xref: /freebsd/sys/dev/usb/wlan/if_uath.c (revision d8a0fe102c0cfdfcd5b818f850eff09d8536c9bc)
1 /*-
2  * SPDX-License-Identifier: (BSD-2-Clause-FreeBSD AND BSD-1-Clause)
3  *
4  * Copyright (c) 2006 Sam Leffler, Errno Consulting
5  * Copyright (c) 2008-2009 Weongyo Jeong <weongyo@freebsd.org>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer,
13  *    without modification.
14  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
15  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
16  *    redistribution must be conditioned upon including a substantially
17  *    similar Disclaimer requirement for further binary redistribution.
18  *
19  * NO WARRANTY
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
23  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
24  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
25  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
28  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGES.
31  */
32 
33 /*
34  * This driver is distantly derived from a driver of the same name
35  * by Damien Bergamini.  The original copyright is included below:
36  *
37  * Copyright (c) 2006
38  *	Damien Bergamini <damien.bergamini@free.fr>
39  *
40  * Permission to use, copy, modify, and distribute this software for any
41  * purpose with or without fee is hereby granted, provided that the above
42  * copyright notice and this permission notice appear in all copies.
43  *
44  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
45  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
46  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
47  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
48  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
49  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
50  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
51  */
52 
53 #include <sys/cdefs.h>
54 __FBSDID("$FreeBSD$");
55 
56 /*-
57  * Driver for Atheros AR5523 USB parts.
58  *
59  * The driver requires firmware to be loaded into the device.  This
60  * is done on device discovery from a user application (uathload)
61  * that is launched by devd when a device with suitable product ID
62  * is recognized.  Once firmware has been loaded the device will
63  * reset the USB port and re-attach with the original product ID+1
64  * and this driver will be attached.  The firmware is licensed for
65  * general use (royalty free) and may be incorporated in products.
66  * Note that the firmware normally packaged with the NDIS drivers
67  * for these devices does not work in this way and so does not work
68  * with this driver.
69  */
70 #include <sys/param.h>
71 #include <sys/sockio.h>
72 #include <sys/sysctl.h>
73 #include <sys/lock.h>
74 #include <sys/mutex.h>
75 #include <sys/mbuf.h>
76 #include <sys/kernel.h>
77 #include <sys/socket.h>
78 #include <sys/systm.h>
79 #include <sys/malloc.h>
80 #include <sys/module.h>
81 #include <sys/bus.h>
82 #include <sys/endian.h>
83 #include <sys/kdb.h>
84 
85 #include <machine/bus.h>
86 #include <machine/resource.h>
87 #include <sys/rman.h>
88 
89 #include <net/bpf.h>
90 #include <net/if.h>
91 #include <net/if_var.h>
92 #include <net/if_arp.h>
93 #include <net/ethernet.h>
94 #include <net/if_dl.h>
95 #include <net/if_media.h>
96 #include <net/if_types.h>
97 
98 #ifdef INET
99 #include <netinet/in.h>
100 #include <netinet/in_systm.h>
101 #include <netinet/in_var.h>
102 #include <netinet/if_ether.h>
103 #include <netinet/ip.h>
104 #endif
105 
106 #include <net80211/ieee80211_var.h>
107 #include <net80211/ieee80211_input.h>
108 #include <net80211/ieee80211_regdomain.h>
109 #include <net80211/ieee80211_radiotap.h>
110 
111 #include <dev/usb/usb.h>
112 #include <dev/usb/usbdi.h>
113 #include "usbdevs.h"
114 
115 #include <dev/usb/wlan/if_uathreg.h>
116 #include <dev/usb/wlan/if_uathvar.h>
117 
118 static SYSCTL_NODE(_hw_usb, OID_AUTO, uath, CTLFLAG_RW, 0, "USB Atheros");
119 
120 static	int uath_countrycode = CTRY_DEFAULT;	/* country code */
121 SYSCTL_INT(_hw_usb_uath, OID_AUTO, countrycode, CTLFLAG_RWTUN, &uath_countrycode,
122     0, "country code");
123 static	int uath_regdomain = 0;			/* regulatory domain */
124 SYSCTL_INT(_hw_usb_uath, OID_AUTO, regdomain, CTLFLAG_RD, &uath_regdomain,
125     0, "regulatory domain");
126 
127 #ifdef UATH_DEBUG
128 int uath_debug = 0;
129 SYSCTL_INT(_hw_usb_uath, OID_AUTO, debug, CTLFLAG_RWTUN, &uath_debug, 0,
130     "uath debug level");
131 enum {
132 	UATH_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
133 	UATH_DEBUG_XMIT_DUMP	= 0x00000002,	/* xmit dump */
134 	UATH_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
135 	UATH_DEBUG_TX_PROC	= 0x00000008,	/* tx ISR proc */
136 	UATH_DEBUG_RX_PROC	= 0x00000010,	/* rx ISR proc */
137 	UATH_DEBUG_RECV_ALL	= 0x00000020,	/* trace all frames (beacons) */
138 	UATH_DEBUG_INIT		= 0x00000040,	/* initialization of dev */
139 	UATH_DEBUG_DEVCAP	= 0x00000080,	/* dev caps */
140 	UATH_DEBUG_CMDS		= 0x00000100,	/* commands */
141 	UATH_DEBUG_CMDS_DUMP	= 0x00000200,	/* command buffer dump */
142 	UATH_DEBUG_RESET	= 0x00000400,	/* reset processing */
143 	UATH_DEBUG_STATE	= 0x00000800,	/* 802.11 state transitions */
144 	UATH_DEBUG_MULTICAST	= 0x00001000,	/* multicast */
145 	UATH_DEBUG_WME		= 0x00002000,	/* WME */
146 	UATH_DEBUG_CHANNEL	= 0x00004000,	/* channel */
147 	UATH_DEBUG_RATES	= 0x00008000,	/* rates */
148 	UATH_DEBUG_CRYPTO	= 0x00010000,	/* crypto */
149 	UATH_DEBUG_LED		= 0x00020000,	/* LED */
150 	UATH_DEBUG_ANY		= 0xffffffff
151 };
152 #define	DPRINTF(sc, m, fmt, ...) do {				\
153 	if (sc->sc_debug & (m))					\
154 		printf(fmt, __VA_ARGS__);			\
155 } while (0)
156 #else
157 #define	DPRINTF(sc, m, fmt, ...) do {				\
158 	(void) sc;						\
159 } while (0)
160 #endif
161 
162 /* recognized device vendors/products */
163 static const STRUCT_USB_HOST_ID uath_devs[] = {
164 #define	UATH_DEV(v,p) { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
165 	UATH_DEV(ACCTON,		SMCWUSBTG2),
166 	UATH_DEV(ATHEROS,		AR5523),
167 	UATH_DEV(ATHEROS2,		AR5523_1),
168 	UATH_DEV(ATHEROS2,		AR5523_2),
169 	UATH_DEV(ATHEROS2,		AR5523_3),
170 	UATH_DEV(CONCEPTRONIC,		AR5523_1),
171 	UATH_DEV(CONCEPTRONIC,		AR5523_2),
172 	UATH_DEV(DLINK,			DWLAG122),
173 	UATH_DEV(DLINK,			DWLAG132),
174 	UATH_DEV(DLINK,			DWLG132),
175 	UATH_DEV(DLINK2,		DWA120),
176 	UATH_DEV(GIGASET,		AR5523),
177 	UATH_DEV(GIGASET,		SMCWUSBTG),
178 	UATH_DEV(GLOBALSUN,		AR5523_1),
179 	UATH_DEV(GLOBALSUN,		AR5523_2),
180 	UATH_DEV(NETGEAR,		WG111U),
181 	UATH_DEV(NETGEAR3,		WG111T),
182 	UATH_DEV(NETGEAR3,		WPN111),
183 	UATH_DEV(NETGEAR3,		WPN111_2),
184 	UATH_DEV(UMEDIA,		TEW444UBEU),
185 	UATH_DEV(UMEDIA,		AR5523_2),
186 	UATH_DEV(WISTRONNEWEB,		AR5523_1),
187 	UATH_DEV(WISTRONNEWEB,		AR5523_2),
188 	UATH_DEV(ZCOM,			AR5523)
189 #undef UATH_DEV
190 };
191 
192 static usb_callback_t uath_intr_rx_callback;
193 static usb_callback_t uath_intr_tx_callback;
194 static usb_callback_t uath_bulk_rx_callback;
195 static usb_callback_t uath_bulk_tx_callback;
196 
197 static const struct usb_config uath_usbconfig[UATH_N_XFERS] = {
198 	[UATH_INTR_RX] = {
199 		.type = UE_BULK,
200 		.endpoint = 0x1,
201 		.direction = UE_DIR_IN,
202 		.bufsize = UATH_MAX_CMDSZ,
203 		.flags = {
204 			.pipe_bof = 1,
205 			.short_xfer_ok = 1
206 		},
207 		.callback = uath_intr_rx_callback
208 	},
209 	[UATH_INTR_TX] = {
210 		.type = UE_BULK,
211 		.endpoint = 0x1,
212 		.direction = UE_DIR_OUT,
213 		.bufsize = UATH_MAX_CMDSZ * UATH_CMD_LIST_COUNT,
214 		.flags = {
215 			.force_short_xfer = 1,
216 			.pipe_bof = 1,
217 		},
218 		.callback = uath_intr_tx_callback,
219 		.timeout = UATH_CMD_TIMEOUT
220 	},
221 	[UATH_BULK_RX] = {
222 		.type = UE_BULK,
223 		.endpoint = 0x2,
224 		.direction = UE_DIR_IN,
225 		.bufsize = MCLBYTES,
226 		.flags = {
227 			.ext_buffer = 1,
228 			.pipe_bof = 1,
229 			.short_xfer_ok = 1
230 		},
231 		.callback = uath_bulk_rx_callback
232 	},
233 	[UATH_BULK_TX] = {
234 		.type = UE_BULK,
235 		.endpoint = 0x2,
236 		.direction = UE_DIR_OUT,
237 		.bufsize = UATH_MAX_TXBUFSZ * UATH_TX_DATA_LIST_COUNT,
238 		.flags = {
239 			.force_short_xfer = 1,
240 			.pipe_bof = 1
241 		},
242 		.callback = uath_bulk_tx_callback,
243 		.timeout = UATH_DATA_TIMEOUT
244 	}
245 };
246 
247 static struct ieee80211vap *uath_vap_create(struct ieee80211com *,
248 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
249 		    const uint8_t [IEEE80211_ADDR_LEN],
250 		    const uint8_t [IEEE80211_ADDR_LEN]);
251 static void	uath_vap_delete(struct ieee80211vap *);
252 static int	uath_alloc_cmd_list(struct uath_softc *, struct uath_cmd []);
253 static void	uath_free_cmd_list(struct uath_softc *, struct uath_cmd []);
254 static int	uath_host_available(struct uath_softc *);
255 static int	uath_get_capability(struct uath_softc *, uint32_t, uint32_t *);
256 static int	uath_get_devcap(struct uath_softc *);
257 static struct uath_cmd *
258 		uath_get_cmdbuf(struct uath_softc *);
259 static int	uath_cmd_read(struct uath_softc *, uint32_t, const void *,
260 		    int, void *, int, int);
261 static int	uath_cmd_write(struct uath_softc *, uint32_t, const void *,
262 		    int, int);
263 static void	uath_stat(void *);
264 #ifdef UATH_DEBUG
265 static void	uath_dump_cmd(const uint8_t *, int, char);
266 static const char *
267 		uath_codename(int);
268 #endif
269 static int	uath_get_devstatus(struct uath_softc *,
270 		    uint8_t macaddr[IEEE80211_ADDR_LEN]);
271 static int	uath_get_status(struct uath_softc *, uint32_t, void *, int);
272 static int	uath_alloc_rx_data_list(struct uath_softc *);
273 static int	uath_alloc_tx_data_list(struct uath_softc *);
274 static void	uath_free_rx_data_list(struct uath_softc *);
275 static void	uath_free_tx_data_list(struct uath_softc *);
276 static int	uath_init(struct uath_softc *);
277 static void	uath_stop(struct uath_softc *);
278 static void	uath_parent(struct ieee80211com *);
279 static int	uath_transmit(struct ieee80211com *, struct mbuf *);
280 static void	uath_start(struct uath_softc *);
281 static int	uath_raw_xmit(struct ieee80211_node *, struct mbuf *,
282 		    const struct ieee80211_bpf_params *);
283 static void	uath_scan_start(struct ieee80211com *);
284 static void	uath_scan_end(struct ieee80211com *);
285 static void	uath_set_channel(struct ieee80211com *);
286 static void	uath_update_mcast(struct ieee80211com *);
287 static void	uath_update_promisc(struct ieee80211com *);
288 static int	uath_config(struct uath_softc *, uint32_t, uint32_t);
289 static int	uath_config_multi(struct uath_softc *, uint32_t, const void *,
290 		    int);
291 static int	uath_switch_channel(struct uath_softc *,
292 		    struct ieee80211_channel *);
293 static int	uath_set_rxfilter(struct uath_softc *, uint32_t, uint32_t);
294 static void	uath_watchdog(void *);
295 static void	uath_abort_xfers(struct uath_softc *);
296 static int	uath_dataflush(struct uath_softc *);
297 static int	uath_cmdflush(struct uath_softc *);
298 static int	uath_flush(struct uath_softc *);
299 static int	uath_set_ledstate(struct uath_softc *, int);
300 static int	uath_set_chan(struct uath_softc *, struct ieee80211_channel *);
301 static int	uath_reset_tx_queues(struct uath_softc *);
302 static int	uath_wme_init(struct uath_softc *);
303 static struct uath_data *
304 		uath_getbuf(struct uath_softc *);
305 static int	uath_newstate(struct ieee80211vap *, enum ieee80211_state,
306 		    int);
307 static int	uath_set_key(struct uath_softc *,
308 		    const struct ieee80211_key *, int);
309 static int	uath_set_keys(struct uath_softc *, struct ieee80211vap *);
310 static void	uath_sysctl_node(struct uath_softc *);
311 
312 static int
313 uath_match(device_t dev)
314 {
315 	struct usb_attach_arg *uaa = device_get_ivars(dev);
316 
317 	if (uaa->usb_mode != USB_MODE_HOST)
318 		return (ENXIO);
319 	if (uaa->info.bConfigIndex != UATH_CONFIG_INDEX)
320 		return (ENXIO);
321 	if (uaa->info.bIfaceIndex != UATH_IFACE_INDEX)
322 		return (ENXIO);
323 
324 	return (usbd_lookup_id_by_uaa(uath_devs, sizeof(uath_devs), uaa));
325 }
326 
327 static int
328 uath_attach(device_t dev)
329 {
330 	struct uath_softc *sc = device_get_softc(dev);
331 	struct usb_attach_arg *uaa = device_get_ivars(dev);
332 	struct ieee80211com *ic = &sc->sc_ic;
333 	uint8_t bands[IEEE80211_MODE_BYTES];
334 	uint8_t iface_index = UATH_IFACE_INDEX;		/* XXX */
335 	usb_error_t error;
336 
337 	sc->sc_dev = dev;
338 	sc->sc_udev = uaa->device;
339 #ifdef UATH_DEBUG
340 	sc->sc_debug = uath_debug;
341 #endif
342 	device_set_usb_desc(dev);
343 
344 	/*
345 	 * Only post-firmware devices here.
