xref: /freebsd/sys/dev/usb/wlan/if_uath.c (revision 1843dfb05ed80149f5a412180af882e3cb8f451b)
1 /*-
2  * SPDX-License-Identifier: (BSD-2-Clause AND BSD-1-Clause)
3  *
4  * Copyright (c) 2006 Sam Leffler, Errno Consulting
5  * Copyright (c) 2008-2009 Weongyo Jeong <weongyo@freebsd.org>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer,
13  *    without modification.
14  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
15  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
16  *    redistribution must be conditioned upon including a substantially
17  *    similar Disclaimer requirement for further binary redistribution.
18  *
19  * NO WARRANTY
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
23  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
24  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
25  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
28  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGES.
31  */
32 
33 /*
34  * This driver is distantly derived from a driver of the same name
35  * by Damien Bergamini.  The original copyright is included below:
36  *
37  * Copyright (c) 2006
38  *	Damien Bergamini <damien.bergamini@free.fr>
39  *
40  * Permission to use, copy, modify, and distribute this software for any
41  * purpose with or without fee is hereby granted, provided that the above
42  * copyright notice and this permission notice appear in all copies.
43  *
44  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
45  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
46  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
47  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
48  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
49  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
50  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
51  */
52 
53 #include <sys/cdefs.h>
54 /*-
55  * Driver for Atheros AR5523 USB parts.
56  *
57  * The driver requires firmware to be loaded into the device.  This
58  * is done on device discovery from a user application (uathload)
59  * that is launched by devd when a device with suitable product ID
60  * is recognized.  Once firmware has been loaded the device will
61  * reset the USB port and re-attach with the original product ID+1
62  * and this driver will be attached.  The firmware is licensed for
63  * general use (royalty free) and may be incorporated in products.
64  * Note that the firmware normally packaged with the NDIS drivers
65  * for these devices does not work in this way and so does not work
66  * with this driver.
67  */
68 
69 #include "opt_wlan.h"
70 
71 #include <sys/param.h>
72 #include <sys/sockio.h>
73 #include <sys/sysctl.h>
74 #include <sys/lock.h>
75 #include <sys/mutex.h>
76 #include <sys/mbuf.h>
77 #include <sys/kernel.h>
78 #include <sys/socket.h>
79 #include <sys/systm.h>
80 #include <sys/malloc.h>
81 #include <sys/module.h>
82 #include <sys/bus.h>
83 #include <sys/endian.h>
84 #include <sys/kdb.h>
85 
86 #include <net/bpf.h>
87 #include <net/if.h>
88 #include <net/if_var.h>
89 #include <net/if_arp.h>
90 #include <net/ethernet.h>
91 #include <net/if_dl.h>
92 #include <net/if_media.h>
93 #include <net/if_types.h>
94 
95 #ifdef INET
96 #include <netinet/in.h>
97 #include <netinet/in_systm.h>
98 #include <netinet/in_var.h>
99 #include <netinet/if_ether.h>
100 #include <netinet/ip.h>
101 #endif
102 
103 #include <net80211/ieee80211_var.h>
104 #include <net80211/ieee80211_input.h>
105 #include <net80211/ieee80211_regdomain.h>
106 #include <net80211/ieee80211_radiotap.h>
107 
108 #include <dev/usb/usb.h>
109 #include <dev/usb/usbdi.h>
110 #include "usbdevs.h"
111 
112 #include <dev/usb/wlan/if_uathreg.h>
113 #include <dev/usb/wlan/if_uathvar.h>
114 
115 static SYSCTL_NODE(_hw_usb, OID_AUTO, uath, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
116     "USB Atheros");
117 
118 static	int uath_countrycode = CTRY_DEFAULT;	/* country code */
119 SYSCTL_INT(_hw_usb_uath, OID_AUTO, countrycode, CTLFLAG_RWTUN, &uath_countrycode,
120     0, "country code");
121 static	int uath_regdomain = 0;			/* regulatory domain */
122 SYSCTL_INT(_hw_usb_uath, OID_AUTO, regdomain, CTLFLAG_RD, &uath_regdomain,
123     0, "regulatory domain");
124 
125 #ifdef UATH_DEBUG
126 int uath_debug = 0;
127 SYSCTL_INT(_hw_usb_uath, OID_AUTO, debug, CTLFLAG_RWTUN, &uath_debug, 0,
128     "uath debug level");
129 enum {
130 	UATH_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
131 	UATH_DEBUG_XMIT_DUMP	= 0x00000002,	/* xmit dump */
132 	UATH_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
133 	UATH_DEBUG_TX_PROC	= 0x00000008,	/* tx ISR proc */
134 	UATH_DEBUG_RX_PROC	= 0x00000010,	/* rx ISR proc */
135 	UATH_DEBUG_RECV_ALL	= 0x00000020,	/* trace all frames (beacons) */
136 	UATH_DEBUG_INIT		= 0x00000040,	/* initialization of dev */
137 	UATH_DEBUG_DEVCAP	= 0x00000080,	/* dev caps */
138 	UATH_DEBUG_CMDS		= 0x00000100,	/* commands */
139 	UATH_DEBUG_CMDS_DUMP	= 0x00000200,	/* command buffer dump */
140 	UATH_DEBUG_RESET	= 0x00000400,	/* reset processing */
141 	UATH_DEBUG_STATE	= 0x00000800,	/* 802.11 state transitions */
142 	UATH_DEBUG_MULTICAST	= 0x00001000,	/* multicast */
143 	UATH_DEBUG_WME		= 0x00002000,	/* WME */
144 	UATH_DEBUG_CHANNEL	= 0x00004000,	/* channel */
145 	UATH_DEBUG_RATES	= 0x00008000,	/* rates */
146 	UATH_DEBUG_CRYPTO	= 0x00010000,	/* crypto */
147 	UATH_DEBUG_LED		= 0x00020000,	/* LED */
148 	UATH_DEBUG_ANY		= 0xffffffff
149 };
150 #define	DPRINTF(sc, m, fmt, ...) do {				\
151 	if (sc->sc_debug & (m))					\
152 		printf(fmt, __VA_ARGS__);			\
153 } while (0)
154 #else
155 #define	DPRINTF(sc, m, fmt, ...) do {				\
156 	(void) sc;						\
157 } while (0)
158 #endif
159 
160 /* recognized device vendors/products */
161 static const STRUCT_USB_HOST_ID uath_devs[] = {
162 #define	UATH_DEV(v,p) { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
163 	UATH_DEV(ACCTON,		SMCWUSBTG2),
164 	UATH_DEV(ATHEROS,		AR5523),
165 	UATH_DEV(ATHEROS2,		AR5523_1),
166 	UATH_DEV(ATHEROS2,		AR5523_2),
167 	UATH_DEV(ATHEROS2,		AR5523_3),
168 	UATH_DEV(CONCEPTRONIC,		AR5523_1),
169 	UATH_DEV(CONCEPTRONIC,		AR5523_2),
170 	UATH_DEV(DLINK,			DWLAG122),
171 	UATH_DEV(DLINK,			DWLAG132),
172 	UATH_DEV(DLINK,			DWLG132),
173 	UATH_DEV(DLINK2,		DWA120),
174 	UATH_DEV(GIGASET,		AR5523),
175 	UATH_DEV(GIGASET,		SMCWUSBTG),
176 	UATH_DEV(GLOBALSUN,		AR5523_1),
177 	UATH_DEV(GLOBALSUN,		AR5523_2),
178 	UATH_DEV(NETGEAR,		WG111U),
179 	UATH_DEV(NETGEAR3,		WG111T),
180 	UATH_DEV(NETGEAR3,		WPN111),
181 	UATH_DEV(NETGEAR3,		WPN111_2),
182 	UATH_DEV(UMEDIA,		TEW444UBEU),
183 	UATH_DEV(UMEDIA,		AR5523_2),
184 	UATH_DEV(WISTRONNEWEB,		AR5523_1),
185 	UATH_DEV(WISTRONNEWEB,		AR5523_2),
186 	UATH_DEV(ZCOM,			AR5523)
187 #undef UATH_DEV
188 };
189 
190 static usb_callback_t uath_intr_rx_callback;
191 static usb_callback_t uath_intr_tx_callback;
192 static usb_callback_t uath_bulk_rx_callback;
193 static usb_callback_t uath_bulk_tx_callback;
194 
195 static const struct usb_config uath_usbconfig[UATH_N_XFERS] = {
196 	[UATH_INTR_RX] = {
197 		.type = UE_BULK,
198 		.endpoint = 0x1,
199 		.direction = UE_DIR_IN,
200 		.bufsize = UATH_MAX_CMDSZ,
201 		.flags = {
202 			.pipe_bof = 1,
203 			.short_xfer_ok = 1
204 		},
205 		.callback = uath_intr_rx_callback
206 	},
207 	[UATH_INTR_TX] = {
208 		.type = UE_BULK,
209 		.endpoint = 0x1,
210 		.direction = UE_DIR_OUT,
211 		.bufsize = UATH_MAX_CMDSZ * UATH_CMD_LIST_COUNT,
212 		.flags = {
213 			.force_short_xfer = 1,
214 			.pipe_bof = 1,
215 		},
216 		.callback = uath_intr_tx_callback,
217 		.timeout = UATH_CMD_TIMEOUT
218 	},
219 	[UATH_BULK_RX] = {
220 		.type = UE_BULK,
221 		.endpoint = 0x2,
222 		.direction = UE_DIR_IN,
223 		.bufsize = MCLBYTES,
224 		.flags = {
225 			.ext_buffer = 1,
226 			.pipe_bof = 1,
227 			.short_xfer_ok = 1
228 		},
229 		.callback = uath_bulk_rx_callback
230 	},
231 	[UATH_BULK_TX] = {
232 		.type = UE_BULK,
233 		.endpoint = 0x2,
234 		.direction = UE_DIR_OUT,
235 		.bufsize = UATH_MAX_TXBUFSZ * UATH_TX_DATA_LIST_COUNT,
236 		.flags = {
237 			.force_short_xfer = 1,
238 			.pipe_bof = 1
239 		},
240 		.callback = uath_bulk_tx_callback,
241 		.timeout = UATH_DATA_TIMEOUT
242 	}
243 };
244 
245 static struct ieee80211vap *uath_vap_create(struct ieee80211com *,
246 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
247 		    const uint8_t [IEEE80211_ADDR_LEN],
248 		    const uint8_t [IEEE80211_ADDR_LEN]);
249 static void	uath_vap_delete(struct ieee80211vap *);
250 static int	uath_alloc_cmd_list(struct uath_softc *, struct uath_cmd []);
251 static void	uath_free_cmd_list(struct uath_softc *, struct uath_cmd []);
252 static int	uath_host_available(struct uath_softc *);
253 static int	uath_get_capability(struct uath_softc *, uint32_t, uint32_t *);
254 static int	uath_get_devcap(struct uath_softc *);
255 static struct uath_cmd *
256 		uath_get_cmdbuf(struct uath_softc *);
257 static int	uath_cmd_read(struct uath_softc *, uint32_t, const void *,
258 		    int, void *, int, int);
259 static int	uath_cmd_write(struct uath_softc *, uint32_t, const void *,
260 		    int, int);
261 static void	uath_stat(void *);
262 #ifdef UATH_DEBUG
263 static void	uath_dump_cmd(const uint8_t *, int, char);
264 static const char *
265 		uath_codename(int);
266 #endif
267 static int	uath_get_devstatus(struct uath_softc *,
268 		    uint8_t macaddr[IEEE80211_ADDR_LEN]);
269 static int	uath_get_status(struct uath_softc *, uint32_t, void *, int);
270 static int	uath_alloc_rx_data_list(struct uath_softc *);
271 static int	uath_alloc_tx_data_list(struct uath_softc *);
272 static void	uath_free_rx_data_list(struct uath_softc *);
273 static void	uath_free_tx_data_list(struct uath_softc *);
274 static int	uath_init(struct uath_softc *);
275 static void	uath_stop(struct uath_softc *);
276 static void	uath_parent(struct ieee80211com *);
277 static int	uath_transmit(struct ieee80211com *, struct mbuf *);
278 static void	uath_start(struct uath_softc *);
279 static int	uath_raw_xmit(struct ieee80211_node *, struct mbuf *,
280 		    const struct ieee80211_bpf_params *);
281 static void	uath_scan_start(struct ieee80211com *);
282 static void	uath_scan_end(struct ieee80211com *);
283 static void	uath_set_channel(struct ieee80211com *);
284 static void	uath_update_mcast(struct ieee80211com *);
285 static void	uath_update_promisc(struct ieee80211com *);
286 static int	uath_config(struct uath_softc *, uint32_t, uint32_t);
287 static int	uath_config_multi(struct uath_softc *, uint32_t, const void *,
288 		    int);
289 static int	uath_switch_channel(struct uath_softc *,
290 		    struct ieee80211_channel *);
291 static int	uath_set_rxfilter(struct uath_softc *, uint32_t, uint32_t);
292 static void	uath_watchdog(void *);
293 static void	uath_abort_xfers(struct uath_softc *);
294 static int	uath_dataflush(struct uath_softc *);
295 static int	uath_cmdflush(struct uath_softc *);
296 static int	uath_flush(struct uath_softc *);
297 static int	uath_set_ledstate(struct uath_softc *, int);
298 static int	uath_set_chan(struct uath_softc *, struct ieee80211_channel *);
299 static int	uath_reset_tx_queues(struct uath_softc *);
300 static int	uath_wme_init(struct uath_softc *);
301 static struct uath_data *
302 		uath_getbuf(struct uath_softc *);
303 static int	uath_newstate(struct ieee80211vap *, enum ieee80211_state,
304 		    int);
305 static int	uath_set_key(struct uath_softc *,
306 		    const struct ieee80211_key *, int);
307 static int	uath_set_keys(struct uath_softc *, struct ieee80211vap *);
308 static void	uath_sysctl_node(struct uath_softc *);
309 
310 static int
311 uath_match(device_t dev)
312 {
313 	struct usb_attach_arg *uaa = device_get_ivars(dev);
314 
315 	if (uaa->usb_mode != USB_MODE_HOST)
316 		return (ENXIO);
317 	if (uaa->info.bConfigIndex != UATH_CONFIG_INDEX)
318 		return (ENXIO);
319 	if (uaa->info.bIfaceIndex != UATH_IFACE_INDEX)
320 		return (ENXIO);
321 
322 	return (usbd_lookup_id_by_uaa(uath_devs, sizeof(uath_devs), uaa));
323 }
324 
325 static int
326 uath_attach(device_t dev)
327 {
328 	struct uath_softc *sc = device_get_softc(dev);
329 	struct usb_attach_arg *uaa = device_get_ivars(dev);
330 	struct ieee80211com *ic = &sc->sc_ic;
331 	uint8_t bands[IEEE80211_MODE_BYTES];
332 	uint8_t iface_index = UATH_IFACE_INDEX;		/* XXX */
333 	usb_error_t error;
334 
335 	sc->sc_dev = dev;
336 	sc->sc_udev = uaa->device;
337 #ifdef UATH_DEBUG
338 	sc->sc_debug = uath_debug;
339 #endif
340 	device_set_usb_desc(dev);
341 
342 	/*
343 	 * Only post-firmware devices here.
