xref: /linux/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c (revision c9d23f9657cabfd2836a096bf6eddf8df2cf1434)
1 // SPDX-License-Identifier: ISC
2 /*
3  * Copyright (C) 2022 MediaTek Inc.
4  */
5 
6 #include <linux/firmware.h>
7 #include <linux/fs.h>
8 #include "mt7996.h"
9 #include "mcu.h"
10 #include "mac.h"
11 #include "eeprom.h"
12 
13 struct mt7996_patch_hdr {
14 	char build_date[16];
15 	char platform[4];
16 	__be32 hw_sw_ver;
17 	__be32 patch_ver;
18 	__be16 checksum;
19 	u16 reserved;
20 	struct {
21 		__be32 patch_ver;
22 		__be32 subsys;
23 		__be32 feature;
24 		__be32 n_region;
25 		__be32 crc;
26 		u32 reserved[11];
27 	} desc;
28 } __packed;
29 
30 struct mt7996_patch_sec {
31 	__be32 type;
32 	__be32 offs;
33 	__be32 size;
34 	union {
35 		__be32 spec[13];
36 		struct {
37 			__be32 addr;
38 			__be32 len;
39 			__be32 sec_key_idx;
40 			__be32 align_len;
41 			u32 reserved[9];
42 		} info;
43 	};
44 } __packed;
45 
46 struct mt7996_fw_trailer {
47 	u8 chip_id;
48 	u8 eco_code;
49 	u8 n_region;
50 	u8 format_ver;
51 	u8 format_flag;
52 	u8 reserved[2];
53 	char fw_ver[10];
54 	char build_date[15];
55 	u32 crc;
56 } __packed;
57 
58 struct mt7996_fw_region {
59 	__le32 decomp_crc;
60 	__le32 decomp_len;
61 	__le32 decomp_blk_sz;
62 	u8 reserved[4];
63 	__le32 addr;
64 	__le32 len;
65 	u8 feature_set;
66 	u8 reserved1[15];
67 } __packed;
68 
69 #define MCU_PATCH_ADDRESS		0x200000
70 
71 #define HE_PHY(p, c)			u8_get_bits(c, IEEE80211_HE_PHY_##p)
72 #define HE_MAC(m, c)			u8_get_bits(c, IEEE80211_HE_MAC_##m)
73 #define EHT_PHY(p, c)			u8_get_bits(c, IEEE80211_EHT_PHY_##p)
74 
75 static bool sr_scene_detect = true;
76 module_param(sr_scene_detect, bool, 0644);
77 MODULE_PARM_DESC(sr_scene_detect, "Enable firmware scene detection algorithm");
78 
79 static u8
80 mt7996_mcu_get_sta_nss(u16 mcs_map)
81 {
82 	u8 nss;
83 
84 	for (nss = 8; nss > 0; nss--) {
85 		u8 nss_mcs = (mcs_map >> (2 * (nss - 1))) & 3;
86 
87 		if (nss_mcs != IEEE80211_VHT_MCS_NOT_SUPPORTED)
88 			break;
89 	}
90 
91 	return nss - 1;
92 }
93 
94 static void
95 mt7996_mcu_set_sta_he_mcs(struct ieee80211_sta *sta, __le16 *he_mcs,
96 			  u16 mcs_map)
97 {
98 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
99 	enum nl80211_band band = msta->vif->phy->mt76->chandef.chan->band;
100 	const u16 *mask = msta->vif->bitrate_mask.control[band].he_mcs;
101 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
102 
103 	for (nss = 0; nss < max_nss; nss++) {
104 		int mcs;
105 
106 		switch ((mcs_map >> (2 * nss)) & 0x3) {
107 		case IEEE80211_HE_MCS_SUPPORT_0_11:
108 			mcs = GENMASK(11, 0);
109 			break;
110 		case IEEE80211_HE_MCS_SUPPORT_0_9:
111 			mcs = GENMASK(9, 0);
112 			break;
113 		case IEEE80211_HE_MCS_SUPPORT_0_7:
114 			mcs = GENMASK(7, 0);
115 			break;
116 		default:
117 			mcs = 0;
118 		}
119 
120 		mcs = mcs ? fls(mcs & mask[nss]) - 1 : -1;
121 
122 		switch (mcs) {
123 		case 0 ... 7:
124 			mcs = IEEE80211_HE_MCS_SUPPORT_0_7;
125 			break;
126 		case 8 ... 9:
127 			mcs = IEEE80211_HE_MCS_SUPPORT_0_9;
128 			break;
129 		case 10 ... 11:
130 			mcs = IEEE80211_HE_MCS_SUPPORT_0_11;
131 			break;
132 		default:
133 			mcs = IEEE80211_HE_MCS_NOT_SUPPORTED;
134 			break;
135 		}
136 		mcs_map &= ~(0x3 << (nss * 2));
137 		mcs_map |= mcs << (nss * 2);
138 	}
139 
140 	*he_mcs = cpu_to_le16(mcs_map);
141 }
142 
143 static void
144 mt7996_mcu_set_sta_vht_mcs(struct ieee80211_sta *sta, __le16 *vht_mcs,
145 			   const u16 *mask)
146 {
147 	u16 mcs, mcs_map = le16_to_cpu(sta->deflink.vht_cap.vht_mcs.rx_mcs_map);
148 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
149 
150 	for (nss = 0; nss < max_nss; nss++, mcs_map >>= 2) {
151 		switch (mcs_map & 0x3) {
152 		case IEEE80211_VHT_MCS_SUPPORT_0_9:
153 			mcs = GENMASK(9, 0);
154 			break;
155 		case IEEE80211_VHT_MCS_SUPPORT_0_8:
156 			mcs = GENMASK(8, 0);
157 			break;
158 		case IEEE80211_VHT_MCS_SUPPORT_0_7:
159 			mcs = GENMASK(7, 0);
160 			break;
161 		default:
162 			mcs = 0;
163 		}
164 
165 		vht_mcs[nss] = cpu_to_le16(mcs & mask[nss]);
166 	}
167 }
168 
169 static void
170 mt7996_mcu_set_sta_ht_mcs(struct ieee80211_sta *sta, u8 *ht_mcs,
171 			  const u8 *mask)
172 {
173 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
174 
175 	for (nss = 0; nss < max_nss; nss++)
176 		ht_mcs[nss] = sta->deflink.ht_cap.mcs.rx_mask[nss] & mask[nss];
177 }
178 
179 static int
180 mt7996_mcu_parse_response(struct mt76_dev *mdev, int cmd,
181 			  struct sk_buff *skb, int seq)
182 {
183 	struct mt7996_mcu_rxd *rxd;
184 	struct mt7996_mcu_uni_event *event;
185 	int mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
186 	int ret = 0;
187 
188 	if (!skb) {
189 		dev_err(mdev->dev, "Message %08x (seq %d) timeout\n",
190 			cmd, seq);
191 		return -ETIMEDOUT;
192 	}
193 
194 	rxd = (struct mt7996_mcu_rxd *)skb->data;
195 	if (seq != rxd->seq)
196 		return -EAGAIN;
197 
198 	if (cmd == MCU_CMD(PATCH_SEM_CONTROL)) {
199 		skb_pull(skb, sizeof(*rxd) - 4);
200 		ret = *skb->data;
201 	} else if ((rxd->option & MCU_UNI_CMD_EVENT) &&
202 		    rxd->eid == MCU_UNI_EVENT_RESULT) {
203 		skb_pull(skb, sizeof(*rxd));
204 		event = (struct mt7996_mcu_uni_event *)skb->data;
205 		ret = le32_to_cpu(event->status);
206 		/* skip invalid event */
207 		if (mcu_cmd != event->cid)
208 			ret = -EAGAIN;
209 	} else {
210 		skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
211 	}
212 
213 	return ret;
214 }
215 
216 static int
217 mt7996_mcu_send_message(struct mt76_dev *mdev, struct sk_buff *skb,
218 			int cmd, int *wait_seq)
219 {
220 	struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
221 	int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
222 	struct mt76_connac2_mcu_uni_txd *uni_txd;
223 	struct mt76_connac2_mcu_txd *mcu_txd;
224 	enum mt76_mcuq_id qid;
225 	__le32 *txd;
226 	u32 val;
227 	u8 seq;
228 
229 	mdev->mcu.timeout = 20 * HZ;
230 
231 	seq = ++dev->mt76.mcu.msg_seq & 0xf;
232 	if (!seq)
233 		seq = ++dev->mt76.mcu.msg_seq & 0xf;
234 
235 	if (cmd == MCU_CMD(FW_SCATTER)) {
236 		qid = MT_MCUQ_FWDL;
237 		goto exit;
238 	}
239 
240 	txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
241 	txd = (__le32 *)skb_push(skb, txd_len);
242 	if (test_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state))
243 		qid = MT_MCUQ_WA;
244 	else
245 		qid = MT_MCUQ_WM;
246 
247 	val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len) |
248 	      FIELD_PREP(MT_TXD0_PKT_FMT, MT_TX_TYPE_CMD) |
249 	      FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_MCU_PORT_RX_Q0);
250 	txd[0] = cpu_to_le32(val);
251 
252 	val = FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_CMD);
253 	txd[1] = cpu_to_le32(val);
254 
255 	if (cmd & __MCU_CMD_FIELD_UNI) {
256 		uni_txd = (struct mt76_connac2_mcu_uni_txd *)txd;
257 		uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
258 		uni_txd->cid = cpu_to_le16(mcu_cmd);
259 		uni_txd->s2d_index = MCU_S2D_H2CN;
260 		uni_txd->pkt_type = MCU_PKT_ID;
261 		uni_txd->seq = seq;
262 
263 		if (cmd & __MCU_CMD_FIELD_QUERY)
264 			uni_txd->option = MCU_CMD_UNI_QUERY_ACK;
265 		else
266 			uni_txd->option = MCU_CMD_UNI_EXT_ACK;
267 
268 		if ((cmd & __MCU_CMD_FIELD_WA) && (cmd & __MCU_CMD_FIELD_WM))
269 			uni_txd->s2d_index = MCU_S2D_H2CN;
270 		else if (cmd & __MCU_CMD_FIELD_WA)
271 			uni_txd->s2d_index = MCU_S2D_H2C;
272 		else if (cmd & __MCU_CMD_FIELD_WM)
273 			uni_txd->s2d_index = MCU_S2D_H2N;
274 
275 		goto exit;
276 	}
277 
278 	mcu_txd = (struct mt76_connac2_mcu_txd *)txd;
279 	mcu_txd->len = cpu_to_le16(skb->len - sizeof(mcu_txd->txd));
280 	mcu_txd->pq_id = cpu_to_le16(MCU_PQ_ID(MT_TX_PORT_IDX_MCU,
281 					       MT_TX_MCU_PORT_RX_Q0));
282 	mcu_txd->pkt_type = MCU_PKT_ID;
283 	mcu_txd->seq = seq;
284 
285 	mcu_txd->cid = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
286 	mcu_txd->set_query = MCU_Q_NA;
287 	mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
288 	if (mcu_txd->ext_cid) {
289 		mcu_txd->ext_cid_ack = 1;
290 
291 		if (cmd & __MCU_CMD_FIELD_QUERY)
292 			mcu_txd->set_query = MCU_Q_QUERY;
293 		else
294 			mcu_txd->set_query = MCU_Q_SET;
295 	}
296 
297 	if (cmd & __MCU_CMD_FIELD_WA)
298 		mcu_txd->s2d_index = MCU_S2D_H2C;
299 	else
300 		mcu_txd->s2d_index = MCU_S2D_H2N;
301 
302 exit:
303 	if (wait_seq)
304 		*wait_seq = seq;
305 
306 	return mt76_tx_queue_skb_raw(dev, mdev->q_mcu[qid], skb, 0);
307 }
308 
309 int mt7996_mcu_wa_cmd(struct mt7996_dev *dev, int cmd, u32 a1, u32 a2, u32 a3)
310 {
311 	struct {
312 		__le32 args[3];
313 	} req = {
314 		.args = {
315 			cpu_to_le32(a1),
316 			cpu_to_le32(a2),
317 			cpu_to_le32(a3),
318 		},
319 	};
320 
321 	return mt76_mcu_send_msg(&dev->mt76, cmd, &req, sizeof(req), false);
322 }
323 
324 static void
325 mt7996_mcu_csa_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
326 {
327 	if (vif->bss_conf.csa_active)
328 		ieee80211_csa_finish(vif);
329 }
330 
331 static void
332 mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
333 {
334 	struct mt76_phy *mphy = &dev->mt76.phy;
335 	struct mt7996_mcu_rdd_report *r;
336 
337 	r = (struct mt7996_mcu_rdd_report *)skb->data;
338 
339 	if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys))
340 		return;
341 
342 	mphy = dev->mt76.phys[r->band_idx];
343 	if (!mphy)
344 		return;
345 
346 	if (r->band_idx == MT_RX_SEL2)
347 		cfg80211_background_radar_event(mphy->hw->wiphy,
348 						&dev->rdd2_chandef,
349 						GFP_ATOMIC);
350 	else
351 		ieee80211_radar_detected(mphy->hw);
352 	dev->hw_pattern++;
353 }
354 
355 static void
356 mt7996_mcu_rx_log_message(struct mt7996_dev *dev, struct sk_buff *skb)
357 {
358 #define UNI_EVENT_FW_LOG_FORMAT 0
359 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
360 	const char *data = (char *)&rxd[1] + 4, *type;
361 	struct tlv *tlv = (struct tlv *)data;
362 	int len;
363 
364 	if (!(rxd->option & MCU_UNI_CMD_EVENT)) {
365 		len = skb->len - sizeof(*rxd);
366 		data = (char *)&rxd[1];
367 		goto out;
368 	}
369 
370 	if (le16_to_cpu(tlv->tag) != UNI_EVENT_FW_LOG_FORMAT)
371 		return;
372 
373 	data += sizeof(*tlv) + 4;
374 	len = le16_to_cpu(tlv->len) - sizeof(*tlv) - 4;
375 
376 out:
377 	switch (rxd->s2d_index) {
378 	case 0:
379 		if (mt7996_debugfs_rx_log(dev, data, len))
380 			return;
381 
382 		type = "WM";
383 		break;
384 	case 2:
385 		type = "WA";
386 		break;
387 	default:
388 		type = "unknown";
389 		break;
390 	}
391 
392 	wiphy_info(mt76_hw(dev)->wiphy, "%s: %.*s", type, len, data);
393 }
394 
395 static void
396 mt7996_mcu_cca_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
397 {
398 	if (!vif->bss_conf.color_change_active)
399 		return;
400 
401 	ieee80211_color_change_finish(vif);
402 }
403 
404 static void
405 mt7996_mcu_ie_countdown(struct mt7996_dev *dev, struct sk_buff *skb)
406 {
407 #define UNI_EVENT_IE_COUNTDOWN_CSA 0
408 #define UNI_EVENT_IE_COUNTDOWN_BCC 1
409 	struct header {
410 		u8 band;
411 		u8 rsv[3];
412 	};
413 	struct mt76_phy *mphy = &dev->mt76.phy;
414 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
415 	const char *data = (char *)&rxd[1], *tail;
416 	struct header *hdr = (struct header *)data;
417 	struct tlv *tlv = (struct tlv *)(data + 4);
418 
419 	if (hdr->band >= ARRAY_SIZE(dev->mt76.phys))
420 		return;
421 
422 	if (hdr->band && dev->mt76.phys[hdr->band])
423 		mphy = dev->mt76.phys[hdr->band];
424 
425 	tail = skb->data + le16_to_cpu(rxd->len);
426 	while (data + sizeof(struct tlv) < tail && le16_to_cpu(tlv->len)) {
427 		switch (le16_to_cpu(tlv->tag)) {
428 		case UNI_EVENT_IE_COUNTDOWN_CSA:
429 			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
430 					IEEE80211_IFACE_ITER_RESUME_ALL,
431 					mt7996_mcu_csa_finish, mphy->hw);
432 			break;
433 		case UNI_EVENT_IE_COUNTDOWN_BCC:
434 			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
435 					IEEE80211_IFACE_ITER_RESUME_ALL,
436 					mt7996_mcu_cca_finish, mphy->hw);
437 			break;
438 		}
439 
440 		data += le16_to_cpu(tlv->len);
441 		tlv = (struct tlv *)data;
442 	}
443 }
444 
445 static void
446 mt7996_mcu_rx_ext_event(struct mt7996_dev *dev, struct sk_buff *skb)
447 {
448 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
449 
450 	switch (rxd->ext_eid) {
451 	case MCU_EXT_EVENT_FW_LOG_2_HOST:
452 		mt7996_mcu_rx_log_message(dev, skb);
453 		break;
454 	default:
455 		break;
456 	}
457 }
458 
459 static void
460 mt7996_mcu_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
461 {
462 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
463 
464 	switch (rxd->eid) {
465 	case MCU_EVENT_EXT:
466 		mt7996_mcu_rx_ext_event(dev, skb);
467 		break;
468 	default:
469 		break;
470 	}
471 	dev_kfree_skb(skb);
472 }
473 
474 static void
475 mt7996_mcu_uni_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
476 {
477 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
478 
479 	switch (rxd->eid) {
480 	case MCU_UNI_EVENT_FW_LOG_2_HOST:
481 		mt7996_mcu_rx_log_message(dev, skb);
482 		break;
483 	case MCU_UNI_EVENT_IE_COUNTDOWN:
484 		mt7996_mcu_ie_countdown(dev, skb);
485 		break;
486 	case MCU_UNI_EVENT_RDD_REPORT:
487 		mt7996_mcu_rx_radar_detected(dev, skb);
488 		break;
489 	default:
490 		break;
491 	}
492 	dev_kfree_skb(skb);
493 }
494 
495 void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb)
496 {
497 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
498 
499 	if (rxd->option & MCU_UNI_CMD_UNSOLICITED_EVENT) {
500 		mt7996_mcu_uni_rx_unsolicited_event(dev, skb);
501 		return;
502 	}
503 
504 	/* WA still uses legacy event*/
505 	if (rxd->ext_eid == MCU_EXT_EVENT_FW_LOG_2_HOST ||
506 	    !rxd->seq)
507 		mt7996_mcu_rx_unsolicited_event(dev, skb);
508 	else
509 		mt76_mcu_rx_event(&dev->mt76, skb);
510 }
511 
512 static struct tlv *
513 mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len)
514 {
515 	struct tlv *ptlv, tlv = {
516 		.tag = cpu_to_le16(tag),
517 		.len = cpu_to_le16(len),
518 	};
519 
520 	ptlv = skb_put(skb, len);
521 	memcpy(ptlv, &tlv, sizeof(tlv));
522 
523 	return ptlv;
524 }
525 
526 static void
527 mt7996_mcu_bss_rfch_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
528 			struct mt7996_phy *phy)
529 {
530 	static const u8 rlm_ch_band[] = {
531 		[NL80211_BAND_2GHZ] = 1,
532 		[NL80211_BAND_5GHZ] = 2,
533 		[NL80211_BAND_6GHZ] = 3,
534 	};
535 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
536 	struct bss_rlm_tlv *ch;
537 	struct tlv *tlv;
538 	int freq1 = chandef->center_freq1;
539 
540 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RLM, sizeof(*ch));
541 
542 	ch = (struct bss_rlm_tlv *)tlv;
543 	ch->control_channel = chandef->chan->hw_value;
544 	ch->center_chan = ieee80211_frequency_to_channel(freq1);
545 	ch->bw = mt76_connac_chan_bw(chandef);
546 	ch->tx_streams = hweight8(phy->mt76->antenna_mask);
547 	ch->rx_streams = hweight8(phy->mt76->antenna_mask);
548 	ch->band = rlm_ch_band[chandef->chan->band];
549 
550 	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
551 		int freq2 = chandef->center_freq2;
552 
553 		ch->center_chan2 = ieee80211_frequency_to_channel(freq2);
554 	}
555 }
556 
557 static void
558 mt7996_mcu_bss_ra_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
559 		      struct mt7996_phy *phy)
560 {
561 	struct bss_ra_tlv *ra;
562 	struct tlv *tlv;
563 
564 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RA, sizeof(*ra));
565 
566 	ra = (struct bss_ra_tlv *)tlv;
567 	ra->short_preamble = true;
568 }
569 
570 static void
571 mt7996_mcu_bss_he_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
572 		      struct mt7996_phy *phy)
573 {
574 #define DEFAULT_HE_PE_DURATION		4
575 #define DEFAULT_HE_DURATION_RTS_THRES	1023
576 	const struct ieee80211_sta_he_cap *cap;
577 	struct bss_info_uni_he *he;
578 	struct tlv *tlv;
579 
580 	cap = mt76_connac_get_he_phy_cap(phy->mt76, vif);
581 
582 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_HE_BASIC, sizeof(*he));