346 	 */
347 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev), MTX_NETWORK_LOCK,
348 	    MTX_DEF);
349 	callout_init(&sc->stat_ch, 0);
350 	callout_init_mtx(&sc->watchdog_ch, &sc->sc_mtx, 0);
351 	mbufq_init(&sc->sc_snd, ifqmaxlen);
352 
353 	error = usbd_transfer_setup(uaa->device, &iface_index, sc->sc_xfer,
354 	    uath_usbconfig, UATH_N_XFERS, sc, &sc->sc_mtx);
355 	if (error) {
356 		device_printf(dev, "could not allocate USB transfers, "
357 		    "err=%s\n", usbd_errstr(error));
358 		goto fail;
359 	}
360 
361 	sc->sc_cmd_dma_buf =
362 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_INTR_TX], 0);
363 	sc->sc_tx_dma_buf =
364 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_BULK_TX], 0);
365 
366 	/*
367 	 * Setup buffers for firmware commands.
368 	 */
369 	error = uath_alloc_cmd_list(sc, sc->sc_cmd);
370 	if (error != 0) {
371 		device_printf(sc->sc_dev,
372 		    "could not allocate Tx command list\n");
373 		goto fail1;
374 	}
375 
376 	/*
377 	 * We're now ready to send+receive firmware commands.
378 	 */
379 	UATH_LOCK(sc);
380 	error = uath_host_available(sc);
381 	if (error != 0) {
382 		device_printf(sc->sc_dev, "could not initialize adapter\n");
383 		goto fail2;
384 	}
385 	error = uath_get_devcap(sc);
386 	if (error != 0) {
387 		device_printf(sc->sc_dev,
388 		    "could not get device capabilities\n");
389 		goto fail2;
390 	}
391 	UATH_UNLOCK(sc);
392 
393 	/* Create device sysctl node. */
394 	uath_sysctl_node(sc);
395 
396 	UATH_LOCK(sc);
397 	error = uath_get_devstatus(sc, ic->ic_macaddr);
398 	if (error != 0) {
399 		device_printf(sc->sc_dev, "could not get device status\n");
400 		goto fail2;
401 	}
402 
403 	/*
404 	 * Allocate xfers for Rx/Tx data pipes.
405 	 */
406 	error = uath_alloc_rx_data_list(sc);
407 	if (error != 0) {
408 		device_printf(sc->sc_dev, "could not allocate Rx data list\n");
409 		goto fail2;
410 	}
411 	error = uath_alloc_tx_data_list(sc);
412 	if (error != 0) {
413 		device_printf(sc->sc_dev, "could not allocate Tx data list\n");
414 		goto fail2;
415 	}
416 	UATH_UNLOCK(sc);
417 
418 	ic->ic_softc = sc;
419 	ic->ic_name = device_get_nameunit(dev);
420 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
421 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
422 
423 	/* set device capabilities */
424 	ic->ic_caps =
425 	    IEEE80211_C_STA |		/* station mode */
426 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
427 	    IEEE80211_C_TXPMGT |	/* tx power management */
428 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
429 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
430 	    IEEE80211_C_WPA |		/* 802.11i */
431 	    IEEE80211_C_BGSCAN |	/* capable of bg scanning */
432 	    IEEE80211_C_TXFRAG;		/* handle tx frags */
433 
434 	/* put a regulatory domain to reveal informations.  */
435 	uath_regdomain = sc->sc_devcap.regDomain;
436 
437 	memset(bands, 0, sizeof(bands));
438 	setbit(bands, IEEE80211_MODE_11B);
439 	setbit(bands, IEEE80211_MODE_11G);
440 	if ((sc->sc_devcap.analog5GhzRevision & 0xf0) == 0x30)
441 		setbit(bands, IEEE80211_MODE_11A);
442 	/* XXX turbo */
443 	ieee80211_init_channels(ic, NULL, bands);
444 
445 	ieee80211_ifattach(ic);
446 	ic->ic_raw_xmit = uath_raw_xmit;
447 	ic->ic_scan_start = uath_scan_start;
448 	ic->ic_scan_end = uath_scan_end;
449 	ic->ic_set_channel = uath_set_channel;
450 	ic->ic_vap_create = uath_vap_create;
451 	ic->ic_vap_delete = uath_vap_delete;
452 	ic->ic_update_mcast = uath_update_mcast;
453 	ic->ic_update_promisc = uath_update_promisc;
454 	ic->ic_transmit = uath_transmit;
455 	ic->ic_parent = uath_parent;
456 
457 	ieee80211_radiotap_attach(ic,
458 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
459 		UATH_TX_RADIOTAP_PRESENT,
460 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
461 		UATH_RX_RADIOTAP_PRESENT);
462 
463 	if (bootverbose)
464 		ieee80211_announce(ic);
465 
466 	return (0);
467 
468 fail2:	UATH_UNLOCK(sc);
469 	uath_free_cmd_list(sc, sc->sc_cmd);
470 fail1:	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
471 fail:
472 	return (error);
473 }
474 
475 static int
476 uath_detach(device_t dev)
477 {
478 	struct uath_softc *sc = device_get_softc(dev);
479 	struct ieee80211com *ic = &sc->sc_ic;
480 	unsigned int x;
481 
482 	/*
483 	 * Prevent further allocations from RX/TX/CMD
484 	 * data lists and ioctls
485 	 */
486 	UATH_LOCK(sc);
487 	sc->sc_flags |= UATH_FLAG_INVALID;
488 
489 	STAILQ_INIT(&sc->sc_rx_active);
490 	STAILQ_INIT(&sc->sc_rx_inactive);
491 
492 	STAILQ_INIT(&sc->sc_tx_active);
493 	STAILQ_INIT(&sc->sc_tx_inactive);
494 	STAILQ_INIT(&sc->sc_tx_pending);
495 
496 	STAILQ_INIT(&sc->sc_cmd_active);
497 	STAILQ_INIT(&sc->sc_cmd_pending);
498 	STAILQ_INIT(&sc->sc_cmd_waiting);
499 	STAILQ_INIT(&sc->sc_cmd_inactive);
500 
501 	uath_stop(sc);
502 	UATH_UNLOCK(sc);
503 
504 	callout_drain(&sc->stat_ch);
505 	callout_drain(&sc->watchdog_ch);
506 
507 	/* drain USB transfers */
508 	for (x = 0; x != UATH_N_XFERS; x++)
509 		usbd_transfer_drain(sc->sc_xfer[x]);
510 
511 	/* free data buffers */
512 	UATH_LOCK(sc);
513 	uath_free_rx_data_list(sc);
514 	uath_free_tx_data_list(sc);
515 	uath_free_cmd_list(sc, sc->sc_cmd);
516 	UATH_UNLOCK(sc);
517 
518 	/* free USB transfers and some data buffers */
519 	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
520 
521 	ieee80211_ifdetach(ic);
522 	mbufq_drain(&sc->sc_snd);
523 	mtx_destroy(&sc->sc_mtx);
524 	return (0);
525 }
526 
527 static void
528 uath_free_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
529 {
530 	int i;
531 
532 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++)
533 		cmds[i].buf = NULL;
534 }
535 
536 static int
537 uath_alloc_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
538 {
539 	int i;
540 
541 	STAILQ_INIT(&sc->sc_cmd_active);
542 	STAILQ_INIT(&sc->sc_cmd_pending);
543 	STAILQ_INIT(&sc->sc_cmd_waiting);
544 	STAILQ_INIT(&sc->sc_cmd_inactive);
545 
546 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++) {
547 		struct uath_cmd *cmd = &cmds[i];
548 
549 		cmd->sc = sc;	/* backpointer for callbacks */
550 		cmd->msgid = i;
551 		cmd->buf = ((uint8_t *)sc->sc_cmd_dma_buf) +
552 		    (i * UATH_MAX_CMDSZ);
553 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
554 		UATH_STAT_INC(sc, st_cmd_inactive);
555 	}
556 	return (0);
557 }
558 
559 static int
560 uath_host_available(struct uath_softc *sc)
561 {
562 	struct uath_cmd_host_available setup;
563 
564 	UATH_ASSERT_LOCKED(sc);
565 
566 	/* inform target the host is available */
567 	setup.sw_ver_major = htobe32(ATH_SW_VER_MAJOR);
568 	setup.sw_ver_minor = htobe32(ATH_SW_VER_MINOR);
569 	setup.sw_ver_patch = htobe32(ATH_SW_VER_PATCH);
570 	setup.sw_ver_build = htobe32(ATH_SW_VER_BUILD);
571 	return uath_cmd_read(sc, WDCMSG_HOST_AVAILABLE,
572 		&setup, sizeof setup, NULL, 0, 0);
573 }
574 
575 #ifdef UATH_DEBUG
576 static void
577 uath_dump_cmd(const uint8_t *buf, int len, char prefix)
578 {
579 	const char *sep = "";
580 	int i;
581 
582 	for (i = 0; i < len; i++) {
583 		if ((i % 16) == 0) {
584 			printf("%s%c ", sep, prefix);
585 			sep = "\n";
586 		}
587 		else if ((i % 4) == 0)
588 			printf(" ");
589 		printf("%02x", buf[i]);
590 	}
591 	printf("\n");
592 }
593 
594 static const char *
595 uath_codename(int code)
596 {
597 	static const char *names[] = {
598 	    "0x00",
599 	    "HOST_AVAILABLE",
600 	    "BIND",
601 	    "TARGET_RESET",
602 	    "TARGET_GET_CAPABILITY",
603 	    "TARGET_SET_CONFIG",
604 	    "TARGET_GET_STATUS",
605 	    "TARGET_GET_STATS",
606 	    "TARGET_START",
607 	    "TARGET_STOP",
608 	    "TARGET_ENABLE",
609 	    "TARGET_DISABLE",
610 	    "CREATE_CONNECTION",
611 	    "UPDATE_CONNECT_ATTR",
612 	    "DELETE_CONNECT",
613 	    "SEND",
614 	    "FLUSH",
615 	    "STATS_UPDATE",
616 	    "BMISS",
617 	    "DEVICE_AVAIL",
618 	    "SEND_COMPLETE",
619 	    "DATA_AVAIL",
620 	    "SET_PWR_MODE",
621 	    "BMISS_ACK",
622 	    "SET_LED_STEADY",
623 	    "SET_LED_BLINK",
624 	    "SETUP_BEACON_DESC",
625 	    "BEACON_INIT",
626 	    "RESET_KEY_CACHE",
627 	    "RESET_KEY_CACHE_ENTRY",
628 	    "SET_KEY_CACHE_ENTRY",
629 	    "SET_DECOMP_MASK",
630 	    "SET_REGULATORY_DOMAIN",
631 	    "SET_LED_STATE",
632 	    "WRITE_ASSOCID",
633 	    "SET_STA_BEACON_TIMERS",
634 	    "GET_TSF",
635 	    "RESET_TSF",
636 	    "SET_ADHOC_MODE",
637 	    "SET_BASIC_RATE",
638 	    "MIB_CONTROL",
639 	    "GET_CHANNEL_DATA",
640 	    "GET_CUR_RSSI",
641 	    "SET_ANTENNA_SWITCH",
642 	    "0x2c", "0x2d", "0x2e",
643 	    "USE_SHORT_SLOT_TIME",
644 	    "SET_POWER_MODE",
645 	    "SETUP_PSPOLL_DESC",
646 	    "SET_RX_MULTICAST_FILTER",
647 	    "RX_FILTER",
648 	    "PER_CALIBRATION",
649 	    "RESET",
650 	    "DISABLE",
651 	    "PHY_DISABLE",
652 	    "SET_TX_POWER_LIMIT",
653 	    "SET_TX_QUEUE_PARAMS",
654 	    "SETUP_TX_QUEUE",
655 	    "RELEASE_TX_QUEUE",
656 	};
657 	static char buf[8];
658 
659 	if (code < nitems(names))
660 		return names[code];
661 	if (code == WDCMSG_SET_DEFAULT_KEY)
662 		return "SET_DEFAULT_KEY";
663 	snprintf(buf, sizeof(buf), "0x%02x", code);
664 	return buf;
665 }
666 #endif
667 
668 /*
669  * Low-level function to send read or write commands to the firmware.
