xref: /freebsd/sys/dev/usb/wlan/if_uath.c (revision da5069e1f7daaef1e7157876d6044de6f3a08ce2)
1 /*-
2  * SPDX-License-Identifier: (BSD-2-Clause-FreeBSD AND BSD-1-Clause)
3  *
4  * Copyright (c) 2006 Sam Leffler, Errno Consulting
5  * Copyright (c) 2008-2009 Weongyo Jeong <weongyo@freebsd.org>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer,
13  *    without modification.
14  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
15  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
16  *    redistribution must be conditioned upon including a substantially
17  *    similar Disclaimer requirement for further binary redistribution.
18  *
19  * NO WARRANTY
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
23  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
24  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
25  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
28  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGES.
31  */
32 
33 /*
34  * This driver is distantly derived from a driver of the same name
35  * by Damien Bergamini.  The original copyright is included below:
36  *
37  * Copyright (c) 2006
38  *	Damien Bergamini <damien.bergamini@free.fr>
39  *
40  * Permission to use, copy, modify, and distribute this software for any
41  * purpose with or without fee is hereby granted, provided that the above
42  * copyright notice and this permission notice appear in all copies.
43  *
44  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
45  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
46  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
47  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
48  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
49  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
50  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
51  */
52 
53 #include <sys/cdefs.h>
54 __FBSDID("$FreeBSD$");
55 
56 /*-
57  * Driver for Atheros AR5523 USB parts.
58  *
59  * The driver requires firmware to be loaded into the device.  This
60  * is done on device discovery from a user application (uathload)
61  * that is launched by devd when a device with suitable product ID
62  * is recognized.  Once firmware has been loaded the device will
63  * reset the USB port and re-attach with the original product ID+1
64  * and this driver will be attached.  The firmware is licensed for
65  * general use (royalty free) and may be incorporated in products.
66  * Note that the firmware normally packaged with the NDIS drivers
67  * for these devices does not work in this way and so does not work
68  * with this driver.
69  */
70 
71 #include "opt_wlan.h"
72 
73 #include <sys/param.h>
74 #include <sys/sockio.h>
75 #include <sys/sysctl.h>
76 #include <sys/lock.h>
77 #include <sys/mutex.h>
78 #include <sys/mbuf.h>
79 #include <sys/kernel.h>
80 #include <sys/socket.h>
81 #include <sys/systm.h>
82 #include <sys/malloc.h>
83 #include <sys/module.h>
84 #include <sys/bus.h>
85 #include <sys/endian.h>
86 #include <sys/kdb.h>
87 
88 #include <net/bpf.h>
89 #include <net/if.h>
90 #include <net/if_var.h>
91 #include <net/if_arp.h>
92 #include <net/ethernet.h>
93 #include <net/if_dl.h>
94 #include <net/if_media.h>
95 #include <net/if_types.h>
96 
97 #ifdef INET
98 #include <netinet/in.h>
99 #include <netinet/in_systm.h>
100 #include <netinet/in_var.h>
101 #include <netinet/if_ether.h>
102 #include <netinet/ip.h>
103 #endif
104 
105 #include <net80211/ieee80211_var.h>
106 #include <net80211/ieee80211_input.h>
107 #include <net80211/ieee80211_regdomain.h>
108 #include <net80211/ieee80211_radiotap.h>
109 
110 #include <dev/usb/usb.h>
111 #include <dev/usb/usbdi.h>
112 #include "usbdevs.h"
113 
114 #include <dev/usb/wlan/if_uathreg.h>
115 #include <dev/usb/wlan/if_uathvar.h>
116 
117 static SYSCTL_NODE(_hw_usb, OID_AUTO, uath, CTLFLAG_RW, 0, "USB Atheros");
118 
119 static	int uath_countrycode = CTRY_DEFAULT;	/* country code */
120 SYSCTL_INT(_hw_usb_uath, OID_AUTO, countrycode, CTLFLAG_RWTUN, &uath_countrycode,
121     0, "country code");
122 static	int uath_regdomain = 0;			/* regulatory domain */
123 SYSCTL_INT(_hw_usb_uath, OID_AUTO, regdomain, CTLFLAG_RD, &uath_regdomain,
124     0, "regulatory domain");
125 
126 #ifdef UATH_DEBUG
127 int uath_debug = 0;
128 SYSCTL_INT(_hw_usb_uath, OID_AUTO, debug, CTLFLAG_RWTUN, &uath_debug, 0,
129     "uath debug level");
130 enum {
131 	UATH_DEBUG_XMIT		= 0x00000001,	/* basic xmit operation */
132 	UATH_DEBUG_XMIT_DUMP	= 0x00000002,	/* xmit dump */
133 	UATH_DEBUG_RECV		= 0x00000004,	/* basic recv operation */
134 	UATH_DEBUG_TX_PROC	= 0x00000008,	/* tx ISR proc */
135 	UATH_DEBUG_RX_PROC	= 0x00000010,	/* rx ISR proc */
136 	UATH_DEBUG_RECV_ALL	= 0x00000020,	/* trace all frames (beacons) */
137 	UATH_DEBUG_INIT		= 0x00000040,	/* initialization of dev */
138 	UATH_DEBUG_DEVCAP	= 0x00000080,	/* dev caps */
139 	UATH_DEBUG_CMDS		= 0x00000100,	/* commands */
140 	UATH_DEBUG_CMDS_DUMP	= 0x00000200,	/* command buffer dump */
141 	UATH_DEBUG_RESET	= 0x00000400,	/* reset processing */
142 	UATH_DEBUG_STATE	= 0x00000800,	/* 802.11 state transitions */
143 	UATH_DEBUG_MULTICAST	= 0x00001000,	/* multicast */
144 	UATH_DEBUG_WME		= 0x00002000,	/* WME */
145 	UATH_DEBUG_CHANNEL	= 0x00004000,	/* channel */
146 	UATH_DEBUG_RATES	= 0x00008000,	/* rates */
147 	UATH_DEBUG_CRYPTO	= 0x00010000,	/* crypto */
148 	UATH_DEBUG_LED		= 0x00020000,	/* LED */
149 	UATH_DEBUG_ANY		= 0xffffffff
150 };
151 #define	DPRINTF(sc, m, fmt, ...) do {				\
152 	if (sc->sc_debug & (m))					\
153 		printf(fmt, __VA_ARGS__);			\
154 } while (0)
155 #else
156 #define	DPRINTF(sc, m, fmt, ...) do {				\
157 	(void) sc;						\
158 } while (0)
159 #endif
160 
161 /* recognized device vendors/products */
162 static const STRUCT_USB_HOST_ID uath_devs[] = {
163 #define	UATH_DEV(v,p) { USB_VP(USB_VENDOR_##v, USB_PRODUCT_##v##_##p) }
164 	UATH_DEV(ACCTON,		SMCWUSBTG2),
165 	UATH_DEV(ATHEROS,		AR5523),
166 	UATH_DEV(ATHEROS2,		AR5523_1),
167 	UATH_DEV(ATHEROS2,		AR5523_2),
168 	UATH_DEV(ATHEROS2,		AR5523_3),
169 	UATH_DEV(CONCEPTRONIC,		AR5523_1),
170 	UATH_DEV(CONCEPTRONIC,		AR5523_2),
171 	UATH_DEV(DLINK,			DWLAG122),
172 	UATH_DEV(DLINK,			DWLAG132),
173 	UATH_DEV(DLINK,			DWLG132),
174 	UATH_DEV(DLINK2,		DWA120),
175 	UATH_DEV(GIGASET,		AR5523),
176 	UATH_DEV(GIGASET,		SMCWUSBTG),
177 	UATH_DEV(GLOBALSUN,		AR5523_1),
178 	UATH_DEV(GLOBALSUN,		AR5523_2),
179 	UATH_DEV(NETGEAR,		WG111U),
180 	UATH_DEV(NETGEAR3,		WG111T),
181 	UATH_DEV(NETGEAR3,		WPN111),
182 	UATH_DEV(NETGEAR3,		WPN111_2),
183 	UATH_DEV(UMEDIA,		TEW444UBEU),
184 	UATH_DEV(UMEDIA,		AR5523_2),
185 	UATH_DEV(WISTRONNEWEB,		AR5523_1),
186 	UATH_DEV(WISTRONNEWEB,		AR5523_2),
187 	UATH_DEV(ZCOM,			AR5523)
188 #undef UATH_DEV
189 };
190 
191 static usb_callback_t uath_intr_rx_callback;
192 static usb_callback_t uath_intr_tx_callback;
193 static usb_callback_t uath_bulk_rx_callback;
194 static usb_callback_t uath_bulk_tx_callback;
195 
196 static const struct usb_config uath_usbconfig[UATH_N_XFERS] = {
197 	[UATH_INTR_RX] = {
198 		.type = UE_BULK,
199 		.endpoint = 0x1,
200 		.direction = UE_DIR_IN,
201 		.bufsize = UATH_MAX_CMDSZ,
202 		.flags = {
203 			.pipe_bof = 1,
204 			.short_xfer_ok = 1
205 		},
206 		.callback = uath_intr_rx_callback
207 	},
208 	[UATH_INTR_TX] = {
209 		.type = UE_BULK,
210 		.endpoint = 0x1,
211 		.direction = UE_DIR_OUT,
212 		.bufsize = UATH_MAX_CMDSZ * UATH_CMD_LIST_COUNT,
213 		.flags = {
214 			.force_short_xfer = 1,
215 			.pipe_bof = 1,
216 		},
217 		.callback = uath_intr_tx_callback,
218 		.timeout = UATH_CMD_TIMEOUT
219 	},
220 	[UATH_BULK_RX] = {
221 		.type = UE_BULK,
222 		.endpoint = 0x2,
223 		.direction = UE_DIR_IN,
224 		.bufsize = MCLBYTES,
225 		.flags = {
226 			.ext_buffer = 1,
227 			.pipe_bof = 1,
228 			.short_xfer_ok = 1
229 		},
230 		.callback = uath_bulk_rx_callback
231 	},
232 	[UATH_BULK_TX] = {
233 		.type = UE_BULK,
234 		.endpoint = 0x2,
235 		.direction = UE_DIR_OUT,
236 		.bufsize = UATH_MAX_TXBUFSZ * UATH_TX_DATA_LIST_COUNT,
237 		.flags = {
238 			.force_short_xfer = 1,
239 			.pipe_bof = 1
240 		},
241 		.callback = uath_bulk_tx_callback,
242 		.timeout = UATH_DATA_TIMEOUT
243 	}
244 };
245 
246 static struct ieee80211vap *uath_vap_create(struct ieee80211com *,
247 		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
248 		    const uint8_t [IEEE80211_ADDR_LEN],
249 		    const uint8_t [IEEE80211_ADDR_LEN]);
250 static void	uath_vap_delete(struct ieee80211vap *);
251 static int	uath_alloc_cmd_list(struct uath_softc *, struct uath_cmd []);
252 static void	uath_free_cmd_list(struct uath_softc *, struct uath_cmd []);
253 static int	uath_host_available(struct uath_softc *);
254 static int	uath_get_capability(struct uath_softc *, uint32_t, uint32_t *);
255 static int	uath_get_devcap(struct uath_softc *);
256 static struct uath_cmd *
257 		uath_get_cmdbuf(struct uath_softc *);
258 static int	uath_cmd_read(struct uath_softc *, uint32_t, const void *,
259 		    int, void *, int, int);
260 static int	uath_cmd_write(struct uath_softc *, uint32_t, const void *,
261 		    int, int);
262 static void	uath_stat(void *);
263 #ifdef UATH_DEBUG
264 static void	uath_dump_cmd(const uint8_t *, int, char);
265 static const char *
266 		uath_codename(int);
267 #endif
268 static int	uath_get_devstatus(struct uath_softc *,
269 		    uint8_t macaddr[IEEE80211_ADDR_LEN]);
270 static int	uath_get_status(struct uath_softc *, uint32_t, void *, int);
271 static int	uath_alloc_rx_data_list(struct uath_softc *);
272 static int	uath_alloc_tx_data_list(struct uath_softc *);
273 static void	uath_free_rx_data_list(struct uath_softc *);
274 static void	uath_free_tx_data_list(struct uath_softc *);
275 static int	uath_init(struct uath_softc *);
276 static void	uath_stop(struct uath_softc *);
277 static void	uath_parent(struct ieee80211com *);
278 static int	uath_transmit(struct ieee80211com *, struct mbuf *);
279 static void	uath_start(struct uath_softc *);
280 static int	uath_raw_xmit(struct ieee80211_node *, struct mbuf *,
281 		    const struct ieee80211_bpf_params *);
282 static void	uath_scan_start(struct ieee80211com *);
283 static void	uath_scan_end(struct ieee80211com *);
284 static void	uath_set_channel(struct ieee80211com *);
285 static void	uath_update_mcast(struct ieee80211com *);
286 static void	uath_update_promisc(struct ieee80211com *);
287 static int	uath_config(struct uath_softc *, uint32_t, uint32_t);
288 static int	uath_config_multi(struct uath_softc *, uint32_t, const void *,
289 		    int);
290 static int	uath_switch_channel(struct uath_softc *,
291 		    struct ieee80211_channel *);
292 static int	uath_set_rxfilter(struct uath_softc *, uint32_t, uint32_t);
293 static void	uath_watchdog(void *);
294 static void	uath_abort_xfers(struct uath_softc *);
295 static int	uath_dataflush(struct uath_softc *);
296 static int	uath_cmdflush(struct uath_softc *);
297 static int	uath_flush(struct uath_softc *);
298 static int	uath_set_ledstate(struct uath_softc *, int);
299 static int	uath_set_chan(struct uath_softc *, struct ieee80211_channel *);
300 static int	uath_reset_tx_queues(struct uath_softc *);
301 static int	uath_wme_init(struct uath_softc *);
302 static struct uath_data *
303 		uath_getbuf(struct uath_softc *);
304 static int	uath_newstate(struct ieee80211vap *, enum ieee80211_state,
305 		    int);
306 static int	uath_set_key(struct uath_softc *,
307 		    const struct ieee80211_key *, int);
308 static int	uath_set_keys(struct uath_softc *, struct ieee80211vap *);
309 static void	uath_sysctl_node(struct uath_softc *);
310 
311 static int
312 uath_match(device_t dev)
313 {
314 	struct usb_attach_arg *uaa = device_get_ivars(dev);
315 
316 	if (uaa->usb_mode != USB_MODE_HOST)
317 		return (ENXIO);
318 	if (uaa->info.bConfigIndex != UATH_CONFIG_INDEX)
319 		return (ENXIO);
320 	if (uaa->info.bIfaceIndex != UATH_IFACE_INDEX)
321 		return (ENXIO);
322 
323 	return (usbd_lookup_id_by_uaa(uath_devs, sizeof(uath_devs), uaa));
324 }
325 
326 static int
327 uath_attach(device_t dev)
328 {
329 	struct uath_softc *sc = device_get_softc(dev);
330 	struct usb_attach_arg *uaa = device_get_ivars(dev);
331 	struct ieee80211com *ic = &sc->sc_ic;
332 	uint8_t bands[IEEE80211_MODE_BYTES];
333 	uint8_t iface_index = UATH_IFACE_INDEX;		/* XXX */
334 	usb_error_t error;
335 
336 	sc->sc_dev = dev;
337 	sc->sc_udev = uaa->device;
338 #ifdef UATH_DEBUG
339 	sc->sc_debug = uath_debug;
340 #endif
341 	device_set_usb_desc(dev);
342 
343 	/*
344 	 * Only post-firmware devices here.
