1/*-
2 * Copyright (c) 2007-2009 Damien Bergamini <damien.bergamini@free.fr>
3 * Copyright (c) 2008 Benjamin Close <benjsc@FreeBSD.org>
4 * Copyright (c) 2008 Sam Leffler, Errno Consulting
5 * Copyright (c) 2011 Intel Corporation
6 * Copyright (c) 2013 Cedric GROSS <c.gross@kreiz-it.fr>
7 * Copyright (c) 2013 Adrian Chadd <adrian@FreeBSD.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22/*
23 * Driver for Intel WiFi Link 4965 and 1000/5000/6000 Series 802.11 network
24 * adapters.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: stable/11/sys/dev/iwn/if_iwn.c 345636 2019-03-28 09:50:25Z avos $");
29
30#include "opt_wlan.h"
31#include "opt_iwn.h"
32
33#include <sys/param.h>
34#include <sys/sockio.h>
35#include <sys/sysctl.h>
36#include <sys/mbuf.h>
37#include <sys/kernel.h>
38#include <sys/socket.h>
39#include <sys/systm.h>
40#include <sys/malloc.h>
41#include <sys/bus.h>
42#include <sys/conf.h>
43#include <sys/rman.h>
44#include <sys/endian.h>
45#include <sys/firmware.h>
46#include <sys/limits.h>
47#include <sys/module.h>
48#include <sys/priv.h>
49#include <sys/queue.h>
50#include <sys/taskqueue.h>
51
52#include <machine/bus.h>
53#include <machine/resource.h>
54#include <machine/clock.h>
55
56#include <dev/pci/pcireg.h>
57#include <dev/pci/pcivar.h>
58
59#include <net/if.h>
60#include <net/if_var.h>
61#include <net/if_dl.h>
62#include <net/if_media.h>
63
64#include <netinet/in.h>
65#include <netinet/if_ether.h>
66
67#include <net80211/ieee80211_var.h>
68#include <net80211/ieee80211_radiotap.h>
69#include <net80211/ieee80211_regdomain.h>
70#include <net80211/ieee80211_ratectl.h>
71
72#include <dev/iwn/if_iwnreg.h>
73#include <dev/iwn/if_iwnvar.h>
74#include <dev/iwn/if_iwn_devid.h>
75#include <dev/iwn/if_iwn_chip_cfg.h>
76#include <dev/iwn/if_iwn_debug.h>
77#include <dev/iwn/if_iwn_ioctl.h>
78
79struct iwn_ident {
80	uint16_t	vendor;
81	uint16_t	device;
82	const char	*name;
83};
84
85static const struct iwn_ident iwn_ident_table[] = {
86	{ 0x8086, IWN_DID_6x05_1, "Intel Centrino Advanced-N 6205"		},
87	{ 0x8086, IWN_DID_1000_1, "Intel Centrino Wireless-N 1000"		},
88	{ 0x8086, IWN_DID_1000_2, "Intel Centrino Wireless-N 1000"		},
89	{ 0x8086, IWN_DID_6x05_2, "Intel Centrino Advanced-N 6205"		},
90	{ 0x8086, IWN_DID_6050_1, "Intel Centrino Advanced-N + WiMAX 6250"	},
91	{ 0x8086, IWN_DID_6050_2, "Intel Centrino Advanced-N + WiMAX 6250"	},
92	{ 0x8086, IWN_DID_x030_1, "Intel Centrino Wireless-N 1030"		},
93	{ 0x8086, IWN_DID_x030_2, "Intel Centrino Wireless-N 1030"		},
94	{ 0x8086, IWN_DID_x030_3, "Intel Centrino Advanced-N 6230"		},
95	{ 0x8086, IWN_DID_x030_4, "Intel Centrino Advanced-N 6230"		},
96	{ 0x8086, IWN_DID_6150_1, "Intel Centrino Wireless-N + WiMAX 6150"	},
97	{ 0x8086, IWN_DID_6150_2, "Intel Centrino Wireless-N + WiMAX 6150"	},
98	{ 0x8086, IWN_DID_2x00_1, "Intel(R) Centrino(R) Wireless-N 2200 BGN"	},
99	{ 0x8086, IWN_DID_2x00_2, "Intel(R) Centrino(R) Wireless-N 2200 BGN"	},
100	/* XXX 2200D is IWN_SDID_2x00_4; there's no way to express this here! */
101	{ 0x8086, IWN_DID_2x30_1, "Intel Centrino Wireless-N 2230"		},
102	{ 0x8086, IWN_DID_2x30_2, "Intel Centrino Wireless-N 2230"		},
103	{ 0x8086, IWN_DID_130_1, "Intel Centrino Wireless-N 130"		},
104	{ 0x8086, IWN_DID_130_2, "Intel Centrino Wireless-N 130"		},
105	{ 0x8086, IWN_DID_100_1, "Intel Centrino Wireless-N 100"		},
106	{ 0x8086, IWN_DID_100_2, "Intel Centrino Wireless-N 100"		},
107	{ 0x8086, IWN_DID_105_1, "Intel Centrino Wireless-N 105"		},
108	{ 0x8086, IWN_DID_105_2, "Intel Centrino Wireless-N 105"		},
109	{ 0x8086, IWN_DID_135_1, "Intel Centrino Wireless-N 135"		},
110	{ 0x8086, IWN_DID_135_2, "Intel Centrino Wireless-N 135"		},
111	{ 0x8086, IWN_DID_4965_1, "Intel Wireless WiFi Link 4965"		},
112	{ 0x8086, IWN_DID_6x00_1, "Intel Centrino Ultimate-N 6300"		},
113	{ 0x8086, IWN_DID_6x00_2, "Intel Centrino Advanced-N 6200"		},
114	{ 0x8086, IWN_DID_4965_2, "Intel Wireless WiFi Link 4965"		},
115	{ 0x8086, IWN_DID_4965_3, "Intel Wireless WiFi Link 4965"		},
116	{ 0x8086, IWN_DID_5x00_1, "Intel WiFi Link 5100"			},
117	{ 0x8086, IWN_DID_4965_4, "Intel Wireless WiFi Link 4965"		},
118	{ 0x8086, IWN_DID_5x00_3, "Intel Ultimate N WiFi Link 5300"		},
119	{ 0x8086, IWN_DID_5x00_4, "Intel Ultimate N WiFi Link 5300"		},
120	{ 0x8086, IWN_DID_5x00_2, "Intel WiFi Link 5100"			},
121	{ 0x8086, IWN_DID_6x00_3, "Intel Centrino Ultimate-N 6300"		},
122	{ 0x8086, IWN_DID_6x00_4, "Intel Centrino Advanced-N 6200"		},
123	{ 0x8086, IWN_DID_5x50_1, "Intel WiMAX/WiFi Link 5350"			},
124	{ 0x8086, IWN_DID_5x50_2, "Intel WiMAX/WiFi Link 5350"			},
125	{ 0x8086, IWN_DID_5x50_3, "Intel WiMAX/WiFi Link 5150"			},
126	{ 0x8086, IWN_DID_5x50_4, "Intel WiMAX/WiFi Link 5150"			},
127	{ 0x8086, IWN_DID_6035_1, "Intel Centrino Advanced 6235"		},
128	{ 0x8086, IWN_DID_6035_2, "Intel Centrino Advanced 6235"		},
129	{ 0, 0, NULL }
130};
131
132static int	iwn_probe(device_t);
133static int	iwn_attach(device_t);
134static void	iwn4965_attach(struct iwn_softc *, uint16_t);
135static void	iwn5000_attach(struct iwn_softc *, uint16_t);
136static int	iwn_config_specific(struct iwn_softc *, uint16_t);
137static void	iwn_radiotap_attach(struct iwn_softc *);
138static void	iwn_sysctlattach(struct iwn_softc *);
139static struct ieee80211vap *iwn_vap_create(struct ieee80211com *,
140		    const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
141		    const uint8_t [IEEE80211_ADDR_LEN],
142		    const uint8_t [IEEE80211_ADDR_LEN]);
143static void	iwn_vap_delete(struct ieee80211vap *);
144static int	iwn_detach(device_t);
145static int	iwn_shutdown(device_t);
146static int	iwn_suspend(device_t);
147static int	iwn_resume(device_t);
148static int	iwn_nic_lock(struct iwn_softc *);
149static int	iwn_eeprom_lock(struct iwn_softc *);
150static int	iwn_init_otprom(struct iwn_softc *);
151static int	iwn_read_prom_data(struct iwn_softc *, uint32_t, void *, int);
152static void	iwn_dma_map_addr(void *, bus_dma_segment_t *, int, int);
153static int	iwn_dma_contig_alloc(struct iwn_softc *, struct iwn_dma_info *,
154		    void **, bus_size_t, bus_size_t);
155static void	iwn_dma_contig_free(struct iwn_dma_info *);
156static int	iwn_alloc_sched(struct iwn_softc *);
157static void	iwn_free_sched(struct iwn_softc *);
158static int	iwn_alloc_kw(struct iwn_softc *);
159static void	iwn_free_kw(struct iwn_softc *);
160static int	iwn_alloc_ict(struct iwn_softc *);
161static void	iwn_free_ict(struct iwn_softc *);
162static int	iwn_alloc_fwmem(struct iwn_softc *);
163static void	iwn_free_fwmem(struct iwn_softc *);
164static int	iwn_alloc_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
165static void	iwn_reset_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
166static void	iwn_free_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
167static int	iwn_alloc_tx_ring(struct iwn_softc *, struct iwn_tx_ring *,
168		    int);
169static void	iwn_reset_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
170static void	iwn_free_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
171static void	iwn5000_ict_reset(struct iwn_softc *);
172static int	iwn_read_eeprom(struct iwn_softc *,
173		    uint8_t macaddr[IEEE80211_ADDR_LEN]);
174static void	iwn4965_read_eeprom(struct iwn_softc *);
175#ifdef	IWN_DEBUG
176static void	iwn4965_print_power_group(struct iwn_softc *, int);
177#endif
178static void	iwn5000_read_eeprom(struct iwn_softc *);
179static uint32_t	iwn_eeprom_channel_flags(struct iwn_eeprom_chan *);
180static void	iwn_read_eeprom_band(struct iwn_softc *, int, int, int *,
181		    struct ieee80211_channel[]);
182static void	iwn_read_eeprom_ht40(struct iwn_softc *, int, int, int *,
183		    struct ieee80211_channel[]);
184static void	iwn_read_eeprom_channels(struct iwn_softc *, int, uint32_t);
185static struct iwn_eeprom_chan *iwn_find_eeprom_channel(struct iwn_softc *,
186		    struct ieee80211_channel *);
187static void	iwn_getradiocaps(struct ieee80211com *, int, int *,
188		    struct ieee80211_channel[]);
189static int	iwn_setregdomain(struct ieee80211com *,
190		    struct ieee80211_regdomain *, int,
191		    struct ieee80211_channel[]);
192static void	iwn_read_eeprom_enhinfo(struct iwn_softc *);
193static struct ieee80211_node *iwn_node_alloc(struct ieee80211vap *,
194		    const uint8_t mac[IEEE80211_ADDR_LEN]);
195static void	iwn_newassoc(struct ieee80211_node *, int);
196static int	iwn_media_change(struct ifnet *);
197static int	iwn_newstate(struct ieee80211vap *, enum ieee80211_state, int);
198static void	iwn_calib_timeout(void *);
199static void	iwn_rx_phy(struct iwn_softc *, struct iwn_rx_desc *,
200		    struct iwn_rx_data *);
201static void	iwn_rx_done(struct iwn_softc *, struct iwn_rx_desc *,
202		    struct iwn_rx_data *);
203static void	iwn_rx_compressed_ba(struct iwn_softc *, struct iwn_rx_desc *,
204		    struct iwn_rx_data *);
205static void	iwn5000_rx_calib_results(struct iwn_softc *,
206		    struct iwn_rx_desc *, struct iwn_rx_data *);
207static void	iwn_rx_statistics(struct iwn_softc *, struct iwn_rx_desc *,
208		    struct iwn_rx_data *);
209static void	iwn4965_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
210		    struct iwn_rx_data *);
211static void	iwn5000_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
212		    struct iwn_rx_data *);
213static void	iwn_tx_done(struct iwn_softc *, struct iwn_rx_desc *, int,
214		    uint8_t);
215static void	iwn_ampdu_tx_done(struct iwn_softc *, int, int, int, int, void *);
216static void	iwn_cmd_done(struct iwn_softc *, struct iwn_rx_desc *);
217static void	iwn_notif_intr(struct iwn_softc *);
218static void	iwn_wakeup_intr(struct iwn_softc *);
219static void	iwn_rftoggle_intr(struct iwn_softc *);
220static void	iwn_fatal_intr(struct iwn_softc *);
221static void	iwn_intr(void *);
222static void	iwn4965_update_sched(struct iwn_softc *, int, int, uint8_t,
223		    uint16_t);
224static void	iwn5000_update_sched(struct iwn_softc *, int, int, uint8_t,
225		    uint16_t);
226#ifdef notyet
227static void	iwn5000_reset_sched(struct iwn_softc *, int, int);
228#endif
229static int	iwn_tx_data(struct iwn_softc *, struct mbuf *,
230		    struct ieee80211_node *);
231static int	iwn_tx_data_raw(struct iwn_softc *, struct mbuf *,
232		    struct ieee80211_node *,
233		    const struct ieee80211_bpf_params *params);
234static void	iwn_xmit_task(void *arg0, int pending);
235static int	iwn_raw_xmit(struct ieee80211_node *, struct mbuf *,
236		    const struct ieee80211_bpf_params *);
237static int	iwn_transmit(struct ieee80211com *, struct mbuf *);
238static void	iwn_scan_timeout(void *);
239static void	iwn_watchdog(void *);
240static int	iwn_ioctl(struct ieee80211com *, u_long , void *);
241static void	iwn_parent(struct ieee80211com *);
242static int	iwn_cmd(struct iwn_softc *, int, const void *, int, int);
243static int	iwn4965_add_node(struct iwn_softc *, struct iwn_node_info *,
244		    int);
245static int	iwn5000_add_node(struct iwn_softc *, struct iwn_node_info *,
246		    int);
247static int	iwn_set_link_quality(struct iwn_softc *,
248		    struct ieee80211_node *);
249static int	iwn_add_broadcast_node(struct iwn_softc *, int);
250static int	iwn_updateedca(struct ieee80211com *);
251static void	iwn_update_mcast(struct ieee80211com *);
252static void	iwn_set_led(struct iwn_softc *, uint8_t, uint8_t, uint8_t);
253static int	iwn_set_critical_temp(struct iwn_softc *);
254static int	iwn_set_timing(struct iwn_softc *, struct ieee80211_node *);
255static void	iwn4965_power_calibration(struct iwn_softc *, int);
256static int	iwn4965_set_txpower(struct iwn_softc *,
257		    struct ieee80211_channel *, int);
258static int	iwn5000_set_txpower(struct iwn_softc *,
259		    struct ieee80211_channel *, int);
260static int	iwn4965_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
261static int	iwn5000_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
262static int	iwn_get_noise(const struct iwn_rx_general_stats *);
263static int	iwn4965_get_temperature(struct iwn_softc *);
264static int	iwn5000_get_temperature(struct iwn_softc *);
265static int	iwn_init_sensitivity(struct iwn_softc *);
266static void	iwn_collect_noise(struct iwn_softc *,
267		    const struct iwn_rx_general_stats *);
268static int	iwn4965_init_gains(struct iwn_softc *);
269static int	iwn5000_init_gains(struct iwn_softc *);
270static int	iwn4965_set_gains(struct iwn_softc *);
271static int	iwn5000_set_gains(struct iwn_softc *);
272static void	iwn_tune_sensitivity(struct iwn_softc *,
273		    const struct iwn_rx_stats *);
274static void	iwn_save_stats_counters(struct iwn_softc *,
275		    const struct iwn_stats *);
276static int	iwn_send_sensitivity(struct iwn_softc *);
277static void	iwn_check_rx_recovery(struct iwn_softc *, struct iwn_stats *);
278static int	iwn_set_pslevel(struct iwn_softc *, int, int, int);
279static int	iwn_send_btcoex(struct iwn_softc *);
280static int	iwn_send_advanced_btcoex(struct iwn_softc *);
281static int	iwn5000_runtime_calib(struct iwn_softc *);
282static int	iwn_config(struct iwn_softc *);
283static int	iwn_scan(struct iwn_softc *, struct ieee80211vap *,
284		    struct ieee80211_scan_state *, struct ieee80211_channel *);
285static int	iwn_auth(struct iwn_softc *, struct ieee80211vap *vap);
286static int	iwn_run(struct iwn_softc *, struct ieee80211vap *vap);
287static int	iwn_ampdu_rx_start(struct ieee80211_node *,
288		    struct ieee80211_rx_ampdu *, int, int, int);
289static void	iwn_ampdu_rx_stop(struct ieee80211_node *,
290		    struct ieee80211_rx_ampdu *);
291static int	iwn_addba_request(struct ieee80211_node *,
292		    struct ieee80211_tx_ampdu *, int, int, int);
293static int	iwn_addba_response(struct ieee80211_node *,
294		    struct ieee80211_tx_ampdu *, int, int, int);
295static int	iwn_ampdu_tx_start(struct ieee80211com *,
296		    struct ieee80211_node *, uint8_t);
297static void	iwn_ampdu_tx_stop(struct ieee80211_node *,
298		    struct ieee80211_tx_ampdu *);
299static void	iwn4965_ampdu_tx_start(struct iwn_softc *,
300		    struct ieee80211_node *, int, uint8_t, uint16_t);
301static void	iwn4965_ampdu_tx_stop(struct iwn_softc *, int,
302		    uint8_t, uint16_t);
303static void	iwn5000_ampdu_tx_start(struct iwn_softc *,
304		    struct ieee80211_node *, int, uint8_t, uint16_t);
305static void	iwn5000_ampdu_tx_stop(struct iwn_softc *, int,
306		    uint8_t, uint16_t);
307static int	iwn5000_query_calibration(struct iwn_softc *);
308static int	iwn5000_send_calibration(struct iwn_softc *);
309static int	iwn5000_send_wimax_coex(struct iwn_softc *);
310static int	iwn5000_crystal_calib(struct iwn_softc *);
311static int	iwn5000_temp_offset_calib(struct iwn_softc *);
312static int	iwn5000_temp_offset_calibv2(struct iwn_softc *);
313static int	iwn4965_post_alive(struct iwn_softc *);
314static int	iwn5000_post_alive(struct iwn_softc *);
315static int	iwn4965_load_bootcode(struct iwn_softc *, const uint8_t *,
316		    int);
317static int	iwn4965_load_firmware(struct iwn_softc *);
318static int	iwn5000_load_firmware_section(struct iwn_softc *, uint32_t,
319		    const uint8_t *, int);
320static int	iwn5000_load_firmware(struct iwn_softc *);
321static int	iwn_read_firmware_leg(struct iwn_softc *,
322		    struct iwn_fw_info *);
323static int	iwn_read_firmware_tlv(struct iwn_softc *,
324		    struct iwn_fw_info *, uint16_t);
325static int	iwn_read_firmware(struct iwn_softc *);
326static void	iwn_unload_firmware(struct iwn_softc *);
327static int	iwn_clock_wait(struct iwn_softc *);
328static int	iwn_apm_init(struct iwn_softc *);
329static void	iwn_apm_stop_master(struct iwn_softc *);
330static void	iwn_apm_stop(struct iwn_softc *);
331static int	iwn4965_nic_config(struct iwn_softc *);
332static int	iwn5000_nic_config(struct iwn_softc *);
333static int	iwn_hw_prepare(struct iwn_softc *);
334static int	iwn_hw_init(struct iwn_softc *);
335static void	iwn_hw_stop(struct iwn_softc *);
336static void	iwn_radio_on(void *, int);
337static void	iwn_radio_off(void *, int);
338static void	iwn_panicked(void *, int);
339static void	iwn_init_locked(struct iwn_softc *);
340static void	iwn_init(struct iwn_softc *);
341static void	iwn_stop_locked(struct iwn_softc *);
342static void	iwn_stop(struct iwn_softc *);
343static void	iwn_scan_start(struct ieee80211com *);
344static void	iwn_scan_end(struct ieee80211com *);
345static void	iwn_set_channel(struct ieee80211com *);
346static void	iwn_scan_curchan(struct ieee80211_scan_state *, unsigned long);
347static void	iwn_scan_mindwell(struct ieee80211_scan_state *);
348#ifdef	IWN_DEBUG
349static char	*iwn_get_csr_string(int);
350static void	iwn_debug_register(struct iwn_softc *);
351#endif
352
353static device_method_t iwn_methods[] = {
354	/* Device interface */
355	DEVMETHOD(device_probe,		iwn_probe),
356	DEVMETHOD(device_attach,	iwn_attach),
357	DEVMETHOD(device_detach,	iwn_detach),
358	DEVMETHOD(device_shutdown,	iwn_shutdown),
359	DEVMETHOD(device_suspend,	iwn_suspend),
360	DEVMETHOD(device_resume,	iwn_resume),
361
362	DEVMETHOD_END
363};
364
365static driver_t iwn_driver = {
366	"iwn",
367	iwn_methods,
368	sizeof(struct iwn_softc)
369};
370static devclass_t iwn_devclass;
371
372DRIVER_MODULE(iwn, pci, iwn_driver, iwn_devclass, NULL, NULL);
373
374MODULE_VERSION(iwn, 1);
375
376MODULE_DEPEND(iwn, firmware, 1, 1, 1);
377MODULE_DEPEND(iwn, pci, 1, 1, 1);
378MODULE_DEPEND(iwn, wlan, 1, 1, 1);
379
380static d_ioctl_t iwn_cdev_ioctl;
381static d_open_t iwn_cdev_open;
382static d_close_t iwn_cdev_close;
383
384static struct cdevsw iwn_cdevsw = {
385	.d_version = D_VERSION,
386	.d_flags = 0,
387	.d_open = iwn_cdev_open,
388	.d_close = iwn_cdev_close,
389	.d_ioctl = iwn_cdev_ioctl,
390	.d_name = "iwn",
391};
392
393static int
394iwn_probe(device_t dev)
395{
396	const struct iwn_ident *ident;
397
398	for (ident = iwn_ident_table; ident->name != NULL; ident++) {
399		if (pci_get_vendor(dev) == ident->vendor &&
400		    pci_get_device(dev) == ident->device) {
401			device_set_desc(dev, ident->name);
402			return (BUS_PROBE_DEFAULT);
403		}
404	}
405	return ENXIO;
406}
407
408static int
409iwn_is_3stream_device(struct iwn_softc *sc)
410{
411	/* XXX for now only 5300, until the 5350 can be tested */
412	if (sc->hw_type == IWN_HW_REV_TYPE_5300)
413		return (1);
414	return (0);
415}
416
417static int
418iwn_attach(device_t dev)
419{
420	struct iwn_softc *sc = device_get_softc(dev);
421	struct ieee80211com *ic;
422	int i, error, rid;
423
424	sc->sc_dev = dev;
425
426#ifdef	IWN_DEBUG
427	error = resource_int_value(device_get_name(sc->sc_dev),
428	    device_get_unit(sc->sc_dev), "debug", &(sc->sc_debug));
429	if (error != 0)
430		sc->sc_debug = 0;
431#else
432	sc->sc_debug = 0;
433#endif
434
435	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: begin\n",__func__);
436
437	/*
438	 * Get the offset of the PCI Express Capability Structure in PCI
439	 * Configuration Space.
