xref: /linux/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c (revision f4fee216df7d28b87d1c9cc60bcebfecb51c1a05)
1 // SPDX-License-Identifier: ISC
2 /*
3  * Copyright (C) 2022 MediaTek Inc.
4  */
5 
6 #include <linux/firmware.h>
7 #include <linux/fs.h>
8 #include "mt7996.h"
9 #include "mcu.h"
10 #include "mac.h"
11 #include "eeprom.h"
12 
13 #define fw_name(_dev, name, ...)	({			\
14 	char *_fw;						\
15 	switch (mt76_chip(&(_dev)->mt76)) {			\
16 	case 0x7992:						\
17 		_fw = MT7992_##name;				\
18 		break;						\
19 	case 0x7990:						\
20 	default:						\
21 		_fw = MT7996_##name;				\
22 		break;						\
23 	}							\
24 	_fw;							\
25 })
26 
27 struct mt7996_patch_hdr {
28 	char build_date[16];
29 	char platform[4];
30 	__be32 hw_sw_ver;
31 	__be32 patch_ver;
32 	__be16 checksum;
33 	u16 reserved;
34 	struct {
35 		__be32 patch_ver;
36 		__be32 subsys;
37 		__be32 feature;
38 		__be32 n_region;
39 		__be32 crc;
40 		u32 reserved[11];
41 	} desc;
42 } __packed;
43 
44 struct mt7996_patch_sec {
45 	__be32 type;
46 	__be32 offs;
47 	__be32 size;
48 	union {
49 		__be32 spec[13];
50 		struct {
51 			__be32 addr;
52 			__be32 len;
53 			__be32 sec_key_idx;
54 			__be32 align_len;
55 			u32 reserved[9];
56 		} info;
57 	};
58 } __packed;
59 
60 struct mt7996_fw_trailer {
61 	u8 chip_id;
62 	u8 eco_code;
63 	u8 n_region;
64 	u8 format_ver;
65 	u8 format_flag;
66 	u8 reserved[2];
67 	char fw_ver[10];
68 	char build_date[15];
69 	u32 crc;
70 } __packed;
71 
72 struct mt7996_fw_region {
73 	__le32 decomp_crc;
74 	__le32 decomp_len;
75 	__le32 decomp_blk_sz;
76 	u8 reserved[4];
77 	__le32 addr;
78 	__le32 len;
79 	u8 feature_set;
80 	u8 reserved1[15];
81 } __packed;
82 
83 #define MCU_PATCH_ADDRESS		0x200000
84 
85 #define HE_PHY(p, c)			u8_get_bits(c, IEEE80211_HE_PHY_##p)
86 #define HE_MAC(m, c)			u8_get_bits(c, IEEE80211_HE_MAC_##m)
87 #define EHT_PHY(p, c)			u8_get_bits(c, IEEE80211_EHT_PHY_##p)
88 
89 static bool sr_scene_detect = true;
90 module_param(sr_scene_detect, bool, 0644);
91 MODULE_PARM_DESC(sr_scene_detect, "Enable firmware scene detection algorithm");
92 
93 static u8
94 mt7996_mcu_get_sta_nss(u16 mcs_map)
95 {
96 	u8 nss;
97 
98 	for (nss = 8; nss > 0; nss--) {
99 		u8 nss_mcs = (mcs_map >> (2 * (nss - 1))) & 3;
100 
101 		if (nss_mcs != IEEE80211_VHT_MCS_NOT_SUPPORTED)
102 			break;
103 	}
104 
105 	return nss - 1;
106 }
107 
108 static void
109 mt7996_mcu_set_sta_he_mcs(struct ieee80211_sta *sta, __le16 *he_mcs,
110 			  u16 mcs_map)
111 {
112 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
113 	enum nl80211_band band = msta->vif->phy->mt76->chandef.chan->band;
114 	const u16 *mask = msta->vif->bitrate_mask.control[band].he_mcs;
115 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
116 
117 	for (nss = 0; nss < max_nss; nss++) {
118 		int mcs;
119 
120 		switch ((mcs_map >> (2 * nss)) & 0x3) {
121 		case IEEE80211_HE_MCS_SUPPORT_0_11:
122 			mcs = GENMASK(11, 0);
123 			break;
124 		case IEEE80211_HE_MCS_SUPPORT_0_9:
125 			mcs = GENMASK(9, 0);
126 			break;
127 		case IEEE80211_HE_MCS_SUPPORT_0_7:
128 			mcs = GENMASK(7, 0);
129 			break;
130 		default:
131 			mcs = 0;
132 		}
133 
134 		mcs = mcs ? fls(mcs & mask[nss]) - 1 : -1;
135 
136 		switch (mcs) {
137 		case 0 ... 7:
138 			mcs = IEEE80211_HE_MCS_SUPPORT_0_7;
139 			break;
140 		case 8 ... 9:
141 			mcs = IEEE80211_HE_MCS_SUPPORT_0_9;
142 			break;
143 		case 10 ... 11:
144 			mcs = IEEE80211_HE_MCS_SUPPORT_0_11;
145 			break;
146 		default:
147 			mcs = IEEE80211_HE_MCS_NOT_SUPPORTED;
148 			break;
149 		}
150 		mcs_map &= ~(0x3 << (nss * 2));
151 		mcs_map |= mcs << (nss * 2);
152 	}
153 
154 	*he_mcs = cpu_to_le16(mcs_map);
155 }
156 
157 static void
158 mt7996_mcu_set_sta_vht_mcs(struct ieee80211_sta *sta, __le16 *vht_mcs,
159 			   const u16 *mask)
160 {
161 	u16 mcs, mcs_map = le16_to_cpu(sta->deflink.vht_cap.vht_mcs.rx_mcs_map);
162 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
163 
164 	for (nss = 0; nss < max_nss; nss++, mcs_map >>= 2) {
165 		switch (mcs_map & 0x3) {
166 		case IEEE80211_VHT_MCS_SUPPORT_0_9:
167 			mcs = GENMASK(9, 0);
168 			break;
169 		case IEEE80211_VHT_MCS_SUPPORT_0_8:
170 			mcs = GENMASK(8, 0);
171 			break;
172 		case IEEE80211_VHT_MCS_SUPPORT_0_7:
173 			mcs = GENMASK(7, 0);
174 			break;
175 		default:
176 			mcs = 0;
177 		}
178 
179 		vht_mcs[nss] = cpu_to_le16(mcs & mask[nss]);
180 	}
181 }
182 
183 static void
184 mt7996_mcu_set_sta_ht_mcs(struct ieee80211_sta *sta, u8 *ht_mcs,
185 			  const u8 *mask)
186 {
187 	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;
188 
189 	for (nss = 0; nss < max_nss; nss++)
190 		ht_mcs[nss] = sta->deflink.ht_cap.mcs.rx_mask[nss] & mask[nss];
191 }
192 
193 static int
194 mt7996_mcu_parse_response(struct mt76_dev *mdev, int cmd,
195 			  struct sk_buff *skb, int seq)
196 {
197 	struct mt7996_mcu_rxd *rxd;
198 	struct mt7996_mcu_uni_event *event;
199 	int mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
200 	int ret = 0;
201 
202 	if (!skb) {
203 		dev_err(mdev->dev, "Message %08x (seq %d) timeout\n",
204 			cmd, seq);
205 		return -ETIMEDOUT;
206 	}
207 
208 	rxd = (struct mt7996_mcu_rxd *)skb->data;
209 	if (seq != rxd->seq)
210 		return -EAGAIN;
211 
212 	if (cmd == MCU_CMD(PATCH_SEM_CONTROL)) {
213 		skb_pull(skb, sizeof(*rxd) - 4);
214 		ret = *skb->data;
215 	} else if ((rxd->option & MCU_UNI_CMD_EVENT) &&
216 		    rxd->eid == MCU_UNI_EVENT_RESULT) {
217 		skb_pull(skb, sizeof(*rxd));
218 		event = (struct mt7996_mcu_uni_event *)skb->data;
219 		ret = le32_to_cpu(event->status);
220 		/* skip invalid event */
221 		if (mcu_cmd != event->cid)
222 			ret = -EAGAIN;
223 	} else {
224 		skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
225 	}
226 
227 	return ret;
228 }
229 
230 static int
231 mt7996_mcu_send_message(struct mt76_dev *mdev, struct sk_buff *skb,
232 			int cmd, int *wait_seq)
233 {
234 	struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
235 	int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
236 	struct mt76_connac2_mcu_uni_txd *uni_txd;
237 	struct mt76_connac2_mcu_txd *mcu_txd;
238 	enum mt76_mcuq_id qid;
239 	__le32 *txd;
240 	u32 val;
241 	u8 seq;
242 
243 	mdev->mcu.timeout = 20 * HZ;
244 
245 	seq = ++dev->mt76.mcu.msg_seq & 0xf;
246 	if (!seq)
247 		seq = ++dev->mt76.mcu.msg_seq & 0xf;
248 
249 	if (cmd == MCU_CMD(FW_SCATTER)) {
250 		qid = MT_MCUQ_FWDL;
251 		goto exit;
252 	}
253 
254 	txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
255 	txd = (__le32 *)skb_push(skb, txd_len);
256 	if (test_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state))
257 		qid = MT_MCUQ_WA;
258 	else
259 		qid = MT_MCUQ_WM;
260 
261 	val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len) |
262 	      FIELD_PREP(MT_TXD0_PKT_FMT, MT_TX_TYPE_CMD) |
263 	      FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_MCU_PORT_RX_Q0);
264 	txd[0] = cpu_to_le32(val);
265 
266 	val = FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_CMD);
267 	txd[1] = cpu_to_le32(val);
268 
269 	if (cmd & __MCU_CMD_FIELD_UNI) {
270 		uni_txd = (struct mt76_connac2_mcu_uni_txd *)txd;
271 		uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
272 		uni_txd->cid = cpu_to_le16(mcu_cmd);
273 		uni_txd->s2d_index = MCU_S2D_H2CN;
274 		uni_txd->pkt_type = MCU_PKT_ID;
275 		uni_txd->seq = seq;
276 
277 		if (cmd & __MCU_CMD_FIELD_QUERY)
278 			uni_txd->option = MCU_CMD_UNI_QUERY_ACK;
279 		else
280 			uni_txd->option = MCU_CMD_UNI_EXT_ACK;
281 
282 		if ((cmd & __MCU_CMD_FIELD_WA) && (cmd & __MCU_CMD_FIELD_WM))
283 			uni_txd->s2d_index = MCU_S2D_H2CN;
284 		else if (cmd & __MCU_CMD_FIELD_WA)
285 			uni_txd->s2d_index = MCU_S2D_H2C;
286 		else if (cmd & __MCU_CMD_FIELD_WM)
287 			uni_txd->s2d_index = MCU_S2D_H2N;
288 
289 		goto exit;
290 	}
291 
292 	mcu_txd = (struct mt76_connac2_mcu_txd *)txd;
293 	mcu_txd->len = cpu_to_le16(skb->len - sizeof(mcu_txd->txd));
294 	mcu_txd->pq_id = cpu_to_le16(MCU_PQ_ID(MT_TX_PORT_IDX_MCU,
295 					       MT_TX_MCU_PORT_RX_Q0));
296 	mcu_txd->pkt_type = MCU_PKT_ID;
297 	mcu_txd->seq = seq;
298 
299 	mcu_txd->cid = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
300 	mcu_txd->set_query = MCU_Q_NA;
301 	mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
302 	if (mcu_txd->ext_cid) {
303 		mcu_txd->ext_cid_ack = 1;
304 
305 		if (cmd & __MCU_CMD_FIELD_QUERY)
306 			mcu_txd->set_query = MCU_Q_QUERY;
307 		else
308 			mcu_txd->set_query = MCU_Q_SET;
309 	}
310 
311 	if (cmd & __MCU_CMD_FIELD_WA)
312 		mcu_txd->s2d_index = MCU_S2D_H2C;
313 	else
314 		mcu_txd->s2d_index = MCU_S2D_H2N;
315 
316 exit:
317 	if (wait_seq)
318 		*wait_seq = seq;
319 
320 	return mt76_tx_queue_skb_raw(dev, mdev->q_mcu[qid], skb, 0);
321 }
322 
323 int mt7996_mcu_wa_cmd(struct mt7996_dev *dev, int cmd, u32 a1, u32 a2, u32 a3)
324 {
325 	struct {
326 		__le32 args[3];
327 	} req = {
328 		.args = {
329 			cpu_to_le32(a1),
330 			cpu_to_le32(a2),
331 			cpu_to_le32(a3),
332 		},
333 	};
334 
335 	return mt76_mcu_send_msg(&dev->mt76, cmd, &req, sizeof(req), false);
336 }
337 
338 static void
339 mt7996_mcu_csa_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
340 {
341 	if (!vif->bss_conf.csa_active || vif->type == NL80211_IFTYPE_STATION)
342 		return;
343 
344 	ieee80211_csa_finish(vif, 0);
345 }
346 
347 static void
348 mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
349 {
350 	struct mt76_phy *mphy = &dev->mt76.phy;
351 	struct mt7996_mcu_rdd_report *r;
352 
353 	r = (struct mt7996_mcu_rdd_report *)skb->data;
354 
355 	if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys))
356 		return;
357 
358 	if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2)
359 		mphy = dev->rdd2_phy->mt76;
360 	else
361 		mphy = dev->mt76.phys[r->band_idx];
362 
363 	if (!mphy)
364 		return;
365 
366 	if (r->band_idx == MT_RX_SEL2)
367 		cfg80211_background_radar_event(mphy->hw->wiphy,
368 						&dev->rdd2_chandef,
369 						GFP_ATOMIC);
370 	else
371 		ieee80211_radar_detected(mphy->hw);
372 	dev->hw_pattern++;
373 }
374 
375 static void
376 mt7996_mcu_rx_log_message(struct mt7996_dev *dev, struct sk_buff *skb)
377 {
378 #define UNI_EVENT_FW_LOG_FORMAT 0
379 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
380 	const char *data = (char *)&rxd[1] + 4, *type;
381 	struct tlv *tlv = (struct tlv *)data;
382 	int len;
383 
384 	if (!(rxd->option & MCU_UNI_CMD_EVENT)) {
385 		len = skb->len - sizeof(*rxd);
386 		data = (char *)&rxd[1];
387 		goto out;
388 	}
389 
390 	if (le16_to_cpu(tlv->tag) != UNI_EVENT_FW_LOG_FORMAT)
391 		return;
392 
393 	data += sizeof(*tlv) + 4;
394 	len = le16_to_cpu(tlv->len) - sizeof(*tlv) - 4;
395 
396 out:
397 	switch (rxd->s2d_index) {
398 	case 0:
399 		if (mt7996_debugfs_rx_log(dev, data, len))
400 			return;
401 
402 		type = "WM";
403 		break;
404 	case 2:
405 		type = "WA";
406 		break;
407 	default:
408 		type = "unknown";
409 		break;
410 	}
411 
412 	wiphy_info(mt76_hw(dev)->wiphy, "%s: %.*s", type, len, data);
413 }
414 
415 static void
416 mt7996_mcu_cca_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
417 {
418 	if (!vif->bss_conf.color_change_active || vif->type == NL80211_IFTYPE_STATION)
419 		return;
420 
421 	ieee80211_color_change_finish(vif);
422 }
423 
424 static void
425 mt7996_mcu_ie_countdown(struct mt7996_dev *dev, struct sk_buff *skb)
426 {
427 #define UNI_EVENT_IE_COUNTDOWN_CSA 0
428 #define UNI_EVENT_IE_COUNTDOWN_BCC 1
429 	struct header {
430 		u8 band;
431 		u8 rsv[3];
432 	};
433 	struct mt76_phy *mphy = &dev->mt76.phy;
434 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
435 	const char *data = (char *)&rxd[1], *tail;
436 	struct header *hdr = (struct header *)data;
437 	struct tlv *tlv = (struct tlv *)(data + 4);
438 
439 	if (hdr->band >= ARRAY_SIZE(dev->mt76.phys))
440 		return;
441 
442 	if (hdr->band && dev->mt76.phys[hdr->band])
443 		mphy = dev->mt76.phys[hdr->band];
444 
445 	tail = skb->data + skb->len;
446 	data += sizeof(struct header);
447 	while (data + sizeof(struct tlv) < tail && le16_to_cpu(tlv->len)) {
448 		switch (le16_to_cpu(tlv->tag)) {
449 		case UNI_EVENT_IE_COUNTDOWN_CSA:
450 			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
451 					IEEE80211_IFACE_ITER_RESUME_ALL,
452 					mt7996_mcu_csa_finish, mphy->hw);
453 			break;
454 		case UNI_EVENT_IE_COUNTDOWN_BCC:
455 			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
456 					IEEE80211_IFACE_ITER_RESUME_ALL,
457 					mt7996_mcu_cca_finish, mphy->hw);
458 			break;
459 		}
460 
461 		data += le16_to_cpu(tlv->len);
462 		tlv = (struct tlv *)data;
463 	}
464 }
465 
466 static int
467 mt7996_mcu_update_tx_gi(struct rate_info *rate, struct all_sta_trx_rate *mcu_rate)
468 {
469 	switch (mcu_rate->tx_mode) {
470 	case MT_PHY_TYPE_CCK:
471 	case MT_PHY_TYPE_OFDM:
472 		break;
473 	case MT_PHY_TYPE_HT:
474 	case MT_PHY_TYPE_HT_GF:
475 	case MT_PHY_TYPE_VHT:
476 		if (mcu_rate->tx_gi)
477 			rate->flags |= RATE_INFO_FLAGS_SHORT_GI;
478 		else
479 			rate->flags &= ~RATE_INFO_FLAGS_SHORT_GI;
480 		break;
481 	case MT_PHY_TYPE_HE_SU:
482 	case MT_PHY_TYPE_HE_EXT_SU:
483 	case MT_PHY_TYPE_HE_TB:
484 	case MT_PHY_TYPE_HE_MU:
485 		if (mcu_rate->tx_gi > NL80211_RATE_INFO_HE_GI_3_2)
486 			return -EINVAL;
487 		rate->he_gi = mcu_rate->tx_gi;
488 		break;
489 	case MT_PHY_TYPE_EHT_SU:
490 	case MT_PHY_TYPE_EHT_TRIG:
491 	case MT_PHY_TYPE_EHT_MU:
492 		if (mcu_rate->tx_gi > NL80211_RATE_INFO_EHT_GI_3_2)
493 			return -EINVAL;
494 		rate->eht_gi = mcu_rate->tx_gi;
495 		break;
496 	default:
497 		return -EINVAL;
498 	}
499 
500 	return 0;
501 }
502 
503 static void
504 mt7996_mcu_rx_all_sta_info_event(struct mt7996_dev *dev, struct sk_buff *skb)
505 {
506 	struct mt7996_mcu_all_sta_info_event *res;
507 	u16 i;
508 
509 	skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
510 
511 	res = (struct mt7996_mcu_all_sta_info_event *)skb->data;
512 
513 	for (i = 0; i < le16_to_cpu(res->sta_num); i++) {
514 		u8 ac;
515 		u16 wlan_idx;
516 		struct mt76_wcid *wcid;
517 
518 		switch (le16_to_cpu(res->tag)) {
519 		case UNI_ALL_STA_TXRX_RATE:
520 			wlan_idx = le16_to_cpu(res->rate[i].wlan_idx);
521 			wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);
522 
523 			if (!wcid)
524 				break;
525 
526 			if (mt7996_mcu_update_tx_gi(&wcid->rate, &res->rate[i]))
527 				dev_err(dev->mt76.dev, "Failed to update TX GI\n");
528 			break;
529 		case UNI_ALL_STA_TXRX_ADM_STAT:
530 			wlan_idx = le16_to_cpu(res->adm_stat[i].wlan_idx);
531 			wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);
532 
533 			if (!wcid)
534 				break;
535 
536 			for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
537 				wcid->stats.tx_bytes +=
538 					le32_to_cpu(res->adm_stat[i].tx_bytes[ac]);
539 				wcid->stats.rx_bytes +=
540 					le32_to_cpu(res->adm_stat[i].rx_bytes[ac]);
541 			}
542 			break;
543 		case UNI_ALL_STA_TXRX_MSDU_COUNT:
544 			wlan_idx = le16_to_cpu(res->msdu_cnt[i].wlan_idx);
545 			wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);
546 
547 			if (!wcid)
548 				break;
549 
550 			wcid->stats.tx_packets +=
551 				le32_to_cpu(res->msdu_cnt[i].tx_msdu_cnt);
552 			wcid->stats.rx_packets +=
553 				le32_to_cpu(res->msdu_cnt[i].rx_msdu_cnt);
554 			break;
555 		default:
556 			break;
557 		}
558 	}
559 }
560 
561 static void
562 mt7996_mcu_rx_thermal_notify(struct mt7996_dev *dev, struct sk_buff *skb)
563 {
564 #define THERMAL_NOTIFY_TAG 0x4
565 #define THERMAL_NOTIFY 0x2
566 	struct mt76_phy *mphy = &dev->mt76.phy;
567 	struct mt7996_mcu_thermal_notify *n;
568 	struct mt7996_phy *phy;
569 
570 	n = (struct mt7996_mcu_thermal_notify *)skb->data;
571 
572 	if (le16_to_cpu(n->tag) != THERMAL_NOTIFY_TAG)
573 		return;
574 
575 	if (n->event_id != THERMAL_NOTIFY)
576 		return;
577 
578 	if (n->band_idx > MT_BAND2)
579 		return;
580 
581 	mphy = dev->mt76.phys[n->band_idx];
582 	if (!mphy)
583 		return;
584 
585 	phy = (struct mt7996_phy *)mphy->priv;
586 	phy->throttle_state = n->duty_percent;
587 }
588 
589 static void
590 mt7996_mcu_rx_ext_event(struct mt7996_dev *dev, struct sk_buff *skb)
591 {
592 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
593 
594 	switch (rxd->ext_eid) {
595 	case MCU_EXT_EVENT_FW_LOG_2_HOST:
596 		mt7996_mcu_rx_log_message(dev, skb);
597 		break;
598 	default:
599 		break;
600 	}
601 }
602 
603 static void
604 mt7996_mcu_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
605 {
606 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
607 
608 	switch (rxd->eid) {
609 	case MCU_EVENT_EXT:
