xref: /titanic_41/usr/src/uts/common/io/iwp/iwp.c (revision ead9bb4b1be81d7bbf8ed86ee41d6c1e58b069a3)
1 /*
2  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (c) 2009, Intel Corporation
8  * All rights reserved.
9  */
10 
11 /*
12  * Copyright (c) 2006
13  * Copyright (c) 2007
14  *	Damien Bergamini <damien.bergamini@free.fr>
15  *
16  * Permission to use, copy, modify, and distribute this software for any
17  * purpose with or without fee is hereby granted, provided that the above
18  * copyright notice and this permission notice appear in all copies.
19  *
20  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
21  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
22  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
23  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
24  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
25  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
26  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
27  */
28 
29 /*
30  * Intel(R) WiFi Link 6000 Driver
31  */
32 
33 #include <sys/types.h>
34 #include <sys/byteorder.h>
35 #include <sys/conf.h>
36 #include <sys/cmn_err.h>
37 #include <sys/stat.h>
38 #include <sys/ddi.h>
39 #include <sys/sunddi.h>
40 #include <sys/strsubr.h>
41 #include <sys/ethernet.h>
42 #include <inet/common.h>
43 #include <inet/nd.h>
44 #include <inet/mi.h>
45 #include <sys/note.h>
46 #include <sys/stream.h>
47 #include <sys/strsun.h>
48 #include <sys/modctl.h>
49 #include <sys/devops.h>
50 #include <sys/dlpi.h>
51 #include <sys/mac_provider.h>
52 #include <sys/mac_wifi.h>
53 #include <sys/net80211.h>
54 #include <sys/net80211_proto.h>
55 #include <sys/varargs.h>
56 #include <sys/policy.h>
57 #include <sys/pci.h>
58 
59 #include "iwp_calibration.h"
60 #include "iwp_hw.h"
61 #include "iwp_eeprom.h"
62 #include "iwp_var.h"
63 #include <inet/wifi_ioctl.h>
64 
65 #ifdef DEBUG
66 #define	IWP_DEBUG_80211		(1 << 0)
67 #define	IWP_DEBUG_CMD		(1 << 1)
68 #define	IWP_DEBUG_DMA		(1 << 2)
69 #define	IWP_DEBUG_EEPROM	(1 << 3)
70 #define	IWP_DEBUG_FW		(1 << 4)
71 #define	IWP_DEBUG_HW		(1 << 5)
72 #define	IWP_DEBUG_INTR		(1 << 6)
73 #define	IWP_DEBUG_MRR		(1 << 7)
74 #define	IWP_DEBUG_PIO		(1 << 8)
75 #define	IWP_DEBUG_RX		(1 << 9)
76 #define	IWP_DEBUG_SCAN		(1 << 10)
77 #define	IWP_DEBUG_TX		(1 << 11)
78 #define	IWP_DEBUG_RATECTL	(1 << 12)
79 #define	IWP_DEBUG_RADIO		(1 << 13)
80 #define	IWP_DEBUG_RESUME	(1 << 14)
81 #define	IWP_DEBUG_CALIBRATION	(1 << 15)
82 /*
83  * if want to see debug message of a given section,
84  * please set this flag to one of above values
85  */
86 uint32_t iwp_dbg_flags = 0;
87 #define	IWP_DBG(x) \
88 	iwp_dbg x
89 #else
90 #define	IWP_DBG(x)
91 #endif
92 
93 static void	*iwp_soft_state_p = NULL;
94 
95 /*
96  * ucode will be compiled into driver image
97  */
98 static uint8_t iwp_fw_bin [] = {
99 #include "fw-iw/iwp.ucode"
100 };
101 
102 /*
103  * DMA attributes for a shared page
104  */
105 static ddi_dma_attr_t sh_dma_attr = {
106 	DMA_ATTR_V0,	/* version of this structure */
107 	0,		/* lowest usable address */
108 	0xffffffffU,	/* highest usable address */
109 	0xffffffffU,	/* maximum DMAable byte count */
110 	0x1000,		/* alignment in bytes */
111 	0x1000,		/* burst sizes (any?) */
112 	1,		/* minimum transfer */
113 	0xffffffffU,	/* maximum transfer */
114 	0xffffffffU,	/* maximum segment length */
115 	1,		/* maximum number of segments */
116 	1,		/* granularity */
117 	0,		/* flags (reserved) */
118 };
119 
120 /*
121  * DMA attributes for a keep warm DRAM descriptor
122  */
123 static ddi_dma_attr_t kw_dma_attr = {
124 	DMA_ATTR_V0,	/* version of this structure */
125 	0,		/* lowest usable address */
126 	0xffffffffU,	/* highest usable address */
127 	0xffffffffU,	/* maximum DMAable byte count */
128 	0x1000,		/* alignment in bytes */
129 	0x1000,		/* burst sizes (any?) */
130 	1,		/* minimum transfer */
131 	0xffffffffU,	/* maximum transfer */
132 	0xffffffffU,	/* maximum segment length */
133 	1,		/* maximum number of segments */
134 	1,		/* granularity */
135 	0,		/* flags (reserved) */
136 };
137 
138 /*
139  * DMA attributes for a ring descriptor
140  */
141 static ddi_dma_attr_t ring_desc_dma_attr = {
142 	DMA_ATTR_V0,	/* version of this structure */
143 	0,		/* lowest usable address */
144 	0xffffffffU,	/* highest usable address */
145 	0xffffffffU,	/* maximum DMAable byte count */
146 	0x100,		/* alignment in bytes */
147 	0x100,		/* burst sizes (any?) */
148 	1,		/* minimum transfer */
149 	0xffffffffU,	/* maximum transfer */
150 	0xffffffffU,	/* maximum segment length */
151 	1,		/* maximum number of segments */
152 	1,		/* granularity */
153 	0,		/* flags (reserved) */
154 };
155 
156 /*
157  * DMA attributes for a cmd
158  */
159 static ddi_dma_attr_t cmd_dma_attr = {
160 	DMA_ATTR_V0,	/* version of this structure */
161 	0,		/* lowest usable address */
162 	0xffffffffU,	/* highest usable address */
163 	0xffffffffU,	/* maximum DMAable byte count */
164 	4,		/* alignment in bytes */
165 	0x100,		/* burst sizes (any?) */
166 	1,		/* minimum transfer */
167 	0xffffffffU,	/* maximum transfer */
168 	0xffffffffU,	/* maximum segment length */
169 	1,		/* maximum number of segments */
170 	1,		/* granularity */
171 	0,		/* flags (reserved) */
172 };
173 
174 /*
175  * DMA attributes for a rx buffer
176  */
177 static ddi_dma_attr_t rx_buffer_dma_attr = {
178 	DMA_ATTR_V0,	/* version of this structure */
179 	0,		/* lowest usable address */
180 	0xffffffffU,	/* highest usable address */
181 	0xffffffffU,	/* maximum DMAable byte count */
182 	0x100,		/* alignment in bytes */
183 	0x100,		/* burst sizes (any?) */
184 	1,		/* minimum transfer */
185 	0xffffffffU,	/* maximum transfer */
186 	0xffffffffU,	/* maximum segment length */
187 	1,		/* maximum number of segments */
188 	1,		/* granularity */
189 	0,		/* flags (reserved) */
190 };
191 
192 /*
193  * DMA attributes for a tx buffer.
194  * the maximum number of segments is 4 for the hardware.
195  * now all the wifi drivers put the whole frame in a single
196  * descriptor, so we define the maximum  number of segments 1,
197  * just the same as the rx_buffer. we consider leverage the HW
198  * ability in the future, that is why we don't define rx and tx
199  * buffer_dma_attr as the same.
200  */
201 static ddi_dma_attr_t tx_buffer_dma_attr = {
202 	DMA_ATTR_V0,	/* version of this structure */
203 	0,		/* lowest usable address */
204 	0xffffffffU,	/* highest usable address */
205 	0xffffffffU,	/* maximum DMAable byte count */
206 	4,		/* alignment in bytes */
207 	0x100,		/* burst sizes (any?) */
208 	1,		/* minimum transfer */
209 	0xffffffffU,	/* maximum transfer */
210 	0xffffffffU,	/* maximum segment length */
211 	1,		/* maximum number of segments */
212 	1,		/* granularity */
213 	0,		/* flags (reserved) */
214 };
215 
216 /*
217  * DMA attributes for text and data part in the firmware
218  */
219 static ddi_dma_attr_t fw_dma_attr = {
220 	DMA_ATTR_V0,	/* version of this structure */
221 	0,		/* lowest usable address */
222 	0xffffffffU,	/* highest usable address */
223 	0x7fffffff,	/* maximum DMAable byte count */
224 	0x10,		/* alignment in bytes */
225 	0x100,		/* burst sizes (any?) */
226 	1,		/* minimum transfer */
227 	0xffffffffU,	/* maximum transfer */
228 	0xffffffffU,	/* maximum segment length */
229 	1,		/* maximum number of segments */
230 	1,		/* granularity */
231 	0,		/* flags (reserved) */
232 };
233 
234 /*
235  * regs access attributes
236  */
237 static ddi_device_acc_attr_t iwp_reg_accattr = {
238 	DDI_DEVICE_ATTR_V0,
239 	DDI_STRUCTURE_LE_ACC,
240 	DDI_STRICTORDER_ACC,
241 	DDI_DEFAULT_ACC
242 };
243 
244 /*
245  * DMA access attributes for descriptor
246  */
247 static ddi_device_acc_attr_t iwp_dma_descattr = {
248 	DDI_DEVICE_ATTR_V0,
249 	DDI_STRUCTURE_LE_ACC,
250 	DDI_STRICTORDER_ACC,
251 	DDI_DEFAULT_ACC
252 };
253 
254 /*
255  * DMA access attributes
256  */
257 static ddi_device_acc_attr_t iwp_dma_accattr = {
258 	DDI_DEVICE_ATTR_V0,
259 	DDI_NEVERSWAP_ACC,
260 	DDI_STRICTORDER_ACC,
261 	DDI_DEFAULT_ACC
262 };
263 
264 static int	iwp_ring_init(iwp_sc_t *);
265 static void	iwp_ring_free(iwp_sc_t *);
266 static int	iwp_alloc_shared(iwp_sc_t *);
267 static void	iwp_free_shared(iwp_sc_t *);
268 static int	iwp_alloc_kw(iwp_sc_t *);
269 static void	iwp_free_kw(iwp_sc_t *);
270 static int	iwp_alloc_fw_dma(iwp_sc_t *);
271 static void	iwp_free_fw_dma(iwp_sc_t *);
272 static int	iwp_alloc_rx_ring(iwp_sc_t *);
273 static void	iwp_reset_rx_ring(iwp_sc_t *);
274 static void	iwp_free_rx_ring(iwp_sc_t *);
275 static int	iwp_alloc_tx_ring(iwp_sc_t *, iwp_tx_ring_t *,
276     int, int);
277 static void	iwp_reset_tx_ring(iwp_sc_t *, iwp_tx_ring_t *);
278 static void	iwp_free_tx_ring(iwp_tx_ring_t *);
279 static ieee80211_node_t *iwp_node_alloc(ieee80211com_t *);
280 static void	iwp_node_free(ieee80211_node_t *);
281 static int	iwp_newstate(ieee80211com_t *, enum ieee80211_state, int);
282 static void	iwp_mac_access_enter(iwp_sc_t *);
283 static void	iwp_mac_access_exit(iwp_sc_t *);
284 static uint32_t	iwp_reg_read(iwp_sc_t *, uint32_t);
285 static void	iwp_reg_write(iwp_sc_t *, uint32_t, uint32_t);
286 static int	iwp_load_init_firmware(iwp_sc_t *);
287 static int	iwp_load_run_firmware(iwp_sc_t *);
288 static void	iwp_tx_intr(iwp_sc_t *, iwp_rx_desc_t *);
289 static void	iwp_cmd_intr(iwp_sc_t *, iwp_rx_desc_t *);
290 static uint_t   iwp_intr(caddr_t, caddr_t);
291 static int	iwp_eep_load(iwp_sc_t *);
292 static void	iwp_get_mac_from_eep(iwp_sc_t *);
293 static int	iwp_eep_sem_down(iwp_sc_t *);
294 static void	iwp_eep_sem_up(iwp_sc_t *);
295 static uint_t   iwp_rx_softintr(caddr_t, caddr_t);
296 static uint8_t	iwp_rate_to_plcp(int);
297 static int	iwp_cmd(iwp_sc_t *, int, const void *, int, int);
298 static void	iwp_set_led(iwp_sc_t *, uint8_t, uint8_t, uint8_t);
299 static int	iwp_hw_set_before_auth(iwp_sc_t *);
300 static int	iwp_scan(iwp_sc_t *);
301 static int	iwp_config(iwp_sc_t *);
302 static void	iwp_stop_master(iwp_sc_t *);
303 static int	iwp_power_up(iwp_sc_t *);
304 static int	iwp_preinit(iwp_sc_t *);
305 static int	iwp_init(iwp_sc_t *);
306 static void	iwp_stop(iwp_sc_t *);
307 static int	iwp_quiesce(dev_info_t *t);
308 static void	iwp_amrr_init(iwp_amrr_t *);
309 static void	iwp_amrr_timeout(iwp_sc_t *);
310 static void	iwp_amrr_ratectl(void *, ieee80211_node_t *);
311 static void	iwp_ucode_alive(iwp_sc_t *, iwp_rx_desc_t *);
312 static void	iwp_rx_phy_intr(iwp_sc_t *, iwp_rx_desc_t *);
313 static void	iwp_rx_mpdu_intr(iwp_sc_t *, iwp_rx_desc_t *);
314 static void	iwp_release_calib_buffer(iwp_sc_t *);
315 static int	iwp_init_common(iwp_sc_t *);
316 static uint8_t	*iwp_eep_addr_trans(iwp_sc_t *, uint32_t);
317 static int	iwp_put_seg_fw(iwp_sc_t *, uint32_t, uint32_t, uint32_t);
318 static	int	iwp_alive_common(iwp_sc_t *);
319 static void	iwp_save_calib_result(iwp_sc_t *, iwp_rx_desc_t *);
320 static int	iwp_attach(dev_info_t *, ddi_attach_cmd_t);
321 static int	iwp_detach(dev_info_t *, ddi_detach_cmd_t);
322 static void	iwp_destroy_locks(iwp_sc_t *);
323 static int	iwp_send(ieee80211com_t *, mblk_t *, uint8_t);
324 static void	iwp_thread(iwp_sc_t *);
325 static int	iwp_run_state_config(iwp_sc_t *);
326 static int	iwp_fast_recover(iwp_sc_t *);
327 static void	iwp_overwrite_ic_default(iwp_sc_t *);
328 static int	iwp_add_ap_sta(iwp_sc_t *);
329 static int	iwp_alloc_dma_mem(iwp_sc_t *, size_t,
330     ddi_dma_attr_t *, ddi_device_acc_attr_t *,
331     uint_t, iwp_dma_t *);
332 static void	iwp_free_dma_mem(iwp_dma_t *);
333 static int	iwp_eep_ver_chk(iwp_sc_t *);
334 static void	iwp_set_chip_param(iwp_sc_t *);
335 
336 /*
337  * GLD specific operations
338  */
339 static int	iwp_m_stat(void *, uint_t, uint64_t *);
340 static int	iwp_m_start(void *);
341 static void	iwp_m_stop(void *);
342 static int	iwp_m_unicst(void *, const uint8_t *);
343 static int	iwp_m_multicst(void *, boolean_t, const uint8_t *);
344 static int	iwp_m_promisc(void *, boolean_t);
345 static mblk_t	*iwp_m_tx(void *, mblk_t *);
346 static void	iwp_m_ioctl(void *, queue_t *, mblk_t *);
347 static int	iwp_m_setprop(void *arg, const char *pr_name,
348     mac_prop_id_t wldp_pr_num, uint_t wldp_length, const void *wldp_buf);
349 static int	iwp_m_getprop(void *arg, const char *pr_name,
350     mac_prop_id_t wldp_pr_num, uint_t wldp_length, void *wldp_buf);
351 static void	iwp_m_propinfo(void *, const char *, mac_prop_id_t,
352     mac_prop_info_handle_t);
353 
354 /*
355  * Supported rates for 802.11b/g modes (in 500Kbps unit).
356  */
357 static const struct ieee80211_rateset iwp_rateset_11b =
358 	{ 4, { 2, 4, 11, 22 } };
359 
360 static const struct ieee80211_rateset iwp_rateset_11g =
361 	{ 12, { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 } };
362 
363 /*
364  * For mfthread only
365  */
366 extern pri_t minclsyspri;
367 
368 #define	DRV_NAME_SP	"iwp"
369 
370 /*
371  * Module Loading Data & Entry Points
372  */
373 DDI_DEFINE_STREAM_OPS(iwp_devops, nulldev, nulldev, iwp_attach,
374     iwp_detach, nodev, NULL, D_MP, NULL, iwp_quiesce);
375 
376 static struct modldrv iwp_modldrv = {
377 	&mod_driverops,
378 	"Intel(R) PumaPeak driver(N)",
379 	&iwp_devops
380 };
381 
382 static struct modlinkage iwp_modlinkage = {
383 	MODREV_1,
384 	&iwp_modldrv,
385 	NULL
386 };
387 
388 int
389 _init(void)
390 {
391 	int	status;
392 
393 	status = ddi_soft_state_init(&iwp_soft_state_p,
394 	    sizeof (iwp_sc_t), 1);
395 	if (status != DDI_SUCCESS) {
396 		return (status);
397 	}
398 
399 	mac_init_ops(&iwp_devops, DRV_NAME_SP);
400 	status = mod_install(&iwp_modlinkage);
401 	if (status != DDI_SUCCESS) {
402 		mac_fini_ops(&iwp_devops);
403 		ddi_soft_state_fini(&iwp_soft_state_p);
404 	}
405 
406 	return (status);
407 }
408 
409 int
410 _fini(void)
411 {
412 	int status;
413 
414 	status = mod_remove(&iwp_modlinkage);
415 	if (DDI_SUCCESS == status) {
416 		mac_fini_ops(&iwp_devops);
417 		ddi_soft_state_fini(&iwp_soft_state_p);
418 	}
419 
420 	return (status);
421 }
422 
423 int
424 _info(struct modinfo *mip)
425 {
426 	return (mod_info(&iwp_modlinkage, mip));
427 }
428 
429 /*
430  * Mac Call Back entries
431  */
432 mac_callbacks_t	iwp_m_callbacks = {
433 	MC_IOCTL | MC_SETPROP | MC_GETPROP | MC_PROPINFO,
434 	iwp_m_stat,
435 	iwp_m_start,
436 	iwp_m_stop,
437 	iwp_m_promisc,
438 	iwp_m_multicst,
439 	iwp_m_unicst,
440 	iwp_m_tx,
441 	NULL,
442 	iwp_m_ioctl,
443 	NULL,
444 	NULL,
445 	NULL,
446 	iwp_m_setprop,
447 	iwp_m_getprop,
448 	iwp_m_propinfo
449 };
450 
451 #ifdef DEBUG
452 void
453 iwp_dbg(uint32_t flags, const char *fmt, ...)
454 {
455 	va_list	ap;
456 
457 	if (flags & iwp_dbg_flags) {
458 		va_start(ap, fmt);
459 		vcmn_err(CE_NOTE, fmt, ap);
460 		va_end(ap);
461 	}
462 }
463 #endif	/* DEBUG */
464 
465 /*
466  * device operations
467  */
468 int
469 iwp_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
470 {
471 	iwp_sc_t		*sc;
472 	ieee80211com_t		*ic;
473 	int			instance, i;
474 	char			strbuf[32];
475 	wifi_data_t		wd = { 0 };
476 	mac_register_t		*macp;
477 	int			intr_type;
478 	int			intr_count;
479 	int			intr_actual;
480 	int			err = DDI_FAILURE;
481 
482 	switch (cmd) {
483 	case DDI_ATTACH:
484 		break;
485 	case DDI_RESUME:
486 		instance = ddi_get_instance(dip);
487 		sc = ddi_get_soft_state(iwp_soft_state_p,
488 		    instance);
489 		ASSERT(sc != NULL);
490 
491 		if (sc->sc_flags & IWP_F_RUNNING) {
492 			(void) iwp_init(sc);
493 		}
494 
495 		atomic_and_32(&sc->sc_flags, ~IWP_F_SUSPEND);
496 
497 		IWP_DBG((IWP_DEBUG_RESUME, "iwp_attach(): "
498 		    "resume\n"));
499 		return (DDI_SUCCESS);
500 	default:
501 		goto attach_fail1;
502 	}
503 
504 	instance = ddi_get_instance(dip);
505 	err = ddi_soft_state_zalloc(iwp_soft_state_p, instance);
506 	if (err != DDI_SUCCESS) {
507 		cmn_err(CE_WARN, "iwp_attach(): "
508 		    "failed to allocate soft state\n");
509 		goto attach_fail1;
510 	}
511 
512 	sc = ddi_get_soft_state(iwp_soft_state_p, instance);
513 	ASSERT(sc != NULL);
514 
515 	sc->sc_dip = dip;
516 
517 	/*
518 	 * map configure space
519 	 */
520 	err = ddi_regs_map_setup(dip, 0, &sc->sc_cfg_base, 0, 0,
521 	    &iwp_reg_accattr, &sc->sc_cfg_handle);
522 	if (err != DDI_SUCCESS) {
523 		cmn_err(CE_WARN, "iwp_attach(): "
524 		    "failed to map config spaces regs\n");
525 		goto attach_fail2;
526 	}
527 
528 	sc->sc_dev_id = ddi_get16(sc->sc_cfg_handle,
529 	    (uint16_t *)(sc->sc_cfg_base + PCI_CONF_DEVID));
530 	if ((sc->sc_dev_id != 0x422B) &&
531 	    (sc->sc_dev_id != 0x422C) &&
532 	    (sc->sc_dev_id != 0x4238) &&
533 	    (sc->sc_dev_id != 0x4239) &&
534 	    (sc->sc_dev_id != 0x008d) &&
535 	    (sc->sc_dev_id != 0x008e)) {
536 		cmn_err(CE_WARN, "iwp_attach(): "
537 		    "Do not support this device\n");
538 		goto attach_fail3;
539 	}
540 
541 	iwp_set_chip_param(sc);
542 
543 	sc->sc_rev = ddi_get8(sc->sc_cfg_handle,
544 	    (uint8_t *)(sc->sc_cfg_base + PCI_CONF_REVID));
545 
546 	/*
547 	 * keep from disturbing C3 state of CPU
548 	 */
549 	ddi_put8(sc->sc_cfg_handle, (uint8_t *)(sc->sc_cfg_base +
550 	    PCI_CFG_RETRY_TIMEOUT), 0);
551 
552 	/*
553 	 * determine the size of buffer for frame and command to ucode
554 	 */
555 	sc->sc_clsz = ddi_get16(sc->sc_cfg_handle,
556 	    (uint16_t *)(sc->sc_cfg_base + PCI_CONF_CACHE_LINESZ));
557 	if (!sc->sc_clsz) {
558 		sc->sc_clsz = 16;
559 	}
560 	sc->sc_clsz = (sc->sc_clsz << 2);
561 
562 	sc->sc_dmabuf_sz = roundup(0x1000 + sizeof (struct ieee80211_frame) +
563 	    IEEE80211_MTU + IEEE80211_CRC_LEN +
564 	    (IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
565 	    IEEE80211_WEP_CRCLEN), sc->sc_clsz);
566 
567 	/*
568 	 * Map operating registers
569 	 */
570 	err = ddi_regs_map_setup(dip, 1, &sc->sc_base,
571 	    0, 0, &iwp_reg_accattr, &sc->sc_handle);
572 	if (err != DDI_SUCCESS) {
573 		cmn_err(CE_WARN, "iwp_attach(): "
574 		    "failed to map device regs\n");
575 		goto attach_fail3;
576 	}
577 
578 	/*
579 	 * this is used to differentiate type of hardware
580 	 */
581 	sc->sc_hw_rev = IWP_READ(sc, CSR_HW_REV);
582 
583 	err = ddi_intr_get_supported_types(dip, &intr_type);
584 	if ((err != DDI_SUCCESS) || (!(intr_type & DDI_INTR_TYPE_FIXED))) {
585 		cmn_err(CE_WARN, "iwp_attach(): "
586 		    "fixed type interrupt is not supported\n");
587 		goto attach_fail4;
588 	}
589 
590 	err = ddi_intr_get_nintrs(dip, DDI_INTR_TYPE_FIXED, &intr_count);
591 	if ((err != DDI_SUCCESS) || (intr_count != 1)) {
592 		cmn_err(CE_WARN, "iwp_attach(): "
593 		    "no fixed interrupts\n");
594 		goto attach_fail4;
595 	}
596 
597 	sc->sc_intr_htable = kmem_zalloc(sizeof (ddi_intr_handle_t), KM_SLEEP);
598 
599 	err = ddi_intr_alloc(dip, sc->sc_intr_htable, DDI_INTR_TYPE_FIXED, 0,
600 	    intr_count, &intr_actual, 0);
601 	if ((err != DDI_SUCCESS) || (intr_actual != 1)) {
602 		cmn_err(CE_WARN, "iwp_attach(): "
603 		    "ddi_intr_alloc() failed 0x%x\n", err);
604 		goto attach_fail5;
605 	}
606 
607 	err = ddi_intr_get_pri(sc->sc_intr_htable[0], &sc->sc_intr_pri);
608 	if (err != DDI_SUCCESS) {
609 		cmn_err(CE_WARN, "iwp_attach(): "
610 		    "ddi_intr_get_pri() failed 0x%x\n", err);
611 		goto attach_fail6;
612 	}
613 
614 	mutex_init(&sc->sc_glock, NULL, MUTEX_DRIVER,
615 	    DDI_INTR_PRI(sc->sc_intr_pri));
616 	mutex_init(&sc->sc_tx_lock, NULL, MUTEX_DRIVER,
617 	    DDI_INTR_PRI(sc->sc_intr_pri));
618 	mutex_init(&sc->sc_mt_lock, NULL, MUTEX_DRIVER,
619 	    DDI_INTR_PRI(sc->sc_intr_pri));
620 
621 	cv_init(&sc->sc_cmd_cv, NULL, CV_DRIVER, NULL);
622 	cv_init(&sc->sc_put_seg_cv, NULL, CV_DRIVER, NULL);
623 	cv_init(&sc->sc_ucode_cv, NULL, CV_DRIVER, NULL);
624 
625 	/*
626 	 * initialize the mfthread
627 	 */
628 	cv_init(&sc->sc_mt_cv, NULL, CV_DRIVER, NULL);
629 	sc->sc_mf_thread = NULL;
630 	sc->sc_mf_thread_switch = 0;
631 
632 	/*
633 	 * Allocate shared buffer for communication between driver and ucode.
634 	 */
635 	err = iwp_alloc_shared(sc);
636 	if (err != DDI_SUCCESS) {
637 		cmn_err(CE_WARN, "iwp_attach(): "
638 		    "failed to allocate shared page\n");
639 		goto attach_fail7;
640 	}
641 
642 	(void) memset(sc->sc_shared, 0, sizeof (iwp_shared_t));
643 
644 	/*
645 	 * Allocate keep warm page.
646 	 */
647 	err = iwp_alloc_kw(sc);
648 	if (err != DDI_SUCCESS) {
649 		cmn_err(CE_WARN, "iwp_attach(): "
650 		    "failed to allocate keep warm page\n");
651 		goto attach_fail8;
652 	}
653 
654 	/*
655 	 * Do some necessary hardware initializations.
