xref: /freebsd/sys/dev/usb/wlan/if_run.c (revision d8b88105c2ccf7686552516877f541efb54fb6c8)
1 /*-
2  * Copyright (c) 2008,2010 Damien Bergamini <damien.bergamini@free.fr>
3  * ported to FreeBSD by Akinori Furukoshi <moonlightakkiy@yahoo.ca>
4  * USB Consulting, Hans Petter Selasky <hselasky@freebsd.org>
5  * Copyright (c) 2013-2014 Kevin Lo
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/cdefs.h>
21 __FBSDID("$FreeBSD$");
22 
23 /*-
24  * Ralink Technology RT2700U/RT2800U/RT3000U/RT3900E chipset driver.
25  * http://www.ralinktech.com/
26  */
27 
28 #include <sys/param.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
31 #include <sys/lock.h>
32 #include <sys/mutex.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/bus.h>
40 #include <sys/endian.h>
41 #include <sys/linker.h>
42 #include <sys/firmware.h>
43 #include <sys/kdb.h>
44 
45 #include <machine/bus.h>
46 #include <machine/resource.h>
47 #include <sys/rman.h>
48 
49 #include <net/bpf.h>
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/if_arp.h>
53 #include <net/ethernet.h>
54 #include <net/if_dl.h>
55 #include <net/if_media.h>
56 #include <net/if_types.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in_var.h>
61 #include <netinet/if_ether.h>
62 #include <netinet/ip.h>
63 
64 #include <net80211/ieee80211_var.h>
65 #include <net80211/ieee80211_regdomain.h>
66 #include <net80211/ieee80211_radiotap.h>
67 #include <net80211/ieee80211_ratectl.h>
68 
69 #include <dev/usb/usb.h>
70 #include <dev/usb/usbdi.h>
71 #include "usbdevs.h"
72 
73 #define	USB_DEBUG_VAR	run_debug
74 #include <dev/usb/usb_debug.h>
75 #include <dev/usb/usb_msctest.h>
76 
77 #include <dev/usb/wlan/if_runreg.h>
78 #include <dev/usb/wlan/if_runvar.h>
79 
80 #ifdef	USB_DEBUG
81 #define	RUN_DEBUG
82 #endif
83 
84 #ifdef	RUN_DEBUG
85 int run_debug = 0;
86 static SYSCTL_NODE(_hw_usb, OID_AUTO, run, CTLFLAG_RW, 0, "USB run");
87 SYSCTL_INT(_hw_usb_run, OID_AUTO, debug, CTLFLAG_RW, &run_debug, 0,
88     "run debug level");
89 #endif
90 
91 #define	IEEE80211_HAS_ADDR4(wh)	\
92 	(((wh)->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
93 
94 /*
95  * Because of LOR in run_key_delete(), use atomic instead.
96  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
97  */
98 #define	RUN_CMDQ_GET(c)	(atomic_fetchadd_32((c), 1) & RUN_CMDQ_MASQ)
99 
100 static const STRUCT_USB_HOST_ID run_devs[] = {
101 #define	RUN_DEV(v,p)	{ USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
102 #define	RUN_DEV_EJECT(v,p)	\
103 	{ USB_VPI(USB_VENDOR_##v, USB_PRODUCT_##v##_##p, 0) }
104     RUN_DEV(ABOCOM,		RT2770),
105     RUN_DEV(ABOCOM,		RT2870),
106     RUN_DEV(ABOCOM,		RT3070),
107     RUN_DEV(ABOCOM,		RT3071),
108     RUN_DEV(ABOCOM,		RT3072),
109     RUN_DEV(ABOCOM2,		RT2870_1),
110     RUN_DEV(ACCTON,		RT2770),
111     RUN_DEV(ACCTON,		RT2870_1),
112     RUN_DEV(ACCTON,		RT2870_2),
113     RUN_DEV(ACCTON,		RT2870_3),
114     RUN_DEV(ACCTON,		RT2870_4),
115     RUN_DEV(ACCTON,		RT2870_5),
116     RUN_DEV(ACCTON,		RT3070),
117     RUN_DEV(ACCTON,		RT3070_1),
118     RUN_DEV(ACCTON,		RT3070_2),
119     RUN_DEV(ACCTON,		RT3070_3),
120     RUN_DEV(ACCTON,		RT3070_4),
121     RUN_DEV(ACCTON,		RT3070_5),
122     RUN_DEV(AIRTIES,		RT3070),
123     RUN_DEV(ALLWIN,		RT2070),
124     RUN_DEV(ALLWIN,		RT2770),
125     RUN_DEV(ALLWIN,		RT2870),
126     RUN_DEV(ALLWIN,		RT3070),
127     RUN_DEV(ALLWIN,		RT3071),
128     RUN_DEV(ALLWIN,		RT3072),
129     RUN_DEV(ALLWIN,		RT3572),
130     RUN_DEV(AMIGO,		RT2870_1),
131     RUN_DEV(AMIGO,		RT2870_2),
132     RUN_DEV(AMIT,		CGWLUSB2GNR),
133     RUN_DEV(AMIT,		RT2870_1),
134     RUN_DEV(AMIT2,		RT2870),
135     RUN_DEV(ASUS,		RT2870_1),
136     RUN_DEV(ASUS,		RT2870_2),
137     RUN_DEV(ASUS,		RT2870_3),
138     RUN_DEV(ASUS,		RT2870_4),
139     RUN_DEV(ASUS,		RT2870_5),
140     RUN_DEV(ASUS,		USBN13),
141     RUN_DEV(ASUS,		RT3070_1),
142     RUN_DEV(ASUS,		USBN66),
143     RUN_DEV(ASUS,		USB_N53),
144     RUN_DEV(ASUS2,		USBN11),
145     RUN_DEV(AZUREWAVE,		RT2870_1),
146     RUN_DEV(AZUREWAVE,		RT2870_2),
147     RUN_DEV(AZUREWAVE,		RT3070_1),
148     RUN_DEV(AZUREWAVE,		RT3070_2),
149     RUN_DEV(AZUREWAVE,		RT3070_3),
150     RUN_DEV(BELKIN,		F9L1103),
151     RUN_DEV(BELKIN,		F5D8053V3),
152     RUN_DEV(BELKIN,		F5D8055),
153     RUN_DEV(BELKIN,		F5D8055V2),
154     RUN_DEV(BELKIN,		F6D4050V1),
155     RUN_DEV(BELKIN,		F6D4050V2),
156     RUN_DEV(BELKIN,		RT2870_1),
157     RUN_DEV(BELKIN,		RT2870_2),
158     RUN_DEV(CISCOLINKSYS,	AE1000),
159     RUN_DEV(CISCOLINKSYS2,	RT3070),
160     RUN_DEV(CISCOLINKSYS3,	RT3070),
161     RUN_DEV(CONCEPTRONIC2,	RT2870_1),
162     RUN_DEV(CONCEPTRONIC2,	RT2870_2),
163     RUN_DEV(CONCEPTRONIC2,	RT2870_3),
164     RUN_DEV(CONCEPTRONIC2,	RT2870_4),
165     RUN_DEV(CONCEPTRONIC2,	RT2870_5),
166     RUN_DEV(CONCEPTRONIC2,	RT2870_6),
167     RUN_DEV(CONCEPTRONIC2,	RT2870_7),
168     RUN_DEV(CONCEPTRONIC2,	RT2870_8),
169     RUN_DEV(CONCEPTRONIC2,	RT3070_1),
170     RUN_DEV(CONCEPTRONIC2,	RT3070_2),
171     RUN_DEV(CONCEPTRONIC2,	VIGORN61),
172     RUN_DEV(COREGA,		CGWLUSB300GNM),
173     RUN_DEV(COREGA,		RT2870_1),
174     RUN_DEV(COREGA,		RT2870_2),
175     RUN_DEV(COREGA,		RT2870_3),
176     RUN_DEV(COREGA,		RT3070),
177     RUN_DEV(CYBERTAN,		RT2870),
178     RUN_DEV(DLINK,		RT2870),
179     RUN_DEV(DLINK,		RT3072),
180     RUN_DEV(DLINK,		DWA127),
181     RUN_DEV(DLINK,		DWA140B3),
182     RUN_DEV(DLINK,		DWA160B2),
183     RUN_DEV(DLINK,		DWA162),
184     RUN_DEV(DLINK2,		DWA130),
185     RUN_DEV(DLINK2,		RT2870_1),
186     RUN_DEV(DLINK2,		RT2870_2),
187     RUN_DEV(DLINK2,		RT3070_1),
188     RUN_DEV(DLINK2,		RT3070_2),
189     RUN_DEV(DLINK2,		RT3070_3),
190     RUN_DEV(DLINK2,		RT3070_4),
191     RUN_DEV(DLINK2,		RT3070_5),
192     RUN_DEV(DLINK2,		RT3072),
193     RUN_DEV(DLINK2,		RT3072_1),
194     RUN_DEV(EDIMAX,		EW7717),
195     RUN_DEV(EDIMAX,		EW7718),
196     RUN_DEV(EDIMAX,		EW7733UND),
197     RUN_DEV(EDIMAX,		RT2870_1),
198     RUN_DEV(ENCORE,		RT3070_1),
199     RUN_DEV(ENCORE,		RT3070_2),
200     RUN_DEV(ENCORE,		RT3070_3),
201     RUN_DEV(GIGABYTE,		GNWB31N),
202     RUN_DEV(GIGABYTE,		GNWB32L),
203     RUN_DEV(GIGABYTE,		RT2870_1),
204     RUN_DEV(GIGASET,		RT3070_1),
205     RUN_DEV(GIGASET,		RT3070_2),
206     RUN_DEV(GUILLEMOT,		HWNU300),
207     RUN_DEV(HAWKING,		HWUN2),
208     RUN_DEV(HAWKING,		RT2870_1),
209     RUN_DEV(HAWKING,		RT2870_2),
210     RUN_DEV(HAWKING,		RT3070),
211     RUN_DEV(IODATA,		RT3072_1),
212     RUN_DEV(IODATA,		RT3072_2),
213     RUN_DEV(IODATA,		RT3072_3),
214     RUN_DEV(IODATA,		RT3072_4),
215     RUN_DEV(LINKSYS4,		RT3070),
216     RUN_DEV(LINKSYS4,		WUSB100),
217     RUN_DEV(LINKSYS4,		WUSB54GCV3),
218     RUN_DEV(LINKSYS4,		WUSB600N),
219     RUN_DEV(LINKSYS4,		WUSB600NV2),
220     RUN_DEV(LOGITEC,		RT2870_1),
221     RUN_DEV(LOGITEC,		RT2870_2),
222     RUN_DEV(LOGITEC,		RT2870_3),
223     RUN_DEV(LOGITEC,		LANW300NU2),
224     RUN_DEV(LOGITEC,		LANW150NU2),
225     RUN_DEV(LOGITEC,		LANW300NU2S),
226     RUN_DEV(MELCO,		RT2870_1),
227     RUN_DEV(MELCO,		RT2870_2),
228     RUN_DEV(MELCO,		WLIUCAG300N),
229     RUN_DEV(MELCO,		WLIUCG300N),
230     RUN_DEV(MELCO,		WLIUCG301N),
231     RUN_DEV(MELCO,		WLIUCGN),
232     RUN_DEV(MELCO,		WLIUCGNM),
233     RUN_DEV(MELCO,		WLIUCGNM2),
234     RUN_DEV(MOTOROLA4,		RT2770),
235     RUN_DEV(MOTOROLA4,		RT3070),
236     RUN_DEV(MSI,		RT3070_1),
237     RUN_DEV(MSI,		RT3070_2),
238     RUN_DEV(MSI,		RT3070_3),
239     RUN_DEV(MSI,		RT3070_4),
240     RUN_DEV(MSI,		RT3070_5),
241     RUN_DEV(MSI,		RT3070_6),
242     RUN_DEV(MSI,		RT3070_7),
243     RUN_DEV(MSI,		RT3070_8),
244     RUN_DEV(MSI,		RT3070_9),
245     RUN_DEV(MSI,		RT3070_10),
246     RUN_DEV(MSI,		RT3070_11),
247     RUN_DEV(OVISLINK,		RT3072),
248     RUN_DEV(PARA,		RT3070),
249     RUN_DEV(PEGATRON,		RT2870),
250     RUN_DEV(PEGATRON,		RT3070),
251     RUN_DEV(PEGATRON,		RT3070_2),
252     RUN_DEV(PEGATRON,		RT3070_3),
253     RUN_DEV(PHILIPS,		RT2870),
254     RUN_DEV(PLANEX2,		GWUS300MINIS),
255     RUN_DEV(PLANEX2,		GWUSMICRON),
256     RUN_DEV(PLANEX2,		RT2870),
257     RUN_DEV(PLANEX2,		RT3070),
258     RUN_DEV(QCOM,		RT2870),
259     RUN_DEV(QUANTA,		RT3070),
260     RUN_DEV(RALINK,		RT2070),
261     RUN_DEV(RALINK,		RT2770),
262     RUN_DEV(RALINK,		RT2870),
263     RUN_DEV(RALINK,		RT3070),
264     RUN_DEV(RALINK,		RT3071),
265     RUN_DEV(RALINK,		RT3072),
266     RUN_DEV(RALINK,		RT3370),
267     RUN_DEV(RALINK,		RT3572),
268     RUN_DEV(RALINK,		RT3573),
269     RUN_DEV(RALINK,		RT5370),
270     RUN_DEV(RALINK,		RT5572),
271     RUN_DEV(RALINK,		RT8070),
272     RUN_DEV(SAMSUNG,		WIS09ABGN),
273     RUN_DEV(SAMSUNG2,		RT2870_1),
274     RUN_DEV(SENAO,		RT2870_1),
275     RUN_DEV(SENAO,		RT2870_2),
276     RUN_DEV(SENAO,		RT2870_3),
277     RUN_DEV(SENAO,		RT2870_4),
278     RUN_DEV(SENAO,		RT3070),
279     RUN_DEV(SENAO,		RT3071),
280     RUN_DEV(SENAO,		RT3072_1),
281     RUN_DEV(SENAO,		RT3072_2),
282     RUN_DEV(SENAO,		RT3072_3),
283     RUN_DEV(SENAO,		RT3072_4),
284     RUN_DEV(SENAO,		RT3072_5),
285     RUN_DEV(SITECOMEU,		RT2770),
286     RUN_DEV(SITECOMEU,		RT2870_1),
287     RUN_DEV(SITECOMEU,		RT2870_2),
288     RUN_DEV(SITECOMEU,		RT2870_3),
289     RUN_DEV(SITECOMEU,		RT2870_4),
290     RUN_DEV(SITECOMEU,		RT3070),
291     RUN_DEV(SITECOMEU,		RT3070_2),
292     RUN_DEV(SITECOMEU,		RT3070_3),
293     RUN_DEV(SITECOMEU,		RT3070_4),
294     RUN_DEV(SITECOMEU,		RT3071),
295     RUN_DEV(SITECOMEU,		RT3072_1),
296     RUN_DEV(SITECOMEU,		RT3072_2),
297     RUN_DEV(SITECOMEU,		RT3072_3),
298     RUN_DEV(SITECOMEU,		RT3072_4),
299     RUN_DEV(SITECOMEU,		RT3072_5),
300     RUN_DEV(SITECOMEU,		RT3072_6),
301     RUN_DEV(SITECOMEU,		WL608),
302     RUN_DEV(SPARKLAN,		RT2870_1),
303     RUN_DEV(SPARKLAN,		RT3070),
304     RUN_DEV(SWEEX2,		LW153),
305     RUN_DEV(SWEEX2,		LW303),
306     RUN_DEV(SWEEX2,		LW313),
307     RUN_DEV(TOSHIBA,		RT3070),
308     RUN_DEV(UMEDIA,		RT2870_1),
309     RUN_DEV(ZCOM,		RT2870_1),
310     RUN_DEV(ZCOM,		RT2870_2),
311     RUN_DEV(ZINWELL,		RT2870_1),
312     RUN_DEV(ZINWELL,		RT2870_2),
313     RUN_DEV(ZINWELL,		RT3070),
314     RUN_DEV(ZINWELL,		RT3072_1),
315     RUN_DEV(ZINWELL,		RT3072_2),
316     RUN_DEV(ZYXEL,		RT2870_1),
317     RUN_DEV(ZYXEL,		RT2870_2),
318     RUN_DEV(ZYXEL,		NWD2705),
319     RUN_DEV_EJECT(RALINK,	RT_STOR),
320 #undef RUN_DEV_EJECT
321 #undef RUN_DEV
322 };
323 
324 static device_probe_t	run_match;
325 static device_attach_t	run_attach;
326 static device_detach_t	run_detach;
327 
328 static usb_callback_t	run_bulk_rx_callback;
329 static usb_callback_t	run_bulk_tx_callback0;
330 static usb_callback_t	run_bulk_tx_callback1;
331 static usb_callback_t	run_bulk_tx_callback2;
332 static usb_callback_t	run_bulk_tx_callback3;
333 static usb_callback_t	run_bulk_tx_callback4;
334 static usb_callback_t	run_bulk_tx_callback5;
335 
336 static void	run_autoinst(void *, struct usb_device *,
337 		    struct usb_attach_arg *);
338 static int	run_driver_loaded(struct module *, int, void *);
339 static void	run_bulk_tx_callbackN(struct usb_xfer *xfer,
340 		    usb_error_t error, u_int index);
341 static struct ieee80211vap *run_vap_create(struct ieee80211com *,
342 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
343 		    const uint8_t [IEEE80211_ADDR_LEN],
344 		    const uint8_t [IEEE80211_ADDR_LEN]);
345 static void	run_vap_delete(struct ieee80211vap *);
346 static void	run_cmdq_cb(void *, int);
347 static void	run_setup_tx_list(struct run_softc *,
348 		    struct run_endpoint_queue *);
349 static void	run_unsetup_tx_list(struct run_softc *,
350 		    struct run_endpoint_queue *);
351 static int	run_load_microcode(struct run_softc *);
352 static int	run_reset(struct run_softc *);
353 static usb_error_t run_do_request(struct run_softc *,
354 		    struct usb_device_request *, void *);
355 static int	run_read(struct run_softc *, uint16_t, uint32_t *);
356 static int	run_read_region_1(struct run_softc *, uint16_t, uint8_t *, int);
357 static int	run_write_2(struct run_softc *, uint16_t, uint16_t);
358 static int	run_write(struct run_softc *, uint16_t, uint32_t);
359 static int	run_write_region_1(struct run_softc *, uint16_t,
360 		    const uint8_t *, int);
361 static int	run_set_region_4(struct run_softc *, uint16_t, uint32_t, int);
362 static int	run_efuse_read(struct run_softc *, uint16_t, uint16_t *, int);
363 static int	run_efuse_read_2(struct run_softc *, uint16_t, uint16_t *);
364 static int	run_eeprom_read_2(struct run_softc *, uint16_t, uint16_t *);
365 static int	run_rt2870_rf_write(struct run_softc *, uint32_t);
366 static int	run_rt3070_rf_read(struct run_softc *, uint8_t, uint8_t *);
367 static int	run_rt3070_rf_write(struct run_softc *, uint8_t, uint8_t);
368 static int	run_bbp_read(struct run_softc *, uint8_t, uint8_t *);
369 static int	run_bbp_write(struct run_softc *, uint8_t, uint8_t);
370 static int	run_mcu_cmd(struct run_softc *, uint8_t, uint16_t);
371 static const char *run_get_rf(uint16_t);
372 static void	run_rt3593_get_txpower(struct run_softc *);
373 static void	run_get_txpower(struct run_softc *);
374 static int	run_read_eeprom(struct run_softc *);
375 static struct ieee80211_node *run_node_alloc(struct ieee80211vap *,
376 			    const uint8_t mac[IEEE80211_ADDR_LEN]);
377 static int	run_media_change(struct ifnet *);
378 static int	run_newstate(struct ieee80211vap *, enum ieee80211_state, int);
379 static int	run_wme_update(struct ieee80211com *);
380 static void	run_wme_update_cb(void *);
381 static void	run_key_update_begin(struct ieee80211vap *);
382 static void	run_key_update_end(struct ieee80211vap *);
383 static void	run_key_set_cb(void *);
384 static int	run_key_set(struct ieee80211vap *, struct ieee80211_key *,
385 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
386 static void	run_key_delete_cb(void *);
387 static int	run_key_delete(struct ieee80211vap *, struct ieee80211_key *);
388 static void	run_ratectl_to(void *);
389 static void	run_ratectl_cb(void *, int);
390 static void	run_drain_fifo(void *);
391 static void	run_iter_func(void *, struct ieee80211_node *);
392 static void	run_newassoc_cb(void *);
393 static void	run_newassoc(struct ieee80211_node *, int);
394 static void	run_rx_frame(struct run_softc *, struct mbuf *, uint32_t);
395 static void	run_tx_free(struct run_endpoint_queue *pq,
396 		    struct run_tx_data *, int);
397 static void	run_set_tx_desc(struct run_softc *, struct run_tx_data *);
398 static int	run_tx(struct run_softc *, struct mbuf *,
399 		    struct ieee80211_node *);
400 static int	run_tx_mgt(struct run_softc *, struct mbuf *,
401 		    struct ieee80211_node *);
402 static int	run_sendprot(struct run_softc *, const struct mbuf *,
403 		    struct ieee80211_node *, int, int);
404 static int	run_tx_param(struct run_softc *, struct mbuf *,
405 		    struct ieee80211_node *,
406 		    const struct ieee80211_bpf_params *);
407 static int	run_raw_xmit(struct ieee80211_node *, struct mbuf *,
408 		    const struct ieee80211_bpf_params *);
409 static void	run_start(struct ifnet *);
410 static int	run_ioctl(struct ifnet *, u_long, caddr_t);
411 static void	run_iq_calib(struct run_softc *, u_int);
412 static void	run_set_agc(struct run_softc *, uint8_t);
413 static void	run_select_chan_group(struct run_softc *, int);
414 static void	run_set_rx_antenna(struct run_softc *, int);
415 static void	run_rt2870_set_chan(struct run_softc *, u_int);
416 static void	run_rt3070_set_chan(struct run_softc *, u_int);
417 static void	run_rt3572_set_chan(struct run_softc *, u_int);
418 static void	run_rt3593_set_chan(struct run_softc *, u_int);
419 static void	run_rt5390_set_chan(struct run_softc *, u_int);
420 static void	run_rt5592_set_chan(struct run_softc *, u_int);
421 static int	run_set_chan(struct run_softc *, struct ieee80211_channel *);
422 static void	run_set_channel(struct ieee80211com *);
423 static void	run_scan_start(struct ieee80211com *);
424 static void	run_scan_end(struct ieee80211com *);
425 static void	run_update_beacon(struct ieee80211vap *, int);
426 static void	run_update_beacon_cb(void *);
427 static void	run_updateprot(struct ieee80211com *);
428 static void	run_updateprot_cb(void *);
429 static void	run_usb_timeout_cb(void *);
430 static void	run_reset_livelock(struct run_softc *);
431 static void	run_enable_tsf_sync(struct run_softc *);
432 static void	run_enable_mrr(struct run_softc *);
433 static void	run_set_txpreamble(struct run_softc *);
434 static void	run_set_basicrates(struct run_softc *);
435 static void	run_set_leds(struct run_softc *, uint16_t);
436 static void	run_set_bssid(struct run_softc *, const uint8_t *);
437 static void	run_set_macaddr(struct run_softc *, const uint8_t *);
438 static void	run_updateslot(struct ifnet *);
439 static void	run_updateslot_cb(void *);
440 static void	run_update_mcast(struct ifnet *);
441 static int8_t	run_rssi2dbm(struct run_softc *, uint8_t, uint8_t);
442 static void	run_update_promisc_locked(struct ifnet *);
443 static void	run_update_promisc(struct ifnet *);
444 static void	run_rt5390_bbp_init(struct run_softc *);
445 static int	run_bbp_init(struct run_softc *);
446 static int	run_rt3070_rf_init(struct run_softc *);
447 static void	run_rt3593_rf_init(struct run_softc *);
448 static void	run_rt5390_rf_init(struct run_softc *);
449 static int	run_rt3070_filter_calib(struct run_softc *, uint8_t, uint8_t,
450 		    uint8_t *);
451 static void	run_rt3070_rf_setup(struct run_softc *);
452 static void	run_rt3593_rf_setup(struct run_softc *);
453 static void	run_rt5390_rf_setup(struct run_softc *);
454 static int	run_txrx_enable(struct run_softc *);
455 static void	run_adjust_freq_offset(struct run_softc *);
456 static void	run_init(void *);
457 static void	run_init_locked(struct run_softc *);
458 static void	run_stop(void *);
459 static void	run_delay(struct run_softc *, u_int);
460 
461 static eventhandler_tag run_etag;
462 
463 static const struct rt2860_rate {
464 	uint8_t		rate;
465 	uint8_t		mcs;
466 	enum		ieee80211_phytype phy;
467 	uint8_t		ctl_ridx;
468 	uint16_t	sp_ack_dur;
469 	uint16_t	lp_ack_dur;
470 } rt2860_rates[] = {
471 	{   2, 0, IEEE80211_T_DS,   0, 314, 314 },
472 	{   4, 1, IEEE80211_T_DS,   1, 258, 162 },
473 	{  11, 2, IEEE80211_T_DS,   2, 223, 127 },
474 	{  22, 3, IEEE80211_T_DS,   3, 213, 117 },
475 	{  12, 0, IEEE80211_T_OFDM, 4,  60,  60 },
476 	{  18, 1, IEEE80211_T_OFDM, 4,  52,  52 },
477 	{  24, 2, IEEE80211_T_OFDM, 6,  48,  48 },
478 	{  36, 3, IEEE80211_T_OFDM, 6,  44,  44 },
479 	{  48, 4, IEEE80211_T_OFDM, 8,  44,  44 },
480 	{  72, 5, IEEE80211_T_OFDM, 8,  40,  40 },
481 	{  96, 6, IEEE80211_T_OFDM, 8,  40,  40 },
482 	{ 108, 7, IEEE80211_T_OFDM, 8,  40,  40 }
483 };
484 
485 static const struct {
486 	uint16_t	reg;
487 	uint32_t	val;
488 } rt2870_def_mac[] = {
489 	RT2870_DEF_MAC
490 };
491 
492 static const struct {
493 	uint8_t	reg;
494 	uint8_t	val;
495 } rt2860_def_bbp[] = {
496 	RT2860_DEF_BBP
497 },rt5390_def_bbp[] = {
498 	RT5390_DEF_BBP
499 },rt5592_def_bbp[] = {
500 	RT5592_DEF_BBP
501 };
502 
503 /*
504  * Default values for BBP register R196 for RT5592.