345 	 */
346 	mtx_init(&sc->sc_mtx, device_get_nameunit(sc->sc_dev), MTX_NETWORK_LOCK,
347 	    MTX_DEF);
348 	callout_init(&sc->stat_ch, 0);
349 	callout_init_mtx(&sc->watchdog_ch, &sc->sc_mtx, 0);
350 	mbufq_init(&sc->sc_snd, ifqmaxlen);
351 
352 	error = usbd_transfer_setup(uaa->device, &iface_index, sc->sc_xfer,
353 	    uath_usbconfig, UATH_N_XFERS, sc, &sc->sc_mtx);
354 	if (error) {
355 		device_printf(dev, "could not allocate USB transfers, "
356 		    "err=%s\n", usbd_errstr(error));
357 		goto fail;
358 	}
359 
360 	sc->sc_cmd_dma_buf =
361 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_INTR_TX], 0);
362 	sc->sc_tx_dma_buf =
363 	    usbd_xfer_get_frame_buffer(sc->sc_xfer[UATH_BULK_TX], 0);
364 
365 	/*
366 	 * Setup buffers for firmware commands.
367 	 */
368 	error = uath_alloc_cmd_list(sc, sc->sc_cmd);
369 	if (error != 0) {
370 		device_printf(sc->sc_dev,
371 		    "could not allocate Tx command list\n");
372 		goto fail1;
373 	}
374 
375 	/*
376 	 * We're now ready to send+receive firmware commands.
377 	 */
378 	UATH_LOCK(sc);
379 	error = uath_host_available(sc);
380 	if (error != 0) {
381 		device_printf(sc->sc_dev, "could not initialize adapter\n");
382 		goto fail2;
383 	}
384 	error = uath_get_devcap(sc);
385 	if (error != 0) {
386 		device_printf(sc->sc_dev,
387 		    "could not get device capabilities\n");
388 		goto fail2;
389 	}
390 	UATH_UNLOCK(sc);
391 
392 	/* Create device sysctl node. */
393 	uath_sysctl_node(sc);
394 
395 	UATH_LOCK(sc);
396 	error = uath_get_devstatus(sc, ic->ic_macaddr);
397 	if (error != 0) {
398 		device_printf(sc->sc_dev, "could not get device status\n");
399 		goto fail2;
400 	}
401 
402 	/*
403 	 * Allocate xfers for Rx/Tx data pipes.
404 	 */
405 	error = uath_alloc_rx_data_list(sc);
406 	if (error != 0) {
407 		device_printf(sc->sc_dev, "could not allocate Rx data list\n");
408 		goto fail2;
409 	}
410 	error = uath_alloc_tx_data_list(sc);
411 	if (error != 0) {
412 		device_printf(sc->sc_dev, "could not allocate Tx data list\n");
413 		goto fail2;
414 	}
415 	UATH_UNLOCK(sc);
416 
417 	ic->ic_softc = sc;
418 	ic->ic_name = device_get_nameunit(dev);
419 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
420 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
421 
422 	/* set device capabilities */
423 	ic->ic_caps =
424 	    IEEE80211_C_STA |		/* station mode */
425 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
426 	    IEEE80211_C_TXPMGT |	/* tx power management */
427 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
428 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
429 	    IEEE80211_C_WPA |		/* 802.11i */
430 	    IEEE80211_C_BGSCAN |	/* capable of bg scanning */
431 	    IEEE80211_C_TXFRAG;		/* handle tx frags */
432 
433 	/* put a regulatory domain to reveal informations.  */
434 	uath_regdomain = sc->sc_devcap.regDomain;
435 
436 	memset(bands, 0, sizeof(bands));
437 	setbit(bands, IEEE80211_MODE_11B);
438 	setbit(bands, IEEE80211_MODE_11G);
439 	if ((sc->sc_devcap.analog5GhzRevision & 0xf0) == 0x30)
440 		setbit(bands, IEEE80211_MODE_11A);
441 	/* XXX turbo */
442 	ieee80211_init_channels(ic, NULL, bands);
443 
444 	ieee80211_ifattach(ic);
445 	ic->ic_raw_xmit = uath_raw_xmit;
446 	ic->ic_scan_start = uath_scan_start;
447 	ic->ic_scan_end = uath_scan_end;
448 	ic->ic_set_channel = uath_set_channel;
449 	ic->ic_vap_create = uath_vap_create;
450 	ic->ic_vap_delete = uath_vap_delete;
451 	ic->ic_update_mcast = uath_update_mcast;
452 	ic->ic_update_promisc = uath_update_promisc;
453 	ic->ic_transmit = uath_transmit;
454 	ic->ic_parent = uath_parent;
455 
456 	ieee80211_radiotap_attach(ic,
457 	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
458 		UATH_TX_RADIOTAP_PRESENT,
459 	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
460 		UATH_RX_RADIOTAP_PRESENT);
461 
462 	if (bootverbose)
463 		ieee80211_announce(ic);
464 
465 	return (0);
466 
467 fail2:	UATH_UNLOCK(sc);
468 	uath_free_cmd_list(sc, sc->sc_cmd);
469 fail1:	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
470 fail:
471 	return (error);
472 }
473 
474 static int
475 uath_detach(device_t dev)
476 {
477 	struct uath_softc *sc = device_get_softc(dev);
478 	struct ieee80211com *ic = &sc->sc_ic;
479 	unsigned int x;
480 
481 	/*
482 	 * Prevent further allocations from RX/TX/CMD
483 	 * data lists and ioctls
484 	 */
485 	UATH_LOCK(sc);
486 	sc->sc_flags |= UATH_FLAG_INVALID;
487 
488 	STAILQ_INIT(&sc->sc_rx_active);
489 	STAILQ_INIT(&sc->sc_rx_inactive);
490 
491 	STAILQ_INIT(&sc->sc_tx_active);
492 	STAILQ_INIT(&sc->sc_tx_inactive);
493 	STAILQ_INIT(&sc->sc_tx_pending);
494 
495 	STAILQ_INIT(&sc->sc_cmd_active);
496 	STAILQ_INIT(&sc->sc_cmd_pending);
497 	STAILQ_INIT(&sc->sc_cmd_waiting);
498 	STAILQ_INIT(&sc->sc_cmd_inactive);
499 
500 	uath_stop(sc);
501 	UATH_UNLOCK(sc);
502 
503 	callout_drain(&sc->stat_ch);
504 	callout_drain(&sc->watchdog_ch);
505 
506 	/* drain USB transfers */
507 	for (x = 0; x != UATH_N_XFERS; x++)
508 		usbd_transfer_drain(sc->sc_xfer[x]);
509 
510 	/* free data buffers */
511 	UATH_LOCK(sc);
512 	uath_free_rx_data_list(sc);
513 	uath_free_tx_data_list(sc);
514 	uath_free_cmd_list(sc, sc->sc_cmd);
515 	UATH_UNLOCK(sc);
516 
517 	/* free USB transfers and some data buffers */
518 	usbd_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
519 
520 	ieee80211_ifdetach(ic);
521 	mbufq_drain(&sc->sc_snd);
522 	mtx_destroy(&sc->sc_mtx);
523 	return (0);
524 }
525 
526 static void
527 uath_free_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
528 {
529 	int i;
530 
531 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++)
532 		cmds[i].buf = NULL;
533 }
534 
535 static int
536 uath_alloc_cmd_list(struct uath_softc *sc, struct uath_cmd cmds[])
537 {
538 	int i;
539 
540 	STAILQ_INIT(&sc->sc_cmd_active);
541 	STAILQ_INIT(&sc->sc_cmd_pending);
542 	STAILQ_INIT(&sc->sc_cmd_waiting);
543 	STAILQ_INIT(&sc->sc_cmd_inactive);
544 
545 	for (i = 0; i != UATH_CMD_LIST_COUNT; i++) {
546 		struct uath_cmd *cmd = &cmds[i];
547 
548 		cmd->sc = sc;	/* backpointer for callbacks */
549 		cmd->msgid = i;
550 		cmd->buf = ((uint8_t *)sc->sc_cmd_dma_buf) +
551 		    (i * UATH_MAX_CMDSZ);
552 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
553 		UATH_STAT_INC(sc, st_cmd_inactive);
554 	}
555 	return (0);
556 }
557 
558 static int
559 uath_host_available(struct uath_softc *sc)
560 {
561 	struct uath_cmd_host_available setup;
562 
563 	UATH_ASSERT_LOCKED(sc);
564 
565 	/* inform target the host is available */
566 	setup.sw_ver_major = htobe32(ATH_SW_VER_MAJOR);
567 	setup.sw_ver_minor = htobe32(ATH_SW_VER_MINOR);
568 	setup.sw_ver_patch = htobe32(ATH_SW_VER_PATCH);
569 	setup.sw_ver_build = htobe32(ATH_SW_VER_BUILD);
570 	return uath_cmd_read(sc, WDCMSG_HOST_AVAILABLE,
571 		&setup, sizeof setup, NULL, 0, 0);
572 }
573 
574 #ifdef UATH_DEBUG
575 static void
576 uath_dump_cmd(const uint8_t *buf, int len, char prefix)
577 {
578 	const char *sep = "";
579 	int i;
580 
581 	for (i = 0; i < len; i++) {
582 		if ((i % 16) == 0) {
583 			printf("%s%c ", sep, prefix);
584 			sep = "\n";
585 		}
586 		else if ((i % 4) == 0)
587 			printf(" ");
588 		printf("%02x", buf[i]);
589 	}
590 	printf("\n");
591 }
592 
593 static const char *
594 uath_codename(int code)
595 {
596 	static const char *names[] = {
597 	    "0x00",
598 	    "HOST_AVAILABLE",
599 	    "BIND",
600 	    "TARGET_RESET",
601 	    "TARGET_GET_CAPABILITY",
602 	    "TARGET_SET_CONFIG",
603 	    "TARGET_GET_STATUS",
604 	    "TARGET_GET_STATS",
605 	    "TARGET_START",
606 	    "TARGET_STOP",
607 	    "TARGET_ENABLE",
608 	    "TARGET_DISABLE",
609 	    "CREATE_CONNECTION",
610 	    "UPDATE_CONNECT_ATTR",
611 	    "DELETE_CONNECT",
612 	    "SEND",
613 	    "FLUSH",
614 	    "STATS_UPDATE",
615 	    "BMISS",
616 	    "DEVICE_AVAIL",
617 	    "SEND_COMPLETE",
618 	    "DATA_AVAIL",
619 	    "SET_PWR_MODE",
620 	    "BMISS_ACK",
621 	    "SET_LED_STEADY",
622 	    "SET_LED_BLINK",
623 	    "SETUP_BEACON_DESC",
624 	    "BEACON_INIT",
625 	    "RESET_KEY_CACHE",
626 	    "RESET_KEY_CACHE_ENTRY",
627 	    "SET_KEY_CACHE_ENTRY",
628 	    "SET_DECOMP_MASK",
629 	    "SET_REGULATORY_DOMAIN",
630 	    "SET_LED_STATE",
631 	    "WRITE_ASSOCID",
632 	    "SET_STA_BEACON_TIMERS",
633 	    "GET_TSF",
634 	    "RESET_TSF",
635 	    "SET_ADHOC_MODE",
636 	    "SET_BASIC_RATE",
637 	    "MIB_CONTROL",
638 	    "GET_CHANNEL_DATA",
639 	    "GET_CUR_RSSI",
640 	    "SET_ANTENNA_SWITCH",
641 	    "0x2c", "0x2d", "0x2e",
642 	    "USE_SHORT_SLOT_TIME",
643 	    "SET_POWER_MODE",
644 	    "SETUP_PSPOLL_DESC",
645 	    "SET_RX_MULTICAST_FILTER",
646 	    "RX_FILTER",
647 	    "PER_CALIBRATION",
648 	    "RESET",
649 	    "DISABLE",
650 	    "PHY_DISABLE",
651 	    "SET_TX_POWER_LIMIT",
652 	    "SET_TX_QUEUE_PARAMS",
653 	    "SETUP_TX_QUEUE",
654 	    "RELEASE_TX_QUEUE",
655 	};
656 	static char buf[8];
657 
658 	if (code < nitems(names))
659 		return names[code];
660 	if (code == WDCMSG_SET_DEFAULT_KEY)
661 		return "SET_DEFAULT_KEY";
662 	snprintf(buf, sizeof(buf), "0x%02x", code);
663 	return buf;
664 }
665 #endif
666 
667 /*
668  * Low-level function to send read or write commands to the firmware.
669  */
670 static int
671 uath_cmdsend(struct uath_softc *sc, uint32_t code, const void *idata, int ilen,
672     void *odata, int olen, int flags)
673 {
674 	struct uath_cmd_hdr *hdr;
675 	struct uath_cmd *cmd;
676 	int error;
677 
678 	UATH_ASSERT_LOCKED(sc);
679 
680 	/* grab a xfer */
681 	cmd = uath_get_cmdbuf(sc);
682 	if (cmd == NULL) {
683 		device_printf(sc->sc_dev, "%s: empty inactive queue\n",
684 		    __func__);
685 		return (ENOBUFS);
686 	}
687 	cmd->flags = flags;
688 	/* always bulk-out a multiple of 4 bytes */
689 	cmd->buflen = roundup2(sizeof(struct uath_cmd_hdr) + ilen, 4);
690 
691 	hdr = (struct uath_cmd_hdr *)cmd->buf;
692 	memset(hdr, 0, sizeof(struct uath_cmd_hdr));
693 	hdr->len   = htobe32(cmd->buflen);
694 	hdr->code  = htobe32(code);
695 	hdr->msgid = cmd->msgid;	/* don't care about endianness */
696 	hdr->magic = htobe32((cmd->flags & UATH_CMD_FLAG_MAGIC) ? 1 << 24 : 0);
697 	memcpy((uint8_t *)(hdr + 1), idata, ilen);
698 
699 #ifdef UATH_DEBUG
700 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
701 		printf("%s: send  %s [flags 0x%x] olen %d\n",
702 		    __func__, uath_codename(code), cmd->flags, olen);
703 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
704 			uath_dump_cmd(cmd->buf, cmd->buflen, '+');
705 	}
706 #endif
707 	cmd->odata = odata;
708 	KASSERT(odata == NULL ||
709 	    olen < UATH_MAX_CMDSZ - sizeof(*hdr) + sizeof(uint32_t),
710 	    ("odata %p olen %u", odata, olen));
711 	cmd->olen = olen;
712 
713 	STAILQ_INSERT_TAIL(&sc->sc_cmd_pending, cmd, next);
714 	UATH_STAT_INC(sc, st_cmd_pending);
715 	usbd_transfer_start(sc->sc_xfer[UATH_INTR_TX]);
716 
717 	if (cmd->flags & UATH_CMD_FLAG_READ) {
718 		usbd_transfer_start(sc->sc_xfer[UATH_INTR_RX]);
719 
720 		/* wait at most two seconds for command reply */
721 		error = mtx_sleep(cmd, &sc->sc_mtx, 0, "uathcmd", 2 * hz);
722 		cmd->odata = NULL;	/* in case reply comes too late */
723 		if (error != 0) {
724 			device_printf(sc->sc_dev, "timeout waiting for reply "
725 			    "to cmd 0x%x (%u)\n", code, code);
726 		} else if (cmd->olen != olen) {
727 			device_printf(sc->sc_dev, "unexpected reply data count "
728 			    "to cmd 0x%x (%u), got %u, expected %u\n",
729 			    code, code, cmd->olen, olen);
730 			error = EINVAL;
731 		}
732 		return (error);
733 	}
734 	return (0);
735 }
736 
737 static int
738 uath_cmd_read(struct uath_softc *sc, uint32_t code, const void *idata,
739     int ilen, void *odata, int olen, int flags)
740 {
741 
742 	flags |= UATH_CMD_FLAG_READ;
743 	return uath_cmdsend(sc, code, idata, ilen, odata, olen, flags);
744 }
745 
746 static int
747 uath_cmd_write(struct uath_softc *sc, uint32_t code, const void *data, int len,
748     int flags)
749 {
750 
751 	flags &= ~UATH_CMD_FLAG_READ;
752 	return uath_cmdsend(sc, code, data, len, NULL, 0, flags);
753 }
754 
755 static struct uath_cmd *
756 uath_get_cmdbuf(struct uath_softc *sc)
757 {
758 	struct uath_cmd *uc;
759 
760 	UATH_ASSERT_LOCKED(sc);
761 
762 	uc = STAILQ_FIRST(&sc->sc_cmd_inactive);
763 	if (uc != NULL) {
764 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_inactive, next);
765 		UATH_STAT_DEC(sc, st_cmd_inactive);
766 	} else
767 		uc = NULL;
768 	if (uc == NULL)
769 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
770 		    "out of command xmit buffers");
771 	return (uc);
772 }
773 
774 /*
775  * This function is called periodically (every second) when associated to
776  * query device statistics.