670  */
671 static int
672 uath_cmdsend(struct uath_softc *sc, uint32_t code, const void *idata, int ilen,
673     void *odata, int olen, int flags)
674 {
675 	struct uath_cmd_hdr *hdr;
676 	struct uath_cmd *cmd;
677 	int error;
678 
679 	UATH_ASSERT_LOCKED(sc);
680 
681 	/* grab a xfer */
682 	cmd = uath_get_cmdbuf(sc);
683 	if (cmd == NULL) {
684 		device_printf(sc->sc_dev, "%s: empty inactive queue\n",
685 		    __func__);
686 		return (ENOBUFS);
687 	}
688 	cmd->flags = flags;
689 	/* always bulk-out a multiple of 4 bytes */
690 	cmd->buflen = roundup2(sizeof(struct uath_cmd_hdr) + ilen, 4);
691 
692 	hdr = (struct uath_cmd_hdr *)cmd->buf;
693 	memset(hdr, 0, sizeof(struct uath_cmd_hdr));
694 	hdr->len   = htobe32(cmd->buflen);
695 	hdr->code  = htobe32(code);
696 	hdr->msgid = cmd->msgid;	/* don't care about endianness */
697 	hdr->magic = htobe32((cmd->flags & UATH_CMD_FLAG_MAGIC) ? 1 << 24 : 0);
698 	memcpy((uint8_t *)(hdr + 1), idata, ilen);
699 
700 #ifdef UATH_DEBUG
701 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
702 		printf("%s: send  %s [flags 0x%x] olen %d\n",
703 		    __func__, uath_codename(code), cmd->flags, olen);
704 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
705 			uath_dump_cmd(cmd->buf, cmd->buflen, '+');
706 	}
707 #endif
708 	cmd->odata = odata;
709 	KASSERT(odata == NULL ||
710 	    olen < UATH_MAX_CMDSZ - sizeof(*hdr) + sizeof(uint32_t),
711 	    ("odata %p olen %u", odata, olen));
712 	cmd->olen = olen;
713 
714 	STAILQ_INSERT_TAIL(&sc->sc_cmd_pending, cmd, next);
715 	UATH_STAT_INC(sc, st_cmd_pending);
716 	usbd_transfer_start(sc->sc_xfer[UATH_INTR_TX]);
717 
718 	if (cmd->flags & UATH_CMD_FLAG_READ) {
719 		usbd_transfer_start(sc->sc_xfer[UATH_INTR_RX]);
720 
721 		/* wait at most two seconds for command reply */
722 		error = mtx_sleep(cmd, &sc->sc_mtx, 0, "uathcmd", 2 * hz);
723 		cmd->odata = NULL;	/* in case reply comes too late */
724 		if (error != 0) {
725 			device_printf(sc->sc_dev, "timeout waiting for reply "
726 			    "to cmd 0x%x (%u)\n", code, code);
727 		} else if (cmd->olen != olen) {
728 			device_printf(sc->sc_dev, "unexpected reply data count "
729 			    "to cmd 0x%x (%u), got %u, expected %u\n",
730 			    code, code, cmd->olen, olen);
731 			error = EINVAL;
732 		}
733 		return (error);
734 	}
735 	return (0);
736 }
737 
738 static int
739 uath_cmd_read(struct uath_softc *sc, uint32_t code, const void *idata,
740     int ilen, void *odata, int olen, int flags)
741 {
742 
743 	flags |= UATH_CMD_FLAG_READ;
744 	return uath_cmdsend(sc, code, idata, ilen, odata, olen, flags);
745 }
746 
747 static int
748 uath_cmd_write(struct uath_softc *sc, uint32_t code, const void *data, int len,
749     int flags)
750 {
751 
752 	flags &= ~UATH_CMD_FLAG_READ;
753 	return uath_cmdsend(sc, code, data, len, NULL, 0, flags);
754 }
755 
756 static struct uath_cmd *
757 uath_get_cmdbuf(struct uath_softc *sc)
758 {
759 	struct uath_cmd *uc;
760 
761 	UATH_ASSERT_LOCKED(sc);
762 
763 	uc = STAILQ_FIRST(&sc->sc_cmd_inactive);
764 	if (uc != NULL) {
765 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_inactive, next);
766 		UATH_STAT_DEC(sc, st_cmd_inactive);
767 	} else
768 		uc = NULL;
769 	if (uc == NULL)
770 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
771 		    "out of command xmit buffers");
772 	return (uc);
773 }
774 
775 /*
776  * This function is called periodically (every second) when associated to
777  * query device statistics.
778  */
779 static void
780 uath_stat(void *arg)
781 {
782 	struct uath_softc *sc = arg;
783 	int error;
784 
785 	UATH_LOCK(sc);
786 	/*
787 	 * Send request for statistics asynchronously. The timer will be
788 	 * restarted when we'll get the stats notification.
789 	 */
790 	error = uath_cmd_write(sc, WDCMSG_TARGET_GET_STATS, NULL, 0,
791 	    UATH_CMD_FLAG_ASYNC);
792 	if (error != 0) {
793 		device_printf(sc->sc_dev,
794 		    "could not query stats, error %d\n", error);
795 	}
796 	UATH_UNLOCK(sc);
797 }
798 
799 static int
800 uath_get_capability(struct uath_softc *sc, uint32_t cap, uint32_t *val)
801 {
802 	int error;
803 
804 	cap = htobe32(cap);
805 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_CAPABILITY,
806 	    &cap, sizeof cap, val, sizeof(uint32_t), UATH_CMD_FLAG_MAGIC);
807 	if (error != 0) {
808 		device_printf(sc->sc_dev, "could not read capability %u\n",
809 		    be32toh(cap));
810 		return (error);
811 	}
812 	*val = be32toh(*val);
813 	return (error);
814 }
815 
816 static int
817 uath_get_devcap(struct uath_softc *sc)
818 {
819 #define	GETCAP(x, v) do {				\
820 	error = uath_get_capability(sc, x, &v);		\
821 	if (error != 0)					\
822 		return (error);				\
823 	DPRINTF(sc, UATH_DEBUG_DEVCAP,			\
824 	    "%s: %s=0x%08x\n", __func__, #x, v);	\
825 } while (0)
826 	struct uath_devcap *cap = &sc->sc_devcap;
827 	int error;
828 
829 	/* collect device capabilities */
830 	GETCAP(CAP_TARGET_VERSION, cap->targetVersion);
831 	GETCAP(CAP_TARGET_REVISION, cap->targetRevision);
832 	GETCAP(CAP_MAC_VERSION, cap->macVersion);
833 	GETCAP(CAP_MAC_REVISION, cap->macRevision);
834 	GETCAP(CAP_PHY_REVISION, cap->phyRevision);
835 	GETCAP(CAP_ANALOG_5GHz_REVISION, cap->analog5GhzRevision);
836 	GETCAP(CAP_ANALOG_2GHz_REVISION, cap->analog2GhzRevision);
837 
838 	GETCAP(CAP_REG_DOMAIN, cap->regDomain);
839 	GETCAP(CAP_REG_CAP_BITS, cap->regCapBits);
840 #if 0
841 	/* NB: not supported in rev 1.5 */
842 	GETCAP(CAP_COUNTRY_CODE, cap->countryCode);
843 #endif
844 	GETCAP(CAP_WIRELESS_MODES, cap->wirelessModes);
845 	GETCAP(CAP_CHAN_SPREAD_SUPPORT, cap->chanSpreadSupport);
846 	GETCAP(CAP_COMPRESS_SUPPORT, cap->compressSupport);
847 	GETCAP(CAP_BURST_SUPPORT, cap->burstSupport);
848 	GETCAP(CAP_FAST_FRAMES_SUPPORT, cap->fastFramesSupport);
849 	GETCAP(CAP_CHAP_TUNING_SUPPORT, cap->chapTuningSupport);
850 	GETCAP(CAP_TURBOG_SUPPORT, cap->turboGSupport);
851 	GETCAP(CAP_TURBO_PRIME_SUPPORT, cap->turboPrimeSupport);
852 	GETCAP(CAP_DEVICE_TYPE, cap->deviceType);
853 	GETCAP(CAP_WME_SUPPORT, cap->wmeSupport);
854 	GETCAP(CAP_TOTAL_QUEUES, cap->numTxQueues);
855 	GETCAP(CAP_CONNECTION_ID_MAX, cap->connectionIdMax);
856 
857 	GETCAP(CAP_LOW_5GHZ_CHAN, cap->low5GhzChan);
858 	GETCAP(CAP_HIGH_5GHZ_CHAN, cap->high5GhzChan);
859 	GETCAP(CAP_LOW_2GHZ_CHAN, cap->low2GhzChan);
860 	GETCAP(CAP_HIGH_2GHZ_CHAN, cap->high2GhzChan);
861 	GETCAP(CAP_TWICE_ANTENNAGAIN_5G, cap->twiceAntennaGain5G);
862 	GETCAP(CAP_TWICE_ANTENNAGAIN_2G, cap->twiceAntennaGain2G);
863 
864 	GETCAP(CAP_CIPHER_AES_CCM, cap->supportCipherAES_CCM);
865 	GETCAP(CAP_CIPHER_TKIP, cap->supportCipherTKIP);
866 	GETCAP(CAP_MIC_TKIP, cap->supportMicTKIP);
867 
868 	cap->supportCipherWEP = 1;	/* NB: always available */
869 
870 	return (0);
871 }
872 
873 static int
874 uath_get_devstatus(struct uath_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
875 {
876 	int error;
877 
878 	/* retrieve MAC address */
879 	error = uath_get_status(sc, ST_MAC_ADDR, macaddr, IEEE80211_ADDR_LEN);
880 	if (error != 0) {
881 		device_printf(sc->sc_dev, "could not read MAC address\n");
882 		return (error);
883 	}
884 
885 	error = uath_get_status(sc, ST_SERIAL_NUMBER,
886 	    &sc->sc_serial[0], sizeof(sc->sc_serial));
887 	if (error != 0) {
888 		device_printf(sc->sc_dev,
889 		    "could not read device serial number\n");
890 		return (error);
891 	}
892 	return (0);
893 }
894 
895 static int
896 uath_get_status(struct uath_softc *sc, uint32_t which, void *odata, int olen)
897 {
898 	int error;
899 
900 	which = htobe32(which);
901 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_STATUS,
902 	    &which, sizeof(which), odata, olen, UATH_CMD_FLAG_MAGIC);
903 	if (error != 0)
904 		device_printf(sc->sc_dev,
905 		    "could not read EEPROM offset 0x%02x\n", be32toh(which));
906 	return (error);
907 }
908 
909 static void
910 uath_free_data_list(struct uath_softc *sc, struct uath_data data[], int ndata,
911     int fillmbuf)
912 {
913 	int i;
914 
915 	for (i = 0; i < ndata; i++) {
916 		struct uath_data *dp = &data[i];
917 
918 		if (fillmbuf == 1) {
919 			if (dp->m != NULL) {
920 				m_freem(dp->m);
921 				dp->m = NULL;
922 				dp->buf = NULL;
923 			}
924 		} else {
925 			dp->buf = NULL;
926 		}
927 		if (dp->ni != NULL) {
928 			ieee80211_free_node(dp->ni);
929 			dp->ni = NULL;
930 		}
931 	}
932 }
933 
934 static int
935 uath_alloc_data_list(struct uath_softc *sc, struct uath_data data[],
936     int ndata, int maxsz, void *dma_buf)
937 {
938 	int i, error;
939 
940 	for (i = 0; i < ndata; i++) {
941 		struct uath_data *dp = &data[i];
942 
943 		dp->sc = sc;
944 		if (dma_buf == NULL) {
945 			/* XXX check maxsz */
946 			dp->m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
947 			if (dp->m == NULL) {
948 				device_printf(sc->sc_dev,
949 				    "could not allocate rx mbuf\n");
950 				error = ENOMEM;
951 				goto fail;
952 			}
953 			dp->buf = mtod(dp->m, uint8_t *);
954 		} else {
955 			dp->m = NULL;
956 			dp->buf = ((uint8_t *)dma_buf) + (i * maxsz);
957 		}
958 		dp->ni = NULL;
959 	}
960 
961 	return (0);
962 
963 fail:	uath_free_data_list(sc, data, ndata, 1 /* free mbufs */);
964 	return (error);
965 }
966 
967 static int
968 uath_alloc_rx_data_list(struct uath_softc *sc)
969 {
970 	int error, i;
971 
972 	/* XXX is it enough to store the RX packet with MCLBYTES bytes?  */
973 	error = uath_alloc_data_list(sc,
974 	    sc->sc_rx, UATH_RX_DATA_LIST_COUNT, MCLBYTES,
975 	    NULL /* setup mbufs */);
976 	if (error != 0)
977 		return (error);
978 
979 	STAILQ_INIT(&sc->sc_rx_active);
980 	STAILQ_INIT(&sc->sc_rx_inactive);
981 
982 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
983 		STAILQ_INSERT_HEAD(&sc->sc_rx_inactive, &sc->sc_rx[i],
984 		    next);
985 		UATH_STAT_INC(sc, st_rx_inactive);
986 	}
987 
988 	return (0);
989 }
990 
991 static int
992 uath_alloc_tx_data_list(struct uath_softc *sc)
993 {
994 	int error, i;
995 
996 	error = uath_alloc_data_list(sc,
997 	    sc->sc_tx, UATH_TX_DATA_LIST_COUNT, UATH_MAX_TXBUFSZ,
998 	    sc->sc_tx_dma_buf);
999 	if (error != 0)
1000 		return (error);
1001 
1002 	STAILQ_INIT(&sc->sc_tx_active);
1003 	STAILQ_INIT(&sc->sc_tx_inactive);
1004 	STAILQ_INIT(&sc->sc_tx_pending);
1005 
1006 	for (i = 0; i < UATH_TX_DATA_LIST_COUNT; i++) {
1007 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, &sc->sc_tx[i],
1008 		    next);
1009 		UATH_STAT_INC(sc, st_tx_inactive);
1010 	}
1011 
1012 	return (0);
1013 }
1014 
1015 static void
1016 uath_free_rx_data_list(struct uath_softc *sc)
1017 {
1018 	uath_free_data_list(sc, sc->sc_rx, UATH_RX_DATA_LIST_COUNT,
1019 	    1 /* free mbufs */);
1020 }
1021 
1022 static void
1023 uath_free_tx_data_list(struct uath_softc *sc)
1024 {
1025 	uath_free_data_list(sc, sc->sc_tx, UATH_TX_DATA_LIST_COUNT,
1026 	    0 /* no mbufs */);
1027 }
1028 
1029 static struct ieee80211vap *
1030 uath_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
1031     enum ieee80211_opmode opmode, int flags,
1032     const uint8_t bssid[IEEE80211_ADDR_LEN],
1033     const uint8_t mac[IEEE80211_ADDR_LEN])
1034 {
1035 	struct uath_vap *uvp;
1036 	struct ieee80211vap *vap;
1037 
1038 	if (!TAILQ_EMPTY(&ic->ic_vaps))		/* only one at a time */
1039 		return (NULL);
1040 	uvp =  malloc(sizeof(struct uath_vap), M_80211_VAP, M_WAITOK | M_ZERO);
1041 	vap = &uvp->vap;
1042 	/* enable s/w bmiss handling for sta mode */
1043 
1044 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode,
1045 	    flags | IEEE80211_CLONE_NOBEACONS, bssid) != 0) {
1046 		/* out of memory */
1047 		free(uvp, M_80211_VAP);
1048 		return (NULL);
1049 	}
1050 
1051 	/* override state transition machine */
1052 	uvp->newstate = vap->iv_newstate;
1053 	vap->iv_newstate = uath_newstate;
1054 
1055 	/* complete setup */
1056 	ieee80211_vap_attach(vap, ieee80211_media_change,
1057 	    ieee80211_media_status, mac);
1058 	ic->ic_opmode = opmode;
1059 	return (vap);
1060 }
1061 
1062 static void