440	 */
441	error = pci_find_cap(dev, PCIY_EXPRESS, &sc->sc_cap_off);
442	if (error != 0) {
443		device_printf(dev, "PCIe capability structure not found!\n");
444		return error;
445	}
446
447	/* Clear device-specific "PCI retry timeout" register (41h). */
448	pci_write_config(dev, 0x41, 0, 1);
449
450	/* Enable bus-mastering. */
451	pci_enable_busmaster(dev);
452
453	rid = PCIR_BAR(0);
454	sc->mem = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid,
455	    RF_ACTIVE);
456	if (sc->mem == NULL) {
457		device_printf(dev, "can't map mem space\n");
458		error = ENOMEM;
459		return error;
460	}
461	sc->sc_st = rman_get_bustag(sc->mem);
462	sc->sc_sh = rman_get_bushandle(sc->mem);
463
464	i = 1;
465	rid = 0;
466	if (pci_alloc_msi(dev, &i) == 0)
467		rid = 1;
468	/* Install interrupt handler. */
469	sc->irq = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid, RF_ACTIVE |
470	    (rid != 0 ? 0 : RF_SHAREABLE));
471	if (sc->irq == NULL) {
472		device_printf(dev, "can't map interrupt\n");
473		error = ENOMEM;
474		goto fail;
475	}
476
477	IWN_LOCK_INIT(sc);
478
479	/* Read hardware revision and attach. */
480	sc->hw_type = (IWN_READ(sc, IWN_HW_REV) >> IWN_HW_REV_TYPE_SHIFT)
481	    & IWN_HW_REV_TYPE_MASK;
482	sc->subdevice_id = pci_get_subdevice(dev);
483
484	/*
485	 * 4965 versus 5000 and later have different methods.
486	 * Let's set those up first.
487	 */
488	if (sc->hw_type == IWN_HW_REV_TYPE_4965)
489		iwn4965_attach(sc, pci_get_device(dev));
490	else
491		iwn5000_attach(sc, pci_get_device(dev));
492
493	/*
494	 * Next, let's setup the various parameters of each NIC.
495	 */
496	error = iwn_config_specific(sc, pci_get_device(dev));
497	if (error != 0) {
498		device_printf(dev, "could not attach device, error %d\n",
499		    error);
500		goto fail;
501	}
502
503	if ((error = iwn_hw_prepare(sc)) != 0) {
504		device_printf(dev, "hardware not ready, error %d\n", error);
505		goto fail;
506	}
507
508	/* Allocate DMA memory for firmware transfers. */
509	if ((error = iwn_alloc_fwmem(sc)) != 0) {
510		device_printf(dev,
511		    "could not allocate memory for firmware, error %d\n",
512		    error);
513		goto fail;
514	}
515
516	/* Allocate "Keep Warm" page. */
517	if ((error = iwn_alloc_kw(sc)) != 0) {
518		device_printf(dev,
519		    "could not allocate keep warm page, error %d\n", error);
520		goto fail;
521	}
522
523	/* Allocate ICT table for 5000 Series. */
524	if (sc->hw_type != IWN_HW_REV_TYPE_4965 &&
525	    (error = iwn_alloc_ict(sc)) != 0) {
526		device_printf(dev, "could not allocate ICT table, error %d\n",
527		    error);
528		goto fail;
529	}
530
531	/* Allocate TX scheduler "rings". */
532	if ((error = iwn_alloc_sched(sc)) != 0) {
533		device_printf(dev,
534		    "could not allocate TX scheduler rings, error %d\n", error);
535		goto fail;
536	}
537
538	/* Allocate TX rings (16 on 4965AGN, 20 on >=5000). */
539	for (i = 0; i < sc->ntxqs; i++) {
540		if ((error = iwn_alloc_tx_ring(sc, &sc->txq[i], i)) != 0) {
541			device_printf(dev,
542			    "could not allocate TX ring %d, error %d\n", i,
543			    error);
544			goto fail;
545		}
546	}
547
548	/* Allocate RX ring. */
549	if ((error = iwn_alloc_rx_ring(sc, &sc->rxq)) != 0) {
550		device_printf(dev, "could not allocate RX ring, error %d\n",
551		    error);
552		goto fail;
553	}
554
555	/* Clear pending interrupts. */
556	IWN_WRITE(sc, IWN_INT, 0xffffffff);
557
558	ic = &sc->sc_ic;
559	ic->ic_softc = sc;
560	ic->ic_name = device_get_nameunit(dev);
561	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
562	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
563
564	/* Set device capabilities. */
565	ic->ic_caps =
566		  IEEE80211_C_STA		/* station mode supported */
567		| IEEE80211_C_MONITOR		/* monitor mode supported */
568#if 0
569		| IEEE80211_C_BGSCAN		/* background scanning */
570#endif
571		| IEEE80211_C_TXPMGT		/* tx power management */
572		| IEEE80211_C_SHSLOT		/* short slot time supported */
573		| IEEE80211_C_WPA
574		| IEEE80211_C_SHPREAMBLE	/* short preamble supported */
575#if 0
576		| IEEE80211_C_IBSS		/* ibss/adhoc mode */
577#endif
578		| IEEE80211_C_WME		/* WME */
579		| IEEE80211_C_PMGT		/* Station-side power mgmt */
580		;
581
582	/* Read MAC address, channels, etc from EEPROM. */
583	if ((error = iwn_read_eeprom(sc, ic->ic_macaddr)) != 0) {
584		device_printf(dev, "could not read EEPROM, error %d\n",
585		    error);
586		goto fail;
587	}
588
589	/* Count the number of available chains. */
590	sc->ntxchains =
591	    ((sc->txchainmask >> 2) & 1) +
592	    ((sc->txchainmask >> 1) & 1) +
593	    ((sc->txchainmask >> 0) & 1);
594	sc->nrxchains =
595	    ((sc->rxchainmask >> 2) & 1) +
596	    ((sc->rxchainmask >> 1) & 1) +
597	    ((sc->rxchainmask >> 0) & 1);
598	if (bootverbose) {
599		device_printf(dev, "MIMO %dT%dR, %.4s, address %6D\n",
600		    sc->ntxchains, sc->nrxchains, sc->eeprom_domain,
601		    ic->ic_macaddr, ":");
602	}
603
604	if (sc->sc_flags & IWN_FLAG_HAS_11N) {
605		ic->ic_rxstream = sc->nrxchains;
606		ic->ic_txstream = sc->ntxchains;
607
608		/*
609		 * Some of the 3 antenna devices (ie, the 4965) only supports
610		 * 2x2 operation.  So correct the number of streams if
611		 * it's not a 3-stream device.
612		 */
613		if (! iwn_is_3stream_device(sc)) {
614			if (ic->ic_rxstream > 2)
615				ic->ic_rxstream = 2;
616			if (ic->ic_txstream > 2)
617				ic->ic_txstream = 2;
618		}
619
620		ic->ic_htcaps =
621			  IEEE80211_HTCAP_SMPS_OFF	/* SMPS mode disabled */
622			| IEEE80211_HTCAP_SHORTGI20	/* short GI in 20MHz */
623			| IEEE80211_HTCAP_CHWIDTH40	/* 40MHz channel width*/
624			| IEEE80211_HTCAP_SHORTGI40	/* short GI in 40MHz */
625#ifdef notyet
626			| IEEE80211_HTCAP_GREENFIELD
627#if IWN_RBUF_SIZE == 8192
628			| IEEE80211_HTCAP_MAXAMSDU_7935	/* max A-MSDU length */
629#else
630			| IEEE80211_HTCAP_MAXAMSDU_3839	/* max A-MSDU length */
631#endif
632#endif
633			/* s/w capabilities */
634			| IEEE80211_HTC_HT		/* HT operation */
635			| IEEE80211_HTC_AMPDU		/* tx A-MPDU */
636#ifdef notyet
637			| IEEE80211_HTC_AMSDU		/* tx A-MSDU */
638#endif
639			;
640	}
641
642	ieee80211_ifattach(ic);
643	ic->ic_vap_create = iwn_vap_create;
644	ic->ic_ioctl = iwn_ioctl;
645	ic->ic_parent = iwn_parent;
646	ic->ic_vap_delete = iwn_vap_delete;
647	ic->ic_transmit = iwn_transmit;
648	ic->ic_raw_xmit = iwn_raw_xmit;
649	ic->ic_node_alloc = iwn_node_alloc;
650	sc->sc_ampdu_rx_start = ic->ic_ampdu_rx_start;
651	ic->ic_ampdu_rx_start = iwn_ampdu_rx_start;
652	sc->sc_ampdu_rx_stop = ic->ic_ampdu_rx_stop;
653	ic->ic_ampdu_rx_stop = iwn_ampdu_rx_stop;
654	sc->sc_addba_request = ic->ic_addba_request;
655	ic->ic_addba_request = iwn_addba_request;
656	sc->sc_addba_response = ic->ic_addba_response;
657	ic->ic_addba_response = iwn_addba_response;
658	sc->sc_addba_stop = ic->ic_addba_stop;
659	ic->ic_addba_stop = iwn_ampdu_tx_stop;
660	ic->ic_newassoc = iwn_newassoc;
661	ic->ic_wme.wme_update = iwn_updateedca;
662	ic->ic_update_mcast = iwn_update_mcast;
663	ic->ic_scan_start = iwn_scan_start;
664	ic->ic_scan_end = iwn_scan_end;
665	ic->ic_set_channel = iwn_set_channel;
666	ic->ic_scan_curchan = iwn_scan_curchan;
667	ic->ic_scan_mindwell = iwn_scan_mindwell;
668	ic->ic_getradiocaps = iwn_getradiocaps;
669	ic->ic_setregdomain = iwn_setregdomain;
670
671	iwn_radiotap_attach(sc);
672
673	callout_init_mtx(&sc->calib_to, &sc->sc_mtx, 0);
674	callout_init_mtx(&sc->scan_timeout, &sc->sc_mtx, 0);
675	callout_init_mtx(&sc->watchdog_to, &sc->sc_mtx, 0);
676	TASK_INIT(&sc->sc_radioon_task, 0, iwn_radio_on, sc);
677	TASK_INIT(&sc->sc_radiooff_task, 0, iwn_radio_off, sc);
678	TASK_INIT(&sc->sc_panic_task, 0, iwn_panicked, sc);
679	TASK_INIT(&sc->sc_xmit_task, 0, iwn_xmit_task, sc);
680
681	mbufq_init(&sc->sc_xmit_queue, 1024);
682
683	sc->sc_tq = taskqueue_create("iwn_taskq", M_WAITOK,
684	    taskqueue_thread_enqueue, &sc->sc_tq);
685	error = taskqueue_start_threads(&sc->sc_tq, 1, 0, "iwn_taskq");
686	if (error != 0) {
687		device_printf(dev, "can't start threads, error %d\n", error);
688		goto fail;
689	}
690
691	iwn_sysctlattach(sc);
692
693	/*
694	 * Hook our interrupt after all initialization is complete.
695	 */
696	error = bus_setup_intr(dev, sc->irq, INTR_TYPE_NET | INTR_MPSAFE,
697	    NULL, iwn_intr, sc, &sc->sc_ih);
698	if (error != 0) {
699		device_printf(dev, "can't establish interrupt, error %d\n",
700		    error);
701		goto fail;
702	}
703
704#if 0
705	device_printf(sc->sc_dev, "%s: rx_stats=%d, rx_stats_bt=%d\n",
706	    __func__,
707	    sizeof(struct iwn_stats),
708	    sizeof(struct iwn_stats_bt));
709#endif
710
711	if (bootverbose)
712		ieee80211_announce(ic);
713	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
714
715	/* Add debug ioctl right at the end */
716	sc->sc_cdev = make_dev(&iwn_cdevsw, device_get_unit(dev),
717	    UID_ROOT, GID_WHEEL, 0600, "%s", device_get_nameunit(dev));
718	if (sc->sc_cdev == NULL) {
719		device_printf(dev, "failed to create debug character device\n");
720	} else {
721		sc->sc_cdev->si_drv1 = sc;
722	}
723	return 0;
724fail:
725	iwn_detach(dev);
726	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end in error\n",__func__);
727	return error;
728}
729
730/*
731 * Define specific configuration based on device id and subdevice id
732 * pid : PCI device id
733 */
734static int
735iwn_config_specific(struct iwn_softc *sc, uint16_t pid)
736{
737
738	switch (pid) {
739/* 4965 series */
740	case IWN_DID_4965_1:
741	case IWN_DID_4965_2:
742	case IWN_DID_4965_3:
743	case IWN_DID_4965_4:
744		sc->base_params = &iwn4965_base_params;
745		sc->limits = &iwn4965_sensitivity_limits;
746		sc->fwname = "iwn4965fw";
747		/* Override chains masks, ROM is known to be broken. */
748		sc->txchainmask = IWN_ANT_AB;
749		sc->rxchainmask = IWN_ANT_ABC;
750		/* Enable normal btcoex */
751		sc->sc_flags |= IWN_FLAG_BTCOEX;
752		break;
753/* 1000 Series */
754	case IWN_DID_1000_1:
755	case IWN_DID_1000_2:
756		switch(sc->subdevice_id) {
757			case	IWN_SDID_1000_1:
758			case	IWN_SDID_1000_2:
759			case	IWN_SDID_1000_3:
760			case	IWN_SDID_1000_4:
761			case	IWN_SDID_1000_5:
762			case	IWN_SDID_1000_6:
763			case	IWN_SDID_1000_7:
764			case	IWN_SDID_1000_8:
765			case	IWN_SDID_1000_9:
766			case	IWN_SDID_1000_10:
767			case	IWN_SDID_1000_11:
768			case	IWN_SDID_1000_12:
769				sc->limits = &iwn1000_sensitivity_limits;
770				sc->base_params = &iwn1000_base_params;
771				sc->fwname = "iwn1000fw";
772				break;
773			default:
774				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
775				    "0x%04x rev %d not supported (subdevice)\n", pid,
776				    sc->subdevice_id,sc->hw_type);
777				return ENOTSUP;
778		}
779		break;
780/* 6x00 Series */
781	case IWN_DID_6x00_2:
782	case IWN_DID_6x00_4:
783	case IWN_DID_6x00_1:
784	case IWN_DID_6x00_3:
785		sc->fwname = "iwn6000fw";
786		sc->limits = &iwn6000_sensitivity_limits;
787		switch(sc->subdevice_id) {
788			case IWN_SDID_6x00_1:
789			case IWN_SDID_6x00_2:
790			case IWN_SDID_6x00_8:
791				//iwl6000_3agn_cfg
792				sc->base_params = &iwn_6000_base_params;
793				break;
794			case IWN_SDID_6x00_3:
795			case IWN_SDID_6x00_6:
796			case IWN_SDID_6x00_9:
797				////iwl6000i_2agn
798			case IWN_SDID_6x00_4:
799			case IWN_SDID_6x00_7:
800			case IWN_SDID_6x00_10:
801				//iwl6000i_2abg_cfg
802			case IWN_SDID_6x00_5:
803				//iwl6000i_2bg_cfg
804				sc->base_params = &iwn_6000i_base_params;
805				sc->sc_flags |= IWN_FLAG_INTERNAL_PA;
806				sc->txchainmask = IWN_ANT_BC;
807				sc->rxchainmask = IWN_ANT_BC;
808				break;
809			default:
810				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
811				    "0x%04x rev %d not supported (subdevice)\n", pid,
812				    sc->subdevice_id,sc->hw_type);
813				return ENOTSUP;
814		}
815		break;
816/* 6x05 Series */
817	case IWN_DID_6x05_1:
818	case IWN_DID_6x05_2:
819		switch(sc->subdevice_id) {
820			case IWN_SDID_6x05_1:
821			case IWN_SDID_6x05_4:
822			case IWN_SDID_6x05_6:
823				//iwl6005_2agn_cfg
824			case IWN_SDID_6x05_2:
825			case IWN_SDID_6x05_5:
826			case IWN_SDID_6x05_7:
827				//iwl6005_2abg_cfg
828			case IWN_SDID_6x05_3:
829				//iwl6005_2bg_cfg
830			case IWN_SDID_6x05_8:
831			case IWN_SDID_6x05_9:
832				//iwl6005_2agn_sff_cfg
833			case IWN_SDID_6x05_10:
834				//iwl6005_2agn_d_cfg
835			case IWN_SDID_6x05_11:
836				//iwl6005_2agn_mow1_cfg
837			case IWN_SDID_6x05_12:
838				//iwl6005_2agn_mow2_cfg
839				sc->fwname = "iwn6000g2afw";
840				sc->limits = &iwn6000_sensitivity_limits;
841				sc->base_params = &iwn_6000g2_base_params;
842				break;
843			default:
844				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
845				    "0x%04x rev %d not supported (subdevice)\n", pid,
846				    sc->subdevice_id,sc->hw_type);
847				return ENOTSUP;
848		}
849		break;
850/* 6x35 Series */
851	case IWN_DID_6035_1:
852	case IWN_DID_6035_2:
853		switch(sc->subdevice_id) {
854			case IWN_SDID_6035_1:
855			case IWN_SDID_6035_2:
856			case IWN_SDID_6035_3:
857			case IWN_SDID_6035_4:
858			case IWN_SDID_6035_5:
859				sc->fwname = "iwn6000g2bfw";
860				sc->limits = &iwn6235_sensitivity_limits;
861				sc->base_params = &iwn_6235_base_params;
862				break;
863			default:
864				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
865				    "0x%04x rev %d not supported (subdevice)\n", pid,
866				    sc->subdevice_id,sc->hw_type);
867				return ENOTSUP;
868		}
869		break;
870/* 6x50 WiFi/WiMax Series */
871	case IWN_DID_6050_1:
872	case IWN_DID_6050_2:
873		switch(sc->subdevice_id) {
874			case IWN_SDID_6050_1:
875			case IWN_SDID_6050_3:
876			case IWN_SDID_6050_5:
877				//iwl6050_2agn_cfg
878			case IWN_SDID_6050_2:
879			case IWN_SDID_6050_4:
880			case IWN_SDID_6050_6:
881				//iwl6050_2abg_cfg
882				sc->fwname = "iwn6050fw";
883				sc->txchainmask = IWN_ANT_AB;
884				sc->rxchainmask = IWN_ANT_AB;
885				sc->limits = &iwn6000_sensitivity_limits;
886				sc->base_params = &iwn_6050_base_params;
887				break;
888			default:
889				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
890				    "0x%04x rev %d not supported (subdevice)\n", pid,
891				    sc->subdevice_id,sc->hw_type);
892				return ENOTSUP;
893		}
894		break;
895/* 6150 WiFi/WiMax Series */
896	case IWN_DID_6150_1:
897	case IWN_DID_6150_2:
898		switch(sc->subdevice_id) {
899			case IWN_SDID_6150_1:
900			case IWN_SDID_6150_3:
901			case IWN_SDID_6150_5:
902				// iwl6150_bgn_cfg
903			case IWN_SDID_6150_2:
904			case IWN_SDID_6150_4:
905			case IWN_SDID_6150_6:
906				//iwl6150_bg_cfg
907				sc->fwname = "iwn6050fw";
908				sc->limits = &iwn6000_sensitivity_limits;
909				sc->base_params = &iwn_6150_base_params;
910				break;
911			default:
912				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
913				    "0x%04x rev %d not supported (subdevice)\n", pid,
914				    sc->subdevice_id,sc->hw_type);
915				return ENOTSUP;
916		}
917		break;
918/* 6030 Series and 1030 Series */
919	case IWN_DID_x030_1:
920	case IWN_DID_x030_2:
921	case IWN_DID_x030_3:
922	case IWN_DID_x030_4:
923		switch(sc->subdevice_id) {
924			case IWN_SDID_x030_1:
925			case IWN_SDID_x030_3:
926			case IWN_SDID_x030_5:
927			// iwl1030_bgn_cfg
928			case IWN_SDID_x030_2:
929			case IWN_SDID_x030_4:
930			case IWN_SDID_x030_6:
931			//iwl1030_bg_cfg
932			case IWN_SDID_x030_7:
933			case IWN_SDID_x030_10:
934			case IWN_SDID_x030_14:
935			//iwl6030_2agn_cfg
936			case IWN_SDID_x030_8:
937			case IWN_SDID_x030_11:
938			case IWN_SDID_x030_15:
939			// iwl6030_2bgn_cfg
940			case IWN_SDID_x030_9:
941			case IWN_SDID_x030_12:
942			case IWN_SDID_x030_16:
943			// iwl6030_2abg_cfg
944			case IWN_SDID_x030_13:
945			//iwl6030_2bg_cfg
946				sc->fwname = "iwn6000g2bfw";
947				sc->limits = &iwn6000_sensitivity_limits;
948				sc->base_params = &iwn_6000g2b_base_params;
949				break;
950			default:
951				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
952				    "0x%04x rev %d not supported (subdevice)\n", pid,
953				    sc->subdevice_id,sc->hw_type);
954				return ENOTSUP;
955		}
956		break;
957/* 130 Series WiFi */
958/* XXX: This series will need adjustment for rate.