656 	 */
657 	err = iwp_preinit(sc);
658 	if (err != IWP_SUCCESS) {
659 		cmn_err(CE_WARN, "iwp_attach(): "
660 		    "failed to initialize hardware\n");
661 		goto attach_fail9;
662 	}
663 
664 	/*
665 	 * get hardware configurations from eeprom
666 	 */
667 	err = iwp_eep_load(sc);
668 	if (err != IWP_SUCCESS) {
669 		cmn_err(CE_WARN, "iwp_attach(): "
670 		    "failed to load eeprom\n");
671 		goto attach_fail9;
672 	}
673 
674 	/*
675 	 * calibration information from EEPROM
676 	 */
677 	sc->sc_eep_calib = (struct iwp_eep_calibration *)
678 	    iwp_eep_addr_trans(sc, EEP_CALIBRATION);
679 
680 	err = iwp_eep_ver_chk(sc);
681 	if (err != IWP_SUCCESS) {
682 		goto attach_fail9;
683 	}
684 
685 	/*
686 	 * get MAC address of this chipset
687 	 */
688 	iwp_get_mac_from_eep(sc);
689 
690 
691 	/*
692 	 * initialize TX and RX ring buffers
693 	 */
694 	err = iwp_ring_init(sc);
695 	if (err != DDI_SUCCESS) {
696 		cmn_err(CE_WARN, "iwp_attach(): "
697 		    "failed to allocate and initialize ring\n");
698 		goto attach_fail9;
699 	}
700 
701 	sc->sc_hdr = (iwp_firmware_hdr_t *)iwp_fw_bin;
702 
703 	/*
704 	 * copy ucode to dma buffer
705 	 */
706 	err = iwp_alloc_fw_dma(sc);
707 	if (err != DDI_SUCCESS) {
708 		cmn_err(CE_WARN, "iwp_attach(): "
709 		    "failed to allocate firmware dma\n");
710 		goto attach_fail10;
711 	}
712 
713 	/*
714 	 * Initialize the wifi part, which will be used by
715 	 * 802.11 module
716 	 */
717 	ic = &sc->sc_ic;
718 	ic->ic_phytype  = IEEE80211_T_OFDM;
719 	ic->ic_opmode   = IEEE80211_M_STA; /* default to BSS mode */
720 	ic->ic_state    = IEEE80211_S_INIT;
721 	ic->ic_maxrssi  = 100; /* experimental number */
722 	ic->ic_caps = IEEE80211_C_SHPREAMBLE | IEEE80211_C_TXPMGT |
723 	    IEEE80211_C_PMGT | IEEE80211_C_SHSLOT;
724 
725 	/*
726 	 * Support WPA/WPA2
727 	 */
728 	ic->ic_caps |= IEEE80211_C_WPA;
729 
730 	/*
731 	 * set supported .11b and .11g rates
732 	 */
733 	ic->ic_sup_rates[IEEE80211_MODE_11B] = iwp_rateset_11b;
734 	ic->ic_sup_rates[IEEE80211_MODE_11G] = iwp_rateset_11g;
735 
736 	/*
737 	 * set supported .11b and .11g channels (1 through 11)
738 	 */
739 	for (i = 1; i <= 11; i++) {
740 		ic->ic_sup_channels[i].ich_freq =
741 		    ieee80211_ieee2mhz(i, IEEE80211_CHAN_2GHZ);
742 		ic->ic_sup_channels[i].ich_flags =
743 		    IEEE80211_CHAN_CCK | IEEE80211_CHAN_OFDM |
744 		    IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ |
745 		    IEEE80211_CHAN_PASSIVE;
746 	}
747 
748 	ic->ic_ibss_chan = &ic->ic_sup_channels[0];
749 	ic->ic_xmit = iwp_send;
750 
751 	/*
752 	 * attach to 802.11 module
753 	 */
754 	ieee80211_attach(ic);
755 
756 	/*
757 	 * different instance has different WPA door
758 	 */
759 	(void) snprintf(ic->ic_wpadoor, MAX_IEEE80211STR, "%s_%s%d", WPA_DOOR,
760 	    ddi_driver_name(dip),
761 	    ddi_get_instance(dip));
762 
763 	/*
764 	 * Overwrite 80211 default configurations.
765 	 */
766 	iwp_overwrite_ic_default(sc);
767 
768 	/*
769 	 * initialize 802.11 module
770 	 */
771 	ieee80211_media_init(ic);
772 
773 	/*
774 	 * initialize default tx key
775 	 */
776 	ic->ic_def_txkey = 0;
777 
778 	err = ddi_intr_add_softint(dip, &sc->sc_soft_hdl, DDI_INTR_SOFTPRI_MAX,
779 	    iwp_rx_softintr, (caddr_t)sc);
780 	if (err != DDI_SUCCESS) {
781 		cmn_err(CE_WARN, "iwp_attach(): "
782 		    "add soft interrupt failed\n");
783 		goto attach_fail12;
784 	}
785 
786 	err = ddi_intr_add_handler(sc->sc_intr_htable[0], iwp_intr,
787 	    (caddr_t)sc, NULL);
788 	if (err != DDI_SUCCESS) {
789 		cmn_err(CE_WARN, "iwp_attach(): "
790 		    "ddi_intr_add_handle() failed\n");
791 		goto attach_fail13;
792 	}
793 
794 	err = ddi_intr_enable(sc->sc_intr_htable[0]);
795 	if (err != DDI_SUCCESS) {
796 		cmn_err(CE_WARN, "iwp_attach(): "
797 		    "ddi_intr_enable() failed\n");
798 		goto attach_fail14;
799 	}
800 
801 	/*
802 	 * Initialize pointer to device specific functions
803 	 */
804 	wd.wd_secalloc = WIFI_SEC_NONE;
805 	wd.wd_opmode = ic->ic_opmode;
806 	IEEE80211_ADDR_COPY(wd.wd_bssid, ic->ic_macaddr);
807 
808 	/*
809 	 * create relation to GLD
810 	 */
811 	macp = mac_alloc(MAC_VERSION);
812 	if (NULL == macp) {
813 		cmn_err(CE_WARN, "iwp_attach(): "
814 		    "failed to do mac_alloc()\n");
815 		goto attach_fail15;
816 	}
817 
818 	macp->m_type_ident	= MAC_PLUGIN_IDENT_WIFI;
819 	macp->m_driver		= sc;
820 	macp->m_dip		= dip;
821 	macp->m_src_addr	= ic->ic_macaddr;
822 	macp->m_callbacks	= &iwp_m_callbacks;
823 	macp->m_min_sdu		= 0;
824 	macp->m_max_sdu		= IEEE80211_MTU;
825 	macp->m_pdata		= &wd;
826 	macp->m_pdata_size	= sizeof (wd);
827 
828 	/*
829 	 * Register the macp to mac
830 	 */
831 	err = mac_register(macp, &ic->ic_mach);
832 	mac_free(macp);
833 	if (err != DDI_SUCCESS) {
834 		cmn_err(CE_WARN, "iwp_attach(): "
835 		    "failed to do mac_register()\n");
836 		goto attach_fail15;
837 	}
838 
839 	/*
840 	 * Create minor node of type DDI_NT_NET_WIFI
841 	 */
842 	(void) snprintf(strbuf, sizeof (strbuf), DRV_NAME_SP"%d", instance);
843 	err = ddi_create_minor_node(dip, strbuf, S_IFCHR,
844 	    instance + 1, DDI_NT_NET_WIFI, 0);
845 	if (err != DDI_SUCCESS) {
846 		cmn_err(CE_WARN, "iwp_attach(): "
847 		    "failed to do ddi_create_minor_node()\n");
848 	}
849 
850 	/*
851 	 * Notify link is down now
852 	 */
853 	mac_link_update(ic->ic_mach, LINK_STATE_DOWN);
854 
855 	/*
856 	 * create the mf thread to handle the link status,
857 	 * recovery fatal error, etc.
858 	 */
859 	sc->sc_mf_thread_switch = 1;
860 	if (NULL == sc->sc_mf_thread) {
861 		sc->sc_mf_thread = thread_create((caddr_t)NULL, 0,
862 		    iwp_thread, sc, 0, &p0, TS_RUN, minclsyspri);
863 	}
864 
865 	atomic_or_32(&sc->sc_flags, IWP_F_ATTACHED);
866 
867 	return (DDI_SUCCESS);
868 
869 attach_fail15:
870 	(void) ddi_intr_disable(sc->sc_intr_htable[0]);
871 attach_fail14:
872 	(void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
873 attach_fail13:
874 	(void) ddi_intr_remove_softint(sc->sc_soft_hdl);
875 	sc->sc_soft_hdl = NULL;
876 attach_fail12:
877 	ieee80211_detach(ic);
878 attach_fail11:
879 	iwp_free_fw_dma(sc);
880 attach_fail10:
881 	iwp_ring_free(sc);
882 attach_fail9:
883 	iwp_free_kw(sc);
884 attach_fail8:
885 	iwp_free_shared(sc);
886 attach_fail7:
887 	iwp_destroy_locks(sc);
888 attach_fail6:
889 	(void) ddi_intr_free(sc->sc_intr_htable[0]);
890 attach_fail5:
891 	kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));
892 attach_fail4:
893 	ddi_regs_map_free(&sc->sc_handle);
894 attach_fail3:
895 	ddi_regs_map_free(&sc->sc_cfg_handle);
896 attach_fail2:
897 	ddi_soft_state_free(iwp_soft_state_p, instance);
898 attach_fail1:
899 	return (DDI_FAILURE);
900 }
901 
902 int
903 iwp_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
904 {
905 	iwp_sc_t *sc;
906 	ieee80211com_t	*ic;
907 	int err;
908 
909 	sc = ddi_get_soft_state(iwp_soft_state_p, ddi_get_instance(dip));
910 	ASSERT(sc != NULL);
911 	ic = &sc->sc_ic;
912 
913 	switch (cmd) {
914 	case DDI_DETACH:
915 		break;
916 	case DDI_SUSPEND:
917 		atomic_and_32(&sc->sc_flags, ~IWP_F_HW_ERR_RECOVER);
918 		atomic_and_32(&sc->sc_flags, ~IWP_F_RATE_AUTO_CTL);
919 
920 		atomic_or_32(&sc->sc_flags, IWP_F_SUSPEND);
921 
922 		if (sc->sc_flags & IWP_F_RUNNING) {
923 			iwp_stop(sc);
924 			ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
925 
926 		}
927 
928 		IWP_DBG((IWP_DEBUG_RESUME, "iwp_detach(): "
929 		    "suspend\n"));
930 		return (DDI_SUCCESS);
931 	default:
932 		return (DDI_FAILURE);
933 	}
934 
935 	if (!(sc->sc_flags & IWP_F_ATTACHED)) {
936 		return (DDI_FAILURE);
937 	}
938 
939 	/*
940 	 * Destroy the mf_thread
941 	 */
942 	sc->sc_mf_thread_switch = 0;
943 
944 	mutex_enter(&sc->sc_mt_lock);
945 	while (sc->sc_mf_thread != NULL) {
946 		if (cv_wait_sig(&sc->sc_mt_cv, &sc->sc_mt_lock) == 0) {
947 			break;
948 		}
949 	}
950 	mutex_exit(&sc->sc_mt_lock);
951 
952 	err = mac_disable(sc->sc_ic.ic_mach);
953 	if (err != DDI_SUCCESS) {
954 		return (err);
955 	}
956 
957 	/*
958 	 * stop chipset
959 	 */
960 	iwp_stop(sc);
961 
962 	DELAY(500000);
963 
964 	/*
965 	 * release buffer for calibration
966 	 */
967 	iwp_release_calib_buffer(sc);
968 
969 	/*
970 	 * Unregiste from GLD
971 	 */
972 	(void) mac_unregister(sc->sc_ic.ic_mach);
973 
974 	mutex_enter(&sc->sc_glock);
975 	iwp_free_fw_dma(sc);
976 	iwp_ring_free(sc);
977 	iwp_free_kw(sc);
978 	iwp_free_shared(sc);
979 	mutex_exit(&sc->sc_glock);
980 
981 	(void) ddi_intr_disable(sc->sc_intr_htable[0]);
982 	(void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
983 	(void) ddi_intr_free(sc->sc_intr_htable[0]);
984 	kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));
985 
986 	(void) ddi_intr_remove_softint(sc->sc_soft_hdl);
987 	sc->sc_soft_hdl = NULL;
988 
989 	/*
990 	 * detach from 80211 module
991 	 */
992 	ieee80211_detach(&sc->sc_ic);
993 
994 	iwp_destroy_locks(sc);
995 
996 	ddi_regs_map_free(&sc->sc_handle);
997 	ddi_regs_map_free(&sc->sc_cfg_handle);
998 	ddi_remove_minor_node(dip, NULL);
999 	ddi_soft_state_free(iwp_soft_state_p, ddi_get_instance(dip));
1000 
1001 	return (DDI_SUCCESS);
1002 }
1003 
1004 /*
1005  * destroy all locks
1006  */
1007 static void
1008 iwp_destroy_locks(iwp_sc_t *sc)
1009 {
1010 	cv_destroy(&sc->sc_mt_cv);
1011 	cv_destroy(&sc->sc_cmd_cv);
1012 	cv_destroy(&sc->sc_put_seg_cv);
1013 	cv_destroy(&sc->sc_ucode_cv);
1014 	mutex_destroy(&sc->sc_mt_lock);
1015 	mutex_destroy(&sc->sc_tx_lock);
1016 	mutex_destroy(&sc->sc_glock);
1017 }
1018 
1019 /*
1020  * Allocate an area of memory and a DMA handle for accessing it
1021  */
1022 static int
1023 iwp_alloc_dma_mem(iwp_sc_t *sc, size_t memsize,
1024     ddi_dma_attr_t *dma_attr_p, ddi_device_acc_attr_t *acc_attr_p,
1025     uint_t dma_flags, iwp_dma_t *dma_p)
1026 {
1027 	caddr_t vaddr;
1028 	int err = DDI_FAILURE;
1029 
1030 	/*
1031 	 * Allocate handle
1032 	 */
1033 	err = ddi_dma_alloc_handle(sc->sc_dip, dma_attr_p,
1034 	    DDI_DMA_SLEEP, NULL, &dma_p->dma_hdl);
1035 	if (err != DDI_SUCCESS) {
1036 		dma_p->dma_hdl = NULL;
1037 		return (DDI_FAILURE);
1038 	}
1039 
1040 	/*
1041 	 * Allocate memory
1042 	 */
1043 	err = ddi_dma_mem_alloc(dma_p->dma_hdl, memsize, acc_attr_p,
1044 	    dma_flags & (DDI_DMA_CONSISTENT | DDI_DMA_STREAMING),
1045 	    DDI_DMA_SLEEP, NULL, &vaddr, &dma_p->alength, &dma_p->acc_hdl);
1046 	if (err != DDI_SUCCESS) {
1047 		ddi_dma_free_handle(&dma_p->dma_hdl);
1048 		dma_p->dma_hdl = NULL;
1049 		dma_p->acc_hdl = NULL;
1050 		return (DDI_FAILURE);
1051 	}
1052 
1053 	/*
1054 	 * Bind the two together
1055 	 */
1056 	dma_p->mem_va = vaddr;
1057 	err = ddi_dma_addr_bind_handle(dma_p->dma_hdl, NULL,
1058 	    vaddr, dma_p->alength, dma_flags, DDI_DMA_SLEEP, NULL,
1059 	    &dma_p->cookie, &dma_p->ncookies);
1060 	if (err != DDI_DMA_MAPPED) {
1061 		ddi_dma_mem_free(&dma_p->acc_hdl);
1062 		ddi_dma_free_handle(&dma_p->dma_hdl);
1063 		dma_p->acc_hdl = NULL;
1064 		dma_p->dma_hdl = NULL;
1065 		return (DDI_FAILURE);
1066 	}
1067 
1068 	dma_p->nslots = ~0U;
1069 	dma_p->size = ~0U;
1070 	dma_p->token = ~0U;
1071 	dma_p->offset = 0;
1072 	return (DDI_SUCCESS);
1073 }
1074 
1075 /*
1076  * Free one allocated area of DMAable memory
1077  */
1078 static void
1079 iwp_free_dma_mem(iwp_dma_t *dma_p)
1080 {
1081 	if (dma_p->dma_hdl != NULL) {
1082 		if (dma_p->ncookies) {
1083 			(void) ddi_dma_unbind_handle(dma_p->dma_hdl);
1084 			dma_p->ncookies = 0;
1085 		}
1086 		ddi_dma_free_handle(&dma_p->dma_hdl);
1087 		dma_p->dma_hdl = NULL;
1088 	}
1089 
1090 	if (dma_p->acc_hdl != NULL) {
1091 		ddi_dma_mem_free(&dma_p->acc_hdl);
1092 		dma_p->acc_hdl = NULL;
1093 	}
1094 }
1095 
1096 /*
1097  * copy ucode into dma buffers
1098  */
1099 static int
1100 iwp_alloc_fw_dma(iwp_sc_t *sc)
1101 {
1102 	int err = DDI_FAILURE;
1103 	iwp_dma_t *dma_p;
1104 	char *t;
1105 
1106 	/*
1107 	 * firmware image layout:
1108 	 * |HDR|<-TEXT->|<-DATA->|<-INIT_TEXT->|<-INIT_DATA->|<-BOOT->|
1109 	 */
1110 
1111 	/*
1112 	 * Check firmware image size.
1113 	 */
1114 	if (LE_32(sc->sc_hdr->init_textsz) > RTC_INST_SIZE) {
1115 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1116 		    "firmware init text size 0x%x is too large\n",
1117 		    LE_32(sc->sc_hdr->init_textsz));
1118 
1119 		goto fail;
1120 	}
1121 
1122 	if (LE_32(sc->sc_hdr->init_datasz) > RTC_DATA_SIZE) {
1123 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1124 		    "firmware init data size 0x%x is too large\n",
1125 		    LE_32(sc->sc_hdr->init_datasz));
1126 
1127 		goto fail;
1128 	}
1129 
1130 	if (LE_32(sc->sc_hdr->textsz) > RTC_INST_SIZE) {
1131 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1132 		    "firmware text size 0x%x is too large\n",
1133 		    LE_32(sc->sc_hdr->textsz));
1134 
1135 		goto fail;
1136 	}
1137 
1138 	if (LE_32(sc->sc_hdr->datasz) > RTC_DATA_SIZE) {
1139 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1140 		    "firmware data size 0x%x is too large\n",
1141 		    LE_32(sc->sc_hdr->datasz));
1142 
1143 		goto fail;
1144 	}
1145 
1146 	/*
1147 	 * copy text of runtime ucode
1148 	 */
1149 	t = (char *)(sc->sc_hdr + 1);
1150 	err = iwp_alloc_dma_mem(sc, LE_32(sc->sc_hdr->textsz),
1151 	    &fw_dma_attr, &iwp_dma_accattr,
1152 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1153 	    &sc->sc_dma_fw_text);
1154 	if (err != DDI_SUCCESS) {
1155 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1156 		    "failed to allocate text dma memory.\n");
1157 		goto fail;
1158 	}
1159 
1160 	dma_p = &sc->sc_dma_fw_text;
1161 
1162 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_fw_dma(): "
1163 	    "text[ncookies:%d addr:%lx size:%lx]\n",
1164 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1165 	    dma_p->cookie.dmac_size));
1166 
1167 	(void) memcpy(dma_p->mem_va, t, LE_32(sc->sc_hdr->textsz));
1168 
1169 	/*
1170 	 * copy data and bak-data of runtime ucode
1171 	 */
1172 	t += LE_32(sc->sc_hdr->textsz);
1173 	err = iwp_alloc_dma_mem(sc, LE_32(sc->sc_hdr->datasz),
1174 	    &fw_dma_attr, &iwp_dma_accattr,
1175 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1176 	    &sc->sc_dma_fw_data);
1177 	if (err != DDI_SUCCESS) {
1178 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1179 		    "failed to allocate data dma memory\n");
1180 		goto fail;
1181 	}
1182 
1183 	dma_p = &sc->sc_dma_fw_data;
1184 
1185 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_fw_dma(): "
1186 	    "data[ncookies:%d addr:%lx size:%lx]\n",
1187 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1188 	    dma_p->cookie.dmac_size));
1189 
1190 	(void) memcpy(dma_p->mem_va, t, LE_32(sc->sc_hdr->datasz));
1191 
1192 	err = iwp_alloc_dma_mem(sc, LE_32(sc->sc_hdr->datasz),
1193 	    &fw_dma_attr, &iwp_dma_accattr,
1194 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1195 	    &sc->sc_dma_fw_data_bak);
1196 	if (err != DDI_SUCCESS) {
1197 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1198 		    "failed to allocate data bakup dma memory\n");
1199 		goto fail;
1200 	}
1201 
1202 	dma_p = &sc->sc_dma_fw_data_bak;
1203 
1204 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_fw_dma(): "
1205 	    "data_bak[ncookies:%d addr:%lx "
1206 	    "size:%lx]\n",
1207 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1208 	    dma_p->cookie.dmac_size));
1209 
1210 	(void) memcpy(dma_p->mem_va, t, LE_32(sc->sc_hdr->datasz));
1211 
1212 	/*
1213 	 * copy text of init ucode
1214 	 */
1215 	t += LE_32(sc->sc_hdr->datasz);
1216 	err = iwp_alloc_dma_mem(sc, LE_32(sc->sc_hdr->init_textsz),
1217 	    &fw_dma_attr, &iwp_dma_accattr,
1218 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1219 	    &sc->sc_dma_fw_init_text);
1220 	if (err != DDI_SUCCESS) {
1221 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1222 		    "failed to allocate init text dma memory\n");
1223 		goto fail;
1224 	}
1225 
1226 	dma_p = &sc->sc_dma_fw_init_text;
1227 
1228 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_fw_dma(): "
1229 	    "init_text[ncookies:%d addr:%lx "
1230 	    "size:%lx]\n",
1231 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1232 	    dma_p->cookie.dmac_size));
1233 
1234 	(void) memcpy(dma_p->mem_va, t, LE_32(sc->sc_hdr->init_textsz));
1235 
1236 	/*
1237 	 * copy data of init ucode
1238 	 */
1239 	t += LE_32(sc->sc_hdr->init_textsz);
1240 	err = iwp_alloc_dma_mem(sc, LE_32(sc->sc_hdr->init_datasz),
1241 	    &fw_dma_attr, &iwp_dma_accattr,
1242 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1243 	    &sc->sc_dma_fw_init_data);
1244 	if (err != DDI_SUCCESS) {
1245 		cmn_err(CE_WARN, "iwp_alloc_fw_dma(): "
1246 		    "failed to allocate init data dma memory\n");
1247 		goto fail;
1248 	}
1249 
1250 	dma_p = &sc->sc_dma_fw_init_data;
1251 
1252 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_fw_dma(): "
1253 	    "init_data[ncookies:%d addr:%lx "
1254 	    "size:%lx]\n",
1255 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1256 	    dma_p->cookie.dmac_size));
1257 
1258 	(void) memcpy(dma_p->mem_va, t, LE_32(sc->sc_hdr->init_datasz));
1259 
1260 	sc->sc_boot = t + LE_32(sc->sc_hdr->init_datasz);
1261 fail:
1262 	return (err);
1263 }
1264 
1265 static void
1266 iwp_free_fw_dma(iwp_sc_t *sc)
1267 {
1268 	iwp_free_dma_mem(&sc->sc_dma_fw_text);
1269 	iwp_free_dma_mem(&sc->sc_dma_fw_data);
1270 	iwp_free_dma_mem(&sc->sc_dma_fw_data_bak);
1271 	iwp_free_dma_mem(&sc->sc_dma_fw_init_text);
1272 	iwp_free_dma_mem(&sc->sc_dma_fw_init_data);
1273 }
1274 
1275 /*
1276  * Allocate a shared buffer between host and NIC.
1277  */
1278 static int
1279 iwp_alloc_shared(iwp_sc_t *sc)
1280 {
1281 #ifdef	DEBUG
1282 	iwp_dma_t *dma_p;
1283 #endif
1284 	int err = DDI_FAILURE;
1285 
1286 	/*
1287 	 * must be aligned on a 4K-page boundary
1288 	 */
1289 	err = iwp_alloc_dma_mem(sc, sizeof (iwp_shared_t),
1290 	    &sh_dma_attr, &iwp_dma_descattr,
1291 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1292 	    &sc->sc_dma_sh);
1293 	if (err != DDI_SUCCESS) {
1294 		goto fail;
1295 	}
1296 
1297 	sc->sc_shared = (iwp_shared_t *)sc->sc_dma_sh.mem_va;
1298 
1299 #ifdef	DEBUG
1300 	dma_p = &sc->sc_dma_sh;
1301 #endif
1302 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_shared(): "
1303 	    "sh[ncookies:%d addr:%lx size:%lx]\n",
1304 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1305 	    dma_p->cookie.dmac_size));
1306 
1307 	return (err);
1308 fail:
1309 	iwp_free_shared(sc);
1310 	return (err);
1311 }
1312 
1313 static void
1314 iwp_free_shared(iwp_sc_t *sc)
1315 {
1316 	iwp_free_dma_mem(&sc->sc_dma_sh);
1317 }
1318 
1319 /*
1320  * Allocate a keep warm page.
1321  */
1322 static int
1323 iwp_alloc_kw(iwp_sc_t *sc)
1324 {
1325 #ifdef	DEBUG
1326 	iwp_dma_t *dma_p;
1327 #endif
1328 	int err = DDI_FAILURE;
1329 
1330 	/*
1331 	 * must be aligned on a 4K-page boundary
1332 	 */
1333 	err = iwp_alloc_dma_mem(sc, IWP_KW_SIZE,
1334 	    &kw_dma_attr, &iwp_dma_descattr,
1335 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1336 	    &sc->sc_dma_kw);
1337 	if (err != DDI_SUCCESS) {
1338 		goto fail;
1339 	}
1340 
1341 #ifdef	DEBUG
1342 	dma_p = &sc->sc_dma_kw;
1343 #endif
1344 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_kw(): "
1345 	    "kw[ncookies:%d addr:%lx size:%lx]\n",
1346 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1347 	    dma_p->cookie.dmac_size));
1348 
1349 	return (err);
1350 fail:
1351 	iwp_free_kw(sc);
1352 	return (err);
1353 }
1354 
1355 static void
1356 iwp_free_kw(iwp_sc_t *sc)
1357 {
1358 	iwp_free_dma_mem(&sc->sc_dma_kw);
1359 }
1360 
1361 /*
1362  * initialize RX ring buffers
1363  */
1364 static int
1365 iwp_alloc_rx_ring(iwp_sc_t *sc)
1366 {
1367 	iwp_rx_ring_t *ring;
1368 	iwp_rx_data_t *data;
1369 #ifdef	DEBUG
1370 	iwp_dma_t *dma_p;
1371 #endif
1372 	int i, err = DDI_FAILURE;
1373 
1374 	ring = &sc->sc_rxq;
1375 	ring->cur = 0;
1376 
1377 	/*
1378 	 * allocate RX description ring buffer
1379 	 */
1380 	err = iwp_alloc_dma_mem(sc, RX_QUEUE_SIZE * sizeof (uint32_t),
1381 	    &ring_desc_dma_attr, &iwp_dma_descattr,
1382 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1383 	    &ring->dma_desc);
1384 	if (err != DDI_SUCCESS) {
1385 		IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_rx_ring(): "
1386 		    "dma alloc rx ring desc "
1387 		    "failed\n"));
1388 		goto fail;
1389 	}
1390 
1391 	ring->desc = (uint32_t *)ring->dma_desc.mem_va;
1392 #ifdef	DEBUG
1393 	dma_p = &ring->dma_desc;
1394 #endif
1395 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_rx_ring(): "
1396 	    "rx bd[ncookies:%d addr:%lx size:%lx]\n",
1397 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1398 	    dma_p->cookie.dmac_size));
1399 
1400 	/*
1401 	 * Allocate Rx frame buffers.