583 
584 	he = (struct bss_info_uni_he *)tlv;
585 	he->he_pe_duration = vif->bss_conf.htc_trig_based_pkt_ext;
586 	if (!he->he_pe_duration)
587 		he->he_pe_duration = DEFAULT_HE_PE_DURATION;
588 
589 	he->he_rts_thres = cpu_to_le16(vif->bss_conf.frame_time_rts_th);
590 	if (!he->he_rts_thres)
591 		he->he_rts_thres = cpu_to_le16(DEFAULT_HE_DURATION_RTS_THRES);
592 
593 	he->max_nss_mcs[CMD_HE_MCS_BW80] = cap->he_mcs_nss_supp.tx_mcs_80;
594 	he->max_nss_mcs[CMD_HE_MCS_BW160] = cap->he_mcs_nss_supp.tx_mcs_160;
595 	he->max_nss_mcs[CMD_HE_MCS_BW8080] = cap->he_mcs_nss_supp.tx_mcs_80p80;
596 }
597 
598 static void
599 mt7996_mcu_bss_bmc_tlv(struct sk_buff *skb, struct mt7996_phy *phy)
600 {
601 	struct bss_rate_tlv *bmc;
602 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
603 	enum nl80211_band band = chandef->chan->band;
604 	struct tlv *tlv;
605 
606 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RATE, sizeof(*bmc));
607 
608 	bmc = (struct bss_rate_tlv *)tlv;
609 	if (band == NL80211_BAND_2GHZ) {
610 		bmc->short_preamble = true;
611 	} else {
612 		bmc->bc_trans = cpu_to_le16(0x8080);
613 		bmc->mc_trans = cpu_to_le16(0x8080);
614 		bmc->bc_fixed_rate = 1;
615 		bmc->mc_fixed_rate = 1;
616 		bmc->short_preamble = 1;
617 	}
618 }
619 
620 static void
621 mt7996_mcu_bss_txcmd_tlv(struct sk_buff *skb, bool en)
622 {
623 	struct bss_txcmd_tlv *txcmd;
624 	struct tlv *tlv;
625 
626 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_TXCMD, sizeof(*txcmd));
627 
628 	txcmd = (struct bss_txcmd_tlv *)tlv;
629 	txcmd->txcmd_mode = en;
630 }
631 
632 static void
633 mt7996_mcu_bss_mld_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
634 {
635 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
636 	struct bss_mld_tlv *mld;
637 	struct tlv *tlv;
638 
639 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_MLD, sizeof(*mld));
640 
641 	mld = (struct bss_mld_tlv *)tlv;
642 	mld->group_mld_id = 0xff;
643 	mld->own_mld_id = mvif->mt76.idx;
644 	mld->remap_idx = 0xff;
645 }
646 
647 static void
648 mt7996_mcu_bss_sec_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
649 {
650 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
651 	struct bss_sec_tlv *sec;
652 	struct tlv *tlv;
653 
654 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_SEC, sizeof(*sec));
655 
656 	sec = (struct bss_sec_tlv *)tlv;
657 	sec->cipher = mvif->cipher;
658 }
659 
660 static int
661 mt7996_mcu_muar_config(struct mt7996_phy *phy, struct ieee80211_vif *vif,
662 		       bool bssid, bool enable)
663 {
664 #define UNI_MUAR_ENTRY 2
665 	struct mt7996_dev *dev = phy->dev;
666 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
667 	u32 idx = mvif->mt76.omac_idx - REPEATER_BSSID_START;
668 	const u8 *addr = vif->addr;
669 
670 	struct {
671 		struct {
672 			u8 band;
673 			u8 __rsv[3];
674 		} hdr;
675 
676 		__le16 tag;
677 		__le16 len;
678 
679 		bool smesh;
680 		u8 bssid;
681 		u8 index;
682 		u8 entry_add;
683 		u8 addr[ETH_ALEN];
684 		u8 __rsv[2];
685 	} __packed req = {
686 		.hdr.band = phy->mt76->band_idx,
687 		.tag = cpu_to_le16(UNI_MUAR_ENTRY),
688 		.len = cpu_to_le16(sizeof(req) - sizeof(req.hdr)),
689 		.smesh = false,
690 		.index = idx * 2 + bssid,
691 		.entry_add = true,
692 	};
693 
694 	if (bssid)
695 		addr = vif->bss_conf.bssid;
696 
697 	if (enable)
698 		memcpy(req.addr, addr, ETH_ALEN);
699 
700 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REPT_MUAR), &req,
701 				 sizeof(req), true);
702 }
703 
704 static int
705 mt7996_mcu_bss_basic_tlv(struct sk_buff *skb,
706 			 struct ieee80211_vif *vif,
707 			 struct ieee80211_sta *sta,
708 			 struct mt76_phy *phy, u16 wlan_idx,
709 			 bool enable)
710 {
711 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
712 	struct cfg80211_chan_def *chandef = &phy->chandef;
713 	struct mt76_connac_bss_basic_tlv *bss;
714 	u32 type = CONNECTION_INFRA_AP;
715 	struct tlv *tlv;
716 	int idx;
717 
718 	switch (vif->type) {
719 	case NL80211_IFTYPE_MESH_POINT:
720 	case NL80211_IFTYPE_AP:
721 	case NL80211_IFTYPE_MONITOR:
722 		break;
723 	case NL80211_IFTYPE_STATION:
724 		if (enable) {
725 			rcu_read_lock();
726 			if (!sta)
727 				sta = ieee80211_find_sta(vif,
728 							 vif->bss_conf.bssid);
729 			/* TODO: enable BSS_INFO_UAPSD & BSS_INFO_PM */
730 			if (sta) {
731 				struct mt76_wcid *wcid;
732 
733 				wcid = (struct mt76_wcid *)sta->drv_priv;
734 				wlan_idx = wcid->idx;
735 			}
736 			rcu_read_unlock();
737 		}
738 		type = CONNECTION_INFRA_STA;
739 		break;
740 	case NL80211_IFTYPE_ADHOC:
741 		type = CONNECTION_IBSS_ADHOC;
742 		break;
743 	default:
744 		WARN_ON(1);
745 		break;
746 	}
747 
748 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_BASIC, sizeof(*bss));
749 
750 	bss = (struct mt76_connac_bss_basic_tlv *)tlv;
751 	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
752 	bss->dtim_period = vif->bss_conf.dtim_period;
753 	bss->bmc_tx_wlan_idx = cpu_to_le16(wlan_idx);
754 	bss->sta_idx = cpu_to_le16(wlan_idx);
755 	bss->conn_type = cpu_to_le32(type);
756 	bss->omac_idx = mvif->omac_idx;
757 	bss->band_idx = mvif->band_idx;
758 	bss->wmm_idx = mvif->wmm_idx;
759 	bss->conn_state = !enable;
760 	bss->active = enable;
761 
762 	idx = mvif->omac_idx > EXT_BSSID_START ? HW_BSSID_0 : mvif->omac_idx;
763 	bss->hw_bss_idx = idx;
764 
765 	if (vif->type == NL80211_IFTYPE_MONITOR) {
766 		memcpy(bss->bssid, phy->macaddr, ETH_ALEN);
767 		return 0;
768 	}
769 
770 	memcpy(bss->bssid, vif->bss_conf.bssid, ETH_ALEN);
771 	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
772 	bss->dtim_period = vif->bss_conf.dtim_period;
773 	bss->phymode = mt76_connac_get_phy_mode(phy, vif,
774 						chandef->chan->band, NULL);
775 	bss->phymode_ext = mt76_connac_get_phy_mode_ext(phy, vif,
776 							chandef->chan->band);
777 
778 	return 0;
779 }
780 
781 static struct sk_buff *
782 __mt7996_mcu_alloc_bss_req(struct mt76_dev *dev, struct mt76_vif *mvif, int len)
783 {
784 	struct bss_req_hdr hdr = {
785 		.bss_idx = mvif->idx,
786 	};
787 	struct sk_buff *skb;
788 
789 	skb = mt76_mcu_msg_alloc(dev, NULL, len);
790 	if (!skb)
791 		return ERR_PTR(-ENOMEM);
792 
793 	skb_put_data(skb, &hdr, sizeof(hdr));
794 
795 	return skb;
796 }
797 
798 int mt7996_mcu_add_bss_info(struct mt7996_phy *phy,
799 			    struct ieee80211_vif *vif, int enable)
800 {
801 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
802 	struct mt7996_dev *dev = phy->dev;
803 	struct sk_buff *skb;
804 
805 	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START) {
806 		mt7996_mcu_muar_config(phy, vif, false, enable);
807 		mt7996_mcu_muar_config(phy, vif, true, enable);
808 	}
809 
810 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
811 					 MT7996_BSS_UPDATE_MAX_SIZE);
812 	if (IS_ERR(skb))
813 		return PTR_ERR(skb);
814 
815 	/* bss_basic must be first */
816 	mt7996_mcu_bss_basic_tlv(skb, vif, NULL, phy->mt76,
817 				 mvif->sta.wcid.idx, enable);
818 	mt7996_mcu_bss_sec_tlv(skb, vif);
819 
820 	if (vif->type == NL80211_IFTYPE_MONITOR)
821 		goto out;
822 
823 	if (enable) {
824 		mt7996_mcu_bss_rfch_tlv(skb, vif, phy);
825 		mt7996_mcu_bss_bmc_tlv(skb, phy);
826 		mt7996_mcu_bss_ra_tlv(skb, vif, phy);
827 		mt7996_mcu_bss_txcmd_tlv(skb, true);
828 
829 		if (vif->bss_conf.he_support)
830 			mt7996_mcu_bss_he_tlv(skb, vif, phy);
831 
832 		/* this tag is necessary no matter if the vif is MLD */
833 		mt7996_mcu_bss_mld_tlv(skb, vif);
834 	}
835 out:
836 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
837 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
838 }
839 
840 static int
841 mt7996_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif *mvif,
842 		  struct ieee80211_ampdu_params *params,
843 		  bool enable, bool tx)
844 {
845 	struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv;
846 	struct sta_rec_ba_uni *ba;
847 	struct sk_buff *skb;
848 	struct tlv *tlv;
849 
850 	skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, wcid,
851 					      MT7996_STA_UPDATE_MAX_SIZE);
852 	if (IS_ERR(skb))
853 		return PTR_ERR(skb);
854 
855 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BA, sizeof(*ba));
856 
857 	ba = (struct sta_rec_ba_uni *)tlv;
858 	ba->ba_type = tx ? MT_BA_TYPE_ORIGINATOR : MT_BA_TYPE_RECIPIENT;
859 	ba->winsize = cpu_to_le16(params->buf_size);
860 	ba->ssn = cpu_to_le16(params->ssn);
861 	ba->ba_en = enable << params->tid;
862 	ba->amsdu = params->amsdu;
863 	ba->tid = params->tid;
864 
865 	return mt76_mcu_skb_send_msg(dev, skb,
866 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
867 }
868 
869 /** starec & wtbl **/
870 int mt7996_mcu_add_tx_ba(struct mt7996_dev *dev,
871 			 struct ieee80211_ampdu_params *params,
872 			 bool enable)
873 {
874 	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;
875 	struct mt7996_vif *mvif = msta->vif;
876 
877 	if (enable && !params->amsdu)
878 		msta->wcid.amsdu = false;
879 
880 	return mt7996_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
881 				 enable, true);
882 }
883 
884 int mt7996_mcu_add_rx_ba(struct mt7996_dev *dev,
885 			 struct ieee80211_ampdu_params *params,
886 			 bool enable)
887 {
888 	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;
889 	struct mt7996_vif *mvif = msta->vif;
890 
891 	return mt7996_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
892 				 enable, false);
893 }
894 
895 static void
896 mt7996_mcu_sta_he_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
897 {
898 	struct ieee80211_he_cap_elem *elem = &sta->deflink.he_cap.he_cap_elem;
899 	struct ieee80211_he_mcs_nss_supp mcs_map;
900 	struct sta_rec_he_v2 *he;
901 	struct tlv *tlv;
902 	int i = 0;
903 
904 	if (!sta->deflink.he_cap.has_he)
905 		return;
906 
907 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HE_V2, sizeof(*he));
908 
909 	he = (struct sta_rec_he_v2 *)tlv;
910 	for (i = 0; i < 11; i++) {
911 		if (i < 6)
912 			he->he_mac_cap[i] = elem->mac_cap_info[i];
913 		he->he_phy_cap[i] = elem->phy_cap_info[i];
914 	}
915 
916 	mcs_map = sta->deflink.he_cap.he_mcs_nss_supp;
917 	switch (sta->deflink.bandwidth) {
918 	case IEEE80211_STA_RX_BW_160:
919 		if (elem->phy_cap_info[0] &
920 		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)
921 			mt7996_mcu_set_sta_he_mcs(sta,
922 						  &he->max_nss_mcs[CMD_HE_MCS_BW8080],
923 						  le16_to_cpu(mcs_map.rx_mcs_80p80));
924 
925 		mt7996_mcu_set_sta_he_mcs(sta,
926 					  &he->max_nss_mcs[CMD_HE_MCS_BW160],
927 					  le16_to_cpu(mcs_map.rx_mcs_160));
928 		fallthrough;
929 	default:
930 		mt7996_mcu_set_sta_he_mcs(sta,
931 					  &he->max_nss_mcs[CMD_HE_MCS_BW80],
932 					  le16_to_cpu(mcs_map.rx_mcs_80));
933 		break;
934 	}
935 
936 	he->pkt_ext = 2;
937 }
938 
939 static void
940 mt7996_mcu_sta_he_6g_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
941 {
942 	struct sta_rec_he_6g_capa *he_6g;
943 	struct tlv *tlv;
944 
945 	if (!sta->deflink.he_6ghz_capa.capa)
946 		return;
947 
948 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HE_6G, sizeof(*he_6g));
949 
950 	he_6g = (struct sta_rec_he_6g_capa *)tlv;
951 	he_6g->capa = sta->deflink.he_6ghz_capa.capa;
952 }
953 
954 static void
955 mt7996_mcu_sta_eht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
956 {
957 	struct ieee80211_eht_mcs_nss_supp *mcs_map;
958 	struct ieee80211_eht_cap_elem_fixed *elem;
959 	struct sta_rec_eht *eht;
960 	struct tlv *tlv;
961 
962 	if (!sta->deflink.eht_cap.has_eht)
963 		return;
964 
965 	mcs_map = &sta->deflink.eht_cap.eht_mcs_nss_supp;
966 	elem = &sta->deflink.eht_cap.eht_cap_elem;
967 
968 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_EHT, sizeof(*eht));
969 
970 	eht = (struct sta_rec_eht *)tlv;
971 	eht->tid_bitmap = 0xff;
972 	eht->mac_cap = cpu_to_le16(*(u16 *)elem->mac_cap_info);
973 	eht->phy_cap = cpu_to_le64(*(u64 *)elem->phy_cap_info);
974 	eht->phy_cap_ext = cpu_to_le64(elem->phy_cap_info[8]);
975 
976 	if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_20)
977 		memcpy(eht->mcs_map_bw20, &mcs_map->only_20mhz, sizeof(eht->mcs_map_bw20));
978 	memcpy(eht->mcs_map_bw80, &mcs_map->bw._80, sizeof(eht->mcs_map_bw80));
979 	memcpy(eht->mcs_map_bw160, &mcs_map->bw._160, sizeof(eht->mcs_map_bw160));
980 	memcpy(eht->mcs_map_bw320, &mcs_map->bw._320, sizeof(eht->mcs_map_bw320));
981 }
982 
983 static void
984 mt7996_mcu_sta_ht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
985 {
986 	struct sta_rec_ht *ht;
987 	struct tlv *tlv;
988 
989 	if (!sta->deflink.ht_cap.ht_supported)
990 		return;
991 
992 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HT, sizeof(*ht));
993 
994 	ht = (struct sta_rec_ht *)tlv;
995 	ht->ht_cap = cpu_to_le16(sta->deflink.ht_cap.cap);
996 }
997 
998 static void
999 mt7996_mcu_sta_vht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1000 {
1001 	struct sta_rec_vht *vht;
1002 	struct tlv *tlv;
1003 
1004 	/* For 6G band, this tlv is necessary to let hw work normally */
1005 	if (!sta->deflink.he_6ghz_capa.capa && !sta->deflink.vht_cap.vht_supported)
1006 		return;
1007 
1008 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_VHT, sizeof(*vht));
1009 
1010 	vht = (struct sta_rec_vht *)tlv;
1011 	vht->vht_cap = cpu_to_le32(sta->deflink.vht_cap.cap);
1012 	vht->vht_rx_mcs_map = sta->deflink.vht_cap.vht_mcs.rx_mcs_map;
1013 	vht->vht_tx_mcs_map = sta->deflink.vht_cap.vht_mcs.tx_mcs_map;
1014 }
1015 
1016 static void
1017 mt7996_mcu_sta_amsdu_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1018 			 struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1019 {
1020 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1021 	struct sta_rec_amsdu *amsdu;
1022 	struct tlv *tlv;
1023 
1024 	if (vif->type != NL80211_IFTYPE_STATION &&
1025 	    vif->type != NL80211_IFTYPE_AP)
1026 		return;
1027 
1028 	if (!sta->deflink.agg.max_amsdu_len)
1029 		return;
1030 
1031 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HW_AMSDU, sizeof(*amsdu));
1032 	amsdu = (struct sta_rec_amsdu *)tlv;
1033 	amsdu->max_amsdu_num = 8;
1034 	amsdu->amsdu_en = true;
1035 	msta->wcid.amsdu = true;
1036 
1037 	switch (sta->deflink.agg.max_amsdu_len) {
1038 	case IEEE80211_MAX_MPDU_LEN_VHT_11454:
1039 		amsdu->max_mpdu_size =
1040 			IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454;
1041 		return;
1042 	case IEEE80211_MAX_MPDU_LEN_HT_7935:
1043 	case IEEE80211_MAX_MPDU_LEN_VHT_7991:
1044 		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991;
1045 		return;
1046 	default:
1047 		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895;
1048 		return;
1049 	}
1050 }
1051 
1052 static inline bool
1053 mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif,
1054 			struct ieee80211_sta *sta, bool bfee)
1055 {
1056 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1057 	int sts = hweight16(phy->mt76->chainmask);
1058 
1059 	if (vif->type != NL80211_IFTYPE_STATION &&
1060 	    vif->type != NL80211_IFTYPE_AP)
1061 		return false;
1062 
1063 	if (!bfee && sts < 2)
1064 		return false;
1065 
1066 	if (sta->deflink.eht_cap.has_eht) {
1067 		struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
1068 		struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
1069 
1070 		if (bfee)
1071 			return mvif->cap.eht_su_ebfee &&
1072 			       EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
1073 		else
1074 			return mvif->cap.eht_su_ebfer &&
1075 			       EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
1076 	}
1077 
1078 	if (sta->deflink.he_cap.has_he) {
1079 		struct ieee80211_he_cap_elem *pe = &sta->deflink.he_cap.he_cap_elem;
1080 
1081 		if (bfee)
1082 			return mvif->cap.he_su_ebfee &&
1083 			       HE_PHY(CAP3_SU_BEAMFORMER, pe->phy_cap_info[3]);
1084 		else
1085 			return mvif->cap.he_su_ebfer &&
1086 			       HE_PHY(CAP4_SU_BEAMFORMEE, pe->phy_cap_info[4]);
1087 	}
1088 
1089 	if (sta->deflink.vht_cap.vht_supported) {
1090 		u32 cap = sta->deflink.vht_cap.cap;