610 		mt7996_mcu_rx_ext_event(dev, skb);
611 		break;
612 	case MCU_UNI_EVENT_THERMAL:
613 		mt7996_mcu_rx_thermal_notify(dev, skb);
614 		break;
615 	default:
616 		break;
617 	}
618 	dev_kfree_skb(skb);
619 }
620 
621 static void
622 mt7996_mcu_wed_rro_event(struct mt7996_dev *dev, struct sk_buff *skb)
623 {
624 	struct mt7996_mcu_wed_rro_event *event = (void *)skb->data;
625 
626 	if (!dev->has_rro)
627 		return;
628 
629 	skb_pull(skb, sizeof(struct mt7996_mcu_rxd) + 4);
630 
631 	switch (le16_to_cpu(event->tag)) {
632 	case UNI_WED_RRO_BA_SESSION_STATUS: {
633 		struct mt7996_mcu_wed_rro_ba_event *e;
634 
635 		while (skb->len >= sizeof(*e)) {
636 			struct mt76_rx_tid *tid;
637 			struct mt76_wcid *wcid;
638 			u16 idx;
639 
640 			e = (void *)skb->data;
641 			idx = le16_to_cpu(e->wlan_id);
642 			if (idx >= ARRAY_SIZE(dev->mt76.wcid))
643 				break;
644 
645 			wcid = rcu_dereference(dev->mt76.wcid[idx]);
646 			if (!wcid || !wcid->sta)
647 				break;
648 
649 			if (e->tid >= ARRAY_SIZE(wcid->aggr))
650 				break;
651 
652 			tid = rcu_dereference(wcid->aggr[e->tid]);
653 			if (!tid)
654 				break;
655 
656 			tid->id = le16_to_cpu(e->id);
657 			skb_pull(skb, sizeof(*e));
658 		}
659 		break;
660 	}
661 	case UNI_WED_RRO_BA_SESSION_DELETE: {
662 		struct mt7996_mcu_wed_rro_ba_delete_event *e;
663 
664 		while (skb->len >= sizeof(*e)) {
665 			struct mt7996_wed_rro_session_id *session;
666 
667 			e = (void *)skb->data;
668 			session = kzalloc(sizeof(*session), GFP_ATOMIC);
669 			if (!session)
670 				break;
671 
672 			session->id = le16_to_cpu(e->session_id);
673 
674 			spin_lock_bh(&dev->wed_rro.lock);
675 			list_add_tail(&session->list, &dev->wed_rro.poll_list);
676 			spin_unlock_bh(&dev->wed_rro.lock);
677 
678 			ieee80211_queue_work(mt76_hw(dev), &dev->wed_rro.work);
679 			skb_pull(skb, sizeof(*e));
680 		}
681 		break;
682 	}
683 	default:
684 		break;
685 	}
686 }
687 
688 static void
689 mt7996_mcu_uni_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
690 {
691 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
692 
693 	switch (rxd->eid) {
694 	case MCU_UNI_EVENT_FW_LOG_2_HOST:
695 		mt7996_mcu_rx_log_message(dev, skb);
696 		break;
697 	case MCU_UNI_EVENT_IE_COUNTDOWN:
698 		mt7996_mcu_ie_countdown(dev, skb);
699 		break;
700 	case MCU_UNI_EVENT_RDD_REPORT:
701 		mt7996_mcu_rx_radar_detected(dev, skb);
702 		break;
703 	case MCU_UNI_EVENT_ALL_STA_INFO:
704 		mt7996_mcu_rx_all_sta_info_event(dev, skb);
705 		break;
706 	case MCU_UNI_EVENT_WED_RRO:
707 		mt7996_mcu_wed_rro_event(dev, skb);
708 		break;
709 	default:
710 		break;
711 	}
712 	dev_kfree_skb(skb);
713 }
714 
715 void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb)
716 {
717 	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
718 
719 	if (rxd->option & MCU_UNI_CMD_UNSOLICITED_EVENT) {
720 		mt7996_mcu_uni_rx_unsolicited_event(dev, skb);
721 		return;
722 	}
723 
724 	/* WA still uses legacy event*/
725 	if (rxd->ext_eid == MCU_EXT_EVENT_FW_LOG_2_HOST ||
726 	    !rxd->seq)
727 		mt7996_mcu_rx_unsolicited_event(dev, skb);
728 	else
729 		mt76_mcu_rx_event(&dev->mt76, skb);
730 }
731 
732 static struct tlv *
733 mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len)
734 {
735 	struct tlv *ptlv = skb_put(skb, len);
736 
737 	ptlv->tag = cpu_to_le16(tag);
738 	ptlv->len = cpu_to_le16(len);
739 
740 	return ptlv;
741 }
742 
743 static void
744 mt7996_mcu_bss_rfch_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
745 			struct mt7996_phy *phy)
746 {
747 	static const u8 rlm_ch_band[] = {
748 		[NL80211_BAND_2GHZ] = 1,
749 		[NL80211_BAND_5GHZ] = 2,
750 		[NL80211_BAND_6GHZ] = 3,
751 	};
752 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
753 	struct bss_rlm_tlv *ch;
754 	struct tlv *tlv;
755 	int freq1 = chandef->center_freq1;
756 
757 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RLM, sizeof(*ch));
758 
759 	ch = (struct bss_rlm_tlv *)tlv;
760 	ch->control_channel = chandef->chan->hw_value;
761 	ch->center_chan = ieee80211_frequency_to_channel(freq1);
762 	ch->bw = mt76_connac_chan_bw(chandef);
763 	ch->tx_streams = hweight8(phy->mt76->antenna_mask);
764 	ch->rx_streams = hweight8(phy->mt76->antenna_mask);
765 	ch->band = rlm_ch_band[chandef->chan->band];
766 
767 	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
768 		int freq2 = chandef->center_freq2;
769 
770 		ch->center_chan2 = ieee80211_frequency_to_channel(freq2);
771 	}
772 }
773 
774 static void
775 mt7996_mcu_bss_ra_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
776 		      struct mt7996_phy *phy)
777 {
778 	struct bss_ra_tlv *ra;
779 	struct tlv *tlv;
780 
781 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RA, sizeof(*ra));
782 
783 	ra = (struct bss_ra_tlv *)tlv;
784 	ra->short_preamble = true;
785 }
786 
787 static void
788 mt7996_mcu_bss_he_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
789 		      struct mt7996_phy *phy)
790 {
791 #define DEFAULT_HE_PE_DURATION		4
792 #define DEFAULT_HE_DURATION_RTS_THRES	1023
793 	const struct ieee80211_sta_he_cap *cap;
794 	struct bss_info_uni_he *he;
795 	struct tlv *tlv;
796 
797 	cap = mt76_connac_get_he_phy_cap(phy->mt76, vif);
798 
799 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_HE_BASIC, sizeof(*he));
800 
801 	he = (struct bss_info_uni_he *)tlv;
802 	he->he_pe_duration = vif->bss_conf.htc_trig_based_pkt_ext;
803 	if (!he->he_pe_duration)
804 		he->he_pe_duration = DEFAULT_HE_PE_DURATION;
805 
806 	he->he_rts_thres = cpu_to_le16(vif->bss_conf.frame_time_rts_th);
807 	if (!he->he_rts_thres)
808 		he->he_rts_thres = cpu_to_le16(DEFAULT_HE_DURATION_RTS_THRES);
809 
810 	he->max_nss_mcs[CMD_HE_MCS_BW80] = cap->he_mcs_nss_supp.tx_mcs_80;
811 	he->max_nss_mcs[CMD_HE_MCS_BW160] = cap->he_mcs_nss_supp.tx_mcs_160;
812 	he->max_nss_mcs[CMD_HE_MCS_BW8080] = cap->he_mcs_nss_supp.tx_mcs_80p80;
813 }
814 
815 static void
816 mt7996_mcu_bss_mbssid_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
817 			  struct mt7996_phy *phy, int enable)
818 {
819 	struct bss_info_uni_mbssid *mbssid;
820 	struct tlv *tlv;
821 
822 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_11V_MBSSID, sizeof(*mbssid));
823 
824 	mbssid = (struct bss_info_uni_mbssid *)tlv;
825 
826 	if (enable && vif->bss_conf.bssid_indicator) {
827 		mbssid->max_indicator = vif->bss_conf.bssid_indicator;
828 		mbssid->mbss_idx = vif->bss_conf.bssid_index;
829 		mbssid->tx_bss_omac_idx = 0;
830 	}
831 }
832 
833 static void
834 mt7996_mcu_bss_bmc_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
835 		       struct mt7996_phy *phy)
836 {
837 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
838 	struct bss_rate_tlv *bmc;
839 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
840 	enum nl80211_band band = chandef->chan->band;
841 	struct tlv *tlv;
842 	u8 idx = mvif->mcast_rates_idx ?
843 		 mvif->mcast_rates_idx : mvif->basic_rates_idx;
844 
845 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RATE, sizeof(*bmc));
846 
847 	bmc = (struct bss_rate_tlv *)tlv;
848 
849 	bmc->short_preamble = (band == NL80211_BAND_2GHZ);
850 	bmc->bc_fixed_rate = idx;
851 	bmc->mc_fixed_rate = idx;
852 }
853 
854 static void
855 mt7996_mcu_bss_txcmd_tlv(struct sk_buff *skb, bool en)
856 {
857 	struct bss_txcmd_tlv *txcmd;
858 	struct tlv *tlv;
859 
860 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_TXCMD, sizeof(*txcmd));
861 
862 	txcmd = (struct bss_txcmd_tlv *)tlv;
863 	txcmd->txcmd_mode = en;
864 }
865 
866 static void
867 mt7996_mcu_bss_mld_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
868 {
869 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
870 	struct bss_mld_tlv *mld;
871 	struct tlv *tlv;
872 
873 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_MLD, sizeof(*mld));
874 
875 	mld = (struct bss_mld_tlv *)tlv;
876 	mld->group_mld_id = 0xff;
877 	mld->own_mld_id = mvif->mt76.idx;
878 	mld->remap_idx = 0xff;
879 }
880 
881 static void
882 mt7996_mcu_bss_sec_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
883 {
884 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
885 	struct bss_sec_tlv *sec;
886 	struct tlv *tlv;
887 
888 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_SEC, sizeof(*sec));
889 
890 	sec = (struct bss_sec_tlv *)tlv;
891 	sec->cipher = mvif->cipher;
892 }
893 
894 static int
895 mt7996_mcu_muar_config(struct mt7996_phy *phy, struct ieee80211_vif *vif,
896 		       bool bssid, bool enable)
897 {
898 #define UNI_MUAR_ENTRY 2
899 	struct mt7996_dev *dev = phy->dev;
900 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
901 	u32 idx = mvif->mt76.omac_idx - REPEATER_BSSID_START;
902 	const u8 *addr = vif->addr;
903 
904 	struct {
905 		struct {
906 			u8 band;
907 			u8 __rsv[3];
908 		} hdr;
909 
910 		__le16 tag;
911 		__le16 len;
912 
913 		bool smesh;
914 		u8 bssid;
915 		u8 index;
916 		u8 entry_add;
917 		u8 addr[ETH_ALEN];
918 		u8 __rsv[2];
919 	} __packed req = {
920 		.hdr.band = phy->mt76->band_idx,
921 		.tag = cpu_to_le16(UNI_MUAR_ENTRY),
922 		.len = cpu_to_le16(sizeof(req) - sizeof(req.hdr)),
923 		.smesh = false,
924 		.index = idx * 2 + bssid,
925 		.entry_add = true,
926 	};
927 
928 	if (bssid)
929 		addr = vif->bss_conf.bssid;
930 
931 	if (enable)
932 		memcpy(req.addr, addr, ETH_ALEN);
933 
934 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REPT_MUAR), &req,
935 				 sizeof(req), true);
936 }
937 
938 static void
939 mt7996_mcu_bss_ifs_timing_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
940 {
941 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
942 	struct mt7996_phy *phy = mvif->phy;
943 	struct bss_ifs_time_tlv *ifs_time;
944 	struct tlv *tlv;
945 	bool is_2ghz = phy->mt76->chandef.chan->band == NL80211_BAND_2GHZ;
946 
947 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_IFS_TIME, sizeof(*ifs_time));
948 
949 	ifs_time = (struct bss_ifs_time_tlv *)tlv;
950 	ifs_time->slot_valid = true;
951 	ifs_time->sifs_valid = true;
952 	ifs_time->rifs_valid = true;
953 	ifs_time->eifs_valid = true;
954 
955 	ifs_time->slot_time = cpu_to_le16(phy->slottime);
956 	ifs_time->sifs_time = cpu_to_le16(10);
957 	ifs_time->rifs_time = cpu_to_le16(2);
958 	ifs_time->eifs_time = cpu_to_le16(is_2ghz ? 78 : 84);
959 
960 	if (is_2ghz) {
961 		ifs_time->eifs_cck_valid = true;
962 		ifs_time->eifs_cck_time = cpu_to_le16(314);
963 	}
964 }
965 
966 static int
967 mt7996_mcu_bss_basic_tlv(struct sk_buff *skb,
968 			 struct ieee80211_vif *vif,
969 			 struct ieee80211_sta *sta,
970 			 struct mt76_phy *phy, u16 wlan_idx,
971 			 bool enable)
972 {
973 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
974 	struct cfg80211_chan_def *chandef = &phy->chandef;
975 	struct mt76_connac_bss_basic_tlv *bss;
976 	u32 type = CONNECTION_INFRA_AP;
977 	u16 sta_wlan_idx = wlan_idx;
978 	struct tlv *tlv;
979 	int idx;
980 
981 	switch (vif->type) {
982 	case NL80211_IFTYPE_MESH_POINT:
983 	case NL80211_IFTYPE_AP:
984 	case NL80211_IFTYPE_MONITOR:
985 		break;
986 	case NL80211_IFTYPE_STATION:
987 		if (enable) {
988 			rcu_read_lock();
989 			if (!sta)
990 				sta = ieee80211_find_sta(vif,
991 							 vif->bss_conf.bssid);
992 			/* TODO: enable BSS_INFO_UAPSD & BSS_INFO_PM */
993 			if (sta) {
994 				struct mt76_wcid *wcid;
995 
996 				wcid = (struct mt76_wcid *)sta->drv_priv;
997 				sta_wlan_idx = wcid->idx;
998 			}
999 			rcu_read_unlock();
1000 		}
1001 		type = CONNECTION_INFRA_STA;
1002 		break;
1003 	case NL80211_IFTYPE_ADHOC:
1004 		type = CONNECTION_IBSS_ADHOC;
1005 		break;
1006 	default:
1007 		WARN_ON(1);
1008 		break;
1009 	}
1010 
1011 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_BASIC, sizeof(*bss));
1012 
1013 	bss = (struct mt76_connac_bss_basic_tlv *)tlv;
1014 	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
1015 	bss->dtim_period = vif->bss_conf.dtim_period;
1016 	bss->bmc_tx_wlan_idx = cpu_to_le16(wlan_idx);
1017 	bss->sta_idx = cpu_to_le16(sta_wlan_idx);
1018 	bss->conn_type = cpu_to_le32(type);
1019 	bss->omac_idx = mvif->omac_idx;
1020 	bss->band_idx = mvif->band_idx;
1021 	bss->wmm_idx = mvif->wmm_idx;
1022 	bss->conn_state = !enable;
1023 	bss->active = enable;
1024 
1025 	idx = mvif->omac_idx > EXT_BSSID_START ? HW_BSSID_0 : mvif->omac_idx;
1026 	bss->hw_bss_idx = idx;
1027 
1028 	if (vif->type == NL80211_IFTYPE_MONITOR) {
1029 		memcpy(bss->bssid, phy->macaddr, ETH_ALEN);
1030 		return 0;
1031 	}
1032 
1033 	memcpy(bss->bssid, vif->bss_conf.bssid, ETH_ALEN);
1034 	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
1035 	bss->dtim_period = vif->bss_conf.dtim_period;
1036 	bss->phymode = mt76_connac_get_phy_mode(phy, vif,
1037 						chandef->chan->band, NULL);
1038 	bss->phymode_ext = mt76_connac_get_phy_mode_ext(phy, vif,
1039 							chandef->chan->band);
1040 
1041 	return 0;
1042 }
1043 
1044 static struct sk_buff *
1045 __mt7996_mcu_alloc_bss_req(struct mt76_dev *dev, struct mt76_vif *mvif, int len)
1046 {
1047 	struct bss_req_hdr hdr = {
1048 		.bss_idx = mvif->idx,
1049 	};
1050 	struct sk_buff *skb;
1051 
1052 	skb = mt76_mcu_msg_alloc(dev, NULL, len);
1053 	if (!skb)
1054 		return ERR_PTR(-ENOMEM);
1055 
1056 	skb_put_data(skb, &hdr, sizeof(hdr));
1057 
1058 	return skb;
1059 }
1060 
1061 int mt7996_mcu_add_bss_info(struct mt7996_phy *phy,
1062 			    struct ieee80211_vif *vif, int enable)
1063 {
1064 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1065 	struct mt7996_dev *dev = phy->dev;
1066 	struct sk_buff *skb;
1067 
1068 	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START) {
1069 		mt7996_mcu_muar_config(phy, vif, false, enable);
1070 		mt7996_mcu_muar_config(phy, vif, true, enable);
1071 	}
1072 
1073 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
1074 					 MT7996_BSS_UPDATE_MAX_SIZE);
1075 	if (IS_ERR(skb))
1076 		return PTR_ERR(skb);
1077 
1078 	/* bss_basic must be first */
1079 	mt7996_mcu_bss_basic_tlv(skb, vif, NULL, phy->mt76,
1080 				 mvif->sta.wcid.idx, enable);
1081 	mt7996_mcu_bss_sec_tlv(skb, vif);
1082 
1083 	if (vif->type == NL80211_IFTYPE_MONITOR)
1084 		goto out;
1085 
1086 	if (enable) {
1087 		mt7996_mcu_bss_rfch_tlv(skb, vif, phy);
1088 		mt7996_mcu_bss_bmc_tlv(skb, vif, phy);
1089 		mt7996_mcu_bss_ra_tlv(skb, vif, phy);
1090 		mt7996_mcu_bss_txcmd_tlv(skb, true);
1091 		mt7996_mcu_bss_ifs_timing_tlv(skb, vif);
1092 
1093 		if (vif->bss_conf.he_support)
1094 			mt7996_mcu_bss_he_tlv(skb, vif, phy);
1095 
1096 		/* this tag is necessary no matter if the vif is MLD */
1097 		mt7996_mcu_bss_mld_tlv(skb, vif);
1098 	}
1099 
1100 	mt7996_mcu_bss_mbssid_tlv(skb, vif, phy, enable);
1101 
1102 out:
1103 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1104 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
1105 }
1106 
1107 int mt7996_mcu_set_timing(struct mt7996_phy *phy, struct ieee80211_vif *vif)
1108 {
1109 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1110 	struct mt7996_dev *dev = phy->dev;
1111 	struct sk_buff *skb;
1112 
1113 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
1114 					 MT7996_BSS_UPDATE_MAX_SIZE);
1115 	if (IS_ERR(skb))
1116 		return PTR_ERR(skb);
1117 
1118 	mt7996_mcu_bss_ifs_timing_tlv(skb, vif);
1119 
1120 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1121 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
1122 }
1123 
1124 static int
1125 mt7996_mcu_sta_ba(struct mt7996_dev *dev, struct mt76_vif *mvif,
1126 		  struct ieee80211_ampdu_params *params,
1127 		  bool enable, bool tx)
1128 {
1129 	struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv;
1130 	struct sta_rec_ba_uni *ba;
1131 	struct sk_buff *skb;
1132 	struct tlv *tlv;
1133 
1134 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, mvif, wcid,
1135 					      MT7996_STA_UPDATE_MAX_SIZE);
1136 	if (IS_ERR(skb))
1137 		return PTR_ERR(skb);
1138 
1139 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BA, sizeof(*ba));
1140 
1141 	ba = (struct sta_rec_ba_uni *)tlv;
1142 	ba->ba_type = tx ? MT_BA_TYPE_ORIGINATOR : MT_BA_TYPE_RECIPIENT;
1143 	ba->winsize = cpu_to_le16(params->buf_size);
1144 	ba->ssn = cpu_to_le16(params->ssn);
1145 	ba->ba_en = enable << params->tid;
1146 	ba->amsdu = params->amsdu;
1147 	ba->tid = params->tid;
1148 	ba->ba_rdd_rro = !tx && enable && dev->has_rro;
1149 
1150 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1151 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
1152 }
1153 
1154 /** starec & wtbl **/
1155 int mt7996_mcu_add_tx_ba(struct mt7996_dev *dev,
1156 			 struct ieee80211_ampdu_params *params,
1157 			 bool enable)
1158 {