1402 	 */
1403 	for (i = 0; i < RX_QUEUE_SIZE; i++) {
1404 		data = &ring->data[i];
1405 		err = iwp_alloc_dma_mem(sc, sc->sc_dmabuf_sz,
1406 		    &rx_buffer_dma_attr, &iwp_dma_accattr,
1407 		    DDI_DMA_READ | DDI_DMA_STREAMING,
1408 		    &data->dma_data);
1409 		if (err != DDI_SUCCESS) {
1410 			IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_rx_ring(): "
1411 			    "dma alloc rx ring "
1412 			    "buf[%d] failed\n", i));
1413 			goto fail;
1414 		}
1415 		/*
1416 		 * the physical address bit [8-36] are used,
1417 		 * instead of bit [0-31] in 3945.
1418 		 */
1419 		ring->desc[i] = (uint32_t)
1420 		    (data->dma_data.cookie.dmac_address >> 8);
1421 	}
1422 
1423 #ifdef	DEBUG
1424 	dma_p = &ring->data[0].dma_data;
1425 #endif
1426 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_rx_ring(): "
1427 	    "rx buffer[0][ncookies:%d addr:%lx "
1428 	    "size:%lx]\n",
1429 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1430 	    dma_p->cookie.dmac_size));
1431 
1432 	IWP_DMA_SYNC(ring->dma_desc, DDI_DMA_SYNC_FORDEV);
1433 
1434 	return (err);
1435 
1436 fail:
1437 	iwp_free_rx_ring(sc);
1438 	return (err);
1439 }
1440 
1441 /*
1442  * disable RX ring
1443  */
1444 static void
1445 iwp_reset_rx_ring(iwp_sc_t *sc)
1446 {
1447 	int n;
1448 
1449 	iwp_mac_access_enter(sc);
1450 	IWP_WRITE(sc, FH_MEM_RCSR_CHNL0_CONFIG_REG, 0);
1451 	for (n = 0; n < 2000; n++) {
1452 		if (IWP_READ(sc, FH_MEM_RSSR_RX_STATUS_REG) & (1 << 24)) {
1453 			break;
1454 		}
1455 		DELAY(1000);
1456 	}
1457 #ifdef DEBUG
1458 	if (2000 == n) {
1459 		IWP_DBG((IWP_DEBUG_DMA, "iwp_reset_rx_ring(): "
1460 		    "timeout resetting Rx ring\n"));
1461 	}
1462 #endif
1463 	iwp_mac_access_exit(sc);
1464 
1465 	sc->sc_rxq.cur = 0;
1466 }
1467 
1468 static void
1469 iwp_free_rx_ring(iwp_sc_t *sc)
1470 {
1471 	int i;
1472 
1473 	for (i = 0; i < RX_QUEUE_SIZE; i++) {
1474 		if (sc->sc_rxq.data[i].dma_data.dma_hdl) {
1475 			IWP_DMA_SYNC(sc->sc_rxq.data[i].dma_data,
1476 			    DDI_DMA_SYNC_FORCPU);
1477 		}
1478 
1479 		iwp_free_dma_mem(&sc->sc_rxq.data[i].dma_data);
1480 	}
1481 
1482 	if (sc->sc_rxq.dma_desc.dma_hdl) {
1483 		IWP_DMA_SYNC(sc->sc_rxq.dma_desc, DDI_DMA_SYNC_FORDEV);
1484 	}
1485 
1486 	iwp_free_dma_mem(&sc->sc_rxq.dma_desc);
1487 }
1488 
1489 /*
1490  * initialize TX ring buffers
1491  */
1492 static int
1493 iwp_alloc_tx_ring(iwp_sc_t *sc, iwp_tx_ring_t *ring,
1494     int slots, int qid)
1495 {
1496 	iwp_tx_data_t *data;
1497 	iwp_tx_desc_t *desc_h;
1498 	uint32_t paddr_desc_h;
1499 	iwp_cmd_t *cmd_h;
1500 	uint32_t paddr_cmd_h;
1501 #ifdef	DEBUG
1502 	iwp_dma_t *dma_p;
1503 #endif
1504 	int i, err = DDI_FAILURE;
1505 	ring->qid = qid;
1506 	ring->count = TFD_QUEUE_SIZE_MAX;
1507 	ring->window = slots;
1508 	ring->queued = 0;
1509 	ring->cur = 0;
1510 	ring->desc_cur = 0;
1511 
1512 	/*
1513 	 * allocate buffer for TX descriptor ring
1514 	 */
1515 	err = iwp_alloc_dma_mem(sc,
1516 	    TFD_QUEUE_SIZE_MAX * sizeof (iwp_tx_desc_t),
1517 	    &ring_desc_dma_attr, &iwp_dma_descattr,
1518 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1519 	    &ring->dma_desc);
1520 	if (err != DDI_SUCCESS) {
1521 		IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1522 		    "dma alloc tx ring desc[%d] "
1523 		    "failed\n", qid));
1524 		goto fail;
1525 	}
1526 
1527 #ifdef	DEBUG
1528 	dma_p = &ring->dma_desc;
1529 #endif
1530 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1531 	    "tx bd[ncookies:%d addr:%lx size:%lx]\n",
1532 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1533 	    dma_p->cookie.dmac_size));
1534 
1535 	desc_h = (iwp_tx_desc_t *)ring->dma_desc.mem_va;
1536 	paddr_desc_h = ring->dma_desc.cookie.dmac_address;
1537 
1538 	/*
1539 	 * allocate buffer for ucode command
1540 	 */
1541 	err = iwp_alloc_dma_mem(sc,
1542 	    TFD_QUEUE_SIZE_MAX * sizeof (iwp_cmd_t),
1543 	    &cmd_dma_attr, &iwp_dma_accattr,
1544 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1545 	    &ring->dma_cmd);
1546 	if (err != DDI_SUCCESS) {
1547 		IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1548 		    "dma alloc tx ring cmd[%d]"
1549 		    " failed\n", qid));
1550 		goto fail;
1551 	}
1552 
1553 #ifdef	DEBUG
1554 	dma_p = &ring->dma_cmd;
1555 #endif
1556 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1557 	    "tx cmd[ncookies:%d addr:%lx size:%lx]\n",
1558 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1559 	    dma_p->cookie.dmac_size));
1560 
1561 	cmd_h = (iwp_cmd_t *)ring->dma_cmd.mem_va;
1562 	paddr_cmd_h = ring->dma_cmd.cookie.dmac_address;
1563 
1564 	/*
1565 	 * Allocate Tx frame buffers.
1566 	 */
1567 	ring->data = kmem_zalloc(sizeof (iwp_tx_data_t) * TFD_QUEUE_SIZE_MAX,
1568 	    KM_NOSLEEP);
1569 	if (NULL == ring->data) {
1570 		IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1571 		    "could not allocate "
1572 		    "tx data slots\n"));
1573 		goto fail;
1574 	}
1575 
1576 	for (i = 0; i < TFD_QUEUE_SIZE_MAX; i++) {
1577 		data = &ring->data[i];
1578 		err = iwp_alloc_dma_mem(sc, sc->sc_dmabuf_sz,
1579 		    &tx_buffer_dma_attr, &iwp_dma_accattr,
1580 		    DDI_DMA_WRITE | DDI_DMA_STREAMING,
1581 		    &data->dma_data);
1582 		if (err != DDI_SUCCESS) {
1583 			IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1584 			    "dma alloc tx "
1585 			    "ring buf[%d] failed\n", i));
1586 			goto fail;
1587 		}
1588 
1589 		data->desc = desc_h + i;
1590 		data->paddr_desc = paddr_desc_h +
1591 		    _PTRDIFF(data->desc, desc_h);
1592 		data->cmd = cmd_h +  i;
1593 		data->paddr_cmd = paddr_cmd_h +
1594 		    _PTRDIFF(data->cmd, cmd_h);
1595 	}
1596 #ifdef	DEBUG
1597 	dma_p = &ring->data[0].dma_data;
1598 #endif
1599 	IWP_DBG((IWP_DEBUG_DMA, "iwp_alloc_tx_ring(): "
1600 	    "tx buffer[0][ncookies:%d addr:%lx "
1601 	    "size:%lx]\n",
1602 	    dma_p->ncookies, dma_p->cookie.dmac_address,
1603 	    dma_p->cookie.dmac_size));
1604 
1605 	return (err);
1606 
1607 fail:
1608 	iwp_free_tx_ring(ring);
1609 
1610 	return (err);
1611 }
1612 
1613 /*
1614  * disable TX ring
1615  */
1616 static void
1617 iwp_reset_tx_ring(iwp_sc_t *sc, iwp_tx_ring_t *ring)
1618 {
1619 	iwp_tx_data_t *data;
1620 	int i, n;
1621 
1622 	iwp_mac_access_enter(sc);
1623 
1624 	IWP_WRITE(sc, IWP_FH_TCSR_CHNL_TX_CONFIG_REG(ring->qid), 0);
1625 	for (n = 0; n < 200; n++) {
1626 		if (IWP_READ(sc, IWP_FH_TSSR_TX_STATUS_REG) &
1627 		    IWP_FH_TSSR_TX_STATUS_REG_MSK_CHNL_IDLE(ring->qid)) {
1628 			break;
1629 		}
1630 		DELAY(10);
1631 	}
1632 
1633 #ifdef	DEBUG
1634 	if (200 == n) {
1635 		IWP_DBG((IWP_DEBUG_DMA, "iwp_reset_tx_ring(): "
1636 		    "timeout reset tx ring %d\n",
1637 		    ring->qid));
1638 	}
1639 #endif
1640 
1641 	iwp_mac_access_exit(sc);
1642 
1643 	/* by pass, if it's quiesce */
1644 	if (!(sc->sc_flags & IWP_F_QUIESCED)) {
1645 		for (i = 0; i < ring->count; i++) {
1646 			data = &ring->data[i];
1647 			IWP_DMA_SYNC(data->dma_data, DDI_DMA_SYNC_FORDEV);
1648 		}
1649 	}
1650 
1651 	ring->queued = 0;
1652 	ring->cur = 0;
1653 	ring->desc_cur = 0;
1654 }
1655 
1656 static void
1657 iwp_free_tx_ring(iwp_tx_ring_t *ring)
1658 {
1659 	int i;
1660 
1661 	if (ring->dma_desc.dma_hdl != NULL) {
1662 		IWP_DMA_SYNC(ring->dma_desc, DDI_DMA_SYNC_FORDEV);
1663 	}
1664 	iwp_free_dma_mem(&ring->dma_desc);
1665 
1666 	if (ring->dma_cmd.dma_hdl != NULL) {
1667 		IWP_DMA_SYNC(ring->dma_cmd, DDI_DMA_SYNC_FORDEV);
1668 	}
1669 	iwp_free_dma_mem(&ring->dma_cmd);
1670 
1671 	if (ring->data != NULL) {
1672 		for (i = 0; i < ring->count; i++) {
1673 			if (ring->data[i].dma_data.dma_hdl) {
1674 				IWP_DMA_SYNC(ring->data[i].dma_data,
1675 				    DDI_DMA_SYNC_FORDEV);
1676 			}
1677 			iwp_free_dma_mem(&ring->data[i].dma_data);
1678 		}
1679 		kmem_free(ring->data, ring->count * sizeof (iwp_tx_data_t));
1680 	}
1681 }
1682 
1683 /*
1684  * initialize TX and RX ring
1685  */
1686 static int
1687 iwp_ring_init(iwp_sc_t *sc)
1688 {
1689 	int i, err = DDI_FAILURE;
1690 
1691 	for (i = 0; i < IWP_NUM_QUEUES; i++) {
1692 		if (IWP_CMD_QUEUE_NUM == i) {
1693 			continue;
1694 		}
1695 
1696 		err = iwp_alloc_tx_ring(sc, &sc->sc_txq[i], TFD_TX_CMD_SLOTS,
1697 		    i);
1698 		if (err != DDI_SUCCESS) {
1699 			goto fail;
1700 		}
1701 	}
1702 
1703 	/*
1704 	 * initialize command queue
1705 	 */
1706 	err = iwp_alloc_tx_ring(sc, &sc->sc_txq[IWP_CMD_QUEUE_NUM],
1707 	    TFD_CMD_SLOTS, IWP_CMD_QUEUE_NUM);
1708 	if (err != DDI_SUCCESS) {
1709 		goto fail;
1710 	}
1711 
1712 	err = iwp_alloc_rx_ring(sc);
1713 	if (err != DDI_SUCCESS) {
1714 		goto fail;
1715 	}
1716 
1717 fail:
1718 	return (err);
1719 }
1720 
1721 static void
1722 iwp_ring_free(iwp_sc_t *sc)
1723 {
1724 	int i = IWP_NUM_QUEUES;
1725 
1726 	iwp_free_rx_ring(sc);
1727 	while (--i >= 0) {
1728 		iwp_free_tx_ring(&sc->sc_txq[i]);
1729 	}
1730 }
1731 
1732 /* ARGSUSED */
1733 static ieee80211_node_t *
1734 iwp_node_alloc(ieee80211com_t *ic)
1735 {
1736 	iwp_amrr_t *amrr;
1737 
1738 	amrr = kmem_zalloc(sizeof (iwp_amrr_t), KM_SLEEP);
1739 	if (NULL == amrr) {
1740 		cmn_err(CE_WARN, "iwp_node_alloc(): "
1741 		    "failed to allocate memory for amrr structure\n");
1742 		return (NULL);
1743 	}
1744 
1745 	iwp_amrr_init(amrr);
1746 
1747 	return (&amrr->in);
1748 }
1749 
1750 static void
1751 iwp_node_free(ieee80211_node_t *in)
1752 {
1753 	ieee80211com_t *ic;
1754 
1755 	if ((NULL == in) ||
1756 	    (NULL == in->in_ic)) {
1757 		cmn_err(CE_WARN, "iwp_node_free() "
1758 		    "Got a NULL point from Net80211 module\n");
1759 		return;
1760 	}
1761 	ic = in->in_ic;
1762 
1763 	if (ic->ic_node_cleanup != NULL) {
1764 		ic->ic_node_cleanup(in);
1765 	}
1766 
1767 	if (in->in_wpa_ie != NULL) {
1768 		ieee80211_free(in->in_wpa_ie);
1769 	}
1770 
1771 	if (in->in_wme_ie != NULL) {
1772 		ieee80211_free(in->in_wme_ie);
1773 	}
1774 
1775 	if (in->in_htcap_ie != NULL) {
1776 		ieee80211_free(in->in_htcap_ie);
1777 	}
1778 
1779 	kmem_free(in, sizeof (iwp_amrr_t));
1780 }
1781 
1782 
1783 /*
1784  * change station's state. this function will be invoked by 80211 module
1785  * when need to change staton's state.
1786  */
1787 static int
1788 iwp_newstate(ieee80211com_t *ic, enum ieee80211_state nstate, int arg)
1789 {
1790 	iwp_sc_t *sc;
1791 	ieee80211_node_t *in;
1792 	enum ieee80211_state ostate;
1793 	iwp_add_sta_t node;
1794 	int i, err = IWP_FAIL;
1795 
1796 	if (NULL == ic) {
1797 		return (err);
1798 	}
1799 	sc = (iwp_sc_t *)ic;
1800 	in = ic->ic_bss;
1801 	ostate = ic->ic_state;
1802 
1803 	mutex_enter(&sc->sc_glock);
1804 
1805 	switch (nstate) {
1806 	case IEEE80211_S_SCAN:
1807 		switch (ostate) {
1808 		case IEEE80211_S_INIT:
1809 			atomic_or_32(&sc->sc_flags, IWP_F_SCANNING);
1810 			iwp_set_led(sc, 2, 10, 2);
1811 
1812 			/*
1813 			 * clear association to receive beacons from
1814 			 * all BSS'es
1815 			 */
1816 			sc->sc_config.assoc_id = 0;
1817 			sc->sc_config.filter_flags &=
1818 			    ~LE_32(RXON_FILTER_ASSOC_MSK);
1819 
1820 			IWP_DBG((IWP_DEBUG_80211, "iwp_newstate(): "
1821 			    "config chan %d "
1822 			    "flags %x filter_flags %x\n",
1823 			    LE_16(sc->sc_config.chan),
1824 			    LE_32(sc->sc_config.flags),
1825 			    LE_32(sc->sc_config.filter_flags)));
1826 
1827 			err = iwp_cmd(sc, REPLY_RXON, &sc->sc_config,
1828 			    sizeof (iwp_rxon_cmd_t), 1);
1829 			if (err != IWP_SUCCESS) {
1830 				cmn_err(CE_WARN, "iwp_newstate(): "
1831 				    "could not clear association\n");
1832 				atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1833 				mutex_exit(&sc->sc_glock);
1834 				return (err);
1835 			}
1836 
1837 			/* add broadcast node to send probe request */
1838 			(void) memset(&node, 0, sizeof (node));
1839 			(void) memset(&node.sta.addr, 0xff, IEEE80211_ADDR_LEN);
1840 			node.sta.sta_id = IWP_BROADCAST_ID;
1841 			err = iwp_cmd(sc, REPLY_ADD_STA, &node,
1842 			    sizeof (node), 1);
1843 			if (err != IWP_SUCCESS) {
1844 				cmn_err(CE_WARN, "iwp_newstate(): "
1845 				    "could not add broadcast node\n");
1846 				atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1847 				mutex_exit(&sc->sc_glock);
1848 				return (err);
1849 			}
1850 			break;
1851 		case IEEE80211_S_SCAN:
1852 			mutex_exit(&sc->sc_glock);
1853 			/* step to next channel before actual FW scan */
1854 			err = sc->sc_newstate(ic, nstate, arg);
1855 			mutex_enter(&sc->sc_glock);
1856 			if ((err != 0) || ((err = iwp_scan(sc)) != 0)) {
1857 				cmn_err(CE_WARN, "iwp_newstate(): "
1858 				    "could not initiate scan\n");
1859 				atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1860 				ieee80211_cancel_scan(ic);
1861 			}
1862 			mutex_exit(&sc->sc_glock);
1863 			return (err);
1864 		default:
1865 			break;
1866 		}
1867 		sc->sc_clk = 0;
1868 		break;
1869 
1870 	case IEEE80211_S_AUTH:
1871 		if (ostate == IEEE80211_S_SCAN) {
1872 			atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1873 		}
1874 
1875 		/*
1876 		 * reset state to handle reassociations correctly
1877 		 */
1878 		sc->sc_config.assoc_id = 0;
1879 		sc->sc_config.filter_flags &= ~LE_32(RXON_FILTER_ASSOC_MSK);
1880 
1881 		/*
1882 		 * before sending authentication and association request frame,
1883 		 * we need do something in the hardware, such as setting the
1884 		 * channel same to the target AP...
1885 		 */
1886 		if ((err = iwp_hw_set_before_auth(sc)) != 0) {
1887 			IWP_DBG((IWP_DEBUG_80211, "iwp_newstate(): "
1888 			    "could not send authentication request\n"));
1889 			mutex_exit(&sc->sc_glock);
1890 			return (err);
1891 		}
1892 		break;
1893 
1894 	case IEEE80211_S_RUN:
1895 		if (ostate == IEEE80211_S_SCAN) {
1896 			atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1897 		}
1898 
1899 		if (IEEE80211_M_MONITOR == ic->ic_opmode) {
1900 			/* let LED blink when monitoring */
1901 			iwp_set_led(sc, 2, 10, 10);
1902 			break;
1903 		}
1904 
1905 		IWP_DBG((IWP_DEBUG_80211, "iwp_newstate(): "
1906 		    "associated.\n"));
1907 
1908 		err = iwp_run_state_config(sc);
1909 		if (err != IWP_SUCCESS) {
1910 			cmn_err(CE_WARN, "iwp_newstate(): "
1911 			    "failed to set up association\n");
1912 			mutex_exit(&sc->sc_glock);
1913 			return (err);
1914 		}
1915 
1916 		/*
1917 		 * start automatic rate control
1918 		 */
1919 		if (IEEE80211_FIXED_RATE_NONE == ic->ic_fixed_rate) {
1920 			atomic_or_32(&sc->sc_flags, IWP_F_RATE_AUTO_CTL);
1921 
1922 			/*
1923 			 * set rate to some reasonable initial value
1924 			 */
1925 			i = in->in_rates.ir_nrates - 1;
1926 			while (i > 0 && IEEE80211_RATE(i) > 72) {
1927 				i--;
1928 			}
1929 			in->in_txrate = i;
1930 
1931 		} else {
1932 			atomic_and_32(&sc->sc_flags, ~IWP_F_RATE_AUTO_CTL);
1933 		}
1934 
1935 		/*
1936 		 * set LED on after associated
1937 		 */
1938 		iwp_set_led(sc, 2, 0, 1);
1939 		break;
1940 
1941 	case IEEE80211_S_INIT:
1942 		if (ostate == IEEE80211_S_SCAN) {
1943 			atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1944 		}
1945 		/*
1946 		 * set LED off after init
1947 		 */
1948 		iwp_set_led(sc, 2, 1, 0);
1949 		break;
1950 
1951 	case IEEE80211_S_ASSOC:
1952 		if (ostate == IEEE80211_S_SCAN) {
1953 			atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
1954 		}
1955 		break;
1956 	}
1957 
1958 	mutex_exit(&sc->sc_glock);
1959 
1960 	return (sc->sc_newstate(ic, nstate, arg));
1961 }
1962 
1963 /*
1964  * exclusive access to mac begin.
1965  */
1966 static void
1967 iwp_mac_access_enter(iwp_sc_t *sc)
1968 {
1969 	uint32_t tmp;
1970 	int n;
1971 
1972 	tmp = IWP_READ(sc, CSR_GP_CNTRL);
1973 	IWP_WRITE(sc, CSR_GP_CNTRL,
1974 	    tmp | CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
1975 
1976 	/* wait until we succeed */
1977 	for (n = 0; n < 1000; n++) {
1978 		if ((IWP_READ(sc, CSR_GP_CNTRL) &
1979 		    (CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY |
1980 		    CSR_GP_CNTRL_REG_FLAG_GOING_TO_SLEEP)) ==
1981 		    CSR_GP_CNTRL_REG_VAL_MAC_ACCESS_EN) {
1982 			break;
1983 		}
1984 		DELAY(10);
1985 	}
1986 
1987 #ifdef	DEBUG
1988 	if (1000 == n) {
1989 		IWP_DBG((IWP_DEBUG_PIO, "iwp_mac_access_enter(): "
1990 		    "could not lock memory\n"));
1991 	}
1992 #endif
1993 }
1994 
1995 /*
1996  * exclusive access to mac end.
1997  */
1998 static void
1999 iwp_mac_access_exit(iwp_sc_t *sc)
2000 {
2001 	uint32_t tmp = IWP_READ(sc, CSR_GP_CNTRL);
2002 	IWP_WRITE(sc, CSR_GP_CNTRL,
2003 	    tmp & ~CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
2004 }
2005 
2006 /*
2007  * this function defined here for future use.
2008  * static uint32_t
2009  * iwp_mem_read(iwp_sc_t *sc, uint32_t addr)
2010  * {
2011  * 	IWP_WRITE(sc, HBUS_TARG_MEM_RADDR, addr);
2012  * 	return (IWP_READ(sc, HBUS_TARG_MEM_RDAT));
2013  * }
2014  */
2015 
2016 /*
2017  * write mac memory
2018  */
2019 static void
2020 iwp_mem_write(iwp_sc_t *sc, uint32_t addr, uint32_t data)
2021 {
2022 	IWP_WRITE(sc, HBUS_TARG_MEM_WADDR, addr);
2023 	IWP_WRITE(sc, HBUS_TARG_MEM_WDAT, data);
2024 }
2025 
2026 /*
2027  * read mac register
2028  */
2029 static uint32_t
2030 iwp_reg_read(iwp_sc_t *sc, uint32_t addr)
2031 {
2032 	IWP_WRITE(sc, HBUS_TARG_PRPH_RADDR, addr | (3 << 24));
2033 	return (IWP_READ(sc, HBUS_TARG_PRPH_RDAT));
2034 }
2035 
2036 /*
2037  * write mac register
2038  */
2039 static void
2040 iwp_reg_write(iwp_sc_t *sc, uint32_t addr, uint32_t data)
2041 {
2042 	IWP_WRITE(sc, HBUS_TARG_PRPH_WADDR, addr | (3 << 24));
2043 	IWP_WRITE(sc, HBUS_TARG_PRPH_WDAT, data);
2044 }
2045 
2046 
2047 /*
2048  * steps of loading ucode:
2049  * load init ucode=>init alive=>calibrate=>
2050  * receive calibration result=>reinitialize NIC=>
2051  * load runtime ucode=>runtime alive=>
2052  * send calibration result=>running.
2053  */
2054 static int
2055 iwp_load_init_firmware(iwp_sc_t *sc)
2056 {
2057 	int	err = IWP_FAIL;
2058 	clock_t	clk;
2059 
2060 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2061 
2062 	/*
2063 	 * load init_text section of uCode to hardware
2064 	 */
2065 	err = iwp_put_seg_fw(sc, sc->sc_dma_fw_init_text.cookie.dmac_address,
2066 	    RTC_INST_LOWER_BOUND, sc->sc_dma_fw_init_text.cookie.dmac_size);
2067 	if (err != IWP_SUCCESS) {
2068 		cmn_err(CE_WARN, "iwp_load_init_firmware(): "
2069 		    "failed to write init uCode.\n");
2070 		return (err);
2071 	}
2072 
2073 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
2074 
2075 	/* wait loading init_text until completed or timeout */
2076 	while (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2077 		if (cv_timedwait(&sc->sc_put_seg_cv, &sc->sc_glock, clk) < 0) {
2078 			break;
2079 		}
2080 	}
2081 
2082 	if (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2083 		cmn_err(CE_WARN, "iwp_load_init_firmware(): "
2084 		    "timeout waiting for init uCode load.\n");
2085 		return (IWP_FAIL);
2086 	}
2087 
2088 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2089 
2090 	/*
2091 	 * load init_data section of uCode to hardware
2092 	 */
2093 	err = iwp_put_seg_fw(sc, sc->sc_dma_fw_init_data.cookie.dmac_address,
2094 	    RTC_DATA_LOWER_BOUND, sc->sc_dma_fw_init_data.cookie.dmac_size);
2095 	if (err != IWP_SUCCESS) {
2096 		cmn_err(CE_WARN, "iwp_load_init_firmware(): "
2097 		    "failed to write init_data uCode.\n");
2098 		return (err);
2099 	}
2100 
2101 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
2102 
2103 	/*
2104 	 * wait loading init_data until completed or timeout
2105 	 */
2106 	while (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2107 		if (cv_timedwait(&sc->sc_put_seg_cv, &sc->sc_glock, clk) < 0) {
2108 			break;
2109 		}
2110 	}
2111 
2112 	if (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2113 		cmn_err(CE_WARN, "iwp_load_init_firmware(): "
2114 		    "timeout waiting for init_data uCode load.\n");
2115 		return (IWP_FAIL);
2116 	}
2117 
2118 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2119 
2120 	return (err);
2121 }
2122 
2123 static int
2124 iwp_load_run_firmware(iwp_sc_t *sc)
2125 {
2126 	int	err = IWP_FAIL;
2127 	clock_t	clk;
2128 
2129 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2130 
2131 	/*
2132 	 * load init_text section of uCode to hardware
2133 	 */
2134 	err = iwp_put_seg_fw(sc, sc->sc_dma_fw_text.cookie.dmac_address,
2135 	    RTC_INST_LOWER_BOUND, sc->sc_dma_fw_text.cookie.dmac_size);
2136 	if (err != IWP_SUCCESS) {
2137 		cmn_err(CE_WARN, "iwp_load_run_firmware(): "
2138 		    "failed to write run uCode.\n");
2139 		return (err);
2140 	}
2141 
2142 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
2143 
2144 	/* wait loading run_text until completed or timeout */
2145 	while (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2146 		if (cv_timedwait(&sc->sc_put_seg_cv, &sc->sc_glock, clk) < 0) {
2147 			break;
2148 		}
2149 	}
2150 
2151 	if (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2152 		cmn_err(CE_WARN, "iwp_load_run_firmware(): "
2153 		    "timeout waiting for run uCode load.\n");
2154 		return (IWP_FAIL);
2155 	}
2156 
2157 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2158 
2159 	/*
2160 	 * load run_data section of uCode to hardware
2161 	 */
2162 	err = iwp_put_seg_fw(sc, sc->sc_dma_fw_data_bak.cookie.dmac_address,
2163 	    RTC_DATA_LOWER_BOUND, sc->sc_dma_fw_data.cookie.dmac_size);
2164 	if (err != IWP_SUCCESS) {
2165 		cmn_err(CE_WARN, "iwp_load_run_firmware(): "
2166 		    "failed to write run_data uCode.\n");
2167 		return (err);
2168 	}
2169 
2170 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
2171 
2172 	/*
2173 	 * wait loading run_data until completed or timeout
2174 	 */
2175 	while (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2176 		if (cv_timedwait(&sc->sc_put_seg_cv, &sc->sc_glock, clk) < 0) {
2177 			break;
2178 		}
2179 	}
2180 
2181 	if (!(sc->sc_flags & IWP_F_PUT_SEG)) {
2182 		cmn_err(CE_WARN, "iwp_load_run_firmware(): "
2183 		    "timeout waiting for run_data uCode load.\n");
2184 		return (IWP_FAIL);
2185 	}
2186 
2187 	atomic_and_32(&sc->sc_flags, ~IWP_F_PUT_SEG);
2188 
2189 	return (err);
2190 }
2191 
2192 /*
2193  * this function will be invoked to receive phy information
2194  * when a frame is received.