959 * see rx_with_siso_diversity in linux kernel
960 */
961	case IWN_DID_130_1:
962	case IWN_DID_130_2:
963		switch(sc->subdevice_id) {
964			case IWN_SDID_130_1:
965			case IWN_SDID_130_3:
966			case IWN_SDID_130_5:
967			//iwl130_bgn_cfg
968			case IWN_SDID_130_2:
969			case IWN_SDID_130_4:
970			case IWN_SDID_130_6:
971			//iwl130_bg_cfg
972				sc->fwname = "iwn6000g2bfw";
973				sc->limits = &iwn6000_sensitivity_limits;
974				sc->base_params = &iwn_6000g2b_base_params;
975				break;
976			default:
977				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
978				    "0x%04x rev %d not supported (subdevice)\n", pid,
979				    sc->subdevice_id,sc->hw_type);
980				return ENOTSUP;
981		}
982		break;
983/* 100 Series WiFi */
984	case IWN_DID_100_1:
985	case IWN_DID_100_2:
986		switch(sc->subdevice_id) {
987			case IWN_SDID_100_1:
988			case IWN_SDID_100_2:
989			case IWN_SDID_100_3:
990			case IWN_SDID_100_4:
991			case IWN_SDID_100_5:
992			case IWN_SDID_100_6:
993				sc->limits = &iwn1000_sensitivity_limits;
994				sc->base_params = &iwn1000_base_params;
995				sc->fwname = "iwn100fw";
996				break;
997			default:
998				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
999				    "0x%04x rev %d not supported (subdevice)\n", pid,
1000				    sc->subdevice_id,sc->hw_type);
1001				return ENOTSUP;
1002		}
1003		break;
1004
1005/* 105 Series */
1006/* XXX: This series will need adjustment for rate.
1007 * see rx_with_siso_diversity in linux kernel
1008 */
1009	case IWN_DID_105_1:
1010	case IWN_DID_105_2:
1011		switch(sc->subdevice_id) {
1012			case IWN_SDID_105_1:
1013			case IWN_SDID_105_2:
1014			case IWN_SDID_105_3:
1015			//iwl105_bgn_cfg
1016			case IWN_SDID_105_4:
1017			//iwl105_bgn_d_cfg
1018				sc->limits = &iwn2030_sensitivity_limits;
1019				sc->base_params = &iwn2000_base_params;
1020				sc->fwname = "iwn105fw";
1021				break;
1022			default:
1023				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1024				    "0x%04x rev %d not supported (subdevice)\n", pid,
1025				    sc->subdevice_id,sc->hw_type);
1026				return ENOTSUP;
1027		}
1028		break;
1029
1030/* 135 Series */
1031/* XXX: This series will need adjustment for rate.
1032 * see rx_with_siso_diversity in linux kernel
1033 */
1034	case IWN_DID_135_1:
1035	case IWN_DID_135_2:
1036		switch(sc->subdevice_id) {
1037			case IWN_SDID_135_1:
1038			case IWN_SDID_135_2:
1039			case IWN_SDID_135_3:
1040				sc->limits = &iwn2030_sensitivity_limits;
1041				sc->base_params = &iwn2030_base_params;
1042				sc->fwname = "iwn135fw";
1043				break;
1044			default:
1045				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1046				    "0x%04x rev %d not supported (subdevice)\n", pid,
1047				    sc->subdevice_id,sc->hw_type);
1048				return ENOTSUP;
1049		}
1050		break;
1051
1052/* 2x00 Series */
1053	case IWN_DID_2x00_1:
1054	case IWN_DID_2x00_2:
1055		switch(sc->subdevice_id) {
1056			case IWN_SDID_2x00_1:
1057			case IWN_SDID_2x00_2:
1058			case IWN_SDID_2x00_3:
1059			//iwl2000_2bgn_cfg
1060			case IWN_SDID_2x00_4:
1061			//iwl2000_2bgn_d_cfg
1062				sc->limits = &iwn2030_sensitivity_limits;
1063				sc->base_params = &iwn2000_base_params;
1064				sc->fwname = "iwn2000fw";
1065				break;
1066			default:
1067				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1068				    "0x%04x rev %d not supported (subdevice) \n",
1069				    pid, sc->subdevice_id, sc->hw_type);
1070				return ENOTSUP;
1071		}
1072		break;
1073/* 2x30 Series */
1074	case IWN_DID_2x30_1:
1075	case IWN_DID_2x30_2:
1076		switch(sc->subdevice_id) {
1077			case IWN_SDID_2x30_1:
1078			case IWN_SDID_2x30_3:
1079			case IWN_SDID_2x30_5:
1080			//iwl100_bgn_cfg
1081			case IWN_SDID_2x30_2:
1082			case IWN_SDID_2x30_4:
1083			case IWN_SDID_2x30_6:
1084			//iwl100_bg_cfg
1085				sc->limits = &iwn2030_sensitivity_limits;
1086				sc->base_params = &iwn2030_base_params;
1087				sc->fwname = "iwn2030fw";
1088				break;
1089			default:
1090				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1091				    "0x%04x rev %d not supported (subdevice)\n", pid,
1092				    sc->subdevice_id,sc->hw_type);
1093				return ENOTSUP;
1094		}
1095		break;
1096/* 5x00 Series */
1097	case IWN_DID_5x00_1:
1098	case IWN_DID_5x00_2:
1099	case IWN_DID_5x00_3:
1100	case IWN_DID_5x00_4:
1101		sc->limits = &iwn5000_sensitivity_limits;
1102		sc->base_params = &iwn5000_base_params;
1103		sc->fwname = "iwn5000fw";
1104		switch(sc->subdevice_id) {
1105			case IWN_SDID_5x00_1:
1106			case IWN_SDID_5x00_2:
1107			case IWN_SDID_5x00_3:
1108			case IWN_SDID_5x00_4:
1109			case IWN_SDID_5x00_9:
1110			case IWN_SDID_5x00_10:
1111			case IWN_SDID_5x00_11:
1112			case IWN_SDID_5x00_12:
1113			case IWN_SDID_5x00_17:
1114			case IWN_SDID_5x00_18:
1115			case IWN_SDID_5x00_19:
1116			case IWN_SDID_5x00_20:
1117			//iwl5100_agn_cfg
1118				sc->txchainmask = IWN_ANT_B;
1119				sc->rxchainmask = IWN_ANT_AB;
1120				break;
1121			case IWN_SDID_5x00_5:
1122			case IWN_SDID_5x00_6:
1123			case IWN_SDID_5x00_13:
1124			case IWN_SDID_5x00_14:
1125			case IWN_SDID_5x00_21:
1126			case IWN_SDID_5x00_22:
1127			//iwl5100_bgn_cfg
1128				sc->txchainmask = IWN_ANT_B;
1129				sc->rxchainmask = IWN_ANT_AB;
1130				break;
1131			case IWN_SDID_5x00_7:
1132			case IWN_SDID_5x00_8:
1133			case IWN_SDID_5x00_15:
1134			case IWN_SDID_5x00_16:
1135			case IWN_SDID_5x00_23:
1136			case IWN_SDID_5x00_24:
1137			//iwl5100_abg_cfg
1138				sc->txchainmask = IWN_ANT_B;
1139				sc->rxchainmask = IWN_ANT_AB;
1140				break;
1141			case IWN_SDID_5x00_25:
1142			case IWN_SDID_5x00_26:
1143			case IWN_SDID_5x00_27:
1144			case IWN_SDID_5x00_28:
1145			case IWN_SDID_5x00_29:
1146			case IWN_SDID_5x00_30:
1147			case IWN_SDID_5x00_31:
1148			case IWN_SDID_5x00_32:
1149			case IWN_SDID_5x00_33:
1150			case IWN_SDID_5x00_34:
1151			case IWN_SDID_5x00_35:
1152			case IWN_SDID_5x00_36:
1153			//iwl5300_agn_cfg
1154				sc->txchainmask = IWN_ANT_ABC;
1155				sc->rxchainmask = IWN_ANT_ABC;
1156				break;
1157			default:
1158				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1159				    "0x%04x rev %d not supported (subdevice)\n", pid,
1160				    sc->subdevice_id,sc->hw_type);
1161				return ENOTSUP;
1162		}
1163		break;
1164/* 5x50 Series */
1165	case IWN_DID_5x50_1:
1166	case IWN_DID_5x50_2:
1167	case IWN_DID_5x50_3:
1168	case IWN_DID_5x50_4:
1169		sc->limits = &iwn5000_sensitivity_limits;
1170		sc->base_params = &iwn5000_base_params;
1171		sc->fwname = "iwn5000fw";
1172		switch(sc->subdevice_id) {
1173			case IWN_SDID_5x50_1:
1174			case IWN_SDID_5x50_2:
1175			case IWN_SDID_5x50_3:
1176			//iwl5350_agn_cfg
1177				sc->limits = &iwn5000_sensitivity_limits;
1178				sc->base_params = &iwn5000_base_params;
1179				sc->fwname = "iwn5000fw";
1180				break;
1181			case IWN_SDID_5x50_4:
1182			case IWN_SDID_5x50_5:
1183			case IWN_SDID_5x50_8:
1184			case IWN_SDID_5x50_9:
1185			case IWN_SDID_5x50_10:
1186			case IWN_SDID_5x50_11:
1187			//iwl5150_agn_cfg
1188			case IWN_SDID_5x50_6:
1189			case IWN_SDID_5x50_7:
1190			case IWN_SDID_5x50_12:
1191			case IWN_SDID_5x50_13:
1192			//iwl5150_abg_cfg
1193				sc->limits = &iwn5000_sensitivity_limits;
1194				sc->fwname = "iwn5150fw";
1195				sc->base_params = &iwn_5x50_base_params;
1196				break;
1197			default:
1198				device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
1199				    "0x%04x rev %d not supported (subdevice)\n", pid,
1200				    sc->subdevice_id,sc->hw_type);
1201				return ENOTSUP;
1202		}
1203		break;
1204	default:
1205		device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id : 0x%04x"
1206		    "rev 0x%08x not supported (device)\n", pid, sc->subdevice_id,
1207		     sc->hw_type);
1208		return ENOTSUP;
1209	}
1210	return 0;
1211}
1212
1213static void
1214iwn4965_attach(struct iwn_softc *sc, uint16_t pid)
1215{
1216	struct iwn_ops *ops = &sc->ops;
1217
1218	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1219
1220	ops->load_firmware = iwn4965_load_firmware;
1221	ops->read_eeprom = iwn4965_read_eeprom;
1222	ops->post_alive = iwn4965_post_alive;
1223	ops->nic_config = iwn4965_nic_config;
1224	ops->update_sched = iwn4965_update_sched;
1225	ops->get_temperature = iwn4965_get_temperature;
1226	ops->get_rssi = iwn4965_get_rssi;
1227	ops->set_txpower = iwn4965_set_txpower;
1228	ops->init_gains = iwn4965_init_gains;
1229	ops->set_gains = iwn4965_set_gains;
1230	ops->add_node = iwn4965_add_node;
1231	ops->tx_done = iwn4965_tx_done;
1232	ops->ampdu_tx_start = iwn4965_ampdu_tx_start;
1233	ops->ampdu_tx_stop = iwn4965_ampdu_tx_stop;
1234	sc->ntxqs = IWN4965_NTXQUEUES;
1235	sc->firstaggqueue = IWN4965_FIRSTAGGQUEUE;
1236	sc->ndmachnls = IWN4965_NDMACHNLS;
1237	sc->broadcast_id = IWN4965_ID_BROADCAST;
1238	sc->rxonsz = IWN4965_RXONSZ;
1239	sc->schedsz = IWN4965_SCHEDSZ;
1240	sc->fw_text_maxsz = IWN4965_FW_TEXT_MAXSZ;
1241	sc->fw_data_maxsz = IWN4965_FW_DATA_MAXSZ;
1242	sc->fwsz = IWN4965_FWSZ;
1243	sc->sched_txfact_addr = IWN4965_SCHED_TXFACT;
1244	sc->limits = &iwn4965_sensitivity_limits;
1245	sc->fwname = "iwn4965fw";
1246	/* Override chains masks, ROM is known to be broken. */
1247	sc->txchainmask = IWN_ANT_AB;
1248	sc->rxchainmask = IWN_ANT_ABC;
1249	/* Enable normal btcoex */
1250	sc->sc_flags |= IWN_FLAG_BTCOEX;
1251
1252	DPRINTF(sc, IWN_DEBUG_TRACE, "%s: end\n",__func__);
1253}
1254
1255static void
1256iwn5000_attach(struct iwn_softc *sc, uint16_t pid)
1257{
1258	struct iwn_ops *ops = &sc->ops;
1259
1260	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1261
1262	ops->load_firmware = iwn5000_load_firmware;
1263	ops->read_eeprom = iwn5000_read_eeprom;
1264	ops->post_alive = iwn5000_post_alive;
1265	ops->nic_config = iwn5000_nic_config;
1266	ops->update_sched = iwn5000_update_sched;
1267	ops->get_temperature = iwn5000_get_temperature;
1268	ops->get_rssi = iwn5000_get_rssi;
1269	ops->set_txpower = iwn5000_set_txpower;
1270	ops->init_gains = iwn5000_init_gains;
1271	ops->set_gains = iwn5000_set_gains;
1272	ops->add_node = iwn5000_add_node;
1273	ops->tx_done = iwn5000_tx_done;
1274	ops->ampdu_tx_start = iwn5000_ampdu_tx_start;
1275	ops->ampdu_tx_stop = iwn5000_ampdu_tx_stop;
1276	sc->ntxqs = IWN5000_NTXQUEUES;
1277	sc->firstaggqueue = IWN5000_FIRSTAGGQUEUE;
1278	sc->ndmachnls = IWN5000_NDMACHNLS;
1279	sc->broadcast_id = IWN5000_ID_BROADCAST;
1280	sc->rxonsz = IWN5000_RXONSZ;
1281	sc->schedsz = IWN5000_SCHEDSZ;
1282	sc->fw_text_maxsz = IWN5000_FW_TEXT_MAXSZ;
1283	sc->fw_data_maxsz = IWN5000_FW_DATA_MAXSZ;
1284	sc->fwsz = IWN5000_FWSZ;
1285	sc->sched_txfact_addr = IWN5000_SCHED_TXFACT;
1286	sc->reset_noise_gain = IWN5000_PHY_CALIB_RESET_NOISE_GAIN;
1287	sc->noise_gain = IWN5000_PHY_CALIB_NOISE_GAIN;
1288
1289	DPRINTF(sc, IWN_DEBUG_TRACE, "%s: end\n",__func__);
1290}
1291
1292/*
1293 * Attach the interface to 802.11 radiotap.