1159 	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;
1160 	struct mt7996_vif *mvif = msta->vif;
1161 
1162 	if (enable && !params->amsdu)
1163 		msta->wcid.amsdu = false;
1164 
1165 	return mt7996_mcu_sta_ba(dev, &mvif->mt76, params, enable, true);
1166 }
1167 
1168 int mt7996_mcu_add_rx_ba(struct mt7996_dev *dev,
1169 			 struct ieee80211_ampdu_params *params,
1170 			 bool enable)
1171 {
1172 	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;
1173 	struct mt7996_vif *mvif = msta->vif;
1174 
1175 	return mt7996_mcu_sta_ba(dev, &mvif->mt76, params, enable, false);
1176 }
1177 
1178 static void
1179 mt7996_mcu_sta_he_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1180 {
1181 	struct ieee80211_he_cap_elem *elem = &sta->deflink.he_cap.he_cap_elem;
1182 	struct ieee80211_he_mcs_nss_supp mcs_map;
1183 	struct sta_rec_he_v2 *he;
1184 	struct tlv *tlv;
1185 	int i = 0;
1186 
1187 	if (!sta->deflink.he_cap.has_he)
1188 		return;
1189 
1190 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HE_V2, sizeof(*he));
1191 
1192 	he = (struct sta_rec_he_v2 *)tlv;
1193 	for (i = 0; i < 11; i++) {
1194 		if (i < 6)
1195 			he->he_mac_cap[i] = elem->mac_cap_info[i];
1196 		he->he_phy_cap[i] = elem->phy_cap_info[i];
1197 	}
1198 
1199 	mcs_map = sta->deflink.he_cap.he_mcs_nss_supp;
1200 	switch (sta->deflink.bandwidth) {
1201 	case IEEE80211_STA_RX_BW_160:
1202 		if (elem->phy_cap_info[0] &
1203 		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)
1204 			mt7996_mcu_set_sta_he_mcs(sta,
1205 						  &he->max_nss_mcs[CMD_HE_MCS_BW8080],
1206 						  le16_to_cpu(mcs_map.rx_mcs_80p80));
1207 
1208 		mt7996_mcu_set_sta_he_mcs(sta,
1209 					  &he->max_nss_mcs[CMD_HE_MCS_BW160],
1210 					  le16_to_cpu(mcs_map.rx_mcs_160));
1211 		fallthrough;
1212 	default:
1213 		mt7996_mcu_set_sta_he_mcs(sta,
1214 					  &he->max_nss_mcs[CMD_HE_MCS_BW80],
1215 					  le16_to_cpu(mcs_map.rx_mcs_80));
1216 		break;
1217 	}
1218 
1219 	he->pkt_ext = 2;
1220 }
1221 
1222 static void
1223 mt7996_mcu_sta_he_6g_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1224 {
1225 	struct sta_rec_he_6g_capa *he_6g;
1226 	struct tlv *tlv;
1227 
1228 	if (!sta->deflink.he_6ghz_capa.capa)
1229 		return;
1230 
1231 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HE_6G, sizeof(*he_6g));
1232 
1233 	he_6g = (struct sta_rec_he_6g_capa *)tlv;
1234 	he_6g->capa = sta->deflink.he_6ghz_capa.capa;
1235 }
1236 
1237 static void
1238 mt7996_mcu_sta_eht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1239 {
1240 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1241 	struct ieee80211_vif *vif = container_of((void *)msta->vif,
1242 						 struct ieee80211_vif, drv_priv);
1243 	struct ieee80211_eht_mcs_nss_supp *mcs_map;
1244 	struct ieee80211_eht_cap_elem_fixed *elem;
1245 	struct sta_rec_eht *eht;
1246 	struct tlv *tlv;
1247 
1248 	if (!sta->deflink.eht_cap.has_eht)
1249 		return;
1250 
1251 	mcs_map = &sta->deflink.eht_cap.eht_mcs_nss_supp;
1252 	elem = &sta->deflink.eht_cap.eht_cap_elem;
1253 
1254 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_EHT, sizeof(*eht));
1255 
1256 	eht = (struct sta_rec_eht *)tlv;
1257 	eht->tid_bitmap = 0xff;
1258 	eht->mac_cap = cpu_to_le16(*(u16 *)elem->mac_cap_info);
1259 	eht->phy_cap = cpu_to_le64(*(u64 *)elem->phy_cap_info);
1260 	eht->phy_cap_ext = cpu_to_le64(elem->phy_cap_info[8]);
1261 
1262 	if (vif->type != NL80211_IFTYPE_STATION &&
1263 	    (sta->deflink.he_cap.he_cap_elem.phy_cap_info[0] &
1264 	     (IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G |
1265 	      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G |
1266 	      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G |
1267 	      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)) == 0) {
1268 		memcpy(eht->mcs_map_bw20, &mcs_map->only_20mhz,
1269 		       sizeof(eht->mcs_map_bw20));
1270 		return;
1271 	}
1272 
1273 	memcpy(eht->mcs_map_bw80, &mcs_map->bw._80, sizeof(eht->mcs_map_bw80));
1274 	memcpy(eht->mcs_map_bw160, &mcs_map->bw._160, sizeof(eht->mcs_map_bw160));
1275 	memcpy(eht->mcs_map_bw320, &mcs_map->bw._320, sizeof(eht->mcs_map_bw320));
1276 }
1277 
1278 static void
1279 mt7996_mcu_sta_ht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1280 {
1281 	struct sta_rec_ht_uni *ht;
1282 	struct tlv *tlv;
1283 
1284 	if (!sta->deflink.ht_cap.ht_supported)
1285 		return;
1286 
1287 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HT, sizeof(*ht));
1288 
1289 	ht = (struct sta_rec_ht_uni *)tlv;
1290 	ht->ht_cap = cpu_to_le16(sta->deflink.ht_cap.cap);
1291 	ht->ampdu_param = u8_encode_bits(sta->deflink.ht_cap.ampdu_factor,
1292 					 IEEE80211_HT_AMPDU_PARM_FACTOR) |
1293 			  u8_encode_bits(sta->deflink.ht_cap.ampdu_density,
1294 					 IEEE80211_HT_AMPDU_PARM_DENSITY);
1295 }
1296 
1297 static void
1298 mt7996_mcu_sta_vht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
1299 {
1300 	struct sta_rec_vht *vht;
1301 	struct tlv *tlv;
1302 
1303 	/* For 6G band, this tlv is necessary to let hw work normally */
1304 	if (!sta->deflink.he_6ghz_capa.capa && !sta->deflink.vht_cap.vht_supported)
1305 		return;
1306 
1307 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_VHT, sizeof(*vht));
1308 
1309 	vht = (struct sta_rec_vht *)tlv;
1310 	vht->vht_cap = cpu_to_le32(sta->deflink.vht_cap.cap);
1311 	vht->vht_rx_mcs_map = sta->deflink.vht_cap.vht_mcs.rx_mcs_map;
1312 	vht->vht_tx_mcs_map = sta->deflink.vht_cap.vht_mcs.tx_mcs_map;
1313 }
1314 
1315 static void
1316 mt7996_mcu_sta_amsdu_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1317 			 struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1318 {
1319 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1320 	struct sta_rec_amsdu *amsdu;
1321 	struct tlv *tlv;
1322 
1323 	if (vif->type != NL80211_IFTYPE_STATION &&
1324 	    vif->type != NL80211_IFTYPE_MESH_POINT &&
1325 	    vif->type != NL80211_IFTYPE_AP)
1326 		return;
1327 
1328 	if (!sta->deflink.agg.max_amsdu_len)
1329 		return;
1330 
1331 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HW_AMSDU, sizeof(*amsdu));
1332 	amsdu = (struct sta_rec_amsdu *)tlv;
1333 	amsdu->max_amsdu_num = 8;
1334 	amsdu->amsdu_en = true;
1335 	msta->wcid.amsdu = true;
1336 
1337 	switch (sta->deflink.agg.max_amsdu_len) {
1338 	case IEEE80211_MAX_MPDU_LEN_VHT_11454:
1339 		amsdu->max_mpdu_size =
1340 			IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454;
1341 		return;
1342 	case IEEE80211_MAX_MPDU_LEN_HT_7935:
1343 	case IEEE80211_MAX_MPDU_LEN_VHT_7991:
1344 		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991;
1345 		return;
1346 	default:
1347 		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895;
1348 		return;
1349 	}
1350 }
1351 
1352 static void
1353 mt7996_mcu_sta_muru_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1354 			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1355 {
1356 	struct ieee80211_he_cap_elem *elem = &sta->deflink.he_cap.he_cap_elem;
1357 	struct sta_rec_muru *muru;
1358 	struct tlv *tlv;
1359 
1360 	if (vif->type != NL80211_IFTYPE_STATION &&
1361 	    vif->type != NL80211_IFTYPE_AP)
1362 		return;
1363 
1364 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_MURU, sizeof(*muru));
1365 
1366 	muru = (struct sta_rec_muru *)tlv;
1367 	muru->cfg.mimo_dl_en = vif->bss_conf.eht_mu_beamformer ||
1368 			       vif->bss_conf.he_mu_beamformer ||
1369 			       vif->bss_conf.vht_mu_beamformer ||
1370 			       vif->bss_conf.vht_mu_beamformee;
1371 	muru->cfg.ofdma_dl_en = true;
1372 
1373 	if (sta->deflink.vht_cap.vht_supported)
1374 		muru->mimo_dl.vht_mu_bfee =
1375 			!!(sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
1376 
1377 	if (!sta->deflink.he_cap.has_he)
1378 		return;
1379 
1380 	muru->mimo_dl.partial_bw_dl_mimo =
1381 		HE_PHY(CAP6_PARTIAL_BANDWIDTH_DL_MUMIMO, elem->phy_cap_info[6]);
1382 
1383 	muru->mimo_ul.full_ul_mimo =
1384 		HE_PHY(CAP2_UL_MU_FULL_MU_MIMO, elem->phy_cap_info[2]);
1385 	muru->mimo_ul.partial_ul_mimo =
1386 		HE_PHY(CAP2_UL_MU_PARTIAL_MU_MIMO, elem->phy_cap_info[2]);
1387 
1388 	muru->ofdma_dl.punc_pream_rx =
1389 		HE_PHY(CAP1_PREAMBLE_PUNC_RX_MASK, elem->phy_cap_info[1]);
1390 	muru->ofdma_dl.he_20m_in_40m_2g =
1391 		HE_PHY(CAP8_20MHZ_IN_40MHZ_HE_PPDU_IN_2G, elem->phy_cap_info[8]);
1392 	muru->ofdma_dl.he_20m_in_160m =
1393 		HE_PHY(CAP8_20MHZ_IN_160MHZ_HE_PPDU, elem->phy_cap_info[8]);
1394 	muru->ofdma_dl.he_80m_in_160m =
1395 		HE_PHY(CAP8_80MHZ_IN_160MHZ_HE_PPDU, elem->phy_cap_info[8]);
1396 
1397 	muru->ofdma_ul.t_frame_dur =
1398 		HE_MAC(CAP1_TF_MAC_PAD_DUR_MASK, elem->mac_cap_info[1]);
1399 	muru->ofdma_ul.mu_cascading =
1400 		HE_MAC(CAP2_MU_CASCADING, elem->mac_cap_info[2]);
1401 	muru->ofdma_ul.uo_ra =
1402 		HE_MAC(CAP3_OFDMA_RA, elem->mac_cap_info[3]);
1403 	muru->ofdma_ul.rx_ctrl_frame_to_mbss =
1404 		HE_MAC(CAP3_RX_CTRL_FRAME_TO_MULTIBSS, elem->mac_cap_info[3]);
1405 }
1406 
1407 static inline bool
1408 mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif,
1409 			struct ieee80211_sta *sta, bool bfee)
1410 {
1411 	int sts = hweight16(phy->mt76->chainmask);
1412 
1413 	if (vif->type != NL80211_IFTYPE_STATION &&
1414 	    vif->type != NL80211_IFTYPE_AP)
1415 		return false;
1416 
1417 	if (!bfee && sts < 2)
1418 		return false;
1419 
1420 	if (sta->deflink.eht_cap.has_eht) {
1421 		struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
1422 		struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
1423 
1424 		if (bfee)
1425 			return vif->bss_conf.eht_su_beamformee &&
1426 			       EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
1427 		else
1428 			return vif->bss_conf.eht_su_beamformer &&
1429 			       EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
1430 	}
1431 
1432 	if (sta->deflink.he_cap.has_he) {
1433 		struct ieee80211_he_cap_elem *pe = &sta->deflink.he_cap.he_cap_elem;
1434 
1435 		if (bfee)
1436 			return vif->bss_conf.he_su_beamformee &&
1437 			       HE_PHY(CAP3_SU_BEAMFORMER, pe->phy_cap_info[3]);
1438 		else
1439 			return vif->bss_conf.he_su_beamformer &&
1440 			       HE_PHY(CAP4_SU_BEAMFORMEE, pe->phy_cap_info[4]);
1441 	}
1442 
1443 	if (sta->deflink.vht_cap.vht_supported) {
1444 		u32 cap = sta->deflink.vht_cap.cap;
1445 
1446 		if (bfee)
1447 			return vif->bss_conf.vht_su_beamformee &&
1448 			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE);
1449 		else
1450 			return vif->bss_conf.vht_su_beamformer &&
1451 			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE);
1452 	}
1453 
1454 	return false;
1455 }
1456 
1457 static void
1458 mt7996_mcu_sta_sounding_rate(struct sta_rec_bf *bf)
1459 {
1460 	bf->sounding_phy = MT_PHY_TYPE_OFDM;
1461 	bf->ndp_rate = 0;				/* mcs0 */
1462 	bf->ndpa_rate = MT7996_CFEND_RATE_DEFAULT;	/* ofdm 24m */
1463 	bf->rept_poll_rate = MT7996_CFEND_RATE_DEFAULT;	/* ofdm 24m */
1464 }
1465 
1466 static void
1467 mt7996_mcu_sta_bfer_ht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
1468 		       struct sta_rec_bf *bf)
1469 {
1470 	struct ieee80211_mcs_info *mcs = &sta->deflink.ht_cap.mcs;
1471 	u8 n = 0;
1472 
1473 	bf->tx_mode = MT_PHY_TYPE_HT;
1474 
1475 	if ((mcs->tx_params & IEEE80211_HT_MCS_TX_RX_DIFF) &&
1476 	    (mcs->tx_params & IEEE80211_HT_MCS_TX_DEFINED))
1477 		n = FIELD_GET(IEEE80211_HT_MCS_TX_MAX_STREAMS_MASK,
1478 			      mcs->tx_params);
1479 	else if (mcs->rx_mask[3])
1480 		n = 3;
1481 	else if (mcs->rx_mask[2])
1482 		n = 2;
1483 	else if (mcs->rx_mask[1])
1484 		n = 1;
1485 
1486 	bf->nrow = hweight8(phy->mt76->antenna_mask) - 1;
1487 	bf->ncol = min_t(u8, bf->nrow, n);
1488 	bf->ibf_ncol = n;
1489 }
1490 
1491 static void
1492 mt7996_mcu_sta_bfer_vht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
1493 			struct sta_rec_bf *bf, bool explicit)
1494 {
1495 	struct ieee80211_sta_vht_cap *pc = &sta->deflink.vht_cap;
1496 	struct ieee80211_sta_vht_cap *vc = &phy->mt76->sband_5g.sband.vht_cap;
1497 	u16 mcs_map = le16_to_cpu(pc->vht_mcs.rx_mcs_map);
1498 	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1499 	u8 tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
1500 
1501 	bf->tx_mode = MT_PHY_TYPE_VHT;
1502 
1503 	if (explicit) {
1504 		u8 sts, snd_dim;
1505 
1506 		mt7996_mcu_sta_sounding_rate(bf);
1507 
1508 		sts = FIELD_GET(IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK,
1509 				pc->cap);
1510 		snd_dim = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
1511 				    vc->cap);
1512 		bf->nrow = min_t(u8, min_t(u8, snd_dim, sts), tx_ant);
1513 		bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1514 		bf->ibf_ncol = bf->ncol;
1515 
1516 		if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_160)
1517 			bf->nrow = 1;
1518 	} else {
1519 		bf->nrow = tx_ant;
1520 		bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1521 		bf->ibf_ncol = nss_mcs;
1522 
1523 		if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_160)
1524 			bf->ibf_nrow = 1;
1525 	}
1526 }
1527 
1528 static void
1529 mt7996_mcu_sta_bfer_he(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
1530 		       struct mt7996_phy *phy, struct sta_rec_bf *bf)
1531 {
1532 	struct ieee80211_sta_he_cap *pc = &sta->deflink.he_cap;
1533 	struct ieee80211_he_cap_elem *pe = &pc->he_cap_elem;
1534 	const struct ieee80211_sta_he_cap *vc =
1535 		mt76_connac_get_he_phy_cap(phy->mt76, vif);
1536 	const struct ieee80211_he_cap_elem *ve = &vc->he_cap_elem;
1537 	u16 mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80);
1538 	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1539 	u8 snd_dim, sts;
1540 
1541 	bf->tx_mode = MT_PHY_TYPE_HE_SU;
1542 
1543 	mt7996_mcu_sta_sounding_rate(bf);
1544 
1545 	bf->trigger_su = HE_PHY(CAP6_TRIG_SU_BEAMFORMING_FB,
1546 				pe->phy_cap_info[6]);
1547 	bf->trigger_mu = HE_PHY(CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB,
1548 				pe->phy_cap_info[6]);
1549 	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
1550 			 ve->phy_cap_info[5]);
1551 	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_MASK,
1552 		     pe->phy_cap_info[4]);
1553 	bf->nrow = min_t(u8, snd_dim, sts);
1554 	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1555 	bf->ibf_ncol = bf->ncol;
1556 
1557 	if (sta->deflink.bandwidth != IEEE80211_STA_RX_BW_160)
1558 		return;
1559 
1560 	/* go over for 160MHz and 80p80 */
1561 	if (pe->phy_cap_info[0] &
1562 	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G) {
1563 		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_160);
1564 		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1565 
1566 		bf->ncol_gt_bw80 = nss_mcs;
1567 	}
1568 
1569 	if (pe->phy_cap_info[0] &
1570 	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G) {
1571 		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80p80);
1572 		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
1573 
1574 		if (bf->ncol_gt_bw80)
1575 			bf->ncol_gt_bw80 = min_t(u8, bf->ncol_gt_bw80, nss_mcs);
1576 		else
1577 			bf->ncol_gt_bw80 = nss_mcs;
1578 	}
1579 
1580 	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_MASK,
1581 			 ve->phy_cap_info[5]);
1582 	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_MASK,
1583 		     pe->phy_cap_info[4]);
1584 
1585 	bf->nrow_gt_bw80 = min_t(int, snd_dim, sts);
1586 }
1587 
1588 static void
1589 mt7996_mcu_sta_bfer_eht(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
1590 			struct mt7996_phy *phy, struct sta_rec_bf *bf)
1591 {
1592 	struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
1593 	struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
1594 	struct ieee80211_eht_mcs_nss_supp *eht_nss = &pc->eht_mcs_nss_supp;
1595 	const struct ieee80211_sta_eht_cap *vc =
1596 		mt76_connac_get_eht_phy_cap(phy->mt76, vif);
1597 	const struct ieee80211_eht_cap_elem_fixed *ve = &vc->eht_cap_elem;
1598 	u8 nss_mcs = u8_get_bits(eht_nss->bw._80.rx_tx_mcs9_max_nss,
1599 				 IEEE80211_EHT_MCS_NSS_RX) - 1;
1600 	u8 snd_dim, sts;
1601 
1602 	bf->tx_mode = MT_PHY_TYPE_EHT_MU;
1603 
1604 	mt7996_mcu_sta_sounding_rate(bf);
1605 
1606 	bf->trigger_su = EHT_PHY(CAP3_TRIG_SU_BF_FDBK, pe->phy_cap_info[3]);
1607 	bf->trigger_mu = EHT_PHY(CAP3_TRIG_MU_BF_PART_BW_FDBK, pe->phy_cap_info[3]);
1608 	snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_80MHZ_MASK, ve->phy_cap_info[2]);
1609 	sts = EHT_PHY(CAP0_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[0]) +
1610 	      (EHT_PHY(CAP1_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[1]) << 1);
1611 	bf->nrow = min_t(u8, snd_dim, sts);
1612 	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
1613 	bf->ibf_ncol = bf->ncol;
1614 