2195  */
2196 static void
2197 iwp_rx_phy_intr(iwp_sc_t *sc, iwp_rx_desc_t *desc)
2198 {
2199 
2200 	sc->sc_rx_phy_res.flag = 1;
2201 
2202 	(void) memcpy(sc->sc_rx_phy_res.buf, (uint8_t *)(desc + 1),
2203 	    sizeof (iwp_rx_phy_res_t));
2204 }
2205 
2206 /*
2207  * this function will be invoked to receive body of frame when
2208  * a frame is received.
2209  */
2210 static void
2211 iwp_rx_mpdu_intr(iwp_sc_t *sc, iwp_rx_desc_t *desc)
2212 {
2213 	ieee80211com_t	*ic = &sc->sc_ic;
2214 #ifdef	DEBUG
2215 	iwp_rx_ring_t	*ring = &sc->sc_rxq;
2216 #endif
2217 	struct ieee80211_frame		*wh;
2218 	struct iwp_rx_non_cfg_phy	*phyinfo;
2219 	struct	iwp_rx_mpdu_body_size	*mpdu_size;
2220 
2221 	mblk_t			*mp;
2222 	int16_t			t;
2223 	uint16_t		len, rssi, agc;
2224 	uint32_t		temp, crc, *tail;
2225 	uint32_t		arssi, brssi, crssi, mrssi;
2226 	iwp_rx_phy_res_t	*stat;
2227 	ieee80211_node_t	*in;
2228 
2229 	/*
2230 	 * assuming not 11n here. cope with 11n in phase-II
2231 	 */
2232 	mpdu_size = (struct iwp_rx_mpdu_body_size *)(desc + 1);
2233 	stat = (iwp_rx_phy_res_t *)sc->sc_rx_phy_res.buf;
2234 	if (stat->cfg_phy_cnt > 20) {
2235 		return;
2236 	}
2237 
2238 	phyinfo = (struct iwp_rx_non_cfg_phy *)stat->non_cfg_phy;
2239 	temp = LE_32(phyinfo->non_cfg_phy[IWP_RX_RES_AGC_IDX]);
2240 	agc = (temp & IWP_OFDM_AGC_MSK) >> IWP_OFDM_AGC_BIT_POS;
2241 
2242 	temp = LE_32(phyinfo->non_cfg_phy[IWP_RX_RES_RSSI_AB_IDX]);
2243 	arssi = (temp & IWP_OFDM_RSSI_A_MSK) >> IWP_OFDM_RSSI_A_BIT_POS;
2244 	brssi = (temp & IWP_OFDM_RSSI_B_MSK) >> IWP_OFDM_RSSI_B_BIT_POS;
2245 
2246 	temp = LE_32(phyinfo->non_cfg_phy[IWP_RX_RES_RSSI_C_IDX]);
2247 	crssi = (temp & IWP_OFDM_RSSI_C_MSK) >> IWP_OFDM_RSSI_C_BIT_POS;
2248 
2249 	mrssi = MAX(arssi, brssi);
2250 	mrssi = MAX(mrssi, crssi);
2251 
2252 	t = mrssi - agc - IWP_RSSI_OFFSET;
2253 	/*
2254 	 * convert dBm to percentage
2255 	 */
2256 	rssi = (100 * 75 * 75 - (-20 - t) * (15 * 75 + 62 * (-20 - t)))
2257 	    / (75 * 75);
2258 	if (rssi > 100) {
2259 		rssi = 100;
2260 	}
2261 	if (rssi < 1) {
2262 		rssi = 1;
2263 	}
2264 
2265 	/*
2266 	 * size of frame, not include FCS
2267 	 */
2268 	len = LE_16(mpdu_size->byte_count);
2269 	tail = (uint32_t *)((uint8_t *)(desc + 1) +
2270 	    sizeof (struct iwp_rx_mpdu_body_size) + len);
2271 	bcopy(tail, &crc, 4);
2272 
2273 	IWP_DBG((IWP_DEBUG_RX, "iwp_rx_mpdu_intr(): "
2274 	    "rx intr: idx=%d phy_len=%x len=%d "
2275 	    "rate=%x chan=%d tstamp=%x non_cfg_phy_count=%x "
2276 	    "cfg_phy_count=%x tail=%x", ring->cur, sizeof (*stat),
2277 	    len, stat->rate.r.s.rate, stat->channel,
2278 	    LE_32(stat->timestampl), stat->non_cfg_phy_cnt,
2279 	    stat->cfg_phy_cnt, LE_32(crc)));
2280 
2281 	if ((len < 16) || (len > sc->sc_dmabuf_sz)) {
2282 		IWP_DBG((IWP_DEBUG_RX, "iwp_rx_mpdu_intr(): "
2283 		    "rx frame oversize\n"));
2284 		return;
2285 	}
2286 
2287 	/*
2288 	 * discard Rx frames with bad CRC
2289 	 */
2290 	if ((LE_32(crc) &
2291 	    (RX_RES_STATUS_NO_CRC32_ERROR | RX_RES_STATUS_NO_RXE_OVERFLOW)) !=
2292 	    (RX_RES_STATUS_NO_CRC32_ERROR | RX_RES_STATUS_NO_RXE_OVERFLOW)) {
2293 		IWP_DBG((IWP_DEBUG_RX, "iwp_rx_mpdu_intr(): "
2294 		    "rx crc error tail: %x\n",
2295 		    LE_32(crc)));
2296 		sc->sc_rx_err++;
2297 		return;
2298 	}
2299 
2300 	wh = (struct ieee80211_frame *)
2301 	    ((uint8_t *)(desc + 1)+ sizeof (struct iwp_rx_mpdu_body_size));
2302 
2303 	if (IEEE80211_FC0_SUBTYPE_ASSOC_RESP == *(uint8_t *)wh) {
2304 		sc->sc_assoc_id = *((uint16_t *)(wh + 1) + 2);
2305 		IWP_DBG((IWP_DEBUG_RX, "iwp_rx_mpdu_intr(): "
2306 		    "rx : association id = %x\n",
2307 		    sc->sc_assoc_id));
2308 	}
2309 
2310 #ifdef DEBUG
2311 	if (iwp_dbg_flags & IWP_DEBUG_RX) {
2312 		ieee80211_dump_pkt((uint8_t *)wh, len, 0, 0);
2313 	}
2314 #endif
2315 
2316 	in = ieee80211_find_rxnode(ic, wh);
2317 	mp = allocb(len, BPRI_MED);
2318 	if (mp) {
2319 		(void) memcpy(mp->b_wptr, wh, len);
2320 		mp->b_wptr += len;
2321 
2322 		/*
2323 		 * send the frame to the 802.11 layer
2324 		 */
2325 		(void) ieee80211_input(ic, mp, in, rssi, 0);
2326 	} else {
2327 		sc->sc_rx_nobuf++;
2328 		IWP_DBG((IWP_DEBUG_RX, "iwp_rx_mpdu_intr(): "
2329 		    "alloc rx buf failed\n"));
2330 	}
2331 
2332 	/*
2333 	 * release node reference
2334 	 */
2335 	ieee80211_free_node(in);
2336 }
2337 
2338 /*
2339  * process correlative affairs after a frame is sent.
2340  */
2341 static void
2342 iwp_tx_intr(iwp_sc_t *sc, iwp_rx_desc_t *desc)
2343 {
2344 	ieee80211com_t *ic = &sc->sc_ic;
2345 	iwp_tx_ring_t *ring = &sc->sc_txq[desc->hdr.qid & 0x3];
2346 	iwp_tx_stat_t *stat = (iwp_tx_stat_t *)(desc + 1);
2347 	iwp_amrr_t *amrr;
2348 
2349 	if (NULL == ic->ic_bss) {
2350 		return;
2351 	}
2352 
2353 	amrr = (iwp_amrr_t *)ic->ic_bss;
2354 
2355 	amrr->txcnt++;
2356 	IWP_DBG((IWP_DEBUG_RATECTL, "iwp_tx_intr(): "
2357 	    "tx: %d cnt\n", amrr->txcnt));
2358 
2359 	if (stat->ntries > 0) {
2360 		amrr->retrycnt++;
2361 		sc->sc_tx_retries++;
2362 		IWP_DBG((IWP_DEBUG_TX, "iwp_tx_intr(): "
2363 		    "tx: %d retries\n",
2364 		    sc->sc_tx_retries));
2365 	}
2366 
2367 	mutex_enter(&sc->sc_mt_lock);
2368 	sc->sc_tx_timer = 0;
2369 	mutex_exit(&sc->sc_mt_lock);
2370 
2371 	mutex_enter(&sc->sc_tx_lock);
2372 
2373 	ring->queued--;
2374 	if (ring->queued < 0) {
2375 		ring->queued = 0;
2376 	}
2377 
2378 	if ((sc->sc_need_reschedule) && (ring->queued <= (ring->count >> 3))) {
2379 		sc->sc_need_reschedule = 0;
2380 		mutex_exit(&sc->sc_tx_lock);
2381 		mac_tx_update(ic->ic_mach);
2382 		mutex_enter(&sc->sc_tx_lock);
2383 	}
2384 
2385 	mutex_exit(&sc->sc_tx_lock);
2386 }
2387 
2388 /*
2389  * inform a given command has been executed
2390  */
2391 static void
2392 iwp_cmd_intr(iwp_sc_t *sc, iwp_rx_desc_t *desc)
2393 {
2394 	if ((desc->hdr.qid & 7) != 4) {
2395 		return;
2396 	}
2397 
2398 	if (sc->sc_cmd_accum > 0) {
2399 		sc->sc_cmd_accum--;
2400 		return;
2401 	}
2402 
2403 	mutex_enter(&sc->sc_glock);
2404 
2405 	sc->sc_cmd_flag = SC_CMD_FLG_DONE;
2406 
2407 	cv_signal(&sc->sc_cmd_cv);
2408 
2409 	mutex_exit(&sc->sc_glock);
2410 
2411 	IWP_DBG((IWP_DEBUG_CMD, "iwp_cmd_intr(): "
2412 	    "qid=%x idx=%d flags=%x type=0x%x\n",
2413 	    desc->hdr.qid, desc->hdr.idx, desc->hdr.flags,
2414 	    desc->hdr.type));
2415 }
2416 
2417 /*
2418  * this function will be invoked when alive notification occur.
2419  */
2420 static void
2421 iwp_ucode_alive(iwp_sc_t *sc, iwp_rx_desc_t *desc)
2422 {
2423 	uint32_t rv;
2424 	struct iwp_calib_cfg_cmd cmd;
2425 	struct iwp_alive_resp *ar =
2426 	    (struct iwp_alive_resp *)(desc + 1);
2427 	struct iwp_calib_results *res_p = &sc->sc_calib_results;
2428 
2429 	/*
2430 	 * the microcontroller is ready
2431 	 */
2432 	IWP_DBG((IWP_DEBUG_FW, "iwp_ucode_alive(): "
2433 	    "microcode alive notification minor: %x major: %x type: "
2434 	    "%x subtype: %x\n",
2435 	    ar->ucode_minor, ar->ucode_minor, ar->ver_type, ar->ver_subtype));
2436 
2437 #ifdef	DEBUG
2438 	if (LE_32(ar->is_valid) != UCODE_VALID_OK) {
2439 		IWP_DBG((IWP_DEBUG_FW, "iwp_ucode_alive(): "
2440 		    "microcontroller initialization failed\n"));
2441 	}
2442 #endif
2443 
2444 	/*
2445 	 * determine if init alive or runtime alive.
2446 	 */
2447 	if (INITIALIZE_SUBTYPE == ar->ver_subtype) {
2448 		IWP_DBG((IWP_DEBUG_FW, "iwp_ucode_alive(): "
2449 		    "initialization alive received.\n"));
2450 
2451 		(void) memcpy(&sc->sc_card_alive_init, ar,
2452 		    sizeof (struct iwp_init_alive_resp));
2453 
2454 		/*
2455 		 * necessary configuration to NIC
2456 		 */
2457 		mutex_enter(&sc->sc_glock);
2458 
2459 		rv = iwp_alive_common(sc);
2460 		if (rv != IWP_SUCCESS) {
2461 			cmn_err(CE_WARN, "iwp_ucode_alive(): "
2462 			    "common alive process failed in init alive.\n");
2463 			mutex_exit(&sc->sc_glock);
2464 			return;
2465 		}
2466 
2467 		(void) memset(&cmd, 0, sizeof (cmd));
2468 
2469 		cmd.ucd_calib_cfg.once.is_enable = IWP_CALIB_INIT_CFG_ALL;
2470 		cmd.ucd_calib_cfg.once.start = IWP_CALIB_INIT_CFG_ALL;
2471 		cmd.ucd_calib_cfg.once.send_res = IWP_CALIB_INIT_CFG_ALL;
2472 		cmd.ucd_calib_cfg.flags = IWP_CALIB_INIT_CFG_ALL;
2473 
2474 		/*
2475 		 * require ucode execute calibration
2476 		 */
2477 		rv = iwp_cmd(sc, CALIBRATION_CFG_CMD, &cmd, sizeof (cmd), 1);
2478 		if (rv != IWP_SUCCESS) {
2479 			cmn_err(CE_WARN, "iwp_ucode_alive(): "
2480 			    "failed to send calibration configure command.\n");
2481 			mutex_exit(&sc->sc_glock);
2482 			return;
2483 		}
2484 
2485 		mutex_exit(&sc->sc_glock);
2486 
2487 	} else {	/* runtime alive */
2488 
2489 		IWP_DBG((IWP_DEBUG_FW, "iwp_ucode_alive(): "
2490 		    "runtime alive received.\n"));
2491 
2492 		(void) memcpy(&sc->sc_card_alive_run, ar,
2493 		    sizeof (struct iwp_alive_resp));
2494 
2495 		mutex_enter(&sc->sc_glock);
2496 
2497 		/*
2498 		 * necessary configuration to NIC
2499 		 */
2500 		rv = iwp_alive_common(sc);
2501 		if (rv != IWP_SUCCESS) {
2502 			cmn_err(CE_WARN, "iwp_ucode_alive(): "
2503 			    "common alive process failed in run alive.\n");
2504 			mutex_exit(&sc->sc_glock);
2505 			return;
2506 		}
2507 
2508 		/*
2509 		 * send the result of local oscilator calibration to uCode.
2510 		 */
2511 		if (res_p->lo_res != NULL) {
2512 			rv = iwp_cmd(sc, REPLY_PHY_CALIBRATION_CMD,
2513 			    res_p->lo_res, res_p->lo_res_len, 1);
2514 			if (rv != IWP_SUCCESS) {
2515 				cmn_err(CE_WARN, "iwp_ucode_alive(): "
2516 				    "failed to send local"
2517 				    "oscilator calibration command.\n");
2518 				mutex_exit(&sc->sc_glock);
2519 				return;
2520 			}
2521 
2522 			DELAY(1000);
2523 		}
2524 
2525 		/*
2526 		 * send the result of TX IQ calibration to uCode.
2527 		 */
2528 		if (res_p->tx_iq_res != NULL) {
2529 			rv = iwp_cmd(sc, REPLY_PHY_CALIBRATION_CMD,
2530 			    res_p->tx_iq_res, res_p->tx_iq_res_len, 1);
2531 			if (rv != IWP_SUCCESS) {
2532 				cmn_err(CE_WARN, "iwp_ucode_alive(): "
2533 				    "failed to send TX IQ"
2534 				    "calibration command.\n");
2535 				mutex_exit(&sc->sc_glock);
2536 				return;
2537 			}
2538 
2539 			DELAY(1000);
2540 		}
2541 
2542 		/*
2543 		 * send the result of TX IQ perd calibration to uCode.
2544 		 */
2545 		if (res_p->tx_iq_perd_res != NULL) {
2546 			rv = iwp_cmd(sc, REPLY_PHY_CALIBRATION_CMD,
2547 			    res_p->tx_iq_perd_res,
2548 			    res_p->tx_iq_perd_res_len, 1);
2549 			if (rv != IWP_SUCCESS) {
2550 				cmn_err(CE_WARN, "iwp_ucode_alive(): "
2551 				    "failed to send TX IQ perd"
2552 				    "calibration command.\n");
2553 				mutex_exit(&sc->sc_glock);
2554 				return;
2555 			}
2556 
2557 			DELAY(1000);
2558 		}
2559 
2560 		/*
2561 		 * send the result of Base Band calibration to uCode.
2562 		 */
2563 		if (res_p->base_band_res != NULL) {
2564 			rv = iwp_cmd(sc, REPLY_PHY_CALIBRATION_CMD,
2565 			    res_p->base_band_res,
2566 			    res_p->base_band_res_len, 1);
2567 			if (rv != IWP_SUCCESS) {
2568 				cmn_err(CE_WARN, "iwp_ucode_alive(): "
2569 				    "failed to send Base Band"
2570 				    "calibration command.\n");
2571 				mutex_exit(&sc->sc_glock);
2572 				return;
2573 			}
2574 
2575 			DELAY(1000);
2576 		}
2577 
2578 		atomic_or_32(&sc->sc_flags, IWP_F_FW_INIT);
2579 		cv_signal(&sc->sc_ucode_cv);
2580 
2581 		mutex_exit(&sc->sc_glock);
2582 	}
2583 
2584 }
2585 
2586 /*
2587  * deal with receiving frames, command response
2588  * and all notifications from ucode.
2589  */
2590 /* ARGSUSED */
2591 static uint_t
2592 iwp_rx_softintr(caddr_t arg, caddr_t unused)
2593 {
2594 	iwp_sc_t *sc;
2595 	ieee80211com_t *ic;
2596 	iwp_rx_desc_t *desc;
2597 	iwp_rx_data_t *data;
2598 	uint32_t index;
2599 
2600 	if (NULL == arg) {
2601 		return (DDI_INTR_UNCLAIMED);
2602 	}
2603 	sc = (iwp_sc_t *)arg;
2604 	ic = &sc->sc_ic;
2605 
2606 	/*
2607 	 * firmware has moved the index of the rx queue, driver get it,
2608 	 * and deal with it.
2609 	 */
2610 	index = (sc->sc_shared->val0) & 0xfff;
2611 
2612 	while (sc->sc_rxq.cur != index) {
2613 		data = &sc->sc_rxq.data[sc->sc_rxq.cur];
2614 		desc = (iwp_rx_desc_t *)data->dma_data.mem_va;
2615 
2616 		IWP_DBG((IWP_DEBUG_INTR, "iwp_rx_softintr(): "
2617 		    "rx notification index = %d"
2618 		    " cur = %d qid=%x idx=%d flags=%x type=%x len=%d\n",
2619 		    index, sc->sc_rxq.cur, desc->hdr.qid, desc->hdr.idx,
2620 		    desc->hdr.flags, desc->hdr.type, LE_32(desc->len)));
2621 
2622 		/*
2623 		 * a command other than a tx need to be replied
2624 		 */
2625 		if (!(desc->hdr.qid & 0x80) &&
2626 		    (desc->hdr.type != REPLY_SCAN_CMD) &&
2627 		    (desc->hdr.type != REPLY_TX)) {
2628 			iwp_cmd_intr(sc, desc);
2629 		}
2630 
2631 		switch (desc->hdr.type) {
2632 		case REPLY_RX_PHY_CMD:
2633 			iwp_rx_phy_intr(sc, desc);
2634 			break;
2635 
2636 		case REPLY_RX_MPDU_CMD:
2637 			iwp_rx_mpdu_intr(sc, desc);
2638 			break;
2639 
2640 		case REPLY_TX:
2641 			iwp_tx_intr(sc, desc);
2642 			break;
2643 
2644 		case REPLY_ALIVE:
2645 			iwp_ucode_alive(sc, desc);
2646 			break;
2647 
2648 		case CARD_STATE_NOTIFICATION:
2649 		{
2650 			uint32_t *status = (uint32_t *)(desc + 1);
2651 
2652 			IWP_DBG((IWP_DEBUG_RADIO, "iwp_rx_softintr(): "
2653 			    "state changed to %x\n",
2654 			    LE_32(*status)));
2655 
2656 			if (LE_32(*status) & 1) {
2657 				/*
2658 				 * the radio button has to be pushed(OFF). It
2659 				 * is considered as a hw error, the
2660 				 * iwp_thread() tries to recover it after the
2661 				 * button is pushed again(ON)
2662 				 */
2663 				cmn_err(CE_NOTE, "iwp_rx_softintr(): "
2664 				    "radio transmitter is off\n");
2665 				sc->sc_ostate = sc->sc_ic.ic_state;
2666 				ieee80211_new_state(&sc->sc_ic,
2667 				    IEEE80211_S_INIT, -1);
2668 				atomic_or_32(&sc->sc_flags,
2669 				    IWP_F_HW_ERR_RECOVER | IWP_F_RADIO_OFF);
2670 			}
2671 
2672 			break;
2673 		}
2674 
2675 		case SCAN_START_NOTIFICATION:
2676 		{
2677 			iwp_start_scan_t *scan =
2678 			    (iwp_start_scan_t *)(desc + 1);
2679 
2680 			IWP_DBG((IWP_DEBUG_SCAN, "iwp_rx_softintr(): "
2681 			    "scanning channel %d status %x\n",
2682 			    scan->chan, LE_32(scan->status)));
2683 
2684 			ic->ic_curchan = &ic->ic_sup_channels[scan->chan];
2685 			break;
2686 		}
2687 
2688 		case SCAN_COMPLETE_NOTIFICATION:
2689 		{
2690 #ifdef	DEBUG
2691 			iwp_stop_scan_t *scan =
2692 			    (iwp_stop_scan_t *)(desc + 1);
2693 
2694 			IWP_DBG((IWP_DEBUG_SCAN, "iwp_rx_softintr(): "
2695 			    "completed channel %d (burst of %d) status %02x\n",
2696 			    scan->chan, scan->nchan, scan->status));
2697 #endif
2698 
2699 			sc->sc_scan_pending++;
2700 			break;
2701 		}
2702 
2703 		case STATISTICS_NOTIFICATION:
2704 		{
2705 			/*
2706 			 * handle statistics notification
2707 			 */
2708 			break;
2709 		}
2710 
2711 		case CALIBRATION_RES_NOTIFICATION:
2712 			iwp_save_calib_result(sc, desc);
2713 			break;
2714 
2715 		case CALIBRATION_COMPLETE_NOTIFICATION:
2716 			mutex_enter(&sc->sc_glock);
2717 			atomic_or_32(&sc->sc_flags, IWP_F_FW_INIT);
2718 			cv_signal(&sc->sc_ucode_cv);
2719 			mutex_exit(&sc->sc_glock);
2720 			break;
2721 
2722 		case MISSED_BEACONS_NOTIFICATION:
2723 		{
2724 			struct iwp_beacon_missed *miss =
2725 			    (struct iwp_beacon_missed *)(desc + 1);
2726 
2727 			if ((ic->ic_state == IEEE80211_S_RUN) &&
2728 			    (LE_32(miss->consecutive) > 50)) {
2729 				cmn_err(CE_NOTE, "iwp: iwp_rx_softintr(): "
2730 				    "beacon missed %d/%d\n",
2731 				    LE_32(miss->consecutive),
2732 				    LE_32(miss->total));
2733 				(void) ieee80211_new_state(ic,
2734 				    IEEE80211_S_INIT, -1);
2735 			}
2736 			break;
2737 		}
2738 		}
2739 
2740 		sc->sc_rxq.cur = (sc->sc_rxq.cur + 1) % RX_QUEUE_SIZE;
2741 	}
2742 
2743 	/*
2744 	 * driver dealt with what received in rx queue and tell the information
2745 	 * to the firmware.
