xref: /freebsd/sys/net80211/ieee80211_ht.c (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*-
2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD$");
29 #endif
30 
31 /*
32  * IEEE 802.11n protocol support.
33  */
34 
35 #include "opt_inet.h"
36 #include "opt_wlan.h"
37 
38 #include <sys/param.h>
39 #include <sys/kernel.h>
40 #include <sys/systm.h>
41 #include <sys/endian.h>
42 
43 #include <sys/socket.h>
44 
45 #include <net/if.h>
46 #include <net/if_media.h>
47 #include <net/ethernet.h>
48 
49 #include <net80211/ieee80211_var.h>
50 #include <net80211/ieee80211_action.h>
51 #include <net80211/ieee80211_input.h>
52 
53 /* define here, used throughout file */
54 #define	MS(_v, _f)	(((_v) & _f) >> _f##_S)
55 #define	SM(_v, _f)	(((_v) << _f##_S) & _f)
56 
57 const struct ieee80211_mcs_rates ieee80211_htrates[IEEE80211_HTRATE_MAXSIZE] = {
58 	{  13,  14,   27,   30 },	/* MCS 0 */
59 	{  26,  29,   54,   60 },	/* MCS 1 */
60 	{  39,  43,   81,   90 },	/* MCS 2 */
61 	{  52,  58,  108,  120 },	/* MCS 3 */
62 	{  78,  87,  162,  180 },	/* MCS 4 */
63 	{ 104, 116,  216,  240 },	/* MCS 5 */
64 	{ 117, 130,  243,  270 },	/* MCS 6 */
65 	{ 130, 144,  270,  300 },	/* MCS 7 */
66 	{  26,  29,   54,   60 },	/* MCS 8 */
67 	{  52,  58,  108,  120 },	/* MCS 9 */
68 	{  78,  87,  162,  180 },	/* MCS 10 */
69 	{ 104, 116,  216,  240 },	/* MCS 11 */
70 	{ 156, 173,  324,  360 },	/* MCS 12 */
71 	{ 208, 231,  432,  480 },	/* MCS 13 */
72 	{ 234, 260,  486,  540 },	/* MCS 14 */
73 	{ 260, 289,  540,  600 },	/* MCS 15 */
74 	{  39,  43,   81,   90 },	/* MCS 16 */
75 	{  78,  87,  162,  180 },	/* MCS 17 */
76 	{ 117, 130,  243,  270 },	/* MCS 18 */
77 	{ 156, 173,  324,  360 },	/* MCS 19 */
78 	{ 234, 260,  486,  540 },	/* MCS 20 */
79 	{ 312, 347,  648,  720 },	/* MCS 21 */
80 	{ 351, 390,  729,  810 },	/* MCS 22 */
81 	{ 390, 433,  810,  900 },	/* MCS 23 */
82 	{  52,  58,  108,  120 },	/* MCS 24 */
83 	{ 104, 116,  216,  240 },	/* MCS 25 */
84 	{ 156, 173,  324,  360 },	/* MCS 26 */
85 	{ 208, 231,  432,  480 },	/* MCS 27 */
86 	{ 312, 347,  648,  720 },	/* MCS 28 */
87 	{ 416, 462,  864,  960 },	/* MCS 29 */
88 	{ 468, 520,  972, 1080 },	/* MCS 30 */
89 	{ 520, 578, 1080, 1200 },	/* MCS 31 */
90 	{   0,   0,   12,   13 },	/* MCS 32 */
91 	{  78,  87,  162,  180 },	/* MCS 33 */
92 	{ 104, 116,  216,  240 },	/* MCS 34 */
93 	{ 130, 144,  270,  300 },	/* MCS 35 */
94 	{ 117, 130,  243,  270 },	/* MCS 36 */
95 	{ 156, 173,  324,  360 },	/* MCS 37 */
96 	{ 195, 217,  405,  450 },	/* MCS 38 */
97 	{ 104, 116,  216,  240 },	/* MCS 39 */
98 	{ 130, 144,  270,  300 },	/* MCS 40 */
99 	{ 130, 144,  270,  300 },	/* MCS 41 */
100 	{ 156, 173,  324,  360 },	/* MCS 42 */
101 	{ 182, 202,  378,  420 },	/* MCS 43 */
102 	{ 182, 202,  378,  420 },	/* MCS 44 */
103 	{ 208, 231,  432,  480 },	/* MCS 45 */
104 	{ 156, 173,  324,  360 },	/* MCS 46 */
105 	{ 195, 217,  405,  450 },	/* MCS 47 */
106 	{ 195, 217,  405,  450 },	/* MCS 48 */
107 	{ 234, 260,  486,  540 },	/* MCS 49 */
108 	{ 273, 303,  567,  630 },	/* MCS 50 */
109 	{ 273, 303,  567,  630 },	/* MCS 51 */
110 	{ 312, 347,  648,  720 },	/* MCS 52 */
111 	{ 130, 144,  270,  300 },	/* MCS 53 */
112 	{ 156, 173,  324,  360 },	/* MCS 54 */
113 	{ 182, 202,  378,  420 },	/* MCS 55 */
114 	{ 156, 173,  324,  360 },	/* MCS 56 */
115 	{ 182, 202,  378,  420 },	/* MCS 57 */
116 	{ 208, 231,  432,  480 },	/* MCS 58 */
117 	{ 234, 260,  486,  540 },	/* MCS 59 */
118 	{ 208, 231,  432,  480 },	/* MCS 60 */
119 	{ 234, 260,  486,  540 },	/* MCS 61 */
120 	{ 260, 289,  540,  600 },	/* MCS 62 */
121 	{ 260, 289,  540,  600 },	/* MCS 63 */
122 	{ 286, 318,  594,  660 },	/* MCS 64 */
123 	{ 195, 217,  405,  450 },	/* MCS 65 */
124 	{ 234, 260,  486,  540 },	/* MCS 66 */
125 	{ 273, 303,  567,  630 },	/* MCS 67 */
126 	{ 234, 260,  486,  540 },	/* MCS 68 */
127 	{ 273, 303,  567,  630 },	/* MCS 69 */
128 	{ 312, 347,  648,  720 },	/* MCS 70 */
129 	{ 351, 390,  729,  810 },	/* MCS 71 */
130 	{ 312, 347,  648,  720 },	/* MCS 72 */
131 	{ 351, 390,  729,  810 },	/* MCS 73 */
132 	{ 390, 433,  810,  900 },	/* MCS 74 */
133 	{ 390, 433,  810,  900 },	/* MCS 75 */
134 	{ 429, 477,  891,  990 },	/* MCS 76 */
135 };
136 
137 #ifdef IEEE80211_AMPDU_AGE
138 static	int ieee80211_ampdu_age = -1;	/* threshold for ampdu reorder q (ms) */
139 SYSCTL_PROC(_net_wlan, OID_AUTO, ampdu_age, CTLTYPE_INT | CTLFLAG_RW,
140 	&ieee80211_ampdu_age, 0, ieee80211_sysctl_msecs_ticks, "I",
141 	"AMPDU max reorder age (ms)");
142 #endif
143 
144 static	int ieee80211_recv_bar_ena = 1;
145 SYSCTL_INT(_net_wlan, OID_AUTO, recv_bar, CTLFLAG_RW, &ieee80211_recv_bar_ena,
146 	    0, "BAR frame processing (ena/dis)");
147 
148 static	int ieee80211_addba_timeout = -1;/* timeout for ADDBA response */
149 SYSCTL_PROC(_net_wlan, OID_AUTO, addba_timeout, CTLTYPE_INT | CTLFLAG_RW,
150 	&ieee80211_addba_timeout, 0, ieee80211_sysctl_msecs_ticks, "I",
151 	"ADDBA request timeout (ms)");
152 static	int ieee80211_addba_backoff = -1;/* backoff after max ADDBA requests */
153 SYSCTL_PROC(_net_wlan, OID_AUTO, addba_backoff, CTLTYPE_INT | CTLFLAG_RW,
154 	&ieee80211_addba_backoff, 0, ieee80211_sysctl_msecs_ticks, "I",
155 	"ADDBA request backoff (ms)");
156 static	int ieee80211_addba_maxtries = 3;/* max ADDBA requests before backoff */
157 SYSCTL_INT(_net_wlan, OID_AUTO, addba_maxtries, CTLTYPE_INT | CTLFLAG_RW,
158 	&ieee80211_addba_maxtries, 0, "max ADDBA requests sent before backoff");
159 
160 static	int ieee80211_bar_timeout = -1;	/* timeout waiting for BAR response */
161 static	int ieee80211_bar_maxtries = 50;/* max BAR requests before DELBA */
162 
163 static	ieee80211_recv_action_func ht_recv_action_ba_addba_request;
164 static	ieee80211_recv_action_func ht_recv_action_ba_addba_response;
165 static	ieee80211_recv_action_func ht_recv_action_ba_delba;
166 static	ieee80211_recv_action_func ht_recv_action_ht_mimopwrsave;
167 static	ieee80211_recv_action_func ht_recv_action_ht_txchwidth;
168 
169 static	ieee80211_send_action_func ht_send_action_ba_addba;
170 static	ieee80211_send_action_func ht_send_action_ba_delba;
171 static	ieee80211_send_action_func ht_send_action_ht_txchwidth;
172 
173 static void
174 ieee80211_ht_init(void)
175 {
176 	/*
177 	 * Setup HT parameters that depends on the clock frequency.
178 	 */
179 #ifdef IEEE80211_AMPDU_AGE
180 	ieee80211_ampdu_age = msecs_to_ticks(500);
181 #endif
182 	ieee80211_addba_timeout = msecs_to_ticks(250);
183 	ieee80211_addba_backoff = msecs_to_ticks(10*1000);
184 	ieee80211_bar_timeout = msecs_to_ticks(250);
185 	/*
186 	 * Register action frame handlers.
187 	 */
188 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_BA,
189 	    IEEE80211_ACTION_BA_ADDBA_REQUEST, ht_recv_action_ba_addba_request);
190 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_BA,
191 	    IEEE80211_ACTION_BA_ADDBA_RESPONSE, ht_recv_action_ba_addba_response);
192 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_BA,
193 	    IEEE80211_ACTION_BA_DELBA, ht_recv_action_ba_delba);
194 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_HT,
195 	    IEEE80211_ACTION_HT_MIMOPWRSAVE, ht_recv_action_ht_mimopwrsave);
196 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_HT,
197 	    IEEE80211_ACTION_HT_TXCHWIDTH, ht_recv_action_ht_txchwidth);
198 
199 	ieee80211_send_action_register(IEEE80211_ACTION_CAT_BA,
200 	    IEEE80211_ACTION_BA_ADDBA_REQUEST, ht_send_action_ba_addba);
201 	ieee80211_send_action_register(IEEE80211_ACTION_CAT_BA,
202 	    IEEE80211_ACTION_BA_ADDBA_RESPONSE, ht_send_action_ba_addba);
203 	ieee80211_send_action_register(IEEE80211_ACTION_CAT_BA,
204 	    IEEE80211_ACTION_BA_DELBA, ht_send_action_ba_delba);
205 	ieee80211_send_action_register(IEEE80211_ACTION_CAT_HT,
206 	    IEEE80211_ACTION_HT_TXCHWIDTH, ht_send_action_ht_txchwidth);
207 }
208 SYSINIT(wlan_ht, SI_SUB_DRIVERS, SI_ORDER_FIRST, ieee80211_ht_init, NULL);
209 
210 static int ieee80211_ampdu_enable(struct ieee80211_node *ni,
211 	struct ieee80211_tx_ampdu *tap);
212 static int ieee80211_addba_request(struct ieee80211_node *ni,
213 	struct ieee80211_tx_ampdu *tap,
214 	int dialogtoken, int baparamset, int batimeout);
215 static int ieee80211_addba_response(struct ieee80211_node *ni,
216 	struct ieee80211_tx_ampdu *tap,
217 	int code, int baparamset, int batimeout);
218 static void ieee80211_addba_stop(struct ieee80211_node *ni,
219 	struct ieee80211_tx_ampdu *tap);
220 static void null_addba_response_timeout(struct ieee80211_node *ni,
221 	struct ieee80211_tx_ampdu *tap);
222 
223 static void ieee80211_bar_response(struct ieee80211_node *ni,
224 	struct ieee80211_tx_ampdu *tap, int status);
225 static void ampdu_tx_stop(struct ieee80211_tx_ampdu *tap);
226 static void bar_stop_timer(struct ieee80211_tx_ampdu *tap);
227 static int ampdu_rx_start(struct ieee80211_node *, struct ieee80211_rx_ampdu *,
228 	int baparamset, int batimeout, int baseqctl);
229 static void ampdu_rx_stop(struct ieee80211_node *, struct ieee80211_rx_ampdu *);
230 
231 void
232 ieee80211_ht_attach(struct ieee80211com *ic)
233 {
234 	/* setup default aggregation policy */
235 	ic->ic_recv_action = ieee80211_recv_action;
236 	ic->ic_send_action = ieee80211_send_action;
237 	ic->ic_ampdu_enable = ieee80211_ampdu_enable;
238 	ic->ic_addba_request = ieee80211_addba_request;
239 	ic->ic_addba_response = ieee80211_addba_response;
240 	ic->ic_addba_response_timeout = null_addba_response_timeout;
241 	ic->ic_addba_stop = ieee80211_addba_stop;
242 	ic->ic_bar_response = ieee80211_bar_response;
243 	ic->ic_ampdu_rx_start = ampdu_rx_start;
244 	ic->ic_ampdu_rx_stop = ampdu_rx_stop;
245 
246 	ic->ic_htprotmode = IEEE80211_PROT_RTSCTS;
247 	ic->ic_curhtprotmode = IEEE80211_HTINFO_OPMODE_PURE;
248 }
249 
250 void
251 ieee80211_ht_detach(struct ieee80211com *ic)
252 {
253 }
254 
255 void
256 ieee80211_ht_vattach(struct ieee80211vap *vap)
257 {
258 
259 	/* driver can override defaults */
260 	vap->iv_ampdu_rxmax = IEEE80211_HTCAP_MAXRXAMPDU_8K;
261 	vap->iv_ampdu_density = IEEE80211_HTCAP_MPDUDENSITY_NA;
262 	vap->iv_ampdu_limit = vap->iv_ampdu_rxmax;
263 	vap->iv_amsdu_limit = vap->iv_htcaps & IEEE80211_HTCAP_MAXAMSDU;
264 	/* tx aggregation traffic thresholds */
265 	vap->iv_ampdu_mintraffic[WME_AC_BK] = 128;
266 	vap->iv_ampdu_mintraffic[WME_AC_BE] = 64;
267 	vap->iv_ampdu_mintraffic[WME_AC_VO] = 32;
268 	vap->iv_ampdu_mintraffic[WME_AC_VI] = 32;
269 
270 	if (vap->iv_htcaps & IEEE80211_HTC_HT) {
271 		/*
272 		 * Device is HT capable; enable all HT-related
273 		 * facilities by default.
274 		 * XXX these choices may be too aggressive.