1294 */
1295static void
1296iwn_radiotap_attach(struct iwn_softc *sc)
1297{
1298
1299	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1300	ieee80211_radiotap_attach(&sc->sc_ic,
1301	    &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
1302		IWN_TX_RADIOTAP_PRESENT,
1303	    &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
1304		IWN_RX_RADIOTAP_PRESENT);
1305	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
1306}
1307
1308static void
1309iwn_sysctlattach(struct iwn_softc *sc)
1310{
1311#ifdef	IWN_DEBUG
1312	struct sysctl_ctx_list *ctx = device_get_sysctl_ctx(sc->sc_dev);
1313	struct sysctl_oid *tree = device_get_sysctl_tree(sc->sc_dev);
1314
1315	SYSCTL_ADD_INT(ctx, SYSCTL_CHILDREN(tree), OID_AUTO,
1316	    "debug", CTLFLAG_RW, &sc->sc_debug, sc->sc_debug,
1317		"control debugging printfs");
1318#endif
1319}
1320
1321static struct ieee80211vap *
1322iwn_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
1323    enum ieee80211_opmode opmode, int flags,
1324    const uint8_t bssid[IEEE80211_ADDR_LEN],
1325    const uint8_t mac[IEEE80211_ADDR_LEN])
1326{
1327	struct iwn_softc *sc = ic->ic_softc;
1328	struct iwn_vap *ivp;
1329	struct ieee80211vap *vap;
1330
1331	if (!TAILQ_EMPTY(&ic->ic_vaps))		/* only one at a time */
1332		return NULL;
1333
1334	ivp = malloc(sizeof(struct iwn_vap), M_80211_VAP, M_WAITOK | M_ZERO);
1335	vap = &ivp->iv_vap;
1336	ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid);
1337	ivp->ctx = IWN_RXON_BSS_CTX;
1338	vap->iv_bmissthreshold = 10;		/* override default */
1339	/* Override with driver methods. */
1340	ivp->iv_newstate = vap->iv_newstate;
1341	vap->iv_newstate = iwn_newstate;
1342	sc->ivap[IWN_RXON_BSS_CTX] = vap;
1343
1344	ieee80211_ratectl_init(vap);
1345	/* Complete setup. */
1346	ieee80211_vap_attach(vap, iwn_media_change, ieee80211_media_status,
1347	    mac);
1348	ic->ic_opmode = opmode;
1349	return vap;
1350}
1351
1352static void
1353iwn_vap_delete(struct ieee80211vap *vap)
1354{
1355	struct iwn_vap *ivp = IWN_VAP(vap);
1356
1357	ieee80211_ratectl_deinit(vap);
1358	ieee80211_vap_detach(vap);
1359	free(ivp, M_80211_VAP);
1360}
1361
1362static void
1363iwn_xmit_queue_drain(struct iwn_softc *sc)
1364{
1365	struct mbuf *m;
1366	struct ieee80211_node *ni;
1367
1368	IWN_LOCK_ASSERT(sc);
1369	while ((m = mbufq_dequeue(&sc->sc_xmit_queue)) != NULL) {
1370		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
1371		ieee80211_free_node(ni);
1372		m_freem(m);
1373	}
1374}
1375
1376static int
1377iwn_xmit_queue_enqueue(struct iwn_softc *sc, struct mbuf *m)
1378{
1379
1380	IWN_LOCK_ASSERT(sc);
1381	return (mbufq_enqueue(&sc->sc_xmit_queue, m));
1382}
1383
1384static int
1385iwn_detach(device_t dev)
1386{
1387	struct iwn_softc *sc = device_get_softc(dev);
1388	int qid;
1389
1390	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1391
1392	if (sc->sc_ic.ic_softc != NULL) {
1393		/* Free the mbuf queue and node references */
1394		IWN_LOCK(sc);
1395		iwn_xmit_queue_drain(sc);
1396		IWN_UNLOCK(sc);
1397
1398		ieee80211_draintask(&sc->sc_ic, &sc->sc_radioon_task);
1399		ieee80211_draintask(&sc->sc_ic, &sc->sc_radiooff_task);
1400		iwn_stop(sc);
1401
1402		taskqueue_drain_all(sc->sc_tq);
1403		taskqueue_free(sc->sc_tq);
1404
1405		callout_drain(&sc->watchdog_to);
1406		callout_drain(&sc->scan_timeout);
1407		callout_drain(&sc->calib_to);
1408		ieee80211_ifdetach(&sc->sc_ic);
1409	}
1410
1411	/* Uninstall interrupt handler. */
1412	if (sc->irq != NULL) {
1413		bus_teardown_intr(dev, sc->irq, sc->sc_ih);
1414		bus_release_resource(dev, SYS_RES_IRQ, rman_get_rid(sc->irq),
1415		    sc->irq);
1416		pci_release_msi(dev);
1417	}
1418
1419	/* Free DMA resources. */
1420	iwn_free_rx_ring(sc, &sc->rxq);
1421	for (qid = 0; qid < sc->ntxqs; qid++)
1422		iwn_free_tx_ring(sc, &sc->txq[qid]);
1423	iwn_free_sched(sc);
1424	iwn_free_kw(sc);
1425	if (sc->ict != NULL)
1426		iwn_free_ict(sc);
1427	iwn_free_fwmem(sc);
1428
1429	if (sc->mem != NULL)
1430		bus_release_resource(dev, SYS_RES_MEMORY,
1431		    rman_get_rid(sc->mem), sc->mem);
1432
1433	if (sc->sc_cdev) {
1434		destroy_dev(sc->sc_cdev);
1435		sc->sc_cdev = NULL;
1436	}
1437
1438	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n", __func__);
1439	IWN_LOCK_DESTROY(sc);
1440	return 0;
1441}
1442
1443static int
1444iwn_shutdown(device_t dev)
1445{
1446	struct iwn_softc *sc = device_get_softc(dev);
1447
1448	iwn_stop(sc);
1449	return 0;
1450}
1451
1452static int
1453iwn_suspend(device_t dev)
1454{
1455	struct iwn_softc *sc = device_get_softc(dev);
1456
1457	ieee80211_suspend_all(&sc->sc_ic);
1458	return 0;
1459}
1460
1461static int
1462iwn_resume(device_t dev)
1463{
1464	struct iwn_softc *sc = device_get_softc(dev);
1465
1466	/* Clear device-specific "PCI retry timeout" register (41h). */
1467	pci_write_config(dev, 0x41, 0, 1);
1468
1469	ieee80211_resume_all(&sc->sc_ic);
1470	return 0;
1471}
1472
1473static int
1474iwn_nic_lock(struct iwn_softc *sc)
1475{
1476	int ntries;
1477
1478	/* Request exclusive access to NIC. */
1479	IWN_SETBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
1480
1481	/* Spin until we actually get the lock. */
1482	for (ntries = 0; ntries < 1000; ntries++) {
1483		if ((IWN_READ(sc, IWN_GP_CNTRL) &
1484		     (IWN_GP_CNTRL_MAC_ACCESS_ENA | IWN_GP_CNTRL_SLEEP)) ==
1485		    IWN_GP_CNTRL_MAC_ACCESS_ENA)
1486			return 0;
1487		DELAY(10);
1488	}
1489	return ETIMEDOUT;
1490}
1491
1492static __inline void
1493iwn_nic_unlock(struct iwn_softc *sc)
1494{
1495	IWN_CLRBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
1496}
1497
1498static __inline uint32_t
1499iwn_prph_read(struct iwn_softc *sc, uint32_t addr)
1500{
1501	IWN_WRITE(sc, IWN_PRPH_RADDR, IWN_PRPH_DWORD | addr);
1502	IWN_BARRIER_READ_WRITE(sc);
1503	return IWN_READ(sc, IWN_PRPH_RDATA);
1504}
1505
1506static __inline void
1507iwn_prph_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
1508{
1509	IWN_WRITE(sc, IWN_PRPH_WADDR, IWN_PRPH_DWORD | addr);
1510	IWN_BARRIER_WRITE(sc);
1511	IWN_WRITE(sc, IWN_PRPH_WDATA, data);
1512}
1513
1514static __inline void
1515iwn_prph_setbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
1516{
1517	iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) | mask);
1518}
1519
1520static __inline void
1521iwn_prph_clrbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
1522{
1523	iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) & ~mask);
1524}
1525
1526static __inline void
1527iwn_prph_write_region_4(struct iwn_softc *sc, uint32_t addr,
1528    const uint32_t *data, int count)
1529{
1530	for (; count > 0; count--, data++, addr += 4)
1531		iwn_prph_write(sc, addr, *data);
1532}
1533
1534static __inline uint32_t
1535iwn_mem_read(struct iwn_softc *sc, uint32_t addr)
1536{
1537	IWN_WRITE(sc, IWN_MEM_RADDR, addr);
1538	IWN_BARRIER_READ_WRITE(sc);
1539	return IWN_READ(sc, IWN_MEM_RDATA);
1540}
1541
1542static __inline void
1543iwn_mem_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
1544{
1545	IWN_WRITE(sc, IWN_MEM_WADDR, addr);
1546	IWN_BARRIER_WRITE(sc);
1547	IWN_WRITE(sc, IWN_MEM_WDATA, data);
1548}
1549
1550static __inline void
1551iwn_mem_write_2(struct iwn_softc *sc, uint32_t addr, uint16_t data)
1552{
1553	uint32_t tmp;
1554
1555	tmp = iwn_mem_read(sc, addr & ~3);
1556	if (addr & 3)
1557		tmp = (tmp & 0x0000ffff) | data << 16;
1558	else
1559		tmp = (tmp & 0xffff0000) | data;
1560	iwn_mem_write(sc, addr & ~3, tmp);
1561}
1562
1563static __inline void
1564iwn_mem_read_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t *data,
1565    int count)
1566{
1567	for (; count > 0; count--, addr += 4)
1568		*data++ = iwn_mem_read(sc, addr);
1569}
1570
1571static __inline void
1572iwn_mem_set_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t val,
1573    int count)
1574{
1575	for (; count > 0; count--, addr += 4)
1576		iwn_mem_write(sc, addr, val);
1577}
1578
1579static int
1580iwn_eeprom_lock(struct iwn_softc *sc)
1581{
1582	int i, ntries;
1583
1584	for (i = 0; i < 100; i++) {
1585		/* Request exclusive access to EEPROM. */
1586		IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
1587		    IWN_HW_IF_CONFIG_EEPROM_LOCKED);
1588
1589		/* Spin until we actually get the lock. */
1590		for (ntries = 0; ntries < 100; ntries++) {
1591			if (IWN_READ(sc, IWN_HW_IF_CONFIG) &
1592			    IWN_HW_IF_CONFIG_EEPROM_LOCKED)
1593				return 0;
1594			DELAY(10);
1595		}
1596	}
1597	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end timeout\n", __func__);
1598	return ETIMEDOUT;
1599}
1600
1601static __inline void
1602iwn_eeprom_unlock(struct iwn_softc *sc)
1603{
1604	IWN_CLRBITS(sc, IWN_HW_IF_CONFIG, IWN_HW_IF_CONFIG_EEPROM_LOCKED);
1605}
1606
1607/*
1608 * Initialize access by host to One Time Programmable ROM.
1609 * NB: This kind of ROM can be found on 1000 or 6000 Series only.
1610 */
1611static int
1612iwn_init_otprom(struct iwn_softc *sc)
1613{
1614	uint16_t prev, base, next;
1615	int count, error;
1616
1617	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1618
1619	/* Wait for clock stabilization before accessing prph. */
1620	if ((error = iwn_clock_wait(sc)) != 0)
1621		return error;
1622
1623	if ((error = iwn_nic_lock(sc)) != 0)
1624		return error;
1625	iwn_prph_setbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
1626	DELAY(5);
1627	iwn_prph_clrbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
1628	iwn_nic_unlock(sc);
1629
1630	/* Set auto clock gate disable bit for HW with OTP shadow RAM. */
1631	if (sc->base_params->shadow_ram_support) {
1632		IWN_SETBITS(sc, IWN_DBG_LINK_PWR_MGMT,
1633		    IWN_RESET_LINK_PWR_MGMT_DIS);
1634	}
1635	IWN_CLRBITS(sc, IWN_EEPROM_GP, IWN_EEPROM_GP_IF_OWNER);
1636	/* Clear ECC status. */
1637	IWN_SETBITS(sc, IWN_OTP_GP,
1638	    IWN_OTP_GP_ECC_CORR_STTS | IWN_OTP_GP_ECC_UNCORR_STTS);
1639
1640	/*
1641	 * Find the block before last block (contains the EEPROM image)
1642	 * for HW without OTP shadow RAM.
1643	 */
1644	if (! sc->base_params->shadow_ram_support) {
1645		/* Switch to absolute addressing mode. */
1646		IWN_CLRBITS(sc, IWN_OTP_GP, IWN_OTP_GP_RELATIVE_ACCESS);
1647		base = prev = 0;
1648		for (count = 0; count < sc->base_params->max_ll_items;
1649		    count++) {
1650			error = iwn_read_prom_data(sc, base, &next, 2);
1651			if (error != 0)
1652				return error;
1653			if (next == 0)	/* End of linked-list. */
1654				break;
1655			prev = base;
1656			base = le16toh(next);
1657		}
1658		if (count == 0 || count == sc->base_params->max_ll_items)
1659			return EIO;
1660		/* Skip "next" word. */
1661		sc->prom_base = prev + 1;
1662	}
1663
1664	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
1665
1666	return 0;
1667}
1668
1669static int
1670iwn_read_prom_data(struct iwn_softc *sc, uint32_t addr, void *data, int count)
1671{
1672	uint8_t *out = data;
1673	uint32_t val, tmp;
1674	int ntries;
1675
1676	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1677
1678	addr += sc->prom_base;
1679	for (; count > 0; count -= 2, addr++) {
1680		IWN_WRITE(sc, IWN_EEPROM, addr << 2);
1681		for (ntries = 0; ntries < 10; ntries++) {
1682			val = IWN_READ(sc, IWN_EEPROM);
1683			if (val & IWN_EEPROM_READ_VALID)
1684				break;
1685			DELAY(5);
1686		}
1687		if (ntries == 10) {
1688			device_printf(sc->sc_dev,
1689			    "timeout reading ROM at 0x%x\n", addr);
1690			return ETIMEDOUT;
1691		}
1692		if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
1693			/* OTPROM, check for ECC errors. */
1694			tmp = IWN_READ(sc, IWN_OTP_GP);
1695			if (tmp & IWN_OTP_GP_ECC_UNCORR_STTS) {
1696				device_printf(sc->sc_dev,
1697				    "OTPROM ECC error at 0x%x\n", addr);
1698				return EIO;
1699			}
1700			if (tmp & IWN_OTP_GP_ECC_CORR_STTS) {
1701				/* Correctable ECC error, clear bit. */
1702				IWN_SETBITS(sc, IWN_OTP_GP,
1703				    IWN_OTP_GP_ECC_CORR_STTS);
1704			}
1705		}
1706		*out++ = val >> 16;
1707		if (count > 1)
1708			*out++ = val >> 24;
1709	}
1710
1711	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
1712
1713	return 0;
1714}
1715
1716static void
1717iwn_dma_map_addr(void *arg, bus_dma_segment_t *segs, int nsegs, int error)
1718{
1719	if (error != 0)
1720		return;
1721	KASSERT(nsegs == 1, ("too many DMA segments, %d should be 1", nsegs));
1722	*(bus_addr_t *)arg = segs[0].ds_addr;
1723}
1724
1725static int
1726iwn_dma_contig_alloc(struct iwn_softc *sc, struct iwn_dma_info *dma,
1727    void **kvap, bus_size_t size, bus_size_t alignment)
1728{
1729	int error;
1730
1731	dma->tag = NULL;
1732	dma->size = size;
1733
1734	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), alignment,
1735	    0, BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, size,
1736	    1, size, 0, NULL, NULL, &dma->tag);
1737	if (error != 0)
1738		goto fail;
1739
1740	error = bus_dmamem_alloc(dma->tag, (void **)&dma->vaddr,
1741	    BUS_DMA_NOWAIT | BUS_DMA_ZERO | BUS_DMA_COHERENT, &dma->map);
1742	if (error != 0)
1743		goto fail;
1744
1745	error = bus_dmamap_load(dma->tag, dma->map, dma->vaddr, size,
1746	    iwn_dma_map_addr, &dma->paddr, BUS_DMA_NOWAIT);
1747	if (error != 0)
1748		goto fail;
1749
1750	bus_dmamap_sync(dma->tag, dma->map, BUS_DMASYNC_PREWRITE);
1751
1752	if (kvap != NULL)
1753		*kvap = dma->vaddr;
1754
1755	return 0;
1756
1757fail:	iwn_dma_contig_free(dma);
1758	return error;
1759}
1760
1761static void
1762iwn_dma_contig_free(struct iwn_dma_info *dma)
1763{
1764	if (dma->vaddr != NULL) {
1765		bus_dmamap_sync(dma->tag, dma->map,
1766		    BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
1767		bus_dmamap_unload(dma->tag, dma->map);
1768		bus_dmamem_free(dma->tag, dma->vaddr, dma->map);
1769		dma->vaddr = NULL;
1770	}
1771	if (dma->tag != NULL) {
1772		bus_dma_tag_destroy(dma->tag);
1773		dma->tag = NULL;
1774	}
1775}
1776
1777static int
1778iwn_alloc_sched(struct iwn_softc *sc)
1779{
1780	/* TX scheduler rings must be aligned on a 1KB boundary. */
1781	return iwn_dma_contig_alloc(sc, &sc->sched_dma, (void **)&sc->sched,
1782	    sc->schedsz, 1024);
1783}
1784
1785static void
1786iwn_free_sched(struct iwn_softc *sc)
1787{
1788	iwn_dma_contig_free(&sc->sched_dma);
1789}
1790
1791static int
1792iwn_alloc_kw(struct iwn_softc *sc)
1793{
1794	/* "Keep Warm" page must be aligned on a 4KB boundary. */
1795	return iwn_dma_contig_alloc(sc, &sc->kw_dma, NULL, 4096, 4096);
1796}
1797
1798static void
1799iwn_free_kw(struct iwn_softc *sc)
1800{
1801	iwn_dma_contig_free(&sc->kw_dma);
1802}
1803
1804static int
1805iwn_alloc_ict(struct iwn_softc *sc)
1806{
1807	/* ICT table must be aligned on a 4KB boundary. */
1808	return iwn_dma_contig_alloc(sc, &sc->ict_dma, (void **)&sc->ict,
1809	    IWN_ICT_SIZE, 4096);
1810}
1811
1812static void
1813iwn_free_ict(struct iwn_softc *sc)
1814{
1815	iwn_dma_contig_free(&sc->ict_dma);
1816}
1817
1818static int
1819iwn_alloc_fwmem(struct iwn_softc *sc)
1820{
1821	/* Must be aligned on a 16-byte boundary. */
1822	return iwn_dma_contig_alloc(sc, &sc->fw_dma, NULL, sc->fwsz, 16);
1823}
1824
1825static void
1826iwn_free_fwmem(struct iwn_softc *sc)
1827{
1828	iwn_dma_contig_free(&sc->fw_dma);
1829}
1830
1831static int
1832iwn_alloc_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
1833{
1834	bus_size_t size;
1835	int i, error;
1836
1837	ring->cur = 0;
1838
1839	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1840
1841	/* Allocate RX descriptors (256-byte aligned). */
1842	size = IWN_RX_RING_COUNT * sizeof (uint32_t);
1843	error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
1844	    size, 256);
1845	if (error != 0) {
1846		device_printf(sc->sc_dev,
1847		    "%s: could not allocate RX ring DMA memory, error %d\n",
1848		    __func__, error);
1849		goto fail;
1850	}
1851
1852	/* Allocate RX status area (16-byte aligned). */
1853	error = iwn_dma_contig_alloc(sc, &ring->stat_dma, (void **)&ring->stat,
1854	    sizeof (struct iwn_rx_status), 16);
1855	if (error != 0) {
1856		device_printf(sc->sc_dev,
1857		    "%s: could not allocate RX status DMA memory, error %d\n",
1858		    __func__, error);
1859		goto fail;
1860	}
1861
1862	/* Create RX buffer DMA tag. */
1863	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
1864	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
1865	    IWN_RBUF_SIZE, 1, IWN_RBUF_SIZE, 0, NULL, NULL, &ring->data_dmat);
1866	if (error != 0) {
1867		device_printf(sc->sc_dev,
1868		    "%s: could not create RX buf DMA tag, error %d\n",
1869		    __func__, error);
1870		goto fail;
1871	}
1872
1873	/*
1874	 * Allocate and map RX buffers.