2746 	 */
2747 	index = (0 == index) ? RX_QUEUE_SIZE - 1 : index - 1;
2748 	IWP_WRITE(sc, FH_RSCSR_CHNL0_RBDCB_WPTR_REG, index & (~7));
2749 
2750 	/*
2751 	 * re-enable interrupts
2752 	 */
2753 	IWP_WRITE(sc, CSR_INT_MASK, CSR_INI_SET_MASK);
2754 
2755 	return (DDI_INTR_CLAIMED);
2756 }
2757 
2758 /*
2759  * the handle of interrupt
2760  */
2761 /* ARGSUSED */
2762 static uint_t
2763 iwp_intr(caddr_t arg, caddr_t unused)
2764 {
2765 	iwp_sc_t *sc;
2766 	uint32_t r, rfh;
2767 
2768 	if (NULL == arg) {
2769 		return (DDI_INTR_UNCLAIMED);
2770 	}
2771 	sc = (iwp_sc_t *)arg;
2772 
2773 	r = IWP_READ(sc, CSR_INT);
2774 	if (0 == r || 0xffffffff == r) {
2775 		return (DDI_INTR_UNCLAIMED);
2776 	}
2777 
2778 	IWP_DBG((IWP_DEBUG_INTR, "iwp_intr(): "
2779 	    "interrupt reg %x\n", r));
2780 
2781 	rfh = IWP_READ(sc, CSR_FH_INT_STATUS);
2782 
2783 	IWP_DBG((IWP_DEBUG_INTR, "iwp_intr(): "
2784 	    "FH interrupt reg %x\n", rfh));
2785 
2786 	/*
2787 	 * disable interrupts
2788 	 */
2789 	IWP_WRITE(sc, CSR_INT_MASK, 0);
2790 
2791 	/*
2792 	 * ack interrupts
2793 	 */
2794 	IWP_WRITE(sc, CSR_INT, r);
2795 	IWP_WRITE(sc, CSR_FH_INT_STATUS, rfh);
2796 
2797 	if (r & (BIT_INT_SWERROR | BIT_INT_ERR)) {
2798 		IWP_DBG((IWP_DEBUG_FW, "iwp_intr(): "
2799 		    "fatal firmware error\n"));
2800 		iwp_stop(sc);
2801 		sc->sc_ostate = sc->sc_ic.ic_state;
2802 
2803 		/* notify upper layer */
2804 		if (!IWP_CHK_FAST_RECOVER(sc)) {
2805 			ieee80211_new_state(&sc->sc_ic, IEEE80211_S_INIT, -1);
2806 		}
2807 
2808 		atomic_or_32(&sc->sc_flags, IWP_F_HW_ERR_RECOVER);
2809 		return (DDI_INTR_CLAIMED);
2810 	}
2811 
2812 	if (r & BIT_INT_RF_KILL) {
2813 		uint32_t tmp = IWP_READ(sc, CSR_GP_CNTRL);
2814 		if (tmp & (1 << 27)) {
2815 			cmn_err(CE_NOTE, "RF switch: radio on\n");
2816 		}
2817 	}
2818 
2819 	if ((r & (BIT_INT_FH_RX | BIT_INT_SW_RX)) ||
2820 	    (rfh & FH_INT_RX_MASK)) {
2821 		(void) ddi_intr_trigger_softint(sc->sc_soft_hdl, NULL);
2822 		return (DDI_INTR_CLAIMED);
2823 	}
2824 
2825 	if (r & BIT_INT_FH_TX) {
2826 		mutex_enter(&sc->sc_glock);
2827 		atomic_or_32(&sc->sc_flags, IWP_F_PUT_SEG);
2828 		cv_signal(&sc->sc_put_seg_cv);
2829 		mutex_exit(&sc->sc_glock);
2830 	}
2831 
2832 #ifdef	DEBUG
2833 	if (r & BIT_INT_ALIVE)	{
2834 		IWP_DBG((IWP_DEBUG_FW, "iwp_intr(): "
2835 		    "firmware initialized.\n"));
2836 	}
2837 #endif
2838 
2839 	/*
2840 	 * re-enable interrupts
2841 	 */
2842 	IWP_WRITE(sc, CSR_INT_MASK, CSR_INI_SET_MASK);
2843 
2844 	return (DDI_INTR_CLAIMED);
2845 }
2846 
2847 static uint8_t
2848 iwp_rate_to_plcp(int rate)
2849 {
2850 	uint8_t ret;
2851 
2852 	switch (rate) {
2853 	/*
2854 	 * CCK rates
2855 	 */
2856 	case 2:
2857 		ret = 0xa;
2858 		break;
2859 
2860 	case 4:
2861 		ret = 0x14;
2862 		break;
2863 
2864 	case 11:
2865 		ret = 0x37;
2866 		break;
2867 
2868 	case 22:
2869 		ret = 0x6e;
2870 		break;
2871 
2872 	/*
2873 	 * OFDM rates
2874 	 */
2875 	case 12:
2876 		ret = 0xd;
2877 		break;
2878 
2879 	case 18:
2880 		ret = 0xf;
2881 		break;
2882 
2883 	case 24:
2884 		ret = 0x5;
2885 		break;
2886 
2887 	case 36:
2888 		ret = 0x7;
2889 		break;
2890 
2891 	case 48:
2892 		ret = 0x9;
2893 		break;
2894 
2895 	case 72:
2896 		ret = 0xb;
2897 		break;
2898 
2899 	case 96:
2900 		ret = 0x1;
2901 		break;
2902 
2903 	case 108:
2904 		ret = 0x3;
2905 		break;
2906 
2907 	default:
2908 		ret = 0;
2909 		break;
2910 	}
2911 
2912 	return (ret);
2913 }
2914 
2915 /*
2916  * invoked by GLD send frames
2917  */
2918 static mblk_t *
2919 iwp_m_tx(void *arg, mblk_t *mp)
2920 {
2921 	iwp_sc_t	*sc;
2922 	ieee80211com_t	*ic;
2923 	mblk_t		*next;
2924 
2925 	if (NULL == arg) {
2926 		return (NULL);
2927 	}
2928 	sc = (iwp_sc_t *)arg;
2929 	ic = &sc->sc_ic;
2930 
2931 	if (sc->sc_flags & IWP_F_SUSPEND) {
2932 		freemsgchain(mp);
2933 		return (NULL);
2934 	}
2935 
2936 	if (ic->ic_state != IEEE80211_S_RUN) {
2937 		freemsgchain(mp);
2938 		return (NULL);
2939 	}
2940 
2941 	if ((sc->sc_flags & IWP_F_HW_ERR_RECOVER) &&
2942 	    IWP_CHK_FAST_RECOVER(sc)) {
2943 		IWP_DBG((IWP_DEBUG_FW, "iwp_m_tx(): "
2944 		    "hold queue\n"));
2945 		return (mp);
2946 	}
2947 
2948 
2949 	while (mp != NULL) {
2950 		next = mp->b_next;
2951 		mp->b_next = NULL;
2952 		if (iwp_send(ic, mp, IEEE80211_FC0_TYPE_DATA) != 0) {
2953 			mp->b_next = next;
2954 			break;
2955 		}
2956 		mp = next;
2957 	}
2958 
2959 	return (mp);
2960 }
2961 
2962 /*
2963  * send frames
2964  */
2965 static int
2966 iwp_send(ieee80211com_t *ic, mblk_t *mp, uint8_t type)
2967 {
2968 	iwp_sc_t *sc;
2969 	iwp_tx_ring_t *ring;
2970 	iwp_tx_desc_t *desc;
2971 	iwp_tx_data_t *data;
2972 	iwp_tx_data_t *desc_data;
2973 	iwp_cmd_t *cmd;
2974 	iwp_tx_cmd_t *tx;
2975 	ieee80211_node_t *in;
2976 	struct ieee80211_frame *wh;
2977 	struct ieee80211_key *k = NULL;
2978 	mblk_t *m, *m0;
2979 	int hdrlen, len, len0, mblen, off, err = IWP_SUCCESS;
2980 	uint16_t masks = 0;
2981 	uint32_t rate, s_id = 0;
2982 
2983 	if (NULL == ic) {
2984 		return (IWP_FAIL);
2985 	}
2986 	sc = (iwp_sc_t *)ic;
2987 
2988 	if (sc->sc_flags & IWP_F_SUSPEND) {
2989 		if ((type & IEEE80211_FC0_TYPE_MASK) !=
2990 		    IEEE80211_FC0_TYPE_DATA) {
2991 			freemsg(mp);
2992 		}
2993 		err = IWP_FAIL;
2994 		goto exit;
2995 	}
2996 
2997 	mutex_enter(&sc->sc_tx_lock);
2998 	ring = &sc->sc_txq[0];
2999 	data = &ring->data[ring->cur];
3000 	cmd = data->cmd;
3001 	bzero(cmd, sizeof (*cmd));
3002 
3003 	ring->cur = (ring->cur + 1) % ring->count;
3004 
3005 	/*
3006 	 * Need reschedule TX if TX buffer is full.
3007 	 */
3008 	if (ring->queued > ring->count - IWP_MAX_WIN_SIZE) {
3009 		IWP_DBG((IWP_DEBUG_TX, "iwp_send(): "
3010 		"no txbuf\n"));
3011 
3012 		sc->sc_need_reschedule = 1;
3013 		mutex_exit(&sc->sc_tx_lock);
3014 
3015 		if ((type & IEEE80211_FC0_TYPE_MASK) !=
3016 		    IEEE80211_FC0_TYPE_DATA) {
3017 			freemsg(mp);
3018 		}
3019 		sc->sc_tx_nobuf++;
3020 		err = IWP_FAIL;
3021 		goto exit;
3022 	}
3023 
3024 	ring->queued++;
3025 
3026 	mutex_exit(&sc->sc_tx_lock);
3027 
3028 	hdrlen = ieee80211_hdrspace(ic, mp->b_rptr);
3029 
3030 	m = allocb(msgdsize(mp) + 32, BPRI_MED);
3031 	if (NULL == m) { /* can not alloc buf, drop this package */
3032 		cmn_err(CE_WARN, "iwp_send(): "
3033 		    "failed to allocate msgbuf\n");
3034 		freemsg(mp);
3035 
3036 		mutex_enter(&sc->sc_tx_lock);
3037 		ring->queued--;
3038 		if ((sc->sc_need_reschedule) && (ring->queued <= 0)) {
3039 			sc->sc_need_reschedule = 0;
3040 			mutex_exit(&sc->sc_tx_lock);
3041 			mac_tx_update(ic->ic_mach);
3042 			mutex_enter(&sc->sc_tx_lock);
3043 		}
3044 		mutex_exit(&sc->sc_tx_lock);
3045 
3046 		err = IWP_SUCCESS;
3047 		goto exit;
3048 	}
3049 
3050 	for (off = 0, m0 = mp; m0 != NULL; m0 = m0->b_cont) {
3051 		mblen = MBLKL(m0);
3052 		(void) memcpy(m->b_rptr + off, m0->b_rptr, mblen);
3053 		off += mblen;
3054 	}
3055 
3056 	m->b_wptr += off;
3057 
3058 	wh = (struct ieee80211_frame *)m->b_rptr;
3059 
3060 	/*
3061 	 * determine send which AP or station in IBSS
3062 	 */
3063 	in = ieee80211_find_txnode(ic, wh->i_addr1);
3064 	if (NULL == in) {
3065 		cmn_err(CE_WARN, "iwp_send(): "
3066 		    "failed to find tx node\n");
3067 		freemsg(mp);
3068 		freemsg(m);
3069 		sc->sc_tx_err++;
3070 
3071 		mutex_enter(&sc->sc_tx_lock);
3072 		ring->queued--;
3073 		if ((sc->sc_need_reschedule) && (ring->queued <= 0)) {
3074 			sc->sc_need_reschedule = 0;
3075 			mutex_exit(&sc->sc_tx_lock);
3076 			mac_tx_update(ic->ic_mach);
3077 			mutex_enter(&sc->sc_tx_lock);
3078 		}
3079 		mutex_exit(&sc->sc_tx_lock);
3080 
3081 		err = IWP_SUCCESS;
3082 		goto exit;
3083 	}
3084 
3085 	/*
3086 	 * Net80211 module encapsulate outbound data frames.
3087 	 * Add some feilds of 80211 frame.
3088 	 */
3089 	if ((type & IEEE80211_FC0_TYPE_MASK) ==
3090 	    IEEE80211_FC0_TYPE_DATA) {
3091 		(void) ieee80211_encap(ic, m, in);
3092 	}
3093 
3094 	freemsg(mp);
3095 
3096 	cmd->hdr.type = REPLY_TX;
3097 	cmd->hdr.flags = 0;
3098 	cmd->hdr.qid = ring->qid;
3099 
3100 	tx = (iwp_tx_cmd_t *)cmd->data;
3101 	tx->tx_flags = 0;
3102 
3103 	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3104 		tx->tx_flags &= ~(LE_32(TX_CMD_FLG_ACK_MSK));
3105 	} else {
3106 		tx->tx_flags |= LE_32(TX_CMD_FLG_ACK_MSK);
3107 	}
3108 
3109 	if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
3110 		k = ieee80211_crypto_encap(ic, m);
3111 		if (NULL == k) {
3112 			freemsg(m);
3113 			sc->sc_tx_err++;
3114 
3115 			mutex_enter(&sc->sc_tx_lock);
3116 			ring->queued--;
3117 			if ((sc->sc_need_reschedule) && (ring->queued <= 0)) {
3118 				sc->sc_need_reschedule = 0;
3119 				mutex_exit(&sc->sc_tx_lock);
3120 				mac_tx_update(ic->ic_mach);
3121 				mutex_enter(&sc->sc_tx_lock);
3122 			}
3123 			mutex_exit(&sc->sc_tx_lock);
3124 
3125 			err = IWP_SUCCESS;
3126 			goto exit;
3127 		}
3128 
3129 		/* packet header may have moved, reset our local pointer */
3130 		wh = (struct ieee80211_frame *)m->b_rptr;
3131 	}
3132 
3133 	len = msgdsize(m);
3134 
3135 #ifdef DEBUG
3136 	if (iwp_dbg_flags & IWP_DEBUG_TX) {
3137 		ieee80211_dump_pkt((uint8_t *)wh, hdrlen, 0, 0);
3138 	}
3139 #endif
3140 
3141 	tx->rts_retry_limit = IWP_TX_RTS_RETRY_LIMIT;
3142 	tx->data_retry_limit = IWP_TX_DATA_RETRY_LIMIT;
3143 
3144 	/*
3145 	 * specific TX parameters for management frames
3146 	 */
3147 	if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
3148 	    IEEE80211_FC0_TYPE_MGT) {
3149 		/*
3150 		 * mgmt frames are sent at 1M
3151 		 */
3152 		if ((in->in_rates.ir_rates[0] &
3153 		    IEEE80211_RATE_VAL) != 0) {
3154 			rate = in->in_rates.ir_rates[0] & IEEE80211_RATE_VAL;
3155 		} else {
3156 			rate = 2;
3157 		}
3158 
3159 		tx->tx_flags |= LE_32(TX_CMD_FLG_SEQ_CTL_MSK);
3160 
3161 		/*
3162 		 * tell h/w to set timestamp in probe responses
3163 		 */
3164 		if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) ==
3165 		    IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
3166 			tx->tx_flags |= LE_32(TX_CMD_FLG_TSF_MSK);
3167 
3168 			tx->data_retry_limit = 3;
3169 			if (tx->data_retry_limit < tx->rts_retry_limit) {
3170 				tx->rts_retry_limit = tx->data_retry_limit;
3171 			}
3172 		}
3173 
3174 		if (((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) ==
3175 		    IEEE80211_FC0_SUBTYPE_ASSOC_REQ) ||
3176 		    ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) ==
3177 		    IEEE80211_FC0_SUBTYPE_REASSOC_REQ)) {
3178 			tx->timeout.pm_frame_timeout = LE_16(3);
3179 		} else {
3180 			tx->timeout.pm_frame_timeout = LE_16(2);
3181 		}
3182 
3183 	} else {
3184 		/*
3185 		 * do it here for the software way rate scaling.
3186 		 * later for rate scaling in hardware.
3187 		 *
3188 		 * now the txrate is determined in tx cmd flags, set to the
3189 		 * max value 54M for 11g and 11M for 11b originally.
3190 		 */
3191 		if (ic->ic_fixed_rate != IEEE80211_FIXED_RATE_NONE) {
3192 			rate = ic->ic_fixed_rate;
3193 		} else {
3194 			if ((in->in_rates.ir_rates[in->in_txrate] &
3195 			    IEEE80211_RATE_VAL) != 0) {
3196 				rate = in->in_rates.
3197 				    ir_rates[in->in_txrate] &
3198 				    IEEE80211_RATE_VAL;
3199 			}
3200 		}
3201 
3202 		tx->tx_flags |= LE_32(TX_CMD_FLG_SEQ_CTL_MSK);
3203 
3204 		tx->timeout.pm_frame_timeout = 0;
3205 	}
3206 
3207 	IWP_DBG((IWP_DEBUG_TX, "iwp_send(): "
3208 	    "tx rate[%d of %d] = %x",
3209 	    in->in_txrate, in->in_rates.ir_nrates, rate));
3210 
3211 	len0 = roundup(4 + sizeof (iwp_tx_cmd_t) + hdrlen, 4);
3212 	if (len0 != (4 + sizeof (iwp_tx_cmd_t) + hdrlen)) {
3213 		tx->tx_flags |= LE_32(TX_CMD_FLG_MH_PAD_MSK);
3214 	}
3215 
3216 	/*
3217 	 * retrieve destination node's id
3218 	 */
3219 	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
3220 		tx->sta_id = IWP_BROADCAST_ID;
3221 	} else {
3222 		tx->sta_id = IWP_AP_ID;
3223 	}
3224 
3225 	if (2 == rate || 4 == rate || 11 == rate || 22 == rate) {
3226 		masks |= RATE_MCS_CCK_MSK;
3227 	}
3228 
3229 	masks |= RATE_MCS_ANT_B_MSK;
3230 	tx->rate.r.rate_n_flags = LE_32(iwp_rate_to_plcp(rate) | masks);
3231 
3232 	IWP_DBG((IWP_DEBUG_TX, "iwp_send(): "
3233 	    "tx flag = %x",
3234 	    tx->tx_flags));
3235 
3236 	tx->stop_time.life_time  = LE_32(0xffffffff);
3237 
3238 	tx->len = LE_16(len);
3239 
3240 	tx->dram_lsb_ptr =
3241 	    LE_32(data->paddr_cmd + 4 + offsetof(iwp_tx_cmd_t, scratch));
3242 	tx->dram_msb_ptr = 0;
3243 	tx->driver_txop = 0;
3244 	tx->next_frame_len = 0;
3245 
3246 	(void) memcpy(tx + 1, m->b_rptr, hdrlen);
3247 	m->b_rptr += hdrlen;
3248 	(void) memcpy(data->dma_data.mem_va, m->b_rptr, len - hdrlen);
3249 
3250 	IWP_DBG((IWP_DEBUG_TX, "iwp_send(): "
3251 	    "sending data: qid=%d idx=%d len=%d",
3252 	    ring->qid, ring->cur, len));
3253 
3254 	/*
3255 	 * first segment includes the tx cmd plus the 802.11 header,
3256 	 * the second includes the remaining of the 802.11 frame.
3257 	 */
3258 	mutex_enter(&sc->sc_tx_lock);
3259 
3260 	cmd->hdr.idx = ring->desc_cur;
3261 
3262 	desc_data = &ring->data[ring->desc_cur];
3263 	desc = desc_data->desc;
3264 	bzero(desc, sizeof (*desc));
3265 	desc->val0 = 2 << 24;
3266 	desc->pa[0].tb1_addr = data->paddr_cmd;
3267 	desc->pa[0].val1 = ((len0 << 4) & 0xfff0) |
3268 	    ((data->dma_data.cookie.dmac_address & 0xffff) << 16);
3269 	desc->pa[0].val2 =
3270 	    ((data->dma_data.cookie.dmac_address & 0xffff0000) >> 16) |
3271 	    ((len - hdrlen) << 20);
3272 	IWP_DBG((IWP_DEBUG_TX, "iwp_send(): "
3273 	    "phy addr1 = 0x%x phy addr2 = 0x%x "
3274 	    "len1 = 0x%x, len2 = 0x%x val1 = 0x%x val2 = 0x%x",
3275 	    data->paddr_cmd, data->dma_data.cookie.dmac_address,
3276 	    len0, len - hdrlen, desc->pa[0].val1, desc->pa[0].val2));
3277 
3278 	/*
3279 	 * kick ring
3280 	 */
3281 	s_id = tx->sta_id;
3282 
3283 	sc->sc_shared->queues_byte_cnt_tbls[ring->qid].
3284 	    tfd_offset[ring->desc_cur].val =
3285 	    (8 + len) | (s_id << 12);
3286 	if (ring->desc_cur < IWP_MAX_WIN_SIZE) {
3287 		sc->sc_shared->queues_byte_cnt_tbls[ring->qid].
3288 		    tfd_offset[IWP_QUEUE_SIZE + ring->desc_cur].val =
3289 		    (8 + len) | (s_id << 12);
3290 	}
3291 
3292 	IWP_DMA_SYNC(data->dma_data, DDI_DMA_SYNC_FORDEV);
3293 	IWP_DMA_SYNC(ring->dma_desc, DDI_DMA_SYNC_FORDEV);
3294 
3295 	ring->desc_cur = (ring->desc_cur + 1) % ring->count;
3296 	IWP_WRITE(sc, HBUS_TARG_WRPTR, ring->qid << 8 | ring->desc_cur);
3297 
3298 	mutex_exit(&sc->sc_tx_lock);
3299 	freemsg(m);
3300 
3301 	/*
3302 	 * release node reference
3303 	 */
3304 	ieee80211_free_node(in);
3305 
3306 	ic->ic_stats.is_tx_bytes += len;
3307 	ic->ic_stats.is_tx_frags++;
3308 
3309 	mutex_enter(&sc->sc_mt_lock);
3310 	if (0 == sc->sc_tx_timer) {
3311 		sc->sc_tx_timer = 4;
3312 	}
3313 	mutex_exit(&sc->sc_mt_lock);
3314 
3315 exit:
3316 	return (err);
3317 }
3318 
3319 /*
3320  * invoked by GLD to deal with IOCTL affaires
3321  */
3322 static void
3323 iwp_m_ioctl(void* arg, queue_t *wq, mblk_t *mp)
3324 {
3325 	iwp_sc_t	*sc;
3326 	ieee80211com_t	*ic;
3327 	int		err = EINVAL;
3328 
3329 	if (NULL == arg) {
3330 		return;
3331 	}
3332 	sc = (iwp_sc_t *)arg;
3333 	ic = &sc->sc_ic;
3334 
3335 	err = ieee80211_ioctl(ic, wq, mp);
3336 	if (ENETRESET == err) {
3337 		/*
3338 		 * This is special for the hidden AP connection.
3339 		 * In any case, we should make sure only one 'scan'
3340 		 * in the driver for a 'connect' CLI command. So
3341 		 * when connecting to a hidden AP, the scan is just
3342 		 * sent out to the air when we know the desired
3343 		 * essid of the AP we want to connect.
3344 		 */
3345 		if (ic->ic_des_esslen) {
3346 			if (sc->sc_flags & IWP_F_RUNNING) {
3347 				iwp_m_stop(sc);
3348 				(void) iwp_m_start(sc);
3349 				(void) ieee80211_new_state(ic,
3350 				    IEEE80211_S_SCAN, -1);
3351 			}
3352 		}
3353 	}
3354 }
3355 
3356 /*
3357  * Call back functions for get/set proporty
3358  */
3359 static int
3360 iwp_m_getprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3361     uint_t wldp_length, void *wldp_buf)
3362 {
3363 	iwp_sc_t	*sc;
3364 	int		err = EINVAL;
3365 
3366 	if (NULL == arg) {
3367 		return (EINVAL);
3368 	}
3369 	sc = (iwp_sc_t *)arg;
3370 
3371 	err = ieee80211_getprop(&sc->sc_ic, pr_name, wldp_pr_num,
3372 	    wldp_length, wldp_buf);
3373 
3374 	return (err);
3375 }
3376 
3377 static void
3378 iwp_m_propinfo(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3379     mac_prop_info_handle_t prh)
3380 {
3381 	iwp_sc_t	*sc;
3382 
3383 	sc = (iwp_sc_t *)arg;
3384 	ieee80211_propinfo(&sc->sc_ic, pr_name, wldp_pr_num, prh);
3385 }
3386 
3387 static int
3388 iwp_m_setprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3389     uint_t wldp_length, const void *wldp_buf)
3390 {
3391 	iwp_sc_t		*sc;
3392 	ieee80211com_t		*ic;
3393 	int			err = EINVAL;
3394 
3395 	if (NULL == arg) {
3396 		return (EINVAL);
3397 	}
3398 	sc = (iwp_sc_t *)arg;
3399 	ic = &sc->sc_ic;
3400 
3401 	err = ieee80211_setprop(ic, pr_name, wldp_pr_num, wldp_length,
3402 	    wldp_buf);
3403 
3404 	if (err == ENETRESET) {
3405 		if (ic->ic_des_esslen) {
3406 			if (sc->sc_flags & IWP_F_RUNNING) {
3407 				iwp_m_stop(sc);
3408 				(void) iwp_m_start(sc);
3409 				(void) ieee80211_new_state(ic,
3410 				    IEEE80211_S_SCAN, -1);
3411 			}
3412 		}
3413 		err = 0;
3414 	}
3415 	return (err);
3416 }
3417 
3418 /*
3419  * invoked by GLD supply statistics NIC and driver
3420  */
3421 static int
3422 iwp_m_stat(void *arg, uint_t stat, uint64_t *val)
3423 {
3424 	iwp_sc_t	*sc;
3425 	ieee80211com_t	*ic;
3426 	ieee80211_node_t *in;
3427 
3428 	if (NULL == arg) {
3429 		return (EINVAL);
3430 	}
3431 	sc = (iwp_sc_t *)arg;
3432 	ic = &sc->sc_ic;
3433 
3434 	mutex_enter(&sc->sc_glock);
3435 
3436 	switch (stat) {
3437 	case MAC_STAT_IFSPEED:
3438 		in = ic->ic_bss;
3439 		*val = ((IEEE80211_FIXED_RATE_NONE == ic->ic_fixed_rate) ?
3440 		    IEEE80211_RATE(in->in_txrate) :
3441 		    ic->ic_fixed_rate) / 2 * 1000000;
3442 		break;
3443 	case MAC_STAT_NOXMTBUF:
3444 		*val = sc->sc_tx_nobuf;
3445 		break;
3446 	case MAC_STAT_NORCVBUF:
3447 		*val = sc->sc_rx_nobuf;
3448 		break;
3449 	case MAC_STAT_IERRORS:
3450 		*val = sc->sc_rx_err;
3451 		break;
3452 	case MAC_STAT_RBYTES:
3453 		*val = ic->ic_stats.is_rx_bytes;
3454 		break;
3455 	case MAC_STAT_IPACKETS:
3456 		*val = ic->ic_stats.is_rx_frags;
3457 		break;
3458 	case MAC_STAT_OBYTES:
3459 		*val = ic->ic_stats.is_tx_bytes;
3460 		break;
3461 	case MAC_STAT_OPACKETS:
3462 		*val = ic->ic_stats.is_tx_frags;
3463 		break;
3464 	case MAC_STAT_OERRORS:
3465 	case WIFI_STAT_TX_FAILED:
3466 		*val = sc->sc_tx_err;
3467 		break;
3468 	case WIFI_STAT_TX_RETRANS:
3469 		*val = sc->sc_tx_retries;
3470 		break;
3471 	case WIFI_STAT_FCS_ERRORS:
3472 	case WIFI_STAT_WEP_ERRORS:
3473 	case WIFI_STAT_TX_FRAGS:
3474 	case WIFI_STAT_MCAST_TX:
3475 	case WIFI_STAT_RTS_SUCCESS:
3476 	case WIFI_STAT_RTS_FAILURE:
3477 	case WIFI_STAT_ACK_FAILURE:
3478 	case WIFI_STAT_RX_FRAGS:
3479 	case WIFI_STAT_MCAST_RX:
3480 	case WIFI_STAT_RX_DUPS:
3481 		mutex_exit(&sc->sc_glock);
3482 		return (ieee80211_stat(ic, stat, val));
3483 	default:
3484 		mutex_exit(&sc->sc_glock);
3485 		return (ENOTSUP);
3486 	}
3487 
3488 	mutex_exit(&sc->sc_glock);
3489 
3490 	return (IWP_SUCCESS);
3491 
3492 }
3493 
3494 /*
3495  * invoked by GLD to start or open NIC
3496  */
3497 static int
3498 iwp_m_start(void *arg)
3499 {
3500 	iwp_sc_t *sc;
3501 	ieee80211com_t	*ic;
3502 	int err = IWP_FAIL;
3503 
3504 	if (NULL == arg) {
3505 		return (EINVAL);
3506 	}
3507 	sc = (iwp_sc_t *)arg;
3508 	ic = &sc->sc_ic;
3509 
3510 	err = iwp_init(sc);
3511 	if (err != IWP_SUCCESS) {
3512 		/*
3513 		 * The hw init err(eg. RF is OFF). Return Success to make
3514 		 * the 'plumb' succeed. The iwp_thread() tries to re-init
3515 		 * background.