275 		 */
276 		vap->iv_flags_ht |= IEEE80211_FHT_HT
277 				 |  IEEE80211_FHT_HTCOMPAT
278 				 ;
279 		if (vap->iv_htcaps & IEEE80211_HTCAP_SHORTGI20)
280 			vap->iv_flags_ht |= IEEE80211_FHT_SHORTGI20;
281 		/* XXX infer from channel list? */
282 		if (vap->iv_htcaps & IEEE80211_HTCAP_CHWIDTH40) {
283 			vap->iv_flags_ht |= IEEE80211_FHT_USEHT40;
284 			if (vap->iv_htcaps & IEEE80211_HTCAP_SHORTGI40)
285 				vap->iv_flags_ht |= IEEE80211_FHT_SHORTGI40;
286 		}
287 		/* enable RIFS if capable */
288 		if (vap->iv_htcaps & IEEE80211_HTC_RIFS)
289 			vap->iv_flags_ht |= IEEE80211_FHT_RIFS;
290 
291 		/* NB: A-MPDU and A-MSDU rx are mandated, these are tx only */
292 		vap->iv_flags_ht |= IEEE80211_FHT_AMPDU_RX;
293 		if (vap->iv_htcaps & IEEE80211_HTC_AMPDU)
294 			vap->iv_flags_ht |= IEEE80211_FHT_AMPDU_TX;
295 		vap->iv_flags_ht |= IEEE80211_FHT_AMSDU_RX;
296 		if (vap->iv_htcaps & IEEE80211_HTC_AMSDU)
297 			vap->iv_flags_ht |= IEEE80211_FHT_AMSDU_TX;
298 	}
299 	/* NB: disable default legacy WDS, too many issues right now */
300 	if (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY)
301 		vap->iv_flags_ht &= ~IEEE80211_FHT_HT;
302 }
303 
304 void
305 ieee80211_ht_vdetach(struct ieee80211vap *vap)
306 {
307 }
308 
309 static int
310 ht_getrate(struct ieee80211com *ic, int index, int mode, int ratetype)
311 {
312 	int mword, rate;
313 
314 	mword = ieee80211_rate2media(ic, index | IEEE80211_RATE_MCS, mode);
315 	if (IFM_SUBTYPE(mword) != IFM_IEEE80211_MCS)
316 		return (0);
317 	switch (ratetype) {
318 	case 0:
319 		rate = ieee80211_htrates[index].ht20_rate_800ns;
320 		break;
321 	case 1:
322 		rate = ieee80211_htrates[index].ht20_rate_400ns;
323 		break;
324 	case 2:
325 		rate = ieee80211_htrates[index].ht40_rate_800ns;
326 		break;
327 	default:
328 		rate = ieee80211_htrates[index].ht40_rate_400ns;
329 		break;
330 	}
331 	return (rate);
332 }
333 
334 static struct printranges {
335 	int	minmcs;
336 	int	maxmcs;
337 	int	txstream;
338 	int	ratetype;
339 	int	htcapflags;
340 } ranges[] = {
341 	{  0,  7, 1, 0, 0 },
342 	{  8, 15, 2, 0, 0 },
343 	{ 16, 23, 3, 0, 0 },
344 	{ 24, 31, 4, 0, 0 },
345 	{ 32,  0, 1, 2, IEEE80211_HTC_TXMCS32 },
346 	{ 33, 38, 2, 0, IEEE80211_HTC_TXUNEQUAL },
347 	{ 39, 52, 3, 0, IEEE80211_HTC_TXUNEQUAL },
348 	{ 53, 76, 4, 0, IEEE80211_HTC_TXUNEQUAL },
349 	{  0,  0, 0, 0, 0 },
350 };
351 
352 static void
353 ht_rateprint(struct ieee80211com *ic, int mode, int ratetype)
354 {
355 	struct ifnet *ifp = ic->ic_ifp;
356 	int minrate, maxrate;
357 	struct printranges *range;
358 
359 	for (range = ranges; range->txstream != 0; range++) {
360 		if (ic->ic_txstream < range->txstream)
361 			continue;
362 		if (range->htcapflags &&
363 		    (ic->ic_htcaps & range->htcapflags) == 0)
364 			continue;
365 		if (ratetype < range->ratetype)
366 			continue;
367 		minrate = ht_getrate(ic, range->minmcs, mode, ratetype);
368 		maxrate = ht_getrate(ic, range->maxmcs, mode, ratetype);
369 		if (range->maxmcs) {
370 			if_printf(ifp, "MCS %d-%d: %d%sMbps - %d%sMbps\n",
371 			    range->minmcs, range->maxmcs,
372 			    minrate/2, ((minrate & 0x1) != 0 ? ".5" : ""),
373 			    maxrate/2, ((maxrate & 0x1) != 0 ? ".5" : ""));
374 		} else {
375 			if_printf(ifp, "MCS %d: %d%sMbps\n", range->minmcs,
376 			    minrate/2, ((minrate & 0x1) != 0 ? ".5" : ""));
377 		}
378 	}
379 }
380 
381 static void
382 ht_announce(struct ieee80211com *ic, int mode)
383 {
384 	struct ifnet *ifp = ic->ic_ifp;
385 	const char *modestr = ieee80211_phymode_name[mode];
386 
387 	if_printf(ifp, "%s MCS 20MHz\n", modestr);
388 	ht_rateprint(ic, mode, 0);
389 	if (ic->ic_htcaps & IEEE80211_HTCAP_SHORTGI20) {
390 		if_printf(ifp, "%s MCS 20MHz SGI\n", modestr);
391 		ht_rateprint(ic, mode, 1);
392 	}
393 	if (ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40) {
394 		if_printf(ifp, "%s MCS 40MHz:\n", modestr);
395 		ht_rateprint(ic, mode, 2);
396 	}
397 	if ((ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40) &&
398 	    (ic->ic_htcaps & IEEE80211_HTCAP_SHORTGI40)) {
399 		if_printf(ifp, "%s MCS 40MHz SGI:\n", modestr);
400 		ht_rateprint(ic, mode, 3);
401 	}
402 }
403 
404 void
405 ieee80211_ht_announce(struct ieee80211com *ic)
406 {
407 	struct ifnet *ifp = ic->ic_ifp;
408 
409 	if (isset(ic->ic_modecaps, IEEE80211_MODE_11NA) ||
410 	    isset(ic->ic_modecaps, IEEE80211_MODE_11NG))
411 		if_printf(ifp, "%dT%dR\n", ic->ic_txstream, ic->ic_rxstream);
412 	if (isset(ic->ic_modecaps, IEEE80211_MODE_11NA))
413 		ht_announce(ic, IEEE80211_MODE_11NA);
414 	if (isset(ic->ic_modecaps, IEEE80211_MODE_11NG))
415 		ht_announce(ic, IEEE80211_MODE_11NG);
416 }
417 
418 static struct ieee80211_htrateset htrateset;
419 
420 const struct ieee80211_htrateset *
421 ieee80211_get_suphtrates(struct ieee80211com *ic,
422     const struct ieee80211_channel *c)
423 {
424 #define	ADDRATE(x)	do {						\
425 	htrateset.rs_rates[htrateset.rs_nrates] = x;			\
426 	htrateset.rs_nrates++;						\
427 } while (0)
428 	int i;
429 
430 	memset(&htrateset, 0, sizeof(struct ieee80211_htrateset));
431 	for (i = 0; i < ic->ic_txstream * 8; i++)
432 		ADDRATE(i);
433 	if ((ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40) &&
434 	    (ic->ic_htcaps & IEEE80211_HTC_TXMCS32))
435 		ADDRATE(i);
436 	if (ic->ic_htcaps & IEEE80211_HTC_TXUNEQUAL) {
437 		if (ic->ic_txstream >= 2) {
438 			 for (i = 33; i <= 38; i++)
439 				ADDRATE(i);
440 		}
441 		if (ic->ic_txstream >= 3) {
442 			for (i = 39; i <= 52; i++)
443 				ADDRATE(i);
444 		}
445 		if (ic->ic_txstream == 4) {
446 			for (i = 53; i <= 76; i++)
447 				ADDRATE(i);
448 		}
449 	}
450 	return &htrateset;
451 #undef	ADDRATE
452 }
453 
454 /*
455  * Receive processing.
456  */
457 
458 /*
459  * Decap the encapsulated A-MSDU frames and dispatch all but
460  * the last for delivery.  The last frame is returned for
461  * delivery via the normal path.
462  */
463 struct mbuf *
464 ieee80211_decap_amsdu(struct ieee80211_node *ni, struct mbuf *m)
465 {
466 	struct ieee80211vap *vap = ni->ni_vap;
467 	int framelen;
468 	struct mbuf *n;
469 
470 	/* discard 802.3 header inserted by ieee80211_decap */
471 	m_adj(m, sizeof(struct ether_header));
472 
473 	vap->iv_stats.is_amsdu_decap++;
474 
475 	for (;;) {
476 		/*
477 		 * Decap the first frame, bust it apart from the
478 		 * remainder and deliver.  We leave the last frame
479 		 * delivery to the caller (for consistency with other
480 		 * code paths, could also do it here).
481 		 */
482 		m = ieee80211_decap1(m, &framelen);
483 		if (m == NULL) {
484 			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
485 			    ni->ni_macaddr, "a-msdu", "%s", "decap failed");
486 			vap->iv_stats.is_amsdu_tooshort++;
487 			return NULL;
488 		}
489 		if (m->m_pkthdr.len == framelen)
490 			break;
491 		n = m_split(m, framelen, M_NOWAIT);
492 		if (n == NULL) {
493 			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
494 			    ni->ni_macaddr, "a-msdu",
495 			    "%s", "unable to split encapsulated frames");
496 			vap->iv_stats.is_amsdu_split++;
497 			m_freem(m);			/* NB: must reclaim */
498 			return NULL;
499 		}
500 		vap->iv_deliver_data(vap, ni, m);
501 
502 		/*
503 		 * Remove frame contents; each intermediate frame
504 		 * is required to be aligned to a 4-byte boundary.
505 		 */
506 		m = n;
507 		m_adj(m, roundup2(framelen, 4) - framelen);	/* padding */
508 	}
509 	return m;				/* last delivered by caller */
510 }
511 
512 /*
513  * Purge all frames in the A-MPDU re-order queue.
514  */
515 static void
516 ampdu_rx_purge(struct ieee80211_rx_ampdu *rap)
517 {
518 	struct mbuf *m;
519 	int i;
520 
521 	for (i = 0; i < rap->rxa_wnd; i++) {
522 		m = rap->rxa_m[i];
523 		if (m != NULL) {
524 			rap->rxa_m[i] = NULL;
525 			rap->rxa_qbytes -= m->m_pkthdr.len;
526 			m_freem(m);
527 			if (--rap->rxa_qframes == 0)
528 				break;
529 		}
530 	}
531 	KASSERT(rap->rxa_qbytes == 0 && rap->rxa_qframes == 0,
532 	    ("lost %u data, %u frames on ampdu rx q",
533 	    rap->rxa_qbytes, rap->rxa_qframes));
534 }
535 
536 /*
537  * Start A-MPDU rx/re-order processing for the specified TID.
538  */
539 static int
540 ampdu_rx_start(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap,
541 	int baparamset, int batimeout, int baseqctl)
542 {
543 	int bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
544 
545 	if (rap->rxa_flags & IEEE80211_AGGR_RUNNING) {
546 		/*
547 		 * AMPDU previously setup and not terminated with a DELBA,
548 		 * flush the reorder q's in case anything remains.
549 		 */
550 		ampdu_rx_purge(rap);
551 	}
552 	memset(rap, 0, sizeof(*rap));
553 	rap->rxa_wnd = (bufsiz == 0) ?
554 	    IEEE80211_AGGR_BAWMAX : min(bufsiz, IEEE80211_AGGR_BAWMAX);
555 	rap->rxa_start = MS(baseqctl, IEEE80211_BASEQ_START);
556 	rap->rxa_flags |=  IEEE80211_AGGR_RUNNING | IEEE80211_AGGR_XCHGPEND;
557 
558 	return 0;
559 }
560 
561 /*
562  * Stop A-MPDU rx processing for the specified TID.
563  */
564 static void
565 ampdu_rx_stop(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap)
566 {
567 
568 	ampdu_rx_purge(rap);
569 	rap->rxa_flags &= ~(IEEE80211_AGGR_RUNNING | IEEE80211_AGGR_XCHGPEND);
570 }
571 
572 /*
573  * Dispatch a frame from the A-MPDU reorder queue.  The
574  * frame is fed back into ieee80211_input marked with an
575  * M_AMPDU_MPDU flag so it doesn't come back to us (it also
576  * permits ieee80211_input to optimize re-processing).
577  */
578 static __inline void
579 ampdu_dispatch(struct ieee80211_node *ni, struct mbuf *m)
580 {
581 	m->m_flags |= M_AMPDU_MPDU;	/* bypass normal processing */
582 	/* NB: rssi and noise are ignored w/ M_AMPDU_MPDU set */
583 	(void) ieee80211_input(ni, m, 0, 0);
584 }
585 
586 /*
587  * Dispatch as many frames as possible from the re-order queue.
588  * Frames will always be "at the front"; we process all frames
589  * up to the first empty slot in the window.  On completion we
590  * cleanup state if there are still pending frames in the current
591  * BA window.  We assume the frame at slot 0 is already handled
592  * by the caller; we always start at slot 1.
593  */
594 static void
595 ampdu_rx_dispatch(struct ieee80211_rx_ampdu *rap, struct ieee80211_node *ni)
596 {
597 	struct ieee80211vap *vap = ni->ni_vap;
598 	struct mbuf *m;
599 	int i;
600 
601 	/* flush run of frames */
602 	for (i = 1; i < rap->rxa_wnd; i++) {
603 		m = rap->rxa_m[i];
604 		if (m == NULL)
605 			break;
606 		rap->rxa_m[i] = NULL;
607 		rap->rxa_qbytes -= m->m_pkthdr.len;
608 		rap->rxa_qframes--;
609 
610 		ampdu_dispatch(ni, m);
611 	}
612 	/*
613 	 * If frames remain, copy the mbuf pointers down so
614 	 * they correspond to the offsets in the new window.
615 	 */
616 	if (rap->rxa_qframes != 0) {
617 		int n = rap->rxa_qframes, j;
618 		for (j = i+1; j < rap->rxa_wnd; j++) {
619 			if (rap->rxa_m[j] != NULL) {
620 				rap->rxa_m[j-i] = rap->rxa_m[j];
621 				rap->rxa_m[j] = NULL;
622 				if (--n == 0)
623 					break;
624 			}
625 		}
626 		KASSERT(n == 0, ("lost %d frames", n));
627 		vap->iv_stats.is_ampdu_rx_copy += rap->rxa_qframes;
628 	}
629 	/*
630 	 * Adjust the start of the BA window to
631 	 * reflect the frames just dispatched.
632 	 */
633 	rap->rxa_start = IEEE80211_SEQ_ADD(rap->rxa_start, i);
634 	vap->iv_stats.is_ampdu_rx_oor += i;
635 }
636 
637 #ifdef IEEE80211_AMPDU_AGE
638 /*
639  * Dispatch all frames in the A-MPDU re-order queue.
640  */
641 static void
642 ampdu_rx_flush(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap)
643 {
644 	struct ieee80211vap *vap = ni->ni_vap;
645 	struct mbuf *m;
646 	int i;
647 
648 	for (i = 0; i < rap->rxa_wnd; i++) {
649 		m = rap->rxa_m[i];
650 		if (m == NULL)
651 			continue;
652 		rap->rxa_m[i] = NULL;
653 		rap->rxa_qbytes -= m->m_pkthdr.len;
654 		rap->rxa_qframes--;
655 		vap->iv_stats.is_ampdu_rx_oor++;
656 
657 		ampdu_dispatch(ni, m);
658 		if (rap->rxa_qframes == 0)
659 			break;
660 	}
661 }
662 #endif /* IEEE80211_AMPDU_AGE */
663 
664 /*
665  * Dispatch all frames in the A-MPDU re-order queue
666  * preceding the specified sequence number.  This logic
667  * handles window moves due to a received MSDU or BAR.
668  */
669 static void
670 ampdu_rx_flush_upto(struct ieee80211_node *ni,
671 	struct ieee80211_rx_ampdu *rap, ieee80211_seq winstart)
672 {
673 	struct ieee80211vap *vap = ni->ni_vap;
674 	struct mbuf *m;
675 	ieee80211_seq seqno;
676 	int i;
677 
678 	/*
679 	 * Flush any complete MSDU's with a sequence number lower
680 	 * than winstart.  Gaps may exist.  Note that we may actually
681 	 * dispatch frames past winstart if a run continues; this is
682 	 * an optimization that avoids having to do a separate pass
683 	 * to dispatch frames after moving the BA window start.