777  */
778 static void
779 uath_stat(void *arg)
780 {
781 	struct uath_softc *sc = arg;
782 	int error;
783 
784 	UATH_LOCK(sc);
785 	/*
786 	 * Send request for statistics asynchronously. The timer will be
787 	 * restarted when we'll get the stats notification.
788 	 */
789 	error = uath_cmd_write(sc, WDCMSG_TARGET_GET_STATS, NULL, 0,
790 	    UATH_CMD_FLAG_ASYNC);
791 	if (error != 0) {
792 		device_printf(sc->sc_dev,
793 		    "could not query stats, error %d\n", error);
794 	}
795 	UATH_UNLOCK(sc);
796 }
797 
798 static int
799 uath_get_capability(struct uath_softc *sc, uint32_t cap, uint32_t *val)
800 {
801 	int error;
802 
803 	cap = htobe32(cap);
804 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_CAPABILITY,
805 	    &cap, sizeof cap, val, sizeof(uint32_t), UATH_CMD_FLAG_MAGIC);
806 	if (error != 0) {
807 		device_printf(sc->sc_dev, "could not read capability %u\n",
808 		    be32toh(cap));
809 		return (error);
810 	}
811 	*val = be32toh(*val);
812 	return (error);
813 }
814 
815 static int
816 uath_get_devcap(struct uath_softc *sc)
817 {
818 #define	GETCAP(x, v) do {				\
819 	error = uath_get_capability(sc, x, &v);		\
820 	if (error != 0)					\
821 		return (error);				\
822 	DPRINTF(sc, UATH_DEBUG_DEVCAP,			\
823 	    "%s: %s=0x%08x\n", __func__, #x, v);	\
824 } while (0)
825 	struct uath_devcap *cap = &sc->sc_devcap;
826 	int error;
827 
828 	/* collect device capabilities */
829 	GETCAP(CAP_TARGET_VERSION, cap->targetVersion);
830 	GETCAP(CAP_TARGET_REVISION, cap->targetRevision);
831 	GETCAP(CAP_MAC_VERSION, cap->macVersion);
832 	GETCAP(CAP_MAC_REVISION, cap->macRevision);
833 	GETCAP(CAP_PHY_REVISION, cap->phyRevision);
834 	GETCAP(CAP_ANALOG_5GHz_REVISION, cap->analog5GhzRevision);
835 	GETCAP(CAP_ANALOG_2GHz_REVISION, cap->analog2GhzRevision);
836 
837 	GETCAP(CAP_REG_DOMAIN, cap->regDomain);
838 	GETCAP(CAP_REG_CAP_BITS, cap->regCapBits);
839 #if 0
840 	/* NB: not supported in rev 1.5 */
841 	GETCAP(CAP_COUNTRY_CODE, cap->countryCode);
842 #endif
843 	GETCAP(CAP_WIRELESS_MODES, cap->wirelessModes);
844 	GETCAP(CAP_CHAN_SPREAD_SUPPORT, cap->chanSpreadSupport);
845 	GETCAP(CAP_COMPRESS_SUPPORT, cap->compressSupport);
846 	GETCAP(CAP_BURST_SUPPORT, cap->burstSupport);
847 	GETCAP(CAP_FAST_FRAMES_SUPPORT, cap->fastFramesSupport);
848 	GETCAP(CAP_CHAP_TUNING_SUPPORT, cap->chapTuningSupport);
849 	GETCAP(CAP_TURBOG_SUPPORT, cap->turboGSupport);
850 	GETCAP(CAP_TURBO_PRIME_SUPPORT, cap->turboPrimeSupport);
851 	GETCAP(CAP_DEVICE_TYPE, cap->deviceType);
852 	GETCAP(CAP_WME_SUPPORT, cap->wmeSupport);
853 	GETCAP(CAP_TOTAL_QUEUES, cap->numTxQueues);
854 	GETCAP(CAP_CONNECTION_ID_MAX, cap->connectionIdMax);
855 
856 	GETCAP(CAP_LOW_5GHZ_CHAN, cap->low5GhzChan);
857 	GETCAP(CAP_HIGH_5GHZ_CHAN, cap->high5GhzChan);
858 	GETCAP(CAP_LOW_2GHZ_CHAN, cap->low2GhzChan);
859 	GETCAP(CAP_HIGH_2GHZ_CHAN, cap->high2GhzChan);
860 	GETCAP(CAP_TWICE_ANTENNAGAIN_5G, cap->twiceAntennaGain5G);
861 	GETCAP(CAP_TWICE_ANTENNAGAIN_2G, cap->twiceAntennaGain2G);
862 
863 	GETCAP(CAP_CIPHER_AES_CCM, cap->supportCipherAES_CCM);
864 	GETCAP(CAP_CIPHER_TKIP, cap->supportCipherTKIP);
865 	GETCAP(CAP_MIC_TKIP, cap->supportMicTKIP);
866 
867 	cap->supportCipherWEP = 1;	/* NB: always available */
868 
869 	return (0);
870 }
871 
872 static int
873 uath_get_devstatus(struct uath_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
874 {
875 	int error;
876 
877 	/* retrieve MAC address */
878 	error = uath_get_status(sc, ST_MAC_ADDR, macaddr, IEEE80211_ADDR_LEN);
879 	if (error != 0) {
880 		device_printf(sc->sc_dev, "could not read MAC address\n");
881 		return (error);
882 	}
883 
884 	error = uath_get_status(sc, ST_SERIAL_NUMBER,
885 	    &sc->sc_serial[0], sizeof(sc->sc_serial));
886 	if (error != 0) {
887 		device_printf(sc->sc_dev,
888 		    "could not read device serial number\n");
889 		return (error);
890 	}
891 	return (0);
892 }
893 
894 static int
895 uath_get_status(struct uath_softc *sc, uint32_t which, void *odata, int olen)
896 {
897 	int error;
898 
899 	which = htobe32(which);
900 	error = uath_cmd_read(sc, WDCMSG_TARGET_GET_STATUS,
901 	    &which, sizeof(which), odata, olen, UATH_CMD_FLAG_MAGIC);
902 	if (error != 0)
903 		device_printf(sc->sc_dev,
904 		    "could not read EEPROM offset 0x%02x\n", be32toh(which));
905 	return (error);
906 }
907 
908 static void
909 uath_free_data_list(struct uath_softc *sc, struct uath_data data[], int ndata,
910     int fillmbuf)
911 {
912 	int i;
913 
914 	for (i = 0; i < ndata; i++) {
915 		struct uath_data *dp = &data[i];
916 
917 		if (fillmbuf == 1) {
918 			if (dp->m != NULL) {
919 				m_freem(dp->m);
920 				dp->m = NULL;
921 				dp->buf = NULL;
922 			}
923 		} else {
924 			dp->buf = NULL;
925 		}
926 		if (dp->ni != NULL) {
927 			ieee80211_free_node(dp->ni);
928 			dp->ni = NULL;
929 		}
930 	}
931 }
932 
933 static int
934 uath_alloc_data_list(struct uath_softc *sc, struct uath_data data[],
935     int ndata, int maxsz, void *dma_buf)
936 {
937 	int i, error;
938 
939 	for (i = 0; i < ndata; i++) {
940 		struct uath_data *dp = &data[i];
941 
942 		dp->sc = sc;
943 		if (dma_buf == NULL) {
944 			/* XXX check maxsz */
945 			dp->m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
946 			if (dp->m == NULL) {
947 				device_printf(sc->sc_dev,
948 				    "could not allocate rx mbuf\n");
949 				error = ENOMEM;
950 				goto fail;
951 			}
952 			dp->buf = mtod(dp->m, uint8_t *);
953 		} else {
954 			dp->m = NULL;
955 			dp->buf = ((uint8_t *)dma_buf) + (i * maxsz);
956 		}
957 		dp->ni = NULL;
958 	}
959 
960 	return (0);
961 
962 fail:	uath_free_data_list(sc, data, ndata, 1 /* free mbufs */);
963 	return (error);
964 }
965 
966 static int
967 uath_alloc_rx_data_list(struct uath_softc *sc)
968 {
969 	int error, i;
970 
971 	/* XXX is it enough to store the RX packet with MCLBYTES bytes?  */
972 	error = uath_alloc_data_list(sc,
973 	    sc->sc_rx, UATH_RX_DATA_LIST_COUNT, MCLBYTES,
974 	    NULL /* setup mbufs */);
975 	if (error != 0)
976 		return (error);
977 
978 	STAILQ_INIT(&sc->sc_rx_active);
979 	STAILQ_INIT(&sc->sc_rx_inactive);
980 
981 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
982 		STAILQ_INSERT_HEAD(&sc->sc_rx_inactive, &sc->sc_rx[i],
983 		    next);
984 		UATH_STAT_INC(sc, st_rx_inactive);
985 	}
986 
987 	return (0);
988 }
989 
990 static int
991 uath_alloc_tx_data_list(struct uath_softc *sc)
992 {
993 	int error, i;
994 
995 	error = uath_alloc_data_list(sc,
996 	    sc->sc_tx, UATH_TX_DATA_LIST_COUNT, UATH_MAX_TXBUFSZ,
997 	    sc->sc_tx_dma_buf);
998 	if (error != 0)
999 		return (error);
1000 
1001 	STAILQ_INIT(&sc->sc_tx_active);
1002 	STAILQ_INIT(&sc->sc_tx_inactive);
1003 	STAILQ_INIT(&sc->sc_tx_pending);
1004 
1005 	for (i = 0; i < UATH_TX_DATA_LIST_COUNT; i++) {
1006 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, &sc->sc_tx[i],
1007 		    next);
1008 		UATH_STAT_INC(sc, st_tx_inactive);
1009 	}
1010 
1011 	return (0);
1012 }
1013 
1014 static void
1015 uath_free_rx_data_list(struct uath_softc *sc)
1016 {
1017 	uath_free_data_list(sc, sc->sc_rx, UATH_RX_DATA_LIST_COUNT,
1018 	    1 /* free mbufs */);
1019 }
1020 
1021 static void
1022 uath_free_tx_data_list(struct uath_softc *sc)
1023 {
1024 	uath_free_data_list(sc, sc->sc_tx, UATH_TX_DATA_LIST_COUNT,
1025 	    0 /* no mbufs */);
1026 }
1027 
1028 static struct ieee80211vap *
1029 uath_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
1030     enum ieee80211_opmode opmode, int flags,
1031     const uint8_t bssid[IEEE80211_ADDR_LEN],
1032     const uint8_t mac[IEEE80211_ADDR_LEN])
1033 {
1034 	struct uath_vap *uvp;
1035 	struct ieee80211vap *vap;
1036 
1037 	if (!TAILQ_EMPTY(&ic->ic_vaps))		/* only one at a time */
1038 		return (NULL);
1039 	uvp =  malloc(sizeof(struct uath_vap), M_80211_VAP, M_WAITOK | M_ZERO);
1040 	vap = &uvp->vap;
1041 	/* enable s/w bmiss handling for sta mode */
1042 
1043 	if (ieee80211_vap_setup(ic, vap, name, unit, opmode,
1044 	    flags | IEEE80211_CLONE_NOBEACONS, bssid) != 0) {
1045 		/* out of memory */
1046 		free(uvp, M_80211_VAP);
1047 		return (NULL);
1048 	}
1049 
1050 	/* override state transition machine */
1051 	uvp->newstate = vap->iv_newstate;
1052 	vap->iv_newstate = uath_newstate;
1053 
1054 	/* complete setup */
1055 	ieee80211_vap_attach(vap, ieee80211_media_change,
1056 	    ieee80211_media_status, mac);
1057 	ic->ic_opmode = opmode;
1058 	return (vap);
1059 }
1060 
1061 static void
1062 uath_vap_delete(struct ieee80211vap *vap)
1063 {
1064 	struct uath_vap *uvp = UATH_VAP(vap);
1065 
1066 	ieee80211_vap_detach(vap);
1067 	free(uvp, M_80211_VAP);
1068 }
1069 
1070 static int
1071 uath_init(struct uath_softc *sc)
1072 {
1073 	struct ieee80211com *ic = &sc->sc_ic;
1074 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1075 	uint32_t val;
1076 	int error;
1077 
1078 	UATH_ASSERT_LOCKED(sc);
1079 
1080 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1081 		uath_stop(sc);
1082 
1083 	/* reset variables */
1084 	sc->sc_intrx_nextnum = sc->sc_msgid = 0;
1085 
1086 	val = htobe32(0);
1087 	uath_cmd_write(sc, WDCMSG_BIND, &val, sizeof val, 0);
1088 
1089 	/* set MAC address */
1090 	uath_config_multi(sc, CFG_MAC_ADDR,
1091 	    vap ? vap->iv_myaddr : ic->ic_macaddr, IEEE80211_ADDR_LEN);
1092 
1093 	/* XXX honor net80211 state */
1094 	uath_config(sc, CFG_RATE_CONTROL_ENABLE, 0x00000001);
1095 	uath_config(sc, CFG_DIVERSITY_CTL, 0x00000001);
1096 	uath_config(sc, CFG_ABOLT, 0x0000003f);
1097 	uath_config(sc, CFG_WME_ENABLED, 0x00000001);
1098 
1099 	uath_config(sc, CFG_SERVICE_TYPE, 1);
1100 	uath_config(sc, CFG_TP_SCALE, 0x00000000);
1101 	uath_config(sc, CFG_TPC_HALF_DBM5, 0x0000003c);
1102 	uath_config(sc, CFG_TPC_HALF_DBM2, 0x0000003c);
1103 	uath_config(sc, CFG_OVERRD_TX_POWER, 0x00000000);
1104 	uath_config(sc, CFG_GMODE_PROTECTION, 0x00000000);
1105 	uath_config(sc, CFG_GMODE_PROTECT_RATE_INDEX, 0x00000003);
1106 	uath_config(sc, CFG_PROTECTION_TYPE, 0x00000000);
1107 	uath_config(sc, CFG_MODE_CTS, 0x00000002);
1108 
1109 	error = uath_cmd_read(sc, WDCMSG_TARGET_START, NULL, 0,
1110 	    &val, sizeof(val), UATH_CMD_FLAG_MAGIC);
1111 	if (error) {
1112 		device_printf(sc->sc_dev,
1113 		    "could not start target, error %d\n", error);
1114 		goto fail;
1115 	}
1116 	DPRINTF(sc, UATH_DEBUG_INIT, "%s returns handle: 0x%x\n",
1117 	    uath_codename(WDCMSG_TARGET_START), be32toh(val));
1118 
1119 	/* set default channel */
1120 	error = uath_switch_channel(sc, ic->ic_curchan);
1121 	if (error) {
1122 		device_printf(sc->sc_dev,
1123 		    "could not switch channel, error %d\n", error);
1124 		goto fail;
1125 	}
1126 
1127 	val = htobe32(TARGET_DEVICE_AWAKE);
1128 	uath_cmd_write(sc, WDCMSG_SET_PWR_MODE, &val, sizeof val, 0);
1129 	/* XXX? check */