1063 uath_vap_delete(struct ieee80211vap *vap)
1064 {
1065 	struct uath_vap *uvp = UATH_VAP(vap);
1066 
1067 	ieee80211_vap_detach(vap);
1068 	free(uvp, M_80211_VAP);
1069 }
1070 
1071 static int
1072 uath_init(struct uath_softc *sc)
1073 {
1074 	struct ieee80211com *ic = &sc->sc_ic;
1075 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1076 	uint32_t val;
1077 	int error;
1078 
1079 	UATH_ASSERT_LOCKED(sc);
1080 
1081 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1082 		uath_stop(sc);
1083 
1084 	/* reset variables */
1085 	sc->sc_intrx_nextnum = sc->sc_msgid = 0;
1086 
1087 	val = htobe32(0);
1088 	uath_cmd_write(sc, WDCMSG_BIND, &val, sizeof val, 0);
1089 
1090 	/* set MAC address */
1091 	uath_config_multi(sc, CFG_MAC_ADDR,
1092 	    vap ? vap->iv_myaddr : ic->ic_macaddr, IEEE80211_ADDR_LEN);
1093 
1094 	/* XXX honor net80211 state */
1095 	uath_config(sc, CFG_RATE_CONTROL_ENABLE, 0x00000001);
1096 	uath_config(sc, CFG_DIVERSITY_CTL, 0x00000001);
1097 	uath_config(sc, CFG_ABOLT, 0x0000003f);
1098 	uath_config(sc, CFG_WME_ENABLED, 0x00000001);
1099 
1100 	uath_config(sc, CFG_SERVICE_TYPE, 1);
1101 	uath_config(sc, CFG_TP_SCALE, 0x00000000);
1102 	uath_config(sc, CFG_TPC_HALF_DBM5, 0x0000003c);
1103 	uath_config(sc, CFG_TPC_HALF_DBM2, 0x0000003c);
1104 	uath_config(sc, CFG_OVERRD_TX_POWER, 0x00000000);
1105 	uath_config(sc, CFG_GMODE_PROTECTION, 0x00000000);
1106 	uath_config(sc, CFG_GMODE_PROTECT_RATE_INDEX, 0x00000003);
1107 	uath_config(sc, CFG_PROTECTION_TYPE, 0x00000000);
1108 	uath_config(sc, CFG_MODE_CTS, 0x00000002);
1109 
1110 	error = uath_cmd_read(sc, WDCMSG_TARGET_START, NULL, 0,
1111 	    &val, sizeof(val), UATH_CMD_FLAG_MAGIC);
1112 	if (error) {
1113 		device_printf(sc->sc_dev,
1114 		    "could not start target, error %d\n", error);
1115 		goto fail;
1116 	}
1117 	DPRINTF(sc, UATH_DEBUG_INIT, "%s returns handle: 0x%x\n",
1118 	    uath_codename(WDCMSG_TARGET_START), be32toh(val));
1119 
1120 	/* set default channel */
1121 	error = uath_switch_channel(sc, ic->ic_curchan);
1122 	if (error) {
1123 		device_printf(sc->sc_dev,
1124 		    "could not switch channel, error %d\n", error);
1125 		goto fail;
1126 	}
1127 
1128 	val = htobe32(TARGET_DEVICE_AWAKE);
1129 	uath_cmd_write(sc, WDCMSG_SET_PWR_MODE, &val, sizeof val, 0);
1130 	/* XXX? check */
1131 	uath_cmd_write(sc, WDCMSG_RESET_KEY_CACHE, NULL, 0, 0);
1132 
1133 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_RX]);
1134 	/* enable Rx */
1135 	uath_set_rxfilter(sc, 0x0, UATH_FILTER_OP_INIT);
1136 	uath_set_rxfilter(sc,
1137 	    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1138 	    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON,
1139 	    UATH_FILTER_OP_SET);
1140 
1141 	sc->sc_flags |= UATH_FLAG_INITDONE;
1142 
1143 	callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1144 
1145 	return (0);
1146 
1147 fail:
1148 	uath_stop(sc);
1149 	return (error);
1150 }
1151 
1152 static void
1153 uath_stop(struct uath_softc *sc)
1154 {
1155 
1156 	UATH_ASSERT_LOCKED(sc);
1157 
1158 	sc->sc_flags &= ~UATH_FLAG_INITDONE;
1159 
1160 	callout_stop(&sc->stat_ch);
1161 	callout_stop(&sc->watchdog_ch);
1162 	sc->sc_tx_timer = 0;
1163 	/* abort pending transmits  */
1164 	uath_abort_xfers(sc);
1165 	/* flush data & control requests into the target  */
1166 	(void)uath_flush(sc);
1167 	/* set a LED status to the disconnected.  */
1168 	uath_set_ledstate(sc, 0);
1169 	/* stop the target  */
1170 	uath_cmd_write(sc, WDCMSG_TARGET_STOP, NULL, 0, 0);
1171 }
1172 
1173 static int
1174 uath_config(struct uath_softc *sc, uint32_t reg, uint32_t val)
1175 {
1176 	struct uath_write_mac write;
1177 	int error;
1178 
1179 	write.reg = htobe32(reg);
1180 	write.len = htobe32(0);	/* 0 = single write */
1181 	*(uint32_t *)write.data = htobe32(val);
1182 
1183 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1184 	    3 * sizeof (uint32_t), 0);
1185 	if (error != 0) {
1186 		device_printf(sc->sc_dev, "could not write register 0x%02x\n",
1187 		    reg);
1188 	}
1189 	return (error);
1190 }
1191 
1192 static int
1193 uath_config_multi(struct uath_softc *sc, uint32_t reg, const void *data,
1194     int len)
1195 {
1196 	struct uath_write_mac write;
1197 	int error;
1198 
1199 	write.reg = htobe32(reg);
1200 	write.len = htobe32(len);
1201 	bcopy(data, write.data, len);
1202 
1203 	/* properly handle the case where len is zero (reset) */
1204 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1205 	    (len == 0) ? sizeof (uint32_t) : 2 * sizeof (uint32_t) + len, 0);
1206 	if (error != 0) {
1207 		device_printf(sc->sc_dev,
1208 		    "could not write %d bytes to register 0x%02x\n", len, reg);
1209 	}
1210 	return (error);
1211 }
1212 
1213 static int
1214 uath_switch_channel(struct uath_softc *sc, struct ieee80211_channel *c)
1215 {
1216 	int error;
1217 
1218 	UATH_ASSERT_LOCKED(sc);
1219 
1220 	/* set radio frequency */
1221 	error = uath_set_chan(sc, c);
1222 	if (error) {
1223 		device_printf(sc->sc_dev,
1224 		    "could not set channel, error %d\n", error);
1225 		goto failed;
1226 	}
1227 	/* reset Tx rings */
1228 	error = uath_reset_tx_queues(sc);
1229 	if (error) {
1230 		device_printf(sc->sc_dev,
1231 		    "could not reset Tx queues, error %d\n", error);
1232 		goto failed;
1233 	}
1234 	/* set Tx rings WME properties */
1235 	error = uath_wme_init(sc);
1236 	if (error) {
1237 		device_printf(sc->sc_dev,
1238 		    "could not init Tx queues, error %d\n", error);
1239 		goto failed;
1240 	}
1241 	error = uath_set_ledstate(sc, 0);
1242 	if (error) {
1243 		device_printf(sc->sc_dev,
1244 		    "could not set led state, error %d\n", error);
1245 		goto failed;
1246 	}
1247 	error = uath_flush(sc);
1248 	if (error) {
1249 		device_printf(sc->sc_dev,
1250 		    "could not flush pipes, error %d\n", error);
1251 		goto failed;
1252 	}
1253 failed:
1254 	return (error);
1255 }
1256 
1257 static int
1258 uath_set_rxfilter(struct uath_softc *sc, uint32_t bits, uint32_t op)
1259 {
1260 	struct uath_cmd_rx_filter rxfilter;
1261 
1262 	rxfilter.bits = htobe32(bits);
1263 	rxfilter.op = htobe32(op);
1264 
1265 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
1266 	    "setting Rx filter=0x%x flags=0x%x\n", bits, op);
1267 	return uath_cmd_write(sc, WDCMSG_RX_FILTER, &rxfilter,
1268 	    sizeof rxfilter, 0);
1269 }
1270 
1271 static void
1272 uath_watchdog(void *arg)
1273 {
1274 	struct uath_softc *sc = arg;
1275 	struct ieee80211com *ic = &sc->sc_ic;
1276 
1277 	if (sc->sc_tx_timer > 0) {
1278 		if (--sc->sc_tx_timer == 0) {
1279 			device_printf(sc->sc_dev, "device timeout\n");
1280 			/*uath_init(sc); XXX needs a process context! */
1281 			counter_u64_add(ic->ic_oerrors, 1);
1282 			return;
1283 		}
1284 		callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1285 	}
1286 }
1287 
1288 static void
1289 uath_abort_xfers(struct uath_softc *sc)
1290 {
1291 	int i;
1292 
1293 	UATH_ASSERT_LOCKED(sc);
1294 	/* abort any pending transfers */
1295 	for (i = 0; i < UATH_N_XFERS; i++)
1296 		usbd_transfer_stop(sc->sc_xfer[i]);
1297 }
1298 
1299 static int
1300 uath_flush(struct uath_softc *sc)
1301 {
1302 	int error;
1303 
1304 	error = uath_dataflush(sc);
1305 	if (error != 0)
1306 		goto failed;
1307 
1308 	error = uath_cmdflush(sc);
1309 	if (error != 0)
1310 		goto failed;
1311 
1312 failed:
1313 	return (error);
1314 }
1315 
1316 static int
1317 uath_cmdflush(struct uath_softc *sc)
1318 {
1319 
1320 	return uath_cmd_write(sc, WDCMSG_FLUSH, NULL, 0, 0);
1321 }
1322 
1323 static int
1324 uath_dataflush(struct uath_softc *sc)
1325 {
1326 	struct uath_data *data;
1327 	struct uath_chunk *chunk;
1328 	struct uath_tx_desc *desc;
1329 
1330 	UATH_ASSERT_LOCKED(sc);
1331 
1332 	data = uath_getbuf(sc);
1333 	if (data == NULL)
1334 		return (ENOBUFS);
1335 	data->buflen = sizeof(struct uath_chunk) + sizeof(struct uath_tx_desc);
1336 	data->m = NULL;
1337 	data->ni = NULL;
1338 	chunk = (struct uath_chunk *)data->buf;
1339 	desc = (struct uath_tx_desc *)(chunk + 1);
1340 
1341 	/* one chunk only */
1342 	chunk->seqnum = 0;
1343 	chunk->flags = UATH_CFLAGS_FINAL;
1344 	chunk->length = htobe16(sizeof (struct uath_tx_desc));
1345 
1346 	memset(desc, 0, sizeof(struct uath_tx_desc));
1347 	desc->msglen = htobe32(sizeof(struct uath_tx_desc));
1348 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1349 	desc->type   = htobe32(WDCMSG_FLUSH);
1350 	desc->txqid  = htobe32(0);
1351 	desc->connid = htobe32(0);
1352 	desc->flags  = htobe32(0);
1353 
1354 #ifdef UATH_DEBUG
1355 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
1356 		DPRINTF(sc, UATH_DEBUG_RESET, "send flush ix %d\n",
1357 		    desc->msgid);
1358 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
1359 			uath_dump_cmd(data->buf, data->buflen, '+');
1360 	}
1361 #endif
1362 
1363 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1364 	UATH_STAT_INC(sc, st_tx_pending);
1365 	sc->sc_tx_timer = 5;
1366 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1367 
1368 	return (0);
1369 }
1370 
1371 static struct uath_data *
1372 _uath_getbuf(struct uath_softc *sc)
1373 {
1374 	struct uath_data *bf;
1375 
1376 	bf = STAILQ_FIRST(&sc->sc_tx_inactive);
1377 	if (bf != NULL) {
1378 		STAILQ_REMOVE_HEAD(&sc->sc_tx_inactive, next);
1379 		UATH_STAT_DEC(sc, st_tx_inactive);
1380 	} else
1381 		bf = NULL;
1382 	if (bf == NULL)
1383 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
1384 		    "out of xmit buffers");
1385 	return (bf);
1386 }
1387 
1388 static struct uath_data *
1389 uath_getbuf(struct uath_softc *sc)
1390 {
1391 	struct uath_data *bf;
1392 
1393 	UATH_ASSERT_LOCKED(sc);
1394 
1395 	bf = _uath_getbuf(sc);
1396 	if (bf == NULL)
1397 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: stop queue\n", __func__);
1398 	return (bf);
1399 }
1400 
1401 static int
1402 uath_set_ledstate(struct uath_softc *sc, int connected)
1403 {
1404 
1405 	DPRINTF(sc, UATH_DEBUG_LED,
1406 	    "set led state %sconnected\n", connected ? "" : "!");
1407 	connected = htobe32(connected);
1408 	return uath_cmd_write(sc, WDCMSG_SET_LED_STATE,
1409 	     &connected, sizeof connected, 0);
1410 }
1411 
1412 static int
1413 uath_set_chan(struct uath_softc *sc, struct ieee80211_channel *c)
1414 {
1415 #ifdef UATH_DEBUG
1416 	struct ieee80211com *ic = &sc->sc_ic;
1417 #endif
1418 	struct uath_cmd_reset reset;
1419 
1420 	memset(&reset, 0, sizeof(reset));
1421 	if (IEEE80211_IS_CHAN_2GHZ(c))
1422 		reset.flags |= htobe32(UATH_CHAN_2GHZ);
1423 	if (IEEE80211_IS_CHAN_5GHZ(c))
1424 		reset.flags |= htobe32(UATH_CHAN_5GHZ);
1425 	/* NB: 11g =>'s 11b so don't specify both OFDM and CCK */
1426 	if (IEEE80211_IS_CHAN_OFDM(c))
1427 		reset.flags |= htobe32(UATH_CHAN_OFDM);
1428 	else if (IEEE80211_IS_CHAN_CCK(c))
1429 		reset.flags |= htobe32(UATH_CHAN_CCK);
1430 	/* turbo can be used in either 2GHz or 5GHz */
1431 	if (c->ic_flags & IEEE80211_CHAN_TURBO)
1432 		reset.flags |= htobe32(UATH_CHAN_TURBO);
1433 	reset.freq = htobe32(c->ic_freq);
1434 	reset.maxrdpower = htobe32(50);	/* XXX */
1435 	reset.channelchange = htobe32(1);
1436 	reset.keeprccontent = htobe32(0);
1437 
1438 	DPRINTF(sc, UATH_DEBUG_CHANNEL, "set channel %d, flags 0x%x freq %u\n",
1439 	    ieee80211_chan2ieee(ic, c),
1440 	    be32toh(reset.flags), be32toh(reset.freq));
1441 	return uath_cmd_write(sc, WDCMSG_RESET, &reset, sizeof reset, 0);
1442 }
1443 
1444 static int
1445 uath_reset_tx_queues(struct uath_softc *sc)
1446 {
1447 	int ac, error;
1448 
1449 	DPRINTF(sc, UATH_DEBUG_RESET, "%s: reset Tx queues\n", __func__);
1450 	for (ac = 0; ac < 4; ac++) {
1451 		const uint32_t qid = htobe32(ac);
1452 
1453 		error = uath_cmd_write(sc, WDCMSG_RELEASE_TX_QUEUE, &qid,
1454 		    sizeof qid, 0);
1455 		if (error != 0)
1456 			break;
1457 	}
1458 	return (error);
1459 }
1460 
1461 static int
1462 uath_wme_init(struct uath_softc *sc)
1463 {
1464 	/* XXX get from net80211 */
1465 	static const struct uath_wme_settings uath_wme_11g[4] = {
