat is Tx-complete-status like format,
2523 		 * the device can poll stats. Because there is no guarantee
2524 		 * that the referring node is still around when read the stats.
2525 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2526 		 * have hard time not to refer already freed node.
2527 		 *
2528 		 * To eliminate such page faults, we poll stats in softc.
2529 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2530 		 */
2531 		wstat = &(sc->wcid_stats[wcid]);
2532 		(*wstat)[RUN_TXCNT]++;
2533 		if (stat & RT2860_TXQ_OK)
2534 			(*wstat)[RUN_SUCCESS]++;
2535 		else
2536 			counter_u64_add(sc->sc_ic.ic_oerrors, 1);
2537 		/*
2538 		 * Check if there were retries, ie if the Tx success rate is
2539 		 * different from the requested rate. Note that it works only
2540 		 * because we do not allow rate fallback from OFDM to CCK.
2541 		 */
2542 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2543 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2544 		if ((retry = pid -1 - mcs) > 0) {
2545 			(*wstat)[RUN_TXCNT] += retry;
2546 			(*wstat)[RUN_RETRY] += retry;
2547 		}
2548 	}
2549 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2550 
2551 	sc->fifo_cnt = 0;
2552 }
2553 
2554 static void
2555 run_iter_func(void *arg, struct ieee80211_node *ni)
2556 {
2557 	struct run_softc *sc = arg;
2558 	struct ieee80211vap *vap = ni->ni_vap;
2559 	struct run_node *rn = RUN_NODE(ni);
2560 	union run_stats sta[2];
2561 	uint16_t (*wstat)[3];
2562 	int txcnt, success, retrycnt, error;
2563 
2564 	RUN_LOCK(sc);
2565 
2566 	/* Check for special case */
2567 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA &&
2568 	    ni != vap->iv_bss)
2569 		goto fail;
2570 
2571 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2572 	    vap->iv_opmode == IEEE80211_M_STA)) {
2573 		/* read statistic counters (clear on read) and update AMRR state */
2574 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2575 		    sizeof sta);
2576 		if (error != 0)
2577 			goto fail;
2578 
2579 		/* count failed TX as errors */
2580 		if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS,
2581 		    le16toh(sta[0].error.fail));
2582 
2583 		retrycnt = le16toh(sta[1].tx.retry);
2584 		success = le16toh(sta[1].tx.success);
2585 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2586 
2587 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2588 			retrycnt, success, le16toh(sta[0].error.fail));
2589 	} else {
2590 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2591 
2592 		if (wstat == &(sc->wcid_stats[0]) ||
2593 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2594 			goto fail;
2595 
2596 		txcnt = (*wstat)[RUN_TXCNT];
2597 		success = (*wstat)[RUN_SUCCESS];
2598 		retrycnt = (*wstat)[RUN_RETRY];
2599 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2600 		    retrycnt, txcnt, success);
2601 
2602 		memset(wstat, 0, sizeof(*wstat));
2603 	}
2604 
2605 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2606 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2607 
2608 fail:
2609 	RUN_UNLOCK(sc);
2610 
2611 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2612 }
2613 
2614 static void
2615 run_newassoc_cb(void *arg)
2616 {
2617 	struct run_cmdq *cmdq = arg;
2618 	struct ieee80211_node *ni = cmdq->arg1;
2619 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_softc;
2620 	uint8_t wcid = cmdq->wcid;
2621 
2622 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2623 
2624 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2625 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2626 
2627 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2628 }
2629 
2630 static void
2631 run_newassoc(struct ieee80211_node *ni, int isnew)
2632 {
2633 	struct run_node *rn = RUN_NODE(ni);
2634 	struct ieee80211_rateset *rs = &ni->ni_rates;
2635 	struct ieee80211vap *vap = ni->ni_vap;
2636 	struct ieee80211com *ic = vap->iv_ic;
2637 	struct run_softc *sc = ic->ic_softc;
2638 	uint8_t rate;
2639 	uint8_t ridx;
2640 	uint8_t wcid;
2641 	int i, j;
2642 
2643 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2644 	    1 : RUN_AID2WCID(ni->ni_associd);
2645 
2646 	if (wcid > RT2870_WCID_MAX) {
2647 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2648 		return;
2649 	}
2650 
2651 	/* only interested in true associations */
2652 	if (isnew && ni->ni_associd != 0) {
2653 
2654 		/*
2655 		 * This function could is called though timeout function.
2656 		 * Need to defer.
2657 		 */
2658 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2659 		DPRINTF("cmdq_store=%d\n", cnt);
2660 		sc->cmdq[cnt].func = run_newassoc_cb;
2661 		sc->cmdq[cnt].arg0 = NULL;
2662 		sc->cmdq[cnt].arg1 = ni;
2663 		sc->cmdq[cnt].wcid = wcid;
2664 		ieee80211_runtask(ic, &sc->cmdq_task);
2665 	}
2666 
2667 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2668 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2669 
2670 	for (i = 0; i < rs->rs_nrates; i++) {
2671 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2672 		/* convert 802.11 rate to hardware rate index */
2673 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2674 			if (rt2860_rates[ridx].rate == rate)
2675 				break;
2676 		rn->ridx[i] = ridx;
2677 		/* determine rate of control response frames */
2678 		for (j = i; j >= 0; j--) {
2679 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2680 			    rt2860_rates[rn->ridx[i]].phy ==
2681 			    rt2860_rates[rn->ridx[j]].phy)
2682 				break;
2683 		}
2684 		if (j >= 0) {
2685 			rn->ctl_ridx[i] = rn->ridx[j];
2686 		} else {
2687 			/* no basic rate found, use mandatory one */
2688 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2689 		}
2690 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2691 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2692 	}
2693 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2694 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2695 		if (rt2860_rates[ridx].rate == rate)
2696 			break;
2697 	rn->mgt_ridx = ridx;
2698 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2699 
2700 	RUN_LOCK(sc);
2701 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2702 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2703 	RUN_UNLOCK(sc);
2704 }
2705 
2706 /*
2707  * Return the Rx chain with the highest RSSI for a given frame.
2708  */
2709 static __inline uint8_t
2710 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2711 {
2712 	uint8_t rxchain = 0;
2713 
2714 	if (sc->nrxchains > 1) {
2715 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2716 			rxchain = 1;
2717 		if (sc->nrxchains > 2)
2718 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2719 				rxchain = 2;
2720 	}
2721 	return (rxchain);
2722 }
2723 
2724 static void
2725 run_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m, int subtype,
2726     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
2727 {
2728 	struct ieee80211vap *vap = ni->ni_vap;
2729 	struct run_softc *sc = vap->iv_ic->ic_softc;
2730 	struct run_vap *rvp = RUN_VAP(vap);
2731 	uint64_t ni_tstamp, rx_tstamp;
2732 
2733 	rvp->recv_mgmt(ni, m, subtype, rxs, rssi, nf);
2734 
2735 	if (vap->iv_state == IEEE80211_S_RUN &&
2736 	    (subtype == IEEE80211_FC0_SUBTYPE_BEACON ||
2737 	    subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) {
2738 		ni_tstamp = le64toh(ni->ni_tstamp.tsf);
2739 		RUN_LOCK(sc);
2740 		run_get_tsf(sc, &rx_tstamp);
2741 		RUN_UNLOCK(sc);
2742 		rx_tstamp = le64toh(rx_tstamp);
2743 
2744 		if (ni_tstamp >= rx_tstamp) {
2745 			DPRINTF("ibss merge, tsf %ju tstamp %ju\n",
2746 			    (uintmax_t)rx_tstamp, (uintmax_t)ni_tstamp);
2747 			(void) ieee80211_ibss_merge(ni);
2748 		}
2749 	}
2750 }
2751 
2752 static void
2753 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2754 {
2755 	struct ieee80211com *ic = &sc->sc_ic;
2756 	struct ieee80211_frame *wh;
2757 	struct ieee80211_node *ni;
2758 	struct rt2870_rxd *rxd;
2759 	struct rt2860_rxwi *rxwi;
2760 	uint32_t flags;
2761 	uint16_t len, rxwisize;
2762 	uint8_t ant, rssi;
2763 	int8_t nf;
2764 
2765 	rxwi = mtod(m, struct rt2860_rxwi *);
2766 	len = le16toh(rxwi->len) & 0xfff;
2767 	rxwisize = sizeof(struct rt2860_rxwi);
2768 	if (sc->mac_ver == 0x5592)
2769 		rxwisize += sizeof(uint64_t);
2770 	else if (sc->mac_ver == 0x3593)
2771 		rxwisize += sizeof(uint32_t);
2772 	if (__predict_false(len > dmalen)) {
2773 		m_freem(m);
2774 		counter_u64_add(ic->ic_ierrors, 1);
2775 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2776 		return;
2777 	}
2778 	/* Rx descriptor is located at the end */
2779 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2780 	flags = le32toh(rxd->flags);
2781 
2782 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2783 		m_freem(m);
2784 		counter_u64_add(ic->ic_ierrors, 1);
2785 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2786 		return;
2787 	}
2788 
2789 	m->m_data += rxwisize;
2790 	m->m_pkthdr.len = m->m_len -= rxwisize;
2791 
2792 	wh = mtod(m, struct ieee80211_frame *);
2793 
2794 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2795 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2796 		m->m_flags |= M_WEP;
2797 	}
2798 
2799 	if (flags & RT2860_RX_L2PAD) {
2800 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2801 		len += 2;
2802 	}
2803 
2804 	ni = ieee80211_find_rxnode(ic,
2805 	    mtod(m, struct ieee80211_frame_min *));
2806 
2807 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2808 		/* report MIC failures to net80211 for TKIP */
2809 		if (ni != NULL)
2810 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2811 			    rxwi->keyidx);
2812 		m_freem(m);
2813 		counter_u64_add(ic->ic_ierrors, 1);
2814 		DPRINTF("MIC error. Someone is lying.\n");
2815 		return;
2816 	}
2817 
2818 	ant = run_maxrssi_chain(sc, rxwi);
2819 	rssi = rxwi->rssi[ant];
2820 	nf = run_rssi2dbm(sc, rssi, ant);
2821 
2822 	m->m_pkthdr.len = m->m_len = len;
2823 
2824 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2825 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2826 		uint16_t phy;
2827 
2828 		tap->wr_flags = 0;
2829 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2830 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2831 		tap->wr_antsignal = rssi;
2832 		tap->wr_antenna = ant;
2833 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2834 		tap->wr_rate = 2;	/* in case it can't be found below */
2835 		run_get_tsf(sc, &tap->wr_tsf);
2836 		phy = le16toh(rxwi->phy);
2837 		switch (phy & RT2860_PHY_MODE) {
2838 		case RT2860_PHY_CCK:
2839 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2840 			case 0:	tap->wr_rate =   2; break;
2841 			case 1:	tap->wr_rate =   4; break;
2842 			case 2:	tap->wr_rate =  11; break;
2843 			case 3:	tap->wr_rate =  22; break;
2844 			}
2845 			if (phy & RT2860_PHY_SHPRE)
2846 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2847 			break;
2848 		case RT2860_PHY_OFDM:
2849 			switch (phy & RT2860_PHY_MCS) {
2850 			case 0:	tap->wr_rate =  12; break;
2851 			case 1:	tap->wr_rate =  18; break;
2852 			case 2:	tap->wr_rate =  24; break;
2853 			case 3:	tap->wr_rate =  36; break;
2854 			case 4:	tap->wr_rate =  48; break;
2855 			case 5:	tap->wr_rate =  72; break;
2856 			case 6:	tap->wr_rate =  96; break;
2857 			case 7:	tap->wr_rate = 108; break;
2858 			}
2859 			break;
2860 		}
2861 	}
2862 
2863 	if (ni != NULL) {
2864 		(void)ieee80211_input(ni, m, rssi, nf);
2865 		ieee80211_free_node(ni);
2866 	} else {
2867 		(void)ieee80211_input_all(ic, m, rssi, nf);
2868 	}
2869 }
2870 
2871 static void
2872 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2873 {
2874 	struct run_softc *sc = usbd_xfer_softc(xfer);
2875 	struct ieee80211com *ic = &sc->sc_ic;
2876 	struct mbuf *m = NULL;
2877 	struct mbuf *m0;
2878 	uint32_t dmalen;
2879 	uint16_t rxwisize;
2880 	int xferlen;
2881 
2882 	rxwisize = sizeof(struct rt2860_rxwi);
2883 	if (sc->mac_ver == 0x5592)
2884 		rxwisize += sizeof(uint64_t);
2885 	else if (sc->mac_ver == 0x3593)
2886 		rxwisize += sizeof(uint32_t);
2887 
2888 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2889 
2890 	switch (USB_GET_STATE(xfer)) {
2891 	case USB_ST_TRANSFERRED:
2892 
2893 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2894 
2895 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2896 		    sizeof(struct rt2870_rxd))) {
2897 			DPRINTF("xfer too short %d\n", xferlen);
2898 			goto tr_setup;
2899 		}
2900 
2901 		m = sc->rx_m;
2902 		sc->rx_m = NULL;
2903 
2904 		/* FALLTHROUGH */
2905 	case USB_ST_SETUP:
2906 tr_setup:
2907 		if (sc->rx_m == NULL) {
2908 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2909 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2910 		}
2911 		if (sc->rx_m == NULL) {
2912 			DPRINTF("could not allocate mbuf - idle with stall\n");
2913 			counter_u64_add(ic->ic_ierrors, 1);
2914 			usbd_xfer_set_stall(xfer);
2915 			usbd_xfer_set_frames(xfer, 0);
2916 		} else {
2917 			/*
2918 			 * Directly loading a mbuf cluster into DMA to
2919 			 * save some data copying. This works because
2920 			 * there is only one cluster.