684 	 */
685 	seqno = rap->rxa_start;
686 	for (i = 0; i < rap->rxa_wnd; i++) {
687 		m = rap->rxa_m[i];
688 		if (m != NULL) {
689 			rap->rxa_m[i] = NULL;
690 			rap->rxa_qbytes -= m->m_pkthdr.len;
691 			rap->rxa_qframes--;
692 			vap->iv_stats.is_ampdu_rx_oor++;
693 
694 			ampdu_dispatch(ni, m);
695 		} else {
696 			if (!IEEE80211_SEQ_BA_BEFORE(seqno, winstart))
697 				break;
698 		}
699 		seqno = IEEE80211_SEQ_INC(seqno);
700 	}
701 	/*
702 	 * If frames remain, copy the mbuf pointers down so
703 	 * they correspond to the offsets in the new window.
704 	 */
705 	if (rap->rxa_qframes != 0) {
706 		int n = rap->rxa_qframes, j;
707 
708 		/* NB: this loop assumes i > 0 and/or rxa_m[0] is NULL */
709 		KASSERT(rap->rxa_m[0] == NULL,
710 		    ("%s: BA window slot 0 occupied", __func__));
711 		for (j = i+1; j < rap->rxa_wnd; j++) {
712 			if (rap->rxa_m[j] != NULL) {
713 				rap->rxa_m[j-i] = rap->rxa_m[j];
714 				rap->rxa_m[j] = NULL;
715 				if (--n == 0)
716 					break;
717 			}
718 		}
719 		KASSERT(n == 0, ("%s: lost %d frames, qframes %d off %d "
720 		    "BA win <%d:%d> winstart %d",
721 		    __func__, n, rap->rxa_qframes, i, rap->rxa_start,
722 		    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1),
723 		    winstart));
724 		vap->iv_stats.is_ampdu_rx_copy += rap->rxa_qframes;
725 	}
726 	/*
727 	 * Move the start of the BA window; we use the
728 	 * sequence number of the last MSDU that was
729 	 * passed up the stack+1 or winstart if stopped on
730 	 * a gap in the reorder buffer.
731 	 */
732 	rap->rxa_start = seqno;
733 }
734 
735 /*
736  * Process a received QoS data frame for an HT station.  Handle
737  * A-MPDU reordering: if this frame is received out of order
738  * and falls within the BA window hold onto it.  Otherwise if
739  * this frame completes a run, flush any pending frames.  We
740  * return 1 if the frame is consumed.  A 0 is returned if
741  * the frame should be processed normally by the caller.
742  */
743 int
744 ieee80211_ampdu_reorder(struct ieee80211_node *ni, struct mbuf *m)
745 {
746 #define	IEEE80211_FC0_QOSDATA \
747 	(IEEE80211_FC0_TYPE_DATA|IEEE80211_FC0_SUBTYPE_QOS|IEEE80211_FC0_VERSION_0)
748 #define	PROCESS		0	/* caller should process frame */
749 #define	CONSUMED	1	/* frame consumed, caller does nothing */
750 	struct ieee80211vap *vap = ni->ni_vap;
751 	struct ieee80211_qosframe *wh;
752 	struct ieee80211_rx_ampdu *rap;
753 	ieee80211_seq rxseq;
754 	uint8_t tid;
755 	int off;
756 
757 	KASSERT((m->m_flags & (M_AMPDU | M_AMPDU_MPDU)) == M_AMPDU,
758 	    ("!a-mpdu or already re-ordered, flags 0x%x", m->m_flags));
759 	KASSERT(ni->ni_flags & IEEE80211_NODE_HT, ("not an HT sta"));
760 
761 	/* NB: m_len known to be sufficient */
762 	wh = mtod(m, struct ieee80211_qosframe *);
763 	if (wh->i_fc[0] != IEEE80211_FC0_QOSDATA) {
764 		/*
765 		 * Not QoS data, shouldn't get here but just
766 		 * return it to the caller for processing.
767 		 */
768 		return PROCESS;
769 	}
770 	if (IEEE80211_IS_DSTODS(wh))
771 		tid = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0];
772 	else
773 		tid = wh->i_qos[0];
774 	tid &= IEEE80211_QOS_TID;
775 	rap = &ni->ni_rx_ampdu[tid];
776 	if ((rap->rxa_flags & IEEE80211_AGGR_XCHGPEND) == 0) {
777 		/*
778 		 * No ADDBA request yet, don't touch.
779 		 */
780 		return PROCESS;
781 	}
782 	rxseq = le16toh(*(uint16_t *)wh->i_seq);
783 	if ((rxseq & IEEE80211_SEQ_FRAG_MASK) != 0) {
784 		/*
785 		 * Fragments are not allowed; toss.
786 		 */
787 		IEEE80211_DISCARD_MAC(vap,
788 		    IEEE80211_MSG_INPUT | IEEE80211_MSG_11N, ni->ni_macaddr,
789 		    "A-MPDU", "fragment, rxseq 0x%x tid %u%s", rxseq, tid,
790 		    wh->i_fc[1] & IEEE80211_FC1_RETRY ? " (retransmit)" : "");
791 		vap->iv_stats.is_ampdu_rx_drop++;
792 		IEEE80211_NODE_STAT(ni, rx_drop);
793 		m_freem(m);
794 		return CONSUMED;
795 	}
796 	rxseq >>= IEEE80211_SEQ_SEQ_SHIFT;
797 	rap->rxa_nframes++;
798 again:
799 	if (rxseq == rap->rxa_start) {
800 		/*
801 		 * First frame in window.
802 		 */
803 		if (rap->rxa_qframes != 0) {
804 			/*
805 			 * Dispatch as many packets as we can.
806 			 */
807 			KASSERT(rap->rxa_m[0] == NULL, ("unexpected dup"));
808 			ampdu_dispatch(ni, m);
809 			ampdu_rx_dispatch(rap, ni);
810 			return CONSUMED;
811 		} else {
812 			/*
813 			 * In order; advance window and notify
814 			 * caller to dispatch directly.
815 			 */
816 			rap->rxa_start = IEEE80211_SEQ_INC(rxseq);
817 			return PROCESS;
818 		}
819 	}
820 	/*
821 	 * Frame is out of order; store if in the BA window.
822 	 */
823 	/* calculate offset in BA window */
824 	off = IEEE80211_SEQ_SUB(rxseq, rap->rxa_start);
825 	if (off < rap->rxa_wnd) {
826 		/*
827 		 * Common case (hopefully): in the BA window.
828 		 * Sec 9.10.7.6.2 a) (p.137)
829 		 */
830 #ifdef IEEE80211_AMPDU_AGE
831 		/*
832 		 * Check for frames sitting too long in the reorder queue.
833 		 * This should only ever happen if frames are not delivered
834 		 * without the sender otherwise notifying us (e.g. with a
835 		 * BAR to move the window).  Typically this happens because
836 		 * of vendor bugs that cause the sequence number to jump.
837 		 * When this happens we get a gap in the reorder queue that
838 		 * leaves frame sitting on the queue until they get pushed
839 		 * out due to window moves.  When the vendor does not send
840 		 * BAR this move only happens due to explicit packet sends
841 		 *
842 		 * NB: we only track the time of the oldest frame in the
843 		 * reorder q; this means that if we flush we might push
844 		 * frames that still "new"; if this happens then subsequent
845 		 * frames will result in BA window moves which cost something
846 		 * but is still better than a big throughput dip.
847 		 */
848 		if (rap->rxa_qframes != 0) {
849 			/* XXX honor batimeout? */
850 			if (ticks - rap->rxa_age > ieee80211_ampdu_age) {
851 				/*
852 				 * Too long since we received the first
853 				 * frame; flush the reorder buffer.
854 				 */
855 				if (rap->rxa_qframes != 0) {
856 					vap->iv_stats.is_ampdu_rx_age +=
857 					    rap->rxa_qframes;
858 					ampdu_rx_flush(ni, rap);
859 				}
860 				rap->rxa_start = IEEE80211_SEQ_INC(rxseq);
861 				return PROCESS;
862 			}
863 		} else {
864 			/*
865 			 * First frame, start aging timer.
866 			 */
867 			rap->rxa_age = ticks;
868 		}
869 #endif /* IEEE80211_AMPDU_AGE */
870 		/* save packet */
871 		if (rap->rxa_m[off] == NULL) {
872 			rap->rxa_m[off] = m;
873 			rap->rxa_qframes++;
874 			rap->rxa_qbytes += m->m_pkthdr.len;
875 			vap->iv_stats.is_ampdu_rx_reorder++;
876 		} else {
877 			IEEE80211_DISCARD_MAC(vap,
878 			    IEEE80211_MSG_INPUT | IEEE80211_MSG_11N,
879 			    ni->ni_macaddr, "a-mpdu duplicate",
880 			    "seqno %u tid %u BA win <%u:%u>",
881 			    rxseq, tid, rap->rxa_start,
882 			    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1));
883 			vap->iv_stats.is_rx_dup++;
884 			IEEE80211_NODE_STAT(ni, rx_dup);
885 			m_freem(m);
886 		}
887 		return CONSUMED;
888 	}
889 	if (off < IEEE80211_SEQ_BA_RANGE) {
890 		/*
891 		 * Outside the BA window, but within range;
892 		 * flush the reorder q and move the window.
893 		 * Sec 9.10.7.6.2 b) (p.138)
894 		 */
895 		IEEE80211_NOTE(vap, IEEE80211_MSG_11N, ni,
896 		    "move BA win <%u:%u> (%u frames) rxseq %u tid %u",
897 		    rap->rxa_start,
898 		    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1),
899 		    rap->rxa_qframes, rxseq, tid);
900 		vap->iv_stats.is_ampdu_rx_move++;
901 
902 		/*
903 		 * The spec says to flush frames up to but not including:
904 		 * 	WinStart_B = rxseq - rap->rxa_wnd + 1
905 		 * Then insert the frame or notify the caller to process
906 		 * it immediately.  We can safely do this by just starting
907 		 * over again because we know the frame will now be within
908 		 * the BA window.
909 		 */
910 		/* NB: rxa_wnd known to be >0 */
911 		ampdu_rx_flush_upto(ni, rap,
912 		    IEEE80211_SEQ_SUB(rxseq, rap->rxa_wnd-1));
913 		goto again;
914 	} else {
915 		/*
916 		 * Outside the BA window and out of range; toss.
917 		 * Sec 9.10.7.6.2 c) (p.138)
918 		 */
919 		IEEE80211_DISCARD_MAC(vap,
920 		    IEEE80211_MSG_INPUT | IEEE80211_MSG_11N, ni->ni_macaddr,
921 		    "MPDU", "BA win <%u:%u> (%u frames) rxseq %u tid %u%s",
922 		    rap->rxa_start,
923 		    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1),
924 		    rap->rxa_qframes, rxseq, tid,
925 		    wh->i_fc[1] & IEEE80211_FC1_RETRY ? " (retransmit)" : "");
926 		vap->iv_stats.is_ampdu_rx_drop++;
927 		IEEE80211_NODE_STAT(ni, rx_drop);
928 		m_freem(m);
929 		return CONSUMED;
930 	}
931 #undef CONSUMED
932 #undef PROCESS
933 #undef IEEE80211_FC0_QOSDATA
934 }
935 
936 /*
937  * Process a BAR ctl frame.  Dispatch all frames up to
938  * the sequence number of the frame.  If this frame is
939  * out of range it's discarded.
940  */
941 void
942 ieee80211_recv_bar(struct ieee80211_node *ni, struct mbuf *m0)
943 {
944 	struct ieee80211vap *vap = ni->ni_vap;
945 	struct ieee80211_frame_bar *wh;
946 	struct ieee80211_rx_ampdu *rap;
947 	ieee80211_seq rxseq;
948 	int tid, off;
949 
950 	if (!ieee80211_recv_bar_ena) {
951 #if 0
952 		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_11N,
953 		    ni->ni_macaddr, "BAR", "%s", "processing disabled");
954 #endif
955 		vap->iv_stats.is_ampdu_bar_bad++;
956 		return;
957 	}
958 	wh = mtod(m0, struct ieee80211_frame_bar *);
959 	/* XXX check basic BAR */
960 	tid = MS(le16toh(wh->i_ctl), IEEE80211_BAR_TID);
961 	rap = &ni->ni_rx_ampdu[tid];
962 	if ((rap->rxa_flags & IEEE80211_AGGR_XCHGPEND) == 0) {
963 		/*
964 		 * No ADDBA request yet, don't touch.
965 		 */
966 		IEEE80211_DISCARD_MAC(vap,
967 		    IEEE80211_MSG_INPUT | IEEE80211_MSG_11N,
968 		    ni->ni_macaddr, "BAR", "no BA stream, tid %u", tid);
969 		vap->iv_stats.is_ampdu_bar_bad++;
970 		return;
971 	}
972 	vap->iv_stats.is_ampdu_bar_rx++;
973 	rxseq = le16toh(wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT;
974 	if (rxseq == rap->rxa_start)
975 		return;
976 	/* calculate offset in BA window */
977 	off = IEEE80211_SEQ_SUB(rxseq, rap->rxa_start);
978 	if (off < IEEE80211_SEQ_BA_RANGE) {
979 		/*
980 		 * Flush the reorder q up to rxseq and move the window.
981 		 * Sec 9.10.7.6.3 a) (p.138)
982 		 */
983 		IEEE80211_NOTE(vap, IEEE80211_MSG_11N, ni,
984 		    "BAR moves BA win <%u:%u> (%u frames) rxseq %u tid %u",
985 		    rap->rxa_start,
986 		    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1),
987 		    rap->rxa_qframes, rxseq, tid);
988 		vap->iv_stats.is_ampdu_bar_move++;
989 
990 		ampdu_rx_flush_upto(ni, rap, rxseq);
991 		if (off >= rap->rxa_wnd) {
992 			/*
993 			 * BAR specifies a window start to the right of BA
994 			 * window; we must move it explicitly since
995 			 * ampdu_rx_flush_upto will not.
996 			 */
997 			rap->rxa_start = rxseq;
998 		}
999 	} else {
1000 		/*
1001 		 * Out of range; toss.
1002 		 * Sec 9.10.7.6.3 b) (p.138)
1003 		 */
1004 		IEEE80211_DISCARD_MAC(vap,
1005 		    IEEE80211_MSG_INPUT | IEEE80211_MSG_11N, ni->ni_macaddr,
1006 		    "BAR", "BA win <%u:%u> (%u frames) rxseq %u tid %u%s",
1007 		    rap->rxa_start,
1008 		    IEEE80211_SEQ_ADD(rap->rxa_start, rap->rxa_wnd-1),
1009 		    rap->rxa_qframes, rxseq, tid,
1010 		    wh->i_fc[1] & IEEE80211_FC1_RETRY ? " (retransmit)" : "");
1011 		vap->iv_stats.is_ampdu_bar_oow++;
1012 		IEEE80211_NODE_STAT(ni, rx_drop);
1013 	}
1014 }
1015 
1016 /*
1017  * Setup HT-specific state in a node.  Called only
1018  * when HT use is negotiated so we don't do extra
1019  * work for temporary and/or legacy sta's.
1020  */
1021 void
1022 ieee80211_ht_node_init(struct ieee80211_node *ni)
1023 {
1024 	struct ieee80211_tx_ampdu *tap;
1025 	int ac;
1026 
1027 	if (ni->ni_flags & IEEE80211_NODE_HT) {
1028 		/*
1029 		 * Clean AMPDU state on re-associate.  This handles the case
1030 		 * where a station leaves w/o notifying us and then returns
1031 		 * before node is reaped for inactivity.
1032 		 */
1033 		ieee80211_ht_node_cleanup(ni);
1034 	}
1035 	for (ac = 0; ac < WME_NUM_AC; ac++) {
1036 		tap = &ni->ni_tx_ampdu[ac];
1037 		tap->txa_ac = ac;
1038 		tap->txa_ni = ni;
1039 		/* NB: further initialization deferred */
1040 	}
1041 	ni->ni_flags |= IEEE80211_NODE_HT | IEEE80211_NODE_AMPDU;
1042 }
1043 
1044 /*
1045  * Cleanup HT-specific state in a node.  Called only
1046  * when HT use has been marked.
