xref: /linux/drivers/net/wireless/broadcom/b43/main.c (revision a3a02a52bcfcbcc4a637d4b68bf1bc391c9fad02)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 
4   Broadcom B43 wireless driver
5 
6   Copyright (c) 2005 Martin Langer <martin-langer@gmx.de>
7   Copyright (c) 2005 Stefano Brivio <stefano.brivio@polimi.it>
8   Copyright (c) 2005-2009 Michael Buesch <m@bues.ch>
9   Copyright (c) 2005 Danny van Dyk <kugelfang@gentoo.org>
10   Copyright (c) 2005 Andreas Jaggi <andreas.jaggi@waterwave.ch>
11   Copyright (c) 2010-2011 Rafał Miłecki <zajec5@gmail.com>
12 
13   SDIO support
14   Copyright (c) 2009 Albert Herranz <albert_herranz@yahoo.es>
15 
16   Some parts of the code in this file are derived from the ipw2200
17   driver  Copyright(c) 2003 - 2004 Intel Corporation.
18 
19 
20 */
21 
22 #include <linux/delay.h>
23 #include <linux/init.h>
24 #include <linux/module.h>
25 #include <linux/if_arp.h>
26 #include <linux/etherdevice.h>
27 #include <linux/firmware.h>
28 #include <linux/workqueue.h>
29 #include <linux/skbuff.h>
30 #include <linux/io.h>
31 #include <linux/dma-mapping.h>
32 #include <linux/slab.h>
33 #include <asm/unaligned.h>
34 
35 #include "b43.h"
36 #include "main.h"
37 #include "debugfs.h"
38 #include "phy_common.h"
39 #include "phy_g.h"
40 #include "phy_n.h"
41 #include "dma.h"
42 #include "pio.h"
43 #include "sysfs.h"
44 #include "xmit.h"
45 #include "lo.h"
46 #include "sdio.h"
47 #include <linux/mmc/sdio_func.h>
48 
49 MODULE_DESCRIPTION("Broadcom B43 wireless driver");
50 MODULE_AUTHOR("Martin Langer");
51 MODULE_AUTHOR("Stefano Brivio");
52 MODULE_AUTHOR("Michael Buesch");
53 MODULE_AUTHOR("Gábor Stefanik");
54 MODULE_AUTHOR("Rafał Miłecki");
55 MODULE_LICENSE("GPL");
56 
57 MODULE_FIRMWARE("b43/ucode11.fw");
58 MODULE_FIRMWARE("b43/ucode13.fw");
59 MODULE_FIRMWARE("b43/ucode14.fw");
60 MODULE_FIRMWARE("b43/ucode15.fw");
61 MODULE_FIRMWARE("b43/ucode16_lp.fw");
62 MODULE_FIRMWARE("b43/ucode16_mimo.fw");
63 MODULE_FIRMWARE("b43/ucode24_lcn.fw");
64 MODULE_FIRMWARE("b43/ucode25_lcn.fw");
65 MODULE_FIRMWARE("b43/ucode25_mimo.fw");
66 MODULE_FIRMWARE("b43/ucode26_mimo.fw");
67 MODULE_FIRMWARE("b43/ucode29_mimo.fw");
68 MODULE_FIRMWARE("b43/ucode33_lcn40.fw");
69 MODULE_FIRMWARE("b43/ucode30_mimo.fw");
70 MODULE_FIRMWARE("b43/ucode5.fw");
71 MODULE_FIRMWARE("b43/ucode40.fw");
72 MODULE_FIRMWARE("b43/ucode42.fw");
73 MODULE_FIRMWARE("b43/ucode9.fw");
74 
75 static int modparam_bad_frames_preempt;
76 module_param_named(bad_frames_preempt, modparam_bad_frames_preempt, int, 0444);
77 MODULE_PARM_DESC(bad_frames_preempt,
78 		 "enable(1) / disable(0) Bad Frames Preemption");
79 
80 static char modparam_fwpostfix[16];
81 module_param_string(fwpostfix, modparam_fwpostfix, 16, 0444);
82 MODULE_PARM_DESC(fwpostfix, "Postfix for the .fw files to load.");
83 
84 static int modparam_hwpctl;
85 module_param_named(hwpctl, modparam_hwpctl, int, 0444);
86 MODULE_PARM_DESC(hwpctl, "Enable hardware-side power control (default off)");
87 
88 static int modparam_nohwcrypt;
89 module_param_named(nohwcrypt, modparam_nohwcrypt, int, 0444);
90 MODULE_PARM_DESC(nohwcrypt, "Disable hardware encryption.");
91 
92 static int modparam_hwtkip;
93 module_param_named(hwtkip, modparam_hwtkip, int, 0444);
94 MODULE_PARM_DESC(hwtkip, "Enable hardware tkip.");
95 
96 static int modparam_qos = 1;
97 module_param_named(qos, modparam_qos, int, 0444);
98 MODULE_PARM_DESC(qos, "Enable QOS support (default on)");
99 
100 static int modparam_btcoex = 1;
101 module_param_named(btcoex, modparam_btcoex, int, 0444);
102 MODULE_PARM_DESC(btcoex, "Enable Bluetooth coexistence (default on)");
103 
104 int b43_modparam_verbose = B43_VERBOSITY_DEFAULT;
105 module_param_named(verbose, b43_modparam_verbose, int, 0644);
106 MODULE_PARM_DESC(verbose, "Log message verbosity: 0=error, 1=warn, 2=info(default), 3=debug");
107 
108 static int b43_modparam_pio;
109 module_param_named(pio, b43_modparam_pio, int, 0644);
110 MODULE_PARM_DESC(pio, "Use PIO accesses by default: 0=DMA, 1=PIO");
111 
112 static int modparam_allhwsupport = !IS_ENABLED(CONFIG_BRCMSMAC);
113 module_param_named(allhwsupport, modparam_allhwsupport, int, 0444);
114 MODULE_PARM_DESC(allhwsupport, "Enable support for all hardware (even it if overlaps with the brcmsmac driver)");
115 
116 #ifdef CONFIG_B43_BCMA
117 static const struct bcma_device_id b43_bcma_tbl[] = {
118 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x11, BCMA_ANY_CLASS),
119 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x15, BCMA_ANY_CLASS),
120 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x17, BCMA_ANY_CLASS),
121 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x18, BCMA_ANY_CLASS),
122 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x1C, BCMA_ANY_CLASS),
123 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x1D, BCMA_ANY_CLASS),
124 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x1E, BCMA_ANY_CLASS),
125 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x28, BCMA_ANY_CLASS),
126 	BCMA_CORE(BCMA_MANUF_BCM, BCMA_CORE_80211, 0x2A, BCMA_ANY_CLASS),
127 	{},
128 };
129 MODULE_DEVICE_TABLE(bcma, b43_bcma_tbl);
130 #endif
131 
132 #ifdef CONFIG_B43_SSB
133 static const struct ssb_device_id b43_ssb_tbl[] = {
134 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 5),
135 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 6),
136 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 7),
137 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 9),
138 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 10),
139 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 11),
140 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 12),
141 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 13),
142 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 15),
143 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 16),
144 	{},
145 };
146 MODULE_DEVICE_TABLE(ssb, b43_ssb_tbl);
147 #endif
148 
149 /* Channel and ratetables are shared for all devices.
150  * They can't be const, because ieee80211 puts some precalculated
151  * data in there. This data is the same for all devices, so we don't
152  * get concurrency issues */
153 #define RATETAB_ENT(_rateid, _flags) \
154 	{								\
155 		.bitrate	= B43_RATE_TO_BASE100KBPS(_rateid),	\
156 		.hw_value	= (_rateid),				\
157 		.flags		= (_flags),				\
158 	}
159 
160 /*
161  * NOTE: When changing this, sync with xmit.c's
162  *	 b43_plcp_get_bitrate_idx_* functions!
163  */
164 static struct ieee80211_rate __b43_ratetable[] = {
165 	RATETAB_ENT(B43_CCK_RATE_1MB, 0),
166 	RATETAB_ENT(B43_CCK_RATE_2MB, IEEE80211_RATE_SHORT_PREAMBLE),
167 	RATETAB_ENT(B43_CCK_RATE_5MB, IEEE80211_RATE_SHORT_PREAMBLE),
168 	RATETAB_ENT(B43_CCK_RATE_11MB, IEEE80211_RATE_SHORT_PREAMBLE),
169 	RATETAB_ENT(B43_OFDM_RATE_6MB, 0),
170 	RATETAB_ENT(B43_OFDM_RATE_9MB, 0),
171 	RATETAB_ENT(B43_OFDM_RATE_12MB, 0),
172 	RATETAB_ENT(B43_OFDM_RATE_18MB, 0),
173 	RATETAB_ENT(B43_OFDM_RATE_24MB, 0),
174 	RATETAB_ENT(B43_OFDM_RATE_36MB, 0),
175 	RATETAB_ENT(B43_OFDM_RATE_48MB, 0),
176 	RATETAB_ENT(B43_OFDM_RATE_54MB, 0),
177 };
178 
179 #define b43_a_ratetable		(__b43_ratetable + 4)
180 #define b43_a_ratetable_size	8
181 #define b43_b_ratetable		(__b43_ratetable + 0)
182 #define b43_b_ratetable_size	4
183 #define b43_g_ratetable		(__b43_ratetable + 0)
184 #define b43_g_ratetable_size	12
185 
186 #define CHAN2G(_channel, _freq, _flags) {			\
187 	.band			= NL80211_BAND_2GHZ,		\
188 	.center_freq		= (_freq),			\
189 	.hw_value		= (_channel),			\
190 	.flags			= (_flags),			\
191 	.max_antenna_gain	= 0,				\
192 	.max_power		= 30,				\
193 }
194 static struct ieee80211_channel b43_2ghz_chantable[] = {
195 	CHAN2G(1, 2412, 0),
196 	CHAN2G(2, 2417, 0),
197 	CHAN2G(3, 2422, 0),
198 	CHAN2G(4, 2427, 0),
199 	CHAN2G(5, 2432, 0),
200 	CHAN2G(6, 2437, 0),
201 	CHAN2G(7, 2442, 0),
202 	CHAN2G(8, 2447, 0),
203 	CHAN2G(9, 2452, 0),
204 	CHAN2G(10, 2457, 0),
205 	CHAN2G(11, 2462, 0),
206 	CHAN2G(12, 2467, 0),
207 	CHAN2G(13, 2472, 0),
208 	CHAN2G(14, 2484, 0),
209 };
210 
211 /* No support for the last 3 channels (12, 13, 14) */
212 #define b43_2ghz_chantable_limited_size		11
213 #undef CHAN2G
214 
215 #define CHAN4G(_channel, _flags) {				\
216 	.band			= NL80211_BAND_5GHZ,		\
217 	.center_freq		= 4000 + (5 * (_channel)),	\
218 	.hw_value		= (_channel),			\
219 	.flags			= (_flags),			\
220 	.max_antenna_gain	= 0,				\
221 	.max_power		= 30,				\
222 }
223 #define CHAN5G(_channel, _flags) {				\
224 	.band			= NL80211_BAND_5GHZ,		\
225 	.center_freq		= 5000 + (5 * (_channel)),	\
226 	.hw_value		= (_channel),			\
227 	.flags			= (_flags),			\
228 	.max_antenna_gain	= 0,				\
229 	.max_power		= 30,				\
230 }
231 static struct ieee80211_channel b43_5ghz_nphy_chantable[] = {
232 	CHAN4G(184, 0),		CHAN4G(186, 0),
233 	CHAN4G(188, 0),		CHAN4G(190, 0),
234 	CHAN4G(192, 0),		CHAN4G(194, 0),
235 	CHAN4G(196, 0),		CHAN4G(198, 0),
236 	CHAN4G(200, 0),		CHAN4G(202, 0),
237 	CHAN4G(204, 0),		CHAN4G(206, 0),
238 	CHAN4G(208, 0),		CHAN4G(210, 0),
239 	CHAN4G(212, 0),		CHAN4G(214, 0),
240 	CHAN4G(216, 0),		CHAN4G(218, 0),
241 	CHAN4G(220, 0),		CHAN4G(222, 0),
242 	CHAN4G(224, 0),		CHAN4G(226, 0),
243 	CHAN4G(228, 0),
244 	CHAN5G(32, 0),		CHAN5G(34, 0),
245 	CHAN5G(36, 0),		CHAN5G(38, 0),
246 	CHAN5G(40, 0),		CHAN5G(42, 0),
247 	CHAN5G(44, 0),		CHAN5G(46, 0),
248 	CHAN5G(48, 0),		CHAN5G(50, 0),
249 	CHAN5G(52, 0),		CHAN5G(54, 0),
250 	CHAN5G(56, 0),		CHAN5G(58, 0),
251 	CHAN5G(60, 0),		CHAN5G(62, 0),
252 	CHAN5G(64, 0),		CHAN5G(66, 0),
253 	CHAN5G(68, 0),		CHAN5G(70, 0),
254 	CHAN5G(72, 0),		CHAN5G(74, 0),
255 	CHAN5G(76, 0),		CHAN5G(78, 0),
256 	CHAN5G(80, 0),		CHAN5G(82, 0),
257 	CHAN5G(84, 0),		CHAN5G(86, 0),
258 	CHAN5G(88, 0),		CHAN5G(90, 0),
259 	CHAN5G(92, 0),		CHAN5G(94, 0),
260 	CHAN5G(96, 0),		CHAN5G(98, 0),
261 	CHAN5G(100, 0),		CHAN5G(102, 0),
262 	CHAN5G(104, 0),		CHAN5G(106, 0),
263 	CHAN5G(108, 0),		CHAN5G(110, 0),
264 	CHAN5G(112, 0),		CHAN5G(114, 0),
265 	CHAN5G(116, 0),		CHAN5G(118, 0),
266 	CHAN5G(120, 0),		CHAN5G(122, 0),
267 	CHAN5G(124, 0),		CHAN5G(126, 0),
268 	CHAN5G(128, 0),		CHAN5G(130, 0),
269 	CHAN5G(132, 0),		CHAN5G(134, 0),
270 	CHAN5G(136, 0),		CHAN5G(138, 0),
271 	CHAN5G(140, 0),		CHAN5G(142, 0),
272 	CHAN5G(144, 0),		CHAN5G(145, 0),
273 	CHAN5G(146, 0),		CHAN5G(147, 0),
274 	CHAN5G(148, 0),		CHAN5G(149, 0),
275 	CHAN5G(150, 0),		CHAN5G(151, 0),
276 	CHAN5G(152, 0),		CHAN5G(153, 0),
277 	CHAN5G(154, 0),		CHAN5G(155, 0),
278 	CHAN5G(156, 0),		CHAN5G(157, 0),
279 	CHAN5G(158, 0),		CHAN5G(159, 0),
280 	CHAN5G(160, 0),		CHAN5G(161, 0),
281 	CHAN5G(162, 0),		CHAN5G(163, 0),
282 	CHAN5G(164, 0),		CHAN5G(165, 0),
283 	CHAN5G(166, 0),		CHAN5G(168, 0),
284 	CHAN5G(170, 0),		CHAN5G(172, 0),
285 	CHAN5G(174, 0),		CHAN5G(176, 0),
286 	CHAN5G(178, 0),		CHAN5G(180, 0),
287 	CHAN5G(182, 0),
288 };
289 
290 static struct ieee80211_channel b43_5ghz_nphy_chantable_limited[] = {
291 	CHAN5G(36, 0),		CHAN5G(40, 0),
292 	CHAN5G(44, 0),		CHAN5G(48, 0),
293 	CHAN5G(149, 0),		CHAN5G(153, 0),
294 	CHAN5G(157, 0),		CHAN5G(161, 0),
295 	CHAN5G(165, 0),
296 };
297 
298 static struct ieee80211_channel b43_5ghz_aphy_chantable[] = {
299 	CHAN5G(34, 0),		CHAN5G(36, 0),
300 	CHAN5G(38, 0),		CHAN5G(40, 0),
301 	CHAN5G(42, 0),		CHAN5G(44, 0),
302 	CHAN5G(46, 0),		CHAN5G(48, 0),
303 	CHAN5G(52, 0),		CHAN5G(56, 0),
304 	CHAN5G(60, 0),		CHAN5G(64, 0),
305 	CHAN5G(100, 0),		CHAN5G(104, 0),
306 	CHAN5G(108, 0),		CHAN5G(112, 0),
307 	CHAN5G(116, 0),		CHAN5G(120, 0),
308 	CHAN5G(124, 0),		CHAN5G(128, 0),
309 	CHAN5G(132, 0),		CHAN5G(136, 0),
310 	CHAN5G(140, 0),		CHAN5G(149, 0),
311 	CHAN5G(153, 0),		CHAN5G(157, 0),
312 	CHAN5G(161, 0),		CHAN5G(165, 0),
313 	CHAN5G(184, 0),		CHAN5G(188, 0),
314 	CHAN5G(192, 0),		CHAN5G(196, 0),
315 	CHAN5G(200, 0),		CHAN5G(204, 0),
316 	CHAN5G(208, 0),		CHAN5G(212, 0),
317 	CHAN5G(216, 0),
318 };
319 #undef CHAN4G
320 #undef CHAN5G
321 
322 static struct ieee80211_supported_band b43_band_5GHz_nphy = {
323 	.band		= NL80211_BAND_5GHZ,
324 	.channels	= b43_5ghz_nphy_chantable,
325 	.n_channels	= ARRAY_SIZE(b43_5ghz_nphy_chantable),
326 	.bitrates	= b43_a_ratetable,
327 	.n_bitrates	= b43_a_ratetable_size,
328 };
329 
330 static struct ieee80211_supported_band b43_band_5GHz_nphy_limited = {
331 	.band		= NL80211_BAND_5GHZ,
332 	.channels	= b43_5ghz_nphy_chantable_limited,
333 	.n_channels	= ARRAY_SIZE(b43_5ghz_nphy_chantable_limited),
334 	.bitrates	= b43_a_ratetable,
335 	.n_bitrates	= b43_a_ratetable_size,
336 };
337 
338 static struct ieee80211_supported_band b43_band_5GHz_aphy = {
339 	.band		= NL80211_BAND_5GHZ,
340 	.channels	= b43_5ghz_aphy_chantable,
341 	.n_channels	= ARRAY_SIZE(b43_5ghz_aphy_chantable),
342 	.bitrates	= b43_a_ratetable,
343 	.n_bitrates	= b43_a_ratetable_size,
344 };
345 
346 static struct ieee80211_supported_band b43_band_2GHz = {
347 	.band		= NL80211_BAND_2GHZ,
348 	.channels	= b43_2ghz_chantable,
349 	.n_channels	= ARRAY_SIZE(b43_2ghz_chantable),
350 	.bitrates	= b43_g_ratetable,
351 	.n_bitrates	= b43_g_ratetable_size,
352 };
353 
354 static struct ieee80211_supported_band b43_band_2ghz_limited = {
355 	.band		= NL80211_BAND_2GHZ,
356 	.channels	= b43_2ghz_chantable,
357 	.n_channels	= b43_2ghz_chantable_limited_size,
358 	.bitrates	= b43_g_ratetable,
359 	.n_bitrates	= b43_g_ratetable_size,
360 };
361 
362 static void b43_wireless_core_exit(struct b43_wldev *dev);
363 static int b43_wireless_core_init(struct b43_wldev *dev);
364 static struct b43_wldev * b43_wireless_core_stop(struct b43_wldev *dev);
365 static int b43_wireless_core_start(struct b43_wldev *dev);
366 static void b43_op_bss_info_changed(struct ieee80211_hw *hw,
367 				    struct ieee80211_vif *vif,
368 				    struct ieee80211_bss_conf *conf,
369 				    u64 changed);
370 
371 static int b43_ratelimit(struct b43_wl *wl)
372 {
373 	if (!wl || !wl->current_dev)
374 		return 1;
375 	if (b43_status(wl->current_dev) < B43_STAT_STARTED)
376 		return 1;
377 	/* We are up and running.
378 	 * Ratelimit the messages to avoid DoS over the net. */
379 	return net_ratelimit();
380 }
381 
382 void b43info(struct b43_wl *wl, const char *fmt, ...)
383 {
384 	struct va_format vaf;
385 	va_list args;
386 
387 	if (b43_modparam_verbose < B43_VERBOSITY_INFO)
388 		return;
389 	if (!b43_ratelimit(wl))
390 		return;
391 
392 	va_start(args, fmt);
393 
394 	vaf.fmt = fmt;
395 	vaf.va = &args;
396 
397 	printk(KERN_INFO "b43-%s: %pV",
398 	       (wl && wl->hw) ? wiphy_name(wl->hw->wiphy) : "wlan", &vaf);
399 
400 	va_end(args);
401 }
402 
403 void b43err(struct b43_wl *wl, const char *fmt, ...)
404 {
405 	struct va_format vaf;
406 	va_list args;
407 
408 	if (b43_modparam_verbose < B43_VERBOSITY_ERROR)
409 		return;
410 	if (!b43_ratelimit(wl))
411 		return;
412 
413 	va_start(args, fmt);
414 
415 	vaf.fmt = fmt;
416 	vaf.va = &args;
417 
418 	printk(KERN_ERR "b43-%s ERROR: %pV",
419 	       (wl && wl->hw) ? wiphy_name(wl->hw->wiphy) : "wlan", &vaf);
420 
421 	va_end(args);
422 }
423 
424 void b43warn(struct b43_wl *wl, const char *fmt, ...)
425 {
426 	struct va_format vaf;
427 	va_list args;
428 
429 	if (b43_modparam_verbose < B43_VERBOSITY_WARN)
430 		return;
431 	if (!b43_ratelimit(wl))
432 		return;
433 
434 	va_start(args, fmt);
435 
436 	vaf.fmt = fmt;
437 	vaf.va = &args;
438 
439 	printk(KERN_WARNING "b43-%s warning: %pV",
440 	       (wl && wl->hw) ? wiphy_name(wl->hw->wiphy) : "wlan", &vaf);
441 
442 	va_end(args);
443 }
444 
445 void b43dbg(struct b43_wl *wl, const char *fmt, ...)
446 {
447 	struct va_format vaf;
448 	va_list args;
449 
450 	if (b43_modparam_verbose < B43_VERBOSITY_DEBUG)
451 		return;
452 
453 	va_start(args, fmt);
454 
455 	vaf.fmt = fmt;
456 	vaf.va = &args;
457 
458 	printk(KERN_DEBUG "b43-%s debug: %pV",
459 	       (wl && wl->hw) ? wiphy_name(wl->hw->wiphy) : "wlan", &vaf);
460 
461 	va_end(args);
462 }
463 
464 static void b43_ram_write(struct b43_wldev *dev, u16 offset, u32 val)
465 {
466 	u32 macctl;
467 
468 	B43_WARN_ON(offset % 4 != 0);
469 
470 	macctl = b43_read32(dev, B43_MMIO_MACCTL);
471 	if (macctl & B43_MACCTL_BE)
472 		val = swab32(val);
473 
474 	b43_write32(dev, B43_MMIO_RAM_CONTROL, offset);
475 	b43_write32(dev, B43_MMIO_RAM_DATA, val);
476 }
477 
478 static inline void b43_shm_control_word(struct b43_wldev *dev,
479 					u16 routing, u16 offset)
480 {
481 	u32 control;
482 
483 	/* "offset" is the WORD offset. */
484 	control = routing;
485 	control <<= 16;
486 	control |= offset;
487 	b43_write32(dev, B43_MMIO_SHM_CONTROL, control);
488 }
489 
490 u32 b43_shm_read32(struct b43_wldev *dev, u16 routing, u16 offset)
491 {
492 	u32 ret;
493 
494 	if (routing == B43_SHM_SHARED) {
495 		B43_WARN_ON(offset & 0x0001);
496 		if (offset & 0x0003) {
497 			/* Unaligned access */
498 			b43_shm_control_word(dev, routing, offset >> 2);
499 			ret = b43_read16(dev, B43_MMIO_SHM_DATA_UNALIGNED);
500 			b43_shm_control_word(dev, routing, (offset >> 2) + 1);
501 			ret |= ((u32)b43_read16(dev, B43_MMIO_SHM_DATA)) << 16;
502 
503 			goto out;
504 		}
505 		offset >>= 2;
506 	}
507 	b43_shm_control_word(dev, routing, offset);
508 	ret = b43_read32(dev, B43_MMIO_SHM_DATA);
509 out:
510 	return ret;
511 }
512 
513 u16 b43_shm_read16(struct b43_wldev *dev, u16 routing, u16 offset)
514 {
515 	u16 ret;
516 
517 	if (routing == B43_SHM_SHARED) {
518 		B43_WARN_ON(offset & 0x0001);
519 		if (offset & 0x0003) {
520 			/* Unaligned access */
521 			b43_shm_control_word(dev, routing, offset >> 2);
522 			ret = b43_read16(dev, B43_MMIO_SHM_DATA_UNALIGNED);
523 
524 			goto out;
525 		}
526 		offset >>= 2;
527 	}
528 	b43_shm_control_word(dev, routing, offset);
529 	ret = b43_read16(dev, B43_MMIO_SHM_DATA);
530 out:
531 	return ret;
532 }
533 
534 void b43_shm_write32(struct b43_wldev *dev, u16 routing, u16 offset, u32 value)
535 {
536 	if (routing == B43_SHM_SHARED) {
537 		B43_WARN_ON(offset & 0x0001);
538 		if (offset & 0x0003) {
539 			/* Unaligned access */
540 			b43_shm_control_word(dev, routing, offset >> 2);
541 			b43_write16(dev, B43_MMIO_SHM_DATA_UNALIGNED,
542 				    value & 0xFFFF);
543 			b43_shm_control_word(dev, routing, (offset >> 2) + 1);
544 			b43_write16(dev, B43_MMIO_SHM_DATA,
545 				    (value >> 16) & 0xFFFF);
546 			return;
547 		}
548 		offset >>= 2;
549 	}
550 	b43_shm_control_word(dev, routing, offset);
551 	b43_write32(dev, B43_MMIO_SHM_DATA, value);
552 }
553 
554 void b43_shm_write16(struct b43_wldev *dev, u16 routing, u16 offset, u16 value)
555 {
556 	if (routing == B43_SHM_SHARED) {
557 		B43_WARN_ON(offset & 0x0001);
558 		if (offset & 0x0003) {
559 			/* Unaligned access */
560 			b43_shm_control_word(dev, routing, offset >> 2);
561 			b43_write16(dev, B43_MMIO_SHM_DATA_UNALIGNED, value);
562 			return;
563 		}
564 		offset >>= 2;
565 	}
566 	b43_shm_control_word(dev, routing, offset);
567 	b43_write16(dev, B43_MMIO_SHM_DATA, value);
568 }
569 
570 /* Read HostFlags */
571 u64 b43_hf_read(struct b43_wldev *dev)
572 {
573 	u64 ret;
574 
575 	ret = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF3);
576 	ret <<= 16;
577 	ret |= b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF2);
578 	ret <<= 16;
579 	ret |= b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF1);
580 
581 	return ret;
582 }
583 
584 /* Write HostFlags */
585 void b43_hf_write(struct b43_wldev *dev, u64 value)
586 {
587 	u16 lo, mi, hi;
588 
589 	lo = (value & 0x00000000FFFFULL);
590 	mi = (value & 0x0000FFFF0000ULL) >> 16;
591 	hi = (value & 0xFFFF00000000ULL) >> 32;
592 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF1, lo);
593 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF2, mi);
594 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_HOSTF3, hi);
595 }
596 
597 /* Read the firmware capabilities bitmask (Opensource firmware only) */
598 static u16 b43_fwcapa_read(struct b43_wldev *dev)
599 {
600 	B43_WARN_ON(!dev->fw.opensource);
601 	return b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_FWCAPA);
602 }
603 
604 void b43_tsf_read(struct b43_wldev *dev, u64 *tsf)
605 {
606 	u32 low, high;
607 
608 	B43_WARN_ON(dev->dev->core_rev < 3);
609 
610 	/* The hardware guarantees us an atomic read, if we
611 	 * read the low register first. */
612 	low = b43_read32(dev, B43_MMIO_REV3PLUS_TSF_LOW);
613 	high = b43_read32(dev, B43_MMIO_REV3PLUS_TSF_HIGH);
614 
615 	*tsf = high;
616 	*tsf <<= 32;
617 	*tsf |= low;
618 }
619 
620 static void b43_time_lock(struct b43_wldev *dev)
621 {
622 	b43_maskset32(dev, B43_MMIO_MACCTL, ~0, B43_MACCTL_TBTTHOLD);
623 	/* Commit the write */
624 	b43_read32(dev, B43_MMIO_MACCTL);
625 }
626 
627 static void b43_time_unlock(struct b43_wldev *dev)
628 {
629 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_TBTTHOLD, 0);
630 	/* Commit the write */
631 	b43_read32(dev, B43_MMIO_MACCTL);
632 }
633 
634 static void b43_tsf_write_locked(struct b43_wldev *dev, u64 tsf)
635 {
636 	u32 low, high;
637 
638 	B43_WARN_ON(dev->dev->core_rev < 3);
639 
640 	low = tsf;
641 	high = (tsf >> 32);
642 	/* The hardware guarantees us an atomic write, if we
643 	 * write the low register first. */
644 	b43_write32(dev, B43_MMIO_REV3PLUS_TSF_LOW, low);
645 	b43_write32(dev, B43_MMIO_REV3PLUS_TSF_HIGH, high);
646 }
647 
648 void b43_tsf_write(struct b43_wldev *dev, u64 tsf)
649 {
650 	b43_time_lock(dev);
651 	b43_tsf_write_locked(dev, tsf);
652 	b43_time_unlock(dev);
653 }
654 
655 static
656 void b43_macfilter_set(struct b43_wldev *dev, u16 offset, const u8 *mac)
657 {
658 	static const u8 zero_addr[ETH_ALEN] = { 0 };
659 	u16 data;
660 
661 	if (!mac)
662 		mac = zero_addr;
663 
664 	offset |= 0x0020;
665 	b43_write16(dev, B43_MMIO_MACFILTER_CONTROL, offset);
666 
667 	data = mac[0];
668 	data |= mac[1] << 8;
669 	b43_write16(dev, B43_MMIO_MACFILTER_DATA, data);
670 	data = mac[2];
671 	data |= mac[3] << 8;
672 	b43_write16(dev, B43_MMIO_MACFILTER_DATA, data);
673 	data = mac[4];
674 	data |= mac[5] << 8;
675 	b43_write16(dev, B43_MMIO_MACFILTER_DATA, data);
676 }
677 
678 static void b43_write_mac_bssid_templates(struct b43_wldev *dev)
679 {
680 	const u8 *mac;
681 	const u8 *bssid;
682 	u8 mac_bssid[ETH_ALEN * 2];
683 	int i;
684 	u32 tmp;
685 
686 	bssid = dev->wl->bssid;
687 	mac = dev->wl->mac_addr;
688 
689 	b43_macfilter_set(dev, B43_MACFILTER_BSSID, bssid);
690 
691 	memcpy(mac_bssid, mac, ETH_ALEN);
692 	memcpy(mac_bssid + ETH_ALEN, bssid, ETH_ALEN);
693 
694 	/* Write our MAC address and BSSID to template ram */
695 	for (i = 0; i < ARRAY_SIZE(mac_bssid); i += sizeof(u32)) {
696 		tmp = (u32) (mac_bssid[i + 0]);
697 		tmp |= (u32) (mac_bssid[i + 1]) << 8;
698 		tmp |= (u32) (mac_bssid[i + 2]) << 16;
699 		tmp |= (u32) (mac_bssid[i + 3]) << 24;
700 		b43_ram_write(dev, 0x20 + i, tmp);
701 	}
702 }
703 
704 static void b43_upload_card_macaddress(struct b43_wldev *dev)
705 {
706 	b43_write_mac_bssid_templates(dev);
707 	b43_macfilter_set(dev, B43_MACFILTER_SELF, dev->wl->mac_addr);
708 }
709 
710 static void b43_set_slot_time(struct b43_wldev *dev, u16 slot_time)
711 {
712 	/* slot_time is in usec. */
713 	/* This test used to exit for all but a G PHY. */
714 	if (b43_current_band(dev->wl) == NL80211_BAND_5GHZ)
715 		return;
716 	b43_write16(dev, B43_MMIO_IFSSLOT, 510 + slot_time);
717 	/* Shared memory location 0x0010 is the slot time and should be
718 	 * set to slot_time; however, this register is initially 0 and changing
719 	 * the value adversely affects the transmit rate for BCM4311
720 	 * devices. Until this behavior is unterstood, delete this step
721 	 *
722 	 * b43_shm_write16(dev, B43_SHM_SHARED, 0x0010, slot_time);
723 	 */
724 }
725 
726 static void b43_short_slot_timing_enable(struct b43_wldev *dev)
727 {
728 	b43_set_slot_time(dev, 9);
729 }
730 
731 static void b43_short_slot_timing_disable(struct b43_wldev *dev)
732 {
733 	b43_set_slot_time(dev, 20);
734 }
735 
736 /* DummyTransmission function, as documented on
737  * https://bcm-v4.sipsolutions.net/802.11/DummyTransmission
738  */
739 void b43_dummy_transmission(struct b43_wldev *dev, bool ofdm, bool pa_on)
740 {
741 	struct b43_phy *phy = &dev->phy;
742 	unsigned int i, max_loop;
743 	u16 value;
744 	u32 buffer[5] = {
745 		0x00000000,
746 		0x00D40000,
747 		0x00000000,
748 		0x01000000,
749 		0x00000000,
750 	};
751 
752 	if (ofdm) {
753 		max_loop = 0x1E;
754 		buffer[0] = 0x000201CC;
755 	} else {
756 		max_loop = 0xFA;
757 		buffer[0] = 0x000B846E;
758 	}
759 
760 	for (i = 0; i < 5; i++)
761 		b43_ram_write(dev, i * 4, buffer[i]);
762 
763 	b43_write16(dev, B43_MMIO_XMTSEL, 0x0000);
764 
765 	if (dev->dev->core_rev < 11)
766 		b43_write16(dev, B43_MMIO_WEPCTL, 0x0000);
767 	else
768 		b43_write16(dev, B43_MMIO_WEPCTL, 0x0100);
769 
770 	value = (ofdm ? 0x41 : 0x40);
771 	b43_write16(dev, B43_MMIO_TXE0_PHYCTL, value);
772 	if (phy->type == B43_PHYTYPE_N || phy->type == B43_PHYTYPE_LP ||
773 	    phy->type == B43_PHYTYPE_LCN)
774 		b43_write16(dev, B43_MMIO_TXE0_PHYCTL1, 0x1A02);
775 
776 	b43_write16(dev, B43_MMIO_TXE0_WM_0, 0x0000);
777 	b43_write16(dev, B43_MMIO_TXE0_WM_1, 0x0000);
778 
779 	b43_write16(dev, B43_MMIO_XMTTPLATETXPTR, 0x0000);
780 	b43_write16(dev, B43_MMIO_XMTTXCNT, 0x0014);
781 	b43_write16(dev, B43_MMIO_XMTSEL, 0x0826);
782 	b43_write16(dev, B43_MMIO_TXE0_CTL, 0x0000);
783 
784 	if (!pa_on && phy->type == B43_PHYTYPE_N) {
785 		; /*b43_nphy_pa_override(dev, false) */
786 	}
787 
788 	switch (phy->type) {
789 	case B43_PHYTYPE_N:
790 	case B43_PHYTYPE_LCN:
791 		b43_write16(dev, B43_MMIO_TXE0_AUX, 0x00D0);
792 		break;
793 	case B43_PHYTYPE_LP:
794 		b43_write16(dev, B43_MMIO_TXE0_AUX, 0x0050);
795 		break;
796 	default:
797 		b43_write16(dev, B43_MMIO_TXE0_AUX, 0x0030);
798 	}
799 	b43_read16(dev, B43_MMIO_TXE0_AUX);
800 
801 	if (phy->radio_ver == 0x2050 && phy->radio_rev <= 0x5)
802 		b43_radio_write16(dev, 0x0051, 0x0017);
803 	for (i = 0x00; i < max_loop; i++) {
804 		value = b43_read16(dev, B43_MMIO_TXE0_STATUS);
805 		if (value & 0x0080)
806 			break;
807 		udelay(10);
808 	}
809 	for (i = 0x00; i < 0x0A; i++) {
810 		value = b43_read16(dev, B43_MMIO_TXE0_STATUS);
811 		if (value & 0x0400)
812 			break;
813 		udelay(10);
814 	}
815 	for (i = 0x00; i < 0x19; i++) {
816 		value = b43_read16(dev, B43_MMIO_IFSSTAT);
817 		if (!(value & 0x0100))
818 			break;
819 		udelay(10);
820 	}
821 	if (phy->radio_ver == 0x2050 && phy->radio_rev <= 0x5)
822 		b43_radio_write16(dev, 0x0051, 0x0037);
823 }
824 
825 static void key_write(struct b43_wldev *dev,
826 		      u8 index, u8 algorithm, const u8 *key)
827 {
828 	unsigned int i;
829 	u32 offset;
830 	u16 value;
831 	u16 kidx;
832 
833 	/* Key index/algo block */
834 	kidx = b43_kidx_to_fw(dev, index);
835 	value = ((kidx << 4) | algorithm);
836 	b43_shm_write16(dev, B43_SHM_SHARED,
837 			B43_SHM_SH_KEYIDXBLOCK + (kidx * 2), value);
838 
839 	/* Write the key to the Key Table Pointer offset */
840 	offset = dev->ktp + (index * B43_SEC_KEYSIZE);
841 	for (i = 0; i < B43_SEC_KEYSIZE; i += 2) {
842 		value = key[i];
843 		value |= (u16) (key[i + 1]) << 8;
844 		b43_shm_write16(dev, B43_SHM_SHARED, offset + i, value);
845 	}
846 }
847 
848 static void keymac_write(struct b43_wldev *dev, u8 index, const u8 *addr)
849 {
850 	u32 addrtmp[2] = { 0, 0, };
851 	u8 pairwise_keys_start = B43_NR_GROUP_KEYS * 2;
852 
853 	if (b43_new_kidx_api(dev))
854 		pairwise_keys_start = B43_NR_GROUP_KEYS;
855 
856 	B43_WARN_ON(index < pairwise_keys_start);
857 	/* We have four default TX keys and possibly four default RX keys.