2921 			 */
2922 			usbd_xfer_set_frame_data(xfer, 0,
2923 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2924 			usbd_xfer_set_frames(xfer, 1);
2925 		}
2926 		usbd_transfer_submit(xfer);
2927 		break;
2928 
2929 	default:	/* Error */
2930 		if (error != USB_ERR_CANCELLED) {
2931 			/* try to clear stall first */
2932 			usbd_xfer_set_stall(xfer);
2933 			if (error == USB_ERR_TIMEOUT)
2934 				device_printf(sc->sc_dev, "device timeout\n");
2935 			counter_u64_add(ic->ic_ierrors, 1);
2936 			goto tr_setup;
2937 		}
2938 		if (sc->rx_m != NULL) {
2939 			m_freem(sc->rx_m);
2940 			sc->rx_m = NULL;
2941 		}
2942 		break;
2943 	}
2944 
2945 	if (m == NULL)
2946 		return;
2947 
2948 	/* inputting all the frames must be last */
2949 
2950 	RUN_UNLOCK(sc);
2951 
2952 	m->m_pkthdr.len = m->m_len = xferlen;
2953 
2954 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2955 	for(;;) {
2956 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2957 
2958 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2959 		    ((dmalen & 3) != 0)) {
2960 			DPRINTF("bad DMA length %u\n", dmalen);
2961 			break;
2962 		}
2963 		if ((dmalen + 8) > (uint32_t)xferlen) {
2964 			DPRINTF("bad DMA length %u > %d\n",
2965 			dmalen + 8, xferlen);
2966 			break;
2967 		}
2968 
2969 		/* If it is the last one or a single frame, we won't copy. */
2970 		if ((xferlen -= dmalen + 8) <= 8) {
2971 			/* trim 32-bit DMA-len header */
2972 			m->m_data += 4;
2973 			m->m_pkthdr.len = m->m_len -= 4;
2974 			run_rx_frame(sc, m, dmalen);
2975 			m = NULL;	/* don't free source buffer */
2976 			break;
2977 		}
2978 
2979 		/* copy aggregated frames to another mbuf */
2980 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2981 		if (__predict_false(m0 == NULL)) {
2982 			DPRINTF("could not allocate mbuf\n");
2983 			counter_u64_add(ic->ic_ierrors, 1);
2984 			break;
2985 		}
2986 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2987 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2988 		m0->m_pkthdr.len = m0->m_len =
2989 		    dmalen + sizeof(struct rt2870_rxd);
2990 		run_rx_frame(sc, m0, dmalen);
2991 
2992 		/* update data ptr */
2993 		m->m_data += dmalen + 8;
2994 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
2995 	}
2996 
2997 	/* make sure we free the source buffer, if any */
2998 	m_freem(m);
2999 
3000 	RUN_LOCK(sc);
3001 }
3002 
3003 static void
3004 run_tx_free(struct run_endpoint_queue *pq,
3005     struct run_tx_data *data, int txerr)
3006 {
3007 
3008 	ieee80211_tx_complete(data->ni, data->m, txerr);
3009 
3010 	data->m = NULL;
3011 	data->ni = NULL;
3012 
3013 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3014 	pq->tx_nfree++;
3015 }
3016 
3017 static void
3018 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3019 {
3020 	struct run_softc *sc = usbd_xfer_softc(xfer);
3021 	struct ieee80211com *ic = &sc->sc_ic;
3022 	struct run_tx_data *data;
3023 	struct ieee80211vap *vap = NULL;
3024 	struct usb_page_cache *pc;
3025 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3026 	struct mbuf *m;
3027 	usb_frlength_t size;
3028 	int actlen;
3029 	int sumlen;
3030 
3031 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3032 
3033 	switch (USB_GET_STATE(xfer)) {
3034 	case USB_ST_TRANSFERRED:
3035 		DPRINTFN(11, "transfer complete: %d "
3036 		    "bytes @ index %d\n", actlen, index);
3037 
3038 		data = usbd_xfer_get_priv(xfer);
3039 		run_tx_free(pq, data, 0);
3040 		usbd_xfer_set_priv(xfer, NULL);
3041 
3042 		/* FALLTHROUGH */
3043 	case USB_ST_SETUP:
3044 tr_setup:
3045 		data = STAILQ_FIRST(&pq->tx_qh);
3046 		if (data == NULL)
3047 			break;
3048 
3049 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3050 
3051 		m = data->m;
3052 		size = (sc->mac_ver == 0x5592) ?
3053 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3054 		if ((m->m_pkthdr.len +
3055 		    size + 3 + 8) > RUN_MAX_TXSZ) {
3056 			DPRINTF("data overflow, %u bytes\n",
3057 			    m->m_pkthdr.len);
3058 			run_tx_free(pq, data, 1);
3059 			goto tr_setup;
3060 		}
3061 
3062 		pc = usbd_xfer_get_frame(xfer, 0);
3063 		usbd_copy_in(pc, 0, &data->desc, size);
3064 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3065 		size += m->m_pkthdr.len;
3066 		/*
3067 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3068 		 * 4-byte padding), and be sure to zero those trailing
3069 		 * bytes:
3070 		 */
3071 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3072 		size += ((-size) & 3) + 8;
3073 
3074 		vap = data->ni->ni_vap;
3075 		if (ieee80211_radiotap_active_vap(vap)) {
3076 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3077 			struct rt2860_txwi *txwi =
3078 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3079 			tap->wt_flags = 0;
3080 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3081 			run_get_tsf(sc, &tap->wt_tsf);
3082 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3083 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3084 			tap->wt_hwqueue = index;
3085 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3086 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3087 
3088 			ieee80211_radiotap_tx(vap, m);
3089 		}
3090 
3091 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3092 		    m->m_pkthdr.len, size, index);
3093 
3094 		usbd_xfer_set_frame_len(xfer, 0, size);
3095 		usbd_xfer_set_priv(xfer, data);
3096 		usbd_transfer_submit(xfer);
3097 		run_start(sc);
3098 
3099 		break;
3100 
3101 	default:
3102 		DPRINTF("USB transfer error, %s\n",
3103 		    usbd_errstr(error));
3104 
3105 		data = usbd_xfer_get_priv(xfer);
3106 
3107 		if (data != NULL) {
3108 			if(data->ni != NULL)
3109 				vap = data->ni->ni_vap;
3110 			run_tx_free(pq, data, error);
3111 			usbd_xfer_set_priv(xfer, NULL);
3112 		}
3113 
3114 		if (vap == NULL)
3115 			vap = TAILQ_FIRST(&ic->ic_vaps);
3116 
3117 		if (error != USB_ERR_CANCELLED) {
3118 			if (error == USB_ERR_TIMEOUT) {
3119 				device_printf(sc->sc_dev, "device timeout\n");
3120 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3121 				DPRINTF("cmdq_store=%d\n", i);
3122 				sc->cmdq[i].func = run_usb_timeout_cb;
3123 				sc->cmdq[i].arg0 = vap;
3124 				ieee80211_runtask(ic, &sc->cmdq_task);
3125 			}
3126 
3127 			/*
3128 			 * Try to clear stall first, also if other
3129 			 * errors occur, hence clearing stall
3130 			 * introduces a 50 ms delay:
3131 			 */
3132 			usbd_xfer_set_stall(xfer);
3133 			goto tr_setup;
3134 		}
3135 		break;
3136 	}
3137 }
3138 
3139 static void
3140 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3141 {
3142 	run_bulk_tx_callbackN(xfer, error, 0);
3143 }
3144 
3145 static void
3146 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3147 {
3148 	run_bulk_tx_callbackN(xfer, error, 1);
3149 }
3150 
3151 static void
3152 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3153 {
3154 	run_bulk_tx_callbackN(xfer, error, 2);
3155 }
3156 
3157 static void
3158 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3159 {
3160 	run_bulk_tx_callbackN(xfer, error, 3);
3161 }
3162 
3163 static void
3164 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3165 {
3166 	run_bulk_tx_callbackN(xfer, error, 4);
3167 }
3168 
3169 static void
3170 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3171 {
3172 	run_bulk_tx_callbackN(xfer, error, 5);
3173 }
3174 
3175 static void
3176 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3177 {
3178 	struct mbuf *m = data->m;
3179 	struct ieee80211com *ic = &sc->sc_ic;
3180 	struct ieee80211vap *vap = data->ni->ni_vap;
3181 	struct ieee80211_frame *wh;
3182 	struct rt2870_txd *txd;
3183 	struct rt2860_txwi *txwi;
3184 	uint16_t xferlen, txwisize;
3185 	uint16_t mcs;
3186 	uint8_t ridx = data->ridx;
3187 	uint8_t pad;
3188 
3189 	/* get MCS code from rate index */
3190 	mcs = rt2860_rates[ridx].mcs;
3191 
3192 	txwisize = (sc->mac_ver == 0x5592) ?
3193 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3194 	xferlen = txwisize + m->m_pkthdr.len;
3195 
3196 	/* roundup to 32-bit alignment */
3197 	xferlen = (xferlen + 3) & ~3;
3198 
3199 	txd = (struct rt2870_txd *)&data->desc;
3200 	txd->len = htole16(xferlen);
3201 
3202 	wh = mtod(m, struct ieee80211_frame *);
3203 
3204 	/*
3205 	 * Ether both are true or both are false, the header
3206 	 * are nicely aligned to 32-bit. So, no L2 padding.
3207 	 */
3208 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3209 		pad = 0;
3210 	else
3211 		pad = 2;
3212 
3213 	/* setup TX Wireless Information */
3214 	txwi = (struct rt2860_txwi *)(txd + 1);
3215 	txwi->len = htole16(m->m_pkthdr.len - pad);
3216 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3217 		mcs |= RT2860_PHY_CCK;
3218 		if (ridx != RT2860_RIDX_CCK1 &&
3219 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3220 			mcs |= RT2860_PHY_SHPRE;
3221 	} else
3222 		mcs |= RT2860_PHY_OFDM;
3223 	txwi->phy = htole16(mcs);
3224 
3225 	/* check if RTS/CTS or CTS-to-self protection is required */
3226 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3227 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3228 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3229 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3230 		txwi->txop |= RT2860_TX_TXOP_HT;
3231 	else
3232 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3233 
3234 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3235 		txwi->xflags |= RT2860_TX_NSEQ;
3236 }
3237 
3238 /* This function must be called locked */
3239 static int
3240 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3241 {
3242 	struct ieee80211com *ic = &sc->sc_ic;
3243 	struct ieee80211vap *vap = ni->ni_vap;
3244 	struct ieee80211_frame *wh;
3245 	struct ieee80211_channel *chan;
3246 	const struct ieee80211_txparam *tp;
3247 	struct run_node *rn = RUN_NODE(ni);
3248 	struct run_tx_data *data;
3249 	struct rt2870_txd *txd;
3250 	struct rt2860_txwi *txwi;
3251 	uint16_t qos;
3252 	uint16_t dur;
3253 	uint16_t qid;
3254 	uint8_t type;
3255 	uint8_t tid;
3256 	uint8_t ridx;
3257 	uint8_t ctl_ridx;
3258 	uint8_t qflags;
3259 	uint8_t xflags = 0;
3260 	int hasqos;
3261 
3262 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3263 
3264 	wh = mtod(m, struct ieee80211_frame *);
3265 
3266 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3267 
3268 	/*
3269 	 * There are 7 bulk endpoints: 1 for RX
3270 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3271 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3272 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3273 	 */
3274 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3275 		uint8_t *frm;
3276 
3277 		if(IEEE80211_HAS_ADDR4(wh))
3278 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3279 		else
3280 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3281 
3282 		qos = le16toh(*(const uint16_t *)frm);
3283 		tid = qos & IEEE80211_QOS_TID;
3284 		qid = TID_TO_WME_AC(tid);
3285 	} else {
3286 		qos = 0;
3287 		tid = 0;
3288 		qid = WME_AC_BE;
3289 	}
3290 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3291 
3292 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3293 	    qos, qid, tid, qflags);
3294 
3295 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3296 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3297 
3298 	/* pickup a rate index */
3299 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3300 	    type != IEEE80211_FC0_TYPE_DATA || m->m_flags & M_EAPOL) {
3301 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3302 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3303 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3304 	} else {
3305 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3306 			ridx = rn->fix_ridx;
3307 		else
3308 			ridx = rn->amrr_ridx;
3309 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3310 	}
3311 
3312 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3313 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3314 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3315 		xflags |= RT2860_TX_ACK;
3316 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3317 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3318 		else
3319 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3320 		USETW(wh->i_dur, dur);
3321 	}
3322 
3323 	/* reserve slots for mgmt packets, just in case */
3324 	if (sc->sc_epq[qid].tx_nfree < 3) {
3325 		DPRINTFN(10, "tx ring %d is full\n", qid);
3326 		return (-1);
3327 	}
3328 
3329 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3330 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3331 	sc->sc_epq[qid].tx_nfree--;
3332 
3333 	txd = (struct rt2870_txd *)&data->desc;
3334 	txd->flags = qflags;
3335 	txwi = (struct rt2860_txwi *)(txd + 1);
3336 	txwi->xflags = xflags;
3337 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3338 		txwi->wcid = 0;
3339 	else
3340 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3341 		    1 : RUN_AID2WCID(ni->ni_associd);
3342 
3343 	/* clear leftover garbage bits */
3344 	txwi->flags = 0;
3345 	txwi->txop = 0;
3346 
3347 	data->m = m;
3348 	data->ni = ni;
3349 	data->ridx = ridx;
3350 
3351 	run_set_tx_desc(sc, data);
3352 
3353 	/*
3354 	 * The chip keeps track of 2 kind of Tx stats,
3355 	 *  * TX_STAT_FIFO, for per WCID stats, and
3356 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3357 	 *
3358 	 * To use FIFO stats, we need to store MCS into the driver-private
3359  	 * PacketID field. So that, we can tell whose stats when we read them.
3360  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3361  	 * that we don't want feedback in TX_STAT_FIFO.
3362  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3363  	 *
3364  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3365  	 */
3366 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3367 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3368 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3369 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3370 
3371 		/*
3372 		 * Unlike PCI based devices, we don't get any interrupt from
3373 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3374 		 * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3375 		 * quickly get fulled. To prevent overflow, increment a counter on
3376 		 * every FIFO stat request, so we know how many slots are left.
3377 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3378 		 * are used only in those modes.
3379 		 * We just drain stats. AMRR gets updated every 1 sec by
3380 		 * run_ratectl_cb() via callout.
3381 		 * Call it early. Otherwise overflow.