1875	 */
1876	for (i = 0; i < IWN_RX_RING_COUNT; i++) {
1877		struct iwn_rx_data *data = &ring->data[i];
1878		bus_addr_t paddr;
1879
1880		error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
1881		if (error != 0) {
1882			device_printf(sc->sc_dev,
1883			    "%s: could not create RX buf DMA map, error %d\n",
1884			    __func__, error);
1885			goto fail;
1886		}
1887
1888		data->m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
1889		    IWN_RBUF_SIZE);
1890		if (data->m == NULL) {
1891			device_printf(sc->sc_dev,
1892			    "%s: could not allocate RX mbuf\n", __func__);
1893			error = ENOBUFS;
1894			goto fail;
1895		}
1896
1897		error = bus_dmamap_load(ring->data_dmat, data->map,
1898		    mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
1899		    &paddr, BUS_DMA_NOWAIT);
1900		if (error != 0 && error != EFBIG) {
1901			device_printf(sc->sc_dev,
1902			    "%s: can't map mbuf, error %d\n", __func__,
1903			    error);
1904			goto fail;
1905		}
1906
1907		bus_dmamap_sync(ring->data_dmat, data->map,
1908		    BUS_DMASYNC_PREREAD);
1909
1910		/* Set physical address of RX buffer (256-byte aligned). */
1911		ring->desc[i] = htole32(paddr >> 8);
1912	}
1913
1914	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
1915	    BUS_DMASYNC_PREWRITE);
1916
1917	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
1918
1919	return 0;
1920
1921fail:	iwn_free_rx_ring(sc, ring);
1922
1923	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end in error\n",__func__);
1924
1925	return error;
1926}
1927
1928static void
1929iwn_reset_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
1930{
1931	int ntries;
1932
1933	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
1934
1935	if (iwn_nic_lock(sc) == 0) {
1936		IWN_WRITE(sc, IWN_FH_RX_CONFIG, 0);
1937		for (ntries = 0; ntries < 1000; ntries++) {
1938			if (IWN_READ(sc, IWN_FH_RX_STATUS) &
1939			    IWN_FH_RX_STATUS_IDLE)
1940				break;
1941			DELAY(10);
1942		}
1943		iwn_nic_unlock(sc);
1944	}
1945	ring->cur = 0;
1946	sc->last_rx_valid = 0;
1947}
1948
1949static void
1950iwn_free_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
1951{
1952	int i;
1953
1954	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s \n", __func__);
1955
1956	iwn_dma_contig_free(&ring->desc_dma);
1957	iwn_dma_contig_free(&ring->stat_dma);
1958
1959	for (i = 0; i < IWN_RX_RING_COUNT; i++) {
1960		struct iwn_rx_data *data = &ring->data[i];
1961
1962		if (data->m != NULL) {
1963			bus_dmamap_sync(ring->data_dmat, data->map,
1964			    BUS_DMASYNC_POSTREAD);
1965			bus_dmamap_unload(ring->data_dmat, data->map);
1966			m_freem(data->m);
1967			data->m = NULL;
1968		}
1969		if (data->map != NULL)
1970			bus_dmamap_destroy(ring->data_dmat, data->map);
1971	}
1972	if (ring->data_dmat != NULL) {
1973		bus_dma_tag_destroy(ring->data_dmat);
1974		ring->data_dmat = NULL;
1975	}
1976}
1977
1978static int
1979iwn_alloc_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring, int qid)
1980{
1981	bus_addr_t paddr;
1982	bus_size_t size;
1983	int i, error;
1984
1985	ring->qid = qid;
1986	ring->queued = 0;
1987	ring->cur = 0;
1988
1989	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
1990
1991	/* Allocate TX descriptors (256-byte aligned). */
1992	size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_desc);
1993	error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
1994	    size, 256);
1995	if (error != 0) {
1996		device_printf(sc->sc_dev,
1997		    "%s: could not allocate TX ring DMA memory, error %d\n",
1998		    __func__, error);
1999		goto fail;
2000	}
2001
2002	size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_cmd);
2003	error = iwn_dma_contig_alloc(sc, &ring->cmd_dma, (void **)&ring->cmd,
2004	    size, 4);
2005	if (error != 0) {
2006		device_printf(sc->sc_dev,
2007		    "%s: could not allocate TX cmd DMA memory, error %d\n",
2008		    __func__, error);
2009		goto fail;
2010	}
2011
2012	error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
2013	    BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, MCLBYTES,
2014	    IWN_MAX_SCATTER - 1, MCLBYTES, 0, NULL, NULL, &ring->data_dmat);
2015	if (error != 0) {
2016		device_printf(sc->sc_dev,
2017		    "%s: could not create TX buf DMA tag, error %d\n",
2018		    __func__, error);
2019		goto fail;
2020	}
2021
2022	paddr = ring->cmd_dma.paddr;
2023	for (i = 0; i < IWN_TX_RING_COUNT; i++) {
2024		struct iwn_tx_data *data = &ring->data[i];
2025
2026		data->cmd_paddr = paddr;
2027		data->scratch_paddr = paddr + 12;
2028		paddr += sizeof (struct iwn_tx_cmd);
2029
2030		error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
2031		if (error != 0) {
2032			device_printf(sc->sc_dev,
2033			    "%s: could not create TX buf DMA map, error %d\n",
2034			    __func__, error);
2035			goto fail;
2036		}
2037	}
2038
2039	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2040
2041	return 0;
2042
2043fail:	iwn_free_tx_ring(sc, ring);
2044	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end in error\n", __func__);
2045	return error;
2046}
2047
2048static void
2049iwn_reset_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
2050{
2051	int i;
2052
2053	DPRINTF(sc, IWN_DEBUG_TRACE, "->doing %s \n", __func__);
2054
2055	for (i = 0; i < IWN_TX_RING_COUNT; i++) {
2056		struct iwn_tx_data *data = &ring->data[i];
2057
2058		if (data->m != NULL) {
2059			bus_dmamap_sync(ring->data_dmat, data->map,
2060			    BUS_DMASYNC_POSTWRITE);
2061			bus_dmamap_unload(ring->data_dmat, data->map);
2062			m_freem(data->m);
2063			data->m = NULL;
2064		}
2065		if (data->ni != NULL) {
2066			ieee80211_free_node(data->ni);
2067			data->ni = NULL;
2068		}
2069	}
2070	/* Clear TX descriptors. */
2071	memset(ring->desc, 0, ring->desc_dma.size);
2072	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
2073	    BUS_DMASYNC_PREWRITE);
2074	sc->qfullmsk &= ~(1 << ring->qid);
2075	ring->queued = 0;
2076	ring->cur = 0;
2077}
2078
2079static void
2080iwn_free_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
2081{
2082	int i;
2083
2084	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s \n", __func__);
2085
2086	iwn_dma_contig_free(&ring->desc_dma);
2087	iwn_dma_contig_free(&ring->cmd_dma);
2088
2089	for (i = 0; i < IWN_TX_RING_COUNT; i++) {
2090		struct iwn_tx_data *data = &ring->data[i];
2091
2092		if (data->m != NULL) {
2093			bus_dmamap_sync(ring->data_dmat, data->map,
2094			    BUS_DMASYNC_POSTWRITE);
2095			bus_dmamap_unload(ring->data_dmat, data->map);
2096			m_freem(data->m);
2097		}
2098		if (data->map != NULL)
2099			bus_dmamap_destroy(ring->data_dmat, data->map);
2100	}
2101	if (ring->data_dmat != NULL) {
2102		bus_dma_tag_destroy(ring->data_dmat);
2103		ring->data_dmat = NULL;
2104	}
2105}
2106
2107static void
2108iwn5000_ict_reset(struct iwn_softc *sc)
2109{
2110	/* Disable interrupts. */
2111	IWN_WRITE(sc, IWN_INT_MASK, 0);
2112
2113	/* Reset ICT table. */
2114	memset(sc->ict, 0, IWN_ICT_SIZE);
2115	sc->ict_cur = 0;
2116
2117	bus_dmamap_sync(sc->ict_dma.tag, sc->ict_dma.map,
2118	    BUS_DMASYNC_PREWRITE);
2119
2120	/* Set physical address of ICT table (4KB aligned). */
2121	DPRINTF(sc, IWN_DEBUG_RESET, "%s: enabling ICT\n", __func__);
2122	IWN_WRITE(sc, IWN_DRAM_INT_TBL, IWN_DRAM_INT_TBL_ENABLE |
2123	    IWN_DRAM_INT_TBL_WRAP_CHECK | sc->ict_dma.paddr >> 12);
2124
2125	/* Enable periodic RX interrupt. */
2126	sc->int_mask |= IWN_INT_RX_PERIODIC;
2127	/* Switch to ICT interrupt mode in driver. */
2128	sc->sc_flags |= IWN_FLAG_USE_ICT;
2129
2130	/* Re-enable interrupts. */
2131	IWN_WRITE(sc, IWN_INT, 0xffffffff);
2132	IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
2133}
2134
2135static int
2136iwn_read_eeprom(struct iwn_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
2137{
2138	struct iwn_ops *ops = &sc->ops;
2139	uint16_t val;
2140	int error;
2141
2142	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2143
2144	/* Check whether adapter has an EEPROM or an OTPROM. */
2145	if (sc->hw_type >= IWN_HW_REV_TYPE_1000 &&
2146	    (IWN_READ(sc, IWN_OTP_GP) & IWN_OTP_GP_DEV_SEL_OTP))
2147		sc->sc_flags |= IWN_FLAG_HAS_OTPROM;
2148	DPRINTF(sc, IWN_DEBUG_RESET, "%s found\n",
2149	    (sc->sc_flags & IWN_FLAG_HAS_OTPROM) ? "OTPROM" : "EEPROM");
2150
2151	/* Adapter has to be powered on for EEPROM access to work. */
2152	if ((error = iwn_apm_init(sc)) != 0) {
2153		device_printf(sc->sc_dev,
2154		    "%s: could not power ON adapter, error %d\n", __func__,
2155		    error);
2156		return error;
2157	}
2158
2159	if ((IWN_READ(sc, IWN_EEPROM_GP) & 0x7) == 0) {
2160		device_printf(sc->sc_dev, "%s: bad ROM signature\n", __func__);
2161		return EIO;
2162	}
2163	if ((error = iwn_eeprom_lock(sc)) != 0) {
2164		device_printf(sc->sc_dev, "%s: could not lock ROM, error %d\n",
2165		    __func__, error);
2166		return error;
2167	}
2168	if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
2169		if ((error = iwn_init_otprom(sc)) != 0) {
2170			device_printf(sc->sc_dev,
2171			    "%s: could not initialize OTPROM, error %d\n",
2172			    __func__, error);
2173			return error;
2174		}
2175	}
2176
2177	iwn_read_prom_data(sc, IWN_EEPROM_SKU_CAP, &val, 2);
2178	DPRINTF(sc, IWN_DEBUG_RESET, "SKU capabilities=0x%04x\n", le16toh(val));
2179	/* Check if HT support is bonded out. */
2180	if (val & htole16(IWN_EEPROM_SKU_CAP_11N))
2181		sc->sc_flags |= IWN_FLAG_HAS_11N;
2182
2183	iwn_read_prom_data(sc, IWN_EEPROM_RFCFG, &val, 2);
2184	sc->rfcfg = le16toh(val);
2185	DPRINTF(sc, IWN_DEBUG_RESET, "radio config=0x%04x\n", sc->rfcfg);
2186	/* Read Tx/Rx chains from ROM unless it's known to be broken. */
2187	if (sc->txchainmask == 0)
2188		sc->txchainmask = IWN_RFCFG_TXANTMSK(sc->rfcfg);
2189	if (sc->rxchainmask == 0)
2190		sc->rxchainmask = IWN_RFCFG_RXANTMSK(sc->rfcfg);
2191
2192	/* Read MAC address. */
2193	iwn_read_prom_data(sc, IWN_EEPROM_MAC, macaddr, 6);
2194
2195	/* Read adapter-specific information from EEPROM. */
2196	ops->read_eeprom(sc);
2197
2198	iwn_apm_stop(sc);	/* Power OFF adapter. */
2199
2200	iwn_eeprom_unlock(sc);
2201
2202	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2203
2204	return 0;
2205}
2206
2207static void
2208iwn4965_read_eeprom(struct iwn_softc *sc)
2209{
2210	uint32_t addr;
2211	uint16_t val;
2212	int i;
2213
2214	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2215
2216	/* Read regulatory domain (4 ASCII characters). */
2217	iwn_read_prom_data(sc, IWN4965_EEPROM_DOMAIN, sc->eeprom_domain, 4);
2218
2219	/* Read the list of authorized channels (20MHz & 40MHz). */
2220	for (i = 0; i < IWN_NBANDS - 1; i++) {
2221		addr = iwn4965_regulatory_bands[i];
2222		iwn_read_eeprom_channels(sc, i, addr);
2223	}
2224
2225	/* Read maximum allowed TX power for 2GHz and 5GHz bands. */
2226	iwn_read_prom_data(sc, IWN4965_EEPROM_MAXPOW, &val, 2);
2227	sc->maxpwr2GHz = val & 0xff;
2228	sc->maxpwr5GHz = val >> 8;
2229	/* Check that EEPROM values are within valid range. */
2230	if (sc->maxpwr5GHz < 20 || sc->maxpwr5GHz > 50)
2231		sc->maxpwr5GHz = 38;
2232	if (sc->maxpwr2GHz < 20 || sc->maxpwr2GHz > 50)
2233		sc->maxpwr2GHz = 38;
2234	DPRINTF(sc, IWN_DEBUG_RESET, "maxpwr 2GHz=%d 5GHz=%d\n",
2235	    sc->maxpwr2GHz, sc->maxpwr5GHz);
2236
2237	/* Read samples for each TX power group. */
2238	iwn_read_prom_data(sc, IWN4965_EEPROM_BANDS, sc->bands,
2239	    sizeof sc->bands);
2240
2241	/* Read voltage at which samples were taken. */
2242	iwn_read_prom_data(sc, IWN4965_EEPROM_VOLTAGE, &val, 2);
2243	sc->eeprom_voltage = (int16_t)le16toh(val);
2244	DPRINTF(sc, IWN_DEBUG_RESET, "voltage=%d (in 0.3V)\n",
2245	    sc->eeprom_voltage);
2246
2247#ifdef IWN_DEBUG
2248	/* Print samples. */
2249	if (sc->sc_debug & IWN_DEBUG_ANY) {
2250		for (i = 0; i < IWN_NBANDS - 1; i++)
2251			iwn4965_print_power_group(sc, i);
2252	}
2253#endif
2254
2255	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2256}
2257
2258#ifdef IWN_DEBUG
2259static void
2260iwn4965_print_power_group(struct iwn_softc *sc, int i)
2261{
2262	struct iwn4965_eeprom_band *band = &sc->bands[i];
2263	struct iwn4965_eeprom_chan_samples *chans = band->chans;
2264	int j, c;
2265
2266	printf("===band %d===\n", i);
2267	printf("chan lo=%d, chan hi=%d\n", band->lo, band->hi);
2268	printf("chan1 num=%d\n", chans[0].num);
2269	for (c = 0; c < 2; c++) {
2270		for (j = 0; j < IWN_NSAMPLES; j++) {
2271			printf("chain %d, sample %d: temp=%d gain=%d "
2272			    "power=%d pa_det=%d\n", c, j,
2273			    chans[0].samples[c][j].temp,
2274			    chans[0].samples[c][j].gain,
2275			    chans[0].samples[c][j].power,
2276			    chans[0].samples[c][j].pa_det);
2277		}
2278	}
2279	printf("chan2 num=%d\n", chans[1].num);
2280	for (c = 0; c < 2; c++) {
2281		for (j = 0; j < IWN_NSAMPLES; j++) {
2282			printf("chain %d, sample %d: temp=%d gain=%d "
2283			    "power=%d pa_det=%d\n", c, j,
2284			    chans[1].samples[c][j].temp,
2285			    chans[1].samples[c][j].gain,
2286			    chans[1].samples[c][j].power,
2287			    chans[1].samples[c][j].pa_det);
2288		}
2289	}
2290}
2291#endif
2292
2293static void
2294iwn5000_read_eeprom(struct iwn_softc *sc)
2295{
2296	struct iwn5000_eeprom_calib_hdr hdr;
2297	int32_t volt;
2298	uint32_t base, addr;
2299	uint16_t val;
2300	int i;
2301
2302	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2303
2304	/* Read regulatory domain (4 ASCII characters). */
2305	iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
2306	base = le16toh(val);
2307	iwn_read_prom_data(sc, base + IWN5000_EEPROM_DOMAIN,
2308	    sc->eeprom_domain, 4);
2309
2310	/* Read the list of authorized channels (20MHz & 40MHz). */
2311	for (i = 0; i < IWN_NBANDS - 1; i++) {
2312		addr =  base + sc->base_params->regulatory_bands[i];
2313		iwn_read_eeprom_channels(sc, i, addr);
2314	}
2315
2316	/* Read enhanced TX power information for 6000 Series. */
2317	if (sc->base_params->enhanced_TX_power)
2318		iwn_read_eeprom_enhinfo(sc);
2319
2320	iwn_read_prom_data(sc, IWN5000_EEPROM_CAL, &val, 2);
2321	base = le16toh(val);
2322	iwn_read_prom_data(sc, base, &hdr, sizeof hdr);
2323	DPRINTF(sc, IWN_DEBUG_CALIBRATE,
2324	    "%s: calib version=%u pa type=%u voltage=%u\n", __func__,
2325	    hdr.version, hdr.pa_type, le16toh(hdr.volt));
2326	sc->calib_ver = hdr.version;
2327
2328	if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TEMP_OFFSETv2) {
2329		sc->eeprom_voltage = le16toh(hdr.volt);
2330		iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
2331		sc->eeprom_temp_high=le16toh(val);
2332		iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
2333		sc->eeprom_temp = le16toh(val);
2334	}
2335
2336	if (sc->hw_type == IWN_HW_REV_TYPE_5150) {
2337		/* Compute temperature offset. */
2338		iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
2339		sc->eeprom_temp = le16toh(val);
2340		iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
2341		volt = le16toh(val);
2342		sc->temp_off = sc->eeprom_temp - (volt / -5);
2343		DPRINTF(sc, IWN_DEBUG_CALIBRATE, "temp=%d volt=%d offset=%dK\n",
2344		    sc->eeprom_temp, volt, sc->temp_off);
2345	} else {
2346		/* Read crystal calibration. */
2347		iwn_read_prom_data(sc, base + IWN5000_EEPROM_CRYSTAL,
2348		    &sc->eeprom_crystal, sizeof (uint32_t));
2349		DPRINTF(sc, IWN_DEBUG_CALIBRATE, "crystal calibration 0x%08x\n",
2350		    le32toh(sc->eeprom_crystal));
2351	}
2352
2353	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2354
2355}
2356
2357/*
2358 * Translate EEPROM flags to net80211.