1615 	if (sta->deflink.bandwidth < IEEE80211_STA_RX_BW_160)
1616 		return;
1617 
1618 	switch (sta->deflink.bandwidth) {
1619 	case IEEE80211_STA_RX_BW_160:
1620 		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_160MHZ_MASK, ve->phy_cap_info[2]);
1621 		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_160MHZ_MASK, pe->phy_cap_info[1]);
1622 		nss_mcs = u8_get_bits(eht_nss->bw._160.rx_tx_mcs9_max_nss,
1623 				      IEEE80211_EHT_MCS_NSS_RX) - 1;
1624 
1625 		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts);
1626 		bf->ncol_gt_bw80 = nss_mcs;
1627 		break;
1628 	case IEEE80211_STA_RX_BW_320:
1629 		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_320MHZ_MASK, ve->phy_cap_info[2]) +
1630 			  (EHT_PHY(CAP3_SOUNDING_DIM_320MHZ_MASK,
1631 				   ve->phy_cap_info[3]) << 1);
1632 		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_320MHZ_MASK, pe->phy_cap_info[1]);
1633 		nss_mcs = u8_get_bits(eht_nss->bw._320.rx_tx_mcs9_max_nss,
1634 				      IEEE80211_EHT_MCS_NSS_RX) - 1;
1635 
1636 		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts) << 4;
1637 		bf->ncol_gt_bw80 = nss_mcs << 4;
1638 		break;
1639 	default:
1640 		break;
1641 	}
1642 }
1643 
1644 static void
1645 mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1646 			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1647 {
1648 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1649 	struct mt7996_phy *phy = mvif->phy;
1650 	int tx_ant = hweight8(phy->mt76->chainmask) - 1;
1651 	struct sta_rec_bf *bf;
1652 	struct tlv *tlv;
1653 	const u8 matrix[4][4] = {
1654 		{0, 0, 0, 0},
1655 		{1, 1, 0, 0},	/* 2x1, 2x2, 2x3, 2x4 */
1656 		{2, 4, 4, 0},	/* 3x1, 3x2, 3x3, 3x4 */
1657 		{3, 5, 6, 0}	/* 4x1, 4x2, 4x3, 4x4 */
1658 	};
1659 	bool ebf;
1660 
1661 	if (!(sta->deflink.ht_cap.ht_supported || sta->deflink.he_cap.has_he))
1662 		return;
1663 
1664 	ebf = mt7996_is_ebf_supported(phy, vif, sta, false);
1665 	if (!ebf && !dev->ibf)
1666 		return;
1667 
1668 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BF, sizeof(*bf));
1669 	bf = (struct sta_rec_bf *)tlv;
1670 
1671 	/* he/eht: eBF only, in accordance with spec
1672 	 * vht: support eBF and iBF
1673 	 * ht: iBF only, since mac80211 lacks of eBF support
1674 	 */
1675 	if (sta->deflink.eht_cap.has_eht && ebf)
1676 		mt7996_mcu_sta_bfer_eht(sta, vif, phy, bf);
1677 	else if (sta->deflink.he_cap.has_he && ebf)
1678 		mt7996_mcu_sta_bfer_he(sta, vif, phy, bf);
1679 	else if (sta->deflink.vht_cap.vht_supported)
1680 		mt7996_mcu_sta_bfer_vht(sta, phy, bf, ebf);
1681 	else if (sta->deflink.ht_cap.ht_supported)
1682 		mt7996_mcu_sta_bfer_ht(sta, phy, bf);
1683 	else
1684 		return;
1685 
1686 	bf->bf_cap = ebf ? ebf : dev->ibf << 1;
1687 	bf->bw = sta->deflink.bandwidth;
1688 	bf->ibf_dbw = sta->deflink.bandwidth;
1689 	bf->ibf_nrow = tx_ant;
1690 
1691 	if (!ebf && sta->deflink.bandwidth <= IEEE80211_STA_RX_BW_40 && !bf->ncol)
1692 		bf->ibf_timeout = 0x48;
1693 	else
1694 		bf->ibf_timeout = 0x18;
1695 
1696 	if (ebf && bf->nrow != tx_ant)
1697 		bf->mem_20m = matrix[tx_ant][bf->ncol];
1698 	else
1699 		bf->mem_20m = matrix[bf->nrow][bf->ncol];
1700 
1701 	switch (sta->deflink.bandwidth) {
1702 	case IEEE80211_STA_RX_BW_160:
1703 	case IEEE80211_STA_RX_BW_80:
1704 		bf->mem_total = bf->mem_20m * 2;
1705 		break;
1706 	case IEEE80211_STA_RX_BW_40:
1707 		bf->mem_total = bf->mem_20m;
1708 		break;
1709 	case IEEE80211_STA_RX_BW_20:
1710 	default:
1711 		break;
1712 	}
1713 }
1714 
1715 static void
1716 mt7996_mcu_sta_bfee_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1717 			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1718 {
1719 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1720 	struct mt7996_phy *phy = mvif->phy;
1721 	int tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
1722 	struct sta_rec_bfee *bfee;
1723 	struct tlv *tlv;
1724 	u8 nrow = 0;
1725 
1726 	if (!(sta->deflink.vht_cap.vht_supported || sta->deflink.he_cap.has_he))
1727 		return;
1728 
1729 	if (!mt7996_is_ebf_supported(phy, vif, sta, true))
1730 		return;
1731 
1732 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BFEE, sizeof(*bfee));
1733 	bfee = (struct sta_rec_bfee *)tlv;
1734 
1735 	if (sta->deflink.he_cap.has_he) {
1736 		struct ieee80211_he_cap_elem *pe = &sta->deflink.he_cap.he_cap_elem;
1737 
1738 		nrow = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
1739 			      pe->phy_cap_info[5]);
1740 	} else if (sta->deflink.vht_cap.vht_supported) {
1741 		struct ieee80211_sta_vht_cap *pc = &sta->deflink.vht_cap;
1742 
1743 		nrow = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
1744 				 pc->cap);
1745 	}
1746 
1747 	/* reply with identity matrix to avoid 2x2 BF negative gain */
1748 	bfee->fb_identity_matrix = (nrow == 1 && tx_ant == 2);
1749 }
1750 
1751 static void
1752 mt7996_mcu_sta_hdrt_tlv(struct mt7996_dev *dev, struct sk_buff *skb)
1753 {
1754 	struct sta_rec_hdrt *hdrt;
1755 	struct tlv *tlv;
1756 
1757 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HDRT, sizeof(*hdrt));
1758 
1759 	hdrt = (struct sta_rec_hdrt *)tlv;
1760 	hdrt->hdrt_mode = 1;
1761 }
1762 
1763 static void
1764 mt7996_mcu_sta_hdr_trans_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
1765 			     struct ieee80211_vif *vif,
1766 			     struct ieee80211_sta *sta)
1767 {
1768 	struct sta_rec_hdr_trans *hdr_trans;
1769 	struct mt76_wcid *wcid;
1770 	struct tlv *tlv;
1771 
1772 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HDR_TRANS, sizeof(*hdr_trans));
1773 	hdr_trans = (struct sta_rec_hdr_trans *)tlv;
1774 	hdr_trans->dis_rx_hdr_tran = true;
1775 
1776 	if (vif->type == NL80211_IFTYPE_STATION)
1777 		hdr_trans->to_ds = true;
1778 	else
1779 		hdr_trans->from_ds = true;
1780 
1781 	wcid = (struct mt76_wcid *)sta->drv_priv;
1782 	if (!wcid)
1783 		return;
1784 
1785 	hdr_trans->dis_rx_hdr_tran = !test_bit(MT_WCID_FLAG_HDR_TRANS, &wcid->flags);
1786 	if (test_bit(MT_WCID_FLAG_4ADDR, &wcid->flags)) {
1787 		hdr_trans->to_ds = true;
1788 		hdr_trans->from_ds = true;
1789 	}
1790 
1791 	if (vif->type == NL80211_IFTYPE_MESH_POINT) {
1792 		hdr_trans->to_ds = true;
1793 		hdr_trans->from_ds = true;
1794 		hdr_trans->mesh = true;
1795 	}
1796 }
1797 
1798 static enum mcu_mmps_mode
1799 mt7996_mcu_get_mmps_mode(enum ieee80211_smps_mode smps)
1800 {
1801 	switch (smps) {
1802 	case IEEE80211_SMPS_OFF:
1803 		return MCU_MMPS_DISABLE;
1804 	case IEEE80211_SMPS_STATIC:
1805 		return MCU_MMPS_STATIC;
1806 	case IEEE80211_SMPS_DYNAMIC:
1807 		return MCU_MMPS_DYNAMIC;
1808 	default:
1809 		return MCU_MMPS_DISABLE;
1810 	}
1811 }
1812 
1813 int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
1814 				   void *data, u16 version)
1815 {
1816 	struct ra_fixed_rate *req;
1817 	struct uni_header hdr;
1818 	struct sk_buff *skb;
1819 	struct tlv *tlv;
1820 	int len;
1821 
1822 	len = sizeof(hdr) + sizeof(*req);
1823 
1824 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
1825 	if (!skb)
1826 		return -ENOMEM;
1827 
1828 	skb_put_data(skb, &hdr, sizeof(hdr));
1829 
1830 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_RA_FIXED_RATE, sizeof(*req));
1831 	req = (struct ra_fixed_rate *)tlv;
1832 	req->version = cpu_to_le16(version);
1833 	memcpy(&req->rate, data, sizeof(req->rate));
1834 
1835 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1836 				     MCU_WM_UNI_CMD(RA), true);
1837 }
1838 
1839 int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1840 			       struct ieee80211_sta *sta, void *data, u32 field)
1841 {
1842 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1843 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1844 	struct sta_phy_uni *phy = data;
1845 	struct sta_rec_ra_fixed_uni *ra;
1846 	struct sk_buff *skb;
1847 	struct tlv *tlv;
1848 
1849 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
1850 					      &msta->wcid,
1851 					      MT7996_STA_UPDATE_MAX_SIZE);
1852 	if (IS_ERR(skb))
1853 		return PTR_ERR(skb);
1854 
1855 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA_UPDATE, sizeof(*ra));
1856 	ra = (struct sta_rec_ra_fixed_uni *)tlv;
1857 
1858 	switch (field) {
1859 	case RATE_PARAM_AUTO:
1860 		break;
1861 	case RATE_PARAM_FIXED:
1862 	case RATE_PARAM_FIXED_MCS:
1863 	case RATE_PARAM_FIXED_GI:
1864 	case RATE_PARAM_FIXED_HE_LTF:
1865 		if (phy)
1866 			ra->phy = *phy;
1867 		break;
1868 	case RATE_PARAM_MMPS_UPDATE:
1869 		ra->mmps_mode = mt7996_mcu_get_mmps_mode(sta->deflink.smps_mode);
1870 		break;
1871 	default:
1872 		break;
1873 	}
1874 	ra->field = cpu_to_le32(field);
1875 
1876 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
1877 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
1878 }
1879 
1880 static int
1881 mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev, struct ieee80211_vif *vif,
1882 			       struct ieee80211_sta *sta)
1883 {
1884 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1885 	struct cfg80211_chan_def *chandef = &mvif->phy->mt76->chandef;
1886 	struct cfg80211_bitrate_mask *mask = &mvif->bitrate_mask;
1887 	enum nl80211_band band = chandef->chan->band;
1888 	struct sta_phy_uni phy = {};
1889 	int ret, nrates = 0;
1890 
1891 #define __sta_phy_bitrate_mask_check(_mcs, _gi, _ht, _he)			\
1892 	do {									\
1893 		u8 i, gi = mask->control[band]._gi;				\
1894 		gi = (_he) ? gi : gi == NL80211_TXRATE_FORCE_SGI;		\
1895 		phy.sgi = gi;							\
1896 		phy.he_ltf = mask->control[band].he_ltf;			\
1897 		for (i = 0; i < ARRAY_SIZE(mask->control[band]._mcs); i++) {	\
1898 			if (!mask->control[band]._mcs[i])			\
1899 				continue;					\
1900 			nrates += hweight16(mask->control[band]._mcs[i]);	\
1901 			phy.mcs = ffs(mask->control[band]._mcs[i]) - 1;		\
1902 			if (_ht)						\
1903 				phy.mcs += 8 * i;				\
1904 		}								\
1905 	} while (0)
1906 
1907 	if (sta->deflink.he_cap.has_he) {
1908 		__sta_phy_bitrate_mask_check(he_mcs, he_gi, 0, 1);
1909 	} else if (sta->deflink.vht_cap.vht_supported) {
1910 		__sta_phy_bitrate_mask_check(vht_mcs, gi, 0, 0);
1911 	} else if (sta->deflink.ht_cap.ht_supported) {
1912 		__sta_phy_bitrate_mask_check(ht_mcs, gi, 1, 0);
1913 	} else {
1914 		nrates = hweight32(mask->control[band].legacy);
1915 		phy.mcs = ffs(mask->control[band].legacy) - 1;
1916 	}
1917 #undef __sta_phy_bitrate_mask_check
1918 
1919 	/* fall back to auto rate control */
1920 	if (mask->control[band].gi == NL80211_TXRATE_DEFAULT_GI &&
1921 	    mask->control[band].he_gi == GENMASK(7, 0) &&
1922 	    mask->control[band].he_ltf == GENMASK(7, 0) &&
1923 	    nrates != 1)
1924 		return 0;
1925 
1926 	/* fixed single rate */
1927 	if (nrates == 1) {
1928 		ret = mt7996_mcu_set_fixed_field(dev, vif, sta, &phy,
1929 						 RATE_PARAM_FIXED_MCS);
1930 		if (ret)
1931 			return ret;
1932 	}
1933 
1934 	/* fixed GI */
1935 	if (mask->control[band].gi != NL80211_TXRATE_DEFAULT_GI ||
1936 	    mask->control[band].he_gi != GENMASK(7, 0)) {
1937 		struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
1938 		u32 addr;
1939 
1940 		/* firmware updates only TXCMD but doesn't take WTBL into
1941 		 * account, so driver should update here to reflect the
1942 		 * actual txrate hardware sends out.
1943 		 */
1944 		addr = mt7996_mac_wtbl_lmac_addr(dev, msta->wcid.idx, 7);
1945 		if (sta->deflink.he_cap.has_he)
1946 			mt76_rmw_field(dev, addr, GENMASK(31, 24), phy.sgi);
1947 		else
1948 			mt76_rmw_field(dev, addr, GENMASK(15, 12), phy.sgi);
1949 
1950 		ret = mt7996_mcu_set_fixed_field(dev, vif, sta, &phy,
1951 						 RATE_PARAM_FIXED_GI);
1952 		if (ret)
1953 			return ret;
1954 	}
1955 
1956 	/* fixed HE_LTF */
1957 	if (mask->control[band].he_ltf != GENMASK(7, 0)) {
1958 		ret = mt7996_mcu_set_fixed_field(dev, vif, sta, &phy,
1959 						 RATE_PARAM_FIXED_HE_LTF);
1960 		if (ret)
1961 			return ret;
1962 	}
1963 
1964 	return 0;
1965 }
1966 
1967 static void
1968 mt7996_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, struct mt7996_dev *dev,
1969 			     struct ieee80211_vif *vif, struct ieee80211_sta *sta)
1970 {
1971 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
1972 	struct mt76_phy *mphy = mvif->phy->mt76;
1973 	struct cfg80211_chan_def *chandef = &mphy->chandef;
1974 	struct cfg80211_bitrate_mask *mask = &mvif->bitrate_mask;
1975 	enum nl80211_band band = chandef->chan->band;
1976 	struct sta_rec_ra_uni *ra;
1977 	struct tlv *tlv;
1978 	u32 supp_rate = sta->deflink.supp_rates[band];
1979 	u32 cap = sta->wme ? STA_CAP_WMM : 0;
1980 
1981 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA, sizeof(*ra));
1982 	ra = (struct sta_rec_ra_uni *)tlv;
1983 
1984 	ra->valid = true;
1985 	ra->auto_rate = true;
1986 	ra->phy_mode = mt76_connac_get_phy_mode(mphy, vif, band, sta);
1987 	ra->channel = chandef->chan->hw_value;
1988 	ra->bw = (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_320) ?
1989 		 CMD_CBW_320MHZ : sta->deflink.bandwidth;
1990 	ra->phy.bw = ra->bw;
1991 	ra->mmps_mode = mt7996_mcu_get_mmps_mode(sta->deflink.smps_mode);
1992 
1993 	if (supp_rate) {
1994 		supp_rate &= mask->control[band].legacy;
1995 		ra->rate_len = hweight32(supp_rate);
1996 
1997 		if (band == NL80211_BAND_2GHZ) {
1998 			ra->supp_mode = MODE_CCK;
1999 			ra->supp_cck_rate = supp_rate & GENMASK(3, 0);
2000 
2001 			if (ra->rate_len > 4) {
2002 				ra->supp_mode |= MODE_OFDM;
2003 				ra->supp_ofdm_rate = supp_rate >> 4;
2004 			}
2005 		} else {
2006 			ra->supp_mode = MODE_OFDM;
2007 			ra->supp_ofdm_rate = supp_rate;
2008 		}
2009 	}
2010 
2011 	if (sta->deflink.ht_cap.ht_supported) {
2012 		ra->supp_mode |= MODE_HT;
2013 		ra->af = sta->deflink.ht_cap.ampdu_factor;
2014 		ra->ht_gf = !!(sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_GRN_FLD);
2015 
2016 		cap |= STA_CAP_HT;
2017 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_20)
2018 			cap |= STA_CAP_SGI_20;
2019 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_40)
2020 			cap |= STA_CAP_SGI_40;
2021 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_TX_STBC)
2022 			cap |= STA_CAP_TX_STBC;
2023 		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_RX_STBC)
2024 			cap |= STA_CAP_RX_STBC;
2025 		if (vif->bss_conf.ht_ldpc &&
2026 		    (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_LDPC_CODING))
2027 			cap |= STA_CAP_LDPC;
2028 
2029 		mt7996_mcu_set_sta_ht_mcs(sta, ra->ht_mcs,
2030 					  mask->control[band].ht_mcs);
2031 		ra->supp_ht_mcs = *(__le32 *)ra->ht_mcs;
2032 	}
2033 
2034 	if (sta->deflink.vht_cap.vht_supported) {
2035 		u8 af;
2036 
2037 		ra->supp_mode |= MODE_VHT;
2038 		af = FIELD_GET(IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK,
2039 			       sta->deflink.vht_cap.cap);
2040 		ra->af = max_t(u8, ra->af, af);
2041 
2042 		cap |= STA_CAP_VHT;
2043 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80)
2044 			cap |= STA_CAP_VHT_SGI_80;
2045 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_160)
2046 			cap |= STA_CAP_VHT_SGI_160;
2047 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_TXSTBC)
2048 			cap |= STA_CAP_VHT_TX_STBC;
2049 		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXSTBC_1)
2050 			cap |= STA_CAP_VHT_RX_STBC;
2051 		if (vif->bss_conf.vht_ldpc &&
2052 		    (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXLDPC))
2053 			cap |= STA_CAP_VHT_LDPC;
2054 
2055 		mt7996_mcu_set_sta_vht_mcs(sta, ra->supp_vht_mcs,
2056 					   mask->control[band].vht_mcs);
2057 	}
2058 
2059 	if (sta->deflink.he_cap.has_he) {
2060 		ra->supp_mode |= MODE_HE;
2061 		cap |= STA_CAP_HE;
2062 
2063 		if (sta->deflink.he_6ghz_capa.capa)
2064 			ra->af = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
2065 					       IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP);
2066 	}
2067 	ra->sta_cap = cpu_to_le32(cap);
2068 }
2069 
2070 int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2071 			     struct ieee80211_sta *sta, bool changed)
2072 {
2073 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2074 	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
2075 	struct sk_buff *skb;
2076 	int ret;
2077 
2078 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
2079 					      &msta->wcid,
2080 					      MT7996_STA_UPDATE_MAX_SIZE);
2081 	if (IS_ERR(skb))
2082 		return PTR_ERR(skb);
2083 
2084 	/* firmware rc algorithm refers to sta_rec_he for HE control.
2085 	 * once dev->rc_work changes the settings driver should also
2086 	 * update sta_rec_he here.
2087 	 */
2088 	if (changed)
2089 		mt7996_mcu_sta_he_tlv(skb, sta);
2090 
2091 	/* sta_rec_ra accommodates BW, NSS and only MCS range format
2092 	 * i.e 0-{7,8,9} for VHT.