505  */
506 static const uint8_t rt5592_bbp_r196[] = {
507 	0xe0, 0x1f, 0x38, 0x32, 0x08, 0x28, 0x19, 0x0a, 0xff, 0x00,
508 	0x16, 0x10, 0x10, 0x0b, 0x36, 0x2c, 0x26, 0x24, 0x42, 0x36,
509 	0x30, 0x2d, 0x4c, 0x46, 0x3d, 0x40, 0x3e, 0x42, 0x3d, 0x40,
510 	0x3c, 0x34, 0x2c, 0x2f, 0x3c, 0x35, 0x2e, 0x2a, 0x49, 0x41,
511 	0x36, 0x31, 0x30, 0x30, 0x0e, 0x0d, 0x28, 0x21, 0x1c, 0x16,
512 	0x50, 0x4a, 0x43, 0x40, 0x10, 0x10, 0x10, 0x10, 0x00, 0x00,
513 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
514 	0x00, 0x00, 0x7d, 0x14, 0x32, 0x2c, 0x36, 0x4c, 0x43, 0x2c,
515 	0x2e, 0x36, 0x30, 0x6e
516 };
517 
518 static const struct rfprog {
519 	uint8_t		chan;
520 	uint32_t	r1, r2, r3, r4;
521 } rt2860_rf2850[] = {
522 	RT2860_RF2850
523 };
524 
525 struct {
526 	uint8_t	n, r, k;
527 } rt3070_freqs[] = {
528 	RT3070_RF3052
529 };
530 
531 static const struct rt5592_freqs {
532 	uint16_t	n;
533 	uint8_t		k, m, r;
534 } rt5592_freqs_20mhz[] = {
535 	RT5592_RF5592_20MHZ
536 },rt5592_freqs_40mhz[] = {
537 	RT5592_RF5592_40MHZ
538 };
539 
540 static const struct {
541 	uint8_t	reg;
542 	uint8_t	val;
543 } rt3070_def_rf[] = {
544 	RT3070_DEF_RF
545 },rt3572_def_rf[] = {
546 	RT3572_DEF_RF
547 },rt3593_def_rf[] = {
548 	RT3593_DEF_RF
549 },rt5390_def_rf[] = {
550 	RT5390_DEF_RF
551 },rt5392_def_rf[] = {
552 	RT5392_DEF_RF
553 },rt5592_def_rf[] = {
554 	RT5592_DEF_RF
555 },rt5592_2ghz_def_rf[] = {
556 	RT5592_2GHZ_DEF_RF
557 },rt5592_5ghz_def_rf[] = {
558 	RT5592_5GHZ_DEF_RF
559 };
560 
561 static const struct {
562 	u_int	firstchan;
563 	u_int	lastchan;
564 	uint8_t	reg;
565 	uint8_t	val;
566 } rt5592_chan_5ghz[] = {
567 	RT5592_CHAN_5GHZ
568 };
569 
570 static const struct usb_config run_config[RUN_N_XFER] = {
571     [RUN_BULK_TX_BE] = {
572 	.type = UE_BULK,
573 	.endpoint = UE_ADDR_ANY,
574 	.ep_index = 0,
575 	.direction = UE_DIR_OUT,
576 	.bufsize = RUN_MAX_TXSZ,
577 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
578 	.callback = run_bulk_tx_callback0,
579 	.timeout = 5000,	/* ms */
580     },
581     [RUN_BULK_TX_BK] = {
582 	.type = UE_BULK,
583 	.endpoint = UE_ADDR_ANY,
584 	.direction = UE_DIR_OUT,
585 	.ep_index = 1,
586 	.bufsize = RUN_MAX_TXSZ,
587 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
588 	.callback = run_bulk_tx_callback1,
589 	.timeout = 5000,	/* ms */
590     },
591     [RUN_BULK_TX_VI] = {
592 	.type = UE_BULK,
593 	.endpoint = UE_ADDR_ANY,
594 	.direction = UE_DIR_OUT,
595 	.ep_index = 2,
596 	.bufsize = RUN_MAX_TXSZ,
597 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
598 	.callback = run_bulk_tx_callback2,
599 	.timeout = 5000,	/* ms */
600     },
601     [RUN_BULK_TX_VO] = {
602 	.type = UE_BULK,
603 	.endpoint = UE_ADDR_ANY,
604 	.direction = UE_DIR_OUT,
605 	.ep_index = 3,
606 	.bufsize = RUN_MAX_TXSZ,
607 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,},
608 	.callback = run_bulk_tx_callback3,
609 	.timeout = 5000,	/* ms */
610     },
611     [RUN_BULK_TX_HCCA] = {
612 	.type = UE_BULK,
613 	.endpoint = UE_ADDR_ANY,
614 	.direction = UE_DIR_OUT,
615 	.ep_index = 4,
616 	.bufsize = RUN_MAX_TXSZ,
617 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
618 	.callback = run_bulk_tx_callback4,
619 	.timeout = 5000,	/* ms */
620     },
621     [RUN_BULK_TX_PRIO] = {
622 	.type = UE_BULK,
623 	.endpoint = UE_ADDR_ANY,
624 	.direction = UE_DIR_OUT,
625 	.ep_index = 5,
626 	.bufsize = RUN_MAX_TXSZ,
627 	.flags = {.pipe_bof = 1,.force_short_xfer = 1,.no_pipe_ok = 1,},
628 	.callback = run_bulk_tx_callback5,
629 	.timeout = 5000,	/* ms */
630     },
631     [RUN_BULK_RX] = {
632 	.type = UE_BULK,
633 	.endpoint = UE_ADDR_ANY,
634 	.direction = UE_DIR_IN,
635 	.bufsize = RUN_MAX_RXSZ,
636 	.flags = {.pipe_bof = 1,.short_xfer_ok = 1,},
637 	.callback = run_bulk_rx_callback,
638     }
639 };
640 
641 static void
642 run_autoinst(void *arg, struct usb_device *udev,
643     struct usb_attach_arg *uaa)
644 {
645 	struct usb_interface *iface;
646 	struct usb_interface_descriptor *id;
647 
648 	if (uaa->dev_state != UAA_DEV_READY)
649 		return;
650 
651 	iface = usbd_get_iface(udev, 0);
652 	if (iface == NULL)
653 		return;
654 	id = iface->idesc;
655 	if (id == NULL || id->bInterfaceClass != UICLASS_MASS)
656 		return;
657 	if (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa))
658 		return;
659 
660 	if (usb_msc_eject(udev, 0, MSC_EJECT_STOPUNIT) == 0)
661 		uaa->dev_state = UAA_DEV_EJECTING;
662 }
663 
664 static int
665 run_driver_loaded(struct module *mod, int what, void *arg)
666 {
667 	switch (what) {
668 	case MOD_LOAD:
669 		run_etag = EVENTHANDLER_REGISTER(usb_dev_configured,
670 		    run_autoinst, NULL, EVENTHANDLER_PRI_ANY);
671 		break;
672 	case MOD_UNLOAD:
673 		EVENTHANDLER_DEREGISTER(usb_dev_configured, run_etag);
674 		break;
675 	default:
676 		return (EOPNOTSUPP);
677 	}
678 	return (0);
679 }
680 
681 static int
682 run_match(device_t self)
683 {
684 	struct usb_attach_arg *uaa = device_get_ivars(self);
685 
686 	if (uaa->usb_mode != USB_MODE_HOST)
687 		return (ENXIO);
688 	if (uaa->info.bConfigIndex != 0)
689 		return (ENXIO);
690 	if (uaa->info.bIfaceIndex != RT2860_IFACE_INDEX)
691 		return (ENXIO);
692 
693 	return (usbd_lookup_id_by_uaa(run_devs, sizeof(run_devs), uaa));
694 }
695 
696 static int
697 run_attach(device_t self)
698 {
699 	struct run_softc *sc = device_get_softc(self);
700 	struct usb_attach_arg *uaa = device_get_ivars(self);
701 	struct ieee80211com *ic;
702 	struct ifnet *ifp;
703 	uint32_t ver;
704 	int ntries, error;
705 	uint8_t iface_index, bands;
706 
707 	device_set_usb_desc(self);
708 	sc->sc_udev = uaa->device;
709 	sc->sc_dev = self;
710 
711 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev),
712 	    MTX_NETWORK_LOCK, MTX_DEF);
713 
714 	iface_index = RT2860_IFACE_INDEX;
715 
716 	error = usbd_transfer_setup(uaa->device, &iface_index,
717 	    sc->sc_xfer, run_config, RUN_N_XFER, sc, &sc->sc_mtx);
718 	if (error) {
719 		device_printf(self, "could not allocate USB transfers, "
720 		    "err=%s\n", usbd_errstr(error));
721 		goto detach;
722 	}
723 
724 	RUN_LOCK(sc);
725 
726 	/* wait for the chip to settle */
727 	for (ntries = 0; ntries < 100; ntries++) {
728 		if (run_read(sc, RT2860_ASIC_VER_ID, &ver) != 0) {
729 			RUN_UNLOCK(sc);
730 			goto detach;
731 		}
732 		if (ver != 0 && ver != 0xffffffff)
733 			break;
734 		run_delay(sc, 10);
735 	}
736 	if (ntries == 100) {
737 		device_printf(sc->sc_dev,
738 		    "timeout waiting for NIC to initialize\n");
739 		RUN_UNLOCK(sc);
740 		goto detach;
741 	}
742 	sc->mac_ver = ver >> 16;
743 	sc->mac_rev = ver & 0xffff;
744 
745 	/* retrieve RF rev. no and various other things from EEPROM */
746 	run_read_eeprom(sc);
747 
748 	device_printf(sc->sc_dev,
749 	    "MAC/BBP RT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), address %s\n",
750 	    sc->mac_ver, sc->mac_rev, run_get_rf(sc->rf_rev),
751 	    sc->ntxchains, sc->nrxchains, ether_sprintf(sc->sc_bssid));
752 
753 	RUN_UNLOCK(sc);
754 
755 	ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
756 	if (ifp == NULL) {
757 		device_printf(sc->sc_dev, "can not if_alloc()\n");
758 		goto detach;
759 	}
760 	ic = ifp->if_l2com;
761 
762 	ifp->if_softc = sc;
763 	if_initname(ifp, "run", device_get_unit(sc->sc_dev));
764 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
765 	ifp->if_init = run_init;
766 	ifp->if_ioctl = run_ioctl;
767 	ifp->if_start = run_start;
768 	IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
769 	ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
770 	IFQ_SET_READY(&ifp->if_snd);
771 
772 	ic->ic_ifp = ifp;
773 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
774 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
775 
776 	/* set device capabilities */
777 	ic->ic_caps =
778 	    IEEE80211_C_STA |		/* station mode supported */
779 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
780 	    IEEE80211_C_IBSS |
781 	    IEEE80211_C_HOSTAP |
782 	    IEEE80211_C_WDS |		/* 4-address traffic works */
783 	    IEEE80211_C_MBSS |
784 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
785 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
786 	    IEEE80211_C_WME |		/* WME */
787 	    IEEE80211_C_WPA;		/* WPA1|WPA2(RSN) */
788 
789 	ic->ic_cryptocaps =
790 	    IEEE80211_CRYPTO_WEP |
791 	    IEEE80211_CRYPTO_AES_CCM |
792 	    IEEE80211_CRYPTO_TKIPMIC |
793 	    IEEE80211_CRYPTO_TKIP;
794 
795 	ic->ic_flags |= IEEE80211_F_DATAPAD;
796 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
797 
798 	bands = 0;
799 	setbit(&bands, IEEE80211_MODE_11B);
800 	setbit(&bands, IEEE80211_MODE_11G);
801 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
802 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
803 	    sc->rf_rev == RT5592_RF_5592)
804 		setbit(&bands, IEEE80211_MODE_11A);
805 	ieee80211_init_channels(ic, NULL, &bands);
806 
807 	ieee80211_ifattach(ic, sc->sc_bssid);
808 
809 	ic->ic_scan_start = run_scan_start;
810 	ic->ic_scan_end = run_scan_end;
811 	ic->ic_set_channel = run_set_channel;
812 	ic->ic_node_alloc = run_node_alloc;
813 	ic->ic_newassoc = run_newassoc;
814 	ic->ic_updateslot = run_updateslot;
815 	ic->ic_update_mcast = run_update_mcast;
816 	ic->ic_wme.wme_update = run_wme_update;
817 	ic->ic_raw_xmit = run_raw_xmit;
818 	ic->ic_update_promisc = run_update_promisc;
819 
820 	ic->ic_vap_create = run_vap_create;
821 	ic->ic_vap_delete = run_vap_delete;
822 
823 	ieee80211_radiotap_attach(ic,
824 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
825 		RUN_TX_RADIOTAP_PRESENT,
826 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
827 		RUN_RX_RADIOTAP_PRESENT);
828 
829 	TASK_INIT(&sc->cmdq_task, 0, run_cmdq_cb, sc);
830 	TASK_INIT(&sc->ratectl_task, 0, run_ratectl_cb, sc);
831 	usb_callout_init_mtx(&sc->ratectl_ch, &sc->sc_mtx, 0);
832 
833 	if (bootverbose)
834 		ieee80211_announce(ic);
835 
836 	return (0);
837 
838 detach:
839 	run_detach(self);
840 	return (ENXIO);
841 }
842 
843 static int
844 run_detach(device_t self)
845 {
846 	struct run_softc *sc = device_get_softc(self);
847 	struct ifnet *ifp = sc->sc_ifp;
848 	struct ieee80211com *ic;
849 	int i;
850 
851 	RUN_LOCK(sc);
852 	sc->sc_detached = 1;
853 	RUN_UNLOCK(sc);
854 
855 	/* stop all USB transfers */
856 	usbd_transfer_unsetup(sc->sc_xfer, RUN_N_XFER);
857 
858 	RUN_LOCK(sc);
859 	sc->ratectl_run = RUN_RATECTL_OFF;
860 	sc->cmdq_run = sc->cmdq_key_set = RUN_CMDQ_ABORT;
861 
862 	/* free TX list, if any */
863 	for (i = 0; i != RUN_EP_QUEUES; i++)
864 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
865 	RUN_UNLOCK(sc);
866 
867 	if (ifp) {
868 		ic = ifp->if_l2com;
869 		/* drain tasks */
870 		usb_callout_drain(&sc->ratectl_ch);
871 		ieee80211_draintask(ic, &sc->cmdq_task);
872 		ieee80211_draintask(ic, &sc->ratectl_task);
873 		ieee80211_ifdetach(ic);
874 		if_free(ifp);
875 	}
876 
877 	mtx_destroy(&sc->sc_mtx);
878 
879 	return (0);
880 }
881 
882 static struct ieee80211vap *
883 run_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
884     enum ieee80211_opmode opmode, int flags,
885     const uint8_t bssid[IEEE80211_ADDR_LEN],
886     const uint8_t mac[IEEE80211_ADDR_LEN])
887 {
888 	struct ifnet *ifp = ic->ic_ifp;
889 	struct run_softc *sc = ifp->if_softc;
890 	struct run_vap *rvp;
891 	struct ieee80211vap *vap;
892 	int i;
893 
894 	if (sc->rvp_cnt >= RUN_VAP_MAX) {
895 		if_printf(ifp, "number of VAPs maxed out\n");
896 		return (NULL);
897 	}
898 
899 	switch (opmode) {
900 	case IEEE80211_M_STA:
901 		/* enable s/w bmiss handling for sta mode */
902 		flags |= IEEE80211_CLONE_NOBEACONS;
903 		/* fall though */
904 	case IEEE80211_M_IBSS:
905 	case IEEE80211_M_MONITOR:
906 	case IEEE80211_M_HOSTAP:
907 	case IEEE80211_M_MBSS:
908 		/* other than WDS vaps, only one at a time */
909 		if (!TAILQ_EMPTY(&ic->ic_vaps))
910 			return (NULL);
911 		break;
912 	case IEEE80211_M_WDS:
913 		TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next){
914 			if(vap->iv_opmode != IEEE80211_M_HOSTAP)
915 				continue;
916 			/* WDS vap's always share the local mac address. */
917 			flags &= ~IEEE80211_CLONE_BSSID;
918 			break;
919 		}
920 		if (vap == NULL) {
921 			if_printf(ifp, "wds only supported in ap mode\n");
922 			return (NULL);
923 		}
924 		break;
925 	default:
926 		if_printf(ifp, "unknown opmode %d\n", opmode);
927 		return (NULL);
928 	}
929 
930 	rvp = (struct run_vap *) malloc(sizeof(struct run_vap),
931 	    M_80211_VAP, M_NOWAIT | M_ZERO);
932 	if (rvp == NULL)
933 		return (NULL);
934 	vap = &rvp->vap;
935 
936 	if (ieee80211_vap_setup(ic, vap, name, unit,
937 	    opmode, flags, bssid, mac) != 0) {
938 		/* out of memory */
939 		free(rvp, M_80211_VAP);
940 		return (NULL);
941 	}
942 
943 	vap->iv_key_update_begin = run_key_update_begin;
944 	vap->iv_key_update_end = run_key_update_end;
945 	vap->iv_update_beacon = run_update_beacon;
946 	vap->iv_max_aid = RT2870_WCID_MAX;
947 	/*
948 	 * To delete the right key from h/w, we need wcid.
949 	 * Luckily, there is unused space in ieee80211_key{}, wk_pad,
950 	 * and matching wcid will be written into there. So, cast
951 	 * some spells to remove 'const' from ieee80211_key{}
952 	 */
953 	vap->iv_key_delete = (void *)run_key_delete;
954 	vap->iv_key_set = (void *)run_key_set;
955 
956 	/* override state transition machine */
957 	rvp->newstate = vap->iv_newstate;
958 	vap->iv_newstate = run_newstate;
959 
960 	ieee80211_ratectl_init(vap);
961 	ieee80211_ratectl_setinterval(vap, 1000 /* 1 sec */);
962 
963 	/* complete setup */
964 	ieee80211_vap_attach(vap, run_media_change, ieee80211_media_status);
965 
966 	/* make sure id is always unique */
967 	for (i = 0; i < RUN_VAP_MAX; i++) {
968 		if((sc->rvp_bmap & 1 << i) == 0){
969 			sc->rvp_bmap |= 1 << i;
970 			rvp->rvp_id = i;
971 			break;
972 		}
973 	}
974 	if (sc->rvp_cnt++ == 0)
975 		ic->ic_opmode = opmode;
976 
977 	if (opmode == IEEE80211_M_HOSTAP)
978 		sc->cmdq_run = RUN_CMDQ_GO;
979 
980 	DPRINTF("rvp_id=%d bmap=%x rvp_cnt=%d\n",
981 	    rvp->rvp_id, sc->rvp_bmap, sc->rvp_cnt);
982 
983 	return (vap);
984 }
985 
986 static void
987 run_vap_delete(struct ieee80211vap *vap)
988 {
989 	struct run_vap *rvp = RUN_VAP(vap);
990 	struct ifnet *ifp;
991 	struct ieee80211com *ic;
992 	struct run_softc *sc;
993 	uint8_t rvp_id;
994 
995 	if (vap == NULL)
996 		return;
997 
998 	ic = vap->iv_ic;
999 	ifp = ic->ic_ifp;
1000 
1001 	sc = ifp->if_softc;
1002 
1003 	RUN_LOCK(sc);
1004 
1005 	m_freem(rvp->beacon_mbuf);
1006 	rvp->beacon_mbuf = NULL;
1007 
1008 	rvp_id = rvp->rvp_id;
1009 	sc->ratectl_run &= ~(1 << rvp_id);
1010 	sc->rvp_bmap &= ~(1 << rvp_id);
1011 	run_set_region_4(sc, RT2860_SKEY(rvp_id, 0), 0, 128);
1012 	run_set_region_4(sc, RT2860_BCN_BASE(rvp_id), 0, 512);
1013 	--sc->rvp_cnt;
1014 
1015 	DPRINTF("vap=%p rvp_id=%d bmap=%x rvp_cnt=%d\n",
1016 	    vap, rvp_id, sc->rvp_bmap, sc->rvp_cnt);
1017 
1018 	RUN_UNLOCK(sc);
1019 
1020 	ieee80211_ratectl_deinit(vap);
1021 	ieee80211_vap_detach(vap);
1022 	free(rvp, M_80211_VAP);
1023 }
1024 
1025 /*
1026  * There are numbers of functions need to be called in context thread.
1027  * Rather than creating taskqueue event for each of those functions,
1028  * here is all-for-one taskqueue callback function. This function
1029  * gurantees deferred functions are executed in the same order they
1030  * were enqueued.
1031  * '& RUN_CMDQ_MASQ' is to loop cmdq[].
1032  */
1033 static void
1034 run_cmdq_cb(void *arg, int pending)
1035 {
1036 	struct run_softc *sc = arg;
1037 	uint8_t i;
1038 
1039 	/* call cmdq[].func locked */
1040 	RUN_LOCK(sc);
1041 	for (i = sc->cmdq_exec; sc->cmdq[i].func && pending;
1042 	    i = sc->cmdq_exec, pending--) {
1043 		DPRINTFN(6, "cmdq_exec=%d pending=%d\n", i, pending);
1044 		if (sc->cmdq_run == RUN_CMDQ_GO) {
1045 			/*
1046 			 * If arg0 is NULL, callback func needs more
1047 			 * than one arg. So, pass ptr to cmdq struct.
1048 			 */
1049 			if (sc->cmdq[i].arg0)
1050 				sc->cmdq[i].func(sc->cmdq[i].arg0);
1051 			else
1052 				sc->cmdq[i].func(&sc->cmdq[i]);
1053 		}
1054 		sc->cmdq[i].arg0 = NULL;
1055 		sc->cmdq[i].func = NULL;
1056 		sc->cmdq_exec++;
1057 		sc->cmdq_exec &= RUN_CMDQ_MASQ;
1058 	}
1059 	RUN_UNLOCK(sc);
1060 }
1061 
1062 static void
1063 run_setup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1064 {
1065 	struct run_tx_data *data;
1066 
1067 	memset(pq, 0, sizeof(*pq));
1068 
1069 	STAILQ_INIT(&pq->tx_qh);
1070 	STAILQ_INIT(&pq->tx_fh);
1071 
1072 	for (data = &pq->tx_data[0];
1073 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1074 		data->sc = sc;
1075 		STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
1076 	}
1077 	pq->tx_nfree = RUN_TX_RING_COUNT;
1078 }
1079 
1080 static void
1081 run_unsetup_tx_list(struct run_softc *sc, struct run_endpoint_queue *pq)
1082 {
1083 	struct run_tx_data *data;
1084 
1085 	/* make sure any subsequent use of the queues will fail */
1086 	pq->tx_nfree = 0;
1087 	STAILQ_INIT(&pq->tx_fh);
1088 	STAILQ_INIT(&pq->tx_qh);
1089 
1090 	/* free up all node references and mbufs */
1091 	for (data = &pq->tx_data[0];
1092 	    data < &pq->tx_data[RUN_TX_RING_COUNT]; data++) {
1093 		if (data->m != NULL) {
1094 			m_freem(data->m);
1095 			data->m = NULL;
1096 		}
1097 		if (data->ni != NULL) {
1098 			ieee80211_free_node(data->ni);
1099 			data->ni = NULL;
1100 		}
1101 	}
1102 }
1103 
1104 static int
1105 run_load_microcode(struct run_softc *sc)
1106 {
1107 	usb_device_request_t req;
1108 	const struct firmware *fw;
1109 	const u_char *base;
1110 	uint32_t tmp;
1111 	int ntries, error;
1112 	const uint64_t *temp;
1113 	uint64_t bytes;
1114 
1115 	RUN_UNLOCK(sc);
1116 	fw = firmware_get("runfw");
1117 	RUN_LOCK(sc);
1118 	if (fw == NULL) {
1119 		device_printf(sc->sc_dev,
1120 		    "failed loadfirmware of file %s\n", "runfw");
1121 		return ENOENT;
1122 	}
1123 
1124 	if (fw->datasize != 8192) {
1125 		device_printf(sc->sc_dev,
1126 		    "invalid firmware size (should be 8KB)\n");
1127 		error = EINVAL;
1128 		goto fail;
1129 	}
1130 
1131 	/*
1132 	 * RT3071/RT3072 use a different firmware
1133 	 * run-rt2870 (8KB) contains both,
1134 	 * first half (4KB) is for rt2870,
1135 	 * last half is for rt3071.
1136 	 */
1137 	base = fw->data;
1138 	if ((sc->mac_ver) != 0x2860 &&
1139 	    (sc->mac_ver) != 0x2872 &&
1140 	    (sc->mac_ver) != 0x3070) {
1141 		base += 4096;
1142 	}
1143 
1144 	/* cheap sanity check */
1145 	temp = fw->data;
1146 	bytes = *temp;
1147 	if (bytes != be64toh(0xffffff0210280210ULL)) {
1148 		device_printf(sc->sc_dev, "firmware checksum failed\n");
1149 		error = EINVAL;
1150 		goto fail;
1151 	}
1152 
1153 	/* write microcode image */
1154 	if (sc->mac_ver != 0x3593) {
1155 		run_write_region_1(sc, RT2870_FW_BASE, base, 4096);
1156 		run_write(sc, RT2860_H2M_MAILBOX_CID, 0xffffffff);
1157 		run_write(sc, RT2860_H2M_MAILBOX_STATUS, 0xffffffff);
1158 	}
1159 
1160 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1161 	req.bRequest = RT2870_RESET;
1162 	USETW(req.wValue, 8);
1163 	USETW(req.wIndex, 0);
1164 	USETW(req.wLength, 0);
1165 	if ((error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL))
1166 	    != 0) {
1167 		device_printf(sc->sc_dev, "firmware reset failed\n");
1168 		goto fail;
1169 	}
1170 
1171 	run_delay(sc, 10);
1172 
1173 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
1174 	run_write(sc, RT2860_H2M_MAILBOX, 0);
1175 	run_write(sc, RT2860_H2M_INTSRC, 0);
1176 	if ((error = run_mcu_cmd(sc, RT2860_MCU_CMD_RFRESET, 0)) != 0)
1177 		goto fail;
1178 
1179 	/* wait until microcontroller is ready */
1180 	for (ntries = 0; ntries < 1000; ntries++) {
1181 		if ((error = run_read(sc, RT2860_SYS_CTRL, &tmp)) != 0)
1182 			goto fail;
1183 		if (tmp & RT2860_MCU_READY)
1184 			break;
1185 		run_delay(sc, 10);
1186 	}
1187 	if (ntries == 1000) {
1188 		device_printf(sc->sc_dev,
1189 		    "timeout waiting for MCU to initialize\n");
1190 		error = ETIMEDOUT;
1191 		goto fail;
1192 	}
1193 	device_printf(sc->sc_dev, "firmware %s ver. %u.%u loaded\n",
1194 	    (base == fw->data) ? "RT2870" : "RT3071",
1195 	    *(base + 4092), *(base + 4093));
1196 
1197 fail:
1198 	firmware_put(fw, FIRMWARE_UNLOAD);
1199 	return (error);
1200 }
1201 
1202 static int
1203 run_reset(struct run_softc *sc)
1204 {
1205 	usb_device_request_t req;
1206 
1207 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1208 	req.bRequest = RT2870_RESET;
1209 	USETW(req.wValue, 1);
1210 	USETW(req.wIndex, 0);
1211 	USETW(req.wLength, 0);
1212 	return (usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, NULL));
1213 }
1214 
1215 static usb_error_t
1216 run_do_request(struct run_softc *sc,
1217     struct usb_device_request *req, void *data)
1218 {
1219 	usb_error_t err;
1220 	int ntries = 10;
1221 
1222 	RUN_LOCK_ASSERT(sc, MA_OWNED);
1223 
1224 	while (ntries--) {
1225 		err = usbd_do_request_flags(sc->sc_udev, &sc->sc_mtx,
1226 		    req, data, 0, NULL, 250 /* ms */);
1227 		if (err == 0)
1228 			break;
1229 		DPRINTFN(1, "Control request failed, %s (retrying)\n",
1230 		    usbd_errstr(err));
1231 		run_delay(sc, 10);
1232 	}
1233 	return (err);
1234 }
1235 
1236 static int
1237 run_read(struct run_softc *sc, uint16_t reg, uint32_t *val)
1238 {
1239 	uint32_t tmp;
1240 	int error;
1241 
1242 	error = run_read_region_1(sc, reg, (uint8_t *)&tmp, sizeof tmp);
1243 	if (error == 0)
1244 		*val = le32toh(tmp);
1245 	else
1246 		*val = 0xffffffff;
1247 	return (error);
1248 }
1249 
1250 static int
1251 run_read_region_1(struct run_softc *sc, uint16_t reg, uint8_t *buf, int len)
1252 {
1253 	usb_device_request_t req;
1254 
1255 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1256 	req.bRequest = RT2870_READ_REGION_1;
1257 	USETW(req.wValue, 0);
1258 	USETW(req.wIndex, reg);
1259 	USETW(req.wLength, len);
1260 
1261 	return (run_do_request(sc, &req, buf));
1262 }
1263 
1264 static int
1265 run_write_2(struct run_softc *sc, uint16_t reg, uint16_t val)
1266 {
1267 	usb_device_request_t req;
1268 
1269 	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1270 	req.bRequest = RT2870_WRITE_2;
1271 	USETW(req.wValue, val);
1272 	USETW(req.wIndex, reg);
1273 	USETW(req.wLength, 0);
1274 
1275 	return (run_do_request(sc, &req, NULL));
1276 }
1277 
1278 static int
1279 run_write(struct run_softc *sc, uint16_t reg, uint32_t val)
1280 {
1281 	int error;
1282 
1283 	if ((error = run_write_2(sc, reg, val & 0xffff)) == 0)
1284 		error = run_write_2(sc, reg + 2, val >> 16);
1285 	return (error);
1286 }
1287 
1288 static int
1289 run_write_region_1(struct run_softc *sc, uint16_t reg, const uint8_t *buf,
1290     int len)
1291 {
1292 #if 1
1293 	int i, error = 0;
1294 	/*
1295 	 * NB: the WRITE_REGION_1 command is not stable on RT2860.
1296 	 * We thus issue multiple WRITE_2 commands instead.
1297 	 */
1298 	KASSERT((len & 1) == 0, ("run_write_region_1: Data too long.\n"));
1299 	for (i = 0; i < len && error == 0; i += 2)
1300 		error = run_write_2(sc, reg + i, buf[i] | buf[i + 1] << 8);
1301 	return (error);
1302 #else
1303 	usb_device_request_t req;
1304 	int error = 0;
1305 
1306 	/*
1307 	 * NOTE: It appears the WRITE_REGION_1 command cannot be
1308 	 * passed a huge amount of data, which will crash the
1309 	 * firmware. Limit amount of data passed to 64-bytes at a
1310 	 * time.
1311 	 */
1312 	while (len > 0) {
1313 		int delta = 64;
1314 		if (delta > len)
1315 			delta = len;
1316 
1317 		req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
1318 		req.bRequest = RT2870_WRITE_REGION_1;
1319 		USETW(req.wValue, 0);
1320 		USETW(req.wIndex, reg);
1321 		USETW(req.wLength, delta);
1322 		error = run_do_request(sc, &req, __DECONST(uint8_t *, buf));
1323 		if (error != 0)
1324 			break;
1325 		reg += delta;
1326 		buf += delta;
1327 		len -= delta;
1328 	}
1329 	return (error);
1330 #endif
1331 }
1332 
1333 static int
1334 run_set_region_4(struct run_softc *sc, uint16_t reg, uint32_t val, int len)
1335 {
1336 	int i, error = 0;
1337 
1338 	KASSERT((len & 3) == 0, ("run_set_region_4: Invalid data length.\n"));
1339 	for (i = 0; i < len && error == 0; i += 4)
1340 		error = run_write(sc, reg + i, val);
1341 	return (error);
1342 }
1343 
1344 static int
1345 run_efuse_read(struct run_softc *sc, uint16_t addr, uint16_t *val, int count)
1346 {
1347 	uint32_t tmp;
1348 	uint16_t reg;
1349 	int error, ntries;
1350 
1351 	if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1352 		return (error);
1353 
1354 	if (count == 2)
1355 		addr *= 2;
1356 	/*-
1357 	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
1358 	 * DATA0: F E D C
1359 	 * DATA1: B A 9 8
1360 	 * DATA2: 7 6 5 4
1361 	 * DATA3: 3 2 1 0
1362 	 */
1363 	tmp &= ~(RT3070_EFSROM_MODE_MASK | RT3070_EFSROM_AIN_MASK);
1364 	tmp |= (addr & ~0xf) << RT3070_EFSROM_AIN_SHIFT | RT3070_EFSROM_KICK;
1365 	run_write(sc, RT3070_EFUSE_CTRL, tmp);
1366 	for (ntries = 0; ntries < 100; ntries++) {
1367 		if ((error = run_read(sc, RT3070_EFUSE_CTRL, &tmp)) != 0)
1368 			return (error);
1369 		if (!(tmp & RT3070_EFSROM_KICK))
1370 			break;
1371 		run_delay(sc, 2);
1372 	}
1373 	if (ntries == 100)
1374 		return (ETIMEDOUT);
1375 
1376 	if ((tmp & RT3070_EFUSE_AOUT_MASK) == RT3070_EFUSE_AOUT_MASK) {
1377 		*val = 0xffff;	/* address not found */
1378 		return (0);
1379 	}
1380 	/* determine to which 32-bit register our 16-bit word belongs */
1381 	reg = RT3070_EFUSE_DATA3 - (addr & 0xc);
1382 	if ((error = run_read(sc, reg, &tmp)) != 0)
1383 		return (error);
1384 
1385 	tmp >>= (8 * (addr & 0x3));
1386 	*val = (addr & 1) ? tmp >> 16 : tmp & 0xffff;
1387 
1388 	return (0);
1389 }
1390 
1391 /* Read 16-bit from eFUSE ROM for RT3xxx. */
1392 static int
1393 run_efuse_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1394 {
1395 	return (run_efuse_read(sc, addr, val, 2));
1396 }
1397 
1398 static int
1399 run_eeprom_read_2(struct run_softc *sc, uint16_t addr, uint16_t *val)
1400 {
1401 	usb_device_request_t req;
1402 	uint16_t tmp;
1403 	int error;
1404 
1405 	addr *= 2;
1406 	req.bmRequestType = UT_READ_VENDOR_DEVICE;
1407 	req.bRequest = RT2870_EEPROM_READ;
1408 	USETW(req.wValue, 0);
1409 	USETW(req.wIndex, addr);
1410 	USETW(req.wLength, sizeof(tmp));
1411 
1412 	error = usbd_do_request(sc->sc_udev, &sc->sc_mtx, &req, &tmp);
1413 	if (error == 0)
1414 		*val = le16toh(tmp);
1415 	else
1416 		*val = 0xffff;
1417 	return (error);
1418 }
1419 
1420 static __inline int
1421 run_srom_read(struct run_softc *sc, uint16_t addr, uint16_t *val)
1422 {
1423 	/* either eFUSE ROM or EEPROM */
1424 	return sc->sc_srom_read(sc, addr, val);
1425 }
1426 
1427 static int
1428 run_rt2870_rf_write(struct run_softc *sc, uint32_t val)
1429 {
1430 	uint32_t tmp;
1431 	int error, ntries;
1432 
1433 	for (ntries = 0; ntries < 10; ntries++) {
1434 		if ((error = run_read(sc, RT2860_RF_CSR_CFG0, &tmp)) != 0)
1435 			return (error);
1436 		if (!(tmp & RT2860_RF_REG_CTRL))
1437 			break;
1438 	}
1439 	if (ntries == 10)
1440 		return (ETIMEDOUT);
1441 
1442 	return (run_write(sc, RT2860_RF_CSR_CFG0, val));
1443 }
1444 
1445 static int
1446 run_rt3070_rf_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1447 {
1448 	uint32_t tmp;
1449 	int error, ntries;
1450 
1451 	for (ntries = 0; ntries < 100; ntries++) {
1452 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1453 			return (error);
1454 		if (!(tmp & RT3070_RF_KICK))
1455 			break;
1456 	}
1457 	if (ntries == 100)
1458 		return (ETIMEDOUT);
1459 
1460 	tmp = RT3070_RF_KICK | reg << 8;
1461 	if ((error = run_write(sc, RT3070_RF_CSR_CFG, tmp)) != 0)
1462 		return (error);
1463 
1464 	for (ntries = 0; ntries < 100; ntries++) {
1465 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1466 			return (error);
1467 		if (!(tmp & RT3070_RF_KICK))
1468 			break;
1469 	}
1470 	if (ntries == 100)
1471 		return (ETIMEDOUT);
1472 
1473 	*val = tmp & 0xff;
1474 	return (0);
1475 }
1476 
1477 static int
1478 run_rt3070_rf_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1479 {
1480 	uint32_t tmp;
1481 	int error, ntries;
1482 
1483 	for (ntries = 0; ntries < 10; ntries++) {
1484 		if ((error = run_read(sc, RT3070_RF_CSR_CFG, &tmp)) != 0)
1485 			return (error);
1486 		if (!(tmp & RT3070_RF_KICK))
1487 			break;
1488 	}
1489 	if (ntries == 10)
1490 		return (ETIMEDOUT);
1491 
1492 	tmp = RT3070_RF_WRITE | RT3070_RF_KICK | reg << 8 | val;
1493 	return (run_write(sc, RT3070_RF_CSR_CFG, tmp));
1494 }
1495 
1496 static int
1497 run_bbp_read(struct run_softc *sc, uint8_t reg, uint8_t *val)
1498 {
1499 	uint32_t tmp;
1500 	int ntries, error;
1501 
1502 	for (ntries = 0; ntries < 10; ntries++) {
1503 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1504 			return (error);
1505 		if (!(tmp & RT2860_BBP_CSR_KICK))
1506 			break;
1507 	}
1508 	if (ntries == 10)
1509 		return (ETIMEDOUT);
1510 
1511 	tmp = RT2860_BBP_CSR_READ | RT2860_BBP_CSR_KICK | reg << 8;
1512 	if ((error = run_write(sc, RT2860_BBP_CSR_CFG, tmp)) != 0)
1513 		return (error);
1514 
1515 	for (ntries = 0; ntries < 10; ntries++) {
1516 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1517 			return (error);
1518 		if (!(tmp & RT2860_BBP_CSR_KICK))
1519 			break;
1520 	}
1521 	if (ntries == 10)
1522 		return (ETIMEDOUT);
1523 
1524 	*val = tmp & 0xff;
1525 	return (0);
1526 }
1527 
1528 static int
1529 run_bbp_write(struct run_softc *sc, uint8_t reg, uint8_t val)
1530 {
1531 	uint32_t tmp;
1532 	int ntries, error;
1533 
1534 	for (ntries = 0; ntries < 10; ntries++) {
1535 		if ((error = run_read(sc, RT2860_BBP_CSR_CFG, &tmp)) != 0)
1536 			return (error);
1537 		if (!(tmp & RT2860_BBP_CSR_KICK))
1538 			break;
1539 	}
1540 	if (ntries == 10)
1541 		return (ETIMEDOUT);
1542 
1543 	tmp = RT2860_BBP_CSR_KICK | reg << 8 | val;
1544 	return (run_write(sc, RT2860_BBP_CSR_CFG, tmp));
1545 }
1546 
1547 /*
1548  * Send a command to the 8051 microcontroller unit.
1549  */
1550 static int
1551 run_mcu_cmd(struct run_softc *sc, uint8_t cmd, uint16_t arg)
1552 {
1553 	uint32_t tmp;
1554 	int error, ntries;
1555 
1556 	for (ntries = 0; ntries < 100; ntries++) {
1557 		if ((error = run_read(sc, RT2860_H2M_MAILBOX, &tmp)) != 0)
1558 			return error;
1559 		if (!(tmp & RT2860_H2M_BUSY))
1560 			break;
1561 	}
1562 	if (ntries == 100)
1563 		return ETIMEDOUT;
1564 
1565 	tmp = RT2860_H2M_BUSY | RT2860_TOKEN_NO_INTR << 16 | arg;
1566 	if ((error = run_write(sc, RT2860_H2M_MAILBOX, tmp)) == 0)
1567 		error = run_write(sc, RT2860_HOST_CMD, cmd);
1568 	return (error);
1569 }
1570 
1571 /*
1572  * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
1573  * Used to adjust per-rate Tx power registers.