344 	 */
345 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev), MTX_NETWORK_LOCK,
346 	    MTX_DEF);
347 	callout_init(&sc->stat_ch, 0);
348 	callout_init_mtx(&sc->watchdog_ch, &sc->sc_mtx, 0);
349 	mbufq_init(&sc->sc_snd, ifqmaxlen);
350 
351 	error = usbd_transfer_setup(uaa->device, &iface_index, sc->sc_xfer,
352 	    uath_usbconfig, UATH_N_XFERS, sc, &sc->sc_mtx);
353 	if (error) {
354 		device_printf(dev, "could not allocate USB transfers, "
355 		    "err=%s\n", usbd_errstr(error));
356 		goto fail;
357 	}
358 
359 	sc->sc_cmd_dma_buf =
360 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_INTR_TX], 0);
361 	sc->sc_tx_dma_buf =
362 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_BULK_TX], 0);
363 
364 	/*
365 	 * Setup buffers for firmware commands.
366 	 */
367 	error = uath_alloc_cmd_list(sc, sc->sc_cmd);
368 	if (error != 0) {
369 		device_printf(sc->sc_dev,
370 		    "could not allocate Tx command list\n");
371 		goto fail1;
372 	}
373 
374 	/*
375 	 * We're now ready to send+receive firmware commands.
376 	 */
377 	UATH_LOCK(sc);
378 	error = uath_host_available(sc);
379 	if (error != 0) {
380 		device_printf(sc->sc_dev, "could not initialize adapter\n");
381 		goto fail2;
382 	}
383 	error = uath_get_devcap(sc);
384 	if (error != 0) {
385 		device_printf(sc->sc_dev,
386 		    "could not get device capabilities\n");
387 		goto fail2;
388 	}
389 	UATH_UNLOCK(sc);
390 
391 	/* Create device sysctl node. */
392 	uath_sysctl_node(sc);
393 
394 	UATH_LOCK(sc);
395 	error = uath_get_devstatus(sc, ic->ic_macaddr);
396 	if (error != 0) {
397 		device_printf(sc->sc_dev, "could not get device status\n");
398 		goto fail2;
399 	}
400 
401 	/*
402 	 * Allocate xfers for Rx/Tx data pipes.
403 	 */
404 	error = uath_alloc_rx_data_list(sc);
405 	if (error != 0) {
406 		device_printf(sc->sc_dev, "could not allocate Rx data list\n");
407 		goto fail2;
408 	}
409 	error = uath_alloc_tx_data_list(sc);
410 	if (error != 0) {
411 		device_printf(sc->sc_dev, "could not allocate Tx data list\n");
412 		goto fail2;
413 	}
414 	UATH_UNLOCK(sc);
415 
416 	ic->ic_softc = sc;
417 	ic->ic_name = device_get_nameunit(dev);
418 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
419 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
420 
421 	/* set device capabilities */
422 	ic->ic_caps =
423 	    IEEE80211_C_STA |		/* station mode */
424 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
425 	    IEEE80211_C_TXPMGT |	/* tx power management */
426 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
427 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
428 	    IEEE80211_C_WPA |		/* 802.11i */
429 	    IEEE80211_C_BGSCAN |	/* capable of bg scanning */
430 	    IEEE80211_C_TXFRAG;		/* handle tx frags */
431 
432 	/* put a regulatory domain to reveal informations.  */
433 	uath_regdomain = sc->sc_devcap.regDomain;
434 
435 	memset(bands, 0, sizeof(bands));
436 	setbit(bands, IEEE80211_MODE_11B);
437 	setbit(bands, IEEE80211_MODE_11G);
438 	if ((sc->sc_devcap.analog5GhzRevision & 0xf0) == 0x30)
439 		setbit(bands, IEEE80211_MODE_11A);
440 	/* XXX turbo */
441 	ieee80211_init_channels(ic, NULL, bands);
442 
443 	ieee80211_ifattach(ic);
444 	ic->ic_raw_xmit = uath_raw_xmit;
445 	ic->ic_scan_start = uath_scan_start;
446 	ic->ic_scan_end = uath_scan_end;
447 	ic->ic_set_channel = uath_set_channel;
448 	ic->ic_vap_create = uath_vap_create;
449 	ic->ic_vap_delete = uath_vap_delete;
450 	ic->ic_update_mcast = uath_update_mcast;
451 	ic->ic_update_promisc = uath_update_promisc;
452 	ic->ic_transmit = uath_transmit;
453 	ic->ic_parent = uath_parent;
454 
455 	ieee80211_radiotap_attach(ic,
456 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
457 		UATH_TX_RADIOTAP_PRESENT,
458 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
459 		UATH_RX_RADIOTAP_PRESENT);
460 
461 	if (bootverbose)
462 		ieee80211_announce(ic);
463 
464 	return (0);
465 
466 fail2:	UATH_UNLOCK(sc);
467 	uath_free_cmd_list(sc, sc->sc_cmd);
468 fail1:	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
469 fail:
470 	return (error);
471 }
472 
473 static int
474 uath_detach(device_t dev)
475 {
476 	struct uath_softc *sc = device_get_softc(dev);
477 	struct ieee80211com *ic = &sc->sc_ic;
478 	unsigned x;
479 
480 	/*
481 	 * Prevent further allocations from RX/TX/CMD
482 	 * data lists and ioctls
483 	 */
484 	UATH_LOCK(sc);
485 	sc->sc_flags |= UATH_FLAG_INVALID;
486 
487 	STAILQ_INIT(&sc->sc_rx_active);
488 	STAILQ_INIT(&sc->sc_rx_inactive);
489 
490 	STAILQ_INIT(&sc->sc_tx_active);
491 	STAILQ_INIT(&sc->sc_tx_inactive);
492 	STAILQ_INIT(&sc->sc_tx_pending);
493 
494 	STAILQ_INIT(&sc->sc_cmd_active);
495 	STAILQ_INIT(&sc->sc_cmd_pending);
496 	STAILQ_INIT(&sc->sc_cmd_waiting);
497 	STAILQ_INIT(&sc->sc_cmd_inactive);
498 
499 	uath_stop(sc);
500 	UATH_UNLOCK(sc);
501 
502 	callout_drain(&sc->stat_ch);
503 	callout_drain(&sc->watchdog_ch);
504 
505 	/* drain USB transfers */
506 	for (x = 0; x != UATH_N_XFERS; x++)
507 		usbd_transfer_drain(sc->sc_xfer[x]);
508 
509 	/* free data buffers */
510 	UATH_LOCK(sc);
511 	uath_free_rx_data_list(sc);
512 	uath_free_tx_data_list(sc);
513 	uath_free_cmd_list(sc, sc->sc_cmd);
514 	UATH_UNLOCK(sc);
515 
516 	/* free USB transfers and some data buffers */
517 	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
518 
519 	ieee80211_ifdetach(ic);
520 	mbufq_drain(&sc->sc_snd);
521 	mtx_destroy(&sc->sc_mtx);
522 	return (0);
523 }
524 
525 static void
526 uath_free_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
527 {
528 	int i;
529 
530 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++)
531 		cmds[i].buf = NULL;
532 }
533 
534 static int
535 uath_alloc_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
536 {
537 	int i;
538 
539 	STAILQ_INIT(&sc->sc_cmd_active);
540 	STAILQ_INIT(&sc->sc_cmd_pending);
541 	STAILQ_INIT(&sc->sc_cmd_waiting);
542 	STAILQ_INIT(&sc->sc_cmd_inactive);
543 
544 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++) {
545 		struct uath_cmd *cmd = &cmds[i];
546 
547 		cmd->sc = sc;	/* backpointer for callbacks */
548 		cmd->msgid = i;
549 		cmd->buf = ((uint8_t *)sc->sc_cmd_dma_buf) +
550 		    (i * UATH_MAX_CMDSZ);
551 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
552 		UATH_STAT_INC(sc, st_cmd_inactive);
553 	}
554 	return (0);
555 }
556 
557 static int
558 uath_host_available(struct uath_softc *sc)
559 {
560 	struct uath_cmd_host_available setup;
561 
562 	UATH_ASSERT_LOCKED(sc);
563 
564 	/* inform target the host is available */
565 	setup.sw_ver_major = htobe32(ATH_SW_VER_MAJOR);
566 	setup.sw_ver_minor = htobe32(ATH_SW_VER_MINOR);
567 	setup.sw_ver_patch = htobe32(ATH_SW_VER_PATCH);
568 	setup.sw_ver_build = htobe32(ATH_SW_VER_BUILD);
569 	return uath_cmd_read(sc, WDCMSG_HOST_AVAILABLE,
570 		&setup, sizeof setup, NULL, 0, 0);
571 }
572 
573 #ifdef UATH_DEBUG
574 static void
575 uath_dump_cmd(const uint8_t *buf, int len, char prefix)
576 {
577 	const char *sep = "";
578 	int i;
579 
580 	for (i = 0; i < len; i++) {
581 		if ((i % 16) == 0) {
582 			printf("%s%c ", sep, prefix);
583 			sep = "\n";
584 		}
585 		else if ((i % 4) == 0)
586 			printf(" ");
587 		printf("%02x", buf[i]);
588 	}
589 	printf("\n");
590 }
591 
592 static const char *
593 uath_codename(int code)
594 {
595 	static const char *names[] = {
596 	    "0x00",
597 	    "HOST_AVAILABLE",
598 	    "BIND",
599 	    "TARGET_RESET",
600 	    "TARGET_GET_CAPABILITY",
601 	    "TARGET_SET_CONFIG",
602 	    "TARGET_GET_STATUS",
603 	    "TARGET_GET_STATS",
604 	    "TARGET_START",
605 	    "TARGET_STOP",
606 	    "TARGET_ENABLE",
607 	    "TARGET_DISABLE",
608 	    "CREATE_CONNECTION",
609 	    "UPDATE_CONNECT_ATTR",
610 	    "DELETE_CONNECT",
611 	    "SEND",
612 	    "FLUSH",
613 	    "STATS_UPDATE",
614 	    "BMISS",
615 	    "DEVICE_AVAIL",
616 	    "SEND_COMPLETE",
617 	    "DATA_AVAIL",
618 	    "SET_PWR_MODE",
619 	    "BMISS_ACK",
620 	    "SET_LED_STEADY",
621 	    "SET_LED_BLINK",
622 	    "SETUP_BEACON_DESC",
623 	    "BEACON_INIT",
624 	    "RESET_KEY_CACHE",
625 	    "RESET_KEY_CACHE_ENTRY",
626 	    "SET_KEY_CACHE_ENTRY",
627 	    "SET_DECOMP_MASK",
628 	    "SET_REGULATORY_DOMAIN",
629 	    "SET_LED_STATE",
630 	    "WRITE_ASSOCID",
631 	    "SET_STA_BEACON_TIMERS",
632 	    "GET_TSF",
633 	    "RESET_TSF",
634 	    "SET_ADHOC_MODE",
635 	    "SET_BASIC_RATE",
636 	    "MIB_CONTROL",
637 	    "GET_CHANNEL_DATA",
638 	    "GET_CUR_RSSI",
639 	    "SET_ANTENNA_SWITCH",
640 	    "0x2c", "0x2d", "0x2e",
641 	    "USE_SHORT_SLOT_TIME",
642 	    "SET_POWER_MODE",
643 	    "SETUP_PSPOLL_DESC",
644 	    "SET_RX_MULTICAST_FILTER",
645 	    "RX_FILTER",
646 	    "PER_CALIBRATION",
647 	    "RESET",
648 	    "DISABLE",
649 	    "PHY_DISABLE",
650 	    "SET_TX_POWER_LIMIT",
651 	    "SET_TX_QUEUE_PARAMS",
652 	    "SETUP_TX_QUEUE",
653 	    "RELEASE_TX_QUEUE",
654 	};
655 	static char buf[8];
656 
657 	if (code < nitems(names))
658 		return names[code];
659 	if (code == WDCMSG_SET_DEFAULT_KEY)
660 		return "SET_DEFAULT_KEY";
661 	snprintf(buf, sizeof(buf), "0x%02x", code);
662 	return buf;
663 }
664 #endif
665 
666 /*
667  * Low-level function to send read or write commands to the firmware.
668  */
669 static int
670 uath_cmdsend(struct uath_softc *sc, uint32_t code, const void *idata, int ilen,
671     void *odata, int olen, int flags)
672 {
673 	struct uath_cmd_hdr *hdr;
674 	struct uath_cmd *cmd;
675 	int error;
676 
677 	UATH_ASSERT_LOCKED(sc);
678 
679 	/* grab a xfer */
680 	cmd = uath_get_cmdbuf(sc);
681 	if (cmd == NULL) {
682 		device_printf(sc->sc_dev, "%s: empty inactive queue\n",
683 		    __func__);
684 		return (ENOBUFS);
685 	}
686 	cmd->flags = flags;
687 	/* always bulk-out a multiple of 4 bytes */
688 	cmd->buflen = roundup2(sizeof(struct uath_cmd_hdr) + ilen, 4);
689 
690 	hdr = (struct uath_cmd_hdr *)cmd->buf;
691 	memset(hdr, 0, sizeof(struct uath_cmd_hdr));
692 	hdr->len   = htobe32(cmd->buflen);
693 	hdr->code  = htobe32(code);
694 	hdr->msgid = cmd->msgid;	/* don't care about endianness */
695 	hdr->magic = htobe32((cmd->flags & UATH_CMD_FLAG_MAGIC) ? 1 << 24 : 0);
696 	memcpy((uint8_t *)(hdr + 1), idata, ilen);
697 
698 #ifdef UATH_DEBUG
699 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
700 		printf("%s: send  %s [flags 0x%x] olen %d\n",
701 		    __func__, uath_codename(code), cmd->flags, olen);
702 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
703 			uath_dump_cmd(cmd->buf, cmd->buflen, '+');
704 	}
705 #endif
706 	cmd->odata = odata;
707 	KASSERT(odata == NULL ||
708 	    olen < UATH_MAX_CMDSZ - sizeof(*hdr) + sizeof(uint32_t),
709 	    ("odata %p olen %u", odata, olen));
710 	cmd->olen = olen;
711 
712 	STAILQ_INSERT_TAIL(&sc->sc_cmd_pending, cmd, next);
713 	UATH_STAT_INC(sc, st_cmd_pending);
714 	usbd_transfer_start(sc->sc_xfer[UATH_INTR_TX]);
715 
716 	if (cmd->flags & UATH_CMD_FLAG_READ) {
717 		usbd_transfer_start(sc->sc_xfer[UATH_INTR_RX]);
718 
719 		/* wait at most two seconds for command reply */
720 		error = mtx_sleep(cmd, &sc->sc_mtx, 0, "uathcmd", 2 * hz);
721 		cmd->odata = NULL;	/* in case reply comes too late */
722 		if (error != 0) {
723 			device_printf(sc->sc_dev, "timeout waiting for reply "
724 			    "to cmd 0x%x (%u)\n", code, code);
725 		} else if (cmd->olen != olen) {
726 			device_printf(sc->sc_dev, "unexpected reply data count "
727 			    "to cmd 0x%x (%u), got %u, expected %u\n",
728 			    code, code, cmd->olen, olen);
729 			error = EINVAL;
730 		}
731 		return (error);
732 	}
733 	return (0);
734 }
735 
736 static int
737 uath_cmd_read(struct uath_softc *sc, uint32_t code, const void *idata,
738     int ilen, void *odata, int olen, int flags)
739 {
740 
741 	flags |= UATH_CMD_FLAG_READ;
742 	return uath_cmdsend(sc, code, idata, ilen, odata, olen, flags);
743 }
744 
745 static int
746 uath_cmd_write(struct uath_softc *sc, uint32_t code, const void *data, int len,
747     int flags)
748 {
749 
750 	flags &= ~UATH_CMD_FLAG_READ;
751 	return uath_cmdsend(sc, code, data, len, NULL, 0, flags);
752 }
753 
754 static struct uath_cmd *
755 uath_get_cmdbuf(struct uath_softc *sc)
756 {
757 	struct uath_cmd *uc;
758 
759 	UATH_ASSERT_LOCKED(sc);
760 
761 	uc = STAILQ_FIRST(&sc->sc_cmd_inactive);
762 	if (uc != NULL) {
763 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_inactive, next);
764 		UATH_STAT_DEC(sc, st_cmd_inactive);
765 	} else
766 		uc = NULL;
767 	if (uc == NULL)
768 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
769 		    "out of command xmit buffers");
770 	return (uc);
771 }
772 
773 /*
774  * This function is called periodically (every second) when associated to
775  * query device statistics.