1091 
1092 		if (bfee)
1093 			return mvif->cap.vht_su_ebfee &&
1094 			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE);
1095 		else
1096 			return mvif->cap.vht_su_ebfer &&
1097 			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE);
1098 	}
1099 
1100 	return false;
1101 }
1102 
1103 static void
1104 mt7996_mcu_sta_sounding_rate(struct sta_rec_bf *bf)
1105 {
1106 	bf->sounding_phy = MT_PHY_TYPE_OFDM;
1107 	bf->ndp_rate = 0;				/* mcs0 */
1108 	bf->ndpa_rate = MT7996_CFEND_RATE_DEFAULT;	/* ofdm 24m */
1109 	bf->rept_poll_rate = MT7996_CFEND_RATE_DEFAULT;	/* ofdm 24m */
1110 }
1111 
1112 static void
1113 mt7996_mcu_sta_bfer_ht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
1114 		       struct sta_rec_bf *bf)
1115 {
1116 	struct ieee80211_mcs_info *mcs = &sta->deflink.ht_cap.mcs;
1117 	u8 n = 0;
1118 
1119 	bf->tx_mode = MT_PHY_TYPE_HT;
1120 
1121 	if ((mcs->tx_params & IEEE80211_HT_MCS_TX_RX_DIFF) &&
1122 	    (mcs->tx_params & IEEE80211_HT_MCS_TX_DEFINED))
1123 		n = FIELD_GET(IEEE80211_HT_MCS_TX_MAX_STREAMS_MASK,
1124 			      mcs->tx_params);
1125 	else if (mcs->rx_mask[3])
1126 		n = 3;
1127 	else if (mcs->rx_mask[2])
1128 		n = 2;
1129 	else if (mcs->rx_mask[1])
1130 		n = 1;
1131 
1132 	bf->nrow = hweight8(phy->mt76->antenna_mask) - 1;
1133 	bf->ncol = min_t(u8, bf->nrow, n);
1134 	bf->ibf_ncol = n;
1135 }
1136 
1137 static void
1138 mt7996_mcu_sta_bfer_vht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
1139 			struct sta_rec_bf *bf, bool explicit)
1140 {
1141 	struct ieee80211_sta_vht_cap *pc = &sta->deflink.vht_cap;
1142 	struct ieee80211_sta_vht_cap *vc = &phy->mt76->sband_5g.sband.vht_cap;
1143 	u16 mcs_map = le16_to_cpu(pc->vht_mcs.rx_mcs_map);
1144 	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1145 	u8 tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
1146 
1147 	bf->tx_mode = MT_PHY_TYPE_VHT;
1148 
1149 	if (explicit) {
1150 		u8 sts, snd_dim;
1151 
1152 		mt7996_mcu_sta_sounding_rate(bf);
1153 
1154 		sts = FIELD_GET(IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK,
1155 				pc->cap);
1156 		snd_dim = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
1157 				    vc->cap);
1158 		bf->nrow = min_t(u8, min_t(u8, snd_dim, sts), tx_ant);
1159 		bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1160 		bf->ibf_ncol = bf->ncol;
1161 
1162 		if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_160)
1163 			bf->nrow = 1;
1164 	} else {
1165 		bf->nrow = tx_ant;
1166 		bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1167 		bf->ibf_ncol = nss_mcs;
1168 
1169 		if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_160)
1170 			bf->ibf_nrow = 1;
1171 	}
1172 }
1173 
1174 static void
1175 mt7996_mcu_sta_bfer_he(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
1176 		       struct mt7996_phy *phy, struct sta_rec_bf *bf)
1177 {
1178 	struct ieee80211_sta_he_cap *pc = &sta->deflink.he_cap;
1179 	struct ieee80211_he_cap_elem *pe = &pc->he_cap_elem;
1180 	const struct ieee80211_sta_he_cap *vc =
1181 		mt76_connac_get_he_phy_cap(phy->mt76, vif);
1182 	const struct ieee80211_he_cap_elem *ve = &vc->he_cap_elem;
1183 	u16 mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80);
1184 	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1185 	u8 snd_dim, sts;
1186 
1187 	bf->tx_mode = MT_PHY_TYPE_HE_SU;
1188 
1189 	mt7996_mcu_sta_sounding_rate(bf);
1190 
1191 	bf->trigger_su = HE_PHY(CAP6_TRIG_SU_BEAMFORMING_FB,
1192 				pe->phy_cap_info[6]);
1193 	bf->trigger_mu = HE_PHY(CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB,
1194 				pe->phy_cap_info[6]);
1195 	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
1196 			 ve->phy_cap_info[5]);
1197 	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_MASK,
1198 		     pe->phy_cap_info[4]);
1199 	bf->nrow = min_t(u8, snd_dim, sts);
1200 	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1201 	bf->ibf_ncol = bf->ncol;
1202 
1203 	if (sta->deflink.bandwidth != IEEE80211_STA_RX_BW_160)
1204 		return;
1205 
1206 	/* go over for 160MHz and 80p80 */
1207 	if (pe->phy_cap_info[0] &
1208 	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G) {
1209 		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_160);
1210 		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1211 
1212 		bf->ncol_gt_bw80 = nss_mcs;
1213 	}
1214 
1215 	if (pe->phy_cap_info[0] &
1216 	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G) {
1217 		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80p80);
1218 		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1219 
1220 		if (bf->ncol_gt_bw80)
1221 			bf->ncol_gt_bw80 = min_t(u8, bf->ncol_gt_bw80, nss_mcs);
1222 		else
1223 			bf->ncol_gt_bw80 = nss_mcs;
1224 	}
1225 
1226 	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_MASK,
1227 			 ve->phy_cap_info[5]);
1228 	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_MASK,
1229 		     pe->phy_cap_info[4]);
1230 
1231 	bf->nrow_gt_bw80 = min_t(int, snd_dim, sts);
1232 }
1233 
1234 static void
1235 mt7996_mcu_sta_bfer_eht(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
1236 			struct mt7996_phy *phy, struct sta_rec_bf *bf)
1237 {
1238 	struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
1239 	struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
1240 	struct ieee80211_eht_mcs_nss_supp *eht_nss = &pc->eht_mcs_nss_supp;
1241 	const struct ieee80211_sta_eht_cap *vc =
1242 		mt76_connac_get_eht_phy_cap(phy->mt76, vif);
1243 	const struct ieee80211_eht_cap_elem_fixed *ve = &vc->eht_cap_elem;
1244 	u8 nss_mcs = u8_get_bits(eht_nss->bw._80.rx_tx_mcs9_max_nss,
1245 				 IEEE80211_EHT_MCS_NSS_RX) - 1;
1246 	u8 snd_dim, sts;
1247 
1248 	bf->tx_mode = MT_PHY_TYPE_EHT_MU;
1249 
1250 	mt7996_mcu_sta_sounding_rate(bf);
1251 
1252 	bf->trigger_su = EHT_PHY(CAP3_TRIG_SU_BF_FDBK, pe->phy_cap_info[3]);
1253 	bf->trigger_mu = EHT_PHY(CAP3_TRIG_MU_BF_PART_BW_FDBK, pe->phy_cap_info[3]);
1254 	snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_80MHZ_MASK, ve->phy_cap_info[2]);
1255 	sts = EHT_PHY(CAP0_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[0]) +
1256 	      (EHT_PHY(CAP1_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[1]) << 1);
1257 	bf->nrow = min_t(u8, snd_dim, sts);
1258 	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1259 	bf->ibf_ncol = bf->ncol;
1260 
1261 	if (sta->deflink.bandwidth < IEEE80211_STA_RX_BW_160)
1262 		return;
1263 
1264 	switch (sta->deflink.bandwidth) {
1265 	case IEEE80211_STA_RX_BW_160:
1266 		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_160MHZ_MASK, ve->phy_cap_info[2]);
1267 		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_160MHZ_MASK, pe->phy_cap_info[1]);
1268 		nss_mcs = u8_get_bits(eht_nss->bw._160.rx_tx_mcs9_max_nss,
1269 				      IEEE80211_EHT_MCS_NSS_RX) - 1;
1270 
1271 		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts);
1272 		bf->ncol_gt_bw80 = nss_mcs;
1273 		break;
1274 	case IEEE80211_STA_RX_BW_320:
1275 		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_320MHZ_MASK, ve->phy_cap_info[2]) +
1276 			  (EHT_PHY(CAP3_SOUNDING_DIM_320MHZ_MASK,
1277 				   ve->phy_cap_info[3]) << 1);
1278 		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_320MHZ_MASK, pe->phy_cap_info[1]);
1279 		nss_mcs = u8_get_bits(eht_nss->bw._320.rx_tx_mcs9_max_nss,
1280 				      IEEE80211_EHT_MCS_NSS_RX) - 1;
1281 
1282 		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts) << 4;
1283 		bf->ncol_gt_bw80 = nss_mcs << 4;
1284 		break;
1285 	default:
1286 		break;
1287 	}
1288 }
1289 
1290 static void
1291 mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1292 			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1293 {
1294 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1295 	struct mt7996_phy *phy = mvif->phy;
1296 	int tx_ant = hweight8(phy->mt76->chainmask) - 1;
1297 	struct sta_rec_bf *bf;
1298 	struct tlv *tlv;
1299 	const u8 matrix[4][4] = {
1300 		{0, 0, 0, 0},
1301 		{1, 1, 0, 0},	/* 2x1, 2x2, 2x3, 2x4 */
1302 		{2, 4, 4, 0},	/* 3x1, 3x2, 3x3, 3x4 */
1303 		{3, 5, 6, 0}	/* 4x1, 4x2, 4x3, 4x4 */
1304 	};
1305 	bool ebf;
1306 
1307 	if (!(sta->deflink.ht_cap.ht_supported || sta->deflink.he_cap.has_he))
1308 		return;
1309 
1310 	ebf = mt7996_is_ebf_supported(phy, vif, sta, false);
1311 	if (!ebf && !dev->ibf)
1312 		return;
1313 
1314 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BF, sizeof(*bf));
1315 	bf = (struct sta_rec_bf *)tlv;
1316 
1317 	/* he/eht: eBF only, in accordance with spec
1318 	 * vht: support eBF and iBF
1319 	 * ht: iBF only, since mac80211 lacks of eBF support
1320 	 */
1321 	if (sta->deflink.eht_cap.has_eht && ebf)
1322 		mt7996_mcu_sta_bfer_eht(sta, vif, phy, bf);
1323 	else if (sta->deflink.he_cap.has_he && ebf)
1324 		mt7996_mcu_sta_bfer_he(sta, vif, phy, bf);
1325 	else if (sta->deflink.vht_cap.vht_supported)
1326 		mt7996_mcu_sta_bfer_vht(sta, phy, bf, ebf);
1327 	else if (sta->deflink.ht_cap.ht_supported)
1328 		mt7996_mcu_sta_bfer_ht(sta, phy, bf);
1329 	else
1330 		return;
1331 
1332 	bf->bf_cap = ebf ? ebf : dev->ibf << 1;
1333 	bf->bw = sta->deflink.bandwidth;
1334 	bf->ibf_dbw = sta->deflink.bandwidth;
1335 	bf->ibf_nrow = tx_ant;
1336 
1337 	if (!ebf && sta->deflink.bandwidth <= IEEE80211_STA_RX_BW_40 && !bf->ncol)
1338 		bf->ibf_timeout = 0x48;
1339 	else
1340 		bf->ibf_timeout = 0x18;
1341 
1342 	if (ebf && bf->nrow != tx_ant)
1343 		bf->mem_20m = matrix[tx_ant][bf->ncol];
1344 	else
1345 		bf->mem_20m = matrix[bf->nrow][bf->ncol];
1346 
1347 	switch (sta->deflink.bandwidth) {
1348 	case IEEE80211_STA_RX_BW_160:
1349 	case IEEE80211_STA_RX_BW_80:
1350 		bf->mem_total = bf->mem_20m * 2;
1351 		break;
1352 	case IEEE80211_STA_RX_BW_40:
1353 		bf->mem_total = bf->mem_20m;
1354 		break;
1355 	case IEEE80211_STA_RX_BW_20:
1356 	default:
1357 		break;
1358 	}
1359 }
1360 
1361 static void
1362 mt7996_mcu_sta_bfee_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1363 			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1364 {
1365 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1366 	struct mt7996_phy *phy = mvif->phy;
1367 	int tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
1368 	struct sta_rec_bfee *bfee;
1369 	struct tlv *tlv;
1370 	u8 nrow = 0;
1371 
1372 	if (!(sta->deflink.vht_cap.vht_supported || sta->deflink.he_cap.has_he))
1373 		return;
1374 
1375 	if (!mt7996_is_ebf_supported(phy, vif, sta, true))
1376 		return;
1377 
1378 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BFEE, sizeof(*bfee));
1379 	bfee = (struct sta_rec_bfee *)tlv;
1380 
1381 	if (sta->deflink.he_cap.has_he) {
1382 		struct ieee80211_he_cap_elem *pe = &sta->deflink.he_cap.he_cap_elem;
1383 
1384 		nrow = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
1385 			      pe->phy_cap_info[5]);
1386 	} else if (sta->deflink.vht_cap.vht_supported) {
1387 		struct ieee80211_sta_vht_cap *pc = &sta->deflink.vht_cap;
1388 
1389 		nrow = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
1390 				 pc->cap);
1391 	}
1392 
1393 	/* reply with identity matrix to avoid 2x2 BF negative gain */
1394 	bfee->fb_identity_matrix = (nrow == 1 && tx_ant == 2);
1395 }
1396 
1397 static void
1398 mt7996_mcu_sta_phy_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1399 		       struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1400 {
1401 	struct sta_rec_phy *phy;
1402 	struct tlv *tlv;
1403 	u8 af = 0, mm = 0;
1404 
1405 	if (!sta->deflink.ht_cap.ht_supported && !sta->deflink.he_6ghz_capa.capa)
1406 		return;
1407 
1408 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_PHY, sizeof(*phy));
1409 
1410 	phy = (struct sta_rec_phy *)tlv;
1411 	if (sta->deflink.ht_cap.ht_supported) {
1412 		af = sta->deflink.ht_cap.ampdu_factor;
1413 		mm = sta->deflink.ht_cap.ampdu_density;
1414 	}
1415 
1416 	if (sta->deflink.vht_cap.vht_supported) {
1417 		u8 vht_af = FIELD_GET(IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK,
1418 				      sta->deflink.vht_cap.cap);
1419 
1420 		af = max_t(u8, af, vht_af);
1421 	}
1422 
1423 	if (sta->deflink.he_6ghz_capa.capa) {
1424 		af = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
1425 				   IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP);
1426 		mm = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
1427 				   IEEE80211_HE_6GHZ_CAP_MIN_MPDU_START);
1428 	}
1429 
1430 	phy->ampdu = FIELD_PREP(IEEE80211_HT_AMPDU_PARM_FACTOR, af) |
1431 		     FIELD_PREP(IEEE80211_HT_AMPDU_PARM_DENSITY, mm);
1432 	phy->max_ampdu_len = af;
1433 }
1434 
1435 static void
1436 mt7996_mcu_sta_hdrt_tlv(struct mt7996_dev *dev, struct sk_buff *skb)
1437 {
1438 	struct sta_rec_hdrt *hdrt;
1439 	struct tlv *tlv;
1440 
1441 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HDRT, sizeof(*hdrt));
1442 
1443 	hdrt = (struct sta_rec_hdrt *)tlv;
1444 	hdrt->hdrt_mode = 1;
1445 }
1446 
1447 static void
1448 mt7996_mcu_sta_hdr_trans_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1449 			     struct ieee80211_vif *vif,
1450 			     struct ieee80211_sta *sta)
1451 {
1452 	struct sta_rec_hdr_trans *hdr_trans;
1453 	struct mt76_wcid *wcid;
1454 	struct tlv *tlv;
1455 
1456 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HDR_TRANS, sizeof(*hdr_trans));
1457 	hdr_trans = (struct sta_rec_hdr_trans *)tlv;
1458 	hdr_trans->dis_rx_hdr_tran = true;
1459 
1460 	if (vif->type == NL80211_IFTYPE_STATION)
1461 		hdr_trans->to_ds = true;
1462 	else
1463 		hdr_trans->from_ds = true;
1464 
1465 	wcid = (struct mt76_wcid *)sta->drv_priv;
1466 	if (!wcid)
1467 		return;
1468 
1469 	hdr_trans->dis_rx_hdr_tran = !test_bit(MT_WCID_FLAG_HDR_TRANS, &wcid->flags);
1470 	if (test_bit(MT_WCID_FLAG_4ADDR, &wcid->flags)) {
1471 		hdr_trans->to_ds = true;
1472 		hdr_trans->from_ds = true;
1473 	}
1474 }
1475 
1476 static enum mcu_mmps_mode
1477 mt7996_mcu_get_mmps_mode(enum ieee80211_smps_mode smps)
1478 {
1479 	switch (smps) {
1480 	case IEEE80211_SMPS_OFF:
1481 		return MCU_MMPS_DISABLE;
1482 	case IEEE80211_SMPS_STATIC:
1483 		return MCU_MMPS_STATIC;
1484 	case IEEE80211_SMPS_DYNAMIC:
1485 		return MCU_MMPS_DYNAMIC;
1486 	default:
1487 		return MCU_MMPS_DISABLE;
1488 	}
1489 }
1490 
1491 int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
1492 				   void *data, u16 version)
1493 {
1494 	struct ra_fixed_rate *req;
1495 	struct uni_header hdr;
1496 	struct sk_buff *skb;
1497 	struct tlv *tlv;
1498 	int len;
1499 
1500 	len = sizeof(hdr) + sizeof(*req);
1501 
1502 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
1503 	if (!skb)
1504 		return -ENOMEM;
1505 
1506 	skb_put_data(skb, &hdr, sizeof(hdr));
1507 
1508 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_RA_FIXED_RATE, sizeof(*req));
1509 	req = (struct ra_fixed_rate *)tlv;
1510 	req->version = cpu_to_le16(version);
1511 	memcpy(&req->rate, data, sizeof(req->rate));
1512 
1513 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1514 				     MCU_WM_UNI_CMD(RA), true);
1515 }
1516 
1517 static void
1518 mt7996_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, struct mt7996_dev *dev,
1519 			     struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1520 {
1521 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1522 	struct mt76_phy *mphy = mvif->phy->mt76;
1523 	struct cfg80211_chan_def *chandef = &mphy->chandef;
1524 	struct cfg80211_bitrate_mask *mask = &mvif->bitrate_mask;
1525 	enum nl80211_band band = chandef->chan->band;
1526 	struct sta_rec_ra *ra;
1527 	struct tlv *tlv;
1528 	u32 supp_rate = sta->deflink.supp_rates[band];
1529 	u32 cap = sta->wme ? STA_CAP_WMM : 0;
1530 
1531 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA, sizeof(*ra));
1532 	ra = (struct sta_rec_ra *)tlv;
1533 
1534 	ra->valid = true;
1535 	ra->auto_rate = true;
1536 	ra->phy_mode = mt76_connac_get_phy_mode(mphy, vif, band, sta);
1537 	ra->channel = chandef->chan->hw_value;
1538 	ra->bw = (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_320) ?