1574  */
1575 static __inline uint32_t
1576 b4inc(uint32_t b32, int8_t delta)
1577 {
1578 	int8_t i, b4;
1579 
1580 	for (i = 0; i < 8; i++) {
1581 		b4 = b32 & 0xf;
1582 		b4 += delta;
1583 		if (b4 < 0)
1584 			b4 = 0;
1585 		else if (b4 > 0xf)
1586 			b4 = 0xf;
1587 		b32 = b32 >> 4 | b4 << 28;
1588 	}
1589 	return (b32);
1590 }
1591 
1592 static const char *
1593 run_get_rf(uint16_t rev)
1594 {
1595 	switch (rev) {
1596 	case RT2860_RF_2820:	return "RT2820";
1597 	case RT2860_RF_2850:	return "RT2850";
1598 	case RT2860_RF_2720:	return "RT2720";
1599 	case RT2860_RF_2750:	return "RT2750";
1600 	case RT3070_RF_3020:	return "RT3020";
1601 	case RT3070_RF_2020:	return "RT2020";
1602 	case RT3070_RF_3021:	return "RT3021";
1603 	case RT3070_RF_3022:	return "RT3022";
1604 	case RT3070_RF_3052:	return "RT3052";
1605 	case RT3593_RF_3053:	return "RT3053";
1606 	case RT5592_RF_5592:	return "RT5592";
1607 	case RT5390_RF_5370:	return "RT5370";
1608 	case RT5390_RF_5372:	return "RT5372";
1609 	}
1610 	return ("unknown");
1611 }
1612 
1613 static void
1614 run_rt3593_get_txpower(struct run_softc *sc)
1615 {
1616 	uint16_t addr, val;
1617 	int i;
1618 
1619 	/* Read power settings for 2GHz channels. */
1620 	for (i = 0; i < 14; i += 2) {
1621 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE1 :
1622 		    RT2860_EEPROM_PWR2GHZ_BASE1;
1623 		run_srom_read(sc, addr + i / 2, &val);
1624 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1625 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1626 
1627 		addr = (sc->ntxchains == 3) ? RT3593_EEPROM_PWR2GHZ_BASE2 :
1628 		    RT2860_EEPROM_PWR2GHZ_BASE2;
1629 		run_srom_read(sc, addr + i / 2, &val);
1630 		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1631 		sc->txpow2[i + 1] = (int8_t)(val >> 8);
1632 
1633 		if (sc->ntxchains == 3) {
1634 			run_srom_read(sc, RT3593_EEPROM_PWR2GHZ_BASE3 + i / 2,
1635 			    &val);
1636 			sc->txpow3[i + 0] = (int8_t)(val & 0xff);
1637 			sc->txpow3[i + 1] = (int8_t)(val >> 8);
1638 		}
1639 	}
1640 	/* Fix broken Tx power entries. */
1641 	for (i = 0; i < 14; i++) {
1642 		if (sc->txpow1[i] > 31)
1643 			sc->txpow1[i] = 5;
1644 		if (sc->txpow2[i] > 31)
1645 			sc->txpow2[i] = 5;
1646 		if (sc->ntxchains == 3) {
1647 			if (sc->txpow3[i] > 31)
1648 				sc->txpow3[i] = 5;
1649 		}
1650 	}
1651 	/* Read power settings for 5GHz channels. */
1652 	for (i = 0; i < 40; i += 2) {
1653 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1654 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1655 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1656 
1657 		run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1658 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1659 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1660 
1661 		if (sc->ntxchains == 3) {
1662 			run_srom_read(sc, RT3593_EEPROM_PWR5GHZ_BASE3 + i / 2,
1663 			    &val);
1664 			sc->txpow3[i + 14] = (int8_t)(val & 0xff);
1665 			sc->txpow3[i + 15] = (int8_t)(val >> 8);
1666 		}
1667 	}
1668 }
1669 
1670 static void
1671 run_get_txpower(struct run_softc *sc)
1672 {
1673 	uint16_t val;
1674 	int i;
1675 
1676 	/* Read power settings for 2GHz channels. */
1677 	for (i = 0; i < 14; i += 2) {
1678 		run_srom_read(sc, RT2860_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
1679 		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
1680 		sc->txpow1[i + 1] = (int8_t)(val >> 8);
1681 
1682 		if (sc->mac_ver != 0x5390) {
1683 			run_srom_read(sc,
1684 			    RT2860_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
1685 			sc->txpow2[i + 0] = (int8_t)(val & 0xff);
1686 			sc->txpow2[i + 1] = (int8_t)(val >> 8);
1687 		}
1688 	}
1689 	/* Fix broken Tx power entries. */
1690 	for (i = 0; i < 14; i++) {
1691 		if (sc->mac_ver >= 0x5390) {
1692 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
1693 				sc->txpow1[i] = 5;
1694 		} else {
1695 			if (sc->txpow1[i] < 0 || sc->txpow1[i] > 31)
1696 				sc->txpow1[i] = 5;
1697 		}
1698 		if (sc->mac_ver > 0x5390) {
1699 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
1700 				sc->txpow2[i] = 5;
1701 		} else if (sc->mac_ver < 0x5390) {
1702 			if (sc->txpow2[i] < 0 || sc->txpow2[i] > 31)
1703 				sc->txpow2[i] = 5;
1704 		}
1705 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1706 		    rt2860_rf2850[i].chan, sc->txpow1[i], sc->txpow2[i]);
1707 	}
1708 	/* Read power settings for 5GHz channels. */
1709 	for (i = 0; i < 40; i += 2) {
1710 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
1711 		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
1712 		sc->txpow1[i + 15] = (int8_t)(val >> 8);
1713 
1714 		run_srom_read(sc, RT2860_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
1715 		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
1716 		sc->txpow2[i + 15] = (int8_t)(val >> 8);
1717 	}
1718 	/* Fix broken Tx power entries. */
1719 	for (i = 0; i < 40; i++ ) {
1720 		if (sc->mac_ver != 0x5592) {
1721 			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
1722 				sc->txpow1[14 + i] = 5;
1723 			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
1724 				sc->txpow2[14 + i] = 5;
1725 		}
1726 		DPRINTF("chan %d: power1=%d, power2=%d\n",
1727 		    rt2860_rf2850[14 + i].chan, sc->txpow1[14 + i],
1728 		    sc->txpow2[14 + i]);
1729 	}
1730 }
1731 
1732 static int
1733 run_read_eeprom(struct run_softc *sc)
1734 {
1735 	int8_t delta_2ghz, delta_5ghz;
1736 	uint32_t tmp;
1737 	uint16_t val;
1738 	int ridx, ant, i;
1739 
1740 	/* check whether the ROM is eFUSE ROM or EEPROM */
1741 	sc->sc_srom_read = run_eeprom_read_2;
1742 	if (sc->mac_ver >= 0x3070) {
1743 		run_read(sc, RT3070_EFUSE_CTRL, &tmp);
1744 		DPRINTF("EFUSE_CTRL=0x%08x\n", tmp);
1745 		if ((tmp & RT3070_SEL_EFUSE) || sc->mac_ver == 0x3593)
1746 			sc->sc_srom_read = run_efuse_read_2;
1747 	}
1748 
1749 	/* read ROM version */
1750 	run_srom_read(sc, RT2860_EEPROM_VERSION, &val);
1751 	DPRINTF("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8);
1752 
1753 	/* read MAC address */
1754 	run_srom_read(sc, RT2860_EEPROM_MAC01, &val);
1755 	sc->sc_bssid[0] = val & 0xff;
1756 	sc->sc_bssid[1] = val >> 8;
1757 	run_srom_read(sc, RT2860_EEPROM_MAC23, &val);
1758 	sc->sc_bssid[2] = val & 0xff;
1759 	sc->sc_bssid[3] = val >> 8;
1760 	run_srom_read(sc, RT2860_EEPROM_MAC45, &val);
1761 	sc->sc_bssid[4] = val & 0xff;
1762 	sc->sc_bssid[5] = val >> 8;
1763 
1764 	if (sc->mac_ver < 0x3593) {
1765 		/* read vender BBP settings */
1766 		for (i = 0; i < 10; i++) {
1767 			run_srom_read(sc, RT2860_EEPROM_BBP_BASE + i, &val);
1768 			sc->bbp[i].val = val & 0xff;
1769 			sc->bbp[i].reg = val >> 8;
1770 			DPRINTF("BBP%d=0x%02x\n", sc->bbp[i].reg,
1771 			    sc->bbp[i].val);
1772 		}
1773 		if (sc->mac_ver >= 0x3071) {
1774 			/* read vendor RF settings */
1775 			for (i = 0; i < 10; i++) {
1776 				run_srom_read(sc, RT3071_EEPROM_RF_BASE + i,
1777 				   &val);
1778 				sc->rf[i].val = val & 0xff;
1779 				sc->rf[i].reg = val >> 8;
1780 				DPRINTF("RF%d=0x%02x\n", sc->rf[i].reg,
1781 				    sc->rf[i].val);
1782 			}
1783 		}
1784 	}
1785 
1786 	/* read RF frequency offset from EEPROM */
1787 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1788 	    RT3593_EEPROM_FREQ, &val);
1789 	sc->freq = ((val & 0xff) != 0xff) ? val & 0xff : 0;
1790 	DPRINTF("EEPROM freq offset %d\n", sc->freq & 0xff);
1791 
1792 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_FREQ_LEDS :
1793 	    RT3593_EEPROM_FREQ_LEDS, &val);
1794 	if (val >> 8 != 0xff) {
1795 		/* read LEDs operating mode */
1796 		sc->leds = val >> 8;
1797 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED1 :
1798 		    RT3593_EEPROM_LED1, &sc->led[0]);
1799 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED2 :
1800 		    RT3593_EEPROM_LED2, &sc->led[1]);
1801 		run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LED3 :
1802 		    RT3593_EEPROM_LED3, &sc->led[2]);
1803 	} else {
1804 		/* broken EEPROM, use default settings */
1805 		sc->leds = 0x01;
1806 		sc->led[0] = 0x5555;
1807 		sc->led[1] = 0x2221;
1808 		sc->led[2] = 0x5627;	/* differs from RT2860 */
1809 	}
1810 	DPRINTF("EEPROM LED mode=0x%02x, LEDs=0x%04x/0x%04x/0x%04x\n",
1811 	    sc->leds, sc->led[0], sc->led[1], sc->led[2]);
1812 
1813 	/* read RF information */
1814 	if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392)
1815 		run_srom_read(sc, 0x00, &val);
1816 	else
1817 		run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1818 
1819 	if (val == 0xffff) {
1820 		device_printf(sc->sc_dev,
1821 		    "invalid EEPROM antenna info, using default\n");
1822 		DPRINTF("invalid EEPROM antenna info, using default\n");
1823 		if (sc->mac_ver == 0x3572) {
1824 			/* default to RF3052 2T2R */
1825 			sc->rf_rev = RT3070_RF_3052;
1826 			sc->ntxchains = 2;
1827 			sc->nrxchains = 2;
1828 		} else if (sc->mac_ver >= 0x3070) {
1829 			/* default to RF3020 1T1R */
1830 			sc->rf_rev = RT3070_RF_3020;
1831 			sc->ntxchains = 1;
1832 			sc->nrxchains = 1;
1833 		} else {
1834 			/* default to RF2820 1T2R */
1835 			sc->rf_rev = RT2860_RF_2820;
1836 			sc->ntxchains = 1;
1837 			sc->nrxchains = 2;
1838 		}
1839 	} else {
1840 		if (sc->mac_ver == 0x5390 || sc->mac_ver ==0x5392) {
1841 			sc->rf_rev = val;
1842 			run_srom_read(sc, RT2860_EEPROM_ANTENNA, &val);
1843 		} else
1844 			sc->rf_rev = (val >> 8) & 0xf;
1845 		sc->ntxchains = (val >> 4) & 0xf;
1846 		sc->nrxchains = val & 0xf;
1847 	}
1848 	DPRINTF("EEPROM RF rev=0x%04x chains=%dT%dR\n",
1849 	    sc->rf_rev, sc->ntxchains, sc->nrxchains);
1850 
1851 	/* check if RF supports automatic Tx access gain control */
1852 	run_srom_read(sc, RT2860_EEPROM_CONFIG, &val);
1853 	DPRINTF("EEPROM CFG 0x%04x\n", val);
1854 	/* check if driver should patch the DAC issue */
1855 	if ((val >> 8) != 0xff)
1856 		sc->patch_dac = (val >> 15) & 1;
1857 	if ((val & 0xff) != 0xff) {
1858 		sc->ext_5ghz_lna = (val >> 3) & 1;
1859 		sc->ext_2ghz_lna = (val >> 2) & 1;
1860 		/* check if RF supports automatic Tx access gain control */
1861 		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
1862 		/* check if we have a hardware radio switch */
1863 		sc->rfswitch = val & 1;
1864 	}
1865 
1866 	/* Read Tx power settings. */
1867 	if (sc->mac_ver == 0x3593)
1868 		run_rt3593_get_txpower(sc);
1869 	else
1870 		run_get_txpower(sc);
1871 
1872 	/* read Tx power compensation for each Tx rate */
1873 	run_srom_read(sc, RT2860_EEPROM_DELTAPWR, &val);
1874 	delta_2ghz = delta_5ghz = 0;
1875 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1876 		delta_2ghz = val & 0xf;
1877 		if (!(val & 0x40))	/* negative number */
1878 			delta_2ghz = -delta_2ghz;
1879 	}
1880 	val >>= 8;
1881 	if ((val & 0xff) != 0xff && (val & 0x80)) {
1882 		delta_5ghz = val & 0xf;
1883 		if (!(val & 0x40))	/* negative number */
1884 			delta_5ghz = -delta_5ghz;
1885 	}
1886 	DPRINTF("power compensation=%d (2GHz), %d (5GHz)\n",
1887 	    delta_2ghz, delta_5ghz);
1888 
1889 	for (ridx = 0; ridx < 5; ridx++) {
1890 		uint32_t reg;
1891 
1892 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2, &val);
1893 		reg = val;
1894 		run_srom_read(sc, RT2860_EEPROM_RPWR + ridx * 2 + 1, &val);
1895 		reg |= (uint32_t)val << 16;
1896 
1897 		sc->txpow20mhz[ridx] = reg;
1898 		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
1899 		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
1900 
1901 		DPRINTF("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
1902 		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
1903 		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]);
1904 	}
1905 
1906 	/* Read RSSI offsets and LNA gains from EEPROM. */
1907 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_2GHZ :
1908 	    RT3593_EEPROM_RSSI1_2GHZ, &val);
1909 	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
1910 	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
1911 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_2GHZ :
1912 	    RT3593_EEPROM_RSSI2_2GHZ, &val);
1913 	if (sc->mac_ver >= 0x3070) {
1914 		if (sc->mac_ver == 0x3593) {
1915 			sc->txmixgain_2ghz = 0;
1916 			sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1917 		} else {
1918 			/*
1919 			 * On RT3070 chips (limited to 2 Rx chains), this ROM
1920 			 * field contains the Tx mixer gain for the 2GHz band.
1921 			 */
1922 			if ((val & 0xff) != 0xff)
1923 				sc->txmixgain_2ghz = val & 0x7;
1924 		}
1925 		DPRINTF("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz);
1926 	} else
1927 		sc->rssi_2ghz[2] = val & 0xff;	/* Ant C */
1928 	if (sc->mac_ver == 0x3593)
1929 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1930 	sc->lna[2] = val >> 8;		/* channel group 2 */
1931 
1932 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI1_5GHZ :
1933 	    RT3593_EEPROM_RSSI1_5GHZ, &val);
1934 	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
1935 	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
1936 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_RSSI2_5GHZ :
1937 	    RT3593_EEPROM_RSSI2_5GHZ, &val);
1938 	if (sc->mac_ver == 0x3572) {
1939 		/*
1940 		 * On RT3572 chips (limited to 2 Rx chains), this ROM
1941 		 * field contains the Tx mixer gain for the 5GHz band.
1942 		 */
1943 		if ((val & 0xff) != 0xff)
1944 			sc->txmixgain_5ghz = val & 0x7;
1945 		DPRINTF("tx mixer gain=%u (5GHz)\n", sc->txmixgain_5ghz);
1946 	} else
1947 		sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
1948 	if (sc->mac_ver == 0x3593) {
1949 		sc->txmixgain_5ghz = 0;
1950 		run_srom_read(sc, RT3593_EEPROM_LNA_5GHZ, &val);
1951 	}
1952 	sc->lna[3] = val >> 8;		/* channel group 3 */
1953 
1954 	run_srom_read(sc, (sc->mac_ver != 0x3593) ? RT2860_EEPROM_LNA :
1955 	    RT3593_EEPROM_LNA, &val);
1956 	sc->lna[0] = val & 0xff;	/* channel group 0 */
1957 	sc->lna[1] = val >> 8;		/* channel group 1 */
1958 
1959 	/* fix broken 5GHz LNA entries */
1960 	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
1961 		DPRINTF("invalid LNA for channel group %d\n", 2);
1962 		sc->lna[2] = sc->lna[1];
1963 	}
1964 	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
1965 		DPRINTF("invalid LNA for channel group %d\n", 3);
1966 		sc->lna[3] = sc->lna[1];
1967 	}
1968 
1969 	/* fix broken RSSI offset entries */
1970 	for (ant = 0; ant < 3; ant++) {
1971 		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
1972 			DPRINTF("invalid RSSI%d offset: %d (2GHz)\n",
1973 			    ant + 1, sc->rssi_2ghz[ant]);
1974 			sc->rssi_2ghz[ant] = 0;
1975 		}
1976 		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
1977 			DPRINTF("invalid RSSI%d offset: %d (5GHz)\n",
1978 			    ant + 1, sc->rssi_5ghz[ant]);
1979 			sc->rssi_5ghz[ant] = 0;
1980 		}
1981 	}
1982 	return (0);
1983 }
1984 
1985 static struct ieee80211_node *
1986 run_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
1987 {
1988 	return malloc(sizeof (struct run_node), M_DEVBUF, M_NOWAIT | M_ZERO);
1989 }
1990 
1991 static int
1992 run_media_change(struct ifnet *ifp)
1993 {
1994 	struct ieee80211vap *vap = ifp->if_softc;
1995 	struct ieee80211com *ic = vap->iv_ic;
1996 	const struct ieee80211_txparam *tp;
1997 	struct run_softc *sc = ic->ic_ifp->if_softc;
1998 	uint8_t rate, ridx;
1999 	int error;
2000 
2001 	RUN_LOCK(sc);
2002 
2003 	error = ieee80211_media_change(ifp);
2004 	if (error != ENETRESET) {
2005 		RUN_UNLOCK(sc);
2006 		return (error);
2007 	}
2008 
2009 	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2010 	if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE) {
2011 		struct ieee80211_node *ni;
2012 		struct run_node	*rn;
2013 
2014 		rate = ic->ic_sup_rates[ic->ic_curmode].
2015 		    rs_rates[tp->ucastrate] & IEEE80211_RATE_VAL;
2016 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2017 			if (rt2860_rates[ridx].rate == rate)
2018 				break;
2019 		ni = ieee80211_ref_node(vap->iv_bss);
2020 		rn = (struct run_node *)ni;
2021 		rn->fix_ridx = ridx;
2022 		DPRINTF("rate=%d, fix_ridx=%d\n", rate, rn->fix_ridx);
2023 		ieee80211_free_node(ni);
2024 	}
2025 
2026 #if 0
2027 	if ((ifp->if_flags & IFF_UP) &&
2028 	    (ifp->if_drv_flags &  IFF_DRV_RUNNING)){
2029 		run_init_locked(sc);
2030 	}
2031 #endif
2032 
2033 	RUN_UNLOCK(sc);
2034 
2035 	return (0);
2036 }
2037 
2038 static int
2039 run_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2040 {
2041 	const struct ieee80211_txparam *tp;
2042 	struct ieee80211com *ic = vap->iv_ic;
2043 	struct run_softc *sc = ic->ic_ifp->if_softc;
2044 	struct run_vap *rvp = RUN_VAP(vap);
2045 	enum ieee80211_state ostate;
2046 	uint32_t sta[3];
2047 	uint32_t tmp;
2048 	uint8_t ratectl;
2049 	uint8_t restart_ratectl = 0;
2050 	uint8_t bid = 1 << rvp->rvp_id;
2051 
2052 	ostate = vap->iv_state;
2053 	DPRINTF("%s -> %s\n",
2054 		ieee80211_state_name[ostate],
2055 		ieee80211_state_name[nstate]);
2056 
2057 	IEEE80211_UNLOCK(ic);
2058 	RUN_LOCK(sc);
2059 
2060 	ratectl = sc->ratectl_run; /* remember current state */
2061 	sc->ratectl_run = RUN_RATECTL_OFF;
2062 	usb_callout_stop(&sc->ratectl_ch);
2063 
2064 	if (ostate == IEEE80211_S_RUN) {
2065 		/* turn link LED off */
2066 		run_set_leds(sc, RT2860_LED_RADIO);
2067 	}
2068 
2069 	switch (nstate) {
2070 	case IEEE80211_S_INIT:
2071 		restart_ratectl = 1;
2072 
2073 		if (ostate != IEEE80211_S_RUN)
2074 			break;
2075 
2076 		ratectl &= ~bid;
2077 		sc->runbmap &= ~bid;
2078 
2079 		/* abort TSF synchronization if there is no vap running */
2080 		if (--sc->running == 0) {
2081 			run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
2082 			run_write(sc, RT2860_BCN_TIME_CFG,
2083 			    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
2084 			    RT2860_TBTT_TIMER_EN));
2085 		}
2086 		break;
2087 
2088 	case IEEE80211_S_RUN:
2089 		if (!(sc->runbmap & bid)) {
2090 			if(sc->running++)
2091 				restart_ratectl = 1;
2092 			sc->runbmap |= bid;
2093 		}
2094 
2095 		m_freem(rvp->beacon_mbuf);
2096 		rvp->beacon_mbuf = NULL;
2097 
2098 		switch (vap->iv_opmode) {
2099 		case IEEE80211_M_HOSTAP:
2100 		case IEEE80211_M_MBSS:
2101 			sc->ap_running |= bid;
2102 			ic->ic_opmode = vap->iv_opmode;
2103 			run_update_beacon_cb(vap);
2104 			break;
2105 		case IEEE80211_M_IBSS:
2106 			sc->adhoc_running |= bid;
2107 			if (!sc->ap_running)
2108 				ic->ic_opmode = vap->iv_opmode;
2109 			run_update_beacon_cb(vap);
2110 			break;
2111 		case IEEE80211_M_STA:
2112 			sc->sta_running |= bid;
2113 			if (!sc->ap_running && !sc->adhoc_running)
2114 				ic->ic_opmode = vap->iv_opmode;
2115 
2116 			/* read statistic counters (clear on read) */
2117 			run_read_region_1(sc, RT2860_TX_STA_CNT0,
2118 			    (uint8_t *)sta, sizeof sta);
2119 
2120 			break;
2121 		default:
2122 			ic->ic_opmode = vap->iv_opmode;
2123 			break;
2124 		}
2125 
2126 		if (vap->iv_opmode != IEEE80211_M_MONITOR) {
2127 			struct ieee80211_node *ni;
2128 
2129 			if (ic->ic_bsschan == IEEE80211_CHAN_ANYC) {
2130 				RUN_UNLOCK(sc);
2131 				IEEE80211_LOCK(ic);
2132 				return (-1);
2133 			}
2134 			run_updateslot(ic->ic_ifp);
2135 			run_enable_mrr(sc);
2136 			run_set_txpreamble(sc);
2137 			run_set_basicrates(sc);
2138 			ni = ieee80211_ref_node(vap->iv_bss);
2139 			IEEE80211_ADDR_COPY(sc->sc_bssid, ni->ni_bssid);
2140 			run_set_bssid(sc, ni->ni_bssid);
2141 			ieee80211_free_node(ni);
2142 			run_enable_tsf_sync(sc);
2143 
2144 			/* enable automatic rate adaptation */
2145 			tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2146 			if (tp->ucastrate == IEEE80211_FIXED_RATE_NONE)
2147 				ratectl |= bid;
2148 		}
2149 
2150 		/* turn link LED on */
2151 		run_set_leds(sc, RT2860_LED_RADIO |
2152 		    (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan) ?
2153 		     RT2860_LED_LINK_2GHZ : RT2860_LED_LINK_5GHZ));
2154 
2155 		break;
2156 	default:
2157 		DPRINTFN(6, "undefined case\n");
2158 		break;
2159 	}
2160 
2161 	/* restart amrr for running VAPs */
2162 	if ((sc->ratectl_run = ratectl) && restart_ratectl)
2163 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2164 
2165 	RUN_UNLOCK(sc);
2166 	IEEE80211_LOCK(ic);
2167 
2168 	return(rvp->newstate(vap, nstate, arg));
2169 }
2170 
2171 /* ARGSUSED */
2172 static void
2173 run_wme_update_cb(void *arg)
2174 {
2175 	struct ieee80211com *ic = arg;
2176 	struct run_softc *sc = ic->ic_ifp->if_softc;
2177 	struct ieee80211_wme_state *wmesp = &ic->ic_wme;
2178 	int aci, error = 0;
2179 
2180 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2181 
2182 	/* update MAC TX configuration registers */
2183 	for (aci = 0; aci < WME_NUM_AC; aci++) {
2184 		error = run_write(sc, RT2860_EDCA_AC_CFG(aci),
2185 		    wmesp->wme_params[aci].wmep_logcwmax << 16 |
2186 		    wmesp->wme_params[aci].wmep_logcwmin << 12 |
2187 		    wmesp->wme_params[aci].wmep_aifsn  <<  8 |
2188 		    wmesp->wme_params[aci].wmep_txopLimit);
2189 		if (error) goto err;
2190 	}
2191 
2192 	/* update SCH/DMA registers too */
2193 	error = run_write(sc, RT2860_WMM_AIFSN_CFG,
2194 	    wmesp->wme_params[WME_AC_VO].wmep_aifsn  << 12 |
2195 	    wmesp->wme_params[WME_AC_VI].wmep_aifsn  <<  8 |
2196 	    wmesp->wme_params[WME_AC_BK].wmep_aifsn  <<  4 |
2197 	    wmesp->wme_params[WME_AC_BE].wmep_aifsn);
2198 	if (error) goto err;
2199 	error = run_write(sc, RT2860_WMM_CWMIN_CFG,
2200 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmin << 12 |
2201 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmin <<  8 |
2202 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmin <<  4 |
2203 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmin);
2204 	if (error) goto err;
2205 	error = run_write(sc, RT2860_WMM_CWMAX_CFG,
2206 	    wmesp->wme_params[WME_AC_VO].wmep_logcwmax << 12 |
2207 	    wmesp->wme_params[WME_AC_VI].wmep_logcwmax <<  8 |
2208 	    wmesp->wme_params[WME_AC_BK].wmep_logcwmax <<  4 |
2209 	    wmesp->wme_params[WME_AC_BE].wmep_logcwmax);
2210 	if (error) goto err;
2211 	error = run_write(sc, RT2860_WMM_TXOP0_CFG,
2212 	    wmesp->wme_params[WME_AC_BK].wmep_txopLimit << 16 |
2213 	    wmesp->wme_params[WME_AC_BE].wmep_txopLimit);
2214 	if (error) goto err;
2215 	error = run_write(sc, RT2860_WMM_TXOP1_CFG,
2216 	    wmesp->wme_params[WME_AC_VO].wmep_txopLimit << 16 |
2217 	    wmesp->wme_params[WME_AC_VI].wmep_txopLimit);
2218 
2219 err:
2220 	if (error)
2221 		DPRINTF("WME update failed\n");
2222 
2223 	return;
2224 }
2225 
2226 static int
2227 run_wme_update(struct ieee80211com *ic)
2228 {
2229 	struct run_softc *sc = ic->ic_ifp->if_softc;
2230 
2231 	/* sometime called wothout lock */
2232 	if (mtx_owned(&ic->ic_comlock.mtx)) {
2233 		uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
2234 		DPRINTF("cmdq_store=%d\n", i);
2235 		sc->cmdq[i].func = run_wme_update_cb;
2236 		sc->cmdq[i].arg0 = ic;
2237 		ieee80211_runtask(ic, &sc->cmdq_task);
2238 		return (0);
2239 	}
2240 
2241 	RUN_LOCK(sc);
2242 	run_wme_update_cb(ic);
2243 	RUN_UNLOCK(sc);
2244 
2245 	/* return whatever, upper layer desn't care anyway */
2246 	return (0);
2247 }
2248 
2249 static void
2250 run_key_update_begin(struct ieee80211vap *vap)
2251 {
2252 	/*
2253 	 * To avoid out-of-order events, both run_key_set() and
2254 	 * _delete() are deferred and handled by run_cmdq_cb().
2255 	 * So, there is nothing we need to do here.
2256 	 */
2257 }
2258 
2259 static void
2260 run_key_update_end(struct ieee80211vap *vap)
2261 {
2262 	/* null */
2263 }
2264 
2265 static void
2266 run_key_set_cb(void *arg)
2267 {
2268 	struct run_cmdq *cmdq = arg;
2269 	struct ieee80211vap *vap = cmdq->arg1;
2270 	struct ieee80211_key *k = cmdq->k;
2271 	struct ieee80211com *ic = vap->iv_ic;
2272 	struct run_softc *sc = ic->ic_ifp->if_softc;
2273 	struct ieee80211_node *ni;
2274 	uint32_t attr;
2275 	uint16_t base, associd;
2276 	uint8_t mode, wcid, iv[8];
2277 
2278 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2279 
2280 	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2281 		ni = ieee80211_find_vap_node(&ic->ic_sta, vap, cmdq->mac);
2282 	else
2283 		ni = vap->iv_bss;
2284 	associd = (ni != NULL) ? ni->ni_associd : 0;
2285 
2286 	/* map net80211 cipher to RT2860 security mode */
2287 	switch (k->wk_cipher->ic_cipher) {
2288 	case IEEE80211_CIPHER_WEP:
2289 		if(k->wk_keylen < 8)
2290 			mode = RT2860_MODE_WEP40;
2291 		else
2292 			mode = RT2860_MODE_WEP104;
2293 		break;
2294 	case IEEE80211_CIPHER_TKIP:
2295 		mode = RT2860_MODE_TKIP;
2296 		break;
2297 	case IEEE80211_CIPHER_AES_CCM:
2298 		mode = RT2860_MODE_AES_CCMP;
2299 		break;
2300 	default:
2301 		DPRINTF("undefined case\n");
2302 		return;
2303 	}
2304 
2305 	DPRINTFN(1, "associd=%x, keyix=%d, mode=%x, type=%s, tx=%s, rx=%s\n",
2306 	    associd, k->wk_keyix, mode,
2307 	    (k->wk_flags & IEEE80211_KEY_GROUP) ? "group" : "pairwise",
2308 	    (k->wk_flags & IEEE80211_KEY_XMIT) ? "on" : "off",
2309 	    (k->wk_flags & IEEE80211_KEY_RECV) ? "on" : "off");
2310 
2311 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2312 		wcid = 0;	/* NB: update WCID0 for group keys */
2313 		base = RT2860_SKEY(RUN_VAP(vap)->rvp_id, k->wk_keyix);
2314 	} else {
2315 		wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2316 		    1 : RUN_AID2WCID(associd);
2317 		base = RT2860_PKEY(wcid);
2318 	}
2319 
2320 	if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2321 		if(run_write_region_1(sc, base, k->wk_key, 16))
2322 			return;
2323 		if(run_write_region_1(sc, base + 16, &k->wk_key[16], 8))	/* wk_txmic */
2324 			return;
2325 		if(run_write_region_1(sc, base + 24, &k->wk_key[24], 8))	/* wk_rxmic */
2326 			return;
2327 	} else {
2328 		/* roundup len to 16-bit: XXX fix write_region_1() instead */
2329 		if(run_write_region_1(sc, base, k->wk_key, (k->wk_keylen + 1) & ~1))
2330 			return;
2331 	}
2332 
2333 	if (!(k->wk_flags & IEEE80211_KEY_GROUP) ||
2334 	    (k->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))) {
2335 		/* set initial packet number in IV+EIV */
2336 		if (k->wk_cipher == IEEE80211_CIPHER_WEP) {
2337 			memset(iv, 0, sizeof iv);
2338 			iv[3] = vap->iv_def_txkey << 6;
2339 		} else {
2340 			if (k->wk_cipher->ic_cipher == IEEE80211_CIPHER_TKIP) {
2341 				iv[0] = k->wk_keytsc >> 8;
2342 				iv[1] = (iv[0] | 0x20) & 0x7f;
2343 				iv[2] = k->wk_keytsc;
2344 			} else /* CCMP */ {
2345 				iv[0] = k->wk_keytsc;
2346 				iv[1] = k->wk_keytsc >> 8;
2347 				iv[2] = 0;
2348 			}
2349 			iv[3] = k->wk_keyix << 6 | IEEE80211_WEP_EXTIV;
2350 			iv[4] = k->wk_keytsc >> 16;
2351 			iv[5] = k->wk_keytsc >> 24;
2352 			iv[6] = k->wk_keytsc >> 32;
2353 			iv[7] = k->wk_keytsc >> 40;
2354 		}
2355 		if (run_write_region_1(sc, RT2860_IVEIV(wcid), iv, 8))
2356 			return;
2357 	}
2358 
2359 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2360 		/* install group key */
2361 		if (run_read(sc, RT2860_SKEY_MODE_0_7, &attr))
2362 			return;
2363 		attr &= ~(0xf << (k->wk_keyix * 4));
2364 		attr |= mode << (k->wk_keyix * 4);
2365 		if (run_write(sc, RT2860_SKEY_MODE_0_7, attr))
2366 			return;
2367 	} else {
2368 		/* install pairwise key */
2369 		if (run_read(sc, RT2860_WCID_ATTR(wcid), &attr))
2370 			return;
2371 		attr = (attr & ~0xf) | (mode << 1) | RT2860_RX_PKEY_EN;
2372 		if (run_write(sc, RT2860_WCID_ATTR(wcid), attr))
2373 			return;
2374 	}
2375 
2376 	/* TODO create a pass-thru key entry? */
2377 
2378 	/* need wcid to delete the right key later */
2379 	k->wk_pad = wcid;
2380 }
2381 
2382 /*
2383  * Don't have to be deferred, but in order to keep order of
2384  * execution, i.e. with run_key_delete(), defer this and let
2385  * run_cmdq_cb() maintain the order.