2093 	 */
2094 	mt7996_mcu_sta_rate_ctrl_tlv(skb, dev, vif, sta);
2095 
2096 	ret = mt76_mcu_skb_send_msg(&dev->mt76, skb,
2097 				    MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
2098 	if (ret)
2099 		return ret;
2100 
2101 	return mt7996_mcu_add_rate_ctrl_fixed(dev, vif, sta);
2102 }
2103 
2104 static int
2105 mt7996_mcu_add_group(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2106 		     struct ieee80211_sta *sta)
2107 {
2108 #define MT_STA_BSS_GROUP		1
2109 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2110 	struct mt7996_sta *msta;
2111 	struct {
2112 		u8 __rsv1[4];
2113 
2114 		__le16 tag;
2115 		__le16 len;
2116 		__le16 wlan_idx;
2117 		u8 __rsv2[2];
2118 		__le32 action;
2119 		__le32 val;
2120 		u8 __rsv3[8];
2121 	} __packed req = {
2122 		.tag = cpu_to_le16(UNI_VOW_DRR_CTRL),
2123 		.len = cpu_to_le16(sizeof(req) - 4),
2124 		.action = cpu_to_le32(MT_STA_BSS_GROUP),
2125 		.val = cpu_to_le32(mvif->mt76.idx % 16),
2126 	};
2127 
2128 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
2129 	req.wlan_idx = cpu_to_le16(msta->wcid.idx);
2130 
2131 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(VOW), &req,
2132 				 sizeof(req), true);
2133 }
2134 
2135 int mt7996_mcu_add_sta(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2136 		       struct ieee80211_sta *sta, bool enable)
2137 {
2138 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2139 	struct mt7996_sta *msta;
2140 	struct sk_buff *skb;
2141 	int ret;
2142 
2143 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
2144 
2145 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
2146 					      &msta->wcid,
2147 					      MT7996_STA_UPDATE_MAX_SIZE);
2148 	if (IS_ERR(skb))
2149 		return PTR_ERR(skb);
2150 
2151 	/* starec basic */
2152 	mt76_connac_mcu_sta_basic_tlv(&dev->mt76, skb, vif, sta, enable,
2153 				      !rcu_access_pointer(dev->mt76.wcid[msta->wcid.idx]));
2154 	if (!enable)
2155 		goto out;
2156 
2157 	/* tag order is in accordance with firmware dependency. */
2158 	if (sta) {
2159 		/* starec hdrt mode */
2160 		mt7996_mcu_sta_hdrt_tlv(dev, skb);
2161 		/* starec bfer */
2162 		mt7996_mcu_sta_bfer_tlv(dev, skb, vif, sta);
2163 		/* starec ht */
2164 		mt7996_mcu_sta_ht_tlv(skb, sta);
2165 		/* starec vht */
2166 		mt7996_mcu_sta_vht_tlv(skb, sta);
2167 		/* starec uapsd */
2168 		mt76_connac_mcu_sta_uapsd(skb, vif, sta);
2169 		/* starec amsdu */
2170 		mt7996_mcu_sta_amsdu_tlv(dev, skb, vif, sta);
2171 		/* starec he */
2172 		mt7996_mcu_sta_he_tlv(skb, sta);
2173 		/* starec he 6g*/
2174 		mt7996_mcu_sta_he_6g_tlv(skb, sta);
2175 		/* starec eht */
2176 		mt7996_mcu_sta_eht_tlv(skb, sta);
2177 		/* starec muru */
2178 		mt7996_mcu_sta_muru_tlv(dev, skb, vif, sta);
2179 		/* starec bfee */
2180 		mt7996_mcu_sta_bfee_tlv(dev, skb, vif, sta);
2181 		/* starec hdr trans */
2182 		mt7996_mcu_sta_hdr_trans_tlv(dev, skb, vif, sta);
2183 	}
2184 
2185 	ret = mt7996_mcu_add_group(dev, vif, sta);
2186 	if (ret) {
2187 		dev_kfree_skb(skb);
2188 		return ret;
2189 	}
2190 out:
2191 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
2192 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
2193 }
2194 
2195 static int
2196 mt7996_mcu_sta_key_tlv(struct mt76_wcid *wcid,
2197 		       struct sk_buff *skb,
2198 		       struct ieee80211_key_conf *key,
2199 		       enum set_key_cmd cmd)
2200 {
2201 	struct sta_rec_sec_uni *sec;
2202 	struct tlv *tlv;
2203 
2204 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_KEY_V2, sizeof(*sec));
2205 	sec = (struct sta_rec_sec_uni *)tlv;
2206 	sec->add = cmd;
2207 
2208 	if (cmd == SET_KEY) {
2209 		struct sec_key_uni *sec_key;
2210 		u8 cipher;
2211 
2212 		cipher = mt76_connac_mcu_get_cipher(key->cipher);
2213 		if (cipher == MCU_CIPHER_NONE)
2214 			return -EOPNOTSUPP;
2215 
2216 		sec_key = &sec->key[0];
2217 		sec_key->wlan_idx = cpu_to_le16(wcid->idx);
2218 		sec_key->mgmt_prot = 0;
2219 		sec_key->cipher_id = cipher;
2220 		sec_key->cipher_len = sizeof(*sec_key);
2221 		sec_key->key_id = key->keyidx;
2222 		sec_key->key_len = key->keylen;
2223 		sec_key->need_resp = 0;
2224 		memcpy(sec_key->key, key->key, key->keylen);
2225 
2226 		if (cipher == MCU_CIPHER_TKIP) {
2227 			/* Rx/Tx MIC keys are swapped */
2228 			memcpy(sec_key->key + 16, key->key + 24, 8);
2229 			memcpy(sec_key->key + 24, key->key + 16, 8);
2230 		}
2231 
2232 		sec->n_cipher = 1;
2233 	} else {
2234 		sec->n_cipher = 0;
2235 	}
2236 
2237 	return 0;
2238 }
2239 
2240 int mt7996_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
2241 		       struct ieee80211_key_conf *key, int mcu_cmd,
2242 		       struct mt76_wcid *wcid, enum set_key_cmd cmd)
2243 {
2244 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
2245 	struct sk_buff *skb;
2246 	int ret;
2247 
2248 	skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, wcid,
2249 					      MT7996_STA_UPDATE_MAX_SIZE);
2250 	if (IS_ERR(skb))
2251 		return PTR_ERR(skb);
2252 
2253 	ret = mt7996_mcu_sta_key_tlv(wcid, skb, key, cmd);
2254 	if (ret)
2255 		return ret;
2256 
2257 	return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
2258 }
2259 
2260 static int mt7996_mcu_get_pn(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2261 			     u8 *pn)
2262 {
2263 #define TSC_TYPE_BIGTK_PN 2
2264 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2265 	struct sta_rec_pn_info *pn_info;
2266 	struct sk_buff *skb, *rskb;
2267 	struct tlv *tlv;
2268 	int ret;
2269 
2270 	skb = mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76, &mvif->sta.wcid);
2271 	if (IS_ERR(skb))
2272 		return PTR_ERR(skb);
2273 
2274 	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_PN_INFO, sizeof(*pn_info));
2275 	pn_info = (struct sta_rec_pn_info *)tlv;
2276 
2277 	pn_info->tsc_type = TSC_TYPE_BIGTK_PN;
2278 	ret = mt76_mcu_skb_send_and_get_msg(&dev->mt76, skb,
2279 					    MCU_WM_UNI_CMD_QUERY(STA_REC_UPDATE),
2280 					    true, &rskb);
2281 	if (ret)
2282 		return ret;
2283 
2284 	skb_pull(rskb, 4);
2285 
2286 	pn_info = (struct sta_rec_pn_info *)rskb->data;
2287 	if (le16_to_cpu(pn_info->tag) == STA_REC_PN_INFO)
2288 		memcpy(pn, pn_info->pn, 6);
2289 
2290 	dev_kfree_skb(rskb);
2291 	return 0;
2292 }
2293 
2294 int mt7996_mcu_bcn_prot_enable(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2295 			       struct ieee80211_key_conf *key)
2296 {
2297 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2298 	struct mt7996_mcu_bcn_prot_tlv *bcn_prot;
2299 	struct sk_buff *skb;
2300 	struct tlv *tlv;
2301 	u8 pn[6] = {};
2302 	int len = sizeof(struct bss_req_hdr) +
2303 		  sizeof(struct mt7996_mcu_bcn_prot_tlv);
2304 	int ret;
2305 
2306 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76, len);
2307 	if (IS_ERR(skb))
2308 		return PTR_ERR(skb);
2309 
2310 	tlv = mt76_connac_mcu_add_tlv(skb, UNI_BSS_INFO_BCN_PROT, sizeof(*bcn_prot));
2311 
2312 	bcn_prot = (struct mt7996_mcu_bcn_prot_tlv *)tlv;
2313 
2314 	ret = mt7996_mcu_get_pn(dev, vif, pn);
2315 	if (ret) {
2316 		dev_kfree_skb(skb);
2317 		return ret;
2318 	}
2319 
2320 	switch (key->cipher) {
2321 	case WLAN_CIPHER_SUITE_AES_CMAC:
2322 		bcn_prot->cipher_id = MCU_CIPHER_BCN_PROT_CMAC_128;
2323 		break;
2324 	case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2325 		bcn_prot->cipher_id = MCU_CIPHER_BCN_PROT_GMAC_128;
2326 		break;
2327 	case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2328 		bcn_prot->cipher_id = MCU_CIPHER_BCN_PROT_GMAC_256;
2329 		break;
2330 	case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2331 	default:
2332 		dev_err(dev->mt76.dev, "Not supported Bigtk Cipher\n");
2333 		dev_kfree_skb(skb);
2334 		return -EOPNOTSUPP;
2335 	}
2336 
2337 	pn[0]++;
2338 	memcpy(bcn_prot->pn, pn, 6);
2339 	bcn_prot->enable = BP_SW_MODE;
2340 	memcpy(bcn_prot->key, key->key, WLAN_MAX_KEY_LEN);
2341 	bcn_prot->key_id = key->keyidx;
2342 
2343 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
2344 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
2345 }
2346 int mt7996_mcu_add_dev_info(struct mt7996_phy *phy,
2347 			    struct ieee80211_vif *vif, bool enable)
2348 {
2349 	struct mt7996_dev *dev = phy->dev;
2350 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2351 	struct {
2352 		struct req_hdr {
2353 			u8 omac_idx;
2354 			u8 band_idx;
2355 			u8 __rsv[2];
2356 		} __packed hdr;
2357 		struct req_tlv {
2358 			__le16 tag;
2359 			__le16 len;
2360 			u8 active;
2361 			u8 __rsv;
2362 			u8 omac_addr[ETH_ALEN];
2363 		} __packed tlv;
2364 	} data = {
2365 		.hdr = {
2366 			.omac_idx = mvif->mt76.omac_idx,
2367 			.band_idx = mvif->mt76.band_idx,
2368 		},
2369 		.tlv = {
2370 			.tag = cpu_to_le16(DEV_INFO_ACTIVE),
2371 			.len = cpu_to_le16(sizeof(struct req_tlv)),
2372 			.active = enable,
2373 		},
2374 	};
2375 
2376 	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START)
2377 		return mt7996_mcu_muar_config(phy, vif, false, enable);
2378 
2379 	memcpy(data.tlv.omac_addr, vif->addr, ETH_ALEN);
2380 	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(DEV_INFO_UPDATE),
2381 				 &data, sizeof(data), true);
2382 }
2383 
2384 static void
2385 mt7996_mcu_beacon_cntdwn(struct ieee80211_vif *vif, struct sk_buff *rskb,
2386 			 struct sk_buff *skb,
2387 			 struct ieee80211_mutable_offsets *offs)
2388 {
2389 	struct bss_bcn_cntdwn_tlv *info;
2390 	struct tlv *tlv;
2391 	u16 tag;
2392 
2393 	if (!offs->cntdwn_counter_offs[0])
2394 		return;
2395 
2396 	tag = vif->bss_conf.csa_active ? UNI_BSS_INFO_BCN_CSA : UNI_BSS_INFO_BCN_BCC;
2397 
2398 	tlv = mt7996_mcu_add_uni_tlv(rskb, tag, sizeof(*info));
2399 
2400 	info = (struct bss_bcn_cntdwn_tlv *)tlv;
2401 	info->cnt = skb->data[offs->cntdwn_counter_offs[0]];
2402 }
2403 
2404 static void
2405 mt7996_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb,
2406 		       struct ieee80211_vif *vif, struct bss_bcn_content_tlv *bcn,
2407 		       struct ieee80211_mutable_offsets *offs)
2408 {
2409 	struct bss_bcn_mbss_tlv *mbss;
2410 	const struct element *elem;
2411 	struct tlv *tlv;
2412 
2413 	if (!vif->bss_conf.bssid_indicator)
2414 		return;
2415 
2416 	tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_BCN_MBSSID, sizeof(*mbss));
2417 
2418 	mbss = (struct bss_bcn_mbss_tlv *)tlv;
2419 	mbss->offset[0] = cpu_to_le16(offs->tim_offset);
2420 	mbss->bitmap = cpu_to_le32(1);
2421 
2422 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID,
2423 			    &skb->data[offs->mbssid_off],
2424 			    skb->len - offs->mbssid_off) {
2425 		const struct element *sub_elem;
2426 
2427 		if (elem->datalen < 2)
2428 			continue;
2429 
2430 		for_each_element(sub_elem, elem->data + 1, elem->datalen - 1) {
2431 			const struct ieee80211_bssid_index *idx;
2432 			const u8 *idx_ie;
2433 
2434 			/* not a valid BSS profile */
2435 			if (sub_elem->id || sub_elem->datalen < 4)
2436 				continue;
2437 
2438 			/* Find WLAN_EID_MULTI_BSSID_IDX
2439 			 * in the merged nontransmitted profile
2440 			 */
2441 			idx_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
2442 						  sub_elem->data, sub_elem->datalen);
2443 			if (!idx_ie || idx_ie[1] < sizeof(*idx))
2444 				continue;
2445 
2446 			idx = (void *)(idx_ie + 2);
2447 			if (!idx->bssid_index || idx->bssid_index > 31)
2448 				continue;
2449 
2450 			mbss->offset[idx->bssid_index] = cpu_to_le16(idx_ie -
2451 								     skb->data);
2452 			mbss->bitmap |= cpu_to_le32(BIT(idx->bssid_index));
2453 		}
2454 	}
2455 }
2456 
2457 static void
2458 mt7996_mcu_beacon_cont(struct mt7996_dev *dev, struct ieee80211_vif *vif,
2459 		       struct sk_buff *rskb, struct sk_buff *skb,
2460 		       struct bss_bcn_content_tlv *bcn,
2461 		       struct ieee80211_mutable_offsets *offs)
2462 {
2463 	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
2464 	u8 *buf;
2465 
2466 	bcn->pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
2467 	bcn->tim_ie_pos = cpu_to_le16(offs->tim_offset);
2468 
2469 	if (offs->cntdwn_counter_offs[0]) {
2470 		u16 offset = offs->cntdwn_counter_offs[0];
2471 
2472 		if (vif->bss_conf.csa_active)
2473 			bcn->csa_ie_pos = cpu_to_le16(offset - 4);
2474 		if (vif->bss_conf.color_change_active)
2475 			bcn->bcc_ie_pos = cpu_to_le16(offset - 3);
2476 	}
2477 
2478 	buf = (u8 *)bcn + sizeof(*bcn);
2479 	mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, NULL, 0, 0,
2480 			      BSS_CHANGED_BEACON);
2481 
2482 	memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
2483 }
2484 
2485 int mt7996_mcu_add_beacon(struct ieee80211_hw *hw,
2486 			  struct ieee80211_vif *vif, int en)
2487 {
2488 	struct mt7996_dev *dev = mt7996_hw_dev(hw);
2489 	struct mt7996_phy *phy = mt7996_hw_phy(hw);
2490 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2491 	struct ieee80211_mutable_offsets offs;
2492 	struct ieee80211_tx_info *info;
2493 	struct sk_buff *skb, *rskb;
2494 	struct tlv *tlv;
2495 	struct bss_bcn_content_tlv *bcn;
2496 	int len;
2497 
2498 	if (vif->bss_conf.nontransmitted)
2499 		return 0;
2500 
2501 	rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
2502 					  MT7996_MAX_BSS_OFFLOAD_SIZE);
2503 	if (IS_ERR(rskb))
2504 		return PTR_ERR(rskb);
2505 
2506 	skb = ieee80211_beacon_get_template(hw, vif, &offs, 0);
2507 	if (!skb) {
2508 		dev_kfree_skb(rskb);
2509 		return -EINVAL;
2510 	}
2511 
2512 	if (skb->len > MT7996_MAX_BEACON_SIZE) {
2513 		dev_err(dev->mt76.dev, "Bcn size limit exceed\n");
2514 		dev_kfree_skb(rskb);
2515 		dev_kfree_skb(skb);
2516 		return -EINVAL;
2517 	}
2518 
2519 	info = IEEE80211_SKB_CB(skb);
2520 	info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);
2521 
2522 	len = ALIGN(sizeof(*bcn) + MT_TXD_SIZE + skb->len, 4);
2523 	tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_BCN_CONTENT, len);
2524 	bcn = (struct bss_bcn_content_tlv *)tlv;
2525 	bcn->enable = en;
2526 	if (!en)
2527 		goto out;
2528 
2529 	mt7996_mcu_beacon_cont(dev, vif, rskb, skb, bcn, &offs);
2530 	mt7996_mcu_beacon_mbss(rskb, skb, vif, bcn, &offs);
2531 	mt7996_mcu_beacon_cntdwn(vif, rskb, skb, &offs);
2532 out:
2533 	dev_kfree_skb(skb);
2534 	return mt76_mcu_skb_send_msg(&phy->dev->mt76, rskb,
2535 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
2536 }
2537 
2538 int mt7996_mcu_beacon_inband_discov(struct mt7996_dev *dev,
2539 				    struct ieee80211_vif *vif, u32 changed)
2540 {
2541 #define OFFLOAD_TX_MODE_SU	BIT(0)
2542 #define OFFLOAD_TX_MODE_MU	BIT(1)
2543 	struct ieee80211_hw *hw = mt76_hw(dev);
2544 	struct mt7996_phy *phy = mt7996_hw_phy(hw);
2545 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
2546 	struct cfg80211_chan_def *chandef = &mvif->phy->mt76->chandef;
2547 	enum nl80211_band band = chandef->chan->band;
2548 	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
2549 	struct bss_inband_discovery_tlv *discov;
2550 	struct ieee80211_tx_info *info;
2551 	struct sk_buff *rskb, *skb = NULL;
2552 	struct tlv *tlv;
2553 	u8 *buf, interval;
2554 	int len;
2555 
2556 	if (vif->bss_conf.nontransmitted)
2557 		return 0;
2558 
2559 	rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
2560 					  MT7996_MAX_BSS_OFFLOAD_SIZE);
2561 	if (IS_ERR(rskb))
2562 		return PTR_ERR(rskb);
2563 
2564 	if (changed & BSS_CHANGED_FILS_DISCOVERY &&
2565 	    vif->bss_conf.fils_discovery.max_interval) {
2566 		interval = vif->bss_conf.fils_discovery.max_interval;
2567 		skb = ieee80211_get_fils_discovery_tmpl(hw, vif);
2568 	} else if (changed & BSS_CHANGED_UNSOL_BCAST_PROBE_RESP &&
2569 		   vif->bss_conf.unsol_bcast_probe_resp_interval) {
2570 		interval = vif->bss_conf.unsol_bcast_probe_resp_interval;
2571 		skb = ieee80211_get_unsol_bcast_probe_resp_tmpl(hw, vif);
2572 	}
2573 
2574 	if (!skb) {
2575 		dev_kfree_skb(rskb);
2576 		return -EINVAL;
2577 	}
2578 
2579 	if (skb->len > MT7996_MAX_BEACON_SIZE) {
2580 		dev_err(dev->mt76.dev, "inband discovery size limit exceed\n");
2581 		dev_kfree_skb(rskb);
2582 		dev_kfree_skb(skb);
2583 		return -EINVAL;
2584 	}
2585 
2586 	info = IEEE80211_SKB_CB(skb);
2587 	info->control.vif = vif;
2588 	info->band = band;
2589 	info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);
2590 
2591 	len = ALIGN(sizeof(*discov) + MT_TXD_SIZE + skb->len, 4);
2592 	tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_OFFLOAD, len);
2593 
2594 	discov = (struct bss_inband_discovery_tlv *)tlv;
2595 	discov->tx_mode = OFFLOAD_TX_MODE_SU;
2596 	/* 0: UNSOL PROBE RESP, 1: FILS DISCOV */
2597 	discov->tx_type = !!(changed & BSS_CHANGED_FILS_DISCOVERY);
2598 	discov->tx_interval = interval;
2599 	discov->prob_rsp_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
2600 	discov->enable = true;
2601 	discov->wcid = cpu_to_le16(MT7996_WTBL_RESERVED);
2602 
2603 	buf = (u8 *)tlv + sizeof(*discov);
2604 
2605 	mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, NULL, 0, 0, changed);
2606 
2607 	memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
2608 
2609 	dev_kfree_skb(skb);
2610 
2611 	return mt76_mcu_skb_send_msg(&dev->mt76, rskb,
2612 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
2613 }
2614 
2615 static int mt7996_driver_own(struct mt7996_dev *dev, u8 band)
2616 {
2617 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(band), MT_TOP_LPCR_HOST_DRV_OWN);
2618 	if (!mt76_poll_msec(dev, MT_TOP_LPCR_HOST_BAND(band),
2619 			    MT_TOP_LPCR_HOST_FW_OWN_STAT, 0, 500)) {
2620 		dev_err(dev->mt76.dev, "Timeout for driver own\n");
2621 		return -EIO;
2622 	}
2623 
2624 	/* clear irq when the driver own success */
2625 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND_IRQ_STAT(band),
2626 		MT_TOP_LPCR_HOST_BAND_STAT);
2627 
2628 	return 0;
2629 }
2630 
2631 static u32 mt7996_patch_sec_mode(u32 key_info)
2632 {
2633 	u32 sec = u32_get_bits(key_info, MT7996_PATCH_SEC), key = 0;
2634 
2635 	if (key_info == GENMASK(31, 0) || sec == MT7996_SEC_MODE_PLAIN)
2636 		return 0;
2637 
2638 	if (sec == MT7996_SEC_MODE_AES)
2639 		key = u32_get_bits(key_info, MT7996_PATCH_AES_KEY);