1047  */
1048 void
1049 ieee80211_ht_node_cleanup(struct ieee80211_node *ni)
1050 {
1051 	struct ieee80211com *ic = ni->ni_ic;
1052 	int i;
1053 
1054 	KASSERT(ni->ni_flags & IEEE80211_NODE_HT, ("not an HT node"));
1055 
1056 	/* XXX optimize this */
1057 	for (i = 0; i < WME_NUM_AC; i++) {
1058 		struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[i];
1059 		if (tap->txa_flags & IEEE80211_AGGR_SETUP)
1060 			ampdu_tx_stop(tap);
1061 	}
1062 	for (i = 0; i < WME_NUM_TID; i++)
1063 		ic->ic_ampdu_rx_stop(ni, &ni->ni_rx_ampdu[i]);
1064 
1065 	ni->ni_htcap = 0;
1066 	ni->ni_flags &= ~IEEE80211_NODE_HT_ALL;
1067 }
1068 
1069 /*
1070  * Age out HT resources for a station.
1071  */
1072 void
1073 ieee80211_ht_node_age(struct ieee80211_node *ni)
1074 {
1075 #ifdef IEEE80211_AMPDU_AGE
1076 	struct ieee80211vap *vap = ni->ni_vap;
1077 	uint8_t tid;
1078 #endif
1079 
1080 	KASSERT(ni->ni_flags & IEEE80211_NODE_HT, ("not an HT sta"));
1081 
1082 #ifdef IEEE80211_AMPDU_AGE
1083 	for (tid = 0; tid < WME_NUM_TID; tid++) {
1084 		struct ieee80211_rx_ampdu *rap;
1085 
1086 		rap = &ni->ni_rx_ampdu[tid];
1087 		if ((rap->rxa_flags & IEEE80211_AGGR_XCHGPEND) == 0)
1088 			continue;
1089 		if (rap->rxa_qframes == 0)
1090 			continue;
1091 		/*
1092 		 * Check for frames sitting too long in the reorder queue.
1093 		 * See above for more details on what's happening here.
1094 		 */
1095 		/* XXX honor batimeout? */
1096 		if (ticks - rap->rxa_age > ieee80211_ampdu_age) {
1097 			/*
1098 			 * Too long since we received the first
1099 			 * frame; flush the reorder buffer.
1100 			 */
1101 			vap->iv_stats.is_ampdu_rx_age += rap->rxa_qframes;
1102 			ampdu_rx_flush(ni, rap);
1103 		}
1104 	}
1105 #endif /* IEEE80211_AMPDU_AGE */
1106 }
1107 
1108 static struct ieee80211_channel *
1109 findhtchan(struct ieee80211com *ic, struct ieee80211_channel *c, int htflags)
1110 {
1111 	return ieee80211_find_channel(ic, c->ic_freq,
1112 	    (c->ic_flags &~ IEEE80211_CHAN_HT) | htflags);
1113 }
1114 
1115 /*
1116  * Adjust a channel to be HT/non-HT according to the vap's configuration.
1117  */
1118 struct ieee80211_channel *
1119 ieee80211_ht_adjust_channel(struct ieee80211com *ic,
1120 	struct ieee80211_channel *chan, int flags)
1121 {
1122 	struct ieee80211_channel *c;
1123 
1124 	if (flags & IEEE80211_FHT_HT) {
1125 		/* promote to HT if possible */
1126 		if (flags & IEEE80211_FHT_USEHT40) {
1127 			if (!IEEE80211_IS_CHAN_HT40(chan)) {
1128 				/* NB: arbitrarily pick ht40+ over ht40- */
1129 				c = findhtchan(ic, chan, IEEE80211_CHAN_HT40U);
1130 				if (c == NULL)
1131 					c = findhtchan(ic, chan,
1132 						IEEE80211_CHAN_HT40D);
1133 				if (c == NULL)
1134 					c = findhtchan(ic, chan,
1135 						IEEE80211_CHAN_HT20);
1136 				if (c != NULL)
1137 					chan = c;
1138 			}
1139 		} else if (!IEEE80211_IS_CHAN_HT20(chan)) {
1140 			c = findhtchan(ic, chan, IEEE80211_CHAN_HT20);
1141 			if (c != NULL)
1142 				chan = c;
1143 		}
1144 	} else if (IEEE80211_IS_CHAN_HT(chan)) {
1145 		/* demote to legacy, HT use is disabled */
1146 		c = ieee80211_find_channel(ic, chan->ic_freq,
1147 		    chan->ic_flags &~ IEEE80211_CHAN_HT);
1148 		if (c != NULL)
1149 			chan = c;
1150 	}
1151 	return chan;
1152 }
1153 
1154 /*
1155  * Setup HT-specific state for a legacy WDS peer.
1156  */
1157 void
1158 ieee80211_ht_wds_init(struct ieee80211_node *ni)
1159 {
1160 	struct ieee80211vap *vap = ni->ni_vap;
1161 	struct ieee80211_tx_ampdu *tap;
1162 	int ac;
1163 
1164 	KASSERT(vap->iv_flags_ht & IEEE80211_FHT_HT, ("no HT requested"));
1165 
1166 	/* XXX check scan cache in case peer has an ap and we have info */
1167 	/*
1168 	 * If setup with a legacy channel; locate an HT channel.
1169 	 * Otherwise if the inherited channel (from a companion
1170 	 * AP) is suitable use it so we use the same location
1171 	 * for the extension channel).
1172 	 */
1173 	ni->ni_chan = ieee80211_ht_adjust_channel(ni->ni_ic,
1174 	    ni->ni_chan, ieee80211_htchanflags(ni->ni_chan));
1175 
1176 	ni->ni_htcap = 0;
1177 	if (vap->iv_flags_ht & IEEE80211_FHT_SHORTGI20)
1178 		ni->ni_htcap |= IEEE80211_HTCAP_SHORTGI20;
1179 	if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
1180 		ni->ni_htcap |= IEEE80211_HTCAP_CHWIDTH40;
1181 		ni->ni_chw = 40;
1182 		if (IEEE80211_IS_CHAN_HT40U(ni->ni_chan))
1183 			ni->ni_ht2ndchan = IEEE80211_HTINFO_2NDCHAN_ABOVE;
1184 		else if (IEEE80211_IS_CHAN_HT40D(ni->ni_chan))
1185 			ni->ni_ht2ndchan = IEEE80211_HTINFO_2NDCHAN_BELOW;
1186 		if (vap->iv_flags_ht & IEEE80211_FHT_SHORTGI40)
1187 			ni->ni_htcap |= IEEE80211_HTCAP_SHORTGI40;
1188 	} else {
1189 		ni->ni_chw = 20;
1190 		ni->ni_ht2ndchan = IEEE80211_HTINFO_2NDCHAN_NONE;
1191 	}
1192 	ni->ni_htctlchan = ni->ni_chan->ic_ieee;
1193 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
1194 		ni->ni_flags |= IEEE80211_NODE_RIFS;
1195 	/* XXX does it make sense to enable SMPS? */
1196 
1197 	ni->ni_htopmode = 0;		/* XXX need protection state */
1198 	ni->ni_htstbc = 0;		/* XXX need info */
1199 
1200 	for (ac = 0; ac < WME_NUM_AC; ac++) {
1201 		tap = &ni->ni_tx_ampdu[ac];
1202 		tap->txa_ac = ac;
1203 	}
1204 	/* NB: AMPDU tx/rx governed by IEEE80211_FHT_AMPDU_{TX,RX} */
1205 	ni->ni_flags |= IEEE80211_NODE_HT | IEEE80211_NODE_AMPDU;
1206 }
1207 
1208 /*
1209  * Notify hostap vaps of a change in the HTINFO ie.
1210  */
1211 static void
1212 htinfo_notify(struct ieee80211com *ic)
1213 {
1214 	struct ieee80211vap *vap;
1215 	int first = 1;
1216 
1217 	IEEE80211_LOCK_ASSERT(ic);
1218 
1219 	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
1220 		if (vap->iv_opmode != IEEE80211_M_HOSTAP)
1221 			continue;
1222 		if (vap->iv_state != IEEE80211_S_RUN ||
1223 		    !IEEE80211_IS_CHAN_HT(vap->iv_bss->ni_chan))
1224 			continue;
1225 		if (first) {
1226 			IEEE80211_NOTE(vap,
1227 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N,
1228 			    vap->iv_bss,
1229 			    "HT bss occupancy change: %d sta, %d ht, "
1230 			    "%d ht40%s, HT protmode now 0x%x"
1231 			    , ic->ic_sta_assoc
1232 			    , ic->ic_ht_sta_assoc
1233 			    , ic->ic_ht40_sta_assoc
1234 			    , (ic->ic_flags_ht & IEEE80211_FHT_NONHT_PR) ?
1235 				 ", non-HT sta present" : ""
1236 			    , ic->ic_curhtprotmode);
1237 			first = 0;
1238 		}
1239 		ieee80211_beacon_notify(vap, IEEE80211_BEACON_HTINFO);
1240 	}
1241 }
1242 
1243 /*
1244  * Calculate HT protection mode from current
1245  * state and handle updates.
1246  */
1247 static void
1248 htinfo_update(struct ieee80211com *ic)
1249 {
1250 	uint8_t protmode;
1251 
1252 	if (ic->ic_sta_assoc != ic->ic_ht_sta_assoc) {
1253 		protmode = IEEE80211_HTINFO_OPMODE_MIXED
1254 			 | IEEE80211_HTINFO_NONHT_PRESENT;
1255 	} else if (ic->ic_flags_ht & IEEE80211_FHT_NONHT_PR) {
1256 		protmode = IEEE80211_HTINFO_OPMODE_PROTOPT
1257 			 | IEEE80211_HTINFO_NONHT_PRESENT;
1258 	} else if (ic->ic_bsschan != IEEE80211_CHAN_ANYC &&
1259 	    IEEE80211_IS_CHAN_HT40(ic->ic_bsschan) &&
1260 	    ic->ic_sta_assoc != ic->ic_ht40_sta_assoc) {
1261 		protmode = IEEE80211_HTINFO_OPMODE_HT20PR;
1262 	} else {
1263 		protmode = IEEE80211_HTINFO_OPMODE_PURE;
1264 	}
1265 	if (protmode != ic->ic_curhtprotmode) {
1266 		ic->ic_curhtprotmode = protmode;
1267 		htinfo_notify(ic);
1268 	}
1269 }
1270 
1271 /*
1272  * Handle an HT station joining a BSS.
1273  */
1274 void
1275 ieee80211_ht_node_join(struct ieee80211_node *ni)
1276 {
1277 	struct ieee80211com *ic = ni->ni_ic;
1278 
1279 	IEEE80211_LOCK_ASSERT(ic);
1280 
1281 	if (ni->ni_flags & IEEE80211_NODE_HT) {
1282 		ic->ic_ht_sta_assoc++;
1283 		if (ni->ni_chw == 40)
1284 			ic->ic_ht40_sta_assoc++;
1285 	}
1286 	htinfo_update(ic);
1287 }
1288 
1289 /*
1290  * Handle an HT station leaving a BSS.
1291  */
1292 void
1293 ieee80211_ht_node_leave(struct ieee80211_node *ni)
1294 {
1295 	struct ieee80211com *ic = ni->ni_ic;
1296 
1297 	IEEE80211_LOCK_ASSERT(ic);
1298 
1299 	if (ni->ni_flags & IEEE80211_NODE_HT) {
1300 		ic->ic_ht_sta_assoc--;
1301 		if (ni->ni_chw == 40)
1302 			ic->ic_ht40_sta_assoc--;
1303 	}
1304 	htinfo_update(ic);
1305 }
1306 
1307 /*
1308  * Public version of htinfo_update; used for processing
1309  * beacon frames from overlapping bss.
1310  *
1311  * Caller can specify either IEEE80211_HTINFO_OPMODE_MIXED
1312  * (on receipt of a beacon that advertises MIXED) or
1313  * IEEE80211_HTINFO_OPMODE_PROTOPT (on receipt of a beacon
1314  * from an overlapping legacy bss).  We treat MIXED with
1315  * a higher precedence than PROTOPT (i.e. we will not change
1316  * change PROTOPT -> MIXED; only MIXED -> PROTOPT).  This
1317  * corresponds to how we handle things in htinfo_update.
1318  */
1319 void
1320 ieee80211_htprot_update(struct ieee80211com *ic, int protmode)
1321 {
1322 #define	OPMODE(x)	SM(x, IEEE80211_HTINFO_OPMODE)
1323 	IEEE80211_LOCK(ic);
1324 
1325 	/* track non-HT station presence */
1326 	KASSERT(protmode & IEEE80211_HTINFO_NONHT_PRESENT,
1327 	    ("protmode 0x%x", protmode));
1328 	ic->ic_flags_ht |= IEEE80211_FHT_NONHT_PR;
1329 	ic->ic_lastnonht = ticks;
1330 
1331 	if (protmode != ic->ic_curhtprotmode &&
1332 	    (OPMODE(ic->ic_curhtprotmode) != IEEE80211_HTINFO_OPMODE_MIXED ||
1333 	     OPMODE(protmode) == IEEE80211_HTINFO_OPMODE_PROTOPT)) {
1334 		/* push beacon update */
1335 		ic->ic_curhtprotmode = protmode;
1336 		htinfo_notify(ic);
1337 	}
1338 	IEEE80211_UNLOCK(ic);
1339 #undef OPMODE
1340 }
1341 
1342 /*
1343  * Time out presence of an overlapping bss with non-HT
1344  * stations.  When operating in hostap mode we listen for
1345  * beacons from other stations and if we identify a non-HT
1346  * station is present we update the opmode field of the
1347  * HTINFO ie.  To identify when all non-HT stations are
1348  * gone we time out this condition.
1349  */
1350 void
1351 ieee80211_ht_timeout(struct ieee80211com *ic)
1352 {
1353 	IEEE80211_LOCK_ASSERT(ic);
1354 
1355 	if ((ic->ic_flags_ht & IEEE80211_FHT_NONHT_PR) &&
1356 	    time_after(ticks, ic->ic_lastnonht + IEEE80211_NONHT_PRESENT_AGE)) {
1357 #if 0
1358 		IEEE80211_NOTE(vap, IEEE80211_MSG_11N, ni,
1359 		    "%s", "time out non-HT STA present on channel");
1360 #endif
1361 		ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
1362 		htinfo_update(ic);
1363 	}
1364 }
1365 
1366 /* unalligned little endian access */
1367 #define LE_READ_2(p)					\
1368 	((uint16_t)					\
1369 	 ((((const uint8_t *)(p))[0]      ) |		\
1370 	  (((const uint8_t *)(p))[1] <<  8)))
1371 
1372 /*
1373  * Process an 802.11n HT capabilities ie.
1374  */
1375 void
1376 ieee80211_parse_htcap(struct ieee80211_node *ni, const uint8_t *ie)
1377 {
1378 	if (ie[0] == IEEE80211_ELEMID_VENDOR) {
1379 		/*
1380 		 * Station used Vendor OUI ie to associate;
1381 		 * mark the node so when we respond we'll use
1382 		 * the Vendor OUI's and not the standard ie's.