3516 		 */
3517 		atomic_or_32(&sc->sc_flags, IWP_F_HW_ERR_RECOVER);
3518 		return (IWP_SUCCESS);
3519 	}
3520 
3521 	ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
3522 
3523 	atomic_or_32(&sc->sc_flags, IWP_F_RUNNING);
3524 
3525 	return (IWP_SUCCESS);
3526 }
3527 
3528 /*
3529  * invoked by GLD to stop or down NIC
3530  */
3531 static void
3532 iwp_m_stop(void *arg)
3533 {
3534 	iwp_sc_t *sc;
3535 	ieee80211com_t	*ic;
3536 
3537 	if (NULL == arg) {
3538 		return;
3539 	}
3540 	sc = (iwp_sc_t *)arg;
3541 	ic = &sc->sc_ic;
3542 
3543 	iwp_stop(sc);
3544 
3545 	/*
3546 	 * release buffer for calibration
3547 	 */
3548 	iwp_release_calib_buffer(sc);
3549 
3550 	ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
3551 
3552 	atomic_and_32(&sc->sc_flags, ~IWP_F_HW_ERR_RECOVER);
3553 	atomic_and_32(&sc->sc_flags, ~IWP_F_RATE_AUTO_CTL);
3554 
3555 	atomic_and_32(&sc->sc_flags, ~IWP_F_RUNNING);
3556 	atomic_and_32(&sc->sc_flags, ~IWP_F_SCANNING);
3557 }
3558 
3559 /*
3560  * invoked by GLD to configure NIC
3561  */
3562 static int
3563 iwp_m_unicst(void *arg, const uint8_t *macaddr)
3564 {
3565 	iwp_sc_t *sc;
3566 	ieee80211com_t	*ic;
3567 	int err = IWP_SUCCESS;
3568 
3569 	if (NULL == arg) {
3570 		return (EINVAL);
3571 	}
3572 	sc = (iwp_sc_t *)arg;
3573 	ic = &sc->sc_ic;
3574 
3575 	if (!IEEE80211_ADDR_EQ(ic->ic_macaddr, macaddr)) {
3576 		IEEE80211_ADDR_COPY(ic->ic_macaddr, macaddr);
3577 		mutex_enter(&sc->sc_glock);
3578 		err = iwp_config(sc);
3579 		mutex_exit(&sc->sc_glock);
3580 		if (err != IWP_SUCCESS) {
3581 			cmn_err(CE_WARN, "iwp_m_unicst(): "
3582 			    "failed to configure device\n");
3583 			goto fail;
3584 		}
3585 	}
3586 
3587 	return (err);
3588 
3589 fail:
3590 	return (err);
3591 }
3592 
3593 /* ARGSUSED */
3594 static int
3595 iwp_m_multicst(void *arg, boolean_t add, const uint8_t *m)
3596 {
3597 	return (IWP_SUCCESS);
3598 }
3599 
3600 /* ARGSUSED */
3601 static int
3602 iwp_m_promisc(void *arg, boolean_t on)
3603 {
3604 	return (IWP_SUCCESS);
3605 }
3606 
3607 /*
3608  * kernel thread to deal with exceptional situation
3609  */
3610 static void
3611 iwp_thread(iwp_sc_t *sc)
3612 {
3613 	ieee80211com_t	*ic = &sc->sc_ic;
3614 	clock_t clk;
3615 	int err, n = 0, timeout = 0;
3616 	uint32_t tmp;
3617 #ifdef	DEBUG
3618 	int times = 0;
3619 #endif
3620 
3621 	while (sc->sc_mf_thread_switch) {
3622 		tmp = IWP_READ(sc, CSR_GP_CNTRL);
3623 		if (tmp & CSR_GP_CNTRL_REG_FLAG_HW_RF_KILL_SW) {
3624 			atomic_and_32(&sc->sc_flags, ~IWP_F_RADIO_OFF);
3625 		} else {
3626 			atomic_or_32(&sc->sc_flags, IWP_F_RADIO_OFF);
3627 		}
3628 
3629 		/*
3630 		 * If  in SUSPEND or the RF is OFF, do nothing.
3631 		 */
3632 		if (sc->sc_flags & IWP_F_RADIO_OFF) {
3633 			delay(drv_usectohz(100000));
3634 			continue;
3635 		}
3636 
3637 		/*
3638 		 * recovery fatal error
3639 		 */
3640 		if (ic->ic_mach &&
3641 		    (sc->sc_flags & IWP_F_HW_ERR_RECOVER)) {
3642 
3643 			IWP_DBG((IWP_DEBUG_FW, "iwp_thread(): "
3644 			    "try to recover fatal hw error: %d\n", times++));
3645 
3646 			iwp_stop(sc);
3647 
3648 			if (IWP_CHK_FAST_RECOVER(sc)) {
3649 				/* save runtime configuration */
3650 				bcopy(&sc->sc_config, &sc->sc_config_save,
3651 				    sizeof (sc->sc_config));
3652 			} else {
3653 				ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
3654 				delay(drv_usectohz(2000000 + n*500000));
3655 			}
3656 
3657 			err = iwp_init(sc);
3658 			if (err != IWP_SUCCESS) {
3659 				n++;
3660 				if (n < 20) {
3661 					continue;
3662 				}
3663 			}
3664 
3665 			n = 0;
3666 			if (!err) {
3667 				atomic_or_32(&sc->sc_flags, IWP_F_RUNNING);
3668 			}
3669 
3670 
3671 			if (!IWP_CHK_FAST_RECOVER(sc) ||
3672 			    iwp_fast_recover(sc) != IWP_SUCCESS) {
3673 				atomic_and_32(&sc->sc_flags,
3674 				    ~IWP_F_HW_ERR_RECOVER);
3675 
3676 				delay(drv_usectohz(2000000));
3677 				if (sc->sc_ostate != IEEE80211_S_INIT) {
3678 					ieee80211_new_state(ic,
3679 					    IEEE80211_S_SCAN, 0);
3680 				}
3681 			}
3682 		}
3683 
3684 		if (ic->ic_mach &&
3685 		    (sc->sc_flags & IWP_F_SCANNING) && sc->sc_scan_pending) {
3686 			IWP_DBG((IWP_DEBUG_SCAN, "iwp_thread(): "
3687 			    "wait for probe response\n"));
3688 
3689 			sc->sc_scan_pending--;
3690 			delay(drv_usectohz(200000));
3691 			ieee80211_next_scan(ic);
3692 		}
3693 
3694 		/*
3695 		 * rate ctl
3696 		 */
3697 		if (ic->ic_mach &&
3698 		    (sc->sc_flags & IWP_F_RATE_AUTO_CTL)) {
3699 			clk = ddi_get_lbolt();
3700 			if (clk > sc->sc_clk + drv_usectohz(1000000)) {
3701 				iwp_amrr_timeout(sc);
3702 			}
3703 		}
3704 
3705 		delay(drv_usectohz(100000));
3706 
3707 		mutex_enter(&sc->sc_mt_lock);
3708 		if (sc->sc_tx_timer) {
3709 			timeout++;
3710 			if (10 == timeout) {
3711 				sc->sc_tx_timer--;
3712 				if (0 == sc->sc_tx_timer) {
3713 					atomic_or_32(&sc->sc_flags,
3714 					    IWP_F_HW_ERR_RECOVER);
3715 					sc->sc_ostate = IEEE80211_S_RUN;
3716 					IWP_DBG((IWP_DEBUG_FW, "iwp_thread(): "
3717 					    "try to recover from "
3718 					    "send fail\n"));
3719 				}
3720 				timeout = 0;
3721 			}
3722 		}
3723 		mutex_exit(&sc->sc_mt_lock);
3724 	}
3725 
3726 	mutex_enter(&sc->sc_mt_lock);
3727 	sc->sc_mf_thread = NULL;
3728 	cv_signal(&sc->sc_mt_cv);
3729 	mutex_exit(&sc->sc_mt_lock);
3730 }
3731 
3732 
3733 /*
3734  * Send a command to the ucode.
3735  */
3736 static int
3737 iwp_cmd(iwp_sc_t *sc, int code, const void *buf, int size, int async)
3738 {
3739 	iwp_tx_ring_t *ring = &sc->sc_txq[IWP_CMD_QUEUE_NUM];
3740 	iwp_tx_desc_t *desc;
3741 	iwp_cmd_t *cmd;
3742 
3743 	ASSERT(size <= sizeof (cmd->data));
3744 	ASSERT(mutex_owned(&sc->sc_glock));
3745 
3746 	IWP_DBG((IWP_DEBUG_CMD, "iwp_cmd() "
3747 	    "code[%d]", code));
3748 	desc = ring->data[ring->cur].desc;
3749 	cmd = ring->data[ring->cur].cmd;
3750 
3751 	cmd->hdr.type = (uint8_t)code;
3752 	cmd->hdr.flags = 0;
3753 	cmd->hdr.qid = ring->qid;
3754 	cmd->hdr.idx = ring->cur;
3755 	(void) memcpy(cmd->data, buf, size);
3756 	(void) memset(desc, 0, sizeof (*desc));
3757 
3758 	desc->val0 = 1 << 24;
3759 	desc->pa[0].tb1_addr =
3760 	    (uint32_t)(ring->data[ring->cur].paddr_cmd & 0xffffffff);
3761 	desc->pa[0].val1 = ((4 + size) << 4) & 0xfff0;
3762 
3763 	if (async) {
3764 		sc->sc_cmd_accum++;
3765 	}
3766 
3767 	/*
3768 	 * kick cmd ring XXX
3769 	 */
3770 	sc->sc_shared->queues_byte_cnt_tbls[ring->qid].
3771 	    tfd_offset[ring->cur].val = 8;
3772 	if (ring->cur < IWP_MAX_WIN_SIZE) {
3773 		sc->sc_shared->queues_byte_cnt_tbls[ring->qid].
3774 		    tfd_offset[IWP_QUEUE_SIZE + ring->cur].val = 8;
3775 	}
3776 	ring->cur = (ring->cur + 1) % ring->count;
3777 	IWP_WRITE(sc, HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
3778 
3779 	if (async) {
3780 		return (IWP_SUCCESS);
3781 	} else {
3782 		clock_t clk;
3783 
3784 		clk = ddi_get_lbolt() + drv_usectohz(2000000);
3785 		while (sc->sc_cmd_flag != SC_CMD_FLG_DONE) {
3786 			if (cv_timedwait(&sc->sc_cmd_cv,
3787 			    &sc->sc_glock, clk) < 0) {
3788 				break;
3789 			}
3790 		}
3791 
3792 		if (SC_CMD_FLG_DONE == sc->sc_cmd_flag) {
3793 			sc->sc_cmd_flag = SC_CMD_FLG_NONE;
3794 			return (IWP_SUCCESS);
3795 		} else {
3796 			sc->sc_cmd_flag = SC_CMD_FLG_NONE;
3797 			return (IWP_FAIL);
3798 		}
3799 	}
3800 }
3801 
3802 /*
3803  * require ucode seting led of NIC
3804  */
3805 static void
3806 iwp_set_led(iwp_sc_t *sc, uint8_t id, uint8_t off, uint8_t on)
3807 {
3808 	iwp_led_cmd_t led;
3809 
3810 	led.interval = LE_32(100000);	/* unit: 100ms */
3811 	led.id = id;
3812 	led.off = off;
3813 	led.on = on;
3814 
3815 	(void) iwp_cmd(sc, REPLY_LEDS_CMD, &led, sizeof (led), 1);
3816 }
3817 
3818 /*
3819  * necessary setting to NIC before authentication
3820  */
3821 static int
3822 iwp_hw_set_before_auth(iwp_sc_t *sc)
3823 {
3824 	ieee80211com_t *ic = &sc->sc_ic;
3825 	ieee80211_node_t *in = ic->ic_bss;
3826 	int err = IWP_FAIL;
3827 
3828 	/*
3829 	 * update adapter's configuration according
3830 	 * the info of target AP
3831 	 */
3832 	IEEE80211_ADDR_COPY(sc->sc_config.bssid, in->in_bssid);
3833 	sc->sc_config.chan = LE_16(ieee80211_chan2ieee(ic, in->in_chan));
3834 
3835 		sc->sc_config.ofdm_ht_triple_stream_basic_rates = 0;
3836 		sc->sc_config.ofdm_ht_dual_stream_basic_rates = 0;
3837 		sc->sc_config.ofdm_ht_single_stream_basic_rates = 0;
3838 
3839 		if (IEEE80211_MODE_11B == ic->ic_curmode) {
3840 			sc->sc_config.cck_basic_rates  = 0x03;
3841 			sc->sc_config.ofdm_basic_rates = 0;
3842 		} else if ((in->in_chan != IEEE80211_CHAN_ANYC) &&
3843 		    (IEEE80211_IS_CHAN_5GHZ(in->in_chan))) {
3844 			sc->sc_config.cck_basic_rates  = 0;
3845 			sc->sc_config.ofdm_basic_rates = 0x15;
3846 		} else { /* assume 802.11b/g */
3847 			sc->sc_config.cck_basic_rates  = 0x0f;
3848 			sc->sc_config.ofdm_basic_rates = 0xff;
3849 		}
3850 
3851 	sc->sc_config.flags &= ~LE_32(RXON_FLG_SHORT_PREAMBLE_MSK |
3852 	    RXON_FLG_SHORT_SLOT_MSK);
3853 
3854 	if (ic->ic_flags & IEEE80211_F_SHSLOT) {
3855 		sc->sc_config.flags |= LE_32(RXON_FLG_SHORT_SLOT_MSK);
3856 	} else {
3857 		sc->sc_config.flags &= LE_32(~RXON_FLG_SHORT_SLOT_MSK);
3858 	}
3859 
3860 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE) {
3861 		sc->sc_config.flags |= LE_32(RXON_FLG_SHORT_PREAMBLE_MSK);
3862 	} else {
3863 		sc->sc_config.flags &= LE_32(~RXON_FLG_SHORT_PREAMBLE_MSK);
3864 	}
3865 
3866 	IWP_DBG((IWP_DEBUG_80211, "iwp_hw_set_before_auth(): "
3867 	    "config chan %d flags %x "
3868 	    "filter_flags %x  cck %x ofdm %x"
3869 	    " bssid:%02x:%02x:%02x:%02x:%02x:%2x\n",
3870 	    LE_16(sc->sc_config.chan), LE_32(sc->sc_config.flags),
3871 	    LE_32(sc->sc_config.filter_flags),
3872 	    sc->sc_config.cck_basic_rates, sc->sc_config.ofdm_basic_rates,
3873 	    sc->sc_config.bssid[0], sc->sc_config.bssid[1],
3874 	    sc->sc_config.bssid[2], sc->sc_config.bssid[3],
3875 	    sc->sc_config.bssid[4], sc->sc_config.bssid[5]));
3876 
3877 	err = iwp_cmd(sc, REPLY_RXON, &sc->sc_config,
3878 	    sizeof (iwp_rxon_cmd_t), 1);
3879 	if (err != IWP_SUCCESS) {
3880 		cmn_err(CE_WARN, "iwp_hw_set_before_auth(): "
3881 		    "failed to config chan%d\n", sc->sc_config.chan);
3882 		return (err);
3883 	}
3884 
3885 	/*
3886 	 * add default AP node
3887 	 */
3888 	err = iwp_add_ap_sta(sc);
3889 	if (err != IWP_SUCCESS) {
3890 		return (err);
3891 	}
3892 
3893 
3894 	return (err);
3895 }
3896 
3897 /*
3898  * Send a scan request(assembly scan cmd) to the firmware.
3899  */
3900 static int
3901 iwp_scan(iwp_sc_t *sc)
3902 {
3903 	ieee80211com_t *ic = &sc->sc_ic;
3904 	iwp_tx_ring_t *ring = &sc->sc_txq[IWP_CMD_QUEUE_NUM];
3905 	iwp_tx_desc_t *desc;
3906 	iwp_tx_data_t *data;
3907 	iwp_cmd_t *cmd;
3908 	iwp_scan_hdr_t *hdr;
3909 	iwp_scan_chan_t chan;
3910 	struct ieee80211_frame *wh;
3911 	ieee80211_node_t *in = ic->ic_bss;
3912 	uint8_t essid[IEEE80211_NWID_LEN+1];
3913 	struct ieee80211_rateset *rs;
3914 	enum ieee80211_phymode mode;
3915 	uint8_t *frm;
3916 	int i, pktlen, nrates;
3917 
3918 	data = &ring->data[ring->cur];
3919 	desc = data->desc;
3920 	cmd = (iwp_cmd_t *)data->dma_data.mem_va;
3921 
3922 	cmd->hdr.type = REPLY_SCAN_CMD;
3923 	cmd->hdr.flags = 0;
3924 	cmd->hdr.qid = ring->qid;
3925 	cmd->hdr.idx = ring->cur | 0x40;
3926 
3927 	hdr = (iwp_scan_hdr_t *)cmd->data;
3928 	(void) memset(hdr, 0, sizeof (iwp_scan_hdr_t));
3929 	hdr->nchan = 1;
3930 	hdr->quiet_time = LE_16(50);
3931 	hdr->quiet_plcp_th = LE_16(1);
3932 
3933 	hdr->flags = LE_32(RXON_FLG_BAND_24G_MSK);
3934 	hdr->rx_chain = LE_16(RXON_RX_CHAIN_DRIVER_FORCE_MSK |
3935 	    (0x7 << RXON_RX_CHAIN_VALID_POS) |
3936 	    (0x2 << RXON_RX_CHAIN_FORCE_SEL_POS) |
3937 	    (0x2 << RXON_RX_CHAIN_FORCE_MIMO_SEL_POS));
3938 
3939 	hdr->tx_cmd.tx_flags = LE_32(TX_CMD_FLG_SEQ_CTL_MSK);
3940 	hdr->tx_cmd.sta_id = IWP_BROADCAST_ID;
3941 	hdr->tx_cmd.stop_time.life_time = LE_32(0xffffffff);
3942 	hdr->tx_cmd.rate.r.rate_n_flags = LE_32(iwp_rate_to_plcp(2));
3943 	hdr->tx_cmd.rate.r.rate_n_flags |=
3944 	    LE_32(RATE_MCS_ANT_B_MSK |RATE_MCS_CCK_MSK);
3945 	hdr->direct_scan[0].len = ic->ic_des_esslen;
3946 	hdr->direct_scan[0].id  = IEEE80211_ELEMID_SSID;
3947 
3948 	hdr->filter_flags = LE_32(RXON_FILTER_ACCEPT_GRP_MSK |
3949 	    RXON_FILTER_BCON_AWARE_MSK);
3950 
3951 	if (ic->ic_des_esslen) {
3952 		bcopy(ic->ic_des_essid, essid, ic->ic_des_esslen);
3953 		essid[ic->ic_des_esslen] = '\0';
3954 		IWP_DBG((IWP_DEBUG_SCAN, "iwp_scan(): "
3955 		    "directed scan %s\n", essid));
3956 
3957 		bcopy(ic->ic_des_essid, hdr->direct_scan[0].ssid,
3958 		    ic->ic_des_esslen);
3959 	} else {
3960 		bzero(hdr->direct_scan[0].ssid,
3961 		    sizeof (hdr->direct_scan[0].ssid));
3962 	}
3963 
3964 	/*
3965 	 * a probe request frame is required after the REPLY_SCAN_CMD
3966 	 */
3967 	wh = (struct ieee80211_frame *)(hdr + 1);
3968 	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
3969 	    IEEE80211_FC0_SUBTYPE_PROBE_REQ;
3970 	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
3971 	(void) memset(wh->i_addr1, 0xff, 6);
3972 	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_macaddr);
3973 	(void) memset(wh->i_addr3, 0xff, 6);
3974 	*(uint16_t *)&wh->i_dur[0] = 0;
3975 	*(uint16_t *)&wh->i_seq[0] = 0;
3976 
3977 	frm = (uint8_t *)(wh + 1);
3978 
3979 	/*
3980 	 * essid IE
3981 	 */
3982 	if (in->in_esslen) {
3983 		bcopy(in->in_essid, essid, in->in_esslen);
3984 		essid[in->in_esslen] = '\0';
3985 		IWP_DBG((IWP_DEBUG_SCAN, "iwp_scan(): "
3986 		    "probe with ESSID %s\n",
3987 		    essid));
3988 	}
3989 	*frm++ = IEEE80211_ELEMID_SSID;
3990 	*frm++ = in->in_esslen;
3991 	(void) memcpy(frm, in->in_essid, in->in_esslen);
3992 	frm += in->in_esslen;
3993 
3994 	mode = ieee80211_chan2mode(ic, ic->ic_curchan);
3995 	rs = &ic->ic_sup_rates[mode];
3996 
3997 	/*
3998 	 * supported rates IE
3999 	 */
4000 	*frm++ = IEEE80211_ELEMID_RATES;
4001 	nrates = rs->ir_nrates;
4002 	if (nrates > IEEE80211_RATE_SIZE) {
4003 		nrates = IEEE80211_RATE_SIZE;
4004 	}
4005 
4006 	*frm++ = (uint8_t)nrates;
4007 	(void) memcpy(frm, rs->ir_rates, nrates);
4008 	frm += nrates;
4009 
4010 	/*
4011 	 * supported xrates IE
4012 	 */
4013 	if (rs->ir_nrates > IEEE80211_RATE_SIZE) {
4014 		nrates = rs->ir_nrates - IEEE80211_RATE_SIZE;
4015 		*frm++ = IEEE80211_ELEMID_XRATES;
4016 		*frm++ = (uint8_t)nrates;
4017 		(void) memcpy(frm, rs->ir_rates + IEEE80211_RATE_SIZE, nrates);
4018 		frm += nrates;
4019 	}
4020 
4021 	/*
4022 	 * optionnal IE (usually for wpa)
4023 	 */
4024 	if (ic->ic_opt_ie != NULL) {
4025 		(void) memcpy(frm, ic->ic_opt_ie, ic->ic_opt_ie_len);
4026 		frm += ic->ic_opt_ie_len;
4027 	}
4028 
4029 	/* setup length of probe request */
4030 	hdr->tx_cmd.len = LE_16(_PTRDIFF(frm, wh));
4031 	hdr->len = LE_16(hdr->nchan * sizeof (iwp_scan_chan_t) +
4032 	    LE_16(hdr->tx_cmd.len) + sizeof (iwp_scan_hdr_t));
4033 
4034 	/*
4035 	 * the attribute of the scan channels are required after the probe
4036 	 * request frame.
4037 	 */
4038 	for (i = 1; i <= hdr->nchan; i++) {
4039 		if (ic->ic_des_esslen) {
4040 			chan.type = LE_32(3);
4041 		} else {
4042 			chan.type = LE_32(1);
4043 		}
4044 
4045 		chan.chan = LE_16(ieee80211_chan2ieee(ic, ic->ic_curchan));
4046 		chan.tpc.tx_gain = 0x28;
4047 		chan.tpc.dsp_atten = 110;
4048 		chan.active_dwell = LE_16(50);
4049 		chan.passive_dwell = LE_16(120);
4050 
4051 		bcopy(&chan, frm, sizeof (iwp_scan_chan_t));
4052 		frm += sizeof (iwp_scan_chan_t);
4053 	}
4054 
4055 	pktlen = _PTRDIFF(frm, cmd);
4056 
4057 	(void) memset(desc, 0, sizeof (*desc));
4058 	desc->val0 = 1 << 24;
4059 	desc->pa[0].tb1_addr =
4060 	    (uint32_t)(data->dma_data.cookie.dmac_address & 0xffffffff);
4061 	desc->pa[0].val1 = (pktlen << 4) & 0xfff0;
4062 
4063 	/*
4064 	 * maybe for cmd, filling the byte cnt table is not necessary.
4065 	 * anyway, we fill it here.
4066 	 */
4067 	sc->sc_shared->queues_byte_cnt_tbls[ring->qid]
4068 	    .tfd_offset[ring->cur].val = 8;
4069 	if (ring->cur < IWP_MAX_WIN_SIZE) {
4070 		sc->sc_shared->queues_byte_cnt_tbls[ring->qid].
4071 		    tfd_offset[IWP_QUEUE_SIZE + ring->cur].val = 8;
4072 	}
4073 
4074 	/*
4075 	 * kick cmd ring
4076 	 */
4077 	ring->cur = (ring->cur + 1) % ring->count;
4078 	IWP_WRITE(sc, HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
4079 
4080 	return (IWP_SUCCESS);
4081 }
4082 
4083 /*
4084  * configure NIC by using ucode commands after loading ucode.
4085  */
4086 static int
4087 iwp_config(iwp_sc_t *sc)
4088 {
4089 	ieee80211com_t *ic = &sc->sc_ic;
4090 	iwp_powertable_cmd_t powertable;
4091 	iwp_bt_cmd_t bt;
4092 	iwp_add_sta_t node;
4093 	iwp_rem_sta_t	rm_sta;
4094 	const uint8_t bcast[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
4095 	int err = IWP_FAIL;
4096 
4097 	/*
4098 	 * set power mode. Disable power management at present, do it later
4099 	 */
4100 	(void) memset(&powertable, 0, sizeof (powertable));
4101 	powertable.flags = LE_16(0x8);
4102 	err = iwp_cmd(sc, POWER_TABLE_CMD, &powertable,
4103 	    sizeof (powertable), 0);
4104 	if (err != IWP_SUCCESS) {
4105 		cmn_err(CE_WARN, "iwp_config(): "
4106 		    "failed to set power mode\n");
4107 		return (err);
4108 	}
4109 
4110 	/*
4111 	 * configure bt coexistence
4112 	 */
4113 	(void) memset(&bt, 0, sizeof (bt));
4114 	bt.flags = 3;
4115 	bt.lead_time = 0xaa;
4116 	bt.max_kill = 1;
4117 	err = iwp_cmd(sc, REPLY_BT_CONFIG, &bt,
4118 	    sizeof (bt), 0);
4119 	if (err != IWP_SUCCESS) {
4120 		cmn_err(CE_WARN, "iwp_config(): "
4121 		    "failed to configurate bt coexistence\n");
4122 		return (err);
4123 	}
4124 
4125 	/*
4126 	 * configure rxon
4127 	 */
4128 	(void) memset(&sc->sc_config, 0, sizeof (iwp_rxon_cmd_t));
4129 	IEEE80211_ADDR_COPY(sc->sc_config.node_addr, ic->ic_macaddr);
4130 	IEEE80211_ADDR_COPY(sc->sc_config.wlap_bssid, ic->ic_macaddr);
4131 	sc->sc_config.chan = LE_16(ieee80211_chan2ieee(ic, ic->ic_curchan));
4132 	sc->sc_config.flags = LE_32(RXON_FLG_BAND_24G_MSK);
4133 	sc->sc_config.flags &= LE_32(~(RXON_FLG_CHANNEL_MODE_MIXED_MSK |
4134 	    RXON_FLG_CHANNEL_MODE_PURE_40_MSK));
4135 
4136 	switch (ic->ic_opmode) {
4137 	case IEEE80211_M_STA:
4138 		sc->sc_config.dev_type = RXON_DEV_TYPE_ESS;
4139 		sc->sc_config.filter_flags |= LE_32(RXON_FILTER_ACCEPT_GRP_MSK |
4140 		    RXON_FILTER_DIS_DECRYPT_MSK |
4141 		    RXON_FILTER_DIS_GRP_DECRYPT_MSK);
4142 		break;
4143 	case IEEE80211_M_IBSS:
4144 	case IEEE80211_M_AHDEMO:
4145 		sc->sc_config.dev_type = RXON_DEV_TYPE_IBSS;
4146 
4147 		sc->sc_config.flags |= LE_32(RXON_FLG_SHORT_PREAMBLE_MSK);
4148 		sc->sc_config.filter_flags = LE_32(RXON_FILTER_ACCEPT_GRP_MSK |
4149 		    RXON_FILTER_DIS_DECRYPT_MSK |
4150 		    RXON_FILTER_DIS_GRP_DECRYPT_MSK);
4151 		break;
4152 	case IEEE80211_M_HOSTAP:
4153 		sc->sc_config.dev_type = RXON_DEV_TYPE_AP;
4154 		break;
4155 	case IEEE80211_M_MONITOR:
4156 		sc->sc_config.dev_type = RXON_DEV_TYPE_SNIFFER;
4157 		sc->sc_config.filter_flags |= LE_32(RXON_FILTER_ACCEPT_GRP_MSK |
4158 		    RXON_FILTER_CTL2HOST_MSK | RXON_FILTER_PROMISC_MSK);
4159 		break;
4160 	}
4161 
4162 	/*
4163 	 * Support all CCK rates.
4164 	 */
4165 	sc->sc_config.cck_basic_rates  = 0x0f;
4166 
4167 	/*
4168 	 * Support all OFDM rates.