3382 		 */
3383 		if (sc->fifo_cnt++ == 10) {
3384 			/*
3385 			 * With multiple vaps or if_bridge, if_start() is called
3386 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3387 			 */
3388 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3389 			DPRINTFN(6, "cmdq_store=%d\n", i);
3390 			sc->cmdq[i].func = run_drain_fifo;
3391 			sc->cmdq[i].arg0 = sc;
3392 			ieee80211_runtask(ic, &sc->cmdq_task);
3393 		}
3394 	}
3395 
3396         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3397 
3398 	usbd_transfer_start(sc->sc_xfer[qid]);
3399 
3400 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3401 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3402 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3403 
3404 	return (0);
3405 }
3406 
3407 static int
3408 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3409 {
3410 	struct ieee80211com *ic = &sc->sc_ic;
3411 	struct run_node *rn = RUN_NODE(ni);
3412 	struct run_tx_data *data;
3413 	struct ieee80211_frame *wh;
3414 	struct rt2870_txd *txd;
3415 	struct rt2860_txwi *txwi;
3416 	uint16_t dur;
3417 	uint8_t ridx = rn->mgt_ridx;
3418 	uint8_t type;
3419 	uint8_t xflags = 0;
3420 	uint8_t wflags = 0;
3421 
3422 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3423 
3424 	wh = mtod(m, struct ieee80211_frame *);
3425 
3426 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3427 
3428 	/* tell hardware to add timestamp for probe responses */
3429 	if ((wh->i_fc[0] &
3430 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3431 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3432 		wflags |= RT2860_TX_TS;
3433 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3434 		xflags |= RT2860_TX_ACK;
3435 
3436 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3437 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3438 		USETW(wh->i_dur, dur);
3439 	}
3440 
3441 	if (sc->sc_epq[0].tx_nfree == 0)
3442 		/* let caller free mbuf */
3443 		return (EIO);
3444 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3445 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3446 	sc->sc_epq[0].tx_nfree--;
3447 
3448 	txd = (struct rt2870_txd *)&data->desc;
3449 	txd->flags = RT2860_TX_QSEL_EDCA;
3450 	txwi = (struct rt2860_txwi *)(txd + 1);
3451 	txwi->wcid = 0xff;
3452 	txwi->flags = wflags;
3453 	txwi->xflags = xflags;
3454 	txwi->txop = 0;	/* clear leftover garbage bits */
3455 
3456 	data->m = m;
3457 	data->ni = ni;
3458 	data->ridx = ridx;
3459 
3460 	run_set_tx_desc(sc, data);
3461 
3462 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3463 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3464 	    rt2860_rates[ridx].rate);
3465 
3466 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3467 
3468 	usbd_transfer_start(sc->sc_xfer[0]);
3469 
3470 	return (0);
3471 }
3472 
3473 static int
3474 run_sendprot(struct run_softc *sc,
3475     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3476 {
3477 	struct ieee80211com *ic = ni->ni_ic;
3478 	struct ieee80211_frame *wh;
3479 	struct run_tx_data *data;
3480 	struct rt2870_txd *txd;
3481 	struct rt2860_txwi *txwi;
3482 	struct mbuf *mprot;
3483 	int ridx;
3484 	int protrate;
3485 	int ackrate;
3486 	int pktlen;
3487 	int isshort;
3488 	uint16_t dur;
3489 	uint8_t type;
3490 	uint8_t wflags = 0;
3491 	uint8_t xflags = 0;
3492 
3493 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3494 
3495 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3496 	    ("protection %d", prot));
3497 
3498 	wh = mtod(m, struct ieee80211_frame *);
3499 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3500 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3501 
3502 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3503 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3504 
3505 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3506 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3507 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3508 	wflags = RT2860_TX_FRAG;
3509 
3510 	/* check that there are free slots before allocating the mbuf */
3511 	if (sc->sc_epq[0].tx_nfree == 0)
3512 		/* let caller free mbuf */
3513 		return (ENOBUFS);
3514 
3515 	if (prot == IEEE80211_PROT_RTSCTS) {
3516 		/* NB: CTS is the same size as an ACK */
3517 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3518 		xflags |= RT2860_TX_ACK;
3519 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3520 	} else {
3521 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3522 	}
3523 	if (mprot == NULL) {
3524 		if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1);
3525 		DPRINTF("could not allocate mbuf\n");
3526 		return (ENOBUFS);
3527 	}
3528 
3529         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3530         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3531         sc->sc_epq[0].tx_nfree--;
3532 
3533 	txd = (struct rt2870_txd *)&data->desc;
3534 	txd->flags = RT2860_TX_QSEL_EDCA;
3535 	txwi = (struct rt2860_txwi *)(txd + 1);
3536 	txwi->wcid = 0xff;
3537 	txwi->flags = wflags;
3538 	txwi->xflags = xflags;
3539 	txwi->txop = 0;	/* clear leftover garbage bits */
3540 
3541 	data->m = mprot;
3542 	data->ni = ieee80211_ref_node(ni);
3543 
3544 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3545 		if (rt2860_rates[ridx].rate == protrate)
3546 			break;
3547 	data->ridx = ridx;
3548 
3549 	run_set_tx_desc(sc, data);
3550 
3551         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3552             m->m_pkthdr.len, rate);
3553 
3554         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3555 
3556 	usbd_transfer_start(sc->sc_xfer[0]);
3557 
3558 	return (0);
3559 }
3560 
3561 static int
3562 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3563     const struct ieee80211_bpf_params *params)
3564 {
3565 	struct ieee80211com *ic = ni->ni_ic;
3566 	struct ieee80211_frame *wh;
3567 	struct run_tx_data *data;
3568 	struct rt2870_txd *txd;
3569 	struct rt2860_txwi *txwi;
3570 	uint8_t type;
3571 	uint8_t ridx;
3572 	uint8_t rate;
3573 	uint8_t opflags = 0;
3574 	uint8_t xflags = 0;
3575 	int error;
3576 
3577 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3578 
3579 	KASSERT(params != NULL, ("no raw xmit params"));
3580 
3581 	wh = mtod(m, struct ieee80211_frame *);
3582 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3583 
3584 	rate = params->ibp_rate0;
3585 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3586 		/* let caller free mbuf */
3587 		return (EINVAL);
3588 	}
3589 
3590 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3591 		xflags |= RT2860_TX_ACK;
3592 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3593 		error = run_sendprot(sc, m, ni,
3594 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3595 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3596 		    rate);
3597 		if (error) {
3598 			/* let caller free mbuf */
3599 			return error;
3600 		}
3601 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3602 	}
3603 
3604 	if (sc->sc_epq[0].tx_nfree == 0) {
3605 		/* let caller free mbuf */
3606 		DPRINTF("sending raw frame, but tx ring is full\n");
3607 		return (EIO);
3608 	}
3609         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3610         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3611         sc->sc_epq[0].tx_nfree--;
3612 
3613 	txd = (struct rt2870_txd *)&data->desc;
3614 	txd->flags = RT2860_TX_QSEL_EDCA;
3615 	txwi = (struct rt2860_txwi *)(txd + 1);
3616 	txwi->wcid = 0xff;
3617 	txwi->xflags = xflags;
3618 	txwi->txop = opflags;
3619 	txwi->flags = 0;	/* clear leftover garbage bits */
3620 
3621         data->m = m;
3622         data->ni = ni;
3623 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3624 		if (rt2860_rates[ridx].rate == rate)
3625 			break;
3626 	data->ridx = ridx;
3627 
3628         run_set_tx_desc(sc, data);
3629 
3630         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3631             m->m_pkthdr.len, rate);
3632 
3633         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3634 
3635 	usbd_transfer_start(sc->sc_xfer[0]);
3636 
3637         return (0);
3638 }
3639 
3640 static int
3641 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3642     const struct ieee80211_bpf_params *params)
3643 {
3644 	struct run_softc *sc = ni->ni_ic->ic_softc;
3645 	int error = 0;
3646 
3647 	RUN_LOCK(sc);
3648 
3649 	/* prevent management frames from being sent if we're not ready */
3650 	if (!(sc->sc_flags & RUN_RUNNING)) {
3651 		error = ENETDOWN;
3652 		goto done;
3653 	}
3654 
3655 	if (params == NULL) {
3656 		/* tx mgt packet */
3657 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3658 			DPRINTF("mgt tx failed\n");
3659 			goto done;
3660 		}
3661 	} else {
3662 		/* tx raw packet with param */
3663 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3664 			DPRINTF("tx with param failed\n");
3665 			goto done;
3666 		}
3667 	}
3668 
3669 done:
3670 	RUN_UNLOCK(sc);
3671 
3672 	if (error != 0) {
3673 		if(m != NULL)
3674 			m_freem(m);
3675 	}
3676 
3677 	return (error);
3678 }
3679 
3680 static int
3681 run_transmit(struct ieee80211com *ic, struct mbuf *m)
3682 {
3683 	struct run_softc *sc = ic->ic_softc;
3684 	int error;
3685 
3686 	RUN_LOCK(sc);
3687 	if ((sc->sc_flags & RUN_RUNNING) == 0) {
3688 		RUN_UNLOCK(sc);
3689 		return (ENXIO);
3690 	}
3691 	error = mbufq_enqueue(&sc->sc_snd, m);
3692 	if (error) {
3693 		RUN_UNLOCK(sc);
3694 		return (error);
3695 	}
3696 	run_start(sc);
3697 	RUN_UNLOCK(sc);
3698 
3699 	return (0);
3700 }
3701 
3702 static void
3703 run_start(struct run_softc *sc)
3704 {
3705 	struct ieee80211_node *ni;
3706 	struct mbuf *m;
3707 
3708 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3709 
3710 	if ((sc->sc_flags & RUN_RUNNING) == 0)
3711 		return;
3712 
3713 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
3714 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3715 		if (run_tx(sc, m, ni) != 0) {
3716 			mbufq_prepend(&sc->sc_snd, m);
3717 			break;
3718 		}
3719 	}
3720 }
3721 
3722 static void
3723 run_parent(struct ieee80211com *ic)
3724 {
3725 	struct run_softc *sc = ic->ic_softc;
3726 	int startall = 0;
3727 
3728 	RUN_LOCK(sc);
3729 	if (sc->sc_detached) {
3730 		RUN_UNLOCK(sc);
3731 		return;
3732 	}
3733 
3734 	if (ic->ic_nrunning > 0) {
3735 		if (!(sc->sc_flags & RUN_RUNNING)) {
3736 			startall = 1;
3737 			run_init_locked(sc);
3738 		} else
3739 			run_update_promisc_locked(sc);
3740 	} else if ((sc->sc_flags & RUN_RUNNING) && sc->rvp_cnt <= 1)
3741 		run_stop(sc);
3742 	RUN_UNLOCK(sc);
3743 	if (startall)
3744 		ieee80211_start_all(ic);
3745 }
3746 
3747 static void
3748 run_iq_calib(struct run_softc *sc, u_int chan)
3749 {
3750 	uint16_t val;
3751 
3752 	/* Tx0 IQ gain. */
3753 	run_bbp_write(sc, 158, 0x2c);
3754 	if (chan <= 14)
3755 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3756 	else if (chan <= 64) {
3757 		run_efuse_read(sc,
3758 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3759 		    &val, 1);
3760 	} else if (chan <= 138) {
3761 		run_efuse_read(sc,
3762 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3763 		    &val, 1);
3764 	} else if (chan <= 165) {
3765 		run_efuse_read(sc,
3766 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3767 		    &val, 1);
3768 	} else
3769 		val = 0;
3770 	run_bbp_write(sc, 159, val);
3771 
3772 	/* Tx0 IQ phase. */
3773 	run_bbp_write(sc, 158, 0x2d);
3774 	if (chan <= 14) {
3775 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3776 		    &val, 1);
3777 	} else if (chan <= 64) {
3778 		run_efuse_read(sc,
3779 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3780 		    &val, 1);
3781 	} else if (chan <= 138) {
3782 		run_efuse_read(sc,
3783 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3784 		    &val, 1);
3785 	} else if (chan <= 165) {
3786 		run_efuse_read(sc,
3787 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3788 		    &val, 1);
3789 	} else
3790 		val = 0;
3791 	run_bbp_write(sc, 159, val);
3792 
3793 	/* Tx1 IQ gain. */
3794 	run_bbp_write(sc, 158, 0x4a);
3795 	if (chan <= 14) {
3796 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3797 		    &val, 1);
3798 	} else if (chan <= 64) {
3799 		run_efuse_read(sc,
3800 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3801 		    &val, 1);
3802 	} else if (chan <= 138) {
3803 		run_efuse_read(sc,
3804 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3805 		    &val, 1);
3806 	} else if (chan <= 165) {
3807 		run_efuse_read(sc,
3808 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3809 		    &val, 1);
3810 	} else
3811 		val = 0;
3812 	run_bbp_write(sc, 159, val);
3813 
3814 	/* Tx1 IQ phase. */
3815 	run_bbp_write(sc, 158, 0x4b);
3816 	if (chan <= 14) {
3817 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3818 		    &val, 1);
3819 	} else if (chan <= 64) {
3820 		run_efuse_read(sc,
3821 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3822 		    &val, 1);
3823 	} else if (chan <= 138) {
3824 		run_efuse_read(sc,
3825 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3826 		    &val, 1);
3827 	} else if (chan <= 165) {
3828 		run_efuse_read(sc,
3829 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3830 		    &val, 1);
3831 	} else
3832 		val = 0;
3833 	run_bbp_write(sc, 159, val);
3834 
3835 	/* RF IQ compensation control. */
3836 	run_bbp_write(sc, 158, 0x04);
3837 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3838 	    &val, 1);
3839 	run_bbp_write(sc, 159, val);
3840 
3841 	/* RF IQ imbalance compensation control. */
3842 	run_bbp_write(sc, 158, 0x03);
3843 	run_efuse_read(sc,
3844 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3845 	run_bbp_write(sc, 159, val);
3846 }
3847 
3848 static void
3849 run_set_agc(struct run_softc *sc, uint8_t agc)
3850 {
3851 	uint8_t bbp;
3852 
3853 	if (sc->mac_ver == 0x3572) {
3854 		run_bbp_read(sc, 27, &bbp);
3855 		bbp &= ~(0x3 << 5);
3856 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3857 		run_bbp_write(sc, 66, agc);
3858 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3859 		run_bbp_write(sc, 66, agc);
3860 	} else
3861 		run_bbp_write(sc, 66, agc);
3862 }
3863 
3864 static void
3865 run_select_chan_group(struct run_softc *sc, int group)
3866 {
3867 	uint32_t tmp;
3868 	uint8_t agc;
3869 
3870 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3871 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3872 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3873 	if (sc->mac_ver < 0x3572)
3874 		run_bbp_write(sc, 86, 0x00);
3875 
3876 	if (sc->mac_ver == 0x3593) {
3877 		run_bbp_write(sc, 77, 0x98);
3878 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3879 	}
3880 
3881 	if (group == 0) {
3882 		if (sc->ext_2ghz_lna) {
3883 			if (sc->mac_ver >= 0x5390)
3884 				run_bbp_write(sc, 75, 0x52);
3885 			else {
3886 				run_bbp_write(sc, 82, 0x62);
3887 				run_bbp_write(sc, 75, 0x46);
3888 			}
3889 		} else {
3890 			if (sc->mac_ver == 0x5592) {