858 	 * Physical mac 0 is mapped to physical key 4 or 8, depending
859 	 * on the firmware version.
860 	 * So we must adjust the index here.
861 	 */
862 	index -= pairwise_keys_start;
863 	B43_WARN_ON(index >= B43_NR_PAIRWISE_KEYS);
864 
865 	if (addr) {
866 		addrtmp[0] = addr[0];
867 		addrtmp[0] |= ((u32) (addr[1]) << 8);
868 		addrtmp[0] |= ((u32) (addr[2]) << 16);
869 		addrtmp[0] |= ((u32) (addr[3]) << 24);
870 		addrtmp[1] = addr[4];
871 		addrtmp[1] |= ((u32) (addr[5]) << 8);
872 	}
873 
874 	/* Receive match transmitter address (RCMTA) mechanism */
875 	b43_shm_write32(dev, B43_SHM_RCMTA,
876 			(index * 2) + 0, addrtmp[0]);
877 	b43_shm_write16(dev, B43_SHM_RCMTA,
878 			(index * 2) + 1, addrtmp[1]);
879 }
880 
881 /* The ucode will use phase1 key with TEK key to decrypt rx packets.
882  * When a packet is received, the iv32 is checked.
883  * - if it doesn't the packet is returned without modification (and software
884  *   decryption can be done). That's what happen when iv16 wrap.
885  * - if it does, the rc4 key is computed, and decryption is tried.
886  *   Either it will success and B43_RX_MAC_DEC is returned,
887  *   either it fails and B43_RX_MAC_DEC|B43_RX_MAC_DECERR is returned
888  *   and the packet is not usable (it got modified by the ucode).
889  * So in order to never have B43_RX_MAC_DECERR, we should provide
890  * a iv32 and phase1key that match. Because we drop packets in case of
891  * B43_RX_MAC_DECERR, if we have a correct iv32 but a wrong phase1key, all
892  * packets will be lost without higher layer knowing (ie no resync possible
893  * until next wrap).
894  *
895  * NOTE : this should support 50 key like RCMTA because
896  * (B43_SHM_SH_KEYIDXBLOCK - B43_SHM_SH_TKIPTSCTTAK)/14 = 50
897  */
898 static void rx_tkip_phase1_write(struct b43_wldev *dev, u8 index, u32 iv32,
899 		u16 *phase1key)
900 {
901 	unsigned int i;
902 	u32 offset;
903 	u8 pairwise_keys_start = B43_NR_GROUP_KEYS * 2;
904 
905 	if (!modparam_hwtkip)
906 		return;
907 
908 	if (b43_new_kidx_api(dev))
909 		pairwise_keys_start = B43_NR_GROUP_KEYS;
910 
911 	B43_WARN_ON(index < pairwise_keys_start);
912 	/* We have four default TX keys and possibly four default RX keys.
913 	 * Physical mac 0 is mapped to physical key 4 or 8, depending
914 	 * on the firmware version.
915 	 * So we must adjust the index here.
916 	 */
917 	index -= pairwise_keys_start;
918 	B43_WARN_ON(index >= B43_NR_PAIRWISE_KEYS);
919 
920 	if (b43_debug(dev, B43_DBG_KEYS)) {
921 		b43dbg(dev->wl, "rx_tkip_phase1_write : idx 0x%x, iv32 0x%x\n",
922 				index, iv32);
923 	}
924 	/* Write the key to the  RX tkip shared mem */
925 	offset = B43_SHM_SH_TKIPTSCTTAK + index * (10 + 4);
926 	for (i = 0; i < 10; i += 2) {
927 		b43_shm_write16(dev, B43_SHM_SHARED, offset + i,
928 				phase1key ? phase1key[i / 2] : 0);
929 	}
930 	b43_shm_write16(dev, B43_SHM_SHARED, offset + i, iv32);
931 	b43_shm_write16(dev, B43_SHM_SHARED, offset + i + 2, iv32 >> 16);
932 }
933 
934 static void b43_op_update_tkip_key(struct ieee80211_hw *hw,
935 				   struct ieee80211_vif *vif,
936 				   struct ieee80211_key_conf *keyconf,
937 				   struct ieee80211_sta *sta,
938 				   u32 iv32, u16 *phase1key)
939 {
940 	struct b43_wl *wl = hw_to_b43_wl(hw);
941 	struct b43_wldev *dev;
942 	int index = keyconf->hw_key_idx;
943 
944 	if (B43_WARN_ON(!modparam_hwtkip))
945 		return;
946 
947 	/* This is only called from the RX path through mac80211, where
948 	 * our mutex is already locked. */
949 	B43_WARN_ON(!mutex_is_locked(&wl->mutex));
950 	dev = wl->current_dev;
951 	B43_WARN_ON(!dev || b43_status(dev) < B43_STAT_INITIALIZED);
952 
953 	keymac_write(dev, index, NULL);	/* First zero out mac to avoid race */
954 
955 	rx_tkip_phase1_write(dev, index, iv32, phase1key);
956 	/* only pairwise TKIP keys are supported right now */
957 	if (WARN_ON(!sta))
958 		return;
959 	keymac_write(dev, index, sta->addr);
960 }
961 
962 static void do_key_write(struct b43_wldev *dev,
963 			 u8 index, u8 algorithm,
964 			 const u8 *key, size_t key_len, const u8 *mac_addr)
965 {
966 	u8 buf[B43_SEC_KEYSIZE] = { 0, };
967 	u8 pairwise_keys_start = B43_NR_GROUP_KEYS * 2;
968 
969 	if (b43_new_kidx_api(dev))
970 		pairwise_keys_start = B43_NR_GROUP_KEYS;
971 
972 	B43_WARN_ON(index >= ARRAY_SIZE(dev->key));
973 	B43_WARN_ON(key_len > B43_SEC_KEYSIZE);
974 
975 	if (index >= pairwise_keys_start)
976 		keymac_write(dev, index, NULL);	/* First zero out mac. */
977 	if (algorithm == B43_SEC_ALGO_TKIP) {
978 		/*
979 		 * We should provide an initial iv32, phase1key pair.
980 		 * We could start with iv32=0 and compute the corresponding
981 		 * phase1key, but this means calling ieee80211_get_tkip_key
982 		 * with a fake skb (or export other tkip function).
983 		 * Because we are lazy we hope iv32 won't start with
984 		 * 0xffffffff and let's b43_op_update_tkip_key provide a
985 		 * correct pair.
986 		 */
987 		rx_tkip_phase1_write(dev, index, 0xffffffff, (u16*)buf);
988 	} else if (index >= pairwise_keys_start) /* clear it */
989 		rx_tkip_phase1_write(dev, index, 0, NULL);
990 	if (key)
991 		memcpy(buf, key, key_len);
992 	key_write(dev, index, algorithm, buf);
993 	if (index >= pairwise_keys_start)
994 		keymac_write(dev, index, mac_addr);
995 
996 	dev->key[index].algorithm = algorithm;
997 }
998 
999 static int b43_key_write(struct b43_wldev *dev,
1000 			 int index, u8 algorithm,
1001 			 const u8 *key, size_t key_len,
1002 			 const u8 *mac_addr,
1003 			 struct ieee80211_key_conf *keyconf)
1004 {
1005 	int i;
1006 	int pairwise_keys_start;
1007 
1008 	/* For ALG_TKIP the key is encoded as a 256-bit (32 byte) data block:
1009 	 * 	- Temporal Encryption Key (128 bits)
1010 	 * 	- Temporal Authenticator Tx MIC Key (64 bits)
1011 	 * 	- Temporal Authenticator Rx MIC Key (64 bits)
1012 	 *
1013 	 * 	Hardware only store TEK
1014 	 */
1015 	if (algorithm == B43_SEC_ALGO_TKIP && key_len == 32)
1016 		key_len = 16;
1017 	if (key_len > B43_SEC_KEYSIZE)
1018 		return -EINVAL;
1019 	for (i = 0; i < ARRAY_SIZE(dev->key); i++) {
1020 		/* Check that we don't already have this key. */
1021 		B43_WARN_ON(dev->key[i].keyconf == keyconf);
1022 	}
1023 	if (index < 0) {
1024 		/* Pairwise key. Get an empty slot for the key. */
1025 		if (b43_new_kidx_api(dev))
1026 			pairwise_keys_start = B43_NR_GROUP_KEYS;
1027 		else
1028 			pairwise_keys_start = B43_NR_GROUP_KEYS * 2;
1029 		for (i = pairwise_keys_start;
1030 		     i < pairwise_keys_start + B43_NR_PAIRWISE_KEYS;
1031 		     i++) {
1032 			B43_WARN_ON(i >= ARRAY_SIZE(dev->key));
1033 			if (!dev->key[i].keyconf) {
1034 				/* found empty */
1035 				index = i;
1036 				break;
1037 			}
1038 		}
1039 		if (index < 0) {
1040 			b43warn(dev->wl, "Out of hardware key memory\n");
1041 			return -ENOSPC;
1042 		}
1043 	} else
1044 		B43_WARN_ON(index > 3);
1045 
1046 	do_key_write(dev, index, algorithm, key, key_len, mac_addr);
1047 	if ((index <= 3) && !b43_new_kidx_api(dev)) {
1048 		/* Default RX key */
1049 		B43_WARN_ON(mac_addr);
1050 		do_key_write(dev, index + 4, algorithm, key, key_len, NULL);
1051 	}
1052 	keyconf->hw_key_idx = index;
1053 	dev->key[index].keyconf = keyconf;
1054 
1055 	return 0;
1056 }
1057 
1058 static int b43_key_clear(struct b43_wldev *dev, int index)
1059 {
1060 	if (B43_WARN_ON((index < 0) || (index >= ARRAY_SIZE(dev->key))))
1061 		return -EINVAL;
1062 	do_key_write(dev, index, B43_SEC_ALGO_NONE,
1063 		     NULL, B43_SEC_KEYSIZE, NULL);
1064 	if ((index <= 3) && !b43_new_kidx_api(dev)) {
1065 		do_key_write(dev, index + 4, B43_SEC_ALGO_NONE,
1066 			     NULL, B43_SEC_KEYSIZE, NULL);
1067 	}
1068 	dev->key[index].keyconf = NULL;
1069 
1070 	return 0;
1071 }
1072 
1073 static void b43_clear_keys(struct b43_wldev *dev)
1074 {
1075 	int i, count;
1076 
1077 	if (b43_new_kidx_api(dev))
1078 		count = B43_NR_GROUP_KEYS + B43_NR_PAIRWISE_KEYS;
1079 	else
1080 		count = B43_NR_GROUP_KEYS * 2 + B43_NR_PAIRWISE_KEYS;
1081 	for (i = 0; i < count; i++)
1082 		b43_key_clear(dev, i);
1083 }
1084 
1085 static void b43_dump_keymemory(struct b43_wldev *dev)
1086 {
1087 	unsigned int i, index, count, offset, pairwise_keys_start;
1088 	u8 mac[ETH_ALEN];
1089 	u16 algo;
1090 	u32 rcmta0;
1091 	u16 rcmta1;
1092 	u64 hf;
1093 	struct b43_key *key;
1094 
1095 	if (!b43_debug(dev, B43_DBG_KEYS))
1096 		return;
1097 
1098 	hf = b43_hf_read(dev);
1099 	b43dbg(dev->wl, "Hardware key memory dump:  USEDEFKEYS=%u\n",
1100 	       !!(hf & B43_HF_USEDEFKEYS));
1101 	if (b43_new_kidx_api(dev)) {
1102 		pairwise_keys_start = B43_NR_GROUP_KEYS;
1103 		count = B43_NR_GROUP_KEYS + B43_NR_PAIRWISE_KEYS;
1104 	} else {
1105 		pairwise_keys_start = B43_NR_GROUP_KEYS * 2;
1106 		count = B43_NR_GROUP_KEYS * 2 + B43_NR_PAIRWISE_KEYS;
1107 	}
1108 	for (index = 0; index < count; index++) {
1109 		key = &(dev->key[index]);
1110 		printk(KERN_DEBUG "Key slot %02u: %s",
1111 		       index, (key->keyconf == NULL) ? " " : "*");
1112 		offset = dev->ktp + (index * B43_SEC_KEYSIZE);
1113 		for (i = 0; i < B43_SEC_KEYSIZE; i += 2) {
1114 			u16 tmp = b43_shm_read16(dev, B43_SHM_SHARED, offset + i);
1115 			printk("%02X%02X", (tmp & 0xFF), ((tmp >> 8) & 0xFF));
1116 		}
1117 
1118 		algo = b43_shm_read16(dev, B43_SHM_SHARED,
1119 				      B43_SHM_SH_KEYIDXBLOCK + (index * 2));
1120 		printk("   Algo: %04X/%02X", algo, key->algorithm);
1121 
1122 		if (index >= pairwise_keys_start) {
1123 			if (key->algorithm == B43_SEC_ALGO_TKIP) {
1124 				printk("   TKIP: ");
1125 				offset = B43_SHM_SH_TKIPTSCTTAK + (index - 4) * (10 + 4);
1126 				for (i = 0; i < 14; i += 2) {
1127 					u16 tmp = b43_shm_read16(dev, B43_SHM_SHARED, offset + i);
1128 					printk("%02X%02X", (tmp & 0xFF), ((tmp >> 8) & 0xFF));
1129 				}
1130 			}
1131 			rcmta0 = b43_shm_read32(dev, B43_SHM_RCMTA,
1132 						((index - pairwise_keys_start) * 2) + 0);
1133 			rcmta1 = b43_shm_read16(dev, B43_SHM_RCMTA,
1134 						((index - pairwise_keys_start) * 2) + 1);
1135 			*((__le32 *)(&mac[0])) = cpu_to_le32(rcmta0);
1136 			*((__le16 *)(&mac[4])) = cpu_to_le16(rcmta1);
1137 			printk("   MAC: %pM", mac);
1138 		} else
1139 			printk("   DEFAULT KEY");
1140 		printk("\n");
1141 	}
1142 }
1143 
1144 void b43_power_saving_ctl_bits(struct b43_wldev *dev, unsigned int ps_flags)
1145 {
1146 	u32 macctl;
1147 	u16 ucstat;
1148 	bool hwps;
1149 	bool awake;
1150 	int i;
1151 
1152 	B43_WARN_ON((ps_flags & B43_PS_ENABLED) &&
1153 		    (ps_flags & B43_PS_DISABLED));
1154 	B43_WARN_ON((ps_flags & B43_PS_AWAKE) && (ps_flags & B43_PS_ASLEEP));
1155 
1156 	if (ps_flags & B43_PS_ENABLED) {
1157 		hwps = true;
1158 	} else if (ps_flags & B43_PS_DISABLED) {
1159 		hwps = false;
1160 	} else {
1161 		//TODO: If powersave is not off and FIXME is not set and we are not in adhoc
1162 		//      and thus is not an AP and we are associated, set bit 25
1163 	}
1164 	if (ps_flags & B43_PS_AWAKE) {
1165 		awake = true;
1166 	} else if (ps_flags & B43_PS_ASLEEP) {
1167 		awake = false;
1168 	} else {
1169 		//TODO: If the device is awake or this is an AP, or we are scanning, or FIXME,
1170 		//      or we are associated, or FIXME, or the latest PS-Poll packet sent was
1171 		//      successful, set bit26
1172 	}
1173 
1174 /* FIXME: For now we force awake-on and hwps-off */
1175 	hwps = false;
1176 	awake = true;
1177 
1178 	macctl = b43_read32(dev, B43_MMIO_MACCTL);
1179 	if (hwps)
1180 		macctl |= B43_MACCTL_HWPS;
1181 	else
1182 		macctl &= ~B43_MACCTL_HWPS;
1183 	if (awake)
1184 		macctl |= B43_MACCTL_AWAKE;
1185 	else
1186 		macctl &= ~B43_MACCTL_AWAKE;
1187 	b43_write32(dev, B43_MMIO_MACCTL, macctl);
1188 	/* Commit write */
1189 	b43_read32(dev, B43_MMIO_MACCTL);
1190 	if (awake && dev->dev->core_rev >= 5) {
1191 		/* Wait for the microcode to wake up. */
1192 		for (i = 0; i < 100; i++) {
1193 			ucstat = b43_shm_read16(dev, B43_SHM_SHARED,
1194 						B43_SHM_SH_UCODESTAT);
1195 			if (ucstat != B43_SHM_SH_UCODESTAT_SLEEP)
1196 				break;
1197 			udelay(10);
1198 		}
1199 	}
1200 }
1201 
1202 /* https://bcm-v4.sipsolutions.net/802.11/PHY/BmacCorePllReset */
1203 void b43_wireless_core_phy_pll_reset(struct b43_wldev *dev)
1204 {
1205 	struct bcma_drv_cc *bcma_cc __maybe_unused;
1206 	struct ssb_chipcommon *ssb_cc __maybe_unused;
1207 
1208 	switch (dev->dev->bus_type) {
1209 #ifdef CONFIG_B43_BCMA
1210 	case B43_BUS_BCMA:
1211 		bcma_cc = &dev->dev->bdev->bus->drv_cc;
1212 
1213 		bcma_cc_write32(bcma_cc, BCMA_CC_PMU_CHIPCTL_ADDR, 0);
1214 		bcma_cc_mask32(bcma_cc, BCMA_CC_PMU_CHIPCTL_DATA, ~0x4);
1215 		bcma_cc_set32(bcma_cc, BCMA_CC_PMU_CHIPCTL_DATA, 0x4);
1216 		bcma_cc_mask32(bcma_cc, BCMA_CC_PMU_CHIPCTL_DATA, ~0x4);
1217 		break;
1218 #endif
1219 #ifdef CONFIG_B43_SSB
1220 	case B43_BUS_SSB:
1221 		ssb_cc = &dev->dev->sdev->bus->chipco;
1222 
1223 		chipco_write32(ssb_cc, SSB_CHIPCO_CHIPCTL_ADDR, 0);
1224 		chipco_mask32(ssb_cc, SSB_CHIPCO_CHIPCTL_DATA, ~0x4);
1225 		chipco_set32(ssb_cc, SSB_CHIPCO_CHIPCTL_DATA, 0x4);
1226 		chipco_mask32(ssb_cc, SSB_CHIPCO_CHIPCTL_DATA, ~0x4);
1227 		break;
1228 #endif
1229 	}
1230 }
1231 
1232 #ifdef CONFIG_B43_BCMA
1233 static void b43_bcma_phy_reset(struct b43_wldev *dev)
1234 {
1235 	u32 flags;
1236 
1237 	/* Put PHY into reset */
1238 	flags = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
1239 	flags |= B43_BCMA_IOCTL_PHY_RESET;
1240 	flags |= B43_BCMA_IOCTL_PHY_BW_20MHZ; /* Make 20 MHz def */
1241 	bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, flags);
1242 	udelay(2);
1243 
1244 	b43_phy_take_out_of_reset(dev);
1245 }
1246 
1247 static void b43_bcma_wireless_core_reset(struct b43_wldev *dev, bool gmode)
1248 {
1249 	u32 req = B43_BCMA_CLKCTLST_80211_PLL_REQ |
1250 		  B43_BCMA_CLKCTLST_PHY_PLL_REQ;
1251 	u32 status = B43_BCMA_CLKCTLST_80211_PLL_ST |
1252 		     B43_BCMA_CLKCTLST_PHY_PLL_ST;
1253 	u32 flags;
1254 
1255 	flags = B43_BCMA_IOCTL_PHY_CLKEN;
1256 	if (gmode)
1257 		flags |= B43_BCMA_IOCTL_GMODE;
1258 	b43_device_enable(dev, flags);
1259 
1260 	if (dev->phy.type == B43_PHYTYPE_AC) {
1261 		u16 tmp;
1262 
1263 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
1264 		tmp &= ~B43_BCMA_IOCTL_DAC;
1265 		tmp |= 0x100;
1266 		bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, tmp);
1267 
1268 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
1269 		tmp &= ~B43_BCMA_IOCTL_PHY_CLKEN;
1270 		bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, tmp);
1271 
1272 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
1273 		tmp |= B43_BCMA_IOCTL_PHY_CLKEN;
1274 		bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, tmp);
1275 	}
1276 
1277 	bcma_core_set_clockmode(dev->dev->bdev, BCMA_CLKMODE_FAST);
1278 	b43_bcma_phy_reset(dev);
1279 	bcma_core_pll_ctl(dev->dev->bdev, req, status, true);
1280 }
1281 #endif
1282 
1283 #ifdef CONFIG_B43_SSB
1284 static void b43_ssb_wireless_core_reset(struct b43_wldev *dev, bool gmode)
1285 {
1286 	u32 flags = 0;
1287 
1288 	if (gmode)
1289 		flags |= B43_TMSLOW_GMODE;
1290 	flags |= B43_TMSLOW_PHYCLKEN;
1291 	flags |= B43_TMSLOW_PHYRESET;
1292 	if (dev->phy.type == B43_PHYTYPE_N)
1293 		flags |= B43_TMSLOW_PHY_BANDWIDTH_20MHZ; /* Make 20 MHz def */
1294 	b43_device_enable(dev, flags);
1295 	msleep(2);		/* Wait for the PLL to turn on. */
1296 
1297 	b43_phy_take_out_of_reset(dev);
1298 }
1299 #endif
1300 
1301 void b43_wireless_core_reset(struct b43_wldev *dev, bool gmode)
1302 {
1303 	u32 macctl;
1304 
1305 	switch (dev->dev->bus_type) {
1306 #ifdef CONFIG_B43_BCMA
1307 	case B43_BUS_BCMA:
1308 		b43_bcma_wireless_core_reset(dev, gmode);
1309 		break;
1310 #endif
1311 #ifdef CONFIG_B43_SSB
1312 	case B43_BUS_SSB:
1313 		b43_ssb_wireless_core_reset(dev, gmode);
1314 		break;
1315 #endif
1316 	}
1317 
1318 	/* Turn Analog ON, but only if we already know the PHY-type.
1319 	 * This protects against very early setup where we don't know the
1320 	 * PHY-type, yet. wireless_core_reset will be called once again later,
1321 	 * when we know the PHY-type. */
1322 	if (dev->phy.ops)
1323 		dev->phy.ops->switch_analog(dev, 1);
1324 
1325 	macctl = b43_read32(dev, B43_MMIO_MACCTL);
1326 	macctl &= ~B43_MACCTL_GMODE;
1327 	if (gmode)
1328 		macctl |= B43_MACCTL_GMODE;
1329 	macctl |= B43_MACCTL_IHR_ENABLED;
1330 	b43_write32(dev, B43_MMIO_MACCTL, macctl);
1331 }
1332 
1333 static void handle_irq_transmit_status(struct b43_wldev *dev)
1334 {
1335 	u32 v0, v1;
1336 	u16 tmp;
1337 	struct b43_txstatus stat;
1338 
1339 	while (1) {
1340 		v0 = b43_read32(dev, B43_MMIO_XMITSTAT_0);
1341 		if (!(v0 & 0x00000001))
1342 			break;
1343 		v1 = b43_read32(dev, B43_MMIO_XMITSTAT_1);
1344 
1345 		stat.cookie = (v0 >> 16);
1346 		stat.seq = (v1 & 0x0000FFFF);
1347 		stat.phy_stat = ((v1 & 0x00FF0000) >> 16);
1348 		tmp = (v0 & 0x0000FFFF);
1349 		stat.frame_count = ((tmp & 0xF000) >> 12);
1350 		stat.rts_count = ((tmp & 0x0F00) >> 8);
1351 		stat.supp_reason = ((tmp & 0x001C) >> 2);
1352 		stat.pm_indicated = !!(tmp & 0x0080);
1353 		stat.intermediate = !!(tmp & 0x0040);
1354 		stat.for_ampdu = !!(tmp & 0x0020);
1355 		stat.acked = !!(tmp & 0x0002);
1356 
1357 		b43_handle_txstatus(dev, &stat);
1358 	}
1359 }
1360 
1361 static void drain_txstatus_queue(struct b43_wldev *dev)
1362 {
1363 	u32 dummy;
1364 
1365 	if (dev->dev->core_rev < 5)
1366 		return;
1367 	/* Read all entries from the microcode TXstatus FIFO
1368 	 * and throw them away.