776  */
777 static void
778 uath_stat(void *arg)
779 {
780 	struct uath_softc *sc = arg;
781 	int error;
782 
783 	UATH_LOCK(sc);
784 	/*
785 	 * Send request for statistics asynchronously. The timer will be
786 	 * restarted when we'll get the stats notification.
787 	 */
788 	error = uath_cmd_write(sc, WDCMSG_TARGET_GET_STATS, NULL, 0,
789 	    UATH_CMD_FLAG_ASYNC);
790 	if (error != 0) {
791 		device_printf(sc->sc_dev,
792 		    "could not query stats, error %d\n", error);
793 	}
794 	UATH_UNLOCK(sc);
795 }
796 
797 static int
798 uath_get_capability(struct uath_softc *sc, uint32_t cap, uint32_t *val)
799 {
800 	int error;
801 
802 	cap = htobe32(cap);
803 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_CAPABILITY,
804 	    &cap, sizeof cap, val, sizeof(uint32_t), UATH_CMD_FLAG_MAGIC);
805 	if (error != 0) {
806 		device_printf(sc->sc_dev, "could not read capability %u\n",
807 		    be32toh(cap));
808 		return (error);
809 	}
810 	*val = be32toh(*val);
811 	return (error);
812 }
813 
814 static int
815 uath_get_devcap(struct uath_softc *sc)
816 {
817 #define	GETCAP(x, v) do {				\
818 	error = uath_get_capability(sc, x, &v);		\
819 	if (error != 0)					\
820 		return (error);				\
821 	DPRINTF(sc, UATH_DEBUG_DEVCAP,			\
822 	    "%s: %s=0x%08x\n", __func__, #x, v);	\
823 } while (0)
824 	struct uath_devcap *cap = &sc->sc_devcap;
825 	int error;
826 
827 	/* collect device capabilities */
828 	GETCAP(CAP_TARGET_VERSION, cap->targetVersion);
829 	GETCAP(CAP_TARGET_REVISION, cap->targetRevision);
830 	GETCAP(CAP_MAC_VERSION, cap->macVersion);
831 	GETCAP(CAP_MAC_REVISION, cap->macRevision);
832 	GETCAP(CAP_PHY_REVISION, cap->phyRevision);
833 	GETCAP(CAP_ANALOG_5GHz_REVISION, cap->analog5GhzRevision);
834 	GETCAP(CAP_ANALOG_2GHz_REVISION, cap->analog2GhzRevision);
835 
836 	GETCAP(CAP_REG_DOMAIN, cap->regDomain);
837 	GETCAP(CAP_REG_CAP_BITS, cap->regCapBits);
838 #if 0
839 	/* NB: not supported in rev 1.5 */
840 	GETCAP(CAP_COUNTRY_CODE, cap->countryCode);
841 #endif
842 	GETCAP(CAP_WIRELESS_MODES, cap->wirelessModes);
843 	GETCAP(CAP_CHAN_SPREAD_SUPPORT, cap->chanSpreadSupport);
844 	GETCAP(CAP_COMPRESS_SUPPORT, cap->compressSupport);
845 	GETCAP(CAP_BURST_SUPPORT, cap->burstSupport);
846 	GETCAP(CAP_FAST_FRAMES_SUPPORT, cap->fastFramesSupport);
847 	GETCAP(CAP_CHAP_TUNING_SUPPORT, cap->chapTuningSupport);
848 	GETCAP(CAP_TURBOG_SUPPORT, cap->turboGSupport);
849 	GETCAP(CAP_TURBO_PRIME_SUPPORT, cap->turboPrimeSupport);
850 	GETCAP(CAP_DEVICE_TYPE, cap->deviceType);
851 	GETCAP(CAP_WME_SUPPORT, cap->wmeSupport);
852 	GETCAP(CAP_TOTAL_QUEUES, cap->numTxQueues);
853 	GETCAP(CAP_CONNECTION_ID_MAX, cap->connectionIdMax);
854 
855 	GETCAP(CAP_LOW_5GHZ_CHAN, cap->low5GhzChan);
856 	GETCAP(CAP_HIGH_5GHZ_CHAN, cap->high5GhzChan);
857 	GETCAP(CAP_LOW_2GHZ_CHAN, cap->low2GhzChan);
858 	GETCAP(CAP_HIGH_2GHZ_CHAN, cap->high2GhzChan);
859 	GETCAP(CAP_TWICE_ANTENNAGAIN_5G, cap->twiceAntennaGain5G);
860 	GETCAP(CAP_TWICE_ANTENNAGAIN_2G, cap->twiceAntennaGain2G);
861 
862 	GETCAP(CAP_CIPHER_AES_CCM, cap->supportCipherAES_CCM);
863 	GETCAP(CAP_CIPHER_TKIP, cap->supportCipherTKIP);
864 	GETCAP(CAP_MIC_TKIP, cap->supportMicTKIP);
865 
866 	cap->supportCipherWEP = 1;	/* NB: always available */
867 
868 	return (0);
869 }
870 
871 static int
872 uath_get_devstatus(struct uath_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
873 {
874 	int error;
875 
876 	/* retrieve MAC address */
877 	error = uath_get_status(sc, ST_MAC_ADDR, macaddr, IEEE80211_ADDR_LEN);
878 	if (error != 0) {
879 		device_printf(sc->sc_dev, "could not read MAC address\n");
880 		return (error);
881 	}
882 
883 	error = uath_get_status(sc, ST_SERIAL_NUMBER,
884 	    &sc->sc_serial[0], sizeof(sc->sc_serial));
885 	if (error != 0) {
886 		device_printf(sc->sc_dev,
887 		    "could not read device serial number\n");
888 		return (error);
889 	}
890 	return (0);
891 }
892 
893 static int
894 uath_get_status(struct uath_softc *sc, uint32_t which, void *odata, int olen)
895 {
896 	int error;
897 
898 	which = htobe32(which);
899 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_STATUS,
900 	    &which, sizeof(which), odata, olen, UATH_CMD_FLAG_MAGIC);
901 	if (error != 0)
902 		device_printf(sc->sc_dev,
903 		    "could not read EEPROM offset 0x%02x\n", be32toh(which));
904 	return (error);
905 }
906 
907 static void
908 uath_free_data_list(struct uath_softc *sc, struct uath_data data[], int ndata,
909     int fillmbuf)
910 {
911 	int i;
912 
913 	for (i = 0; i < ndata; i++) {
914 		struct uath_data *dp = &data[i];
915 
916 		if (fillmbuf == 1) {
917 			if (dp->m != NULL) {
918 				m_freem(dp->m);
919 				dp->m = NULL;
920 				dp->buf = NULL;
921 			}
922 		} else {
923 			dp->buf = NULL;
924 		}
925 		if (dp->ni != NULL) {
926 			ieee80211_free_node(dp->ni);
927 			dp->ni = NULL;
928 		}
929 	}
930 }
931 
932 static int
933 uath_alloc_data_list(struct uath_softc *sc, struct uath_data data[],
934     int ndata, int maxsz, void *dma_buf)
935 {
936 	int i, error;
937 
938 	for (i = 0; i < ndata; i++) {
939 		struct uath_data *dp = &data[i];
940 
941 		dp->sc = sc;
942 		if (dma_buf == NULL) {
943 			/* XXX check maxsz */
944 			dp->m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
945 			if (dp->m == NULL) {
946 				device_printf(sc->sc_dev,
947 				    "could not allocate rx mbuf\n");
948 				error = ENOMEM;
949 				goto fail;
950 			}
951 			dp->buf = mtod(dp->m, uint8_t *);
952 		} else {
953 			dp->m = NULL;
954 			dp->buf = ((uint8_t *)dma_buf) + (i * maxsz);
955 		}
956 		dp->ni = NULL;
957 	}
958 
959 	return (0);
960 
961 fail:	uath_free_data_list(sc, data, ndata, 1 /* free mbufs */);
962 	return (error);
963 }
964 
965 static int
966 uath_alloc_rx_data_list(struct uath_softc *sc)
967 {
968 	int error, i;
969 
970 	/* XXX is it enough to store the RX packet with MCLBYTES bytes?  */
971 	error = uath_alloc_data_list(sc,
972 	    sc->sc_rx, UATH_RX_DATA_LIST_COUNT, MCLBYTES,
973 	    NULL /* setup mbufs */);
974 	if (error != 0)
975 		return (error);
976 
977 	STAILQ_INIT(&sc->sc_rx_active);
978 	STAILQ_INIT(&sc->sc_rx_inactive);
979 
980 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
981 		STAILQ_INSERT_HEAD(&sc->sc_rx_inactive, &sc->sc_rx[i],
982 		    next);
983 		UATH_STAT_INC(sc, st_rx_inactive);
984 	}
985 
986 	return (0);
987 }
988 
989 static int
990 uath_alloc_tx_data_list(struct uath_softc *sc)
991 {
992 	int error, i;
993 
994 	error = uath_alloc_data_list(sc,
995 	    sc->sc_tx, UATH_TX_DATA_LIST_COUNT, UATH_MAX_TXBUFSZ,
996 	    sc->sc_tx_dma_buf);
997 	if (error != 0)
998 		return (error);
999 
1000 	STAILQ_INIT(&sc->sc_tx_active);
1001 	STAILQ_INIT(&sc->sc_tx_inactive);
1002 	STAILQ_INIT(&sc->sc_tx_pending);
1003 
1004 	for (i = 0; i < UATH_TX_DATA_LIST_COUNT; i++) {
1005 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, &sc->sc_tx[i],
1006 		    next);
1007 		UATH_STAT_INC(sc, st_tx_inactive);
1008 	}
1009 
1010 	return (0);
1011 }
1012 
1013 static void
1014 uath_free_rx_data_list(struct uath_softc *sc)
1015 {
1016 	uath_free_data_list(sc, sc->sc_rx, UATH_RX_DATA_LIST_COUNT,
1017 	    1 /* free mbufs */);
1018 }
1019 
1020 static void
1021 uath_free_tx_data_list(struct uath_softc *sc)
1022 {
1023 	uath_free_data_list(sc, sc->sc_tx, UATH_TX_DATA_LIST_COUNT,
1024 	    0 /* no mbufs */);
1025 }
1026 
1027 static struct ieee80211vap *
1028 uath_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
1029     enum ieee80211_opmode opmode, int flags,
1030     const uint8_t bssid[IEEE80211_ADDR_LEN],
1031     const uint8_t mac[IEEE80211_ADDR_LEN])
1032 {
1033 	struct uath_vap *uvp;
1034 	struct ieee80211vap *vap;
1035 
1036 	if (!TAILQ_EMPTY(&ic->ic_vaps))		/* only one at a time */
1037 		return (NULL);
1038 	uvp =  malloc(sizeof(struct uath_vap), M_80211_VAP, M_WAITOK | M_ZERO);
1039 	vap = &uvp->vap;
1040 	/* enable s/w bmiss handling for sta mode */
1041 
1042 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode,
1043 	    flags | IEEE80211_CLONE_NOBEACONS, bssid) != 0) {
1044 		/* out of memory */
1045 		free(uvp, M_80211_VAP);
1046 		return (NULL);
1047 	}
1048 
1049 	/* override state transition machine */
1050 	uvp->newstate = vap->iv_newstate;
1051 	vap->iv_newstate = uath_newstate;
1052 
1053 	/* complete setup */
1054 	ieee80211_vap_attach(vap, ieee80211_media_change,
1055 	    ieee80211_media_status, mac);
1056 	ic->ic_opmode = opmode;
1057 	return (vap);
1058 }
1059 
1060 static void
1061 uath_vap_delete(struct ieee80211vap *vap)
1062 {
1063 	struct uath_vap *uvp = UATH_VAP(vap);
1064 
1065 	ieee80211_vap_detach(vap);
1066 	free(uvp, M_80211_VAP);
1067 }
1068 
1069 static int
1070 uath_init(struct uath_softc *sc)
1071 {
1072 	struct ieee80211com *ic = &sc->sc_ic;
1073 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1074 	uint32_t val;
1075 	int error;
1076 
1077 	UATH_ASSERT_LOCKED(sc);
1078 
1079 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1080 		uath_stop(sc);
1081 
1082 	/* reset variables */
1083 	sc->sc_intrx_nextnum = sc->sc_msgid = 0;
1084 
1085 	val = htobe32(0);
1086 	uath_cmd_write(sc, WDCMSG_BIND, &val, sizeof val, 0);
1087 
1088 	/* set MAC address */
1089 	uath_config_multi(sc, CFG_MAC_ADDR,
1090 	    vap ? vap->iv_myaddr : ic->ic_macaddr, IEEE80211_ADDR_LEN);
1091 
1092 	/* XXX honor net80211 state */
1093 	uath_config(sc, CFG_RATE_CONTROL_ENABLE, 0x00000001);
1094 	uath_config(sc, CFG_DIVERSITY_CTL, 0x00000001);
1095 	uath_config(sc, CFG_ABOLT, 0x0000003f);
1096 	uath_config(sc, CFG_WME_ENABLED, 0x00000001);
1097 
1098 	uath_config(sc, CFG_SERVICE_TYPE, 1);
1099 	uath_config(sc, CFG_TP_SCALE, 0x00000000);
1100 	uath_config(sc, CFG_TPC_HALF_DBM5, 0x0000003c);
1101 	uath_config(sc, CFG_TPC_HALF_DBM2, 0x0000003c);
1102 	uath_config(sc, CFG_OVERRD_TX_POWER, 0x00000000);
1103 	uath_config(sc, CFG_GMODE_PROTECTION, 0x00000000);
1104 	uath_config(sc, CFG_GMODE_PROTECT_RATE_INDEX, 0x00000003);
1105 	uath_config(sc, CFG_PROTECTION_TYPE, 0x00000000);
1106 	uath_config(sc, CFG_MODE_CTS, 0x00000002);
1107 
1108 	error = uath_cmd_read(sc, WDCMSG_TARGET_START, NULL, 0,
1109 	    &val, sizeof(val), UATH_CMD_FLAG_MAGIC);
1110 	if (error) {
1111 		device_printf(sc->sc_dev,
1112 		    "could not start target, error %d\n", error);
1113 		goto fail;
1114 	}
1115 	DPRINTF(sc, UATH_DEBUG_INIT, "%s returns handle: 0x%x\n",
1116 	    uath_codename(WDCMSG_TARGET_START), be32toh(val));
1117 
1118 	/* set default channel */
1119 	error = uath_switch_channel(sc, ic->ic_curchan);
1120 	if (error) {
1121 		device_printf(sc->sc_dev,
1122 		    "could not switch channel, error %d\n", error);
1123 		goto fail;
1124 	}
1125 
1126 	val = htobe32(TARGET_DEVICE_AWAKE);
1127 	uath_cmd_write(sc, WDCMSG_SET_PWR_MODE, &val, sizeof val, 0);
1128 	/* XXX? check */