1383 		 */
1384 		ni->ni_flags |= IEEE80211_NODE_HTCOMPAT;
1385 		ie += 4;
1386 	} else
1387 		ni->ni_flags &= ~IEEE80211_NODE_HTCOMPAT;
1388 
1389 	ni->ni_htcap = LE_READ_2(ie +
1390 		__offsetof(struct ieee80211_ie_htcap, hc_cap));
1391 	ni->ni_htparam = ie[__offsetof(struct ieee80211_ie_htcap, hc_param)];
1392 }
1393 
1394 static void
1395 htinfo_parse(struct ieee80211_node *ni,
1396 	const struct ieee80211_ie_htinfo *htinfo)
1397 {
1398 	uint16_t w;
1399 
1400 	ni->ni_htctlchan = htinfo->hi_ctrlchannel;
1401 	ni->ni_ht2ndchan = SM(htinfo->hi_byte1, IEEE80211_HTINFO_2NDCHAN);
1402 	w = LE_READ_2(&htinfo->hi_byte2);
1403 	ni->ni_htopmode = SM(w, IEEE80211_HTINFO_OPMODE);
1404 	w = LE_READ_2(&htinfo->hi_byte45);
1405 	ni->ni_htstbc = SM(w, IEEE80211_HTINFO_BASIC_STBCMCS);
1406 }
1407 
1408 /*
1409  * Parse an 802.11n HT info ie and save useful information
1410  * to the node state.  Note this does not effect any state
1411  * changes such as for channel width change.
1412  */
1413 void
1414 ieee80211_parse_htinfo(struct ieee80211_node *ni, const uint8_t *ie)
1415 {
1416 	if (ie[0] == IEEE80211_ELEMID_VENDOR)
1417 		ie += 4;
1418 	htinfo_parse(ni, (const struct ieee80211_ie_htinfo *) ie);
1419 }
1420 
1421 /*
1422  * Handle 11n channel switch.  Use the received HT ie's to
1423  * identify the right channel to use.  If we cannot locate it
1424  * in the channel table then fallback to legacy operation.
1425  * Note that we use this information to identify the node's
1426  * channel only; the caller is responsible for insuring any
1427  * required channel change is done (e.g. in sta mode when
1428  * parsing the contents of a beacon frame).
1429  */
1430 static void
1431 htinfo_update_chw(struct ieee80211_node *ni, int htflags)
1432 {
1433 	struct ieee80211com *ic = ni->ni_ic;
1434 	struct ieee80211_channel *c;
1435 	int chanflags;
1436 
1437 	chanflags = (ni->ni_chan->ic_flags &~ IEEE80211_CHAN_HT) | htflags;
1438 	if (chanflags != ni->ni_chan->ic_flags) {
1439 		/* XXX not right for ht40- */
1440 		c = ieee80211_find_channel(ic, ni->ni_chan->ic_freq, chanflags);
1441 		if (c == NULL && (htflags & IEEE80211_CHAN_HT40)) {
1442 			/*
1443 			 * No HT40 channel entry in our table; fall back
1444 			 * to HT20 operation.  This should not happen.
1445 			 */
1446 			c = findhtchan(ic, ni->ni_chan, IEEE80211_CHAN_HT20);
1447 #if 0
1448 			IEEE80211_NOTE(ni->ni_vap,
1449 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
1450 			    "no HT40 channel (freq %u), falling back to HT20",
1451 			    ni->ni_chan->ic_freq);
1452 #endif
1453 			/* XXX stat */
1454 		}
1455 		if (c != NULL && c != ni->ni_chan) {
1456 			IEEE80211_NOTE(ni->ni_vap,
1457 			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
1458 			    "switch station to HT%d channel %u/0x%x",
1459 			    IEEE80211_IS_CHAN_HT40(c) ? 40 : 20,
1460 			    c->ic_freq, c->ic_flags);
1461 			ni->ni_chan = c;
1462 		}
1463 		/* NB: caller responsible for forcing any channel change */
1464 	}
1465 	/* update node's tx channel width */
1466 	ni->ni_chw = IEEE80211_IS_CHAN_HT40(ni->ni_chan)? 40 : 20;
1467 }
1468 
1469 /*
1470  * Update 11n MIMO PS state according to received htcap.
1471  */
1472 static __inline int
1473 htcap_update_mimo_ps(struct ieee80211_node *ni)
1474 {
1475 	uint16_t oflags = ni->ni_flags;
1476 
1477 	switch (ni->ni_htcap & IEEE80211_HTCAP_SMPS) {
1478 	case IEEE80211_HTCAP_SMPS_DYNAMIC:
1479 		ni->ni_flags |= IEEE80211_NODE_MIMO_PS;
1480 		ni->ni_flags |= IEEE80211_NODE_MIMO_RTS;
1481 		break;
1482 	case IEEE80211_HTCAP_SMPS_ENA:
1483 		ni->ni_flags |= IEEE80211_NODE_MIMO_PS;
1484 		ni->ni_flags &= ~IEEE80211_NODE_MIMO_RTS;
1485 		break;
1486 	case IEEE80211_HTCAP_SMPS_OFF:
1487 	default:		/* disable on rx of reserved value */
1488 		ni->ni_flags &= ~IEEE80211_NODE_MIMO_PS;
1489 		ni->ni_flags &= ~IEEE80211_NODE_MIMO_RTS;
1490 		break;
1491 	}
1492 	return (oflags ^ ni->ni_flags);
1493 }
1494 
1495 /*
1496  * Update short GI state according to received htcap
1497  * and local settings.
1498  */
1499 static __inline void
1500 htcap_update_shortgi(struct ieee80211_node *ni)
1501 {
1502 	struct ieee80211vap *vap = ni->ni_vap;
1503 
1504 	ni->ni_flags &= ~(IEEE80211_NODE_SGI20|IEEE80211_NODE_SGI40);
1505 	if ((ni->ni_htcap & IEEE80211_HTCAP_SHORTGI20) &&
1506 	    (vap->iv_flags_ht & IEEE80211_FHT_SHORTGI20))
1507 		ni->ni_flags |= IEEE80211_NODE_SGI20;
1508 	if ((ni->ni_htcap & IEEE80211_HTCAP_SHORTGI40) &&
1509 	    (vap->iv_flags_ht & IEEE80211_FHT_SHORTGI40))
1510 		ni->ni_flags |= IEEE80211_NODE_SGI40;
1511 }
1512 
1513 /*
1514  * Parse and update HT-related state extracted from
1515  * the HT cap and info ie's.
1516  */
1517 void
1518 ieee80211_ht_updateparams(struct ieee80211_node *ni,
1519 	const uint8_t *htcapie, const uint8_t *htinfoie)
1520 {
1521 	struct ieee80211vap *vap = ni->ni_vap;
1522 	const struct ieee80211_ie_htinfo *htinfo;
1523 	int htflags;
1524 
1525 	ieee80211_parse_htcap(ni, htcapie);
1526 	if (vap->iv_htcaps & IEEE80211_HTCAP_SMPS)
1527 		htcap_update_mimo_ps(ni);
1528 	htcap_update_shortgi(ni);
1529 
1530 	if (htinfoie[0] == IEEE80211_ELEMID_VENDOR)
1531 		htinfoie += 4;
1532 	htinfo = (const struct ieee80211_ie_htinfo *) htinfoie;
1533 	htinfo_parse(ni, htinfo);
1534 
1535 	htflags = (vap->iv_flags_ht & IEEE80211_FHT_HT) ?
1536 	    IEEE80211_CHAN_HT20 : 0;
1537 	/* NB: honor operating mode constraint */
1538 	if ((htinfo->hi_byte1 & IEEE80211_HTINFO_TXWIDTH_2040) &&
1539 	    (vap->iv_flags_ht & IEEE80211_FHT_USEHT40)) {
1540 		if (ni->ni_ht2ndchan == IEEE80211_HTINFO_2NDCHAN_ABOVE)
1541 			htflags = IEEE80211_CHAN_HT40U;
1542 		else if (ni->ni_ht2ndchan == IEEE80211_HTINFO_2NDCHAN_BELOW)
1543 			htflags = IEEE80211_CHAN_HT40D;
1544 	}
1545 	htinfo_update_chw(ni, htflags);
1546 
1547 	if ((htinfo->hi_byte1 & IEEE80211_HTINFO_RIFSMODE_PERM) &&
1548 	    (vap->iv_flags_ht & IEEE80211_FHT_RIFS))
1549 		ni->ni_flags |= IEEE80211_NODE_RIFS;
1550 	else
1551 		ni->ni_flags &= ~IEEE80211_NODE_RIFS;
1552 }
1553 
1554 /*
1555  * Parse and update HT-related state extracted from the HT cap ie
1556  * for a station joining an HT BSS.
1557  */
1558 void
1559 ieee80211_ht_updatehtcap(struct ieee80211_node *ni, const uint8_t *htcapie)
1560 {
1561 	struct ieee80211vap *vap = ni->ni_vap;
1562 	int htflags;
1563 
1564 	ieee80211_parse_htcap(ni, htcapie);
1565 	if (vap->iv_htcaps & IEEE80211_HTCAP_SMPS)
1566 		htcap_update_mimo_ps(ni);
1567 	htcap_update_shortgi(ni);
1568 
1569 	/* NB: honor operating mode constraint */
1570 	/* XXX 40 MHz intolerant */
1571 	htflags = (vap->iv_flags_ht & IEEE80211_FHT_HT) ?
1572 	    IEEE80211_CHAN_HT20 : 0;
1573 	if ((ni->ni_htcap & IEEE80211_HTCAP_CHWIDTH40) &&
1574 	    (vap->iv_flags_ht & IEEE80211_FHT_USEHT40)) {
1575 		if (IEEE80211_IS_CHAN_HT40U(vap->iv_bss->ni_chan))
1576 			htflags = IEEE80211_CHAN_HT40U;
1577 		else if (IEEE80211_IS_CHAN_HT40D(vap->iv_bss->ni_chan))
1578 			htflags = IEEE80211_CHAN_HT40D;
1579 	}
1580 	htinfo_update_chw(ni, htflags);
1581 }
1582 
1583 /*
1584  * Install received HT rate set by parsing the HT cap ie.
1585  */
1586 int
1587 ieee80211_setup_htrates(struct ieee80211_node *ni, const uint8_t *ie, int flags)
1588 {
1589 	struct ieee80211com *ic = ni->ni_ic;
1590 	struct ieee80211vap *vap = ni->ni_vap;
1591 	const struct ieee80211_ie_htcap *htcap;
1592 	struct ieee80211_htrateset *rs;
1593 	int i, maxequalmcs, maxunequalmcs;
1594 
1595 	maxequalmcs = ic->ic_txstream * 8 - 1;
1596 	if (ic->ic_htcaps & IEEE80211_HTC_TXUNEQUAL) {
1597 		if (ic->ic_txstream >= 2)
1598 			maxunequalmcs = 38;
1599 		if (ic->ic_txstream >= 3)
1600 			maxunequalmcs = 52;
1601 		if (ic->ic_txstream >= 4)
1602 			maxunequalmcs = 76;
1603 	} else
1604 		maxunequalmcs = 0;
1605 
1606 	rs = &ni->ni_htrates;
1607 	memset(rs, 0, sizeof(*rs));
1608 	if (ie != NULL) {
1609 		if (ie[0] == IEEE80211_ELEMID_VENDOR)
1610 			ie += 4;
1611 		htcap = (const struct ieee80211_ie_htcap *) ie;
1612 		for (i = 0; i < IEEE80211_HTRATE_MAXSIZE; i++) {
1613 			if (isclr(htcap->hc_mcsset, i))
1614 				continue;
1615 			if (rs->rs_nrates == IEEE80211_HTRATE_MAXSIZE) {
1616 				IEEE80211_NOTE(vap,
1617 				    IEEE80211_MSG_XRATE | IEEE80211_MSG_11N, ni,
1618 				    "WARNING, HT rate set too large; only "
1619 				    "using %u rates", IEEE80211_HTRATE_MAXSIZE);
1620 				vap->iv_stats.is_rx_rstoobig++;
1621 				break;
1622 			}
1623 			if (i <= 31 && i > maxequalmcs)
1624 				continue;
1625 			if (i == 32 &&
1626 			    (ic->ic_htcaps & IEEE80211_HTC_TXMCS32) == 0)
1627 				continue;
1628 			if (i > 32 && i > maxunequalmcs)
1629 				continue;
1630 			rs->rs_rates[rs->rs_nrates++] = i;
1631 		}
1632 	}
1633 	return ieee80211_fix_rate(ni, (struct ieee80211_rateset *) rs, flags);
1634 }
1635 
1636 /*
1637  * Mark rates in a node's HT rate set as basic according
1638  * to the information in the supplied HT info ie.
1639  */
1640 void
1641 ieee80211_setup_basic_htrates(struct ieee80211_node *ni, const uint8_t *ie)
1642 {
1643 	const struct ieee80211_ie_htinfo *htinfo;
1644 	struct ieee80211_htrateset *rs;
1645 	int i, j;
1646 
1647 	if (ie[0] == IEEE80211_ELEMID_VENDOR)
1648 		ie += 4;
1649 	htinfo = (const struct ieee80211_ie_htinfo *) ie;
1650 	rs = &ni->ni_htrates;
1651 	if (rs->rs_nrates == 0) {
1652 		IEEE80211_NOTE(ni->ni_vap,
1653 		    IEEE80211_MSG_XRATE | IEEE80211_MSG_11N, ni,
1654 		    "%s", "WARNING, empty HT rate set");
1655 		return;
1656 	}
1657 	for (i = 0; i < IEEE80211_HTRATE_MAXSIZE; i++) {
1658 		if (isclr(htinfo->hi_basicmcsset, i))
1659 			continue;
1660 		for (j = 0; j < rs->rs_nrates; j++)
1661 			if ((rs->rs_rates[j] & IEEE80211_RATE_VAL) == i)
1662 				rs->rs_rates[j] |= IEEE80211_RATE_BASIC;
1663 	}
1664 }
1665 
1666 static void
1667 ampdu_tx_setup(struct ieee80211_tx_ampdu *tap)
1668 {
1669 	callout_init(&tap->txa_timer, CALLOUT_MPSAFE);
1670 	tap->txa_flags |= IEEE80211_AGGR_SETUP;
1671 }
1672 
1673 static void
1674 ampdu_tx_stop(struct ieee80211_tx_ampdu *tap)
1675 {
1676 	struct ieee80211_node *ni = tap->txa_ni;
1677 	struct ieee80211com *ic = ni->ni_ic;
1678 
1679 	KASSERT(tap->txa_flags & IEEE80211_AGGR_SETUP,
1680 	    ("txa_flags 0x%x ac %d", tap->txa_flags, tap->txa_ac));
1681 
1682 	/*
1683 	 * Stop BA stream if setup so driver has a chance
1684 	 * to reclaim any resources it might have allocated.
1685 	 */
1686 	ic->ic_addba_stop(ni, tap);
1687 	/*
1688 	 * Stop any pending BAR transmit.
1689 	 */
1690 	bar_stop_timer(tap);
1691 
1692 	tap->txa_lastsample = 0;
1693 	tap->txa_avgpps = 0;
1694 	/* NB: clearing NAK means we may re-send ADDBA */
1695 	tap->txa_flags &= ~(IEEE80211_AGGR_SETUP | IEEE80211_AGGR_NAK);
1696 }
1697 
1698 /*
1699  * ADDBA response timeout.
1700  *
1701  * If software aggregation and per-TID queue management was done here,
1702  * that queue would be unpaused after the ADDBA timeout occurs.
1703  */
1704 static void
1705 addba_timeout(void *arg)
1706 {
1707 	struct ieee80211_tx_ampdu *tap = arg;
1708 	struct ieee80211_node *ni = tap->txa_ni;
1709 	struct ieee80211com *ic = ni->ni_ic;
1710 
1711 	/* XXX ? */
1712 	tap->txa_flags &= ~IEEE80211_AGGR_XCHGPEND;
1713 	tap->txa_attempts++;
1714 	ic->ic_addba_response_timeout(ni, tap);
1715 }
1716 
1717 static void
1718 addba_start_timeout(struct ieee80211_tx_ampdu *tap)
1719 {
1720 	/* XXX use CALLOUT_PENDING instead? */
1721 	callout_reset(&tap->txa_timer, ieee80211_addba_timeout,
1722 	    addba_timeout, tap);
1723 	tap->txa_flags |= IEEE80211_AGGR_XCHGPEND;
1724 	tap->txa_nextrequest = ticks + ieee80211_addba_timeout;
1725 }
1726 
1727 static void
1728 addba_stop_timeout(struct ieee80211_tx_ampdu *tap)
1729 {
1730 	/* XXX use CALLOUT_PENDING instead? */
1731 	if (tap->txa_flags & IEEE80211_AGGR_XCHGPEND) {
1732 		callout_stop(&tap->txa_timer);
1733 		tap->txa_flags &= ~IEEE80211_AGGR_XCHGPEND;
1734 	}
1735 }
1736 
1737 static void
1738 null_addba_response_timeout(struct ieee80211_node *ni,
1739     struct ieee80211_tx_ampdu *tap)
1740 {
1741 }
1742 
1743 /*
1744  * Default method for requesting A-MPDU tx aggregation.