2386  *
2387  * return 0 on error
2388  */
2389 static int
2390 run_key_set(struct ieee80211vap *vap, struct ieee80211_key *k,
2391 		const uint8_t mac[IEEE80211_ADDR_LEN])
2392 {
2393 	struct ieee80211com *ic = vap->iv_ic;
2394 	struct run_softc *sc = ic->ic_ifp->if_softc;
2395 	uint32_t i;
2396 
2397 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2398 	DPRINTF("cmdq_store=%d\n", i);
2399 	sc->cmdq[i].func = run_key_set_cb;
2400 	sc->cmdq[i].arg0 = NULL;
2401 	sc->cmdq[i].arg1 = vap;
2402 	sc->cmdq[i].k = k;
2403 	IEEE80211_ADDR_COPY(sc->cmdq[i].mac, mac);
2404 	ieee80211_runtask(ic, &sc->cmdq_task);
2405 
2406 	/*
2407 	 * To make sure key will be set when hostapd
2408 	 * calls iv_key_set() before if_init().
2409 	 */
2410 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
2411 		RUN_LOCK(sc);
2412 		sc->cmdq_key_set = RUN_CMDQ_GO;
2413 		RUN_UNLOCK(sc);
2414 	}
2415 
2416 	return (1);
2417 }
2418 
2419 /*
2420  * If wlan is destroyed without being brought down i.e. without
2421  * wlan down or wpa_cli terminate, this function is called after
2422  * vap is gone. Don't refer it.
2423  */
2424 static void
2425 run_key_delete_cb(void *arg)
2426 {
2427 	struct run_cmdq *cmdq = arg;
2428 	struct run_softc *sc = cmdq->arg1;
2429 	struct ieee80211_key *k = &cmdq->key;
2430 	uint32_t attr;
2431 	uint8_t wcid;
2432 
2433 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2434 
2435 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2436 		/* remove group key */
2437 		DPRINTF("removing group key\n");
2438 		run_read(sc, RT2860_SKEY_MODE_0_7, &attr);
2439 		attr &= ~(0xf << (k->wk_keyix * 4));
2440 		run_write(sc, RT2860_SKEY_MODE_0_7, attr);
2441 	} else {
2442 		/* remove pairwise key */
2443 		DPRINTF("removing key for wcid %x\n", k->wk_pad);
2444 		/* matching wcid was written to wk_pad in run_key_set() */
2445 		wcid = k->wk_pad;
2446 		run_read(sc, RT2860_WCID_ATTR(wcid), &attr);
2447 		attr &= ~0xf;
2448 		run_write(sc, RT2860_WCID_ATTR(wcid), attr);
2449 		run_set_region_4(sc, RT2860_WCID_ENTRY(wcid), 0, 8);
2450 	}
2451 
2452 	k->wk_pad = 0;
2453 }
2454 
2455 /*
2456  * return 0 on error
2457  */
2458 static int
2459 run_key_delete(struct ieee80211vap *vap, struct ieee80211_key *k)
2460 {
2461 	struct ieee80211com *ic = vap->iv_ic;
2462 	struct run_softc *sc = ic->ic_ifp->if_softc;
2463 	struct ieee80211_key *k0;
2464 	uint32_t i;
2465 
2466 	/*
2467 	 * When called back, key might be gone. So, make a copy
2468 	 * of some values need to delete keys before deferring.
2469 	 * But, because of LOR with node lock, cannot use lock here.
2470 	 * So, use atomic instead.
2471 	 */
2472 	i = RUN_CMDQ_GET(&sc->cmdq_store);
2473 	DPRINTF("cmdq_store=%d\n", i);
2474 	sc->cmdq[i].func = run_key_delete_cb;
2475 	sc->cmdq[i].arg0 = NULL;
2476 	sc->cmdq[i].arg1 = sc;
2477 	k0 = &sc->cmdq[i].key;
2478 	k0->wk_flags = k->wk_flags;
2479 	k0->wk_keyix = k->wk_keyix;
2480 	/* matching wcid was written to wk_pad in run_key_set() */
2481 	k0->wk_pad = k->wk_pad;
2482 	ieee80211_runtask(ic, &sc->cmdq_task);
2483 	return (1);	/* return fake success */
2484 
2485 }
2486 
2487 static void
2488 run_ratectl_to(void *arg)
2489 {
2490 	struct run_softc *sc = arg;
2491 
2492 	/* do it in a process context, so it can go sleep */
2493 	ieee80211_runtask(sc->sc_ifp->if_l2com, &sc->ratectl_task);
2494 	/* next timeout will be rescheduled in the callback task */
2495 }
2496 
2497 /* ARGSUSED */
2498 static void
2499 run_ratectl_cb(void *arg, int pending)
2500 {
2501 	struct run_softc *sc = arg;
2502 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
2503 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
2504 
2505 	if (vap == NULL)
2506 		return;
2507 
2508 	if (sc->rvp_cnt <= 1 && vap->iv_opmode == IEEE80211_M_STA)
2509 		run_iter_func(sc, vap->iv_bss);
2510 	else {
2511 		/*
2512 		 * run_reset_livelock() doesn't do anything with AMRR,
2513 		 * but Ralink wants us to call it every 1 sec. So, we
2514 		 * piggyback here rather than creating another callout.
2515 		 * Livelock may occur only in HOSTAP or IBSS mode
2516 		 * (when h/w is sending beacons).
2517 		 */
2518 		RUN_LOCK(sc);
2519 		run_reset_livelock(sc);
2520 		/* just in case, there are some stats to drain */
2521 		run_drain_fifo(sc);
2522 		RUN_UNLOCK(sc);
2523 		ieee80211_iterate_nodes(&ic->ic_sta, run_iter_func, sc);
2524 	}
2525 
2526 	RUN_LOCK(sc);
2527 	if(sc->ratectl_run != RUN_RATECTL_OFF)
2528 		usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2529 	RUN_UNLOCK(sc);
2530 }
2531 
2532 static void
2533 run_drain_fifo(void *arg)
2534 {
2535 	struct run_softc *sc = arg;
2536 	struct ifnet *ifp = sc->sc_ifp;
2537 	uint32_t stat;
2538 	uint16_t (*wstat)[3];
2539 	uint8_t wcid, mcs, pid;
2540 	int8_t retry;
2541 
2542 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2543 
2544 	for (;;) {
2545 		/* drain Tx status FIFO (maxsize = 16) */
2546 		run_read(sc, RT2860_TX_STAT_FIFO, &stat);
2547 		DPRINTFN(4, "tx stat 0x%08x\n", stat);
2548 		if (!(stat & RT2860_TXQ_VLD))
2549 			break;
2550 
2551 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
2552 
2553 		/* if no ACK was requested, no feedback is available */
2554 		if (!(stat & RT2860_TXQ_ACKREQ) || wcid > RT2870_WCID_MAX ||
2555 		    wcid == 0)
2556 			continue;
2557 
2558 		/*
2559 		 * Even though each stat is Tx-complete-status like format,
2560 		 * the device can poll stats. Because there is no guarantee
2561 		 * that the referring node is still around when read the stats.
2562 		 * So that, if we use ieee80211_ratectl_tx_update(), we will
2563 		 * have hard time not to refer already freed node.
2564 		 *
2565 		 * To eliminate such page faults, we poll stats in softc.
2566 		 * Then, update the rates later with ieee80211_ratectl_tx_update().
2567 		 */
2568 		wstat = &(sc->wcid_stats[wcid]);
2569 		(*wstat)[RUN_TXCNT]++;
2570 		if (stat & RT2860_TXQ_OK)
2571 			(*wstat)[RUN_SUCCESS]++;
2572 		else
2573 			ifp->if_oerrors++;
2574 		/*
2575 		 * Check if there were retries, ie if the Tx success rate is
2576 		 * different from the requested rate. Note that it works only
2577 		 * because we do not allow rate fallback from OFDM to CCK.
2578 		 */
2579 		mcs = (stat >> RT2860_TXQ_MCS_SHIFT) & 0x7f;
2580 		pid = (stat >> RT2860_TXQ_PID_SHIFT) & 0xf;
2581 		if ((retry = pid -1 - mcs) > 0) {
2582 			(*wstat)[RUN_TXCNT] += retry;
2583 			(*wstat)[RUN_RETRY] += retry;
2584 		}
2585 	}
2586 	DPRINTFN(3, "count=%d\n", sc->fifo_cnt);
2587 
2588 	sc->fifo_cnt = 0;
2589 }
2590 
2591 static void
2592 run_iter_func(void *arg, struct ieee80211_node *ni)
2593 {
2594 	struct run_softc *sc = arg;
2595 	struct ieee80211vap *vap = ni->ni_vap;
2596 	struct ieee80211com *ic = ni->ni_ic;
2597 	struct ifnet *ifp = ic->ic_ifp;
2598 	struct run_node *rn = (void *)ni;
2599 	union run_stats sta[2];
2600 	uint16_t (*wstat)[3];
2601 	int txcnt, success, retrycnt, error;
2602 
2603 	RUN_LOCK(sc);
2604 
2605 	if (sc->rvp_cnt <= 1 && (vap->iv_opmode == IEEE80211_M_IBSS ||
2606 	    vap->iv_opmode == IEEE80211_M_STA)) {
2607 		/* read statistic counters (clear on read) and update AMRR state */
2608 		error = run_read_region_1(sc, RT2860_TX_STA_CNT0, (uint8_t *)sta,
2609 		    sizeof sta);
2610 		if (error != 0)
2611 			goto fail;
2612 
2613 		/* count failed TX as errors */
2614 		ifp->if_oerrors += le16toh(sta[0].error.fail);
2615 
2616 		retrycnt = le16toh(sta[1].tx.retry);
2617 		success = le16toh(sta[1].tx.success);
2618 		txcnt = retrycnt + success + le16toh(sta[0].error.fail);
2619 
2620 		DPRINTFN(3, "retrycnt=%d success=%d failcnt=%d\n",
2621 			retrycnt, success, le16toh(sta[0].error.fail));
2622 	} else {
2623 		wstat = &(sc->wcid_stats[RUN_AID2WCID(ni->ni_associd)]);
2624 
2625 		if (wstat == &(sc->wcid_stats[0]) ||
2626 		    wstat > &(sc->wcid_stats[RT2870_WCID_MAX]))
2627 			goto fail;
2628 
2629 		txcnt = (*wstat)[RUN_TXCNT];
2630 		success = (*wstat)[RUN_SUCCESS];
2631 		retrycnt = (*wstat)[RUN_RETRY];
2632 		DPRINTFN(3, "retrycnt=%d txcnt=%d success=%d\n",
2633 		    retrycnt, txcnt, success);
2634 
2635 		memset(wstat, 0, sizeof(*wstat));
2636 	}
2637 
2638 	ieee80211_ratectl_tx_update(vap, ni, &txcnt, &success, &retrycnt);
2639 	rn->amrr_ridx = ieee80211_ratectl_rate(ni, NULL, 0);
2640 
2641 fail:
2642 	RUN_UNLOCK(sc);
2643 
2644 	DPRINTFN(3, "ridx=%d\n", rn->amrr_ridx);
2645 }
2646 
2647 static void
2648 run_newassoc_cb(void *arg)
2649 {
2650 	struct run_cmdq *cmdq = arg;
2651 	struct ieee80211_node *ni = cmdq->arg1;
2652 	struct run_softc *sc = ni->ni_vap->iv_ic->ic_ifp->if_softc;
2653 	uint8_t wcid = cmdq->wcid;
2654 
2655 	RUN_LOCK_ASSERT(sc, MA_OWNED);
2656 
2657 	run_write_region_1(sc, RT2860_WCID_ENTRY(wcid),
2658 	    ni->ni_macaddr, IEEE80211_ADDR_LEN);
2659 
2660 	memset(&(sc->wcid_stats[wcid]), 0, sizeof(sc->wcid_stats[wcid]));
2661 }
2662 
2663 static void
2664 run_newassoc(struct ieee80211_node *ni, int isnew)
2665 {
2666 	struct run_node *rn = (void *)ni;
2667 	struct ieee80211_rateset *rs = &ni->ni_rates;
2668 	struct ieee80211vap *vap = ni->ni_vap;
2669 	struct ieee80211com *ic = vap->iv_ic;
2670 	struct run_softc *sc = ic->ic_ifp->if_softc;
2671 	uint8_t rate;
2672 	uint8_t ridx;
2673 	uint8_t wcid;
2674 	int i, j;
2675 
2676 	wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
2677 	    1 : RUN_AID2WCID(ni->ni_associd);
2678 
2679 	if (wcid > RT2870_WCID_MAX) {
2680 		device_printf(sc->sc_dev, "wcid=%d out of range\n", wcid);
2681 		return;
2682 	}
2683 
2684 	/* only interested in true associations */
2685 	if (isnew && ni->ni_associd != 0) {
2686 
2687 		/*
2688 		 * This function could is called though timeout function.
2689 		 * Need to defer.
2690 		 */
2691 		uint32_t cnt = RUN_CMDQ_GET(&sc->cmdq_store);
2692 		DPRINTF("cmdq_store=%d\n", cnt);
2693 		sc->cmdq[cnt].func = run_newassoc_cb;
2694 		sc->cmdq[cnt].arg0 = NULL;
2695 		sc->cmdq[cnt].arg1 = ni;
2696 		sc->cmdq[cnt].wcid = wcid;
2697 		ieee80211_runtask(ic, &sc->cmdq_task);
2698 	}
2699 
2700 	DPRINTF("new assoc isnew=%d associd=%x addr=%s\n",
2701 	    isnew, ni->ni_associd, ether_sprintf(ni->ni_macaddr));
2702 
2703 	for (i = 0; i < rs->rs_nrates; i++) {
2704 		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2705 		/* convert 802.11 rate to hardware rate index */
2706 		for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2707 			if (rt2860_rates[ridx].rate == rate)
2708 				break;
2709 		rn->ridx[i] = ridx;
2710 		/* determine rate of control response frames */
2711 		for (j = i; j >= 0; j--) {
2712 			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
2713 			    rt2860_rates[rn->ridx[i]].phy ==
2714 			    rt2860_rates[rn->ridx[j]].phy)
2715 				break;
2716 		}
2717 		if (j >= 0) {
2718 			rn->ctl_ridx[i] = rn->ridx[j];
2719 		} else {
2720 			/* no basic rate found, use mandatory one */
2721 			rn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
2722 		}
2723 		DPRINTF("rate=0x%02x ridx=%d ctl_ridx=%d\n",
2724 		    rs->rs_rates[i], rn->ridx[i], rn->ctl_ridx[i]);
2725 	}
2726 	rate = vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)].mgmtrate;
2727 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
2728 		if (rt2860_rates[ridx].rate == rate)
2729 			break;
2730 	rn->mgt_ridx = ridx;
2731 	DPRINTF("rate=%d, mgmt_ridx=%d\n", rate, rn->mgt_ridx);
2732 
2733 	usb_callout_reset(&sc->ratectl_ch, hz, run_ratectl_to, sc);
2734 }
2735 
2736 /*
2737  * Return the Rx chain with the highest RSSI for a given frame.
2738  */
2739 static __inline uint8_t
2740 run_maxrssi_chain(struct run_softc *sc, const struct rt2860_rxwi *rxwi)
2741 {
2742 	uint8_t rxchain = 0;
2743 
2744 	if (sc->nrxchains > 1) {
2745 		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
2746 			rxchain = 1;
2747 		if (sc->nrxchains > 2)
2748 			if (rxwi->rssi[2] > rxwi->rssi[rxchain])
2749 				rxchain = 2;
2750 	}
2751 	return (rxchain);
2752 }
2753 
2754 static void
2755 run_rx_frame(struct run_softc *sc, struct mbuf *m, uint32_t dmalen)
2756 {
2757 	struct ifnet *ifp = sc->sc_ifp;
2758 	struct ieee80211com *ic = ifp->if_l2com;
2759 	struct ieee80211_frame *wh;
2760 	struct ieee80211_node *ni;
2761 	struct rt2870_rxd *rxd;
2762 	struct rt2860_rxwi *rxwi;
2763 	uint32_t flags;
2764 	uint16_t len, rxwisize;
2765 	uint8_t ant, rssi;
2766 	int8_t nf;
2767 
2768 	rxwi = mtod(m, struct rt2860_rxwi *);
2769 	len = le16toh(rxwi->len) & 0xfff;
2770 	rxwisize = sizeof(struct rt2860_rxwi);
2771 	if (sc->mac_ver == 0x5592)
2772 		rxwisize += sizeof(uint64_t);
2773 	else if (sc->mac_ver == 0x3593)
2774 		rxwisize += sizeof(uint32_t);
2775 	if (__predict_false(len > dmalen)) {
2776 		m_freem(m);
2777 		ifp->if_ierrors++;
2778 		DPRINTF("bad RXWI length %u > %u\n", len, dmalen);
2779 		return;
2780 	}
2781 	/* Rx descriptor is located at the end */
2782 	rxd = (struct rt2870_rxd *)(mtod(m, caddr_t) + dmalen);
2783 	flags = le32toh(rxd->flags);
2784 
2785 	if (__predict_false(flags & (RT2860_RX_CRCERR | RT2860_RX_ICVERR))) {
2786 		m_freem(m);
2787 		ifp->if_ierrors++;
2788 		DPRINTF("%s error.\n", (flags & RT2860_RX_CRCERR)?"CRC":"ICV");
2789 		return;
2790 	}
2791 
2792 	m->m_data += rxwisize;
2793 	m->m_pkthdr.len = m->m_len -= rxwisize;
2794 
2795 	wh = mtod(m, struct ieee80211_frame *);
2796 
2797 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
2798 		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
2799 		m->m_flags |= M_WEP;
2800 	}
2801 
2802 	if (flags & RT2860_RX_L2PAD) {
2803 		DPRINTFN(8, "received RT2860_RX_L2PAD frame\n");
2804 		len += 2;
2805 	}
2806 
2807 	ni = ieee80211_find_rxnode(ic,
2808 	    mtod(m, struct ieee80211_frame_min *));
2809 
2810 	if (__predict_false(flags & RT2860_RX_MICERR)) {
2811 		/* report MIC failures to net80211 for TKIP */
2812 		if (ni != NULL)
2813 			ieee80211_notify_michael_failure(ni->ni_vap, wh,
2814 			    rxwi->keyidx);
2815 		m_freem(m);
2816 		ifp->if_ierrors++;
2817 		DPRINTF("MIC error. Someone is lying.\n");
2818 		return;
2819 	}
2820 
2821 	ant = run_maxrssi_chain(sc, rxwi);
2822 	rssi = rxwi->rssi[ant];
2823 	nf = run_rssi2dbm(sc, rssi, ant);
2824 
2825 	m->m_pkthdr.rcvif = ifp;
2826 	m->m_pkthdr.len = m->m_len = len;
2827 
2828 	if (ni != NULL) {
2829 		(void)ieee80211_input(ni, m, rssi, nf);
2830 		ieee80211_free_node(ni);
2831 	} else {
2832 		(void)ieee80211_input_all(ic, m, rssi, nf);
2833 	}
2834 
2835 	if (__predict_false(ieee80211_radiotap_active(ic))) {
2836 		struct run_rx_radiotap_header *tap = &sc->sc_rxtap;
2837 		uint16_t phy;
2838 
2839 		tap->wr_flags = 0;
2840 		tap->wr_chan_freq = htole16(ic->ic_curchan->ic_freq);
2841 		tap->wr_chan_flags = htole16(ic->ic_curchan->ic_flags);
2842 		tap->wr_antsignal = rssi;
2843 		tap->wr_antenna = ant;
2844 		tap->wr_dbm_antsignal = run_rssi2dbm(sc, rssi, ant);
2845 		tap->wr_rate = 2;	/* in case it can't be found below */
2846 		phy = le16toh(rxwi->phy);
2847 		switch (phy & RT2860_PHY_MODE) {
2848 		case RT2860_PHY_CCK:
2849 			switch ((phy & RT2860_PHY_MCS) & ~RT2860_PHY_SHPRE) {
2850 			case 0:	tap->wr_rate =   2; break;
2851 			case 1:	tap->wr_rate =   4; break;
2852 			case 2:	tap->wr_rate =  11; break;
2853 			case 3:	tap->wr_rate =  22; break;
2854 			}
2855 			if (phy & RT2860_PHY_SHPRE)
2856 				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
2857 			break;
2858 		case RT2860_PHY_OFDM:
2859 			switch (phy & RT2860_PHY_MCS) {
2860 			case 0:	tap->wr_rate =  12; break;
2861 			case 1:	tap->wr_rate =  18; break;
2862 			case 2:	tap->wr_rate =  24; break;
2863 			case 3:	tap->wr_rate =  36; break;
2864 			case 4:	tap->wr_rate =  48; break;
2865 			case 5:	tap->wr_rate =  72; break;
2866 			case 6:	tap->wr_rate =  96; break;
2867 			case 7:	tap->wr_rate = 108; break;
2868 			}
2869 			break;
2870 		}
2871 	}
2872 }
2873 
2874 static void
2875 run_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2876 {
2877 	struct run_softc *sc = usbd_xfer_softc(xfer);
2878 	struct ifnet *ifp = sc->sc_ifp;
2879 	struct mbuf *m = NULL;
2880 	struct mbuf *m0;
2881 	uint32_t dmalen;
2882 	uint16_t rxwisize;
2883 	int xferlen;
2884 
2885 	rxwisize = sizeof(struct rt2860_rxwi);
2886 	if (sc->mac_ver == 0x5592)
2887 		rxwisize += sizeof(uint64_t);
2888 	else if (sc->mac_ver == 0x3593)
2889 		rxwisize += sizeof(uint32_t);
2890 
2891 	usbd_xfer_status(xfer, &xferlen, NULL, NULL, NULL);
2892 
2893 	switch (USB_GET_STATE(xfer)) {
2894 	case USB_ST_TRANSFERRED:
2895 
2896 		DPRINTFN(15, "rx done, actlen=%d\n", xferlen);
2897 
2898 		if (xferlen < (int)(sizeof(uint32_t) + rxwisize +
2899 		    sizeof(struct rt2870_rxd))) {
2900 			DPRINTF("xfer too short %d\n", xferlen);
2901 			goto tr_setup;
2902 		}
2903 
2904 		m = sc->rx_m;
2905 		sc->rx_m = NULL;
2906 
2907 		/* FALLTHROUGH */
2908 	case USB_ST_SETUP:
2909 tr_setup:
2910 		if (sc->rx_m == NULL) {
2911 			sc->rx_m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
2912 			    MJUMPAGESIZE /* xfer can be bigger than MCLBYTES */);
2913 		}
2914 		if (sc->rx_m == NULL) {
2915 			DPRINTF("could not allocate mbuf - idle with stall\n");
2916 			ifp->if_ierrors++;
2917 			usbd_xfer_set_stall(xfer);
2918 			usbd_xfer_set_frames(xfer, 0);
2919 		} else {
2920 			/*
2921 			 * Directly loading a mbuf cluster into DMA to
2922 			 * save some data copying. This works because
2923 			 * there is only one cluster.
2924 			 */
2925 			usbd_xfer_set_frame_data(xfer, 0,
2926 			    mtod(sc->rx_m, caddr_t), RUN_MAX_RXSZ);
2927 			usbd_xfer_set_frames(xfer, 1);
2928 		}
2929 		usbd_transfer_submit(xfer);
2930 		break;
2931 
2932 	default:	/* Error */
2933 		if (error != USB_ERR_CANCELLED) {
2934 			/* try to clear stall first */
2935 			usbd_xfer_set_stall(xfer);
2936 
2937 			if (error == USB_ERR_TIMEOUT)
2938 				device_printf(sc->sc_dev, "device timeout\n");
2939 
2940 			ifp->if_ierrors++;
2941 
2942 			goto tr_setup;
2943 		}
2944 		if (sc->rx_m != NULL) {
2945 			m_freem(sc->rx_m);
2946 			sc->rx_m = NULL;
2947 		}
2948 		break;
2949 	}
2950 
2951 	if (m == NULL)
2952 		return;
2953 
2954 	/* inputting all the frames must be last */
2955 
2956 	RUN_UNLOCK(sc);
2957 
2958 	m->m_pkthdr.len = m->m_len = xferlen;
2959 
2960 	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
2961 	for(;;) {
2962 		dmalen = le32toh(*mtod(m, uint32_t *)) & 0xffff;
2963 
2964 		if ((dmalen >= (uint32_t)-8) || (dmalen == 0) ||
2965 		    ((dmalen & 3) != 0)) {
2966 			DPRINTF("bad DMA length %u\n", dmalen);
2967 			break;
2968 		}
2969 		if ((dmalen + 8) > (uint32_t)xferlen) {
2970 			DPRINTF("bad DMA length %u > %d\n",
2971 			dmalen + 8, xferlen);
2972 			break;
2973 		}
2974 
2975 		/* If it is the last one or a single frame, we won't copy. */
2976 		if ((xferlen -= dmalen + 8) <= 8) {
2977 			/* trim 32-bit DMA-len header */
2978 			m->m_data += 4;
2979 			m->m_pkthdr.len = m->m_len -= 4;
2980 			run_rx_frame(sc, m, dmalen);
2981 			m = NULL;	/* don't free source buffer */
2982 			break;
2983 		}
2984 
2985 		/* copy aggregated frames to another mbuf */
2986 		m0 = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2987 		if (__predict_false(m0 == NULL)) {
2988 			DPRINTF("could not allocate mbuf\n");
2989 			ifp->if_ierrors++;
2990 			break;
2991 		}
2992 		m_copydata(m, 4 /* skip 32-bit DMA-len header */,
2993 		    dmalen + sizeof(struct rt2870_rxd), mtod(m0, caddr_t));
2994 		m0->m_pkthdr.len = m0->m_len =
2995 		    dmalen + sizeof(struct rt2870_rxd);
2996 		run_rx_frame(sc, m0, dmalen);
2997 
2998 		/* update data ptr */
2999 		m->m_data += dmalen + 8;
3000 		m->m_pkthdr.len = m->m_len -= dmalen + 8;
3001 	}
3002 
3003 	/* make sure we free the source buffer, if any */
3004 	m_freem(m);
3005 
3006 	RUN_LOCK(sc);
3007 }
3008 
3009 static void
3010 run_tx_free(struct run_endpoint_queue *pq,
3011     struct run_tx_data *data, int txerr)
3012 {
3013 	if (data->m != NULL) {
3014 		if (data->m->m_flags & M_TXCB)
3015 			ieee80211_process_callback(data->ni, data->m,
3016 			    txerr ? ETIMEDOUT : 0);
3017 		m_freem(data->m);
3018 		data->m = NULL;
3019 
3020 		if (data->ni == NULL) {
3021 			DPRINTF("no node\n");
3022 		} else {
3023 			ieee80211_free_node(data->ni);
3024 			data->ni = NULL;
3025 		}
3026 	}
3027 
3028 	STAILQ_INSERT_TAIL(&pq->tx_fh, data, next);
3029 	pq->tx_nfree++;
3030 }
3031 
3032 static void
3033 run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
3034 {
3035 	struct run_softc *sc = usbd_xfer_softc(xfer);
3036 	struct ifnet *ifp = sc->sc_ifp;
3037 	struct ieee80211com *ic = ifp->if_l2com;
3038 	struct run_tx_data *data;
3039 	struct ieee80211vap *vap = NULL;
3040 	struct usb_page_cache *pc;
3041 	struct run_endpoint_queue *pq = &sc->sc_epq[index];
3042 	struct mbuf *m;
3043 	usb_frlength_t size;
3044 	int actlen;
3045 	int sumlen;
3046 
3047 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
3048 
3049 	switch (USB_GET_STATE(xfer)) {
3050 	case USB_ST_TRANSFERRED:
3051 		DPRINTFN(11, "transfer complete: %d "
3052 		    "bytes @ index %d\n", actlen, index);
3053 
3054 		data = usbd_xfer_get_priv(xfer);
3055 
3056 		run_tx_free(pq, data, 0);
3057 		ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
3058 
3059 		usbd_xfer_set_priv(xfer, NULL);
3060 
3061 		ifp->if_opackets++;
3062 
3063 		/* FALLTHROUGH */
3064 	case USB_ST_SETUP:
3065 tr_setup:
3066 		data = STAILQ_FIRST(&pq->tx_qh);
3067 		if (data == NULL)
3068 			break;
3069 
3070 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
3071 
3072 		m = data->m;
3073 		size = (sc->mac_ver == 0x5592) ?
3074 		    RUN_MAX_TXSZ + sizeof(uint32_t) : RUN_MAX_TXSZ;
3075 		if ((m->m_pkthdr.len +
3076 		    sizeof(data->desc) + 3 + 8) > size) {
3077 			DPRINTF("data overflow, %u bytes\n",
3078 			    m->m_pkthdr.len);
3079 
3080 			ifp->if_oerrors++;
3081 
3082 			run_tx_free(pq, data, 1);
3083 
3084 			goto tr_setup;
3085 		}
3086 
3087 		pc = usbd_xfer_get_frame(xfer, 0);
3088 		size = (sc->mac_ver == 0x5592) ?
3089 		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
3090 		usbd_copy_in(pc, 0, &data->desc, size);
3091 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
3092 		size += m->m_pkthdr.len;
3093 		/*
3094 		 * Align end on a 4-byte boundary, pad 8 bytes (CRC +
3095 		 * 4-byte padding), and be sure to zero those trailing
3096 		 * bytes:
3097 		 */
3098 		usbd_frame_zero(pc, size, ((-size) & 3) + 8);
3099 		size += ((-size) & 3) + 8;
3100 
3101 		vap = data->ni->ni_vap;
3102 		if (ieee80211_radiotap_active_vap(vap)) {
3103 			struct run_tx_radiotap_header *tap = &sc->sc_txtap;
3104 			struct rt2860_txwi *txwi =
3105 			    (struct rt2860_txwi *)(&data->desc + sizeof(struct rt2870_txd));
3106 			tap->wt_flags = 0;
3107 			tap->wt_rate = rt2860_rates[data->ridx].rate;
3108 			tap->wt_chan_freq = htole16(ic->ic_curchan->ic_freq);
3109 			tap->wt_chan_flags = htole16(ic->ic_curchan->ic_flags);
3110 			tap->wt_hwqueue = index;
3111 			if (le16toh(txwi->phy) & RT2860_PHY_SHPRE)
3112 				tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3113 
3114 			ieee80211_radiotap_tx(vap, m);
3115 		}
3116 
3117 		DPRINTFN(11, "sending frame len=%u/%u  @ index %d\n",
3118 		    m->m_pkthdr.len, size, index);
3119 
3120 		usbd_xfer_set_frame_len(xfer, 0, size);
3121 		usbd_xfer_set_priv(xfer, data);
3122 
3123 		usbd_transfer_submit(xfer);
3124 
3125 		RUN_UNLOCK(sc);
3126 		run_start(ifp);
3127 		RUN_LOCK(sc);
3128 
3129 		break;
3130 
3131 	default:
3132 		DPRINTF("USB transfer error, %s\n",
3133 		    usbd_errstr(error));
3134 
3135 		data = usbd_xfer_get_priv(xfer);
3136 
3137 		ifp->if_oerrors++;
3138 
3139 		if (data != NULL) {
3140 			if(data->ni != NULL)
3141 				vap = data->ni->ni_vap;
3142 			run_tx_free(pq, data, error);
3143 			usbd_xfer_set_priv(xfer, NULL);
3144 		}
3145 		if (vap == NULL)
3146 			vap = TAILQ_FIRST(&ic->ic_vaps);
3147 
3148 		if (error != USB_ERR_CANCELLED) {
3149 			if (error == USB_ERR_TIMEOUT) {
3150 				device_printf(sc->sc_dev, "device timeout\n");
3151 				uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3152 				DPRINTF("cmdq_store=%d\n", i);
3153 				sc->cmdq[i].func = run_usb_timeout_cb;
3154 				sc->cmdq[i].arg0 = vap;
3155 				ieee80211_runtask(ic, &sc->cmdq_task);
3156 			}
3157 
3158 			/*
3159 			 * Try to clear stall first, also if other
3160 			 * errors occur, hence clearing stall
3161 			 * introduces a 50 ms delay:
3162 			 */
3163 			usbd_xfer_set_stall(xfer);
3164 			goto tr_setup;
3165 		}
3166 		break;
3167 	}
3168 }
3169 
3170 static void
3171 run_bulk_tx_callback0(struct usb_xfer *xfer, usb_error_t error)
3172 {
3173 	run_bulk_tx_callbackN(xfer, error, 0);
3174 }
3175 
3176 static void
3177 run_bulk_tx_callback1(struct usb_xfer *xfer, usb_error_t error)
3178 {
3179 	run_bulk_tx_callbackN(xfer, error, 1);
3180 }
3181 
3182 static void
3183 run_bulk_tx_callback2(struct usb_xfer *xfer, usb_error_t error)
3184 {
3185 	run_bulk_tx_callbackN(xfer, error, 2);
3186 }
3187 
3188 static void
3189 run_bulk_tx_callback3(struct usb_xfer *xfer, usb_error_t error)
3190 {
3191 	run_bulk_tx_callbackN(xfer, error, 3);
3192 }
3193 
3194 static void
3195 run_bulk_tx_callback4(struct usb_xfer *xfer, usb_error_t error)
3196 {
3197 	run_bulk_tx_callbackN(xfer, error, 4);
3198 }
3199 
3200 static void
3201 run_bulk_tx_callback5(struct usb_xfer *xfer, usb_error_t error)
3202 {
3203 	run_bulk_tx_callbackN(xfer, error, 5);
3204 }
3205 
3206 static void
3207 run_set_tx_desc(struct run_softc *sc, struct run_tx_data *data)
3208 {
3209 	struct mbuf *m = data->m;
3210 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3211 	struct ieee80211vap *vap = data->ni->ni_vap;
3212 	struct ieee80211_frame *wh;
3213 	struct rt2870_txd *txd;
3214 	struct rt2860_txwi *txwi;
3215 	uint16_t xferlen, txwisize;
3216 	uint16_t mcs;
3217 	uint8_t ridx = data->ridx;
3218 	uint8_t pad;
3219 
3220 	/* get MCS code from rate index */
3221 	mcs = rt2860_rates[ridx].mcs;
3222 
3223 	txwisize = (sc->mac_ver == 0x5592) ?