2640 	else
2641 		key = u32_get_bits(key_info, MT7996_PATCH_SCRAMBLE_KEY);
2642 
2643 	return MT7996_SEC_ENCRYPT | MT7996_SEC_IV |
2644 	       u32_encode_bits(key, MT7996_SEC_KEY_IDX);
2645 }
2646 
2647 static int mt7996_load_patch(struct mt7996_dev *dev)
2648 {
2649 	const struct mt7996_patch_hdr *hdr;
2650 	const struct firmware *fw = NULL;
2651 	int i, ret, sem;
2652 
2653 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 1);
2654 	switch (sem) {
2655 	case PATCH_IS_DL:
2656 		return 0;
2657 	case PATCH_NOT_DL_SEM_SUCCESS:
2658 		break;
2659 	default:
2660 		dev_err(dev->mt76.dev, "Failed to get patch semaphore\n");
2661 		return -EAGAIN;
2662 	}
2663 
2664 	ret = request_firmware(&fw, fw_name(dev, ROM_PATCH), dev->mt76.dev);
2665 	if (ret)
2666 		goto out;
2667 
2668 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
2669 		dev_err(dev->mt76.dev, "Invalid firmware\n");
2670 		ret = -EINVAL;
2671 		goto out;
2672 	}
2673 
2674 	hdr = (const struct mt7996_patch_hdr *)(fw->data);
2675 
2676 	dev_info(dev->mt76.dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
2677 		 be32_to_cpu(hdr->hw_sw_ver), hdr->build_date);
2678 
2679 	for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) {
2680 		struct mt7996_patch_sec *sec;
2681 		const u8 *dl;
2682 		u32 len, addr, sec_key_idx, mode = DL_MODE_NEED_RSP;
2683 
2684 		sec = (struct mt7996_patch_sec *)(fw->data + sizeof(*hdr) +
2685 						  i * sizeof(*sec));
2686 		if ((be32_to_cpu(sec->type) & PATCH_SEC_TYPE_MASK) !=
2687 		    PATCH_SEC_TYPE_INFO) {
2688 			ret = -EINVAL;
2689 			goto out;
2690 		}
2691 
2692 		addr = be32_to_cpu(sec->info.addr);
2693 		len = be32_to_cpu(sec->info.len);
2694 		sec_key_idx = be32_to_cpu(sec->info.sec_key_idx);
2695 		dl = fw->data + be32_to_cpu(sec->offs);
2696 
2697 		mode |= mt7996_patch_sec_mode(sec_key_idx);
2698 
2699 		ret = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
2700 						    mode);
2701 		if (ret) {
2702 			dev_err(dev->mt76.dev, "Download request failed\n");
2703 			goto out;
2704 		}
2705 
2706 		ret = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
2707 					       dl, len, 4096);
2708 		if (ret) {
2709 			dev_err(dev->mt76.dev, "Failed to send patch\n");
2710 			goto out;
2711 		}
2712 	}
2713 
2714 	ret = mt76_connac_mcu_start_patch(&dev->mt76);
2715 	if (ret)
2716 		dev_err(dev->mt76.dev, "Failed to start patch\n");
2717 
2718 out:
2719 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 0);
2720 	switch (sem) {
2721 	case PATCH_REL_SEM_SUCCESS:
2722 		break;
2723 	default:
2724 		ret = -EAGAIN;
2725 		dev_err(dev->mt76.dev, "Failed to release patch semaphore\n");
2726 		break;
2727 	}
2728 	release_firmware(fw);
2729 
2730 	return ret;
2731 }
2732 
2733 static int
2734 mt7996_mcu_send_ram_firmware(struct mt7996_dev *dev,
2735 			     const struct mt7996_fw_trailer *hdr,
2736 			     const u8 *data, enum mt7996_ram_type type)
2737 {
2738 	int i, offset = 0;
2739 	u32 override = 0, option = 0;
2740 
2741 	for (i = 0; i < hdr->n_region; i++) {
2742 		const struct mt7996_fw_region *region;
2743 		int err;
2744 		u32 len, addr, mode;
2745 
2746 		region = (const struct mt7996_fw_region *)((const u8 *)hdr -
2747 			 (hdr->n_region - i) * sizeof(*region));
2748 		/* DSP and WA use same mode */
2749 		mode = mt76_connac_mcu_gen_dl_mode(&dev->mt76,
2750 						   region->feature_set,
2751 						   type != MT7996_RAM_TYPE_WM);
2752 		len = le32_to_cpu(region->len);
2753 		addr = le32_to_cpu(region->addr);
2754 
2755 		if (region->feature_set & FW_FEATURE_OVERRIDE_ADDR)
2756 			override = addr;
2757 
2758 		err = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
2759 						    mode);
2760 		if (err) {
2761 			dev_err(dev->mt76.dev, "Download request failed\n");
2762 			return err;
2763 		}
2764 
2765 		err = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
2766 					       data + offset, len, 4096);
2767 		if (err) {
2768 			dev_err(dev->mt76.dev, "Failed to send firmware.\n");
2769 			return err;
2770 		}
2771 
2772 		offset += len;
2773 	}
2774 
2775 	if (override)
2776 		option |= FW_START_OVERRIDE;
2777 
2778 	if (type == MT7996_RAM_TYPE_WA)
2779 		option |= FW_START_WORKING_PDA_CR4;
2780 	else if (type == MT7996_RAM_TYPE_DSP)
2781 		option |= FW_START_WORKING_PDA_DSP;
2782 
2783 	return mt76_connac_mcu_start_firmware(&dev->mt76, override, option);
2784 }
2785 
2786 static int __mt7996_load_ram(struct mt7996_dev *dev, const char *fw_type,
2787 			     const char *fw_file, enum mt7996_ram_type ram_type)
2788 {
2789 	const struct mt7996_fw_trailer *hdr;
2790 	const struct firmware *fw;
2791 	int ret;
2792 
2793 	ret = request_firmware(&fw, fw_file, dev->mt76.dev);
2794 	if (ret)
2795 		return ret;
2796 
2797 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
2798 		dev_err(dev->mt76.dev, "Invalid firmware\n");
2799 		ret = -EINVAL;
2800 		goto out;
2801 	}
2802 
2803 	hdr = (const void *)(fw->data + fw->size - sizeof(*hdr));
2804 	dev_info(dev->mt76.dev, "%s Firmware Version: %.10s, Build Time: %.15s\n",
2805 		 fw_type, hdr->fw_ver, hdr->build_date);
2806 
2807 	ret = mt7996_mcu_send_ram_firmware(dev, hdr, fw->data, ram_type);
2808 	if (ret) {
2809 		dev_err(dev->mt76.dev, "Failed to start %s firmware\n", fw_type);
2810 		goto out;
2811 	}
2812 
2813 	snprintf(dev->mt76.hw->wiphy->fw_version,
2814 		 sizeof(dev->mt76.hw->wiphy->fw_version),
2815 		 "%.10s-%.15s", hdr->fw_ver, hdr->build_date);
2816 
2817 out:
2818 	release_firmware(fw);
2819 
2820 	return ret;
2821 }
2822 
2823 static int mt7996_load_ram(struct mt7996_dev *dev)
2824 {
2825 	int ret;
2826 
2827 	ret = __mt7996_load_ram(dev, "WM", fw_name(dev, FIRMWARE_WM),
2828 				MT7996_RAM_TYPE_WM);
2829 	if (ret)
2830 		return ret;
2831 
2832 	ret = __mt7996_load_ram(dev, "DSP", fw_name(dev, FIRMWARE_DSP),
2833 				MT7996_RAM_TYPE_DSP);
2834 	if (ret)
2835 		return ret;
2836 
2837 	return __mt7996_load_ram(dev, "WA", fw_name(dev, FIRMWARE_WA),
2838 				 MT7996_RAM_TYPE_WA);
2839 }
2840 
2841 static int
2842 mt7996_firmware_state(struct mt7996_dev *dev, bool wa)
2843 {
2844 	u32 state = FIELD_PREP(MT_TOP_MISC_FW_STATE,
2845 			       wa ? FW_STATE_RDY : FW_STATE_FW_DOWNLOAD);
2846 
2847 	if (!mt76_poll_msec(dev, MT_TOP_MISC, MT_TOP_MISC_FW_STATE,
2848 			    state, 1000)) {
2849 		dev_err(dev->mt76.dev, "Timeout for initializing firmware\n");
2850 		return -EIO;
2851 	}
2852 	return 0;
2853 }
2854 
2855 static int
2856 mt7996_mcu_restart(struct mt76_dev *dev)
2857 {
2858 	struct {
2859 		u8 __rsv1[4];
2860 
2861 		__le16 tag;
2862 		__le16 len;
2863 		u8 power_mode;
2864 		u8 __rsv2[3];
2865 	} __packed req = {
2866 		.tag = cpu_to_le16(UNI_POWER_OFF),
2867 		.len = cpu_to_le16(sizeof(req) - 4),
2868 		.power_mode = 1,
2869 	};
2870 
2871 	return mt76_mcu_send_msg(dev, MCU_WM_UNI_CMD(POWER_CTRL), &req,
2872 				 sizeof(req), false);
2873 }
2874 
2875 static int mt7996_load_firmware(struct mt7996_dev *dev)
2876 {
2877 	int ret;
2878 
2879 	/* make sure fw is download state */
2880 	if (mt7996_firmware_state(dev, false)) {
2881 		/* restart firmware once */
2882 		mt7996_mcu_restart(&dev->mt76);
2883 		ret = mt7996_firmware_state(dev, false);
2884 		if (ret) {
2885 			dev_err(dev->mt76.dev,
2886 				"Firmware is not ready for download\n");
2887 			return ret;
2888 		}
2889 	}
2890 
2891 	ret = mt7996_load_patch(dev);
2892 	if (ret)
2893 		return ret;
2894 
2895 	ret = mt7996_load_ram(dev);
2896 	if (ret)
2897 		return ret;
2898 
2899 	ret = mt7996_firmware_state(dev, true);
2900 	if (ret)
2901 		return ret;
2902 
2903 	mt76_queue_tx_cleanup(dev, dev->mt76.q_mcu[MT_MCUQ_FWDL], false);
2904 
2905 	dev_dbg(dev->mt76.dev, "Firmware init done\n");
2906 
2907 	return 0;
2908 }
2909 
2910 int mt7996_mcu_fw_log_2_host(struct mt7996_dev *dev, u8 type, u8 ctrl)
2911 {
2912 	struct {
2913 		u8 _rsv[4];
2914 
2915 		__le16 tag;
2916 		__le16 len;
2917 		u8 ctrl;
2918 		u8 interval;
2919 		u8 _rsv2[2];
2920 	} __packed data = {
2921 		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_LOG_CTRL),
2922 		.len = cpu_to_le16(sizeof(data) - 4),
2923 		.ctrl = ctrl,
2924 	};
2925 
2926 	if (type == MCU_FW_LOG_WA)
2927 		return mt76_mcu_send_msg(&dev->mt76, MCU_WA_UNI_CMD(WSYS_CONFIG),
2928 					 &data, sizeof(data), true);
2929 
2930 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(WSYS_CONFIG), &data,
2931 				 sizeof(data), true);
2932 }
2933 
2934 int mt7996_mcu_fw_dbg_ctrl(struct mt7996_dev *dev, u32 module, u8 level)
2935 {
2936 	struct {
2937 		u8 _rsv[4];
2938 
2939 		__le16 tag;
2940 		__le16 len;
2941 		__le32 module_idx;
2942 		u8 level;
2943 		u8 _rsv2[3];
2944 	} data = {
2945 		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_DBG_CTRL),
2946 		.len = cpu_to_le16(sizeof(data) - 4),
2947 		.module_idx = cpu_to_le32(module),
2948 		.level = level,
2949 	};
2950 
2951 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(WSYS_CONFIG), &data,
2952 				 sizeof(data), false);
2953 }
2954 
2955 static int mt7996_mcu_set_mwds(struct mt7996_dev *dev, bool enabled)
2956 {
2957 	struct {
2958 		u8 enable;
2959 		u8 _rsv[3];
2960 	} __packed req = {
2961 		.enable = enabled
2962 	};
2963 
2964 	return mt76_mcu_send_msg(&dev->mt76, MCU_WA_EXT_CMD(MWDS_SUPPORT), &req,
2965 				 sizeof(req), false);
2966 }
2967 
2968 static void mt7996_add_rx_airtime_tlv(struct sk_buff *skb, u8 band_idx)
2969 {
2970 	struct vow_rx_airtime *req;
2971 	struct tlv *tlv;
2972 
2973 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_VOW_RX_AT_AIRTIME_CLR_EN, sizeof(*req));
2974 	req = (struct vow_rx_airtime *)tlv;
2975 	req->enable = true;
2976 	req->band = band_idx;
2977 
2978 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_VOW_RX_AT_AIRTIME_EN, sizeof(*req));
2979 	req = (struct vow_rx_airtime *)tlv;
2980 	req->enable = true;
2981 	req->band = band_idx;
2982 }
2983 
2984 static int
2985 mt7996_mcu_init_rx_airtime(struct mt7996_dev *dev)
2986 {
2987 	struct uni_header hdr = {};
2988 	struct sk_buff *skb;
2989 	int len, num, i;
2990 
2991 	num = 2 + 2 * (mt7996_band_valid(dev, MT_BAND1) +
2992 		       mt7996_band_valid(dev, MT_BAND2));
2993 	len = sizeof(hdr) + num * sizeof(struct vow_rx_airtime);
2994 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
2995 	if (!skb)
2996 		return -ENOMEM;
2997 
2998 	skb_put_data(skb, &hdr, sizeof(hdr));
2999 
3000 	for (i = 0; i < __MT_MAX_BAND; i++) {
3001 		if (mt7996_band_valid(dev, i))
3002 			mt7996_add_rx_airtime_tlv(skb, i);
3003 	}
3004 
3005 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
3006 				     MCU_WM_UNI_CMD(VOW), true);
3007 }
3008 
3009 int mt7996_mcu_init_firmware(struct mt7996_dev *dev)
3010 {
3011 	int ret;
3012 
3013 	/* force firmware operation mode into normal state,
3014 	 * which should be set before firmware download stage.
3015 	 */
3016 	mt76_wr(dev, MT_SWDEF_MODE, MT_SWDEF_NORMAL_MODE);
3017 
3018 	ret = mt7996_driver_own(dev, 0);
3019 	if (ret)
3020 		return ret;
3021 	/* set driver own for band1 when two hif exist */
3022 	if (dev->hif2) {
3023 		ret = mt7996_driver_own(dev, 1);
3024 		if (ret)
3025 			return ret;
3026 	}
3027 
3028 	ret = mt7996_load_firmware(dev);
3029 	if (ret)
3030 		return ret;
3031 
3032 	set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
3033 	ret = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WM, 0);
3034 	if (ret)
3035 		return ret;
3036 
3037 	ret = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WA, 0);
3038 	if (ret)
3039 		return ret;
3040 
3041 	ret = mt7996_mcu_set_mwds(dev, 1);
3042 	if (ret)
3043 		return ret;
3044 
3045 	ret = mt7996_mcu_init_rx_airtime(dev);
3046 	if (ret)
3047 		return ret;
3048 
3049 	return mt7996_mcu_wa_cmd(dev, MCU_WA_PARAM_CMD(SET),
3050 				 MCU_WA_PARAM_RED, 0, 0);
3051 }
3052 
3053 int mt7996_mcu_init(struct mt7996_dev *dev)
3054 {
3055 	static const struct mt76_mcu_ops mt7996_mcu_ops = {
3056 		.headroom = sizeof(struct mt76_connac2_mcu_txd), /* reuse */
3057 		.mcu_skb_send_msg = mt7996_mcu_send_message,
3058 		.mcu_parse_response = mt7996_mcu_parse_response,
3059 	};
3060 
3061 	dev->mt76.mcu_ops = &mt7996_mcu_ops;
3062 
3063 	return mt7996_mcu_init_firmware(dev);
3064 }
3065 
3066 void mt7996_mcu_exit(struct mt7996_dev *dev)
3067 {
3068 	mt7996_mcu_restart(&dev->mt76);
3069 	if (mt7996_firmware_state(dev, false)) {
3070 		dev_err(dev->mt76.dev, "Failed to exit mcu\n");
3071 		goto out;
3072 	}
3073 
3074 	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(0), MT_TOP_LPCR_HOST_FW_OWN);
3075 	if (dev->hif2)
3076 		mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(1),
3077 			MT_TOP_LPCR_HOST_FW_OWN);
3078 out:
3079 	skb_queue_purge(&dev->mt76.mcu.res_q);
3080 }
3081 
3082 int mt7996_mcu_set_hdr_trans(struct mt7996_dev *dev, bool hdr_trans)
3083 {
3084 	struct {
3085 		u8 __rsv[4];
3086 	} __packed hdr;
3087 	struct hdr_trans_blacklist *req_blacklist;
3088 	struct hdr_trans_en *req_en;
3089 	struct sk_buff *skb;
3090 	struct tlv *tlv;
3091 	int len = MT7996_HDR_TRANS_MAX_SIZE + sizeof(hdr);
3092 
3093 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
3094 	if (!skb)
3095 		return -ENOMEM;
3096 
3097 	skb_put_data(skb, &hdr, sizeof(hdr));
3098 
3099 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_EN, sizeof(*req_en));
3100 	req_en = (struct hdr_trans_en *)tlv;
3101 	req_en->enable = hdr_trans;
3102 
3103 	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_VLAN,
3104 				     sizeof(struct hdr_trans_vlan));
3105 
3106 	if (hdr_trans) {
3107 		tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_BLACKLIST,
3108 					     sizeof(*req_blacklist));
3109 		req_blacklist = (struct hdr_trans_blacklist *)tlv;
3110 		req_blacklist->enable = 1;
3111 		req_blacklist->type = cpu_to_le16(ETH_P_PAE);
3112 	}
3113 
3114 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
3115 				     MCU_WM_UNI_CMD(RX_HDR_TRANS), true);
3116 }
3117 
3118 int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif)
3119 {
3120 #define MCU_EDCA_AC_PARAM	0
3121 #define WMM_AIFS_SET		BIT(0)
3122 #define WMM_CW_MIN_SET		BIT(1)
3123 #define WMM_CW_MAX_SET		BIT(2)
3124 #define WMM_TXOP_SET		BIT(3)
3125 #define WMM_PARAM_SET		(WMM_AIFS_SET | WMM_CW_MIN_SET | \
3126 				 WMM_CW_MAX_SET | WMM_TXOP_SET)
3127 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3128 	struct {
3129 		u8 bss_idx;
3130 		u8 __rsv[3];
3131 	} __packed hdr = {
3132 		.bss_idx = mvif->mt76.idx,
3133 	};
3134 	struct sk_buff *skb;
3135 	int len = sizeof(hdr) + IEEE80211_NUM_ACS * sizeof(struct edca);
3136 	int ac;
3137 
3138 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
3139 	if (!skb)
3140 		return -ENOMEM;
3141 
3142 	skb_put_data(skb, &hdr, sizeof(hdr));
3143 
3144 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3145 		struct ieee80211_tx_queue_params *q = &mvif->queue_params[ac];
3146 		struct edca *e;
3147 		struct tlv *tlv;
3148 
3149 		tlv = mt7996_mcu_add_uni_tlv(skb, MCU_EDCA_AC_PARAM, sizeof(*e));
3150 
3151 		e = (struct edca *)tlv;
3152 		e->set = WMM_PARAM_SET;
3153 		e->queue = ac;
3154 		e->aifs = q->aifs;
3155 		e->txop = cpu_to_le16(q->txop);
3156 
3157 		if (q->cw_min)
3158 			e->cw_min = fls(q->cw_min);
3159 		else
3160 			e->cw_min = 5;
3161 
3162 		if (q->cw_max)
3163 			e->cw_max = fls(q->cw_max);
3164 		else
3165 			e->cw_max = 10;
3166 	}
3167 
3168 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
3169 				     MCU_WM_UNI_CMD(EDCA_UPDATE), true);
3170 }
3171 
3172 int mt7996_mcu_set_fcc5_lpn(struct mt7996_dev *dev, int val)
3173 {
3174 	struct {
3175 		u8 _rsv[4];
3176 
3177 		__le16 tag;
3178 		__le16 len;
3179 
3180 		__le32 ctrl;
3181 		__le16 min_lpn;
3182 		u8 rsv[2];
3183 	} __packed req = {
3184 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
3185 		.len = cpu_to_le16(sizeof(req) - 4),
3186 
3187 		.ctrl = cpu_to_le32(0x1),
3188 		.min_lpn = cpu_to_le16(val),
3189 	};
3190 
3191 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
3192 				 &req, sizeof(req), true);
3193 }
3194 
3195 int mt7996_mcu_set_pulse_th(struct mt7996_dev *dev,
3196 			    const struct mt7996_dfs_pulse *pulse)
3197 {
3198 	struct {
3199 		u8 _rsv[4];
3200 
3201 		__le16 tag;
3202 		__le16 len;
3203 
3204 		__le32 ctrl;
3205 
3206 		__le32 max_width;		/* us */
3207 		__le32 max_pwr;			/* dbm */
3208 		__le32 min_pwr;			/* dbm */
3209 		__le32 min_stgr_pri;		/* us */
3210 		__le32 max_stgr_pri;		/* us */
3211 		__le32 min_cr_pri;		/* us */
3212 		__le32 max_cr_pri;		/* us */
3213 	} __packed req = {
3214 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
3215 		.len = cpu_to_le16(sizeof(req) - 4),
3216 
3217 		.ctrl = cpu_to_le32(0x3),
3218 
3219 #define __req_field(field) .field = cpu_to_le32(pulse->field)
3220 		__req_field(max_width),
3221 		__req_field(max_pwr),
3222 		__req_field(min_pwr),
3223 		__req_field(min_stgr_pri),
3224 		__req_field(max_stgr_pri),
3225 		__req_field(min_cr_pri),
3226 		__req_field(max_cr_pri),
3227 #undef __req_field
3228 	};
3229 
3230 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
3231 				 &req, sizeof(req), true);
3232 }
3233 
3234 int mt7996_mcu_set_radar_th(struct mt7996_dev *dev, int index,
3235 			    const struct mt7996_dfs_pattern *pattern)
3236 {
3237 	struct {
3238 		u8 _rsv[4];
3239 
3240 		__le16 tag;
3241 		__le16 len;
3242 
3243 		__le32 ctrl;
3244 		__le16 radar_type;
3245 
3246 		u8 enb;
3247 		u8 stgr;
3248 		u8 min_crpn;
3249 		u8 max_crpn;
3250 		u8 min_crpr;
3251 		u8 min_pw;
3252 		__le32 min_pri;
3253 		__le32 max_pri;
3254 		u8 max_pw;
3255 		u8 min_crbn;
3256 		u8 max_crbn;
3257 		u8 min_stgpn;
3258 		u8 max_stgpn;
3259 		u8 min_stgpr;
3260 		u8 rsv[2];
3261 		__le32 min_stgpr_diff;
3262 	} __packed req = {
3263 		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
3264 		.len = cpu_to_le16(sizeof(req) - 4),
3265 
3266 		.ctrl = cpu_to_le32(0x2),
3267 		.radar_type = cpu_to_le16(index),