3891 				run_bbp_write(sc, 79, 0x1c);
3892 				run_bbp_write(sc, 80, 0x0e);
3893 				run_bbp_write(sc, 81, 0x3a);
3894 				run_bbp_write(sc, 82, 0x62);
3895 
3896 				run_bbp_write(sc, 195, 0x80);
3897 				run_bbp_write(sc, 196, 0xe0);
3898 				run_bbp_write(sc, 195, 0x81);
3899 				run_bbp_write(sc, 196, 0x1f);
3900 				run_bbp_write(sc, 195, 0x82);
3901 				run_bbp_write(sc, 196, 0x38);
3902 				run_bbp_write(sc, 195, 0x83);
3903 				run_bbp_write(sc, 196, 0x32);
3904 				run_bbp_write(sc, 195, 0x85);
3905 				run_bbp_write(sc, 196, 0x28);
3906 				run_bbp_write(sc, 195, 0x86);
3907 				run_bbp_write(sc, 196, 0x19);
3908 			} else if (sc->mac_ver >= 0x5390)
3909 				run_bbp_write(sc, 75, 0x50);
3910 			else {
3911 				run_bbp_write(sc, 82,
3912 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3913 				run_bbp_write(sc, 75, 0x50);
3914 			}
3915 		}
3916 	} else {
3917 		if (sc->mac_ver == 0x5592) {
3918 			run_bbp_write(sc, 79, 0x18);
3919 			run_bbp_write(sc, 80, 0x08);
3920 			run_bbp_write(sc, 81, 0x38);
3921 			run_bbp_write(sc, 82, 0x92);
3922 
3923 			run_bbp_write(sc, 195, 0x80);
3924 			run_bbp_write(sc, 196, 0xf0);
3925 			run_bbp_write(sc, 195, 0x81);
3926 			run_bbp_write(sc, 196, 0x1e);
3927 			run_bbp_write(sc, 195, 0x82);
3928 			run_bbp_write(sc, 196, 0x28);
3929 			run_bbp_write(sc, 195, 0x83);
3930 			run_bbp_write(sc, 196, 0x20);
3931 			run_bbp_write(sc, 195, 0x85);
3932 			run_bbp_write(sc, 196, 0x7f);
3933 			run_bbp_write(sc, 195, 0x86);
3934 			run_bbp_write(sc, 196, 0x7f);
3935 		} else if (sc->mac_ver == 0x3572)
3936 			run_bbp_write(sc, 82, 0x94);
3937 		else
3938 			run_bbp_write(sc, 82,
3939 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3940 		if (sc->ext_5ghz_lna)
3941 			run_bbp_write(sc, 75, 0x46);
3942 		else
3943 			run_bbp_write(sc, 75, 0x50);
3944 	}
3945 
3946 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
3947 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
3948 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
3949 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
3950 
3951 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
3952 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
3953 	if (sc->mac_ver == 0x3593)
3954 		tmp |= 1 << 29 | 1 << 28;
3955 	if (sc->nrxchains > 1)
3956 		tmp |= RT2860_LNA_PE1_EN;
3957 	if (group == 0) {	/* 2GHz */
3958 		tmp |= RT2860_PA_PE_G0_EN;
3959 		if (sc->ntxchains > 1)
3960 			tmp |= RT2860_PA_PE_G1_EN;
3961 		if (sc->mac_ver == 0x3593) {
3962 			if (sc->ntxchains > 2)
3963 				tmp |= 1 << 25;
3964 		}
3965 	} else {		/* 5GHz */
3966 		tmp |= RT2860_PA_PE_A0_EN;
3967 		if (sc->ntxchains > 1)
3968 			tmp |= RT2860_PA_PE_A1_EN;
3969 	}
3970 	if (sc->mac_ver == 0x3572) {
3971 		run_rt3070_rf_write(sc, 8, 0x00);
3972 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3973 		run_rt3070_rf_write(sc, 8, 0x80);
3974 	} else
3975 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
3976 
3977 	if (sc->mac_ver == 0x5592) {
3978 		run_bbp_write(sc, 195, 0x8d);
3979 		run_bbp_write(sc, 196, 0x1a);
3980 	}
3981 
3982 	if (sc->mac_ver == 0x3593) {
3983 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
3984 		tmp &= ~0x01010000;
3985 		if (group == 0)
3986 			tmp |= 0x00010000;
3987 		tmp = (tmp & ~0x00009090) | 0x00000090;
3988 		run_write(sc, RT2860_GPIO_CTRL, tmp);
3989 	}
3990 
3991 	/* set initial AGC value */
3992 	if (group == 0) {	/* 2GHz band */
3993 		if (sc->mac_ver >= 0x3070)
3994 			agc = 0x1c + sc->lna[0] * 2;
3995 		else
3996 			agc = 0x2e + sc->lna[0];
3997 	} else {		/* 5GHz band */
3998 		if (sc->mac_ver == 0x5592)
3999 			agc = 0x24 + sc->lna[group] * 2;
4000 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4001 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4002 		else
4003 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4004 	}
4005 	run_set_agc(sc, agc);
4006 }
4007 
4008 static void
4009 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4010 {
4011 	const struct rfprog *rfprog = rt2860_rf2850;
4012 	uint32_t r2, r3, r4;
4013 	int8_t txpow1, txpow2;
4014 	int i;
4015 
4016 	/* find the settings for this channel (we know it exists) */
4017 	for (i = 0; rfprog[i].chan != chan; i++);
4018 
4019 	r2 = rfprog[i].r2;
4020 	if (sc->ntxchains == 1)
4021 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4022 	if (sc->nrxchains == 1)
4023 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4024 	else if (sc->nrxchains == 2)
4025 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4026 
4027 	/* use Tx power values from EEPROM */
4028 	txpow1 = sc->txpow1[i];
4029 	txpow2 = sc->txpow2[i];
4030 
4031 	/* Initialize RF R3 and R4. */
4032 	r3 = rfprog[i].r3 & 0xffffc1ff;
4033 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4034 	if (chan > 14) {
4035 		if (txpow1 >= 0) {
4036 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4037 			r3 |= (txpow1 << 10) | (1 << 9);
4038 		} else {
4039 			txpow1 += 7;
4040 
4041 			/* txpow1 is not possible larger than 15. */
4042 			r3 |= (txpow1 << 10);
4043 		}
4044 		if (txpow2 >= 0) {
4045 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4046 			r4 |= (txpow2 << 7) | (1 << 6);
4047 		} else {
4048 			txpow2 += 7;
4049 			r4 |= (txpow2 << 7);
4050 		}
4051 	} else {
4052 		/* Set Tx0 power. */
4053 		r3 |= (txpow1 << 9);
4054 
4055 		/* Set frequency offset and Tx1 power. */
4056 		r4 |= (txpow2 << 6);
4057 	}
4058 
4059 	run_rt2870_rf_write(sc, rfprog[i].r1);
4060 	run_rt2870_rf_write(sc, r2);
4061 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4062 	run_rt2870_rf_write(sc, r4);
4063 
4064 	run_delay(sc, 10);
4065 
4066 	run_rt2870_rf_write(sc, rfprog[i].r1);
4067 	run_rt2870_rf_write(sc, r2);
4068 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4069 	run_rt2870_rf_write(sc, r4);
4070 
4071 	run_delay(sc, 10);
4072 
4073 	run_rt2870_rf_write(sc, rfprog[i].r1);
4074 	run_rt2870_rf_write(sc, r2);
4075 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4076 	run_rt2870_rf_write(sc, r4);
4077 }
4078 
4079 static void
4080 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4081 {
4082 	int8_t txpow1, txpow2;
4083 	uint8_t rf;
4084 	int i;
4085 
4086 	/* find the settings for this channel (we know it exists) */
4087 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4088 
4089 	/* use Tx power values from EEPROM */
4090 	txpow1 = sc->txpow1[i];
4091 	txpow2 = sc->txpow2[i];
4092 
4093 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4094 
4095 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4096 	run_rt3070_rf_read(sc, 3, &rf);
4097 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4098 	run_rt3070_rf_write(sc, 3, rf);
4099 
4100 	run_rt3070_rf_read(sc, 6, &rf);
4101 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4102 	run_rt3070_rf_write(sc, 6, rf);
4103 
4104 	/* set Tx0 power */
4105 	run_rt3070_rf_read(sc, 12, &rf);
4106 	rf = (rf & ~0x1f) | txpow1;
4107 	run_rt3070_rf_write(sc, 12, rf);
4108 
4109 	/* set Tx1 power */
4110 	run_rt3070_rf_read(sc, 13, &rf);
4111 	rf = (rf & ~0x1f) | txpow2;
4112 	run_rt3070_rf_write(sc, 13, rf);
4113 
4114 	run_rt3070_rf_read(sc, 1, &rf);
4115 	rf &= ~0xfc;
4116 	if (sc->ntxchains == 1)
4117 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4118 	else if (sc->ntxchains == 2)
4119 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4120 	if (sc->nrxchains == 1)
4121 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4122 	else if (sc->nrxchains == 2)
4123 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4124 	run_rt3070_rf_write(sc, 1, rf);
4125 
4126 	/* set RF offset */
4127 	run_rt3070_rf_read(sc, 23, &rf);
4128 	rf = (rf & ~0x7f) | sc->freq;
4129 	run_rt3070_rf_write(sc, 23, rf);
4130 
4131 	/* program RF filter */
4132 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4133 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4134 	run_rt3070_rf_write(sc, 24, rf);
4135 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4136 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4137 	run_rt3070_rf_write(sc, 31, rf);
4138 
4139 	/* enable RF tuning */
4140 	run_rt3070_rf_read(sc, 7, &rf);
4141 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4142 }
4143 
4144 static void
4145 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4146 {
4147 	int8_t txpow1, txpow2;
4148 	uint32_t tmp;
4149 	uint8_t rf;
4150 	int i;
4151 
4152 	/* find the settings for this channel (we know it exists) */
4153 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4154 
4155 	/* use Tx power values from EEPROM */
4156 	txpow1 = sc->txpow1[i];
4157 	txpow2 = sc->txpow2[i];
4158 
4159 	if (chan <= 14) {
4160 		run_bbp_write(sc, 25, sc->bbp25);
4161 		run_bbp_write(sc, 26, sc->bbp26);
4162 	} else {
4163 		/* enable IQ phase correction */
4164 		run_bbp_write(sc, 25, 0x09);
4165 		run_bbp_write(sc, 26, 0xff);
4166 	}
4167 
4168 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4169 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4170 	run_rt3070_rf_read(sc, 6, &rf);
4171 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4172 	rf |= (chan <= 14) ? 0x08 : 0x04;
4173 	run_rt3070_rf_write(sc, 6, rf);
4174 
4175 	/* set PLL mode */
4176 	run_rt3070_rf_read(sc, 5, &rf);
4177 	rf &= ~(0x08 | 0x04);
4178 	rf |= (chan <= 14) ? 0x04 : 0x08;
4179 	run_rt3070_rf_write(sc, 5, rf);
4180 
4181 	/* set Tx power for chain 0 */
4182 	if (chan <= 14)
4183 		rf = 0x60 | txpow1;
4184 	else
4185 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4186 	run_rt3070_rf_write(sc, 12, rf);
4187 
4188 	/* set Tx power for chain 1 */
4189 	if (chan <= 14)
4190 		rf = 0x60 | txpow2;
4191 	else
4192 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4193 	run_rt3070_rf_write(sc, 13, rf);
4194 
4195 	/* set Tx/Rx streams */
4196 	run_rt3070_rf_read(sc, 1, &rf);
4197 	rf &= ~0xfc;
4198 	if (sc->ntxchains == 1)
4199 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4200 	else if (sc->ntxchains == 2)
4201 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4202 	if (sc->nrxchains == 1)
4203 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4204 	else if (sc->nrxchains == 2)
4205 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4206 	run_rt3070_rf_write(sc, 1, rf);
4207 
4208 	/* set RF offset */
4209 	run_rt3070_rf_read(sc, 23, &rf);
4210 	rf = (rf & ~0x7f) | sc->freq;
4211 	run_rt3070_rf_write(sc, 23, rf);
4212 
4213 	/* program RF filter */
4214 	rf = sc->rf24_20mhz;
4215 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4216 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4217 
4218 	/* enable RF tuning */
4219 	run_rt3070_rf_read(sc, 7, &rf);
4220 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4221 	run_rt3070_rf_write(sc, 7, rf);
4222 
4223 	/* TSSI */
4224 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4225 	run_rt3070_rf_write(sc, 9, rf);
4226 
4227 	/* set loop filter 1 */
4228 	run_rt3070_rf_write(sc, 10, 0xf1);
4229 	/* set loop filter 2 */
4230 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4231 
4232 	/* set tx_mx2_ic */
4233 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4234 	/* set tx_mx1_ic */
4235 	if (chan <= 14)
4236 		rf = 0x48 | sc->txmixgain_2ghz;
4237 	else
4238 		rf = 0x78 | sc->txmixgain_5ghz;
4239 	run_rt3070_rf_write(sc, 16, rf);
4240 
4241 	/* set tx_lo1 */
4242 	run_rt3070_rf_write(sc, 17, 0x23);
4243 	/* set tx_lo2 */
4244 	if (chan <= 14)
4245 		rf = 0x93;
4246 	else if (chan <= 64)
4247 		rf = 0xb7;
4248 	else if (chan <= 128)
4249 		rf = 0x74;
4250 	else
4251 		rf = 0x72;
4252 	run_rt3070_rf_write(sc, 19, rf);
4253 
4254 	/* set rx_lo1 */
4255 	if (chan <= 14)
4256 		rf = 0xb3;
4257 	else if (chan <= 64)
4258 		rf = 0xf6;
4259 	else if (chan <= 128)
4260 		rf = 0xf4;
4261 	else
4262 		rf = 0xf3;
4263 	run_rt3070_rf_write(sc, 20, rf);
4264 
4265 	/* set pfd_delay */
4266 	if (chan <= 14)
4267 		rf = 0x15;
4268 	else if (chan <= 64)
4269 		rf = 0x3d;
4270 	else
4271 		rf = 0x01;
4272 	run_rt3070_rf_write(sc, 25, rf);
4273 
4274 	/* set rx_lo2 */
4275 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4276 	/* set ldo_rf_vc */
4277 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4278 	/* set drv_cc */
4279 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4280 
4281 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4282 	tmp &= ~0x8080;
4283 	if (chan <= 14)
4284 		tmp |= 0x80;
4285 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4286 
4287 	/* enable RF tuning */
4288 	run_rt3070_rf_read(sc, 7, &rf);
4289 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4290 
4291 	run_delay(sc, 2);
4292 }
4293 
4294 static void
4295 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4296 {
4297 	int8_t txpow1, txpow2, txpow3;
4298 	uint8_t h20mhz, rf;
4299 	int i;
4300 
4301 	/* find the settings for this channel (we know it exists) */
4302 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4303 
4304 	/* use Tx power values from EEPROM */
4305 	txpow1 = sc->txpow1[i];
4306 	txpow2 = sc->txpow2[i];
4307 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4308 
4309 	if (chan <= 14) {
4310 		run_bbp_write(sc, 25, sc->bbp25);
4311 		run_bbp_write(sc, 26, sc->bbp26);
4312 	} else {
4313 		/* Enable IQ phase correction. */
4314 		run_bbp_write(sc, 25, 0x09);
4315 		run_bbp_write(sc, 26, 0xff);
4316 	}
4317 
4318 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4319 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4320 	run_rt3070_rf_read(sc, 11, &rf);
4321 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4322 	run_rt3070_rf_write(sc, 11, rf);
4323 
4324 	/* Set pll_idoh. */
4325 	run_rt3070_rf_read(sc, 11, &rf);
4326 	rf &= ~0x4c;
4327 	rf |= (chan <= 14) ? 0x44 : 0x48;
4328 	run_rt3070_rf_write(sc, 11, rf);
4329 
4330 	if (chan <= 14)
4331 		rf = txpow1 & 0x1f;
4332 	else
4333 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4334 	run_rt3070_rf_write(sc, 53, rf);
4335 
4336 	if (chan <= 14)
4337 		rf = txpow2 & 0x1f;
4338 	else
4339 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4340 	run_rt3070_rf_write(sc, 55, rf);
4341 
4342 	if (chan <= 14)
4343 		rf = txpow3 & 0x1f;
4344 	else
4345 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4346 	run_rt3070_rf_write(sc, 54, rf);
4347 
4348 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4349 	if (sc->ntxchains == 3)
4350 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4351 	else
4352 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4353 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4354 	run_rt3070_rf_write(sc, 1, rf);
4355 
4356 	run_adjust_freq_offset(sc);
4357 
4358 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4359 
4360 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4361 	run_rt3070_rf_read(sc, 30, &rf);
4362 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4363 	run_rt3070_rf_write(sc, 30, rf);
4364 
4365 	run_rt3070_rf_read(sc, 36, &rf);
4366 	if (chan <= 14)
4367 		rf |= 0x80;
4368 	else
4369 		rf &= ~0x80;