1130 	uath_cmd_write(sc, WDCMSG_RESET_KEY_CACHE, NULL, 0, 0);
1131 
1132 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_RX]);
1133 	/* enable Rx */
1134 	uath_set_rxfilter(sc, 0x0, UATH_FILTER_OP_INIT);
1135 	uath_set_rxfilter(sc,
1136 	    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1137 	    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON,
1138 	    UATH_FILTER_OP_SET);
1139 
1140 	sc->sc_flags |= UATH_FLAG_INITDONE;
1141 
1142 	callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1143 
1144 	return (0);
1145 
1146 fail:
1147 	uath_stop(sc);
1148 	return (error);
1149 }
1150 
1151 static void
1152 uath_stop(struct uath_softc *sc)
1153 {
1154 
1155 	UATH_ASSERT_LOCKED(sc);
1156 
1157 	sc->sc_flags &= ~UATH_FLAG_INITDONE;
1158 
1159 	callout_stop(&sc->stat_ch);
1160 	callout_stop(&sc->watchdog_ch);
1161 	sc->sc_tx_timer = 0;
1162 	/* abort pending transmits  */
1163 	uath_abort_xfers(sc);
1164 	/* flush data & control requests into the target  */
1165 	(void)uath_flush(sc);
1166 	/* set a LED status to the disconnected.  */
1167 	uath_set_ledstate(sc, 0);
1168 	/* stop the target  */
1169 	uath_cmd_write(sc, WDCMSG_TARGET_STOP, NULL, 0, 0);
1170 }
1171 
1172 static int
1173 uath_config(struct uath_softc *sc, uint32_t reg, uint32_t val)
1174 {
1175 	struct uath_write_mac write;
1176 	int error;
1177 
1178 	write.reg = htobe32(reg);
1179 	write.len = htobe32(0);	/* 0 = single write */
1180 	*(uint32_t *)write.data = htobe32(val);
1181 
1182 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1183 	    3 * sizeof (uint32_t), 0);
1184 	if (error != 0) {
1185 		device_printf(sc->sc_dev, "could not write register 0x%02x\n",
1186 		    reg);
1187 	}
1188 	return (error);
1189 }
1190 
1191 static int
1192 uath_config_multi(struct uath_softc *sc, uint32_t reg, const void *data,
1193     int len)
1194 {
1195 	struct uath_write_mac write;
1196 	int error;
1197 
1198 	write.reg = htobe32(reg);
1199 	write.len = htobe32(len);
1200 	bcopy(data, write.data, len);
1201 
1202 	/* properly handle the case where len is zero (reset) */
1203 	error = uath_cmd_write(sc, WDCMSG_TARGET_SET_CONFIG, &write,
1204 	    (len == 0) ? sizeof (uint32_t) : 2 * sizeof (uint32_t) + len, 0);
1205 	if (error != 0) {
1206 		device_printf(sc->sc_dev,
1207 		    "could not write %d bytes to register 0x%02x\n", len, reg);
1208 	}
1209 	return (error);
1210 }
1211 
1212 static int
1213 uath_switch_channel(struct uath_softc *sc, struct ieee80211_channel *c)
1214 {
1215 	int error;
1216 
1217 	UATH_ASSERT_LOCKED(sc);
1218 
1219 	/* set radio frequency */
1220 	error = uath_set_chan(sc, c);
1221 	if (error) {
1222 		device_printf(sc->sc_dev,
1223 		    "could not set channel, error %d\n", error);
1224 		goto failed;
1225 	}
1226 	/* reset Tx rings */
1227 	error = uath_reset_tx_queues(sc);
1228 	if (error) {
1229 		device_printf(sc->sc_dev,
1230 		    "could not reset Tx queues, error %d\n", error);
1231 		goto failed;
1232 	}
1233 	/* set Tx rings WME properties */
1234 	error = uath_wme_init(sc);
1235 	if (error) {
1236 		device_printf(sc->sc_dev,
1237 		    "could not init Tx queues, error %d\n", error);
1238 		goto failed;
1239 	}
1240 	error = uath_set_ledstate(sc, 0);
1241 	if (error) {
1242 		device_printf(sc->sc_dev,
1243 		    "could not set led state, error %d\n", error);
1244 		goto failed;
1245 	}
1246 	error = uath_flush(sc);
1247 	if (error) {
1248 		device_printf(sc->sc_dev,
1249 		    "could not flush pipes, error %d\n", error);
1250 		goto failed;
1251 	}
1252 failed:
1253 	return (error);
1254 }
1255 
1256 static int
1257 uath_set_rxfilter(struct uath_softc *sc, uint32_t bits, uint32_t op)
1258 {
1259 	struct uath_cmd_rx_filter rxfilter;
1260 
1261 	rxfilter.bits = htobe32(bits);
1262 	rxfilter.op = htobe32(op);
1263 
1264 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
1265 	    "setting Rx filter=0x%x flags=0x%x\n", bits, op);
1266 	return uath_cmd_write(sc, WDCMSG_RX_FILTER, &rxfilter,
1267 	    sizeof rxfilter, 0);
1268 }
1269 
1270 static void
1271 uath_watchdog(void *arg)
1272 {
1273 	struct uath_softc *sc = arg;
1274 	struct ieee80211com *ic = &sc->sc_ic;
1275 
1276 	if (sc->sc_tx_timer > 0) {
1277 		if (--sc->sc_tx_timer == 0) {
1278 			device_printf(sc->sc_dev, "device timeout\n");
1279 			counter_u64_add(ic->ic_oerrors, 1);
1280 			ieee80211_restart_all(ic);
1281 			return;
1282 		}
1283 		callout_reset(&sc->watchdog_ch, hz, uath_watchdog, sc);
1284 	}
1285 }
1286 
1287 static void
1288 uath_abort_xfers(struct uath_softc *sc)
1289 {
1290 	int i;
1291 
1292 	UATH_ASSERT_LOCKED(sc);
1293 	/* abort any pending transfers */
1294 	for (i = 0; i < UATH_N_XFERS; i++)
1295 		usbd_transfer_stop(sc->sc_xfer[i]);
1296 }
1297 
1298 static int
1299 uath_flush(struct uath_softc *sc)
1300 {
1301 	int error;
1302 
1303 	error = uath_dataflush(sc);
1304 	if (error != 0)
1305 		goto failed;
1306 
1307 	error = uath_cmdflush(sc);
1308 	if (error != 0)
1309 		goto failed;
1310 
1311 failed:
1312 	return (error);
1313 }
1314 
1315 static int
1316 uath_cmdflush(struct uath_softc *sc)
1317 {
1318 
1319 	return uath_cmd_write(sc, WDCMSG_FLUSH, NULL, 0, 0);
1320 }
1321 
1322 static int
1323 uath_dataflush(struct uath_softc *sc)
1324 {
1325 	struct uath_data *data;
1326 	struct uath_chunk *chunk;
1327 	struct uath_tx_desc *desc;
1328 
1329 	UATH_ASSERT_LOCKED(sc);
1330 
1331 	data = uath_getbuf(sc);
1332 	if (data == NULL)
1333 		return (ENOBUFS);
1334 	data->buflen = sizeof(struct uath_chunk) + sizeof(struct uath_tx_desc);
1335 	data->m = NULL;
1336 	data->ni = NULL;
1337 	chunk = (struct uath_chunk *)data->buf;
1338 	desc = (struct uath_tx_desc *)(chunk + 1);
1339 
1340 	/* one chunk only */
1341 	chunk->seqnum = 0;
1342 	chunk->flags = UATH_CFLAGS_FINAL;
1343 	chunk->length = htobe16(sizeof (struct uath_tx_desc));
1344 
1345 	memset(desc, 0, sizeof(struct uath_tx_desc));
1346 	desc->msglen = htobe32(sizeof(struct uath_tx_desc));
1347 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1348 	desc->type   = htobe32(WDCMSG_FLUSH);
1349 	desc->txqid  = htobe32(0);
1350 	desc->connid = htobe32(0);
1351 	desc->flags  = htobe32(0);
1352 
1353 #ifdef UATH_DEBUG
1354 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
1355 		DPRINTF(sc, UATH_DEBUG_RESET, "send flush ix %d\n",
1356 		    desc->msgid);
1357 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
1358 			uath_dump_cmd(data->buf, data->buflen, '+');
1359 	}
1360 #endif
1361 
1362 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1363 	UATH_STAT_INC(sc, st_tx_pending);
1364 	sc->sc_tx_timer = 5;
1365 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1366 
1367 	return (0);
1368 }
1369 
1370 static struct uath_data *
1371 _uath_getbuf(struct uath_softc *sc)
1372 {
1373 	struct uath_data *bf;
1374 
1375 	bf = STAILQ_FIRST(&sc->sc_tx_inactive);
1376 	if (bf != NULL) {
1377 		STAILQ_REMOVE_HEAD(&sc->sc_tx_inactive, next);
1378 		UATH_STAT_DEC(sc, st_tx_inactive);
1379 	} else
1380 		bf = NULL;
1381 	if (bf == NULL)
1382 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: %s\n", __func__,
1383 		    "out of xmit buffers");
1384 	return (bf);
1385 }
1386 
1387 static struct uath_data *
1388 uath_getbuf(struct uath_softc *sc)
1389 {
1390 	struct uath_data *bf;
1391 
1392 	UATH_ASSERT_LOCKED(sc);
1393 
1394 	bf = _uath_getbuf(sc);
1395 	if (bf == NULL)
1396 		DPRINTF(sc, UATH_DEBUG_XMIT, "%s: stop queue\n", __func__);
1397 	return (bf);
1398 }
1399 
1400 static int
1401 uath_set_ledstate(struct uath_softc *sc, int connected)
1402 {
1403 
1404 	DPRINTF(sc, UATH_DEBUG_LED,
1405 	    "set led state %sconnected\n", connected ? "" : "!");
1406 	connected = htobe32(connected);
1407 	return uath_cmd_write(sc, WDCMSG_SET_LED_STATE,
1408 	     &connected, sizeof connected, 0);
1409 }
1410 
1411 static int
1412 uath_set_chan(struct uath_softc *sc, struct ieee80211_channel *c)
1413 {
1414 #ifdef UATH_DEBUG
1415 	struct ieee80211com *ic = &sc->sc_ic;
1416 #endif
1417 	struct uath_cmd_reset reset;
1418 
1419 	memset(&reset, 0, sizeof(reset));
1420 	if (IEEE80211_IS_CHAN_2GHZ(c))
1421 		reset.flags |= htobe32(UATH_CHAN_2GHZ);
1422 	if (IEEE80211_IS_CHAN_5GHZ(c))
1423 		reset.flags |= htobe32(UATH_CHAN_5GHZ);
1424 	/* NB: 11g =>'s 11b so don't specify both OFDM and CCK */
1425 	if (IEEE80211_IS_CHAN_OFDM(c))
1426 		reset.flags |= htobe32(UATH_CHAN_OFDM);
1427 	else if (IEEE80211_IS_CHAN_CCK(c))
1428 		reset.flags |= htobe32(UATH_CHAN_CCK);
1429 	/* turbo can be used in either 2GHz or 5GHz */
1430 	if (c->ic_flags & IEEE80211_CHAN_TURBO)
1431 		reset.flags |= htobe32(UATH_CHAN_TURBO);
1432 	reset.freq = htobe32(c->ic_freq);
1433 	reset.maxrdpower = htobe32(50);	/* XXX */
1434 	reset.channelchange = htobe32(1);
1435 	reset.keeprccontent = htobe32(0);
1436 
1437 	DPRINTF(sc, UATH_DEBUG_CHANNEL, "set channel %d, flags 0x%x freq %u\n",
1438 	    ieee80211_chan2ieee(ic, c),
1439 	    be32toh(reset.flags), be32toh(reset.freq));
1440 	return uath_cmd_write(sc, WDCMSG_RESET, &reset, sizeof reset, 0);
1441 }
1442 
1443 static int
1444 uath_reset_tx_queues(struct uath_softc *sc)
1445 {
1446 	int ac, error;
1447 
1448 	DPRINTF(sc, UATH_DEBUG_RESET, "%s: reset Tx queues\n", __func__);
1449 	for (ac = 0; ac < 4; ac++) {
1450 		const uint32_t qid = htobe32(ac);
1451 
1452 		error = uath_cmd_write(sc, WDCMSG_RELEASE_TX_QUEUE, &qid,
1453 		    sizeof qid, 0);
1454 		if (error != 0)
1455 			break;
1456 	}
1457 	return (error);
1458 }
1459 
1460 static int
1461 uath_wme_init(struct uath_softc *sc)
1462 {
1463 	/* XXX get from net80211 */
1464 	static const struct uath_wme_settings uath_wme_11g[4] = {
1465 		{ 7, 4, 10,  0, 0 },	/* Background */
1466 		{ 3, 4, 10,  0, 0 },	/* Best-Effort */
1467 		{ 3, 3,  4, 26, 0 },	/* Video */
1468 		{ 2, 2,  3, 47, 0 }	/* Voice */
1469 	};
1470 	struct uath_cmd_txq_setup qinfo;
1471 	int ac, error;
1472 
1473 	DPRINTF(sc, UATH_DEBUG_WME, "%s: setup Tx queues\n", __func__);
1474 	for (ac = 0; ac < 4; ac++) {
1475 		qinfo.qid		= htobe32(ac);
1476 		qinfo.len		= htobe32(sizeof(qinfo.attr));
1477 		qinfo.attr.priority	= htobe32(ac);	/* XXX */
1478 		qinfo.attr.aifs		= htobe32(uath_wme_11g[ac].aifsn);
1479 		qinfo.attr.logcwmin	= htobe32(uath_wme_11g[ac].logcwmin);
1480 		qinfo.attr.logcwmax	= htobe32(uath_wme_11g[ac].logcwmax);
1481 		qinfo.attr.bursttime	= htobe32(IEEE80211_TXOP_TO_US(
1482 					    uath_wme_11g[ac].txop));
1483 		qinfo.attr.mode		= htobe32(uath_wme_11g[ac].acm);/*XXX? */
1484 		qinfo.attr.qflags	= htobe32(1);	/* XXX? */
1485 
1486 		error = uath_cmd_write(sc, WDCMSG_SETUP_TX_QUEUE, &qinfo,
1487 		    sizeof qinfo, 0);
1488 		if (error != 0)
1489 			break;
1490 	}
1491 	return (error);
1492 }
1493 
1494 static void
1495 uath_parent(struct ieee80211com *ic)
1496 {
1497 	struct uath_softc *sc = ic->ic_softc;