1129 	uath_cmd_write(sc, WDCMSG_RESET_KEY_CACHE, NULL, 0, 0);
1130 
1131 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_RX]);
1132 	/* enable Rx */
1133 	uath_set_rxfilter(sc, 0x0, UATH_FILTER_OP_INIT);
1134 	uath_set_rxfilter(sc,
1135 	    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1136 	    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON,
1137 	    UATH_FILTER_OP_SET);
1138 
1139 	sc->sc_flags |= UATH_FLAG_INITDONE;
1140 
1141 	callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1142 
1143 	return (0);
1144 
1145 fail:
1146 	uath_stop(sc);
1147 	return (error);
1148 }
1149 
1150 static void
1151 uath_stop(struct uath_softc *sc)
1152 {
1153 
1154 	UATH_ASSERT_LOCKED(sc);
1155 
1156 	sc->sc_flags &= ~UATH_FLAG_INITDONE;
1157 
1158 	callout_stop(&sc->stat_ch);
1159 	callout_stop(&sc->watchdog_ch);
1160 	sc->sc_tx_timer = 0;
1161 	/* abort pending transmits  */
1162 	uath_abort_xfers(sc);
1163 	/* flush data & control requests into the target  */
1164 	(void)uath_flush(sc);
1165 	/* set a LED status to the disconnected.  */
1166 	uath_set_ledstate(sc, 0);
1167 	/* stop the target  */
1168 	uath_cmd_write(sc, WDCMSG_TARGET_STOP, NULL, 0, 0);
1169 }
1170 
1171 static int
1172 uath_config(struct uath_softc *sc, uint32_t reg, uint32_t val)
1173 {
1174 	struct uath_write_mac write;
1175 	int error;
1176 
1177 	write.reg = htobe32(reg);
1178 	write.len = htobe32(0);	/* 0 = single write */
1179 	*(uint32_t *)write.data = htobe32(val);
1180 
1181 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1182 	    3 * sizeof (uint32_t), 0);
1183 	if (error != 0) {
1184 		device_printf(sc->sc_dev, "could not write register 0x%02x\n",
1185 		    reg);
1186 	}
1187 	return (error);
1188 }
1189 
1190 static int
1191 uath_config_multi(struct uath_softc *sc, uint32_t reg, const void *data,
1192     int len)
1193 {
1194 	struct uath_write_mac write;
1195 	int error;
1196 
1197 	write.reg = htobe32(reg);
1198 	write.len = htobe32(len);
1199 	bcopy(data, write.data, len);
1200 
1201 	/* properly handle the case where len is zero (reset) */
1202 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1203 	    (len == 0) ? sizeof (uint32_t) : 2 * sizeof (uint32_t) + len, 0);
1204 	if (error != 0) {
1205 		device_printf(sc->sc_dev,
1206 		    "could not write %d bytes to register 0x%02x\n", len, reg);
1207 	}
1208 	return (error);
1209 }
1210 
1211 static int
1212 uath_switch_channel(struct uath_softc *sc, struct ieee80211_channel *c)
1213 {
1214 	int error;
1215 
1216 	UATH_ASSERT_LOCKED(sc);
1217 
1218 	/* set radio frequency */
1219 	error = uath_set_chan(sc, c);
1220 	if (error) {
1221 		device_printf(sc->sc_dev,
1222 		    "could not set channel, error %d\n", error);
1223 		goto failed;
1224 	}
1225 	/* reset Tx rings */
1226 	error = uath_reset_tx_queues(sc);
1227 	if (error) {
1228 		device_printf(sc->sc_dev,
1229 		    "could not reset Tx queues, error %d\n", error);
1230 		goto failed;
1231 	}
1232 	/* set Tx rings WME properties */
1233 	error = uath_wme_init(sc);
1234 	if (error) {
1235 		device_printf(sc->sc_dev,
1236 		    "could not init Tx queues, error %d\n", error);
1237 		goto failed;
1238 	}
1239 	error = uath_set_ledstate(sc, 0);
1240 	if (error) {
1241 		device_printf(sc->sc_dev,
1242 		    "could not set led state, error %d\n", error);
1243 		goto failed;
1244 	}
1245 	error = uath_flush(sc);
1246 	if (error) {
1247 		device_printf(sc->sc_dev,
1248 		    "could not flush pipes, error %d\n", error);
1249 		goto failed;
1250 	}
1251 failed:
1252 	return (error);
1253 }
1254 
1255 static int
1256 uath_set_rxfilter(struct uath_softc *sc, uint32_t bits, uint32_t op)
1257 {
1258 	struct uath_cmd_rx_filter rxfilter;
1259 
1260 	rxfilter.bits = htobe32(bits);
1261 	rxfilter.op = htobe32(op);
1262 
1263 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
1264 	    "setting Rx filter=0x%x flags=0x%x\n", bits, op);
1265 	return uath_cmd_write(sc, WDCMSG_RX_FILTER, &rxfilter,
1266 	    sizeof rxfilter, 0);
1267 }
1268 
1269 static void
1270 uath_watchdog(void *arg)
1271 {
1272 	struct uath_softc *sc = arg;
1273 	struct ieee80211com *ic = &sc->sc_ic;
1274 
1275 	if (sc->sc_tx_timer > 0) {
1276 		if (--sc->sc_tx_timer == 0) {
1277 			device_printf(sc->sc_dev, "device timeout\n");
1278 			counter_u64_add(ic->ic_oerrors, 1);
1279 			ieee80211_restart_all(ic);
1280 			return;
1281 		}
1282 		callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1283 	}
1284 }
1285 
1286 static void
1287 uath_abort_xfers(struct uath_softc *sc)
1288 {
1289 	int i;
1290 
1291 	UATH_ASSERT_LOCKED(sc);
1292 	/* abort any pending transfers */
1293 	for (i = 0; i < UATH_N_XFERS; i++)
1294 		usbd_transfer_stop(sc->sc_xfer[i]);
1295 }
1296 
1297 static int
1298 uath_flush(struct uath_softc *sc)
1299 {
1300 	int error;
1301 
1302 	error = uath_dataflush(sc);
1303 	if (error != 0)
1304 		goto failed;
1305 
1306 	error = uath_cmdflush(sc);
1307 	if (error != 0)
1308 		goto failed;
1309 
1310 failed:
1311 	return (error);
1312 }
1313 
1314 static int
1315 uath_cmdflush(struct uath_softc *sc)
1316 {
1317 
1318 	return uath_cmd_write(sc, WDCMSG_FLUSH, NULL, 0, 0);
1319 }
1320 
1321 static int
1322 uath_dataflush(struct uath_softc *sc)
1323 {
1324 	struct uath_data *data;
1325 	struct uath_chunk *chunk;
1326 	struct uath_tx_desc *desc;
1327 
1328 	UATH_ASSERT_LOCKED(sc);
1329 
1330 	data = uath_getbuf(sc);
1331 	if (data == NULL)
1332 		return (ENOBUFS);
1333 	data->buflen = sizeof(struct uath_chunk) + sizeof(struct uath_tx_desc);
1334 	data->m = NULL;
1335 	data->ni = NULL;
1336 	chunk = (struct uath_chunk *)data->buf;
1337 	desc = (struct uath_tx_desc *)(chunk + 1);
1338 
1339 	/* one chunk only */
1340 	chunk->seqnum = 0;
1341 	chunk->flags = UATH_CFLAGS_FINAL;
1342 	chunk->length = htobe16(sizeof (struct uath_tx_desc));
1343 
1344 	memset(desc, 0, sizeof(struct uath_tx_desc));
1345 	desc->msglen = htobe32(sizeof(struct uath_tx_desc));
1346 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1347 	desc->type   = htobe32(WDCMSG_FLUSH);
1348 	desc->txqid  = htobe32(0);
1349 	desc->connid = htobe32(0);
1350 	desc->flags  = htobe32(0);
1351 
1352 #ifdef UATH_DEBUG
1353 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
1354 		DPRINTF(sc, UATH_DEBUG_RESET, "send flush ix %d\n",
1355 		    desc->msgid);
1356 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
1357 			uath_dump_cmd(data->buf, data->buflen, '+');
1358 	}
1359 #endif
1360 
1361 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1362 	UATH_STAT_INC(sc, st_tx_pending);
1363 	sc->sc_tx_timer = 5;
1364 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1365 
1366 	return (0);
1367 }
1368 
1369 static struct uath_data *
1370 _uath_getbuf(struct uath_softc *sc)
1371 {
1372 	struct uath_data *bf;
1373 
1374 	bf = STAILQ_FIRST(&sc->sc_tx_inactive);
1375 	if (bf != NULL) {
1376 		STAILQ_REMOVE_HEAD(&sc->sc_tx_inactive, next);
1377 		UATH_STAT_DEC(sc, st_tx_inactive);
1378 	} else
1379 		bf = NULL;
1380 	if (bf == NULL)
1381 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
1382 		    "out of xmit buffers");
1383 	return (bf);
1384 }
1385 
1386 static struct uath_data *
1387 uath_getbuf(struct uath_softc *sc)
1388 {
1389 	struct uath_data *bf;
1390 
1391 	UATH_ASSERT_LOCKED(sc);
1392 
1393 	bf = _uath_getbuf(sc);
1394 	if (bf == NULL)
1395 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: stop queue\n", __func__);
1396 	return (bf);
1397 }
1398 
1399 static int
1400 uath_set_ledstate(struct uath_softc *sc, int connected)
1401 {
1402 
1403 	DPRINTF(sc, UATH_DEBUG_LED,
1404 	    "set led state %sconnected\n", connected ? "" : "!");
1405 	connected = htobe32(connected);
1406 	return uath_cmd_write(sc, WDCMSG_SET_LED_STATE,
1407 	     &connected, sizeof connected, 0);
1408 }
1409 
1410 static int
1411 uath_set_chan(struct uath_softc *sc, struct ieee80211_channel *c)
1412 {
1413 #ifdef UATH_DEBUG
1414 	struct ieee80211com *ic = &sc->sc_ic;
1415 #endif
1416 	struct uath_cmd_reset reset;
1417 
1418 	memset(&reset, 0, sizeof(reset));
1419 	if (IEEE80211_IS_CHAN_2GHZ(c))
1420 		reset.flags |= htobe32(UATH_CHAN_2GHZ);
1421 	if (IEEE80211_IS_CHAN_5GHZ(c))
1422 		reset.flags |= htobe32(UATH_CHAN_5GHZ);
1423 	/* NB: 11g =>'s 11b so don't specify both OFDM and CCK */
1424 	if (IEEE80211_IS_CHAN_OFDM(c))
1425 		reset.flags |= htobe32(UATH_CHAN_OFDM);
1426 	else if (IEEE80211_IS_CHAN_CCK(c))
1427 		reset.flags |= htobe32(UATH_CHAN_CCK);
1428 	/* turbo can be used in either 2GHz or 5GHz */
1429 	if (c->ic_flags & IEEE80211_CHAN_TURBO)
1430 		reset.flags |= htobe32(UATH_CHAN_TURBO);
1431 	reset.freq = htobe32(c->ic_freq);
1432 	reset.maxrdpower = htobe32(50);	/* XXX */
1433 	reset.channelchange = htobe32(1);
1434 	reset.keeprccontent = htobe32(0);
1435 
1436 	DPRINTF(sc, UATH_DEBUG_CHANNEL, "set channel %d, flags 0x%x freq %u\n",
1437 	    ieee80211_chan2ieee(ic, c),
1438 	    be32toh(reset.flags), be32toh(reset.freq));
1439 	return uath_cmd_write(sc, WDCMSG_RESET, &reset, sizeof reset, 0);
1440 }
1441 
1442 static int
1443 uath_reset_tx_queues(struct uath_softc *sc)
1444 {
1445 	int ac, error;
1446 
1447 	DPRINTF(sc, UATH_DEBUG_RESET, "%s: reset Tx queues\n", __func__);
1448 	for (ac = 0; ac < 4; ac++) {
1449 		const uint32_t qid = htobe32(ac);
1450 
1451 		error = uath_cmd_write(sc, WDCMSG_RELEASE_TX_QUEUE, &qid,
1452 		    sizeof qid, 0);
1453 		if (error != 0)
1454 			break;
1455 	}
1456 	return (error);
1457 }
1458 
1459 static int
1460 uath_wme_init(struct uath_softc *sc)
1461 {
1462 	/* XXX get from net80211 */
1463 	static const struct uath_wme_settings uath_wme_11g[4] = {
1464 		{ 7, 4, 10,  0, 0 },	/* Background */
1465 		{ 3, 4, 10,  0, 0 },	/* Best-Effort */
1466 		{ 3, 3,  4, 26, 0 },	/* Video */
1467 		{ 2, 2,  3, 47, 0 }	/* Voice */
1468 	};
1469 	struct uath_cmd_txq_setup qinfo;
1470 	int ac, error;
1471 
1472 	DPRINTF(sc, UATH_DEBUG_WME, "%s: setup Tx queues\n", __func__);
1473 	for (ac = 0; ac < 4; ac++) {
1474 		qinfo.qid		= htobe32(ac);
1475 		qinfo.len		= htobe32(sizeof(qinfo.attr));
1476 		qinfo.attr.priority	= htobe32(ac);	/* XXX */
1477 		qinfo.attr.aifs		= htobe32(uath_wme_11g[ac].aifsn);
1478 		qinfo.attr.logcwmin	= htobe32(uath_wme_11g[ac].logcwmin);
1479 		qinfo.attr.logcwmax	= htobe32(uath_wme_11g[ac].logcwmax);
1480 		qinfo.attr.bursttime	= htobe32(IEEE80211_TXOP_TO_US(
1481 					    uath_wme_11g[ac].txop));
1482 		qinfo.attr.mode		= htobe32(uath_wme_11g[ac].acm);/*XXX? */
1483 		qinfo.attr.qflags	= htobe32(1);	/* XXX? */
1484 
1485 		error = uath_cmd_write(sc, WDCMSG_SETUP_TX_QUEUE, &qinfo,
1486 		    sizeof qinfo, 0);
1487 		if (error != 0)
1488 			break;
1489 	}
1490 	return (error);
1491 }
1492 
1493 static void
1494 uath_parent(struct ieee80211com *ic)
1495 {