1369 	 */
1370 	while (1) {
1371 		dummy = b43_read32(dev, B43_MMIO_XMITSTAT_0);
1372 		if (!(dummy & 0x00000001))
1373 			break;
1374 		dummy = b43_read32(dev, B43_MMIO_XMITSTAT_1);
1375 	}
1376 }
1377 
1378 static u32 b43_jssi_read(struct b43_wldev *dev)
1379 {
1380 	u32 val = 0;
1381 
1382 	val = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_JSSI1);
1383 	val <<= 16;
1384 	val |= b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_JSSI0);
1385 
1386 	return val;
1387 }
1388 
1389 static void b43_jssi_write(struct b43_wldev *dev, u32 jssi)
1390 {
1391 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_JSSI0,
1392 			(jssi & 0x0000FFFF));
1393 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_JSSI1,
1394 			(jssi & 0xFFFF0000) >> 16);
1395 }
1396 
1397 static void b43_generate_noise_sample(struct b43_wldev *dev)
1398 {
1399 	b43_jssi_write(dev, 0x7F7F7F7F);
1400 	b43_write32(dev, B43_MMIO_MACCMD,
1401 		    b43_read32(dev, B43_MMIO_MACCMD) | B43_MACCMD_BGNOISE);
1402 }
1403 
1404 static void b43_calculate_link_quality(struct b43_wldev *dev)
1405 {
1406 	/* Top half of Link Quality calculation. */
1407 
1408 	if (dev->phy.type != B43_PHYTYPE_G)
1409 		return;
1410 	if (dev->noisecalc.calculation_running)
1411 		return;
1412 	dev->noisecalc.calculation_running = true;
1413 	dev->noisecalc.nr_samples = 0;
1414 
1415 	b43_generate_noise_sample(dev);
1416 }
1417 
1418 static void handle_irq_noise(struct b43_wldev *dev)
1419 {
1420 	struct b43_phy_g *phy = dev->phy.g;
1421 	u16 tmp;
1422 	u8 noise[4];
1423 	u8 i, j;
1424 	s32 average;
1425 
1426 	/* Bottom half of Link Quality calculation. */
1427 
1428 	if (dev->phy.type != B43_PHYTYPE_G)
1429 		return;
1430 
1431 	/* Possible race condition: It might be possible that the user
1432 	 * changed to a different channel in the meantime since we
1433 	 * started the calculation. We ignore that fact, since it's
1434 	 * not really that much of a problem. The background noise is
1435 	 * an estimation only anyway. Slightly wrong results will get damped
1436 	 * by the averaging of the 8 sample rounds. Additionally the
1437 	 * value is shortlived. So it will be replaced by the next noise
1438 	 * calculation round soon. */
1439 
1440 	B43_WARN_ON(!dev->noisecalc.calculation_running);
1441 	*((__le32 *)noise) = cpu_to_le32(b43_jssi_read(dev));
1442 	if (noise[0] == 0x7F || noise[1] == 0x7F ||
1443 	    noise[2] == 0x7F || noise[3] == 0x7F)
1444 		goto generate_new;
1445 
1446 	/* Get the noise samples. */
1447 	B43_WARN_ON(dev->noisecalc.nr_samples >= 8);
1448 	i = dev->noisecalc.nr_samples;
1449 	noise[0] = clamp_val(noise[0], 0, ARRAY_SIZE(phy->nrssi_lt) - 1);
1450 	noise[1] = clamp_val(noise[1], 0, ARRAY_SIZE(phy->nrssi_lt) - 1);
1451 	noise[2] = clamp_val(noise[2], 0, ARRAY_SIZE(phy->nrssi_lt) - 1);
1452 	noise[3] = clamp_val(noise[3], 0, ARRAY_SIZE(phy->nrssi_lt) - 1);
1453 	dev->noisecalc.samples[i][0] = phy->nrssi_lt[noise[0]];
1454 	dev->noisecalc.samples[i][1] = phy->nrssi_lt[noise[1]];
1455 	dev->noisecalc.samples[i][2] = phy->nrssi_lt[noise[2]];
1456 	dev->noisecalc.samples[i][3] = phy->nrssi_lt[noise[3]];
1457 	dev->noisecalc.nr_samples++;
1458 	if (dev->noisecalc.nr_samples == 8) {
1459 		/* Calculate the Link Quality by the noise samples. */
1460 		average = 0;
1461 		for (i = 0; i < 8; i++) {
1462 			for (j = 0; j < 4; j++)
1463 				average += dev->noisecalc.samples[i][j];
1464 		}
1465 		average /= (8 * 4);
1466 		average *= 125;
1467 		average += 64;
1468 		average /= 128;
1469 		tmp = b43_shm_read16(dev, B43_SHM_SHARED, 0x40C);
1470 		tmp = (tmp / 128) & 0x1F;
1471 		if (tmp >= 8)
1472 			average += 2;
1473 		else
1474 			average -= 25;
1475 		if (tmp == 8)
1476 			average -= 72;
1477 		else
1478 			average -= 48;
1479 
1480 		dev->stats.link_noise = average;
1481 		dev->noisecalc.calculation_running = false;
1482 		return;
1483 	}
1484 generate_new:
1485 	b43_generate_noise_sample(dev);
1486 }
1487 
1488 static void handle_irq_tbtt_indication(struct b43_wldev *dev)
1489 {
1490 	if (b43_is_mode(dev->wl, NL80211_IFTYPE_AP)) {
1491 		///TODO: PS TBTT
1492 	} else {
1493 		if (1 /*FIXME: the last PSpoll frame was sent successfully */ )
1494 			b43_power_saving_ctl_bits(dev, 0);
1495 	}
1496 	if (b43_is_mode(dev->wl, NL80211_IFTYPE_ADHOC))
1497 		dev->dfq_valid = true;
1498 }
1499 
1500 static void handle_irq_atim_end(struct b43_wldev *dev)
1501 {
1502 	if (dev->dfq_valid) {
1503 		b43_write32(dev, B43_MMIO_MACCMD,
1504 			    b43_read32(dev, B43_MMIO_MACCMD)
1505 			    | B43_MACCMD_DFQ_VALID);
1506 		dev->dfq_valid = false;
1507 	}
1508 }
1509 
1510 static void handle_irq_pmq(struct b43_wldev *dev)
1511 {
1512 	u32 tmp;
1513 
1514 	//TODO: AP mode.
1515 
1516 	while (1) {
1517 		tmp = b43_read32(dev, B43_MMIO_PS_STATUS);
1518 		if (!(tmp & 0x00000008))
1519 			break;
1520 	}
1521 	/* 16bit write is odd, but correct. */
1522 	b43_write16(dev, B43_MMIO_PS_STATUS, 0x0002);
1523 }
1524 
1525 static void b43_write_template_common(struct b43_wldev *dev,
1526 				      const u8 *data, u16 size,
1527 				      u16 ram_offset,
1528 				      u16 shm_size_offset, u8 rate)
1529 {
1530 	u32 i, tmp;
1531 	struct b43_plcp_hdr4 plcp;
1532 
1533 	plcp.data = 0;
1534 	b43_generate_plcp_hdr(&plcp, size + FCS_LEN, rate);
1535 	b43_ram_write(dev, ram_offset, le32_to_cpu(plcp.data));
1536 	ram_offset += sizeof(u32);
1537 	/* The PLCP is 6 bytes long, but we only wrote 4 bytes, yet.
1538 	 * So leave the first two bytes of the next write blank.
1539 	 */
1540 	tmp = (u32) (data[0]) << 16;
1541 	tmp |= (u32) (data[1]) << 24;
1542 	b43_ram_write(dev, ram_offset, tmp);
1543 	ram_offset += sizeof(u32);
1544 	for (i = 2; i < size; i += sizeof(u32)) {
1545 		tmp = (u32) (data[i + 0]);
1546 		if (i + 1 < size)
1547 			tmp |= (u32) (data[i + 1]) << 8;
1548 		if (i + 2 < size)
1549 			tmp |= (u32) (data[i + 2]) << 16;
1550 		if (i + 3 < size)
1551 			tmp |= (u32) (data[i + 3]) << 24;
1552 		b43_ram_write(dev, ram_offset + i - 2, tmp);
1553 	}
1554 	b43_shm_write16(dev, B43_SHM_SHARED, shm_size_offset,
1555 			size + sizeof(struct b43_plcp_hdr6));
1556 }
1557 
1558 /* Check if the use of the antenna that ieee80211 told us to
1559  * use is possible. This will fall back to DEFAULT.
1560  * "antenna_nr" is the antenna identifier we got from ieee80211. */
1561 u8 b43_ieee80211_antenna_sanitize(struct b43_wldev *dev,
1562 				  u8 antenna_nr)
1563 {
1564 	u8 antenna_mask;
1565 
1566 	if (antenna_nr == 0) {
1567 		/* Zero means "use default antenna". That's always OK. */
1568 		return 0;
1569 	}
1570 
1571 	/* Get the mask of available antennas. */
1572 	if (dev->phy.gmode)
1573 		antenna_mask = dev->dev->bus_sprom->ant_available_bg;
1574 	else
1575 		antenna_mask = dev->dev->bus_sprom->ant_available_a;
1576 
1577 	if (!(antenna_mask & (1 << (antenna_nr - 1)))) {
1578 		/* This antenna is not available. Fall back to default. */
1579 		return 0;
1580 	}
1581 
1582 	return antenna_nr;
1583 }
1584 
1585 /* Convert a b43 antenna number value to the PHY TX control value. */
1586 static u16 b43_antenna_to_phyctl(int antenna)
1587 {
1588 	switch (antenna) {
1589 	case B43_ANTENNA0:
1590 		return B43_TXH_PHY_ANT0;
1591 	case B43_ANTENNA1:
1592 		return B43_TXH_PHY_ANT1;
1593 	case B43_ANTENNA2:
1594 		return B43_TXH_PHY_ANT2;
1595 	case B43_ANTENNA3:
1596 		return B43_TXH_PHY_ANT3;
1597 	case B43_ANTENNA_AUTO0:
1598 	case B43_ANTENNA_AUTO1:
1599 		return B43_TXH_PHY_ANT01AUTO;
1600 	}
1601 	B43_WARN_ON(1);
1602 	return 0;
1603 }
1604 
1605 static void b43_write_beacon_template(struct b43_wldev *dev,
1606 				      u16 ram_offset,
1607 				      u16 shm_size_offset)
1608 {
1609 	unsigned int i, len, variable_len;
1610 	const struct ieee80211_mgmt *bcn;
1611 	const u8 *ie;
1612 	bool tim_found = false;
1613 	unsigned int rate;
1614 	u16 ctl;
1615 	int antenna;
1616 	struct ieee80211_tx_info *info;
1617 	unsigned long flags;
1618 	struct sk_buff *beacon_skb;
1619 
1620 	spin_lock_irqsave(&dev->wl->beacon_lock, flags);
1621 	info = IEEE80211_SKB_CB(dev->wl->current_beacon);
1622 	rate = ieee80211_get_tx_rate(dev->wl->hw, info)->hw_value;
1623 	/* Clone the beacon, so it cannot go away, while we write it to hw. */
1624 	beacon_skb = skb_clone(dev->wl->current_beacon, GFP_ATOMIC);
1625 	spin_unlock_irqrestore(&dev->wl->beacon_lock, flags);
1626 
1627 	if (!beacon_skb) {
1628 		b43dbg(dev->wl, "Could not upload beacon. "
1629 		       "Failed to clone beacon skb.");
1630 		return;
1631 	}
1632 
1633 	bcn = (const struct ieee80211_mgmt *)(beacon_skb->data);
1634 	len = min_t(size_t, beacon_skb->len,
1635 		    0x200 - sizeof(struct b43_plcp_hdr6));
1636 
1637 	b43_write_template_common(dev, (const u8 *)bcn,
1638 				  len, ram_offset, shm_size_offset, rate);
1639 
1640 	/* Write the PHY TX control parameters. */
1641 	antenna = B43_ANTENNA_DEFAULT;
1642 	antenna = b43_antenna_to_phyctl(antenna);
1643 	ctl = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_BEACPHYCTL);
1644 	/* We can't send beacons with short preamble. Would get PHY errors. */
1645 	ctl &= ~B43_TXH_PHY_SHORTPRMBL;
1646 	ctl &= ~B43_TXH_PHY_ANT;
1647 	ctl &= ~B43_TXH_PHY_ENC;
1648 	ctl |= antenna;
1649 	if (b43_is_cck_rate(rate))
1650 		ctl |= B43_TXH_PHY_ENC_CCK;
1651 	else
1652 		ctl |= B43_TXH_PHY_ENC_OFDM;
1653 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_BEACPHYCTL, ctl);
1654 
1655 	/* Find the position of the TIM and the DTIM_period value
1656 	 * and write them to SHM. */
1657 	ie = bcn->u.beacon.variable;
1658 	variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
1659 	for (i = 0; i < variable_len - 2; ) {
1660 		uint8_t ie_id, ie_len;
1661 
1662 		ie_id = ie[i];
1663 		ie_len = ie[i + 1];
1664 		if (ie_id == 5) {
1665 			u16 tim_position;
1666 			u16 dtim_period;
1667 			/* This is the TIM Information Element */
1668 
1669 			/* Check whether the ie_len is in the beacon data range. */
1670 			if (variable_len < ie_len + 2 + i)
1671 				break;
1672 			/* A valid TIM is at least 4 bytes long. */
1673 			if (ie_len < 4)
1674 				break;
1675 			tim_found = true;
1676 
1677 			tim_position = sizeof(struct b43_plcp_hdr6);
1678 			tim_position += offsetof(struct ieee80211_mgmt, u.beacon.variable);
1679 			tim_position += i;
1680 
1681 			dtim_period = ie[i + 3];
1682 
1683 			b43_shm_write16(dev, B43_SHM_SHARED,
1684 					B43_SHM_SH_TIMBPOS, tim_position);
1685 			b43_shm_write16(dev, B43_SHM_SHARED,
1686 					B43_SHM_SH_DTIMPER, dtim_period);
1687 			break;
1688 		}
1689 		i += ie_len + 2;
1690 	}
1691 	if (!tim_found) {
1692 		/*
1693 		 * If ucode wants to modify TIM do it behind the beacon, this
1694 		 * will happen, for example, when doing mesh networking.
1695 		 */
1696 		b43_shm_write16(dev, B43_SHM_SHARED,
1697 				B43_SHM_SH_TIMBPOS,
1698 				len + sizeof(struct b43_plcp_hdr6));
1699 		b43_shm_write16(dev, B43_SHM_SHARED,
1700 				B43_SHM_SH_DTIMPER, 0);
1701 	}
1702 	b43dbg(dev->wl, "Updated beacon template at 0x%x\n", ram_offset);
1703 
1704 	dev_kfree_skb_any(beacon_skb);
1705 }
1706 
1707 static void b43_upload_beacon0(struct b43_wldev *dev)
1708 {
1709 	struct b43_wl *wl = dev->wl;
1710 
1711 	if (wl->beacon0_uploaded)
1712 		return;
1713 	b43_write_beacon_template(dev, B43_SHM_SH_BT_BASE0, B43_SHM_SH_BTL0);
1714 	wl->beacon0_uploaded = true;
1715 }
1716 
1717 static void b43_upload_beacon1(struct b43_wldev *dev)
1718 {
1719 	struct b43_wl *wl = dev->wl;
1720 
1721 	if (wl->beacon1_uploaded)
1722 		return;
1723 	b43_write_beacon_template(dev, B43_SHM_SH_BT_BASE1, B43_SHM_SH_BTL1);
1724 	wl->beacon1_uploaded = true;
1725 }
1726 
1727 static void handle_irq_beacon(struct b43_wldev *dev)
1728 {
1729 	struct b43_wl *wl = dev->wl;
1730 	u32 cmd, beacon0_valid, beacon1_valid;
1731 
1732 	if (!b43_is_mode(wl, NL80211_IFTYPE_AP) &&
1733 	    !b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT) &&
1734 	    !b43_is_mode(wl, NL80211_IFTYPE_ADHOC))
1735 		return;
1736 
1737 	/* This is the bottom half of the asynchronous beacon update. */
1738 
1739 	/* Ignore interrupt in the future. */
1740 	dev->irq_mask &= ~B43_IRQ_BEACON;
1741 
1742 	cmd = b43_read32(dev, B43_MMIO_MACCMD);
1743 	beacon0_valid = (cmd & B43_MACCMD_BEACON0_VALID);
1744 	beacon1_valid = (cmd & B43_MACCMD_BEACON1_VALID);
1745 
1746 	/* Schedule interrupt manually, if busy. */
1747 	if (beacon0_valid && beacon1_valid) {
1748 		b43_write32(dev, B43_MMIO_GEN_IRQ_REASON, B43_IRQ_BEACON);
1749 		dev->irq_mask |= B43_IRQ_BEACON;
1750 		return;
1751 	}
1752 
1753 	if (unlikely(wl->beacon_templates_virgin)) {
1754 		/* We never uploaded a beacon before.
1755 		 * Upload both templates now, but only mark one valid. */
1756 		wl->beacon_templates_virgin = false;
1757 		b43_upload_beacon0(dev);
1758 		b43_upload_beacon1(dev);
1759 		cmd = b43_read32(dev, B43_MMIO_MACCMD);
1760 		cmd |= B43_MACCMD_BEACON0_VALID;
1761 		b43_write32(dev, B43_MMIO_MACCMD, cmd);
1762 	} else {
1763 		if (!beacon0_valid) {
1764 			b43_upload_beacon0(dev);
1765 			cmd = b43_read32(dev, B43_MMIO_MACCMD);
1766 			cmd |= B43_MACCMD_BEACON0_VALID;
1767 			b43_write32(dev, B43_MMIO_MACCMD, cmd);
1768 		} else if (!beacon1_valid) {
1769 			b43_upload_beacon1(dev);
1770 			cmd = b43_read32(dev, B43_MMIO_MACCMD);
1771 			cmd |= B43_MACCMD_BEACON1_VALID;
1772 			b43_write32(dev, B43_MMIO_MACCMD, cmd);
1773 		}
1774 	}
1775 }
1776 
1777 static void b43_do_beacon_update_trigger_work(struct b43_wldev *dev)
1778 {
1779 	u32 old_irq_mask = dev->irq_mask;
1780 
1781 	/* update beacon right away or defer to irq */
1782 	handle_irq_beacon(dev);
1783 	if (old_irq_mask != dev->irq_mask) {
1784 		/* The handler updated the IRQ mask. */
1785 		B43_WARN_ON(!dev->irq_mask);
1786 		if (b43_read32(dev, B43_MMIO_GEN_IRQ_MASK)) {
1787 			b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, dev->irq_mask);
1788 		} else {
1789 			/* Device interrupts are currently disabled. That means
1790 			 * we just ran the hardirq handler and scheduled the
1791 			 * IRQ thread. The thread will write the IRQ mask when
1792 			 * it finished, so there's nothing to do here. Writing
1793 			 * the mask _here_ would incorrectly re-enable IRQs. */
1794 		}
1795 	}
1796 }
1797 
1798 static void b43_beacon_update_trigger_work(struct work_struct *work)
1799 {
1800 	struct b43_wl *wl = container_of(work, struct b43_wl,
1801 					 beacon_update_trigger);
1802 	struct b43_wldev *dev;
1803 
1804 	mutex_lock(&wl->mutex);
1805 	dev = wl->current_dev;
1806 	if (likely(dev && (b43_status(dev) >= B43_STAT_INITIALIZED))) {
1807 		if (b43_bus_host_is_sdio(dev->dev)) {
1808 			/* wl->mutex is enough. */
1809 			b43_do_beacon_update_trigger_work(dev);
1810 		} else {
1811 			spin_lock_irq(&wl->hardirq_lock);
1812 			b43_do_beacon_update_trigger_work(dev);
1813 			spin_unlock_irq(&wl->hardirq_lock);
1814 		}
1815 	}
1816 	mutex_unlock(&wl->mutex);
1817 }
1818 
1819 /* Asynchronously update the packet templates in template RAM. */
1820 static void b43_update_templates(struct b43_wl *wl)
1821 {
1822 	struct sk_buff *beacon, *old_beacon;
1823 	unsigned long flags;
1824 
1825 	/* This is the top half of the asynchronous beacon update.
1826 	 * The bottom half is the beacon IRQ.
1827 	 * Beacon update must be asynchronous to avoid sending an
1828 	 * invalid beacon. This can happen for example, if the firmware
1829 	 * transmits a beacon while we are updating it. */
1830 
1831 	/* We could modify the existing beacon and set the aid bit in
1832 	 * the TIM field, but that would probably require resizing and
1833 	 * moving of data within the beacon template.
1834 	 * Simply request a new beacon and let mac80211 do the hard work. */
1835 	beacon = ieee80211_beacon_get(wl->hw, wl->vif, 0);
1836 	if (unlikely(!beacon))
1837 		return;
1838 
1839 	spin_lock_irqsave(&wl->beacon_lock, flags);
1840 	old_beacon = wl->current_beacon;
1841 	wl->current_beacon = beacon;
1842 	wl->beacon0_uploaded = false;
1843 	wl->beacon1_uploaded = false;
1844 	spin_unlock_irqrestore(&wl->beacon_lock, flags);
1845 
1846 	ieee80211_queue_work(wl->hw, &wl->beacon_update_trigger);
1847 
1848 	if (old_beacon)
1849 		dev_kfree_skb_any(old_beacon);
1850 }
1851 
1852 static void b43_set_beacon_int(struct b43_wldev *dev, u16 beacon_int)
1853 {
1854 	b43_time_lock(dev);
1855 	if (dev->dev->core_rev >= 3) {
1856 		b43_write32(dev, B43_MMIO_TSF_CFP_REP, (beacon_int << 16));
1857 		b43_write32(dev, B43_MMIO_TSF_CFP_START, (beacon_int << 10));
1858 	} else {
1859 		b43_write16(dev, 0x606, (beacon_int >> 6));
1860 		b43_write16(dev, 0x610, beacon_int);
1861 	}
1862 	b43_time_unlock(dev);
1863 	b43dbg(dev->wl, "Set beacon interval to %u\n", beacon_int);
1864 }
1865 
1866 static void b43_handle_firmware_panic(struct b43_wldev *dev)
1867 {
1868 	u16 reason;
1869 
1870 	/* Read the register that contains the reason code for the panic. */
1871 	reason = b43_shm_read16(dev, B43_SHM_SCRATCH, B43_FWPANIC_REASON_REG);
1872 	b43err(dev->wl, "Whoopsy, firmware panic! Reason: %u\n", reason);
1873 
1874 	switch (reason) {
1875 	default:
1876 		b43dbg(dev->wl, "The panic reason is unknown.\n");
1877 		fallthrough;
1878 	case B43_FWPANIC_DIE:
1879 		/* Do not restart the controller or firmware.
1880 		 * The device is nonfunctional from now on.
1881 		 * Restarting would result in this panic to trigger again,
1882 		 * so we avoid that recursion. */
1883 		break;
1884 	case B43_FWPANIC_RESTART:
1885 		b43_controller_restart(dev, "Microcode panic");
1886 		break;
1887 	}
1888 }
1889 
1890 static void handle_irq_ucode_debug(struct b43_wldev *dev)
1891 {
1892 	unsigned int i, cnt;
1893 	u16 reason, marker_id, marker_line;
1894 	__le16 *buf;
1895 
1896 	/* The proprietary firmware doesn't have this IRQ. */
1897 	if (!dev->fw.opensource)
1898 		return;
1899 
1900 	/* Read the register that contains the reason code for this IRQ. */
1901 	reason = b43_shm_read16(dev, B43_SHM_SCRATCH, B43_DEBUGIRQ_REASON_REG);
1902 
1903 	switch (reason) {
1904 	case B43_DEBUGIRQ_PANIC:
1905 		b43_handle_firmware_panic(dev);
1906 		break;
1907 	case B43_DEBUGIRQ_DUMP_SHM:
1908 		if (!B43_DEBUG)
1909 			break; /* Only with driver debugging enabled. */
1910 		buf = kmalloc(4096, GFP_ATOMIC);
1911 		if (!buf) {
1912 			b43dbg(dev->wl, "SHM-dump: Failed to allocate memory\n");
1913 			goto out;
1914 		}
1915 		for (i = 0; i < 4096; i += 2) {
1916 			u16 tmp = b43_shm_read16(dev, B43_SHM_SHARED, i);
1917 			buf[i / 2] = cpu_to_le16(tmp);
1918 		}
1919 		b43info(dev->wl, "Shared memory dump:\n");
1920 		print_hex_dump(KERN_INFO, "", DUMP_PREFIX_OFFSET,
1921 			       16, 2, buf, 4096, 1);
1922 		kfree(buf);
1923 		break;
1924 	case B43_DEBUGIRQ_DUMP_REGS:
1925 		if (!B43_DEBUG)
1926 			break; /* Only with driver debugging enabled. */
1927 		b43info(dev->wl, "Microcode register dump:\n");
1928 		for (i = 0, cnt = 0; i < 64; i++) {
1929 			u16 tmp = b43_shm_read16(dev, B43_SHM_SCRATCH, i);
1930 			if (cnt == 0)
1931 				printk(KERN_INFO);
1932 			printk("r%02u: 0x%04X  ", i, tmp);
1933 			cnt++;
1934 			if (cnt == 6) {
1935 				printk("\n");
1936 				cnt = 0;
1937 			}
1938 		}
1939 		printk("\n");
1940 		break;
1941 	case B43_DEBUGIRQ_MARKER:
1942 		if (!B43_DEBUG)
1943 			break; /* Only with driver debugging enabled. */
1944 		marker_id = b43_shm_read16(dev, B43_SHM_SCRATCH,
1945 					   B43_MARKER_ID_REG);
1946 		marker_line = b43_shm_read16(dev, B43_SHM_SCRATCH,
1947 					     B43_MARKER_LINE_REG);
1948 		b43info(dev->wl, "The firmware just executed the MARKER(%u) "
1949 			"at line number %u\n",
1950 			marker_id, marker_line);
1951 		break;
1952 	default:
1953 		b43dbg(dev->wl, "Debug-IRQ triggered for unknown reason: %u\n",
1954 		       reason);
1955 	}
1956 out:
1957 	/* Acknowledge the debug-IRQ, so the firmware can continue. */
1958 	b43_shm_write16(dev, B43_SHM_SCRATCH,
1959 			B43_DEBUGIRQ_REASON_REG, B43_DEBUGIRQ_ACK);
1960 }
1961 
1962 static void b43_do_interrupt_thread(struct b43_wldev *dev)
1963 {
1964 	u32 reason;
1965 	u32 dma_reason[ARRAY_SIZE(dev->dma_reason)];
1966 	u32 merged_dma_reason = 0;
1967 	int i;
1968 
1969 	if (unlikely(b43_status(dev) != B43_STAT_STARTED))
1970 		return;
1971 
1972 	reason = dev->irq_reason;
1973 	for (i = 0; i < ARRAY_SIZE(dma_reason); i++) {
1974 		dma_reason[i] = dev->dma_reason[i];
1975 		merged_dma_reason |= dma_reason[i];
1976 	}
1977 
1978 	if (unlikely(reason & B43_IRQ_MAC_TXERR))
1979 		b43err(dev->wl, "MAC transmission error\n");
1980 
1981 	if (unlikely(reason & B43_IRQ_PHY_TXERR)) {
1982 		b43err(dev->wl, "PHY transmission error\n");
1983 		rmb();
1984 		if (unlikely(atomic_dec_and_test(&dev->phy.txerr_cnt))) {
1985 			atomic_set(&dev->phy.txerr_cnt,
1986 				   B43_PHY_TX_BADNESS_LIMIT);
1987 			b43err(dev->wl, "Too many PHY TX errors, "
1988 					"restarting the controller\n");
1989 			b43_controller_restart(dev, "PHY TX errors");
1990 		}
1991 	}
1992 
1993 	if (unlikely(merged_dma_reason & (B43_DMAIRQ_FATALMASK))) {
1994 		b43err(dev->wl,
1995 			"Fatal DMA error: 0x%08X, 0x%08X, 0x%08X, 0x%08X, 0x%08X, 0x%08X\n",
1996 			dma_reason[0], dma_reason[1],
1997 			dma_reason[2], dma_reason[3],
1998 			dma_reason[4], dma_reason[5]);
1999 		b43err(dev->wl, "This device does not support DMA "
2000 			       "on your system. It will now be switched to PIO.\n");
2001 		/* Fall back to PIO transfers if we get fatal DMA errors! */
2002 		dev->use_pio = true;
2003 		b43_controller_restart(dev, "DMA error");
2004 		return;
2005 	}
2006 
2007 	if (unlikely(reason & B43_IRQ_UCODE_DEBUG))
2008 		handle_irq_ucode_debug(dev);
2009 	if (reason & B43_IRQ_TBTT_INDI)
2010 		handle_irq_tbtt_indication(dev);
2011 	if (reason & B43_IRQ_ATIM_END)
2012 		handle_irq_atim_end(dev);
2013 	if (reason & B43_IRQ_BEACON)
2014 		handle_irq_beacon(dev);
2015 	if (reason & B43_IRQ_PMQ)
2016 		handle_irq_pmq(dev);
2017 	if (reason & B43_IRQ_TXFIFO_FLUSH_OK) {
2018 		;/* TODO */
2019 	}
2020 	if (reason & B43_IRQ_NOISESAMPLE_OK)
2021 		handle_irq_noise(dev);
2022 
2023 	/* Check the DMA reason registers for received data. */
2024 	if (dma_reason[0] & B43_DMAIRQ_RDESC_UFLOW) {
2025 		if (B43_DEBUG)
2026 			b43warn(dev->wl, "RX descriptor underrun\n");
2027 		b43_dma_handle_rx_overflow(dev->dma.rx_ring);
2028 	}
2029 	if (dma_reason[0] & B43_DMAIRQ_RX_DONE) {
2030 		if (b43_using_pio_transfers(dev))
2031 			b43_pio_rx(dev->pio.rx_queue);
2032 		else
2033 			b43_dma_rx(dev->dma.rx_ring);
2034 	}
2035 	B43_WARN_ON(dma_reason[1] & B43_DMAIRQ_RX_DONE);
2036 	B43_WARN_ON(dma_reason[2] & B43_DMAIRQ_RX_DONE);
2037 	B43_WARN_ON(dma_reason[3] & B43_DMAIRQ_RX_DONE);
2038 	B43_WARN_ON(dma_reason[4] & B43_DMAIRQ_RX_DONE);
2039 	B43_WARN_ON(dma_reason[5] & B43_DMAIRQ_RX_DONE);
2040 
2041 	if (reason & B43_IRQ_TX_OK)
2042 		handle_irq_transmit_status(dev);
2043 
2044 	/* Re-enable interrupts on the device by restoring the current interrupt mask. */
2045 	b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, dev->irq_mask);
2046 
2047 #if B43_DEBUG
2048 	if (b43_debug(dev, B43_DBG_VERBOSESTATS)) {
2049 		dev->irq_count++;
2050 		for (i = 0; i < ARRAY_SIZE(dev->irq_bit_count); i++) {
2051 			if (reason & (1 << i))
2052 				dev->irq_bit_count[i]++;
2053 		}
2054 	}
2055 #endif
2056 }
2057 
2058 /* Interrupt thread handler. Handles device interrupts in thread context. */
2059 static irqreturn_t b43_interrupt_thread_handler(int irq, void *dev_id)
2060 {
2061 	struct b43_wldev *dev = dev_id;
2062 
2063 	mutex_lock(&dev->wl->mutex);
2064 	b43_do_interrupt_thread(dev);
2065 	mutex_unlock(&dev->wl->mutex);
2066 
2067 	return IRQ_HANDLED;
2068 }
2069 
2070 static irqreturn_t b43_do_interrupt(struct b43_wldev *dev)
2071 {
2072 	u32 reason;
2073 
2074 	/* This code runs under wl->hardirq_lock, but _only_ on non-SDIO busses.