1539 		 CMD_CBW_320MHZ : sta->deflink.bandwidth;
1540 	ra->phy.bw = ra->bw;
1541 	ra->mmps_mode = mt7996_mcu_get_mmps_mode(sta->deflink.smps_mode);
1542 
1543 	if (supp_rate) {
1544 		supp_rate &= mask->control[band].legacy;
1545 		ra->rate_len = hweight32(supp_rate);
1546 
1547 		if (band == NL80211_BAND_2GHZ) {
1548 			ra->supp_mode = MODE_CCK;
1549 			ra->supp_cck_rate = supp_rate & GENMASK(3, 0);
1550 
1551 			if (ra->rate_len > 4) {
1552 				ra->supp_mode |= MODE_OFDM;
1553 				ra->supp_ofdm_rate = supp_rate >> 4;
1554 			}
1555 		} else {
1556 			ra->supp_mode = MODE_OFDM;
1557 			ra->supp_ofdm_rate = supp_rate;
1558 		}
1559 	}
1560 
1561 	if (sta->deflink.ht_cap.ht_supported) {
1562 		ra->supp_mode |= MODE_HT;
1563 		ra->af = sta->deflink.ht_cap.ampdu_factor;
1564 		ra->ht_gf = !!(sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_GRN_FLD);
1565 
1566 		cap |= STA_CAP_HT;
1567 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_20)
1568 			cap |= STA_CAP_SGI_20;
1569 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_40)
1570 			cap |= STA_CAP_SGI_40;
1571 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_TX_STBC)
1572 			cap |= STA_CAP_TX_STBC;
1573 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_RX_STBC)
1574 			cap |= STA_CAP_RX_STBC;
1575 		if (mvif->cap.ht_ldpc &&
1576 		    (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_LDPC_CODING))
1577 			cap |= STA_CAP_LDPC;
1578 
1579 		mt7996_mcu_set_sta_ht_mcs(sta, ra->ht_mcs,
1580 					  mask->control[band].ht_mcs);
1581 		ra->supp_ht_mcs = *(__le32 *)ra->ht_mcs;
1582 	}
1583 
1584 	if (sta->deflink.vht_cap.vht_supported) {
1585 		u8 af;
1586 
1587 		ra->supp_mode |= MODE_VHT;
1588 		af = FIELD_GET(IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK,
1589 			       sta->deflink.vht_cap.cap);
1590 		ra->af = max_t(u8, ra->af, af);
1591 
1592 		cap |= STA_CAP_VHT;
1593 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80)
1594 			cap |= STA_CAP_VHT_SGI_80;
1595 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_160)
1596 			cap |= STA_CAP_VHT_SGI_160;
1597 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_TXSTBC)
1598 			cap |= STA_CAP_VHT_TX_STBC;
1599 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXSTBC_1)
1600 			cap |= STA_CAP_VHT_RX_STBC;
1601 		if (mvif->cap.vht_ldpc &&
1602 		    (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXLDPC))
1603 			cap |= STA_CAP_VHT_LDPC;
1604 
1605 		mt7996_mcu_set_sta_vht_mcs(sta, ra->supp_vht_mcs,
1606 					   mask->control[band].vht_mcs);
1607 	}
1608 
1609 	if (sta->deflink.he_cap.has_he) {
1610 		ra->supp_mode |= MODE_HE;
1611 		cap |= STA_CAP_HE;
1612 
1613 		if (sta->deflink.he_6ghz_capa.capa)
1614 			ra->af = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
1615 					       IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP);
1616 	}
1617 	ra->sta_cap = cpu_to_le32(cap);
1618 }
1619 
1620 int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1621 			     struct ieee80211_sta *sta, bool changed)
1622 {
1623 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1624 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1625 	struct sk_buff *skb;
1626 
1627 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
1628 					      &msta->wcid,
1629 					      MT7996_STA_UPDATE_MAX_SIZE);
1630 	if (IS_ERR(skb))
1631 		return PTR_ERR(skb);
1632 
1633 	/* firmware rc algorithm refers to sta_rec_he for HE control.
1634 	 * once dev->rc_work changes the settings driver should also
1635 	 * update sta_rec_he here.
1636 	 */
1637 	if (changed)
1638 		mt7996_mcu_sta_he_tlv(skb, sta);
1639 
1640 	/* sta_rec_ra accommodates BW, NSS and only MCS range format
1641 	 * i.e 0-{7,8,9} for VHT.
1642 	 */
1643 	mt7996_mcu_sta_rate_ctrl_tlv(skb, dev, vif, sta);
1644 
1645 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1646 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
1647 }
1648 
1649 static int
1650 mt7996_mcu_add_group(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1651 		     struct ieee80211_sta *sta)
1652 {
1653 #define MT_STA_BSS_GROUP		1
1654 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1655 	struct mt7996_sta *msta;
1656 	struct {
1657 		u8 __rsv1[4];
1658 
1659 		__le16 tag;
1660 		__le16 len;
1661 		__le16 wlan_idx;
1662 		u8 __rsv2[2];
1663 		__le32 action;
1664 		__le32 val;
1665 		u8 __rsv3[8];
1666 	} __packed req = {
1667 		.tag = cpu_to_le16(UNI_VOW_DRR_CTRL),
1668 		.len = cpu_to_le16(sizeof(req) - 4),
1669 		.action = cpu_to_le32(MT_STA_BSS_GROUP),
1670 		.val = cpu_to_le32(mvif->mt76.idx % 16),
1671 	};
1672 
1673 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
1674 	req.wlan_idx = cpu_to_le16(msta->wcid.idx);
1675 
1676 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(VOW), &req,
1677 				 sizeof(req), true);
1678 }
1679 
1680 int mt7996_mcu_add_sta(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1681 		       struct ieee80211_sta *sta, bool enable)
1682 {
1683 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1684 	struct mt7996_sta *msta;
1685 	struct sk_buff *skb;
1686 	int ret;
1687 
1688 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
1689 
1690 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
1691 					      &msta->wcid,
1692 					      MT7996_STA_UPDATE_MAX_SIZE);
1693 	if (IS_ERR(skb))
1694 		return PTR_ERR(skb);
1695 
1696 	/* starec basic */
1697 	mt76_connac_mcu_sta_basic_tlv(skb, vif, sta, enable,
1698 			!rcu_access_pointer(dev->mt76.wcid[msta->wcid.idx]));
1699 	if (!enable)
1700 		goto out;
1701 
1702 	/* tag order is in accordance with firmware dependency. */
1703 	if (sta) {
1704 		/* starec phy */
1705 		mt7996_mcu_sta_phy_tlv(dev, skb, vif, sta);
1706 		/* starec hdrt mode */
1707 		mt7996_mcu_sta_hdrt_tlv(dev, skb);
1708 		/* starec bfer */
1709 		mt7996_mcu_sta_bfer_tlv(dev, skb, vif, sta);
1710 		/* starec ht */
1711 		mt7996_mcu_sta_ht_tlv(skb, sta);
1712 		/* starec vht */
1713 		mt7996_mcu_sta_vht_tlv(skb, sta);
1714 		/* starec uapsd */
1715 		mt76_connac_mcu_sta_uapsd(skb, vif, sta);
1716 		/* starec amsdu */
1717 		mt7996_mcu_sta_amsdu_tlv(dev, skb, vif, sta);
1718 		/* starec he */
1719 		mt7996_mcu_sta_he_tlv(skb, sta);
1720 		/* starec he 6g*/
1721 		mt7996_mcu_sta_he_6g_tlv(skb, sta);
1722 		/* starec eht */
1723 		mt7996_mcu_sta_eht_tlv(skb, sta);
1724 		/* TODO: starec muru */
1725 		/* starec bfee */
1726 		mt7996_mcu_sta_bfee_tlv(dev, skb, vif, sta);
1727 		/* starec hdr trans */
1728 		mt7996_mcu_sta_hdr_trans_tlv(dev, skb, vif, sta);
1729 	}
1730 
1731 	ret = mt7996_mcu_add_group(dev, vif, sta);
1732 	if (ret) {
1733 		dev_kfree_skb(skb);
1734 		return ret;
1735 	}
1736 out:
1737 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1738 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
1739 }
1740 
1741 static int
1742 mt7996_mcu_sta_key_tlv(struct mt76_wcid *wcid,
1743 		       struct mt76_connac_sta_key_conf *sta_key_conf,
1744 		       struct sk_buff *skb,
1745 		       struct ieee80211_key_conf *key,
1746 		       enum set_key_cmd cmd)
1747 {
1748 	struct sta_rec_sec_uni *sec;
1749 	struct tlv *tlv;
1750 
1751 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_KEY_V2, sizeof(*sec));
1752 	sec = (struct sta_rec_sec_uni *)tlv;
1753 	sec->add = cmd;
1754 
1755 	if (cmd == SET_KEY) {
1756 		struct sec_key_uni *sec_key;
1757 		u8 cipher;
1758 
1759 		cipher = mt76_connac_mcu_get_cipher(key->cipher);
1760 		if (cipher == MCU_CIPHER_NONE)
1761 			return -EOPNOTSUPP;
1762 
1763 		sec_key = &sec->key[0];
1764 		sec_key->cipher_len = sizeof(*sec_key);
1765 
1766 		if (cipher == MCU_CIPHER_BIP_CMAC_128) {
1767 			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
1768 			sec_key->cipher_id = MCU_CIPHER_AES_CCMP;
1769 			sec_key->key_id = sta_key_conf->keyidx;
1770 			sec_key->key_len = 16;
1771 			memcpy(sec_key->key, sta_key_conf->key, 16);
1772 
1773 			sec_key = &sec->key[1];
1774 			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
1775 			sec_key->cipher_id = MCU_CIPHER_BIP_CMAC_128;
1776 			sec_key->cipher_len = sizeof(*sec_key);
1777 			sec_key->key_len = 16;
1778 			memcpy(sec_key->key, key->key, 16);
1779 			sec->n_cipher = 2;
1780 		} else {
1781 			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
1782 			sec_key->cipher_id = cipher;
1783 			sec_key->key_id = key->keyidx;
1784 			sec_key->key_len = key->keylen;
1785 			memcpy(sec_key->key, key->key, key->keylen);
1786 
1787 			if (cipher == MCU_CIPHER_TKIP) {
1788 				/* Rx/Tx MIC keys are swapped */
1789 				memcpy(sec_key->key + 16, key->key + 24, 8);
1790 				memcpy(sec_key->key + 24, key->key + 16, 8);
1791 			}
1792 
1793 			/* store key_conf for BIP batch update */
1794 			if (cipher == MCU_CIPHER_AES_CCMP) {
1795 				memcpy(sta_key_conf->key, key->key, key->keylen);
1796 				sta_key_conf->keyidx = key->keyidx;
1797 			}
1798 
1799 			sec->n_cipher = 1;
1800 		}
1801 	} else {
1802 		sec->n_cipher = 0;
1803 	}
1804 
1805 	return 0;
1806 }
1807 
1808 int mt7996_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
1809 		       struct mt76_connac_sta_key_conf *sta_key_conf,
1810 		       struct ieee80211_key_conf *key, int mcu_cmd,
1811 		       struct mt76_wcid *wcid, enum set_key_cmd cmd)
1812 {
1813 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
1814 	struct sk_buff *skb;
1815 	int ret;
1816 
1817 	skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, wcid,
1818 					      MT7996_STA_UPDATE_MAX_SIZE);
1819 	if (IS_ERR(skb))
1820 		return PTR_ERR(skb);
1821 
1822 	ret = mt7996_mcu_sta_key_tlv(wcid, sta_key_conf, skb, key, cmd);
1823 	if (ret)
1824 		return ret;
1825 
1826 	return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
1827 }
1828 
1829 int mt7996_mcu_add_dev_info(struct mt7996_phy *phy,
1830 			    struct ieee80211_vif *vif, bool enable)
1831 {
1832 	struct mt7996_dev *dev = phy->dev;
1833 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1834 	struct {
1835 		struct req_hdr {
1836 			u8 omac_idx;
1837 			u8 band_idx;
1838 			u8 __rsv[2];
1839 		} __packed hdr;
1840 		struct req_tlv {
1841 			__le16 tag;
1842 			__le16 len;
1843 			u8 active;
1844 			u8 __rsv;
1845 			u8 omac_addr[ETH_ALEN];
1846 		} __packed tlv;
1847 	} data = {
1848 		.hdr = {
1849 			.omac_idx = mvif->mt76.omac_idx,
1850 			.band_idx = mvif->mt76.band_idx,
1851 		},
1852 		.tlv = {
1853 			.tag = cpu_to_le16(DEV_INFO_ACTIVE),
1854 			.len = cpu_to_le16(sizeof(struct req_tlv)),
1855 			.active = enable,
1856 		},
1857 	};
1858 
1859 	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START)
1860 		return mt7996_mcu_muar_config(phy, vif, false, enable);
1861 
1862 	memcpy(data.tlv.omac_addr, vif->addr, ETH_ALEN);
1863 	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(DEV_INFO_UPDATE),
1864 				 &data, sizeof(data), true);
1865 }
1866 
1867 static void
1868 mt7996_mcu_beacon_cntdwn(struct ieee80211_vif *vif, struct sk_buff *rskb,
1869 			 struct sk_buff *skb,
1870 			 struct ieee80211_mutable_offsets *offs)
1871 {
1872 	struct bss_bcn_cntdwn_tlv *info;
1873 	struct tlv *tlv;
1874 	u16 tag;
1875 
1876 	if (!offs->cntdwn_counter_offs[0])
1877 		return;
1878 
1879 	tag = vif->bss_conf.csa_active ? UNI_BSS_INFO_BCN_CSA : UNI_BSS_INFO_BCN_BCC;
1880 
1881 	tlv = mt7996_mcu_add_uni_tlv(rskb, tag, sizeof(*info));
1882 
1883 	info = (struct bss_bcn_cntdwn_tlv *)tlv;
1884 	info->cnt = skb->data[offs->cntdwn_counter_offs[0]];
1885 }
1886 
1887 static void
1888 mt7996_mcu_beacon_cont(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1889 		       struct sk_buff *rskb, struct sk_buff *skb,
1890 		       struct bss_bcn_content_tlv *bcn,
1891 		       struct ieee80211_mutable_offsets *offs)
1892 {
1893 	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
1894 	u8 *buf;
1895 
1896 	bcn->pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
1897 	bcn->tim_ie_pos = cpu_to_le16(offs->tim_offset);
1898 
1899 	if (offs->cntdwn_counter_offs[0]) {
1900 		u16 offset = offs->cntdwn_counter_offs[0];
1901 
1902 		if (vif->bss_conf.csa_active)
1903 			bcn->csa_ie_pos = cpu_to_le16(offset - 4);
1904 		if (vif->bss_conf.color_change_active)
1905 			bcn->bcc_ie_pos = cpu_to_le16(offset - 3);
1906 	}
1907 
1908 	buf = (u8 *)bcn + sizeof(*bcn) - MAX_BEACON_SIZE;
1909 	mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, 0, NULL,
1910 			      BSS_CHANGED_BEACON);
1911 	memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
1912 }
1913 
1914 static void
1915 mt7996_mcu_beacon_check_caps(struct mt7996_phy *phy, struct ieee80211_vif *vif,
1916 			     struct sk_buff *skb)
1917 {
1918 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1919 	struct mt7996_vif_cap *vc = &mvif->cap;
1920 	const struct ieee80211_eht_cap_elem_fixed *eht;
1921 	const struct ieee80211_he_cap_elem *he;
1922 	const struct ieee80211_vht_cap *vht;
1923 	const struct ieee80211_ht_cap *ht;
1924 	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)skb->data;
1925 	const u8 *ie;
1926 	u32 len, bc;
1927 
1928 	/* Check missing configuration options to allow AP mode in mac80211
1929 	 * to remain in sync with hostapd settings, and get a subset of
1930 	 * beacon and hardware capabilities.