1466 		{ 7, 4, 10,  0, 0 },	/* Background */
1467 		{ 3, 4, 10,  0, 0 },	/* Best-Effort */
1468 		{ 3, 3,  4, 26, 0 },	/* Video */
1469 		{ 2, 2,  3, 47, 0 }	/* Voice */
1470 	};
1471 	struct uath_cmd_txq_setup qinfo;
1472 	int ac, error;
1473 
1474 	DPRINTF(sc, UATH_DEBUG_WME, "%s: setup Tx queues\n", __func__);
1475 	for (ac = 0; ac < 4; ac++) {
1476 		qinfo.qid		= htobe32(ac);
1477 		qinfo.len		= htobe32(sizeof(qinfo.attr));
1478 		qinfo.attr.priority	= htobe32(ac);	/* XXX */
1479 		qinfo.attr.aifs		= htobe32(uath_wme_11g[ac].aifsn);
1480 		qinfo.attr.logcwmin	= htobe32(uath_wme_11g[ac].logcwmin);
1481 		qinfo.attr.logcwmax	= htobe32(uath_wme_11g[ac].logcwmax);
1482 		qinfo.attr.bursttime	= htobe32(IEEE80211_TXOP_TO_US(
1483 					    uath_wme_11g[ac].txop));
1484 		qinfo.attr.mode		= htobe32(uath_wme_11g[ac].acm);/*XXX? */
1485 		qinfo.attr.qflags	= htobe32(1);	/* XXX? */
1486 
1487 		error = uath_cmd_write(sc, WDCMSG_SETUP_TX_QUEUE, &qinfo,
1488 		    sizeof qinfo, 0);
1489 		if (error != 0)
1490 			break;
1491 	}
1492 	return (error);
1493 }
1494 
1495 static void
1496 uath_parent(struct ieee80211com *ic)
1497 {
1498 	struct uath_softc *sc = ic->ic_softc;
1499 	int startall = 0;
1500 
1501 	UATH_LOCK(sc);
1502 	if (sc->sc_flags & UATH_FLAG_INVALID) {
1503 		UATH_UNLOCK(sc);
1504 		return;
1505 	}
1506 
1507 	if (ic->ic_nrunning > 0) {
1508 		if (!(sc->sc_flags & UATH_FLAG_INITDONE)) {
1509 			uath_init(sc);
1510 			startall = 1;
1511 		}
1512 	} else if (sc->sc_flags & UATH_FLAG_INITDONE)
1513 		uath_stop(sc);
1514 	UATH_UNLOCK(sc);
1515 	if (startall)
1516 		ieee80211_start_all(ic);
1517 }
1518 
1519 static int
1520 uath_tx_start(struct uath_softc *sc, struct mbuf *m0, struct ieee80211_node *ni,
1521     struct uath_data *data)
1522 {
1523 	struct ieee80211vap *vap = ni->ni_vap;
1524 	struct uath_chunk *chunk;
1525 	struct uath_tx_desc *desc;
1526 	const struct ieee80211_frame *wh;
1527 	struct ieee80211_key *k;
1528 	int framelen, msglen;
1529 
1530 	UATH_ASSERT_LOCKED(sc);
1531 
1532 	data->ni = ni;
1533 	data->m = m0;
1534 	chunk = (struct uath_chunk *)data->buf;
1535 	desc = (struct uath_tx_desc *)(chunk + 1);
1536 
1537 	if (ieee80211_radiotap_active_vap(vap)) {
1538 		struct uath_tx_radiotap_header *tap = &sc->sc_txtap;
1539 
1540 		tap->wt_flags = 0;
1541 		if (m0->m_flags & M_FRAG)
1542 			tap->wt_flags |= IEEE80211_RADIOTAP_F_FRAG;
1543 
1544 		ieee80211_radiotap_tx(vap, m0);
1545 	}
1546 
1547 	wh = mtod(m0, struct ieee80211_frame *);
1548 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
1549 		k = ieee80211_crypto_encap(ni, m0);
1550 		if (k == NULL) {
1551 			m_freem(m0);
1552 			return (ENOBUFS);
1553 		}
1554 
1555 		/* packet header may have moved, reset our local pointer */
1556 		wh = mtod(m0, struct ieee80211_frame *);
1557 	}
1558 	m_copydata(m0, 0, m0->m_pkthdr.len, (uint8_t *)(desc + 1));
1559 
1560 	framelen = m0->m_pkthdr.len + IEEE80211_CRC_LEN;
1561 	msglen = framelen + sizeof (struct uath_tx_desc);
1562 	data->buflen = msglen + sizeof (struct uath_chunk);
1563 
1564 	/* one chunk only for now */
1565 	chunk->seqnum = sc->sc_seqnum++;
1566 	chunk->flags = (m0->m_flags & M_FRAG) ? 0 : UATH_CFLAGS_FINAL;
1567 	if (m0->m_flags & M_LASTFRAG)
1568 		chunk->flags |= UATH_CFLAGS_FINAL;
1569 	chunk->flags = UATH_CFLAGS_FINAL;
1570 	chunk->length = htobe16(msglen);
1571 
1572 	/* fill Tx descriptor */
1573 	desc->msglen = htobe32(msglen);
1574 	/* NB: to get UATH_TX_NOTIFY reply, `msgid' must be larger than 0  */
1575 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1576 	desc->type   = htobe32(WDCMSG_SEND);
1577 	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
1578 	case IEEE80211_FC0_TYPE_CTL:
1579 	case IEEE80211_FC0_TYPE_MGT:
1580 		/* NB: force all management frames to highest queue */
1581 		if (ni->ni_flags & IEEE80211_NODE_QOS) {
1582 			/* NB: force all management frames to highest queue */
1583 			desc->txqid = htobe32(WME_AC_VO | UATH_TXQID_MINRATE);
1584 		} else
1585 			desc->txqid = htobe32(WME_AC_BE | UATH_TXQID_MINRATE);
1586 		break;
1587 	case IEEE80211_FC0_TYPE_DATA:
1588 		/* XXX multicast frames should honor mcastrate */
1589 		desc->txqid = htobe32(M_WME_GETAC(m0));
1590 		break;
1591 	default:
1592 		device_printf(sc->sc_dev, "bogus frame type 0x%x (%s)\n",
1593 			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
1594 		m_freem(m0);
1595 		return (EIO);
1596 	}
1597 	if (vap->iv_state == IEEE80211_S_AUTH ||
1598 	    vap->iv_state == IEEE80211_S_ASSOC ||
1599 	    vap->iv_state == IEEE80211_S_RUN)
1600 		desc->connid = htobe32(UATH_ID_BSS);
1601 	else
1602 		desc->connid = htobe32(UATH_ID_INVALID);
1603 	desc->flags  = htobe32(0 /* no UATH_TX_NOTIFY */);
1604 	desc->buflen = htobe32(m0->m_pkthdr.len);
1605 
1606 #ifdef UATH_DEBUG
1607 	DPRINTF(sc, UATH_DEBUG_XMIT,
1608 	    "send frame ix %u framelen %d msglen %d connid 0x%x txqid 0x%x\n",
1609 	    desc->msgid, framelen, msglen, be32toh(desc->connid),
1610 	    be32toh(desc->txqid));
1611 	if (sc->sc_debug & UATH_DEBUG_XMIT_DUMP)
1612 		uath_dump_cmd(data->buf, data->buflen, '+');
1613 #endif
1614 
1615 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1616 	UATH_STAT_INC(sc, st_tx_pending);
1617 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1618 
1619 	return (0);
1620 }
1621 
1622 /*
1623  * Cleanup driver resources when we run out of buffers while processing
1624  * fragments; return the tx buffers allocated and drop node references.
1625  */
1626 static void
1627 uath_txfrag_cleanup(struct uath_softc *sc,
1628     uath_datahead *frags, struct ieee80211_node *ni)
1629 {
1630 	struct uath_data *bf, *next;
1631 
1632 	UATH_ASSERT_LOCKED(sc);
1633 
1634 	STAILQ_FOREACH_SAFE(bf, frags, next, next) {
1635 		/* NB: bf assumed clean */
1636 		STAILQ_REMOVE_HEAD(frags, next);
1637 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1638 		UATH_STAT_INC(sc, st_tx_inactive);
1639 		ieee80211_node_decref(ni);
1640 	}
1641 }
1642 
1643 /*
1644  * Setup xmit of a fragmented frame.  Allocate a buffer for each frag and bump
1645  * the node reference count to reflect the held reference to be setup by
1646  * uath_tx_start.
1647  */
1648 static int
1649 uath_txfrag_setup(struct uath_softc *sc, uath_datahead *frags,
1650     struct mbuf *m0, struct ieee80211_node *ni)
1651 {
1652 	struct mbuf *m;
1653 	struct uath_data *bf;
1654 
1655 	UATH_ASSERT_LOCKED(sc);
1656 	for (m = m0->m_nextpkt; m != NULL; m = m->m_nextpkt) {
1657 		bf = uath_getbuf(sc);
1658 		if (bf == NULL) {       /* out of buffers, cleanup */
1659 			uath_txfrag_cleanup(sc, frags, ni);
1660 			break;
1661 		}
1662 		ieee80211_node_incref(ni);
1663 		STAILQ_INSERT_TAIL(frags, bf, next);
1664 	}
1665 
1666 	return !STAILQ_EMPTY(frags);
1667 }
1668 
1669 static int
1670 uath_transmit(struct ieee80211com *ic, struct mbuf *m)
1671 {
1672 	struct uath_softc *sc = ic->ic_softc;
1673 	int error;
1674 
1675 	UATH_LOCK(sc);
1676 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1677 		UATH_UNLOCK(sc);
1678 		return (ENXIO);
1679 	}
1680 	error = mbufq_enqueue(&sc->sc_snd, m);
1681 	if (error) {
1682 		UATH_UNLOCK(sc);
1683 		return (error);
1684 	}
1685 	uath_start(sc);
1686 	UATH_UNLOCK(sc);
1687 
1688 	return (0);
1689 }
1690 
1691 static void
1692 uath_start(struct uath_softc *sc)
1693 {
1694 	struct uath_data *bf;
1695 	struct ieee80211_node *ni;
1696 	struct mbuf *m, *next;
1697 	uath_datahead frags;
1698 
1699 	UATH_ASSERT_LOCKED(sc);
1700 
1701 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0 ||
1702 	    (sc->sc_flags & UATH_FLAG_INVALID))
1703 		return;
1704 
1705 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
1706 		bf = uath_getbuf(sc);
1707 		if (bf == NULL) {
1708 			mbufq_prepend(&sc->sc_snd, m);
1709 			break;
1710 		}
1711 
1712 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
1713 		m->m_pkthdr.rcvif = NULL;
1714 
1715 		/*
1716 		 * Check for fragmentation.  If this frame has been broken up
1717 		 * verify we have enough buffers to send all the fragments
1718 		 * so all go out or none...
1719 		 */
1720 		STAILQ_INIT(&frags);
1721 		if ((m->m_flags & M_FRAG) &&
1722 		    !uath_txfrag_setup(sc, &frags, m, ni)) {
1723 			DPRINTF(sc, UATH_DEBUG_XMIT,
1724 			    "%s: out of txfrag buffers\n", __func__);
1725 			ieee80211_free_mbuf(m);
1726 			goto bad;
1727 		}
1728 		sc->sc_seqnum = 0;
1729 	nextfrag:
1730 		/*
1731 		 * Pass the frame to the h/w for transmission.
1732 		 * Fragmented frames have each frag chained together
1733 		 * with m_nextpkt.  We know there are sufficient uath_data's
1734 		 * to send all the frags because of work done by
1735 		 * uath_txfrag_setup.
1736 		 */
1737 		next = m->m_nextpkt;
1738 		if (uath_tx_start(sc, m, ni, bf) != 0) {
1739 	bad:
1740 			if_inc_counter(ni->ni_vap->iv_ifp,
1741 			    IFCOUNTER_OERRORS, 1);
1742 	reclaim:
1743 			STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1744 			UATH_STAT_INC(sc, st_tx_inactive);
1745 			uath_txfrag_cleanup(sc, &frags, ni);
1746 			ieee80211_free_node(ni);
1747 			continue;
1748 		}
1749 
1750 		if (next != NULL) {
1751 			/*
1752 			 * Beware of state changing between frags.
1753 			 XXX check sta power-save state?
1754 			*/
1755 			if (ni->ni_vap->iv_state != IEEE80211_S_RUN) {
1756 				DPRINTF(sc, UATH_DEBUG_XMIT,
1757 				    "%s: flush fragmented packet, state %s\n",
1758 				    __func__,
1759 				    ieee80211_state_name[ni->ni_vap->iv_state]);
1760 				ieee80211_free_mbuf(next);
1761 				goto reclaim;
1762 			}
1763 			m = next;
1764 			bf = STAILQ_FIRST(&frags);
1765 			KASSERT(bf != NULL, ("no buf for txfrag"));
1766 			STAILQ_REMOVE_HEAD(&frags, next);
1767 			goto nextfrag;
1768 		}
1769 
1770 		sc->sc_tx_timer = 5;
1771 	}
1772 }
1773 
1774 static int
1775 uath_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
1776     const struct ieee80211_bpf_params *params)
1777 {
1778 	struct ieee80211com *ic = ni->ni_ic;
1779 	struct uath_data *bf;
1780 	struct uath_softc *sc = ic->ic_softc;
1781 
1782 	UATH_LOCK(sc);
1783 	/* prevent management frames from being sent if we're not ready */
1784 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1785 	    !(sc->sc_flags & UATH_FLAG_INITDONE)) {
1786 		m_freem(m);
1787 		UATH_UNLOCK(sc);
1788 		return (ENETDOWN);
1789 	}
1790 
1791 	/* grab a TX buffer  */
1792 	bf = uath_getbuf(sc);
1793 	if (bf == NULL) {
1794 		m_freem(m);
1795 		UATH_UNLOCK(sc);
1796 		return (ENOBUFS);
1797 	}
1798 
1799 	sc->sc_seqnum = 0;
1800 	if (uath_tx_start(sc, m, ni, bf) != 0) {
1801 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1802 		UATH_STAT_INC(sc, st_tx_inactive);
1803 		UATH_UNLOCK(sc);
1804 		return (EIO);
1805 	}
1806 	UATH_UNLOCK(sc);
1807 
1808 	sc->sc_tx_timer = 5;
1809 	return (0);
1810 }
1811 
1812 static void
1813 uath_scan_start(struct ieee80211com *ic)
1814 {
1815 	/* do nothing  */
1816 }
1817 
1818 static void
1819 uath_scan_end(struct ieee80211com *ic)
1820 {
1821 	/* do nothing  */
1822 }
1823 
1824 static void
1825 uath_set_channel(struct ieee80211com *ic)
1826 {
1827 	struct uath_softc *sc = ic->ic_softc;
1828 
1829 	UATH_LOCK(sc);
1830 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1831 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1832 		UATH_UNLOCK(sc);
1833 		return;
1834 	}
1835 	(void)uath_switch_channel(sc, ic->ic_curchan);
1836 	UATH_UNLOCK(sc);
1837 }
1838 
1839 static int
1840 uath_set_rxmulti_filter(struct uath_softc *sc)
1841 {
1842 	/* XXX broken */
1843 	return (0);
1844 }
1845 static void
1846 uath_update_mcast(struct ieee80211com *ic)
1847 {
1848 	struct uath_softc *sc = ic->ic_softc;
1849 
1850 	UATH_LOCK(sc);
1851 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1852 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1853 		UATH_UNLOCK(sc);
1854 		return;
1855 	}
1856 	/*
1857 	 * this is for avoiding the race condition when we're try to
1858 	 * connect to the AP with WPA.