1496 	struct uath_softc *sc = ic->ic_softc;
1497 	int startall = 0;
1498 
1499 	UATH_LOCK(sc);
1500 	if (sc->sc_flags & UATH_FLAG_INVALID) {
1501 		UATH_UNLOCK(sc);
1502 		return;
1503 	}
1504 
1505 	if (ic->ic_nrunning > 0) {
1506 		if (!(sc->sc_flags & UATH_FLAG_INITDONE)) {
1507 			uath_init(sc);
1508 			startall = 1;
1509 		}
1510 	} else if (sc->sc_flags & UATH_FLAG_INITDONE)
1511 		uath_stop(sc);
1512 	UATH_UNLOCK(sc);
1513 	if (startall)
1514 		ieee80211_start_all(ic);
1515 }
1516 
1517 static int
1518 uath_tx_start(struct uath_softc *sc, struct mbuf *m0, struct ieee80211_node *ni,
1519     struct uath_data *data)
1520 {
1521 	struct ieee80211vap *vap = ni->ni_vap;
1522 	struct uath_chunk *chunk;
1523 	struct uath_tx_desc *desc;
1524 	const struct ieee80211_frame *wh;
1525 	struct ieee80211_key *k;
1526 	int framelen, msglen;
1527 
1528 	UATH_ASSERT_LOCKED(sc);
1529 
1530 	data->ni = ni;
1531 	data->m = m0;
1532 	chunk = (struct uath_chunk *)data->buf;
1533 	desc = (struct uath_tx_desc *)(chunk + 1);
1534 
1535 	if (ieee80211_radiotap_active_vap(vap)) {
1536 		struct uath_tx_radiotap_header *tap = &sc->sc_txtap;
1537 
1538 		tap->wt_flags = 0;
1539 		if (m0->m_flags & M_FRAG)
1540 			tap->wt_flags |= IEEE80211_RADIOTAP_F_FRAG;
1541 
1542 		ieee80211_radiotap_tx(vap, m0);
1543 	}
1544 
1545 	wh = mtod(m0, struct ieee80211_frame *);
1546 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
1547 		k = ieee80211_crypto_encap(ni, m0);
1548 		if (k == NULL) {
1549 			m_freem(m0);
1550 			return (ENOBUFS);
1551 		}
1552 
1553 		/* packet header may have moved, reset our local pointer */
1554 		wh = mtod(m0, struct ieee80211_frame *);
1555 	}
1556 	m_copydata(m0, 0, m0->m_pkthdr.len, (uint8_t *)(desc + 1));
1557 
1558 	framelen = m0->m_pkthdr.len + IEEE80211_CRC_LEN;
1559 	msglen = framelen + sizeof (struct uath_tx_desc);
1560 	data->buflen = msglen + sizeof (struct uath_chunk);
1561 
1562 	/* one chunk only for now */
1563 	chunk->seqnum = sc->sc_seqnum++;
1564 	chunk->flags = (m0->m_flags & M_FRAG) ? 0 : UATH_CFLAGS_FINAL;
1565 	if (m0->m_flags & M_LASTFRAG)
1566 		chunk->flags |= UATH_CFLAGS_FINAL;
1567 	chunk->flags = UATH_CFLAGS_FINAL;
1568 	chunk->length = htobe16(msglen);
1569 
1570 	/* fill Tx descriptor */
1571 	desc->msglen = htobe32(msglen);
1572 	/* NB: to get UATH_TX_NOTIFY reply, `msgid' must be larger than 0  */
1573 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1574 	desc->type   = htobe32(WDCMSG_SEND);
1575 	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
1576 	case IEEE80211_FC0_TYPE_CTL:
1577 	case IEEE80211_FC0_TYPE_MGT:
1578 		/* NB: force all management frames to highest queue */
1579 		if (ni->ni_flags & IEEE80211_NODE_QOS) {
1580 			/* NB: force all management frames to highest queue */
1581 			desc->txqid = htobe32(WME_AC_VO | UATH_TXQID_MINRATE);
1582 		} else
1583 			desc->txqid = htobe32(WME_AC_BE | UATH_TXQID_MINRATE);
1584 		break;
1585 	case IEEE80211_FC0_TYPE_DATA:
1586 		/* XXX multicast frames should honor mcastrate */
1587 		desc->txqid = htobe32(M_WME_GETAC(m0));
1588 		break;
1589 	default:
1590 		device_printf(sc->sc_dev, "bogus frame type 0x%x (%s)\n",
1591 			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
1592 		m_freem(m0);
1593 		return (EIO);
1594 	}
1595 	if (vap->iv_state == IEEE80211_S_AUTH ||
1596 	    vap->iv_state == IEEE80211_S_ASSOC ||
1597 	    vap->iv_state == IEEE80211_S_RUN)
1598 		desc->connid = htobe32(UATH_ID_BSS);
1599 	else
1600 		desc->connid = htobe32(UATH_ID_INVALID);
1601 	desc->flags  = htobe32(0 /* no UATH_TX_NOTIFY */);
1602 	desc->buflen = htobe32(m0->m_pkthdr.len);
1603 
1604 #ifdef UATH_DEBUG
1605 	DPRINTF(sc, UATH_DEBUG_XMIT,
1606 	    "send frame ix %u framelen %d msglen %d connid 0x%x txqid 0x%x\n",
1607 	    desc->msgid, framelen, msglen, be32toh(desc->connid),
1608 	    be32toh(desc->txqid));
1609 	if (sc->sc_debug & UATH_DEBUG_XMIT_DUMP)
1610 		uath_dump_cmd(data->buf, data->buflen, '+');
1611 #endif
1612 
1613 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1614 	UATH_STAT_INC(sc, st_tx_pending);
1615 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1616 
1617 	return (0);
1618 }
1619 
1620 /*
1621  * Cleanup driver resources when we run out of buffers while processing
1622  * fragments; return the tx buffers allocated and drop node references.
1623  */
1624 static void
1625 uath_txfrag_cleanup(struct uath_softc *sc,
1626     uath_datahead *frags, struct ieee80211_node *ni)
1627 {
1628 	struct uath_data *bf, *next;
1629 
1630 	UATH_ASSERT_LOCKED(sc);
1631 
1632 	STAILQ_FOREACH_SAFE(bf, frags, next, next) {
1633 		/* NB: bf assumed clean */
1634 		STAILQ_REMOVE_HEAD(frags, next);
1635 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1636 		UATH_STAT_INC(sc, st_tx_inactive);
1637 		ieee80211_node_decref(ni);
1638 	}
1639 }
1640 
1641 /*
1642  * Setup xmit of a fragmented frame.  Allocate a buffer for each frag and bump
1643  * the node reference count to reflect the held reference to be setup by
1644  * uath_tx_start.
1645  */
1646 static int
1647 uath_txfrag_setup(struct uath_softc *sc, uath_datahead *frags,
1648     struct mbuf *m0, struct ieee80211_node *ni)
1649 {
1650 	struct mbuf *m;
1651 	struct uath_data *bf;
1652 
1653 	UATH_ASSERT_LOCKED(sc);
1654 	for (m = m0->m_nextpkt; m != NULL; m = m->m_nextpkt) {
1655 		bf = uath_getbuf(sc);
1656 		if (bf == NULL) {       /* out of buffers, cleanup */
1657 			uath_txfrag_cleanup(sc, frags, ni);
1658 			break;
1659 		}
1660 		ieee80211_node_incref(ni);
1661 		STAILQ_INSERT_TAIL(frags, bf, next);
1662 	}
1663 
1664 	return !STAILQ_EMPTY(frags);
1665 }
1666 
1667 static int
1668 uath_transmit(struct ieee80211com *ic, struct mbuf *m)
1669 {
1670 	struct uath_softc *sc = ic->ic_softc;
1671 	int error;
1672 
1673 	UATH_LOCK(sc);
1674 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1675 		UATH_UNLOCK(sc);
1676 		return (ENXIO);
1677 	}
1678 	error = mbufq_enqueue(&sc->sc_snd, m);
1679 	if (error) {
1680 		UATH_UNLOCK(sc);
1681 		return (error);
1682 	}
1683 	uath_start(sc);
1684 	UATH_UNLOCK(sc);
1685 
1686 	return (0);
1687 }
1688 
1689 static void
1690 uath_start(struct uath_softc *sc)
1691 {
1692 	struct uath_data *bf;
1693 	struct ieee80211_node *ni;
1694 	struct mbuf *m, *next;
1695 	uath_datahead frags;
1696 
1697 	UATH_ASSERT_LOCKED(sc);
1698 
1699 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0 ||
1700 	    (sc->sc_flags & UATH_FLAG_INVALID))
1701 		return;
1702 
1703 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
1704 		bf = uath_getbuf(sc);
1705 		if (bf == NULL) {
1706 			mbufq_prepend(&sc->sc_snd, m);
1707 			break;
1708 		}
1709 
1710 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
1711 		m->m_pkthdr.rcvif = NULL;
1712 
1713 		/*
1714 		 * Check for fragmentation.  If this frame has been broken up
1715 		 * verify we have enough buffers to send all the fragments
1716 		 * so all go out or none...
1717 		 */
1718 		STAILQ_INIT(&frags);
1719 		if ((m->m_flags & M_FRAG) &&
1720 		    !uath_txfrag_setup(sc, &frags, m, ni)) {
1721 			DPRINTF(sc, UATH_DEBUG_XMIT,
1722 			    "%s: out of txfrag buffers\n", __func__);
1723 			ieee80211_free_mbuf(m);
1724 			goto bad;
1725 		}
1726 		sc->sc_seqnum = 0;
1727 	nextfrag:
1728 		/*
1729 		 * Pass the frame to the h/w for transmission.
1730 		 * Fragmented frames have each frag chained together
1731 		 * with m_nextpkt.  We know there are sufficient uath_data's
1732 		 * to send all the frags because of work done by
1733 		 * uath_txfrag_setup.
1734 		 */
1735 		next = m->m_nextpkt;
1736 		if (uath_tx_start(sc, m, ni, bf) != 0) {
1737 	bad:
1738 			if_inc_counter(ni->ni_vap->iv_ifp,
1739 			    IFCOUNTER_OERRORS, 1);
1740 	reclaim:
1741 			STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1742 			UATH_STAT_INC(sc, st_tx_inactive);
1743 			uath_txfrag_cleanup(sc, &frags, ni);
1744 			ieee80211_free_node(ni);
1745 			continue;
1746 		}
1747 
1748 		if (next != NULL) {
1749 			/*
1750 			 * Beware of state changing between frags.
1751 			 XXX check sta power-save state?
1752 			*/
1753 			if (ni->ni_vap->iv_state != IEEE80211_S_RUN) {
1754 				DPRINTF(sc, UATH_DEBUG_XMIT,
1755 				    "%s: flush fragmented packet, state %s\n",
1756 				    __func__,
1757 				    ieee80211_state_name[ni->ni_vap->iv_state]);
1758 				ieee80211_free_mbuf(next);
1759 				goto reclaim;
1760 			}
1761 			m = next;
1762 			bf = STAILQ_FIRST(&frags);
1763 			KASSERT(bf != NULL, ("no buf for txfrag"));
1764 			STAILQ_REMOVE_HEAD(&frags, next);
1765 			goto nextfrag;
1766 		}
1767 
1768 		sc->sc_tx_timer = 5;
1769 	}
1770 }
1771 
1772 static int
1773 uath_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
1774     const struct ieee80211_bpf_params *params)
1775 {
1776 	struct ieee80211com *ic = ni->ni_ic;
1777 	struct uath_data *bf;
1778 	struct uath_softc *sc = ic->ic_softc;
1779 
1780 	UATH_LOCK(sc);
1781 	/* prevent management frames from being sent if we're not ready */
1782 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1783 	    !(sc->sc_flags & UATH_FLAG_INITDONE)) {
1784 		m_freem(m);
1785 		UATH_UNLOCK(sc);
1786 		return (ENETDOWN);
1787 	}
1788 
1789 	/* grab a TX buffer  */
1790 	bf = uath_getbuf(sc);
1791 	if (bf == NULL) {
1792 		m_freem(m);
1793 		UATH_UNLOCK(sc);
1794 		return (ENOBUFS);
1795 	}
1796 
1797 	sc->sc_seqnum = 0;
1798 	if (uath_tx_start(sc, m, ni, bf) != 0) {
1799 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1800 		UATH_STAT_INC(sc, st_tx_inactive);
1801 		UATH_UNLOCK(sc);
1802 		return (EIO);
1803 	}
1804 	UATH_UNLOCK(sc);
1805 
1806 	sc->sc_tx_timer = 5;
1807 	return (0);
1808 }
1809 
1810 static void
1811 uath_scan_start(struct ieee80211com *ic)
1812 {
1813 	/* do nothing  */
1814 }
1815 
1816 static void
1817 uath_scan_end(struct ieee80211com *ic)
1818 {
1819 	/* do nothing  */
1820 }
1821 
1822 static void
1823 uath_set_channel(struct ieee80211com *ic)
1824 {
1825 	struct uath_softc *sc = ic->ic_softc;
1826 
1827 	UATH_LOCK(sc);
1828 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1829 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1830 		UATH_UNLOCK(sc);
1831 		return;
1832 	}
1833 	(void)uath_switch_channel(sc, ic->ic_curchan);
1834 	UATH_UNLOCK(sc);
1835 }
1836 
1837 static int
1838 uath_set_rxmulti_filter(struct uath_softc *sc)
1839 {
1840 	/* XXX broken */
1841 	return (0);
1842 }
1843 static void
1844 uath_update_mcast(struct ieee80211com *ic)
1845 {
1846 	struct uath_softc *sc = ic->ic_softc;
1847 
1848 	UATH_LOCK(sc);
1849 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1850 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1851 		UATH_UNLOCK(sc);
1852 		return;
1853 	}
1854 	/*
1855 	 * this is for avoiding the race condition when we're try to
1856 	 * connect to the AP with WPA.