1931 	 */
1932 	if (WARN_ON_ONCE(skb->len <= (mgmt->u.beacon.variable - skb->data)))
1933 		return;
1934 
1935 	memset(vc, 0, sizeof(*vc));
1936 
1937 	len = skb->len - (mgmt->u.beacon.variable - skb->data);
1938 
1939 	ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, mgmt->u.beacon.variable,
1940 			      len);
1941 	if (ie && ie[1] >= sizeof(*ht)) {
1942 		ht = (void *)(ie + 2);
1943 		vc->ht_ldpc |= !!(le16_to_cpu(ht->cap_info) &
1944 				  IEEE80211_HT_CAP_LDPC_CODING);
1945 	}
1946 
1947 	ie = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, mgmt->u.beacon.variable,
1948 			      len);
1949 	if (ie && ie[1] >= sizeof(*vht)) {
1950 		u32 pc = phy->mt76->sband_5g.sband.vht_cap.cap;
1951 
1952 		vht = (void *)(ie + 2);
1953 		bc = le32_to_cpu(vht->vht_cap_info);
1954 
1955 		vc->vht_ldpc |= !!(bc & IEEE80211_VHT_CAP_RXLDPC);
1956 		vc->vht_su_ebfer =
1957 			(bc & IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE) &&
1958 			(pc & IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE);
1959 		vc->vht_su_ebfee =
1960 			(bc & IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE) &&
1961 			(pc & IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE);
1962 		vc->vht_mu_ebfer =
1963 			(bc & IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE) &&
1964 			(pc & IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE);
1965 		vc->vht_mu_ebfee =
1966 			(bc & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE) &&
1967 			(pc & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
1968 	}
1969 
1970 	ie = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY,
1971 				  mgmt->u.beacon.variable, len);
1972 	if (ie && ie[1] >= sizeof(*he) + 1) {
1973 		const struct ieee80211_sta_he_cap *pc =
1974 			mt76_connac_get_he_phy_cap(phy->mt76, vif);
1975 		const struct ieee80211_he_cap_elem *pe = &pc->he_cap_elem;
1976 
1977 		he = (void *)(ie + 3);
1978 
1979 		vc->he_ldpc =
1980 			HE_PHY(CAP1_LDPC_CODING_IN_PAYLOAD, pe->phy_cap_info[1]);
1981 		vc->he_su_ebfer =
1982 			HE_PHY(CAP3_SU_BEAMFORMER, he->phy_cap_info[3]) &&
1983 			HE_PHY(CAP3_SU_BEAMFORMER, pe->phy_cap_info[3]);
1984 		vc->he_su_ebfee =
1985 			HE_PHY(CAP4_SU_BEAMFORMEE, he->phy_cap_info[4]) &&
1986 			HE_PHY(CAP4_SU_BEAMFORMEE, pe->phy_cap_info[4]);
1987 		vc->he_mu_ebfer =
1988 			HE_PHY(CAP4_MU_BEAMFORMER, he->phy_cap_info[4]) &&
1989 			HE_PHY(CAP4_MU_BEAMFORMER, pe->phy_cap_info[4]);
1990 	}
1991 
1992 	ie = cfg80211_find_ext_ie(WLAN_EID_EXT_EHT_CAPABILITY,
1993 				  mgmt->u.beacon.variable, len);
1994 	if (ie && ie[1] >= sizeof(*eht) + 1) {
1995 		const struct ieee80211_sta_eht_cap *pc =
1996 			mt76_connac_get_eht_phy_cap(phy->mt76, vif);
1997 		const struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
1998 
1999 		eht = (void *)(ie + 3);
2000 
2001 		vc->eht_su_ebfer =
2002 			EHT_PHY(CAP0_SU_BEAMFORMER, eht->phy_cap_info[0]) &&
2003 			EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
2004 		vc->eht_su_ebfee =
2005 			EHT_PHY(CAP0_SU_BEAMFORMEE, eht->phy_cap_info[0]) &&
2006 			EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
2007 	}
2008 }
2009 
2010 int mt7996_mcu_add_beacon(struct ieee80211_hw *hw,
2011 			  struct ieee80211_vif *vif, int en)
2012 {
2013 	struct mt7996_dev *dev = mt7996_hw_dev(hw);
2014 	struct mt7996_phy *phy = mt7996_hw_phy(hw);
2015 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2016 	struct ieee80211_mutable_offsets offs;
2017 	struct ieee80211_tx_info *info;
2018 	struct sk_buff *skb, *rskb;
2019 	struct tlv *tlv;
2020 	struct bss_bcn_content_tlv *bcn;
2021 
2022 	rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
2023 					  MT7996_BEACON_UPDATE_SIZE);
2024 	if (IS_ERR(rskb))
2025 		return PTR_ERR(rskb);
2026 
2027 	tlv = mt7996_mcu_add_uni_tlv(rskb,
2028 				     UNI_BSS_INFO_BCN_CONTENT, sizeof(*bcn));
2029 	bcn = (struct bss_bcn_content_tlv *)tlv;
2030 	bcn->enable = en;
2031 
2032 	if (!en)
2033 		goto out;
2034 
2035 	skb = ieee80211_beacon_get_template(hw, vif, &offs, 0);
2036 	if (!skb)
2037 		return -EINVAL;
2038 
2039 	if (skb->len > MAX_BEACON_SIZE - MT_TXD_SIZE) {
2040 		dev_err(dev->mt76.dev, "Bcn size limit exceed\n");
2041 		dev_kfree_skb(skb);
2042 		return -EINVAL;
2043 	}
2044 
2045 	info = IEEE80211_SKB_CB(skb);
2046 	info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);
2047 
2048 	mt7996_mcu_beacon_check_caps(phy, vif, skb);
2049 
2050 	mt7996_mcu_beacon_cont(dev, vif, rskb, skb, bcn, &offs);
2051 	/* TODO: subtag - 11v MBSSID */
2052 	mt7996_mcu_beacon_cntdwn(vif, rskb, skb, &offs);
2053 	dev_kfree_skb(skb);
2054 out:
2055 	return mt76_mcu_skb_send_msg(&phy->dev->mt76, rskb,
2056 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
2057 }
2058 
2059 int mt7996_mcu_beacon_inband_discov(struct mt7996_dev *dev,
2060 				    struct ieee80211_vif *vif, u32 changed)
2061 {
2062 #define OFFLOAD_TX_MODE_SU	BIT(0)
2063 #define OFFLOAD_TX_MODE_MU	BIT(1)
2064 	struct ieee80211_hw *hw = mt76_hw(dev);
2065 	struct mt7996_phy *phy = mt7996_hw_phy(hw);
2066 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2067 	struct cfg80211_chan_def *chandef = &mvif->phy->mt76->chandef;
2068 	enum nl80211_band band = chandef->chan->band;
2069 	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
2070 	struct bss_inband_discovery_tlv *discov;
2071 	struct ieee80211_tx_info *info;
2072 	struct sk_buff *rskb, *skb = NULL;
2073 	struct tlv *tlv;
2074 	u8 *buf, interval;
2075 
2076 	rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
2077 					  MT7996_INBAND_FRAME_SIZE);
2078 	if (IS_ERR(rskb))
2079 		return PTR_ERR(rskb);
2080 
2081 	if (changed & BSS_CHANGED_FILS_DISCOVERY &&
2082 	    vif->bss_conf.fils_discovery.max_interval) {
2083 		interval = vif->bss_conf.fils_discovery.max_interval;
2084 		skb = ieee80211_get_fils_discovery_tmpl(hw, vif);
2085 	} else if (changed & BSS_CHANGED_UNSOL_BCAST_PROBE_RESP &&
2086 		   vif->bss_conf.unsol_bcast_probe_resp_interval) {
2087 		interval = vif->bss_conf.unsol_bcast_probe_resp_interval;
2088 		skb = ieee80211_get_unsol_bcast_probe_resp_tmpl(hw, vif);
2089 	}
2090 
2091 	if (!skb)
2092 		return -EINVAL;
2093 
2094 	if (skb->len > MAX_INBAND_FRAME_SIZE - MT_TXD_SIZE) {
2095 		dev_err(dev->mt76.dev, "inband discovery size limit exceed\n");
2096 		dev_kfree_skb(skb);
2097 		return -EINVAL;
2098 	}
2099 
2100 	info = IEEE80211_SKB_CB(skb);
2101 	info->control.vif = vif;
2102 	info->band = band;
2103 	info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);
2104 
2105 	tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_OFFLOAD, sizeof(*discov));
2106 
2107 	discov = (struct bss_inband_discovery_tlv *)tlv;
2108 	discov->tx_mode = OFFLOAD_TX_MODE_SU;
2109 	/* 0: UNSOL PROBE RESP, 1: FILS DISCOV */
2110 	discov->tx_type = !!(changed & BSS_CHANGED_FILS_DISCOVERY);
2111 	discov->tx_interval = interval;
2112 	discov->prob_rsp_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
2113 	discov->enable = true;
2114 	discov->wcid = cpu_to_le16(MT7996_WTBL_RESERVED);
2115 
2116 	buf = (u8 *)tlv + sizeof(*discov) - MAX_INBAND_FRAME_SIZE;
2117 
2118 	mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, 0, NULL,
2119 			      changed);
2120 
2121 	memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
2122 
2123 	dev_kfree_skb(skb);
2124 
2125 	return mt76_mcu_skb_send_msg(&dev->mt76, rskb,
2126 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
2127 }
2128 
2129 static int mt7996_driver_own(struct mt7996_dev *dev, u8 band)
2130 {
2131 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(band), MT_TOP_LPCR_HOST_DRV_OWN);
2132 	if (!mt76_poll_msec(dev, MT_TOP_LPCR_HOST_BAND(band),
2133 			    MT_TOP_LPCR_HOST_FW_OWN_STAT, 0, 500)) {
2134 		dev_err(dev->mt76.dev, "Timeout for driver own\n");
2135 		return -EIO;
2136 	}
2137 
2138 	/* clear irq when the driver own success */
2139 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND_IRQ_STAT(band),
2140 		MT_TOP_LPCR_HOST_BAND_STAT);
2141 
2142 	return 0;
2143 }
2144 
2145 static u32 mt7996_patch_sec_mode(u32 key_info)
2146 {
2147 	u32 sec = u32_get_bits(key_info, MT7996_PATCH_SEC), key = 0;
2148 
2149 	if (key_info == GENMASK(31, 0) || sec == MT7996_SEC_MODE_PLAIN)
2150 		return 0;
2151 
2152 	if (sec == MT7996_SEC_MODE_AES)
2153 		key = u32_get_bits(key_info, MT7996_PATCH_AES_KEY);
2154 	else
2155 		key = u32_get_bits(key_info, MT7996_PATCH_SCRAMBLE_KEY);
2156 
2157 	return MT7996_SEC_ENCRYPT | MT7996_SEC_IV |
2158 	       u32_encode_bits(key, MT7996_SEC_KEY_IDX);
2159 }
2160 
2161 static int mt7996_load_patch(struct mt7996_dev *dev)
2162 {
2163 	const struct mt7996_patch_hdr *hdr;
2164 	const struct firmware *fw = NULL;
2165 	int i, ret, sem;
2166 
2167 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 1);
2168 	switch (sem) {
2169 	case PATCH_IS_DL:
2170 		return 0;
2171 	case PATCH_NOT_DL_SEM_SUCCESS:
2172 		break;
2173 	default:
2174 		dev_err(dev->mt76.dev, "Failed to get patch semaphore\n");
2175 		return -EAGAIN;
2176 	}
2177 
2178 	ret = request_firmware(&fw, MT7996_ROM_PATCH, dev->mt76.dev);
2179 	if (ret)
2180 		goto out;
2181 
2182 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
2183 		dev_err(dev->mt76.dev, "Invalid firmware\n");
2184 		ret = -EINVAL;
2185 		goto out;
2186 	}
2187 
2188 	hdr = (const struct mt7996_patch_hdr *)(fw->data);
2189 
2190 	dev_info(dev->mt76.dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
2191 		 be32_to_cpu(hdr->hw_sw_ver), hdr->build_date);
2192 
2193 	for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) {
2194 		struct mt7996_patch_sec *sec;
2195 		const u8 *dl;
2196 		u32 len, addr, sec_key_idx, mode = DL_MODE_NEED_RSP;
2197 
2198 		sec = (struct mt7996_patch_sec *)(fw->data + sizeof(*hdr) +
2199 						  i * sizeof(*sec));
2200 		if ((be32_to_cpu(sec->type) & PATCH_SEC_TYPE_MASK) !=
2201 		    PATCH_SEC_TYPE_INFO) {
2202 			ret = -EINVAL;
2203 			goto out;
2204 		}
2205 
2206 		addr = be32_to_cpu(sec->info.addr);
2207 		len = be32_to_cpu(sec->info.len);
2208 		sec_key_idx = be32_to_cpu(sec->info.sec_key_idx);
2209 		dl = fw->data + be32_to_cpu(sec->offs);
2210 
2211 		mode |= mt7996_patch_sec_mode(sec_key_idx);
2212 
2213 		ret = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
2214 						    mode);
2215 		if (ret) {
2216 			dev_err(dev->mt76.dev, "Download request failed\n");
2217 			goto out;
2218 		}
2219 
2220 		ret = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
2221 					       dl, len, 4096);
2222 		if (ret) {
2223 			dev_err(dev->mt76.dev, "Failed to send patch\n");
2224 			goto out;
2225 		}
2226 	}
2227 
2228 	ret = mt76_connac_mcu_start_patch(&dev->mt76);
2229 	if (ret)
2230 		dev_err(dev->mt76.dev, "Failed to start patch\n");
2231 
2232 out:
2233 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 0);
2234 	switch (sem) {
2235 	case PATCH_REL_SEM_SUCCESS:
2236 		break;
2237 	default:
2238 		ret = -EAGAIN;
2239 		dev_err(dev->mt76.dev, "Failed to release patch semaphore\n");
2240 		break;
2241 	}
2242 	release_firmware(fw);
2243 
2244 	return ret;
2245 }
2246 
2247 static int
2248 mt7996_mcu_send_ram_firmware(struct mt7996_dev *dev,
2249 			     const struct mt7996_fw_trailer *hdr,
2250 			     const u8 *data, bool is_wa)
2251 {
2252 	int i, offset = 0;
2253 	u32 override = 0, option = 0;
2254 
2255 	for (i = 0; i < hdr->n_region; i++) {
2256 		const struct mt7996_fw_region *region;
2257 		int err;
2258 		u32 len, addr, mode;
2259 
2260 		region = (const struct mt7996_fw_region *)((const u8 *)hdr -
2261 			 (hdr->n_region - i) * sizeof(*region));
2262 		mode = mt76_connac_mcu_gen_dl_mode(&dev->mt76,
2263 						   region->feature_set, is_wa);
2264 		len = le32_to_cpu(region->len);
2265 		addr = le32_to_cpu(region->addr);
2266 
2267 		if (region->feature_set & FW_FEATURE_OVERRIDE_ADDR)
2268 			override = addr;
2269 
2270 		err = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
2271 						    mode);
2272 		if (err) {
2273 			dev_err(dev->mt76.dev, "Download request failed\n");
2274 			return err;
2275 		}
2276 
2277 		err = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
2278 					       data + offset, len, 4096);
2279 		if (err) {
2280 			dev_err(dev->mt76.dev, "Failed to send firmware.\n");
2281 			return err;
2282 		}
2283 
2284 		offset += len;
2285 	}
2286 
2287 	if (override)
2288 		option |= FW_START_OVERRIDE;
2289 
2290 	if (is_wa)
2291 		option |= FW_START_WORKING_PDA_CR4;
2292 
2293 	return mt76_connac_mcu_start_firmware(&dev->mt76, override, option);
2294 }
2295 
2296 static int mt7996_load_ram(struct mt7996_dev *dev)
2297 {
2298 	const struct mt7996_fw_trailer *hdr;
2299 	const struct firmware *fw;
2300 	int ret;
2301 
2302 	ret = request_firmware(&fw, MT7996_FIRMWARE_WM, dev->mt76.dev);
2303 	if (ret)
2304 		return ret;
2305 
2306 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
2307 		dev_err(dev->mt76.dev, "Invalid firmware\n");
2308 		ret = -EINVAL;
2309 		goto out;
2310 	}
2311 
2312 	hdr = (const struct mt7996_fw_trailer *)(fw->data + fw->size - sizeof(*hdr));
2313 
2314 	dev_info(dev->mt76.dev, "WM Firmware Version: %.10s, Build Time: %.15s\n",
2315 		 hdr->fw_ver, hdr->build_date);
2316 
2317 	ret = mt7996_mcu_send_ram_firmware(dev, hdr, fw->data, false);
2318 	if (ret) {
2319 		dev_err(dev->mt76.dev, "Failed to start WM firmware\n");
2320 		goto out;
2321 	}
2322 
2323 	release_firmware(fw);
2324 
2325 	ret = request_firmware(&fw, MT7996_FIRMWARE_WA, dev->mt76.dev);
2326 	if (ret)
2327 		return ret;
2328 
2329 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
2330 		dev_err(dev->mt76.dev, "Invalid firmware\n");
2331 		ret = -EINVAL;
2332 		goto out;
2333 	}
2334 
2335 	hdr = (const struct mt7996_fw_trailer *)(fw->data + fw->size - sizeof(*hdr));
2336 
2337 	dev_info(dev->mt76.dev, "WA Firmware Version: %.10s, Build Time: %.15s\n",