1859 	 */
1860 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1861 		(void)uath_set_rxmulti_filter(sc);
1862 	UATH_UNLOCK(sc);
1863 }
1864 
1865 static void
1866 uath_update_promisc(struct ieee80211com *ic)
1867 {
1868 	struct uath_softc *sc = ic->ic_softc;
1869 
1870 	UATH_LOCK(sc);
1871 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1872 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1873 		UATH_UNLOCK(sc);
1874 		return;
1875 	}
1876 	if (sc->sc_flags & UATH_FLAG_INITDONE) {
1877 		uath_set_rxfilter(sc,
1878 		    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1879 		    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON |
1880 		    UATH_FILTER_RX_PROM, UATH_FILTER_OP_SET);
1881 	}
1882 	UATH_UNLOCK(sc);
1883 }
1884 
1885 static int
1886 uath_create_connection(struct uath_softc *sc, uint32_t connid)
1887 {
1888 	const struct ieee80211_rateset *rs;
1889 	struct ieee80211com *ic = &sc->sc_ic;
1890 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1891 	struct ieee80211_node *ni;
1892 	struct uath_cmd_create_connection create;
1893 
1894 	ni = ieee80211_ref_node(vap->iv_bss);
1895 	memset(&create, 0, sizeof(create));
1896 	create.connid = htobe32(connid);
1897 	create.bssid = htobe32(0);
1898 	/* XXX packed or not?  */
1899 	create.size = htobe32(sizeof(struct uath_cmd_rateset));
1900 
1901 	rs = &ni->ni_rates;
1902 	create.connattr.rateset.length = rs->rs_nrates;
1903 	bcopy(rs->rs_rates, &create.connattr.rateset.set[0],
1904 	    rs->rs_nrates);
1905 
1906 	/* XXX turbo */
1907 	if (IEEE80211_IS_CHAN_A(ni->ni_chan))
1908 		create.connattr.wlanmode = htobe32(WLAN_MODE_11a);
1909 	else if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan))
1910 		create.connattr.wlanmode = htobe32(WLAN_MODE_11g);
1911 	else
1912 		create.connattr.wlanmode = htobe32(WLAN_MODE_11b);
1913 	ieee80211_free_node(ni);
1914 
1915 	return uath_cmd_write(sc, WDCMSG_CREATE_CONNECTION, &create,
1916 	    sizeof create, 0);
1917 }
1918 
1919 static int
1920 uath_set_rates(struct uath_softc *sc, const struct ieee80211_rateset *rs)
1921 {
1922 	struct uath_cmd_rates rates;
1923 
1924 	memset(&rates, 0, sizeof(rates));
1925 	rates.connid = htobe32(UATH_ID_BSS);		/* XXX */
1926 	rates.size   = htobe32(sizeof(struct uath_cmd_rateset));
1927 	/* XXX bounds check rs->rs_nrates */
1928 	rates.rateset.length = rs->rs_nrates;
1929 	bcopy(rs->rs_rates, &rates.rateset.set[0], rs->rs_nrates);
1930 
1931 	DPRINTF(sc, UATH_DEBUG_RATES,
1932 	    "setting supported rates nrates=%d\n", rs->rs_nrates);
1933 	return uath_cmd_write(sc, WDCMSG_SET_BASIC_RATE,
1934 	    &rates, sizeof rates, 0);
1935 }
1936 
1937 static int
1938 uath_write_associd(struct uath_softc *sc)
1939 {
1940 	struct ieee80211com *ic = &sc->sc_ic;
1941 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1942 	struct ieee80211_node *ni;
1943 	struct uath_cmd_set_associd associd;
1944 
1945 	ni = ieee80211_ref_node(vap->iv_bss);
1946 	memset(&associd, 0, sizeof(associd));
1947 	associd.defaultrateix = htobe32(1);	/* XXX */
1948 	associd.associd = htobe32(ni->ni_associd);
1949 	associd.timoffset = htobe32(0x3b);	/* XXX */
1950 	IEEE80211_ADDR_COPY(associd.bssid, ni->ni_bssid);
1951 	ieee80211_free_node(ni);
1952 	return uath_cmd_write(sc, WDCMSG_WRITE_ASSOCID, &associd,
1953 	    sizeof associd, 0);
1954 }
1955 
1956 static int
1957 uath_set_ledsteady(struct uath_softc *sc, int lednum, int ledmode)
1958 {
1959 	struct uath_cmd_ledsteady led;
1960 
1961 	led.lednum = htobe32(lednum);
1962 	led.ledmode = htobe32(ledmode);
1963 
1964 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (steady)\n",
1965 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1966 	    ledmode ? "on" : "off");
1967 	return uath_cmd_write(sc, WDCMSG_SET_LED_STEADY, &led, sizeof led, 0);
1968 }
1969 
1970 static int
1971 uath_set_ledblink(struct uath_softc *sc, int lednum, int ledmode,
1972 	int blinkrate, int slowmode)
1973 {
1974 	struct uath_cmd_ledblink led;
1975 
1976 	led.lednum = htobe32(lednum);
1977 	led.ledmode = htobe32(ledmode);
1978 	led.blinkrate = htobe32(blinkrate);
1979 	led.slowmode = htobe32(slowmode);
1980 
1981 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (blink)\n",
1982 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1983 	    ledmode ? "on" : "off");
1984 	return uath_cmd_write(sc, WDCMSG_SET_LED_BLINK, &led, sizeof led, 0);
1985 }
1986 
1987 static int
1988 uath_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
1989 {
1990 	enum ieee80211_state ostate = vap->iv_state;
1991 	int error;
1992 	struct ieee80211_node *ni;
1993 	struct ieee80211com *ic = vap->iv_ic;
1994 	struct uath_softc *sc = ic->ic_softc;
1995 	struct uath_vap *uvp = UATH_VAP(vap);
1996 
1997 	DPRINTF(sc, UATH_DEBUG_STATE,
1998 	    "%s: %s -> %s\n", __func__, ieee80211_state_name[vap->iv_state],
1999 	    ieee80211_state_name[nstate]);
2000 
2001 	IEEE80211_UNLOCK(ic);
2002 	UATH_LOCK(sc);
2003 	callout_stop(&sc->stat_ch);
2004 	callout_stop(&sc->watchdog_ch);
2005 	ni = ieee80211_ref_node(vap->iv_bss);
2006 
2007 	switch (nstate) {
2008 	case IEEE80211_S_INIT:
2009 		if (ostate == IEEE80211_S_RUN) {
2010 			/* turn link and activity LEDs off */
2011 			uath_set_ledstate(sc, 0);
2012 		}
2013 		break;
2014 
2015 	case IEEE80211_S_SCAN:
2016 		break;
2017 
2018 	case IEEE80211_S_AUTH:
2019 		/* XXX good place?  set RTS threshold  */
2020 		uath_config(sc, CFG_USER_RTS_THRESHOLD, vap->iv_rtsthreshold);
2021 		/* XXX bad place  */
2022 		error = uath_set_keys(sc, vap);
2023 		if (error != 0) {
2024 			device_printf(sc->sc_dev,
2025 			    "could not set crypto keys, error %d\n", error);
2026 			break;
2027 		}
2028 		if (uath_switch_channel(sc, ni->ni_chan) != 0) {
2029 			device_printf(sc->sc_dev, "could not switch channel\n");
2030 			break;
2031 		}
2032 		if (uath_create_connection(sc, UATH_ID_BSS) != 0) {
2033 			device_printf(sc->sc_dev,
2034 			    "could not create connection\n");
2035 			break;
2036 		}
2037 		break;
2038 
2039 	case IEEE80211_S_ASSOC:
2040 		if (uath_set_rates(sc, &ni->ni_rates) != 0) {
2041 			device_printf(sc->sc_dev,
2042 			    "could not set negotiated rate set\n");
2043 			break;
2044 		}
2045 		break;
2046 
2047 	case IEEE80211_S_RUN:
2048 		/* XXX monitor mode doesn't be tested  */
2049 		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2050 			uath_set_ledstate(sc, 1);
2051 			break;
2052 		}
2053 
2054 		/*
2055 		 * Tx rate is controlled by firmware, report the maximum
2056 		 * negotiated rate in ifconfig output.
2057 		 */
2058 		ni->ni_txrate = ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates-1];
2059 
2060 		if (uath_write_associd(sc) != 0) {
2061 			device_printf(sc->sc_dev,
2062 			    "could not write association id\n");
2063 			break;
2064 		}
2065 		/* turn link LED on */
2066 		uath_set_ledsteady(sc, UATH_LED_LINK, UATH_LED_ON);
2067 		/* make activity LED blink */
2068 		uath_set_ledblink(sc, UATH_LED_ACTIVITY, UATH_LED_ON, 1, 2);
2069 		/* set state to associated */
2070 		uath_set_ledstate(sc, 1);
2071 
2072 		/* start statistics timer */
2073 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2074 		break;
2075 	default:
2076 		break;
2077 	}
2078 	ieee80211_free_node(ni);
2079 	UATH_UNLOCK(sc);
2080 	IEEE80211_LOCK(ic);
2081 	return (uvp->newstate(vap, nstate, arg));
2082 }
2083 
2084 static int
2085 uath_set_key(struct uath_softc *sc, const struct ieee80211_key *wk,
2086     int index)
2087 {
2088 #if 0
2089 	struct uath_cmd_crypto crypto;
2090 	int i;
2091 
2092 	memset(&crypto, 0, sizeof(crypto));
2093 	crypto.keyidx = htobe32(index);
2094 	crypto.magic1 = htobe32(1);
2095 	crypto.size   = htobe32(368);
2096 	crypto.mask   = htobe32(0xffff);
2097 	crypto.flags  = htobe32(0x80000068);
2098 	if (index != UATH_DEFAULT_KEY)
2099 		crypto.flags |= htobe32(index << 16);
2100 	memset(crypto.magic2, 0xff, sizeof(crypto.magic2));
2101 
2102 	/*
2103 	 * Each byte of the key must be XOR'ed with 10101010 before being
2104 	 * transmitted to the firmware.
2105 	 */
2106 	for (i = 0; i < wk->wk_keylen; i++)
2107 		crypto.key[i] = wk->wk_key[i] ^ 0xaa;
2108 
2109 	DPRINTF(sc, UATH_DEBUG_CRYPTO,
2110 	    "setting crypto key index=%d len=%d\n", index, wk->wk_keylen);
2111 	return uath_cmd_write(sc, WDCMSG_SET_KEY_CACHE_ENTRY, &crypto,
2112 	    sizeof crypto, 0);
2113 #else
2114 	/* XXX support H/W cryto  */
2115 	return (0);
2116 #endif
2117 }
2118 
2119 static int
2120 uath_set_keys(struct uath_softc *sc, struct ieee80211vap *vap)
2121 {
2122 	int i, error;
2123 
2124 	error = 0;
2125 	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
2126 		const struct ieee80211_key *wk = &vap->iv_nw_keys[i];
2127 
2128 		if (wk->wk_flags & (IEEE80211_KEY_XMIT|IEEE80211_KEY_RECV)) {
2129 			error = uath_set_key(sc, wk, i);
2130 			if (error)
2131 				return (error);
2132 		}
2133 	}
2134 	if (vap->iv_def_txkey != IEEE80211_KEYIX_NONE) {
2135 		error = uath_set_key(sc, &vap->iv_nw_keys[vap->iv_def_txkey],
2136 			UATH_DEFAULT_KEY);
2137 	}
2138 	return (error);
2139 }
2140 
2141 #define	UATH_SYSCTL_STAT_ADD32(c, h, n, p, d)	\
2142 	    SYSCTL_ADD_UINT(c, h, OID_AUTO, n, CTLFLAG_RD, p, 0, d)
2143 
2144 static void
2145 uath_sysctl_node(struct uath_softc *sc)
2146 {
2147 	struct sysctl_ctx_list *ctx;
2148 	struct sysctl_oid_list *child;
2149 	struct sysctl_oid *tree;
2150 	struct uath_stat *stats;
2151 
2152 	stats = &sc->sc_stat;
2153 	ctx = device_get_sysctl_ctx(sc->sc_dev);
2154 	child = SYSCTL_CHILDREN(device_get_sysctl_tree(sc->sc_dev));
2155 
2156 	tree = SYSCTL_ADD_NODE(ctx, child, OID_AUTO, "stats", CTLFLAG_RD,
2157 	    NULL, "UATH statistics");
2158 	child = SYSCTL_CHILDREN(tree);
2159 	UATH_SYSCTL_STAT_ADD32(ctx, child, "badchunkseqnum",
2160 	    &stats->st_badchunkseqnum, "Bad chunk sequence numbers");
2161 	UATH_SYSCTL_STAT_ADD32(ctx, child, "invalidlen", &stats->st_invalidlen,
2162 	    "Invalid length");
2163 	UATH_SYSCTL_STAT_ADD32(ctx, child, "multichunk", &stats->st_multichunk,
2164 	    "Multi chunks");
2165 	UATH_SYSCTL_STAT_ADD32(ctx, child, "toobigrxpkt",
2166 	    &stats->st_toobigrxpkt, "Too big rx packets");
2167 	UATH_SYSCTL_STAT_ADD32(ctx, child, "stopinprogress",
2168 	    &stats->st_stopinprogress, "Stop in progress");
2169 	UATH_SYSCTL_STAT_ADD32(ctx, child, "crcerrs", &stats->st_crcerr,
2170 	    "CRC errors");
2171 	UATH_SYSCTL_STAT_ADD32(ctx, child, "phyerr", &stats->st_phyerr,
2172 	    "PHY errors");
2173 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_crcerr",
2174 	    &stats->st_decrypt_crcerr, "Decryption CRC errors");
2175 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_micerr",
2176 	    &stats->st_decrypt_micerr, "Decryption Misc errors");
2177 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decomperr", &stats->st_decomperr,
2178 	    "Decomp errors");
2179 	UATH_SYSCTL_STAT_ADD32(ctx, child, "keyerr", &stats->st_keyerr,
2180 	    "Key errors");
2181 	UATH_SYSCTL_STAT_ADD32(ctx, child, "err", &stats->st_err,
2182 	    "Unknown errors");
2183 
2184 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_active",
2185 	    &stats->st_cmd_active, "Active numbers in Command queue");
2186 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_inactive",
2187 	    &stats->st_cmd_inactive, "Inactive numbers in Command queue");
2188 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_pending",
2189 	    &stats->st_cmd_pending, "Pending numbers in Command queue");
2190 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_waiting",
2191 	    &stats->st_cmd_waiting, "Waiting numbers in Command queue");
2192 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_active",
2193 	    &stats->st_rx_active, "Active numbers in RX queue");
2194 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_inactive",
2195 	    &stats->st_rx_inactive, "Inactive numbers in RX queue");
2196 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_active",
2197 	    &stats->st_tx_active, "Active numbers in TX queue");
2198 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_inactive",
2199 	    &stats->st_tx_inactive, "Inactive numbers in TX queue");
2200 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_pending",
2201 	    &stats->st_tx_pending, "Pending numbers in TX queue");
2202 }
2203 
2204 #undef UATH_SYSCTL_STAT_ADD32
2205 
2206 CTASSERT(sizeof(u_int) >= sizeof(uint32_t));
2207 
2208 static void
2209 uath_cmdeof(struct uath_softc *sc, struct uath_cmd *cmd)
2210 {
2211 	struct uath_cmd_hdr *hdr;
2212 	uint32_t dlen;
2213 
2214 	hdr = (struct uath_cmd_hdr *)cmd->buf;
2215 	/* NB: msgid is passed thru w/o byte swapping */
2216 #ifdef UATH_DEBUG
2217 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
2218 		uint32_t len = be32toh(hdr->len);
2219 		printf("%s: %s [ix %u] len %u status %u\n",
2220 		    __func__, uath_codename(be32toh(hdr->code)),
2221 		    hdr->msgid, len, be32toh(hdr->magic));
2222 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
2223 			uath_dump_cmd(cmd->buf,
2224 			    len > UATH_MAX_CMDSZ ? sizeof(*hdr) : len, '-');
2225 	}
2226 #endif
2227 	hdr->code = be32toh(hdr->code);
2228 	hdr->len = be32toh(hdr->len);
2229 	hdr->magic = be32toh(hdr->magic);	/* target status on return */
2230 
2231 	switch (hdr->code & 0xff) {
2232 	/* reply to a read command */
2233 	default:
2234 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2235 		    "%s: code %d hdr len %u\n",
2236 		    __func__, hdr->code & 0xff, hdr->len);
2237 		/*
2238 		 * The first response from the target after the
2239 		 * HOST_AVAILABLE has an invalid msgid so we must
2240 		 * treat it specially.