1498 	int startall = 0;
1499 
1500 	UATH_LOCK(sc);
1501 	if (sc->sc_flags & UATH_FLAG_INVALID) {
1502 		UATH_UNLOCK(sc);
1503 		return;
1504 	}
1505 
1506 	if (ic->ic_nrunning > 0) {
1507 		if (!(sc->sc_flags & UATH_FLAG_INITDONE)) {
1508 			uath_init(sc);
1509 			startall = 1;
1510 		}
1511 	} else if (sc->sc_flags & UATH_FLAG_INITDONE)
1512 		uath_stop(sc);
1513 	UATH_UNLOCK(sc);
1514 	if (startall)
1515 		ieee80211_start_all(ic);
1516 }
1517 
1518 static int
1519 uath_tx_start(struct uath_softc *sc, struct mbuf *m0, struct ieee80211_node *ni,
1520     struct uath_data *data)
1521 {
1522 	struct ieee80211vap *vap = ni->ni_vap;
1523 	struct uath_chunk *chunk;
1524 	struct uath_tx_desc *desc;
1525 	const struct ieee80211_frame *wh;
1526 	struct ieee80211_key *k;
1527 	int framelen, msglen;
1528 
1529 	UATH_ASSERT_LOCKED(sc);
1530 
1531 	data->ni = ni;
1532 	data->m = m0;
1533 	chunk = (struct uath_chunk *)data->buf;
1534 	desc = (struct uath_tx_desc *)(chunk + 1);
1535 
1536 	if (ieee80211_radiotap_active_vap(vap)) {
1537 		struct uath_tx_radiotap_header *tap = &sc->sc_txtap;
1538 
1539 		tap->wt_flags = 0;
1540 		if (m0->m_flags & M_FRAG)
1541 			tap->wt_flags |= IEEE80211_RADIOTAP_F_FRAG;
1542 
1543 		ieee80211_radiotap_tx(vap, m0);
1544 	}
1545 
1546 	wh = mtod(m0, struct ieee80211_frame *);
1547 	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
1548 		k = ieee80211_crypto_encap(ni, m0);
1549 		if (k == NULL) {
1550 			m_freem(m0);
1551 			return (ENOBUFS);
1552 		}
1553 
1554 		/* packet header may have moved, reset our local pointer */
1555 		wh = mtod(m0, struct ieee80211_frame *);
1556 	}
1557 	m_copydata(m0, 0, m0->m_pkthdr.len, (uint8_t *)(desc + 1));
1558 
1559 	framelen = m0->m_pkthdr.len + IEEE80211_CRC_LEN;
1560 	msglen = framelen + sizeof (struct uath_tx_desc);
1561 	data->buflen = msglen + sizeof (struct uath_chunk);
1562 
1563 	/* one chunk only for now */
1564 	chunk->seqnum = sc->sc_seqnum++;
1565 	chunk->flags = (m0->m_flags & M_FRAG) ? 0 : UATH_CFLAGS_FINAL;
1566 	if (m0->m_flags & M_LASTFRAG)
1567 		chunk->flags |= UATH_CFLAGS_FINAL;
1568 	chunk->flags = UATH_CFLAGS_FINAL;
1569 	chunk->length = htobe16(msglen);
1570 
1571 	/* fill Tx descriptor */
1572 	desc->msglen = htobe32(msglen);
1573 	/* NB: to get UATH_TX_NOTIFY reply, `msgid' must be larger than 0  */
1574 	desc->msgid  = (sc->sc_msgid++) + 1; /* don't care about endianness */
1575 	desc->type   = htobe32(WDCMSG_SEND);
1576 	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
1577 	case IEEE80211_FC0_TYPE_CTL:
1578 	case IEEE80211_FC0_TYPE_MGT:
1579 		/* NB: force all management frames to highest queue */
1580 		if (ni->ni_flags & IEEE80211_NODE_QOS) {
1581 			/* NB: force all management frames to highest queue */
1582 			desc->txqid = htobe32(WME_AC_VO | UATH_TXQID_MINRATE);
1583 		} else
1584 			desc->txqid = htobe32(WME_AC_BE | UATH_TXQID_MINRATE);
1585 		break;
1586 	case IEEE80211_FC0_TYPE_DATA:
1587 		/* XXX multicast frames should honor mcastrate */
1588 		desc->txqid = htobe32(M_WME_GETAC(m0));
1589 		break;
1590 	default:
1591 		device_printf(sc->sc_dev, "bogus frame type 0x%x (%s)\n",
1592 			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
1593 		m_freem(m0);
1594 		return (EIO);
1595 	}
1596 	if (vap->iv_state == IEEE80211_S_AUTH ||
1597 	    vap->iv_state == IEEE80211_S_ASSOC ||
1598 	    vap->iv_state == IEEE80211_S_RUN)
1599 		desc->connid = htobe32(UATH_ID_BSS);
1600 	else
1601 		desc->connid = htobe32(UATH_ID_INVALID);
1602 	desc->flags  = htobe32(0 /* no UATH_TX_NOTIFY */);
1603 	desc->buflen = htobe32(m0->m_pkthdr.len);
1604 
1605 #ifdef UATH_DEBUG
1606 	DPRINTF(sc, UATH_DEBUG_XMIT,
1607 	    "send frame ix %u framelen %d msglen %d connid 0x%x txqid 0x%x\n",
1608 	    desc->msgid, framelen, msglen, be32toh(desc->connid),
1609 	    be32toh(desc->txqid));
1610 	if (sc->sc_debug & UATH_DEBUG_XMIT_DUMP)
1611 		uath_dump_cmd(data->buf, data->buflen, '+');
1612 #endif
1613 
1614 	STAILQ_INSERT_TAIL(&sc->sc_tx_pending, data, next);
1615 	UATH_STAT_INC(sc, st_tx_pending);
1616 	usbd_transfer_start(sc->sc_xfer[UATH_BULK_TX]);
1617 
1618 	return (0);
1619 }
1620 
1621 /*
1622  * Cleanup driver resources when we run out of buffers while processing
1623  * fragments; return the tx buffers allocated and drop node references.
1624  */
1625 static void
1626 uath_txfrag_cleanup(struct uath_softc *sc,
1627     uath_datahead *frags, struct ieee80211_node *ni)
1628 {
1629 	struct uath_data *bf, *next;
1630 
1631 	UATH_ASSERT_LOCKED(sc);
1632 
1633 	STAILQ_FOREACH_SAFE(bf, frags, next, next) {
1634 		/* NB: bf assumed clean */
1635 		STAILQ_REMOVE_HEAD(frags, next);
1636 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1637 		UATH_STAT_INC(sc, st_tx_inactive);
1638 		ieee80211_node_decref(ni);
1639 	}
1640 }
1641 
1642 /*
1643  * Setup xmit of a fragmented frame.  Allocate a buffer for each frag and bump
1644  * the node reference count to reflect the held reference to be setup by
1645  * uath_tx_start.
1646  */
1647 static int
1648 uath_txfrag_setup(struct uath_softc *sc, uath_datahead *frags,
1649     struct mbuf *m0, struct ieee80211_node *ni)
1650 {
1651 	struct mbuf *m;
1652 	struct uath_data *bf;
1653 
1654 	UATH_ASSERT_LOCKED(sc);
1655 	for (m = m0->m_nextpkt; m != NULL; m = m->m_nextpkt) {
1656 		bf = uath_getbuf(sc);
1657 		if (bf == NULL) {       /* out of buffers, cleanup */
1658 			uath_txfrag_cleanup(sc, frags, ni);
1659 			break;
1660 		}
1661 		ieee80211_node_incref(ni);
1662 		STAILQ_INSERT_TAIL(frags, bf, next);
1663 	}
1664 
1665 	return !STAILQ_EMPTY(frags);
1666 }
1667 
1668 static int
1669 uath_transmit(struct ieee80211com *ic, struct mbuf *m)
1670 {
1671 	struct uath_softc *sc = ic->ic_softc;
1672 	int error;
1673 
1674 	UATH_LOCK(sc);
1675 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1676 		UATH_UNLOCK(sc);
1677 		return (ENXIO);
1678 	}
1679 	error = mbufq_enqueue(&sc->sc_snd, m);
1680 	if (error) {
1681 		UATH_UNLOCK(sc);
1682 		return (error);
1683 	}
1684 	uath_start(sc);
1685 	UATH_UNLOCK(sc);
1686 
1687 	return (0);
1688 }
1689 
1690 static void
1691 uath_start(struct uath_softc *sc)
1692 {
1693 	struct uath_data *bf;
1694 	struct ieee80211_node *ni;
1695 	struct mbuf *m, *next;
1696 	uath_datahead frags;
1697 
1698 	UATH_ASSERT_LOCKED(sc);
1699 
1700 	if ((sc->sc_flags & UATH_FLAG_INITDONE) == 0 ||
1701 	    (sc->sc_flags & UATH_FLAG_INVALID))
1702 		return;
1703 
1704 	while ((m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
1705 		bf = uath_getbuf(sc);
1706 		if (bf == NULL) {
1707 			mbufq_prepend(&sc->sc_snd, m);
1708 			break;
1709 		}
1710 
1711 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
1712 		m->m_pkthdr.rcvif = NULL;
1713 
1714 		/*
1715 		 * Check for fragmentation.  If this frame has been broken up
1716 		 * verify we have enough buffers to send all the fragments
1717 		 * so all go out or none...
1718 		 */
1719 		STAILQ_INIT(&frags);
1720 		if ((m->m_flags & M_FRAG) &&
1721 		    !uath_txfrag_setup(sc, &frags, m, ni)) {
1722 			DPRINTF(sc, UATH_DEBUG_XMIT,
1723 			    "%s: out of txfrag buffers\n", __func__);
1724 			ieee80211_free_mbuf(m);
1725 			goto bad;
1726 		}
1727 		sc->sc_seqnum = 0;
1728 	nextfrag:
1729 		/*
1730 		 * Pass the frame to the h/w for transmission.
1731 		 * Fragmented frames have each frag chained together
1732 		 * with m_nextpkt.  We know there are sufficient uath_data's
1733 		 * to send all the frags because of work done by
1734 		 * uath_txfrag_setup.
1735 		 */
1736 		next = m->m_nextpkt;
1737 		if (uath_tx_start(sc, m, ni, bf) != 0) {
1738 	bad:
1739 			if_inc_counter(ni->ni_vap->iv_ifp,
1740 			    IFCOUNTER_OERRORS, 1);
1741 	reclaim:
1742 			STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1743 			UATH_STAT_INC(sc, st_tx_inactive);
1744 			uath_txfrag_cleanup(sc, &frags, ni);
1745 			ieee80211_free_node(ni);
1746 			continue;
1747 		}
1748 
1749 		if (next != NULL) {
1750 			/*
1751 			 * Beware of state changing between frags.
1752 			 XXX check sta power-save state?
1753 			*/
1754 			if (ni->ni_vap->iv_state != IEEE80211_S_RUN) {
1755 				DPRINTF(sc, UATH_DEBUG_XMIT,
1756 				    "%s: flush fragmented packet, state %s\n",
1757 				    __func__,
1758 				    ieee80211_state_name[ni->ni_vap->iv_state]);
1759 				ieee80211_free_mbuf(next);
1760 				goto reclaim;
1761 			}
1762 			m = next;
1763 			bf = STAILQ_FIRST(&frags);
1764 			KASSERT(bf != NULL, ("no buf for txfrag"));
1765 			STAILQ_REMOVE_HEAD(&frags, next);
1766 			goto nextfrag;
1767 		}
1768 
1769 		sc->sc_tx_timer = 5;
1770 	}
1771 }
1772 
1773 static int
1774 uath_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
1775     const struct ieee80211_bpf_params *params)
1776 {
1777 	struct ieee80211com *ic = ni->ni_ic;
1778 	struct uath_data *bf;
1779 	struct uath_softc *sc = ic->ic_softc;
1780 
1781 	UATH_LOCK(sc);
1782 	/* prevent management frames from being sent if we're not ready */
1783 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1784 	    !(sc->sc_flags & UATH_FLAG_INITDONE)) {
1785 		m_freem(m);
1786 		UATH_UNLOCK(sc);
1787 		return (ENETDOWN);
1788 	}
1789 
1790 	/* grab a TX buffer  */
1791 	bf = uath_getbuf(sc);
1792 	if (bf == NULL) {
1793 		m_freem(m);
1794 		UATH_UNLOCK(sc);
1795 		return (ENOBUFS);
1796 	}
1797 
1798 	sc->sc_seqnum = 0;
1799 	if (uath_tx_start(sc, m, ni, bf) != 0) {
1800 		STAILQ_INSERT_HEAD(&sc->sc_tx_inactive, bf, next);
1801 		UATH_STAT_INC(sc, st_tx_inactive);
1802 		UATH_UNLOCK(sc);
1803 		return (EIO);
1804 	}
1805 	UATH_UNLOCK(sc);
1806 
1807 	sc->sc_tx_timer = 5;
1808 	return (0);
1809 }
1810 
1811 static void
1812 uath_scan_start(struct ieee80211com *ic)
1813 {
1814 	/* do nothing  */
1815 }
1816 
1817 static void
1818 uath_scan_end(struct ieee80211com *ic)
1819 {
1820 	/* do nothing  */
1821 }
1822 
1823 static void
1824 uath_set_channel(struct ieee80211com *ic)
1825 {
1826 	struct uath_softc *sc = ic->ic_softc;
1827 
1828 	UATH_LOCK(sc);
1829 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1830 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1831 		UATH_UNLOCK(sc);
1832 		return;
1833 	}
1834 	(void)uath_switch_channel(sc, ic->ic_curchan);
1835 	UATH_UNLOCK(sc);
1836 }
1837 
1838 static int
1839 uath_set_rxmulti_filter(struct uath_softc *sc)
1840 {
1841 	/* XXX broken */
1842 	return (0);
1843 }
1844 static void
1845 uath_update_mcast(struct ieee80211com *ic)
1846 {
1847 	struct uath_softc *sc = ic->ic_softc;
1848 
1849 	UATH_LOCK(sc);
1850 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1851 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1852 		UATH_UNLOCK(sc);
1853 		return;
1854 	}
1855 	/*
1856 	 * this is for avoiding the race condition when we're try to
1857 	 * connect to the AP with WPA.