3224 	    sizeof(*txwi) + sizeof(uint32_t) : sizeof(*txwi);
3225 	xferlen = txwisize + m->m_pkthdr.len;
3226 
3227 	/* roundup to 32-bit alignment */
3228 	xferlen = (xferlen + 3) & ~3;
3229 
3230 	txd = (struct rt2870_txd *)&data->desc;
3231 	txd->len = htole16(xferlen);
3232 
3233 	wh = mtod(m, struct ieee80211_frame *);
3234 
3235 	/*
3236 	 * Ether both are true or both are false, the header
3237 	 * are nicely aligned to 32-bit. So, no L2 padding.
3238 	 */
3239 	if(IEEE80211_HAS_ADDR4(wh) == IEEE80211_QOS_HAS_SEQ(wh))
3240 		pad = 0;
3241 	else
3242 		pad = 2;
3243 
3244 	/* setup TX Wireless Information */
3245 	txwi = (struct rt2860_txwi *)(txd + 1);
3246 	txwi->len = htole16(m->m_pkthdr.len - pad);
3247 	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
3248 		txwi->phy = htole16(RT2860_PHY_CCK);
3249 		if (ridx != RT2860_RIDX_CCK1 &&
3250 		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
3251 			mcs |= RT2860_PHY_SHPRE;
3252 	} else
3253 		txwi->phy = htole16(RT2860_PHY_OFDM);
3254 	txwi->phy |= htole16(mcs);
3255 
3256 	/* check if RTS/CTS or CTS-to-self protection is required */
3257 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3258 	    (m->m_pkthdr.len + IEEE80211_CRC_LEN > vap->iv_rtsthreshold ||
3259 	     ((ic->ic_flags & IEEE80211_F_USEPROT) &&
3260 	      rt2860_rates[ridx].phy == IEEE80211_T_OFDM)))
3261 		txwi->txop |= RT2860_TX_TXOP_HT;
3262 	else
3263 		txwi->txop |= RT2860_TX_TXOP_BACKOFF;
3264 
3265 	if (vap->iv_opmode != IEEE80211_M_STA && !IEEE80211_QOS_HAS_SEQ(wh))
3266 		txwi->xflags |= RT2860_TX_NSEQ;
3267 }
3268 
3269 /* This function must be called locked */
3270 static int
3271 run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3272 {
3273 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3274 	struct ieee80211vap *vap = ni->ni_vap;
3275 	struct ieee80211_frame *wh;
3276 	struct ieee80211_channel *chan;
3277 	const struct ieee80211_txparam *tp;
3278 	struct run_node *rn = (void *)ni;
3279 	struct run_tx_data *data;
3280 	struct rt2870_txd *txd;
3281 	struct rt2860_txwi *txwi;
3282 	uint16_t qos;
3283 	uint16_t dur;
3284 	uint16_t qid;
3285 	uint8_t type;
3286 	uint8_t tid;
3287 	uint8_t ridx;
3288 	uint8_t ctl_ridx;
3289 	uint8_t qflags;
3290 	uint8_t xflags = 0;
3291 	int hasqos;
3292 
3293 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3294 
3295 	wh = mtod(m, struct ieee80211_frame *);
3296 
3297 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3298 
3299 	/*
3300 	 * There are 7 bulk endpoints: 1 for RX
3301 	 * and 6 for TX (4 EDCAs + HCCA + Prio).
3302 	 * Update 03-14-2009:  some devices like the Planex GW-US300MiniS
3303 	 * seem to have only 4 TX bulk endpoints (Fukaumi Naoki).
3304 	 */
3305 	if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
3306 		uint8_t *frm;
3307 
3308 		if(IEEE80211_HAS_ADDR4(wh))
3309 			frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
3310 		else
3311 			frm =((struct ieee80211_qosframe *)wh)->i_qos;
3312 
3313 		qos = le16toh(*(const uint16_t *)frm);
3314 		tid = qos & IEEE80211_QOS_TID;
3315 		qid = TID_TO_WME_AC(tid);
3316 	} else {
3317 		qos = 0;
3318 		tid = 0;
3319 		qid = WME_AC_BE;
3320 	}
3321 	qflags = (qid < 4) ? RT2860_TX_QSEL_EDCA : RT2860_TX_QSEL_HCCA;
3322 
3323 	DPRINTFN(8, "qos %d\tqid %d\ttid %d\tqflags %x\n",
3324 	    qos, qid, tid, qflags);
3325 
3326 	chan = (ni->ni_chan != IEEE80211_CHAN_ANYC)?ni->ni_chan:ic->ic_curchan;
3327 	tp = &vap->iv_txparms[ieee80211_chan2mode(chan)];
3328 
3329 	/* pickup a rate index */
3330 	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
3331 	    type != IEEE80211_FC0_TYPE_DATA) {
3332 		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
3333 		    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
3334 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3335 	} else {
3336 		if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
3337 			ridx = rn->fix_ridx;
3338 		else
3339 			ridx = rn->amrr_ridx;
3340 		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
3341 	}
3342 
3343 	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
3344 	    (!hasqos || (qos & IEEE80211_QOS_ACKPOLICY) !=
3345 	     IEEE80211_QOS_ACKPOLICY_NOACK)) {
3346 		xflags |= RT2860_TX_ACK;
3347 		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
3348 			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
3349 		else
3350 			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
3351 		USETW(wh->i_dur, dur);
3352 	}
3353 
3354 	/* reserve slots for mgmt packets, just in case */
3355 	if (sc->sc_epq[qid].tx_nfree < 3) {
3356 		DPRINTFN(10, "tx ring %d is full\n", qid);
3357 		return (-1);
3358 	}
3359 
3360 	data = STAILQ_FIRST(&sc->sc_epq[qid].tx_fh);
3361 	STAILQ_REMOVE_HEAD(&sc->sc_epq[qid].tx_fh, next);
3362 	sc->sc_epq[qid].tx_nfree--;
3363 
3364 	txd = (struct rt2870_txd *)&data->desc;
3365 	txd->flags = qflags;
3366 	txwi = (struct rt2860_txwi *)(txd + 1);
3367 	txwi->xflags = xflags;
3368 	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
3369 		txwi->wcid = 0;
3370 	else
3371 		txwi->wcid = (vap->iv_opmode == IEEE80211_M_STA) ?
3372 		    1 : RUN_AID2WCID(ni->ni_associd);
3373 
3374 	/* clear leftover garbage bits */
3375 	txwi->flags = 0;
3376 	txwi->txop = 0;
3377 
3378 	data->m = m;
3379 	data->ni = ni;
3380 	data->ridx = ridx;
3381 
3382 	run_set_tx_desc(sc, data);
3383 
3384 	/*
3385 	 * The chip keeps track of 2 kind of Tx stats,
3386 	 *  * TX_STAT_FIFO, for per WCID stats, and
3387 	 *  * TX_STA_CNT0 for all-TX-in-one stats.
3388 	 *
3389 	 * To use FIFO stats, we need to store MCS into the driver-private
3390  	 * PacketID field. So that, we can tell whose stats when we read them.
3391  	 * We add 1 to the MCS because setting the PacketID field to 0 means
3392  	 * that we don't want feedback in TX_STAT_FIFO.
3393  	 * And, that's what we want for STA mode, since TX_STA_CNT0 does the job.
3394  	 *
3395  	 * FIFO stats doesn't count Tx with WCID 0xff, so we do this in run_tx().
3396  	 */
3397 	if (sc->rvp_cnt > 1 || vap->iv_opmode == IEEE80211_M_HOSTAP ||
3398 	    vap->iv_opmode == IEEE80211_M_MBSS) {
3399 		uint16_t pid = (rt2860_rates[ridx].mcs + 1) & 0xf;
3400 		txwi->len |= htole16(pid << RT2860_TX_PID_SHIFT);
3401 
3402 		/*
3403 		 * Unlike PCI based devices, we don't get any interrupt from
3404 		 * USB devices, so we simulate FIFO-is-full interrupt here.
3405 		 * Ralink recomends to drain FIFO stats every 100 ms, but 16 slots
3406 		 * quickly get fulled. To prevent overflow, increment a counter on
3407 		 * every FIFO stat request, so we know how many slots are left.
3408 		 * We do this only in HOSTAP or multiple vap mode since FIFO stats
3409 		 * are used only in those modes.
3410 		 * We just drain stats. AMRR gets updated every 1 sec by
3411 		 * run_ratectl_cb() via callout.
3412 		 * Call it early. Otherwise overflow.
3413 		 */
3414 		if (sc->fifo_cnt++ == 10) {
3415 			/*
3416 			 * With multiple vaps or if_bridge, if_start() is called
3417 			 * with a non-sleepable lock, tcpinp. So, need to defer.
3418 			 */
3419 			uint32_t i = RUN_CMDQ_GET(&sc->cmdq_store);
3420 			DPRINTFN(6, "cmdq_store=%d\n", i);
3421 			sc->cmdq[i].func = run_drain_fifo;
3422 			sc->cmdq[i].arg0 = sc;
3423 			ieee80211_runtask(ic, &sc->cmdq_task);
3424 		}
3425 	}
3426 
3427         STAILQ_INSERT_TAIL(&sc->sc_epq[qid].tx_qh, data, next);
3428 
3429 	usbd_transfer_start(sc->sc_xfer[qid]);
3430 
3431 	DPRINTFN(8, "sending data frame len=%d rate=%d qid=%d\n",
3432 	    m->m_pkthdr.len + (int)(sizeof(struct rt2870_txd) +
3433 	    sizeof(struct rt2860_txwi)), rt2860_rates[ridx].rate, qid);
3434 
3435 	return (0);
3436 }
3437 
3438 static int
3439 run_tx_mgt(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
3440 {
3441 	struct ifnet *ifp = sc->sc_ifp;
3442 	struct ieee80211com *ic = ifp->if_l2com;
3443 	struct run_node *rn = (void *)ni;
3444 	struct run_tx_data *data;
3445 	struct ieee80211_frame *wh;
3446 	struct rt2870_txd *txd;
3447 	struct rt2860_txwi *txwi;
3448 	uint16_t dur;
3449 	uint8_t ridx = rn->mgt_ridx;
3450 	uint8_t type;
3451 	uint8_t xflags = 0;
3452 	uint8_t wflags = 0;
3453 
3454 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3455 
3456 	wh = mtod(m, struct ieee80211_frame *);
3457 
3458 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3459 
3460 	/* tell hardware to add timestamp for probe responses */
3461 	if ((wh->i_fc[0] &
3462 	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
3463 	    (IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP))
3464 		wflags |= RT2860_TX_TS;
3465 	else if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3466 		xflags |= RT2860_TX_ACK;
3467 
3468 		dur = ieee80211_ack_duration(ic->ic_rt, rt2860_rates[ridx].rate,
3469 		    ic->ic_flags & IEEE80211_F_SHPREAMBLE);
3470 		USETW(wh->i_dur, dur);
3471 	}
3472 
3473 	if (sc->sc_epq[0].tx_nfree == 0) {
3474 		/* let caller free mbuf */
3475 		ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3476 		return (EIO);
3477 	}
3478 	data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3479 	STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3480 	sc->sc_epq[0].tx_nfree--;
3481 
3482 	txd = (struct rt2870_txd *)&data->desc;
3483 	txd->flags = RT2860_TX_QSEL_EDCA;
3484 	txwi = (struct rt2860_txwi *)(txd + 1);
3485 	txwi->wcid = 0xff;
3486 	txwi->flags = wflags;
3487 	txwi->xflags = xflags;
3488 	txwi->txop = 0;	/* clear leftover garbage bits */
3489 
3490 	data->m = m;
3491 	data->ni = ni;
3492 	data->ridx = ridx;
3493 
3494 	run_set_tx_desc(sc, data);
3495 
3496 	DPRINTFN(10, "sending mgt frame len=%d rate=%d\n", m->m_pkthdr.len +
3497 	    (int)(sizeof(struct rt2870_txd) + sizeof(struct rt2860_txwi)),
3498 	    rt2860_rates[ridx].rate);
3499 
3500 	STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3501 
3502 	usbd_transfer_start(sc->sc_xfer[0]);
3503 
3504 	return (0);
3505 }
3506 
3507 static int
3508 run_sendprot(struct run_softc *sc,
3509     const struct mbuf *m, struct ieee80211_node *ni, int prot, int rate)
3510 {
3511 	struct ieee80211com *ic = ni->ni_ic;
3512 	struct ieee80211_frame *wh;
3513 	struct run_tx_data *data;
3514 	struct rt2870_txd *txd;
3515 	struct rt2860_txwi *txwi;
3516 	struct mbuf *mprot;
3517 	int ridx;
3518 	int protrate;
3519 	int ackrate;
3520 	int pktlen;
3521 	int isshort;
3522 	uint16_t dur;
3523 	uint8_t type;
3524 	uint8_t wflags = 0;
3525 	uint8_t xflags = 0;
3526 
3527 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3528 
3529 	KASSERT(prot == IEEE80211_PROT_RTSCTS || prot == IEEE80211_PROT_CTSONLY,
3530 	    ("protection %d", prot));
3531 
3532 	wh = mtod(m, struct ieee80211_frame *);
3533 	pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN;
3534 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3535 
3536 	protrate = ieee80211_ctl_rate(ic->ic_rt, rate);
3537 	ackrate = ieee80211_ack_rate(ic->ic_rt, rate);
3538 
3539 	isshort = (ic->ic_flags & IEEE80211_F_SHPREAMBLE) != 0;
3540 	dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort)
3541 	    + ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3542 	wflags = RT2860_TX_FRAG;
3543 
3544 	/* check that there are free slots before allocating the mbuf */
3545 	if (sc->sc_epq[0].tx_nfree == 0) {
3546 		/* let caller free mbuf */
3547 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3548 		return (ENOBUFS);
3549 	}
3550 
3551 	if (prot == IEEE80211_PROT_RTSCTS) {
3552 		/* NB: CTS is the same size as an ACK */
3553 		dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort);
3554 		xflags |= RT2860_TX_ACK;
3555 		mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur);
3556 	} else {
3557 		mprot = ieee80211_alloc_cts(ic, ni->ni_vap->iv_myaddr, dur);
3558 	}
3559 	if (mprot == NULL) {
3560 		sc->sc_ifp->if_oerrors++;
3561 		DPRINTF("could not allocate mbuf\n");
3562 		return (ENOBUFS);
3563 	}
3564 
3565         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3566         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3567         sc->sc_epq[0].tx_nfree--;
3568 
3569 	txd = (struct rt2870_txd *)&data->desc;
3570 	txd->flags = RT2860_TX_QSEL_EDCA;
3571 	txwi = (struct rt2860_txwi *)(txd + 1);
3572 	txwi->wcid = 0xff;
3573 	txwi->flags = wflags;
3574 	txwi->xflags = xflags;
3575 	txwi->txop = 0;	/* clear leftover garbage bits */
3576 
3577 	data->m = mprot;
3578 	data->ni = ieee80211_ref_node(ni);
3579 
3580 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3581 		if (rt2860_rates[ridx].rate == protrate)
3582 			break;
3583 	data->ridx = ridx;
3584 
3585 	run_set_tx_desc(sc, data);
3586 
3587         DPRINTFN(1, "sending prot len=%u rate=%u\n",
3588             m->m_pkthdr.len, rate);
3589 
3590         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3591 
3592 	usbd_transfer_start(sc->sc_xfer[0]);
3593 
3594 	return (0);
3595 }
3596 
3597 static int
3598 run_tx_param(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
3599     const struct ieee80211_bpf_params *params)
3600 {
3601 	struct ieee80211com *ic = ni->ni_ic;
3602 	struct ieee80211_frame *wh;
3603 	struct run_tx_data *data;
3604 	struct rt2870_txd *txd;
3605 	struct rt2860_txwi *txwi;
3606 	uint8_t type;
3607 	uint8_t ridx;
3608 	uint8_t rate;
3609 	uint8_t opflags = 0;
3610 	uint8_t xflags = 0;
3611 	int error;
3612 
3613 	RUN_LOCK_ASSERT(sc, MA_OWNED);
3614 
3615 	KASSERT(params != NULL, ("no raw xmit params"));
3616 
3617 	wh = mtod(m, struct ieee80211_frame *);
3618 	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3619 
3620 	rate = params->ibp_rate0;
3621 	if (!ieee80211_isratevalid(ic->ic_rt, rate)) {
3622 		/* let caller free mbuf */
3623 		return (EINVAL);
3624 	}
3625 
3626 	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
3627 		xflags |= RT2860_TX_ACK;
3628 	if (params->ibp_flags & (IEEE80211_BPF_RTS|IEEE80211_BPF_CTS)) {
3629 		error = run_sendprot(sc, m, ni,
3630 		    params->ibp_flags & IEEE80211_BPF_RTS ?
3631 			IEEE80211_PROT_RTSCTS : IEEE80211_PROT_CTSONLY,
3632 		    rate);
3633 		if (error) {
3634 			/* let caller free mbuf */
3635 			return error;
3636 		}
3637 		opflags |= /*XXX RT2573_TX_LONG_RETRY |*/ RT2860_TX_TXOP_SIFS;
3638 	}
3639 
3640 	if (sc->sc_epq[0].tx_nfree == 0) {
3641 		/* let caller free mbuf */
3642 		sc->sc_ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3643 		DPRINTF("sending raw frame, but tx ring is full\n");
3644 		return (EIO);
3645 	}
3646         data = STAILQ_FIRST(&sc->sc_epq[0].tx_fh);
3647         STAILQ_REMOVE_HEAD(&sc->sc_epq[0].tx_fh, next);
3648         sc->sc_epq[0].tx_nfree--;
3649 
3650 	txd = (struct rt2870_txd *)&data->desc;
3651 	txd->flags = RT2860_TX_QSEL_EDCA;
3652 	txwi = (struct rt2860_txwi *)(txd + 1);
3653 	txwi->wcid = 0xff;
3654 	txwi->xflags = xflags;
3655 	txwi->txop = opflags;
3656 	txwi->flags = 0;	/* clear leftover garbage bits */
3657 
3658         data->m = m;
3659         data->ni = ni;
3660 	for (ridx = 0; ridx < RT2860_RIDX_MAX; ridx++)
3661 		if (rt2860_rates[ridx].rate == rate)
3662 			break;
3663 	data->ridx = ridx;
3664 
3665         run_set_tx_desc(sc, data);
3666 
3667         DPRINTFN(10, "sending raw frame len=%u rate=%u\n",
3668             m->m_pkthdr.len, rate);
3669 
3670         STAILQ_INSERT_TAIL(&sc->sc_epq[0].tx_qh, data, next);
3671 
3672 	usbd_transfer_start(sc->sc_xfer[0]);
3673 
3674         return (0);
3675 }
3676 
3677 static int
3678 run_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
3679     const struct ieee80211_bpf_params *params)
3680 {
3681 	struct ifnet *ifp = ni->ni_ic->ic_ifp;
3682 	struct run_softc *sc = ifp->if_softc;
3683 	int error = 0;
3684 
3685 	RUN_LOCK(sc);
3686 
3687 	/* prevent management frames from being sent if we're not ready */
3688 	if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
3689 		error =  ENETDOWN;
3690 		goto done;
3691 	}
3692 
3693 	if (params == NULL) {
3694 		/* tx mgt packet */
3695 		if ((error = run_tx_mgt(sc, m, ni)) != 0) {
3696 			ifp->if_oerrors++;
3697 			DPRINTF("mgt tx failed\n");
3698 			goto done;
3699 		}
3700 	} else {
3701 		/* tx raw packet with param */
3702 		if ((error = run_tx_param(sc, m, ni, params)) != 0) {
3703 			ifp->if_oerrors++;
3704 			DPRINTF("tx with param failed\n");
3705 			goto done;
3706 		}
3707 	}
3708 
3709 	ifp->if_opackets++;
3710 
3711 done:
3712 	RUN_UNLOCK(sc);
3713 
3714 	if (error != 0) {
3715 		if(m != NULL)
3716 			m_freem(m);
3717 		ieee80211_free_node(ni);
3718 	}
3719 
3720 	return (error);
3721 }
3722 
3723 static void
3724 run_start(struct ifnet *ifp)
3725 {
3726 	struct run_softc *sc = ifp->if_softc;
3727 	struct ieee80211_node *ni;
3728 	struct mbuf *m;
3729 
3730 	RUN_LOCK(sc);
3731 
3732 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
3733 		RUN_UNLOCK(sc);
3734 		return;
3735 	}
3736 
3737 	for (;;) {
3738 		/* send data frames */
3739 		IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
3740 		if (m == NULL)
3741 			break;
3742 
3743 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
3744 		if (run_tx(sc, m, ni) != 0) {
3745 			IFQ_DRV_PREPEND(&ifp->if_snd, m);
3746 			ifp->if_drv_flags |= IFF_DRV_OACTIVE;
3747 			break;
3748 		}
3749 	}
3750 
3751 	RUN_UNLOCK(sc);
3752 }
3753 
3754 static int
3755 run_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
3756 {
3757 	struct run_softc *sc = ifp->if_softc;
3758 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
3759 	struct ifreq *ifr = (struct ifreq *) data;
3760 	int startall = 0;
3761 	int error;
3762 
3763 	RUN_LOCK(sc);
3764 	error = sc->sc_detached ? ENXIO : 0;
3765 	RUN_UNLOCK(sc);
3766 	if (error)
3767 		return (error);
3768 
3769 	switch (cmd) {
3770 	case SIOCSIFFLAGS:
3771 		RUN_LOCK(sc);
3772 		if (ifp->if_flags & IFF_UP) {
3773 			if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)){
3774 				startall = 1;
3775 				run_init_locked(sc);
3776 			} else
3777 				run_update_promisc_locked(ifp);
3778 		} else {
3779 			if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
3780 			    (ic->ic_nrunning == 0 || sc->rvp_cnt <= 1)) {
3781 					run_stop(sc);
3782 			}
3783 		}
3784 		RUN_UNLOCK(sc);
3785 		if (startall)
3786 			ieee80211_start_all(ic);
3787 		break;
3788 	case SIOCGIFMEDIA:
3789 		error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
3790 		break;
3791 	case SIOCGIFADDR:
3792 		error = ether_ioctl(ifp, cmd, data);
3793 		break;
3794 	default:
3795 		error = EINVAL;
3796 		break;
3797 	}
3798 
3799 	return (error);
3800 }
3801 
3802 static void
3803 run_iq_calib(struct run_softc *sc, u_int chan)
3804 {
3805 	uint16_t val;
3806 
3807 	/* Tx0 IQ gain. */
3808 	run_bbp_write(sc, 158, 0x2c);
3809 	if (chan <= 14)
3810 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX0_2GHZ, &val, 1);
3811 	else if (chan <= 64) {
3812 		run_efuse_read(sc,
3813 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH36_TO_CH64_5GHZ,
3814 		    &val, 1);
3815 	} else if (chan <= 138) {
3816 		run_efuse_read(sc,
3817 		    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH100_TO_CH138_5GHZ,
3818 		    &val, 1);
3819 	} else if (chan <= 165) {
3820 		run_efuse_read(sc,
3821 	    RT5390_EEPROM_IQ_GAIN_CAL_TX0_CH140_TO_CH165_5GHZ,
3822 		    &val, 1);
3823 	} else
3824 		val = 0;
3825 	run_bbp_write(sc, 159, val);
3826 
3827 	/* Tx0 IQ phase. */
3828 	run_bbp_write(sc, 158, 0x2d);
3829 	if (chan <= 14) {
3830 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX0_2GHZ,
3831 		    &val, 1);
3832 	} else if (chan <= 64) {
3833 		run_efuse_read(sc,
3834 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH36_TO_CH64_5GHZ,
3835 		    &val, 1);
3836 	} else if (chan <= 138) {
3837 		run_efuse_read(sc,
3838 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH100_TO_CH138_5GHZ,
3839 		    &val, 1);
3840 	} else if (chan <= 165) {
3841 		run_efuse_read(sc,
3842 		    RT5390_EEPROM_IQ_PHASE_CAL_TX0_CH140_TO_CH165_5GHZ,
3843 		    &val, 1);
3844 	} else
3845 		val = 0;
3846 	run_bbp_write(sc, 159, val);
3847 
3848 	/* Tx1 IQ gain. */
3849 	run_bbp_write(sc, 158, 0x4a);
3850 	if (chan <= 14) {
3851 		run_efuse_read(sc, RT5390_EEPROM_IQ_GAIN_CAL_TX1_2GHZ,
3852 		    &val, 1);
3853 	} else if (chan <= 64) {
3854 		run_efuse_read(sc,
3855 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH36_TO_CH64_5GHZ,
3856 		    &val, 1);
3857 	} else if (chan <= 138) {
3858 		run_efuse_read(sc,
3859 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH100_TO_CH138_5GHZ,
3860 		    &val, 1);
3861 	} else if (chan <= 165) {
3862 		run_efuse_read(sc,
3863 		    RT5390_EEPROM_IQ_GAIN_CAL_TX1_CH140_TO_CH165_5GHZ,
3864 		    &val, 1);
3865 	} else
3866 		val = 0;
3867 	run_bbp_write(sc, 159, val);
3868 
3869 	/* Tx1 IQ phase. */
3870 	run_bbp_write(sc, 158, 0x4b);
3871 	if (chan <= 14) {
3872 		run_efuse_read(sc, RT5390_EEPROM_IQ_PHASE_CAL_TX1_2GHZ,
3873 		    &val, 1);
3874 	} else if (chan <= 64) {
3875 		run_efuse_read(sc,
3876 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH36_TO_CH64_5GHZ,
3877 		    &val, 1);
3878 	} else if (chan <= 138) {
3879 		run_efuse_read(sc,
3880 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH100_TO_CH138_5GHZ,
3881 		    &val, 1);
3882 	} else if (chan <= 165) {
3883 		run_efuse_read(sc,
3884 		    RT5390_EEPROM_IQ_PHASE_CAL_TX1_CH140_TO_CH165_5GHZ,
3885 		    &val, 1);
3886 	} else
3887 		val = 0;
3888 	run_bbp_write(sc, 159, val);
3889 
3890 	/* RF IQ compensation control. */
3891 	run_bbp_write(sc, 158, 0x04);
3892 	run_efuse_read(sc, RT5390_EEPROM_RF_IQ_COMPENSATION_CTL,
3893 	    &val, 1);
3894 	run_bbp_write(sc, 159, val);
3895 
3896 	/* RF IQ imbalance compensation control. */
3897 	run_bbp_write(sc, 158, 0x03);
3898 	run_efuse_read(sc,
3899 	    RT5390_EEPROM_RF_IQ_IMBALANCE_COMPENSATION_CTL, &val, 1);
3900 	run_bbp_write(sc, 159, val);
3901 }
3902 
3903 static void
3904 run_set_agc(struct run_softc *sc, uint8_t agc)
3905 {
3906 	uint8_t bbp;
3907 
3908 	if (sc->mac_ver == 0x3572) {
3909 		run_bbp_read(sc, 27, &bbp);
3910 		bbp &= ~(0x3 << 5);
3911 		run_bbp_write(sc, 27, bbp | 0 << 5);	/* select Rx0 */
3912 		run_bbp_write(sc, 66, agc);
3913 		run_bbp_write(sc, 27, bbp | 1 << 5);	/* select Rx1 */
3914 		run_bbp_write(sc, 66, agc);
3915 	} else
3916 		run_bbp_write(sc, 66, agc);
3917 }
3918 
3919 static void
3920 run_select_chan_group(struct run_softc *sc, int group)
3921 {
3922 	uint32_t tmp;
3923 	uint8_t agc;
3924 
3925 	run_bbp_write(sc, 62, 0x37 - sc->lna[group]);
3926 	run_bbp_write(sc, 63, 0x37 - sc->lna[group]);
3927 	run_bbp_write(sc, 64, 0x37 - sc->lna[group]);
3928 	if (sc->mac_ver < 0x3572)
3929 		run_bbp_write(sc, 86, 0x00);
3930 
3931 	if (sc->mac_ver == 0x3593) {
3932 		run_bbp_write(sc, 77, 0x98);
3933 		run_bbp_write(sc, 83, (group == 0) ? 0x8a : 0x9a);
3934 	}
3935 
3936 	if (group == 0) {
3937 		if (sc->ext_2ghz_lna) {
3938 			if (sc->mac_ver >= 0x5390)
3939 				run_bbp_write(sc, 75, 0x52);
3940 			else {
3941 				run_bbp_write(sc, 82, 0x62);
3942 				run_bbp_write(sc, 75, 0x46);
3943 			}
3944 		} else {
3945 			if (sc->mac_ver == 0x5592) {
3946 				run_bbp_write(sc, 79, 0x1c);
3947 				run_bbp_write(sc, 80, 0x0e);
3948 				run_bbp_write(sc, 81, 0x3a);