2359 */
2360static uint32_t
2361iwn_eeprom_channel_flags(struct iwn_eeprom_chan *channel)
2362{
2363	uint32_t nflags;
2364
2365	nflags = 0;
2366	if ((channel->flags & IWN_EEPROM_CHAN_ACTIVE) == 0)
2367		nflags |= IEEE80211_CHAN_PASSIVE;
2368	if ((channel->flags & IWN_EEPROM_CHAN_IBSS) == 0)
2369		nflags |= IEEE80211_CHAN_NOADHOC;
2370	if (channel->flags & IWN_EEPROM_CHAN_RADAR) {
2371		nflags |= IEEE80211_CHAN_DFS;
2372		/* XXX apparently IBSS may still be marked */
2373		nflags |= IEEE80211_CHAN_NOADHOC;
2374	}
2375
2376	return nflags;
2377}
2378
2379static void
2380iwn_read_eeprom_band(struct iwn_softc *sc, int n, int maxchans, int *nchans,
2381    struct ieee80211_channel chans[])
2382{
2383	struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
2384	const struct iwn_chan_band *band = &iwn_bands[n];
2385	uint8_t bands[IEEE80211_MODE_BYTES];
2386	uint8_t chan;
2387	int i, error, nflags;
2388
2389	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2390
2391	memset(bands, 0, sizeof(bands));
2392	if (n == 0) {
2393		setbit(bands, IEEE80211_MODE_11B);
2394		setbit(bands, IEEE80211_MODE_11G);
2395		if (sc->sc_flags & IWN_FLAG_HAS_11N)
2396			setbit(bands, IEEE80211_MODE_11NG);
2397	} else {
2398		setbit(bands, IEEE80211_MODE_11A);
2399		if (sc->sc_flags & IWN_FLAG_HAS_11N)
2400			setbit(bands, IEEE80211_MODE_11NA);
2401	}
2402
2403	for (i = 0; i < band->nchan; i++) {
2404		if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
2405			DPRINTF(sc, IWN_DEBUG_RESET,
2406			    "skip chan %d flags 0x%x maxpwr %d\n",
2407			    band->chan[i], channels[i].flags,
2408			    channels[i].maxpwr);
2409			continue;
2410		}
2411
2412		chan = band->chan[i];
2413		nflags = iwn_eeprom_channel_flags(&channels[i]);
2414		error = ieee80211_add_channel(chans, maxchans, nchans,
2415		    chan, 0, channels[i].maxpwr, nflags, bands);
2416		if (error != 0)
2417			break;
2418
2419		/* Save maximum allowed TX power for this channel. */
2420		/* XXX wrong */
2421		sc->maxpwr[chan] = channels[i].maxpwr;
2422
2423		DPRINTF(sc, IWN_DEBUG_RESET,
2424		    "add chan %d flags 0x%x maxpwr %d\n", chan,
2425		    channels[i].flags, channels[i].maxpwr);
2426	}
2427
2428	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2429
2430}
2431
2432static void
2433iwn_read_eeprom_ht40(struct iwn_softc *sc, int n, int maxchans, int *nchans,
2434    struct ieee80211_channel chans[])
2435{
2436	struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
2437	const struct iwn_chan_band *band = &iwn_bands[n];
2438	uint8_t chan;
2439	int i, error, nflags;
2440
2441	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s start\n", __func__);
2442
2443	if (!(sc->sc_flags & IWN_FLAG_HAS_11N)) {
2444		DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end no 11n\n", __func__);
2445		return;
2446	}
2447
2448	for (i = 0; i < band->nchan; i++) {
2449		if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
2450			DPRINTF(sc, IWN_DEBUG_RESET,
2451			    "skip chan %d flags 0x%x maxpwr %d\n",
2452			    band->chan[i], channels[i].flags,
2453			    channels[i].maxpwr);
2454			continue;
2455		}
2456
2457		chan = band->chan[i];
2458		nflags = iwn_eeprom_channel_flags(&channels[i]);
2459		nflags |= (n == 5 ? IEEE80211_CHAN_G : IEEE80211_CHAN_A);
2460		error = ieee80211_add_channel_ht40(chans, maxchans, nchans,
2461		    chan, channels[i].maxpwr, nflags);
2462		switch (error) {
2463		case EINVAL:
2464			device_printf(sc->sc_dev,
2465			    "%s: no entry for channel %d\n", __func__, chan);
2466			continue;
2467		case ENOENT:
2468			DPRINTF(sc, IWN_DEBUG_RESET,
2469			    "%s: skip chan %d, extension channel not found\n",
2470			    __func__, chan);
2471			continue;
2472		case ENOBUFS:
2473			device_printf(sc->sc_dev,
2474			    "%s: channel table is full!\n", __func__);
2475			break;
2476		case 0:
2477			DPRINTF(sc, IWN_DEBUG_RESET,
2478			    "add ht40 chan %d flags 0x%x maxpwr %d\n",
2479			    chan, channels[i].flags, channels[i].maxpwr);
2480			/* FALLTHROUGH */
2481		default:
2482			break;
2483		}
2484	}
2485
2486	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2487
2488}
2489
2490static void
2491iwn_read_eeprom_channels(struct iwn_softc *sc, int n, uint32_t addr)
2492{
2493	struct ieee80211com *ic = &sc->sc_ic;
2494
2495	iwn_read_prom_data(sc, addr, &sc->eeprom_channels[n],
2496	    iwn_bands[n].nchan * sizeof (struct iwn_eeprom_chan));
2497
2498	if (n < 5) {
2499		iwn_read_eeprom_band(sc, n, IEEE80211_CHAN_MAX, &ic->ic_nchans,
2500		    ic->ic_channels);
2501	} else {
2502		iwn_read_eeprom_ht40(sc, n, IEEE80211_CHAN_MAX, &ic->ic_nchans,
2503		    ic->ic_channels);
2504	}
2505	ieee80211_sort_channels(ic->ic_channels, ic->ic_nchans);
2506}
2507
2508static struct iwn_eeprom_chan *
2509iwn_find_eeprom_channel(struct iwn_softc *sc, struct ieee80211_channel *c)
2510{
2511	int band, chan, i, j;
2512
2513	if (IEEE80211_IS_CHAN_HT40(c)) {
2514		band = IEEE80211_IS_CHAN_5GHZ(c) ? 6 : 5;
2515		if (IEEE80211_IS_CHAN_HT40D(c))
2516			chan = c->ic_extieee;
2517		else
2518			chan = c->ic_ieee;
2519		for (i = 0; i < iwn_bands[band].nchan; i++) {
2520			if (iwn_bands[band].chan[i] == chan)
2521				return &sc->eeprom_channels[band][i];
2522		}
2523	} else {
2524		for (j = 0; j < 5; j++) {
2525			for (i = 0; i < iwn_bands[j].nchan; i++) {
2526				if (iwn_bands[j].chan[i] == c->ic_ieee &&
2527				    ((j == 0) ^ IEEE80211_IS_CHAN_A(c)) == 1)
2528					return &sc->eeprom_channels[j][i];
2529			}
2530		}
2531	}
2532	return NULL;
2533}
2534
2535static void
2536iwn_getradiocaps(struct ieee80211com *ic,
2537    int maxchans, int *nchans, struct ieee80211_channel chans[])
2538{
2539	struct iwn_softc *sc = ic->ic_softc;
2540	int i;
2541
2542	/* Parse the list of authorized channels. */
2543	for (i = 0; i < 5 && *nchans < maxchans; i++)
2544		iwn_read_eeprom_band(sc, i, maxchans, nchans, chans);
2545	for (i = 5; i < IWN_NBANDS - 1 && *nchans < maxchans; i++)
2546		iwn_read_eeprom_ht40(sc, i, maxchans, nchans, chans);
2547}
2548
2549/*
2550 * Enforce flags read from EEPROM.
2551 */
2552static int
2553iwn_setregdomain(struct ieee80211com *ic, struct ieee80211_regdomain *rd,
2554    int nchan, struct ieee80211_channel chans[])
2555{
2556	struct iwn_softc *sc = ic->ic_softc;
2557	int i;
2558
2559	for (i = 0; i < nchan; i++) {
2560		struct ieee80211_channel *c = &chans[i];
2561		struct iwn_eeprom_chan *channel;
2562
2563		channel = iwn_find_eeprom_channel(sc, c);
2564		if (channel == NULL) {
2565			ic_printf(ic, "%s: invalid channel %u freq %u/0x%x\n",
2566			    __func__, c->ic_ieee, c->ic_freq, c->ic_flags);
2567			return EINVAL;
2568		}
2569		c->ic_flags |= iwn_eeprom_channel_flags(channel);
2570	}
2571
2572	return 0;
2573}
2574
2575static void
2576iwn_read_eeprom_enhinfo(struct iwn_softc *sc)
2577{
2578	struct iwn_eeprom_enhinfo enhinfo[35];
2579	struct ieee80211com *ic = &sc->sc_ic;
2580	struct ieee80211_channel *c;
2581	uint16_t val, base;
2582	int8_t maxpwr;
2583	uint8_t flags;
2584	int i, j;
2585
2586	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2587
2588	iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
2589	base = le16toh(val);
2590	iwn_read_prom_data(sc, base + IWN6000_EEPROM_ENHINFO,
2591	    enhinfo, sizeof enhinfo);
2592
2593	for (i = 0; i < nitems(enhinfo); i++) {
2594		flags = enhinfo[i].flags;
2595		if (!(flags & IWN_ENHINFO_VALID))
2596			continue;	/* Skip invalid entries. */
2597
2598		maxpwr = 0;
2599		if (sc->txchainmask & IWN_ANT_A)
2600			maxpwr = MAX(maxpwr, enhinfo[i].chain[0]);
2601		if (sc->txchainmask & IWN_ANT_B)
2602			maxpwr = MAX(maxpwr, enhinfo[i].chain[1]);
2603		if (sc->txchainmask & IWN_ANT_C)
2604			maxpwr = MAX(maxpwr, enhinfo[i].chain[2]);
2605		if (sc->ntxchains == 2)
2606			maxpwr = MAX(maxpwr, enhinfo[i].mimo2);
2607		else if (sc->ntxchains == 3)
2608			maxpwr = MAX(maxpwr, enhinfo[i].mimo3);
2609
2610		for (j = 0; j < ic->ic_nchans; j++) {
2611			c = &ic->ic_channels[j];
2612			if ((flags & IWN_ENHINFO_5GHZ)) {
2613				if (!IEEE80211_IS_CHAN_A(c))
2614					continue;
2615			} else if ((flags & IWN_ENHINFO_OFDM)) {
2616				if (!IEEE80211_IS_CHAN_G(c))
2617					continue;
2618			} else if (!IEEE80211_IS_CHAN_B(c))
2619				continue;
2620			if ((flags & IWN_ENHINFO_HT40)) {
2621				if (!IEEE80211_IS_CHAN_HT40(c))
2622					continue;
2623			} else {
2624				if (IEEE80211_IS_CHAN_HT40(c))
2625					continue;
2626			}
2627			if (enhinfo[i].chan != 0 &&
2628			    enhinfo[i].chan != c->ic_ieee)
2629				continue;
2630
2631			DPRINTF(sc, IWN_DEBUG_RESET,
2632			    "channel %d(%x), maxpwr %d\n", c->ic_ieee,
2633			    c->ic_flags, maxpwr / 2);
2634			c->ic_maxregpower = maxpwr / 2;
2635			c->ic_maxpower = maxpwr;
2636		}
2637	}
2638
2639	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
2640
2641}
2642
2643static struct ieee80211_node *
2644iwn_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
2645{
2646	return malloc(sizeof (struct iwn_node), M_80211_NODE,M_NOWAIT | M_ZERO);
2647}
2648
2649static __inline int
2650rate2plcp(int rate)
2651{
2652	switch (rate & 0xff) {
2653	case 12:	return 0xd;
2654	case 18:	return 0xf;
2655	case 24:	return 0x5;
2656	case 36:	return 0x7;
2657	case 48:	return 0x9;
2658	case 72:	return 0xb;
2659	case 96:	return 0x1;
2660	case 108:	return 0x3;
2661	case 2:		return 10;
2662	case 4:		return 20;
2663	case 11:	return 55;
2664	case 22:	return 110;
2665	}
2666	return 0;
2667}
2668
2669static int
2670iwn_get_1stream_tx_antmask(struct iwn_softc *sc)
2671{
2672
2673	return IWN_LSB(sc->txchainmask);
2674}
2675
2676static int
2677iwn_get_2stream_tx_antmask(struct iwn_softc *sc)
2678{
2679	int tx;
2680
2681	/*
2682	 * The '2 stream' setup is a bit .. odd.
2683	 *
2684	 * For NICs that support only 1 antenna, default to IWN_ANT_AB or
2685	 * the firmware panics (eg Intel 5100.)
2686	 *
2687	 * For NICs that support two antennas, we use ANT_AB.
2688	 *
2689	 * For NICs that support three antennas, we use the two that
2690	 * wasn't the default one.
2691	 *
2692	 * XXX TODO: if bluetooth (full concurrent) is enabled, restrict
2693	 * this to only one antenna.
2694	 */
2695
2696	/* Default - transmit on the other antennas */
2697	tx = (sc->txchainmask & ~IWN_LSB(sc->txchainmask));
2698
2699	/* Now, if it's zero, set it to IWN_ANT_AB, so to not panic firmware */
2700	if (tx == 0)
2701		tx = IWN_ANT_AB;
2702
2703	/*
2704	 * If the NIC is a two-stream TX NIC, configure the TX mask to
2705	 * the default chainmask
2706	 */
2707	else if (sc->ntxchains == 2)
2708		tx = sc->txchainmask;
2709
2710	return (tx);
2711}
2712
2713
2714
2715/*
2716 * Calculate the required PLCP value from the given rate,
2717 * to the given node.
2718 *
2719 * This will take the node configuration (eg 11n, rate table
2720 * setup, etc) into consideration.
2721 */
2722static uint32_t
2723iwn_rate_to_plcp(struct iwn_softc *sc, struct ieee80211_node *ni,
2724    uint8_t rate)
2725{
2726	struct ieee80211com *ic = ni->ni_ic;
2727	uint32_t plcp = 0;
2728	int ridx;
2729
2730	/*
2731	 * If it's an MCS rate, let's set the plcp correctly
2732	 * and set the relevant flags based on the node config.
2733	 */
2734	if (rate & IEEE80211_RATE_MCS) {
2735		/*
2736		 * Set the initial PLCP value to be between 0->31 for
2737		 * MCS 0 -> MCS 31, then set the "I'm an MCS rate!"
2738		 * flag.
2739		 */
2740		plcp = IEEE80211_RV(rate) | IWN_RFLAG_MCS;
2741
2742		/*
2743		 * XXX the following should only occur if both
2744		 * the local configuration _and_ the remote node
2745		 * advertise these capabilities.  Thus this code
2746		 * may need fixing!
2747		 */
2748
2749		/*
2750		 * Set the channel width and guard interval.
2751		 */
2752		if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
2753			plcp |= IWN_RFLAG_HT40;
2754			if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI40)
2755				plcp |= IWN_RFLAG_SGI;
2756		} else if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI20) {
2757			plcp |= IWN_RFLAG_SGI;
2758		}
2759
2760		/*
2761		 * Ensure the selected rate matches the link quality
2762		 * table entries being used.
2763		 */
2764		if (rate > 0x8f)
2765			plcp |= IWN_RFLAG_ANT(sc->txchainmask);
2766		else if (rate > 0x87)
2767			plcp |= IWN_RFLAG_ANT(iwn_get_2stream_tx_antmask(sc));
2768		else
2769			plcp |= IWN_RFLAG_ANT(iwn_get_1stream_tx_antmask(sc));
2770	} else {
2771		/*
2772		 * Set the initial PLCP - fine for both
2773		 * OFDM and CCK rates.
2774		 */
2775		plcp = rate2plcp(rate);
2776
2777		/* Set CCK flag if it's CCK */
2778
2779		/* XXX It would be nice to have a method
2780		 * to map the ridx -> phy table entry
2781		 * so we could just query that, rather than
2782		 * this hack to check against IWN_RIDX_OFDM6.
2783		 */
2784		ridx = ieee80211_legacy_rate_lookup(ic->ic_rt,
2785		    rate & IEEE80211_RATE_VAL);
2786		if (ridx < IWN_RIDX_OFDM6 &&
2787		    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
2788			plcp |= IWN_RFLAG_CCK;
2789
2790		/* Set antenna configuration */
2791		/* XXX TODO: is this the right antenna to use for legacy? */
2792		plcp |= IWN_RFLAG_ANT(iwn_get_1stream_tx_antmask(sc));
2793	}
2794
2795	DPRINTF(sc, IWN_DEBUG_TXRATE, "%s: rate=0x%02x, plcp=0x%08x\n",
2796	    __func__,
2797	    rate,
2798	    plcp);
2799
2800	return (htole32(plcp));
2801}
2802
2803static void
2804iwn_newassoc(struct ieee80211_node *ni, int isnew)
2805{
2806	/* Doesn't do anything at the moment */
2807}
2808
2809static int
2810iwn_media_change(struct ifnet *ifp)
2811{
2812	int error;
2813
2814	error = ieee80211_media_change(ifp);
2815	/* NB: only the fixed rate can change and that doesn't need a reset */
2816	return (error == ENETRESET ? 0 : error);
2817}
2818
2819static int
2820iwn_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
2821{
2822	struct iwn_vap *ivp = IWN_VAP(vap);
2823	struct ieee80211com *ic = vap->iv_ic;
2824	struct iwn_softc *sc = ic->ic_softc;
2825	int error = 0;
2826
2827	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2828
2829	DPRINTF(sc, IWN_DEBUG_STATE, "%s: %s -> %s\n", __func__,
2830	    ieee80211_state_name[vap->iv_state], ieee80211_state_name[nstate]);
2831
2832	IEEE80211_UNLOCK(ic);
2833	IWN_LOCK(sc);
2834	callout_stop(&sc->calib_to);
2835
2836	sc->rxon = &sc->rx_on[IWN_RXON_BSS_CTX];
2837
2838	switch (nstate) {
2839	case IEEE80211_S_ASSOC:
2840		if (vap->iv_state != IEEE80211_S_RUN)
2841			break;
2842		/* FALLTHROUGH */
2843	case IEEE80211_S_AUTH:
2844		if (vap->iv_state == IEEE80211_S_AUTH)
2845			break;
2846
2847		/*
2848		 * !AUTH -> AUTH transition requires state reset to handle
2849		 * reassociations correctly.
2850		 */
2851		sc->rxon->associd = 0;
2852		sc->rxon->filter &= ~htole32(IWN_FILTER_BSS);
2853		sc->calib.state = IWN_CALIB_STATE_INIT;
2854
2855		/* Wait until we hear a beacon before we transmit */
2856		if (IEEE80211_IS_CHAN_PASSIVE(ic->ic_curchan))
2857			sc->sc_beacon_wait = 1;
2858
2859		if ((error = iwn_auth(sc, vap)) != 0) {
2860			device_printf(sc->sc_dev,
2861			    "%s: could not move to auth state\n", __func__);
2862		}
2863		break;
2864
2865	case IEEE80211_S_RUN:
2866		/*
2867		 * RUN -> RUN transition; Just restart the timers.
2868		 */
2869		if (vap->iv_state == IEEE80211_S_RUN) {
2870			sc->calib_cnt = 0;
2871			break;
2872		}
2873
2874		/* Wait until we hear a beacon before we transmit */
2875		if (IEEE80211_IS_CHAN_PASSIVE(ic->ic_curchan))
2876			sc->sc_beacon_wait = 1;
2877
2878		/*
2879		 * !RUN -> RUN requires setting the association id
2880		 * which is done with a firmware cmd.  We also defer
2881		 * starting the timers until that work is done.
2882		 */
2883		if ((error = iwn_run(sc, vap)) != 0) {
2884			device_printf(sc->sc_dev,
2885			    "%s: could not move to run state\n", __func__);
2886		}
2887		break;
2888
2889	case IEEE80211_S_INIT:
2890		sc->calib.state = IWN_CALIB_STATE_INIT;
2891		/*
2892		 * Purge the xmit queue so we don't have old frames
2893		 * during a new association attempt.
2894		 */
2895		sc->sc_beacon_wait = 0;
2896		iwn_xmit_queue_drain(sc);
2897		break;
2898
2899	default:
2900		break;
2901	}
2902	IWN_UNLOCK(sc);
2903	IEEE80211_LOCK(ic);
2904	if (error != 0){
2905		DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end in error\n", __func__);
2906		return error;
2907	}
2908
2909	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
2910
2911	return ivp->iv_newstate(vap, nstate, arg);
2912}
2913
2914static void
2915iwn_calib_timeout(void *arg)
2916{
2917	struct iwn_softc *sc = arg;
2918
2919	IWN_LOCK_ASSERT(sc);
2920
2921	/* Force automatic TX power calibration every 60 secs. */
2922	if (++sc->calib_cnt >= 120) {
2923		uint32_t flags = 0;
2924
2925		DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s\n",
2926		    "sending request for statistics");
2927		(void)iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags,
2928		    sizeof flags, 1);
2929		sc->calib_cnt = 0;
2930	}
2931	callout_reset(&sc->calib_to, msecs_to_ticks(500), iwn_calib_timeout,
2932	    sc);
2933}
2934
2935/*
2936 * Process an RX_PHY firmware notification.  This is usually immediately
2937 * followed by an MPDU_RX_DONE notification.
2938 */
2939static void
2940iwn_rx_phy(struct iwn_softc *sc, struct iwn_rx_desc *desc,
2941    struct iwn_rx_data *data)
2942{
2943	struct iwn_rx_stat *stat = (struct iwn_rx_stat *)(desc + 1);
2944
2945	DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: received PHY stats\n", __func__);
2946	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
2947
2948	/* Save RX statistics, they will be used on MPDU_RX_DONE. */
2949	memcpy(&sc->last_rx_stat, stat, sizeof (*stat));
2950	sc->last_rx_valid = 1;
2951}
2952
2953/*
2954 * Process an RX_DONE (4965AGN only) or MPDU_RX_DONE firmware notification.
2955 * Each MPDU_RX_DONE notification must be preceded by an RX_PHY one.