4370 	run_rt3070_rf_write(sc, 36, rf);
4371 
4372 	/* Set vcolo_bs. */
4373 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4374 	/* Set pfd_delay. */
4375 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4376 
4377 	/* Set vco bias current control. */
4378 	run_rt3070_rf_read(sc, 6, &rf);
4379 	rf &= ~0xc0;
4380 	if (chan <= 14)
4381 		rf |= 0x40;
4382 	else if (chan <= 128)
4383 		rf |= 0x80;
4384 	else
4385 		rf |= 0x40;
4386 	run_rt3070_rf_write(sc, 6, rf);
4387 
4388 	run_rt3070_rf_read(sc, 30, &rf);
4389 	rf = (rf & ~0x18) | 0x10;
4390 	run_rt3070_rf_write(sc, 30, rf);
4391 
4392 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4393 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4394 
4395 	run_rt3070_rf_read(sc, 51, &rf);
4396 	rf = (rf & ~0x03) | 0x01;
4397 	run_rt3070_rf_write(sc, 51, rf);
4398 	/* Set tx_mx1_cc. */
4399 	run_rt3070_rf_read(sc, 51, &rf);
4400 	rf &= ~0x1c;
4401 	rf |= (chan <= 14) ? 0x14 : 0x10;
4402 	run_rt3070_rf_write(sc, 51, rf);
4403 	/* Set tx_mx1_ic. */
4404 	run_rt3070_rf_read(sc, 51, &rf);
4405 	rf &= ~0xe0;
4406 	rf |= (chan <= 14) ? 0x60 : 0x40;
4407 	run_rt3070_rf_write(sc, 51, rf);
4408 	/* Set tx_lo1_ic. */
4409 	run_rt3070_rf_read(sc, 49, &rf);
4410 	rf &= ~0x1c;
4411 	rf |= (chan <= 14) ? 0x0c : 0x08;
4412 	run_rt3070_rf_write(sc, 49, rf);
4413 	/* Set tx_lo1_en. */
4414 	run_rt3070_rf_read(sc, 50, &rf);
4415 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4416 	/* Set drv_cc. */
4417 	run_rt3070_rf_read(sc, 57, &rf);
4418 	rf &= ~0xfc;
4419 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4420 	run_rt3070_rf_write(sc, 57, rf);
4421 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4422 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4423 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4424 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4425 	/* Enable VCO calibration. */
4426 	run_rt3070_rf_read(sc, 3, &rf);
4427 	rf &= ~RT5390_VCOCAL;
4428 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4429 	run_rt3070_rf_write(sc, 3, rf);
4430 
4431 	if (chan <= 14)
4432 		rf = 0x23;
4433 	else if (chan <= 64)
4434 		rf = 0x36;
4435 	else if (chan <= 128)
4436 		rf = 0x32;
4437 	else
4438 		rf = 0x30;
4439 	run_rt3070_rf_write(sc, 39, rf);
4440 	if (chan <= 14)
4441 		rf = 0xbb;
4442 	else if (chan <= 64)
4443 		rf = 0xeb;
4444 	else if (chan <= 128)
4445 		rf = 0xb3;
4446 	else
4447 		rf = 0x9b;
4448 	run_rt3070_rf_write(sc, 45, rf);
4449 
4450 	/* Set FEQ/AEQ control. */
4451 	run_bbp_write(sc, 105, 0x34);
4452 }
4453 
4454 static void
4455 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4456 {
4457 	int8_t txpow1, txpow2;
4458 	uint8_t rf;
4459 	int i;
4460 
4461 	/* find the settings for this channel (we know it exists) */
4462 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4463 
4464 	/* use Tx power values from EEPROM */
4465 	txpow1 = sc->txpow1[i];
4466 	txpow2 = sc->txpow2[i];
4467 
4468 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4469 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4470 	run_rt3070_rf_read(sc, 11, &rf);
4471 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4472 	run_rt3070_rf_write(sc, 11, rf);
4473 
4474 	run_rt3070_rf_read(sc, 49, &rf);
4475 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4476 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4477 	if ((rf & 0x3f) > 0x27)
4478 		rf = (rf & ~0x3f) | 0x27;
4479 	run_rt3070_rf_write(sc, 49, rf);
4480 
4481 	if (sc->mac_ver == 0x5392) {
4482 		run_rt3070_rf_read(sc, 50, &rf);
4483 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4484 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4485 		if ((rf & 0x3f) > 0x27)
4486 			rf = (rf & ~0x3f) | 0x27;
4487 		run_rt3070_rf_write(sc, 50, rf);
4488 	}
4489 
4490 	run_rt3070_rf_read(sc, 1, &rf);
4491 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4492 	if (sc->mac_ver == 0x5392)
4493 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4494 	run_rt3070_rf_write(sc, 1, rf);
4495 
4496 	if (sc->mac_ver != 0x5392) {
4497 		run_rt3070_rf_read(sc, 2, &rf);
4498 		rf |= 0x80;
4499 		run_rt3070_rf_write(sc, 2, rf);
4500 		run_delay(sc, 10);
4501 		rf &= 0x7f;
4502 		run_rt3070_rf_write(sc, 2, rf);
4503 	}
4504 
4505 	run_adjust_freq_offset(sc);
4506 
4507 	if (sc->mac_ver == 0x5392) {
4508 		/* Fix for RT5392C. */
4509 		if (sc->mac_rev >= 0x0223) {
4510 			if (chan <= 4)
4511 				rf = 0x0f;
4512 			else if (chan >= 5 && chan <= 7)
4513 				rf = 0x0e;
4514 			else
4515 				rf = 0x0d;
4516 			run_rt3070_rf_write(sc, 23, rf);
4517 
4518 			if (chan <= 4)
4519 				rf = 0x0c;
4520 			else if (chan == 5)
4521 				rf = 0x0b;
4522 			else if (chan >= 6 && chan <= 7)
4523 				rf = 0x0a;
4524 			else if (chan >= 8 && chan <= 10)
4525 				rf = 0x09;
4526 			else
4527 				rf = 0x08;
4528 			run_rt3070_rf_write(sc, 59, rf);
4529 		} else {
4530 			if (chan <= 11)
4531 				rf = 0x0f;
4532 			else
4533 				rf = 0x0b;
4534 			run_rt3070_rf_write(sc, 59, rf);
4535 		}
4536 	} else {
4537 		/* Fix for RT5390F. */
4538 		if (sc->mac_rev >= 0x0502) {
4539 			if (chan <= 11)
4540 				rf = 0x43;
4541 			else
4542 				rf = 0x23;
4543 			run_rt3070_rf_write(sc, 55, rf);
4544 
4545 			if (chan <= 11)
4546 				rf = 0x0f;
4547 			else if (chan == 12)
4548 				rf = 0x0d;
4549 			else
4550 				rf = 0x0b;
4551 			run_rt3070_rf_write(sc, 59, rf);
4552 		} else {
4553 			run_rt3070_rf_write(sc, 55, 0x44);
4554 			run_rt3070_rf_write(sc, 59, 0x8f);
4555 		}
4556 	}
4557 
4558 	/* Enable VCO calibration. */
4559 	run_rt3070_rf_read(sc, 3, &rf);
4560 	rf |= RT5390_VCOCAL;
4561 	run_rt3070_rf_write(sc, 3, rf);
4562 }
4563 
4564 static void
4565 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4566 {
4567 	const struct rt5592_freqs *freqs;
4568 	uint32_t tmp;
4569 	uint8_t reg, rf, txpow_bound;
4570 	int8_t txpow1, txpow2;
4571 	int i;
4572 
4573 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4574 	freqs = (tmp & RT5592_SEL_XTAL) ?
4575 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4576 
4577 	/* find the settings for this channel (we know it exists) */
4578 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4579 
4580 	/* use Tx power values from EEPROM */
4581 	txpow1 = sc->txpow1[i];
4582 	txpow2 = sc->txpow2[i];
4583 
4584 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4585 	tmp &= ~0x1c000000;
4586 	if (chan > 14)
4587 		tmp |= 0x14000000;
4588 	run_write(sc, RT3070_LDO_CFG0, tmp);
4589 
4590 	/* N setting. */
4591 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4592 	run_rt3070_rf_read(sc, 9, &rf);
4593 	rf &= ~(1 << 4);
4594 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4595 	run_rt3070_rf_write(sc, 9, rf);
4596 
4597 	/* K setting. */
4598 	run_rt3070_rf_read(sc, 9, &rf);
4599 	rf &= ~0x0f;
4600 	rf |= (freqs->k & 0x0f);
4601 	run_rt3070_rf_write(sc, 9, rf);
4602 
4603 	/* Mode setting. */
4604 	run_rt3070_rf_read(sc, 11, &rf);
4605 	rf &= ~0x0c;
4606 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4607 	run_rt3070_rf_write(sc, 11, rf);
4608 	run_rt3070_rf_read(sc, 9, &rf);
4609 	rf &= ~(1 << 7);
4610 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4611 	run_rt3070_rf_write(sc, 9, rf);
4612 
4613 	/* R setting. */
4614 	run_rt3070_rf_read(sc, 11, &rf);
4615 	rf &= ~0x03;
4616 	rf |= (freqs->r - 0x1);
4617 	run_rt3070_rf_write(sc, 11, rf);
4618 
4619 	if (chan <= 14) {
4620 		/* Initialize RF registers for 2GHZ. */
4621 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4622 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4623 			    rt5592_2ghz_def_rf[i].val);
4624 		}
4625 
4626 		rf = (chan <= 10) ? 0x07 : 0x06;
4627 		run_rt3070_rf_write(sc, 23, rf);
4628 		run_rt3070_rf_write(sc, 59, rf);
4629 
4630 		run_rt3070_rf_write(sc, 55, 0x43);
4631 
4632 		/*
4633 		 * RF R49/R50 Tx power ALC code.
4634 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4635 		 */
4636 		reg = 2;
4637 		txpow_bound = 0x27;
4638 	} else {
4639 		/* Initialize RF registers for 5GHZ. */
4640 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4641 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4642 			    rt5592_5ghz_def_rf[i].val);
4643 		}
4644 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4645 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4646 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4647 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4648 				    rt5592_chan_5ghz[i].val);
4649 			}
4650 		}
4651 
4652 		/*
4653 		 * RF R49/R50 Tx power ALC code.
4654 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4655 		 */
4656 		reg = 3;
4657 		txpow_bound = 0x2b;
4658 	}
4659 
4660 	/* RF R49 ch0 Tx power ALC code. */
4661 	run_rt3070_rf_read(sc, 49, &rf);
4662 	rf &= ~0xc0;
4663 	rf |= (reg << 6);
4664 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4665 	if ((rf & 0x3f) > txpow_bound)
4666 		rf = (rf & ~0x3f) | txpow_bound;
4667 	run_rt3070_rf_write(sc, 49, rf);
4668 
4669 	/* RF R50 ch1 Tx power ALC code. */
4670 	run_rt3070_rf_read(sc, 50, &rf);
4671 	rf &= ~(1 << 7 | 1 << 6);
4672 	rf |= (reg << 6);
4673 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4674 	if ((rf & 0x3f) > txpow_bound)
4675 		rf = (rf & ~0x3f) | txpow_bound;
4676 	run_rt3070_rf_write(sc, 50, rf);
4677 
4678 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4679 	run_rt3070_rf_read(sc, 1, &rf);
4680 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4681 	if (sc->ntxchains > 1)
4682 		rf |= RT3070_TX1_PD;
4683 	if (sc->nrxchains > 1)
4684 		rf |= RT3070_RX1_PD;
4685 	run_rt3070_rf_write(sc, 1, rf);
4686 
4687 	run_rt3070_rf_write(sc, 6, 0xe4);
4688 
4689 	run_rt3070_rf_write(sc, 30, 0x10);
4690 	run_rt3070_rf_write(sc, 31, 0x80);
4691 	run_rt3070_rf_write(sc, 32, 0x80);
4692 
4693 	run_adjust_freq_offset(sc);
4694 
4695 	/* Enable VCO calibration. */
4696 	run_rt3070_rf_read(sc, 3, &rf);
4697 	rf |= RT5390_VCOCAL;
4698 	run_rt3070_rf_write(sc, 3, rf);
4699 }
4700 
4701 static void
4702 run_set_rx_antenna(struct run_softc *sc, int aux)
4703 {
4704 	uint32_t tmp;
4705 	uint8_t bbp152;
4706 
4707 	if (aux) {
4708 		if (sc->rf_rev == RT5390_RF_5370) {
4709 			run_bbp_read(sc, 152, &bbp152);
4710 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4711 		} else {
4712 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4713 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4714 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4715 		}
4716 	} else {
4717 		if (sc->rf_rev == RT5390_RF_5370) {
4718 			run_bbp_read(sc, 152, &bbp152);
4719 			run_bbp_write(sc, 152, bbp152 | 0x80);
4720 		} else {
4721 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4722 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4723 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4724 		}
4725 	}
4726 }
4727 
4728 static int
4729 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4730 {
4731 	struct ieee80211com *ic = &sc->sc_ic;
4732 	u_int chan, group;
4733 
4734 	chan = ieee80211_chan2ieee(ic, c);
4735 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4736 		return (EINVAL);
4737 
4738 	if (sc->mac_ver == 0x5592)
4739 		run_rt5592_set_chan(sc, chan);
4740 	else if (sc->mac_ver >= 0x5390)
4741 		run_rt5390_set_chan(sc, chan);
4742 	else if (sc->mac_ver == 0x3593)
4743 		run_rt3593_set_chan(sc, chan);
4744 	else if (sc->mac_ver == 0x3572)
4745 		run_rt3572_set_chan(sc, chan);
4746 	else if (sc->mac_ver >= 0x3070)
4747 		run_rt3070_set_chan(sc, chan);
4748 	else
4749 		run_rt2870_set_chan(sc, chan);
4750 
4751 	/* determine channel group */
4752 	if (chan <= 14)
4753 		group = 0;
4754 	else if (chan <= 64)
4755 		group = 1;
4756 	else if (chan <= 128)
4757 		group = 2;
4758 	else
4759 		group = 3;
4760 
4761 	/* XXX necessary only when group has changed! */
4762 	run_select_chan_group(sc, group);
4763 
4764 	run_delay(sc, 10);
4765 
4766 	/* Perform IQ calibration. */
4767 	if (sc->mac_ver >= 0x5392)
4768 		run_iq_calib(sc, chan);
4769 
4770 	return (0);
4771 }
4772 
4773 static void
4774 run_set_channel(struct ieee80211com *ic)
4775 {
4776 	struct run_softc *sc = ic->ic_softc;
4777 
4778 	RUN_LOCK(sc);
4779 	run_set_chan(sc, ic->ic_curchan);
4780 	RUN_UNLOCK(sc);
4781 
4782 	return;
4783 }
4784 
4785 static void
4786 run_scan_start(struct ieee80211com *ic)
4787 {
4788 	struct run_softc *sc = ic->ic_softc;
4789 	uint32_t tmp;
4790 
4791 	RUN_LOCK(sc);
4792 
4793 	/* abort TSF synchronization */
4794 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4795 	run_write(sc, RT2860_BCN_TIME_CFG,
4796 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4797 	    RT2860_TBTT_TIMER_EN));
4798 	run_set_bssid(sc, ieee80211broadcastaddr);
4799 
4800 	RUN_UNLOCK(sc);
4801 
4802 	return;
4803 }
4804 
4805 static void
4806 run_scan_end(struct ieee80211com *ic)
4807 {
4808 	struct run_softc *sc = ic->ic_softc;
4809 
4810 	RUN_LOCK(sc);
4811 
4812 	run_enable_tsf_sync(sc);
4813 	/* XXX keep local copy */
4814 	run_set_bssid(sc, ic->ic_macaddr);
4815 
4816 	RUN_UNLOCK(sc);
4817 
4818 	return;
4819 }
4820 
4821 /*
4822  * Could be called from ieee80211_node_timeout()
4823  * (non-sleepable thread)
4824  */
4825 static void
4826 run_update_beacon(struct ieee80211vap *vap, int item)
4827 {
4828 	struct ieee80211com *ic = vap->iv_ic;
4829 	struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
4830 	struct ieee80211_node *ni = vap->iv_bss;
4831 	struct run_softc *sc = ic->ic_softc;
4832 	struct run_vap *rvp = RUN_VAP(vap);
4833 	int mcast = 0;
4834 	uint32_t i;
4835 
4836 	switch (item) {
4837 	case IEEE80211_BEACON_ERP:
4838 		run_updateslot(ic);
4839 		break;
4840 	case IEEE80211_BEACON_HTINFO:
4841 		run_updateprot(ic);
4842 		break;
4843 	case IEEE80211_BEACON_TIM:
4844 		mcast = 1;	/*TODO*/
4845 		break;
4846 	default:
4847 		break;
4848 	}
4849 
4850 	setbit(bo->bo_flags, item);
4851 	if (rvp->beacon_mbuf == NULL) {
4852 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4853 		if (rvp->beacon_mbuf == NULL)
4854 			return;
4855 	}
4856 	ieee80211_beacon_update(ni, rvp->beacon_mbuf, mcast);
4857 
4858 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4859 	DPRINTF("cmdq_store=%d\n", i);
4860 	sc->cmdq[i].func = run_update_beacon_cb;
4861 	sc->cmdq[i].arg0 = vap;
4862 	ieee80211_runtask(ic, &sc->cmdq_task);
4863 
4864 	return;
4865 }
4866 
4867 static void
4868 run_update_beacon_cb(void *arg)
4869 {
4870 	struct ieee80211vap *vap = arg;
4871 	struct ieee80211_node *ni = vap->iv_bss;
4872 	struct run_vap *rvp = RUN_VAP(vap);
4873 	struct ieee80211com *ic = vap->iv_ic;
4874 	struct run_softc *sc = ic->ic_softc;
4875 	struct rt2860_txwi txwi;
4876 	struct mbuf *m;
4877 	uint16_t txwisize;
4878 	uint8_t ridx;
4879 
4880 	if (ni->ni_chan == IEEE80211_CHAN_ANYC)
4881 		return;
4882 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4883 		return;
4884 
4885 	/*
4886 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4887 	 * is taking care of apropriate calls.