2338 		 hdr->fw_ver, hdr->build_date);
2339 
2340 	ret = mt7996_mcu_send_ram_firmware(dev, hdr, fw->data, true);
2341 	if (ret) {
2342 		dev_err(dev->mt76.dev, "Failed to start WA firmware\n");
2343 		goto out;
2344 	}
2345 
2346 	snprintf(dev->mt76.hw->wiphy->fw_version,
2347 		 sizeof(dev->mt76.hw->wiphy->fw_version),
2348 		 "%.10s-%.15s", hdr->fw_ver, hdr->build_date);
2349 
2350 out:
2351 	release_firmware(fw);
2352 
2353 	return ret;
2354 }
2355 
2356 static int
2357 mt7996_firmware_state(struct mt7996_dev *dev, bool wa)
2358 {
2359 	u32 state = FIELD_PREP(MT_TOP_MISC_FW_STATE,
2360 			       wa ? FW_STATE_RDY : FW_STATE_FW_DOWNLOAD);
2361 
2362 	if (!mt76_poll_msec(dev, MT_TOP_MISC, MT_TOP_MISC_FW_STATE,
2363 			    state, 1000)) {
2364 		dev_err(dev->mt76.dev, "Timeout for initializing firmware\n");
2365 		return -EIO;
2366 	}
2367 	return 0;
2368 }
2369 
2370 static int
2371 mt7996_mcu_restart(struct mt76_dev *dev)
2372 {
2373 	struct {
2374 		u8 __rsv1[4];
2375 
2376 		__le16 tag;
2377 		__le16 len;
2378 		u8 power_mode;
2379 		u8 __rsv2[3];
2380 	} __packed req = {
2381 		.tag = cpu_to_le16(UNI_POWER_OFF),
2382 		.len = cpu_to_le16(sizeof(req) - 4),
2383 		.power_mode = 1,
2384 	};
2385 
2386 	return mt76_mcu_send_msg(dev, MCU_WM_UNI_CMD(POWER_CTRL), &req,
2387 				 sizeof(req), false);
2388 }
2389 
2390 static int mt7996_load_firmware(struct mt7996_dev *dev)
2391 {
2392 	int ret;
2393 
2394 	/* make sure fw is download state */
2395 	if (mt7996_firmware_state(dev, false)) {
2396 		/* restart firmware once */
2397 		mt7996_mcu_restart(&dev->mt76);
2398 		ret = mt7996_firmware_state(dev, false);
2399 		if (ret) {
2400 			dev_err(dev->mt76.dev,
2401 				"Firmware is not ready for download\n");
2402 			return ret;
2403 		}
2404 	}
2405 
2406 	ret = mt7996_load_patch(dev);
2407 	if (ret)
2408 		return ret;
2409 
2410 	ret = mt7996_load_ram(dev);
2411 	if (ret)
2412 		return ret;
2413 
2414 	ret = mt7996_firmware_state(dev, true);
2415 	if (ret)
2416 		return ret;
2417 
2418 	mt76_queue_tx_cleanup(dev, dev->mt76.q_mcu[MT_MCUQ_FWDL], false);
2419 
2420 	dev_dbg(dev->mt76.dev, "Firmware init done\n");
2421 
2422 	return 0;
2423 }
2424 
2425 int mt7996_mcu_fw_log_2_host(struct mt7996_dev *dev, u8 type, u8 ctrl)
2426 {
2427 	struct {
2428 		u8 _rsv[4];
2429 
2430 		__le16 tag;
2431 		__le16 len;
2432 		u8 ctrl;
2433 		u8 interval;
2434 		u8 _rsv2[2];
2435 	} __packed data = {
2436 		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_LOG_CTRL),
2437 		.len = cpu_to_le16(sizeof(data) - 4),
2438 		.ctrl = ctrl,
2439 	};
2440 
2441 	if (type == MCU_FW_LOG_WA)
2442 		return mt76_mcu_send_msg(&dev->mt76, MCU_WA_UNI_CMD(WSYS_CONFIG),
2443 					 &data, sizeof(data), true);
2444 
2445 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(WSYS_CONFIG), &data,
2446 				 sizeof(data), true);
2447 }
2448 
2449 int mt7996_mcu_fw_dbg_ctrl(struct mt7996_dev *dev, u32 module, u8 level)
2450 {
2451 	struct {
2452 		u8 _rsv[4];
2453 
2454 		__le16 tag;
2455 		__le16 len;
2456 		__le32 module_idx;
2457 		u8 level;
2458 		u8 _rsv2[3];
2459 	} data = {
2460 		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_DBG_CTRL),
2461 		.len = cpu_to_le16(sizeof(data) - 4),
2462 		.module_idx = cpu_to_le32(module),
2463 		.level = level,
2464 	};
2465 
2466 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(WSYS_CONFIG), &data,
2467 				 sizeof(data), false);
2468 }
2469 
2470 static int mt7996_mcu_set_mwds(struct mt7996_dev *dev, bool enabled)
2471 {
2472 	struct {
2473 		u8 enable;
2474 		u8 _rsv[3];
2475 	} __packed req = {
2476 		.enable = enabled
2477 	};
2478 
2479 	return mt76_mcu_send_msg(&dev->mt76, MCU_WA_EXT_CMD(MWDS_SUPPORT), &req,
2480 				 sizeof(req), false);
2481 }
2482 
2483 static void mt7996_add_rx_airtime_tlv(struct sk_buff *skb, u8 band_idx)
2484 {
2485 	struct vow_rx_airtime *req;
2486 	struct tlv *tlv;
2487 
2488 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_VOW_RX_AT_AIRTIME_CLR_EN, sizeof(*req));
2489 	req = (struct vow_rx_airtime *)tlv;
2490 	req->enable = true;
2491 	req->band = band_idx;
2492 
2493 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_VOW_RX_AT_AIRTIME_EN, sizeof(*req));
2494 	req = (struct vow_rx_airtime *)tlv;
2495 	req->enable = true;
2496 	req->band = band_idx;
2497 }
2498 
2499 static int
2500 mt7996_mcu_init_rx_airtime(struct mt7996_dev *dev)
2501 {
2502 	struct uni_header hdr = {};
2503 	struct sk_buff *skb;
2504 	int len, num;
2505 
2506 	num = 2 + 2 * (dev->dbdc_support + dev->tbtc_support);
2507 	len = sizeof(hdr) + num * sizeof(struct vow_rx_airtime);
2508 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
2509 	if (!skb)
2510 		return -ENOMEM;
2511 
2512 	skb_put_data(skb, &hdr, sizeof(hdr));
2513 
2514 	mt7996_add_rx_airtime_tlv(skb, dev->mt76.phy.band_idx);
2515 
2516 	if (dev->dbdc_support)
2517 		mt7996_add_rx_airtime_tlv(skb, MT_BAND1);
2518 
2519 	if (dev->tbtc_support)
2520 		mt7996_add_rx_airtime_tlv(skb, MT_BAND2);
2521 
2522 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
2523 				     MCU_WM_UNI_CMD(VOW), true);
2524 }
2525 
2526 int mt7996_mcu_init(struct mt7996_dev *dev)
2527 {
2528 	static const struct mt76_mcu_ops mt7996_mcu_ops = {
2529 		.headroom = sizeof(struct mt76_connac2_mcu_txd), /* reuse */
2530 		.mcu_skb_send_msg = mt7996_mcu_send_message,
2531 		.mcu_parse_response = mt7996_mcu_parse_response,
2532 	};
2533 	int ret;
2534 
2535 	dev->mt76.mcu_ops = &mt7996_mcu_ops;
2536 
2537 	/* force firmware operation mode into normal state,
2538 	 * which should be set before firmware download stage.
2539 	 */
2540 	mt76_wr(dev, MT_SWDEF_MODE, MT_SWDEF_NORMAL_MODE);
2541 
2542 	ret = mt7996_driver_own(dev, 0);
2543 	if (ret)
2544 		return ret;
2545 	/* set driver own for band1 when two hif exist */
2546 	if (dev->hif2) {
2547 		ret = mt7996_driver_own(dev, 1);
2548 		if (ret)
2549 			return ret;
2550 	}
2551 
2552 	ret = mt7996_load_firmware(dev);
2553 	if (ret)
2554 		return ret;
2555 
2556 	set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
2557 	ret = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WM, 0);
2558 	if (ret)
2559 		return ret;
2560 
2561 	ret = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WA, 0);
2562 	if (ret)
2563 		return ret;
2564 
2565 	ret = mt7996_mcu_set_mwds(dev, 1);
2566 	if (ret)
2567 		return ret;
2568 
2569 	ret = mt7996_mcu_init_rx_airtime(dev);
2570 	if (ret)
2571 		return ret;
2572 
2573 	return mt7996_mcu_wa_cmd(dev, MCU_WA_PARAM_CMD(SET),
2574 				 MCU_WA_PARAM_RED, 0, 0);
2575 }
2576 
2577 void mt7996_mcu_exit(struct mt7996_dev *dev)
2578 {
2579 	mt7996_mcu_restart(&dev->mt76);
2580 	if (mt7996_firmware_state(dev, false)) {
2581 		dev_err(dev->mt76.dev, "Failed to exit mcu\n");
2582 		goto out;
2583 	}
2584 
2585 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(0), MT_TOP_LPCR_HOST_FW_OWN);
2586 	if (dev->hif2)
2587 		mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(1),
2588 			MT_TOP_LPCR_HOST_FW_OWN);
2589 out:
2590 	skb_queue_purge(&dev->mt76.mcu.res_q);
2591 }
2592 
2593 int mt7996_mcu_set_hdr_trans(struct mt7996_dev *dev, bool hdr_trans)
2594 {
2595 	struct {
2596 		u8 __rsv[4];
2597 	} __packed hdr;
2598 	struct hdr_trans_blacklist *req_blacklist;
2599 	struct hdr_trans_en *req_en;
2600 	struct sk_buff *skb;
2601 	struct tlv *tlv;
2602 	int len = MT7996_HDR_TRANS_MAX_SIZE + sizeof(hdr);
2603 
2604 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
2605 	if (!skb)
2606 		return -ENOMEM;
2607 
2608 	skb_put_data(skb, &hdr, sizeof(hdr));
2609 
2610 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_EN, sizeof(*req_en));
2611 	req_en = (struct hdr_trans_en *)tlv;
2612 	req_en->enable = hdr_trans;
2613 
2614 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_VLAN,
2615 				     sizeof(struct hdr_trans_vlan));
2616 
2617 	if (hdr_trans) {
2618 		tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_BLACKLIST,
2619 					     sizeof(*req_blacklist));
2620 		req_blacklist = (struct hdr_trans_blacklist *)tlv;
2621 		req_blacklist->enable = 1;
2622 		req_blacklist->type = cpu_to_le16(ETH_P_PAE);
2623 	}
2624 
2625 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
2626 				     MCU_WM_UNI_CMD(RX_HDR_TRANS), true);
2627 }
2628 
2629 int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif)
2630 {
2631 #define MCU_EDCA_AC_PARAM	0
2632 #define WMM_AIFS_SET		BIT(0)
2633 #define WMM_CW_MIN_SET		BIT(1)
2634 #define WMM_CW_MAX_SET		BIT(2)
2635 #define WMM_TXOP_SET		BIT(3)
2636 #define WMM_PARAM_SET		(WMM_AIFS_SET | WMM_CW_MIN_SET | \
2637 				 WMM_CW_MAX_SET | WMM_TXOP_SET)
2638 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2639 	struct {
2640 		u8 bss_idx;
2641 		u8 __rsv[3];
2642 	} __packed hdr = {
2643 		.bss_idx = mvif->mt76.idx,
2644 	};
2645 	struct sk_buff *skb;
2646 	int len = sizeof(hdr) + IEEE80211_NUM_ACS * sizeof(struct edca);
2647 	int ac;
2648 
2649 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
2650 	if (!skb)
2651 		return -ENOMEM;
2652 
2653 	skb_put_data(skb, &hdr, sizeof(hdr));
2654 
2655 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
2656 		struct ieee80211_tx_queue_params *q = &mvif->queue_params[ac];
2657 		struct edca *e;
2658 		struct tlv *tlv;
2659 
2660 		tlv = mt7996_mcu_add_uni_tlv(skb, MCU_EDCA_AC_PARAM, sizeof(*e));
2661 
2662 		e = (struct edca *)tlv;
2663 		e->set = WMM_PARAM_SET;
2664 		e->queue = ac + mvif->mt76.wmm_idx * MT7996_MAX_WMM_SETS;
2665 		e->aifs = q->aifs;
2666 		e->txop = cpu_to_le16(q->txop);
2667 
2668 		if (q->cw_min)
2669 			e->cw_min = fls(q->cw_min);
2670 		else
2671 			e->cw_min = 5;
2672 
2673 		if (q->cw_max)
2674 			e->cw_max = fls(q->cw_max);
2675 		else
2676 			e->cw_max = 10;
2677 	}
2678 
2679 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
2680 				     MCU_WM_UNI_CMD(EDCA_UPDATE), true);
2681 }
2682 
2683 int mt7996_mcu_set_fcc5_lpn(struct mt7996_dev *dev, int val)
2684 {
2685 	struct {
2686 		u8 _rsv[4];
2687 
2688 		__le16 tag;
2689 		__le16 len;
2690 
2691 		__le32 ctrl;
2692 		__le16 min_lpn;
2693 		u8 rsv[2];
2694 	} __packed req = {
2695 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
2696 		.len = cpu_to_le16(sizeof(req) - 4),
2697 
2698 		.ctrl = cpu_to_le32(0x1),
2699 		.min_lpn = cpu_to_le16(val),
2700 	};
2701 
2702 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
2703 				 &req, sizeof(req), true);
2704 }
2705 
2706 int mt7996_mcu_set_pulse_th(struct mt7996_dev *dev,
2707 			    const struct mt7996_dfs_pulse *pulse)
2708 {
2709 	struct {
2710 		u8 _rsv[4];
2711 
2712 		__le16 tag;
2713 		__le16 len;
2714 
2715 		__le32 ctrl;
2716 
2717 		__le32 max_width;		/* us */
2718 		__le32 max_pwr;			/* dbm */
2719 		__le32 min_pwr;			/* dbm */
2720 		__le32 min_stgr_pri;		/* us */
2721 		__le32 max_stgr_pri;		/* us */
2722 		__le32 min_cr_pri;		/* us */
2723 		__le32 max_cr_pri;		/* us */
2724 	} __packed req = {
2725 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
2726 		.len = cpu_to_le16(sizeof(req) - 4),
2727 
2728 		.ctrl = cpu_to_le32(0x3),
2729 
2730 #define __req_field(field) .field = cpu_to_le32(pulse->field)
2731 		__req_field(max_width),
2732 		__req_field(max_pwr),
2733 		__req_field(min_pwr),
2734 		__req_field(min_stgr_pri),
2735 		__req_field(max_stgr_pri),
2736 		__req_field(min_cr_pri),
2737 		__req_field(max_cr_pri),
2738 #undef __req_field
2739 	};
2740 
2741 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
2742 				 &req, sizeof(req), true);
2743 }
2744 
2745 int mt7996_mcu_set_radar_th(struct mt7996_dev *dev, int index,
2746 			    const struct mt7996_dfs_pattern *pattern)
2747 {
2748 	struct {
2749 		u8 _rsv[4];
2750 
2751 		__le16 tag;
2752 		__le16 len;
2753 
2754 		__le32 ctrl;
2755 		__le16 radar_type;
2756 
2757 		u8 enb;
2758 		u8 stgr;
2759 		u8 min_crpn;
2760 		u8 max_crpn;
2761 		u8 min_crpr;
2762 		u8 min_pw;
2763 		__le32 min_pri;
2764 		__le32 max_pri;
2765 		u8 max_pw;
2766 		u8 min_crbn;
2767 		u8 max_crbn;
2768 		u8 min_stgpn;
2769 		u8 max_stgpn;
2770 		u8 min_stgpr;
2771 		u8 rsv[2];
2772 		__le32 min_stgpr_diff;
2773 	} __packed req = {
2774 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
2775 		.len = cpu_to_le16(sizeof(req) - 4),
2776 
2777 		.ctrl = cpu_to_le32(0x2),
2778 		.radar_type = cpu_to_le16(index),
2779 
2780 #define __req_field_u8(field) .field = pattern->field
2781 #define __req_field_u32(field) .field = cpu_to_le32(pattern->field)
2782 		__req_field_u8(enb),
2783 		__req_field_u8(stgr),
2784 		__req_field_u8(min_crpn),
2785 		__req_field_u8(max_crpn),
2786 		__req_field_u8(min_crpr),
2787 		__req_field_u8(min_pw),
2788 		__req_field_u32(min_pri),
2789 		__req_field_u32(max_pri),
2790 		__req_field_u8(max_pw),
2791 		__req_field_u8(min_crbn),
2792 		__req_field_u8(max_crbn),
2793 		__req_field_u8(min_stgpn),
2794 		__req_field_u8(max_stgpn),
2795 		__req_field_u8(min_stgpr),
2796 		__req_field_u32(min_stgpr_diff),
2797 #undef __req_field_u8
2798 #undef __req_field_u32
2799 	};
2800 
2801 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
2802 				 &req, sizeof(req), true);
2803 }
2804 
2805 static int
2806 mt7996_mcu_background_chain_ctrl(struct mt7996_phy *phy,
2807 				 struct cfg80211_chan_def *chandef,
2808 				 int cmd)
2809 {
2810 	struct mt7996_dev *dev = phy->dev;
2811 	struct mt76_phy *mphy = phy->mt76;
2812 	struct ieee80211_channel *chan = mphy->chandef.chan;
2813 	int freq = mphy->chandef.center_freq1;
2814 	struct mt7996_mcu_background_chain_ctrl req = {
2815 		.tag = cpu_to_le16(0),
2816 		.len = cpu_to_le16(sizeof(req) - 4),
2817 		.monitor_scan_type = 2, /* simple rx */
2818 	};
2819 
2820 	if (!chandef && cmd != CH_SWITCH_BACKGROUND_SCAN_STOP)
2821 		return -EINVAL;
2822 
2823 	if (!cfg80211_chandef_valid(&mphy->chandef))
2824 		return -EINVAL;