2956 */
2957static void
2958iwn_rx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
2959    struct iwn_rx_data *data)
2960{
2961	struct iwn_ops *ops = &sc->ops;
2962	struct ieee80211com *ic = &sc->sc_ic;
2963	struct iwn_rx_ring *ring = &sc->rxq;
2964	struct ieee80211_frame *wh;
2965	struct ieee80211_node *ni;
2966	struct mbuf *m, *m1;
2967	struct iwn_rx_stat *stat;
2968	caddr_t head;
2969	bus_addr_t paddr;
2970	uint32_t flags;
2971	int error, len, rssi, nf;
2972
2973	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
2974
2975	if (desc->type == IWN_MPDU_RX_DONE) {
2976		/* Check for prior RX_PHY notification. */
2977		if (!sc->last_rx_valid) {
2978			DPRINTF(sc, IWN_DEBUG_ANY,
2979			    "%s: missing RX_PHY\n", __func__);
2980			return;
2981		}
2982		stat = &sc->last_rx_stat;
2983	} else
2984		stat = (struct iwn_rx_stat *)(desc + 1);
2985
2986	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
2987
2988	if (stat->cfg_phy_len > IWN_STAT_MAXLEN) {
2989		device_printf(sc->sc_dev,
2990		    "%s: invalid RX statistic header, len %d\n", __func__,
2991		    stat->cfg_phy_len);
2992		return;
2993	}
2994	if (desc->type == IWN_MPDU_RX_DONE) {
2995		struct iwn_rx_mpdu *mpdu = (struct iwn_rx_mpdu *)(desc + 1);
2996		head = (caddr_t)(mpdu + 1);
2997		len = le16toh(mpdu->len);
2998	} else {
2999		head = (caddr_t)(stat + 1) + stat->cfg_phy_len;
3000		len = le16toh(stat->len);
3001	}
3002
3003	flags = le32toh(*(uint32_t *)(head + len));
3004
3005	/* Discard frames with a bad FCS early. */
3006	if ((flags & IWN_RX_NOERROR) != IWN_RX_NOERROR) {
3007		DPRINTF(sc, IWN_DEBUG_RECV, "%s: RX flags error %x\n",
3008		    __func__, flags);
3009		counter_u64_add(ic->ic_ierrors, 1);
3010		return;
3011	}
3012	/* Discard frames that are too short. */
3013	if (len < sizeof (struct ieee80211_frame_ack)) {
3014		DPRINTF(sc, IWN_DEBUG_RECV, "%s: frame too short: %d\n",
3015		    __func__, len);
3016		counter_u64_add(ic->ic_ierrors, 1);
3017		return;
3018	}
3019
3020	m1 = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, IWN_RBUF_SIZE);
3021	if (m1 == NULL) {
3022		DPRINTF(sc, IWN_DEBUG_ANY, "%s: no mbuf to restock ring\n",
3023		    __func__);
3024		counter_u64_add(ic->ic_ierrors, 1);
3025		return;
3026	}
3027	bus_dmamap_unload(ring->data_dmat, data->map);
3028
3029	error = bus_dmamap_load(ring->data_dmat, data->map, mtod(m1, void *),
3030	    IWN_RBUF_SIZE, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
3031	if (error != 0 && error != EFBIG) {
3032		device_printf(sc->sc_dev,
3033		    "%s: bus_dmamap_load failed, error %d\n", __func__, error);
3034		m_freem(m1);
3035
3036		/* Try to reload the old mbuf. */
3037		error = bus_dmamap_load(ring->data_dmat, data->map,
3038		    mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
3039		    &paddr, BUS_DMA_NOWAIT);
3040		if (error != 0 && error != EFBIG) {
3041			panic("%s: could not load old RX mbuf", __func__);
3042		}
3043		bus_dmamap_sync(ring->data_dmat, data->map,
3044		    BUS_DMASYNC_PREREAD);
3045		/* Physical address may have changed. */
3046		ring->desc[ring->cur] = htole32(paddr >> 8);
3047		bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
3048		    BUS_DMASYNC_PREWRITE);
3049		counter_u64_add(ic->ic_ierrors, 1);
3050		return;
3051	}
3052
3053	bus_dmamap_sync(ring->data_dmat, data->map,
3054	    BUS_DMASYNC_PREREAD);
3055
3056	m = data->m;
3057	data->m = m1;
3058	/* Update RX descriptor. */
3059	ring->desc[ring->cur] = htole32(paddr >> 8);
3060	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
3061	    BUS_DMASYNC_PREWRITE);
3062
3063	/* Finalize mbuf. */
3064	m->m_data = head;
3065	m->m_pkthdr.len = m->m_len = len;
3066
3067	/* Grab a reference to the source node. */
3068	wh = mtod(m, struct ieee80211_frame *);
3069	if (len >= sizeof(struct ieee80211_frame_min))
3070		ni = ieee80211_find_rxnode(ic, (struct ieee80211_frame_min *)wh);
3071	else
3072		ni = NULL;
3073	nf = (ni != NULL && ni->ni_vap->iv_state == IEEE80211_S_RUN &&
3074	    (ic->ic_flags & IEEE80211_F_SCAN) == 0) ? sc->noise : -95;
3075
3076	rssi = ops->get_rssi(sc, stat);
3077
3078	if (ieee80211_radiotap_active(ic)) {
3079		struct iwn_rx_radiotap_header *tap = &sc->sc_rxtap;
3080
3081		tap->wr_flags = 0;
3082		if (stat->flags & htole16(IWN_STAT_FLAG_SHPREAMBLE))
3083			tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
3084		tap->wr_dbm_antsignal = (int8_t)rssi;
3085		tap->wr_dbm_antnoise = (int8_t)nf;
3086		tap->wr_tsft = stat->tstamp;
3087		switch (stat->rate) {
3088		/* CCK rates. */
3089		case  10: tap->wr_rate =   2; break;
3090		case  20: tap->wr_rate =   4; break;
3091		case  55: tap->wr_rate =  11; break;
3092		case 110: tap->wr_rate =  22; break;
3093		/* OFDM rates. */
3094		case 0xd: tap->wr_rate =  12; break;
3095		case 0xf: tap->wr_rate =  18; break;
3096		case 0x5: tap->wr_rate =  24; break;
3097		case 0x7: tap->wr_rate =  36; break;
3098		case 0x9: tap->wr_rate =  48; break;
3099		case 0xb: tap->wr_rate =  72; break;
3100		case 0x1: tap->wr_rate =  96; break;
3101		case 0x3: tap->wr_rate = 108; break;
3102		/* Unknown rate: should not happen. */
3103		default:  tap->wr_rate =   0;
3104		}
3105	}
3106
3107	/*
3108	 * If it's a beacon and we're waiting, then do the
3109	 * wakeup.  This should unblock raw_xmit/start.
3110	 */
3111	if (sc->sc_beacon_wait) {
3112		uint8_t type, subtype;
3113		/* NB: Re-assign wh */
3114		wh = mtod(m, struct ieee80211_frame *);
3115		type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
3116		subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
3117		/*
3118		 * This assumes at this point we've received our own
3119		 * beacon.
3120		 */
3121		DPRINTF(sc, IWN_DEBUG_TRACE,
3122		    "%s: beacon_wait, type=%d, subtype=%d\n",
3123		    __func__, type, subtype);
3124		if (type == IEEE80211_FC0_TYPE_MGT &&
3125		    subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
3126			DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT,
3127			    "%s: waking things up\n", __func__);
3128			/* queue taskqueue to transmit! */
3129			taskqueue_enqueue(sc->sc_tq, &sc->sc_xmit_task);
3130		}
3131	}
3132
3133	IWN_UNLOCK(sc);
3134
3135	/* Send the frame to the 802.11 layer. */
3136	if (ni != NULL) {
3137		if (ni->ni_flags & IEEE80211_NODE_HT)
3138			m->m_flags |= M_AMPDU;
3139		(void)ieee80211_input(ni, m, rssi - nf, nf);
3140		/* Node is no longer needed. */
3141		ieee80211_free_node(ni);
3142	} else
3143		(void)ieee80211_input_all(ic, m, rssi - nf, nf);
3144
3145	IWN_LOCK(sc);
3146
3147	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
3148
3149}
3150
3151/* Process an incoming Compressed BlockAck. */
3152static void
3153iwn_rx_compressed_ba(struct iwn_softc *sc, struct iwn_rx_desc *desc,
3154    struct iwn_rx_data *data)
3155{
3156	struct iwn_ops *ops = &sc->ops;
3157	struct iwn_node *wn;
3158	struct ieee80211_node *ni;
3159	struct iwn_compressed_ba *ba = (struct iwn_compressed_ba *)(desc + 1);
3160	struct iwn_tx_ring *txq;
3161	struct iwn_tx_data *txdata;
3162	struct ieee80211_tx_ampdu *tap;
3163	struct mbuf *m;
3164	uint64_t bitmap;
3165	uint16_t ssn;
3166	uint8_t tid;
3167	int ackfailcnt = 0, i, lastidx, qid, *res, shift;
3168	int tx_ok = 0, tx_err = 0;
3169
3170	DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT, "->%s begin\n", __func__);
3171
3172	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
3173
3174	qid = le16toh(ba->qid);
3175	txq = &sc->txq[ba->qid];
3176	tap = sc->qid2tap[ba->qid];
3177	tid = tap->txa_tid;
3178	wn = (void *)tap->txa_ni;
3179
3180	res = NULL;
3181	ssn = 0;
3182	if (!IEEE80211_AMPDU_RUNNING(tap)) {
3183		res = tap->txa_private;
3184		ssn = tap->txa_start & 0xfff;
3185	}
3186
3187	for (lastidx = le16toh(ba->ssn) & 0xff; txq->read != lastidx;) {
3188		txdata = &txq->data[txq->read];
3189
3190		/* Unmap and free mbuf. */
3191		bus_dmamap_sync(txq->data_dmat, txdata->map,
3192		    BUS_DMASYNC_POSTWRITE);
3193		bus_dmamap_unload(txq->data_dmat, txdata->map);
3194		m = txdata->m, txdata->m = NULL;
3195		ni = txdata->ni, txdata->ni = NULL;
3196
3197		KASSERT(ni != NULL, ("no node"));
3198		KASSERT(m != NULL, ("no mbuf"));
3199
3200		DPRINTF(sc, IWN_DEBUG_XMIT, "%s: freeing m=%p\n", __func__, m);
3201		ieee80211_tx_complete(ni, m, 1);
3202
3203		txq->queued--;
3204		txq->read = (txq->read + 1) % IWN_TX_RING_COUNT;
3205	}
3206
3207	if (txq->queued == 0 && res != NULL) {
3208		iwn_nic_lock(sc);
3209		ops->ampdu_tx_stop(sc, qid, tid, ssn);
3210		iwn_nic_unlock(sc);
3211		sc->qid2tap[qid] = NULL;
3212		free(res, M_DEVBUF);
3213		return;
3214	}
3215
3216	if (wn->agg[tid].bitmap == 0)
3217		return;
3218
3219	shift = wn->agg[tid].startidx - ((le16toh(ba->seq) >> 4) & 0xff);
3220	if (shift < 0)
3221		shift += 0x100;
3222
3223	if (wn->agg[tid].nframes > (64 - shift))
3224		return;
3225
3226	/*
3227	 * Walk the bitmap and calculate how many successful and failed
3228	 * attempts are made.
3229	 *
3230	 * Yes, the rate control code doesn't know these are A-MPDU
3231	 * subframes and that it's okay to fail some of these.
3232	 */
3233	ni = tap->txa_ni;
3234	bitmap = (le64toh(ba->bitmap) >> shift) & wn->agg[tid].bitmap;
3235	for (i = 0; bitmap; i++) {
3236		if ((bitmap & 1) == 0) {
3237			tx_err ++;
3238			ieee80211_ratectl_tx_complete(ni->ni_vap, ni,
3239			    IEEE80211_RATECTL_TX_FAILURE, &ackfailcnt, NULL);
3240		} else {
3241			tx_ok ++;
3242			ieee80211_ratectl_tx_complete(ni->ni_vap, ni,
3243			    IEEE80211_RATECTL_TX_SUCCESS, &ackfailcnt, NULL);
3244		}
3245		bitmap >>= 1;
3246	}
3247
3248	DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT,
3249	    "->%s: end; %d ok; %d err\n",__func__, tx_ok, tx_err);
3250
3251}
3252
3253/*
3254 * Process a CALIBRATION_RESULT notification sent by the initialization
3255 * firmware on response to a CMD_CALIB_CONFIG command (5000 only).
3256 */
3257static void
3258iwn5000_rx_calib_results(struct iwn_softc *sc, struct iwn_rx_desc *desc,
3259    struct iwn_rx_data *data)
3260{
3261	struct iwn_phy_calib *calib = (struct iwn_phy_calib *)(desc + 1);
3262	int len, idx = -1;
3263
3264	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
3265
3266	/* Runtime firmware should not send such a notification. */
3267	if (sc->sc_flags & IWN_FLAG_CALIB_DONE){
3268		DPRINTF(sc, IWN_DEBUG_TRACE, "->%s received after clib done\n",
3269	    __func__);
3270		return;
3271	}
3272	len = (le32toh(desc->len) & 0x3fff) - 4;
3273	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
3274
3275	switch (calib->code) {
3276	case IWN5000_PHY_CALIB_DC:
3277		if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_DC)
3278			idx = 0;
3279		break;
3280	case IWN5000_PHY_CALIB_LO:
3281		if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_LO)
3282			idx = 1;
3283		break;
3284	case IWN5000_PHY_CALIB_TX_IQ:
3285		if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TX_IQ)
3286			idx = 2;
3287		break;
3288	case IWN5000_PHY_CALIB_TX_IQ_PERIODIC:
3289		if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TX_IQ_PERIODIC)
3290			idx = 3;
3291		break;
3292	case IWN5000_PHY_CALIB_BASE_BAND:
3293		if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_BASE_BAND)
3294			idx = 4;
3295		break;
3296	}
3297	if (idx == -1)	/* Ignore other results. */
3298		return;
3299
3300	/* Save calibration result. */
3301	if (sc->calibcmd[idx].buf != NULL)
3302		free(sc->calibcmd[idx].buf, M_DEVBUF);
3303	sc->calibcmd[idx].buf = malloc(len, M_DEVBUF, M_NOWAIT);
3304	if (sc->calibcmd[idx].buf == NULL) {
3305		DPRINTF(sc, IWN_DEBUG_CALIBRATE,
3306		    "not enough memory for calibration result %d\n",
3307		    calib->code);
3308		return;
3309	}
3310	DPRINTF(sc, IWN_DEBUG_CALIBRATE,
3311	    "saving calibration result idx=%d, code=%d len=%d\n", idx, calib->code, len);
3312	sc->calibcmd[idx].len = len;
3313	memcpy(sc->calibcmd[idx].buf, calib, len);
3314}
3315
3316static void
3317iwn_stats_update(struct iwn_softc *sc, struct iwn_calib_state *calib,
3318    struct iwn_stats *stats, int len)
3319{
3320	struct iwn_stats_bt *stats_bt;
3321	struct iwn_stats *lstats;
3322
3323	/*
3324	 * First - check whether the length is the bluetooth or normal.
3325	 *
3326	 * If it's normal - just copy it and bump out.
3327	 * Otherwise we have to convert things.
3328	 */
3329
3330	if (len == sizeof(struct iwn_stats) + 4) {
3331		memcpy(&sc->last_stat, stats, sizeof(struct iwn_stats));
3332		sc->last_stat_valid = 1;
3333		return;
3334	}
3335
3336	/*
3337	 * If it's not the bluetooth size - log, then just copy.
3338	 */
3339	if (len != sizeof(struct iwn_stats_bt) + 4) {
3340		DPRINTF(sc, IWN_DEBUG_STATS,
3341		    "%s: size of rx statistics (%d) not an expected size!\n",
3342		    __func__,
3343		    len);
3344		memcpy(&sc->last_stat, stats, sizeof(struct iwn_stats));
3345		sc->last_stat_valid = 1;
3346		return;
3347	}
3348
3349	/*
3350	 * Ok. Time to copy.
3351	 */
3352	stats_bt = (struct iwn_stats_bt *) stats;
3353	lstats = &sc->last_stat;
3354
3355	/* flags */
3356	lstats->flags = stats_bt->flags;
3357	/* rx_bt */
3358	memcpy(&lstats->rx.ofdm, &stats_bt->rx_bt.ofdm,
3359	    sizeof(struct iwn_rx_phy_stats));
3360	memcpy(&lstats->rx.cck, &stats_bt->rx_bt.cck,
3361	    sizeof(struct iwn_rx_phy_stats));
3362	memcpy(&lstats->rx.general, &stats_bt->rx_bt.general_bt.common,
3363	    sizeof(struct iwn_rx_general_stats));
3364	memcpy(&lstats->rx.ht, &stats_bt->rx_bt.ht,
3365	    sizeof(struct iwn_rx_ht_phy_stats));
3366	/* tx */
3367	memcpy(&lstats->tx, &stats_bt->tx,
3368	    sizeof(struct iwn_tx_stats));
3369	/* general */
3370	memcpy(&lstats->general, &stats_bt->general,
3371	    sizeof(struct iwn_general_stats));
3372
3373	/* XXX TODO: Squirrel away the extra bluetooth stats somewhere */
3374	sc->last_stat_valid = 1;
3375}
3376
3377/*
3378 * Process an RX_STATISTICS or BEACON_STATISTICS firmware notification.
3379 * The latter is sent by the firmware after each received beacon.
3380 */
3381static void
3382iwn_rx_statistics(struct iwn_softc *sc, struct iwn_rx_desc *desc,
3383    struct iwn_rx_data *data)
3384{
3385	struct iwn_ops *ops = &sc->ops;
3386	struct ieee80211com *ic = &sc->sc_ic;
3387	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
3388	struct iwn_calib_state *calib = &sc->calib;
3389	struct iwn_stats *stats = (struct iwn_stats *)(desc + 1);
3390	struct iwn_stats *lstats;
3391	int temp;
3392
3393	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
3394
3395	/* Ignore statistics received during a scan. */
3396	if (vap->iv_state != IEEE80211_S_RUN ||
3397	    (ic->ic_flags & IEEE80211_F_SCAN)){
3398		DPRINTF(sc, IWN_DEBUG_TRACE, "->%s received during calib\n",
3399	    __func__);
3400		return;
3401	}
3402
3403	bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
3404
3405	DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_STATS,
3406	    "%s: received statistics, cmd %d, len %d\n",
3407	    __func__, desc->type, le16toh(desc->len));
3408	sc->calib_cnt = 0;	/* Reset TX power calibration timeout. */
3409
3410	/*
3411	 * Collect/track general statistics for reporting.
3412	 *
3413	 * This takes care of ensuring that the bluetooth sized message
3414	 * will be correctly converted to the legacy sized message.
3415	 */
3416	iwn_stats_update(sc, calib, stats, le16toh(desc->len));
3417
3418	/*
3419	 * And now, let's take a reference of it to use!
3420	 */
3421	lstats = &sc->last_stat;
3422
3423	/* Test if temperature has changed. */
3424	if (lstats->general.temp != sc->rawtemp) {
3425		/* Convert "raw" temperature to degC. */
3426		sc->rawtemp = stats->general.temp;
3427		temp = ops->get_temperature(sc);
3428		DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: temperature %d\n",
3429		    __func__, temp);
3430
3431		/* Update TX power if need be (4965AGN only). */
3432		if (sc->hw_type == IWN_HW_REV_TYPE_4965)
3433			iwn4965_power_calibration(sc, temp);
3434	}
3435
3436	if (desc->type != IWN_BEACON_STATISTICS)
3437		return;	/* Reply to a statistics request. */
3438
3439	sc->noise = iwn_get_noise(&lstats->rx.general);
3440	DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: noise %d\n", __func__, sc->noise);
3441
3442	/* Test that RSSI and noise are present in stats report. */
3443	if (le32toh(lstats->rx.general.flags) != 1) {
3444		DPRINTF(sc, IWN_DEBUG_ANY, "%s\n",
3445		    "received statistics without RSSI");
3446		return;
3447	}
3448
3449	if (calib->state == IWN_CALIB_STATE_ASSOC)
3450		iwn_collect_noise(sc, &lstats->rx.general);
3451	else if (calib->state == IWN_CALIB_STATE_RUN) {
3452		iwn_tune_sensitivity(sc, &lstats->rx);
3453		/*
3454		 * XXX TODO: Only run the RX recovery if we're associated!
3455		 */
3456		iwn_check_rx_recovery(sc, lstats);
3457		iwn_save_stats_counters(sc, lstats);
3458	}
3459
3460	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
3461}
3462
3463/*
3464 * Save the relevant statistic counters for the next calibration
3465 * pass.