4888 	 */
4889 	if (rvp->beacon_mbuf == NULL) {
4890 		rvp->beacon_mbuf = ieee80211_beacon_alloc(ni);
4891 		if (rvp->beacon_mbuf == NULL)
4892 			return;
4893 	}
4894 	m = rvp->beacon_mbuf;
4895 
4896 	memset(&txwi, 0, sizeof(txwi));
4897 	txwi.wcid = 0xff;
4898 	txwi.len = htole16(m->m_pkthdr.len);
4899 
4900 	/* send beacons at the lowest available rate */
4901 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4902 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4903 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4904 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4905 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4906 	txwi.txop = RT2860_TX_TXOP_HT;
4907 	txwi.flags = RT2860_TX_TS;
4908 	txwi.xflags = RT2860_TX_NSEQ;
4909 
4910 	txwisize = (sc->mac_ver == 0x5592) ?
4911 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4912 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4913 	    txwisize);
4914 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4915 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4916 }
4917 
4918 static void
4919 run_updateprot(struct ieee80211com *ic)
4920 {
4921 	struct run_softc *sc = ic->ic_softc;
4922 	uint32_t i;
4923 
4924 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4925 	DPRINTF("cmdq_store=%d\n", i);
4926 	sc->cmdq[i].func = run_updateprot_cb;
4927 	sc->cmdq[i].arg0 = ic;
4928 	ieee80211_runtask(ic, &sc->cmdq_task);
4929 }
4930 
4931 static void
4932 run_updateprot_cb(void *arg)
4933 {
4934 	struct ieee80211com *ic = arg;
4935 	struct run_softc *sc = ic->ic_softc;
4936 	uint32_t tmp;
4937 
4938 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4939 	/* setup protection frame rate (MCS code) */
4940 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4941 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs | RT2860_PHY_OFDM :
4942 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
4943 
4944 	/* CCK frames don't require protection */
4945 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4946 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
4947 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4948 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
4949 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4950 			tmp |= RT2860_PROT_CTRL_CTS;
4951 	}
4952 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
4953 }
4954 
4955 static void
4956 run_usb_timeout_cb(void *arg)
4957 {
4958 	struct ieee80211vap *vap = arg;
4959 	struct run_softc *sc = vap->iv_ic->ic_softc;
4960 
4961 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4962 
4963 	if(vap->iv_state == IEEE80211_S_RUN &&
4964 	    vap->iv_opmode != IEEE80211_M_STA)
4965 		run_reset_livelock(sc);
4966 	else if (vap->iv_state == IEEE80211_S_SCAN) {
4967 		DPRINTF("timeout caused by scan\n");
4968 		/* cancel bgscan */
4969 		ieee80211_cancel_scan(vap);
4970 	} else
4971 		DPRINTF("timeout by unknown cause\n");
4972 }
4973 
4974 static void
4975 run_reset_livelock(struct run_softc *sc)
4976 {
4977 	uint32_t tmp;
4978 
4979 	RUN_LOCK_ASSERT(sc, MA_OWNED);
4980 
4981 	/*
4982 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
4983 	 * can run into a livelock and start sending CTS-to-self frames like
4984 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
4985 	 */
4986 	run_read(sc, RT2860_DEBUG, &tmp);
4987 	DPRINTFN(3, "debug reg %08x\n", tmp);
4988 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
4989 		DPRINTF("CTS-to-self livelock detected\n");
4990 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
4991 		run_delay(sc, 1);
4992 		run_write(sc, RT2860_MAC_SYS_CTRL,
4993 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
4994 	}
4995 }
4996 
4997 static void
4998 run_update_promisc_locked(struct run_softc *sc)
4999 {
5000         uint32_t tmp;
5001 
5002 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5003 
5004 	tmp |= RT2860_DROP_UC_NOME;
5005         if (sc->sc_ic.ic_promisc > 0)
5006 		tmp &= ~RT2860_DROP_UC_NOME;
5007 
5008 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5009 
5010         DPRINTF("%s promiscuous mode\n", (sc->sc_ic.ic_promisc > 0) ?
5011             "entering" : "leaving");
5012 }
5013 
5014 static void
5015 run_update_promisc(struct ieee80211com *ic)
5016 {
5017 	struct run_softc *sc = ic->ic_softc;
5018 
5019 	if ((sc->sc_flags & RUN_RUNNING) == 0)
5020 		return;
5021 
5022 	RUN_LOCK(sc);
5023 	run_update_promisc_locked(sc);
5024 	RUN_UNLOCK(sc);
5025 }
5026 
5027 static void
5028 run_enable_tsf_sync(struct run_softc *sc)
5029 {
5030 	struct ieee80211com *ic = &sc->sc_ic;
5031 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5032 	uint32_t tmp;
5033 
5034 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5035 	    ic->ic_opmode);
5036 
5037 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5038 	tmp &= ~0x1fffff;
5039 	tmp |= vap->iv_bss->ni_intval * 16;
5040 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5041 
5042 	if (ic->ic_opmode == IEEE80211_M_STA) {
5043 		/*
5044 		 * Local TSF is always updated with remote TSF on beacon
5045 		 * reception.
5046 		 */
5047 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5048 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5049 	        tmp |= RT2860_BCN_TX_EN;
5050 	        /*
5051 	         * Local TSF is updated with remote TSF on beacon reception
5052 	         * only if the remote TSF is greater than local TSF.
5053 	         */
5054 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5055 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5056 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5057 	        tmp |= RT2860_BCN_TX_EN;
5058 	        /* SYNC with nobody */
5059 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5060 	} else {
5061 		DPRINTF("Enabling TSF failed. undefined opmode\n");
5062 		return;
5063 	}
5064 
5065 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5066 }
5067 
5068 static void
5069 run_enable_tsf(struct run_softc *sc)
5070 {
5071 	uint32_t tmp;
5072 
5073 	if (run_read(sc, RT2860_BCN_TIME_CFG, &tmp) == 0) {
5074 		tmp &= ~(RT2860_BCN_TX_EN | RT2860_TBTT_TIMER_EN);
5075 		tmp |= RT2860_TSF_TIMER_EN;
5076 		run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5077 	}
5078 }
5079 
5080 static void
5081 run_get_tsf(struct run_softc *sc, uint64_t *buf)
5082 {
5083 	run_read_region_1(sc, RT2860_TSF_TIMER_DW0, (uint8_t *)buf,
5084 	    sizeof(*buf));
5085 }
5086 
5087 static void
5088 run_enable_mrr(struct run_softc *sc)
5089 {
5090 #define	CCK(mcs)	(mcs)
5091 #define	OFDM(mcs)	(1 << 3 | (mcs))
5092 	run_write(sc, RT2860_LG_FBK_CFG0,
5093 	    OFDM(6) << 28 |	/* 54->48 */
5094 	    OFDM(5) << 24 |	/* 48->36 */
5095 	    OFDM(4) << 20 |	/* 36->24 */
5096 	    OFDM(3) << 16 |	/* 24->18 */
5097 	    OFDM(2) << 12 |	/* 18->12 */
5098 	    OFDM(1) <<  8 |	/* 12-> 9 */
5099 	    OFDM(0) <<  4 |	/*  9-> 6 */
5100 	    OFDM(0));		/*  6-> 6 */
5101 
5102 	run_write(sc, RT2860_LG_FBK_CFG1,
5103 	    CCK(2) << 12 |	/* 11->5.5 */
5104 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5105 	    CCK(0) <<  4 |	/*   2-> 1 */
5106 	    CCK(0));		/*   1-> 1 */
5107 #undef OFDM
5108 #undef CCK
5109 }
5110 
5111 static void
5112 run_set_txpreamble(struct run_softc *sc)
5113 {
5114 	struct ieee80211com *ic = &sc->sc_ic;
5115 	uint32_t tmp;
5116 
5117 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5118 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5119 		tmp |= RT2860_CCK_SHORT_EN;
5120 	else
5121 		tmp &= ~RT2860_CCK_SHORT_EN;
5122 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5123 }
5124 
5125 static void
5126 run_set_basicrates(struct run_softc *sc)
5127 {
5128 	struct ieee80211com *ic = &sc->sc_ic;
5129 
5130 	/* set basic rates mask */
5131 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5132 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5133 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5134 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5135 	else	/* 11g */
5136 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5137 }
5138 
5139 static void
5140 run_set_leds(struct run_softc *sc, uint16_t which)
5141 {
5142 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5143 	    which | (sc->leds & 0x7f));
5144 }
5145 
5146 static void
5147 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5148 {
5149 	run_write(sc, RT2860_MAC_BSSID_DW0,
5150 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5151 	run_write(sc, RT2860_MAC_BSSID_DW1,
5152 	    bssid[4] | bssid[5] << 8);
5153 }
5154 
5155 static void
5156 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5157 {
5158 	run_write(sc, RT2860_MAC_ADDR_DW0,
5159 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5160 	run_write(sc, RT2860_MAC_ADDR_DW1,
5161 	    addr[4] | addr[5] << 8 | 0xff << 16);
5162 }
5163 
5164 static void
5165 run_updateslot(struct ieee80211com *ic)
5166 {
5167 	struct run_softc *sc = ic->ic_softc;
5168 	uint32_t i;
5169 
5170 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5171 	DPRINTF("cmdq_store=%d\n", i);
5172 	sc->cmdq[i].func = run_updateslot_cb;
5173 	sc->cmdq[i].arg0 = ic;
5174 	ieee80211_runtask(ic, &sc->cmdq_task);
5175 
5176 	return;
5177 }
5178 
5179 /* ARGSUSED */
5180 static void
5181 run_updateslot_cb(void *arg)
5182 {
5183 	struct ieee80211com *ic = arg;
5184 	struct run_softc *sc = ic->ic_softc;
5185 	uint32_t tmp;
5186 
5187 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5188 	tmp &= ~0xff;
5189 	tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5190 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5191 }
5192 
5193 static void
5194 run_update_mcast(struct ieee80211com *ic)
5195 {
5196 }
5197 
5198 static int8_t
5199 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5200 {
5201 	struct ieee80211com *ic = &sc->sc_ic;
5202 	struct ieee80211_channel *c = ic->ic_curchan;
5203 	int delta;
5204 
5205 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5206 		u_int chan = ieee80211_chan2ieee(ic, c);
5207 		delta = sc->rssi_5ghz[rxchain];
5208 
5209 		/* determine channel group */
5210 		if (chan <= 64)
5211 			delta -= sc->lna[1];
5212 		else if (chan <= 128)
5213 			delta -= sc->lna[2];
5214 		else
5215 			delta -= sc->lna[3];
5216 	} else
5217 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5218 
5219 	return (-12 - delta - rssi);
5220 }
5221 
5222 static void
5223 run_rt5390_bbp_init(struct run_softc *sc)
5224 {
5225 	int i;
5226 	uint8_t bbp;
5227 
5228 	/* Apply maximum likelihood detection for 2 stream case. */
5229 	run_bbp_read(sc, 105, &bbp);
5230 	if (sc->nrxchains > 1)
5231 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5232 
5233 	/* Avoid data lost and CRC error. */
5234 	run_bbp_read(sc, 4, &bbp);
5235 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5236 
5237 	if (sc->mac_ver == 0x5592) {
5238 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5239 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5240 			    rt5592_def_bbp[i].val);
5241 		}
5242 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5243 			run_bbp_write(sc, 195, i + 0x80);
5244 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5245 		}
5246 	} else {
5247 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5248 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5249 			    rt5390_def_bbp[i].val);
5250 		}
5251 	}
5252 	if (sc->mac_ver == 0x5392) {
5253 		run_bbp_write(sc, 88, 0x90);
5254 		run_bbp_write(sc, 95, 0x9a);
5255 		run_bbp_write(sc, 98, 0x12);
5256 		run_bbp_write(sc, 106, 0x12);
5257 		run_bbp_write(sc, 134, 0xd0);
5258 		run_bbp_write(sc, 135, 0xf6);
5259 		run_bbp_write(sc, 148, 0x84);
5260 	}
5261 
5262 	run_bbp_read(sc, 152, &bbp);
5263 	run_bbp_write(sc, 152, bbp | 0x80);
5264 
5265 	/* Fix BBP254 for RT5592C. */
5266 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5267 		run_bbp_read(sc, 254, &bbp);
5268 		run_bbp_write(sc, 254, bbp | 0x80);
5269 	}
5270 
5271 	/* Disable hardware antenna diversity. */
5272 	if (sc->mac_ver == 0x5390)
5273 		run_bbp_write(sc, 154, 0);
5274 
5275 	/* Initialize Rx CCK/OFDM frequency offset report. */
5276 	run_bbp_write(sc, 142, 1);
5277 	run_bbp_write(sc, 143, 57);
5278 }
5279 
5280 static int
5281 run_bbp_init(struct run_softc *sc)
5282 {
5283 	int i, error, ntries;
5284 	uint8_t bbp0;
5285 
5286 	/* wait for BBP to wake up */
5287 	for (ntries = 0; ntries < 20; ntries++) {
5288 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5289 			return error;
5290 		if (bbp0 != 0 && bbp0 != 0xff)
5291 			break;
5292 	}
5293 	if (ntries == 20)
5294 		return (ETIMEDOUT);
5295 
5296 	/* initialize BBP registers to default values */
5297 	if (sc->mac_ver >= 0x5390)
5298 		run_rt5390_bbp_init(sc);
5299 	else {
5300 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5301 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5302 			    rt2860_def_bbp[i].val);
5303 		}
5304 	}
5305 
5306 	if (sc->mac_ver == 0x3593) {
5307 		run_bbp_write(sc, 79, 0x13);
5308 		run_bbp_write(sc, 80, 0x05);
5309 		run_bbp_write(sc, 81, 0x33);
5310 		run_bbp_write(sc, 86, 0x46);
5311 		run_bbp_write(sc, 137, 0x0f);
5312 	}
5313 
5314 	/* fix BBP84 for RT2860E */
5315 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5316 		run_bbp_write(sc, 84, 0x19);
5317 
5318 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5319 	    sc->mac_ver != 0x5592)) {
5320 		run_bbp_write(sc, 79, 0x13);
5321 		run_bbp_write(sc, 80, 0x05);
5322 		run_bbp_write(sc, 81, 0x33);
5323 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5324 		run_bbp_write(sc, 69, 0x16);
5325 		run_bbp_write(sc, 73, 0x12);
5326 	}
5327 	return (0);
5328 }
5329 
5330 static int
5331 run_rt3070_rf_init(struct run_softc *sc)
5332 {
5333 	uint32_t tmp;
5334 	uint8_t bbp4, mingain, rf, target;
5335 	int i;
5336 
5337 	run_rt3070_rf_read(sc, 30, &rf);
5338 	/* toggle RF R30 bit 7 */
5339 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5340 	run_delay(sc, 10);
5341 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5342 
5343 	/* initialize RF registers to default value */
5344 	if (sc->mac_ver == 0x3572) {
5345 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5346 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5347 			    rt3572_def_rf[i].val);
5348 		}
5349 	} else {
5350 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5351 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5352 			    rt3070_def_rf[i].val);
5353 		}
5354 	}
5355 
5356 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5357 		/*
5358 		 * Change voltage from 1.2V to 1.35V for RT3070.