2825 
2826 	switch (cmd) {
2827 	case CH_SWITCH_BACKGROUND_SCAN_START: {
2828 		req.chan = chan->hw_value;
2829 		req.central_chan = ieee80211_frequency_to_channel(freq);
2830 		req.bw = mt76_connac_chan_bw(&mphy->chandef);
2831 		req.monitor_chan = chandef->chan->hw_value;
2832 		req.monitor_central_chan =
2833 			ieee80211_frequency_to_channel(chandef->center_freq1);
2834 		req.monitor_bw = mt76_connac_chan_bw(chandef);
2835 		req.band_idx = phy->mt76->band_idx;
2836 		req.scan_mode = 1;
2837 		break;
2838 	}
2839 	case CH_SWITCH_BACKGROUND_SCAN_RUNNING:
2840 		req.monitor_chan = chandef->chan->hw_value;
2841 		req.monitor_central_chan =
2842 			ieee80211_frequency_to_channel(chandef->center_freq1);
2843 		req.band_idx = phy->mt76->band_idx;
2844 		req.scan_mode = 2;
2845 		break;
2846 	case CH_SWITCH_BACKGROUND_SCAN_STOP:
2847 		req.chan = chan->hw_value;
2848 		req.central_chan = ieee80211_frequency_to_channel(freq);
2849 		req.bw = mt76_connac_chan_bw(&mphy->chandef);
2850 		req.tx_stream = hweight8(mphy->antenna_mask);
2851 		req.rx_stream = mphy->antenna_mask;
2852 		break;
2853 	default:
2854 		return -EINVAL;
2855 	}
2856 	req.band = chandef ? chandef->chan->band == NL80211_BAND_5GHZ : 1;
2857 
2858 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(OFFCH_SCAN_CTRL),
2859 				 &req, sizeof(req), false);
2860 }
2861 
2862 int mt7996_mcu_rdd_background_enable(struct mt7996_phy *phy,
2863 				     struct cfg80211_chan_def *chandef)
2864 {
2865 	struct mt7996_dev *dev = phy->dev;
2866 	int err, region;
2867 
2868 	if (!chandef) { /* disable offchain */
2869 		err = mt7996_mcu_rdd_cmd(dev, RDD_STOP, MT_RX_SEL2,
2870 					 0, 0);
2871 		if (err)
2872 			return err;
2873 
2874 		return mt7996_mcu_background_chain_ctrl(phy, NULL,
2875 				CH_SWITCH_BACKGROUND_SCAN_STOP);
2876 	}
2877 
2878 	err = mt7996_mcu_background_chain_ctrl(phy, chandef,
2879 					       CH_SWITCH_BACKGROUND_SCAN_START);
2880 	if (err)
2881 		return err;
2882 
2883 	switch (dev->mt76.region) {
2884 	case NL80211_DFS_ETSI:
2885 		region = 0;
2886 		break;
2887 	case NL80211_DFS_JP:
2888 		region = 2;
2889 		break;
2890 	case NL80211_DFS_FCC:
2891 	default:
2892 		region = 1;
2893 		break;
2894 	}
2895 
2896 	return mt7996_mcu_rdd_cmd(dev, RDD_START, MT_RX_SEL2,
2897 				  0, region);
2898 }
2899 
2900 int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag)
2901 {
2902 	static const u8 ch_band[] = {
2903 		[NL80211_BAND_2GHZ] = 0,
2904 		[NL80211_BAND_5GHZ] = 1,
2905 		[NL80211_BAND_6GHZ] = 2,
2906 	};
2907 	struct mt7996_dev *dev = phy->dev;
2908 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
2909 	int freq1 = chandef->center_freq1;
2910 	u8 band_idx = phy->mt76->band_idx;
2911 	struct {
2912 		/* fixed field */
2913 		u8 __rsv[4];
2914 
2915 		__le16 tag;
2916 		__le16 len;
2917 		u8 control_ch;
2918 		u8 center_ch;
2919 		u8 bw;
2920 		u8 tx_path_num;
2921 		u8 rx_path;	/* mask or num */
2922 		u8 switch_reason;
2923 		u8 band_idx;
2924 		u8 center_ch2;	/* for 80+80 only */
2925 		__le16 cac_case;
2926 		u8 channel_band;
2927 		u8 rsv0;
2928 		__le32 outband_freq;
2929 		u8 txpower_drop;
2930 		u8 ap_bw;
2931 		u8 ap_center_ch;
2932 		u8 rsv1[53];
2933 	} __packed req = {
2934 		.tag = cpu_to_le16(tag),
2935 		.len = cpu_to_le16(sizeof(req) - 4),
2936 		.control_ch = chandef->chan->hw_value,
2937 		.center_ch = ieee80211_frequency_to_channel(freq1),
2938 		.bw = mt76_connac_chan_bw(chandef),
2939 		.tx_path_num = hweight16(phy->mt76->chainmask),
2940 		.rx_path = phy->mt76->chainmask >> dev->chainshift[band_idx],
2941 		.band_idx = band_idx,
2942 		.channel_band = ch_band[chandef->chan->band],
2943 	};
2944 
2945 	if (tag == UNI_CHANNEL_RX_PATH ||
2946 	    dev->mt76.hw->conf.flags & IEEE80211_CONF_MONITOR)
2947 		req.switch_reason = CH_SWITCH_NORMAL;
2948 	else if (phy->mt76->hw->conf.flags & IEEE80211_CONF_OFFCHANNEL)
2949 		req.switch_reason = CH_SWITCH_SCAN_BYPASS_DPD;
2950 	else if (!cfg80211_reg_can_beacon(phy->mt76->hw->wiphy, chandef,
2951 					  NL80211_IFTYPE_AP))
2952 		req.switch_reason = CH_SWITCH_DFS;
2953 	else
2954 		req.switch_reason = CH_SWITCH_NORMAL;
2955 
2956 	if (tag == UNI_CHANNEL_SWITCH)
2957 		req.rx_path = hweight8(req.rx_path);
2958 
2959 	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
2960 		int freq2 = chandef->center_freq2;
2961 
2962 		req.center_ch2 = ieee80211_frequency_to_channel(freq2);
2963 	}
2964 
2965 	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(CHANNEL_SWITCH),
2966 				 &req, sizeof(req), true);
2967 }
2968 
2969 static int mt7996_mcu_set_eeprom_flash(struct mt7996_dev *dev)
2970 {
2971 #define MAX_PAGE_IDX_MASK	GENMASK(7, 5)
2972 #define PAGE_IDX_MASK		GENMASK(4, 2)
2973 #define PER_PAGE_SIZE		0x400
2974 	struct mt7996_mcu_eeprom req = {
2975 		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
2976 		.buffer_mode = EE_MODE_BUFFER
2977 	};
2978 	u16 eeprom_size = MT7996_EEPROM_SIZE;
2979 	u8 total = DIV_ROUND_UP(eeprom_size, PER_PAGE_SIZE);
2980 	u8 *eep = (u8 *)dev->mt76.eeprom.data;
2981 	int eep_len, i;
2982 
2983 	for (i = 0; i < total; i++, eep += eep_len) {
2984 		struct sk_buff *skb;
2985 		int ret, msg_len;
2986 
2987 		if (i == total - 1 && !!(eeprom_size % PER_PAGE_SIZE))
2988 			eep_len = eeprom_size % PER_PAGE_SIZE;
2989 		else
2990 			eep_len = PER_PAGE_SIZE;
2991 
2992 		msg_len = sizeof(req) + eep_len;
2993 		skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, msg_len);
2994 		if (!skb)
2995 			return -ENOMEM;
2996 
2997 		req.len = cpu_to_le16(msg_len - 4);
2998 		req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) |
2999 			     FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE;
3000 		req.buf_len = cpu_to_le16(eep_len);
3001 
3002 		skb_put_data(skb, &req, sizeof(req));
3003 		skb_put_data(skb, eep, eep_len);
3004 
3005 		ret = mt76_mcu_skb_send_msg(&dev->mt76, skb,
3006 					    MCU_WM_UNI_CMD(EFUSE_CTRL), true);
3007 		if (ret)
3008 			return ret;
3009 	}
3010 
3011 	return 0;
3012 }
3013 
3014 int mt7996_mcu_set_eeprom(struct mt7996_dev *dev)
3015 {
3016 	struct mt7996_mcu_eeprom req = {
3017 		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
3018 		.len = cpu_to_le16(sizeof(req) - 4),
3019 		.buffer_mode = EE_MODE_EFUSE,
3020 		.format = EE_FORMAT_WHOLE
3021 	};
3022 
3023 	if (dev->flash_mode)
3024 		return mt7996_mcu_set_eeprom_flash(dev);
3025 
3026 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(EFUSE_CTRL),
3027 				 &req, sizeof(req), true);
3028 }
3029 
3030 int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset)
3031 {
3032 	struct {
3033 		u8 _rsv[4];
3034 
3035 		__le16 tag;
3036 		__le16 len;
3037 		__le32 addr;
3038 		__le32 valid;
3039 		u8 data[16];
3040 	} __packed req = {
3041 		.tag = cpu_to_le16(UNI_EFUSE_ACCESS),
3042 		.len = cpu_to_le16(sizeof(req) - 4),
3043 		.addr = cpu_to_le32(round_down(offset,
3044 				    MT7996_EEPROM_BLOCK_SIZE)),
3045 	};
3046 	struct sk_buff *skb;
3047 	bool valid;
3048 	int ret;
3049 
3050 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
3051 					MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL),
3052 					&req, sizeof(req), true, &skb);
3053 	if (ret)
3054 		return ret;
3055 
3056 	valid = le32_to_cpu(*(__le32 *)(skb->data + 16));
3057 	if (valid) {
3058 		u32 addr = le32_to_cpu(*(__le32 *)(skb->data + 12));
3059 		u8 *buf = (u8 *)dev->mt76.eeprom.data + addr;
3060 
3061 		skb_pull(skb, 64);
3062 		memcpy(buf, skb->data, MT7996_EEPROM_BLOCK_SIZE);
3063 	}
3064 
3065 	dev_kfree_skb(skb);
3066 
3067 	return 0;
3068 }
3069 
3070 int mt7996_mcu_get_eeprom_free_block(struct mt7996_dev *dev, u8 *block_num)
3071 {
3072 	struct {
3073 		u8 _rsv[4];
3074 
3075 		__le16 tag;
3076 		__le16 len;
3077 		u8 num;
3078 		u8 version;
3079 		u8 die_idx;
3080 		u8 _rsv2;
3081 	} __packed req = {
3082 		.tag = cpu_to_le16(UNI_EFUSE_FREE_BLOCK),
3083 		.len = cpu_to_le16(sizeof(req) - 4),
3084 		.version = 2,
3085 	};
3086 	struct sk_buff *skb;
3087 	int ret;
3088 
3089 	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL), &req,
3090 					sizeof(req), true, &skb);
3091 	if (ret)
3092 		return ret;
3093 
3094 	*block_num = *(u8 *)(skb->data + 8);
3095 	dev_kfree_skb(skb);
3096 
3097 	return 0;
3098 }
3099 
3100 int mt7996_mcu_get_chip_config(struct mt7996_dev *dev, u32 *cap)
3101 {
3102 #define NIC_CAP	3
3103 #define UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION	0x21
3104 	struct {
3105 		u8 _rsv[4];
3106 
3107 		__le16 tag;
3108 		__le16 len;
3109 	} __packed req = {
3110 		.tag = cpu_to_le16(NIC_CAP),
3111 		.len = cpu_to_le16(sizeof(req) - 4),
3112 	};
3113 	struct sk_buff *skb;
3114 	u8 *buf;
3115 	int ret;
3116 
3117 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
3118 					MCU_WM_UNI_CMD_QUERY(CHIP_CONFIG), &req,
3119 					sizeof(req), true, &skb);
3120 	if (ret)
3121 		return ret;
3122 
3123 	/* fixed field */
3124 	skb_pull(skb, 4);
3125 
3126 	buf = skb->data;
3127 	while (buf - skb->data < skb->len) {
3128 		struct tlv *tlv = (struct tlv *)buf;
3129 
3130 		switch (le16_to_cpu(tlv->tag)) {
3131 		case UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION:
3132 			*cap = le32_to_cpu(*(__le32 *)(buf + sizeof(*tlv)));
3133 			break;
3134 		default:
3135 			break;
3136 		};
3137 
3138 		buf += le16_to_cpu(tlv->len);
3139 	}
3140 
3141 	dev_kfree_skb(skb);
3142 
3143 	return 0;
3144 }
3145 
3146 int mt7996_mcu_get_chan_mib_info(struct mt7996_phy *phy, bool chan_switch)
3147 {
3148 	struct {
3149 		struct {
3150 			u8 band;
3151 			u8 __rsv[3];
3152 		} hdr;
3153 		struct {
3154 			__le16 tag;
3155 			__le16 len;
3156 			__le32 offs;
3157 		} data[4];
3158 	} __packed req = {
3159 		.hdr.band = phy->mt76->band_idx,
3160 	};
3161 	/* strict order */
3162 	static const u32 offs[] = {
3163 		UNI_MIB_TX_TIME,
3164 		UNI_MIB_RX_TIME,
3165 		UNI_MIB_OBSS_AIRTIME,
3166 		UNI_MIB_NON_WIFI_TIME,
3167 	};
3168 	struct mt76_channel_state *state = phy->mt76->chan_state;
3169 	struct mt76_channel_state *state_ts = &phy->state_ts;
3170 	struct mt7996_dev *dev = phy->dev;
3171 	struct mt7996_mcu_mib *res;
3172 	struct sk_buff *skb;
3173 	int i, ret;
3174 
3175 	for (i = 0; i < 4; i++) {
3176 		req.data[i].tag = cpu_to_le16(UNI_CMD_MIB_DATA);
3177 		req.data[i].len = cpu_to_le16(sizeof(req.data[i]));
3178 		req.data[i].offs = cpu_to_le32(offs[i]);
3179 	}
3180 
3181 	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(GET_MIB_INFO),
3182 					&req, sizeof(req), true, &skb);
3183 	if (ret)
3184 		return ret;
3185 
3186 	skb_pull(skb, sizeof(req.hdr));
3187 
3188 	res = (struct mt7996_mcu_mib *)(skb->data);
3189 
3190 	if (chan_switch)
3191 		goto out;
3192 
3193 #define __res_u64(s) le64_to_cpu(res[s].data)
3194 	state->cc_tx += __res_u64(1) - state_ts->cc_tx;
3195 	state->cc_bss_rx += __res_u64(2) - state_ts->cc_bss_rx;
3196 	state->cc_rx += __res_u64(2) + __res_u64(3) - state_ts->cc_rx;
3197 	state->cc_busy += __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3) -
3198 			  state_ts->cc_busy;
3199 
3200 out:
3201 	state_ts->cc_tx = __res_u64(1);
3202 	state_ts->cc_bss_rx = __res_u64(2);
3203 	state_ts->cc_rx = __res_u64(2) + __res_u64(3);
3204 	state_ts->cc_busy = __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3);
3205 #undef __res_u64
3206 
3207 	dev_kfree_skb(skb);
3208 
3209 	return 0;
3210 }
3211 
3212 int mt7996_mcu_set_ser(struct mt7996_dev *dev, u8 action, u8 val, u8 band)
3213 {
3214 	struct {
3215 		u8 rsv[4];
3216 
3217 		__le16 tag;
3218 		__le16 len;
3219 
3220 		union {
3221 			struct {
3222 				__le32 mask;
3223 			} __packed set;
3224 
3225 			struct {
3226 				u8 method;
3227 				u8 band;
3228 				u8 rsv2[2];
3229 			} __packed trigger;
3230 		};
3231 	} __packed req = {
3232 		.tag = cpu_to_le16(action),
3233 		.len = cpu_to_le16(sizeof(req) - 4),
3234 	};
3235 
3236 	switch (action) {
3237 	case UNI_CMD_SER_SET:
3238 		req.set.mask = cpu_to_le32(val);
3239 		break;
3240 	case UNI_CMD_SER_TRIGGER:
3241 		req.trigger.method = val;
3242 		req.trigger.band = band;
3243 		break;
3244 	default:
3245 		return -EINVAL;
3246 	}
3247 
3248 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SER),
3249 				 &req, sizeof(req), false);
3250 }
3251 
3252 int mt7996_mcu_set_txbf(struct mt7996_dev *dev, u8 action)
3253 {
3254 #define MT7996_BF_MAX_SIZE	sizeof(union bf_tag_tlv)
3255 #define BF_PROCESSING	4
3256 	struct uni_header hdr;
3257 	struct sk_buff *skb;
3258 	struct tlv *tlv;
3259 	int len = sizeof(hdr) + MT7996_BF_MAX_SIZE;
3260 
3261 	memset(&hdr, 0, sizeof(hdr));
3262 
3263 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
3264 	if (!skb)
3265 		return -ENOMEM;
3266 
3267 	skb_put_data(skb, &hdr, sizeof(hdr));
3268 
3269 	switch (action) {
3270 	case BF_SOUNDING_ON: {
3271 		struct bf_sounding_on *req_snd_on;
3272 
3273 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_snd_on));
3274 		req_snd_on = (struct bf_sounding_on *)tlv;
3275 		req_snd_on->snd_mode = BF_PROCESSING;
3276 		break;
3277 	}
3278 	case BF_HW_EN_UPDATE: {
3279 		struct bf_hw_en_status_update *req_hw_en;
3280 
3281 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_hw_en));
3282 		req_hw_en = (struct bf_hw_en_status_update *)tlv;
3283 		req_hw_en->ebf = true;
3284 		req_hw_en->ibf = dev->ibf;
3285 		break;
3286 	}
3287 	case BF_MOD_EN_CTRL: {
3288 		struct bf_mod_en_ctrl *req_mod_en;
3289 
3290 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_mod_en));
3291 		req_mod_en = (struct bf_mod_en_ctrl *)tlv;
3292 		req_mod_en->bf_num = 2;
3293 		req_mod_en->bf_bitmap = GENMASK(0, 0);
3294 		break;
3295 	}
3296 	default:
3297 		return -EINVAL;
3298 	}
3299 
3300 	return mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_WM_UNI_CMD(BF), true);
3301 }
3302 
3303 static int
3304 mt7996_mcu_enable_obss_spr(struct mt7996_phy *phy, u16 action, u8 val)