2075 	 * On SDIO, this runs under wl->mutex. */
2076 
2077 	reason = b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);
2078 	if (reason == 0xffffffff)	/* shared IRQ */
2079 		return IRQ_NONE;
2080 	reason &= dev->irq_mask;
2081 	if (!reason)
2082 		return IRQ_NONE;
2083 
2084 	dev->dma_reason[0] = b43_read32(dev, B43_MMIO_DMA0_REASON)
2085 	    & 0x0001FC00;
2086 	dev->dma_reason[1] = b43_read32(dev, B43_MMIO_DMA1_REASON)
2087 	    & 0x0000DC00;
2088 	dev->dma_reason[2] = b43_read32(dev, B43_MMIO_DMA2_REASON)
2089 	    & 0x0000DC00;
2090 	dev->dma_reason[3] = b43_read32(dev, B43_MMIO_DMA3_REASON)
2091 	    & 0x0001DC00;
2092 	dev->dma_reason[4] = b43_read32(dev, B43_MMIO_DMA4_REASON)
2093 	    & 0x0000DC00;
2094 /* Unused ring
2095 	dev->dma_reason[5] = b43_read32(dev, B43_MMIO_DMA5_REASON)
2096 	    & 0x0000DC00;
2097 */
2098 
2099 	/* ACK the interrupt. */
2100 	b43_write32(dev, B43_MMIO_GEN_IRQ_REASON, reason);
2101 	b43_write32(dev, B43_MMIO_DMA0_REASON, dev->dma_reason[0]);
2102 	b43_write32(dev, B43_MMIO_DMA1_REASON, dev->dma_reason[1]);
2103 	b43_write32(dev, B43_MMIO_DMA2_REASON, dev->dma_reason[2]);
2104 	b43_write32(dev, B43_MMIO_DMA3_REASON, dev->dma_reason[3]);
2105 	b43_write32(dev, B43_MMIO_DMA4_REASON, dev->dma_reason[4]);
2106 /* Unused ring
2107 	b43_write32(dev, B43_MMIO_DMA5_REASON, dev->dma_reason[5]);
2108 */
2109 
2110 	/* Disable IRQs on the device. The IRQ thread handler will re-enable them. */
2111 	b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, 0);
2112 	/* Save the reason bitmasks for the IRQ thread handler. */
2113 	dev->irq_reason = reason;
2114 
2115 	return IRQ_WAKE_THREAD;
2116 }
2117 
2118 /* Interrupt handler top-half. This runs with interrupts disabled. */
2119 static irqreturn_t b43_interrupt_handler(int irq, void *dev_id)
2120 {
2121 	struct b43_wldev *dev = dev_id;
2122 	irqreturn_t ret;
2123 
2124 	if (unlikely(b43_status(dev) < B43_STAT_STARTED))
2125 		return IRQ_NONE;
2126 
2127 	spin_lock(&dev->wl->hardirq_lock);
2128 	ret = b43_do_interrupt(dev);
2129 	spin_unlock(&dev->wl->hardirq_lock);
2130 
2131 	return ret;
2132 }
2133 
2134 /* SDIO interrupt handler. This runs in process context. */
2135 static void b43_sdio_interrupt_handler(struct b43_wldev *dev)
2136 {
2137 	struct b43_wl *wl = dev->wl;
2138 	irqreturn_t ret;
2139 
2140 	mutex_lock(&wl->mutex);
2141 
2142 	ret = b43_do_interrupt(dev);
2143 	if (ret == IRQ_WAKE_THREAD)
2144 		b43_do_interrupt_thread(dev);
2145 
2146 	mutex_unlock(&wl->mutex);
2147 }
2148 
2149 void b43_do_release_fw(struct b43_firmware_file *fw)
2150 {
2151 	release_firmware(fw->data);
2152 	fw->data = NULL;
2153 	fw->filename = NULL;
2154 }
2155 
2156 static void b43_release_firmware(struct b43_wldev *dev)
2157 {
2158 	complete(&dev->fw_load_complete);
2159 	b43_do_release_fw(&dev->fw.ucode);
2160 	b43_do_release_fw(&dev->fw.pcm);
2161 	b43_do_release_fw(&dev->fw.initvals);
2162 	b43_do_release_fw(&dev->fw.initvals_band);
2163 }
2164 
2165 static void b43_print_fw_helptext(struct b43_wl *wl, bool error)
2166 {
2167 	const char text[] =
2168 		"You must go to " \
2169 		"https://wireless.wiki.kernel.org/en/users/Drivers/b43#devicefirmware " \
2170 		"and download the correct firmware for this driver version. " \
2171 		"Please carefully read all instructions on this website.\n";
2172 
2173 	if (error)
2174 		b43err(wl, text);
2175 	else
2176 		b43warn(wl, text);
2177 }
2178 
2179 static void b43_fw_cb(const struct firmware *firmware, void *context)
2180 {
2181 	struct b43_request_fw_context *ctx = context;
2182 
2183 	ctx->blob = firmware;
2184 	complete(&ctx->dev->fw_load_complete);
2185 }
2186 
2187 int b43_do_request_fw(struct b43_request_fw_context *ctx,
2188 		      const char *name,
2189 		      struct b43_firmware_file *fw, bool async)
2190 {
2191 	struct b43_fw_header *hdr;
2192 	u32 size;
2193 	int err;
2194 
2195 	if (!name) {
2196 		/* Don't fetch anything. Free possibly cached firmware. */
2197 		/* FIXME: We should probably keep it anyway, to save some headache
2198 		 * on suspend/resume with multiband devices. */
2199 		b43_do_release_fw(fw);
2200 		return 0;
2201 	}
2202 	if (fw->filename) {
2203 		if ((fw->type == ctx->req_type) &&
2204 		    (strcmp(fw->filename, name) == 0))
2205 			return 0; /* Already have this fw. */
2206 		/* Free the cached firmware first. */
2207 		/* FIXME: We should probably do this later after we successfully
2208 		 * got the new fw. This could reduce headache with multiband devices.
2209 		 * We could also redesign this to cache the firmware for all possible
2210 		 * bands all the time. */
2211 		b43_do_release_fw(fw);
2212 	}
2213 
2214 	switch (ctx->req_type) {
2215 	case B43_FWTYPE_PROPRIETARY:
2216 		snprintf(ctx->fwname, sizeof(ctx->fwname),
2217 			 "b43%s/%s.fw",
2218 			 modparam_fwpostfix, name);
2219 		break;
2220 	case B43_FWTYPE_OPENSOURCE:
2221 		snprintf(ctx->fwname, sizeof(ctx->fwname),
2222 			 "b43-open%s/%s.fw",
2223 			 modparam_fwpostfix, name);
2224 		break;
2225 	default:
2226 		B43_WARN_ON(1);
2227 		return -ENOSYS;
2228 	}
2229 	if (async) {
2230 		/* do this part asynchronously */
2231 		init_completion(&ctx->dev->fw_load_complete);
2232 		err = request_firmware_nowait(THIS_MODULE, 1, ctx->fwname,
2233 					      ctx->dev->dev->dev, GFP_KERNEL,
2234 					      ctx, b43_fw_cb);
2235 		if (err < 0) {
2236 			pr_err("Unable to load firmware\n");
2237 			return err;
2238 		}
2239 		wait_for_completion(&ctx->dev->fw_load_complete);
2240 		if (ctx->blob)
2241 			goto fw_ready;
2242 	/* On some ARM systems, the async request will fail, but the next sync
2243 	 * request works. For this reason, we fall through here
2244 	 */
2245 	}
2246 	err = request_firmware(&ctx->blob, ctx->fwname,
2247 			       ctx->dev->dev->dev);
2248 	if (err == -ENOENT) {
2249 		snprintf(ctx->errors[ctx->req_type],
2250 			 sizeof(ctx->errors[ctx->req_type]),
2251 			 "Firmware file \"%s\" not found\n",
2252 			 ctx->fwname);
2253 		return err;
2254 	} else if (err) {
2255 		snprintf(ctx->errors[ctx->req_type],
2256 			 sizeof(ctx->errors[ctx->req_type]),
2257 			 "Firmware file \"%s\" request failed (err=%d)\n",
2258 			 ctx->fwname, err);
2259 		return err;
2260 	}
2261 fw_ready:
2262 	if (ctx->blob->size < sizeof(struct b43_fw_header))
2263 		goto err_format;
2264 	hdr = (struct b43_fw_header *)(ctx->blob->data);
2265 	switch (hdr->type) {
2266 	case B43_FW_TYPE_UCODE:
2267 	case B43_FW_TYPE_PCM:
2268 		size = be32_to_cpu(hdr->size);
2269 		if (size != ctx->blob->size - sizeof(struct b43_fw_header))
2270 			goto err_format;
2271 		fallthrough;
2272 	case B43_FW_TYPE_IV:
2273 		if (hdr->ver != 1)
2274 			goto err_format;
2275 		break;
2276 	default:
2277 		goto err_format;
2278 	}
2279 
2280 	fw->data = ctx->blob;
2281 	fw->filename = name;
2282 	fw->type = ctx->req_type;
2283 
2284 	return 0;
2285 
2286 err_format:
2287 	snprintf(ctx->errors[ctx->req_type],
2288 		 sizeof(ctx->errors[ctx->req_type]),
2289 		 "Firmware file \"%s\" format error.\n", ctx->fwname);
2290 	release_firmware(ctx->blob);
2291 
2292 	return -EPROTO;
2293 }
2294 
2295 /* https://bcm-v4.sipsolutions.net/802.11/Init/Firmware */
2296 static int b43_try_request_fw(struct b43_request_fw_context *ctx)
2297 {
2298 	struct b43_wldev *dev = ctx->dev;
2299 	struct b43_firmware *fw = &ctx->dev->fw;
2300 	struct b43_phy *phy = &dev->phy;
2301 	const u8 rev = ctx->dev->dev->core_rev;
2302 	const char *filename;
2303 	int err;
2304 
2305 	/* Get microcode */
2306 	filename = NULL;
2307 	switch (rev) {
2308 	case 42:
2309 		if (phy->type == B43_PHYTYPE_AC)
2310 			filename = "ucode42";
2311 		break;
2312 	case 40:
2313 		if (phy->type == B43_PHYTYPE_AC)
2314 			filename = "ucode40";
2315 		break;
2316 	case 33:
2317 		if (phy->type == B43_PHYTYPE_LCN40)
2318 			filename = "ucode33_lcn40";
2319 		break;
2320 	case 30:
2321 		if (phy->type == B43_PHYTYPE_N)
2322 			filename = "ucode30_mimo";
2323 		break;
2324 	case 29:
2325 		if (phy->type == B43_PHYTYPE_HT)
2326 			filename = "ucode29_mimo";
2327 		break;
2328 	case 26:
2329 		if (phy->type == B43_PHYTYPE_HT)
2330 			filename = "ucode26_mimo";
2331 		break;
2332 	case 28:
2333 	case 25:
2334 		if (phy->type == B43_PHYTYPE_N)
2335 			filename = "ucode25_mimo";
2336 		else if (phy->type == B43_PHYTYPE_LCN)
2337 			filename = "ucode25_lcn";
2338 		break;
2339 	case 24:
2340 		if (phy->type == B43_PHYTYPE_LCN)
2341 			filename = "ucode24_lcn";
2342 		break;
2343 	case 23:
2344 		if (phy->type == B43_PHYTYPE_N)
2345 			filename = "ucode16_mimo";
2346 		break;
2347 	case 16 ... 19:
2348 		if (phy->type == B43_PHYTYPE_N)
2349 			filename = "ucode16_mimo";
2350 		else if (phy->type == B43_PHYTYPE_LP)
2351 			filename = "ucode16_lp";
2352 		break;
2353 	case 15:
2354 		filename = "ucode15";
2355 		break;
2356 	case 14:
2357 		filename = "ucode14";
2358 		break;
2359 	case 13:
2360 		filename = "ucode13";
2361 		break;
2362 	case 11 ... 12:
2363 		filename = "ucode11";
2364 		break;
2365 	case 5 ... 10:
2366 		filename = "ucode5";
2367 		break;
2368 	}
2369 	if (!filename)
2370 		goto err_no_ucode;
2371 	err = b43_do_request_fw(ctx, filename, &fw->ucode, true);
2372 	if (err)
2373 		goto err_load;
2374 
2375 	/* Get PCM code */
2376 	if ((rev >= 5) && (rev <= 10))
2377 		filename = "pcm5";
2378 	else if (rev >= 11)
2379 		filename = NULL;
2380 	else
2381 		goto err_no_pcm;
2382 	fw->pcm_request_failed = false;
2383 	err = b43_do_request_fw(ctx, filename, &fw->pcm, false);
2384 	if (err == -ENOENT) {
2385 		/* We did not find a PCM file? Not fatal, but
2386 		 * core rev <= 10 must do without hwcrypto then. */
2387 		fw->pcm_request_failed = true;
2388 	} else if (err)
2389 		goto err_load;
2390 
2391 	/* Get initvals */
2392 	filename = NULL;
2393 	switch (dev->phy.type) {
2394 	case B43_PHYTYPE_G:
2395 		if (rev == 13)
2396 			filename = "b0g0initvals13";
2397 		else if (rev >= 5 && rev <= 10)
2398 			filename = "b0g0initvals5";
2399 		break;
2400 	case B43_PHYTYPE_N:
2401 		if (rev == 30)
2402 			filename = "n16initvals30";
2403 		else if (rev == 28 || rev == 25)
2404 			filename = "n0initvals25";
2405 		else if (rev == 24)
2406 			filename = "n0initvals24";
2407 		else if (rev == 23)
2408 			filename = "n0initvals16"; /* What about n0initvals22? */
2409 		else if (rev >= 16 && rev <= 18)
2410 			filename = "n0initvals16";
2411 		else if (rev >= 11 && rev <= 12)
2412 			filename = "n0initvals11";
2413 		break;
2414 	case B43_PHYTYPE_LP:
2415 		if (rev >= 16 && rev <= 18)
2416 			filename = "lp0initvals16";
2417 		else if (rev == 15)
2418 			filename = "lp0initvals15";
2419 		else if (rev == 14)
2420 			filename = "lp0initvals14";
2421 		else if (rev == 13)
2422 			filename = "lp0initvals13";
2423 		break;
2424 	case B43_PHYTYPE_HT:
2425 		if (rev == 29)
2426 			filename = "ht0initvals29";
2427 		else if (rev == 26)
2428 			filename = "ht0initvals26";
2429 		break;
2430 	case B43_PHYTYPE_LCN:
2431 		if (rev == 24)
2432 			filename = "lcn0initvals24";
2433 		break;
2434 	case B43_PHYTYPE_LCN40:
2435 		if (rev == 33)
2436 			filename = "lcn400initvals33";
2437 		break;
2438 	case B43_PHYTYPE_AC:
2439 		if (rev == 42)
2440 			filename = "ac1initvals42";
2441 		else if (rev == 40)
2442 			filename = "ac0initvals40";
2443 		break;
2444 	}
2445 	if (!filename)
2446 		goto err_no_initvals;
2447 	err = b43_do_request_fw(ctx, filename, &fw->initvals, false);
2448 	if (err)
2449 		goto err_load;
2450 
2451 	/* Get bandswitch initvals */
2452 	filename = NULL;
2453 	switch (dev->phy.type) {
2454 	case B43_PHYTYPE_G:
2455 		if (rev == 13)
2456 			filename = "b0g0bsinitvals13";
2457 		else if (rev >= 5 && rev <= 10)
2458 			filename = "b0g0bsinitvals5";
2459 		break;
2460 	case B43_PHYTYPE_N:
2461 		if (rev == 30)
2462 			filename = "n16bsinitvals30";
2463 		else if (rev == 28 || rev == 25)
2464 			filename = "n0bsinitvals25";
2465 		else if (rev == 24)
2466 			filename = "n0bsinitvals24";
2467 		else if (rev == 23)
2468 			filename = "n0bsinitvals16"; /* What about n0bsinitvals22? */
2469 		else if (rev >= 16 && rev <= 18)
2470 			filename = "n0bsinitvals16";
2471 		else if (rev >= 11 && rev <= 12)
2472 			filename = "n0bsinitvals11";
2473 		break;
2474 	case B43_PHYTYPE_LP:
2475 		if (rev >= 16 && rev <= 18)
2476 			filename = "lp0bsinitvals16";
2477 		else if (rev == 15)
2478 			filename = "lp0bsinitvals15";
2479 		else if (rev == 14)
2480 			filename = "lp0bsinitvals14";
2481 		else if (rev == 13)
2482 			filename = "lp0bsinitvals13";
2483 		break;
2484 	case B43_PHYTYPE_HT:
2485 		if (rev == 29)
2486 			filename = "ht0bsinitvals29";
2487 		else if (rev == 26)
2488 			filename = "ht0bsinitvals26";
2489 		break;
2490 	case B43_PHYTYPE_LCN:
2491 		if (rev == 24)
2492 			filename = "lcn0bsinitvals24";
2493 		break;
2494 	case B43_PHYTYPE_LCN40:
2495 		if (rev == 33)
2496 			filename = "lcn400bsinitvals33";
2497 		break;
2498 	case B43_PHYTYPE_AC:
2499 		if (rev == 42)
2500 			filename = "ac1bsinitvals42";
2501 		else if (rev == 40)
2502 			filename = "ac0bsinitvals40";
2503 		break;
2504 	}
2505 	if (!filename)
2506 		goto err_no_initvals;
2507 	err = b43_do_request_fw(ctx, filename, &fw->initvals_band, false);
2508 	if (err)
2509 		goto err_load;
2510 
2511 	fw->opensource = (ctx->req_type == B43_FWTYPE_OPENSOURCE);
2512 
2513 	return 0;
2514 
2515 err_no_ucode:
2516 	err = ctx->fatal_failure = -EOPNOTSUPP;
2517 	b43err(dev->wl, "The driver does not know which firmware (ucode) "
2518 	       "is required for your device (wl-core rev %u)\n", rev);
2519 	goto error;
2520 
2521 err_no_pcm:
2522 	err = ctx->fatal_failure = -EOPNOTSUPP;
2523 	b43err(dev->wl, "The driver does not know which firmware (PCM) "
2524 	       "is required for your device (wl-core rev %u)\n", rev);
2525 	goto error;
2526 
2527 err_no_initvals:
2528 	err = ctx->fatal_failure = -EOPNOTSUPP;
2529 	b43err(dev->wl, "The driver does not know which firmware (initvals) "
2530 	       "is required for your device (wl-core rev %u)\n", rev);
2531 	goto error;
2532 
2533 err_load:
2534 	/* We failed to load this firmware image. The error message
2535 	 * already is in ctx->errors. Return and let our caller decide
2536 	 * what to do. */
2537 	goto error;
2538 
2539 error:
2540 	b43_release_firmware(dev);
2541 	return err;
2542 }
2543 
2544 static int b43_one_core_attach(struct b43_bus_dev *dev, struct b43_wl *wl);
2545 static void b43_one_core_detach(struct b43_bus_dev *dev);
2546 static int b43_rng_init(struct b43_wl *wl);
2547 
2548 static void b43_request_firmware(struct work_struct *work)
2549 {
2550 	struct b43_wl *wl = container_of(work,
2551 			    struct b43_wl, firmware_load);
2552 	struct b43_wldev *dev = wl->current_dev;
2553 	struct b43_request_fw_context *ctx;
2554 	unsigned int i;
2555 	int err;
2556 	const char *errmsg;
2557 
2558 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2559 	if (!ctx)
2560 		return;
2561 	ctx->dev = dev;
2562 
2563 	ctx->req_type = B43_FWTYPE_PROPRIETARY;
2564 	err = b43_try_request_fw(ctx);
2565 	if (!err)
2566 		goto start_ieee80211; /* Successfully loaded it. */
2567 	/* Was fw version known? */
2568 	if (ctx->fatal_failure)
2569 		goto out;
2570 
2571 	/* proprietary fw not found, try open source */
2572 	ctx->req_type = B43_FWTYPE_OPENSOURCE;
2573 	err = b43_try_request_fw(ctx);
2574 	if (!err)
2575 		goto start_ieee80211; /* Successfully loaded it. */
2576 	if(ctx->fatal_failure)
2577 		goto out;
2578 
2579 	/* Could not find a usable firmware. Print the errors. */
2580 	for (i = 0; i < B43_NR_FWTYPES; i++) {
2581 		errmsg = ctx->errors[i];
2582 		if (strlen(errmsg))
2583 			b43err(dev->wl, "%s", errmsg);
2584 	}
2585 	b43_print_fw_helptext(dev->wl, 1);
2586 	goto out;
2587 
2588 start_ieee80211:
2589 	wl->hw->queues = B43_QOS_QUEUE_NUM;
2590 	if (!modparam_qos || dev->fw.opensource ||
2591 	    dev->dev->chip_id == BCMA_CHIP_ID_BCM4331)
2592 		wl->hw->queues = 1;
2593 
2594 	err = ieee80211_register_hw(wl->hw);
2595 	if (err)
2596 		goto out;
2597 	wl->hw_registered = true;
2598 	b43_leds_register(wl->current_dev);
2599 
2600 	/* Register HW RNG driver */
2601 	b43_rng_init(wl);
2602 
2603 out:
2604 	kfree(ctx);
2605 }
2606 
2607 static int b43_upload_microcode(struct b43_wldev *dev)
2608 {
2609 	struct wiphy *wiphy = dev->wl->hw->wiphy;
2610 	const size_t hdr_len = sizeof(struct b43_fw_header);
2611 	const __be32 *data;
2612 	unsigned int i, len;
2613 	u16 fwrev, fwpatch, fwdate, fwtime;
2614 	u32 tmp, macctl;
2615 	int err = 0;
2616 
2617 	/* Jump the microcode PSM to offset 0 */
2618 	macctl = b43_read32(dev, B43_MMIO_MACCTL);
2619 	B43_WARN_ON(macctl & B43_MACCTL_PSM_RUN);
2620 	macctl |= B43_MACCTL_PSM_JMP0;
2621 	b43_write32(dev, B43_MMIO_MACCTL, macctl);
2622 	/* Zero out all microcode PSM registers and shared memory. */
2623 	for (i = 0; i < 64; i++)
2624 		b43_shm_write16(dev, B43_SHM_SCRATCH, i, 0);
2625 	for (i = 0; i < 4096; i += 2)
2626 		b43_shm_write16(dev, B43_SHM_SHARED, i, 0);
2627 
2628 	/* Upload Microcode. */
2629 	data = (__be32 *) (dev->fw.ucode.data->data + hdr_len);
2630 	len = (dev->fw.ucode.data->size - hdr_len) / sizeof(__be32);
2631 	b43_shm_control_word(dev, B43_SHM_UCODE | B43_SHM_AUTOINC_W, 0x0000);
2632 	for (i = 0; i < len; i++) {
2633 		b43_write32(dev, B43_MMIO_SHM_DATA, be32_to_cpu(data[i]));
2634 		udelay(10);
2635 	}
2636 
2637 	if (dev->fw.pcm.data) {
2638 		/* Upload PCM data. */
2639 		data = (__be32 *) (dev->fw.pcm.data->data + hdr_len);
2640 		len = (dev->fw.pcm.data->size - hdr_len) / sizeof(__be32);
2641 		b43_shm_control_word(dev, B43_SHM_HW, 0x01EA);
2642 		b43_write32(dev, B43_MMIO_SHM_DATA, 0x00004000);
2643 		/* No need for autoinc bit in SHM_HW */
2644 		b43_shm_control_word(dev, B43_SHM_HW, 0x01EB);
2645 		for (i = 0; i < len; i++) {
2646 			b43_write32(dev, B43_MMIO_SHM_DATA, be32_to_cpu(data[i]));
2647 			udelay(10);
2648 		}
2649 	}
2650 
2651 	b43_write32(dev, B43_MMIO_GEN_IRQ_REASON, B43_IRQ_ALL);
2652 
2653 	/* Start the microcode PSM */
2654 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_PSM_JMP0,
2655 		      B43_MACCTL_PSM_RUN);
2656 
2657 	/* Wait for the microcode to load and respond */
2658 	i = 0;
2659 	while (1) {
2660 		tmp = b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);
2661 		if (tmp == B43_IRQ_MAC_SUSPENDED)
2662 			break;
2663 		i++;
2664 		if (i >= 20) {
2665 			b43err(dev->wl, "Microcode not responding\n");
2666 			b43_print_fw_helptext(dev->wl, 1);
2667 			err = -ENODEV;
2668 			goto error;
2669 		}
2670 		msleep(50);
2671 	}
2672 	b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);	/* dummy read */
2673 
2674 	/* Get and check the revisions. */
2675 	fwrev = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_UCODEREV);
2676 	fwpatch = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_UCODEPATCH);
2677 	fwdate = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_UCODEDATE);
2678 	fwtime = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_UCODETIME);
2679 
2680 	if (fwrev <= 0x128) {
2681 		b43err(dev->wl, "YOUR FIRMWARE IS TOO OLD. Firmware from "
2682 		       "binary drivers older than version 4.x is unsupported. "
2683 		       "You must upgrade your firmware files.\n");
2684 		b43_print_fw_helptext(dev->wl, 1);
2685 		err = -EOPNOTSUPP;
2686 		goto error;
2687 	}
2688 	dev->fw.rev = fwrev;
2689 	dev->fw.patch = fwpatch;
2690 	if (dev->fw.rev >= 598)
2691 		dev->fw.hdr_format = B43_FW_HDR_598;
2692 	else if (dev->fw.rev >= 410)
2693 		dev->fw.hdr_format = B43_FW_HDR_410;
2694 	else
2695 		dev->fw.hdr_format = B43_FW_HDR_351;
2696 	WARN_ON(dev->fw.opensource != (fwdate == 0xFFFF));
2697 
2698 	dev->qos_enabled = dev->wl->hw->queues > 1;
2699 	/* Default to firmware/hardware crypto acceleration. */
2700 	dev->hwcrypto_enabled = true;
2701 
2702 	if (dev->fw.opensource) {
2703 		u16 fwcapa;
2704 
2705 		/* Patchlevel info is encoded in the "time" field. */
2706 		dev->fw.patch = fwtime;
2707 		b43info(dev->wl, "Loading OpenSource firmware version %u.%u\n",
2708 			dev->fw.rev, dev->fw.patch);
2709 
2710 		fwcapa = b43_fwcapa_read(dev);
2711 		if (!(fwcapa & B43_FWCAPA_HWCRYPTO) || dev->fw.pcm_request_failed) {
2712 			b43info(dev->wl, "Hardware crypto acceleration not supported by firmware\n");
2713 			/* Disable hardware crypto and fall back to software crypto. */
2714 			dev->hwcrypto_enabled = false;
2715 		}
2716 		/* adding QoS support should use an offline discovery mechanism */
2717 		WARN(fwcapa & B43_FWCAPA_QOS, "QoS in OpenFW not supported\n");
2718 	} else {
2719 		b43info(dev->wl, "Loading firmware version %u.%u "
2720 			"(20%.2i-%.2i-%.2i %.2i:%.2i:%.2i)\n",
2721 			fwrev, fwpatch,
2722 			(fwdate >> 12) & 0xF, (fwdate >> 8) & 0xF, fwdate & 0xFF,
2723 			(fwtime >> 11) & 0x1F, (fwtime >> 5) & 0x3F, fwtime & 0x1F);
2724 		if (dev->fw.pcm_request_failed) {
2725 			b43warn(dev->wl, "No \"pcm5.fw\" firmware file found. "
2726 				"Hardware accelerated cryptography is disabled.\n");
2727 			b43_print_fw_helptext(dev->wl, 0);
2728 		}
2729 	}
2730 
2731 	snprintf(wiphy->fw_version, sizeof(wiphy->fw_version), "%u.%u",
2732 			dev->fw.rev, dev->fw.patch);
2733 	wiphy->hw_version = dev->dev->core_id;
2734 
2735 	if (dev->fw.hdr_format == B43_FW_HDR_351) {
2736 		/* We're over the deadline, but we keep support for old fw
2737 		 * until it turns out to be in major conflict with something new. */
2738 		b43warn(dev->wl, "You are using an old firmware image. "
2739 			"Support for old firmware will be removed soon "
2740 			"(official deadline was July 2008).\n");
2741 		b43_print_fw_helptext(dev->wl, 0);
2742 	}
2743 
2744 	return 0;
2745 
2746 error:
2747 	/* Stop the microcode PSM. */
2748 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_PSM_RUN,
2749 		      B43_MACCTL_PSM_JMP0);
2750 
2751 	return err;
2752 }
2753 
2754 static int b43_write_initvals(struct b43_wldev *dev,
2755 			      const struct b43_iv *ivals,
2756 			      size_t count,
2757 			      size_t array_size)
2758 {
2759 	const struct b43_iv *iv;
2760 	u16 offset;
2761 	size_t i;
2762 	bool bit32;
2763 
2764 	BUILD_BUG_ON(sizeof(struct b43_iv) != 6);
2765 	iv = ivals;
2766 	for (i = 0; i < count; i++) {
2767 		if (array_size < sizeof(iv->offset_size))
2768 			goto err_format;
2769 		array_size -= sizeof(iv->offset_size);
2770 		offset = be16_to_cpu(iv->offset_size);
2771 		bit32 = !!(offset & B43_IV_32BIT);
2772 		offset &= B43_IV_OFFSET_MASK;
2773 		if (offset >= 0x1000)
2774 			goto err_format;
2775 		if (bit32) {
2776 			u32 value;
2777 
2778 			if (array_size < sizeof(iv->data.d32))
2779 				goto err_format;
2780 			array_size -= sizeof(iv->data.d32);
2781 
2782 			value = get_unaligned_be32(&iv->data.d32);
2783 			b43_write32(dev, offset, value);
2784 
2785 			iv = (const struct b43_iv *)((const uint8_t *)iv +
2786 							sizeof(__be16) +
2787 							sizeof(__be32));
2788 		} else {
2789 			u16 value;
2790 
2791 			if (array_size < sizeof(iv->data.d16))
2792 				goto err_format;
2793 			array_size -= sizeof(iv->data.d16);
2794 
2795 			value = be16_to_cpu(iv->data.d16);
2796 			b43_write16(dev, offset, value);
2797 
2798 			iv = (const struct b43_iv *)((const uint8_t *)iv +
2799 							sizeof(__be16) +
2800 							sizeof(__be16));
2801 		}
2802 	}
2803 	if (array_size)
2804 		goto err_format;
2805 
2806 	return 0;
2807 
2808 err_format:
2809 	b43err(dev->wl, "Initial Values Firmware file-format error.\n");
2810 	b43_print_fw_helptext(dev->wl, 1);
2811 
2812 	return -EPROTO;
2813 }
2814 
2815 static int b43_upload_initvals(struct b43_wldev *dev)
2816 {
2817 	const size_t hdr_len = sizeof(struct b43_fw_header);