1745  * We setup the specified state block and start a timer
1746  * to wait for an ADDBA response frame.
1747  */
1748 static int
1749 ieee80211_addba_request(struct ieee80211_node *ni,
1750 	struct ieee80211_tx_ampdu *tap,
1751 	int dialogtoken, int baparamset, int batimeout)
1752 {
1753 	int bufsiz;
1754 
1755 	/* XXX locking */
1756 	tap->txa_token = dialogtoken;
1757 	tap->txa_flags |= IEEE80211_AGGR_IMMEDIATE;
1758 	bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
1759 	tap->txa_wnd = (bufsiz == 0) ?
1760 	    IEEE80211_AGGR_BAWMAX : min(bufsiz, IEEE80211_AGGR_BAWMAX);
1761 	addba_start_timeout(tap);
1762 	return 1;
1763 }
1764 
1765 /*
1766  * Default method for processing an A-MPDU tx aggregation
1767  * response.  We shutdown any pending timer and update the
1768  * state block according to the reply.
1769  */
1770 static int
1771 ieee80211_addba_response(struct ieee80211_node *ni,
1772 	struct ieee80211_tx_ampdu *tap,
1773 	int status, int baparamset, int batimeout)
1774 {
1775 	int bufsiz, tid;
1776 
1777 	/* XXX locking */
1778 	addba_stop_timeout(tap);
1779 	if (status == IEEE80211_STATUS_SUCCESS) {
1780 		bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
1781 		/* XXX override our request? */
1782 		tap->txa_wnd = (bufsiz == 0) ?
1783 		    IEEE80211_AGGR_BAWMAX : min(bufsiz, IEEE80211_AGGR_BAWMAX);
1784 		/* XXX AC/TID */
1785 		tid = MS(baparamset, IEEE80211_BAPS_TID);
1786 		tap->txa_flags |= IEEE80211_AGGR_RUNNING;
1787 		tap->txa_attempts = 0;
1788 	} else {
1789 		/* mark tid so we don't try again */
1790 		tap->txa_flags |= IEEE80211_AGGR_NAK;
1791 	}
1792 	return 1;
1793 }
1794 
1795 /*
1796  * Default method for stopping A-MPDU tx aggregation.
1797  * Any timer is cleared and we drain any pending frames.
1798  */
1799 static void
1800 ieee80211_addba_stop(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap)
1801 {
1802 	/* XXX locking */
1803 	addba_stop_timeout(tap);
1804 	if (tap->txa_flags & IEEE80211_AGGR_RUNNING) {
1805 		/* XXX clear aggregation queue */
1806 		tap->txa_flags &= ~IEEE80211_AGGR_RUNNING;
1807 	}
1808 	tap->txa_attempts = 0;
1809 }
1810 
1811 /*
1812  * Process a received action frame using the default aggregation
1813  * policy.  We intercept ADDBA-related frames and use them to
1814  * update our aggregation state.  All other frames are passed up
1815  * for processing by ieee80211_recv_action.
1816  */
1817 static int
1818 ht_recv_action_ba_addba_request(struct ieee80211_node *ni,
1819 	const struct ieee80211_frame *wh,
1820 	const uint8_t *frm, const uint8_t *efrm)
1821 {
1822 	struct ieee80211com *ic = ni->ni_ic;
1823 	struct ieee80211vap *vap = ni->ni_vap;
1824 	struct ieee80211_rx_ampdu *rap;
1825 	uint8_t dialogtoken;
1826 	uint16_t baparamset, batimeout, baseqctl;
1827 	uint16_t args[5];
1828 	int tid;
1829 
1830 	dialogtoken = frm[2];
1831 	baparamset = LE_READ_2(frm+3);
1832 	batimeout = LE_READ_2(frm+5);
1833 	baseqctl = LE_READ_2(frm+7);
1834 
1835 	tid = MS(baparamset, IEEE80211_BAPS_TID);
1836 
1837 	IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
1838 	    "recv ADDBA request: dialogtoken %u baparamset 0x%x "
1839 	    "(tid %d bufsiz %d) batimeout %d baseqctl %d:%d",
1840 	    dialogtoken, baparamset,
1841 	    tid, MS(baparamset, IEEE80211_BAPS_BUFSIZ),
1842 	    batimeout,
1843 	    MS(baseqctl, IEEE80211_BASEQ_START),
1844 	    MS(baseqctl, IEEE80211_BASEQ_FRAG));
1845 
1846 	rap = &ni->ni_rx_ampdu[tid];
1847 
1848 	/* Send ADDBA response */
1849 	args[0] = dialogtoken;
1850 	/*
1851 	 * NB: We ack only if the sta associated with HT and
1852 	 * the ap is configured to do AMPDU rx (the latter
1853 	 * violates the 11n spec and is mostly for testing).
1854 	 */
1855 	if ((ni->ni_flags & IEEE80211_NODE_AMPDU_RX) &&
1856 	    (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_RX)) {
1857 		/* XXX handle ampdu_rx_start failure */
1858 		ic->ic_ampdu_rx_start(ni, rap,
1859 		    baparamset, batimeout, baseqctl);
1860 
1861 		args[1] = IEEE80211_STATUS_SUCCESS;
1862 	} else {
1863 		IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
1864 		    ni, "reject ADDBA request: %s",
1865 		    ni->ni_flags & IEEE80211_NODE_AMPDU_RX ?
1866 		       "administratively disabled" :
1867 		       "not negotiated for station");
1868 		vap->iv_stats.is_addba_reject++;
1869 		args[1] = IEEE80211_STATUS_UNSPECIFIED;
1870 	}
1871 	/* XXX honor rap flags? */
1872 	args[2] = IEEE80211_BAPS_POLICY_IMMEDIATE
1873 		| SM(tid, IEEE80211_BAPS_TID)
1874 		| SM(rap->rxa_wnd, IEEE80211_BAPS_BUFSIZ)
1875 		;
1876 	args[3] = 0;
1877 	args[4] = 0;
1878 	ic->ic_send_action(ni, IEEE80211_ACTION_CAT_BA,
1879 		IEEE80211_ACTION_BA_ADDBA_RESPONSE, args);
1880 	return 0;
1881 }
1882 
1883 static int
1884 ht_recv_action_ba_addba_response(struct ieee80211_node *ni,
1885 	const struct ieee80211_frame *wh,
1886 	const uint8_t *frm, const uint8_t *efrm)
1887 {
1888 	struct ieee80211com *ic = ni->ni_ic;
1889 	struct ieee80211vap *vap = ni->ni_vap;
1890 	struct ieee80211_tx_ampdu *tap;
1891 	uint8_t dialogtoken, policy;
1892 	uint16_t baparamset, batimeout, code;
1893 	int tid, ac, bufsiz;
1894 
1895 	dialogtoken = frm[2];
1896 	code = LE_READ_2(frm+3);
1897 	baparamset = LE_READ_2(frm+5);
1898 	tid = MS(baparamset, IEEE80211_BAPS_TID);
1899 	bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ);
1900 	policy = MS(baparamset, IEEE80211_BAPS_POLICY);
1901 	batimeout = LE_READ_2(frm+7);
1902 
1903 	ac = TID_TO_WME_AC(tid);
1904 	tap = &ni->ni_tx_ampdu[ac];
1905 	if ((tap->txa_flags & IEEE80211_AGGR_XCHGPEND) == 0) {
1906 		IEEE80211_DISCARD_MAC(vap,
1907 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
1908 		    ni->ni_macaddr, "ADDBA response",
1909 		    "no pending ADDBA, tid %d dialogtoken %u "
1910 		    "code %d", tid, dialogtoken, code);
1911 		vap->iv_stats.is_addba_norequest++;
1912 		return 0;
1913 	}
1914 	if (dialogtoken != tap->txa_token) {
1915 		IEEE80211_DISCARD_MAC(vap,
1916 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
1917 		    ni->ni_macaddr, "ADDBA response",
1918 		    "dialogtoken mismatch: waiting for %d, "
1919 		    "received %d, tid %d code %d",
1920 		    tap->txa_token, dialogtoken, tid, code);
1921 		vap->iv_stats.is_addba_badtoken++;
1922 		return 0;
1923 	}
1924 	/* NB: assumes IEEE80211_AGGR_IMMEDIATE is 1 */
1925 	if (policy != (tap->txa_flags & IEEE80211_AGGR_IMMEDIATE)) {
1926 		IEEE80211_DISCARD_MAC(vap,
1927 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
1928 		    ni->ni_macaddr, "ADDBA response",
1929 		    "policy mismatch: expecting %s, "
1930 		    "received %s, tid %d code %d",
1931 		    tap->txa_flags & IEEE80211_AGGR_IMMEDIATE,
1932 		    policy, tid, code);
1933 		vap->iv_stats.is_addba_badpolicy++;
1934 		return 0;
1935 	}
1936 #if 0
1937 	/* XXX we take MIN in ieee80211_addba_response */
1938 	if (bufsiz > IEEE80211_AGGR_BAWMAX) {
1939 		IEEE80211_DISCARD_MAC(vap,
1940 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
1941 		    ni->ni_macaddr, "ADDBA response",
1942 		    "BA window too large: max %d, "
1943 		    "received %d, tid %d code %d",
1944 		    bufsiz, IEEE80211_AGGR_BAWMAX, tid, code);
1945 		vap->iv_stats.is_addba_badbawinsize++;
1946 		return 0;
1947 	}
1948 #endif
1949 	IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
1950 	    "recv ADDBA response: dialogtoken %u code %d "
1951 	    "baparamset 0x%x (tid %d bufsiz %d) batimeout %d",
1952 	    dialogtoken, code, baparamset, tid, bufsiz,
1953 	    batimeout);
1954 	ic->ic_addba_response(ni, tap, code, baparamset, batimeout);
1955 	return 0;
1956 }
1957 
1958 static int
1959 ht_recv_action_ba_delba(struct ieee80211_node *ni,
1960 	const struct ieee80211_frame *wh,
1961 	const uint8_t *frm, const uint8_t *efrm)
1962 {
1963 	struct ieee80211com *ic = ni->ni_ic;
1964 	struct ieee80211_rx_ampdu *rap;
1965 	struct ieee80211_tx_ampdu *tap;
1966 	uint16_t baparamset, code;
1967 	int tid, ac;
1968 
1969 	baparamset = LE_READ_2(frm+2);
1970 	code = LE_READ_2(frm+4);
1971 
1972 	tid = MS(baparamset, IEEE80211_DELBAPS_TID);
1973 
1974 	IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
1975 	    "recv DELBA: baparamset 0x%x (tid %d initiator %d) "
1976 	    "code %d", baparamset, tid,
1977 	    MS(baparamset, IEEE80211_DELBAPS_INIT), code);
1978 
1979 	if ((baparamset & IEEE80211_DELBAPS_INIT) == 0) {
1980 		ac = TID_TO_WME_AC(tid);
1981 		tap = &ni->ni_tx_ampdu[ac];
1982 		ic->ic_addba_stop(ni, tap);
1983 	} else {
1984 		rap = &ni->ni_rx_ampdu[tid];
1985 		ic->ic_ampdu_rx_stop(ni, rap);
1986 	}
1987 	return 0;
1988 }
1989 
1990 static int
1991 ht_recv_action_ht_txchwidth(struct ieee80211_node *ni,
1992 	const struct ieee80211_frame *wh,
1993 	const uint8_t *frm, const uint8_t *efrm)
1994 {
1995 	int chw;
1996 
1997 	chw = (frm[2] == IEEE80211_A_HT_TXCHWIDTH_2040) ? 40 : 20;
1998 
1999 	IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
2000 	    "%s: HT txchwidth, width %d%s",
2001 	    __func__, chw, ni->ni_chw != chw ? "*" : "");
2002 	if (chw != ni->ni_chw) {
2003 		ni->ni_chw = chw;
2004 		/* XXX notify on change */
2005 	}
2006 	return 0;
2007 }
2008 
2009 static int
2010 ht_recv_action_ht_mimopwrsave(struct ieee80211_node *ni,
2011 	const struct ieee80211_frame *wh,
2012 	const uint8_t *frm, const uint8_t *efrm)
2013 {
2014 	const struct ieee80211_action_ht_mimopowersave *mps =
2015 	    (const struct ieee80211_action_ht_mimopowersave *) frm;
2016 
2017 	/* XXX check iv_htcaps */
2018 	if (mps->am_control & IEEE80211_A_HT_MIMOPWRSAVE_ENA)
2019 		ni->ni_flags |= IEEE80211_NODE_MIMO_PS;
2020 	else
2021 		ni->ni_flags &= ~IEEE80211_NODE_MIMO_PS;
2022 	if (mps->am_control & IEEE80211_A_HT_MIMOPWRSAVE_MODE)
2023 		ni->ni_flags |= IEEE80211_NODE_MIMO_RTS;
2024 	else
2025 		ni->ni_flags &= ~IEEE80211_NODE_MIMO_RTS;
2026 	/* XXX notify on change */
2027 	IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
2028 	    "%s: HT MIMO PS (%s%s)", __func__,
2029 	    (ni->ni_flags & IEEE80211_NODE_MIMO_PS) ?  "on" : "off",
2030 	    (ni->ni_flags & IEEE80211_NODE_MIMO_RTS) ?  "+rts" : ""
2031 	);
2032 	return 0;
2033 }
2034 
2035 /*
2036  * Transmit processing.
2037  */
2038 
2039 /*
2040  * Check if A-MPDU should be requested/enabled for a stream.
2041  * We require a traffic rate above a per-AC threshold and we
2042  * also handle backoff from previous failed attempts.
2043  *
2044  * Drivers may override this method to bring in information
2045  * such as link state conditions in making the decision.
2046  */
2047 static int
2048 ieee80211_ampdu_enable(struct ieee80211_node *ni,
2049 	struct ieee80211_tx_ampdu *tap)
2050 {
2051 	struct ieee80211vap *vap = ni->ni_vap;
2052 
2053 	if (tap->txa_avgpps < vap->iv_ampdu_mintraffic[tap->txa_ac])
2054 		return 0;
2055 	/* XXX check rssi? */
2056 	if (tap->txa_attempts >= ieee80211_addba_maxtries &&
2057 	    ticks < tap->txa_nextrequest) {
2058 		/*
2059 		 * Don't retry too often; txa_nextrequest is set
2060 		 * to the minimum interval we'll retry after
2061 		 * ieee80211_addba_maxtries failed attempts are made.
2062 		 */
2063 		return 0;
2064 	}
2065 	IEEE80211_NOTE(vap, IEEE80211_MSG_11N, ni,
2066 	    "enable AMPDU on %s, avgpps %d pkts %d",
2067 	    ieee80211_wme_acnames[tap->txa_ac], tap->txa_avgpps, tap->txa_pkts);
2068 	return 1;
2069 }
2070 
2071 /*
2072  * Request A-MPDU tx aggregation.  Setup local state and
2073  * issue an ADDBA request.  BA use will only happen after
2074  * the other end replies with ADDBA response.