1858 	 */
1859 	if (sc->sc_flags & UATH_FLAG_INITDONE)
1860 		(void)uath_set_rxmulti_filter(sc);
1861 	UATH_UNLOCK(sc);
1862 }
1863 
1864 static void
1865 uath_update_promisc(struct ieee80211com *ic)
1866 {
1867 	struct uath_softc *sc = ic->ic_softc;
1868 
1869 	UATH_LOCK(sc);
1870 	if ((sc->sc_flags & UATH_FLAG_INVALID) ||
1871 	    (sc->sc_flags & UATH_FLAG_INITDONE) == 0) {
1872 		UATH_UNLOCK(sc);
1873 		return;
1874 	}
1875 	if (sc->sc_flags & UATH_FLAG_INITDONE) {
1876 		uath_set_rxfilter(sc,
1877 		    UATH_FILTER_RX_UCAST | UATH_FILTER_RX_MCAST |
1878 		    UATH_FILTER_RX_BCAST | UATH_FILTER_RX_BEACON |
1879 		    UATH_FILTER_RX_PROM, UATH_FILTER_OP_SET);
1880 	}
1881 	UATH_UNLOCK(sc);
1882 }
1883 
1884 static int
1885 uath_create_connection(struct uath_softc *sc, uint32_t connid)
1886 {
1887 	const struct ieee80211_rateset *rs;
1888 	struct ieee80211com *ic = &sc->sc_ic;
1889 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1890 	struct ieee80211_node *ni;
1891 	struct uath_cmd_create_connection create;
1892 
1893 	ni = ieee80211_ref_node(vap->iv_bss);
1894 	memset(&create, 0, sizeof(create));
1895 	create.connid = htobe32(connid);
1896 	create.bssid = htobe32(0);
1897 	/* XXX packed or not?  */
1898 	create.size = htobe32(sizeof(struct uath_cmd_rateset));
1899 
1900 	rs = &ni->ni_rates;
1901 	create.connattr.rateset.length = rs->rs_nrates;
1902 	bcopy(rs->rs_rates, &create.connattr.rateset.set[0],
1903 	    rs->rs_nrates);
1904 
1905 	/* XXX turbo */
1906 	if (IEEE80211_IS_CHAN_A(ni->ni_chan))
1907 		create.connattr.wlanmode = htobe32(WLAN_MODE_11a);
1908 	else if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan))
1909 		create.connattr.wlanmode = htobe32(WLAN_MODE_11g);
1910 	else
1911 		create.connattr.wlanmode = htobe32(WLAN_MODE_11b);
1912 	ieee80211_free_node(ni);
1913 
1914 	return uath_cmd_write(sc, WDCMSG_CREATE_CONNECTION, &create,
1915 	    sizeof create, 0);
1916 }
1917 
1918 static int
1919 uath_set_rates(struct uath_softc *sc, const struct ieee80211_rateset *rs)
1920 {
1921 	struct uath_cmd_rates rates;
1922 
1923 	memset(&rates, 0, sizeof(rates));
1924 	rates.connid = htobe32(UATH_ID_BSS);		/* XXX */
1925 	rates.size   = htobe32(sizeof(struct uath_cmd_rateset));
1926 	/* XXX bounds check rs->rs_nrates */
1927 	rates.rateset.length = rs->rs_nrates;
1928 	bcopy(rs->rs_rates, &rates.rateset.set[0], rs->rs_nrates);
1929 
1930 	DPRINTF(sc, UATH_DEBUG_RATES,
1931 	    "setting supported rates nrates=%d\n", rs->rs_nrates);
1932 	return uath_cmd_write(sc, WDCMSG_SET_BASIC_RATE,
1933 	    &rates, sizeof rates, 0);
1934 }
1935 
1936 static int
1937 uath_write_associd(struct uath_softc *sc)
1938 {
1939 	struct ieee80211com *ic = &sc->sc_ic;
1940 	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
1941 	struct ieee80211_node *ni;
1942 	struct uath_cmd_set_associd associd;
1943 
1944 	ni = ieee80211_ref_node(vap->iv_bss);
1945 	memset(&associd, 0, sizeof(associd));
1946 	associd.defaultrateix = htobe32(1);	/* XXX */
1947 	associd.associd = htobe32(ni->ni_associd);
1948 	associd.timoffset = htobe32(0x3b);	/* XXX */
1949 	IEEE80211_ADDR_COPY(associd.bssid, ni->ni_bssid);
1950 	ieee80211_free_node(ni);
1951 	return uath_cmd_write(sc, WDCMSG_WRITE_ASSOCID, &associd,
1952 	    sizeof associd, 0);
1953 }
1954 
1955 static int
1956 uath_set_ledsteady(struct uath_softc *sc, int lednum, int ledmode)
1957 {
1958 	struct uath_cmd_ledsteady led;
1959 
1960 	led.lednum = htobe32(lednum);
1961 	led.ledmode = htobe32(ledmode);
1962 
1963 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (steady)\n",
1964 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1965 	    ledmode ? "on" : "off");
1966 	return uath_cmd_write(sc, WDCMSG_SET_LED_STEADY, &led, sizeof led, 0);
1967 }
1968 
1969 static int
1970 uath_set_ledblink(struct uath_softc *sc, int lednum, int ledmode,
1971 	int blinkrate, int slowmode)
1972 {
1973 	struct uath_cmd_ledblink led;
1974 
1975 	led.lednum = htobe32(lednum);
1976 	led.ledmode = htobe32(ledmode);
1977 	led.blinkrate = htobe32(blinkrate);
1978 	led.slowmode = htobe32(slowmode);
1979 
1980 	DPRINTF(sc, UATH_DEBUG_LED, "set %s led %s (blink)\n",
1981 	    (lednum == UATH_LED_LINK) ? "link" : "activity",
1982 	    ledmode ? "on" : "off");
1983 	return uath_cmd_write(sc, WDCMSG_SET_LED_BLINK, &led, sizeof led, 0);
1984 }
1985 
1986 static int
1987 uath_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
1988 {
1989 	enum ieee80211_state ostate = vap->iv_state;
1990 	int error;
1991 	struct ieee80211_node *ni;
1992 	struct ieee80211com *ic = vap->iv_ic;
1993 	struct uath_softc *sc = ic->ic_softc;
1994 	struct uath_vap *uvp = UATH_VAP(vap);
1995 
1996 	DPRINTF(sc, UATH_DEBUG_STATE,
1997 	    "%s: %s -> %s\n", __func__, ieee80211_state_name[vap->iv_state],
1998 	    ieee80211_state_name[nstate]);
1999 
2000 	IEEE80211_UNLOCK(ic);
2001 	UATH_LOCK(sc);
2002 	callout_stop(&sc->stat_ch);
2003 	callout_stop(&sc->watchdog_ch);
2004 	ni = ieee80211_ref_node(vap->iv_bss);
2005 
2006 	switch (nstate) {
2007 	case IEEE80211_S_INIT:
2008 		if (ostate == IEEE80211_S_RUN) {
2009 			/* turn link and activity LEDs off */
2010 			uath_set_ledstate(sc, 0);
2011 		}
2012 		break;
2013 
2014 	case IEEE80211_S_SCAN:
2015 		break;
2016 
2017 	case IEEE80211_S_AUTH:
2018 		/* XXX good place?  set RTS threshold  */
2019 		uath_config(sc, CFG_USER_RTS_THRESHOLD, vap->iv_rtsthreshold);
2020 		/* XXX bad place  */
2021 		error = uath_set_keys(sc, vap);
2022 		if (error != 0) {
2023 			device_printf(sc->sc_dev,
2024 			    "could not set crypto keys, error %d\n", error);
2025 			break;
2026 		}
2027 		if (uath_switch_channel(sc, ni->ni_chan) != 0) {
2028 			device_printf(sc->sc_dev, "could not switch channel\n");
2029 			break;
2030 		}
2031 		if (uath_create_connection(sc, UATH_ID_BSS) != 0) {
2032 			device_printf(sc->sc_dev,
2033 			    "could not create connection\n");
2034 			break;
2035 		}
2036 		break;
2037 
2038 	case IEEE80211_S_ASSOC:
2039 		if (uath_set_rates(sc, &ni->ni_rates) != 0) {
2040 			device_printf(sc->sc_dev,
2041 			    "could not set negotiated rate set\n");
2042 			break;
2043 		}
2044 		break;
2045 
2046 	case IEEE80211_S_RUN:
2047 		/* XXX monitor mode doesn't be tested  */
2048 		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2049 			uath_set_ledstate(sc, 1);
2050 			break;
2051 		}
2052 
2053 		/*
2054 		 * Tx rate is controlled by firmware, report the maximum
2055 		 * negotiated rate in ifconfig output.
2056 		 */
2057 		ni->ni_txrate = ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates-1];
2058 
2059 		if (uath_write_associd(sc) != 0) {
2060 			device_printf(sc->sc_dev,
2061 			    "could not write association id\n");
2062 			break;
2063 		}
2064 		/* turn link LED on */
2065 		uath_set_ledsteady(sc, UATH_LED_LINK, UATH_LED_ON);
2066 		/* make activity LED blink */
2067 		uath_set_ledblink(sc, UATH_LED_ACTIVITY, UATH_LED_ON, 1, 2);
2068 		/* set state to associated */
2069 		uath_set_ledstate(sc, 1);
2070 
2071 		/* start statistics timer */
2072 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2073 		break;
2074 	default:
2075 		break;
2076 	}
2077 	ieee80211_free_node(ni);
2078 	UATH_UNLOCK(sc);
2079 	IEEE80211_LOCK(ic);
2080 	return (uvp->newstate(vap, nstate, arg));
2081 }
2082 
2083 static int
2084 uath_set_key(struct uath_softc *sc, const struct ieee80211_key *wk,
2085     int index)
2086 {
2087 #if 0
2088 	struct uath_cmd_crypto crypto;
2089 	int i;
2090 
2091 	memset(&crypto, 0, sizeof(crypto));
2092 	crypto.keyidx = htobe32(index);
2093 	crypto.magic1 = htobe32(1);
2094 	crypto.size   = htobe32(368);
2095 	crypto.mask   = htobe32(0xffff);
2096 	crypto.flags  = htobe32(0x80000068);
2097 	if (index != UATH_DEFAULT_KEY)
2098 		crypto.flags |= htobe32(index << 16);
2099 	memset(crypto.magic2, 0xff, sizeof(crypto.magic2));
2100 
2101 	/*
2102 	 * Each byte of the key must be XOR'ed with 10101010 before being
2103 	 * transmitted to the firmware.
2104 	 */
2105 	for (i = 0; i < wk->wk_keylen; i++)
2106 		crypto.key[i] = wk->wk_key[i] ^ 0xaa;
2107 
2108 	DPRINTF(sc, UATH_DEBUG_CRYPTO,
2109 	    "setting crypto key index=%d len=%d\n", index, wk->wk_keylen);
2110 	return uath_cmd_write(sc, WDCMSG_SET_KEY_CACHE_ENTRY, &crypto,
2111 	    sizeof crypto, 0);
2112 #else
2113 	/* XXX support H/W cryto  */
2114 	return (0);
2115 #endif
2116 }
2117 
2118 static int
2119 uath_set_keys(struct uath_softc *sc, struct ieee80211vap *vap)
2120 {
2121 	int i, error;
2122 
2123 	error = 0;
2124 	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
2125 		const struct ieee80211_key *wk = &vap->iv_nw_keys[i];
2126 
2127 		if (wk->wk_flags & (IEEE80211_KEY_XMIT|IEEE80211_KEY_RECV)) {
2128 			error = uath_set_key(sc, wk, i);
2129 			if (error)
2130 				return (error);
2131 		}
2132 	}
2133 	if (vap->iv_def_txkey != IEEE80211_KEYIX_NONE) {
2134 		error = uath_set_key(sc, &vap->iv_nw_keys[vap->iv_def_txkey],
2135 			UATH_DEFAULT_KEY);
2136 	}
2137 	return (error);
2138 }
2139 
2140 #define	UATH_SYSCTL_STAT_ADD32(c, h, n, p, d)	\
2141 	    SYSCTL_ADD_UINT(c, h, OID_AUTO, n, CTLFLAG_RD, p, 0, d)
2142 
2143 static void
2144 uath_sysctl_node(struct uath_softc *sc)
2145 {
2146 	struct sysctl_ctx_list *ctx;
2147 	struct sysctl_oid_list *child;
2148 	struct sysctl_oid *tree;
2149 	struct uath_stat *stats;
2150 
2151 	stats = &sc->sc_stat;
2152 	ctx = device_get_sysctl_ctx(sc->sc_dev);
2153 	child = SYSCTL_CHILDREN(device_get_sysctl_tree(sc->sc_dev));
2154 
2155 	tree = SYSCTL_ADD_NODE(ctx, child, OID_AUTO, "stats", CTLFLAG_RD,
2156 	    NULL, "UATH statistics");
2157 	child = SYSCTL_CHILDREN(tree);
2158 	UATH_SYSCTL_STAT_ADD32(ctx, child, "badchunkseqnum",
2159 	    &stats->st_badchunkseqnum, "Bad chunk sequence numbers");
2160 	UATH_SYSCTL_STAT_ADD32(ctx, child, "invalidlen", &stats->st_invalidlen,
2161 	    "Invalid length");
2162 	UATH_SYSCTL_STAT_ADD32(ctx, child, "multichunk", &stats->st_multichunk,
2163 	    "Multi chunks");
2164 	UATH_SYSCTL_STAT_ADD32(ctx, child, "toobigrxpkt",
2165 	    &stats->st_toobigrxpkt, "Too big rx packets");
2166 	UATH_SYSCTL_STAT_ADD32(ctx, child, "stopinprogress",
2167 	    &stats->st_stopinprogress, "Stop in progress");
2168 	UATH_SYSCTL_STAT_ADD32(ctx, child, "crcerrs", &stats->st_crcerr,
2169 	    "CRC errors");
2170 	UATH_SYSCTL_STAT_ADD32(ctx, child, "phyerr", &stats->st_phyerr,
2171 	    "PHY errors");
2172 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_crcerr",
2173 	    &stats->st_decrypt_crcerr, "Decryption CRC errors");
2174 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decrypt_micerr",
2175 	    &stats->st_decrypt_micerr, "Decryption Misc errors");
2176 	UATH_SYSCTL_STAT_ADD32(ctx, child, "decomperr", &stats->st_decomperr,
2177 	    "Decomp errors");
2178 	UATH_SYSCTL_STAT_ADD32(ctx, child, "keyerr", &stats->st_keyerr,
2179 	    "Key errors");
2180 	UATH_SYSCTL_STAT_ADD32(ctx, child, "err", &stats->st_err,
2181 	    "Unknown errors");
2182 
2183 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_active",
2184 	    &stats->st_cmd_active, "Active numbers in Command queue");
2185 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_inactive",
2186 	    &stats->st_cmd_inactive, "Inactive numbers in Command queue");
2187 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_pending",
2188 	    &stats->st_cmd_pending, "Pending numbers in Command queue");
2189 	UATH_SYSCTL_STAT_ADD32(ctx, child, "cmd_waiting",
2190 	    &stats->st_cmd_waiting, "Waiting numbers in Command queue");
2191 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_active",
2192 	    &stats->st_rx_active, "Active numbers in RX queue");
2193 	UATH_SYSCTL_STAT_ADD32(ctx, child, "rx_inactive",
2194 	    &stats->st_rx_inactive, "Inactive numbers in RX queue");
2195 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_active",
2196 	    &stats->st_tx_active, "Active numbers in TX queue");
2197 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_inactive",
2198 	    &stats->st_tx_inactive, "Inactive numbers in TX queue");
2199 	UATH_SYSCTL_STAT_ADD32(ctx, child, "tx_pending",
2200 	    &stats->st_tx_pending, "Pending numbers in TX queue");
2201 }
2202 
2203 #undef UATH_SYSCTL_STAT_ADD32
2204 
2205 CTASSERT(sizeof(u_int) >= sizeof(uint32_t));
2206 
2207 static void
2208 uath_cmdeof(struct uath_softc *sc, struct uath_cmd *cmd)
2209 {
2210 	struct uath_cmd_hdr *hdr;
2211 	uint32_t dlen;
2212 
2213 	hdr = (struct uath_cmd_hdr *)cmd->buf;
2214 	/* NB: msgid is passed thru w/o byte swapping */
2215 #ifdef UATH_DEBUG
2216 	if (sc->sc_debug & UATH_DEBUG_CMDS) {
2217 		uint32_t len = be32toh(hdr->len);
2218 		printf("%s: %s [ix %u] len %u status %u\n",
2219 		    __func__, uath_codename(be32toh(hdr->code)),
2220 		    hdr->msgid, len, be32toh(hdr->magic));
2221 		if (sc->sc_debug & UATH_DEBUG_CMDS_DUMP)
2222 			uath_dump_cmd(cmd->buf,
2223 			    len > UATH_MAX_CMDSZ ? sizeof(*hdr) : len, '-');
2224 	}
2225 #endif
2226 	hdr->code = be32toh(hdr->code);
2227 	hdr->len = be32toh(hdr->len);
2228 	hdr->magic = be32toh(hdr->magic);	/* target status on return */
2229 
2230 	switch (hdr->code & 0xff) {
2231 	/* reply to a read command */
2232 	default:
2233 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2234 		    "%s: code %d hdr len %u\n",
2235 		    __func__, hdr->code & 0xff, hdr->len);
2236 		/*
2237 		 * The first response from the target after the
2238 		 * HOST_AVAILABLE has an invalid msgid so we must
2239 		 * treat it specially.