1857 	 */
1858 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1859 		(void)uath_set_rxmulti_filter(sc);
1860 	UATH_UNLOCK(sc);
1861 }
1862 
1863 static void
1864 uath_update_promisc(struct ieee80211com *ic)
1865 {
1866 	struct uath_softc *sc = ic->ic_softc;
1867 
1868 	UATH_LOCK(sc);
1869 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1870 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1871 		UATH_UNLOCK(sc);
1872 		return;
1873 	}
1874 	if (sc->sc_flags & UATH_FLAG_INITDONE) {
1875 		uath_set_rxfilter(sc,
1876 		    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1877 		    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON |
1878 		    UATH_FILTER_RX_PROM, UATH_FILTER_OP_SET);
1879 	}
1880 	UATH_UNLOCK(sc);
1881 }
1882 
1883 static int
1884 uath_create_connection(struct uath_softc *sc, uint32_t connid)
1885 {
1886 	const struct ieee80211_rateset *rs;
1887 	struct ieee80211com *ic = &sc->sc_ic;
1888 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1889 	struct ieee80211_node *ni;
1890 	struct uath_cmd_create_connection create;
1891 
1892 	ni = ieee80211_ref_node(vap->iv_bss);
1893 	memset(&create, 0, sizeof(create));
1894 	create.connid = htobe32(connid);
1895 	create.bssid = htobe32(0);
1896 	/* XXX packed or not?  */
1897 	create.size = htobe32(sizeof(struct uath_cmd_rateset));
1898 
1899 	rs = &ni->ni_rates;
1900 	create.connattr.rateset.length = rs->rs_nrates;
1901 	bcopy(rs->rs_rates, &create.connattr.rateset.set[0],
1902 	    rs->rs_nrates);
1903 
1904 	/* XXX turbo */
1905 	if (IEEE80211_IS_CHAN_A(ni->ni_chan))
1906 		create.connattr.wlanmode = htobe32(WLAN_MODE_11a);
1907 	else if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan))
1908 		create.connattr.wlanmode = htobe32(WLAN_MODE_11g);
1909 	else
1910 		create.connattr.wlanmode = htobe32(WLAN_MODE_11b);
1911 	ieee80211_free_node(ni);
1912 
1913 	return uath_cmd_write(sc, WDCMSG_CREATE_CONNECTION, &create,
1914 	    sizeof create, 0);
1915 }
1916 
1917 static int
1918 uath_set_rates(struct uath_softc *sc, const struct ieee80211_rateset *rs)
1919 {
1920 	struct uath_cmd_rates rates;
1921 
1922 	memset(&rates, 0, sizeof(rates));
1923 	rates.connid = htobe32(UATH_ID_BSS);		/* XXX */
1924 	rates.size   = htobe32(sizeof(struct uath_cmd_rateset));
1925 	/* XXX bounds check rs->rs_nrates */
1926 	rates.rateset.length = rs->rs_nrates;
1927 	bcopy(rs->rs_rates, &rates.rateset.set[0], rs->rs_nrates);
1928 
1929 	DPRINTF(sc, UATH_DEBUG_RATES,
1930 	    "setting supported rates nrates=%d\n", rs->rs_nrates);
1931 	return uath_cmd_write(sc, WDCMSG_SET_BASIC_RATE,
1932 	    &rates, sizeof rates, 0);
1933 }
1934 
1935 static int
1936 uath_write_associd(struct uath_softc *sc)
1937 {
1938 	struct ieee80211com *ic = &sc->sc_ic;
1939 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1940 	struct ieee80211_node *ni;
1941 	struct uath_cmd_set_associd associd;
1942 
1943 	ni = ieee80211_ref_node(vap->iv_bss);
1944 	memset(&associd, 0, sizeof(associd));
1945 	associd.defaultrateix = htobe32(1);	/* XXX */
1946 	associd.associd = htobe32(ni->ni_associd);
1947 	associd.timoffset = htobe32(0x3b);	/* XXX */
1948 	IEEE80211_ADDR_COPY(associd.bssid, ni->ni_bssid);
1949 	ieee80211_free_node(ni);
1950 	return uath_cmd_write(sc, WDCMSG_WRITE_ASSOCID, &associd,
1951 	    sizeof associd, 0);
1952 }
1953 
1954 static int
1955 uath_set_ledsteady(struct uath_softc *sc, int lednum, int ledmode)
1956 {
1957 	struct uath_cmd_ledsteady led;
1958 
1959 	led.lednum = htobe32(lednum);
1960 	led.ledmode = htobe32(ledmode);
1961 
1962 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (steady)\n",
1963 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1964 	    ledmode ? "on" : "off");
1965 	return uath_cmd_write(sc, WDCMSG_SET_LED_STEADY, &led, sizeof led, 0);
1966 }
1967 
1968 static int
1969 uath_set_ledblink(struct uath_softc *sc, int lednum, int ledmode,
1970 	int blinkrate, int slowmode)
1971 {
1972 	struct uath_cmd_ledblink led;
1973 
1974 	led.lednum = htobe32(lednum);
1975 	led.ledmode = htobe32(ledmode);
1976 	led.blinkrate = htobe32(blinkrate);
1977 	led.slowmode = htobe32(slowmode);
1978 
1979 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (blink)\n",
1980 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1981 	    ledmode ? "on" : "off");
1982 	return uath_cmd_write(sc, WDCMSG_SET_LED_BLINK, &led, sizeof led, 0);
1983 }
1984 
1985 static int
1986 uath_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
1987 {
1988 	enum ieee80211_state ostate = vap->iv_state;
1989 	int error;
1990 	struct ieee80211_node *ni;
1991 	struct ieee80211com *ic = vap->iv_ic;
1992 	struct uath_softc *sc = ic->ic_softc;
1993 	struct uath_vap *uvp = UATH_VAP(vap);
1994 
1995 	DPRINTF(sc, UATH_DEBUG_STATE,
1996 	    "%s: %s -> %s\n", __func__, ieee80211_state_name[vap->iv_state],
1997 	    ieee80211_state_name[nstate]);
1998 
1999 	IEEE80211_UNLOCK(ic);
2000 	UATH_LOCK(sc);
2001 	callout_stop(&sc->stat_ch);
2002 	callout_stop(&sc->watchdog_ch);
2003 	ni = ieee80211_ref_node(vap->iv_bss);
2004 
2005 	switch (nstate) {
2006 	case IEEE80211_S_INIT:
2007 		if (ostate == IEEE80211_S_RUN) {
2008 			/* turn link and activity LEDs off */
2009 			uath_set_ledstate(sc, 0);
2010 		}
2011 		break;
2012 
2013 	case IEEE80211_S_SCAN:
2014 		break;
2015 
2016 	case IEEE80211_S_AUTH:
2017 		/* XXX good place?  set RTS threshold  */
2018 		uath_config(sc, CFG_USER_RTS_THRESHOLD, vap->iv_rtsthreshold);
2019 		/* XXX bad place  */
2020 		error = uath_set_keys(sc, vap);
2021 		if (error != 0) {
2022 			device_printf(sc->sc_dev,
2023 			    "could not set crypto keys, error %d\n", error);
2024 			break;
2025 		}
2026 		if (uath_switch_channel(sc, ni->ni_chan) != 0) {
2027 			device_printf(sc->sc_dev, "could not switch channel\n");
2028 			break;
2029 		}
2030 		if (uath_create_connection(sc, UATH_ID_BSS) != 0) {
2031 			device_printf(sc->sc_dev,
2032 			    "could not create connection\n");
2033 			break;
2034 		}
2035 		break;
2036 
2037 	case IEEE80211_S_ASSOC:
2038 		if (uath_set_rates(sc, &ni->ni_rates) != 0) {
2039 			device_printf(sc->sc_dev,
2040 			    "could not set negotiated rate set\n");
2041 			break;
2042 		}
2043 		break;
2044 
2045 	case IEEE80211_S_RUN:
2046 		/* XXX monitor mode doesn't be tested  */
2047 		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2048 			uath_set_ledstate(sc, 1);
2049 			break;
2050 		}
2051 
2052 		/*
2053 		 * Tx rate is controlled by firmware, report the maximum
2054 		 * negotiated rate in ifconfig output.
2055 		 */
2056 		ni->ni_txrate = ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates-1];
2057 
2058 		if (uath_write_associd(sc) != 0) {
2059 			device_printf(sc->sc_dev,
2060 			    "could not write association id\n");
2061 			break;
2062 		}
2063 		/* turn link LED on */
2064 		uath_set_ledsteady(sc, UATH_LED_LINK, UATH_LED_ON);
2065 		/* make activity LED blink */
2066 		uath_set_ledblink(sc, UATH_LED_ACTIVITY, UATH_LED_ON, 1, 2);
2067 		/* set state to associated */
2068 		uath_set_ledstate(sc, 1);
2069 
2070 		/* start statistics timer */
2071 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2072 		break;
2073 	default:
2074 		break;
2075 	}
2076 	ieee80211_free_node(ni);
2077 	UATH_UNLOCK(sc);
2078 	IEEE80211_LOCK(ic);
2079 	return (uvp->newstate(vap, nstate, arg));
2080 }
2081 
2082 static int
2083 uath_set_key(struct uath_softc *sc, const struct ieee80211_key *wk,
2084     int index)
2085 {
2086 #if 0
2087 	struct uath_cmd_crypto crypto;
2088 	int i;
2089 
2090 	memset(&crypto, 0, sizeof(crypto));
2091 	crypto.keyidx = htobe32(index);
2092 	crypto.magic1 = htobe32(1);
2093 	crypto.size   = htobe32(368);
2094 	crypto.mask   = htobe32(0xffff);
2095 	crypto.flags  = htobe32(0x80000068);
2096 	if (index != UATH_DEFAULT_KEY)
2097 		crypto.flags |= htobe32(index << 16);
2098 	memset(crypto.magic2, 0xff, sizeof(crypto.magic2));
2099 
2100 	/*
2101 	 * Each byte of the key must be XOR'ed with 10101010 before being
2102 	 * transmitted to the firmware.
2103 	 */
2104 	for (i = 0; i < wk->wk_keylen; i++)
2105 		crypto.key[i] = wk->wk_key[i] ^ 0xaa;
2106 
2107 	DPRINTF(sc, UATH_DEBUG_CRYPTO,
2108 	    "setting crypto key index=%d len=%d\n", index, wk->wk_keylen);
2109 	return uath_cmd_write(sc, WDCMSG_SET_KEY_CACHE_ENTRY, &crypto,
2110 	    sizeof crypto, 0);
2111 #else
2112 	/* XXX support H/W cryto  */
2113 	return (0);
2114 #endif
2115 }
2116 
2117 static int
2118 uath_set_keys(struct uath_softc *sc, struct ieee80211vap *vap)
2119 {
2120 	int i, error;
2121 
2122 	error = 0;
2123 	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
2124 		const struct ieee80211_key *wk = &vap->iv_nw_keys[i];
2125 
2126 		if (wk->wk_flags & (IEEE80211_KEY_XMIT|IEEE80211_KEY_RECV)) {
2127 			error = uath_set_key(sc, wk, i);
2128 			if (error)
2129 				return (error);
2130 		}
2131 	}
2132 	if (vap->iv_def_txkey != IEEE80211_KEYIX_NONE) {
2133 		error = uath_set_key(sc, &vap->iv_nw_keys[vap->iv_def_txkey],
2134 			UATH_DEFAULT_KEY);
2135 	}
2136 	return (error);
2137 }
2138 
2139 #define	UATH_SYSCTL_STAT_ADD32(c, h, n, p, d)	\
2140 	    SYSCTL_ADD_UINT(c, h, OID_AUTO, n, CTLFLAG_RD, p, 0, d)
2141 
2142 static void
2143 uath_sysctl_node(struct uath_softc *sc)
2144 {
2145 	struct sysctl_ctx_list *ctx;
2146 	struct sysctl_oid_list *child;
2147 	struct sysctl_oid *tree;
2148 	struct uath_stat *stats;
2149 
2150 	stats = &sc->sc_stat;
2151 	ctx = device_get_sysctl_ctx(sc->sc_dev);
2152 	child = SYSCTL_CHILDREN(device_get_sysctl_tree(sc->sc_dev));
2153 
2154 	tree = SYSCTL_ADD_NODE(ctx, child, OID_AUTO, "stats",
2155 	    CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "UATH statistics");
2156 	child = SYSCTL_CHILDREN(tree);
2157 	UATH_SYSCTL_STAT_ADD32(ctx, child, "badchunkseqnum",
2158 	    &stats->st_badchunkseqnum, "Bad chunk sequence numbers");
2159 	UATH_SYSCTL_STAT_ADD32(ctx, child, "invalidlen", &stats->st_invalidlen,
2160 	    "Invalid length");
2161 	UATH_SYSCTL_STAT_ADD32(ctx, child, "multichunk", &stats->st_multichunk,
2162 	    "Multi chunks");
2163 	UATH_SYSCTL_STAT_ADD32(ctx, child, "toobigrxpkt",
2164 	    &stats->st_toobigrxpkt, "Too big rx packets");
2165 	UATH_SYSCTL_STAT_ADD32(ctx, child, "stopinprogress",
2166 	    &stats->st_stopinprogress, "Stop in progress");
2167 	UATH_SYSCTL_STAT_ADD32(ctx, child, "crcerrs", &stats->st_crcerr,
2168 	    "CRC errors");
2169 	UATH_SYSCTL_STAT_ADD32(ctx, child, "phyerr", &stats->st_phyerr,
2170 	    "PHY errors");
2171 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_crcerr",
2172 	    &stats->st_decrypt_crcerr, "Decryption CRC errors");
2173 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_micerr",
2174 	    &stats->st_decrypt_micerr, "Decryption Misc errors");
2175 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decomperr", &stats->st_decomperr,
2176 	    "Decomp errors");
2177 	UATH_SYSCTL_STAT_ADD32(ctx, child, "keyerr", &stats->st_keyerr,
2178 	    "Key errors");
2179 	UATH_SYSCTL_STAT_ADD32(ctx, child, "err", &stats->st_err,
2180 	    "Unknown errors");
2181 
2182 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_active",
2183 	    &stats->st_cmd_active, "Active numbers in Command queue");
2184 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_inactive",
2185 	    &stats->st_cmd_inactive, "Inactive numbers in Command queue");
2186 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_pending",
2187 	    &stats->st_cmd_pending, "Pending numbers in Command queue");
2188 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_waiting",
2189 	    &stats->st_cmd_waiting, "Waiting numbers in Command queue");
2190 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_active",
2191 	    &stats->st_rx_active, "Active numbers in RX queue");
2192 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_inactive",
2193 	    &stats->st_rx_inactive, "Inactive numbers in RX queue");
2194 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_active",
2195 	    &stats->st_tx_active, "Active numbers in TX queue");
2196 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_inactive",
2197 	    &stats->st_tx_inactive, "Inactive numbers in TX queue");
2198 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_pending",
2199 	    &stats->st_tx_pending, "Pending numbers in TX queue");
2200 }
2201 
2202 #undef UATH_SYSCTL_STAT_ADD32
2203 
2204 CTASSERT(sizeof(u_int) >= sizeof(uint32_t));
2205 
2206 static void
2207 uath_cmdeof(struct uath_softc *sc, struct uath_cmd *cmd)
2208 {
2209 	struct uath_cmd_hdr *hdr;
2210 	uint32_t dlen;
2211 
2212 	hdr = (struct uath_cmd_hdr *)cmd->buf;
2213 	/* NB: msgid is passed thru w/o byte swapping */
2214 #ifdef UATH_DEBUG
2215 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
2216 		uint32_t len = be32toh(hdr->len);
2217 		printf("%s: %s [ix %u] len %u status %u\n",
2218 		    __func__, uath_codename(be32toh(hdr->code)),
2219 		    hdr->msgid, len, be32toh(hdr->magic));
2220 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
2221 			uath_dump_cmd(cmd->buf,
2222 			    len > UATH_MAX_CMDSZ ? sizeof(*hdr) : len, '-');
2223 	}
2224 #endif
2225 	hdr->code = be32toh(hdr->code);
2226 	hdr->len = be32toh(hdr->len);
2227 	hdr->magic = be32toh(hdr->magic);	/* target status on return */
2228 
2229 	switch (hdr->code & 0xff) {
2230 	/* reply to a read command */
2231 	default:
2232 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2233 		    "%s: code %d hdr len %u\n",
2234 		    __func__, hdr->code & 0xff, hdr->len);
2235 		/*
2236 		 * The first response from the target after the
2237 		 * HOST_AVAILABLE has an invalid msgid so we must
2238 		 * treat it specially.