3268 
3269 #define __req_field_u8(field) .field = pattern->field
3270 #define __req_field_u32(field) .field = cpu_to_le32(pattern->field)
3271 		__req_field_u8(enb),
3272 		__req_field_u8(stgr),
3273 		__req_field_u8(min_crpn),
3274 		__req_field_u8(max_crpn),
3275 		__req_field_u8(min_crpr),
3276 		__req_field_u8(min_pw),
3277 		__req_field_u32(min_pri),
3278 		__req_field_u32(max_pri),
3279 		__req_field_u8(max_pw),
3280 		__req_field_u8(min_crbn),
3281 		__req_field_u8(max_crbn),
3282 		__req_field_u8(min_stgpn),
3283 		__req_field_u8(max_stgpn),
3284 		__req_field_u8(min_stgpr),
3285 		__req_field_u32(min_stgpr_diff),
3286 #undef __req_field_u8
3287 #undef __req_field_u32
3288 	};
3289 
3290 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
3291 				 &req, sizeof(req), true);
3292 }
3293 
3294 static int
3295 mt7996_mcu_background_chain_ctrl(struct mt7996_phy *phy,
3296 				 struct cfg80211_chan_def *chandef,
3297 				 int cmd)
3298 {
3299 	struct mt7996_dev *dev = phy->dev;
3300 	struct mt76_phy *mphy = phy->mt76;
3301 	struct ieee80211_channel *chan = mphy->chandef.chan;
3302 	int freq = mphy->chandef.center_freq1;
3303 	struct mt7996_mcu_background_chain_ctrl req = {
3304 		.tag = cpu_to_le16(0),
3305 		.len = cpu_to_le16(sizeof(req) - 4),
3306 		.monitor_scan_type = 2, /* simple rx */
3307 	};
3308 
3309 	if (!chandef && cmd != CH_SWITCH_BACKGROUND_SCAN_STOP)
3310 		return -EINVAL;
3311 
3312 	if (!cfg80211_chandef_valid(&mphy->chandef))
3313 		return -EINVAL;
3314 
3315 	switch (cmd) {
3316 	case CH_SWITCH_BACKGROUND_SCAN_START: {
3317 		req.chan = chan->hw_value;
3318 		req.central_chan = ieee80211_frequency_to_channel(freq);
3319 		req.bw = mt76_connac_chan_bw(&mphy->chandef);
3320 		req.monitor_chan = chandef->chan->hw_value;
3321 		req.monitor_central_chan =
3322 			ieee80211_frequency_to_channel(chandef->center_freq1);
3323 		req.monitor_bw = mt76_connac_chan_bw(chandef);
3324 		req.band_idx = phy->mt76->band_idx;
3325 		req.scan_mode = 1;
3326 		break;
3327 	}
3328 	case CH_SWITCH_BACKGROUND_SCAN_RUNNING:
3329 		req.monitor_chan = chandef->chan->hw_value;
3330 		req.monitor_central_chan =
3331 			ieee80211_frequency_to_channel(chandef->center_freq1);
3332 		req.band_idx = phy->mt76->band_idx;
3333 		req.scan_mode = 2;
3334 		break;
3335 	case CH_SWITCH_BACKGROUND_SCAN_STOP:
3336 		req.chan = chan->hw_value;
3337 		req.central_chan = ieee80211_frequency_to_channel(freq);
3338 		req.bw = mt76_connac_chan_bw(&mphy->chandef);
3339 		req.tx_stream = hweight8(mphy->antenna_mask);
3340 		req.rx_stream = mphy->antenna_mask;
3341 		break;
3342 	default:
3343 		return -EINVAL;
3344 	}
3345 	req.band = chandef ? chandef->chan->band == NL80211_BAND_5GHZ : 1;
3346 
3347 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(OFFCH_SCAN_CTRL),
3348 				 &req, sizeof(req), false);
3349 }
3350 
3351 int mt7996_mcu_rdd_background_enable(struct mt7996_phy *phy,
3352 				     struct cfg80211_chan_def *chandef)
3353 {
3354 	struct mt7996_dev *dev = phy->dev;
3355 	int err, region;
3356 
3357 	if (!chandef) { /* disable offchain */
3358 		err = mt7996_mcu_rdd_cmd(dev, RDD_STOP, MT_RX_SEL2,
3359 					 0, 0);
3360 		if (err)
3361 			return err;
3362 
3363 		return mt7996_mcu_background_chain_ctrl(phy, NULL,
3364 				CH_SWITCH_BACKGROUND_SCAN_STOP);
3365 	}
3366 
3367 	err = mt7996_mcu_background_chain_ctrl(phy, chandef,
3368 					       CH_SWITCH_BACKGROUND_SCAN_START);
3369 	if (err)
3370 		return err;
3371 
3372 	switch (dev->mt76.region) {
3373 	case NL80211_DFS_ETSI:
3374 		region = 0;
3375 		break;
3376 	case NL80211_DFS_JP:
3377 		region = 2;
3378 		break;
3379 	case NL80211_DFS_FCC:
3380 	default:
3381 		region = 1;
3382 		break;
3383 	}
3384 
3385 	return mt7996_mcu_rdd_cmd(dev, RDD_START, MT_RX_SEL2,
3386 				  0, region);
3387 }
3388 
3389 int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag)
3390 {
3391 	static const u8 ch_band[] = {
3392 		[NL80211_BAND_2GHZ] = 0,
3393 		[NL80211_BAND_5GHZ] = 1,
3394 		[NL80211_BAND_6GHZ] = 2,
3395 	};
3396 	struct mt7996_dev *dev = phy->dev;
3397 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
3398 	int freq1 = chandef->center_freq1;
3399 	u8 band_idx = phy->mt76->band_idx;
3400 	struct {
3401 		/* fixed field */
3402 		u8 __rsv[4];
3403 
3404 		__le16 tag;
3405 		__le16 len;
3406 		u8 control_ch;
3407 		u8 center_ch;
3408 		u8 bw;
3409 		u8 tx_path_num;
3410 		u8 rx_path;	/* mask or num */
3411 		u8 switch_reason;
3412 		u8 band_idx;
3413 		u8 center_ch2;	/* for 80+80 only */
3414 		__le16 cac_case;
3415 		u8 channel_band;
3416 		u8 rsv0;
3417 		__le32 outband_freq;
3418 		u8 txpower_drop;
3419 		u8 ap_bw;
3420 		u8 ap_center_ch;
3421 		u8 rsv1[53];
3422 	} __packed req = {
3423 		.tag = cpu_to_le16(tag),
3424 		.len = cpu_to_le16(sizeof(req) - 4),
3425 		.control_ch = chandef->chan->hw_value,
3426 		.center_ch = ieee80211_frequency_to_channel(freq1),
3427 		.bw = mt76_connac_chan_bw(chandef),
3428 		.tx_path_num = hweight16(phy->mt76->chainmask),
3429 		.rx_path = mt7996_rx_chainmask(phy) >> dev->chainshift[band_idx],
3430 		.band_idx = band_idx,
3431 		.channel_band = ch_band[chandef->chan->band],
3432 	};
3433 
3434 	if (phy->mt76->hw->conf.flags & IEEE80211_CONF_MONITOR)
3435 		req.switch_reason = CH_SWITCH_NORMAL;
3436 	else if (phy->mt76->hw->conf.flags & IEEE80211_CONF_OFFCHANNEL ||
3437 		 phy->mt76->hw->conf.flags & IEEE80211_CONF_IDLE)
3438 		req.switch_reason = CH_SWITCH_SCAN_BYPASS_DPD;
3439 	else if (!cfg80211_reg_can_beacon(phy->mt76->hw->wiphy, chandef,
3440 					  NL80211_IFTYPE_AP))
3441 		req.switch_reason = CH_SWITCH_DFS;
3442 	else
3443 		req.switch_reason = CH_SWITCH_NORMAL;
3444 
3445 	if (tag == UNI_CHANNEL_SWITCH)
3446 		req.rx_path = hweight8(req.rx_path);
3447 
3448 	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
3449 		int freq2 = chandef->center_freq2;
3450 
3451 		req.center_ch2 = ieee80211_frequency_to_channel(freq2);
3452 	}
3453 
3454 	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(CHANNEL_SWITCH),
3455 				 &req, sizeof(req), true);
3456 }
3457 
3458 static int mt7996_mcu_set_eeprom_flash(struct mt7996_dev *dev)
3459 {
3460 #define MAX_PAGE_IDX_MASK	GENMASK(7, 5)
3461 #define PAGE_IDX_MASK		GENMASK(4, 2)
3462 #define PER_PAGE_SIZE		0x400
3463 	struct mt7996_mcu_eeprom req = {
3464 		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
3465 		.buffer_mode = EE_MODE_BUFFER
3466 	};
3467 	u16 eeprom_size = MT7996_EEPROM_SIZE;
3468 	u8 total = DIV_ROUND_UP(eeprom_size, PER_PAGE_SIZE);
3469 	u8 *eep = (u8 *)dev->mt76.eeprom.data;
3470 	int eep_len, i;
3471 
3472 	for (i = 0; i < total; i++, eep += eep_len) {
3473 		struct sk_buff *skb;
3474 		int ret, msg_len;
3475 
3476 		if (i == total - 1 && !!(eeprom_size % PER_PAGE_SIZE))
3477 			eep_len = eeprom_size % PER_PAGE_SIZE;
3478 		else
3479 			eep_len = PER_PAGE_SIZE;
3480 
3481 		msg_len = sizeof(req) + eep_len;
3482 		skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, msg_len);
3483 		if (!skb)
3484 			return -ENOMEM;
3485 
3486 		req.len = cpu_to_le16(msg_len - 4);
3487 		req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) |
3488 			     FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE;
3489 		req.buf_len = cpu_to_le16(eep_len);
3490 
3491 		skb_put_data(skb, &req, sizeof(req));
3492 		skb_put_data(skb, eep, eep_len);
3493 
3494 		ret = mt76_mcu_skb_send_msg(&dev->mt76, skb,
3495 					    MCU_WM_UNI_CMD(EFUSE_CTRL), true);
3496 		if (ret)
3497 			return ret;
3498 	}
3499 
3500 	return 0;
3501 }
3502 
3503 int mt7996_mcu_set_eeprom(struct mt7996_dev *dev)
3504 {
3505 	struct mt7996_mcu_eeprom req = {
3506 		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
3507 		.len = cpu_to_le16(sizeof(req) - 4),
3508 		.buffer_mode = EE_MODE_EFUSE,
3509 		.format = EE_FORMAT_WHOLE
3510 	};
3511 
3512 	if (dev->flash_mode)
3513 		return mt7996_mcu_set_eeprom_flash(dev);
3514 
3515 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(EFUSE_CTRL),
3516 				 &req, sizeof(req), true);
3517 }
3518 
3519 int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset)
3520 {
3521 	struct {
3522 		u8 _rsv[4];
3523 
3524 		__le16 tag;
3525 		__le16 len;
3526 		__le32 addr;
3527 		__le32 valid;
3528 		u8 data[16];
3529 	} __packed req = {
3530 		.tag = cpu_to_le16(UNI_EFUSE_ACCESS),
3531 		.len = cpu_to_le16(sizeof(req) - 4),
3532 		.addr = cpu_to_le32(round_down(offset,
3533 				    MT7996_EEPROM_BLOCK_SIZE)),
3534 	};
3535 	struct sk_buff *skb;
3536 	bool valid;
3537 	int ret;
3538 
3539 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
3540 					MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL),
3541 					&req, sizeof(req), true, &skb);
3542 	if (ret)
3543 		return ret;
3544 
3545 	valid = le32_to_cpu(*(__le32 *)(skb->data + 16));
3546 	if (valid) {
3547 		u32 addr = le32_to_cpu(*(__le32 *)(skb->data + 12));
3548 		u8 *buf = (u8 *)dev->mt76.eeprom.data + addr;
3549 
3550 		skb_pull(skb, 48);
3551 		memcpy(buf, skb->data, MT7996_EEPROM_BLOCK_SIZE);
3552 	}
3553 
3554 	dev_kfree_skb(skb);
3555 
3556 	return 0;
3557 }
3558 
3559 int mt7996_mcu_get_eeprom_free_block(struct mt7996_dev *dev, u8 *block_num)
3560 {
3561 	struct {
3562 		u8 _rsv[4];
3563 
3564 		__le16 tag;
3565 		__le16 len;
3566 		u8 num;
3567 		u8 version;
3568 		u8 die_idx;
3569 		u8 _rsv2;
3570 	} __packed req = {
3571 		.tag = cpu_to_le16(UNI_EFUSE_FREE_BLOCK),
3572 		.len = cpu_to_le16(sizeof(req) - 4),
3573 		.version = 2,
3574 	};
3575 	struct sk_buff *skb;
3576 	int ret;
3577 
3578 	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL), &req,
3579 					sizeof(req), true, &skb);
3580 	if (ret)
3581 		return ret;
3582 
3583 	*block_num = *(u8 *)(skb->data + 8);
3584 	dev_kfree_skb(skb);
3585 
3586 	return 0;
3587 }
3588 
3589 int mt7996_mcu_get_chip_config(struct mt7996_dev *dev, u32 *cap)
3590 {
3591 #define NIC_CAP	3
3592 #define UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION	0x21
3593 	struct {
3594 		u8 _rsv[4];
3595 
3596 		__le16 tag;
3597 		__le16 len;
3598 	} __packed req = {
3599 		.tag = cpu_to_le16(NIC_CAP),
3600 		.len = cpu_to_le16(sizeof(req) - 4),
3601 	};
3602 	struct sk_buff *skb;
3603 	u8 *buf;
3604 	int ret;
3605 
3606 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
3607 					MCU_WM_UNI_CMD_QUERY(CHIP_CONFIG), &req,
3608 					sizeof(req), true, &skb);
3609 	if (ret)
3610 		return ret;
3611 
3612 	/* fixed field */
3613 	skb_pull(skb, 4);
3614 
3615 	buf = skb->data;
3616 	while (buf - skb->data < skb->len) {
3617 		struct tlv *tlv = (struct tlv *)buf;
3618 
3619 		switch (le16_to_cpu(tlv->tag)) {
3620 		case UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION:
3621 			*cap = le32_to_cpu(*(__le32 *)(buf + sizeof(*tlv)));
3622 			break;
3623 		default:
3624 			break;
3625 		}
3626 
3627 		buf += le16_to_cpu(tlv->len);
3628 	}
3629 
3630 	dev_kfree_skb(skb);
3631 
3632 	return 0;
3633 }
3634 
3635 int mt7996_mcu_get_chan_mib_info(struct mt7996_phy *phy, bool chan_switch)
3636 {
3637 	struct {
3638 		struct {
3639 			u8 band;
3640 			u8 __rsv[3];
3641 		} hdr;
3642 		struct {
3643 			__le16 tag;
3644 			__le16 len;
3645 			__le32 offs;
3646 		} data[4];
3647 	} __packed req = {
3648 		.hdr.band = phy->mt76->band_idx,
3649 	};
3650 	/* strict order */
3651 	static const u32 offs[] = {
3652 		UNI_MIB_TX_TIME,
3653 		UNI_MIB_RX_TIME,
3654 		UNI_MIB_OBSS_AIRTIME,
3655 		UNI_MIB_NON_WIFI_TIME,
3656 	};
3657 	struct mt76_channel_state *state = phy->mt76->chan_state;
3658 	struct mt76_channel_state *state_ts = &phy->state_ts;
3659 	struct mt7996_dev *dev = phy->dev;
3660 	struct mt7996_mcu_mib *res;
3661 	struct sk_buff *skb;
3662 	int i, ret;
3663 
3664 	for (i = 0; i < 4; i++) {
3665 		req.data[i].tag = cpu_to_le16(UNI_CMD_MIB_DATA);
3666 		req.data[i].len = cpu_to_le16(sizeof(req.data[i]));
3667 		req.data[i].offs = cpu_to_le32(offs[i]);
3668 	}
3669 
3670 	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(GET_MIB_INFO),
3671 					&req, sizeof(req), true, &skb);
3672 	if (ret)
3673 		return ret;
3674 
3675 	skb_pull(skb, sizeof(req.hdr));
3676 
3677 	res = (struct mt7996_mcu_mib *)(skb->data);
3678 
3679 	if (chan_switch)
3680 		goto out;
3681 
3682 #define __res_u64(s) le64_to_cpu(res[s].data)
3683 	state->cc_tx += __res_u64(1) - state_ts->cc_tx;
3684 	state->cc_bss_rx += __res_u64(2) - state_ts->cc_bss_rx;
3685 	state->cc_rx += __res_u64(2) + __res_u64(3) - state_ts->cc_rx;
3686 	state->cc_busy += __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3) -
3687 			  state_ts->cc_busy;
3688 
3689 out:
3690 	state_ts->cc_tx = __res_u64(1);
3691 	state_ts->cc_bss_rx = __res_u64(2);
3692 	state_ts->cc_rx = __res_u64(2) + __res_u64(3);
3693 	state_ts->cc_busy = __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3);
3694 #undef __res_u64
3695 
3696 	dev_kfree_skb(skb);
3697 
3698 	return 0;
3699 }
3700 
3701 int mt7996_mcu_get_temperature(struct mt7996_phy *phy)
3702 {
3703 #define TEMPERATURE_QUERY 0
3704 #define GET_TEMPERATURE 0
3705 	struct {
3706 		u8 _rsv[4];
3707 
3708 		__le16 tag;
3709 		__le16 len;
3710 
3711 		u8 rsv1;
3712 		u8 action;
3713 		u8 band_idx;
3714 		u8 rsv2;
3715 	} req = {
3716 		.tag = cpu_to_le16(TEMPERATURE_QUERY),
3717 		.len = cpu_to_le16(sizeof(req) - 4),
3718 		.action = GET_TEMPERATURE,
3719 		.band_idx = phy->mt76->band_idx,
3720 	};
3721 	struct mt7996_mcu_thermal {
3722 		u8 _rsv[4];
3723 
3724 		__le16 tag;
3725 		__le16 len;
3726 
3727 		__le32 rsv;
3728 		__le32 temperature;
3729 	} __packed * res;
3730 	struct sk_buff *skb;
3731 	int ret;
3732 
3733 	ret = mt76_mcu_send_and_get_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(THERMAL),
3734 					&req, sizeof(req), true, &skb);
3735 	if (ret)
3736 		return ret;
3737 
3738 	res = (void *)skb->data;
3739 
3740 	return le32_to_cpu(res->temperature);
3741 }
3742 
3743 int mt7996_mcu_set_thermal_throttling(struct mt7996_phy *phy, u8 state)
3744 {
3745 	struct {
3746 		u8 _rsv[4];
3747 
3748 		__le16 tag;
3749 		__le16 len;
3750 
3751 		struct mt7996_mcu_thermal_ctrl ctrl;
3752 	} __packed req = {
3753 		.tag = cpu_to_le16(UNI_CMD_THERMAL_PROTECT_DUTY_CONFIG),
3754 		.len = cpu_to_le16(sizeof(req) - 4),
3755 		.ctrl = {
3756 			.band_idx = phy->mt76->band_idx,
3757 		},
3758 	};
3759 	int level, ret;
3760 
3761 	/* set duty cycle and level */
3762 	for (level = 0; level < 4; level++) {
3763 		req.ctrl.duty.duty_level = level;
3764 		req.ctrl.duty.duty_cycle = state;
3765 		state /= 2;
3766 
3767 		ret = mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(THERMAL),
3768 					&req, sizeof(req), false);
3769 		if (ret)
3770 			return ret;
3771 	}
3772 
3773 	return 0;
3774 }
3775 
3776 int mt7996_mcu_set_thermal_protect(struct mt7996_phy *phy, bool enable)
3777 {
3778 #define SUSTAIN_PERIOD		10
3779 	struct {
3780 		u8 _rsv[4];
3781 
3782 		__le16 tag;
3783 		__le16 len;
3784 
3785 		struct mt7996_mcu_thermal_ctrl ctrl;
3786 		struct mt7996_mcu_thermal_enable enable;
3787 	} __packed req = {
3788 		.len = cpu_to_le16(sizeof(req) - 4 - sizeof(req.enable)),
3789 		.ctrl = {
3790 			.band_idx = phy->mt76->band_idx,
3791 			.type.protect_type = 1,
3792 			.type.trigger_type = 1,
3793 		},
3794 	};
3795 	int ret;
3796 
3797 	req.tag = cpu_to_le16(UNI_CMD_THERMAL_PROTECT_DISABLE);
3798 
3799 	ret = mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(THERMAL),
3800 				&req, sizeof(req) - sizeof(req.enable), false);
3801 	if (ret || !enable)
3802 		return ret;
3803 
3804 	/* set high-temperature trigger threshold */
3805 	req.tag = cpu_to_le16(UNI_CMD_THERMAL_PROTECT_ENABLE);
3806 	req.enable.restore_temp = cpu_to_le32(phy->throttle_temp[0]);
3807 	req.enable.trigger_temp = cpu_to_le32(phy->throttle_temp[1]);
3808 	req.enable.sustain_time = cpu_to_le16(SUSTAIN_PERIOD);
3809 
3810 	req.len = cpu_to_le16(sizeof(req) - 4);
3811 
3812 	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(THERMAL),
3813 				 &req, sizeof(req), false);
3814 }
3815 
3816 int mt7996_mcu_set_ser(struct mt7996_dev *dev, u8 action, u8 val, u8 band)
3817 {
3818 	struct {
3819 		u8 rsv[4];
3820 
3821 		__le16 tag;
3822 		__le16 len;
3823 
3824 		union {
3825 			struct {
3826 				__le32 mask;
3827 			} __packed set;
3828 
3829 			struct {
3830 				u8 method;
3831 				u8 band;
3832 				u8 rsv2[2];
3833 			} __packed trigger;
3834 		};
3835 	} __packed req = {
3836 		.tag = cpu_to_le16(action),
3837 		.len = cpu_to_le16(sizeof(req) - 4),
3838 	};
3839 
3840 	switch (action) {
3841 	case UNI_CMD_SER_SET:
3842 		req.set.mask = cpu_to_le32(val);
3843 		break;
3844 	case UNI_CMD_SER_TRIGGER:
3845 		req.trigger.method = val;
3846 		req.trigger.band = band;
3847 		break;
3848 	default:
3849 		return -EINVAL;
3850 	}
3851 
3852 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SER),
3853 				 &req, sizeof(req), false);
3854 }
3855 
3856 int mt7996_mcu_set_txbf(struct mt7996_dev *dev, u8 action)
3857 {
3858 #define MT7996_BF_MAX_SIZE	sizeof(union bf_tag_tlv)
3859 #define BF_PROCESSING	4
3860 	struct uni_header hdr;
3861 	struct sk_buff *skb;
3862 	struct tlv *tlv;
3863 	int len = sizeof(hdr) + MT7996_BF_MAX_SIZE;
3864 
3865 	memset(&hdr, 0, sizeof(hdr));
3866 
3867 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
3868 	if (!skb)
3869 		return -ENOMEM;
3870 
3871 	skb_put_data(skb, &hdr, sizeof(hdr));
3872 
3873 	switch (action) {
3874 	case BF_SOUNDING_ON: {
3875 		struct bf_sounding_on *req_snd_on;
3876 
3877 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_snd_on));
3878 		req_snd_on = (struct bf_sounding_on *)tlv;
3879 		req_snd_on->snd_mode = BF_PROCESSING;
3880 		break;
3881 	}
3882 	case BF_HW_EN_UPDATE: {
3883 		struct bf_hw_en_status_update *req_hw_en;
3884 
3885 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_hw_en));
3886 		req_hw_en = (struct bf_hw_en_status_update *)tlv;
3887 		req_hw_en->ebf = true;
3888 		req_hw_en->ibf = dev->ibf;