5359 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5360 		 * in RT3070(F).
5361 		 */
5362 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5363 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5364 		run_write(sc, RT3070_LDO_CFG0, tmp);
5365 
5366 	} else if (sc->mac_ver == 0x3071) {
5367 		run_rt3070_rf_read(sc, 6, &rf);
5368 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5369 		run_rt3070_rf_write(sc, 31, 0x14);
5370 
5371 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5372 		tmp &= ~0x1f000000;
5373 		if (sc->mac_rev < 0x0211)
5374 			tmp |= 0x0d000000;	/* 1.3V */
5375 		else
5376 			tmp |= 0x01000000;	/* 1.2V */
5377 		run_write(sc, RT3070_LDO_CFG0, tmp);
5378 
5379 		/* patch LNA_PE_G1 */
5380 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5381 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5382 
5383 	} else if (sc->mac_ver == 0x3572) {
5384 		run_rt3070_rf_read(sc, 6, &rf);
5385 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5386 
5387 		/* increase voltage from 1.2V to 1.35V */
5388 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5389 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5390 		run_write(sc, RT3070_LDO_CFG0, tmp);
5391 
5392 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5393 			run_delay(sc, 1);	/* wait for 1msec */
5394 			/* decrease voltage back to 1.2V */
5395 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5396 			run_write(sc, RT3070_LDO_CFG0, tmp);
5397 		}
5398 	}
5399 
5400 	/* select 20MHz bandwidth */
5401 	run_rt3070_rf_read(sc, 31, &rf);
5402 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5403 
5404 	/* calibrate filter for 20MHz bandwidth */
5405 	sc->rf24_20mhz = 0x1f;	/* default value */
5406 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5407 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5408 
5409 	/* select 40MHz bandwidth */
5410 	run_bbp_read(sc, 4, &bbp4);
5411 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5412 	run_rt3070_rf_read(sc, 31, &rf);
5413 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5414 
5415 	/* calibrate filter for 40MHz bandwidth */
5416 	sc->rf24_40mhz = 0x2f;	/* default value */
5417 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5418 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5419 
5420 	/* go back to 20MHz bandwidth */
5421 	run_bbp_read(sc, 4, &bbp4);
5422 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5423 
5424 	if (sc->mac_ver == 0x3572) {
5425 		/* save default BBP registers 25 and 26 values */
5426 		run_bbp_read(sc, 25, &sc->bbp25);
5427 		run_bbp_read(sc, 26, &sc->bbp26);
5428 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5429 		run_rt3070_rf_write(sc, 27, 0x03);
5430 
5431 	run_read(sc, RT3070_OPT_14, &tmp);
5432 	run_write(sc, RT3070_OPT_14, tmp | 1);
5433 
5434 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5435 		run_rt3070_rf_read(sc, 17, &rf);
5436 		rf &= ~RT3070_TX_LO1;
5437 		if ((sc->mac_ver == 0x3070 ||
5438 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5439 		    !sc->ext_2ghz_lna)
5440 			rf |= 0x20;	/* fix for long range Rx issue */
5441 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5442 		if (sc->txmixgain_2ghz >= mingain)
5443 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5444 		run_rt3070_rf_write(sc, 17, rf);
5445 	}
5446 
5447 	if (sc->mac_ver == 0x3071) {
5448 		run_rt3070_rf_read(sc, 1, &rf);
5449 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5450 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5451 		run_rt3070_rf_write(sc, 1, rf);
5452 
5453 		run_rt3070_rf_read(sc, 15, &rf);
5454 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5455 
5456 		run_rt3070_rf_read(sc, 20, &rf);
5457 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5458 
5459 		run_rt3070_rf_read(sc, 21, &rf);
5460 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5461 	}
5462 
5463 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5464 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5465 		run_rt3070_rf_read(sc, 27, &rf);
5466 		rf &= ~0x77;
5467 		if (sc->mac_rev < 0x0211)
5468 			rf |= 0x03;
5469 		run_rt3070_rf_write(sc, 27, rf);
5470 	}
5471 	return (0);
5472 }
5473 
5474 static void
5475 run_rt3593_rf_init(struct run_softc *sc)
5476 {
5477 	uint32_t tmp;
5478 	uint8_t rf;
5479 	int i;
5480 
5481 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5482 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5483 	tmp &= ~(1 << 4 | 1 << 7);
5484 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5485 
5486 	/* Initialize RF registers to default value. */
5487 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5488 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5489 		    rt3593_def_rf[i].val);
5490 	}
5491 
5492 	/* Toggle RF R2 to initiate calibration. */
5493 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5494 
5495 	/* Initialize RF frequency offset. */
5496 	run_adjust_freq_offset(sc);
5497 
5498 	run_rt3070_rf_read(sc, 18, &rf);
5499 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5500 
5501 	/*
5502 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5503 	 * decrease voltage back to 1.2V.
5504 	 */
5505 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5506 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5507 	run_write(sc, RT3070_LDO_CFG0, tmp);
5508 	run_delay(sc, 1);
5509 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5510 	run_write(sc, RT3070_LDO_CFG0, tmp);
5511 
5512 	sc->rf24_20mhz = 0x1f;
5513 	sc->rf24_40mhz = 0x2f;
5514 
5515 	/* Save default BBP registers 25 and 26 values. */
5516 	run_bbp_read(sc, 25, &sc->bbp25);
5517 	run_bbp_read(sc, 26, &sc->bbp26);
5518 
5519 	run_read(sc, RT3070_OPT_14, &tmp);
5520 	run_write(sc, RT3070_OPT_14, tmp | 1);
5521 }
5522 
5523 static void
5524 run_rt5390_rf_init(struct run_softc *sc)
5525 {
5526 	uint32_t tmp;
5527 	uint8_t rf;
5528 	int i;
5529 
5530 	/* Toggle RF R2 to initiate calibration. */
5531 	if (sc->mac_ver == 0x5390) {
5532 		run_rt3070_rf_read(sc, 2, &rf);
5533 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5534 		run_delay(sc, 10);
5535 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5536 	} else {
5537 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5538 		run_delay(sc, 10);
5539 	}
5540 
5541 	/* Initialize RF registers to default value. */
5542 	if (sc->mac_ver == 0x5592) {
5543 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5544 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5545 			    rt5592_def_rf[i].val);
5546 		}
5547 		/* Initialize RF frequency offset. */
5548 		run_adjust_freq_offset(sc);
5549 	} else if (sc->mac_ver == 0x5392) {
5550 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5551 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5552 			    rt5392_def_rf[i].val);
5553 		}
5554 		if (sc->mac_rev >= 0x0223) {
5555 			run_rt3070_rf_write(sc, 23, 0x0f);
5556 			run_rt3070_rf_write(sc, 24, 0x3e);
5557 			run_rt3070_rf_write(sc, 51, 0x32);
5558 			run_rt3070_rf_write(sc, 53, 0x22);
5559 			run_rt3070_rf_write(sc, 56, 0xc1);
5560 			run_rt3070_rf_write(sc, 59, 0x0f);
5561 		}
5562 	} else {
5563 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5564 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5565 			    rt5390_def_rf[i].val);
5566 		}
5567 		if (sc->mac_rev >= 0x0502) {
5568 			run_rt3070_rf_write(sc, 6, 0xe0);
5569 			run_rt3070_rf_write(sc, 25, 0x80);
5570 			run_rt3070_rf_write(sc, 46, 0x73);
5571 			run_rt3070_rf_write(sc, 53, 0x00);
5572 			run_rt3070_rf_write(sc, 56, 0x42);
5573 			run_rt3070_rf_write(sc, 61, 0xd1);
5574 		}
5575 	}
5576 
5577 	sc->rf24_20mhz = 0x1f;	/* default value */
5578 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5579 
5580 	if (sc->mac_rev < 0x0211)
5581 		run_rt3070_rf_write(sc, 27, 0x3);
5582 
5583 	run_read(sc, RT3070_OPT_14, &tmp);
5584 	run_write(sc, RT3070_OPT_14, tmp | 1);
5585 }
5586 
5587 static int
5588 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5589     uint8_t *val)
5590 {
5591 	uint8_t rf22, rf24;
5592 	uint8_t bbp55_pb, bbp55_sb, delta;
5593 	int ntries;
5594 
5595 	/* program filter */
5596 	run_rt3070_rf_read(sc, 24, &rf24);
5597 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5598 	run_rt3070_rf_write(sc, 24, rf24);
5599 
5600 	/* enable baseband loopback mode */
5601 	run_rt3070_rf_read(sc, 22, &rf22);
5602 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5603 
5604 	/* set power and frequency of passband test tone */
5605 	run_bbp_write(sc, 24, 0x00);
5606 	for (ntries = 0; ntries < 100; ntries++) {
5607 		/* transmit test tone */
5608 		run_bbp_write(sc, 25, 0x90);
5609 		run_delay(sc, 10);
5610 		/* read received power */
5611 		run_bbp_read(sc, 55, &bbp55_pb);
5612 		if (bbp55_pb != 0)
5613 			break;
5614 	}
5615 	if (ntries == 100)
5616 		return (ETIMEDOUT);
5617 
5618 	/* set power and frequency of stopband test tone */
5619 	run_bbp_write(sc, 24, 0x06);
5620 	for (ntries = 0; ntries < 100; ntries++) {
5621 		/* transmit test tone */
5622 		run_bbp_write(sc, 25, 0x90);
5623 		run_delay(sc, 10);
5624 		/* read received power */
5625 		run_bbp_read(sc, 55, &bbp55_sb);
5626 
5627 		delta = bbp55_pb - bbp55_sb;
5628 		if (delta > target)
5629 			break;
5630 
5631 		/* reprogram filter */
5632 		rf24++;
5633 		run_rt3070_rf_write(sc, 24, rf24);
5634 	}
5635 	if (ntries < 100) {
5636 		if (rf24 != init)
5637 			rf24--;	/* backtrack */
5638 		*val = rf24;
5639 		run_rt3070_rf_write(sc, 24, rf24);
5640 	}
5641 
5642 	/* restore initial state */
5643 	run_bbp_write(sc, 24, 0x00);
5644 
5645 	/* disable baseband loopback mode */
5646 	run_rt3070_rf_read(sc, 22, &rf22);
5647 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5648 
5649 	return (0);
5650 }
5651 
5652 static void
5653 run_rt3070_rf_setup(struct run_softc *sc)
5654 {
5655 	uint8_t bbp, rf;
5656 	int i;
5657 
5658 	if (sc->mac_ver == 0x3572) {
5659 		/* enable DC filter */
5660 		if (sc->mac_rev >= 0x0201)
5661 			run_bbp_write(sc, 103, 0xc0);
5662 
5663 		run_bbp_read(sc, 138, &bbp);
5664 		if (sc->ntxchains == 1)
5665 			bbp |= 0x20;	/* turn off DAC1 */
5666 		if (sc->nrxchains == 1)
5667 			bbp &= ~0x02;	/* turn off ADC1 */
5668 		run_bbp_write(sc, 138, bbp);
5669 
5670 		if (sc->mac_rev >= 0x0211) {
5671 			/* improve power consumption */
5672 			run_bbp_read(sc, 31, &bbp);
5673 			run_bbp_write(sc, 31, bbp & ~0x03);
5674 		}
5675 
5676 		run_rt3070_rf_read(sc, 16, &rf);
5677 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5678 		run_rt3070_rf_write(sc, 16, rf);
5679 
5680 	} else if (sc->mac_ver == 0x3071) {
5681 		if (sc->mac_rev >= 0x0211) {
5682 			/* enable DC filter */
5683 			run_bbp_write(sc, 103, 0xc0);
5684 
5685 			/* improve power consumption */
5686 			run_bbp_read(sc, 31, &bbp);
5687 			run_bbp_write(sc, 31, bbp & ~0x03);
5688 		}
5689 
5690 		run_bbp_read(sc, 138, &bbp);
5691 		if (sc->ntxchains == 1)
5692 			bbp |= 0x20;	/* turn off DAC1 */
5693 		if (sc->nrxchains == 1)
5694 			bbp &= ~0x02;	/* turn off ADC1 */
5695 		run_bbp_write(sc, 138, bbp);
5696 
5697 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5698 		if (sc->mac_rev < 0x0211) {
5699 			run_write(sc, RT2860_TX_SW_CFG2,
5700 			    sc->patch_dac ? 0x2c : 0x0f);
5701 		} else
5702 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5703 
5704 	} else if (sc->mac_ver == 0x3070) {
5705 		if (sc->mac_rev >= 0x0201) {
5706 			/* enable DC filter */
5707 			run_bbp_write(sc, 103, 0xc0);
5708 
5709 			/* improve power consumption */
5710 			run_bbp_read(sc, 31, &bbp);
5711 			run_bbp_write(sc, 31, bbp & ~0x03);
5712 		}
5713 
5714 		if (sc->mac_rev < 0x0201) {
5715 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5716 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5717 		} else
5718 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5719 	}
5720 
5721 	/* initialize RF registers from ROM for >=RT3071*/
5722 	if (sc->mac_ver >= 0x3071) {
5723 		for (i = 0; i < 10; i++) {
5724 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5725 				continue;
5726 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5727 		}
5728 	}
5729 }
5730 
5731 static void
5732 run_rt3593_rf_setup(struct run_softc *sc)
5733 {
5734 	uint8_t bbp, rf;
5735 
5736 	if (sc->mac_rev >= 0x0211) {
5737 		/* Enable DC filter. */
5738 		run_bbp_write(sc, 103, 0xc0);
5739 	}
5740 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5741 	if (sc->mac_rev < 0x0211) {
5742 		run_write(sc, RT2860_TX_SW_CFG2,
5743 		    sc->patch_dac ? 0x2c : 0x0f);
5744 	} else
5745 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5746 
5747 	run_rt3070_rf_read(sc, 50, &rf);
5748 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5749 
5750 	run_rt3070_rf_read(sc, 51, &rf);
5751 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5752 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5753 	run_rt3070_rf_write(sc, 51, rf);
5754 
5755 	run_rt3070_rf_read(sc, 38, &rf);
5756 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5757 
5758 	run_rt3070_rf_read(sc, 39, &rf);
5759 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5760 
5761 	run_rt3070_rf_read(sc, 1, &rf);
5762 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5763 
5764 	run_rt3070_rf_read(sc, 30, &rf);
5765 	rf = (rf & ~0x18) | 0x10;
5766 	run_rt3070_rf_write(sc, 30, rf);
5767 
5768 	/* Apply maximum likelihood detection for 2 stream case. */
5769 	run_bbp_read(sc, 105, &bbp);
5770 	if (sc->nrxchains > 1)
5771 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5772 
5773 	/* Avoid data lost and CRC error. */
5774 	run_bbp_read(sc, 4, &bbp);
5775 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5776 
5777 	run_bbp_write(sc, 92, 0x02);
5778 	run_bbp_write(sc, 82, 0x82);
5779 	run_bbp_write(sc, 106, 0x05);
5780 	run_bbp_write(sc, 104, 0x92);
5781 	run_bbp_write(sc, 88, 0x90);
5782 	run_bbp_write(sc, 148, 0xc8);
5783 	run_bbp_write(sc, 47, 0x48);
5784 	run_bbp_write(sc, 120, 0x50);
5785 
5786 	run_bbp_write(sc, 163, 0x9d);
5787 
5788 	/* SNR mapping. */