2818 	const struct b43_fw_header *hdr;
2819 	struct b43_firmware *fw = &dev->fw;
2820 	const struct b43_iv *ivals;
2821 	size_t count;
2822 
2823 	hdr = (const struct b43_fw_header *)(fw->initvals.data->data);
2824 	ivals = (const struct b43_iv *)(fw->initvals.data->data + hdr_len);
2825 	count = be32_to_cpu(hdr->size);
2826 	return b43_write_initvals(dev, ivals, count,
2827 				 fw->initvals.data->size - hdr_len);
2828 }
2829 
2830 static int b43_upload_initvals_band(struct b43_wldev *dev)
2831 {
2832 	const size_t hdr_len = sizeof(struct b43_fw_header);
2833 	const struct b43_fw_header *hdr;
2834 	struct b43_firmware *fw = &dev->fw;
2835 	const struct b43_iv *ivals;
2836 	size_t count;
2837 
2838 	if (!fw->initvals_band.data)
2839 		return 0;
2840 
2841 	hdr = (const struct b43_fw_header *)(fw->initvals_band.data->data);
2842 	ivals = (const struct b43_iv *)(fw->initvals_band.data->data + hdr_len);
2843 	count = be32_to_cpu(hdr->size);
2844 	return b43_write_initvals(dev, ivals, count,
2845 				  fw->initvals_band.data->size - hdr_len);
2846 }
2847 
2848 /* Initialize the GPIOs
2849  * https://bcm-specs.sipsolutions.net/GPIO
2850  */
2851 
2852 #ifdef CONFIG_B43_SSB
2853 static struct ssb_device *b43_ssb_gpio_dev(struct b43_wldev *dev)
2854 {
2855 	struct ssb_bus *bus = dev->dev->sdev->bus;
2856 
2857 #ifdef CONFIG_SSB_DRIVER_PCICORE
2858 	return (bus->chipco.dev ? bus->chipco.dev : bus->pcicore.dev);
2859 #else
2860 	return bus->chipco.dev;
2861 #endif
2862 }
2863 #endif
2864 
2865 static int b43_gpio_init(struct b43_wldev *dev)
2866 {
2867 #ifdef CONFIG_B43_SSB
2868 	struct ssb_device *gpiodev;
2869 #endif
2870 	u32 mask, set;
2871 
2872 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_GPOUTSMSK, 0);
2873 	b43_maskset16(dev, B43_MMIO_GPIO_MASK, ~0, 0xF);
2874 
2875 	mask = 0x0000001F;
2876 	set = 0x0000000F;
2877 	if (dev->dev->chip_id == 0x4301) {
2878 		mask |= 0x0060;
2879 		set |= 0x0060;
2880 	} else if (dev->dev->chip_id == 0x5354) {
2881 		/* Don't allow overtaking buttons GPIOs */
2882 		set &= 0x2; /* 0x2 is LED GPIO on BCM5354 */
2883 	}
2884 
2885 	if (0 /* FIXME: conditional unknown */ ) {
2886 		b43_write16(dev, B43_MMIO_GPIO_MASK,
2887 			    b43_read16(dev, B43_MMIO_GPIO_MASK)
2888 			    | 0x0100);
2889 		/* BT Coexistance Input */
2890 		mask |= 0x0080;
2891 		set |= 0x0080;
2892 		/* BT Coexistance Out */
2893 		mask |= 0x0100;
2894 		set |= 0x0100;
2895 	}
2896 	if (dev->dev->bus_sprom->boardflags_lo & B43_BFL_PACTRL) {
2897 		/* PA is controlled by gpio 9, let ucode handle it */
2898 		b43_write16(dev, B43_MMIO_GPIO_MASK,
2899 			    b43_read16(dev, B43_MMIO_GPIO_MASK)
2900 			    | 0x0200);
2901 		mask |= 0x0200;
2902 		set |= 0x0200;
2903 	}
2904 
2905 	switch (dev->dev->bus_type) {
2906 #ifdef CONFIG_B43_BCMA
2907 	case B43_BUS_BCMA:
2908 		bcma_chipco_gpio_control(&dev->dev->bdev->bus->drv_cc, mask, set);
2909 		break;
2910 #endif
2911 #ifdef CONFIG_B43_SSB
2912 	case B43_BUS_SSB:
2913 		gpiodev = b43_ssb_gpio_dev(dev);
2914 		if (gpiodev)
2915 			ssb_write32(gpiodev, B43_GPIO_CONTROL,
2916 				    (ssb_read32(gpiodev, B43_GPIO_CONTROL)
2917 				    & ~mask) | set);
2918 		break;
2919 #endif
2920 	}
2921 
2922 	return 0;
2923 }
2924 
2925 /* Turn off all GPIO stuff. Call this on module unload, for example. */
2926 static void b43_gpio_cleanup(struct b43_wldev *dev)
2927 {
2928 #ifdef CONFIG_B43_SSB
2929 	struct ssb_device *gpiodev;
2930 #endif
2931 
2932 	switch (dev->dev->bus_type) {
2933 #ifdef CONFIG_B43_BCMA
2934 	case B43_BUS_BCMA:
2935 		bcma_chipco_gpio_control(&dev->dev->bdev->bus->drv_cc, ~0, 0);
2936 		break;
2937 #endif
2938 #ifdef CONFIG_B43_SSB
2939 	case B43_BUS_SSB:
2940 		gpiodev = b43_ssb_gpio_dev(dev);
2941 		if (gpiodev)
2942 			ssb_write32(gpiodev, B43_GPIO_CONTROL, 0);
2943 		break;
2944 #endif
2945 	}
2946 }
2947 
2948 /* http://bcm-specs.sipsolutions.net/EnableMac */
2949 void b43_mac_enable(struct b43_wldev *dev)
2950 {
2951 	if (b43_debug(dev, B43_DBG_FIRMWARE)) {
2952 		u16 fwstate;
2953 
2954 		fwstate = b43_shm_read16(dev, B43_SHM_SHARED,
2955 					 B43_SHM_SH_UCODESTAT);
2956 		if ((fwstate != B43_SHM_SH_UCODESTAT_SUSP) &&
2957 		    (fwstate != B43_SHM_SH_UCODESTAT_SLEEP)) {
2958 			b43err(dev->wl, "b43_mac_enable(): The firmware "
2959 			       "should be suspended, but current state is %u\n",
2960 			       fwstate);
2961 		}
2962 	}
2963 
2964 	dev->mac_suspended--;
2965 	B43_WARN_ON(dev->mac_suspended < 0);
2966 	if (dev->mac_suspended == 0) {
2967 		b43_maskset32(dev, B43_MMIO_MACCTL, ~0, B43_MACCTL_ENABLED);
2968 		b43_write32(dev, B43_MMIO_GEN_IRQ_REASON,
2969 			    B43_IRQ_MAC_SUSPENDED);
2970 		/* Commit writes */
2971 		b43_read32(dev, B43_MMIO_MACCTL);
2972 		b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);
2973 		b43_power_saving_ctl_bits(dev, 0);
2974 	}
2975 }
2976 
2977 /* https://bcm-specs.sipsolutions.net/SuspendMAC */
2978 void b43_mac_suspend(struct b43_wldev *dev)
2979 {
2980 	int i;
2981 	u32 tmp;
2982 
2983 	might_sleep();
2984 	B43_WARN_ON(dev->mac_suspended < 0);
2985 
2986 	if (dev->mac_suspended == 0) {
2987 		b43_power_saving_ctl_bits(dev, B43_PS_AWAKE);
2988 		b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_ENABLED, 0);
2989 		/* force pci to flush the write */
2990 		b43_read32(dev, B43_MMIO_MACCTL);
2991 		for (i = 35; i; i--) {
2992 			tmp = b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);
2993 			if (tmp & B43_IRQ_MAC_SUSPENDED)
2994 				goto out;
2995 			udelay(10);
2996 		}
2997 		/* Hm, it seems this will take some time. Use msleep(). */
2998 		for (i = 40; i; i--) {
2999 			tmp = b43_read32(dev, B43_MMIO_GEN_IRQ_REASON);
3000 			if (tmp & B43_IRQ_MAC_SUSPENDED)
3001 				goto out;
3002 			msleep(1);
3003 		}
3004 		b43err(dev->wl, "MAC suspend failed\n");
3005 	}
3006 out:
3007 	dev->mac_suspended++;
3008 }
3009 
3010 /* https://bcm-v4.sipsolutions.net/802.11/PHY/N/MacPhyClkSet */
3011 void b43_mac_phy_clock_set(struct b43_wldev *dev, bool on)
3012 {
3013 	u32 tmp;
3014 
3015 	switch (dev->dev->bus_type) {
3016 #ifdef CONFIG_B43_BCMA
3017 	case B43_BUS_BCMA:
3018 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
3019 		if (on)
3020 			tmp |= B43_BCMA_IOCTL_MACPHYCLKEN;
3021 		else
3022 			tmp &= ~B43_BCMA_IOCTL_MACPHYCLKEN;
3023 		bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, tmp);
3024 		break;
3025 #endif
3026 #ifdef CONFIG_B43_SSB
3027 	case B43_BUS_SSB:
3028 		tmp = ssb_read32(dev->dev->sdev, SSB_TMSLOW);
3029 		if (on)
3030 			tmp |= B43_TMSLOW_MACPHYCLKEN;
3031 		else
3032 			tmp &= ~B43_TMSLOW_MACPHYCLKEN;
3033 		ssb_write32(dev->dev->sdev, SSB_TMSLOW, tmp);
3034 		break;
3035 #endif
3036 	}
3037 }
3038 
3039 /* brcms_b_switch_macfreq */
3040 void b43_mac_switch_freq(struct b43_wldev *dev, u8 spurmode)
3041 {
3042 	u16 chip_id = dev->dev->chip_id;
3043 
3044 	if (chip_id == BCMA_CHIP_ID_BCM4331) {
3045 		switch (spurmode) {
3046 		case 2: /* 168 Mhz: 2^26/168 = 0x61862 */
3047 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x1862);
3048 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x6);
3049 			break;
3050 		case 1: /* 164 Mhz: 2^26/164 = 0x63e70 */
3051 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x3e70);
3052 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x6);
3053 			break;
3054 		default: /* 160 Mhz: 2^26/160 = 0x66666 */
3055 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x6666);
3056 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x6);
3057 			break;
3058 		}
3059 	} else if (chip_id == BCMA_CHIP_ID_BCM43131 ||
3060 	    chip_id == BCMA_CHIP_ID_BCM43217 ||
3061 	    chip_id == BCMA_CHIP_ID_BCM43222 ||
3062 	    chip_id == BCMA_CHIP_ID_BCM43224 ||
3063 	    chip_id == BCMA_CHIP_ID_BCM43225 ||
3064 	    chip_id == BCMA_CHIP_ID_BCM43227 ||
3065 	    chip_id == BCMA_CHIP_ID_BCM43228) {
3066 		switch (spurmode) {
3067 		case 2: /* 126 Mhz */
3068 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x2082);
3069 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x8);
3070 			break;
3071 		case 1: /* 123 Mhz */
3072 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x5341);
3073 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x8);
3074 			break;
3075 		default: /* 120 Mhz */
3076 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x8889);
3077 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0x8);
3078 			break;
3079 		}
3080 	} else if (dev->phy.type == B43_PHYTYPE_LCN) {
3081 		switch (spurmode) {
3082 		case 1: /* 82 Mhz */
3083 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0x7CE0);
3084 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0xC);
3085 			break;
3086 		default: /* 80 Mhz */
3087 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_LOW, 0xCCCD);
3088 			b43_write16(dev, B43_MMIO_TSF_CLK_FRAC_HIGH, 0xC);
3089 			break;
3090 		}
3091 	}
3092 }
3093 
3094 static void b43_adjust_opmode(struct b43_wldev *dev)
3095 {
3096 	struct b43_wl *wl = dev->wl;
3097 	u32 ctl;
3098 	u16 cfp_pretbtt;
3099 
3100 	ctl = b43_read32(dev, B43_MMIO_MACCTL);
3101 	/* Reset status to STA infrastructure mode. */
3102 	ctl &= ~B43_MACCTL_AP;
3103 	ctl &= ~B43_MACCTL_KEEP_CTL;
3104 	ctl &= ~B43_MACCTL_KEEP_BADPLCP;
3105 	ctl &= ~B43_MACCTL_KEEP_BAD;
3106 	ctl &= ~B43_MACCTL_PROMISC;
3107 	ctl &= ~B43_MACCTL_BEACPROMISC;
3108 	ctl |= B43_MACCTL_INFRA;
3109 
3110 	if (b43_is_mode(wl, NL80211_IFTYPE_AP) ||
3111 	    b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT))
3112 		ctl |= B43_MACCTL_AP;
3113 	else if (b43_is_mode(wl, NL80211_IFTYPE_ADHOC))
3114 		ctl &= ~B43_MACCTL_INFRA;
3115 
3116 	if (wl->filter_flags & FIF_CONTROL)
3117 		ctl |= B43_MACCTL_KEEP_CTL;
3118 	if (wl->filter_flags & FIF_FCSFAIL)
3119 		ctl |= B43_MACCTL_KEEP_BAD;
3120 	if (wl->filter_flags & FIF_PLCPFAIL)
3121 		ctl |= B43_MACCTL_KEEP_BADPLCP;
3122 	if (wl->filter_flags & FIF_BCN_PRBRESP_PROMISC)
3123 		ctl |= B43_MACCTL_BEACPROMISC;
3124 
3125 	/* Workaround: On old hardware the HW-MAC-address-filter
3126 	 * doesn't work properly, so always run promisc in filter
3127 	 * it in software. */
3128 	if (dev->dev->core_rev <= 4)
3129 		ctl |= B43_MACCTL_PROMISC;
3130 
3131 	b43_write32(dev, B43_MMIO_MACCTL, ctl);
3132 
3133 	cfp_pretbtt = 2;
3134 	if ((ctl & B43_MACCTL_INFRA) && !(ctl & B43_MACCTL_AP)) {
3135 		if (dev->dev->chip_id == 0x4306 &&
3136 		    dev->dev->chip_rev == 3)
3137 			cfp_pretbtt = 100;
3138 		else
3139 			cfp_pretbtt = 50;
3140 	}
3141 	b43_write16(dev, 0x612, cfp_pretbtt);
3142 
3143 	/* FIXME: We don't currently implement the PMQ mechanism,
3144 	 *        so always disable it. If we want to implement PMQ,
3145 	 *        we need to enable it here (clear DISCPMQ) in AP mode.
3146 	 */
3147 	if (0  /* ctl & B43_MACCTL_AP */)
3148 		b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_DISCPMQ, 0);
3149 	else
3150 		b43_maskset32(dev, B43_MMIO_MACCTL, ~0, B43_MACCTL_DISCPMQ);
3151 }
3152 
3153 static void b43_rate_memory_write(struct b43_wldev *dev, u16 rate, int is_ofdm)
3154 {
3155 	u16 offset;
3156 
3157 	if (is_ofdm) {
3158 		offset = 0x480;
3159 		offset += (b43_plcp_get_ratecode_ofdm(rate) & 0x000F) * 2;
3160 	} else {
3161 		offset = 0x4C0;
3162 		offset += (b43_plcp_get_ratecode_cck(rate) & 0x000F) * 2;
3163 	}
3164 	b43_shm_write16(dev, B43_SHM_SHARED, offset + 0x20,
3165 			b43_shm_read16(dev, B43_SHM_SHARED, offset));
3166 }
3167 
3168 static void b43_rate_memory_init(struct b43_wldev *dev)
3169 {
3170 	switch (dev->phy.type) {
3171 	case B43_PHYTYPE_G:
3172 	case B43_PHYTYPE_N:
3173 	case B43_PHYTYPE_LP:
3174 	case B43_PHYTYPE_HT:
3175 	case B43_PHYTYPE_LCN:
3176 		b43_rate_memory_write(dev, B43_OFDM_RATE_6MB, 1);
3177 		b43_rate_memory_write(dev, B43_OFDM_RATE_9MB, 1);
3178 		b43_rate_memory_write(dev, B43_OFDM_RATE_12MB, 1);
3179 		b43_rate_memory_write(dev, B43_OFDM_RATE_18MB, 1);
3180 		b43_rate_memory_write(dev, B43_OFDM_RATE_24MB, 1);
3181 		b43_rate_memory_write(dev, B43_OFDM_RATE_36MB, 1);
3182 		b43_rate_memory_write(dev, B43_OFDM_RATE_48MB, 1);
3183 		b43_rate_memory_write(dev, B43_OFDM_RATE_54MB, 1);
3184 		fallthrough;
3185 	case B43_PHYTYPE_B:
3186 		b43_rate_memory_write(dev, B43_CCK_RATE_1MB, 0);
3187 		b43_rate_memory_write(dev, B43_CCK_RATE_2MB, 0);
3188 		b43_rate_memory_write(dev, B43_CCK_RATE_5MB, 0);
3189 		b43_rate_memory_write(dev, B43_CCK_RATE_11MB, 0);
3190 		break;
3191 	default:
3192 		B43_WARN_ON(1);
3193 	}
3194 }
3195 
3196 /* Set the default values for the PHY TX Control Words. */
3197 static void b43_set_phytxctl_defaults(struct b43_wldev *dev)
3198 {
3199 	u16 ctl = 0;
3200 
3201 	ctl |= B43_TXH_PHY_ENC_CCK;
3202 	ctl |= B43_TXH_PHY_ANT01AUTO;
3203 	ctl |= B43_TXH_PHY_TXPWR;
3204 
3205 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_BEACPHYCTL, ctl);
3206 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_ACKCTSPHYCTL, ctl);
3207 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PRPHYCTL, ctl);
3208 }
3209 
3210 /* Set the TX-Antenna for management frames sent by firmware. */
3211 static void b43_mgmtframe_txantenna(struct b43_wldev *dev, int antenna)
3212 {
3213 	u16 ant;
3214 	u16 tmp;
3215 
3216 	ant = b43_antenna_to_phyctl(antenna);
3217 
3218 	/* For ACK/CTS */
3219 	tmp = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_ACKCTSPHYCTL);
3220 	tmp = (tmp & ~B43_TXH_PHY_ANT) | ant;
3221 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_ACKCTSPHYCTL, tmp);
3222 	/* For Probe Resposes */
3223 	tmp = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_PRPHYCTL);
3224 	tmp = (tmp & ~B43_TXH_PHY_ANT) | ant;
3225 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PRPHYCTL, tmp);
3226 }
3227 
3228 /* This is the opposite of b43_chip_init() */
3229 static void b43_chip_exit(struct b43_wldev *dev)
3230 {
3231 	b43_phy_exit(dev);
3232 	b43_gpio_cleanup(dev);
3233 	/* firmware is released later */
3234 }
3235 
3236 /* Initialize the chip
3237  * https://bcm-specs.sipsolutions.net/ChipInit
3238  */
3239 static int b43_chip_init(struct b43_wldev *dev)
3240 {
3241 	struct b43_phy *phy = &dev->phy;
3242 	int err;
3243 	u32 macctl;
3244 	u16 value16;
3245 
3246 	/* Initialize the MAC control */
3247 	macctl = B43_MACCTL_IHR_ENABLED | B43_MACCTL_SHM_ENABLED;
3248 	if (dev->phy.gmode)
3249 		macctl |= B43_MACCTL_GMODE;
3250 	macctl |= B43_MACCTL_INFRA;
3251 	b43_write32(dev, B43_MMIO_MACCTL, macctl);
3252 
3253 	err = b43_upload_microcode(dev);
3254 	if (err)
3255 		goto out;	/* firmware is released later */
3256 
3257 	err = b43_gpio_init(dev);
3258 	if (err)
3259 		goto out;	/* firmware is released later */
3260 
3261 	err = b43_upload_initvals(dev);
3262 	if (err)
3263 		goto err_gpio_clean;
3264 
3265 	err = b43_upload_initvals_band(dev);
3266 	if (err)
3267 		goto err_gpio_clean;
3268 
3269 	/* Turn the Analog on and initialize the PHY. */
3270 	phy->ops->switch_analog(dev, 1);
3271 	err = b43_phy_init(dev);
3272 	if (err)
3273 		goto err_gpio_clean;
3274 
3275 	/* Disable Interference Mitigation. */
3276 	if (phy->ops->interf_mitigation)
3277 		phy->ops->interf_mitigation(dev, B43_INTERFMODE_NONE);
3278 
3279 	/* Select the antennae */
3280 	if (phy->ops->set_rx_antenna)
3281 		phy->ops->set_rx_antenna(dev, B43_ANTENNA_DEFAULT);
3282 	b43_mgmtframe_txantenna(dev, B43_ANTENNA_DEFAULT);
3283 
3284 	if (phy->type == B43_PHYTYPE_B) {
3285 		value16 = b43_read16(dev, 0x005E);
3286 		value16 |= 0x0004;
3287 		b43_write16(dev, 0x005E, value16);
3288 	}
3289 	b43_write32(dev, 0x0100, 0x01000000);
3290 	if (dev->dev->core_rev < 5)
3291 		b43_write32(dev, 0x010C, 0x01000000);
3292 
3293 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_INFRA, 0);
3294 	b43_maskset32(dev, B43_MMIO_MACCTL, ~0, B43_MACCTL_INFRA);
3295 
3296 	/* Probe Response Timeout value */
3297 	/* FIXME: Default to 0, has to be set by ioctl probably... :-/ */
3298 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PRMAXTIME, 0);
3299 
3300 	/* Initially set the wireless operation mode. */
3301 	b43_adjust_opmode(dev);
3302 
3303 	if (dev->dev->core_rev < 3) {
3304 		b43_write16(dev, 0x060E, 0x0000);
3305 		b43_write16(dev, 0x0610, 0x8000);
3306 		b43_write16(dev, 0x0604, 0x0000);
3307 		b43_write16(dev, 0x0606, 0x0200);
3308 	} else {
3309 		b43_write32(dev, 0x0188, 0x80000000);
3310 		b43_write32(dev, 0x018C, 0x02000000);
3311 	}
3312 	b43_write32(dev, B43_MMIO_GEN_IRQ_REASON, 0x00004000);
3313 	b43_write32(dev, B43_MMIO_DMA0_IRQ_MASK, 0x0001FC00);
3314 	b43_write32(dev, B43_MMIO_DMA1_IRQ_MASK, 0x0000DC00);
3315 	b43_write32(dev, B43_MMIO_DMA2_IRQ_MASK, 0x0000DC00);
3316 	b43_write32(dev, B43_MMIO_DMA3_IRQ_MASK, 0x0001DC00);
3317 	b43_write32(dev, B43_MMIO_DMA4_IRQ_MASK, 0x0000DC00);
3318 	b43_write32(dev, B43_MMIO_DMA5_IRQ_MASK, 0x0000DC00);
3319 
3320 	b43_mac_phy_clock_set(dev, true);
3321 
3322 	switch (dev->dev->bus_type) {
3323 #ifdef CONFIG_B43_BCMA
3324 	case B43_BUS_BCMA:
3325 		/* FIXME: 0xE74 is quite common, but should be read from CC */
3326 		b43_write16(dev, B43_MMIO_POWERUP_DELAY, 0xE74);
3327 		break;
3328 #endif
3329 #ifdef CONFIG_B43_SSB
3330 	case B43_BUS_SSB:
3331 		b43_write16(dev, B43_MMIO_POWERUP_DELAY,
3332 			    dev->dev->sdev->bus->chipco.fast_pwrup_delay);
3333 		break;
3334 #endif
3335 	}
3336 
3337 	err = 0;
3338 	b43dbg(dev->wl, "Chip initialized\n");
3339 out:
3340 	return err;
3341 
3342 err_gpio_clean:
3343 	b43_gpio_cleanup(dev);
3344 	return err;
3345 }
3346 
3347 static void b43_periodic_every60sec(struct b43_wldev *dev)
3348 {
3349 	const struct b43_phy_operations *ops = dev->phy.ops;
3350 
3351 	if (ops->pwork_60sec)
3352 		ops->pwork_60sec(dev);
3353 
3354 	/* Force check the TX power emission now. */
3355 	b43_phy_txpower_check(dev, B43_TXPWR_IGNORE_TIME);
3356 }
3357 
3358 static void b43_periodic_every30sec(struct b43_wldev *dev)
3359 {
3360 	/* Update device statistics. */
3361 	b43_calculate_link_quality(dev);
3362 }
3363 
3364 static void b43_periodic_every15sec(struct b43_wldev *dev)
3365 {
3366 	struct b43_phy *phy = &dev->phy;
3367 	u16 wdr;
3368 
3369 	if (dev->fw.opensource) {
3370 		/* Check if the firmware is still alive.
3371 		 * It will reset the watchdog counter to 0 in its idle loop. */
3372 		wdr = b43_shm_read16(dev, B43_SHM_SCRATCH, B43_WATCHDOG_REG);
3373 		if (unlikely(wdr)) {
3374 			b43err(dev->wl, "Firmware watchdog: The firmware died!\n");
3375 			b43_controller_restart(dev, "Firmware watchdog");
3376 			return;
3377 		} else {
3378 			b43_shm_write16(dev, B43_SHM_SCRATCH,
3379 					B43_WATCHDOG_REG, 1);
3380 		}
3381 	}
3382 
3383 	if (phy->ops->pwork_15sec)
3384 		phy->ops->pwork_15sec(dev);
3385 
3386 	atomic_set(&phy->txerr_cnt, B43_PHY_TX_BADNESS_LIMIT);
3387 	wmb();
3388 
3389 #if B43_DEBUG
3390 	if (b43_debug(dev, B43_DBG_VERBOSESTATS)) {
3391 		unsigned int i;
3392 
3393 		b43dbg(dev->wl, "Stats: %7u IRQs/sec, %7u TX/sec, %7u RX/sec\n",
3394 		       dev->irq_count / 15,
3395 		       dev->tx_count / 15,
3396 		       dev->rx_count / 15);
3397 		dev->irq_count = 0;
3398 		dev->tx_count = 0;
3399 		dev->rx_count = 0;
3400 		for (i = 0; i < ARRAY_SIZE(dev->irq_bit_count); i++) {
3401 			if (dev->irq_bit_count[i]) {
3402 				b43dbg(dev->wl, "Stats: %7u IRQ-%02u/sec (0x%08X)\n",
3403 				       dev->irq_bit_count[i] / 15, i, (1 << i));
3404 				dev->irq_bit_count[i] = 0;
3405 			}
3406 		}
3407 	}
3408 #endif
3409 }
3410 
3411 static void do_periodic_work(struct b43_wldev *dev)
3412 {
3413 	unsigned int state;
3414 
3415 	state = dev->periodic_state;
3416 	if (state % 4 == 0)
3417 		b43_periodic_every60sec(dev);
3418 	if (state % 2 == 0)
3419 		b43_periodic_every30sec(dev);
3420 	b43_periodic_every15sec(dev);
3421 }
3422 
3423 /* Periodic work locking policy:
3424  * 	The whole periodic work handler is protected by
3425  * 	wl->mutex. If another lock is needed somewhere in the
3426  * 	pwork callchain, it's acquired in-place, where it's needed.
3427  */
3428 static void b43_periodic_work_handler(struct work_struct *work)
3429 {
3430 	struct b43_wldev *dev = container_of(work, struct b43_wldev,
3431 					     periodic_work.work);
3432 	struct b43_wl *wl = dev->wl;
3433 	unsigned long delay;
3434 
3435 	mutex_lock(&wl->mutex);
3436 
3437 	if (unlikely(b43_status(dev) != B43_STAT_STARTED))
3438 		goto out;
3439 	if (b43_debug(dev, B43_DBG_PWORK_STOP))
3440 		goto out_requeue;
3441 
3442 	do_periodic_work(dev);
3443 
3444 	dev->periodic_state++;
3445 out_requeue:
3446 	if (b43_debug(dev, B43_DBG_PWORK_FAST))
3447 		delay = msecs_to_jiffies(50);
3448 	else
3449 		delay = round_jiffies_relative(HZ * 15);
3450 	ieee80211_queue_delayed_work(wl->hw, &dev->periodic_work, delay);
3451 out:
3452 	mutex_unlock(&wl->mutex);
3453 }
3454 
3455 static void b43_periodic_tasks_setup(struct b43_wldev *dev)
3456 {
3457 	struct delayed_work *work = &dev->periodic_work;
3458 
3459 	dev->periodic_state = 0;
3460 	INIT_DELAYED_WORK(work, b43_periodic_work_handler);
3461 	ieee80211_queue_delayed_work(dev->wl->hw, work, 0);
3462 }
3463 
3464 /* Check if communication with the device works correctly. */
3465 static int b43_validate_chipaccess(struct b43_wldev *dev)
3466 {
3467 	u32 v, backup0, backup4;
3468 
3469 	backup0 = b43_shm_read32(dev, B43_SHM_SHARED, 0);
3470 	backup4 = b43_shm_read32(dev, B43_SHM_SHARED, 4);
3471 
3472 	/* Check for read/write and endianness problems. */
3473 	b43_shm_write32(dev, B43_SHM_SHARED, 0, 0x55AAAA55);
3474 	if (b43_shm_read32(dev, B43_SHM_SHARED, 0) != 0x55AAAA55)
3475 		goto error;
3476 	b43_shm_write32(dev, B43_SHM_SHARED, 0, 0xAA5555AA);
3477 	if (b43_shm_read32(dev, B43_SHM_SHARED, 0) != 0xAA5555AA)
3478 		goto error;
3479 
3480 	/* Check if unaligned 32bit SHM_SHARED access works properly.
3481 	 * However, don't bail out on failure, because it's noncritical. */
3482 	b43_shm_write16(dev, B43_SHM_SHARED, 0, 0x1122);
3483 	b43_shm_write16(dev, B43_SHM_SHARED, 2, 0x3344);
3484 	b43_shm_write16(dev, B43_SHM_SHARED, 4, 0x5566);
3485 	b43_shm_write16(dev, B43_SHM_SHARED, 6, 0x7788);
3486 	if (b43_shm_read32(dev, B43_SHM_SHARED, 2) != 0x55663344)
3487 		b43warn(dev->wl, "Unaligned 32bit SHM read access is broken\n");
3488 	b43_shm_write32(dev, B43_SHM_SHARED, 2, 0xAABBCCDD);
3489 	if (b43_shm_read16(dev, B43_SHM_SHARED, 0) != 0x1122 ||
3490 	    b43_shm_read16(dev, B43_SHM_SHARED, 2) != 0xCCDD ||
3491 	    b43_shm_read16(dev, B43_SHM_SHARED, 4) != 0xAABB ||
3492 	    b43_shm_read16(dev, B43_SHM_SHARED, 6) != 0x7788)
3493 		b43warn(dev->wl, "Unaligned 32bit SHM write access is broken\n");
3494 
3495 	b43_shm_write32(dev, B43_SHM_SHARED, 0, backup0);
3496 	b43_shm_write32(dev, B43_SHM_SHARED, 4, backup4);
3497 
3498 	if ((dev->dev->core_rev >= 3) && (dev->dev->core_rev <= 10)) {
3499 		/* The 32bit register shadows the two 16bit registers
3500 		 * with update sideeffects. Validate this. */
3501 		b43_write16(dev, B43_MMIO_TSF_CFP_START, 0xAAAA);
3502 		b43_write32(dev, B43_MMIO_TSF_CFP_START, 0xCCCCBBBB);
3503 		if (b43_read16(dev, B43_MMIO_TSF_CFP_START_LOW) != 0xBBBB)
3504 			goto error;
3505 		if (b43_read16(dev, B43_MMIO_TSF_CFP_START_HIGH) != 0xCCCC)
3506 			goto error;
3507 	}
3508 	b43_write32(dev, B43_MMIO_TSF_CFP_START, 0);
3509 
3510 	v = b43_read32(dev, B43_MMIO_MACCTL);
3511 	v |= B43_MACCTL_GMODE;
3512 	if (v != (B43_MACCTL_GMODE | B43_MACCTL_IHR_ENABLED))
3513 		goto error;
3514 
3515 	return 0;
3516 error:
3517 	b43err(dev->wl, "Failed to validate the chipaccess\n");
3518 	return -ENODEV;
3519 }
3520 
3521 static void b43_security_init(struct b43_wldev *dev)
3522 {
3523 	dev->ktp = b43_shm_read16(dev, B43_SHM_SHARED, B43_SHM_SH_KTP);
3524 	/* KTP is a word address, but we address SHM bytewise.
3525 	 * So multiply by two.