2240 		 */
2241 		if (hdr->msgid < UATH_CMD_LIST_COUNT) {
2242 			uint32_t *rp = (uint32_t *)(hdr+1);
2243 			u_int olen;
2244 
2245 			if (sizeof(*hdr) > hdr->len ||
2246 			    hdr->len >= UATH_MAX_CMDSZ) {
2247 				device_printf(sc->sc_dev,
2248 				    "%s: invalid WDC msg length %u; "
2249 				    "msg ignored\n", __func__, hdr->len);
2250 				return;
2251 			}
2252 			/*
2253 			 * Calculate return/receive payload size; the
2254 			 * first word, if present, always gives the
2255 			 * number of bytes--unless it's 0 in which
2256 			 * case a single 32-bit word should be present.
2257 			 */
2258 			dlen = hdr->len - sizeof(*hdr);
2259 			if (dlen >= sizeof(uint32_t)) {
2260 				olen = be32toh(rp[0]);
2261 				dlen -= sizeof(uint32_t);
2262 				if (olen == 0) {
2263 					/* convention is 0 =>'s one word */
2264 					olen = sizeof(uint32_t);
2265 					/* XXX KASSERT(olen == dlen ) */
2266 				}
2267 			} else
2268 				olen = 0;
2269 			if (cmd->odata != NULL) {
2270 				/* NB: cmd->olen validated in uath_cmd */
2271 				if (olen > (u_int)cmd->olen) {
2272 					/* XXX complain? */
2273 					device_printf(sc->sc_dev,
2274 					    "%s: cmd 0x%x olen %u cmd olen %u\n",
2275 					    __func__, hdr->code, olen,
2276 					    cmd->olen);
2277 					olen = cmd->olen;
2278 				}
2279 				if (olen > dlen) {
2280 					/* XXX complain, shouldn't happen */
2281 					device_printf(sc->sc_dev,
2282 					    "%s: cmd 0x%x olen %u dlen %u\n",
2283 					    __func__, hdr->code, olen, dlen);
2284 					olen = dlen;
2285 				}
2286 				/* XXX have submitter do this */
2287 				/* copy answer into caller's supplied buffer */
2288 				bcopy(&rp[1], cmd->odata, olen);
2289 				cmd->olen = olen;
2290 			}
2291 		}
2292 		wakeup_one(cmd);		/* wake up caller */
2293 		break;
2294 
2295 	case WDCMSG_TARGET_START:
2296 		if (hdr->msgid >= UATH_CMD_LIST_COUNT) {
2297 			/* XXX */
2298 			return;
2299 		}
2300 		dlen = hdr->len - sizeof(*hdr);
2301 		if (dlen != sizeof(uint32_t)) {
2302 			device_printf(sc->sc_dev,
2303 			    "%s: dlen (%u) != %zu!\n",
2304 			    __func__, dlen, sizeof(uint32_t));
2305 			return;
2306 		}
2307 		/* XXX have submitter do this */
2308 		/* copy answer into caller's supplied buffer */
2309 		bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
2310 		cmd->olen = sizeof(uint32_t);
2311 		wakeup_one(cmd);		/* wake up caller */
2312 		break;
2313 
2314 	case WDCMSG_SEND_COMPLETE:
2315 		/* this notification is sent when UATH_TX_NOTIFY is set */
2316 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2317 		    "%s: received Tx notification\n", __func__);
2318 		break;
2319 
2320 	case WDCMSG_TARGET_GET_STATS:
2321 		DPRINTF(sc, UATH_DEBUG_RX_PROC | UATH_DEBUG_RECV_ALL,
2322 		    "%s: received device statistics\n", __func__);
2323 		callout_reset(&sc->stat_ch, hz, uath_stat, sc);
2324 		break;
2325 	}
2326 }
2327 
2328 static void
2329 uath_intr_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2330 {
2331 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2332 	struct uath_cmd *cmd;
2333 	struct uath_cmd_hdr *hdr;
2334 	struct usb_page_cache *pc;
2335 	int actlen;
2336 
2337 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2338 
2339 	UATH_ASSERT_LOCKED(sc);
2340 
2341 	switch (USB_GET_STATE(xfer)) {
2342 	case USB_ST_TRANSFERRED:
2343 		cmd = STAILQ_FIRST(&sc->sc_cmd_waiting);
2344 		if (cmd == NULL)
2345 			goto setup;
2346 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_waiting, next);
2347 		UATH_STAT_DEC(sc, st_cmd_waiting);
2348 		STAILQ_INSERT_TAIL(&sc->sc_cmd_inactive, cmd, next);
2349 		UATH_STAT_INC(sc, st_cmd_inactive);
2350 
2351 		if (actlen < sizeof(struct uath_cmd_hdr)) {
2352 			device_printf(sc->sc_dev,
2353 			    "%s: short xfer error (actlen %d)\n",
2354 			    __func__, actlen);
2355 			goto setup;
2356 		}
2357 
2358 		pc = usbd_xfer_get_frame(xfer, 0);
2359 		usbd_copy_out(pc, 0, cmd->buf, actlen);
2360 
2361 		hdr = (struct uath_cmd_hdr *)cmd->buf;
2362 		hdr->len = be32toh(hdr->len);
2363 		if (hdr->len > (uint32_t)actlen) {
2364 			device_printf(sc->sc_dev,
2365 			    "%s: truncated xfer (len %u, actlen %d)\n",
2366 			    __func__, hdr->len, actlen);
2367 			goto setup;
2368 		}
2369 
2370 		uath_cmdeof(sc, cmd);
2371 	case USB_ST_SETUP:
2372 setup:
2373 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
2374 		usbd_transfer_submit(xfer);
2375 		break;
2376 	default:
2377 		if (error != USB_ERR_CANCELLED) {
2378 			usbd_xfer_set_stall(xfer);
2379 			goto setup;
2380 		}
2381 		break;
2382 	}
2383 }
2384 
2385 static void
2386 uath_intr_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2387 {
2388 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2389 	struct uath_cmd *cmd;
2390 
2391 	UATH_ASSERT_LOCKED(sc);
2392 
2393 	cmd = STAILQ_FIRST(&sc->sc_cmd_active);
2394 	if (cmd != NULL && USB_GET_STATE(xfer) != USB_ST_SETUP) {
2395 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_active, next);
2396 		UATH_STAT_DEC(sc, st_cmd_active);
2397 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_READ) ?
2398 		    &sc->sc_cmd_waiting : &sc->sc_cmd_inactive, cmd, next);
2399 		if (cmd->flags & UATH_CMD_FLAG_READ)
2400 			UATH_STAT_INC(sc, st_cmd_waiting);
2401 		else
2402 			UATH_STAT_INC(sc, st_cmd_inactive);
2403 	}
2404 
2405 	switch (USB_GET_STATE(xfer)) {
2406 	case USB_ST_TRANSFERRED:
2407 	case USB_ST_SETUP:
2408 setup:
2409 		cmd = STAILQ_FIRST(&sc->sc_cmd_pending);
2410 		if (cmd == NULL) {
2411 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2412 			    __func__);
2413 			return;
2414 		}
2415 		STAILQ_REMOVE_HEAD(&sc->sc_cmd_pending, next);
2416 		UATH_STAT_DEC(sc, st_cmd_pending);
2417 		STAILQ_INSERT_TAIL((cmd->flags & UATH_CMD_FLAG_ASYNC) ?
2418 		    &sc->sc_cmd_inactive : &sc->sc_cmd_active, cmd, next);
2419 		if (cmd->flags & UATH_CMD_FLAG_ASYNC)
2420 			UATH_STAT_INC(sc, st_cmd_inactive);
2421 		else
2422 			UATH_STAT_INC(sc, st_cmd_active);
2423 
2424 		usbd_xfer_set_frame_data(xfer, 0, cmd->buf, cmd->buflen);
2425 		usbd_transfer_submit(xfer);
2426 		break;
2427 	default:
2428 		if (error != USB_ERR_CANCELLED) {
2429 			usbd_xfer_set_stall(xfer);
2430 			goto setup;
2431 		}
2432 		break;
2433 	}
2434 }
2435 
2436 static void
2437 uath_update_rxstat(struct uath_softc *sc, uint32_t status)
2438 {
2439 
2440 	switch (status) {
2441 	case UATH_STATUS_STOP_IN_PROGRESS:
2442 		UATH_STAT_INC(sc, st_stopinprogress);
2443 		break;
2444 	case UATH_STATUS_CRC_ERR:
2445 		UATH_STAT_INC(sc, st_crcerr);
2446 		break;
2447 	case UATH_STATUS_PHY_ERR:
2448 		UATH_STAT_INC(sc, st_phyerr);
2449 		break;
2450 	case UATH_STATUS_DECRYPT_CRC_ERR:
2451 		UATH_STAT_INC(sc, st_decrypt_crcerr);
2452 		break;
2453 	case UATH_STATUS_DECRYPT_MIC_ERR:
2454 		UATH_STAT_INC(sc, st_decrypt_micerr);
2455 		break;
2456 	case UATH_STATUS_DECOMP_ERR:
2457 		UATH_STAT_INC(sc, st_decomperr);
2458 		break;
2459 	case UATH_STATUS_KEY_ERR:
2460 		UATH_STAT_INC(sc, st_keyerr);
2461 		break;
2462 	case UATH_STATUS_ERR:
2463 		UATH_STAT_INC(sc, st_err);
2464 		break;
2465 	default:
2466 		break;
2467 	}
2468 }
2469 
2470 CTASSERT(UATH_MIN_RXBUFSZ >= sizeof(struct uath_chunk));
2471 
2472 static struct mbuf *
2473 uath_data_rxeof(struct usb_xfer *xfer, struct uath_data *data,
2474     struct uath_rx_desc **pdesc)
2475 {
2476 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2477 	struct ieee80211com *ic = &sc->sc_ic;
2478 	struct uath_chunk *chunk;
2479 	struct uath_rx_desc *desc;
2480 	struct mbuf *m = data->m, *mnew, *mp;
2481 	uint16_t chunklen;
2482 	int actlen;
2483 
2484 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
2485 
2486 	if (actlen < (int)UATH_MIN_RXBUFSZ) {
2487 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2488 		    "%s: wrong xfer size (len=%d)\n", __func__, actlen);
2489 		counter_u64_add(ic->ic_ierrors, 1);
2490 		return (NULL);
2491 	}
2492 
2493 	chunk = (struct uath_chunk *)data->buf;
2494 	chunklen = be16toh(chunk->length);
2495 	if (chunk->seqnum == 0 && chunk->flags == 0 && chunklen == 0) {
2496 		device_printf(sc->sc_dev, "%s: strange response\n", __func__);
2497 		counter_u64_add(ic->ic_ierrors, 1);
2498 		UATH_RESET_INTRX(sc);
2499 		return (NULL);
2500 	}
2501 
2502 	if (chunklen > actlen) {
2503 		device_printf(sc->sc_dev,
2504 		    "%s: invalid chunk length (len %u > actlen %d)\n",
2505 		    __func__, chunklen, actlen);
2506 		counter_u64_add(ic->ic_ierrors, 1);
2507 		/* XXX cleanup? */
2508 		UATH_RESET_INTRX(sc);
2509 		return (NULL);
2510 	}
2511 
2512 	if (chunk->seqnum != sc->sc_intrx_nextnum) {
2513 		DPRINTF(sc, UATH_DEBUG_XMIT, "invalid seqnum %d, expected %d\n",
2514 		    chunk->seqnum, sc->sc_intrx_nextnum);
2515 		UATH_STAT_INC(sc, st_badchunkseqnum);
2516 		if (sc->sc_intrx_head != NULL)
2517 			m_freem(sc->sc_intrx_head);
2518 		UATH_RESET_INTRX(sc);
2519 		return (NULL);
2520 	}
2521 
2522 	/* check multi-chunk frames  */
2523 	if ((chunk->seqnum == 0 && !(chunk->flags & UATH_CFLAGS_FINAL)) ||
2524 	    (chunk->seqnum != 0 && (chunk->flags & UATH_CFLAGS_FINAL)) ||
2525 	    chunk->flags & UATH_CFLAGS_RXMSG)
2526 		UATH_STAT_INC(sc, st_multichunk);
2527 
2528 	if (chunk->flags & UATH_CFLAGS_FINAL) {
2529 		if (chunklen < sizeof(struct uath_rx_desc)) {
2530 			device_printf(sc->sc_dev,
2531 			    "%s: invalid chunk length %d\n",
2532 			    __func__, chunklen);
2533 			counter_u64_add(ic->ic_ierrors, 1);
2534 			if (sc->sc_intrx_head != NULL)
2535 				m_freem(sc->sc_intrx_head);
2536 			UATH_RESET_INTRX(sc);
2537 			return (NULL);
2538 		}
2539 		chunklen -= sizeof(struct uath_rx_desc);
2540 	}
2541 
2542 	if (chunklen > 0 &&
2543 	    (!(chunk->flags & UATH_CFLAGS_FINAL) || !(chunk->seqnum == 0))) {
2544 		/* we should use intermediate RX buffer  */
2545 		if (chunk->seqnum == 0)
2546 			UATH_RESET_INTRX(sc);
2547 		if ((sc->sc_intrx_len + sizeof(struct uath_rx_desc) +
2548 		    chunklen) > UATH_MAX_INTRX_SIZE) {
2549 			UATH_STAT_INC(sc, st_invalidlen);
2550 			counter_u64_add(ic->ic_ierrors, 1);
2551 			if (sc->sc_intrx_head != NULL)
2552 				m_freem(sc->sc_intrx_head);
2553 			UATH_RESET_INTRX(sc);
2554 			return (NULL);
2555 		}
2556 
2557 		m->m_len = chunklen;
2558 		m->m_data += sizeof(struct uath_chunk);
2559 
2560 		if (sc->sc_intrx_head == NULL) {
2561 			sc->sc_intrx_head = m;
2562 			sc->sc_intrx_tail = m;
2563 		} else {
2564 			m->m_flags &= ~M_PKTHDR;
2565 			sc->sc_intrx_tail->m_next = m;
2566 			sc->sc_intrx_tail = m;
2567 		}
2568 	}
2569 	sc->sc_intrx_len += chunklen;
2570 
2571 	mnew = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
2572 	if (mnew == NULL) {
2573 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2574 		    "%s: can't get new mbuf, drop frame\n", __func__);
2575 		counter_u64_add(ic->ic_ierrors, 1);
2576 		if (sc->sc_intrx_head != NULL)
2577 			m_freem(sc->sc_intrx_head);
2578 		UATH_RESET_INTRX(sc);
2579 		return (NULL);
2580 	}
2581 
2582 	data->m = mnew;
2583 	data->buf = mtod(mnew, uint8_t *);
2584 
2585 	/* if the frame is not final continue the transfer  */
2586 	if (!(chunk->flags & UATH_CFLAGS_FINAL)) {
2587 		sc->sc_intrx_nextnum++;
2588 		UATH_RESET_INTRX(sc);
2589 		return (NULL);
2590 	}
2591 
2592 	/*
2593 	 * if the frame is not set UATH_CFLAGS_RXMSG, then rx descriptor is
2594 	 * located at the end, 32-bit aligned
2595 	 */
2596 	desc = (chunk->flags & UATH_CFLAGS_RXMSG) ?