5789 	run_bbp_write(sc, 142, 0x06);
5790 	run_bbp_write(sc, 143, 0xa0);
5791 	run_bbp_write(sc, 142, 0x07);
5792 	run_bbp_write(sc, 143, 0xa1);
5793 	run_bbp_write(sc, 142, 0x08);
5794 	run_bbp_write(sc, 143, 0xa2);
5795 
5796 	run_bbp_write(sc, 31, 0x08);
5797 	run_bbp_write(sc, 68, 0x0b);
5798 	run_bbp_write(sc, 105, 0x04);
5799 }
5800 
5801 static void
5802 run_rt5390_rf_setup(struct run_softc *sc)
5803 {
5804 	uint8_t bbp, rf;
5805 
5806 	if (sc->mac_rev >= 0x0211) {
5807 		/* Enable DC filter. */
5808 		run_bbp_write(sc, 103, 0xc0);
5809 
5810 		if (sc->mac_ver != 0x5592) {
5811 			/* Improve power consumption. */
5812 			run_bbp_read(sc, 31, &bbp);
5813 			run_bbp_write(sc, 31, bbp & ~0x03);
5814 		}
5815 	}
5816 
5817 	run_bbp_read(sc, 138, &bbp);
5818 	if (sc->ntxchains == 1)
5819 		bbp |= 0x20;	/* turn off DAC1 */
5820 	if (sc->nrxchains == 1)
5821 		bbp &= ~0x02;	/* turn off ADC1 */
5822 	run_bbp_write(sc, 138, bbp);
5823 
5824 	run_rt3070_rf_read(sc, 38, &rf);
5825 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5826 
5827 	run_rt3070_rf_read(sc, 39, &rf);
5828 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5829 
5830 	/* Avoid data lost and CRC error. */
5831 	run_bbp_read(sc, 4, &bbp);
5832 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5833 
5834 	run_rt3070_rf_read(sc, 30, &rf);
5835 	rf = (rf & ~0x18) | 0x10;
5836 	run_rt3070_rf_write(sc, 30, rf);
5837 
5838 	if (sc->mac_ver != 0x5592) {
5839 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5840 		if (sc->mac_rev < 0x0211) {
5841 			run_write(sc, RT2860_TX_SW_CFG2,
5842 			    sc->patch_dac ? 0x2c : 0x0f);
5843 		} else
5844 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5845 	}
5846 }
5847 
5848 static int
5849 run_txrx_enable(struct run_softc *sc)
5850 {
5851 	struct ieee80211com *ic = &sc->sc_ic;
5852 	uint32_t tmp;
5853 	int error, ntries;
5854 
5855 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5856 	for (ntries = 0; ntries < 200; ntries++) {
5857 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5858 			return (error);
5859 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5860 			break;
5861 		run_delay(sc, 50);
5862 	}
5863 	if (ntries == 200)
5864 		return (ETIMEDOUT);
5865 
5866 	run_delay(sc, 50);
5867 
5868 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5869 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5870 
5871 	/* enable Rx bulk aggregation (set timeout and limit) */
5872 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5873 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5874 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5875 
5876 	/* set Rx filter */
5877 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5878 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5879 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5880 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5881 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5882 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5883 		if (ic->ic_opmode == IEEE80211_M_STA)
5884 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5885 	}
5886 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5887 
5888 	run_write(sc, RT2860_MAC_SYS_CTRL,
5889 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5890 
5891 	return (0);
5892 }
5893 
5894 static void
5895 run_adjust_freq_offset(struct run_softc *sc)
5896 {
5897 	uint8_t rf, tmp;
5898 
5899 	run_rt3070_rf_read(sc, 17, &rf);
5900 	tmp = rf;
5901 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5902 	rf = MIN(rf, 0x5f);
5903 
5904 	if (tmp != rf)
5905 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5906 }
5907 
5908 static void
5909 run_init_locked(struct run_softc *sc)
5910 {
5911 	struct ieee80211com *ic = &sc->sc_ic;
5912 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5913 	uint32_t tmp;
5914 	uint8_t bbp1, bbp3;
5915 	int i;
5916 	int ridx;
5917 	int ntries;
5918 
5919 	if (ic->ic_nrunning > 1)
5920 		return;
5921 
5922 	run_stop(sc);
5923 
5924 	if (run_load_microcode(sc) != 0) {
5925 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5926 		goto fail;
5927 	}
5928 
5929 	for (ntries = 0; ntries < 100; ntries++) {
5930 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5931 			goto fail;
5932 		if (tmp != 0 && tmp != 0xffffffff)
5933 			break;
5934 		run_delay(sc, 10);
5935 	}
5936 	if (ntries == 100)
5937 		goto fail;
5938 
5939 	for (i = 0; i != RUN_EP_QUEUES; i++)
5940 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5941 
5942 	run_set_macaddr(sc, vap ? vap->iv_myaddr : ic->ic_macaddr);
5943 
5944 	for (ntries = 0; ntries < 100; ntries++) {
5945 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5946 			goto fail;
5947 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5948 			break;
5949 		run_delay(sc, 10);
5950 	}
5951 	if (ntries == 100) {
5952 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5953 		goto fail;
5954 	}
5955 	tmp &= 0xff0;
5956 	tmp |= RT2860_TX_WB_DDONE;
5957 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5958 
5959 	/* turn off PME_OEN to solve high-current issue */
5960 	run_read(sc, RT2860_SYS_CTRL, &tmp);
5961 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5962 
5963 	run_write(sc, RT2860_MAC_SYS_CTRL,
5964 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
5965 	run_write(sc, RT2860_USB_DMA_CFG, 0);
5966 
5967 	if (run_reset(sc) != 0) {
5968 		device_printf(sc->sc_dev, "could not reset chipset\n");
5969 		goto fail;
5970 	}
5971 
5972 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
5973 
5974 	/* init Tx power for all Tx rates (from EEPROM) */
5975 	for (ridx = 0; ridx < 5; ridx++) {
5976 		if (sc->txpow20mhz[ridx] == 0xffffffff)
5977 			continue;
5978 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
5979 	}
5980 
5981 	for (i = 0; i < nitems(rt2870_def_mac); i++)
5982 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
5983 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
5984 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
5985 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
5986 
5987 	if (sc->mac_ver >= 0x5390) {
5988 		run_write(sc, RT2860_TX_SW_CFG0,
5989 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
5990 		if (sc->mac_ver >= 0x5392) {
5991 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
5992 			if (sc->mac_ver == 0x5592) {
5993 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
5994 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
5995 			} else {
5996 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
5997 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
5998 			}
5999 		}
6000 	} else if (sc->mac_ver == 0x3593) {
6001 		run_write(sc, RT2860_TX_SW_CFG0,
6002 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6003 	} else if (sc->mac_ver >= 0x3070) {
6004 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6005 		run_write(sc, RT2860_TX_SW_CFG0,
6006 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6007 	}
6008 
6009 	/* wait while MAC is busy */
6010 	for (ntries = 0; ntries < 100; ntries++) {
6011 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6012 			goto fail;
6013 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6014 			break;
6015 		run_delay(sc, 10);
6016 	}
6017 	if (ntries == 100)
6018 		goto fail;
6019 
6020 	/* clear Host to MCU mailbox */
6021 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6022 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6023 	run_delay(sc, 10);
6024 
6025 	if (run_bbp_init(sc) != 0) {
6026 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6027 		goto fail;
6028 	}
6029 
6030 	/* abort TSF synchronization */
6031 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6032 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6033 	    RT2860_TBTT_TIMER_EN);
6034 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6035 
6036 	/* clear RX WCID search table */
6037 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6038 	/* clear WCID attribute table */
6039 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6040 
6041 	/* hostapd sets a key before init. So, don't clear it. */
6042 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6043 		/* clear shared key table */
6044 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6045 		/* clear shared key mode */
6046 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6047 	}
6048 
6049 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6050 	tmp = (tmp & ~0xff) | 0x1e;
6051 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6052 
6053 	if (sc->mac_rev != 0x0101)
6054 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6055 
6056 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6057 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6058 
6059 	/* write vendor-specific BBP values (from EEPROM) */
6060 	if (sc->mac_ver < 0x3593) {
6061 		for (i = 0; i < 10; i++) {
6062 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6063 				continue;
6064 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6065 		}
6066 	}
6067 
6068 	/* select Main antenna for 1T1R devices */
6069 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6070 		run_set_rx_antenna(sc, 0);
6071 
6072 	/* send LEDs operating mode to microcontroller */
6073 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6074 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6075 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6076 
6077 	if (sc->mac_ver >= 0x5390)
6078 		run_rt5390_rf_init(sc);
6079 	else if (sc->mac_ver == 0x3593)
6080 		run_rt3593_rf_init(sc);
6081 	else if (sc->mac_ver >= 0x3070)
6082 		run_rt3070_rf_init(sc);
6083 
6084 	/* disable non-existing Rx chains */
6085 	run_bbp_read(sc, 3, &bbp3);
6086 	bbp3 &= ~(1 << 3 | 1 << 4);
6087 	if (sc->nrxchains == 2)
6088 		bbp3 |= 1 << 3;
6089 	else if (sc->nrxchains == 3)
6090 		bbp3 |= 1 << 4;
6091 	run_bbp_write(sc, 3, bbp3);
6092 
6093 	/* disable non-existing Tx chains */
6094 	run_bbp_read(sc, 1, &bbp1);
6095 	if (sc->ntxchains == 1)
6096 		bbp1 &= ~(1 << 3 | 1 << 4);
6097 	run_bbp_write(sc, 1, bbp1);
6098 
6099 	if (sc->mac_ver >= 0x5390)
6100 		run_rt5390_rf_setup(sc);
6101 	else if (sc->mac_ver == 0x3593)
6102 		run_rt3593_rf_setup(sc);
6103 	else if (sc->mac_ver >= 0x3070)
6104 		run_rt3070_rf_setup(sc);
6105 
6106 	/* select default channel */
6107 	run_set_chan(sc, ic->ic_curchan);
6108 
6109 	/* setup initial protection mode */
6110 	run_updateprot_cb(ic);
6111 
6112 	/* turn radio LED on */
6113 	run_set_leds(sc, RT2860_LED_RADIO);
6114 
6115 	sc->sc_flags |= RUN_RUNNING;
6116 	sc->cmdq_run = RUN_CMDQ_GO;
6117 
6118 	for (i = 0; i != RUN_N_XFER; i++)
6119 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6120 
6121 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6122 
6123 	if (run_txrx_enable(sc) != 0)
6124 		goto fail;
6125 
6126 	return;
6127 
6128 fail:
6129 	run_stop(sc);
6130 }
6131 
6132 static void
6133 run_stop(void *arg)
6134 {
6135 	struct run_softc *sc = (struct run_softc *)arg;
6136 	uint32_t tmp;
6137 	int i;
6138 	int ntries;
6139 
6140 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6141 
6142 	if (sc->sc_flags & RUN_RUNNING)
6143 		run_set_leds(sc, 0);	/* turn all LEDs off */
6144 
6145 	sc->sc_flags &= ~RUN_RUNNING;
6146 
6147 	sc->ratectl_run = RUN_RATECTL_OFF;
6148 	sc->cmdq_run = sc->cmdq_key_set;
6149 
6150 	RUN_UNLOCK(sc);
6151 
6152 	for(i = 0; i < RUN_N_XFER; i++)
6153 		usbd_transfer_drain(sc->sc_xfer[i]);
6154 
6155 	RUN_LOCK(sc);
6156 
6157 	run_drain_mbufq(sc);
6158 
6159 	if (sc->rx_m != NULL) {
6160 		m_free(sc->rx_m);
6161 		sc->rx_m = NULL;
6162 	}
6163 
6164 	/* Disable Tx/Rx DMA. */
6165 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6166 		return;
6167 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6168 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6169 
6170 	for (ntries = 0; ntries < 100; ntries++) {
6171 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6172 			return;
6173 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6174 				break;
6175 		run_delay(sc, 10);
6176 	}
6177 	if (ntries == 100) {
6178 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6179 		return;
6180 	}
6181 
6182 	/* disable Tx/Rx */
6183 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6184 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6185 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6186 
6187 	/* wait for pending Tx to complete */
6188 	for (ntries = 0; ntries < 100; ntries++) {
6189 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6190 			DPRINTF("Cannot read Tx queue count\n");
6191 			break;
6192 		}
6193 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6194 			DPRINTF("All Tx cleared\n");
6195 			break;
6196 		}
6197 		run_delay(sc, 10);
6198 	}
6199 	if (ntries >= 100)
6200 		DPRINTF("There are still pending Tx\n");
6201 	run_delay(sc, 10);
6202 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6203 
6204 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6205 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6206 
6207 	for (i = 0; i != RUN_EP_QUEUES; i++)
6208 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6209 }
6210 
6211 static void
6212 run_delay(struct run_softc *sc, u_int ms)
6213 {
6214 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6215 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6216 }
6217 
6218 static device_method_t run_methods[] = {
6219 	/* Device interface */
6220 	DEVMETHOD(device_probe,		run_match),
6221 	DEVMETHOD(device_attach,	run_attach),
6222 	DEVMETHOD(device_detach,	run_detach),
6223 	DEVMETHOD_END
6224 };
6225 
6226 static driver_t run_driver = {
6227 	.name = "run",
6228 	.methods = run_methods,
6229 	.size = sizeof(struct run_softc)
6230 };
6231 
6232 static devclass_t run_devclass;
6233 
6234 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6235 MODULE_DEPEND(run, wlan, 1, 1, 1);
6236 MODULE_DEPEND(run, usb, 1, 1, 1);
6237 MODULE_DEPEND(run, firmware, 1, 1, 1);
6238 MODULE_VERSION(run, 1);
6239