3889 		break;
3890 	}
3891 	case BF_MOD_EN_CTRL: {
3892 		struct bf_mod_en_ctrl *req_mod_en;
3893 
3894 		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_mod_en));
3895 		req_mod_en = (struct bf_mod_en_ctrl *)tlv;
3896 		req_mod_en->bf_num = 3;
3897 		req_mod_en->bf_bitmap = GENMASK(2, 0);
3898 		break;
3899 	}
3900 	default:
3901 		return -EINVAL;
3902 	}
3903 
3904 	return mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_WM_UNI_CMD(BF), true);
3905 }
3906 
3907 static int
3908 mt7996_mcu_enable_obss_spr(struct mt7996_phy *phy, u16 action, u8 val)
3909 {
3910 	struct mt7996_dev *dev = phy->dev;
3911 	struct {
3912 		u8 band_idx;
3913 		u8 __rsv[3];
3914 
3915 		__le16 tag;
3916 		__le16 len;
3917 
3918 		__le32 val;
3919 	} __packed req = {
3920 		.band_idx = phy->mt76->band_idx,
3921 		.tag = cpu_to_le16(action),
3922 		.len = cpu_to_le16(sizeof(req) - 4),
3923 		.val = cpu_to_le32(val),
3924 	};
3925 
3926 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
3927 				 &req, sizeof(req), true);
3928 }
3929 
3930 static int
3931 mt7996_mcu_set_obss_spr_pd(struct mt7996_phy *phy,
3932 			   struct ieee80211_he_obss_pd *he_obss_pd)
3933 {
3934 	struct mt7996_dev *dev = phy->dev;
3935 	u8 max_th = 82, non_srg_max_th = 62;
3936 	struct {
3937 		u8 band_idx;
3938 		u8 __rsv[3];
3939 
3940 		__le16 tag;
3941 		__le16 len;
3942 
3943 		u8 pd_th_non_srg;
3944 		u8 pd_th_srg;
3945 		u8 period_offs;
3946 		u8 rcpi_src;
3947 		__le16 obss_pd_min;
3948 		__le16 obss_pd_min_srg;
3949 		u8 resp_txpwr_mode;
3950 		u8 txpwr_restrict_mode;
3951 		u8 txpwr_ref;
3952 		u8 __rsv2[3];
3953 	} __packed req = {
3954 		.band_idx = phy->mt76->band_idx,
3955 		.tag = cpu_to_le16(UNI_CMD_SR_SET_PARAM),
3956 		.len = cpu_to_le16(sizeof(req) - 4),
3957 		.obss_pd_min = cpu_to_le16(max_th),
3958 		.obss_pd_min_srg = cpu_to_le16(max_th),
3959 		.txpwr_restrict_mode = 2,
3960 		.txpwr_ref = 21
3961 	};
3962 	int ret;
3963 
3964 	/* disable firmware dynamical PD asjustment */
3965 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_DPD, false);
3966 	if (ret)
3967 		return ret;
3968 
3969 	if (he_obss_pd->sr_ctrl &
3970 	    IEEE80211_HE_SPR_NON_SRG_OBSS_PD_SR_DISALLOWED)
3971 		req.pd_th_non_srg = max_th;
3972 	else if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
3973 		req.pd_th_non_srg  = max_th - he_obss_pd->non_srg_max_offset;
3974 	else
3975 		req.pd_th_non_srg  = non_srg_max_th;
3976 
3977 	if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT)
3978 		req.pd_th_srg = max_th - he_obss_pd->max_offset;
3979 
3980 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
3981 				 &req, sizeof(req), true);
3982 }
3983 
3984 static int
3985 mt7996_mcu_set_obss_spr_siga(struct mt7996_phy *phy, struct ieee80211_vif *vif,
3986 			     struct ieee80211_he_obss_pd *he_obss_pd)
3987 {
3988 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
3989 	struct mt7996_dev *dev = phy->dev;
3990 	u8 omac = mvif->mt76.omac_idx;
3991 	struct {
3992 		u8 band_idx;
3993 		u8 __rsv[3];
3994 
3995 		__le16 tag;
3996 		__le16 len;
3997 
3998 		u8 omac;
3999 		u8 __rsv2[3];
4000 		u8 flag[20];
4001 	} __packed req = {
4002 		.band_idx = phy->mt76->band_idx,
4003 		.tag = cpu_to_le16(UNI_CMD_SR_SET_SIGA),
4004 		.len = cpu_to_le16(sizeof(req) - 4),
4005 		.omac = omac > HW_BSSID_MAX ? omac - 12 : omac,
4006 	};
4007 	int ret;
4008 
4009 	if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED)
4010 		req.flag[req.omac] = 0xf;
4011 	else
4012 		return 0;
4013 
4014 	/* switch to normal AP mode */
4015 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_MODE, 0);
4016 	if (ret)
4017 		return ret;
4018 
4019 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
4020 				 &req, sizeof(req), true);
4021 }
4022 
4023 static int
4024 mt7996_mcu_set_obss_spr_bitmap(struct mt7996_phy *phy,
4025 			       struct ieee80211_he_obss_pd *he_obss_pd)
4026 {
4027 	struct mt7996_dev *dev = phy->dev;
4028 	struct {
4029 		u8 band_idx;
4030 		u8 __rsv[3];
4031 
4032 		__le16 tag;
4033 		__le16 len;
4034 
4035 		__le32 color_l[2];
4036 		__le32 color_h[2];
4037 		__le32 bssid_l[2];
4038 		__le32 bssid_h[2];
4039 	} __packed req = {
4040 		.band_idx = phy->mt76->band_idx,
4041 		.tag = cpu_to_le16(UNI_CMD_SR_SET_SRG_BITMAP),
4042 		.len = cpu_to_le16(sizeof(req) - 4),
4043 	};
4044 	u32 bitmap;
4045 
4046 	memcpy(&bitmap, he_obss_pd->bss_color_bitmap, sizeof(bitmap));
4047 	req.color_l[req.band_idx] = cpu_to_le32(bitmap);
4048 
4049 	memcpy(&bitmap, he_obss_pd->bss_color_bitmap + 4, sizeof(bitmap));
4050 	req.color_h[req.band_idx] = cpu_to_le32(bitmap);
4051 
4052 	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap, sizeof(bitmap));
4053 	req.bssid_l[req.band_idx] = cpu_to_le32(bitmap);
4054 
4055 	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap + 4, sizeof(bitmap));
4056 	req.bssid_h[req.band_idx] = cpu_to_le32(bitmap);
4057 
4058 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR), &req,
4059 				 sizeof(req), true);
4060 }
4061 
4062 int mt7996_mcu_add_obss_spr(struct mt7996_phy *phy, struct ieee80211_vif *vif,
4063 			    struct ieee80211_he_obss_pd *he_obss_pd)
4064 {
4065 	int ret;
4066 
4067 	/* enable firmware scene detection algorithms */
4068 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_SD,
4069 					 sr_scene_detect);
4070 	if (ret)
4071 		return ret;
4072 
4073 	/* firmware dynamically adjusts PD threshold so skip manual control */
4074 	if (sr_scene_detect && !he_obss_pd->enable)
4075 		return 0;
4076 
4077 	/* enable spatial reuse */
4078 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE,
4079 					 he_obss_pd->enable);
4080 	if (ret)
4081 		return ret;
4082 
4083 	if (sr_scene_detect || !he_obss_pd->enable)
4084 		return 0;
4085 
4086 	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_TX, true);
4087 	if (ret)
4088 		return ret;
4089 
4090 	/* set SRG/non-SRG OBSS PD threshold */
4091 	ret = mt7996_mcu_set_obss_spr_pd(phy, he_obss_pd);
4092 	if (ret)
4093 		return ret;
4094 
4095 	/* Set SR prohibit */
4096 	ret = mt7996_mcu_set_obss_spr_siga(phy, vif, he_obss_pd);
4097 	if (ret)
4098 		return ret;
4099 
4100 	/* set SRG BSS color/BSSID bitmap */
4101 	return mt7996_mcu_set_obss_spr_bitmap(phy, he_obss_pd);
4102 }
4103 
4104 int mt7996_mcu_update_bss_color(struct mt7996_dev *dev, struct ieee80211_vif *vif,
4105 				struct cfg80211_he_bss_color *he_bss_color)
4106 {
4107 	int len = sizeof(struct bss_req_hdr) + sizeof(struct bss_color_tlv);
4108 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
4109 	struct bss_color_tlv *bss_color;
4110 	struct sk_buff *skb;
4111 	struct tlv *tlv;
4112 
4113 	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76, len);
4114 	if (IS_ERR(skb))
4115 		return PTR_ERR(skb);
4116 
4117 	tlv = mt76_connac_mcu_add_tlv(skb, UNI_BSS_INFO_BSS_COLOR,
4118 				      sizeof(*bss_color));
4119 	bss_color = (struct bss_color_tlv *)tlv;
4120 	bss_color->enable = he_bss_color->enabled;
4121 	bss_color->color = he_bss_color->color;
4122 
4123 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
4124 				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
4125 }
4126 
4127 #define TWT_AGRT_TRIGGER	BIT(0)
4128 #define TWT_AGRT_ANNOUNCE	BIT(1)
4129 #define TWT_AGRT_PROTECT	BIT(2)
4130 
4131 int mt7996_mcu_twt_agrt_update(struct mt7996_dev *dev,
4132 			       struct mt7996_vif *mvif,
4133 			       struct mt7996_twt_flow *flow,
4134 			       int cmd)
4135 {
4136 	struct {
4137 		/* fixed field */
4138 		u8 bss;
4139 		u8 _rsv[3];
4140 
4141 		__le16 tag;
4142 		__le16 len;
4143 		u8 tbl_idx;
4144 		u8 cmd;
4145 		u8 own_mac_idx;
4146 		u8 flowid; /* 0xff for group id */
4147 		__le16 peer_id; /* specify the peer_id (msb=0)
4148 				 * or group_id (msb=1)
4149 				 */
4150 		u8 duration; /* 256 us */
4151 		u8 bss_idx;
4152 		__le64 start_tsf;
4153 		__le16 mantissa;
4154 		u8 exponent;
4155 		u8 is_ap;
4156 		u8 agrt_params;
4157 		u8 __rsv2[23];
4158 	} __packed req = {
4159 		.tag = cpu_to_le16(UNI_CMD_TWT_ARGT_UPDATE),
4160 		.len = cpu_to_le16(sizeof(req) - 4),
4161 		.tbl_idx = flow->table_id,
4162 		.cmd = cmd,
4163 		.own_mac_idx = mvif->mt76.omac_idx,
4164 		.flowid = flow->id,
4165 		.peer_id = cpu_to_le16(flow->wcid),
4166 		.duration = flow->duration,
4167 		.bss = mvif->mt76.idx,
4168 		.bss_idx = mvif->mt76.idx,
4169 		.start_tsf = cpu_to_le64(flow->tsf),
4170 		.mantissa = flow->mantissa,
4171 		.exponent = flow->exp,
4172 		.is_ap = true,
4173 	};
4174 
4175 	if (flow->protection)
4176 		req.agrt_params |= TWT_AGRT_PROTECT;
4177 	if (!flow->flowtype)
4178 		req.agrt_params |= TWT_AGRT_ANNOUNCE;
4179 	if (flow->trigger)
4180 		req.agrt_params |= TWT_AGRT_TRIGGER;
4181 
4182 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(TWT),
4183 				 &req, sizeof(req), true);
4184 }
4185 
4186 int mt7996_mcu_set_rts_thresh(struct mt7996_phy *phy, u32 val)
4187 {
4188 	struct {
4189 		u8 band_idx;
4190 		u8 _rsv[3];
4191 
4192 		__le16 tag;
4193 		__le16 len;
4194 		__le32 len_thresh;
4195 		__le32 pkt_thresh;
4196 	} __packed req = {
4197 		.band_idx = phy->mt76->band_idx,
4198 		.tag = cpu_to_le16(UNI_BAND_CONFIG_RTS_THRESHOLD),
4199 		.len = cpu_to_le16(sizeof(req) - 4),
4200 		.len_thresh = cpu_to_le32(val),
4201 		.pkt_thresh = cpu_to_le32(0x2),
4202 	};
4203 
4204 	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(BAND_CONFIG),
4205 				 &req, sizeof(req), true);
4206 }
4207 
4208 int mt7996_mcu_set_radio_en(struct mt7996_phy *phy, bool enable)
4209 {
4210 	struct {
4211 		u8 band_idx;
4212 		u8 _rsv[3];
4213 
4214 		__le16 tag;
4215 		__le16 len;
4216 		u8 enable;
4217 		u8 _rsv2[3];
4218 	} __packed req = {
4219 		.band_idx = phy->mt76->band_idx,
4220 		.tag = cpu_to_le16(UNI_BAND_CONFIG_RADIO_ENABLE),
4221 		.len = cpu_to_le16(sizeof(req) - 4),
4222 		.enable = enable,
4223 	};
4224 
4225 	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(BAND_CONFIG),
4226 				 &req, sizeof(req), true);
4227 }
4228 
4229 int mt7996_mcu_rdd_cmd(struct mt7996_dev *dev, int cmd, u8 index,
4230 		       u8 rx_sel, u8 val)
4231 {
4232 	struct {
4233 		u8 _rsv[4];
4234 
4235 		__le16 tag;
4236 		__le16 len;
4237 
4238 		u8 ctrl;
4239 		u8 rdd_idx;
4240 		u8 rdd_rx_sel;
4241 		u8 val;
4242 		u8 rsv[4];
4243 	} __packed req = {
4244 		.tag = cpu_to_le16(UNI_RDD_CTRL_PARM),
4245 		.len = cpu_to_le16(sizeof(req) - 4),
4246 		.ctrl = cmd,
4247 		.rdd_idx = index,
4248 		.rdd_rx_sel = rx_sel,
4249 		.val = val,
4250 	};
4251 
4252 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
4253 				 &req, sizeof(req), true);
4254 }
4255 
4256 int mt7996_mcu_wtbl_update_hdr_trans(struct mt7996_dev *dev,
4257 				     struct ieee80211_vif *vif,
4258 				     struct ieee80211_sta *sta)
4259 {
4260 	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
4261 	struct mt7996_sta *msta;
4262 	struct sk_buff *skb;
4263 
4264 	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
4265 
4266 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
4267 					      &msta->wcid,
4268 					      MT7996_STA_UPDATE_MAX_SIZE);
4269 	if (IS_ERR(skb))
4270 		return PTR_ERR(skb);
4271 
4272 	/* starec hdr trans */
4273 	mt7996_mcu_sta_hdr_trans_tlv(dev, skb, vif, sta);
4274 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
4275 				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
4276 }
4277 
4278 int mt7996_mcu_set_fixed_rate_table(struct mt7996_phy *phy, u8 table_idx,
4279 				    u16 rate_idx, bool beacon)
4280 {
4281 #define UNI_FIXED_RATE_TABLE_SET	0
4282 #define SPE_IXD_SELECT_TXD		0
4283 #define SPE_IXD_SELECT_BMC_WTBL		1
4284 	struct mt7996_dev *dev = phy->dev;
4285 	struct fixed_rate_table_ctrl req = {
4286 		.tag = cpu_to_le16(UNI_FIXED_RATE_TABLE_SET),
4287 		.len = cpu_to_le16(sizeof(req) - 4),
4288 		.table_idx = table_idx,
4289 		.rate_idx = cpu_to_le16(rate_idx),
4290 		.gi = 1,
4291 		.he_ltf = 1,
4292 	};
4293 	u8 band_idx = phy->mt76->band_idx;
4294 
4295 	if (beacon) {
4296 		req.spe_idx_sel = SPE_IXD_SELECT_TXD;
4297 		req.spe_idx = 24 + band_idx;
4298 		phy->beacon_rate = rate_idx;
4299 	} else {
4300 		req.spe_idx_sel = SPE_IXD_SELECT_BMC_WTBL;
4301 	}
4302 
4303 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(FIXED_RATE_TABLE),
4304 				 &req, sizeof(req), false);
4305 }
4306 
4307 int mt7996_mcu_rf_regval(struct mt7996_dev *dev, u32 regidx, u32 *val, bool set)
4308 {
4309 	struct {
4310 		u8 __rsv1[4];
4311 
4312 		__le16 tag;
4313 		__le16 len;
4314 		__le16 idx;
4315 		u8 __rsv2[2];
4316 		__le32 ofs;
4317 		__le32 data;
4318 	} __packed *res, req = {
4319 		.tag = cpu_to_le16(UNI_CMD_ACCESS_RF_REG_BASIC),
4320 		.len = cpu_to_le16(sizeof(req) - 4),
4321 
4322 		.idx = cpu_to_le16(u32_get_bits(regidx, GENMASK(31, 24))),
4323 		.ofs = cpu_to_le32(u32_get_bits(regidx, GENMASK(23, 0))),
4324 		.data = set ? cpu_to_le32(*val) : 0,
4325 	};
4326 	struct sk_buff *skb;
4327 	int ret;
4328 
4329 	if (set)
4330 		return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REG_ACCESS),
4331 					 &req, sizeof(req), true);
4332 
4333 	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
4334 					MCU_WM_UNI_CMD_QUERY(REG_ACCESS),
4335 					&req, sizeof(req), true, &skb);
4336 	if (ret)
4337 		return ret;
4338 
4339 	res = (void *)skb->data;
4340 	*val = le32_to_cpu(res->data);
4341 	dev_kfree_skb(skb);
4342 
4343 	return 0;
4344 }
4345 
4346 int mt7996_mcu_trigger_assert(struct mt7996_dev *dev)
4347 {
4348 	struct {
4349 		__le16 tag;
4350 		__le16 len;
4351 		u8 enable;
4352 		u8 rsv[3];
4353 	} __packed req = {
4354 		.len = cpu_to_le16(sizeof(req) - 4),
4355 		.enable = true,
4356 	};
4357 
4358 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(ASSERT_DUMP),
4359 				 &req, sizeof(req), false);
4360 }
4361 
4362 int mt7996_mcu_set_rro(struct mt7996_dev *dev, u16 tag, u16 val)
4363 {
4364 	struct {
4365 		u8 __rsv1[4];
4366 		__le16 tag;
4367 		__le16 len;
4368 		union {
4369 			struct {
4370 				u8 type;
4371 				u8 __rsv2[3];
4372 			} __packed platform_type;
4373 			struct {
4374 				u8 type;
4375 				u8 dest;
4376 				u8 __rsv2[2];
4377 			} __packed bypass_mode;
4378 			struct {
4379 				u8 path;
4380 				u8 __rsv2[3];
4381 			} __packed txfree_path;
4382 			struct {
4383 				__le16 flush_one;
4384 				__le16 flush_all;
4385 				u8 __rsv2[4];
4386 			} __packed timeout;
4387 		};
4388 	} __packed req = {
4389 		.tag = cpu_to_le16(tag),
4390 		.len = cpu_to_le16(sizeof(req) - 4),
4391 	};
4392 
4393 	switch (tag) {
4394 	case UNI_RRO_SET_PLATFORM_TYPE:
4395 		req.platform_type.type = val;
4396 		break;
4397 	case UNI_RRO_SET_BYPASS_MODE:
4398 		req.bypass_mode.type = val;
4399 		break;
4400 	case UNI_RRO_SET_TXFREE_PATH:
4401 		req.txfree_path.path = val;
4402 		break;
4403 	case UNI_RRO_SET_FLUSH_TIMEOUT:
4404 		req.timeout.flush_one = cpu_to_le16(val);
4405 		req.timeout.flush_all = cpu_to_le16(2 * val);
4406 		break;
4407 	default:
4408 		return -EINVAL;
4409 	}
4410 
4411 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RRO), &req,
4412 				 sizeof(req), true);
4413 }
4414 
4415 int mt7996_mcu_get_all_sta_info(struct mt7996_phy *phy, u16 tag)
4416 {
4417 	struct mt7996_dev *dev = phy->dev;
4418 	struct {
4419 		u8 _rsv[4];
4420 
4421 		__le16 tag;
4422 		__le16 len;
4423 	} __packed req = {
4424 		.tag = cpu_to_le16(tag),
4425 		.len = cpu_to_le16(sizeof(req) - 4),
4426 	};
4427 
4428 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(ALL_STA_INFO),
4429 				 &req, sizeof(req), false);
4430 }
4431 
4432 int mt7996_mcu_wed_rro_reset_sessions(struct mt7996_dev *dev, u16 id)
4433 {
4434 	struct {
4435 		u8 __rsv[4];
4436 
4437 		__le16 tag;
4438 		__le16 len;
4439 		__le16 session_id;
4440 		u8 pad[4];
4441 	} __packed req = {
4442 		.tag = cpu_to_le16(UNI_RRO_DEL_BA_SESSION),
4443 		.len = cpu_to_le16(sizeof(req) - 4),
4444 		.session_id = cpu_to_le16(id),
4445 	};
4446 
4447 	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RRO), &req,
4448 				 sizeof(req), true);
4449 }
4450 
4451 int mt7996_mcu_set_txpower_sku(struct mt7996_phy *phy)
4452 {
4453 #define TX_POWER_LIMIT_TABLE_RATE	0
4454 	struct mt7996_dev *dev = phy->dev;
4455 	struct mt76_phy *mphy = phy->mt76;
4456 	struct ieee80211_hw *hw = mphy->hw;
4457 	struct tx_power_limit_table_ctrl {
4458 		u8 __rsv1[4];
4459 
4460 		__le16 tag;
4461 		__le16 len;
4462 		u8 power_ctrl_id;
4463 		u8 power_limit_type;
4464 		u8 band_idx;
4465 	} __packed req = {
4466 		.tag = cpu_to_le16(UNI_TXPOWER_POWER_LIMIT_TABLE_CTRL),
4467 		.len = cpu_to_le16(sizeof(req) + MT7996_SKU_RATE_NUM - 4),
4468 		.power_ctrl_id = UNI_TXPOWER_POWER_LIMIT_TABLE_CTRL,
4469 		.power_limit_type = TX_POWER_LIMIT_TABLE_RATE,
4470 		.band_idx = phy->mt76->band_idx,
4471 	};
4472 	struct mt76_power_limits la = {};
4473 	struct sk_buff *skb;
4474 	int i, tx_power;
4475 
4476 	tx_power = mt7996_get_power_bound(phy, hw->conf.power_level);
4477 	tx_power = mt76_get_rate_power_limits(mphy, mphy->chandef.chan,
4478 					      &la, tx_power);
4479 	mphy->txpower_cur = tx_power;
4480 
4481 	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL,
4482 				 sizeof(req) + MT7996_SKU_RATE_NUM);
4483 	if (!skb)
4484 		return -ENOMEM;
4485 
4486 	skb_put_data(skb, &req, sizeof(req));
4487 	/* cck and ofdm */
4488 	skb_put_data(skb, &la.cck, sizeof(la.cck));
4489 	skb_put_data(skb, &la.ofdm, sizeof(la.ofdm));
4490 	/* ht20 */
4491 	skb_put_data(skb, &la.mcs[0], 8);
4492 	/* ht40 */
4493 	skb_put_data(skb, &la.mcs[1], 9);
4494 
4495 	/* vht */
4496 	for (i = 0; i < 4; i++) {
4497 		skb_put_data(skb, &la.mcs[i], sizeof(la.mcs[i]));
4498 		skb_put_zero(skb, 2);  /* padding */
4499 	}
4500 
4501 	/* he */
4502 	skb_put_data(skb, &la.ru[0], sizeof(la.ru));
4503 	/* eht */
4504 	skb_put_data(skb, &la.eht[0], sizeof(la.eht));
4505 
4506 	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
4507 				     MCU_WM_UNI_CMD(TXPOWER), true);
4508 }
4509