4169 	 */
4170 	sc->sc_config.ofdm_basic_rates = 0xff;
4171 
4172 	sc->sc_config.rx_chain = LE_16(RXON_RX_CHAIN_DRIVER_FORCE_MSK |
4173 	    (0x7 << RXON_RX_CHAIN_VALID_POS) |
4174 	    (0x2 << RXON_RX_CHAIN_FORCE_SEL_POS) |
4175 	    (0x2 << RXON_RX_CHAIN_FORCE_MIMO_SEL_POS));
4176 
4177 	err = iwp_cmd(sc, REPLY_RXON, &sc->sc_config,
4178 	    sizeof (iwp_rxon_cmd_t), 0);
4179 	if (err != IWP_SUCCESS) {
4180 		cmn_err(CE_WARN, "iwp_config(): "
4181 		    "failed to set configure command\n");
4182 		return (err);
4183 	}
4184 
4185 	/*
4186 	 * remove all nodes in NIC
4187 	 */
4188 	(void) memset(&rm_sta, 0, sizeof (rm_sta));
4189 	rm_sta.num_sta = 1;
4190 	(void) memcpy(rm_sta.addr, bcast, 6);
4191 
4192 	err = iwp_cmd(sc, REPLY_REMOVE_STA, &rm_sta, sizeof (iwp_rem_sta_t), 0);
4193 	if (err != IWP_SUCCESS) {
4194 		cmn_err(CE_WARN, "iwp_config(): "
4195 		    "failed to remove broadcast node in hardware.\n");
4196 		return (err);
4197 	}
4198 
4199 	/*
4200 	 * add broadcast node so that we can send broadcast frame
4201 	 */
4202 	(void) memset(&node, 0, sizeof (node));
4203 	(void) memset(node.sta.addr, 0xff, 6);
4204 	node.mode = 0;
4205 	node.sta.sta_id = IWP_BROADCAST_ID;
4206 	node.station_flags = 0;
4207 
4208 	err = iwp_cmd(sc, REPLY_ADD_STA, &node, sizeof (node), 0);
4209 	if (err != IWP_SUCCESS) {
4210 		cmn_err(CE_WARN, "iwp_config(): "
4211 		    "failed to add broadcast node\n");
4212 		return (err);
4213 	}
4214 
4215 	return (err);
4216 }
4217 
4218 /*
4219  * quiesce(9E) entry point.
4220  * This function is called when the system is single-threaded at high
4221  * PIL with preemption disabled. Therefore, this function must not be
4222  * blocked.
4223  * This function returns DDI_SUCCESS on success, or DDI_FAILURE on failure.
4224  * DDI_FAILURE indicates an error condition and should almost never happen.
4225  */
4226 static int
4227 iwp_quiesce(dev_info_t *dip)
4228 {
4229 	iwp_sc_t *sc;
4230 
4231 	sc = ddi_get_soft_state(iwp_soft_state_p, ddi_get_instance(dip));
4232 	if (NULL == sc) {
4233 		return (DDI_FAILURE);
4234 	}
4235 
4236 #ifdef DEBUG
4237 	/* by pass any messages, if it's quiesce */
4238 	iwp_dbg_flags = 0;
4239 #endif
4240 
4241 	/*
4242 	 * No more blocking is allowed while we are in the
4243 	 * quiesce(9E) entry point.
4244 	 */
4245 	atomic_or_32(&sc->sc_flags, IWP_F_QUIESCED);
4246 
4247 	/*
4248 	 * Disable and mask all interrupts.
4249 	 */
4250 	iwp_stop(sc);
4251 
4252 	return (DDI_SUCCESS);
4253 }
4254 
4255 static void
4256 iwp_stop_master(iwp_sc_t *sc)
4257 {
4258 	uint32_t tmp;
4259 	int n;
4260 
4261 	tmp = IWP_READ(sc, CSR_RESET);
4262 	IWP_WRITE(sc, CSR_RESET, tmp | CSR_RESET_REG_FLAG_STOP_MASTER);
4263 
4264 	tmp = IWP_READ(sc, CSR_GP_CNTRL);
4265 	if ((tmp & CSR_GP_CNTRL_REG_MSK_POWER_SAVE_TYPE) ==
4266 	    CSR_GP_CNTRL_REG_FLAG_MAC_POWER_SAVE) {
4267 		return;
4268 	}
4269 
4270 	for (n = 0; n < 2000; n++) {
4271 		if (IWP_READ(sc, CSR_RESET) &
4272 		    CSR_RESET_REG_FLAG_MASTER_DISABLED) {
4273 			break;
4274 		}
4275 		DELAY(1000);
4276 	}
4277 
4278 #ifdef	DEBUG
4279 	if (2000 == n) {
4280 		IWP_DBG((IWP_DEBUG_HW, "iwp_stop_master(): "
4281 		    "timeout waiting for master stop\n"));
4282 	}
4283 #endif
4284 }
4285 
4286 static int
4287 iwp_power_up(iwp_sc_t *sc)
4288 {
4289 	uint32_t tmp;
4290 
4291 	iwp_mac_access_enter(sc);
4292 	tmp = iwp_reg_read(sc, ALM_APMG_PS_CTL);
4293 	tmp &= ~APMG_PS_CTRL_REG_MSK_POWER_SRC;
4294 	tmp |= APMG_PS_CTRL_REG_VAL_POWER_SRC_VMAIN;
4295 	iwp_reg_write(sc, ALM_APMG_PS_CTL, tmp);
4296 	iwp_mac_access_exit(sc);
4297 
4298 	DELAY(5000);
4299 	return (IWP_SUCCESS);
4300 }
4301 
4302 /*
4303  * hardware initialization
4304  */
4305 static int
4306 iwp_preinit(iwp_sc_t *sc)
4307 {
4308 	int		n;
4309 	uint8_t		vlink;
4310 	uint16_t	radio_cfg;
4311 	uint32_t	tmp;
4312 
4313 	/*
4314 	 * clear any pending interrupts
4315 	 */
4316 	IWP_WRITE(sc, CSR_INT, 0xffffffff);
4317 
4318 	tmp = IWP_READ(sc, CSR_GIO_CHICKEN_BITS);
4319 	IWP_WRITE(sc, CSR_GIO_CHICKEN_BITS,
4320 	    tmp | CSR_GIO_CHICKEN_BITS_REG_BIT_DIS_L0S_EXIT_TIMER);
4321 
4322 	tmp = IWP_READ(sc, CSR_GP_CNTRL);
4323 	IWP_WRITE(sc, CSR_GP_CNTRL, tmp | CSR_GP_CNTRL_REG_FLAG_INIT_DONE);
4324 
4325 	/*
4326 	 * wait for clock ready
4327 	 */
4328 	for (n = 0; n < 1000; n++) {
4329 		if (IWP_READ(sc, CSR_GP_CNTRL) &
4330 		    CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY) {
4331 			break;
4332 		}
4333 		DELAY(10);
4334 	}
4335 
4336 	if (1000 == n) {
4337 		return (ETIMEDOUT);
4338 	}
4339 
4340 	iwp_mac_access_enter(sc);
4341 
4342 	iwp_reg_write(sc, ALM_APMG_CLK_EN, APMG_CLK_REG_VAL_DMA_CLK_RQT);
4343 
4344 	DELAY(20);
4345 	tmp = iwp_reg_read(sc, ALM_APMG_PCIDEV_STT);
4346 	iwp_reg_write(sc, ALM_APMG_PCIDEV_STT, tmp |
4347 	    APMG_DEV_STATE_REG_VAL_L1_ACTIVE_DISABLE);
4348 	iwp_mac_access_exit(sc);
4349 
4350 	radio_cfg = IWP_READ_EEP_SHORT(sc, EEP_SP_RADIO_CONFIGURATION);
4351 	if (SP_RADIO_TYPE_MSK(radio_cfg) < SP_RADIO_TYPE_MAX) {
4352 		tmp = IWP_READ(sc, CSR_HW_IF_CONFIG_REG);
4353 		IWP_WRITE(sc, CSR_HW_IF_CONFIG_REG,
4354 		    tmp | SP_RADIO_TYPE_MSK(radio_cfg) |
4355 		    SP_RADIO_STEP_MSK(radio_cfg) |
4356 		    SP_RADIO_DASH_MSK(radio_cfg));
4357 	} else {
4358 		cmn_err(CE_WARN, "iwp_preinit(): "
4359 		    "radio configuration information in eeprom is wrong\n");
4360 		return (IWP_FAIL);
4361 	}
4362 
4363 
4364 	IWP_WRITE(sc, CSR_INT_COALESCING, 512 / 32);
4365 
4366 	(void) iwp_power_up(sc);
4367 
4368 	if ((sc->sc_rev & 0x80) == 0x80 && (sc->sc_rev & 0x7f) < 8) {
4369 		tmp = ddi_get32(sc->sc_cfg_handle,
4370 		    (uint32_t *)(sc->sc_cfg_base + 0xe8));
4371 		ddi_put32(sc->sc_cfg_handle,
4372 		    (uint32_t *)(sc->sc_cfg_base + 0xe8),
4373 		    tmp & ~(1 << 11));
4374 	}
4375 
4376 	vlink = ddi_get8(sc->sc_cfg_handle,
4377 	    (uint8_t *)(sc->sc_cfg_base + 0xf0));
4378 	ddi_put8(sc->sc_cfg_handle, (uint8_t *)(sc->sc_cfg_base + 0xf0),
4379 	    vlink & ~2);
4380 
4381 	tmp = IWP_READ(sc, CSR_HW_IF_CONFIG_REG);
4382 	tmp |= CSR_HW_IF_CONFIG_REG_BIT_RADIO_SI |
4383 	    CSR_HW_IF_CONFIG_REG_BIT_MAC_SI;
4384 	IWP_WRITE(sc, CSR_HW_IF_CONFIG_REG, tmp);
4385 
4386 	/*
4387 	 * make sure power supply on each part of the hardware
4388 	 */
4389 	iwp_mac_access_enter(sc);
4390 	tmp = iwp_reg_read(sc, ALM_APMG_PS_CTL);
4391 	tmp |= APMG_PS_CTRL_REG_VAL_ALM_R_RESET_REQ;
4392 	iwp_reg_write(sc, ALM_APMG_PS_CTL, tmp);
4393 	DELAY(5);
4394 
4395 	tmp = iwp_reg_read(sc, ALM_APMG_PS_CTL);
4396 	tmp &= ~APMG_PS_CTRL_REG_VAL_ALM_R_RESET_REQ;
4397 	iwp_reg_write(sc, ALM_APMG_PS_CTL, tmp);
4398 	iwp_mac_access_exit(sc);
4399 
4400 	if (PA_TYPE_MIX == sc->sc_chip_param.pa_type) {
4401 		IWP_WRITE(sc, CSR_GP_DRIVER_REG,
4402 		    CSR_GP_DRIVER_REG_BIT_RADIO_SKU_2x2_MIX);
4403 	}
4404 
4405 	if (PA_TYPE_INTER == sc->sc_chip_param.pa_type) {
4406 
4407 		IWP_WRITE(sc, CSR_GP_DRIVER_REG,
4408 		    CSR_GP_DRIVER_REG_BIT_RADIO_SKU_2x2_IPA);
4409 	}
4410 
4411 	return (IWP_SUCCESS);
4412 }
4413 
4414 /*
4415  * set up semphore flag to own EEPROM
4416  */
4417 static int
4418 iwp_eep_sem_down(iwp_sc_t *sc)
4419 {
4420 	int count1, count2;
4421 	uint32_t tmp;
4422 
4423 	for (count1 = 0; count1 < 1000; count1++) {
4424 		tmp = IWP_READ(sc, CSR_HW_IF_CONFIG_REG);
4425 		IWP_WRITE(sc, CSR_HW_IF_CONFIG_REG,
4426 		    tmp | CSR_HW_IF_CONFIG_REG_EEP_SEM);
4427 
4428 		for (count2 = 0; count2 < 2; count2++) {
4429 			if (IWP_READ(sc, CSR_HW_IF_CONFIG_REG) &
4430 			    CSR_HW_IF_CONFIG_REG_EEP_SEM) {
4431 				return (IWP_SUCCESS);
4432 			}
4433 			DELAY(10000);
4434 		}
4435 	}
4436 	return (IWP_FAIL);
4437 }
4438 
4439 /*
4440  * reset semphore flag to release EEPROM
4441  */
4442 static void
4443 iwp_eep_sem_up(iwp_sc_t *sc)
4444 {
4445 	uint32_t tmp;
4446 
4447 	tmp = IWP_READ(sc, CSR_HW_IF_CONFIG_REG);
4448 	IWP_WRITE(sc, CSR_HW_IF_CONFIG_REG,
4449 	    tmp & (~CSR_HW_IF_CONFIG_REG_EEP_SEM));
4450 }
4451 
4452 /*
4453  * This function read all infomation from eeprom
4454  */
4455 static int
4456 iwp_eep_load(iwp_sc_t *sc)
4457 {
4458 	int i, rr;
4459 	uint32_t rv, tmp, eep_gp;
4460 	uint16_t addr, eep_sz = sizeof (sc->sc_eep_map);
4461 	uint16_t *eep_p = (uint16_t *)&sc->sc_eep_map;
4462 
4463 	/*
4464 	 * read eeprom gp register in CSR
4465 	 */
4466 	eep_gp = IWP_READ(sc, CSR_EEPROM_GP);
4467 	if ((eep_gp & CSR_EEPROM_GP_VALID_MSK) ==
4468 	    CSR_EEPROM_GP_BAD_SIGNATURE) {
4469 		IWP_DBG((IWP_DEBUG_EEPROM, "iwp_eep_load(): "
4470 		    "not find eeprom\n"));
4471 		return (IWP_FAIL);
4472 	}
4473 
4474 	rr = iwp_eep_sem_down(sc);
4475 	if (rr != 0) {
4476 		IWP_DBG((IWP_DEBUG_EEPROM, "iwp_eep_load(): "
4477 		    "driver failed to own EEPROM\n"));
4478 		return (IWP_FAIL);
4479 	}
4480 
4481 	for (addr = 0; addr < eep_sz; addr += 2) {
4482 		IWP_WRITE(sc, CSR_EEPROM_REG, addr<<1);
4483 		tmp = IWP_READ(sc, CSR_EEPROM_REG);
4484 		IWP_WRITE(sc, CSR_EEPROM_REG, tmp & ~(0x2));
4485 
4486 		for (i = 0; i < 10; i++) {
4487 			rv = IWP_READ(sc, CSR_EEPROM_REG);
4488 			if (rv & 1) {
4489 				break;
4490 			}
4491 			DELAY(10);
4492 		}
4493 
4494 		if (!(rv & 1)) {
4495 			IWP_DBG((IWP_DEBUG_EEPROM, "iwp_eep_load(): "
4496 			    "time out when read eeprome\n"));
4497 			iwp_eep_sem_up(sc);
4498 			return (IWP_FAIL);
4499 		}
4500 
4501 		eep_p[addr/2] = LE_16(rv >> 16);
4502 	}
4503 
4504 	iwp_eep_sem_up(sc);
4505 	return (IWP_SUCCESS);
4506 }
4507 
4508 /*
4509  * initialize mac address in ieee80211com_t struct
4510  */
4511 static void
4512 iwp_get_mac_from_eep(iwp_sc_t *sc)
4513 {
4514 	ieee80211com_t *ic = &sc->sc_ic;
4515 
4516 	IEEE80211_ADDR_COPY(ic->ic_macaddr, &sc->sc_eep_map[EEP_MAC_ADDRESS]);
4517 
4518 	IWP_DBG((IWP_DEBUG_EEPROM, "iwp_get_mac_from_eep(): "
4519 	    "mac:%2x:%2x:%2x:%2x:%2x:%2x\n",
4520 	    ic->ic_macaddr[0], ic->ic_macaddr[1], ic->ic_macaddr[2],
4521 	    ic->ic_macaddr[3], ic->ic_macaddr[4], ic->ic_macaddr[5]));
4522 }
4523 
4524 /*
4525  * main initialization function
4526  */
4527 static int
4528 iwp_init(iwp_sc_t *sc)
4529 {
4530 	int err = IWP_FAIL;
4531 	clock_t clk;
4532 
4533 	/*
4534 	 * release buffer for calibration
4535 	 */
4536 	iwp_release_calib_buffer(sc);
4537 
4538 	mutex_enter(&sc->sc_glock);
4539 	atomic_and_32(&sc->sc_flags, ~IWP_F_FW_INIT);
4540 
4541 	err = iwp_init_common(sc);
4542 	if (err != IWP_SUCCESS) {
4543 		mutex_exit(&sc->sc_glock);
4544 		return (IWP_FAIL);
4545 	}
4546 
4547 	/*
4548 	 * backup ucode data part for future use.
4549 	 */
4550 	(void) memcpy(sc->sc_dma_fw_data_bak.mem_va,
4551 	    sc->sc_dma_fw_data.mem_va,
4552 	    sc->sc_dma_fw_data.alength);
4553 
4554 	/* load firmware init segment into NIC */
4555 	err = iwp_load_init_firmware(sc);
4556 	if (err != IWP_SUCCESS) {
4557 		cmn_err(CE_WARN, "iwp_init(): "
4558 		    "failed to setup init firmware\n");
4559 		mutex_exit(&sc->sc_glock);
4560 		return (IWP_FAIL);
4561 	}
4562 
4563 	/*
4564 	 * now press "execute" start running
4565 	 */
4566 	IWP_WRITE(sc, CSR_RESET, 0);
4567 
4568 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
4569 	while (!(sc->sc_flags & IWP_F_FW_INIT)) {
4570 		if (cv_timedwait(&sc->sc_ucode_cv,
4571 		    &sc->sc_glock, clk) < 0) {
4572 			break;
4573 		}
4574 	}
4575 
4576 	if (!(sc->sc_flags & IWP_F_FW_INIT)) {
4577 		cmn_err(CE_WARN, "iwp_init(): "
4578 		    "failed to process init alive.\n");
4579 		mutex_exit(&sc->sc_glock);
4580 		return (IWP_FAIL);
4581 	}
4582 
4583 	mutex_exit(&sc->sc_glock);
4584 
4585 	/*
4586 	 * stop chipset for initializing chipset again
4587 	 */
4588 	iwp_stop(sc);
4589 
4590 	mutex_enter(&sc->sc_glock);
4591 	atomic_and_32(&sc->sc_flags, ~IWP_F_FW_INIT);
4592 
4593 	err = iwp_init_common(sc);
4594 	if (err != IWP_SUCCESS) {
4595 		mutex_exit(&sc->sc_glock);
4596 		return (IWP_FAIL);
4597 	}
4598 
4599 	/*
4600 	 * load firmware run segment into NIC
4601 	 */
4602 	err = iwp_load_run_firmware(sc);
4603 	if (err != IWP_SUCCESS) {
4604 		cmn_err(CE_WARN, "iwp_init(): "
4605 		    "failed to setup run firmware\n");
4606 		mutex_exit(&sc->sc_glock);
4607 		return (IWP_FAIL);
4608 	}
4609 
4610 	/*
4611 	 * now press "execute" start running
4612 	 */
4613 	IWP_WRITE(sc, CSR_RESET, 0);
4614 
4615 	clk = ddi_get_lbolt() + drv_usectohz(1000000);
4616 	while (!(sc->sc_flags & IWP_F_FW_INIT)) {
4617 		if (cv_timedwait(&sc->sc_ucode_cv,
4618 		    &sc->sc_glock, clk) < 0) {
4619 			break;
4620 		}
4621 	}
4622 
4623 	if (!(sc->sc_flags & IWP_F_FW_INIT)) {
4624 		cmn_err(CE_WARN, "iwp_init(): "
4625 		    "failed to process runtime alive.\n");
4626 		mutex_exit(&sc->sc_glock);
4627 		return (IWP_FAIL);
4628 	}
4629 
4630 	mutex_exit(&sc->sc_glock);
4631 
4632 	DELAY(1000);
4633 
4634 	mutex_enter(&sc->sc_glock);
4635 	atomic_and_32(&sc->sc_flags, ~IWP_F_FW_INIT);
4636 
4637 	/*
4638 	 * at this point, the firmware is loaded OK, then config the hardware
4639 	 * with the ucode API, including rxon, txpower, etc.
4640 	 */
4641 	err = iwp_config(sc);
4642 	if (err) {
4643 		cmn_err(CE_WARN, "iwp_init(): "
4644 		    "failed to configure device\n");
4645 		mutex_exit(&sc->sc_glock);
4646 		return (IWP_FAIL);
4647 	}
4648 
4649 	/*
4650 	 * at this point, hardware may receive beacons :)
4651 	 */
4652 	mutex_exit(&sc->sc_glock);
4653 	return (IWP_SUCCESS);
4654 }
4655 
4656 /*
4657  * stop or disable NIC
4658  */
4659 static void
4660 iwp_stop(iwp_sc_t *sc)
4661 {
4662 	uint32_t tmp;
4663 	int i;
4664 
4665 	/* by pass if it's quiesced */
4666 	if (!(sc->sc_flags & IWP_F_QUIESCED)) {
4667 		mutex_enter(&sc->sc_glock);
4668 	}
4669 
4670 	IWP_WRITE(sc, CSR_RESET, CSR_RESET_REG_FLAG_NEVO_RESET);
4671 	/*
4672 	 * disable interrupts
4673 	 */
4674 	IWP_WRITE(sc, CSR_INT_MASK, 0);
4675 	IWP_WRITE(sc, CSR_INT, CSR_INI_SET_MASK);
4676 	IWP_WRITE(sc, CSR_FH_INT_STATUS, 0xffffffff);
4677 
4678 	/*
4679 	 * reset all Tx rings
4680 	 */
4681 	for (i = 0; i < IWP_NUM_QUEUES; i++) {
4682 		iwp_reset_tx_ring(sc, &sc->sc_txq[i]);
4683 	}
4684 
4685 	/*
4686 	 * reset Rx ring
4687 	 */
4688 	iwp_reset_rx_ring(sc);
4689 
4690 	iwp_mac_access_enter(sc);
4691 	iwp_reg_write(sc, ALM_APMG_CLK_DIS, APMG_CLK_REG_VAL_DMA_CLK_RQT);
4692 	iwp_mac_access_exit(sc);
4693 
4694 	DELAY(5);
4695 
4696 	iwp_stop_master(sc);
4697 
4698 	mutex_enter(&sc->sc_mt_lock);
4699 	sc->sc_tx_timer = 0;
4700 	mutex_exit(&sc->sc_mt_lock);
4701 
4702 	tmp = IWP_READ(sc, CSR_RESET);
4703 	IWP_WRITE(sc, CSR_RESET, tmp | CSR_RESET_REG_FLAG_SW_RESET);
4704 
4705 	/* by pass if it's quiesced */
4706 	if (!(sc->sc_flags & IWP_F_QUIESCED)) {
4707 		mutex_exit(&sc->sc_glock);
4708 	}
4709 }
4710 
4711 /*
4712  * Naive implementation of the Adaptive Multi Rate Retry algorithm:
4713  * "IEEE 802.11 Rate Adaptation: A Practical Approach"
4714  * Mathieu Lacage, Hossein Manshaei, Thierry Turletti
4715  * INRIA Sophia - Projet Planete
4716  * http://www-sop.inria.fr/rapports/sophia/RR-5208.html
4717  */
4718 #define	is_success(amrr)	\
4719 	((amrr)->retrycnt < (amrr)->txcnt / 10)
4720 #define	is_failure(amrr)	\
4721 	((amrr)->retrycnt > (amrr)->txcnt / 3)
4722 #define	is_enough(amrr)		\
4723 	((amrr)->txcnt > 200)
4724 #define	not_very_few(amrr)	\
4725 	((amrr)->txcnt > 40)
4726 #define	is_min_rate(in)		\
4727 	(0 == (in)->in_txrate)
4728 #define	is_max_rate(in)		\
4729 	((in)->in_rates.ir_nrates - 1 == (in)->in_txrate)
4730 #define	increase_rate(in)	\
4731 	((in)->in_txrate++)
4732 #define	decrease_rate(in)	\
4733 	((in)->in_txrate--)
4734 #define	reset_cnt(amrr)		\
4735 	{ (amrr)->txcnt = (amrr)->retrycnt = 0; }
4736 
4737 #define	IWP_AMRR_MIN_SUCCESS_THRESHOLD	 1
4738 #define	IWP_AMRR_MAX_SUCCESS_THRESHOLD	15
4739 
4740 static void
4741 iwp_amrr_init(iwp_amrr_t *amrr)
4742 {
4743 	amrr->success = 0;
4744 	amrr->recovery = 0;
4745 	amrr->txcnt = amrr->retrycnt = 0;
4746 	amrr->success_threshold = IWP_AMRR_MIN_SUCCESS_THRESHOLD;
4747 }
4748 
4749 static void
4750 iwp_amrr_timeout(iwp_sc_t *sc)
4751 {
4752 	ieee80211com_t *ic = &sc->sc_ic;
4753 
4754 	IWP_DBG((IWP_DEBUG_RATECTL, "iwp_amrr_timeout(): "
4755 	    "enter\n"));
4756 
4757 	if (IEEE80211_M_STA == ic->ic_opmode) {
4758 		iwp_amrr_ratectl(NULL, ic->ic_bss);
4759 	} else {
4760 		ieee80211_iterate_nodes(&ic->ic_sta, iwp_amrr_ratectl, NULL);
4761 	}
4762 
4763 	sc->sc_clk = ddi_get_lbolt();
4764 }
4765 
4766 /* ARGSUSED */
4767 static void
4768 iwp_amrr_ratectl(void *arg, ieee80211_node_t *in)
4769 {
4770 	iwp_amrr_t *amrr = (iwp_amrr_t *)in;
4771 	int need_change = 0;
4772 
4773 	if (is_success(amrr) && is_enough(amrr)) {
4774 		amrr->success++;
4775 		if (amrr->success >= amrr->success_threshold &&
4776 		    !is_max_rate(in)) {
4777 			amrr->recovery = 1;
4778 			amrr->success = 0;
4779 			increase_rate(in);
4780 			IWP_DBG((IWP_DEBUG_RATECTL, "iwp_amrr_ratectl(): "
4781 			    "AMRR increasing rate %d "
4782 			    "(txcnt=%d retrycnt=%d)\n",
4783 			    in->in_txrate, amrr->txcnt,
4784 			    amrr->retrycnt));
4785 			need_change = 1;
4786 		} else {
4787 			amrr->recovery = 0;
4788 		}
4789 	} else if (not_very_few(amrr) && is_failure(amrr)) {
4790 		amrr->success = 0;
4791 		if (!is_min_rate(in)) {
4792 			if (amrr->recovery) {
4793 				amrr->success_threshold++;
4794 				if (amrr->success_threshold >
4795 				    IWP_AMRR_MAX_SUCCESS_THRESHOLD) {
4796 					amrr->success_threshold =
4797 					    IWP_AMRR_MAX_SUCCESS_THRESHOLD;
4798 				}
4799 			} else {
4800 				amrr->success_threshold =
4801 				    IWP_AMRR_MIN_SUCCESS_THRESHOLD;
4802 			}
4803 			decrease_rate(in);
4804 			IWP_DBG((IWP_DEBUG_RATECTL, "iwp_amrr_ratectl(): "
4805 			    "AMRR decreasing rate %d "
4806 			    "(txcnt=%d retrycnt=%d)\n",
4807 			    in->in_txrate, amrr->txcnt,
4808 			    amrr->retrycnt));
4809 			need_change = 1;
4810 		}
4811 		amrr->recovery = 0;	/* paper is incorrect */
4812 	}
4813 
4814 	if (is_enough(amrr) || need_change) {
4815 		reset_cnt(amrr);
4816 	}
4817 }
4818 
4819 /*
4820  * translate indirect address in eeprom to direct address
4821  * in eeprom and return address of entry whos indirect address
4822  * is indi_addr
4823  */
4824 static uint8_t *
4825 iwp_eep_addr_trans(iwp_sc_t *sc, uint32_t indi_addr)
4826 {
4827 	uint32_t	di_addr;
4828 	uint16_t	temp;
4829 
4830 	if (!(indi_addr & INDIRECT_ADDRESS)) {
4831 		di_addr = indi_addr;
4832 		return (&sc->sc_eep_map[di_addr]);
4833 	}
4834 
4835 	switch (indi_addr & INDIRECT_TYPE_MSK) {
4836 	case INDIRECT_GENERAL:
4837 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_GENERAL);
4838 		break;
4839 	case	INDIRECT_HOST:
4840 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_HOST);
4841 		break;
4842 	case	INDIRECT_REGULATORY:
4843 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_REGULATORY);
4844 		break;
4845 	case	INDIRECT_CALIBRATION:
4846 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_CALIBRATION);
4847 		break;
4848 	case	INDIRECT_PROCESS_ADJST:
4849 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_PROCESS_ADJST);
4850 		break;
4851 	case	INDIRECT_OTHERS:
4852 		temp = IWP_READ_EEP_SHORT(sc, EEP_LINK_OTHERS);
4853 		break;
4854 	default:
4855 		temp = 0;
4856 		cmn_err(CE_WARN, "iwp_eep_addr_trans(): "
4857 		    "incorrect indirect eeprom address.\n");
4858 		break;
4859 	}
4860 
4861 	di_addr = (indi_addr & ADDRESS_MSK) + (temp << 1);
4862 
4863 	return (&sc->sc_eep_map[di_addr]);
4864 }
4865 
4866 /*
4867  * loade a section of ucode into NIC
4868  */
4869 static int
4870 iwp_put_seg_fw(iwp_sc_t *sc, uint32_t addr_s, uint32_t addr_d, uint32_t len)
4871 {
4872 
4873 	iwp_mac_access_enter(sc);
4874 
4875 	IWP_WRITE(sc, IWP_FH_TCSR_CHNL_TX_CONFIG_REG(IWP_FH_SRVC_CHNL),
4876 	    IWP_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_PAUSE);
4877 
4878 	IWP_WRITE(sc, IWP_FH_SRVC_CHNL_SRAM_ADDR_REG(IWP_FH_SRVC_CHNL), addr_d);
4879 
4880 	IWP_WRITE(sc, IWP_FH_TFDIB_CTRL0_REG(IWP_FH_SRVC_CHNL),
4881 	    (addr_s & FH_MEM_TFDIB_DRAM_ADDR_LSB_MASK));
4882 
4883 	IWP_WRITE(sc, IWP_FH_TFDIB_CTRL1_REG(IWP_FH_SRVC_CHNL), len);
4884 
4885 	IWP_WRITE(sc, IWP_FH_TCSR_CHNL_TX_BUF_STS_REG(IWP_FH_SRVC_CHNL),
4886 	    (1 << IWP_FH_TCSR_CHNL_TX_BUF_STS_REG_POS_TB_NUM) |
4887 	    (1 << IWP_FH_TCSR_CHNL_TX_BUF_STS_REG_POS_TB_IDX) |
4888 	    IWP_FH_TCSR_CHNL_TX_BUF_STS_REG_VAL_TFDB_VALID);
4889 
4890 	IWP_WRITE(sc, IWP_FH_TCSR_CHNL_TX_CONFIG_REG(IWP_FH_SRVC_CHNL),
4891 	    IWP_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_ENABLE |
4892 	    IWP_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CREDIT_DISABLE_VAL |
4893 	    IWP_FH_TCSR_TX_CONFIG_REG_VAL_CIRQ_HOST_ENDTFD);
4894 
4895 	iwp_mac_access_exit(sc);
4896 
4897 	return (IWP_SUCCESS);
4898 }
4899 
4900 /*
4901  * necessary setting during alive notification
4902  */
4903 static int
4904 iwp_alive_common(iwp_sc_t *sc)
4905 {
4906 	uint32_t	base;
4907 	uint32_t	i;
4908 	iwp_wimax_coex_cmd_t	w_cmd;
4909 	iwp_calibration_crystal_cmd_t	c_cmd;
4910 	uint32_t	rv = IWP_FAIL;
4911 
4912 	/*
4913 	 * initialize SCD related registers to make TX work.