3949 				run_bbp_write(sc, 82, 0x62);
3950 
3951 				run_bbp_write(sc, 195, 0x80);
3952 				run_bbp_write(sc, 196, 0xe0);
3953 				run_bbp_write(sc, 195, 0x81);
3954 				run_bbp_write(sc, 196, 0x1f);
3955 				run_bbp_write(sc, 195, 0x82);
3956 				run_bbp_write(sc, 196, 0x38);
3957 				run_bbp_write(sc, 195, 0x83);
3958 				run_bbp_write(sc, 196, 0x32);
3959 				run_bbp_write(sc, 195, 0x85);
3960 				run_bbp_write(sc, 196, 0x28);
3961 				run_bbp_write(sc, 195, 0x86);
3962 				run_bbp_write(sc, 196, 0x19);
3963 			} else if (sc->mac_ver >= 0x5390)
3964 				run_bbp_write(sc, 75, 0x50);
3965 			else {
3966 				run_bbp_write(sc, 82,
3967 				    (sc->mac_ver == 0x3593) ? 0x62 : 0x84);
3968 				run_bbp_write(sc, 75, 0x50);
3969 			}
3970 		}
3971 	} else {
3972 		if (sc->mac_ver == 0x5592) {
3973 			run_bbp_write(sc, 79, 0x18);
3974 			run_bbp_write(sc, 80, 0x08);
3975 			run_bbp_write(sc, 81, 0x38);
3976 			run_bbp_write(sc, 82, 0x92);
3977 
3978 			run_bbp_write(sc, 195, 0x80);
3979 			run_bbp_write(sc, 196, 0xf0);
3980 			run_bbp_write(sc, 195, 0x81);
3981 			run_bbp_write(sc, 196, 0x1e);
3982 			run_bbp_write(sc, 195, 0x82);
3983 			run_bbp_write(sc, 196, 0x28);
3984 			run_bbp_write(sc, 195, 0x83);
3985 			run_bbp_write(sc, 196, 0x20);
3986 			run_bbp_write(sc, 195, 0x85);
3987 			run_bbp_write(sc, 196, 0x7f);
3988 			run_bbp_write(sc, 195, 0x86);
3989 			run_bbp_write(sc, 196, 0x7f);
3990 		} else if (sc->mac_ver == 0x3572)
3991 			run_bbp_write(sc, 82, 0x94);
3992 		else
3993 			run_bbp_write(sc, 82,
3994 			    (sc->mac_ver == 0x3593) ? 0x82 : 0xf2);
3995 		if (sc->ext_5ghz_lna)
3996 			run_bbp_write(sc, 75, 0x46);
3997 		else
3998 			run_bbp_write(sc, 75, 0x50);
3999 	}
4000 
4001 	run_read(sc, RT2860_TX_BAND_CFG, &tmp);
4002 	tmp &= ~(RT2860_5G_BAND_SEL_N | RT2860_5G_BAND_SEL_P);
4003 	tmp |= (group == 0) ? RT2860_5G_BAND_SEL_N : RT2860_5G_BAND_SEL_P;
4004 	run_write(sc, RT2860_TX_BAND_CFG, tmp);
4005 
4006 	/* enable appropriate Power Amplifiers and Low Noise Amplifiers */
4007 	tmp = RT2860_RFTR_EN | RT2860_TRSW_EN | RT2860_LNA_PE0_EN;
4008 	if (sc->mac_ver == 0x3593)
4009 		tmp |= 1 << 29 | 1 << 28;
4010 	if (sc->nrxchains > 1)
4011 		tmp |= RT2860_LNA_PE1_EN;
4012 	if (group == 0) {	/* 2GHz */
4013 		tmp |= RT2860_PA_PE_G0_EN;
4014 		if (sc->ntxchains > 1)
4015 			tmp |= RT2860_PA_PE_G1_EN;
4016 		if (sc->mac_ver == 0x3593) {
4017 			if (sc->ntxchains > 2)
4018 				tmp |= 1 << 25;
4019 		}
4020 	} else {		/* 5GHz */
4021 		tmp |= RT2860_PA_PE_A0_EN;
4022 		if (sc->ntxchains > 1)
4023 			tmp |= RT2860_PA_PE_A1_EN;
4024 	}
4025 	if (sc->mac_ver == 0x3572) {
4026 		run_rt3070_rf_write(sc, 8, 0x00);
4027 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4028 		run_rt3070_rf_write(sc, 8, 0x80);
4029 	} else
4030 		run_write(sc, RT2860_TX_PIN_CFG, tmp);
4031 
4032 	if (sc->mac_ver == 0x5592) {
4033 		run_bbp_write(sc, 195, 0x8d);
4034 		run_bbp_write(sc, 196, 0x1a);
4035 	}
4036 
4037 	if (sc->mac_ver == 0x3593) {
4038 		run_read(sc, RT2860_GPIO_CTRL, &tmp);
4039 		tmp &= ~0x01010000;
4040 		if (group == 0)
4041 			tmp |= 0x00010000;
4042 		tmp = (tmp & ~0x00009090) | 0x00000090;
4043 		run_write(sc, RT2860_GPIO_CTRL, tmp);
4044 	}
4045 
4046 	/* set initial AGC value */
4047 	if (group == 0) {	/* 2GHz band */
4048 		if (sc->mac_ver >= 0x3070)
4049 			agc = 0x1c + sc->lna[0] * 2;
4050 		else
4051 			agc = 0x2e + sc->lna[0];
4052 	} else {		/* 5GHz band */
4053 		if (sc->mac_ver == 0x5592)
4054 			agc = 0x24 + sc->lna[group] * 2;
4055 		else if (sc->mac_ver == 0x3572 || sc->mac_ver == 0x3593)
4056 			agc = 0x22 + (sc->lna[group] * 5) / 3;
4057 		else
4058 			agc = 0x32 + (sc->lna[group] * 5) / 3;
4059 	}
4060 	run_set_agc(sc, agc);
4061 }
4062 
4063 static void
4064 run_rt2870_set_chan(struct run_softc *sc, u_int chan)
4065 {
4066 	const struct rfprog *rfprog = rt2860_rf2850;
4067 	uint32_t r2, r3, r4;
4068 	int8_t txpow1, txpow2;
4069 	int i;
4070 
4071 	/* find the settings for this channel (we know it exists) */
4072 	for (i = 0; rfprog[i].chan != chan; i++);
4073 
4074 	r2 = rfprog[i].r2;
4075 	if (sc->ntxchains == 1)
4076 		r2 |= 1 << 14;		/* 1T: disable Tx chain 2 */
4077 	if (sc->nrxchains == 1)
4078 		r2 |= 1 << 17 | 1 << 6;	/* 1R: disable Rx chains 2 & 3 */
4079 	else if (sc->nrxchains == 2)
4080 		r2 |= 1 << 6;		/* 2R: disable Rx chain 3 */
4081 
4082 	/* use Tx power values from EEPROM */
4083 	txpow1 = sc->txpow1[i];
4084 	txpow2 = sc->txpow2[i];
4085 
4086 	/* Initialize RF R3 and R4. */
4087 	r3 = rfprog[i].r3 & 0xffffc1ff;
4088 	r4 = (rfprog[i].r4 & ~(0x001f87c0)) | (sc->freq << 15);
4089 	if (chan > 14) {
4090 		if (txpow1 >= 0) {
4091 			txpow1 = (txpow1 > 0xf) ? (0xf) : (txpow1);
4092 			r3 |= (txpow1 << 10) | (1 << 9);
4093 		} else {
4094 			txpow1 += 7;
4095 
4096 			/* txpow1 is not possible larger than 15. */
4097 			r3 |= (txpow1 << 10);
4098 		}
4099 		if (txpow2 >= 0) {
4100 			txpow2 = (txpow2 > 0xf) ? (0xf) : (txpow2);
4101 			r4 |= (txpow2 << 7) | (1 << 6);
4102 		} else {
4103 			txpow2 += 7;
4104 			r4 |= (txpow2 << 7);
4105 		}
4106 	} else {
4107 		/* Set Tx0 power. */
4108 		r3 |= (txpow1 << 9);
4109 
4110 		/* Set frequency offset and Tx1 power. */
4111 		r4 |= (txpow2 << 6);
4112 	}
4113 
4114 	run_rt2870_rf_write(sc, rfprog[i].r1);
4115 	run_rt2870_rf_write(sc, r2);
4116 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4117 	run_rt2870_rf_write(sc, r4);
4118 
4119 	run_delay(sc, 10);
4120 
4121 	run_rt2870_rf_write(sc, rfprog[i].r1);
4122 	run_rt2870_rf_write(sc, r2);
4123 	run_rt2870_rf_write(sc, r3 | (1 << 2));
4124 	run_rt2870_rf_write(sc, r4);
4125 
4126 	run_delay(sc, 10);
4127 
4128 	run_rt2870_rf_write(sc, rfprog[i].r1);
4129 	run_rt2870_rf_write(sc, r2);
4130 	run_rt2870_rf_write(sc, r3 & ~(1 << 2));
4131 	run_rt2870_rf_write(sc, r4);
4132 }
4133 
4134 static void
4135 run_rt3070_set_chan(struct run_softc *sc, u_int chan)
4136 {
4137 	int8_t txpow1, txpow2;
4138 	uint8_t rf;
4139 	int i;
4140 
4141 	/* find the settings for this channel (we know it exists) */
4142 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4143 
4144 	/* use Tx power values from EEPROM */
4145 	txpow1 = sc->txpow1[i];
4146 	txpow2 = sc->txpow2[i];
4147 
4148 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4149 
4150 	/* RT3370/RT3390: RF R3 [7:4] is not reserved bits. */
4151 	run_rt3070_rf_read(sc, 3, &rf);
4152 	rf = (rf & ~0x0f) | rt3070_freqs[i].k;
4153 	run_rt3070_rf_write(sc, 3, rf);
4154 
4155 	run_rt3070_rf_read(sc, 6, &rf);
4156 	rf = (rf & ~0x03) | rt3070_freqs[i].r;
4157 	run_rt3070_rf_write(sc, 6, rf);
4158 
4159 	/* set Tx0 power */
4160 	run_rt3070_rf_read(sc, 12, &rf);
4161 	rf = (rf & ~0x1f) | txpow1;
4162 	run_rt3070_rf_write(sc, 12, rf);
4163 
4164 	/* set Tx1 power */
4165 	run_rt3070_rf_read(sc, 13, &rf);
4166 	rf = (rf & ~0x1f) | txpow2;
4167 	run_rt3070_rf_write(sc, 13, rf);
4168 
4169 	run_rt3070_rf_read(sc, 1, &rf);
4170 	rf &= ~0xfc;
4171 	if (sc->ntxchains == 1)
4172 		rf |= 1 << 7 | 1 << 5;	/* 1T: disable Tx chains 2 & 3 */
4173 	else if (sc->ntxchains == 2)
4174 		rf |= 1 << 7;		/* 2T: disable Tx chain 3 */
4175 	if (sc->nrxchains == 1)
4176 		rf |= 1 << 6 | 1 << 4;	/* 1R: disable Rx chains 2 & 3 */
4177 	else if (sc->nrxchains == 2)
4178 		rf |= 1 << 6;		/* 2R: disable Rx chain 3 */
4179 	run_rt3070_rf_write(sc, 1, rf);
4180 
4181 	/* set RF offset */
4182 	run_rt3070_rf_read(sc, 23, &rf);
4183 	rf = (rf & ~0x7f) | sc->freq;
4184 	run_rt3070_rf_write(sc, 23, rf);
4185 
4186 	/* program RF filter */
4187 	run_rt3070_rf_read(sc, 24, &rf);	/* Tx */
4188 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4189 	run_rt3070_rf_write(sc, 24, rf);
4190 	run_rt3070_rf_read(sc, 31, &rf);	/* Rx */
4191 	rf = (rf & ~0x3f) | sc->rf24_20mhz;
4192 	run_rt3070_rf_write(sc, 31, rf);
4193 
4194 	/* enable RF tuning */
4195 	run_rt3070_rf_read(sc, 7, &rf);
4196 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4197 }
4198 
4199 static void
4200 run_rt3572_set_chan(struct run_softc *sc, u_int chan)
4201 {
4202 	int8_t txpow1, txpow2;
4203 	uint32_t tmp;
4204 	uint8_t rf;
4205 	int i;
4206 
4207 	/* find the settings for this channel (we know it exists) */
4208 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4209 
4210 	/* use Tx power values from EEPROM */
4211 	txpow1 = sc->txpow1[i];
4212 	txpow2 = sc->txpow2[i];
4213 
4214 	if (chan <= 14) {
4215 		run_bbp_write(sc, 25, sc->bbp25);
4216 		run_bbp_write(sc, 26, sc->bbp26);
4217 	} else {
4218 		/* enable IQ phase correction */
4219 		run_bbp_write(sc, 25, 0x09);
4220 		run_bbp_write(sc, 26, 0xff);
4221 	}
4222 
4223 	run_rt3070_rf_write(sc, 2, rt3070_freqs[i].n);
4224 	run_rt3070_rf_write(sc, 3, rt3070_freqs[i].k);
4225 	run_rt3070_rf_read(sc, 6, &rf);
4226 	rf  = (rf & ~0x0f) | rt3070_freqs[i].r;
4227 	rf |= (chan <= 14) ? 0x08 : 0x04;
4228 	run_rt3070_rf_write(sc, 6, rf);
4229 
4230 	/* set PLL mode */
4231 	run_rt3070_rf_read(sc, 5, &rf);
4232 	rf &= ~(0x08 | 0x04);
4233 	rf |= (chan <= 14) ? 0x04 : 0x08;
4234 	run_rt3070_rf_write(sc, 5, rf);
4235 
4236 	/* set Tx power for chain 0 */
4237 	if (chan <= 14)
4238 		rf = 0x60 | txpow1;
4239 	else
4240 		rf = 0xe0 | (txpow1 & 0xc) << 1 | (txpow1 & 0x3);
4241 	run_rt3070_rf_write(sc, 12, rf);
4242 
4243 	/* set Tx power for chain 1 */
4244 	if (chan <= 14)
4245 		rf = 0x60 | txpow2;
4246 	else
4247 		rf = 0xe0 | (txpow2 & 0xc) << 1 | (txpow2 & 0x3);
4248 	run_rt3070_rf_write(sc, 13, rf);
4249 
4250 	/* set Tx/Rx streams */
4251 	run_rt3070_rf_read(sc, 1, &rf);
4252 	rf &= ~0xfc;
4253 	if (sc->ntxchains == 1)
4254 		rf |= 1 << 7 | 1 << 5;  /* 1T: disable Tx chains 2 & 3 */
4255 	else if (sc->ntxchains == 2)
4256 		rf |= 1 << 7;           /* 2T: disable Tx chain 3 */
4257 	if (sc->nrxchains == 1)
4258 		rf |= 1 << 6 | 1 << 4;  /* 1R: disable Rx chains 2 & 3 */
4259 	else if (sc->nrxchains == 2)
4260 		rf |= 1 << 6;           /* 2R: disable Rx chain 3 */
4261 	run_rt3070_rf_write(sc, 1, rf);
4262 
4263 	/* set RF offset */
4264 	run_rt3070_rf_read(sc, 23, &rf);
4265 	rf = (rf & ~0x7f) | sc->freq;
4266 	run_rt3070_rf_write(sc, 23, rf);
4267 
4268 	/* program RF filter */
4269 	rf = sc->rf24_20mhz;
4270 	run_rt3070_rf_write(sc, 24, rf);	/* Tx */
4271 	run_rt3070_rf_write(sc, 31, rf);	/* Rx */
4272 
4273 	/* enable RF tuning */
4274 	run_rt3070_rf_read(sc, 7, &rf);
4275 	rf = (chan <= 14) ? 0xd8 : ((rf & ~0xc8) | 0x14);
4276 	run_rt3070_rf_write(sc, 7, rf);
4277 
4278 	/* TSSI */
4279 	rf = (chan <= 14) ? 0xc3 : 0xc0;
4280 	run_rt3070_rf_write(sc, 9, rf);
4281 
4282 	/* set loop filter 1 */
4283 	run_rt3070_rf_write(sc, 10, 0xf1);
4284 	/* set loop filter 2 */
4285 	run_rt3070_rf_write(sc, 11, (chan <= 14) ? 0xb9 : 0x00);
4286 
4287 	/* set tx_mx2_ic */
4288 	run_rt3070_rf_write(sc, 15, (chan <= 14) ? 0x53 : 0x43);
4289 	/* set tx_mx1_ic */
4290 	if (chan <= 14)
4291 		rf = 0x48 | sc->txmixgain_2ghz;
4292 	else
4293 		rf = 0x78 | sc->txmixgain_5ghz;
4294 	run_rt3070_rf_write(sc, 16, rf);
4295 
4296 	/* set tx_lo1 */
4297 	run_rt3070_rf_write(sc, 17, 0x23);
4298 	/* set tx_lo2 */
4299 	if (chan <= 14)
4300 		rf = 0x93;
4301 	else if (chan <= 64)
4302 		rf = 0xb7;
4303 	else if (chan <= 128)
4304 		rf = 0x74;
4305 	else
4306 		rf = 0x72;
4307 	run_rt3070_rf_write(sc, 19, rf);
4308 
4309 	/* set rx_lo1 */
4310 	if (chan <= 14)
4311 		rf = 0xb3;
4312 	else if (chan <= 64)
4313 		rf = 0xf6;
4314 	else if (chan <= 128)
4315 		rf = 0xf4;
4316 	else
4317 		rf = 0xf3;
4318 	run_rt3070_rf_write(sc, 20, rf);
4319 
4320 	/* set pfd_delay */
4321 	if (chan <= 14)
4322 		rf = 0x15;
4323 	else if (chan <= 64)
4324 		rf = 0x3d;
4325 	else
4326 		rf = 0x01;
4327 	run_rt3070_rf_write(sc, 25, rf);
4328 
4329 	/* set rx_lo2 */
4330 	run_rt3070_rf_write(sc, 26, (chan <= 14) ? 0x85 : 0x87);
4331 	/* set ldo_rf_vc */
4332 	run_rt3070_rf_write(sc, 27, (chan <= 14) ? 0x00 : 0x01);
4333 	/* set drv_cc */
4334 	run_rt3070_rf_write(sc, 29, (chan <= 14) ? 0x9b : 0x9f);
4335 
4336 	run_read(sc, RT2860_GPIO_CTRL, &tmp);
4337 	tmp &= ~0x8080;
4338 	if (chan <= 14)
4339 		tmp |= 0x80;
4340 	run_write(sc, RT2860_GPIO_CTRL, tmp);
4341 
4342 	/* enable RF tuning */
4343 	run_rt3070_rf_read(sc, 7, &rf);
4344 	run_rt3070_rf_write(sc, 7, rf | 0x01);
4345 
4346 	run_delay(sc, 2);
4347 }
4348 
4349 static void
4350 run_rt3593_set_chan(struct run_softc *sc, u_int chan)
4351 {
4352 	int8_t txpow1, txpow2, txpow3;
4353 	uint8_t h20mhz, rf;
4354 	int i;
4355 
4356 	/* find the settings for this channel (we know it exists) */
4357 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4358 
4359 	/* use Tx power values from EEPROM */
4360 	txpow1 = sc->txpow1[i];
4361 	txpow2 = sc->txpow2[i];
4362 	txpow3 = (sc->ntxchains == 3) ? sc->txpow3[i] : 0;
4363 
4364 	if (chan <= 14) {
4365 		run_bbp_write(sc, 25, sc->bbp25);
4366 		run_bbp_write(sc, 26, sc->bbp26);
4367 	} else {
4368 		/* Enable IQ phase correction. */
4369 		run_bbp_write(sc, 25, 0x09);
4370 		run_bbp_write(sc, 26, 0xff);
4371 	}
4372 
4373 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4374 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4375 	run_rt3070_rf_read(sc, 11, &rf);
4376 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4377 	run_rt3070_rf_write(sc, 11, rf);
4378 
4379 	/* Set pll_idoh. */
4380 	run_rt3070_rf_read(sc, 11, &rf);
4381 	rf &= ~0x4c;
4382 	rf |= (chan <= 14) ? 0x44 : 0x48;
4383 	run_rt3070_rf_write(sc, 11, rf);
4384 
4385 	if (chan <= 14)
4386 		rf = txpow1 & 0x1f;
4387 	else
4388 		rf = 0x40 | ((txpow1 & 0x18) << 1) | (txpow1 & 0x07);
4389 	run_rt3070_rf_write(sc, 53, rf);
4390 
4391 	if (chan <= 14)
4392 		rf = txpow2 & 0x1f;
4393 	else
4394 		rf = 0x40 | ((txpow2 & 0x18) << 1) | (txpow2 & 0x07);
4395 	run_rt3070_rf_write(sc, 55, rf);
4396 
4397 	if (chan <= 14)
4398 		rf = txpow3 & 0x1f;
4399 	else
4400 		rf = 0x40 | ((txpow3 & 0x18) << 1) | (txpow3 & 0x07);
4401 	run_rt3070_rf_write(sc, 54, rf);
4402 
4403 	rf = RT3070_RF_BLOCK | RT3070_PLL_PD;
4404 	if (sc->ntxchains == 3)
4405 		rf |= RT3070_TX0_PD | RT3070_TX1_PD | RT3070_TX2_PD;
4406 	else
4407 		rf |= RT3070_TX0_PD | RT3070_TX1_PD;
4408 	rf |= RT3070_RX0_PD | RT3070_RX1_PD | RT3070_RX2_PD;
4409 	run_rt3070_rf_write(sc, 1, rf);
4410 
4411 	run_adjust_freq_offset(sc);
4412 
4413 	run_rt3070_rf_write(sc, 31, (chan <= 14) ? 0xa0 : 0x80);
4414 
4415 	h20mhz = (sc->rf24_20mhz & 0x20) >> 5;
4416 	run_rt3070_rf_read(sc, 30, &rf);
4417 	rf = (rf & ~0x06) | (h20mhz << 1) | (h20mhz << 2);
4418 	run_rt3070_rf_write(sc, 30, rf);
4419 
4420 	run_rt3070_rf_read(sc, 36, &rf);
4421 	if (chan <= 14)
4422 		rf |= 0x80;
4423 	else
4424 		rf &= ~0x80;
4425 	run_rt3070_rf_write(sc, 36, rf);
4426 
4427 	/* Set vcolo_bs. */
4428 	run_rt3070_rf_write(sc, 34, (chan <= 14) ? 0x3c : 0x20);
4429 	/* Set pfd_delay. */
4430 	run_rt3070_rf_write(sc, 12, (chan <= 14) ? 0x1a : 0x12);
4431 
4432 	/* Set vco bias current control. */
4433 	run_rt3070_rf_read(sc, 6, &rf);
4434 	rf &= ~0xc0;
4435 	if (chan <= 14)
4436 		rf |= 0x40;
4437 	else if (chan <= 128)
4438 		rf |= 0x80;
4439 	else
4440 		rf |= 0x40;
4441 	run_rt3070_rf_write(sc, 6, rf);
4442 
4443 	run_rt3070_rf_read(sc, 30, &rf);
4444 	rf = (rf & ~0x18) | 0x10;
4445 	run_rt3070_rf_write(sc, 30, rf);
4446 
4447 	run_rt3070_rf_write(sc, 10, (chan <= 14) ? 0xd3 : 0xd8);
4448 	run_rt3070_rf_write(sc, 13, (chan <= 14) ? 0x12 : 0x23);
4449 
4450 	run_rt3070_rf_read(sc, 51, &rf);
4451 	rf = (rf & ~0x03) | 0x01;
4452 	run_rt3070_rf_write(sc, 51, rf);
4453 	/* Set tx_mx1_cc. */
4454 	run_rt3070_rf_read(sc, 51, &rf);
4455 	rf &= ~0x1c;
4456 	rf |= (chan <= 14) ? 0x14 : 0x10;
4457 	run_rt3070_rf_write(sc, 51, rf);
4458 	/* Set tx_mx1_ic. */
4459 	run_rt3070_rf_read(sc, 51, &rf);
4460 	rf &= ~0xe0;
4461 	rf |= (chan <= 14) ? 0x60 : 0x40;
4462 	run_rt3070_rf_write(sc, 51, rf);
4463 	/* Set tx_lo1_ic. */
4464 	run_rt3070_rf_read(sc, 49, &rf);
4465 	rf &= ~0x1c;
4466 	rf |= (chan <= 14) ? 0x0c : 0x08;
4467 	run_rt3070_rf_write(sc, 49, rf);
4468 	/* Set tx_lo1_en. */
4469 	run_rt3070_rf_read(sc, 50, &rf);
4470 	run_rt3070_rf_write(sc, 50, rf & ~0x20);
4471 	/* Set drv_cc. */
4472 	run_rt3070_rf_read(sc, 57, &rf);
4473 	rf &= ~0xfc;
4474 	rf |= (chan <= 14) ?  0x6c : 0x3c;
4475 	run_rt3070_rf_write(sc, 57, rf);
4476 	/* Set rx_mix1_ic, rxa_lnactr, lna_vc, lna_inbias_en and lna_en. */
4477 	run_rt3070_rf_write(sc, 44, (chan <= 14) ? 0x93 : 0x9b);
4478 	/* Set drv_gnd_a, tx_vga_cc_a and tx_mx2_gain. */
4479 	run_rt3070_rf_write(sc, 52, (chan <= 14) ? 0x45 : 0x05);
4480 	/* Enable VCO calibration. */
4481 	run_rt3070_rf_read(sc, 3, &rf);
4482 	rf &= ~RT5390_VCOCAL;
4483 	rf |= (chan <= 14) ? RT5390_VCOCAL : 0xbe;
4484 	run_rt3070_rf_write(sc, 3, rf);
4485 
4486 	if (chan <= 14)
4487 		rf = 0x23;
4488 	else if (chan <= 64)
4489 		rf = 0x36;
4490 	else if (chan <= 128)
4491 		rf = 0x32;
4492 	else
4493 		rf = 0x30;
4494 	run_rt3070_rf_write(sc, 39, rf);
4495 	if (chan <= 14)
4496 		rf = 0xbb;
4497 	else if (chan <= 64)
4498 		rf = 0xeb;
4499 	else if (chan <= 128)
4500 		rf = 0xb3;
4501 	else
4502 		rf = 0x9b;
4503 	run_rt3070_rf_write(sc, 45, rf);
4504 
4505 	/* Set FEQ/AEQ control. */
4506 	run_bbp_write(sc, 105, 0x34);
4507 }
4508 
4509 static void
4510 run_rt5390_set_chan(struct run_softc *sc, u_int chan)
4511 {
4512 	int8_t txpow1, txpow2;
4513 	uint8_t rf;
4514 	int i;
4515 
4516 	/* find the settings for this channel (we know it exists) */
4517 	for (i = 0; rt2860_rf2850[i].chan != chan; i++);
4518 
4519 	/* use Tx power values from EEPROM */
4520 	txpow1 = sc->txpow1[i];
4521 	txpow2 = sc->txpow2[i];
4522 
4523 	run_rt3070_rf_write(sc, 8, rt3070_freqs[i].n);
4524 	run_rt3070_rf_write(sc, 9, rt3070_freqs[i].k & 0x0f);
4525 	run_rt3070_rf_read(sc, 11, &rf);
4526 	rf = (rf & ~0x03) | (rt3070_freqs[i].r & 0x03);
4527 	run_rt3070_rf_write(sc, 11, rf);
4528 
4529 	run_rt3070_rf_read(sc, 49, &rf);
4530 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4531 	/* The valid range of the RF R49 is 0x00 to 0x27. */
4532 	if ((rf & 0x3f) > 0x27)
4533 		rf = (rf & ~0x3f) | 0x27;
4534 	run_rt3070_rf_write(sc, 49, rf);
4535 
4536 	if (sc->mac_ver == 0x5392) {
4537 		run_rt3070_rf_read(sc, 50, &rf);
4538 		rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4539 		/* The valid range of the RF R50 is 0x00 to 0x27. */
4540 		if ((rf & 0x3f) > 0x27)
4541 			rf = (rf & ~0x3f) | 0x27;
4542 		run_rt3070_rf_write(sc, 50, rf);
4543 	}
4544 
4545 	run_rt3070_rf_read(sc, 1, &rf);
4546 	rf |= RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD;
4547 	if (sc->mac_ver == 0x5392)
4548 		rf |= RT3070_RX1_PD | RT3070_TX1_PD;
4549 	run_rt3070_rf_write(sc, 1, rf);
4550 
4551 	if (sc->mac_ver != 0x5392) {
4552 		run_rt3070_rf_read(sc, 2, &rf);
4553 		rf |= 0x80;
4554 		run_rt3070_rf_write(sc, 2, rf);
4555 		run_delay(sc, 10);
4556 		rf &= 0x7f;
4557 		run_rt3070_rf_write(sc, 2, rf);
4558 	}
4559 
4560 	run_adjust_freq_offset(sc);
4561 
4562 	if (sc->mac_ver == 0x5392) {
4563 		/* Fix for RT5392C. */
4564 		if (sc->mac_rev >= 0x0223) {
4565 			if (chan <= 4)
4566 				rf = 0x0f;
4567 			else if (chan >= 5 && chan <= 7)
4568 				rf = 0x0e;
4569 			else
4570 				rf = 0x0d;
4571 			run_rt3070_rf_write(sc, 23, rf);
4572 
4573 			if (chan <= 4)
4574 				rf = 0x0c;
4575 			else if (chan == 5)
4576 				rf = 0x0b;
4577 			else if (chan >= 6 && chan <= 7)
4578 				rf = 0x0a;
4579 			else if (chan >= 8 && chan <= 10)
4580 				rf = 0x09;
4581 			else
4582 				rf = 0x08;
4583 			run_rt3070_rf_write(sc, 59, rf);
4584 		} else {
4585 			if (chan <= 11)
4586 				rf = 0x0f;
4587 			else
4588 				rf = 0x0b;
4589 			run_rt3070_rf_write(sc, 59, rf);
4590 		}
4591 	} else {
4592 		/* Fix for RT5390F. */
4593 		if (sc->mac_rev >= 0x0502) {
4594 			if (chan <= 11)
4595 				rf = 0x43;
4596 			else
4597 				rf = 0x23;
4598 			run_rt3070_rf_write(sc, 55, rf);
4599 
4600 			if (chan <= 11)
4601 				rf = 0x0f;
4602 			else if (chan == 12)
4603 				rf = 0x0d;
4604 			else
4605 				rf = 0x0b;
4606 			run_rt3070_rf_write(sc, 59, rf);
4607 		} else {
4608 			run_rt3070_rf_write(sc, 55, 0x44);
4609 			run_rt3070_rf_write(sc, 59, 0x8f);
4610 		}
4611 	}
4612 
4613 	/* Enable VCO calibration. */
4614 	run_rt3070_rf_read(sc, 3, &rf);
4615 	rf |= RT5390_VCOCAL;
4616 	run_rt3070_rf_write(sc, 3, rf);
4617 }
4618 
4619 static void
4620 run_rt5592_set_chan(struct run_softc *sc, u_int chan)
4621 {
4622 	const struct rt5592_freqs *freqs;
4623 	uint32_t tmp;
4624 	uint8_t reg, rf, txpow_bound;
4625 	int8_t txpow1, txpow2;
4626 	int i;
4627 
4628 	run_read(sc, RT5592_DEBUG_INDEX, &tmp);
4629 	freqs = (tmp & RT5592_SEL_XTAL) ?
4630 	    rt5592_freqs_40mhz : rt5592_freqs_20mhz;
4631 
4632 	/* find the settings for this channel (we know it exists) */
4633 	for (i = 0; rt2860_rf2850[i].chan != chan; i++, freqs++);
4634 
4635 	/* use Tx power values from EEPROM */
4636 	txpow1 = sc->txpow1[i];
4637 	txpow2 = sc->txpow2[i];
4638 
4639 	run_read(sc, RT3070_LDO_CFG0, &tmp);
4640 	tmp &= ~0x1c000000;
4641 	if (chan > 14)
4642 		tmp |= 0x14000000;
4643 	run_write(sc, RT3070_LDO_CFG0, tmp);
4644 
4645 	/* N setting. */
4646 	run_rt3070_rf_write(sc, 8, freqs->n & 0xff);
4647 	run_rt3070_rf_read(sc, 9, &rf);
4648 	rf &= ~(1 << 4);
4649 	rf |= ((freqs->n & 0x0100) >> 8) << 4;
4650 	run_rt3070_rf_write(sc, 9, rf);
4651 
4652 	/* K setting. */
4653 	run_rt3070_rf_read(sc, 9, &rf);
4654 	rf &= ~0x0f;
4655 	rf |= (freqs->k & 0x0f);
4656 	run_rt3070_rf_write(sc, 9, rf);
4657 
4658 	/* Mode setting. */
4659 	run_rt3070_rf_read(sc, 11, &rf);
4660 	rf &= ~0x0c;
4661 	rf |= ((freqs->m - 0x8) & 0x3) << 2;
4662 	run_rt3070_rf_write(sc, 11, rf);
4663 	run_rt3070_rf_read(sc, 9, &rf);
4664 	rf &= ~(1 << 7);
4665 	rf |= (((freqs->m - 0x8) & 0x4) >> 2) << 7;
4666 	run_rt3070_rf_write(sc, 9, rf);
4667 
4668 	/* R setting. */
4669 	run_rt3070_rf_read(sc, 11, &rf);
4670 	rf &= ~0x03;
4671 	rf |= (freqs->r - 0x1);
4672 	run_rt3070_rf_write(sc, 11, rf);
4673 
4674 	if (chan <= 14) {
4675 		/* Initialize RF registers for 2GHZ. */
4676 		for (i = 0; i < nitems(rt5592_2ghz_def_rf); i++) {
4677 			run_rt3070_rf_write(sc, rt5592_2ghz_def_rf[i].reg,
4678 			    rt5592_2ghz_def_rf[i].val);
4679 		}
4680 
4681 		rf = (chan <= 10) ? 0x07 : 0x06;
4682 		run_rt3070_rf_write(sc, 23, rf);
4683 		run_rt3070_rf_write(sc, 59, rf);
4684 
4685 		run_rt3070_rf_write(sc, 55, 0x43);
4686 
4687 		/*
4688 		 * RF R49/R50 Tx power ALC code.
4689 		 * G-band bit<7:6>=1:0, bit<5:0> range from 0x0 ~ 0x27.
4690 		 */
4691 		reg = 2;
4692 		txpow_bound = 0x27;
4693 	} else {
4694 		/* Initialize RF registers for 5GHZ. */
4695 		for (i = 0; i < nitems(rt5592_5ghz_def_rf); i++) {
4696 			run_rt3070_rf_write(sc, rt5592_5ghz_def_rf[i].reg,
4697 			    rt5592_5ghz_def_rf[i].val);
4698 		}
4699 		for (i = 0; i < nitems(rt5592_chan_5ghz); i++) {
4700 			if (chan >= rt5592_chan_5ghz[i].firstchan &&
4701 			    chan <= rt5592_chan_5ghz[i].lastchan) {
4702 				run_rt3070_rf_write(sc, rt5592_chan_5ghz[i].reg,
4703 				    rt5592_chan_5ghz[i].val);
4704 			}
4705 		}
4706 
4707 		/*
4708 		 * RF R49/R50 Tx power ALC code.
4709 		 * A-band bit<7:6>=1:1, bit<5:0> range from 0x0 ~ 0x2b.