2075  */
2076 int
2077 ieee80211_ampdu_request(struct ieee80211_node *ni,
2078 	struct ieee80211_tx_ampdu *tap)
2079 {
2080 	struct ieee80211com *ic = ni->ni_ic;
2081 	uint16_t args[5];
2082 	int tid, dialogtoken;
2083 	static int tokens = 0;	/* XXX */
2084 
2085 	/* XXX locking */
2086 	if ((tap->txa_flags & IEEE80211_AGGR_SETUP) == 0) {
2087 		/* do deferred setup of state */
2088 		ampdu_tx_setup(tap);
2089 	}
2090 	/* XXX hack for not doing proper locking */
2091 	tap->txa_flags &= ~IEEE80211_AGGR_NAK;
2092 
2093 	dialogtoken = (tokens+1) % 63;		/* XXX */
2094 	tid = WME_AC_TO_TID(tap->txa_ac);
2095 	tap->txa_start = ni->ni_txseqs[tid];
2096 
2097 	args[0] = dialogtoken;
2098 	args[1] = 0;	/* NB: status code not used */
2099 	args[2]	= IEEE80211_BAPS_POLICY_IMMEDIATE
2100 		| SM(tid, IEEE80211_BAPS_TID)
2101 		| SM(IEEE80211_AGGR_BAWMAX, IEEE80211_BAPS_BUFSIZ)
2102 		;
2103 	args[3] = 0;	/* batimeout */
2104 	/* NB: do first so there's no race against reply */
2105 	if (!ic->ic_addba_request(ni, tap, dialogtoken, args[2], args[3])) {
2106 		/* unable to setup state, don't make request */
2107 		IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_11N,
2108 		    ni, "%s: could not setup BA stream for AC %d",
2109 		    __func__, tap->txa_ac);
2110 		/* defer next try so we don't slam the driver with requests */
2111 		tap->txa_attempts = ieee80211_addba_maxtries;
2112 		/* NB: check in case driver wants to override */
2113 		if (tap->txa_nextrequest <= ticks)
2114 			tap->txa_nextrequest = ticks + ieee80211_addba_backoff;
2115 		return 0;
2116 	}
2117 	tokens = dialogtoken;			/* allocate token */
2118 	/* NB: after calling ic_addba_request so driver can set txa_start */
2119 	args[4] = SM(tap->txa_start, IEEE80211_BASEQ_START)
2120 		| SM(0, IEEE80211_BASEQ_FRAG)
2121 		;
2122 	return ic->ic_send_action(ni, IEEE80211_ACTION_CAT_BA,
2123 		IEEE80211_ACTION_BA_ADDBA_REQUEST, args);
2124 }
2125 
2126 /*
2127  * Terminate an AMPDU tx stream.  State is reclaimed
2128  * and the peer notified with a DelBA Action frame.
2129  */
2130 void
2131 ieee80211_ampdu_stop(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap,
2132 	int reason)
2133 {
2134 	struct ieee80211com *ic = ni->ni_ic;
2135 	struct ieee80211vap *vap = ni->ni_vap;
2136 	uint16_t args[4];
2137 
2138 	/* XXX locking */
2139 	tap->txa_flags &= ~IEEE80211_AGGR_BARPEND;
2140 	if (IEEE80211_AMPDU_RUNNING(tap)) {
2141 		IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
2142 		    ni, "%s: stop BA stream for AC %d (reason %d)",
2143 		    __func__, tap->txa_ac, reason);
2144 		vap->iv_stats.is_ampdu_stop++;
2145 
2146 		ic->ic_addba_stop(ni, tap);
2147 		args[0] = WME_AC_TO_TID(tap->txa_ac);
2148 		args[1] = IEEE80211_DELBAPS_INIT;
2149 		args[2] = reason;			/* XXX reason code */
2150 		ic->ic_send_action(ni, IEEE80211_ACTION_CAT_BA,
2151 			IEEE80211_ACTION_BA_DELBA, args);
2152 	} else {
2153 		IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N,
2154 		    ni, "%s: BA stream for AC %d not running (reason %d)",
2155 		    __func__, tap->txa_ac, reason);
2156 		vap->iv_stats.is_ampdu_stop_failed++;
2157 	}
2158 }
2159 
2160 static void
2161 bar_timeout(void *arg)
2162 {
2163 	struct ieee80211_tx_ampdu *tap = arg;
2164 	struct ieee80211_node *ni = tap->txa_ni;
2165 
2166 	KASSERT((tap->txa_flags & IEEE80211_AGGR_XCHGPEND) == 0,
2167 	    ("bar/addba collision, flags 0x%x", tap->txa_flags));
2168 
2169 	IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_11N,
2170 	    ni, "%s: tid %u flags 0x%x attempts %d", __func__,
2171 	    tap->txa_ac, tap->txa_flags, tap->txa_attempts);
2172 
2173 	/* guard against race with bar_tx_complete */
2174 	if ((tap->txa_flags & IEEE80211_AGGR_BARPEND) == 0)
2175 		return;
2176 	/* XXX ? */
2177 	if (tap->txa_attempts >= ieee80211_bar_maxtries)
2178 		ieee80211_ampdu_stop(ni, tap, IEEE80211_REASON_TIMEOUT);
2179 	else
2180 		ieee80211_send_bar(ni, tap, tap->txa_seqpending);
2181 }
2182 
2183 static void
2184 bar_start_timer(struct ieee80211_tx_ampdu *tap)
2185 {
2186 	callout_reset(&tap->txa_timer, ieee80211_bar_timeout, bar_timeout, tap);
2187 }
2188 
2189 static void
2190 bar_stop_timer(struct ieee80211_tx_ampdu *tap)
2191 {
2192 	callout_stop(&tap->txa_timer);
2193 }
2194 
2195 static void
2196 bar_tx_complete(struct ieee80211_node *ni, void *arg, int status)
2197 {
2198 	struct ieee80211_tx_ampdu *tap = arg;
2199 
2200 	IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_11N,
2201 	    ni, "%s: tid %u flags 0x%x pending %d status %d",
2202 	    __func__, tap->txa_ac, tap->txa_flags,
2203 	    callout_pending(&tap->txa_timer), status);
2204 
2205 	/* XXX locking */
2206 	if ((tap->txa_flags & IEEE80211_AGGR_BARPEND) &&
2207 	    callout_pending(&tap->txa_timer)) {
2208 		struct ieee80211com *ic = ni->ni_ic;
2209 
2210 		if (status == 0)		/* ACK'd */
2211 			bar_stop_timer(tap);
2212 		ic->ic_bar_response(ni, tap, status);
2213 		/* NB: just let timer expire so we pace requests */
2214 	}
2215 }
2216 
2217 static void
2218 ieee80211_bar_response(struct ieee80211_node *ni,
2219 	struct ieee80211_tx_ampdu *tap, int status)
2220 {
2221 
2222 	if (status == 0) {		/* got ACK */
2223 		IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_11N,
2224 		    ni, "BAR moves BA win <%u:%u> (%u frames) txseq %u tid %u",
2225 		    tap->txa_start,
2226 		    IEEE80211_SEQ_ADD(tap->txa_start, tap->txa_wnd-1),
2227 		    tap->txa_qframes, tap->txa_seqpending,
2228 		    WME_AC_TO_TID(tap->txa_ac));
2229 
2230 		/* NB: timer already stopped in bar_tx_complete */
2231 		tap->txa_start = tap->txa_seqpending;
2232 		tap->txa_flags &= ~IEEE80211_AGGR_BARPEND;
2233 	}
2234 }
2235 
2236 /*
2237  * Transmit a BAR frame to the specified node.  The
2238  * BAR contents are drawn from the supplied aggregation
2239  * state associated with the node.
2240  *
2241  * NB: we only handle immediate ACK w/ compressed bitmap.
2242  */
2243 int
2244 ieee80211_send_bar(struct ieee80211_node *ni,
2245 	struct ieee80211_tx_ampdu *tap, ieee80211_seq seq)
2246 {
2247 #define	senderr(_x, _v)	do { vap->iv_stats._v++; ret = _x; goto bad; } while (0)
2248 	struct ieee80211vap *vap = ni->ni_vap;
2249 	struct ieee80211com *ic = ni->ni_ic;
2250 	struct ieee80211_frame_bar *bar;
2251 	struct mbuf *m;
2252 	uint16_t barctl, barseqctl;
2253 	uint8_t *frm;
2254 	int tid, ret;
2255 
2256 	if ((tap->txa_flags & IEEE80211_AGGR_RUNNING) == 0) {
2257 		/* no ADDBA response, should not happen */
2258 		/* XXX stat+msg */
2259 		return EINVAL;
2260 	}
2261 	/* XXX locking */
2262 	bar_stop_timer(tap);
2263 
2264 	ieee80211_ref_node(ni);
2265 
2266 	m = ieee80211_getmgtframe(&frm, ic->ic_headroom, sizeof(*bar));
2267 	if (m == NULL)
2268 		senderr(ENOMEM, is_tx_nobuf);
2269 
2270 	if (!ieee80211_add_callback(m, bar_tx_complete, tap)) {
2271 		m_freem(m);
2272 		senderr(ENOMEM, is_tx_nobuf);	/* XXX */
2273 		/* NOTREACHED */
2274 	}
2275 
2276 	bar = mtod(m, struct ieee80211_frame_bar *);
2277 	bar->i_fc[0] = IEEE80211_FC0_VERSION_0 |
2278 		IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_BAR;
2279 	bar->i_fc[1] = 0;
2280 	IEEE80211_ADDR_COPY(bar->i_ra, ni->ni_macaddr);
2281 	IEEE80211_ADDR_COPY(bar->i_ta, vap->iv_myaddr);
2282 
2283 	tid = WME_AC_TO_TID(tap->txa_ac);
2284 	barctl 	= (tap->txa_flags & IEEE80211_AGGR_IMMEDIATE ?
2285 			0 : IEEE80211_BAR_NOACK)
2286 		| IEEE80211_BAR_COMP
2287 		| SM(tid, IEEE80211_BAR_TID)
2288 		;
2289 	barseqctl = SM(seq, IEEE80211_BAR_SEQ_START);
2290 	/* NB: known to have proper alignment */
2291 	bar->i_ctl = htole16(barctl);
2292 	bar->i_seq = htole16(barseqctl);
2293 	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_bar);
2294 
2295 	M_WME_SETAC(m, WME_AC_VO);
2296 
2297 	IEEE80211_NODE_STAT(ni, tx_mgmt);	/* XXX tx_ctl? */
2298 
2299 	/* XXX locking */
2300 	/* init/bump attempts counter */
2301 	if ((tap->txa_flags & IEEE80211_AGGR_BARPEND) == 0)
2302 		tap->txa_attempts = 1;
2303 	else
2304 		tap->txa_attempts++;
2305 	tap->txa_seqpending = seq;
2306 	tap->txa_flags |= IEEE80211_AGGR_BARPEND;
2307 
2308 	IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_11N,
2309 	    ni, "send BAR: tid %u ctl 0x%x start %u (attempt %d)",
2310 	    tid, barctl, seq, tap->txa_attempts);
2311 
2312 	/*
2313 	 * ic_raw_xmit will free the node reference
2314 	 * regardless of queue/TX success or failure.
2315 	 */
2316 	ret = ic->ic_raw_xmit(ni, m, NULL);
2317 	if (ret != 0) {
2318 		/* xmit failed, clear state flag */
2319 		tap->txa_flags &= ~IEEE80211_AGGR_BARPEND;
2320 		return ret;
2321 	}
2322 	/* XXX hack against tx complete happening before timer is started */
2323 	if (tap->txa_flags & IEEE80211_AGGR_BARPEND)
2324 		bar_start_timer(tap);
2325 	return 0;
2326 bad:
2327 	ieee80211_free_node(ni);
2328 	return ret;
2329 #undef senderr
2330 }
2331 
2332 static int
2333 ht_action_output(struct ieee80211_node *ni, struct mbuf *m)
2334 {
2335 	struct ieee80211_bpf_params params;
2336 
2337 	memset(&params, 0, sizeof(params));
2338 	params.ibp_pri = WME_AC_VO;
2339 	params.ibp_rate0 = ni->ni_txparms->mgmtrate;
2340 	/* NB: we know all frames are unicast */
2341 	params.ibp_try0 = ni->ni_txparms->maxretry;
2342 	params.ibp_power = ni->ni_txpower;
2343 	return ieee80211_mgmt_output(ni, m, IEEE80211_FC0_SUBTYPE_ACTION,
2344 	     &params);
2345 }
2346 
2347 #define	ADDSHORT(frm, v) do {			\
2348 	frm[0] = (v) & 0xff;			\
2349 	frm[1] = (v) >> 8;			\
2350 	frm += 2;				\
2351 } while (0)
2352 
2353 /*
2354  * Send an action management frame.  The arguments are stuff
2355  * into a frame without inspection; the caller is assumed to
2356  * prepare them carefully (e.g. based on the aggregation state).
2357  */
2358 static int
2359 ht_send_action_ba_addba(struct ieee80211_node *ni,
2360 	int category, int action, void *arg0)
2361 {
2362 	struct ieee80211vap *vap = ni->ni_vap;
2363 	struct ieee80211com *ic = ni->ni_ic;
2364 	uint16_t *args = arg0;
2365 	struct mbuf *m;
2366 	uint8_t *frm;
2367 
2368 	IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
2369 	    "send ADDBA %s: dialogtoken %d status %d "
2370 	    "baparamset 0x%x (tid %d) batimeout 0x%x baseqctl 0x%x",
2371 	    (action == IEEE80211_ACTION_BA_ADDBA_REQUEST) ?
2372 		"request" : "response",
2373 	    args[0], args[1], args[2], MS(args[2], IEEE80211_BAPS_TID),
2374 	    args[3], args[4]);
2375 
2376 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2377 	    "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", __func__, __LINE__,
2378 	    ni, ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni)+1);
2379 	ieee80211_ref_node(ni);
2380 
2381 	m = ieee80211_getmgtframe(&frm,
2382 	    ic->ic_headroom + sizeof(struct ieee80211_frame),
2383 	    sizeof(uint16_t)	/* action+category */
2384 	    /* XXX may action payload */
2385 	    + sizeof(struct ieee80211_action_ba_addbaresponse)
2386 	);
2387 	if (m != NULL) {
2388 		*frm++ = category;
2389 		*frm++ = action;
2390 		*frm++ = args[0];		/* dialog token */
2391 		if (action == IEEE80211_ACTION_BA_ADDBA_RESPONSE)
2392 			ADDSHORT(frm, args[1]);	/* status code */
2393 		ADDSHORT(frm, args[2]);		/* baparamset */
2394 		ADDSHORT(frm, args[3]);		/* batimeout */
2395 		if (action == IEEE80211_ACTION_BA_ADDBA_REQUEST)
2396 			ADDSHORT(frm, args[4]);	/* baseqctl */
2397 		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2398 		return ht_action_output(ni, m);
2399 	} else {
2400 		vap->iv_stats.is_tx_nobuf++;
2401 		ieee80211_free_node(ni);
2402 		return ENOMEM;
2403 	}
2404 }
2405 
2406 static int
2407 ht_send_action_ba_delba(struct ieee80211_node *ni,
2408 	int category, int action, void *arg0)
2409 {
2410 	struct ieee80211vap *vap = ni->ni_vap;
2411 	struct ieee80211com *ic = ni->ni_ic;
2412 	uint16_t *args = arg0;
2413 	struct mbuf *m;
2414 	uint16_t baparamset;
2415 	uint8_t *frm;
2416 
2417 	baparamset = SM(args[0], IEEE80211_DELBAPS_TID)
2418 		   | args[1]
2419 		   ;
2420 	IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
2421 	    "send DELBA action: tid %d, initiator %d reason %d",
2422 	    args[0], args[1], args[2]);
2423 
2424 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2425 	    "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", __func__, __LINE__,
2426 	    ni, ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni)+1);
2427 	ieee80211_ref_node(ni);
2428 
2429 	m = ieee80211_getmgtframe(&frm,
2430 	    ic->ic_headroom + sizeof(struct ieee80211_frame),
2431 	    sizeof(uint16_t)	/* action+category */
2432 	    /* XXX may action payload */
2433 	    + sizeof(struct ieee80211_action_ba_addbaresponse)
2434 	);
2435 	if (m != NULL) {
2436 		*frm++ = category;
2437 		*frm++ = action;
2438 		ADDSHORT(frm, baparamset);
2439 		ADDSHORT(frm, args[2]);		/* reason code */
2440 		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2441 		return ht_action_output(ni, m);
2442 	} else {
2443 		vap->iv_stats.is_tx_nobuf++;
2444 		ieee80211_free_node(ni);
2445 		return ENOMEM;
2446 	}
2447 }
2448 
2449 static int
2450 ht_send_action_ht_txchwidth(struct ieee80211_node *ni,
2451 	int category, int action, void *arg0)
2452 {
2453 	struct ieee80211vap *vap = ni->ni_vap;
2454 	struct ieee80211com *ic = ni->ni_ic;
2455 	struct mbuf *m;
2456 	uint8_t *frm;
2457 
2458 	IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni,
2459 	    "send HT txchwidth: width %d",
2460 	    IEEE80211_IS_CHAN_HT40(ni->ni_chan) ? 40 : 20);
2461 
2462 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2463 	    "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", __func__, __LINE__,
2464 	    ni, ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni)+1);
2465 	ieee80211_ref_node(ni);
2466 
2467 	m = ieee80211_getmgtframe(&frm,
2468 	    ic->ic_headroom + sizeof(struct ieee80211_frame),
2469 	    sizeof(uint16_t)	/* action+category */
2470 	    /* XXX may action payload */
2471 	    + sizeof(struct ieee80211_action_ba_addbaresponse)
2472 	);
2473 	if (m != NULL) {
2474 		*frm++ = category;
2475 		*frm++ = action;
2476 		*frm++ = IEEE80211_IS_CHAN_HT40(ni->ni_chan) ?