2241 		 */
2242 		if (hdr->msgid < UATH_CMD_LIST_COUNT) {
2243 			uint32_t *rp = (uint32_t *)(hdr+1);
2244 			u_int olen;
2245 
2246 			if (sizeof(*hdr) > hdr->len ||
2247 			    hdr->len >= UATH_MAX_CMDSZ) {
2248 				device_printf(sc->sc_dev,
2249 				    "%s: invalid WDC msg length %u; "
2250 				    "msg ignored\n", __func__, hdr->len);
2251 				return;
2252 			}
2253 			/*
2254 			 * Calculate return/receive payload size; the
2255 			 * first word, if present, always gives the
2256 			 * number of bytes--unless it's 0 in which
2257 			 * case a single 32-bit word should be present.
2258 			 */
2259 			dlen = hdr->len - sizeof(*hdr);
2260 			if (dlen >= sizeof(uint32_t)) {
2261 				olen = be32toh(rp[0]);
2262 				dlen -= sizeof(uint32_t);
2263 				if (olen == 0) {
2264 					/* convention is 0 =>'s one word */
2265 					olen = sizeof(uint32_t);
2266 					/* XXX KASSERT(olen == dlen ) */
2267 				}
2268 			} else
2269 				olen = 0;
2270 			if (cmd->odata != NULL) {
2271 				/* NB: cmd->olen validated in uath_cmd */
2272 				if (olen > (u_int)cmd->olen) {
2273 					/* XXX complain? */
2274 					device_printf(sc->sc_dev,
2275 					    "%s: cmd 0x%x olen %u cmd olen %u\n",
2276 					    __func__, hdr->code, olen,
2277 					    cmd->olen);
2278 					olen = cmd->olen;
2279 				}
2280 				if (olen > dlen) {
2281 					/* XXX complain, shouldn't happen */
2282 					device_printf(sc->sc_dev,
2283 					    "%s: cmd 0x%x olen %u dlen %u\n",
2284 					    __func__, hdr->code, olen, dlen);
2285 					olen = dlen;
2286 				}
2287 				/* XXX have submitter do this */
2288 				/* copy answer into caller's supplied buffer */
2289 				bcopy(&rp[1], cmd->odata, olen);
2290 				cmd->olen = olen;
2291 			}
2292 		}
2293 		wakeup_one(cmd);		/* wake up caller */
2294 		break;
2295 
2296 	case WDCMSG_TARGET_START:
2297 		if (hdr->msgid >= UATH_CMD_LIST_COUNT) {
2298 			/* XXX */
2299 			return;
2300 		}
2301 		dlen = hdr->len - sizeof(*hdr);
2302 		if (dlen != sizeof(uint32_t)) {
2303 			device_printf(sc->sc_dev,
2304 			    "%s: dlen (%u) != %zu!\n",
2305 			    __func__, dlen, sizeof(uint32_t));
2306 			return;
2307 		}
2308 		/* XXX have submitter do this */
2309 		/* copy answer into caller's supplied buffer */
2310 		bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
2311 		cmd->olen = sizeof(uint32_t);
2312 		wakeup_one(cmd);		/* wake up caller */
2313 		break;
2314 
2315 	case WDCMSG_SEND_COMPLETE:
2316 		/* this notification is sent when UATH_TX_NOTIFY is set */
2317 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2318 		    "%s: received Tx notification\n", __func__);
2319 		break;
2320 
2321 	case WDCMSG_TARGET_GET_STATS:
2322 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2323 		    "%s: received device statistics\n", __func__);
2324 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2325 		break;
2326 	}
2327 }
2328 
2329 static void
2330 uath_intr_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2331 {
2332 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2333 	struct uath_cmd *cmd;
2334 	struct uath_cmd_hdr *hdr;
2335 	struct usb_page_cache *pc;
2336 	int actlen;
2337 
2338 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2339 
2340 	UATH_ASSERT_LOCKED(sc);
2341 
2342 	switch (USB_GET_STATE(xfer)) {
2343 	case USB_ST_TRANSFERRED:
2344 		cmd = STAILQ_FIRST(&sc->sc_cmd_waiting);
2345 		if (cmd == NULL)
2346 			goto setup;
2347 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_waiting, next);
2348 		UATH_STAT_DEC(sc, st_cmd_waiting);
2349 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
2350 		UATH_STAT_INC(sc, st_cmd_inactive);
2351 
2352 		if (actlen < sizeof(struct uath_cmd_hdr)) {
2353 			device_printf(sc->sc_dev,
2354 			    "%s: short xfer error (actlen %d)\n",
2355 			    __func__, actlen);
2356 			goto setup;
2357 		}
2358 
2359 		pc = usbd_xfer_get_frame(xfer, 0);
2360 		usbd_copy_out(pc, 0, cmd->buf, actlen);
2361 
2362 		hdr = (struct uath_cmd_hdr *)cmd->buf;
2363 		hdr->len = be32toh(hdr->len);
2364 		if (hdr->len > (uint32_t)actlen) {
2365 			device_printf(sc->sc_dev,
2366 			    "%s: truncated xfer (len %u, actlen %d)\n",
2367 			    __func__, hdr->len, actlen);
2368 			goto setup;
2369 		}
2370 
2371 		uath_cmdeof(sc, cmd);
2372 	case USB_ST_SETUP:
2373 setup:
2374 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
2375 		usbd_transfer_submit(xfer);
2376 		break;
2377 	default:
2378 		if (error != USB_ERR_CANCELLED) {
2379 			usbd_xfer_set_stall(xfer);
2380 			goto setup;
2381 		}
2382 		break;
2383 	}
2384 }
2385 
2386 static void
2387 uath_intr_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2388 {
2389 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2390 	struct uath_cmd *cmd;
2391 
2392 	UATH_ASSERT_LOCKED(sc);
2393 
2394 	cmd = STAILQ_FIRST(&sc->sc_cmd_active);
2395 	if (cmd != NULL && USB_GET_STATE(xfer) != USB_ST_SETUP) {
2396 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_active, next);
2397 		UATH_STAT_DEC(sc, st_cmd_active);
2398 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_READ) ?
2399 		    &sc->sc_cmd_waiting : &sc->sc_cmd_inactive, cmd, next);
2400 		if (cmd->flags & UATH_CMD_FLAG_READ)
2401 			UATH_STAT_INC(sc, st_cmd_waiting);
2402 		else
2403 			UATH_STAT_INC(sc, st_cmd_inactive);
2404 	}
2405 
2406 	switch (USB_GET_STATE(xfer)) {
2407 	case USB_ST_TRANSFERRED:
2408 	case USB_ST_SETUP:
2409 setup:
2410 		cmd = STAILQ_FIRST(&sc->sc_cmd_pending);
2411 		if (cmd == NULL) {
2412 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2413 			    __func__);
2414 			return;
2415 		}
2416 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_pending, next);
2417 		UATH_STAT_DEC(sc, st_cmd_pending);
2418 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_ASYNC) ?
2419 		    &sc->sc_cmd_inactive : &sc->sc_cmd_active, cmd, next);
2420 		if (cmd->flags & UATH_CMD_FLAG_ASYNC)
2421 			UATH_STAT_INC(sc, st_cmd_inactive);
2422 		else
2423 			UATH_STAT_INC(sc, st_cmd_active);
2424 
2425 		usbd_xfer_set_frame_data(xfer, 0, cmd->buf, cmd->buflen);
2426 		usbd_transfer_submit(xfer);
2427 		break;
2428 	default:
2429 		if (error != USB_ERR_CANCELLED) {
2430 			usbd_xfer_set_stall(xfer);
2431 			goto setup;
2432 		}
2433 		break;
2434 	}
2435 }
2436 
2437 static void
2438 uath_update_rxstat(struct uath_softc *sc, uint32_t status)
2439 {
2440 
2441 	switch (status) {
2442 	case UATH_STATUS_STOP_IN_PROGRESS:
2443 		UATH_STAT_INC(sc, st_stopinprogress);
2444 		break;
2445 	case UATH_STATUS_CRC_ERR:
2446 		UATH_STAT_INC(sc, st_crcerr);
2447 		break;
2448 	case UATH_STATUS_PHY_ERR:
2449 		UATH_STAT_INC(sc, st_phyerr);
2450 		break;
2451 	case UATH_STATUS_DECRYPT_CRC_ERR:
2452 		UATH_STAT_INC(sc, st_decrypt_crcerr);
2453 		break;
2454 	case UATH_STATUS_DECRYPT_MIC_ERR:
2455 		UATH_STAT_INC(sc, st_decrypt_micerr);
2456 		break;
2457 	case UATH_STATUS_DECOMP_ERR:
2458 		UATH_STAT_INC(sc, st_decomperr);
2459 		break;
2460 	case UATH_STATUS_KEY_ERR:
2461 		UATH_STAT_INC(sc, st_keyerr);
2462 		break;
2463 	case UATH_STATUS_ERR:
2464 		UATH_STAT_INC(sc, st_err);
2465 		break;
2466 	default:
2467 		break;
2468 	}
2469 }
2470 
2471 CTASSERT(UATH_MIN_RXBUFSZ >= sizeof(struct uath_chunk));
2472 
2473 static struct mbuf *
2474 uath_data_rxeof(struct usb_xfer *xfer, struct uath_data *data,
2475     struct uath_rx_desc **pdesc)
2476 {
2477 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2478 	struct ieee80211com *ic = &sc->sc_ic;
2479 	struct uath_chunk *chunk;
2480 	struct uath_rx_desc *desc;
2481 	struct mbuf *m = data->m, *mnew, *mp;
2482 	uint16_t chunklen;
2483 	int actlen;
2484 
2485 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2486 
2487 	if (actlen < (int)UATH_MIN_RXBUFSZ) {
2488 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2489 		    "%s: wrong xfer size (len=%d)\n", __func__, actlen);
2490 		counter_u64_add(ic->ic_ierrors, 1);
2491 		return (NULL);
2492 	}
2493 
2494 	chunk = (struct uath_chunk *)data->buf;
2495 	chunklen = be16toh(chunk->length);
2496 	if (chunk->seqnum == 0 && chunk->flags == 0 && chunklen == 0) {
2497 		device_printf(sc->sc_dev, "%s: strange response\n", __func__);
2498 		counter_u64_add(ic->ic_ierrors, 1);
2499 		UATH_RESET_INTRX(sc);
2500 		return (NULL);
2501 	}
2502 
2503 	if (chunklen > actlen) {
2504 		device_printf(sc->sc_dev,
2505 		    "%s: invalid chunk length (len %u > actlen %d)\n",
2506 		    __func__, chunklen, actlen);
2507 		counter_u64_add(ic->ic_ierrors, 1);
2508 		/* XXX cleanup? */
2509 		UATH_RESET_INTRX(sc);
2510 		return (NULL);
2511 	}
2512 
2513 	if (chunk->seqnum != sc->sc_intrx_nextnum) {
2514 		DPRINTF(sc, UATH_DEBUG_XMIT, "invalid seqnum %d, expected %d\n",
2515 		    chunk->seqnum, sc->sc_intrx_nextnum);
2516 		UATH_STAT_INC(sc, st_badchunkseqnum);
2517 		if (sc->sc_intrx_head != NULL)
2518 			m_freem(sc->sc_intrx_head);
2519 		UATH_RESET_INTRX(sc);
2520 		return (NULL);
2521 	}
2522 
2523 	/* check multi-chunk frames  */
2524 	if ((chunk->seqnum == 0 && !(chunk->flags & UATH_CFLAGS_FINAL)) ||
2525 	    (chunk->seqnum != 0 && (chunk->flags & UATH_CFLAGS_FINAL)) ||
2526 	    chunk->flags & UATH_CFLAGS_RXMSG)
2527 		UATH_STAT_INC(sc, st_multichunk);
2528 
2529 	if (chunk->flags & UATH_CFLAGS_FINAL) {
2530 		if (chunklen < sizeof(struct uath_rx_desc)) {
2531 			device_printf(sc->sc_dev,
2532 			    "%s: invalid chunk length %d\n",
2533 			    __func__, chunklen);
2534 			counter_u64_add(ic->ic_ierrors, 1);
2535 			if (sc->sc_intrx_head != NULL)
2536 				m_freem(sc->sc_intrx_head);
2537 			UATH_RESET_INTRX(sc);
2538 			return (NULL);
2539 		}
2540 		chunklen -= sizeof(struct uath_rx_desc);
2541 	}
2542 
2543 	if (chunklen > 0 &&
2544 	    (!(chunk->flags & UATH_CFLAGS_FINAL) || !(chunk->seqnum == 0))) {
2545 		/* we should use intermediate RX buffer  */
2546 		if (chunk->seqnum == 0)
2547 			UATH_RESET_INTRX(sc);
2548 		if ((sc->sc_intrx_len + sizeof(struct uath_rx_desc) +
2549 		    chunklen) > UATH_MAX_INTRX_SIZE) {
2550 			UATH_STAT_INC(sc, st_invalidlen);
2551 			counter_u64_add(ic->ic_ierrors, 1);
2552 			if (sc->sc_intrx_head != NULL)
2553 				m_freem(sc->sc_intrx_head);
2554 			UATH_RESET_INTRX(sc);
2555 			return (NULL);
2556 		}
2557 
2558 		m->m_len = chunklen;
2559 		m->m_data += sizeof(struct uath_chunk);
2560 
2561 		if (sc->sc_intrx_head == NULL) {
2562 			sc->sc_intrx_head = m;
2563 			sc->sc_intrx_tail = m;
2564 		} else {
2565 			m->m_flags &= ~M_PKTHDR;
2566 			sc->sc_intrx_tail->m_next = m;
2567 			sc->sc_intrx_tail = m;
2568 		}
2569 	}
2570 	sc->sc_intrx_len += chunklen;
2571 
2572 	mnew = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2573 	if (mnew == NULL) {
2574 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2575 		    "%s: can't get new mbuf, drop frame\n", __func__);
2576 		counter_u64_add(ic->ic_ierrors, 1);
2577 		if (sc->sc_intrx_head != NULL)
2578 			m_freem(sc->sc_intrx_head);
2579 		UATH_RESET_INTRX(sc);
2580 		return (NULL);
2581 	}
2582 
2583 	data->m = mnew;
2584 	data->buf = mtod(mnew, uint8_t *);
2585 
2586 	/* if the frame is not final continue the transfer  */
2587 	if (!(chunk->flags & UATH_CFLAGS_FINAL)) {
2588 		sc->sc_intrx_nextnum++;
2589 		UATH_RESET_INTRX(sc);
2590 		return (NULL);
2591 	}
2592 
2593 	/*
2594 	 * if the frame is not set UATH_CFLAGS_RXMSG, then rx descriptor is
2595 	 * located at the end, 32-bit aligned
2596 	 */
2597 	desc = (chunk->flags & UATH_CFLAGS_RXMSG) ?