4710 		 */
4711 		reg = 3;
4712 		txpow_bound = 0x2b;
4713 	}
4714 
4715 	/* RF R49 ch0 Tx power ALC code. */
4716 	run_rt3070_rf_read(sc, 49, &rf);
4717 	rf &= ~0xc0;
4718 	rf |= (reg << 6);
4719 	rf = (rf & ~0x3f) | (txpow1 & 0x3f);
4720 	if ((rf & 0x3f) > txpow_bound)
4721 		rf = (rf & ~0x3f) | txpow_bound;
4722 	run_rt3070_rf_write(sc, 49, rf);
4723 
4724 	/* RF R50 ch1 Tx power ALC code. */
4725 	run_rt3070_rf_read(sc, 50, &rf);
4726 	rf &= ~(1 << 7 | 1 << 6);
4727 	rf |= (reg << 6);
4728 	rf = (rf & ~0x3f) | (txpow2 & 0x3f);
4729 	if ((rf & 0x3f) > txpow_bound)
4730 		rf = (rf & ~0x3f) | txpow_bound;
4731 	run_rt3070_rf_write(sc, 50, rf);
4732 
4733 	/* Enable RF_BLOCK, PLL_PD, RX0_PD, and TX0_PD. */
4734 	run_rt3070_rf_read(sc, 1, &rf);
4735 	rf |= (RT3070_RF_BLOCK | RT3070_PLL_PD | RT3070_RX0_PD | RT3070_TX0_PD);
4736 	if (sc->ntxchains > 1)
4737 		rf |= RT3070_TX1_PD;
4738 	if (sc->nrxchains > 1)
4739 		rf |= RT3070_RX1_PD;
4740 	run_rt3070_rf_write(sc, 1, rf);
4741 
4742 	run_rt3070_rf_write(sc, 6, 0xe4);
4743 
4744 	run_rt3070_rf_write(sc, 30, 0x10);
4745 	run_rt3070_rf_write(sc, 31, 0x80);
4746 	run_rt3070_rf_write(sc, 32, 0x80);
4747 
4748 	run_adjust_freq_offset(sc);
4749 
4750 	/* Enable VCO calibration. */
4751 	run_rt3070_rf_read(sc, 3, &rf);
4752 	rf |= RT5390_VCOCAL;
4753 	run_rt3070_rf_write(sc, 3, rf);
4754 }
4755 
4756 static void
4757 run_set_rx_antenna(struct run_softc *sc, int aux)
4758 {
4759 	uint32_t tmp;
4760 	uint8_t bbp152;
4761 
4762 	if (aux) {
4763 		if (sc->rf_rev == RT5390_RF_5370) {
4764 			run_bbp_read(sc, 152, &bbp152);
4765 			run_bbp_write(sc, 152, bbp152 & ~0x80);
4766 		} else {
4767 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 0);
4768 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4769 			run_write(sc, RT2860_GPIO_CTRL, (tmp & ~0x0808) | 0x08);
4770 		}
4771 	} else {
4772 		if (sc->rf_rev == RT5390_RF_5370) {
4773 			run_bbp_read(sc, 152, &bbp152);
4774 			run_bbp_write(sc, 152, bbp152 | 0x80);
4775 		} else {
4776 			run_mcu_cmd(sc, RT2860_MCU_CMD_ANTSEL, 1);
4777 			run_read(sc, RT2860_GPIO_CTRL, &tmp);
4778 			run_write(sc, RT2860_GPIO_CTRL, tmp & ~0x0808);
4779 		}
4780 	}
4781 }
4782 
4783 static int
4784 run_set_chan(struct run_softc *sc, struct ieee80211_channel *c)
4785 {
4786 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
4787 	u_int chan, group;
4788 
4789 	chan = ieee80211_chan2ieee(ic, c);
4790 	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
4791 		return (EINVAL);
4792 
4793 	if (sc->mac_ver == 0x5592)
4794 		run_rt5592_set_chan(sc, chan);
4795 	else if (sc->mac_ver >= 0x5390)
4796 		run_rt5390_set_chan(sc, chan);
4797 	else if (sc->mac_ver == 0x3593)
4798 		run_rt3593_set_chan(sc, chan);
4799 	else if (sc->mac_ver == 0x3572)
4800 		run_rt3572_set_chan(sc, chan);
4801 	else if (sc->mac_ver >= 0x3070)
4802 		run_rt3070_set_chan(sc, chan);
4803 	else
4804 		run_rt2870_set_chan(sc, chan);
4805 
4806 	/* determine channel group */
4807 	if (chan <= 14)
4808 		group = 0;
4809 	else if (chan <= 64)
4810 		group = 1;
4811 	else if (chan <= 128)
4812 		group = 2;
4813 	else
4814 		group = 3;
4815 
4816 	/* XXX necessary only when group has changed! */
4817 	run_select_chan_group(sc, group);
4818 
4819 	run_delay(sc, 10);
4820 
4821 	/* Perform IQ calibration. */
4822 	if (sc->mac_ver >= 0x5392)
4823 		run_iq_calib(sc, chan);
4824 
4825 	return (0);
4826 }
4827 
4828 static void
4829 run_set_channel(struct ieee80211com *ic)
4830 {
4831 	struct run_softc *sc = ic->ic_ifp->if_softc;
4832 
4833 	RUN_LOCK(sc);
4834 	run_set_chan(sc, ic->ic_curchan);
4835 	RUN_UNLOCK(sc);
4836 
4837 	return;
4838 }
4839 
4840 static void
4841 run_scan_start(struct ieee80211com *ic)
4842 {
4843 	struct run_softc *sc = ic->ic_ifp->if_softc;
4844 	uint32_t tmp;
4845 
4846 	RUN_LOCK(sc);
4847 
4848 	/* abort TSF synchronization */
4849 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
4850 	run_write(sc, RT2860_BCN_TIME_CFG,
4851 	    tmp & ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
4852 	    RT2860_TBTT_TIMER_EN));
4853 	run_set_bssid(sc, sc->sc_ifp->if_broadcastaddr);
4854 
4855 	RUN_UNLOCK(sc);
4856 
4857 	return;
4858 }
4859 
4860 static void
4861 run_scan_end(struct ieee80211com *ic)
4862 {
4863 	struct run_softc *sc = ic->ic_ifp->if_softc;
4864 
4865 	RUN_LOCK(sc);
4866 
4867 	run_enable_tsf_sync(sc);
4868 	/* XXX keep local copy */
4869 	run_set_bssid(sc, sc->sc_bssid);
4870 
4871 	RUN_UNLOCK(sc);
4872 
4873 	return;
4874 }
4875 
4876 /*
4877  * Could be called from ieee80211_node_timeout()
4878  * (non-sleepable thread)
4879  */
4880 static void
4881 run_update_beacon(struct ieee80211vap *vap, int item)
4882 {
4883 	struct ieee80211com *ic = vap->iv_ic;
4884 	struct run_softc *sc = ic->ic_ifp->if_softc;
4885 	struct run_vap *rvp = RUN_VAP(vap);
4886 	int mcast = 0;
4887 	uint32_t i;
4888 
4889 	KASSERT(vap != NULL, ("no beacon"));
4890 
4891 	switch (item) {
4892 	case IEEE80211_BEACON_ERP:
4893 		run_updateslot(ic->ic_ifp);
4894 		break;
4895 	case IEEE80211_BEACON_HTINFO:
4896 		run_updateprot(ic);
4897 		break;
4898 	case IEEE80211_BEACON_TIM:
4899 		mcast = 1;	/*TODO*/
4900 		break;
4901 	default:
4902 		break;
4903 	}
4904 
4905 	setbit(rvp->bo.bo_flags, item);
4906 	ieee80211_beacon_update(vap->iv_bss, &rvp->bo, rvp->beacon_mbuf, mcast);
4907 
4908 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4909 	DPRINTF("cmdq_store=%d\n", i);
4910 	sc->cmdq[i].func = run_update_beacon_cb;
4911 	sc->cmdq[i].arg0 = vap;
4912 	ieee80211_runtask(ic, &sc->cmdq_task);
4913 
4914 	return;
4915 }
4916 
4917 static void
4918 run_update_beacon_cb(void *arg)
4919 {
4920 	struct ieee80211vap *vap = arg;
4921 	struct run_vap *rvp = RUN_VAP(vap);
4922 	struct ieee80211com *ic = vap->iv_ic;
4923 	struct run_softc *sc = ic->ic_ifp->if_softc;
4924 	struct rt2860_txwi txwi;
4925 	struct mbuf *m;
4926 	uint16_t txwisize;
4927 	uint8_t ridx;
4928 
4929 	if (vap->iv_bss->ni_chan == IEEE80211_CHAN_ANYC)
4930 		return;
4931 	if (ic->ic_bsschan == IEEE80211_CHAN_ANYC)
4932 		return;
4933 
4934 	/*
4935 	 * No need to call ieee80211_beacon_update(), run_update_beacon()
4936 	 * is taking care of apropriate calls.
4937 	 */
4938 	if (rvp->beacon_mbuf == NULL) {
4939 		rvp->beacon_mbuf = ieee80211_beacon_alloc(vap->iv_bss,
4940 		    &rvp->bo);
4941 		if (rvp->beacon_mbuf == NULL)
4942 			return;
4943 	}
4944 	m = rvp->beacon_mbuf;
4945 
4946 	memset(&txwi, 0, sizeof(txwi));
4947 	txwi.wcid = 0xff;
4948 	txwi.len = htole16(m->m_pkthdr.len);
4949 
4950 	/* send beacons at the lowest available rate */
4951 	ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
4952 	    RT2860_RIDX_OFDM6 : RT2860_RIDX_CCK1;
4953 	txwi.phy = htole16(rt2860_rates[ridx].mcs);
4954 	if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
4955 		txwi.phy |= htole16(RT2860_PHY_OFDM);
4956 	txwi.txop = RT2860_TX_TXOP_HT;
4957 	txwi.flags = RT2860_TX_TS;
4958 	txwi.xflags = RT2860_TX_NSEQ;
4959 
4960 	txwisize = (sc->mac_ver == 0x5592) ?
4961 	    sizeof(txwi) + sizeof(uint32_t) : sizeof(txwi);
4962 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id), (uint8_t *)&txwi,
4963 	    txwisize);
4964 	run_write_region_1(sc, RT2860_BCN_BASE(rvp->rvp_id) + txwisize,
4965 	    mtod(m, uint8_t *), (m->m_pkthdr.len + 1) & ~1);
4966 }
4967 
4968 static void
4969 run_updateprot(struct ieee80211com *ic)
4970 {
4971 	struct run_softc *sc = ic->ic_ifp->if_softc;
4972 	uint32_t i;
4973 
4974 	i = RUN_CMDQ_GET(&sc->cmdq_store);
4975 	DPRINTF("cmdq_store=%d\n", i);
4976 	sc->cmdq[i].func = run_updateprot_cb;
4977 	sc->cmdq[i].arg0 = ic;
4978 	ieee80211_runtask(ic, &sc->cmdq_task);
4979 }
4980 
4981 static void
4982 run_updateprot_cb(void *arg)
4983 {
4984 	struct ieee80211com *ic = arg;
4985 	struct run_softc *sc = ic->ic_ifp->if_softc;
4986 	uint32_t tmp;
4987 
4988 	tmp = RT2860_RTSTH_EN | RT2860_PROT_NAV_SHORT | RT2860_TXOP_ALLOW_ALL;
4989 	/* setup protection frame rate (MCS code) */
4990 	tmp |= (ic->ic_curmode == IEEE80211_MODE_11A) ?
4991 	    rt2860_rates[RT2860_RIDX_OFDM6].mcs :
4992 	    rt2860_rates[RT2860_RIDX_CCK11].mcs;
4993 
4994 	/* CCK frames don't require protection */
4995 	run_write(sc, RT2860_CCK_PROT_CFG, tmp);
4996 	if (ic->ic_flags & IEEE80211_F_USEPROT) {
4997 		if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4998 			tmp |= RT2860_PROT_CTRL_RTS_CTS;
4999 		else if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
5000 			tmp |= RT2860_PROT_CTRL_CTS;
5001 	}
5002 	run_write(sc, RT2860_OFDM_PROT_CFG, tmp);
5003 }
5004 
5005 static void
5006 run_usb_timeout_cb(void *arg)
5007 {
5008 	struct ieee80211vap *vap = arg;
5009 	struct run_softc *sc = vap->iv_ic->ic_ifp->if_softc;
5010 
5011 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5012 
5013 	if(vap->iv_state == IEEE80211_S_RUN &&
5014 	    vap->iv_opmode != IEEE80211_M_STA)
5015 		run_reset_livelock(sc);
5016 	else if (vap->iv_state == IEEE80211_S_SCAN) {
5017 		DPRINTF("timeout caused by scan\n");
5018 		/* cancel bgscan */
5019 		ieee80211_cancel_scan(vap);
5020 	} else
5021 		DPRINTF("timeout by unknown cause\n");
5022 }
5023 
5024 static void
5025 run_reset_livelock(struct run_softc *sc)
5026 {
5027 	uint32_t tmp;
5028 
5029 	RUN_LOCK_ASSERT(sc, MA_OWNED);
5030 
5031 	/*
5032 	 * In IBSS or HostAP modes (when the hardware sends beacons), the MAC
5033 	 * can run into a livelock and start sending CTS-to-self frames like
5034 	 * crazy if protection is enabled.  Reset MAC/BBP for a while
5035 	 */
5036 	run_read(sc, RT2860_DEBUG, &tmp);
5037 	DPRINTFN(3, "debug reg %08x\n", tmp);
5038 	if ((tmp & (1 << 29)) && (tmp & (1 << 7 | 1 << 5))) {
5039 		DPRINTF("CTS-to-self livelock detected\n");
5040 		run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_SRST);
5041 		run_delay(sc, 1);
5042 		run_write(sc, RT2860_MAC_SYS_CTRL,
5043 		    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5044 	}
5045 }
5046 
5047 static void
5048 run_update_promisc_locked(struct ifnet *ifp)
5049 {
5050 	struct run_softc *sc = ifp->if_softc;
5051         uint32_t tmp;
5052 
5053 	run_read(sc, RT2860_RX_FILTR_CFG, &tmp);
5054 
5055 	tmp |= RT2860_DROP_UC_NOME;
5056         if (ifp->if_flags & IFF_PROMISC)
5057 		tmp &= ~RT2860_DROP_UC_NOME;
5058 
5059 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5060 
5061         DPRINTF("%s promiscuous mode\n", (ifp->if_flags & IFF_PROMISC) ?
5062             "entering" : "leaving");
5063 }
5064 
5065 static void
5066 run_update_promisc(struct ifnet *ifp)
5067 {
5068 	struct run_softc *sc = ifp->if_softc;
5069 
5070 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
5071 		return;
5072 
5073 	RUN_LOCK(sc);
5074 	run_update_promisc_locked(ifp);
5075 	RUN_UNLOCK(sc);
5076 }
5077 
5078 static void
5079 run_enable_tsf_sync(struct run_softc *sc)
5080 {
5081 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5082 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5083 	uint32_t tmp;
5084 
5085 	DPRINTF("rvp_id=%d ic_opmode=%d\n", RUN_VAP(vap)->rvp_id,
5086 	    ic->ic_opmode);
5087 
5088 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
5089 	tmp &= ~0x1fffff;
5090 	tmp |= vap->iv_bss->ni_intval * 16;
5091 	tmp |= RT2860_TSF_TIMER_EN | RT2860_TBTT_TIMER_EN;
5092 
5093 	if (ic->ic_opmode == IEEE80211_M_STA) {
5094 		/*
5095 		 * Local TSF is always updated with remote TSF on beacon
5096 		 * reception.
5097 		 */
5098 		tmp |= 1 << RT2860_TSF_SYNC_MODE_SHIFT;
5099 	} else if (ic->ic_opmode == IEEE80211_M_IBSS) {
5100 	        tmp |= RT2860_BCN_TX_EN;
5101 	        /*
5102 	         * Local TSF is updated with remote TSF on beacon reception
5103 	         * only if the remote TSF is greater than local TSF.
5104 	         */
5105 	        tmp |= 2 << RT2860_TSF_SYNC_MODE_SHIFT;
5106 	} else if (ic->ic_opmode == IEEE80211_M_HOSTAP ||
5107 		    ic->ic_opmode == IEEE80211_M_MBSS) {
5108 	        tmp |= RT2860_BCN_TX_EN;
5109 	        /* SYNC with nobody */
5110 	        tmp |= 3 << RT2860_TSF_SYNC_MODE_SHIFT;
5111 	} else {
5112 		DPRINTF("Enabling TSF failed. undefined opmode\n");
5113 		return;
5114 	}
5115 
5116 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
5117 }
5118 
5119 static void
5120 run_enable_mrr(struct run_softc *sc)
5121 {
5122 #define	CCK(mcs)	(mcs)
5123 #define	OFDM(mcs)	(1 << 3 | (mcs))
5124 	run_write(sc, RT2860_LG_FBK_CFG0,
5125 	    OFDM(6) << 28 |	/* 54->48 */
5126 	    OFDM(5) << 24 |	/* 48->36 */
5127 	    OFDM(4) << 20 |	/* 36->24 */
5128 	    OFDM(3) << 16 |	/* 24->18 */
5129 	    OFDM(2) << 12 |	/* 18->12 */
5130 	    OFDM(1) <<  8 |	/* 12-> 9 */
5131 	    OFDM(0) <<  4 |	/*  9-> 6 */
5132 	    OFDM(0));		/*  6-> 6 */
5133 
5134 	run_write(sc, RT2860_LG_FBK_CFG1,
5135 	    CCK(2) << 12 |	/* 11->5.5 */
5136 	    CCK(1) <<  8 |	/* 5.5-> 2 */
5137 	    CCK(0) <<  4 |	/*   2-> 1 */
5138 	    CCK(0));		/*   1-> 1 */
5139 #undef OFDM
5140 #undef CCK
5141 }
5142 
5143 static void
5144 run_set_txpreamble(struct run_softc *sc)
5145 {
5146 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5147 	uint32_t tmp;
5148 
5149 	run_read(sc, RT2860_AUTO_RSP_CFG, &tmp);
5150 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
5151 		tmp |= RT2860_CCK_SHORT_EN;
5152 	else
5153 		tmp &= ~RT2860_CCK_SHORT_EN;
5154 	run_write(sc, RT2860_AUTO_RSP_CFG, tmp);
5155 }
5156 
5157 static void
5158 run_set_basicrates(struct run_softc *sc)
5159 {
5160 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5161 
5162 	/* set basic rates mask */
5163 	if (ic->ic_curmode == IEEE80211_MODE_11B)
5164 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x003);
5165 	else if (ic->ic_curmode == IEEE80211_MODE_11A)
5166 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x150);
5167 	else	/* 11g */
5168 		run_write(sc, RT2860_LEGACY_BASIC_RATE, 0x15f);
5169 }
5170 
5171 static void
5172 run_set_leds(struct run_softc *sc, uint16_t which)
5173 {
5174 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LEDS,
5175 	    which | (sc->leds & 0x7f));
5176 }
5177 
5178 static void
5179 run_set_bssid(struct run_softc *sc, const uint8_t *bssid)
5180 {
5181 	run_write(sc, RT2860_MAC_BSSID_DW0,
5182 	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
5183 	run_write(sc, RT2860_MAC_BSSID_DW1,
5184 	    bssid[4] | bssid[5] << 8);
5185 }
5186 
5187 static void
5188 run_set_macaddr(struct run_softc *sc, const uint8_t *addr)
5189 {
5190 	run_write(sc, RT2860_MAC_ADDR_DW0,
5191 	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
5192 	run_write(sc, RT2860_MAC_ADDR_DW1,
5193 	    addr[4] | addr[5] << 8 | 0xff << 16);
5194 }
5195 
5196 static void
5197 run_updateslot(struct ifnet *ifp)
5198 {
5199 	struct run_softc *sc = ifp->if_softc;
5200 	struct ieee80211com *ic = ifp->if_l2com;
5201 	uint32_t i;
5202 
5203 	i = RUN_CMDQ_GET(&sc->cmdq_store);
5204 	DPRINTF("cmdq_store=%d\n", i);
5205 	sc->cmdq[i].func = run_updateslot_cb;
5206 	sc->cmdq[i].arg0 = ifp;
5207 	ieee80211_runtask(ic, &sc->cmdq_task);
5208 
5209 	return;
5210 }
5211 
5212 /* ARGSUSED */
5213 static void
5214 run_updateslot_cb(void *arg)
5215 {
5216 	struct ifnet *ifp = arg;
5217 	struct run_softc *sc = ifp->if_softc;
5218 	struct ieee80211com *ic = ifp->if_l2com;
5219 	uint32_t tmp;
5220 
5221 	run_read(sc, RT2860_BKOFF_SLOT_CFG, &tmp);
5222 	tmp &= ~0xff;
5223 	tmp |= (ic->ic_flags & IEEE80211_F_SHSLOT) ? 9 : 20;
5224 	run_write(sc, RT2860_BKOFF_SLOT_CFG, tmp);
5225 }
5226 
5227 static void
5228 run_update_mcast(struct ifnet *ifp)
5229 {
5230 	/* h/w filter supports getting everything or nothing */
5231 	ifp->if_flags |= IFF_ALLMULTI;
5232 }
5233 
5234 static int8_t
5235 run_rssi2dbm(struct run_softc *sc, uint8_t rssi, uint8_t rxchain)
5236 {
5237 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5238 	struct ieee80211_channel *c = ic->ic_curchan;
5239 	int delta;
5240 
5241 	if (IEEE80211_IS_CHAN_5GHZ(c)) {
5242 		u_int chan = ieee80211_chan2ieee(ic, c);
5243 		delta = sc->rssi_5ghz[rxchain];
5244 
5245 		/* determine channel group */
5246 		if (chan <= 64)
5247 			delta -= sc->lna[1];
5248 		else if (chan <= 128)
5249 			delta -= sc->lna[2];
5250 		else
5251 			delta -= sc->lna[3];
5252 	} else
5253 		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
5254 
5255 	return (-12 - delta - rssi);
5256 }
5257 
5258 static void
5259 run_rt5390_bbp_init(struct run_softc *sc)
5260 {
5261 	int i;
5262 	uint8_t bbp;
5263 
5264 	/* Apply maximum likelihood detection for 2 stream case. */
5265 	run_bbp_read(sc, 105, &bbp);
5266 	if (sc->nrxchains > 1)
5267 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5268 
5269 	/* Avoid data lost and CRC error. */
5270 	run_bbp_read(sc, 4, &bbp);
5271 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5272 
5273 	if (sc->mac_ver == 0x5592) {
5274 		for (i = 0; i < nitems(rt5592_def_bbp); i++) {
5275 			run_bbp_write(sc, rt5592_def_bbp[i].reg,
5276 			    rt5592_def_bbp[i].val);
5277 		}
5278 		for (i = 0; i < nitems(rt5592_bbp_r196); i++) {
5279 			run_bbp_write(sc, 195, i + 0x80);
5280 			run_bbp_write(sc, 196, rt5592_bbp_r196[i]);
5281 		}
5282 	} else {
5283 		for (i = 0; i < nitems(rt5390_def_bbp); i++) {
5284 			run_bbp_write(sc, rt5390_def_bbp[i].reg,
5285 			    rt5390_def_bbp[i].val);
5286 		}
5287 	}
5288 	if (sc->mac_ver == 0x5392) {
5289 		run_bbp_write(sc, 88, 0x90);
5290 		run_bbp_write(sc, 95, 0x9a);
5291 		run_bbp_write(sc, 98, 0x12);
5292 		run_bbp_write(sc, 106, 0x12);
5293 		run_bbp_write(sc, 134, 0xd0);
5294 		run_bbp_write(sc, 135, 0xf6);
5295 		run_bbp_write(sc, 148, 0x84);
5296 	}
5297 
5298 	run_bbp_read(sc, 152, &bbp);
5299 	run_bbp_write(sc, 152, bbp | 0x80);
5300 
5301 	/* Fix BBP254 for RT5592C. */
5302 	if (sc->mac_ver == 0x5592 && sc->mac_rev >= 0x0221) {
5303 		run_bbp_read(sc, 254, &bbp);
5304 		run_bbp_write(sc, 254, bbp | 0x80);
5305 	}
5306 
5307 	/* Disable hardware antenna diversity. */
5308 	if (sc->mac_ver == 0x5390)
5309 		run_bbp_write(sc, 154, 0);
5310 
5311 	/* Initialize Rx CCK/OFDM frequency offset report. */
5312 	run_bbp_write(sc, 142, 1);
5313 	run_bbp_write(sc, 143, 57);
5314 }
5315 
5316 static int
5317 run_bbp_init(struct run_softc *sc)
5318 {
5319 	int i, error, ntries;
5320 	uint8_t bbp0;
5321 
5322 	/* wait for BBP to wake up */
5323 	for (ntries = 0; ntries < 20; ntries++) {
5324 		if ((error = run_bbp_read(sc, 0, &bbp0)) != 0)
5325 			return error;
5326 		if (bbp0 != 0 && bbp0 != 0xff)
5327 			break;
5328 	}
5329 	if (ntries == 20)
5330 		return (ETIMEDOUT);
5331 
5332 	/* initialize BBP registers to default values */
5333 	if (sc->mac_ver >= 0x5390)
5334 		run_rt5390_bbp_init(sc);
5335 	else {
5336 		for (i = 0; i < nitems(rt2860_def_bbp); i++) {
5337 			run_bbp_write(sc, rt2860_def_bbp[i].reg,
5338 			    rt2860_def_bbp[i].val);
5339 		}
5340 	}
5341 
5342 	if (sc->mac_ver == 0x3593) {
5343 		run_bbp_write(sc, 79, 0x13);
5344 		run_bbp_write(sc, 80, 0x05);
5345 		run_bbp_write(sc, 81, 0x33);
5346 		run_bbp_write(sc, 86, 0x46);
5347 		run_bbp_write(sc, 137, 0x0f);
5348 	}
5349 
5350 	/* fix BBP84 for RT2860E */
5351 	if (sc->mac_ver == 0x2860 && sc->mac_rev != 0x0101)
5352 		run_bbp_write(sc, 84, 0x19);
5353 
5354 	if (sc->mac_ver >= 0x3070 && (sc->mac_ver != 0x3593 &&
5355 	    sc->mac_ver != 0x5592)) {
5356 		run_bbp_write(sc, 79, 0x13);
5357 		run_bbp_write(sc, 80, 0x05);
5358 		run_bbp_write(sc, 81, 0x33);
5359 	} else if (sc->mac_ver == 0x2860 && sc->mac_rev == 0x0100) {
5360 		run_bbp_write(sc, 69, 0x16);
5361 		run_bbp_write(sc, 73, 0x12);
5362 	}
5363 	return (0);
5364 }
5365 
5366 static int
5367 run_rt3070_rf_init(struct run_softc *sc)
5368 {
5369 	uint32_t tmp;
5370 	uint8_t bbp4, mingain, rf, target;
5371 	int i;
5372 
5373 	run_rt3070_rf_read(sc, 30, &rf);
5374 	/* toggle RF R30 bit 7 */
5375 	run_rt3070_rf_write(sc, 30, rf | 0x80);
5376 	run_delay(sc, 10);
5377 	run_rt3070_rf_write(sc, 30, rf & ~0x80);
5378 
5379 	/* initialize RF registers to default value */
5380 	if (sc->mac_ver == 0x3572) {
5381 		for (i = 0; i < nitems(rt3572_def_rf); i++) {
5382 			run_rt3070_rf_write(sc, rt3572_def_rf[i].reg,
5383 			    rt3572_def_rf[i].val);
5384 		}
5385 	} else {
5386 		for (i = 0; i < nitems(rt3070_def_rf); i++) {
5387 			run_rt3070_rf_write(sc, rt3070_def_rf[i].reg,
5388 			    rt3070_def_rf[i].val);
5389 		}
5390 	}
5391 
5392 	if (sc->mac_ver == 0x3070 && sc->mac_rev < 0x0201) {
5393 		/*
5394 		 * Change voltage from 1.2V to 1.35V for RT3070.
5395 		 * The DAC issue (RT3070_LDO_CFG0) has been fixed
5396 		 * in RT3070(F).
5397 		 */
5398 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5399 		tmp = (tmp & ~0x0f000000) | 0x0d000000;
5400 		run_write(sc, RT3070_LDO_CFG0, tmp);
5401 
5402 	} else if (sc->mac_ver == 0x3071) {
5403 		run_rt3070_rf_read(sc, 6, &rf);
5404 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5405 		run_rt3070_rf_write(sc, 31, 0x14);
5406 
5407 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5408 		tmp &= ~0x1f000000;
5409 		if (sc->mac_rev < 0x0211)
5410 			tmp |= 0x0d000000;	/* 1.3V */
5411 		else
5412 			tmp |= 0x01000000;	/* 1.2V */
5413 		run_write(sc, RT3070_LDO_CFG0, tmp);
5414 
5415 		/* patch LNA_PE_G1 */
5416 		run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5417 		run_write(sc, RT3070_GPIO_SWITCH, tmp & ~0x20);
5418 
5419 	} else if (sc->mac_ver == 0x3572) {
5420 		run_rt3070_rf_read(sc, 6, &rf);
5421 		run_rt3070_rf_write(sc, 6, rf | 0x40);
5422 
5423 		/* increase voltage from 1.2V to 1.35V */
5424 		run_read(sc, RT3070_LDO_CFG0, &tmp);
5425 		tmp = (tmp & ~0x1f000000) | 0x0d000000;
5426 		run_write(sc, RT3070_LDO_CFG0, tmp);
5427 
5428 		if (sc->mac_rev < 0x0211 || !sc->patch_dac) {
5429 			run_delay(sc, 1);	/* wait for 1msec */
5430 			/* decrease voltage back to 1.2V */
5431 			tmp = (tmp & ~0x1f000000) | 0x01000000;
5432 			run_write(sc, RT3070_LDO_CFG0, tmp);
5433 		}
5434 	}
5435 
5436 	/* select 20MHz bandwidth */
5437 	run_rt3070_rf_read(sc, 31, &rf);
5438 	run_rt3070_rf_write(sc, 31, rf & ~0x20);
5439 
5440 	/* calibrate filter for 20MHz bandwidth */
5441 	sc->rf24_20mhz = 0x1f;	/* default value */
5442 	target = (sc->mac_ver < 0x3071) ? 0x16 : 0x13;
5443 	run_rt3070_filter_calib(sc, 0x07, target, &sc->rf24_20mhz);
5444 
5445 	/* select 40MHz bandwidth */
5446 	run_bbp_read(sc, 4, &bbp4);
5447 	run_bbp_write(sc, 4, (bbp4 & ~0x18) | 0x10);
5448 	run_rt3070_rf_read(sc, 31, &rf);
5449 	run_rt3070_rf_write(sc, 31, rf | 0x20);
5450 
5451 	/* calibrate filter for 40MHz bandwidth */
5452 	sc->rf24_40mhz = 0x2f;	/* default value */
5453 	target = (sc->mac_ver < 0x3071) ? 0x19 : 0x15;
5454 	run_rt3070_filter_calib(sc, 0x27, target, &sc->rf24_40mhz);
5455 
5456 	/* go back to 20MHz bandwidth */
5457 	run_bbp_read(sc, 4, &bbp4);
5458 	run_bbp_write(sc, 4, bbp4 & ~0x18);
5459 
5460 	if (sc->mac_ver == 0x3572) {
5461 		/* save default BBP registers 25 and 26 values */
5462 		run_bbp_read(sc, 25, &sc->bbp25);
5463 		run_bbp_read(sc, 26, &sc->bbp26);
5464 	} else if (sc->mac_rev < 0x0201 || sc->mac_rev < 0x0211)
5465 		run_rt3070_rf_write(sc, 27, 0x03);
5466 
5467 	run_read(sc, RT3070_OPT_14, &tmp);
5468 	run_write(sc, RT3070_OPT_14, tmp | 1);
5469 
5470 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5471 		run_rt3070_rf_read(sc, 17, &rf);
5472 		rf &= ~RT3070_TX_LO1;
5473 		if ((sc->mac_ver == 0x3070 ||
5474 		     (sc->mac_ver == 0x3071 && sc->mac_rev >= 0x0211)) &&
5475 		    !sc->ext_2ghz_lna)
5476 			rf |= 0x20;	/* fix for long range Rx issue */
5477 		mingain = (sc->mac_ver == 0x3070) ? 1 : 2;
5478 		if (sc->txmixgain_2ghz >= mingain)
5479 			rf = (rf & ~0x7) | sc->txmixgain_2ghz;
5480 		run_rt3070_rf_write(sc, 17, rf);
5481 	}
5482 
5483 	if (sc->mac_rev == 0x3071) {
5484 		run_rt3070_rf_read(sc, 1, &rf);
5485 		rf &= ~(RT3070_RX0_PD | RT3070_TX0_PD);
5486 		rf |= RT3070_RF_BLOCK | RT3070_RX1_PD | RT3070_TX1_PD;
5487 		run_rt3070_rf_write(sc, 1, rf);
5488 
5489 		run_rt3070_rf_read(sc, 15, &rf);
5490 		run_rt3070_rf_write(sc, 15, rf & ~RT3070_TX_LO2);
5491 
5492 		run_rt3070_rf_read(sc, 20, &rf);
5493 		run_rt3070_rf_write(sc, 20, rf & ~RT3070_RX_LO1);
5494 
5495 		run_rt3070_rf_read(sc, 21, &rf);
5496 		run_rt3070_rf_write(sc, 21, rf & ~RT3070_RX_LO2);
5497 	}
5498 
5499 	if (sc->mac_ver == 0x3070 || sc->mac_ver == 0x3071) {
5500 		/* fix Tx to Rx IQ glitch by raising RF voltage */
5501 		run_rt3070_rf_read(sc, 27, &rf);
5502 		rf &= ~0x77;
5503 		if (sc->mac_rev < 0x0211)
5504 			rf |= 0x03;
5505 		run_rt3070_rf_write(sc, 27, rf);
5506 	}
5507 	return (0);
5508 }
5509 
5510 static void
5511 run_rt3593_rf_init(struct run_softc *sc)
5512 {
5513 	uint32_t tmp;
5514 	uint8_t rf;
5515 	int i;
5516 
5517 	/* Disable the GPIO bits 4 and 7 for LNA PE control. */
5518 	run_read(sc, RT3070_GPIO_SWITCH, &tmp);
5519 	tmp &= ~(1 << 4 | 1 << 7);
5520 	run_write(sc, RT3070_GPIO_SWITCH, tmp);
5521 
5522 	/* Initialize RF registers to default value. */
5523 	for (i = 0; i < nitems(rt3593_def_rf); i++) {
5524 		run_rt3070_rf_write(sc, rt3593_def_rf[i].reg,
5525 		    rt3593_def_rf[i].val);
5526 	}
5527 
5528 	/* Toggle RF R2 to initiate calibration. */
5529 	run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5530 
5531 	/* Initialize RF frequency offset. */
5532 	run_adjust_freq_offset(sc);
5533 
5534 	run_rt3070_rf_read(sc, 18, &rf);
5535 	run_rt3070_rf_write(sc, 18, rf | RT3593_AUTOTUNE_BYPASS);
5536 
5537 	/*
5538 	 * Increase voltage from 1.2V to 1.35V, wait for 1 msec to
5539 	 * decrease voltage back to 1.2V.