2239 		 */
2240 		if (hdr->msgid < UATH_CMD_LIST_COUNT) {
2241 			uint32_t *rp = (uint32_t *)(hdr+1);
2242 			u_int olen;
2243 
2244 			if (sizeof(*hdr) > hdr->len ||
2245 			    hdr->len > UATH_MAX_CMDSZ) {
2246 				device_printf(sc->sc_dev,
2247 				    "%s: invalid WDC msg length %u; "
2248 				    "msg ignored\n", __func__, hdr->len);
2249 				return;
2250 			}
2251 			/*
2252 			 * Calculate return/receive payload size; the
2253 			 * first word, if present, always gives the
2254 			 * number of bytes--unless it's 0 in which
2255 			 * case a single 32-bit word should be present.
2256 			 */
2257 			dlen = hdr->len - sizeof(*hdr);
2258 			if (dlen >= sizeof(uint32_t)) {
2259 				olen = be32toh(rp[0]);
2260 				dlen -= sizeof(uint32_t);
2261 				if (olen == 0) {
2262 					/* convention is 0 =>'s one word */
2263 					olen = sizeof(uint32_t);
2264 					/* XXX KASSERT(olen == dlen ) */
2265 				}
2266 			} else
2267 				olen = 0;
2268 			if (cmd->odata != NULL) {
2269 				/* NB: cmd->olen validated in uath_cmd */
2270 				if (olen > (u_int)cmd->olen) {
2271 					/* XXX complain? */
2272 					device_printf(sc->sc_dev,
2273 					    "%s: cmd 0x%x olen %u cmd olen %u\n",
2274 					    __func__, hdr->code, olen,
2275 					    cmd->olen);
2276 					olen = cmd->olen;
2277 				}
2278 				if (olen > dlen) {
2279 					/* XXX complain, shouldn't happen */
2280 					device_printf(sc->sc_dev,
2281 					    "%s: cmd 0x%x olen %u dlen %u\n",
2282 					    __func__, hdr->code, olen, dlen);
2283 					olen = dlen;
2284 				}
2285 				/* XXX have submitter do this */
2286 				/* copy answer into caller's supplied buffer */
2287 				bcopy(&rp[1], cmd->odata, olen);
2288 				cmd->olen = olen;
2289 			}
2290 		}
2291 		wakeup_one(cmd);		/* wake up caller */
2292 		break;
2293 
2294 	case WDCMSG_TARGET_START:
2295 		if (hdr->msgid >= UATH_CMD_LIST_COUNT) {
2296 			/* XXX */
2297 			return;
2298 		}
2299 		dlen = hdr->len - sizeof(*hdr);
2300 		if (dlen != sizeof(uint32_t)) {
2301 			device_printf(sc->sc_dev,
2302 			    "%s: dlen (%u) != %zu!\n",
2303 			    __func__, dlen, sizeof(uint32_t));
2304 			return;
2305 		}
2306 		/* XXX have submitter do this */
2307 		/* copy answer into caller's supplied buffer */
2308 		bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
2309 		cmd->olen = sizeof(uint32_t);
2310 		wakeup_one(cmd);		/* wake up caller */
2311 		break;
2312 
2313 	case WDCMSG_SEND_COMPLETE:
2314 		/* this notification is sent when UATH_TX_NOTIFY is set */
2315 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2316 		    "%s: received Tx notification\n", __func__);
2317 		break;
2318 
2319 	case WDCMSG_TARGET_GET_STATS:
2320 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2321 		    "%s: received device statistics\n", __func__);
2322 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2323 		break;
2324 	}
2325 }
2326 
2327 static void
2328 uath_intr_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2329 {
2330 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2331 	struct uath_cmd *cmd;
2332 	struct uath_cmd_hdr *hdr;
2333 	struct usb_page_cache *pc;
2334 	int actlen;
2335 
2336 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2337 
2338 	UATH_ASSERT_LOCKED(sc);
2339 
2340 	switch (USB_GET_STATE(xfer)) {
2341 	case USB_ST_TRANSFERRED:
2342 		cmd = STAILQ_FIRST(&sc->sc_cmd_waiting);
2343 		if (cmd == NULL)
2344 			goto setup;
2345 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_waiting, next);
2346 		UATH_STAT_DEC(sc, st_cmd_waiting);
2347 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
2348 		UATH_STAT_INC(sc, st_cmd_inactive);
2349 
2350 		if (actlen < sizeof(struct uath_cmd_hdr)) {
2351 			device_printf(sc->sc_dev,
2352 			    "%s: short xfer error (actlen %d)\n",
2353 			    __func__, actlen);
2354 			goto setup;
2355 		}
2356 
2357 		pc = usbd_xfer_get_frame(xfer, 0);
2358 		usbd_copy_out(pc, 0, cmd->buf, actlen);
2359 
2360 		hdr = (struct uath_cmd_hdr *)cmd->buf;
2361 		if (be32toh(hdr->len) > (uint32_t)actlen) {
2362 			device_printf(sc->sc_dev,
2363 			    "%s: truncated xfer (len %u, actlen %d)\n",
2364 			    __func__, be32toh(hdr->len), actlen);
2365 			goto setup;
2366 		}
2367 
2368 		uath_cmdeof(sc, cmd);
2369 	case USB_ST_SETUP:
2370 setup:
2371 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
2372 		usbd_transfer_submit(xfer);
2373 		break;
2374 	default:
2375 		if (error != USB_ERR_CANCELLED) {
2376 			usbd_xfer_set_stall(xfer);
2377 			goto setup;
2378 		}
2379 		break;
2380 	}
2381 }
2382 
2383 static void
2384 uath_intr_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2385 {
2386 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2387 	struct uath_cmd *cmd;
2388 
2389 	UATH_ASSERT_LOCKED(sc);
2390 
2391 	cmd = STAILQ_FIRST(&sc->sc_cmd_active);
2392 	if (cmd != NULL && USB_GET_STATE(xfer) != USB_ST_SETUP) {
2393 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_active, next);
2394 		UATH_STAT_DEC(sc, st_cmd_active);
2395 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_READ) ?
2396 		    &sc->sc_cmd_waiting : &sc->sc_cmd_inactive, cmd, next);
2397 		if (cmd->flags & UATH_CMD_FLAG_READ)
2398 			UATH_STAT_INC(sc, st_cmd_waiting);
2399 		else
2400 			UATH_STAT_INC(sc, st_cmd_inactive);
2401 	}
2402 
2403 	switch (USB_GET_STATE(xfer)) {
2404 	case USB_ST_TRANSFERRED:
2405 	case USB_ST_SETUP:
2406 setup:
2407 		cmd = STAILQ_FIRST(&sc->sc_cmd_pending);
2408 		if (cmd == NULL) {
2409 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2410 			    __func__);
2411 			return;
2412 		}
2413 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_pending, next);
2414 		UATH_STAT_DEC(sc, st_cmd_pending);
2415 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_ASYNC) ?
2416 		    &sc->sc_cmd_inactive : &sc->sc_cmd_active, cmd, next);
2417 		if (cmd->flags & UATH_CMD_FLAG_ASYNC)
2418 			UATH_STAT_INC(sc, st_cmd_inactive);
2419 		else
2420 			UATH_STAT_INC(sc, st_cmd_active);
2421 
2422 		usbd_xfer_set_frame_data(xfer, 0, cmd->buf, cmd->buflen);
2423 		usbd_transfer_submit(xfer);
2424 		break;
2425 	default:
2426 		if (error != USB_ERR_CANCELLED) {
2427 			usbd_xfer_set_stall(xfer);
2428 			goto setup;
2429 		}
2430 		break;
2431 	}
2432 }
2433 
2434 static void
2435 uath_update_rxstat(struct uath_softc *sc, uint32_t status)
2436 {
2437 
2438 	switch (status) {
2439 	case UATH_STATUS_STOP_IN_PROGRESS:
2440 		UATH_STAT_INC(sc, st_stopinprogress);
2441 		break;
2442 	case UATH_STATUS_CRC_ERR:
2443 		UATH_STAT_INC(sc, st_crcerr);
2444 		break;
2445 	case UATH_STATUS_PHY_ERR:
2446 		UATH_STAT_INC(sc, st_phyerr);
2447 		break;
2448 	case UATH_STATUS_DECRYPT_CRC_ERR:
2449 		UATH_STAT_INC(sc, st_decrypt_crcerr);
2450 		break;
2451 	case UATH_STATUS_DECRYPT_MIC_ERR:
2452 		UATH_STAT_INC(sc, st_decrypt_micerr);
2453 		break;
2454 	case UATH_STATUS_DECOMP_ERR:
2455 		UATH_STAT_INC(sc, st_decomperr);
2456 		break;
2457 	case UATH_STATUS_KEY_ERR:
2458 		UATH_STAT_INC(sc, st_keyerr);
2459 		break;
2460 	case UATH_STATUS_ERR:
2461 		UATH_STAT_INC(sc, st_err);
2462 		break;
2463 	default:
2464 		break;
2465 	}
2466 }
2467 
2468 CTASSERT(UATH_MIN_RXBUFSZ >= sizeof(struct uath_chunk));
2469 
2470 static struct mbuf *
2471 uath_data_rxeof(struct usb_xfer *xfer, struct uath_data *data,
2472     struct uath_rx_desc **pdesc)
2473 {
2474 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2475 	struct ieee80211com *ic = &sc->sc_ic;
2476 	struct uath_chunk *chunk;
2477 	struct uath_rx_desc *desc;
2478 	struct mbuf *m = data->m, *mnew, *mp;
2479 	uint16_t chunklen;
2480 	int actlen;
2481 
2482 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2483 
2484 	if (actlen < (int)UATH_MIN_RXBUFSZ) {
2485 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2486 		    "%s: wrong xfer size (len=%d)\n", __func__, actlen);
2487 		counter_u64_add(ic->ic_ierrors, 1);
2488 		return (NULL);
2489 	}
2490 
2491 	chunk = (struct uath_chunk *)data->buf;
2492 	chunklen = be16toh(chunk->length);
2493 	if (chunk->seqnum == 0 && chunk->flags == 0 && chunklen == 0) {
2494 		device_printf(sc->sc_dev, "%s: strange response\n", __func__);
2495 		counter_u64_add(ic->ic_ierrors, 1);
2496 		UATH_RESET_INTRX(sc);
2497 		return (NULL);
2498 	}
2499 
2500 	if (chunklen > actlen) {
2501 		device_printf(sc->sc_dev,
2502 		    "%s: invalid chunk length (len %u > actlen %d)\n",
2503 		    __func__, chunklen, actlen);
2504 		counter_u64_add(ic->ic_ierrors, 1);
2505 		/* XXX cleanup? */
2506 		UATH_RESET_INTRX(sc);
2507 		return (NULL);
2508 	}
2509 
2510 	if (chunk->seqnum != sc->sc_intrx_nextnum) {
2511 		DPRINTF(sc, UATH_DEBUG_XMIT, "invalid seqnum %d, expected %d\n",
2512 		    chunk->seqnum, sc->sc_intrx_nextnum);
2513 		UATH_STAT_INC(sc, st_badchunkseqnum);
2514 		if (sc->sc_intrx_head != NULL)
2515 			m_freem(sc->sc_intrx_head);
2516 		UATH_RESET_INTRX(sc);
2517 		return (NULL);
2518 	}
2519 
2520 	/* check multi-chunk frames  */
2521 	if ((chunk->seqnum == 0 && !(chunk->flags & UATH_CFLAGS_FINAL)) ||
2522 	    (chunk->seqnum != 0 && (chunk->flags & UATH_CFLAGS_FINAL)) ||
2523 	    chunk->flags & UATH_CFLAGS_RXMSG)
2524 		UATH_STAT_INC(sc, st_multichunk);
2525 
2526 	if (chunk->flags & UATH_CFLAGS_FINAL) {
2527 		if (chunklen < sizeof(struct uath_rx_desc)) {
2528 			device_printf(sc->sc_dev,
2529 			    "%s: invalid chunk length %d\n",
2530 			    __func__, chunklen);
2531 			counter_u64_add(ic->ic_ierrors, 1);
2532 			if (sc->sc_intrx_head != NULL)
2533 				m_freem(sc->sc_intrx_head);
2534 			UATH_RESET_INTRX(sc);
2535 			return (NULL);
2536 		}
2537 		chunklen -= sizeof(struct uath_rx_desc);
2538 	}
2539 
2540 	if (chunklen > 0 &&
2541 	    (!(chunk->flags & UATH_CFLAGS_FINAL) || !(chunk->seqnum == 0))) {
2542 		/* we should use intermediate RX buffer  */
2543 		if (chunk->seqnum == 0)
2544 			UATH_RESET_INTRX(sc);
2545 		if ((sc->sc_intrx_len + sizeof(struct uath_rx_desc) +
2546 		    chunklen) > UATH_MAX_INTRX_SIZE) {
2547 			UATH_STAT_INC(sc, st_invalidlen);
2548 			counter_u64_add(ic->ic_ierrors, 1);
2549 			if (sc->sc_intrx_head != NULL)
2550 				m_freem(sc->sc_intrx_head);
2551 			UATH_RESET_INTRX(sc);
2552 			return (NULL);
2553 		}
2554 
2555 		m->m_len = chunklen;
2556 		m->m_data += sizeof(struct uath_chunk);
2557 
2558 		if (sc->sc_intrx_head == NULL) {
2559 			sc->sc_intrx_head = m;
2560 			sc->sc_intrx_tail = m;
2561 		} else {
2562 			m->m_flags &= ~M_PKTHDR;
2563 			sc->sc_intrx_tail->m_next = m;
2564 			sc->sc_intrx_tail = m;
2565 		}
2566 	}
2567 	sc->sc_intrx_len += chunklen;
2568 
2569 	mnew = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2570 	if (mnew == NULL) {
2571 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2572 		    "%s: can't get new mbuf, drop frame\n", __func__);
2573 		counter_u64_add(ic->ic_ierrors, 1);
2574 		if (sc->sc_intrx_head != NULL)
2575 			m_freem(sc->sc_intrx_head);
2576 		UATH_RESET_INTRX(sc);
2577 		return (NULL);
2578 	}
2579 
2580 	data->m = mnew;
2581 	data->buf = mtod(mnew, uint8_t *);
2582 
2583 	/* if the frame is not final continue the transfer  */
2584 	if (!(chunk->flags & UATH_CFLAGS_FINAL)) {
2585 		sc->sc_intrx_nextnum++;
2586 		UATH_RESET_INTRX(sc);
2587 		return (NULL);
2588 	}
2589 
2590 	/*
2591 	 * if the frame is not set UATH_CFLAGS_RXMSG, then rx descriptor is
2592 	 * located at the end, 32-bit aligned
2593 	 */
2594 	desc = (chunk->flags & UATH_CFLAGS_RXMSG) ?