3526 	 */
3527 	dev->ktp *= 2;
3528 	/* Number of RCMTA address slots */
3529 	b43_write16(dev, B43_MMIO_RCMTA_COUNT, B43_NR_PAIRWISE_KEYS);
3530 	/* Clear the key memory. */
3531 	b43_clear_keys(dev);
3532 }
3533 
3534 #ifdef CONFIG_B43_HWRNG
3535 static int b43_rng_read(struct hwrng *rng, u32 *data)
3536 {
3537 	struct b43_wl *wl = (struct b43_wl *)rng->priv;
3538 	struct b43_wldev *dev;
3539 	int count = -ENODEV;
3540 
3541 	mutex_lock(&wl->mutex);
3542 	dev = wl->current_dev;
3543 	if (likely(dev && b43_status(dev) >= B43_STAT_INITIALIZED)) {
3544 		*data = b43_read16(dev, B43_MMIO_RNG);
3545 		count = sizeof(u16);
3546 	}
3547 	mutex_unlock(&wl->mutex);
3548 
3549 	return count;
3550 }
3551 #endif /* CONFIG_B43_HWRNG */
3552 
3553 static void b43_rng_exit(struct b43_wl *wl)
3554 {
3555 #ifdef CONFIG_B43_HWRNG
3556 	if (wl->rng_initialized)
3557 		hwrng_unregister(&wl->rng);
3558 #endif /* CONFIG_B43_HWRNG */
3559 }
3560 
3561 static int b43_rng_init(struct b43_wl *wl)
3562 {
3563 	int err = 0;
3564 
3565 #ifdef CONFIG_B43_HWRNG
3566 	snprintf(wl->rng_name, ARRAY_SIZE(wl->rng_name),
3567 		 "%s_%s", KBUILD_MODNAME, wiphy_name(wl->hw->wiphy));
3568 	wl->rng.name = wl->rng_name;
3569 	wl->rng.data_read = b43_rng_read;
3570 	wl->rng.priv = (unsigned long)wl;
3571 	wl->rng_initialized = true;
3572 	err = hwrng_register(&wl->rng);
3573 	if (err) {
3574 		wl->rng_initialized = false;
3575 		b43err(wl, "Failed to register the random "
3576 		       "number generator (%d)\n", err);
3577 	}
3578 #endif /* CONFIG_B43_HWRNG */
3579 
3580 	return err;
3581 }
3582 
3583 static void b43_tx_work(struct work_struct *work)
3584 {
3585 	struct b43_wl *wl = container_of(work, struct b43_wl, tx_work);
3586 	struct b43_wldev *dev;
3587 	struct sk_buff *skb;
3588 	int queue_num;
3589 	int err = 0;
3590 
3591 	mutex_lock(&wl->mutex);
3592 	dev = wl->current_dev;
3593 	if (unlikely(!dev || b43_status(dev) < B43_STAT_STARTED)) {
3594 		mutex_unlock(&wl->mutex);
3595 		return;
3596 	}
3597 
3598 	for (queue_num = 0; queue_num < B43_QOS_QUEUE_NUM; queue_num++) {
3599 		while (skb_queue_len(&wl->tx_queue[queue_num])) {
3600 			skb = skb_dequeue(&wl->tx_queue[queue_num]);
3601 			if (b43_using_pio_transfers(dev))
3602 				err = b43_pio_tx(dev, skb);
3603 			else
3604 				err = b43_dma_tx(dev, skb);
3605 			if (err == -ENOSPC) {
3606 				wl->tx_queue_stopped[queue_num] = true;
3607 				b43_stop_queue(dev, queue_num);
3608 				skb_queue_head(&wl->tx_queue[queue_num], skb);
3609 				break;
3610 			}
3611 			if (unlikely(err))
3612 				ieee80211_free_txskb(wl->hw, skb);
3613 			err = 0;
3614 		}
3615 
3616 		if (!err)
3617 			wl->tx_queue_stopped[queue_num] = false;
3618 	}
3619 
3620 #if B43_DEBUG
3621 	dev->tx_count++;
3622 #endif
3623 	mutex_unlock(&wl->mutex);
3624 }
3625 
3626 static void b43_op_tx(struct ieee80211_hw *hw,
3627 		      struct ieee80211_tx_control *control,
3628 		      struct sk_buff *skb)
3629 {
3630 	struct b43_wl *wl = hw_to_b43_wl(hw);
3631 	u16 skb_queue_mapping;
3632 
3633 	if (unlikely(skb->len < 2 + 2 + 6)) {
3634 		/* Too short, this can't be a valid frame. */
3635 		ieee80211_free_txskb(hw, skb);
3636 		return;
3637 	}
3638 	B43_WARN_ON(skb_shinfo(skb)->nr_frags);
3639 
3640 	skb_queue_mapping = skb_get_queue_mapping(skb);
3641 	skb_queue_tail(&wl->tx_queue[skb_queue_mapping], skb);
3642 	if (!wl->tx_queue_stopped[skb_queue_mapping])
3643 		ieee80211_queue_work(wl->hw, &wl->tx_work);
3644 	else
3645 		b43_stop_queue(wl->current_dev, skb_queue_mapping);
3646 }
3647 
3648 static void b43_qos_params_upload(struct b43_wldev *dev,
3649 				  const struct ieee80211_tx_queue_params *p,
3650 				  u16 shm_offset)
3651 {
3652 	u16 params[B43_NR_QOSPARAMS];
3653 	int bslots, tmp;
3654 	unsigned int i;
3655 
3656 	if (!dev->qos_enabled)
3657 		return;
3658 
3659 	bslots = b43_read16(dev, B43_MMIO_RNG) & p->cw_min;
3660 
3661 	memset(&params, 0, sizeof(params));
3662 
3663 	params[B43_QOSPARAM_TXOP] = p->txop * 32;
3664 	params[B43_QOSPARAM_CWMIN] = p->cw_min;
3665 	params[B43_QOSPARAM_CWMAX] = p->cw_max;
3666 	params[B43_QOSPARAM_CWCUR] = p->cw_min;
3667 	params[B43_QOSPARAM_AIFS] = p->aifs;
3668 	params[B43_QOSPARAM_BSLOTS] = bslots;
3669 	params[B43_QOSPARAM_REGGAP] = bslots + p->aifs;
3670 
3671 	for (i = 0; i < ARRAY_SIZE(params); i++) {
3672 		if (i == B43_QOSPARAM_STATUS) {
3673 			tmp = b43_shm_read16(dev, B43_SHM_SHARED,
3674 					     shm_offset + (i * 2));
3675 			/* Mark the parameters as updated. */
3676 			tmp |= 0x100;
3677 			b43_shm_write16(dev, B43_SHM_SHARED,
3678 					shm_offset + (i * 2),
3679 					tmp);
3680 		} else {
3681 			b43_shm_write16(dev, B43_SHM_SHARED,
3682 					shm_offset + (i * 2),
3683 					params[i]);
3684 		}
3685 	}
3686 }
3687 
3688 /* Mapping of mac80211 queue numbers to b43 QoS SHM offsets. */
3689 static const u16 b43_qos_shm_offsets[] = {
3690 	/* [mac80211-queue-nr] = SHM_OFFSET, */
3691 	[0] = B43_QOS_VOICE,
3692 	[1] = B43_QOS_VIDEO,
3693 	[2] = B43_QOS_BESTEFFORT,
3694 	[3] = B43_QOS_BACKGROUND,
3695 };
3696 
3697 /* Update all QOS parameters in hardware. */
3698 static void b43_qos_upload_all(struct b43_wldev *dev)
3699 {
3700 	struct b43_wl *wl = dev->wl;
3701 	struct b43_qos_params *params;
3702 	unsigned int i;
3703 
3704 	if (!dev->qos_enabled)
3705 		return;
3706 
3707 	BUILD_BUG_ON(ARRAY_SIZE(b43_qos_shm_offsets) !=
3708 		     ARRAY_SIZE(wl->qos_params));
3709 
3710 	b43_mac_suspend(dev);
3711 	for (i = 0; i < ARRAY_SIZE(wl->qos_params); i++) {
3712 		params = &(wl->qos_params[i]);
3713 		b43_qos_params_upload(dev, &(params->p),
3714 				      b43_qos_shm_offsets[i]);
3715 	}
3716 	b43_mac_enable(dev);
3717 }
3718 
3719 static void b43_qos_clear(struct b43_wl *wl)
3720 {
3721 	struct b43_qos_params *params;
3722 	unsigned int i;
3723 
3724 	/* Initialize QoS parameters to sane defaults. */
3725 
3726 	BUILD_BUG_ON(ARRAY_SIZE(b43_qos_shm_offsets) !=
3727 		     ARRAY_SIZE(wl->qos_params));
3728 
3729 	for (i = 0; i < ARRAY_SIZE(wl->qos_params); i++) {
3730 		params = &(wl->qos_params[i]);
3731 
3732 		switch (b43_qos_shm_offsets[i]) {
3733 		case B43_QOS_VOICE:
3734 			params->p.txop = 0;
3735 			params->p.aifs = 2;
3736 			params->p.cw_min = 0x0001;
3737 			params->p.cw_max = 0x0001;
3738 			break;
3739 		case B43_QOS_VIDEO:
3740 			params->p.txop = 0;
3741 			params->p.aifs = 2;
3742 			params->p.cw_min = 0x0001;
3743 			params->p.cw_max = 0x0001;
3744 			break;
3745 		case B43_QOS_BESTEFFORT:
3746 			params->p.txop = 0;
3747 			params->p.aifs = 3;
3748 			params->p.cw_min = 0x0001;
3749 			params->p.cw_max = 0x03FF;
3750 			break;
3751 		case B43_QOS_BACKGROUND:
3752 			params->p.txop = 0;
3753 			params->p.aifs = 7;
3754 			params->p.cw_min = 0x0001;
3755 			params->p.cw_max = 0x03FF;
3756 			break;
3757 		default:
3758 			B43_WARN_ON(1);
3759 		}
3760 	}
3761 }
3762 
3763 /* Initialize the core's QOS capabilities */
3764 static void b43_qos_init(struct b43_wldev *dev)
3765 {
3766 	if (!dev->qos_enabled) {
3767 		/* Disable QOS support. */
3768 		b43_hf_write(dev, b43_hf_read(dev) & ~B43_HF_EDCF);
3769 		b43_write16(dev, B43_MMIO_IFSCTL,
3770 			    b43_read16(dev, B43_MMIO_IFSCTL)
3771 			    & ~B43_MMIO_IFSCTL_USE_EDCF);
3772 		b43dbg(dev->wl, "QoS disabled\n");
3773 		return;
3774 	}
3775 
3776 	/* Upload the current QOS parameters. */
3777 	b43_qos_upload_all(dev);
3778 
3779 	/* Enable QOS support. */
3780 	b43_hf_write(dev, b43_hf_read(dev) | B43_HF_EDCF);
3781 	b43_write16(dev, B43_MMIO_IFSCTL,
3782 		    b43_read16(dev, B43_MMIO_IFSCTL)
3783 		    | B43_MMIO_IFSCTL_USE_EDCF);
3784 	b43dbg(dev->wl, "QoS enabled\n");
3785 }
3786 
3787 static int b43_op_conf_tx(struct ieee80211_hw *hw,
3788 			  struct ieee80211_vif *vif,
3789 			  unsigned int link_id, u16 _queue,
3790 			  const struct ieee80211_tx_queue_params *params)
3791 {
3792 	struct b43_wl *wl = hw_to_b43_wl(hw);
3793 	struct b43_wldev *dev;
3794 	unsigned int queue = (unsigned int)_queue;
3795 	int err = -ENODEV;
3796 
3797 	if (queue >= ARRAY_SIZE(wl->qos_params)) {
3798 		/* Queue not available or don't support setting
3799 		 * params on this queue. Return success to not
3800 		 * confuse mac80211. */
3801 		return 0;
3802 	}
3803 	BUILD_BUG_ON(ARRAY_SIZE(b43_qos_shm_offsets) !=
3804 		     ARRAY_SIZE(wl->qos_params));
3805 
3806 	mutex_lock(&wl->mutex);
3807 	dev = wl->current_dev;
3808 	if (unlikely(!dev || (b43_status(dev) < B43_STAT_INITIALIZED)))
3809 		goto out_unlock;
3810 
3811 	memcpy(&(wl->qos_params[queue].p), params, sizeof(*params));
3812 	b43_mac_suspend(dev);
3813 	b43_qos_params_upload(dev, &(wl->qos_params[queue].p),
3814 			      b43_qos_shm_offsets[queue]);
3815 	b43_mac_enable(dev);
3816 	err = 0;
3817 
3818 out_unlock:
3819 	mutex_unlock(&wl->mutex);
3820 
3821 	return err;
3822 }
3823 
3824 static int b43_op_get_stats(struct ieee80211_hw *hw,
3825 			    struct ieee80211_low_level_stats *stats)
3826 {
3827 	struct b43_wl *wl = hw_to_b43_wl(hw);
3828 
3829 	mutex_lock(&wl->mutex);
3830 	memcpy(stats, &wl->ieee_stats, sizeof(*stats));
3831 	mutex_unlock(&wl->mutex);
3832 
3833 	return 0;
3834 }
3835 
3836 static u64 b43_op_get_tsf(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
3837 {
3838 	struct b43_wl *wl = hw_to_b43_wl(hw);
3839 	struct b43_wldev *dev;
3840 	u64 tsf;
3841 
3842 	mutex_lock(&wl->mutex);
3843 	dev = wl->current_dev;
3844 
3845 	if (dev && (b43_status(dev) >= B43_STAT_INITIALIZED))
3846 		b43_tsf_read(dev, &tsf);
3847 	else
3848 		tsf = 0;
3849 
3850 	mutex_unlock(&wl->mutex);
3851 
3852 	return tsf;
3853 }
3854 
3855 static void b43_op_set_tsf(struct ieee80211_hw *hw,
3856 			   struct ieee80211_vif *vif, u64 tsf)
3857 {
3858 	struct b43_wl *wl = hw_to_b43_wl(hw);
3859 	struct b43_wldev *dev;
3860 
3861 	mutex_lock(&wl->mutex);
3862 	dev = wl->current_dev;
3863 
3864 	if (dev && (b43_status(dev) >= B43_STAT_INITIALIZED))
3865 		b43_tsf_write(dev, tsf);
3866 
3867 	mutex_unlock(&wl->mutex);
3868 }
3869 
3870 static const char *band_to_string(enum nl80211_band band)
3871 {
3872 	switch (band) {
3873 	case NL80211_BAND_5GHZ:
3874 		return "5";
3875 	case NL80211_BAND_2GHZ:
3876 		return "2.4";
3877 	default:
3878 		break;
3879 	}
3880 	B43_WARN_ON(1);
3881 	return "";
3882 }
3883 
3884 /* Expects wl->mutex locked */
3885 static int b43_switch_band(struct b43_wldev *dev,
3886 			   struct ieee80211_channel *chan)
3887 {
3888 	struct b43_phy *phy = &dev->phy;
3889 	bool gmode;
3890 	u32 tmp;
3891 
3892 	switch (chan->band) {
3893 	case NL80211_BAND_5GHZ:
3894 		gmode = false;
3895 		break;
3896 	case NL80211_BAND_2GHZ:
3897 		gmode = true;
3898 		break;
3899 	default:
3900 		B43_WARN_ON(1);
3901 		return -EINVAL;
3902 	}
3903 
3904 	if (!((gmode && phy->supports_2ghz) ||
3905 	      (!gmode && phy->supports_5ghz))) {
3906 		b43err(dev->wl, "This device doesn't support %s-GHz band\n",
3907 		       band_to_string(chan->band));
3908 		return -ENODEV;
3909 	}
3910 
3911 	if (!!phy->gmode == !!gmode) {
3912 		/* This device is already running. */
3913 		return 0;
3914 	}
3915 
3916 	b43dbg(dev->wl, "Switching to %s GHz band\n",
3917 	       band_to_string(chan->band));
3918 
3919 	/* Some new devices don't need disabling radio for band switching */
3920 	if (!(phy->type == B43_PHYTYPE_N && phy->rev >= 3))
3921 		b43_software_rfkill(dev, true);
3922 
3923 	phy->gmode = gmode;
3924 	b43_phy_put_into_reset(dev);
3925 	switch (dev->dev->bus_type) {
3926 #ifdef CONFIG_B43_BCMA
3927 	case B43_BUS_BCMA:
3928 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOCTL);
3929 		if (gmode)
3930 			tmp |= B43_BCMA_IOCTL_GMODE;
3931 		else
3932 			tmp &= ~B43_BCMA_IOCTL_GMODE;
3933 		bcma_awrite32(dev->dev->bdev, BCMA_IOCTL, tmp);
3934 		break;
3935 #endif
3936 #ifdef CONFIG_B43_SSB
3937 	case B43_BUS_SSB:
3938 		tmp = ssb_read32(dev->dev->sdev, SSB_TMSLOW);
3939 		if (gmode)
3940 			tmp |= B43_TMSLOW_GMODE;
3941 		else
3942 			tmp &= ~B43_TMSLOW_GMODE;
3943 		ssb_write32(dev->dev->sdev, SSB_TMSLOW, tmp);
3944 		break;
3945 #endif
3946 	}
3947 	b43_phy_take_out_of_reset(dev);
3948 
3949 	b43_upload_initvals_band(dev);
3950 
3951 	b43_phy_init(dev);
3952 
3953 	return 0;
3954 }
3955 
3956 static void b43_set_beacon_listen_interval(struct b43_wldev *dev, u16 interval)
3957 {
3958 	interval = min_t(u16, interval, (u16)0xFF);
3959 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_BCN_LI, interval);
3960 }
3961 
3962 /* Write the short and long frame retry limit values. */
3963 static void b43_set_retry_limits(struct b43_wldev *dev,
3964 				 unsigned int short_retry,
3965 				 unsigned int long_retry)
3966 {
3967 	/* The retry limit is a 4-bit counter. Enforce this to avoid overflowing
3968 	 * the chip-internal counter. */
3969 	short_retry = min(short_retry, (unsigned int)0xF);
3970 	long_retry = min(long_retry, (unsigned int)0xF);
3971 
3972 	b43_shm_write16(dev, B43_SHM_SCRATCH, B43_SHM_SC_SRLIMIT,
3973 			short_retry);
3974 	b43_shm_write16(dev, B43_SHM_SCRATCH, B43_SHM_SC_LRLIMIT,
3975 			long_retry);
3976 }
3977 
3978 static int b43_op_config(struct ieee80211_hw *hw, u32 changed)
3979 {
3980 	struct b43_wl *wl = hw_to_b43_wl(hw);
3981 	struct b43_wldev *dev = wl->current_dev;
3982 	struct b43_phy *phy = &dev->phy;
3983 	struct ieee80211_conf *conf = &hw->conf;
3984 	int antenna;
3985 	int err = 0;
3986 
3987 	mutex_lock(&wl->mutex);
3988 	b43_mac_suspend(dev);
3989 
3990 	if (changed & IEEE80211_CONF_CHANGE_LISTEN_INTERVAL)
3991 		b43_set_beacon_listen_interval(dev, conf->listen_interval);
3992 
3993 	if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {
3994 		phy->chandef = &conf->chandef;
3995 		phy->channel = conf->chandef.chan->hw_value;
3996 
3997 		/* Switch the band (if necessary). */
3998 		err = b43_switch_band(dev, conf->chandef.chan);
3999 		if (err)
4000 			goto out_mac_enable;
4001 
4002 		/* Switch to the requested channel.
4003 		 * The firmware takes care of races with the TX handler.
4004 		 */
4005 		b43_switch_channel(dev, phy->channel);
4006 	}
4007 
4008 	if (changed & IEEE80211_CONF_CHANGE_RETRY_LIMITS)
4009 		b43_set_retry_limits(dev, conf->short_frame_max_tx_count,
4010 					  conf->long_frame_max_tx_count);
4011 	changed &= ~IEEE80211_CONF_CHANGE_RETRY_LIMITS;
4012 	if (!changed)
4013 		goto out_mac_enable;
4014 
4015 	dev->wl->radiotap_enabled = !!(conf->flags & IEEE80211_CONF_MONITOR);
4016 
4017 	/* Adjust the desired TX power level. */
4018 	if (conf->power_level != 0) {
4019 		if (conf->power_level != phy->desired_txpower) {
4020 			phy->desired_txpower = conf->power_level;
4021 			b43_phy_txpower_check(dev, B43_TXPWR_IGNORE_TIME |
4022 						   B43_TXPWR_IGNORE_TSSI);
4023 		}
4024 	}
4025 
4026 	/* Antennas for RX and management frame TX. */
4027 	antenna = B43_ANTENNA_DEFAULT;
4028 	b43_mgmtframe_txantenna(dev, antenna);
4029 	antenna = B43_ANTENNA_DEFAULT;
4030 	if (phy->ops->set_rx_antenna)
4031 		phy->ops->set_rx_antenna(dev, antenna);
4032 
4033 	if (wl->radio_enabled != phy->radio_on) {
4034 		if (wl->radio_enabled) {
4035 			b43_software_rfkill(dev, false);
4036 			b43info(dev->wl, "Radio turned on by software\n");
4037 			if (!dev->radio_hw_enable) {
4038 				b43info(dev->wl, "The hardware RF-kill button "
4039 					"still turns the radio physically off. "
4040 					"Press the button to turn it on.\n");
4041 			}
4042 		} else {
4043 			b43_software_rfkill(dev, true);
4044 			b43info(dev->wl, "Radio turned off by software\n");
4045 		}
4046 	}
4047 
4048 out_mac_enable:
4049 	b43_mac_enable(dev);
4050 	mutex_unlock(&wl->mutex);
4051 
4052 	return err;
4053 }
4054 
4055 static void b43_update_basic_rates(struct b43_wldev *dev, u32 brates)
4056 {
4057 	struct ieee80211_supported_band *sband =
4058 		dev->wl->hw->wiphy->bands[b43_current_band(dev->wl)];
4059 	const struct ieee80211_rate *rate;
4060 	int i;
4061 	u16 basic, direct, offset, basic_offset, rateptr;
4062 
4063 	for (i = 0; i < sband->n_bitrates; i++) {
4064 		rate = &sband->bitrates[i];
4065 
4066 		if (b43_is_cck_rate(rate->hw_value)) {
4067 			direct = B43_SHM_SH_CCKDIRECT;
4068 			basic = B43_SHM_SH_CCKBASIC;
4069 			offset = b43_plcp_get_ratecode_cck(rate->hw_value);
4070 			offset &= 0xF;
4071 		} else {
4072 			direct = B43_SHM_SH_OFDMDIRECT;
4073 			basic = B43_SHM_SH_OFDMBASIC;
4074 			offset = b43_plcp_get_ratecode_ofdm(rate->hw_value);
4075 			offset &= 0xF;
4076 		}
4077 
4078 		rate = ieee80211_get_response_rate(sband, brates, rate->bitrate);
4079 
4080 		if (b43_is_cck_rate(rate->hw_value)) {
4081 			basic_offset = b43_plcp_get_ratecode_cck(rate->hw_value);
4082 			basic_offset &= 0xF;
4083 		} else {
4084 			basic_offset = b43_plcp_get_ratecode_ofdm(rate->hw_value);
4085 			basic_offset &= 0xF;
4086 		}
4087 
4088 		/*
4089 		 * Get the pointer that we need to point to
4090 		 * from the direct map
4091 		 */
4092 		rateptr = b43_shm_read16(dev, B43_SHM_SHARED,
4093 					 direct + 2 * basic_offset);
4094 		/* and write it to the basic map */
4095 		b43_shm_write16(dev, B43_SHM_SHARED, basic + 2 * offset,
4096 				rateptr);
4097 	}
4098 }
4099 
4100 static void b43_op_bss_info_changed(struct ieee80211_hw *hw,
4101 				    struct ieee80211_vif *vif,
4102 				    struct ieee80211_bss_conf *conf,
4103 				    u64 changed)
4104 {
4105 	struct b43_wl *wl = hw_to_b43_wl(hw);
4106 	struct b43_wldev *dev;
4107 
4108 	mutex_lock(&wl->mutex);
4109 
4110 	dev = wl->current_dev;
4111 	if (!dev || b43_status(dev) < B43_STAT_STARTED)
4112 		goto out_unlock_mutex;
4113 
4114 	B43_WARN_ON(wl->vif != vif);
4115 
4116 	if (changed & BSS_CHANGED_BSSID) {
4117 		if (conf->bssid)
4118 			memcpy(wl->bssid, conf->bssid, ETH_ALEN);
4119 		else
4120 			eth_zero_addr(wl->bssid);
4121 	}
4122 
4123 	if (b43_status(dev) >= B43_STAT_INITIALIZED) {
4124 		if (changed & BSS_CHANGED_BEACON &&
4125 		    (b43_is_mode(wl, NL80211_IFTYPE_AP) ||
4126 		     b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT) ||
4127 		     b43_is_mode(wl, NL80211_IFTYPE_ADHOC)))
4128 			b43_update_templates(wl);
4129 
4130 		if (changed & BSS_CHANGED_BSSID)
4131 			b43_write_mac_bssid_templates(dev);
4132 	}
4133 
4134 	b43_mac_suspend(dev);
4135 
4136 	/* Update templates for AP/mesh mode. */
4137 	if (changed & BSS_CHANGED_BEACON_INT &&
4138 	    (b43_is_mode(wl, NL80211_IFTYPE_AP) ||
4139 	     b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT) ||
4140 	     b43_is_mode(wl, NL80211_IFTYPE_ADHOC)) &&
4141 	    conf->beacon_int)
4142 		b43_set_beacon_int(dev, conf->beacon_int);
4143 
4144 	if (changed & BSS_CHANGED_BASIC_RATES)
4145 		b43_update_basic_rates(dev, conf->basic_rates);
4146 
4147 	if (changed & BSS_CHANGED_ERP_SLOT) {
4148 		if (conf->use_short_slot)
4149 			b43_short_slot_timing_enable(dev);
4150 		else
4151 			b43_short_slot_timing_disable(dev);
4152 	}
4153 
4154 	b43_mac_enable(dev);
4155 out_unlock_mutex:
4156 	mutex_unlock(&wl->mutex);
4157 }
4158 
4159 static int b43_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
4160 			  struct ieee80211_vif *vif, struct ieee80211_sta *sta,
4161 			  struct ieee80211_key_conf *key)
4162 {
4163 	struct b43_wl *wl = hw_to_b43_wl(hw);
4164 	struct b43_wldev *dev;
4165 	u8 algorithm;
4166 	u8 index;
4167 	int err;
4168 	static const u8 bcast_addr[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4169 
4170 	if (modparam_nohwcrypt)
4171 		return -ENOSPC; /* User disabled HW-crypto */
4172 
4173 	if ((vif->type == NL80211_IFTYPE_ADHOC ||
4174 	     vif->type == NL80211_IFTYPE_MESH_POINT) &&
4175 	    (key->cipher == WLAN_CIPHER_SUITE_TKIP ||
4176 	     key->cipher == WLAN_CIPHER_SUITE_CCMP) &&
4177 	    !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
4178 		/*
4179 		 * For now, disable hw crypto for the RSN IBSS group keys. This
4180 		 * could be optimized in the future, but until that gets
4181 		 * implemented, use of software crypto for group addressed
4182 		 * frames is a acceptable to allow RSN IBSS to be used.
4183 		 */
4184 		return -EOPNOTSUPP;
4185 	}
4186 
4187 	mutex_lock(&wl->mutex);
4188 
4189 	dev = wl->current_dev;
4190 	err = -ENODEV;
4191 	if (!dev || b43_status(dev) < B43_STAT_INITIALIZED)
4192 		goto out_unlock;
4193 
4194 	if (dev->fw.pcm_request_failed || !dev->hwcrypto_enabled) {
4195 		/* We don't have firmware for the crypto engine.