3305 {
3306 	struct mt7996_dev *dev = phy->dev;
3307 	struct {
3308 		u8 band_idx;
3309 		u8 __rsv[3];
3310 
3311 		__le16 tag;
3312 		__le16 len;
3313 
3314 		__le32 val;
3315 	} __packed req = {
3316 		.band_idx = phy->mt76->band_idx,
3317 		.tag = cpu_to_le16(action),
3318 		.len = cpu_to_le16(sizeof(req) - 4),
3319 		.val = cpu_to_le32(val),
3320 	};
3321 
3322 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
3323 				 &req, sizeof(req), true);
3324 }
3325 
3326 static int
3327 mt7996_mcu_set_obss_spr_pd(struct mt7996_phy *phy,
3328 			   struct ieee80211_he_obss_pd *he_obss_pd)
3329 {
3330 	struct mt7996_dev *dev = phy->dev;
3331 	u8 max_th = 82, non_srg_max_th = 62;
3332 	struct {
3333 		u8 band_idx;
3334 		u8 __rsv[3];
3335 
3336 		__le16 tag;
3337 		__le16 len;
3338 
3339 		u8 pd_th_non_srg;
3340 		u8 pd_th_srg;
3341 		u8 period_offs;
3342 		u8 rcpi_src;
3343 		__le16 obss_pd_min;
3344 		__le16 obss_pd_min_srg;
3345 		u8 resp_txpwr_mode;
3346 		u8 txpwr_restrict_mode;
3347 		u8 txpwr_ref;
3348 		u8 __rsv2[3];
3349 	} __packed req = {
3350 		.band_idx = phy->mt76->band_idx,
3351 		.tag = cpu_to_le16(UNI_CMD_SR_SET_PARAM),
3352 		.len = cpu_to_le16(sizeof(req) - 4),
3353 		.obss_pd_min = cpu_to_le16(max_th),
3354 		.obss_pd_min_srg = cpu_to_le16(max_th),
3355 		.txpwr_restrict_mode = 2,
3356 		.txpwr_ref = 21
3357 	};
3358 	int ret;
3359 
3360 	/* disable firmware dynamical PD asjustment */
3361 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_DPD, false);
3362 	if (ret)
3363 		return ret;
3364 
3365 	if (he_obss_pd->sr_ctrl &
3366 	    IEEE80211_HE_SPR_NON_SRG_OBSS_PD_SR_DISALLOWED)
3367 		req.pd_th_non_srg = max_th;
3368 	else if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
3369 		req.pd_th_non_srg  = max_th - he_obss_pd->non_srg_max_offset;
3370 	else
3371 		req.pd_th_non_srg  = non_srg_max_th;
3372 
3373 	if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT)
3374 		req.pd_th_srg = max_th - he_obss_pd->max_offset;
3375 
3376 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
3377 				 &req, sizeof(req), true);
3378 }
3379 
3380 static int
3381 mt7996_mcu_set_obss_spr_siga(struct mt7996_phy *phy, struct ieee80211_vif *vif,
3382 			     struct ieee80211_he_obss_pd *he_obss_pd)
3383 {
3384 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3385 	struct mt7996_dev *dev = phy->dev;
3386 	u8 omac = mvif->mt76.omac_idx;
3387 	struct {
3388 		u8 band_idx;
3389 		u8 __rsv[3];
3390 
3391 		__le16 tag;
3392 		__le16 len;
3393 
3394 		u8 omac;
3395 		u8 __rsv2[3];
3396 		u8 flag[20];
3397 	} __packed req = {
3398 		.band_idx = phy->mt76->band_idx,
3399 		.tag = cpu_to_le16(UNI_CMD_SR_SET_SIGA),
3400 		.len = cpu_to_le16(sizeof(req) - 4),
3401 		.omac = omac > HW_BSSID_MAX ? omac - 12 : omac,
3402 	};
3403 	int ret;
3404 
3405 	if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED)
3406 		req.flag[req.omac] = 0xf;
3407 	else
3408 		return 0;
3409 
3410 	/* switch to normal AP mode */
3411 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_MODE, 0);
3412 	if (ret)
3413 		return ret;
3414 
3415 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
3416 				 &req, sizeof(req), true);
3417 }
3418 
3419 static int
3420 mt7996_mcu_set_obss_spr_bitmap(struct mt7996_phy *phy,
3421 			       struct ieee80211_he_obss_pd *he_obss_pd)
3422 {
3423 	struct mt7996_dev *dev = phy->dev;
3424 	struct {
3425 		u8 band_idx;
3426 		u8 __rsv[3];
3427 
3428 		__le16 tag;
3429 		__le16 len;
3430 
3431 		__le32 color_l[2];
3432 		__le32 color_h[2];
3433 		__le32 bssid_l[2];
3434 		__le32 bssid_h[2];
3435 	} __packed req = {
3436 		.band_idx = phy->mt76->band_idx,
3437 		.tag = cpu_to_le16(UNI_CMD_SR_SET_SRG_BITMAP),
3438 		.len = cpu_to_le16(sizeof(req) - 4),
3439 	};
3440 	u32 bitmap;
3441 
3442 	memcpy(&bitmap, he_obss_pd->bss_color_bitmap, sizeof(bitmap));
3443 	req.color_l[req.band_idx] = cpu_to_le32(bitmap);
3444 
3445 	memcpy(&bitmap, he_obss_pd->bss_color_bitmap + 4, sizeof(bitmap));
3446 	req.color_h[req.band_idx] = cpu_to_le32(bitmap);
3447 
3448 	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap, sizeof(bitmap));
3449 	req.bssid_l[req.band_idx] = cpu_to_le32(bitmap);
3450 
3451 	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap + 4, sizeof(bitmap));
3452 	req.bssid_h[req.band_idx] = cpu_to_le32(bitmap);
3453 
3454 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR), &req,
3455 				 sizeof(req), true);
3456 }
3457 
3458 int mt7996_mcu_add_obss_spr(struct mt7996_phy *phy, struct ieee80211_vif *vif,
3459 			    struct ieee80211_he_obss_pd *he_obss_pd)
3460 {
3461 	int ret;
3462 
3463 	/* enable firmware scene detection algorithms */
3464 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_SD,
3465 					 sr_scene_detect);
3466 	if (ret)
3467 		return ret;
3468 
3469 	/* firmware dynamically adjusts PD threshold so skip manual control */
3470 	if (sr_scene_detect && !he_obss_pd->enable)
3471 		return 0;
3472 
3473 	/* enable spatial reuse */
3474 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE,
3475 					 he_obss_pd->enable);
3476 	if (ret)
3477 		return ret;
3478 
3479 	if (sr_scene_detect || !he_obss_pd->enable)
3480 		return 0;
3481 
3482 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_TX, true);
3483 	if (ret)
3484 		return ret;
3485 
3486 	/* set SRG/non-SRG OBSS PD threshold */
3487 	ret = mt7996_mcu_set_obss_spr_pd(phy, he_obss_pd);
3488 	if (ret)
3489 		return ret;
3490 
3491 	/* Set SR prohibit */
3492 	ret = mt7996_mcu_set_obss_spr_siga(phy, vif, he_obss_pd);
3493 	if (ret)
3494 		return ret;
3495 
3496 	/* set SRG BSS color/BSSID bitmap */
3497 	return mt7996_mcu_set_obss_spr_bitmap(phy, he_obss_pd);
3498 }
3499 
3500 int mt7996_mcu_update_bss_color(struct mt7996_dev *dev, struct ieee80211_vif *vif,
3501 				struct cfg80211_he_bss_color *he_bss_color)
3502 {
3503 	int len = sizeof(struct bss_req_hdr) + sizeof(struct bss_color_tlv);
3504 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3505 	struct bss_color_tlv *bss_color;
3506 	struct sk_buff *skb;
3507 	struct tlv *tlv;
3508 
3509 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76, len);
3510 	if (IS_ERR(skb))
3511 		return PTR_ERR(skb);
3512 
3513 	tlv = mt76_connac_mcu_add_tlv(skb, UNI_BSS_INFO_BSS_COLOR,
3514 				      sizeof(*bss_color));
3515 	bss_color = (struct bss_color_tlv *)tlv;
3516 	bss_color->enable = he_bss_color->enabled;
3517 	bss_color->color = he_bss_color->color;
3518 
3519 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
3520 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
3521 }
3522 
3523 #define TWT_AGRT_TRIGGER	BIT(0)
3524 #define TWT_AGRT_ANNOUNCE	BIT(1)
3525 #define TWT_AGRT_PROTECT	BIT(2)
3526 
3527 int mt7996_mcu_twt_agrt_update(struct mt7996_dev *dev,
3528 			       struct mt7996_vif *mvif,
3529 			       struct mt7996_twt_flow *flow,
3530 			       int cmd)
3531 {
3532 	struct {
3533 		u8 _rsv[4];
3534 
3535 		__le16 tag;
3536 		__le16 len;
3537 		u8 tbl_idx;
3538 		u8 cmd;
3539 		u8 own_mac_idx;
3540 		u8 flowid; /* 0xff for group id */
3541 		__le16 peer_id; /* specify the peer_id (msb=0)
3542 				 * or group_id (msb=1)
3543 				 */
3544 		u8 duration; /* 256 us */
3545 		u8 bss_idx;
3546 		__le64 start_tsf;
3547 		__le16 mantissa;
3548 		u8 exponent;
3549 		u8 is_ap;
3550 		u8 agrt_params;
3551 		u8 __rsv2[135];
3552 	} __packed req = {
3553 		.tag = cpu_to_le16(UNI_CMD_TWT_ARGT_UPDATE),
3554 		.len = cpu_to_le16(sizeof(req) - 4),
3555 		.tbl_idx = flow->table_id,
3556 		.cmd = cmd,
3557 		.own_mac_idx = mvif->mt76.omac_idx,
3558 		.flowid = flow->id,
3559 		.peer_id = cpu_to_le16(flow->wcid),
3560 		.duration = flow->duration,
3561 		.bss_idx = mvif->mt76.idx,
3562 		.start_tsf = cpu_to_le64(flow->tsf),
3563 		.mantissa = flow->mantissa,
3564 		.exponent = flow->exp,
3565 		.is_ap = true,
3566 	};
3567 
3568 	if (flow->protection)
3569 		req.agrt_params |= TWT_AGRT_PROTECT;
3570 	if (!flow->flowtype)
3571 		req.agrt_params |= TWT_AGRT_ANNOUNCE;
3572 	if (flow->trigger)
3573 		req.agrt_params |= TWT_AGRT_TRIGGER;
3574 
3575 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(TWT),
3576 				 &req, sizeof(req), true);
3577 }
3578 
3579 void mt7996_mcu_set_pm(void *priv, u8 *mac, struct ieee80211_vif *vif)
3580 {
3581 #define EXIT_PM_STATE	0
3582 #define ENTER_PM_STATE	1
3583 	struct ieee80211_hw *hw = priv;
3584 	struct mt7996_dev *dev = mt7996_hw_dev(hw);
3585 	struct mt7996_phy *phy = mt7996_hw_phy(hw);
3586 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3587 	struct bss_power_save *ps;
3588 	struct sk_buff *skb;
3589 	struct tlv *tlv;
3590 	bool running = test_bit(MT76_STATE_RUNNING, &phy->mt76->state);
3591 
3592 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
3593 					 MT7996_BSS_UPDATE_MAX_SIZE);
3594 	if (IS_ERR(skb))
3595 		return;
3596 
3597 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_PS, sizeof(*ps));
3598 	ps = (struct bss_power_save *)tlv;
3599 	ps->profile = running ? EXIT_PM_STATE : ENTER_PM_STATE;
3600 
3601 	mt76_mcu_skb_send_msg(&dev->mt76, skb,
3602 			      MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
3603 }
3604 
3605 int mt7996_mcu_set_rts_thresh(struct mt7996_phy *phy, u32 val)
3606 {
3607 	struct {
3608 		u8 band_idx;
3609 		u8 _rsv[3];
3610 
3611 		__le16 tag;
3612 		__le16 len;
3613 		__le32 len_thresh;
3614 		__le32 pkt_thresh;
3615 	} __packed req = {
3616 		.band_idx = phy->mt76->band_idx,
3617 		.tag = cpu_to_le16(UNI_BAND_CONFIG_RTS_THRESHOLD),
3618 		.len = cpu_to_le16(sizeof(req) - 4),
3619 		.len_thresh = cpu_to_le32(val),
3620 		.pkt_thresh = cpu_to_le32(0x2),
3621 	};
3622 
3623 	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(BAND_CONFIG),
3624 				 &req, sizeof(req), true);
3625 }
3626 
3627 int mt7996_mcu_set_radio_en(struct mt7996_phy *phy, bool enable)
3628 {
3629 	struct {
3630 		u8 band_idx;
3631 		u8 _rsv[3];
3632 
3633 		__le16 tag;
3634 		__le16 len;
3635 		u8 enable;
3636 		u8 _rsv2[3];
3637 	} __packed req = {
3638 		.band_idx = phy->mt76->band_idx,
3639 		.tag = cpu_to_le16(UNI_BAND_CONFIG_RADIO_ENABLE),
3640 		.len = cpu_to_le16(sizeof(req) - 4),
3641 		.enable = enable,
3642 	};
3643 
3644 	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(BAND_CONFIG),
3645 				 &req, sizeof(req), true);
3646 }
3647 
3648 int mt7996_mcu_rdd_cmd(struct mt7996_dev *dev, int cmd, u8 index,
3649 		       u8 rx_sel, u8 val)
3650 {
3651 	struct {
3652 		u8 _rsv[4];
3653 
3654 		__le16 tag;
3655 		__le16 len;
3656 
3657 		u8 ctrl;
3658 		u8 rdd_idx;
3659 		u8 rdd_rx_sel;
3660 		u8 val;
3661 		u8 rsv[4];
3662 	} __packed req = {
3663 		.tag = cpu_to_le16(UNI_RDD_CTRL_PARM),
3664 		.len = cpu_to_le16(sizeof(req) - 4),
3665 		.ctrl = cmd,
3666 		.rdd_idx = index,
3667 		.rdd_rx_sel = rx_sel,
3668 		.val = val,
3669 	};
3670 
3671 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
3672 				 &req, sizeof(req), true);
3673 }
3674 
3675 int mt7996_mcu_wtbl_update_hdr_trans(struct mt7996_dev *dev,
3676 				     struct ieee80211_vif *vif,
3677 				     struct ieee80211_sta *sta)
3678 {
3679 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3680 	struct mt7996_sta *msta;
3681 	struct sk_buff *skb;
3682 
3683 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
3684 
3685 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
3686 					      &msta->wcid,
3687 					      MT7996_STA_UPDATE_MAX_SIZE);
3688 	if (IS_ERR(skb))
3689 		return PTR_ERR(skb);
3690 
3691 	/* starec hdr trans */
3692 	mt7996_mcu_sta_hdr_trans_tlv(dev, skb, vif, sta);
3693 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
3694 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
3695 }
3696 
3697 int mt7996_mcu_rf_regval(struct mt7996_dev *dev, u32 regidx, u32 *val, bool set)
3698 {
3699 	struct {
3700 		u8 __rsv1[4];
3701 
3702 		__le16 tag;
3703 		__le16 len;
3704 		__le16 idx;
3705 		u8 __rsv2[2];
3706 		__le32 ofs;
3707 		__le32 data;
3708 	} __packed *res, req = {
3709 		.tag = cpu_to_le16(UNI_CMD_ACCESS_RF_REG_BASIC),
3710 		.len = cpu_to_le16(sizeof(req) - 4),
3711 
3712 		.idx = cpu_to_le16(u32_get_bits(regidx, GENMASK(31, 24))),
3713 		.ofs = cpu_to_le32(u32_get_bits(regidx, GENMASK(23, 0))),
3714 		.data = set ? cpu_to_le32(*val) : 0,
3715 	};
3716 	struct sk_buff *skb;
3717 	int ret;
3718 
3719 	if (set)
3720 		return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REG_ACCESS),
3721 					 &req, sizeof(req), true);
3722 
3723 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
3724 					MCU_WM_UNI_CMD_QUERY(REG_ACCESS),
3725 					&req, sizeof(req), true, &skb);
3726 	if (ret)
3727 		return ret;
3728 
3729 	res = (void *)skb->data;
3730 	*val = le32_to_cpu(res->data);
3731 	dev_kfree_skb(skb);
3732 
3733 	return 0;
3734 }
3735 
3736 int mt7996_mcu_set_rro(struct mt7996_dev *dev, u16 tag, u8 val)
3737 {
3738 	struct {
3739 		u8 __rsv1[4];
3740 
3741 		__le16 tag;
3742 		__le16 len;
3743 
3744 		union {
3745 			struct {
3746 				u8 type;
3747 				u8 __rsv2[3];
3748 			} __packed platform_type;
3749 			struct {
3750 				u8 type;
3751 				u8 dest;
3752 				u8 __rsv2[2];
3753 			} __packed bypass_mode;
3754 			struct {
3755 				u8 path;
3756 				u8 __rsv2[3];
3757 			} __packed txfree_path;
3758 		};
3759 	} __packed req = {
3760 		.tag = cpu_to_le16(tag),
3761 		.len = cpu_to_le16(sizeof(req) - 4),
3762 	};
3763 
3764 	switch (tag) {
3765 	case UNI_RRO_SET_PLATFORM_TYPE:
3766 		req.platform_type.type = val;
3767 		break;
3768 	case UNI_RRO_SET_BYPASS_MODE:
3769 		req.bypass_mode.type = val;
3770 		break;
3771 	case UNI_RRO_SET_TXFREE_PATH:
3772 		req.txfree_path.path = val;
3773 		break;
3774 	default:
3775 		return -EINVAL;
3776 	}
3777 
3778 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RRO), &req,
3779 				 sizeof(req), true);
3780 }
3781