5540 	 */
5541 	run_read(sc, RT3070_LDO_CFG0, &tmp);
5542 	tmp = (tmp & ~0x1f000000) | 0x0d000000;
5543 	run_write(sc, RT3070_LDO_CFG0, tmp);
5544 	run_delay(sc, 1);
5545 	tmp = (tmp & ~0x1f000000) | 0x01000000;
5546 	run_write(sc, RT3070_LDO_CFG0, tmp);
5547 
5548 	sc->rf24_20mhz = 0x1f;
5549 	sc->rf24_40mhz = 0x2f;
5550 
5551 	/* Save default BBP registers 25 and 26 values. */
5552 	run_bbp_read(sc, 25, &sc->bbp25);
5553 	run_bbp_read(sc, 26, &sc->bbp26);
5554 
5555 	run_read(sc, RT3070_OPT_14, &tmp);
5556 	run_write(sc, RT3070_OPT_14, tmp | 1);
5557 }
5558 
5559 static void
5560 run_rt5390_rf_init(struct run_softc *sc)
5561 {
5562 	uint32_t tmp;
5563 	uint8_t rf;
5564 	int i;
5565 
5566 	/* Toggle RF R2 to initiate calibration. */
5567 	if (sc->mac_ver == 0x5390) {
5568 		run_rt3070_rf_read(sc, 2, &rf);
5569 		run_rt3070_rf_write(sc, 2, rf | RT5390_RESCAL);
5570 		run_delay(sc, 10);
5571 		run_rt3070_rf_write(sc, 2, rf & ~RT5390_RESCAL);
5572 	} else {
5573 		run_rt3070_rf_write(sc, 2, RT5390_RESCAL);
5574 		run_delay(sc, 10);
5575 	}
5576 
5577 	/* Initialize RF registers to default value. */
5578 	if (sc->mac_ver == 0x5592) {
5579 		for (i = 0; i < nitems(rt5592_def_rf); i++) {
5580 			run_rt3070_rf_write(sc, rt5592_def_rf[i].reg,
5581 			    rt5592_def_rf[i].val);
5582 		}
5583 		/* Initialize RF frequency offset. */
5584 		run_adjust_freq_offset(sc);
5585 	} else if (sc->mac_ver == 0x5392) {
5586 		for (i = 0; i < nitems(rt5392_def_rf); i++) {
5587 			run_rt3070_rf_write(sc, rt5392_def_rf[i].reg,
5588 			    rt5392_def_rf[i].val);
5589 		}
5590 		if (sc->mac_rev >= 0x0223) {
5591 			run_rt3070_rf_write(sc, 23, 0x0f);
5592 			run_rt3070_rf_write(sc, 24, 0x3e);
5593 			run_rt3070_rf_write(sc, 51, 0x32);
5594 			run_rt3070_rf_write(sc, 53, 0x22);
5595 			run_rt3070_rf_write(sc, 56, 0xc1);
5596 			run_rt3070_rf_write(sc, 59, 0x0f);
5597 		}
5598 	} else {
5599 		for (i = 0; i < nitems(rt5390_def_rf); i++) {
5600 			run_rt3070_rf_write(sc, rt5390_def_rf[i].reg,
5601 			    rt5390_def_rf[i].val);
5602 		}
5603 		if (sc->mac_rev >= 0x0502) {
5604 			run_rt3070_rf_write(sc, 6, 0xe0);
5605 			run_rt3070_rf_write(sc, 25, 0x80);
5606 			run_rt3070_rf_write(sc, 46, 0x73);
5607 			run_rt3070_rf_write(sc, 53, 0x00);
5608 			run_rt3070_rf_write(sc, 56, 0x42);
5609 			run_rt3070_rf_write(sc, 61, 0xd1);
5610 		}
5611 	}
5612 
5613 	sc->rf24_20mhz = 0x1f;	/* default value */
5614 	sc->rf24_40mhz = (sc->mac_ver == 0x5592) ? 0 : 0x2f;
5615 
5616 	if (sc->mac_rev < 0x0211)
5617 		run_rt3070_rf_write(sc, 27, 0x3);
5618 
5619 	run_read(sc, RT3070_OPT_14, &tmp);
5620 	run_write(sc, RT3070_OPT_14, tmp | 1);
5621 }
5622 
5623 static int
5624 run_rt3070_filter_calib(struct run_softc *sc, uint8_t init, uint8_t target,
5625     uint8_t *val)
5626 {
5627 	uint8_t rf22, rf24;
5628 	uint8_t bbp55_pb, bbp55_sb, delta;
5629 	int ntries;
5630 
5631 	/* program filter */
5632 	run_rt3070_rf_read(sc, 24, &rf24);
5633 	rf24 = (rf24 & 0xc0) | init;	/* initial filter value */
5634 	run_rt3070_rf_write(sc, 24, rf24);
5635 
5636 	/* enable baseband loopback mode */
5637 	run_rt3070_rf_read(sc, 22, &rf22);
5638 	run_rt3070_rf_write(sc, 22, rf22 | 0x01);
5639 
5640 	/* set power and frequency of passband test tone */
5641 	run_bbp_write(sc, 24, 0x00);
5642 	for (ntries = 0; ntries < 100; ntries++) {
5643 		/* transmit test tone */
5644 		run_bbp_write(sc, 25, 0x90);
5645 		run_delay(sc, 10);
5646 		/* read received power */
5647 		run_bbp_read(sc, 55, &bbp55_pb);
5648 		if (bbp55_pb != 0)
5649 			break;
5650 	}
5651 	if (ntries == 100)
5652 		return (ETIMEDOUT);
5653 
5654 	/* set power and frequency of stopband test tone */
5655 	run_bbp_write(sc, 24, 0x06);
5656 	for (ntries = 0; ntries < 100; ntries++) {
5657 		/* transmit test tone */
5658 		run_bbp_write(sc, 25, 0x90);
5659 		run_delay(sc, 10);
5660 		/* read received power */
5661 		run_bbp_read(sc, 55, &bbp55_sb);
5662 
5663 		delta = bbp55_pb - bbp55_sb;
5664 		if (delta > target)
5665 			break;
5666 
5667 		/* reprogram filter */
5668 		rf24++;
5669 		run_rt3070_rf_write(sc, 24, rf24);
5670 	}
5671 	if (ntries < 100) {
5672 		if (rf24 != init)
5673 			rf24--;	/* backtrack */
5674 		*val = rf24;
5675 		run_rt3070_rf_write(sc, 24, rf24);
5676 	}
5677 
5678 	/* restore initial state */
5679 	run_bbp_write(sc, 24, 0x00);
5680 
5681 	/* disable baseband loopback mode */
5682 	run_rt3070_rf_read(sc, 22, &rf22);
5683 	run_rt3070_rf_write(sc, 22, rf22 & ~0x01);
5684 
5685 	return (0);
5686 }
5687 
5688 static void
5689 run_rt3070_rf_setup(struct run_softc *sc)
5690 {
5691 	uint8_t bbp, rf;
5692 	int i;
5693 
5694 	if (sc->mac_ver == 0x3572) {
5695 		/* enable DC filter */
5696 		if (sc->mac_rev >= 0x0201)
5697 			run_bbp_write(sc, 103, 0xc0);
5698 
5699 		run_bbp_read(sc, 138, &bbp);
5700 		if (sc->ntxchains == 1)
5701 			bbp |= 0x20;	/* turn off DAC1 */
5702 		if (sc->nrxchains == 1)
5703 			bbp &= ~0x02;	/* turn off ADC1 */
5704 		run_bbp_write(sc, 138, bbp);
5705 
5706 		if (sc->mac_rev >= 0x0211) {
5707 			/* improve power consumption */
5708 			run_bbp_read(sc, 31, &bbp);
5709 			run_bbp_write(sc, 31, bbp & ~0x03);
5710 		}
5711 
5712 		run_rt3070_rf_read(sc, 16, &rf);
5713 		rf = (rf & ~0x07) | sc->txmixgain_2ghz;
5714 		run_rt3070_rf_write(sc, 16, rf);
5715 
5716 	} else if (sc->mac_ver == 0x3071) {
5717 		if (sc->mac_rev >= 0x0211) {
5718 			/* enable DC filter */
5719 			run_bbp_write(sc, 103, 0xc0);
5720 
5721 			/* improve power consumption */
5722 			run_bbp_read(sc, 31, &bbp);
5723 			run_bbp_write(sc, 31, bbp & ~0x03);
5724 		}
5725 
5726 		run_bbp_read(sc, 138, &bbp);
5727 		if (sc->ntxchains == 1)
5728 			bbp |= 0x20;	/* turn off DAC1 */
5729 		if (sc->nrxchains == 1)
5730 			bbp &= ~0x02;	/* turn off ADC1 */
5731 		run_bbp_write(sc, 138, bbp);
5732 
5733 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5734 		if (sc->mac_rev < 0x0211) {
5735 			run_write(sc, RT2860_TX_SW_CFG2,
5736 			    sc->patch_dac ? 0x2c : 0x0f);
5737 		} else
5738 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5739 
5740 	} else if (sc->mac_ver == 0x3070) {
5741 		if (sc->mac_rev >= 0x0201) {
5742 			/* enable DC filter */
5743 			run_bbp_write(sc, 103, 0xc0);
5744 
5745 			/* improve power consumption */
5746 			run_bbp_read(sc, 31, &bbp);
5747 			run_bbp_write(sc, 31, bbp & ~0x03);
5748 		}
5749 
5750 		if (sc->mac_rev < 0x0201) {
5751 			run_write(sc, RT2860_TX_SW_CFG1, 0);
5752 			run_write(sc, RT2860_TX_SW_CFG2, 0x2c);
5753 		} else
5754 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5755 	}
5756 
5757 	/* initialize RF registers from ROM for >=RT3071*/
5758 	if (sc->mac_ver >= 0x3071) {
5759 		for (i = 0; i < 10; i++) {
5760 			if (sc->rf[i].reg == 0 || sc->rf[i].reg == 0xff)
5761 				continue;
5762 			run_rt3070_rf_write(sc, sc->rf[i].reg, sc->rf[i].val);
5763 		}
5764 	}
5765 }
5766 
5767 static void
5768 run_rt3593_rf_setup(struct run_softc *sc)
5769 {
5770 	uint8_t bbp, rf;
5771 
5772 	if (sc->mac_rev >= 0x0211) {
5773 		/* Enable DC filter. */
5774 		run_bbp_write(sc, 103, 0xc0);
5775 	}
5776 	run_write(sc, RT2860_TX_SW_CFG1, 0);
5777 	if (sc->mac_rev < 0x0211) {
5778 		run_write(sc, RT2860_TX_SW_CFG2,
5779 		    sc->patch_dac ? 0x2c : 0x0f);
5780 	} else
5781 		run_write(sc, RT2860_TX_SW_CFG2, 0);
5782 
5783 	run_rt3070_rf_read(sc, 50, &rf);
5784 	run_rt3070_rf_write(sc, 50, rf & ~RT3593_TX_LO2);
5785 
5786 	run_rt3070_rf_read(sc, 51, &rf);
5787 	rf = (rf & ~(RT3593_TX_LO1 | 0x0c)) |
5788 	    ((sc->txmixgain_2ghz & 0x07) << 2);
5789 	run_rt3070_rf_write(sc, 51, rf);
5790 
5791 	run_rt3070_rf_read(sc, 38, &rf);
5792 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5793 
5794 	run_rt3070_rf_read(sc, 39, &rf);
5795 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5796 
5797 	run_rt3070_rf_read(sc, 1, &rf);
5798 	run_rt3070_rf_write(sc, 1, rf & ~(RT3070_RF_BLOCK | RT3070_PLL_PD));
5799 
5800 	run_rt3070_rf_read(sc, 30, &rf);
5801 	rf = (rf & ~0x18) | 0x10;
5802 	run_rt3070_rf_write(sc, 30, rf);
5803 
5804 	/* Apply maximum likelihood detection for 2 stream case. */
5805 	run_bbp_read(sc, 105, &bbp);
5806 	if (sc->nrxchains > 1)
5807 		run_bbp_write(sc, 105, bbp | RT5390_MLD);
5808 
5809 	/* Avoid data lost and CRC error. */
5810 	run_bbp_read(sc, 4, &bbp);
5811 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5812 
5813 	run_bbp_write(sc, 92, 0x02);
5814 	run_bbp_write(sc, 82, 0x82);
5815 	run_bbp_write(sc, 106, 0x05);
5816 	run_bbp_write(sc, 104, 0x92);
5817 	run_bbp_write(sc, 88, 0x90);
5818 	run_bbp_write(sc, 148, 0xc8);
5819 	run_bbp_write(sc, 47, 0x48);
5820 	run_bbp_write(sc, 120, 0x50);
5821 
5822 	run_bbp_write(sc, 163, 0x9d);
5823 
5824 	/* SNR mapping. */
5825 	run_bbp_write(sc, 142, 0x06);
5826 	run_bbp_write(sc, 143, 0xa0);
5827 	run_bbp_write(sc, 142, 0x07);
5828 	run_bbp_write(sc, 143, 0xa1);
5829 	run_bbp_write(sc, 142, 0x08);
5830 	run_bbp_write(sc, 143, 0xa2);
5831 
5832 	run_bbp_write(sc, 31, 0x08);
5833 	run_bbp_write(sc, 68, 0x0b);
5834 	run_bbp_write(sc, 105, 0x04);
5835 }
5836 
5837 static void
5838 run_rt5390_rf_setup(struct run_softc *sc)
5839 {
5840 	uint8_t bbp, rf;
5841 
5842 	if (sc->mac_rev >= 0x0211) {
5843 		/* Enable DC filter. */
5844 		run_bbp_write(sc, 103, 0xc0);
5845 
5846 		if (sc->mac_ver != 0x5592) {
5847 			/* Improve power consumption. */
5848 			run_bbp_read(sc, 31, &bbp);
5849 			run_bbp_write(sc, 31, bbp & ~0x03);
5850 		}
5851 	}
5852 
5853 	run_bbp_read(sc, 138, &bbp);
5854 	if (sc->ntxchains == 1)
5855 		bbp |= 0x20;	/* turn off DAC1 */
5856 	if (sc->nrxchains == 1)
5857 		bbp &= ~0x02;	/* turn off ADC1 */
5858 	run_bbp_write(sc, 138, bbp);
5859 
5860 	run_rt3070_rf_read(sc, 38, &rf);
5861 	run_rt3070_rf_write(sc, 38, rf & ~RT5390_RX_LO1);
5862 
5863 	run_rt3070_rf_read(sc, 39, &rf);
5864 	run_rt3070_rf_write(sc, 39, rf & ~RT5390_RX_LO2);
5865 
5866 	/* Avoid data lost and CRC error. */
5867 	run_bbp_read(sc, 4, &bbp);
5868 	run_bbp_write(sc, 4, bbp | RT5390_MAC_IF_CTRL);
5869 
5870 	run_rt3070_rf_read(sc, 30, &rf);
5871 	rf = (rf & ~0x18) | 0x10;
5872 	run_rt3070_rf_write(sc, 30, rf);
5873 
5874 	if (sc->mac_ver != 0x5592) {
5875 		run_write(sc, RT2860_TX_SW_CFG1, 0);
5876 		if (sc->mac_rev < 0x0211) {
5877 			run_write(sc, RT2860_TX_SW_CFG2,
5878 			    sc->patch_dac ? 0x2c : 0x0f);
5879 		} else
5880 			run_write(sc, RT2860_TX_SW_CFG2, 0);
5881 	}
5882 }
5883 
5884 static int
5885 run_txrx_enable(struct run_softc *sc)
5886 {
5887 	struct ieee80211com *ic = sc->sc_ifp->if_l2com;
5888 	uint32_t tmp;
5889 	int error, ntries;
5890 
5891 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_MAC_TX_EN);
5892 	for (ntries = 0; ntries < 200; ntries++) {
5893 		if ((error = run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp)) != 0)
5894 			return (error);
5895 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5896 			break;
5897 		run_delay(sc, 50);
5898 	}
5899 	if (ntries == 200)
5900 		return (ETIMEDOUT);
5901 
5902 	run_delay(sc, 50);
5903 
5904 	tmp |= RT2860_RX_DMA_EN | RT2860_TX_DMA_EN | RT2860_TX_WB_DDONE;
5905 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5906 
5907 	/* enable Rx bulk aggregation (set timeout and limit) */
5908 	tmp = RT2860_USB_TX_EN | RT2860_USB_RX_EN | RT2860_USB_RX_AGG_EN |
5909 	    RT2860_USB_RX_AGG_TO(128) | RT2860_USB_RX_AGG_LMT(2);
5910 	run_write(sc, RT2860_USB_DMA_CFG, tmp);
5911 
5912 	/* set Rx filter */
5913 	tmp = RT2860_DROP_CRC_ERR | RT2860_DROP_PHY_ERR;
5914 	if (ic->ic_opmode != IEEE80211_M_MONITOR) {
5915 		tmp |= RT2860_DROP_UC_NOME | RT2860_DROP_DUPL |
5916 		    RT2860_DROP_CTS | RT2860_DROP_BA | RT2860_DROP_ACK |
5917 		    RT2860_DROP_VER_ERR | RT2860_DROP_CTRL_RSV |
5918 		    RT2860_DROP_CFACK | RT2860_DROP_CFEND;
5919 		if (ic->ic_opmode == IEEE80211_M_STA)
5920 			tmp |= RT2860_DROP_RTS | RT2860_DROP_PSPOLL;
5921 	}
5922 	run_write(sc, RT2860_RX_FILTR_CFG, tmp);
5923 
5924 	run_write(sc, RT2860_MAC_SYS_CTRL,
5925 	    RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
5926 
5927 	return (0);
5928 }
5929 
5930 static void
5931 run_adjust_freq_offset(struct run_softc *sc)
5932 {
5933 	uint8_t rf, tmp;
5934 
5935 	run_rt3070_rf_read(sc, 17, &rf);
5936 	tmp = rf;
5937 	rf = (rf & ~0x7f) | (sc->freq & 0x7f);
5938 	rf = MIN(rf, 0x5f);
5939 
5940 	if (tmp != rf)
5941 		run_mcu_cmd(sc, 0x74, (tmp << 8 ) | rf);
5942 }
5943 
5944 static void
5945 run_init_locked(struct run_softc *sc)
5946 {
5947 	struct ifnet *ifp = sc->sc_ifp;
5948 	struct ieee80211com *ic = ifp->if_l2com;
5949 	uint32_t tmp;
5950 	uint8_t bbp1, bbp3;
5951 	int i;
5952 	int ridx;
5953 	int ntries;
5954 
5955 	if (ic->ic_nrunning > 1)
5956 		return;
5957 
5958 	run_stop(sc);
5959 
5960 	if (run_load_microcode(sc) != 0) {
5961 		device_printf(sc->sc_dev, "could not load 8051 microcode\n");
5962 		goto fail;
5963 	}
5964 
5965 	for (ntries = 0; ntries < 100; ntries++) {
5966 		if (run_read(sc, RT2860_ASIC_VER_ID, &tmp) != 0)
5967 			goto fail;
5968 		if (tmp != 0 && tmp != 0xffffffff)
5969 			break;
5970 		run_delay(sc, 10);
5971 	}
5972 	if (ntries == 100)
5973 		goto fail;
5974 
5975 	for (i = 0; i != RUN_EP_QUEUES; i++)
5976 		run_setup_tx_list(sc, &sc->sc_epq[i]);
5977 
5978 	run_set_macaddr(sc, IF_LLADDR(ifp));
5979 
5980 	for (ntries = 0; ntries < 100; ntries++) {
5981 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
5982 			goto fail;
5983 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
5984 			break;
5985 		run_delay(sc, 10);
5986 	}
5987 	if (ntries == 100) {
5988 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
5989 		goto fail;
5990 	}
5991 	tmp &= 0xff0;
5992 	tmp |= RT2860_TX_WB_DDONE;
5993 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
5994 
5995 	/* turn off PME_OEN to solve high-current issue */
5996 	run_read(sc, RT2860_SYS_CTRL, &tmp);
5997 	run_write(sc, RT2860_SYS_CTRL, tmp & ~RT2860_PME_OEN);
5998 
5999 	run_write(sc, RT2860_MAC_SYS_CTRL,
6000 	    RT2860_BBP_HRST | RT2860_MAC_SRST);
6001 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6002 
6003 	if (run_reset(sc) != 0) {
6004 		device_printf(sc->sc_dev, "could not reset chipset\n");
6005 		goto fail;
6006 	}
6007 
6008 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6009 
6010 	/* init Tx power for all Tx rates (from EEPROM) */
6011 	for (ridx = 0; ridx < 5; ridx++) {
6012 		if (sc->txpow20mhz[ridx] == 0xffffffff)
6013 			continue;
6014 		run_write(sc, RT2860_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
6015 	}
6016 
6017 	for (i = 0; i < nitems(rt2870_def_mac); i++)
6018 		run_write(sc, rt2870_def_mac[i].reg, rt2870_def_mac[i].val);
6019 	run_write(sc, RT2860_WMM_AIFSN_CFG, 0x00002273);
6020 	run_write(sc, RT2860_WMM_CWMIN_CFG, 0x00002344);
6021 	run_write(sc, RT2860_WMM_CWMAX_CFG, 0x000034aa);
6022 
6023 	if (sc->mac_ver >= 0x5390) {
6024 		run_write(sc, RT2860_TX_SW_CFG0,
6025 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 4);
6026 		if (sc->mac_ver >= 0x5392) {
6027 			run_write(sc, RT2860_MAX_LEN_CFG, 0x00002fff);
6028 			if (sc->mac_ver == 0x5592) {
6029 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcba980);
6030 				run_write(sc, RT2860_TXOP_HLDR_ET, 0x00000082);
6031 			} else {
6032 				run_write(sc, RT2860_HT_FBK_CFG1, 0xedcb4980);
6033 				run_write(sc, RT2860_LG_FBK_CFG0, 0xedcba322);
6034 			}
6035 		}
6036 	} else if (sc->mac_ver == 0x3593) {
6037 		run_write(sc, RT2860_TX_SW_CFG0,
6038 		    4 << RT2860_DLY_PAPE_EN_SHIFT | 2);
6039 	} else if (sc->mac_ver >= 0x3070) {
6040 		/* set delay of PA_PE assertion to 1us (unit of 0.25us) */
6041 		run_write(sc, RT2860_TX_SW_CFG0,
6042 		    4 << RT2860_DLY_PAPE_EN_SHIFT);
6043 	}
6044 
6045 	/* wait while MAC is busy */
6046 	for (ntries = 0; ntries < 100; ntries++) {
6047 		if (run_read(sc, RT2860_MAC_STATUS_REG, &tmp) != 0)
6048 			goto fail;
6049 		if (!(tmp & (RT2860_RX_STATUS_BUSY | RT2860_TX_STATUS_BUSY)))
6050 			break;
6051 		run_delay(sc, 10);
6052 	}
6053 	if (ntries == 100)
6054 		goto fail;
6055 
6056 	/* clear Host to MCU mailbox */
6057 	run_write(sc, RT2860_H2M_BBPAGENT, 0);
6058 	run_write(sc, RT2860_H2M_MAILBOX, 0);
6059 	run_delay(sc, 10);
6060 
6061 	if (run_bbp_init(sc) != 0) {
6062 		device_printf(sc->sc_dev, "could not initialize BBP\n");
6063 		goto fail;
6064 	}
6065 
6066 	/* abort TSF synchronization */
6067 	run_read(sc, RT2860_BCN_TIME_CFG, &tmp);
6068 	tmp &= ~(RT2860_BCN_TX_EN | RT2860_TSF_TIMER_EN |
6069 	    RT2860_TBTT_TIMER_EN);
6070 	run_write(sc, RT2860_BCN_TIME_CFG, tmp);
6071 
6072 	/* clear RX WCID search table */
6073 	run_set_region_4(sc, RT2860_WCID_ENTRY(0), 0, 512);
6074 	/* clear WCID attribute table */
6075 	run_set_region_4(sc, RT2860_WCID_ATTR(0), 0, 8 * 32);
6076 
6077 	/* hostapd sets a key before init. So, don't clear it. */
6078 	if (sc->cmdq_key_set != RUN_CMDQ_GO) {
6079 		/* clear shared key table */
6080 		run_set_region_4(sc, RT2860_SKEY(0, 0), 0, 8 * 32);
6081 		/* clear shared key mode */
6082 		run_set_region_4(sc, RT2860_SKEY_MODE_0_7, 0, 4);
6083 	}
6084 
6085 	run_read(sc, RT2860_US_CYC_CNT, &tmp);
6086 	tmp = (tmp & ~0xff) | 0x1e;
6087 	run_write(sc, RT2860_US_CYC_CNT, tmp);
6088 
6089 	if (sc->mac_rev != 0x0101)
6090 		run_write(sc, RT2860_TXOP_CTRL_CFG, 0x0000583f);
6091 
6092 	run_write(sc, RT2860_WMM_TXOP0_CFG, 0);
6093 	run_write(sc, RT2860_WMM_TXOP1_CFG, 48 << 16 | 96);
6094 
6095 	/* write vendor-specific BBP values (from EEPROM) */
6096 	if (sc->mac_ver < 0x3593) {
6097 		for (i = 0; i < 10; i++) {
6098 			if (sc->bbp[i].reg == 0 || sc->bbp[i].reg == 0xff)
6099 				continue;
6100 			run_bbp_write(sc, sc->bbp[i].reg, sc->bbp[i].val);
6101 		}
6102 	}
6103 
6104 	/* select Main antenna for 1T1R devices */
6105 	if (sc->rf_rev == RT3070_RF_3020 || sc->rf_rev == RT5390_RF_5370)
6106 		run_set_rx_antenna(sc, 0);
6107 
6108 	/* send LEDs operating mode to microcontroller */
6109 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED1, sc->led[0]);
6110 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED2, sc->led[1]);
6111 	(void)run_mcu_cmd(sc, RT2860_MCU_CMD_LED3, sc->led[2]);
6112 
6113 	if (sc->mac_ver >= 0x5390)
6114 		run_rt5390_rf_init(sc);
6115 	else if (sc->mac_ver == 0x3593)
6116 		run_rt3593_rf_init(sc);
6117 	else if (sc->mac_ver >= 0x3070)
6118 		run_rt3070_rf_init(sc);
6119 
6120 	/* disable non-existing Rx chains */
6121 	run_bbp_read(sc, 3, &bbp3);
6122 	bbp3 &= ~(1 << 3 | 1 << 4);
6123 	if (sc->nrxchains == 2)
6124 		bbp3 |= 1 << 3;
6125 	else if (sc->nrxchains == 3)
6126 		bbp3 |= 1 << 4;
6127 	run_bbp_write(sc, 3, bbp3);
6128 
6129 	/* disable non-existing Tx chains */
6130 	run_bbp_read(sc, 1, &bbp1);
6131 	if (sc->ntxchains == 1)
6132 		bbp1 &= ~(1 << 3 | 1 << 4);
6133 	run_bbp_write(sc, 1, bbp1);
6134 
6135 	if (sc->mac_ver >= 0x5390)
6136 		run_rt5390_rf_setup(sc);
6137 	else if (sc->mac_ver == 0x3593)
6138 		run_rt3593_rf_setup(sc);
6139 	else if (sc->mac_ver >= 0x3070)
6140 		run_rt3070_rf_setup(sc);
6141 
6142 	/* select default channel */
6143 	run_set_chan(sc, ic->ic_curchan);
6144 
6145 	/* setup initial protection mode */
6146 	run_updateprot_cb(ic);
6147 
6148 	/* turn radio LED on */
6149 	run_set_leds(sc, RT2860_LED_RADIO);
6150 
6151 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
6152 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
6153 	sc->cmdq_run = RUN_CMDQ_GO;
6154 
6155 	for (i = 0; i != RUN_N_XFER; i++)
6156 		usbd_xfer_set_stall(sc->sc_xfer[i]);
6157 
6158 	usbd_transfer_start(sc->sc_xfer[RUN_BULK_RX]);
6159 
6160 	if (run_txrx_enable(sc) != 0)
6161 		goto fail;
6162 
6163 	return;
6164 
6165 fail:
6166 	run_stop(sc);
6167 }
6168 
6169 static void
6170 run_init(void *arg)
6171 {
6172 	struct run_softc *sc = arg;
6173 	struct ifnet *ifp = sc->sc_ifp;
6174 	struct ieee80211com *ic = ifp->if_l2com;
6175 
6176 	RUN_LOCK(sc);
6177 	run_init_locked(sc);
6178 	RUN_UNLOCK(sc);
6179 
6180 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6181 		ieee80211_start_all(ic);
6182 }
6183 
6184 static void
6185 run_stop(void *arg)
6186 {
6187 	struct run_softc *sc = (struct run_softc *)arg;
6188 	struct ifnet *ifp = sc->sc_ifp;
6189 	uint32_t tmp;
6190 	int i;
6191 	int ntries;
6192 
6193 	RUN_LOCK_ASSERT(sc, MA_OWNED);
6194 
6195 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
6196 		run_set_leds(sc, 0);	/* turn all LEDs off */
6197 
6198 	ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
6199 
6200 	sc->ratectl_run = RUN_RATECTL_OFF;
6201 	sc->cmdq_run = sc->cmdq_key_set;
6202 
6203 	RUN_UNLOCK(sc);
6204 
6205 	for(i = 0; i < RUN_N_XFER; i++)
6206 		usbd_transfer_drain(sc->sc_xfer[i]);
6207 
6208 	RUN_LOCK(sc);
6209 
6210 	if (sc->rx_m != NULL) {
6211 		m_free(sc->rx_m);
6212 		sc->rx_m = NULL;
6213 	}
6214 
6215 	/* Disable Tx/Rx DMA. */
6216 	if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6217 		return;
6218 	tmp &= ~(RT2860_RX_DMA_EN | RT2860_TX_DMA_EN);
6219 	run_write(sc, RT2860_WPDMA_GLO_CFG, tmp);
6220 
6221 	for (ntries = 0; ntries < 100; ntries++) {
6222 		if (run_read(sc, RT2860_WPDMA_GLO_CFG, &tmp) != 0)
6223 			return;
6224 		if ((tmp & (RT2860_TX_DMA_BUSY | RT2860_RX_DMA_BUSY)) == 0)
6225 				break;
6226 		run_delay(sc, 10);
6227 	}
6228 	if (ntries == 100) {
6229 		device_printf(sc->sc_dev, "timeout waiting for DMA engine\n");
6230 		return;
6231 	}
6232 
6233 	/* disable Tx/Rx */
6234 	run_read(sc, RT2860_MAC_SYS_CTRL, &tmp);
6235 	tmp &= ~(RT2860_MAC_RX_EN | RT2860_MAC_TX_EN);
6236 	run_write(sc, RT2860_MAC_SYS_CTRL, tmp);
6237 
6238 	/* wait for pending Tx to complete */
6239 	for (ntries = 0; ntries < 100; ntries++) {
6240 		if (run_read(sc, RT2860_TXRXQ_PCNT, &tmp) != 0) {
6241 			DPRINTF("Cannot read Tx queue count\n");
6242 			break;
6243 		}
6244 		if ((tmp & RT2860_TX2Q_PCNT_MASK) == 0) {
6245 			DPRINTF("All Tx cleared\n");
6246 			break;
6247 		}
6248 		run_delay(sc, 10);
6249 	}
6250 	if (ntries >= 100)
6251 		DPRINTF("There are still pending Tx\n");
6252 	run_delay(sc, 10);
6253 	run_write(sc, RT2860_USB_DMA_CFG, 0);
6254 
6255 	run_write(sc, RT2860_MAC_SYS_CTRL, RT2860_BBP_HRST | RT2860_MAC_SRST);
6256 	run_write(sc, RT2860_MAC_SYS_CTRL, 0);
6257 
6258 	for (i = 0; i != RUN_EP_QUEUES; i++)
6259 		run_unsetup_tx_list(sc, &sc->sc_epq[i]);
6260 }
6261 
6262 static void
6263 run_delay(struct run_softc *sc, u_int ms)
6264 {
6265 	usb_pause_mtx(mtx_owned(&sc->sc_mtx) ?
6266 	    &sc->sc_mtx : NULL, USB_MS_TO_TICKS(ms));
6267 }
6268 
6269 static device_method_t run_methods[] = {
6270 	/* Device interface */
6271 	DEVMETHOD(device_probe,		run_match),
6272 	DEVMETHOD(device_attach,	run_attach),
6273 	DEVMETHOD(device_detach,	run_detach),
6274 	DEVMETHOD_END
6275 };
6276 
6277 static driver_t run_driver = {
6278 	.name = "run",
6279 	.methods = run_methods,
6280 	.size = sizeof(struct run_softc)
6281 };
6282 
6283 static devclass_t run_devclass;
6284 
6285 DRIVER_MODULE(run, uhub, run_driver, run_devclass, run_driver_loaded, NULL);
6286 MODULE_DEPEND(run, wlan, 1, 1, 1);
6287 MODULE_DEPEND(run, usb, 1, 1, 1);
6288 MODULE_DEPEND(run, firmware, 1, 1, 1);
6289 MODULE_VERSION(run, 1);
6290