4196 		 * Must use software-crypto. */
4197 		err = -EOPNOTSUPP;
4198 		goto out_unlock;
4199 	}
4200 
4201 	err = -EINVAL;
4202 	switch (key->cipher) {
4203 	case WLAN_CIPHER_SUITE_WEP40:
4204 		algorithm = B43_SEC_ALGO_WEP40;
4205 		break;
4206 	case WLAN_CIPHER_SUITE_WEP104:
4207 		algorithm = B43_SEC_ALGO_WEP104;
4208 		break;
4209 	case WLAN_CIPHER_SUITE_TKIP:
4210 		algorithm = B43_SEC_ALGO_TKIP;
4211 		break;
4212 	case WLAN_CIPHER_SUITE_CCMP:
4213 		algorithm = B43_SEC_ALGO_AES;
4214 		break;
4215 	default:
4216 		B43_WARN_ON(1);
4217 		goto out_unlock;
4218 	}
4219 	index = (u8) (key->keyidx);
4220 	if (index > 3)
4221 		goto out_unlock;
4222 
4223 	switch (cmd) {
4224 	case SET_KEY:
4225 		if (algorithm == B43_SEC_ALGO_TKIP &&
4226 		    (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE) ||
4227 		    !modparam_hwtkip)) {
4228 			/* We support only pairwise key */
4229 			err = -EOPNOTSUPP;
4230 			goto out_unlock;
4231 		}
4232 
4233 		if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE) {
4234 			if (WARN_ON(!sta)) {
4235 				err = -EOPNOTSUPP;
4236 				goto out_unlock;
4237 			}
4238 			/* Pairwise key with an assigned MAC address. */
4239 			err = b43_key_write(dev, -1, algorithm,
4240 					    key->key, key->keylen,
4241 					    sta->addr, key);
4242 		} else {
4243 			/* Group key */
4244 			err = b43_key_write(dev, index, algorithm,
4245 					    key->key, key->keylen, NULL, key);
4246 		}
4247 		if (err)
4248 			goto out_unlock;
4249 
4250 		if (algorithm == B43_SEC_ALGO_WEP40 ||
4251 		    algorithm == B43_SEC_ALGO_WEP104) {
4252 			b43_hf_write(dev, b43_hf_read(dev) | B43_HF_USEDEFKEYS);
4253 		} else {
4254 			b43_hf_write(dev,
4255 				     b43_hf_read(dev) & ~B43_HF_USEDEFKEYS);
4256 		}
4257 		key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
4258 		if (algorithm == B43_SEC_ALGO_TKIP)
4259 			key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
4260 		break;
4261 	case DISABLE_KEY: {
4262 		err = b43_key_clear(dev, key->hw_key_idx);
4263 		if (err)
4264 			goto out_unlock;
4265 		break;
4266 	}
4267 	default:
4268 		B43_WARN_ON(1);
4269 	}
4270 
4271 out_unlock:
4272 	if (!err) {
4273 		b43dbg(wl, "%s hardware based encryption for keyidx: %d, "
4274 		       "mac: %pM\n",
4275 		       cmd == SET_KEY ? "Using" : "Disabling", key->keyidx,
4276 		       sta ? sta->addr : bcast_addr);
4277 		b43_dump_keymemory(dev);
4278 	}
4279 	mutex_unlock(&wl->mutex);
4280 
4281 	return err;
4282 }
4283 
4284 static void b43_op_configure_filter(struct ieee80211_hw *hw,
4285 				    unsigned int changed, unsigned int *fflags,
4286 				    u64 multicast)
4287 {
4288 	struct b43_wl *wl = hw_to_b43_wl(hw);
4289 	struct b43_wldev *dev;
4290 
4291 	mutex_lock(&wl->mutex);
4292 	dev = wl->current_dev;
4293 	if (!dev) {
4294 		*fflags = 0;
4295 		goto out_unlock;
4296 	}
4297 
4298 	*fflags &= FIF_ALLMULTI |
4299 		  FIF_FCSFAIL |
4300 		  FIF_PLCPFAIL |
4301 		  FIF_CONTROL |
4302 		  FIF_OTHER_BSS |
4303 		  FIF_BCN_PRBRESP_PROMISC;
4304 
4305 	changed &= FIF_ALLMULTI |
4306 		   FIF_FCSFAIL |
4307 		   FIF_PLCPFAIL |
4308 		   FIF_CONTROL |
4309 		   FIF_OTHER_BSS |
4310 		   FIF_BCN_PRBRESP_PROMISC;
4311 
4312 	wl->filter_flags = *fflags;
4313 
4314 	if (changed && b43_status(dev) >= B43_STAT_INITIALIZED)
4315 		b43_adjust_opmode(dev);
4316 
4317 out_unlock:
4318 	mutex_unlock(&wl->mutex);
4319 }
4320 
4321 /* Locking: wl->mutex
4322  * Returns the current dev. This might be different from the passed in dev,
4323  * because the core might be gone away while we unlocked the mutex. */
4324 static struct b43_wldev * b43_wireless_core_stop(struct b43_wldev *dev)
4325 {
4326 	struct b43_wl *wl;
4327 	struct b43_wldev *orig_dev;
4328 	u32 mask;
4329 	int queue_num;
4330 
4331 	if (!dev)
4332 		return NULL;
4333 	wl = dev->wl;
4334 redo:
4335 	if (!dev || b43_status(dev) < B43_STAT_STARTED)
4336 		return dev;
4337 
4338 	/* Cancel work. Unlock to avoid deadlocks. */
4339 	mutex_unlock(&wl->mutex);
4340 	cancel_delayed_work_sync(&dev->periodic_work);
4341 	cancel_work_sync(&wl->tx_work);
4342 	b43_leds_stop(dev);
4343 	mutex_lock(&wl->mutex);
4344 	dev = wl->current_dev;
4345 	if (!dev || b43_status(dev) < B43_STAT_STARTED) {
4346 		/* Whoops, aliens ate up the device while we were unlocked. */
4347 		return dev;
4348 	}
4349 
4350 	/* Disable interrupts on the device. */
4351 	b43_set_status(dev, B43_STAT_INITIALIZED);
4352 	if (b43_bus_host_is_sdio(dev->dev)) {
4353 		/* wl->mutex is locked. That is enough. */
4354 		b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, 0);
4355 		b43_read32(dev, B43_MMIO_GEN_IRQ_MASK);	/* Flush */
4356 	} else {
4357 		spin_lock_irq(&wl->hardirq_lock);
4358 		b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, 0);
4359 		b43_read32(dev, B43_MMIO_GEN_IRQ_MASK);	/* Flush */
4360 		spin_unlock_irq(&wl->hardirq_lock);
4361 	}
4362 	/* Synchronize and free the interrupt handlers. Unlock to avoid deadlocks. */
4363 	orig_dev = dev;
4364 	mutex_unlock(&wl->mutex);
4365 	if (b43_bus_host_is_sdio(dev->dev))
4366 		b43_sdio_free_irq(dev);
4367 	else
4368 		free_irq(dev->dev->irq, dev);
4369 	mutex_lock(&wl->mutex);
4370 	dev = wl->current_dev;
4371 	if (!dev)
4372 		return dev;
4373 	if (dev != orig_dev) {
4374 		if (b43_status(dev) >= B43_STAT_STARTED)
4375 			goto redo;
4376 		return dev;
4377 	}
4378 	mask = b43_read32(dev, B43_MMIO_GEN_IRQ_MASK);
4379 	B43_WARN_ON(mask != 0xFFFFFFFF && mask);
4380 
4381 	/* Drain all TX queues. */
4382 	for (queue_num = 0; queue_num < B43_QOS_QUEUE_NUM; queue_num++) {
4383 		while (skb_queue_len(&wl->tx_queue[queue_num])) {
4384 			struct sk_buff *skb;
4385 
4386 			skb = skb_dequeue(&wl->tx_queue[queue_num]);
4387 			ieee80211_free_txskb(wl->hw, skb);
4388 		}
4389 	}
4390 
4391 	b43_mac_suspend(dev);
4392 	b43_leds_exit(dev);
4393 	b43dbg(wl, "Wireless interface stopped\n");
4394 
4395 	return dev;
4396 }
4397 
4398 /* Locking: wl->mutex */
4399 static int b43_wireless_core_start(struct b43_wldev *dev)
4400 {
4401 	int err;
4402 
4403 	B43_WARN_ON(b43_status(dev) != B43_STAT_INITIALIZED);
4404 
4405 	drain_txstatus_queue(dev);
4406 	if (b43_bus_host_is_sdio(dev->dev)) {
4407 		err = b43_sdio_request_irq(dev, b43_sdio_interrupt_handler);
4408 		if (err) {
4409 			b43err(dev->wl, "Cannot request SDIO IRQ\n");
4410 			goto out;
4411 		}
4412 	} else {
4413 		err = request_threaded_irq(dev->dev->irq, b43_interrupt_handler,
4414 					   b43_interrupt_thread_handler,
4415 					   IRQF_SHARED, KBUILD_MODNAME, dev);
4416 		if (err) {
4417 			b43err(dev->wl, "Cannot request IRQ-%d\n",
4418 			       dev->dev->irq);
4419 			goto out;
4420 		}
4421 	}
4422 
4423 	/* We are ready to run. */
4424 	ieee80211_wake_queues(dev->wl->hw);
4425 	b43_set_status(dev, B43_STAT_STARTED);
4426 
4427 	/* Start data flow (TX/RX). */
4428 	b43_mac_enable(dev);
4429 	b43_write32(dev, B43_MMIO_GEN_IRQ_MASK, dev->irq_mask);
4430 
4431 	/* Start maintenance work */
4432 	b43_periodic_tasks_setup(dev);
4433 
4434 	b43_leds_init(dev);
4435 
4436 	b43dbg(dev->wl, "Wireless interface started\n");
4437 out:
4438 	return err;
4439 }
4440 
4441 static char *b43_phy_name(struct b43_wldev *dev, u8 phy_type)
4442 {
4443 	switch (phy_type) {
4444 	case B43_PHYTYPE_A:
4445 		return "A";
4446 	case B43_PHYTYPE_B:
4447 		return "B";
4448 	case B43_PHYTYPE_G:
4449 		return "G";
4450 	case B43_PHYTYPE_N:
4451 		return "N";
4452 	case B43_PHYTYPE_LP:
4453 		return "LP";
4454 	case B43_PHYTYPE_SSLPN:
4455 		return "SSLPN";
4456 	case B43_PHYTYPE_HT:
4457 		return "HT";
4458 	case B43_PHYTYPE_LCN:
4459 		return "LCN";
4460 	case B43_PHYTYPE_LCNXN:
4461 		return "LCNXN";
4462 	case B43_PHYTYPE_LCN40:
4463 		return "LCN40";
4464 	case B43_PHYTYPE_AC:
4465 		return "AC";
4466 	}
4467 	return "UNKNOWN";
4468 }
4469 
4470 /* Get PHY and RADIO versioning numbers */
4471 static int b43_phy_versioning(struct b43_wldev *dev)
4472 {
4473 	struct b43_phy *phy = &dev->phy;
4474 	const u8 core_rev = dev->dev->core_rev;
4475 	u32 tmp;
4476 	u8 analog_type;
4477 	u8 phy_type;
4478 	u8 phy_rev;
4479 	u16 radio_manuf;
4480 	u16 radio_id;
4481 	u16 radio_rev;
4482 	u8 radio_ver;
4483 	int unsupported = 0;
4484 
4485 	/* Get PHY versioning */
4486 	tmp = b43_read16(dev, B43_MMIO_PHY_VER);
4487 	analog_type = (tmp & B43_PHYVER_ANALOG) >> B43_PHYVER_ANALOG_SHIFT;
4488 	phy_type = (tmp & B43_PHYVER_TYPE) >> B43_PHYVER_TYPE_SHIFT;
4489 	phy_rev = (tmp & B43_PHYVER_VERSION);
4490 
4491 	/* LCNXN is continuation of N which run out of revisions */
4492 	if (phy_type == B43_PHYTYPE_LCNXN) {
4493 		phy_type = B43_PHYTYPE_N;
4494 		phy_rev += 16;
4495 	}
4496 
4497 	switch (phy_type) {
4498 #ifdef CONFIG_B43_PHY_G
4499 	case B43_PHYTYPE_G:
4500 		if (phy_rev > 9)
4501 			unsupported = 1;
4502 		break;
4503 #endif
4504 #ifdef CONFIG_B43_PHY_N
4505 	case B43_PHYTYPE_N:
4506 		if (phy_rev >= 19)
4507 			unsupported = 1;
4508 		break;
4509 #endif
4510 #ifdef CONFIG_B43_PHY_LP
4511 	case B43_PHYTYPE_LP:
4512 		if (phy_rev > 2)
4513 			unsupported = 1;
4514 		break;
4515 #endif
4516 #ifdef CONFIG_B43_PHY_HT
4517 	case B43_PHYTYPE_HT:
4518 		if (phy_rev > 1)
4519 			unsupported = 1;
4520 		break;
4521 #endif
4522 #ifdef CONFIG_B43_PHY_LCN
4523 	case B43_PHYTYPE_LCN:
4524 		if (phy_rev > 1)
4525 			unsupported = 1;
4526 		break;
4527 #endif
4528 #ifdef CONFIG_B43_PHY_AC
4529 	case B43_PHYTYPE_AC:
4530 		if (phy_rev > 1)
4531 			unsupported = 1;
4532 		break;
4533 #endif
4534 	default:
4535 		unsupported = 1;
4536 	}
4537 	if (unsupported) {
4538 		b43err(dev->wl, "FOUND UNSUPPORTED PHY (Analog %u, Type %d (%s), Revision %u)\n",
4539 		       analog_type, phy_type, b43_phy_name(dev, phy_type),
4540 		       phy_rev);
4541 		return -EOPNOTSUPP;
4542 	}
4543 	b43info(dev->wl, "Found PHY: Analog %u, Type %d (%s), Revision %u\n",
4544 		analog_type, phy_type, b43_phy_name(dev, phy_type), phy_rev);
4545 
4546 	/* Get RADIO versioning */
4547 	if (core_rev == 40 || core_rev == 42) {
4548 		radio_manuf = 0x17F;
4549 
4550 		b43_write16f(dev, B43_MMIO_RADIO24_CONTROL, 0);
4551 		radio_rev = b43_read16(dev, B43_MMIO_RADIO24_DATA);
4552 
4553 		b43_write16f(dev, B43_MMIO_RADIO24_CONTROL, 1);
4554 		radio_id = b43_read16(dev, B43_MMIO_RADIO24_DATA);
4555 
4556 		radio_ver = 0; /* Is there version somewhere? */
4557 	} else if (core_rev >= 24) {
4558 		u16 radio24[3];
4559 
4560 		for (tmp = 0; tmp < 3; tmp++) {
4561 			b43_write16f(dev, B43_MMIO_RADIO24_CONTROL, tmp);
4562 			radio24[tmp] = b43_read16(dev, B43_MMIO_RADIO24_DATA);
4563 		}
4564 
4565 		radio_manuf = 0x17F;
4566 		radio_id = (radio24[2] << 8) | radio24[1];
4567 		radio_rev = (radio24[0] & 0xF);
4568 		radio_ver = (radio24[0] & 0xF0) >> 4;
4569 	} else {
4570 		if (dev->dev->chip_id == 0x4317) {
4571 			if (dev->dev->chip_rev == 0)
4572 				tmp = 0x3205017F;
4573 			else if (dev->dev->chip_rev == 1)
4574 				tmp = 0x4205017F;
4575 			else
4576 				tmp = 0x5205017F;
4577 		} else {
4578 			b43_write16f(dev, B43_MMIO_RADIO_CONTROL,
4579 				     B43_RADIOCTL_ID);
4580 			tmp = b43_read16(dev, B43_MMIO_RADIO_DATA_LOW);
4581 			b43_write16f(dev, B43_MMIO_RADIO_CONTROL,
4582 				     B43_RADIOCTL_ID);
4583 			tmp |= b43_read16(dev, B43_MMIO_RADIO_DATA_HIGH) << 16;
4584 		}
4585 		radio_manuf = (tmp & 0x00000FFF);
4586 		radio_id = (tmp & 0x0FFFF000) >> 12;
4587 		radio_rev = (tmp & 0xF0000000) >> 28;
4588 		radio_ver = 0; /* Probably not available on old hw */
4589 	}
4590 
4591 	if (radio_manuf != 0x17F /* Broadcom */)
4592 		unsupported = 1;
4593 	switch (phy_type) {
4594 	case B43_PHYTYPE_B:
4595 		if ((radio_id & 0xFFF0) != 0x2050)
4596 			unsupported = 1;
4597 		break;
4598 	case B43_PHYTYPE_G:
4599 		if (radio_id != 0x2050)
4600 			unsupported = 1;
4601 		break;
4602 	case B43_PHYTYPE_N:
4603 		if (radio_id != 0x2055 && radio_id != 0x2056 &&
4604 		    radio_id != 0x2057)
4605 			unsupported = 1;
4606 		if (radio_id == 0x2057 &&
4607 		    !(radio_rev == 9 || radio_rev == 14))
4608 			unsupported = 1;
4609 		break;
4610 	case B43_PHYTYPE_LP:
4611 		if (radio_id != 0x2062 && radio_id != 0x2063)
4612 			unsupported = 1;
4613 		break;
4614 	case B43_PHYTYPE_HT:
4615 		if (radio_id != 0x2059)
4616 			unsupported = 1;
4617 		break;
4618 	case B43_PHYTYPE_LCN:
4619 		if (radio_id != 0x2064)
4620 			unsupported = 1;
4621 		break;
4622 	case B43_PHYTYPE_AC:
4623 		if (radio_id != 0x2069)
4624 			unsupported = 1;
4625 		break;
4626 	default:
4627 		B43_WARN_ON(1);
4628 	}
4629 	if (unsupported) {
4630 		b43err(dev->wl,
4631 		       "FOUND UNSUPPORTED RADIO (Manuf 0x%X, ID 0x%X, Revision %u, Version %u)\n",
4632 		       radio_manuf, radio_id, radio_rev, radio_ver);
4633 		return -EOPNOTSUPP;
4634 	}
4635 	b43info(dev->wl,
4636 		"Found Radio: Manuf 0x%X, ID 0x%X, Revision %u, Version %u\n",
4637 		radio_manuf, radio_id, radio_rev, radio_ver);
4638 
4639 	/* FIXME: b43 treats "id" as "ver" and ignores the real "ver" */
4640 	phy->radio_manuf = radio_manuf;
4641 	phy->radio_ver = radio_id;
4642 	phy->radio_rev = radio_rev;
4643 
4644 	phy->analog = analog_type;
4645 	phy->type = phy_type;
4646 	phy->rev = phy_rev;
4647 
4648 	return 0;
4649 }
4650 
4651 static void setup_struct_phy_for_init(struct b43_wldev *dev,
4652 				      struct b43_phy *phy)
4653 {
4654 	phy->hardware_power_control = !!modparam_hwpctl;
4655 	phy->next_txpwr_check_time = jiffies;
4656 	/* PHY TX errors counter. */
4657 	atomic_set(&phy->txerr_cnt, B43_PHY_TX_BADNESS_LIMIT);
4658 
4659 #if B43_DEBUG
4660 	phy->phy_locked = false;
4661 	phy->radio_locked = false;
4662 #endif
4663 }
4664 
4665 static void setup_struct_wldev_for_init(struct b43_wldev *dev)
4666 {
4667 	dev->dfq_valid = false;
4668 
4669 	/* Assume the radio is enabled. If it's not enabled, the state will
4670 	 * immediately get fixed on the first periodic work run. */
4671 	dev->radio_hw_enable = true;
4672 
4673 	/* Stats */
4674 	memset(&dev->stats, 0, sizeof(dev->stats));
4675 
4676 	setup_struct_phy_for_init(dev, &dev->phy);
4677 
4678 	/* IRQ related flags */
4679 	dev->irq_reason = 0;
4680 	memset(dev->dma_reason, 0, sizeof(dev->dma_reason));
4681 	dev->irq_mask = B43_IRQ_MASKTEMPLATE;
4682 	if (b43_modparam_verbose < B43_VERBOSITY_DEBUG)
4683 		dev->irq_mask &= ~B43_IRQ_PHY_TXERR;
4684 
4685 	dev->mac_suspended = 1;
4686 
4687 	/* Noise calculation context */
4688 	memset(&dev->noisecalc, 0, sizeof(dev->noisecalc));
4689 }
4690 
4691 static void b43_bluetooth_coext_enable(struct b43_wldev *dev)
4692 {
4693 	struct ssb_sprom *sprom = dev->dev->bus_sprom;
4694 	u64 hf;
4695 
4696 	if (!modparam_btcoex)
4697 		return;
4698 	if (!(sprom->boardflags_lo & B43_BFL_BTCOEXIST))
4699 		return;
4700 	if (dev->phy.type != B43_PHYTYPE_B && !dev->phy.gmode)
4701 		return;
4702 
4703 	hf = b43_hf_read(dev);
4704 	if (sprom->boardflags_lo & B43_BFL_BTCMOD)
4705 		hf |= B43_HF_BTCOEXALT;
4706 	else
4707 		hf |= B43_HF_BTCOEX;
4708 	b43_hf_write(dev, hf);
4709 }
4710 
4711 static void b43_bluetooth_coext_disable(struct b43_wldev *dev)
4712 {
4713 	if (!modparam_btcoex)
4714 		return;
4715 	//TODO
4716 }
4717 
4718 static void b43_imcfglo_timeouts_workaround(struct b43_wldev *dev)
4719 {
4720 	struct ssb_bus *bus;
4721 	u32 tmp;
4722 
4723 #ifdef CONFIG_B43_SSB
4724 	if (dev->dev->bus_type != B43_BUS_SSB)
4725 		return;
4726 #else
4727 	return;
4728 #endif
4729 
4730 	bus = dev->dev->sdev->bus;
4731 
4732 	if ((bus->chip_id == 0x4311 && bus->chip_rev == 2) ||
4733 	    (bus->chip_id == 0x4312)) {
4734 		tmp = ssb_read32(dev->dev->sdev, SSB_IMCFGLO);
4735 		tmp &= ~SSB_IMCFGLO_REQTO;
4736 		tmp &= ~SSB_IMCFGLO_SERTO;
4737 		tmp |= 0x3;
4738 		ssb_write32(dev->dev->sdev, SSB_IMCFGLO, tmp);
4739 		ssb_commit_settings(bus);
4740 	}
4741 }
4742 
4743 static void b43_set_synth_pu_delay(struct b43_wldev *dev, bool idle)
4744 {
4745 	u16 pu_delay;
4746 
4747 	/* The time value is in microseconds. */
4748 	pu_delay = 1050;
4749 	if (b43_is_mode(dev->wl, NL80211_IFTYPE_ADHOC) || idle)
4750 		pu_delay = 500;
4751 	if ((dev->phy.radio_ver == 0x2050) && (dev->phy.radio_rev == 8))
4752 		pu_delay = max(pu_delay, (u16)2400);
4753 
4754 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_SPUWKUP, pu_delay);
4755 }
4756 
4757 /* Set the TSF CFP pre-TargetBeaconTransmissionTime. */
4758 static void b43_set_pretbtt(struct b43_wldev *dev)
4759 {
4760 	u16 pretbtt;
4761 
4762 	/* The time value is in microseconds. */
4763 	if (b43_is_mode(dev->wl, NL80211_IFTYPE_ADHOC))
4764 		pretbtt = 2;
4765 	else
4766 		pretbtt = 250;
4767 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PRETBTT, pretbtt);
4768 	b43_write16(dev, B43_MMIO_TSF_CFP_PRETBTT, pretbtt);
4769 }
4770 
4771 /* Shutdown a wireless core */
4772 /* Locking: wl->mutex */
4773 static void b43_wireless_core_exit(struct b43_wldev *dev)
4774 {
4775 	B43_WARN_ON(dev && b43_status(dev) > B43_STAT_INITIALIZED);
4776 	if (!dev || b43_status(dev) != B43_STAT_INITIALIZED)
4777 		return;
4778 
4779 	b43_set_status(dev, B43_STAT_UNINIT);
4780 
4781 	/* Stop the microcode PSM. */
4782 	b43_maskset32(dev, B43_MMIO_MACCTL, ~B43_MACCTL_PSM_RUN,
4783 		      B43_MACCTL_PSM_JMP0);
4784 
4785 	switch (dev->dev->bus_type) {
4786 #ifdef CONFIG_B43_BCMA
4787 	case B43_BUS_BCMA:
4788 		bcma_host_pci_down(dev->dev->bdev->bus);
4789 		break;
4790 #endif
4791 #ifdef CONFIG_B43_SSB
4792 	case B43_BUS_SSB:
4793 		/* TODO */
4794 		break;
4795 #endif
4796 	}
4797 
4798 	b43_dma_free(dev);
4799 	b43_pio_free(dev);
4800 	b43_chip_exit(dev);
4801 	dev->phy.ops->switch_analog(dev, 0);
4802 	if (dev->wl->current_beacon) {
4803 		dev_kfree_skb_any(dev->wl->current_beacon);
4804 		dev->wl->current_beacon = NULL;
4805 	}
4806 
4807 	b43_device_disable(dev, 0);
4808 	b43_bus_may_powerdown(dev);
4809 }
4810 
4811 /* Initialize a wireless core */
4812 static int b43_wireless_core_init(struct b43_wldev *dev)
4813 {
4814 	struct ssb_sprom *sprom = dev->dev->bus_sprom;
4815 	struct b43_phy *phy = &dev->phy;
4816 	int err;
4817 	u64 hf;
4818 
4819 	B43_WARN_ON(b43_status(dev) != B43_STAT_UNINIT);
4820 
4821 	err = b43_bus_powerup(dev, 0);
4822 	if (err)
4823 		goto out;
4824 	if (!b43_device_is_enabled(dev))
4825 		b43_wireless_core_reset(dev, phy->gmode);
4826 
4827 	/* Reset all data structures. */
4828 	setup_struct_wldev_for_init(dev);
4829 	phy->ops->prepare_structs(dev);
4830 
4831 	/* Enable IRQ routing to this device. */
4832 	switch (dev->dev->bus_type) {
4833 #ifdef CONFIG_B43_BCMA
4834 	case B43_BUS_BCMA:
4835 		bcma_host_pci_irq_ctl(dev->dev->bdev->bus,
4836 				      dev->dev->bdev, true);
4837 		bcma_host_pci_up(dev->dev->bdev->bus);
4838 		break;
4839 #endif
4840 #ifdef CONFIG_B43_SSB
4841 	case B43_BUS_SSB:
4842 		ssb_pcicore_dev_irqvecs_enable(&dev->dev->sdev->bus->pcicore,
4843 					       dev->dev->sdev);
4844 		break;
4845 #endif
4846 	}
4847 
4848 	b43_imcfglo_timeouts_workaround(dev);
4849 	b43_bluetooth_coext_disable(dev);
4850 	if (phy->ops->prepare_hardware) {
4851 		err = phy->ops->prepare_hardware(dev);
4852 		if (err)
4853 			goto err_busdown;
4854 	}
4855 	err = b43_chip_init(dev);
4856 	if (err)
4857 		goto err_busdown;
4858 	b43_shm_write16(dev, B43_SHM_SHARED,
4859 			B43_SHM_SH_WLCOREREV, dev->dev->core_rev);
4860 	hf = b43_hf_read(dev);
4861 	if (phy->type == B43_PHYTYPE_G) {
4862 		hf |= B43_HF_SYMW;
4863 		if (phy->rev == 1)
4864 			hf |= B43_HF_GDCW;
4865 		if (sprom->boardflags_lo & B43_BFL_PACTRL)
4866 			hf |= B43_HF_OFDMPABOOST;
4867 	}
4868 	if (phy->radio_ver == 0x2050) {
4869 		if (phy->radio_rev == 6)
4870 			hf |= B43_HF_4318TSSI;
4871 		if (phy->radio_rev < 6)
4872 			hf |= B43_HF_VCORECALC;
4873 	}
4874 	if (sprom->boardflags_lo & B43_BFL_XTAL_NOSLOW)
4875 		hf |= B43_HF_DSCRQ; /* Disable slowclock requests from ucode. */
4876 #if defined(CONFIG_B43_SSB) && defined(CONFIG_SSB_DRIVER_PCICORE)
4877 	if (dev->dev->bus_type == B43_BUS_SSB &&
4878 	    dev->dev->sdev->bus->bustype == SSB_BUSTYPE_PCI &&
4879 	    dev->dev->sdev->bus->pcicore.dev->id.revision <= 10)
4880 		hf |= B43_HF_PCISCW; /* PCI slow clock workaround. */
4881 #endif
4882 	hf &= ~B43_HF_SKCFPUP;
4883 	b43_hf_write(dev, hf);
4884 
4885 	/* tell the ucode MAC capabilities */
4886 	if (dev->dev->core_rev >= 13) {
4887 		u32 mac_hw_cap = b43_read32(dev, B43_MMIO_MAC_HW_CAP);
4888 
4889 		b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_MACHW_L,
4890 				mac_hw_cap & 0xffff);
4891 		b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_MACHW_H,
4892 				(mac_hw_cap >> 16) & 0xffff);
4893 	}
4894 
4895 	b43_set_retry_limits(dev, B43_DEFAULT_SHORT_RETRY_LIMIT,
4896 			     B43_DEFAULT_LONG_RETRY_LIMIT);
4897 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_SFFBLIM, 3);
4898 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_LFFBLIM, 2);
4899 
4900 	/* Disable sending probe responses from firmware.
4901 	 * Setting the MaxTime to one usec will always trigger
4902 	 * a timeout, so we never send any probe resp.
4903 	 * A timeout of zero is infinite. */
4904 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PRMAXTIME, 1);
4905 
4906 	b43_rate_memory_init(dev);
4907 	b43_set_phytxctl_defaults(dev);
4908 
4909 	/* Minimum Contention Window */
4910 	if (phy->type == B43_PHYTYPE_B)
4911 		b43_shm_write16(dev, B43_SHM_SCRATCH, B43_SHM_SC_MINCONT, 0x1F);
4912 	else
4913 		b43_shm_write16(dev, B43_SHM_SCRATCH, B43_SHM_SC_MINCONT, 0xF);
4914 	/* Maximum Contention Window */
4915 	b43_shm_write16(dev, B43_SHM_SCRATCH, B43_SHM_SC_MAXCONT, 0x3FF);
4916 
4917 	/* write phytype and phyvers */
4918 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PHYTYPE, phy->type);
4919 	b43_shm_write16(dev, B43_SHM_SHARED, B43_SHM_SH_PHYVER, phy->rev);
4920 
4921 	if (b43_bus_host_is_pcmcia(dev->dev) ||
4922 	    b43_bus_host_is_sdio(dev->dev)) {
4923 		dev->__using_pio_transfers = true;
4924 		err = b43_pio_init(dev);
4925 	} else if (dev->use_pio) {
4926 		b43warn(dev->wl, "Forced PIO by use_pio module parameter. "
4927 			"This should not be needed and will result in lower "
4928 			"performance.\n");
4929 		dev->__using_pio_transfers = true;
4930 		err = b43_pio_init(dev);
4931 	} else {
4932 		dev->__using_pio_transfers = false;
4933 		err = b43_dma_init(dev);
4934 	}
4935 	if (err)
4936 		goto err_chip_exit;
4937 	b43_qos_init(dev);
4938 	b43_set_synth_pu_delay(dev, 1);
4939 	b43_bluetooth_coext_enable(dev);
4940 
4941 	b43_bus_powerup(dev, !(sprom->boardflags_lo & B43_BFL_XTAL_NOSLOW));
4942 	b43_upload_card_macaddress(dev);
4943 	b43_security_init(dev);
4944 
4945 	ieee80211_wake_queues(dev->wl->hw);
4946 
4947 	b43_set_status(dev, B43_STAT_INITIALIZED);
4948 
4949 out:
4950 	return err;
4951 
4952 err_chip_exit:
4953 	b43_chip_exit(dev);
4954 err_busdown:
4955 	b43_bus_may_powerdown(dev);
4956 	B43_WARN_ON(b43_status(dev) != B43_STAT_UNINIT);
4957 	return err;
4958 }
4959 
4960 static int b43_op_add_interface(struct ieee80211_hw *hw,
4961 				struct ieee80211_vif *vif)
4962 {
4963 	struct b43_wl *wl = hw_to_b43_wl(hw);
4964 	struct b43_wldev *dev;
4965 	int err = -EOPNOTSUPP;
4966 
4967 	/* TODO: allow AP devices to coexist */
4968 
4969 	if (vif->type != NL80211_IFTYPE_AP &&
4970 	    vif->type != NL80211_IFTYPE_MESH_POINT &&
4971 	    vif->type != NL80211_IFTYPE_STATION &&
4972 	    vif->type != NL80211_IFTYPE_ADHOC)
4973 		return -EOPNOTSUPP;
4974 
4975 	mutex_lock(&wl->mutex);
4976 	if (wl->operating)
4977 		goto out_mutex_unlock;
4978 
4979 	b43dbg(wl, "Adding Interface type %d\n", vif->type);
4980 
4981 	dev = wl->current_dev;
4982 	wl->operating = true;
4983 	wl->vif = vif;
4984 	wl->if_type = vif->type;
4985 	memcpy(wl->mac_addr, vif->addr, ETH_ALEN);
4986 
4987 	b43_adjust_opmode(dev);
4988 	b43_set_pretbtt(dev);
4989 	b43_set_synth_pu_delay(dev, 0);
4990 	b43_upload_card_macaddress(dev);
4991 
4992 	err = 0;
4993  out_mutex_unlock:
4994 	mutex_unlock(&wl->mutex);
4995 
4996 	if (err == 0)
4997 		b43_op_bss_info_changed(hw, vif, &vif->bss_conf, ~0);
4998 
4999 	return err;
5000 }
5001 
5002 static void b43_op_remove_interface(struct ieee80211_hw *hw,
5003 				    struct ieee80211_vif *vif)
5004 {
5005 	struct b43_wl *wl = hw_to_b43_wl(hw);
5006 	struct b43_wldev *dev = wl->current_dev;
5007 
5008 	b43dbg(wl, "Removing Interface type %d\n", vif->type);
5009 
5010 	mutex_lock(&wl->mutex);
5011 
5012 	B43_WARN_ON(!wl->operating);
5013 	B43_WARN_ON(wl->vif != vif);
5014 	wl->vif = NULL;
5015 
5016 	wl->operating = false;
5017 
5018 	b43_adjust_opmode(dev);
5019 	eth_zero_addr(wl->mac_addr);
5020 	b43_upload_card_macaddress(dev);
5021 
5022 	mutex_unlock(&wl->mutex);
5023 }
5024 
5025 static int b43_op_start(struct ieee80211_hw *hw)
5026 {
5027 	struct b43_wl *wl = hw_to_b43_wl(hw);
5028 	struct b43_wldev *dev = wl->current_dev;
5029 	int did_init = 0;
5030 	int err = 0;
5031 
5032 	/* Kill all old instance specific information to make sure
5033 	 * the card won't use it in the short timeframe between start
5034 	 * and mac80211 reconfiguring it. */
5035 	eth_zero_addr(wl->bssid);
5036 	eth_zero_addr(wl->mac_addr);
5037 	wl->filter_flags = 0;
5038 	wl->radiotap_enabled = false;
5039 	b43_qos_clear(wl);
5040 	wl->beacon0_uploaded = false;
5041 	wl->beacon1_uploaded = false;
5042 	wl->beacon_templates_virgin = true;
5043 	wl->radio_enabled = true;
5044 
5045 	mutex_lock(&wl->mutex);
5046 
5047 	if (b43_status(dev) < B43_STAT_INITIALIZED) {
5048 		err = b43_wireless_core_init(dev);
5049 		if (err)
5050 			goto out_mutex_unlock;
5051 		did_init = 1;
5052 	}
5053 
5054 	if (b43_status(dev) < B43_STAT_STARTED) {
5055 		err = b43_wireless_core_start(dev);
5056 		if (err) {
5057 			if (did_init)
5058 				b43_wireless_core_exit(dev);
5059 			goto out_mutex_unlock;
5060 		}
5061 	}
5062 
5063 	/* XXX: only do if device doesn't support rfkill irq */
5064 	wiphy_rfkill_start_polling(hw->wiphy);
5065 
5066  out_mutex_unlock:
5067 	mutex_unlock(&wl->mutex);
5068 
5069 	/*
5070 	 * Configuration may have been overwritten during initialization.
5071 	 * Reload the configuration, but only if initialization was
5072 	 * successful. Reloading the configuration after a failed init
5073 	 * may hang the system.