2595 		(struct uath_rx_desc *)(chunk + 1) :
2596 		(struct uath_rx_desc *)(((uint8_t *)chunk) +
2597 		    sizeof(struct uath_chunk) + be16toh(chunk->length) -
2598 		    sizeof(struct uath_rx_desc));
2599 	if ((uint8_t *)chunk + actlen - sizeof(struct uath_rx_desc) <
2600 	    (uint8_t *)desc) {
2601 		device_printf(sc->sc_dev,
2602 		    "%s: wrong Rx descriptor pointer "
2603 		    "(desc %p chunk %p actlen %d)\n",
2604 		    __func__, desc, chunk, actlen);
2605 		counter_u64_add(ic->ic_ierrors, 1);
2606 		if (sc->sc_intrx_head != NULL)
2607 			m_freem(sc->sc_intrx_head);
2608 		UATH_RESET_INTRX(sc);
2609 		return (NULL);
2610 	}
2611 
2612 	*pdesc = desc;
2613 
2614 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2615 	    "%s: frame len %u code %u status %u rate %u antenna %u "
2616 	    "rssi %d channel %u phyerror %u connix %u decrypterror %u "
2617 	    "keycachemiss %u\n", __func__, be32toh(desc->framelen)
2618 	    , be32toh(desc->code), be32toh(desc->status), be32toh(desc->rate)
2619 	    , be32toh(desc->antenna), be32toh(desc->rssi), be32toh(desc->channel)
2620 	    , be32toh(desc->phyerror), be32toh(desc->connix)
2621 	    , be32toh(desc->decrypterror), be32toh(desc->keycachemiss));
2622 
2623 	if (be32toh(desc->len) > MCLBYTES) {
2624 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2625 		    "%s: bad descriptor (len=%d)\n", __func__,
2626 		    be32toh(desc->len));
2627 		counter_u64_add(ic->ic_ierrors, 1);
2628 		UATH_STAT_INC(sc, st_toobigrxpkt);
2629 		if (sc->sc_intrx_head != NULL)
2630 			m_freem(sc->sc_intrx_head);
2631 		UATH_RESET_INTRX(sc);
2632 		return (NULL);
2633 	}
2634 
2635 	uath_update_rxstat(sc, be32toh(desc->status));
2636 
2637 	/* finalize mbuf */
2638 	if (sc->sc_intrx_head == NULL) {
2639 		uint32_t framelen;
2640 
2641 		if (be32toh(desc->framelen) < UATH_RX_DUMMYSIZE) {
2642 			device_printf(sc->sc_dev,
2643 			    "%s: framelen too small (%u)\n",
2644 			    __func__, be32toh(desc->framelen));
2645 			counter_u64_add(ic->ic_ierrors, 1);
2646 			if (sc->sc_intrx_head != NULL)
2647 				m_freem(sc->sc_intrx_head);
2648 			UATH_RESET_INTRX(sc);
2649 			return (NULL);
2650 		}
2651 
2652 		framelen = be32toh(desc->framelen) - UATH_RX_DUMMYSIZE;
2653 		if (framelen > actlen - sizeof(struct uath_chunk) ||
2654 		    framelen < sizeof(struct ieee80211_frame_ack)) {
2655 			device_printf(sc->sc_dev,
2656 			    "%s: wrong frame length (%u, actlen %d)!\n",
2657 			    __func__, framelen, actlen);
2658 			counter_u64_add(ic->ic_ierrors, 1);
2659 			if (sc->sc_intrx_head != NULL)
2660 				m_freem(sc->sc_intrx_head);
2661 			UATH_RESET_INTRX(sc);
2662 			return (NULL);
2663 		}
2664 
2665 		m->m_pkthdr.len = m->m_len = framelen;
2666 		m->m_data += sizeof(struct uath_chunk);
2667 	} else {
2668 		mp = sc->sc_intrx_head;
2669 		mp->m_flags |= M_PKTHDR;
2670 		mp->m_pkthdr.len = sc->sc_intrx_len;
2671 		m = mp;
2672 	}
2673 
2674 	/* there are a lot more fields in the RX descriptor */
2675 	if ((sc->sc_flags & UATH_FLAG_INVALID) == 0 &&
2676 	    ieee80211_radiotap_active(ic)) {
2677 		struct uath_rx_radiotap_header *tap = &sc->sc_rxtap;
2678 		uint32_t tsf_hi = be32toh(desc->tstamp_high);
2679 		uint32_t tsf_lo = be32toh(desc->tstamp_low);
2680 
2681 		/* XXX only get low order 24bits of tsf from h/w */
2682 		tap->wr_tsf = htole64(((uint64_t)tsf_hi << 32) | tsf_lo);
2683 		tap->wr_flags = 0;
2684 		if (be32toh(desc->status) == UATH_STATUS_CRC_ERR)
2685 			tap->wr_flags |= IEEE80211_RADIOTAP_F_BADFCS;
2686 		/* XXX map other status to BADFCS? */
2687 		/* XXX ath h/w rate code, need to map */
2688 		tap->wr_rate = be32toh(desc->rate);
2689 		tap->wr_antenna = be32toh(desc->antenna);
2690 		tap->wr_antsignal = -95 + be32toh(desc->rssi);
2691 		tap->wr_antnoise = -95;
2692 	}
2693 
2694 	UATH_RESET_INTRX(sc);
2695 
2696 	return (m);
2697 }
2698 
2699 static void
2700 uath_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2701 {
2702 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2703 	struct ieee80211com *ic = &sc->sc_ic;
2704 	struct ieee80211_frame *wh;
2705 	struct ieee80211_node *ni;
2706 	struct epoch_tracker et;
2707 	struct mbuf *m = NULL;
2708 	struct uath_data *data;
2709 	struct uath_rx_desc *desc = NULL;
2710 	int8_t nf;
2711 
2712 	UATH_ASSERT_LOCKED(sc);
2713 
2714 	switch (USB_GET_STATE(xfer)) {
2715 	case USB_ST_TRANSFERRED:
2716 		data = STAILQ_FIRST(&sc->sc_rx_active);
2717 		if (data == NULL)
2718 			goto setup;
2719 		STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2720 		UATH_STAT_DEC(sc, st_rx_active);
2721 		m = uath_data_rxeof(xfer, data, &desc);
2722 		STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2723 		UATH_STAT_INC(sc, st_rx_inactive);
2724 		/* FALLTHROUGH */
2725 	case USB_ST_SETUP:
2726 setup:
2727 		data = STAILQ_FIRST(&sc->sc_rx_inactive);
2728 		if (data == NULL)
2729 			return;
2730 		STAILQ_REMOVE_HEAD(&sc->sc_rx_inactive, next);
2731 		UATH_STAT_DEC(sc, st_rx_inactive);
2732 		STAILQ_INSERT_TAIL(&sc->sc_rx_active, data, next);
2733 		UATH_STAT_INC(sc, st_rx_active);
2734 		usbd_xfer_set_frame_data(xfer, 0, data->buf, MCLBYTES);
2735 		usbd_transfer_submit(xfer);
2736 
2737 		/*
2738 		 * To avoid LOR we should unlock our private mutex here to call
2739 		 * ieee80211_input() because here is at the end of a USB
2740 		 * callback and safe to unlock.
2741 		 */
2742 		if (sc->sc_flags & UATH_FLAG_INVALID) {
2743 			if (m != NULL)
2744 				m_freem(m);
2745 			return;
2746 		}
2747 		UATH_UNLOCK(sc);
2748 		if (m != NULL && desc != NULL) {
2749 			wh = mtod(m, struct ieee80211_frame *);
2750 			ni = ieee80211_find_rxnode(ic,
2751 			    (struct ieee80211_frame_min *)wh);
2752 			nf = -95;	/* XXX */
2753 			NET_EPOCH_ENTER(et);
2754 			if (ni != NULL) {
2755 				(void) ieee80211_input(ni, m,
2756 				    (int)be32toh(desc->rssi), nf);
2757 				/* node is no longer needed */
2758 				ieee80211_free_node(ni);
2759 			} else
2760 				(void) ieee80211_input_all(ic, m,
2761 				    (int)be32toh(desc->rssi), nf);
2762 			NET_EPOCH_EXIT(et);
2763 			m = NULL;
2764 			desc = NULL;
2765 		}
2766 		UATH_LOCK(sc);
2767 		uath_start(sc);
2768 		break;
2769 	default:
2770 		/* needs it to the inactive queue due to a error.  */
2771 		data = STAILQ_FIRST(&sc->sc_rx_active);
2772 		if (data != NULL) {
2773 			STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2774 			UATH_STAT_DEC(sc, st_rx_active);
2775 			STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2776 			UATH_STAT_INC(sc, st_rx_inactive);
2777 		}
2778 		if (error != USB_ERR_CANCELLED) {
2779 			usbd_xfer_set_stall(xfer);
2780 			counter_u64_add(ic->ic_ierrors, 1);
2781 			goto setup;
2782 		}
2783 		break;
2784 	}
2785 }
2786 
2787 static void
2788 uath_data_txeof(struct usb_xfer *xfer, struct uath_data *data)
2789 {
2790 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2791 
2792 	UATH_ASSERT_LOCKED(sc);
2793 
2794 	if (data->m) {
2795 		/* XXX status? */
2796 		ieee80211_tx_complete(data->ni, data->m, 0);
2797 		data->m = NULL;
2798 		data->ni = NULL;
2799 	}
2800 	sc->sc_tx_timer = 0;
2801 }
2802 
2803 static void
2804 uath_bulk_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2805 {
2806 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2807 	struct uath_data *data;
2808 
2809 	UATH_ASSERT_LOCKED(sc);
2810 
2811 	switch (USB_GET_STATE(xfer)) {
2812 	case USB_ST_TRANSFERRED:
2813 		data = STAILQ_FIRST(&sc->sc_tx_active);
2814 		if (data == NULL)
2815 			goto setup;
2816 		STAILQ_REMOVE_HEAD(&sc->sc_tx_active, next);
2817 		UATH_STAT_DEC(sc, st_tx_active);
2818 		uath_data_txeof(xfer, data);
2819 		STAILQ_INSERT_TAIL(&sc->sc_tx_inactive, data, next);
2820 		UATH_STAT_INC(sc, st_tx_inactive);
2821 		/* FALLTHROUGH */
2822 	case USB_ST_SETUP:
2823 setup:
2824 		data = STAILQ_FIRST(&sc->sc_tx_pending);
2825 		if (data == NULL) {
2826 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2827 			    __func__);
2828 			return;
2829 		}
2830 		STAILQ_REMOVE_HEAD(&sc->sc_tx_pending, next);
2831 		UATH_STAT_DEC(sc, st_tx_pending);
2832 		STAILQ_INSERT_TAIL(&sc->sc_tx_active, data, next);
2833 		UATH_STAT_INC(sc, st_tx_active);
2834 
2835 		usbd_xfer_set_frame_data(xfer, 0, data->buf, data->buflen);
2836 		usbd_transfer_submit(xfer);
2837 
2838 		uath_start(sc);
2839 		break;
2840 	default:
2841 		data = STAILQ_FIRST(&sc->sc_tx_active);
2842 		if (data == NULL)
2843 			goto setup;
2844 		if (data->ni != NULL) {
2845 			if_inc_counter(data->ni->ni_vap->iv_ifp,
2846 			    IFCOUNTER_OERRORS, 1);
2847 			if ((sc->sc_flags & UATH_FLAG_INVALID) == 0)
2848 				ieee80211_free_node(data->ni);
2849 			data->ni = NULL;
2850 		}
2851 		if (error != USB_ERR_CANCELLED) {
2852 			usbd_xfer_set_stall(xfer);
2853 			goto setup;
2854 		}
2855 		break;
2856 	}
2857 }
2858 
2859 static device_method_t uath_methods[] = {
2860 	DEVMETHOD(device_probe, uath_match),
2861 	DEVMETHOD(device_attach, uath_attach),
2862 	DEVMETHOD(device_detach, uath_detach),
2863 	DEVMETHOD_END
2864 };
2865 
2866 static driver_t uath_driver = {
2867 	.name = "uath",
2868 	.methods = uath_methods,
2869 	.size = sizeof(struct uath_softc)
2870 };
2871 
2872 DRIVER_MODULE(uath, uhub, uath_driver, NULL, NULL);
2873 MODULE_DEPEND(uath, wlan, 1, 1, 1);
2874 MODULE_DEPEND(uath, usb, 1, 1, 1);
2875 MODULE_VERSION(uath, 1);
2876 USB_PNP_HOST_INFO(uath_devs);
2877