2477 			IEEE80211_A_HT_TXCHWIDTH_2040 :
2478 			IEEE80211_A_HT_TXCHWIDTH_20;
2479 		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2480 		return ht_action_output(ni, m);
2481 	} else {
2482 		vap->iv_stats.is_tx_nobuf++;
2483 		ieee80211_free_node(ni);
2484 		return ENOMEM;
2485 	}
2486 }
2487 #undef ADDSHORT
2488 
2489 /*
2490  * Construct the MCS bit mask for inclusion in an HT capabilities
2491  * information element.
2492  */
2493 static void
2494 ieee80211_set_mcsset(struct ieee80211com *ic, uint8_t *frm)
2495 {
2496 	int i;
2497 	uint8_t txparams;
2498 
2499 	KASSERT((ic->ic_rxstream > 0 && ic->ic_rxstream <= 4),
2500 	    ("ic_rxstream %d out of range", ic->ic_rxstream));
2501 	KASSERT((ic->ic_txstream > 0 && ic->ic_txstream <= 4),
2502 	    ("ic_txstream %d out of range", ic->ic_txstream));
2503 
2504 	for (i = 0; i < ic->ic_rxstream * 8; i++)
2505 		setbit(frm, i);
2506 	if ((ic->ic_htcaps & IEEE80211_HTCAP_CHWIDTH40) &&
2507 	    (ic->ic_htcaps & IEEE80211_HTC_RXMCS32))
2508 		setbit(frm, 32);
2509 	if (ic->ic_htcaps & IEEE80211_HTC_RXUNEQUAL) {
2510 		if (ic->ic_rxstream >= 2) {
2511 			for (i = 33; i <= 38; i++)
2512 				setbit(frm, i);
2513 		}
2514 		if (ic->ic_rxstream >= 3) {
2515 			for (i = 39; i <= 52; i++)
2516 				setbit(frm, i);
2517 		}
2518 		if (ic->ic_txstream >= 4) {
2519 			for (i = 53; i <= 76; i++)
2520 				setbit(frm, i);
2521 		}
2522 	}
2523 
2524 	if (ic->ic_rxstream != ic->ic_txstream) {
2525 		txparams = 0x1;			/* TX MCS set defined */
2526 		txparams |= 0x2;		/* TX RX MCS not equal */
2527 		txparams |= (ic->ic_txstream - 1) << 2;	/* num TX streams */
2528 		if (ic->ic_htcaps & IEEE80211_HTC_TXUNEQUAL)
2529 			txparams |= 0x16;	/* TX unequal modulation sup */
2530 	} else
2531 		txparams = 0;
2532 	frm[12] = txparams;
2533 }
2534 
2535 /*
2536  * Add body of an HTCAP information element.
2537  */
2538 static uint8_t *
2539 ieee80211_add_htcap_body(uint8_t *frm, struct ieee80211_node *ni)
2540 {
2541 #define	ADDSHORT(frm, v) do {			\
2542 	frm[0] = (v) & 0xff;			\
2543 	frm[1] = (v) >> 8;			\
2544 	frm += 2;				\
2545 } while (0)
2546 	struct ieee80211com *ic = ni->ni_ic;
2547 	struct ieee80211vap *vap = ni->ni_vap;
2548 	uint16_t caps, extcaps;
2549 	int rxmax, density;
2550 
2551 	/* HT capabilities */
2552 	caps = vap->iv_htcaps & 0xffff;
2553 	/*
2554 	 * Note channel width depends on whether we are operating as
2555 	 * a sta or not.  When operating as a sta we are generating
2556 	 * a request based on our desired configuration.  Otherwise
2557 	 * we are operational and the channel attributes identify
2558 	 * how we've been setup (which might be different if a fixed
2559 	 * channel is specified).
2560 	 */
2561 	if (vap->iv_opmode == IEEE80211_M_STA) {
2562 		/* override 20/40 use based on config */
2563 		if (vap->iv_flags_ht & IEEE80211_FHT_USEHT40)
2564 			caps |= IEEE80211_HTCAP_CHWIDTH40;
2565 		else
2566 			caps &= ~IEEE80211_HTCAP_CHWIDTH40;
2567 		/* use advertised setting (XXX locally constraint) */
2568 		rxmax = MS(ni->ni_htparam, IEEE80211_HTCAP_MAXRXAMPDU);
2569 		density = MS(ni->ni_htparam, IEEE80211_HTCAP_MPDUDENSITY);
2570 
2571 		/*
2572 		 * NB: Hardware might support HT40 on some but not all
2573 		 * channels. We can't determine this earlier because only
2574 		 * after association the channel is upgraded to HT based
2575 		 * on the negotiated capabilities.
2576 		 */
2577 		if (ni->ni_chan != IEEE80211_CHAN_ANYC &&
2578 		    findhtchan(ic, ni->ni_chan, IEEE80211_CHAN_HT40U) == NULL &&
2579 		    findhtchan(ic, ni->ni_chan, IEEE80211_CHAN_HT40D) == NULL)
2580 			caps &= ~IEEE80211_HTCAP_CHWIDTH40;
2581 	} else {
2582 		/* override 20/40 use based on current channel */
2583 		if (IEEE80211_IS_CHAN_HT40(ni->ni_chan))
2584 			caps |= IEEE80211_HTCAP_CHWIDTH40;
2585 		else
2586 			caps &= ~IEEE80211_HTCAP_CHWIDTH40;
2587 		rxmax = vap->iv_ampdu_rxmax;
2588 		density = vap->iv_ampdu_density;
2589 	}
2590 	/* adjust short GI based on channel and config */
2591 	if ((vap->iv_flags_ht & IEEE80211_FHT_SHORTGI20) == 0)
2592 		caps &= ~IEEE80211_HTCAP_SHORTGI20;
2593 	if ((vap->iv_flags_ht & IEEE80211_FHT_SHORTGI40) == 0 ||
2594 	    (caps & IEEE80211_HTCAP_CHWIDTH40) == 0)
2595 		caps &= ~IEEE80211_HTCAP_SHORTGI40;
2596 	ADDSHORT(frm, caps);
2597 
2598 	/* HT parameters */
2599 	*frm = SM(rxmax, IEEE80211_HTCAP_MAXRXAMPDU)
2600 	     | SM(density, IEEE80211_HTCAP_MPDUDENSITY)
2601 	     ;
2602 	frm++;
2603 
2604 	/* pre-zero remainder of ie */
2605 	memset(frm, 0, sizeof(struct ieee80211_ie_htcap) -
2606 		__offsetof(struct ieee80211_ie_htcap, hc_mcsset));
2607 
2608 	/* supported MCS set */
2609 	/*
2610 	 * XXX: For sta mode the rate set should be restricted based
2611 	 * on the AP's capabilities, but ni_htrates isn't setup when
2612 	 * we're called to form an AssocReq frame so for now we're
2613 	 * restricted to the device capabilities.
2614 	 */
2615 	ieee80211_set_mcsset(ni->ni_ic, frm);
2616 
2617 	frm += __offsetof(struct ieee80211_ie_htcap, hc_extcap) -
2618 		__offsetof(struct ieee80211_ie_htcap, hc_mcsset);
2619 
2620 	/* HT extended capabilities */
2621 	extcaps = vap->iv_htextcaps & 0xffff;
2622 
2623 	ADDSHORT(frm, extcaps);
2624 
2625 	frm += sizeof(struct ieee80211_ie_htcap) -
2626 		__offsetof(struct ieee80211_ie_htcap, hc_txbf);
2627 
2628 	return frm;
2629 #undef ADDSHORT
2630 }
2631 
2632 /*
2633  * Add 802.11n HT capabilities information element
2634  */
2635 uint8_t *
2636 ieee80211_add_htcap(uint8_t *frm, struct ieee80211_node *ni)
2637 {
2638 	frm[0] = IEEE80211_ELEMID_HTCAP;
2639 	frm[1] = sizeof(struct ieee80211_ie_htcap) - 2;
2640 	return ieee80211_add_htcap_body(frm + 2, ni);
2641 }
2642 
2643 /*
2644  * Add Broadcom OUI wrapped standard HTCAP ie; this is
2645  * used for compatibility w/ pre-draft implementations.
2646  */
2647 uint8_t *
2648 ieee80211_add_htcap_vendor(uint8_t *frm, struct ieee80211_node *ni)
2649 {
2650 	frm[0] = IEEE80211_ELEMID_VENDOR;
2651 	frm[1] = 4 + sizeof(struct ieee80211_ie_htcap) - 2;
2652 	frm[2] = (BCM_OUI >> 0) & 0xff;
2653 	frm[3] = (BCM_OUI >> 8) & 0xff;
2654 	frm[4] = (BCM_OUI >> 16) & 0xff;
2655 	frm[5] = BCM_OUI_HTCAP;
2656 	return ieee80211_add_htcap_body(frm + 6, ni);
2657 }
2658 
2659 /*
2660  * Construct the MCS bit mask of basic rates
2661  * for inclusion in an HT information element.
2662  */
2663 static void
2664 ieee80211_set_basic_htrates(uint8_t *frm, const struct ieee80211_htrateset *rs)
2665 {
2666 	int i;
2667 
2668 	for (i = 0; i < rs->rs_nrates; i++) {
2669 		int r = rs->rs_rates[i] & IEEE80211_RATE_VAL;
2670 		if ((rs->rs_rates[i] & IEEE80211_RATE_BASIC) &&
2671 		    r < IEEE80211_HTRATE_MAXSIZE) {
2672 			/* NB: this assumes a particular implementation */
2673 			setbit(frm, r);
2674 		}
2675 	}
2676 }
2677 
2678 /*
2679  * Update the HTINFO ie for a beacon frame.
2680  */
2681 void
2682 ieee80211_ht_update_beacon(struct ieee80211vap *vap,
2683 	struct ieee80211_beacon_offsets *bo)
2684 {
2685 #define	PROTMODE	(IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT)
2686 	const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan;
2687 	struct ieee80211com *ic = vap->iv_ic;
2688 	struct ieee80211_ie_htinfo *ht =
2689 	   (struct ieee80211_ie_htinfo *) bo->bo_htinfo;
2690 
2691 	/* XXX only update on channel change */
2692 	ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
2693 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
2694 		ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PERM;
2695 	else
2696 		ht->hi_byte1 = IEEE80211_HTINFO_RIFSMODE_PROH;
2697 	if (IEEE80211_IS_CHAN_HT40U(bsschan))
2698 		ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_ABOVE;
2699 	else if (IEEE80211_IS_CHAN_HT40D(bsschan))
2700 		ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_BELOW;
2701 	else
2702 		ht->hi_byte1 |= IEEE80211_HTINFO_2NDCHAN_NONE;
2703 	if (IEEE80211_IS_CHAN_HT40(bsschan))
2704 		ht->hi_byte1 |= IEEE80211_HTINFO_TXWIDTH_2040;
2705 
2706 	/* protection mode */
2707 	ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode;
2708 
2709 	/* XXX propagate to vendor ie's */
2710 #undef PROTMODE
2711 }
2712 
2713 /*
2714  * Add body of an HTINFO information element.
2715  *
2716  * NB: We don't use struct ieee80211_ie_htinfo because we can
2717  * be called to fillin both a standard ie and a compat ie that
2718  * has a vendor OUI at the front.
2719  */
2720 static uint8_t *
2721 ieee80211_add_htinfo_body(uint8_t *frm, struct ieee80211_node *ni)
2722 {
2723 	struct ieee80211vap *vap = ni->ni_vap;
2724 	struct ieee80211com *ic = ni->ni_ic;
2725 
2726 	/* pre-zero remainder of ie */
2727 	memset(frm, 0, sizeof(struct ieee80211_ie_htinfo) - 2);
2728 
2729 	/* primary/control channel center */
2730 	*frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
2731 
2732 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
2733 		frm[0] = IEEE80211_HTINFO_RIFSMODE_PERM;
2734 	else
2735 		frm[0] = IEEE80211_HTINFO_RIFSMODE_PROH;
2736 	if (IEEE80211_IS_CHAN_HT40U(ni->ni_chan))
2737 		frm[0] |= IEEE80211_HTINFO_2NDCHAN_ABOVE;
2738 	else if (IEEE80211_IS_CHAN_HT40D(ni->ni_chan))
2739 		frm[0] |= IEEE80211_HTINFO_2NDCHAN_BELOW;
2740 	else
2741 		frm[0] |= IEEE80211_HTINFO_2NDCHAN_NONE;
2742 	if (IEEE80211_IS_CHAN_HT40(ni->ni_chan))
2743 		frm[0] |= IEEE80211_HTINFO_TXWIDTH_2040;
2744 
2745 	frm[1] = ic->ic_curhtprotmode;
2746 
2747 	frm += 5;
2748 
2749 	/* basic MCS set */
2750 	ieee80211_set_basic_htrates(frm, &ni->ni_htrates);
2751 	frm += sizeof(struct ieee80211_ie_htinfo) -
2752 		__offsetof(struct ieee80211_ie_htinfo, hi_basicmcsset);
2753 	return frm;
2754 }
2755 
2756 /*
2757  * Add 802.11n HT information information element.
2758  */
2759 uint8_t *
2760 ieee80211_add_htinfo(uint8_t *frm, struct ieee80211_node *ni)
2761 {
2762 	frm[0] = IEEE80211_ELEMID_HTINFO;
2763 	frm[1] = sizeof(struct ieee80211_ie_htinfo) - 2;
2764 	return ieee80211_add_htinfo_body(frm + 2, ni);
2765 }
2766 
2767 /*
2768  * Add Broadcom OUI wrapped standard HTINFO ie; this is
2769  * used for compatibility w/ pre-draft implementations.
2770  */
2771 uint8_t *
2772 ieee80211_add_htinfo_vendor(uint8_t *frm, struct ieee80211_node *ni)
2773 {
2774 	frm[0] = IEEE80211_ELEMID_VENDOR;
2775 	frm[1] = 4 + sizeof(struct ieee80211_ie_htinfo) - 2;
2776 	frm[2] = (BCM_OUI >> 0) & 0xff;
2777 	frm[3] = (BCM_OUI >> 8) & 0xff;
2778 	frm[4] = (BCM_OUI >> 16) & 0xff;
2779 	frm[5] = BCM_OUI_HTINFO;
2780 	return ieee80211_add_htinfo_body(frm + 6, ni);
2781 }
2782