5074 	 */
5075 	if (!err)
5076 		b43_op_config(hw, ~0);
5077 
5078 	return err;
5079 }
5080 
5081 static void b43_op_stop(struct ieee80211_hw *hw, bool suspend)
5082 {
5083 	struct b43_wl *wl = hw_to_b43_wl(hw);
5084 	struct b43_wldev *dev = wl->current_dev;
5085 
5086 	cancel_work_sync(&(wl->beacon_update_trigger));
5087 
5088 	if (!dev)
5089 		goto out;
5090 
5091 	mutex_lock(&wl->mutex);
5092 	if (b43_status(dev) >= B43_STAT_STARTED) {
5093 		dev = b43_wireless_core_stop(dev);
5094 		if (!dev)
5095 			goto out_unlock;
5096 	}
5097 	b43_wireless_core_exit(dev);
5098 	wl->radio_enabled = false;
5099 
5100 out_unlock:
5101 	mutex_unlock(&wl->mutex);
5102 out:
5103 	cancel_work_sync(&(wl->txpower_adjust_work));
5104 }
5105 
5106 static int b43_op_beacon_set_tim(struct ieee80211_hw *hw,
5107 				 struct ieee80211_sta *sta, bool set)
5108 {
5109 	struct b43_wl *wl = hw_to_b43_wl(hw);
5110 
5111 	b43_update_templates(wl);
5112 
5113 	return 0;
5114 }
5115 
5116 static void b43_op_sta_notify(struct ieee80211_hw *hw,
5117 			      struct ieee80211_vif *vif,
5118 			      enum sta_notify_cmd notify_cmd,
5119 			      struct ieee80211_sta *sta)
5120 {
5121 	struct b43_wl *wl = hw_to_b43_wl(hw);
5122 
5123 	B43_WARN_ON(!vif || wl->vif != vif);
5124 }
5125 
5126 static void b43_op_sw_scan_start_notifier(struct ieee80211_hw *hw,
5127 					  struct ieee80211_vif *vif,
5128 					  const u8 *mac_addr)
5129 {
5130 	struct b43_wl *wl = hw_to_b43_wl(hw);
5131 	struct b43_wldev *dev;
5132 
5133 	mutex_lock(&wl->mutex);
5134 	dev = wl->current_dev;
5135 	if (dev && (b43_status(dev) >= B43_STAT_INITIALIZED)) {
5136 		/* Disable CFP update during scan on other channels. */
5137 		b43_hf_write(dev, b43_hf_read(dev) | B43_HF_SKCFPUP);
5138 	}
5139 	mutex_unlock(&wl->mutex);
5140 }
5141 
5142 static void b43_op_sw_scan_complete_notifier(struct ieee80211_hw *hw,
5143 					     struct ieee80211_vif *vif)
5144 {
5145 	struct b43_wl *wl = hw_to_b43_wl(hw);
5146 	struct b43_wldev *dev;
5147 
5148 	mutex_lock(&wl->mutex);
5149 	dev = wl->current_dev;
5150 	if (dev && (b43_status(dev) >= B43_STAT_INITIALIZED)) {
5151 		/* Re-enable CFP update. */
5152 		b43_hf_write(dev, b43_hf_read(dev) & ~B43_HF_SKCFPUP);
5153 	}
5154 	mutex_unlock(&wl->mutex);
5155 }
5156 
5157 static int b43_op_get_survey(struct ieee80211_hw *hw, int idx,
5158 			     struct survey_info *survey)
5159 {
5160 	struct b43_wl *wl = hw_to_b43_wl(hw);
5161 	struct b43_wldev *dev = wl->current_dev;
5162 	struct ieee80211_conf *conf = &hw->conf;
5163 
5164 	if (idx != 0)
5165 		return -ENOENT;
5166 
5167 	survey->channel = conf->chandef.chan;
5168 	survey->filled = SURVEY_INFO_NOISE_DBM;
5169 	survey->noise = dev->stats.link_noise;
5170 
5171 	return 0;
5172 }
5173 
5174 static const struct ieee80211_ops b43_hw_ops = {
5175 	.add_chanctx = ieee80211_emulate_add_chanctx,
5176 	.remove_chanctx = ieee80211_emulate_remove_chanctx,
5177 	.change_chanctx = ieee80211_emulate_change_chanctx,
5178 	.switch_vif_chanctx = ieee80211_emulate_switch_vif_chanctx,
5179 	.tx			= b43_op_tx,
5180 	.wake_tx_queue		= ieee80211_handle_wake_tx_queue,
5181 	.conf_tx		= b43_op_conf_tx,
5182 	.add_interface		= b43_op_add_interface,
5183 	.remove_interface	= b43_op_remove_interface,
5184 	.config			= b43_op_config,
5185 	.bss_info_changed	= b43_op_bss_info_changed,
5186 	.configure_filter	= b43_op_configure_filter,
5187 	.set_key		= b43_op_set_key,
5188 	.update_tkip_key	= b43_op_update_tkip_key,
5189 	.get_stats		= b43_op_get_stats,
5190 	.get_tsf		= b43_op_get_tsf,
5191 	.set_tsf		= b43_op_set_tsf,
5192 	.start			= b43_op_start,
5193 	.stop			= b43_op_stop,
5194 	.set_tim		= b43_op_beacon_set_tim,
5195 	.sta_notify		= b43_op_sta_notify,
5196 	.sw_scan_start		= b43_op_sw_scan_start_notifier,
5197 	.sw_scan_complete	= b43_op_sw_scan_complete_notifier,
5198 	.get_survey		= b43_op_get_survey,
5199 	.rfkill_poll		= b43_rfkill_poll,
5200 };
5201 
5202 /* Hard-reset the chip. Do not call this directly.
5203  * Use b43_controller_restart()
5204  */
5205 static void b43_chip_reset(struct work_struct *work)
5206 {
5207 	struct b43_wldev *dev =
5208 	    container_of(work, struct b43_wldev, restart_work);
5209 	struct b43_wl *wl = dev->wl;
5210 	int err = 0;
5211 	int prev_status;
5212 
5213 	mutex_lock(&wl->mutex);
5214 
5215 	prev_status = b43_status(dev);
5216 	/* Bring the device down... */
5217 	if (prev_status >= B43_STAT_STARTED) {
5218 		dev = b43_wireless_core_stop(dev);
5219 		if (!dev) {
5220 			err = -ENODEV;
5221 			goto out;
5222 		}
5223 	}
5224 	if (prev_status >= B43_STAT_INITIALIZED)
5225 		b43_wireless_core_exit(dev);
5226 
5227 	/* ...and up again. */
5228 	if (prev_status >= B43_STAT_INITIALIZED) {
5229 		err = b43_wireless_core_init(dev);
5230 		if (err)
5231 			goto out;
5232 	}
5233 	if (prev_status >= B43_STAT_STARTED) {
5234 		err = b43_wireless_core_start(dev);
5235 		if (err) {
5236 			b43_wireless_core_exit(dev);
5237 			goto out;
5238 		}
5239 	}
5240 out:
5241 	if (err)
5242 		wl->current_dev = NULL; /* Failed to init the dev. */
5243 	mutex_unlock(&wl->mutex);
5244 
5245 	if (err) {
5246 		b43err(wl, "Controller restart FAILED\n");
5247 		return;
5248 	}
5249 
5250 	/* reload configuration */
5251 	b43_op_config(wl->hw, ~0);
5252 	if (wl->vif)
5253 		b43_op_bss_info_changed(wl->hw, wl->vif, &wl->vif->bss_conf, ~0);
5254 
5255 	b43info(wl, "Controller restarted\n");
5256 }
5257 
5258 static int b43_setup_bands(struct b43_wldev *dev,
5259 			   bool have_2ghz_phy, bool have_5ghz_phy)
5260 {
5261 	struct ieee80211_hw *hw = dev->wl->hw;
5262 	struct b43_phy *phy = &dev->phy;
5263 	bool limited_2g;
5264 	bool limited_5g;
5265 
5266 	/* We don't support all 2 GHz channels on some devices */
5267 	limited_2g = phy->radio_ver == 0x2057 &&
5268 		     (phy->radio_rev == 9 || phy->radio_rev == 14);
5269 	limited_5g = phy->radio_ver == 0x2057 &&
5270 		     phy->radio_rev == 9;
5271 
5272 	if (have_2ghz_phy)
5273 		hw->wiphy->bands[NL80211_BAND_2GHZ] = limited_2g ?
5274 			&b43_band_2ghz_limited : &b43_band_2GHz;
5275 	if (dev->phy.type == B43_PHYTYPE_N) {
5276 		if (have_5ghz_phy)
5277 			hw->wiphy->bands[NL80211_BAND_5GHZ] = limited_5g ?
5278 				&b43_band_5GHz_nphy_limited :
5279 				&b43_band_5GHz_nphy;
5280 	} else {
5281 		if (have_5ghz_phy)
5282 			hw->wiphy->bands[NL80211_BAND_5GHZ] = &b43_band_5GHz_aphy;
5283 	}
5284 
5285 	dev->phy.supports_2ghz = have_2ghz_phy;
5286 	dev->phy.supports_5ghz = have_5ghz_phy;
5287 
5288 	return 0;
5289 }
5290 
5291 static void b43_wireless_core_detach(struct b43_wldev *dev)
5292 {
5293 	/* We release firmware that late to not be required to re-request
5294 	 * is all the time when we reinit the core. */
5295 	b43_release_firmware(dev);
5296 	b43_phy_free(dev);
5297 }
5298 
5299 static void b43_supported_bands(struct b43_wldev *dev, bool *have_2ghz_phy,
5300 				bool *have_5ghz_phy)
5301 {
5302 	u16 dev_id = 0;
5303 
5304 #ifdef CONFIG_B43_BCMA
5305 	if (dev->dev->bus_type == B43_BUS_BCMA &&
5306 	    dev->dev->bdev->bus->hosttype == BCMA_HOSTTYPE_PCI)
5307 		dev_id = dev->dev->bdev->bus->host_pci->device;
5308 #endif
5309 #ifdef CONFIG_B43_SSB
5310 	if (dev->dev->bus_type == B43_BUS_SSB &&
5311 	    dev->dev->sdev->bus->bustype == SSB_BUSTYPE_PCI)
5312 		dev_id = dev->dev->sdev->bus->host_pci->device;
5313 #endif
5314 	/* Override with SPROM value if available */
5315 	if (dev->dev->bus_sprom->dev_id)
5316 		dev_id = dev->dev->bus_sprom->dev_id;
5317 
5318 	/* Note: below IDs can be "virtual" (not maching e.g. real PCI ID) */
5319 	switch (dev_id) {
5320 	case 0x4324: /* BCM4306 */
5321 	case 0x4312: /* BCM4311 */
5322 	case 0x4319: /* BCM4318 */
5323 	case 0x4328: /* BCM4321 */
5324 	case 0x432b: /* BCM4322 */
5325 	case 0x4350: /* BCM43222 */
5326 	case 0x4353: /* BCM43224 */
5327 	case 0x0576: /* BCM43224 */
5328 	case 0x435f: /* BCM6362 */
5329 	case 0x4331: /* BCM4331 */
5330 	case 0x4359: /* BCM43228 */
5331 	case 0x43a0: /* BCM4360 */
5332 	case 0x43b1: /* BCM4352 */
5333 		/* Dual band devices */
5334 		*have_2ghz_phy = true;
5335 		*have_5ghz_phy = true;
5336 		return;
5337 	case 0x4321: /* BCM4306 */
5338 		/* There are 14e4:4321 PCI devs with 2.4 GHz BCM4321 (N-PHY) */
5339 		if (dev->phy.type != B43_PHYTYPE_G)
5340 			break;
5341 		fallthrough;
5342 	case 0x4313: /* BCM4311 */
5343 	case 0x431a: /* BCM4318 */
5344 	case 0x432a: /* BCM4321 */
5345 	case 0x432d: /* BCM4322 */
5346 	case 0x4352: /* BCM43222 */
5347 	case 0x435a: /* BCM43228 */
5348 	case 0x4333: /* BCM4331 */
5349 	case 0x43a2: /* BCM4360 */
5350 	case 0x43b3: /* BCM4352 */
5351 		/* 5 GHz only devices */
5352 		*have_2ghz_phy = false;
5353 		*have_5ghz_phy = true;
5354 		return;
5355 	}
5356 
5357 	/* As a fallback, try to guess using PHY type */
5358 	switch (dev->phy.type) {
5359 	case B43_PHYTYPE_G:
5360 	case B43_PHYTYPE_N:
5361 	case B43_PHYTYPE_LP:
5362 	case B43_PHYTYPE_HT:
5363 	case B43_PHYTYPE_LCN:
5364 		*have_2ghz_phy = true;
5365 		*have_5ghz_phy = false;
5366 		return;
5367 	}
5368 
5369 	B43_WARN_ON(1);
5370 }
5371 
5372 static int b43_wireless_core_attach(struct b43_wldev *dev)
5373 {
5374 	struct b43_wl *wl = dev->wl;
5375 	struct b43_phy *phy = &dev->phy;
5376 	int err;
5377 	u32 tmp;
5378 	bool have_2ghz_phy = false, have_5ghz_phy = false;
5379 
5380 	/* Do NOT do any device initialization here.
5381 	 * Do it in wireless_core_init() instead.
5382 	 * This function is for gathering basic information about the HW, only.
5383 	 * Also some structs may be set up here. But most likely you want to have
5384 	 * that in core_init(), too.
5385 	 */
5386 
5387 	err = b43_bus_powerup(dev, 0);
5388 	if (err) {
5389 		b43err(wl, "Bus powerup failed\n");
5390 		goto out;
5391 	}
5392 
5393 	phy->do_full_init = true;
5394 
5395 	/* Try to guess supported bands for the first init needs */
5396 	switch (dev->dev->bus_type) {
5397 #ifdef CONFIG_B43_BCMA
5398 	case B43_BUS_BCMA:
5399 		tmp = bcma_aread32(dev->dev->bdev, BCMA_IOST);
5400 		have_2ghz_phy = !!(tmp & B43_BCMA_IOST_2G_PHY);
5401 		have_5ghz_phy = !!(tmp & B43_BCMA_IOST_5G_PHY);
5402 		break;
5403 #endif
5404 #ifdef CONFIG_B43_SSB
5405 	case B43_BUS_SSB:
5406 		if (dev->dev->core_rev >= 5) {
5407 			tmp = ssb_read32(dev->dev->sdev, SSB_TMSHIGH);
5408 			have_2ghz_phy = !!(tmp & B43_TMSHIGH_HAVE_2GHZ_PHY);
5409 			have_5ghz_phy = !!(tmp & B43_TMSHIGH_HAVE_5GHZ_PHY);
5410 		} else
5411 			B43_WARN_ON(1);
5412 		break;
5413 #endif
5414 	}
5415 
5416 	dev->phy.gmode = have_2ghz_phy;
5417 	b43_wireless_core_reset(dev, dev->phy.gmode);
5418 
5419 	/* Get the PHY type. */
5420 	err = b43_phy_versioning(dev);
5421 	if (err)
5422 		goto err_powerdown;
5423 
5424 	/* Get real info about supported bands */
5425 	b43_supported_bands(dev, &have_2ghz_phy, &have_5ghz_phy);
5426 
5427 	/* We don't support 5 GHz on some PHYs yet */
5428 	if (have_5ghz_phy) {
5429 		switch (dev->phy.type) {
5430 		case B43_PHYTYPE_G:
5431 		case B43_PHYTYPE_LP:
5432 		case B43_PHYTYPE_HT:
5433 			b43warn(wl, "5 GHz band is unsupported on this PHY\n");
5434 			have_5ghz_phy = false;
5435 		}
5436 	}
5437 
5438 	if (!have_2ghz_phy && !have_5ghz_phy) {
5439 		b43err(wl, "b43 can't support any band on this device\n");
5440 		err = -EOPNOTSUPP;
5441 		goto err_powerdown;
5442 	}
5443 
5444 	err = b43_phy_allocate(dev);
5445 	if (err)
5446 		goto err_powerdown;
5447 
5448 	dev->phy.gmode = have_2ghz_phy;
5449 	b43_wireless_core_reset(dev, dev->phy.gmode);
5450 
5451 	err = b43_validate_chipaccess(dev);
5452 	if (err)
5453 		goto err_phy_free;
5454 	err = b43_setup_bands(dev, have_2ghz_phy, have_5ghz_phy);
5455 	if (err)
5456 		goto err_phy_free;
5457 
5458 	/* Now set some default "current_dev" */
5459 	if (!wl->current_dev)
5460 		wl->current_dev = dev;
5461 	INIT_WORK(&dev->restart_work, b43_chip_reset);
5462 
5463 	dev->phy.ops->switch_analog(dev, 0);
5464 	b43_device_disable(dev, 0);
5465 	b43_bus_may_powerdown(dev);
5466 
5467 out:
5468 	return err;
5469 
5470 err_phy_free:
5471 	b43_phy_free(dev);
5472 err_powerdown:
5473 	b43_bus_may_powerdown(dev);
5474 	return err;
5475 }
5476 
5477 static void b43_one_core_detach(struct b43_bus_dev *dev)
5478 {
5479 	struct b43_wldev *wldev;
5480 
5481 	/* Do not cancel ieee80211-workqueue based work here.
5482 	 * See comment in b43_remove(). */
5483 
5484 	wldev = b43_bus_get_wldev(dev);
5485 	b43_debugfs_remove_device(wldev);
5486 	b43_wireless_core_detach(wldev);
5487 	list_del(&wldev->list);
5488 	b43_bus_set_wldev(dev, NULL);
5489 	kfree(wldev);
5490 }
5491 
5492 static int b43_one_core_attach(struct b43_bus_dev *dev, struct b43_wl *wl)
5493 {
5494 	struct b43_wldev *wldev;
5495 	int err = -ENOMEM;
5496 
5497 	wldev = kzalloc(sizeof(*wldev), GFP_KERNEL);
5498 	if (!wldev)
5499 		goto out;
5500 
5501 	wldev->use_pio = b43_modparam_pio;
5502 	wldev->dev = dev;
5503 	wldev->wl = wl;
5504 	b43_set_status(wldev, B43_STAT_UNINIT);
5505 	wldev->bad_frames_preempt = modparam_bad_frames_preempt;
5506 	INIT_LIST_HEAD(&wldev->list);
5507 
5508 	err = b43_wireless_core_attach(wldev);
5509 	if (err)
5510 		goto err_kfree_wldev;
5511 
5512 	b43_bus_set_wldev(dev, wldev);
5513 	b43_debugfs_add_device(wldev);
5514 
5515       out:
5516 	return err;
5517 
5518       err_kfree_wldev:
5519 	kfree(wldev);
5520 	return err;
5521 }
5522 
5523 #define IS_PDEV(pdev, _vendor, _device, _subvendor, _subdevice)		( \
5524 	(pdev->vendor == PCI_VENDOR_ID_##_vendor) &&			\
5525 	(pdev->device == _device) &&					\
5526 	(pdev->subsystem_vendor == PCI_VENDOR_ID_##_subvendor) &&	\
5527 	(pdev->subsystem_device == _subdevice)				)
5528 
5529 #ifdef CONFIG_B43_SSB
5530 static void b43_sprom_fixup(struct ssb_bus *bus)
5531 {
5532 	struct pci_dev *pdev;
5533 
5534 	/* boardflags workarounds */
5535 	if (bus->boardinfo.vendor == SSB_BOARDVENDOR_DELL &&
5536 	    bus->chip_id == 0x4301 && bus->sprom.board_rev == 0x74)
5537 		bus->sprom.boardflags_lo |= B43_BFL_BTCOEXIST;
5538 	if (bus->boardinfo.vendor == PCI_VENDOR_ID_APPLE &&
5539 	    bus->boardinfo.type == 0x4E && bus->sprom.board_rev > 0x40)
5540 		bus->sprom.boardflags_lo |= B43_BFL_PACTRL;
5541 	if (bus->bustype == SSB_BUSTYPE_PCI) {
5542 		pdev = bus->host_pci;
5543 		if (IS_PDEV(pdev, BROADCOM, 0x4318, ASUSTEK, 0x100F) ||
5544 		    IS_PDEV(pdev, BROADCOM, 0x4320,    DELL, 0x0003) ||
5545 		    IS_PDEV(pdev, BROADCOM, 0x4320,      HP, 0x12f8) ||
5546 		    IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0015) ||
5547 		    IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0014) ||
5548 		    IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0013) ||
5549 		    IS_PDEV(pdev, BROADCOM, 0x4320, MOTOROLA, 0x7010))
5550 			bus->sprom.boardflags_lo &= ~B43_BFL_BTCOEXIST;
5551 	}
5552 }
5553 
5554 static void b43_wireless_exit(struct b43_bus_dev *dev, struct b43_wl *wl)
5555 {
5556 	struct ieee80211_hw *hw = wl->hw;
5557 
5558 	ssb_set_devtypedata(dev->sdev, NULL);
5559 	ieee80211_free_hw(hw);
5560 }
5561 #endif
5562 
5563 static struct b43_wl *b43_wireless_init(struct b43_bus_dev *dev)
5564 {
5565 	struct ssb_sprom *sprom = dev->bus_sprom;
5566 	struct ieee80211_hw *hw;
5567 	struct b43_wl *wl;
5568 	char chip_name[6];
5569 	int queue_num;
5570 
5571 	hw = ieee80211_alloc_hw(sizeof(*wl), &b43_hw_ops);
5572 	if (!hw) {
5573 		b43err(NULL, "Could not allocate ieee80211 device\n");
5574 		return ERR_PTR(-ENOMEM);
5575 	}
5576 	wl = hw_to_b43_wl(hw);
5577 
5578 	/* fill hw info */
5579 	ieee80211_hw_set(hw, RX_INCLUDES_FCS);
5580 	ieee80211_hw_set(hw, SIGNAL_DBM);
5581 	ieee80211_hw_set(hw, MFP_CAPABLE);
5582 	hw->wiphy->interface_modes =
5583 		BIT(NL80211_IFTYPE_AP) |
5584 		BIT(NL80211_IFTYPE_MESH_POINT) |
5585 		BIT(NL80211_IFTYPE_STATION) |
5586 		BIT(NL80211_IFTYPE_ADHOC);
5587 
5588 	hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
5589 
5590 	wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST);
5591 
5592 	wl->hw_registered = false;
5593 	hw->max_rates = 2;
5594 	SET_IEEE80211_DEV(hw, dev->dev);
5595 	if (is_valid_ether_addr(sprom->et1mac))
5596 		SET_IEEE80211_PERM_ADDR(hw, sprom->et1mac);
5597 	else
5598 		SET_IEEE80211_PERM_ADDR(hw, sprom->il0mac);
5599 
5600 	/* Initialize struct b43_wl */
5601 	wl->hw = hw;
5602 	mutex_init(&wl->mutex);
5603 	spin_lock_init(&wl->hardirq_lock);
5604 	spin_lock_init(&wl->beacon_lock);
5605 	INIT_WORK(&wl->beacon_update_trigger, b43_beacon_update_trigger_work);
5606 	INIT_WORK(&wl->txpower_adjust_work, b43_phy_txpower_adjust_work);
5607 	INIT_WORK(&wl->tx_work, b43_tx_work);
5608 
5609 	/* Initialize queues and flags. */
5610 	for (queue_num = 0; queue_num < B43_QOS_QUEUE_NUM; queue_num++) {
5611 		skb_queue_head_init(&wl->tx_queue[queue_num]);
5612 		wl->tx_queue_stopped[queue_num] = false;
5613 	}
5614 
5615 	snprintf(chip_name, ARRAY_SIZE(chip_name),
5616 		 (dev->chip_id > 0x9999) ? "%d" : "%04X", dev->chip_id);
5617 	b43info(wl, "Broadcom %s WLAN found (core revision %u)\n", chip_name,
5618 		dev->core_rev);
5619 	return wl;
5620 }
5621 
5622 #ifdef CONFIG_B43_BCMA
5623 static int b43_bcma_probe(struct bcma_device *core)
5624 {
5625 	struct b43_bus_dev *dev;
5626 	struct b43_wl *wl;
5627 	int err;
5628 
5629 	if (!modparam_allhwsupport &&
5630 	    (core->id.rev == 0x17 || core->id.rev == 0x18)) {
5631 		pr_err("Support for cores revisions 0x17 and 0x18 disabled by module param allhwsupport=0. Try b43.allhwsupport=1\n");
5632 		return -ENOTSUPP;
5633 	}
5634 
5635 	dev = b43_bus_dev_bcma_init(core);
5636 	if (!dev)
5637 		return -ENODEV;
5638 
5639 	wl = b43_wireless_init(dev);
5640 	if (IS_ERR(wl)) {
5641 		err = PTR_ERR(wl);
5642 		goto bcma_out;
5643 	}
5644 
5645 	err = b43_one_core_attach(dev, wl);
5646 	if (err)
5647 		goto bcma_err_wireless_exit;
5648 
5649 	/* setup and start work to load firmware */
5650 	INIT_WORK(&wl->firmware_load, b43_request_firmware);
5651 	schedule_work(&wl->firmware_load);
5652 
5653 	return err;
5654 
5655 bcma_err_wireless_exit:
5656 	ieee80211_free_hw(wl->hw);
5657 bcma_out:
5658 	kfree(dev);
5659 	return err;
5660 }
5661 
5662 static void b43_bcma_remove(struct bcma_device *core)
5663 {
5664 	struct b43_wldev *wldev = bcma_get_drvdata(core);
5665 	struct b43_wl *wl = wldev->wl;
5666 
5667 	/* We must cancel any work here before unregistering from ieee80211,
5668 	 * as the ieee80211 unreg will destroy the workqueue. */
5669 	cancel_work_sync(&wldev->restart_work);
5670 	cancel_work_sync(&wl->firmware_load);
5671 
5672 	B43_WARN_ON(!wl);
5673 	if (!wldev->fw.ucode.data)
5674 		return;			/* NULL if firmware never loaded */
5675 	if (wl->current_dev == wldev && wl->hw_registered) {
5676 		b43_leds_stop(wldev);
5677 		ieee80211_unregister_hw(wl->hw);
5678 	}
5679 
5680 	b43_one_core_detach(wldev->dev);
5681 
5682 	/* Unregister HW RNG driver */
5683 	b43_rng_exit(wl);
5684 
5685 	b43_leds_unregister(wl);
5686 	ieee80211_free_hw(wl->hw);
5687 	kfree(wldev->dev);
5688 }
5689 
5690 static struct bcma_driver b43_bcma_driver = {
5691 	.name		= KBUILD_MODNAME,
5692 	.id_table	= b43_bcma_tbl,
5693 	.probe		= b43_bcma_probe,
5694 	.remove		= b43_bcma_remove,
5695 };
5696 #endif
5697 
5698 #ifdef CONFIG_B43_SSB
5699 static
5700 int b43_ssb_probe(struct ssb_device *sdev, const struct ssb_device_id *id)
5701 {
5702 	struct b43_bus_dev *dev;
5703 	struct b43_wl *wl;
5704 	int err;
5705 
5706 	dev = b43_bus_dev_ssb_init(sdev);
5707 	if (!dev)
5708 		return -ENOMEM;
5709 
5710 	wl = ssb_get_devtypedata(sdev);
5711 	if (wl) {
5712 		b43err(NULL, "Dual-core devices are not supported\n");
5713 		err = -ENOTSUPP;
5714 		goto err_ssb_kfree_dev;
5715 	}
5716 
5717 	b43_sprom_fixup(sdev->bus);
5718 
5719 	wl = b43_wireless_init(dev);
5720 	if (IS_ERR(wl)) {
5721 		err = PTR_ERR(wl);
5722 		goto err_ssb_kfree_dev;
5723 	}
5724 	ssb_set_devtypedata(sdev, wl);
5725 	B43_WARN_ON(ssb_get_devtypedata(sdev) != wl);
5726 
5727 	err = b43_one_core_attach(dev, wl);
5728 	if (err)
5729 		goto err_ssb_wireless_exit;
5730 
5731 	/* setup and start work to load firmware */
5732 	INIT_WORK(&wl->firmware_load, b43_request_firmware);
5733 	schedule_work(&wl->firmware_load);
5734 
5735 	return err;
5736 
5737 err_ssb_wireless_exit:
5738 	b43_wireless_exit(dev, wl);
5739 err_ssb_kfree_dev:
5740 	kfree(dev);
5741 	return err;
5742 }
5743 
5744 static void b43_ssb_remove(struct ssb_device *sdev)
5745 {
5746 	struct b43_wl *wl = ssb_get_devtypedata(sdev);
5747 	struct b43_wldev *wldev = ssb_get_drvdata(sdev);
5748 	struct b43_bus_dev *dev = wldev->dev;
5749 
5750 	/* We must cancel any work here before unregistering from ieee80211,
5751 	 * as the ieee80211 unreg will destroy the workqueue. */
5752 	cancel_work_sync(&wldev->restart_work);
5753 	cancel_work_sync(&wl->firmware_load);
5754 
5755 	B43_WARN_ON(!wl);
5756 	if (!wldev->fw.ucode.data)
5757 		return;			/* NULL if firmware never loaded */
5758 	if (wl->current_dev == wldev && wl->hw_registered) {
5759 		b43_leds_stop(wldev);
5760 		ieee80211_unregister_hw(wl->hw);
5761 	}
5762 
5763 	b43_one_core_detach(dev);
5764 
5765 	/* Unregister HW RNG driver */
5766 	b43_rng_exit(wl);
5767 
5768 	b43_leds_unregister(wl);
5769 	b43_wireless_exit(dev, wl);
5770 	kfree(dev);
5771 }
5772 
5773 static struct ssb_driver b43_ssb_driver = {
5774 	.name		= KBUILD_MODNAME,
5775 	.id_table	= b43_ssb_tbl,
5776 	.probe		= b43_ssb_probe,
5777 	.remove		= b43_ssb_remove,
5778 };
5779 #endif /* CONFIG_B43_SSB */
5780 
5781 /* Perform a hardware reset. This can be called from any context. */
5782 void b43_controller_restart(struct b43_wldev *dev, const char *reason)
5783 {
5784 	/* Must avoid requeueing, if we are in shutdown. */
5785 	if (b43_status(dev) < B43_STAT_INITIALIZED)
5786 		return;
5787 	b43info(dev->wl, "Controller RESET (%s) ...\n", reason);
5788 	ieee80211_queue_work(dev->wl->hw, &dev->restart_work);
5789 }
5790 
5791 static void b43_print_driverinfo(void)
5792 {
5793 	const char *feat_pci = "", *feat_nphy = "",
5794 		   *feat_leds = "", *feat_sdio = "";
5795 
5796 #ifdef CONFIG_B43_PCI_AUTOSELECT
5797 	feat_pci = "P";
5798 #endif
5799 #ifdef CONFIG_B43_PHY_N
5800 	feat_nphy = "N";
5801 #endif
5802 #ifdef CONFIG_B43_LEDS
5803 	feat_leds = "L";
5804 #endif
5805 #ifdef CONFIG_B43_SDIO
5806 	feat_sdio = "S";
5807 #endif
5808 	printk(KERN_INFO "Broadcom 43xx driver loaded "
5809 	       "[ Features: %s%s%s%s ]\n",
5810 	       feat_pci, feat_nphy, feat_leds, feat_sdio);
5811 }
5812 
5813 static int __init b43_init(void)
5814 {
5815 	int err;
5816 
5817 	b43_debugfs_init();
5818 	err = b43_sdio_init();
5819 	if (err)
5820 		goto err_dfs_exit;
5821 #ifdef CONFIG_B43_BCMA
5822 	err = bcma_driver_register(&b43_bcma_driver);
5823 	if (err)
5824 		goto err_sdio_exit;
5825 #endif
5826 #ifdef CONFIG_B43_SSB
5827 	err = ssb_driver_register(&b43_ssb_driver);
5828 	if (err)
5829 		goto err_bcma_driver_exit;
5830 #endif
5831 	b43_print_driverinfo();
5832 
5833 	return err;
5834 
5835 #ifdef CONFIG_B43_SSB
5836 err_bcma_driver_exit:
5837 #endif
5838 #ifdef CONFIG_B43_BCMA
5839 	bcma_driver_unregister(&b43_bcma_driver);
5840 err_sdio_exit:
5841 #endif
5842 	b43_sdio_exit();
5843 err_dfs_exit:
5844 	b43_debugfs_exit();
5845 	return err;
5846 }
5847 
5848 static void __exit b43_exit(void)
5849 {
5850 #ifdef CONFIG_B43_SSB
5851 	ssb_driver_unregister(&b43_ssb_driver);
5852 #endif
5853 #ifdef CONFIG_B43_BCMA
5854 	bcma_driver_unregister(&b43_bcma_driver);
5855 #endif
5856 	b43_sdio_exit();
5857 	b43_debugfs_exit();
5858 }
5859 
5860 module_init(b43_init)
5861 module_exit(b43_exit)
5862