2598 		(struct uath_rx_desc *)(chunk + 1) :
2599 		(struct uath_rx_desc *)(((uint8_t *)chunk) +
2600 		    sizeof(struct uath_chunk) + be16toh(chunk->length) -
2601 		    sizeof(struct uath_rx_desc));
2602 	if ((uint8_t *)chunk + actlen - sizeof(struct uath_rx_desc) <
2603 	    (uint8_t *)desc) {
2604 		device_printf(sc->sc_dev,
2605 		    "%s: wrong Rx descriptor pointer "
2606 		    "(desc %p chunk %p actlen %d)\n",
2607 		    __func__, desc, chunk, actlen);
2608 		counter_u64_add(ic->ic_ierrors, 1);
2609 		if (sc->sc_intrx_head != NULL)
2610 			m_freem(sc->sc_intrx_head);
2611 		UATH_RESET_INTRX(sc);
2612 		return (NULL);
2613 	}
2614 
2615 	*pdesc = desc;
2616 
2617 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2618 	    "%s: frame len %u code %u status %u rate %u antenna %u "
2619 	    "rssi %d channel %u phyerror %u connix %u decrypterror %u "
2620 	    "keycachemiss %u\n", __func__, be32toh(desc->framelen)
2621 	    , be32toh(desc->code), be32toh(desc->status), be32toh(desc->rate)
2622 	    , be32toh(desc->antenna), be32toh(desc->rssi), be32toh(desc->channel)
2623 	    , be32toh(desc->phyerror), be32toh(desc->connix)
2624 	    , be32toh(desc->decrypterror), be32toh(desc->keycachemiss));
2625 
2626 	if (be32toh(desc->len) > MCLBYTES) {
2627 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2628 		    "%s: bad descriptor (len=%d)\n", __func__,
2629 		    be32toh(desc->len));
2630 		counter_u64_add(ic->ic_ierrors, 1);
2631 		UATH_STAT_INC(sc, st_toobigrxpkt);
2632 		if (sc->sc_intrx_head != NULL)
2633 			m_freem(sc->sc_intrx_head);
2634 		UATH_RESET_INTRX(sc);
2635 		return (NULL);
2636 	}
2637 
2638 	uath_update_rxstat(sc, be32toh(desc->status));
2639 
2640 	/* finalize mbuf */
2641 	if (sc->sc_intrx_head == NULL) {
2642 		uint32_t framelen;
2643 
2644 		if (be32toh(desc->framelen) < UATH_RX_DUMMYSIZE) {
2645 			device_printf(sc->sc_dev,
2646 			    "%s: framelen too small (%u)\n",
2647 			    __func__, be32toh(desc->framelen));
2648 			counter_u64_add(ic->ic_ierrors, 1);
2649 			if (sc->sc_intrx_head != NULL)
2650 				m_freem(sc->sc_intrx_head);
2651 			UATH_RESET_INTRX(sc);
2652 			return (NULL);
2653 		}
2654 
2655 		framelen = be32toh(desc->framelen) - UATH_RX_DUMMYSIZE;
2656 		if (framelen > actlen - sizeof(struct uath_chunk) ||
2657 		    framelen < sizeof(struct ieee80211_frame_ack)) {
2658 			device_printf(sc->sc_dev,
2659 			    "%s: wrong frame length (%u, actlen %d)!\n",
2660 			    __func__, framelen, actlen);
2661 			counter_u64_add(ic->ic_ierrors, 1);
2662 			if (sc->sc_intrx_head != NULL)
2663 				m_freem(sc->sc_intrx_head);
2664 			UATH_RESET_INTRX(sc);
2665 			return (NULL);
2666 		}
2667 
2668 		m->m_pkthdr.len = m->m_len = framelen;
2669 		m->m_data += sizeof(struct uath_chunk);
2670 	} else {
2671 		mp = sc->sc_intrx_head;
2672 		mp->m_flags |= M_PKTHDR;
2673 		mp->m_pkthdr.len = sc->sc_intrx_len;
2674 		m = mp;
2675 	}
2676 
2677 	/* there are a lot more fields in the RX descriptor */
2678 	if ((sc->sc_flags & UATH_FLAG_INVALID) == 0 &&
2679 	    ieee80211_radiotap_active(ic)) {
2680 		struct uath_rx_radiotap_header *tap = &sc->sc_rxtap;
2681 		uint32_t tsf_hi = be32toh(desc->tstamp_high);
2682 		uint32_t tsf_lo = be32toh(desc->tstamp_low);
2683 
2684 		/* XXX only get low order 24bits of tsf from h/w */
2685 		tap->wr_tsf = htole64(((uint64_t)tsf_hi << 32) | tsf_lo);
2686 		tap->wr_flags = 0;
2687 		if (be32toh(desc->status) == UATH_STATUS_CRC_ERR)
2688 			tap->wr_flags |= IEEE80211_RADIOTAP_F_BADFCS;
2689 		/* XXX map other status to BADFCS? */
2690 		/* XXX ath h/w rate code, need to map */
2691 		tap->wr_rate = be32toh(desc->rate);
2692 		tap->wr_antenna = be32toh(desc->antenna);
2693 		tap->wr_antsignal = -95 + be32toh(desc->rssi);
2694 		tap->wr_antnoise = -95;
2695 	}
2696 
2697 	UATH_RESET_INTRX(sc);
2698 
2699 	return (m);
2700 }
2701 
2702 static void
2703 uath_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2704 {
2705 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2706 	struct ieee80211com *ic = &sc->sc_ic;
2707 	struct ieee80211_frame *wh;
2708 	struct ieee80211_node *ni;
2709 	struct mbuf *m = NULL;
2710 	struct uath_data *data;
2711 	struct uath_rx_desc *desc = NULL;
2712 	int8_t nf;
2713 
2714 	UATH_ASSERT_LOCKED(sc);
2715 
2716 	switch (USB_GET_STATE(xfer)) {
2717 	case USB_ST_TRANSFERRED:
2718 		data = STAILQ_FIRST(&sc->sc_rx_active);
2719 		if (data == NULL)
2720 			goto setup;
2721 		STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2722 		UATH_STAT_DEC(sc, st_rx_active);
2723 		m = uath_data_rxeof(xfer, data, &desc);
2724 		STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2725 		UATH_STAT_INC(sc, st_rx_inactive);
2726 		/* FALLTHROUGH */
2727 	case USB_ST_SETUP:
2728 setup:
2729 		data = STAILQ_FIRST(&sc->sc_rx_inactive);
2730 		if (data == NULL)
2731 			return;
2732 		STAILQ_REMOVE_HEAD(&sc->sc_rx_inactive, next);
2733 		UATH_STAT_DEC(sc, st_rx_inactive);
2734 		STAILQ_INSERT_TAIL(&sc->sc_rx_active, data, next);
2735 		UATH_STAT_INC(sc, st_rx_active);
2736 		usbd_xfer_set_frame_data(xfer, 0, data->buf, MCLBYTES);
2737 		usbd_transfer_submit(xfer);
2738 
2739 		/*
2740 		 * To avoid LOR we should unlock our private mutex here to call
2741 		 * ieee80211_input() because here is at the end of a USB
2742 		 * callback and safe to unlock.
2743 		 */
2744 		if (sc->sc_flags & UATH_FLAG_INVALID) {
2745 			if (m != NULL)
2746 				m_freem(m);
2747 			return;
2748 		}
2749 		UATH_UNLOCK(sc);
2750 		if (m != NULL && desc != NULL) {
2751 			wh = mtod(m, struct ieee80211_frame *);
2752 			ni = ieee80211_find_rxnode(ic,
2753 			    (struct ieee80211_frame_min *)wh);
2754 			nf = -95;	/* XXX */
2755 			if (ni != NULL) {
2756 				(void) ieee80211_input(ni, m,
2757 				    (int)be32toh(desc->rssi), nf);
2758 				/* node is no longer needed */
2759 				ieee80211_free_node(ni);
2760 			} else
2761 				(void) ieee80211_input_all(ic, m,
2762 				    (int)be32toh(desc->rssi), nf);
2763 			m = NULL;
2764 			desc = NULL;
2765 		}
2766 		UATH_LOCK(sc);
2767 		uath_start(sc);
2768 		break;
2769 	default:
2770 		/* needs it to the inactive queue due to a error.  */
2771 		data = STAILQ_FIRST(&sc->sc_rx_active);
2772 		if (data != NULL) {
2773 			STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2774 			UATH_STAT_DEC(sc, st_rx_active);
2775 			STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2776 			UATH_STAT_INC(sc, st_rx_inactive);
2777 		}
2778 		if (error != USB_ERR_CANCELLED) {
2779 			usbd_xfer_set_stall(xfer);
2780 			counter_u64_add(ic->ic_ierrors, 1);
2781 			goto setup;
2782 		}
2783 		break;
2784 	}
2785 }
2786 
2787 static void
2788 uath_data_txeof(struct usb_xfer *xfer, struct uath_data *data)
2789 {
2790 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2791 
2792 	UATH_ASSERT_LOCKED(sc);
2793 
2794 	if (data->m) {
2795 		/* XXX status? */
2796 		ieee80211_tx_complete(data->ni, data->m, 0);
2797 		data->m = NULL;
2798 		data->ni = NULL;
2799 	}
2800 	sc->sc_tx_timer = 0;
2801 }
2802 
2803 static void
2804 uath_bulk_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2805 {
2806 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2807 	struct uath_data *data;
2808 
2809 	UATH_ASSERT_LOCKED(sc);
2810 
2811 	switch (USB_GET_STATE(xfer)) {
2812 	case USB_ST_TRANSFERRED:
2813 		data = STAILQ_FIRST(&sc->sc_tx_active);
2814 		if (data == NULL)
2815 			goto setup;
2816 		STAILQ_REMOVE_HEAD(&sc->sc_tx_active, next);
2817 		UATH_STAT_DEC(sc, st_tx_active);
2818 		uath_data_txeof(xfer, data);
2819 		STAILQ_INSERT_TAIL(&sc->sc_tx_inactive, data, next);
2820 		UATH_STAT_INC(sc, st_tx_inactive);
2821 		/* FALLTHROUGH */
2822 	case USB_ST_SETUP:
2823 setup:
2824 		data = STAILQ_FIRST(&sc->sc_tx_pending);
2825 		if (data == NULL) {
2826 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2827 			    __func__);
2828 			return;
2829 		}
2830 		STAILQ_REMOVE_HEAD(&sc->sc_tx_pending, next);
2831 		UATH_STAT_DEC(sc, st_tx_pending);
2832 		STAILQ_INSERT_TAIL(&sc->sc_tx_active, data, next);
2833 		UATH_STAT_INC(sc, st_tx_active);
2834 
2835 		usbd_xfer_set_frame_data(xfer, 0, data->buf, data->buflen);
2836 		usbd_transfer_submit(xfer);
2837 
2838 		uath_start(sc);
2839 		break;
2840 	default:
2841 		data = STAILQ_FIRST(&sc->sc_tx_active);
2842 		if (data == NULL)
2843 			goto setup;
2844 		if (data->ni != NULL) {
2845 			if_inc_counter(data->ni->ni_vap->iv_ifp,
2846 			    IFCOUNTER_OERRORS, 1);
2847 			if ((sc->sc_flags & UATH_FLAG_INVALID) == 0)
2848 				ieee80211_free_node(data->ni);
2849 			data->ni = NULL;
2850 		}
2851 		if (error != USB_ERR_CANCELLED) {
2852 			usbd_xfer_set_stall(xfer);
2853 			goto setup;
2854 		}
2855 		break;
2856 	}
2857 }
2858 
2859 static device_method_t uath_methods[] = {
2860 	DEVMETHOD(device_probe, uath_match),
2861 	DEVMETHOD(device_attach, uath_attach),
2862 	DEVMETHOD(device_detach, uath_detach),
2863 	DEVMETHOD_END
2864 };
2865 static driver_t uath_driver = {
2866 	.name = "uath",
2867 	.methods = uath_methods,
2868 	.size = sizeof(struct uath_softc)
2869 };
2870 static devclass_t uath_devclass;
2871 
2872 DRIVER_MODULE(uath, uhub, uath_driver, uath_devclass, NULL, 0);
2873 MODULE_DEPEND(uath, wlan, 1, 1, 1);
2874 MODULE_DEPEND(uath, usb, 1, 1, 1);
2875 MODULE_VERSION(uath, 1);
2876 USB_PNP_HOST_INFO(uath_devs);
2877