4914 	 */
4915 	iwp_mac_access_enter(sc);
4916 
4917 	/*
4918 	 * read sram address of data base.
4919 	 */
4920 	sc->sc_scd_base = iwp_reg_read(sc, IWP_SCD_SRAM_BASE_ADDR);
4921 
4922 	for (base = sc->sc_scd_base + IWP_SCD_CONTEXT_DATA_OFFSET;
4923 	    base < sc->sc_scd_base + IWP_SCD_TX_STTS_BITMAP_OFFSET;
4924 	    base += 4) {
4925 		iwp_mem_write(sc, base, 0);
4926 	}
4927 
4928 	for (; base < sc->sc_scd_base + IWP_SCD_TRANSLATE_TBL_OFFSET;
4929 	    base += 4) {
4930 		iwp_mem_write(sc, base, 0);
4931 	}
4932 
4933 	for (i = 0; i < sizeof (uint16_t) * IWP_NUM_QUEUES; i += 4) {
4934 		iwp_mem_write(sc, base + i, 0);
4935 	}
4936 
4937 	iwp_reg_write(sc, IWP_SCD_DRAM_BASE_ADDR,
4938 	    sc->sc_dma_sh.cookie.dmac_address >> 10);
4939 
4940 	iwp_reg_write(sc, IWP_SCD_QUEUECHAIN_SEL,
4941 	    IWP_SCD_QUEUECHAIN_SEL_ALL(IWP_NUM_QUEUES));
4942 
4943 	iwp_reg_write(sc, IWP_SCD_AGGR_SEL, 0);
4944 
4945 	for (i = 0; i < IWP_NUM_QUEUES; i++) {
4946 		iwp_reg_write(sc, IWP_SCD_QUEUE_RDPTR(i), 0);
4947 		IWP_WRITE(sc, HBUS_TARG_WRPTR, 0 | (i << 8));
4948 		iwp_mem_write(sc, sc->sc_scd_base +
4949 		    IWP_SCD_CONTEXT_QUEUE_OFFSET(i), 0);
4950 		iwp_mem_write(sc, sc->sc_scd_base +
4951 		    IWP_SCD_CONTEXT_QUEUE_OFFSET(i) +
4952 		    sizeof (uint32_t),
4953 		    ((SCD_WIN_SIZE << IWP_SCD_QUEUE_CTX_REG2_WIN_SIZE_POS) &
4954 		    IWP_SCD_QUEUE_CTX_REG2_WIN_SIZE_MSK) |
4955 		    ((SCD_FRAME_LIMIT <<
4956 		    IWP_SCD_QUEUE_CTX_REG2_FRAME_LIMIT_POS) &
4957 		    IWP_SCD_QUEUE_CTX_REG2_FRAME_LIMIT_MSK));
4958 	}
4959 
4960 	iwp_reg_write(sc, IWP_SCD_INTERRUPT_MASK, (1 << IWP_NUM_QUEUES) - 1);
4961 
4962 	iwp_reg_write(sc, (IWP_SCD_BASE + 0x10),
4963 	    SCD_TXFACT_REG_TXFIFO_MASK(0, 7));
4964 
4965 	IWP_WRITE(sc, HBUS_TARG_WRPTR, (IWP_CMD_QUEUE_NUM << 8));
4966 	iwp_reg_write(sc, IWP_SCD_QUEUE_RDPTR(IWP_CMD_QUEUE_NUM), 0);
4967 
4968 	/*
4969 	 * queue 0-7 map to FIFO 0-7 and
4970 	 * all queues work under FIFO mode(none-scheduler_ack)
4971 	 */
4972 	for (i = 0; i < 4; i++) {
4973 		iwp_reg_write(sc, IWP_SCD_QUEUE_STATUS_BITS(i),
4974 		    (1 << IWP_SCD_QUEUE_STTS_REG_POS_ACTIVE) |
4975 		    ((3-i) << IWP_SCD_QUEUE_STTS_REG_POS_TXF) |
4976 		    (1 << IWP_SCD_QUEUE_STTS_REG_POS_WSL) |
4977 		    IWP_SCD_QUEUE_STTS_REG_MSK);
4978 	}
4979 
4980 	iwp_reg_write(sc, IWP_SCD_QUEUE_STATUS_BITS(IWP_CMD_QUEUE_NUM),
4981 	    (1 << IWP_SCD_QUEUE_STTS_REG_POS_ACTIVE) |
4982 	    (IWP_CMD_FIFO_NUM << IWP_SCD_QUEUE_STTS_REG_POS_TXF) |
4983 	    (1 << IWP_SCD_QUEUE_STTS_REG_POS_WSL) |
4984 	    IWP_SCD_QUEUE_STTS_REG_MSK);
4985 
4986 	for (i = 5; i < 7; i++) {
4987 		iwp_reg_write(sc, IWP_SCD_QUEUE_STATUS_BITS(i),
4988 		    (1 << IWP_SCD_QUEUE_STTS_REG_POS_ACTIVE) |
4989 		    (i << IWP_SCD_QUEUE_STTS_REG_POS_TXF) |
4990 		    (1 << IWP_SCD_QUEUE_STTS_REG_POS_WSL) |
4991 		    IWP_SCD_QUEUE_STTS_REG_MSK);
4992 	}
4993 
4994 	iwp_mac_access_exit(sc);
4995 
4996 	(void) memset(&w_cmd, 0, sizeof (w_cmd));
4997 
4998 	rv = iwp_cmd(sc, COEX_PRIORITY_TABLE_CMD, &w_cmd, sizeof (w_cmd), 1);
4999 	if (rv != IWP_SUCCESS) {
5000 		cmn_err(CE_WARN, "iwp_alive_common(): "
5001 		    "failed to send wimax coexist command.\n");
5002 		return (rv);
5003 	}
5004 
5005 	(void) memset(&c_cmd, 0, sizeof (c_cmd));
5006 
5007 	c_cmd.opCode = PHY_CALIBRATE_CRYSTAL_FRQ_CMD;
5008 	c_cmd.data.cap_pin1 = LE_16(sc->sc_eep_calib->xtal_calib[0]);
5009 	c_cmd.data.cap_pin2 = LE_16(sc->sc_eep_calib->xtal_calib[1]);
5010 
5011 	rv = iwp_cmd(sc, REPLY_PHY_CALIBRATION_CMD, &c_cmd, sizeof (c_cmd), 1);
5012 	if (rv != IWP_SUCCESS) {
5013 		cmn_err(CE_WARN, "iwp_alive_common(): "
5014 		    "failed to send crystal frq calibration command.\n");
5015 		return (rv);
5016 	}
5017 
5018 	/*
5019 	 * make sure crystal frequency calibration ready
5020 	 * before next operations.
5021 	 */
5022 	DELAY(1000);
5023 
5024 	return (IWP_SUCCESS);
5025 }
5026 
5027 /*
5028  * save results of calibration from ucode
5029  */
5030 static void
5031 iwp_save_calib_result(iwp_sc_t *sc, iwp_rx_desc_t *desc)
5032 {
5033 	struct iwp_calib_results *res_p = &sc->sc_calib_results;
5034 	struct iwp_calib_hdr *calib_hdr = (struct iwp_calib_hdr *)(desc + 1);
5035 	int len = LE_32(desc->len);
5036 
5037 	/*
5038 	 * ensure the size of buffer is not too big
5039 	 */
5040 	len = (len & FH_RSCSR_FRAME_SIZE_MASK) - 4;
5041 
5042 	switch (calib_hdr->op_code) {
5043 	case PHY_CALIBRATE_LO_CMD:
5044 		if (NULL == res_p->lo_res) {
5045 			res_p->lo_res = kmem_alloc(len, KM_NOSLEEP);
5046 		}
5047 
5048 		if (NULL == res_p->lo_res) {
5049 			cmn_err(CE_WARN, "iwp_save_calib_result(): "
5050 			    "failed to allocate memory.\n");
5051 			return;
5052 		}
5053 
5054 		res_p->lo_res_len = len;
5055 		(void) memcpy(res_p->lo_res, calib_hdr, len);
5056 		break;
5057 	case PHY_CALIBRATE_TX_IQ_CMD:
5058 		if (NULL == res_p->tx_iq_res) {
5059 			res_p->tx_iq_res = kmem_alloc(len, KM_NOSLEEP);
5060 		}
5061 
5062 		if (NULL == res_p->tx_iq_res) {
5063 			cmn_err(CE_WARN, "iwp_save_calib_result(): "
5064 			    "failed to allocate memory.\n");
5065 			return;
5066 		}
5067 
5068 		res_p->tx_iq_res_len = len;
5069 		(void) memcpy(res_p->tx_iq_res, calib_hdr, len);
5070 		break;
5071 	case PHY_CALIBRATE_TX_IQ_PERD_CMD:
5072 		if (NULL == res_p->tx_iq_perd_res) {
5073 			res_p->tx_iq_perd_res = kmem_alloc(len, KM_NOSLEEP);
5074 		}
5075 
5076 		if (NULL == res_p->tx_iq_perd_res) {
5077 			cmn_err(CE_WARN, "iwp_save_calib_result(): "
5078 			    "failed to allocate memory.\n");
5079 		}
5080 
5081 		res_p->tx_iq_perd_res_len = len;
5082 		(void) memcpy(res_p->tx_iq_perd_res, calib_hdr, len);
5083 		break;
5084 	case PHY_CALIBRATE_BASE_BAND_CMD:
5085 		if (NULL == res_p->base_band_res) {
5086 			res_p->base_band_res = kmem_alloc(len, KM_NOSLEEP);
5087 		}
5088 
5089 		if (NULL == res_p->base_band_res) {
5090 			cmn_err(CE_WARN, "iwp_save_calib_result(): "
5091 			    "failed to allocate memory.\n");
5092 		}
5093 
5094 		res_p->base_band_res_len = len;
5095 		(void) memcpy(res_p->base_band_res, calib_hdr, len);
5096 		break;
5097 	default:
5098 		cmn_err(CE_WARN, "iwp_save_calib_result(): "
5099 		    "incorrect calibration type(%d).\n", calib_hdr->op_code);
5100 		break;
5101 	}
5102 
5103 }
5104 
5105 static void
5106 iwp_release_calib_buffer(iwp_sc_t *sc)
5107 {
5108 	if (sc->sc_calib_results.lo_res != NULL) {
5109 		kmem_free(sc->sc_calib_results.lo_res,
5110 		    sc->sc_calib_results.lo_res_len);
5111 		sc->sc_calib_results.lo_res = NULL;
5112 	}
5113 
5114 	if (sc->sc_calib_results.tx_iq_res != NULL) {
5115 		kmem_free(sc->sc_calib_results.tx_iq_res,
5116 		    sc->sc_calib_results.tx_iq_res_len);
5117 		sc->sc_calib_results.tx_iq_res = NULL;
5118 	}
5119 
5120 	if (sc->sc_calib_results.tx_iq_perd_res != NULL) {
5121 		kmem_free(sc->sc_calib_results.tx_iq_perd_res,
5122 		    sc->sc_calib_results.tx_iq_perd_res_len);
5123 		sc->sc_calib_results.tx_iq_perd_res = NULL;
5124 	}
5125 
5126 	if (sc->sc_calib_results.base_band_res != NULL) {
5127 		kmem_free(sc->sc_calib_results.base_band_res,
5128 		    sc->sc_calib_results.base_band_res_len);
5129 		sc->sc_calib_results.base_band_res = NULL;
5130 	}
5131 
5132 }
5133 
5134 /*
5135  * common section of intialization
5136  */
5137 static int
5138 iwp_init_common(iwp_sc_t *sc)
5139 {
5140 	int32_t	qid;
5141 	uint32_t tmp;
5142 
5143 	(void) iwp_preinit(sc);
5144 
5145 	tmp = IWP_READ(sc, CSR_GP_CNTRL);
5146 	if (!(tmp & CSR_GP_CNTRL_REG_FLAG_HW_RF_KILL_SW)) {
5147 		cmn_err(CE_NOTE, "iwp_init_common(): "
5148 		    "radio transmitter is off\n");
5149 		return (IWP_FAIL);
5150 	}
5151 
5152 	/*
5153 	 * init Rx ring
5154 	 */
5155 	iwp_mac_access_enter(sc);
5156 	IWP_WRITE(sc, FH_MEM_RCSR_CHNL0_CONFIG_REG, 0);
5157 
5158 	IWP_WRITE(sc, FH_RSCSR_CHNL0_RBDCB_WPTR_REG, 0);
5159 	IWP_WRITE(sc, FH_RSCSR_CHNL0_RBDCB_BASE_REG,
5160 	    sc->sc_rxq.dma_desc.cookie.dmac_address >> 8);
5161 
5162 	IWP_WRITE(sc, FH_RSCSR_CHNL0_STTS_WPTR_REG,
5163 	    ((uint32_t)(sc->sc_dma_sh.cookie.dmac_address +
5164 	    offsetof(struct iwp_shared, val0)) >> 4));
5165 
5166 	IWP_WRITE(sc, FH_MEM_RCSR_CHNL0_CONFIG_REG,
5167 	    FH_RCSR_RX_CONFIG_CHNL_EN_ENABLE_VAL |
5168 	    FH_RCSR_CHNL0_RX_CONFIG_IRQ_DEST_INT_HOST_VAL |
5169 	    IWP_FH_RCSR_RX_CONFIG_REG_VAL_RB_SIZE_4K |
5170 	    (RX_QUEUE_SIZE_LOG <<
5171 	    FH_RCSR_RX_CONFIG_RBDCB_SIZE_BITSHIFT));
5172 	iwp_mac_access_exit(sc);
5173 	IWP_WRITE(sc, FH_RSCSR_CHNL0_RBDCB_WPTR_REG,
5174 	    (RX_QUEUE_SIZE - 1) & ~0x7);
5175 
5176 	/*
5177 	 * init Tx rings
5178 	 */
5179 	iwp_mac_access_enter(sc);
5180 	iwp_reg_write(sc, IWP_SCD_TXFACT, 0);
5181 
5182 	/*
5183 	 * keep warm page
5184 	 */
5185 	IWP_WRITE(sc, IWP_FH_KW_MEM_ADDR_REG,
5186 	    sc->sc_dma_kw.cookie.dmac_address >> 4);
5187 
5188 	for (qid = 0; qid < IWP_NUM_QUEUES; qid++) {
5189 		IWP_WRITE(sc, FH_MEM_CBBC_QUEUE(qid),
5190 		    sc->sc_txq[qid].dma_desc.cookie.dmac_address >> 8);
5191 		IWP_WRITE(sc, IWP_FH_TCSR_CHNL_TX_CONFIG_REG(qid),
5192 		    IWP_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CHNL_ENABLE |
5193 		    IWP_FH_TCSR_TX_CONFIG_REG_VAL_DMA_CREDIT_ENABLE_VAL);
5194 	}
5195 
5196 	iwp_mac_access_exit(sc);
5197 
5198 	/*
5199 	 * clear "radio off" and "disable command" bits
5200 	 */
5201 	IWP_WRITE(sc, CSR_UCODE_DRV_GP1_CLR, CSR_UCODE_SW_BIT_RFKILL);
5202 	IWP_WRITE(sc, CSR_UCODE_DRV_GP1_CLR,
5203 	    CSR_UCODE_DRV_GP1_BIT_CMD_BLOCKED);
5204 
5205 	/*
5206 	 * clear any pending interrupts
5207 	 */
5208 	IWP_WRITE(sc, CSR_INT, 0xffffffff);
5209 
5210 	/*
5211 	 * enable interrupts
5212 	 */
5213 	IWP_WRITE(sc, CSR_INT_MASK, CSR_INI_SET_MASK);
5214 
5215 	IWP_WRITE(sc, CSR_UCODE_DRV_GP1_CLR, CSR_UCODE_SW_BIT_RFKILL);
5216 	IWP_WRITE(sc, CSR_UCODE_DRV_GP1_CLR, CSR_UCODE_SW_BIT_RFKILL);
5217 
5218 	return (IWP_SUCCESS);
5219 }
5220 
5221 static int
5222 iwp_fast_recover(iwp_sc_t *sc)
5223 {
5224 	ieee80211com_t *ic = &sc->sc_ic;
5225 	int err = IWP_FAIL;
5226 
5227 	mutex_enter(&sc->sc_glock);
5228 
5229 	/* restore runtime configuration */
5230 	bcopy(&sc->sc_config_save, &sc->sc_config,
5231 	    sizeof (sc->sc_config));
5232 
5233 	sc->sc_config.assoc_id = 0;
5234 	sc->sc_config.filter_flags &= ~LE_32(RXON_FILTER_ASSOC_MSK);
5235 
5236 	if ((err = iwp_hw_set_before_auth(sc)) != IWP_SUCCESS) {
5237 		cmn_err(CE_WARN, "iwp_fast_recover(): "
5238 		    "could not setup authentication\n");
5239 		mutex_exit(&sc->sc_glock);
5240 		return (err);
5241 	}
5242 
5243 	bcopy(&sc->sc_config_save, &sc->sc_config,
5244 	    sizeof (sc->sc_config));
5245 
5246 	/* update adapter's configuration */
5247 	err = iwp_run_state_config(sc);
5248 	if (err != IWP_SUCCESS) {
5249 		cmn_err(CE_WARN, "iwp_fast_recover(): "
5250 		    "failed to setup association\n");
5251 		mutex_exit(&sc->sc_glock);
5252 		return (err);
5253 	}
5254 	/* set LED on */
5255 	iwp_set_led(sc, 2, 0, 1);
5256 
5257 	mutex_exit(&sc->sc_glock);
5258 
5259 	atomic_and_32(&sc->sc_flags, ~IWP_F_HW_ERR_RECOVER);
5260 
5261 	/* start queue */
5262 	IWP_DBG((IWP_DEBUG_FW, "iwp_fast_recover(): "
5263 	    "resume xmit\n"));
5264 	mac_tx_update(ic->ic_mach);
5265 
5266 	return (IWP_SUCCESS);
5267 }
5268 
5269 static int
5270 iwp_run_state_config(iwp_sc_t *sc)
5271 {
5272 	struct ieee80211com *ic = &sc->sc_ic;
5273 	ieee80211_node_t *in = ic->ic_bss;
5274 	int err = IWP_FAIL;
5275 
5276 	/*
5277 	 * update adapter's configuration
5278 	 */
5279 	sc->sc_config.assoc_id = in->in_associd & 0x3fff;
5280 
5281 	/*
5282 	 * short preamble/slot time are
5283 	 * negotiated when associating
5284 	 */
5285 	sc->sc_config.flags &=
5286 	    ~LE_32(RXON_FLG_SHORT_PREAMBLE_MSK |
5287 	    RXON_FLG_SHORT_SLOT_MSK);
5288 
5289 	if (ic->ic_flags & IEEE80211_F_SHSLOT) {
5290 		sc->sc_config.flags |=
5291 		    LE_32(RXON_FLG_SHORT_SLOT_MSK);
5292 	}
5293 
5294 	if (ic->ic_flags & IEEE80211_F_SHPREAMBLE) {
5295 		sc->sc_config.flags |=
5296 		    LE_32(RXON_FLG_SHORT_PREAMBLE_MSK);
5297 	}
5298 
5299 	sc->sc_config.filter_flags |=
5300 	    LE_32(RXON_FILTER_ASSOC_MSK);
5301 
5302 	if (ic->ic_opmode != IEEE80211_M_STA) {
5303 		sc->sc_config.filter_flags |=
5304 		    LE_32(RXON_FILTER_BCON_AWARE_MSK);
5305 	}
5306 
5307 	IWP_DBG((IWP_DEBUG_80211, "iwp_run_state_config(): "
5308 	    "config chan %d flags %x"
5309 	    " filter_flags %x\n",
5310 	    sc->sc_config.chan, sc->sc_config.flags,
5311 	    sc->sc_config.filter_flags));
5312 
5313 	err = iwp_cmd(sc, REPLY_RXON, &sc->sc_config,
5314 	    sizeof (iwp_rxon_cmd_t), 1);
5315 	if (err != IWP_SUCCESS) {
5316 		cmn_err(CE_WARN, "iwp_run_state_config(): "
5317 		    "could not update configuration\n");
5318 		return (err);
5319 	}
5320 
5321 	return (err);
5322 }
5323 
5324 /*
5325  * This function overwrites default configurations of
5326  * ieee80211com structure in Net80211 module.
5327  */
5328 static void
5329 iwp_overwrite_ic_default(iwp_sc_t *sc)
5330 {
5331 	ieee80211com_t *ic = &sc->sc_ic;
5332 
5333 	sc->sc_newstate = ic->ic_newstate;
5334 	ic->ic_newstate = iwp_newstate;
5335 	ic->ic_node_alloc = iwp_node_alloc;
5336 	ic->ic_node_free = iwp_node_free;
5337 }
5338 
5339 
5340 /*
5341  * This function adds AP station into hardware.
5342  */
5343 static int
5344 iwp_add_ap_sta(iwp_sc_t *sc)
5345 {
5346 	ieee80211com_t *ic = &sc->sc_ic;
5347 	ieee80211_node_t *in = ic->ic_bss;
5348 	iwp_add_sta_t node;
5349 	int err = IWP_FAIL;
5350 
5351 	/*
5352 	 * Add AP node into hardware.
5353 	 */
5354 	(void) memset(&node, 0, sizeof (node));
5355 	IEEE80211_ADDR_COPY(node.sta.addr, in->in_bssid);
5356 	node.mode = STA_MODE_ADD_MSK;
5357 	node.sta.sta_id = IWP_AP_ID;
5358 
5359 	err = iwp_cmd(sc, REPLY_ADD_STA, &node, sizeof (node), 1);
5360 	if (err != IWP_SUCCESS) {
5361 		cmn_err(CE_WARN, "iwp_add_ap_sta(): "
5362 		    "failed to add AP node\n");
5363 		return (err);
5364 	}
5365 
5366 	return (err);
5367 }
5368 
5369 /*
5370  * Check EEPROM version and Calibration version.
5371  */
5372 static int
5373 iwp_eep_ver_chk(iwp_sc_t *sc)
5374 {
5375 	if ((IWP_READ_EEP_SHORT(sc, EEP_VERSION) < 0x011a) ||
5376 	    (sc->sc_eep_calib->tx_pow_calib_hdr.calib_version < 4)) {
5377 		cmn_err(CE_WARN, "iwp_eep_ver_chk(): "
5378 		    "unsupported eeprom detected\n");
5379 		return (IWP_FAIL);
5380 	}
5381 
5382 	return (IWP_SUCCESS);
5383 }
5384 
5385 /*
5386  * Determine parameters for all supported chips.
5387  */
5388 static void
5389 iwp_set_chip_param(iwp_sc_t *sc)
5390 {
5391 	if ((0x008d == sc->sc_dev_id) ||
5392 	    (0x008e == sc->sc_dev_id)) {
5393 		sc->sc_chip_param.phy_mode = PHY_MODE_G |
5394 		    PHY_MODE_A | PHY_MODE_N;
5395 
5396 		sc->sc_chip_param.tx_ant = ANT_A | ANT_B;
5397 		sc->sc_chip_param.rx_ant = ANT_A | ANT_B;
5398 
5399 		sc->sc_chip_param.pa_type = PA_TYPE_MIX;
5400 	}
5401 
5402 	if ((0x422c == sc->sc_dev_id) ||
5403 	    (0x4239 == sc->sc_dev_id)) {
5404 		sc->sc_chip_param.phy_mode = PHY_MODE_G |
5405 		    PHY_MODE_A | PHY_MODE_N;
5406 
5407 		sc->sc_chip_param.tx_ant = ANT_B | ANT_C;
5408 		sc->sc_chip_param.rx_ant = ANT_B | ANT_C;
5409 
5410 		sc->sc_chip_param.pa_type = PA_TYPE_INTER;
5411 	}
5412 
5413 	if ((0x422b == sc->sc_dev_id) ||
5414 	    (0x4238 == sc->sc_dev_id)) {
5415 		sc->sc_chip_param.phy_mode = PHY_MODE_G |
5416 		    PHY_MODE_A | PHY_MODE_N;
5417 
5418 		sc->sc_chip_param.tx_ant = ANT_A | ANT_B | ANT_C;
5419 		sc->sc_chip_param.rx_ant = ANT_A | ANT_B | ANT_C;
5420 
5421 		sc->sc_chip_param.pa_type = PA_TYPE_SYSTEM;
5422 	}
5423 }
5424