2597 		(struct uath_rx_desc *)(chunk + 1) :
2598 		(struct uath_rx_desc *)(((uint8_t *)chunk) +
2599 		    sizeof(struct uath_chunk) + be16toh(chunk->length) -
2600 		    sizeof(struct uath_rx_desc));
2601 	if ((uint8_t *)chunk + actlen - sizeof(struct uath_rx_desc) <
2602 	    (uint8_t *)desc) {
2603 		device_printf(sc->sc_dev,
2604 		    "%s: wrong Rx descriptor pointer "
2605 		    "(desc %p chunk %p actlen %d)\n",
2606 		    __func__, desc, chunk, actlen);
2607 		counter_u64_add(ic->ic_ierrors, 1);
2608 		if (sc->sc_intrx_head != NULL)
2609 			m_freem(sc->sc_intrx_head);
2610 		UATH_RESET_INTRX(sc);
2611 		return (NULL);
2612 	}
2613 
2614 	*pdesc = desc;
2615 
2616 	DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2617 	    "%s: frame len %u code %u status %u rate %u antenna %u "
2618 	    "rssi %d channel %u phyerror %u connix %u decrypterror %u "
2619 	    "keycachemiss %u\n", __func__, be32toh(desc->framelen)
2620 	    , be32toh(desc->code), be32toh(desc->status), be32toh(desc->rate)
2621 	    , be32toh(desc->antenna), be32toh(desc->rssi), be32toh(desc->channel)
2622 	    , be32toh(desc->phyerror), be32toh(desc->connix)
2623 	    , be32toh(desc->decrypterror), be32toh(desc->keycachemiss));
2624 
2625 	if (be32toh(desc->len) > MCLBYTES) {
2626 		DPRINTF(sc, UATH_DEBUG_RECV | UATH_DEBUG_RECV_ALL,
2627 		    "%s: bad descriptor (len=%d)\n", __func__,
2628 		    be32toh(desc->len));
2629 		counter_u64_add(ic->ic_ierrors, 1);
2630 		UATH_STAT_INC(sc, st_toobigrxpkt);
2631 		if (sc->sc_intrx_head != NULL)
2632 			m_freem(sc->sc_intrx_head);
2633 		UATH_RESET_INTRX(sc);
2634 		return (NULL);
2635 	}
2636 
2637 	uath_update_rxstat(sc, be32toh(desc->status));
2638 
2639 	/* finalize mbuf */
2640 	if (sc->sc_intrx_head == NULL) {
2641 		uint32_t framelen;
2642 
2643 		if (be32toh(desc->framelen) < UATH_RX_DUMMYSIZE) {
2644 			device_printf(sc->sc_dev,
2645 			    "%s: framelen too small (%u)\n",
2646 			    __func__, be32toh(desc->framelen));
2647 			counter_u64_add(ic->ic_ierrors, 1);
2648 			if (sc->sc_intrx_head != NULL)
2649 				m_freem(sc->sc_intrx_head);
2650 			UATH_RESET_INTRX(sc);
2651 			return (NULL);
2652 		}
2653 
2654 		framelen = be32toh(desc->framelen) - UATH_RX_DUMMYSIZE;
2655 		if (framelen > actlen - sizeof(struct uath_chunk) ||
2656 		    framelen < sizeof(struct ieee80211_frame_ack)) {
2657 			device_printf(sc->sc_dev,
2658 			    "%s: wrong frame length (%u, actlen %d)!\n",
2659 			    __func__, framelen, actlen);
2660 			counter_u64_add(ic->ic_ierrors, 1);
2661 			if (sc->sc_intrx_head != NULL)
2662 				m_freem(sc->sc_intrx_head);
2663 			UATH_RESET_INTRX(sc);
2664 			return (NULL);
2665 		}
2666 
2667 		m->m_pkthdr.len = m->m_len = framelen;
2668 		m->m_data += sizeof(struct uath_chunk);
2669 	} else {
2670 		mp = sc->sc_intrx_head;
2671 		mp->m_flags |= M_PKTHDR;
2672 		mp->m_pkthdr.len = sc->sc_intrx_len;
2673 		m = mp;
2674 	}
2675 
2676 	/* there are a lot more fields in the RX descriptor */
2677 	if ((sc->sc_flags & UATH_FLAG_INVALID) == 0 &&
2678 	    ieee80211_radiotap_active(ic)) {
2679 		struct uath_rx_radiotap_header *tap = &sc->sc_rxtap;
2680 		uint32_t tsf_hi = be32toh(desc->tstamp_high);
2681 		uint32_t tsf_lo = be32toh(desc->tstamp_low);
2682 
2683 		/* XXX only get low order 24bits of tsf from h/w */
2684 		tap->wr_tsf = htole64(((uint64_t)tsf_hi << 32) | tsf_lo);
2685 		tap->wr_flags = 0;
2686 		if (be32toh(desc->status) == UATH_STATUS_CRC_ERR)
2687 			tap->wr_flags |= IEEE80211_RADIOTAP_F_BADFCS;
2688 		/* XXX map other status to BADFCS? */
2689 		/* XXX ath h/w rate code, need to map */
2690 		tap->wr_rate = be32toh(desc->rate);
2691 		tap->wr_antenna = be32toh(desc->antenna);
2692 		tap->wr_antsignal = -95 + be32toh(desc->rssi);
2693 		tap->wr_antnoise = -95;
2694 	}
2695 
2696 	UATH_RESET_INTRX(sc);
2697 
2698 	return (m);
2699 }
2700 
2701 static void
2702 uath_bulk_rx_callback(struct usb_xfer *xfer, usb_error_t error)
2703 {
2704 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2705 	struct ieee80211com *ic = &sc->sc_ic;
2706 	struct ieee80211_frame *wh;
2707 	struct ieee80211_node *ni;
2708 	struct mbuf *m = NULL;
2709 	struct uath_data *data;
2710 	struct uath_rx_desc *desc = NULL;
2711 	int8_t nf;
2712 
2713 	UATH_ASSERT_LOCKED(sc);
2714 
2715 	switch (USB_GET_STATE(xfer)) {
2716 	case USB_ST_TRANSFERRED:
2717 		data = STAILQ_FIRST(&sc->sc_rx_active);
2718 		if (data == NULL)
2719 			goto setup;
2720 		STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2721 		UATH_STAT_DEC(sc, st_rx_active);
2722 		m = uath_data_rxeof(xfer, data, &desc);
2723 		STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2724 		UATH_STAT_INC(sc, st_rx_inactive);
2725 		/* FALLTHROUGH */
2726 	case USB_ST_SETUP:
2727 setup:
2728 		data = STAILQ_FIRST(&sc->sc_rx_inactive);
2729 		if (data == NULL)
2730 			return;
2731 		STAILQ_REMOVE_HEAD(&sc->sc_rx_inactive, next);
2732 		UATH_STAT_DEC(sc, st_rx_inactive);
2733 		STAILQ_INSERT_TAIL(&sc->sc_rx_active, data, next);
2734 		UATH_STAT_INC(sc, st_rx_active);
2735 		usbd_xfer_set_frame_data(xfer, 0, data->buf, MCLBYTES);
2736 		usbd_transfer_submit(xfer);
2737 
2738 		/*
2739 		 * To avoid LOR we should unlock our private mutex here to call
2740 		 * ieee80211_input() because here is at the end of a USB
2741 		 * callback and safe to unlock.
2742 		 */
2743 		if (sc->sc_flags & UATH_FLAG_INVALID) {
2744 			if (m != NULL)
2745 				m_freem(m);
2746 			return;
2747 		}
2748 		UATH_UNLOCK(sc);
2749 		if (m != NULL && desc != NULL) {
2750 			wh = mtod(m, struct ieee80211_frame *);
2751 			ni = ieee80211_find_rxnode(ic,
2752 			    (struct ieee80211_frame_min *)wh);
2753 			nf = -95;	/* XXX */
2754 			if (ni != NULL) {
2755 				(void) ieee80211_input(ni, m,
2756 				    (int)be32toh(desc->rssi), nf);
2757 				/* node is no longer needed */
2758 				ieee80211_free_node(ni);
2759 			} else
2760 				(void) ieee80211_input_all(ic, m,
2761 				    (int)be32toh(desc->rssi), nf);
2762 			m = NULL;
2763 			desc = NULL;
2764 		}
2765 		UATH_LOCK(sc);
2766 		uath_start(sc);
2767 		break;
2768 	default:
2769 		/* needs it to the inactive queue due to a error.  */
2770 		data = STAILQ_FIRST(&sc->sc_rx_active);
2771 		if (data != NULL) {
2772 			STAILQ_REMOVE_HEAD(&sc->sc_rx_active, next);
2773 			UATH_STAT_DEC(sc, st_rx_active);
2774 			STAILQ_INSERT_TAIL(&sc->sc_rx_inactive, data, next);
2775 			UATH_STAT_INC(sc, st_rx_inactive);
2776 		}
2777 		if (error != USB_ERR_CANCELLED) {
2778 			usbd_xfer_set_stall(xfer);
2779 			counter_u64_add(ic->ic_ierrors, 1);
2780 			goto setup;
2781 		}
2782 		break;
2783 	}
2784 }
2785 
2786 static void
2787 uath_data_txeof(struct usb_xfer *xfer, struct uath_data *data)
2788 {
2789 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2790 
2791 	UATH_ASSERT_LOCKED(sc);
2792 
2793 	if (data->m) {
2794 		/* XXX status? */
2795 		ieee80211_tx_complete(data->ni, data->m, 0);
2796 		data->m = NULL;
2797 		data->ni = NULL;
2798 	}
2799 	sc->sc_tx_timer = 0;
2800 }
2801 
2802 static void
2803 uath_bulk_tx_callback(struct usb_xfer *xfer, usb_error_t error)
2804 {
2805 	struct uath_softc *sc = usbd_xfer_softc(xfer);
2806 	struct uath_data *data;
2807 
2808 	UATH_ASSERT_LOCKED(sc);
2809 
2810 	switch (USB_GET_STATE(xfer)) {
2811 	case USB_ST_TRANSFERRED:
2812 		data = STAILQ_FIRST(&sc->sc_tx_active);
2813 		if (data == NULL)
2814 			goto setup;
2815 		STAILQ_REMOVE_HEAD(&sc->sc_tx_active, next);
2816 		UATH_STAT_DEC(sc, st_tx_active);
2817 		uath_data_txeof(xfer, data);
2818 		STAILQ_INSERT_TAIL(&sc->sc_tx_inactive, data, next);
2819 		UATH_STAT_INC(sc, st_tx_inactive);
2820 		/* FALLTHROUGH */
2821 	case USB_ST_SETUP:
2822 setup:
2823 		data = STAILQ_FIRST(&sc->sc_tx_pending);
2824 		if (data == NULL) {
2825 			DPRINTF(sc, UATH_DEBUG_XMIT, "%s: empty pending queue\n",
2826 			    __func__);
2827 			return;
2828 		}
2829 		STAILQ_REMOVE_HEAD(&sc->sc_tx_pending, next);
2830 		UATH_STAT_DEC(sc, st_tx_pending);
2831 		STAILQ_INSERT_TAIL(&sc->sc_tx_active, data, next);
2832 		UATH_STAT_INC(sc, st_tx_active);
2833 
2834 		usbd_xfer_set_frame_data(xfer, 0, data->buf, data->buflen);
2835 		usbd_transfer_submit(xfer);
2836 
2837 		uath_start(sc);
2838 		break;
2839 	default:
2840 		data = STAILQ_FIRST(&sc->sc_tx_active);
2841 		if (data == NULL)
2842 			goto setup;
2843 		if (data->ni != NULL) {
2844 			if_inc_counter(data->ni->ni_vap->iv_ifp,
2845 			    IFCOUNTER_OERRORS, 1);
2846 			if ((sc->sc_flags & UATH_FLAG_INVALID) == 0)
2847 				ieee80211_free_node(data->ni);
2848 			data->ni = NULL;
2849 		}
2850 		if (error != USB_ERR_CANCELLED) {
2851 			usbd_xfer_set_stall(xfer);
2852 			goto setup;
2853 		}
2854 		break;
2855 	}
2856 }
2857 
2858 static device_method_t uath_methods[] = {
2859 	DEVMETHOD(device_probe, uath_match),
2860 	DEVMETHOD(device_attach, uath_attach),
2861 	DEVMETHOD(device_detach, uath_detach),
2862 	DEVMETHOD_END
2863 };
2864 static driver_t uath_driver = {
2865 	.name = "uath",
2866 	.methods = uath_methods,
2867 	.size = sizeof(struct uath_softc)
2868 };
2869 static devclass_t uath_devclass;
2870 
2871 DRIVER_MODULE(uath, uhub, uath_driver, uath_devclass, NULL, 0);
2872 MODULE_DEPEND(uath, wlan, 1, 1, 1);
2873 MODULE_DEPEND(uath, usb, 1, 1, 1);
2874 MODULE_VERSION(uath, 1);
2875 USB_PNP_HOST_INFO(uath_devs);
2876