3466 */
3467static void
3468iwn_save_stats_counters(struct iwn_softc *sc, const struct iwn_stats *rs)
3469{
3470	struct iwn_calib_state *calib = &sc->calib;
3471
3472	/* Save counters values for next call. */
3473	calib->bad_plcp_cck = le32toh(rs->rx.cck.bad_plcp);
3474	calib->fa_cck = le32toh(rs->rx.cck.fa);
3475	calib->bad_plcp_ht = le32toh(rs->rx.ht.bad_plcp);
3476	calib->bad_plcp_ofdm = le32toh(rs->rx.ofdm.bad_plcp);
3477	calib->fa_ofdm = le32toh(rs->rx.ofdm.fa);
3478
3479	/* Last time we received these tick values */
3480	sc->last_calib_ticks = ticks;
3481}
3482
3483/*
3484 * Process a TX_DONE firmware notification.  Unfortunately, the 4965AGN
3485 * and 5000 adapters have different incompatible TX status formats.
3486 */
3487static void
3488iwn4965_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
3489    struct iwn_rx_data *data)
3490{
3491	struct iwn4965_tx_stat *stat = (struct iwn4965_tx_stat *)(desc + 1);
3492	struct iwn_tx_ring *ring;
3493	int qid;
3494
3495	qid = desc->qid & 0xf;
3496	ring = &sc->txq[qid];
3497
3498	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
3499	    "qid %d idx %d RTS retries %d ACK retries %d nkill %d rate %x duration %d status %x\n",
3500	    __func__, desc->qid, desc->idx,
3501	    stat->rtsfailcnt,
3502	    stat->ackfailcnt,
3503	    stat->btkillcnt,
3504	    stat->rate, le16toh(stat->duration),
3505	    le32toh(stat->status));
3506
3507	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
3508	if (qid >= sc->firstaggqueue) {
3509		iwn_ampdu_tx_done(sc, qid, desc->idx, stat->nframes,
3510		    stat->ackfailcnt, &stat->status);
3511	} else {
3512		iwn_tx_done(sc, desc, stat->ackfailcnt,
3513		    le32toh(stat->status) & 0xff);
3514	}
3515}
3516
3517static void
3518iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
3519    struct iwn_rx_data *data)
3520{
3521	struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc + 1);
3522	struct iwn_tx_ring *ring;
3523	int qid;
3524
3525	qid = desc->qid & 0xf;
3526	ring = &sc->txq[qid];
3527
3528	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
3529	    "qid %d idx %d RTS retries %d ACK retries %d nkill %d rate %x duration %d status %x\n",
3530	    __func__, desc->qid, desc->idx,
3531	    stat->rtsfailcnt,
3532	    stat->ackfailcnt,
3533	    stat->btkillcnt,
3534	    stat->rate, le16toh(stat->duration),
3535	    le32toh(stat->status));
3536
3537#ifdef notyet
3538	/* Reset TX scheduler slot. */
3539	iwn5000_reset_sched(sc, desc->qid & 0xf, desc->idx);
3540#endif
3541
3542	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
3543	if (qid >= sc->firstaggqueue) {
3544		iwn_ampdu_tx_done(sc, qid, desc->idx, stat->nframes,
3545		    stat->ackfailcnt, &stat->status);
3546	} else {
3547		iwn_tx_done(sc, desc, stat->ackfailcnt,
3548		    le16toh(stat->status) & 0xff);
3549	}
3550}
3551
3552/*
3553 * Adapter-independent backend for TX_DONE firmware notifications.
3554 */
3555static void
3556iwn_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc, int ackfailcnt,
3557    uint8_t status)
3558{
3559	struct iwn_tx_ring *ring = &sc->txq[desc->qid & 0xf];
3560	struct iwn_tx_data *data = &ring->data[desc->idx];
3561	struct mbuf *m;
3562	struct ieee80211_node *ni;
3563	struct ieee80211vap *vap;
3564
3565	KASSERT(data->ni != NULL, ("no node"));
3566
3567	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
3568
3569	/* Unmap and free mbuf. */
3570	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTWRITE);
3571	bus_dmamap_unload(ring->data_dmat, data->map);
3572	m = data->m, data->m = NULL;
3573	ni = data->ni, data->ni = NULL;
3574	vap = ni->ni_vap;
3575
3576	/*
3577	 * Update rate control statistics for the node.
3578	 */
3579	if (status & IWN_TX_FAIL)
3580		ieee80211_ratectl_tx_complete(vap, ni,
3581		    IEEE80211_RATECTL_TX_FAILURE, &ackfailcnt, NULL);
3582	else
3583		ieee80211_ratectl_tx_complete(vap, ni,
3584		    IEEE80211_RATECTL_TX_SUCCESS, &ackfailcnt, NULL);
3585
3586	/*
3587	 * Channels marked for "radar" require traffic to be received
3588	 * to unlock before we can transmit.  Until traffic is seen
3589	 * any attempt to transmit is returned immediately with status
3590	 * set to IWN_TX_FAIL_TX_LOCKED.  Unfortunately this can easily
3591	 * happen on first authenticate after scanning.  To workaround
3592	 * this we ignore a failure of this sort in AUTH state so the
3593	 * 802.11 layer will fall back to using a timeout to wait for
3594	 * the AUTH reply.  This allows the firmware time to see
3595	 * traffic so a subsequent retry of AUTH succeeds.  It's
3596	 * unclear why the firmware does not maintain state for
3597	 * channels recently visited as this would allow immediate
3598	 * use of the channel after a scan (where we see traffic).
3599	 */
3600	if (status == IWN_TX_FAIL_TX_LOCKED &&
3601	    ni->ni_vap->iv_state == IEEE80211_S_AUTH)
3602		ieee80211_tx_complete(ni, m, 0);
3603	else
3604		ieee80211_tx_complete(ni, m,
3605		    (status & IWN_TX_FAIL) != 0);
3606
3607	sc->sc_tx_timer = 0;
3608	if (--ring->queued < IWN_TX_RING_LOMARK)
3609		sc->qfullmsk &= ~(1 << ring->qid);
3610
3611	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
3612}
3613
3614/*
3615 * Process a "command done" firmware notification.  This is where we wakeup
3616 * processes waiting for a synchronous command completion.
3617 */
3618static void
3619iwn_cmd_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
3620{
3621	struct iwn_tx_ring *ring;
3622	struct iwn_tx_data *data;
3623	int cmd_queue_num;
3624
3625	if (sc->sc_flags & IWN_FLAG_PAN_SUPPORT)
3626		cmd_queue_num = IWN_PAN_CMD_QUEUE;
3627	else
3628		cmd_queue_num = IWN_CMD_QUEUE_NUM;
3629
3630	if ((desc->qid & IWN_RX_DESC_QID_MSK) != cmd_queue_num)
3631		return;	/* Not a command ack. */
3632
3633	ring = &sc->txq[cmd_queue_num];
3634	data = &ring->data[desc->idx];
3635
3636	/* If the command was mapped in an mbuf, free it. */
3637	if (data->m != NULL) {
3638		bus_dmamap_sync(ring->data_dmat, data->map,
3639		    BUS_DMASYNC_POSTWRITE);
3640		bus_dmamap_unload(ring->data_dmat, data->map);
3641		m_freem(data->m);
3642		data->m = NULL;
3643	}
3644	wakeup(&ring->desc[desc->idx]);
3645}
3646
3647static void
3648iwn_ampdu_tx_done(struct iwn_softc *sc, int qid, int idx, int nframes,
3649    int ackfailcnt, void *stat)
3650{
3651	struct iwn_ops *ops = &sc->ops;
3652	struct iwn_tx_ring *ring = &sc->txq[qid];
3653	struct iwn_tx_data *data;
3654	struct mbuf *m;
3655	struct iwn_node *wn;
3656	struct ieee80211_node *ni;
3657	struct ieee80211_tx_ampdu *tap;
3658	uint64_t bitmap;
3659	uint32_t *status = stat;
3660	uint16_t *aggstatus = stat;
3661	uint16_t ssn;
3662	uint8_t tid;
3663	int bit, i, lastidx, *res, seqno, shift, start;
3664
3665	/* XXX TODO: status is le16 field! Grr */
3666
3667	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
3668	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: nframes=%d, status=0x%08x\n",
3669	    __func__,
3670	    nframes,
3671	    *status);
3672
3673	tap = sc->qid2tap[qid];
3674	tid = tap->txa_tid;
3675	wn = (void *)tap->txa_ni;
3676	ni = tap->txa_ni;
3677
3678	/*
3679	 * XXX TODO: ACK and RTS failures would be nice here!
3680	 */
3681
3682	/*
3683	 * A-MPDU single frame status - if we failed to transmit it
3684	 * in A-MPDU, then it may be a permanent failure.
3685	 *
3686	 * XXX TODO: check what the Linux iwlwifi driver does here;
3687	 * there's some permanent and temporary failures that may be
3688	 * handled differently.
3689	 */
3690	if (nframes == 1) {
3691		if ((*status & 0xff) != 1 && (*status & 0xff) != 2) {
3692#ifdef	NOT_YET
3693			printf("ieee80211_send_bar()\n");
3694#endif
3695			/*
3696			 * If we completely fail a transmit, make sure a
3697			 * notification is pushed up to the rate control
3698			 * layer.
3699			 */
3700			ieee80211_ratectl_tx_complete(ni->ni_vap,
3701			    ni,
3702			    IEEE80211_RATECTL_TX_FAILURE,
3703			    &ackfailcnt,
3704			    NULL);
3705		} else {
3706			/*
3707			 * If nframes=1, then we won't be getting a BA for
3708			 * this frame.  Ensure that we correctly update the
3709			 * rate control code with how many retries were
3710			 * needed to send it.
3711			 */
3712			ieee80211_ratectl_tx_complete(ni->ni_vap,
3713			    ni,
3714			    IEEE80211_RATECTL_TX_SUCCESS,
3715			    &ackfailcnt,
3716			    NULL);
3717		}
3718	}
3719
3720	bitmap = 0;
3721	start = idx;
3722	for (i = 0; i < nframes; i++) {
3723		if (le16toh(aggstatus[i * 2]) & 0xc)
3724			continue;
3725
3726		idx = le16toh(aggstatus[2*i + 1]) & 0xff;
3727		bit = idx - start;
3728		shift = 0;
3729		if (bit >= 64) {
3730			shift = 0x100 - idx + start;
3731			bit = 0;
3732			start = idx;
3733		} else if (bit <= -64)
3734			bit = 0x100 - start + idx;
3735		else if (bit < 0) {
3736			shift = start - idx;
3737			start = idx;
3738			bit = 0;
3739		}
3740		bitmap = bitmap << shift;
3741		bitmap |= 1ULL << bit;
3742	}
3743	tap = sc->qid2tap[qid];
3744	tid = tap->txa_tid;
3745	wn = (void *)tap->txa_ni;
3746	wn->agg[tid].bitmap = bitmap;
3747	wn->agg[tid].startidx = start;
3748	wn->agg[tid].nframes = nframes;
3749
3750	res = NULL;
3751	ssn = 0;
3752	if (!IEEE80211_AMPDU_RUNNING(tap)) {
3753		res = tap->txa_private;
3754		ssn = tap->txa_start & 0xfff;
3755	}
3756
3757	/* This is going nframes DWORDS into the descriptor? */
3758	seqno = le32toh(*(status + nframes)) & 0xfff;
3759	for (lastidx = (seqno & 0xff); ring->read != lastidx;) {
3760		data = &ring->data[ring->read];
3761
3762		/* Unmap and free mbuf. */
3763		bus_dmamap_sync(ring->data_dmat, data->map,
3764		    BUS_DMASYNC_POSTWRITE);
3765		bus_dmamap_unload(ring->data_dmat, data->map);
3766		m = data->m, data->m = NULL;
3767		ni = data->ni, data->ni = NULL;
3768
3769		KASSERT(ni != NULL, ("no node"));
3770		KASSERT(m != NULL, ("no mbuf"));
3771		DPRINTF(sc, IWN_DEBUG_XMIT, "%s: freeing m=%p\n", __func__, m);
3772		ieee80211_tx_complete(ni, m, 1);
3773
3774		ring->queued--;
3775		ring->read = (ring->read + 1) % IWN_TX_RING_COUNT;
3776	}
3777
3778	if (ring->queued == 0 && res != NULL) {
3779		iwn_nic_lock(sc);
3780		ops->ampdu_tx_stop(sc, qid, tid, ssn);
3781		iwn_nic_unlock(sc);
3782		sc->qid2tap[qid] = NULL;
3783		free(res, M_DEVBUF);
3784		return;
3785	}
3786
3787	sc->sc_tx_timer = 0;
3788	if (ring->queued < IWN_TX_RING_LOMARK)
3789		sc->qfullmsk &= ~(1 << ring->qid);
3790
3791	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
3792}
3793
3794/*
3795 * Process an INT_FH_RX or INT_SW_RX interrupt.
3796 */
3797static void
3798iwn_notif_intr(struct iwn_softc *sc)
3799{
3800	struct iwn_ops *ops = &sc->ops;
3801	struct ieee80211com *ic = &sc->sc_ic;
3802	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
3803	uint16_t hw;
3804	int is_stopped;
3805
3806	bus_dmamap_sync(sc->rxq.stat_dma.tag, sc->rxq.stat_dma.map,
3807	    BUS_DMASYNC_POSTREAD);
3808
3809	hw = le16toh(sc->rxq.stat->closed_count) & 0xfff;
3810	while (sc->rxq.cur != hw) {
3811		struct iwn_rx_data *data = &sc->rxq.data[sc->rxq.cur];
3812		struct iwn_rx_desc *desc;
3813
3814		bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3815		    BUS_DMASYNC_POSTREAD);
3816		desc = mtod(data->m, struct iwn_rx_desc *);
3817
3818		DPRINTF(sc, IWN_DEBUG_RECV,
3819		    "%s: cur=%d; qid %x idx %d flags %x type %d(%s) len %d\n",
3820		    __func__, sc->rxq.cur, desc->qid & 0xf, desc->idx, desc->flags,
3821		    desc->type, iwn_intr_str(desc->type),
3822		    le16toh(desc->len));
3823
3824		if (!(desc->qid & IWN_UNSOLICITED_RX_NOTIF))	/* Reply to a command. */
3825			iwn_cmd_done(sc, desc);
3826
3827		switch (desc->type) {
3828		case IWN_RX_PHY:
3829			iwn_rx_phy(sc, desc, data);
3830			break;
3831
3832		case IWN_RX_DONE:		/* 4965AGN only. */
3833		case IWN_MPDU_RX_DONE:
3834			/* An 802.11 frame has been received. */
3835			iwn_rx_done(sc, desc, data);
3836
3837			is_stopped = (sc->sc_flags & IWN_FLAG_RUNNING) == 0;
3838			if (__predict_false(is_stopped))
3839				return;
3840
3841			break;
3842
3843		case IWN_RX_COMPRESSED_BA:
3844			/* A Compressed BlockAck has been received. */
3845			iwn_rx_compressed_ba(sc, desc, data);
3846			break;
3847
3848		case IWN_TX_DONE:
3849			/* An 802.11 frame has been transmitted. */
3850			ops->tx_done(sc, desc, data);
3851			break;
3852
3853		case IWN_RX_STATISTICS:
3854		case IWN_BEACON_STATISTICS:
3855			iwn_rx_statistics(sc, desc, data);
3856			break;
3857
3858		case IWN_BEACON_MISSED:
3859		{
3860			struct iwn_beacon_missed *miss =
3861			    (struct iwn_beacon_missed *)(desc + 1);
3862			int misses;
3863
3864			bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3865			    BUS_DMASYNC_POSTREAD);
3866			misses = le32toh(miss->consecutive);
3867
3868			DPRINTF(sc, IWN_DEBUG_STATE,
3869			    "%s: beacons missed %d/%d\n", __func__,
3870			    misses, le32toh(miss->total));
3871			/*
3872			 * If more than 5 consecutive beacons are missed,
3873			 * reinitialize the sensitivity state machine.
3874			 */
3875			if (vap->iv_state == IEEE80211_S_RUN &&
3876			    (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
3877				if (misses > 5)
3878					(void)iwn_init_sensitivity(sc);
3879				if (misses >= vap->iv_bmissthreshold) {
3880					IWN_UNLOCK(sc);
3881					ieee80211_beacon_miss(ic);
3882					IWN_LOCK(sc);
3883
3884					is_stopped = (sc->sc_flags &
3885					    IWN_FLAG_RUNNING) == 0;
3886					if (__predict_false(is_stopped))
3887						return;
3888				}
3889			}
3890			break;
3891		}
3892		case IWN_UC_READY:
3893		{
3894			struct iwn_ucode_info *uc =
3895			    (struct iwn_ucode_info *)(desc + 1);
3896
3897			/* The microcontroller is ready. */
3898			bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3899			    BUS_DMASYNC_POSTREAD);
3900			DPRINTF(sc, IWN_DEBUG_RESET,
3901			    "microcode alive notification version=%d.%d "
3902			    "subtype=%x alive=%x\n", uc->major, uc->minor,
3903			    uc->subtype, le32toh(uc->valid));
3904
3905			if (le32toh(uc->valid) != 1) {
3906				device_printf(sc->sc_dev,
3907				    "microcontroller initialization failed");
3908				break;
3909			}
3910			if (uc->subtype == IWN_UCODE_INIT) {
3911				/* Save microcontroller report. */
3912				memcpy(&sc->ucode_info, uc, sizeof (*uc));
3913			}
3914			/* Save the address of the error log in SRAM. */
3915			sc->errptr = le32toh(uc->errptr);
3916			break;
3917		}
3918		case IWN_STATE_CHANGED:
3919		{
3920			/*
3921			 * State change allows hardware switch change to be
3922			 * noted. However, we handle this in iwn_intr as we
3923			 * get both the enable/disble intr.
3924			 */
3925			bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3926			    BUS_DMASYNC_POSTREAD);
3927#ifdef	IWN_DEBUG
3928			uint32_t *status = (uint32_t *)(desc + 1);
3929			DPRINTF(sc, IWN_DEBUG_INTR | IWN_DEBUG_STATE,
3930			    "state changed to %x\n",
3931			    le32toh(*status));
3932#endif
3933			break;
3934		}
3935		case IWN_START_SCAN:
3936		{
3937			bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3938			    BUS_DMASYNC_POSTREAD);
3939#ifdef	IWN_DEBUG
3940			struct iwn_start_scan *scan =
3941			    (struct iwn_start_scan *)(desc + 1);
3942			DPRINTF(sc, IWN_DEBUG_ANY,
3943			    "%s: scanning channel %d status %x\n",
3944			    __func__, scan->chan, le32toh(scan->status));
3945#endif
3946			break;
3947		}
3948		case IWN_STOP_SCAN:
3949		{
3950			bus_dmamap_sync(sc->rxq.data_dmat, data->map,
3951			    BUS_DMASYNC_POSTREAD);
3952#ifdef	IWN_DEBUG
3953			struct iwn_stop_scan *scan =
3954			    (struct iwn_stop_scan *)(desc + 1);
3955			DPRINTF(sc, IWN_DEBUG_STATE | IWN_DEBUG_SCAN,
3956			    "scan finished nchan=%d status=%d chan=%d\n",
3957			    scan->nchan, scan->status, scan->chan);
3958#endif
3959			sc->sc_is_scanning = 0;
3960			callout_stop(&sc->scan_timeout);
3961			IWN_UNLOCK(sc);
3962			ieee80211_scan_next(vap);
3963			IWN_LOCK(sc);
3964
3965			is_stopped = (sc->sc_flags & IWN_FLAG_RUNNING) == 0;
3966			if (__predict_false(is_stopped))
3967				return;
3968
3969			break;
3970		}
3971		case IWN5000_CALIBRATION_RESULT:
3972			iwn5000_rx_calib_results(sc, desc, data);
3973			break;
3974
3975		case IWN5000_CALIBRATION_DONE:
3976			sc->sc_flags |= IWN_FLAG_CALIB_DONE;
3977			wakeup(sc);
3978			break;
3979		}
3980
3981		sc->rxq.cur = (sc->rxq.cur + 1) % IWN_RX_RING_COUNT;
3982	}
3983
3984	/* Tell the firmware what we have processed. */
3985	hw = (hw == 0) ? IWN_RX_RING_COUNT - 1 : hw - 1;
3986	IWN_WRITE(sc, IWN_FH_RX_WPTR, hw & ~7);
3987}
3988
3989/*
3990 * Process an INT_WAKEUP interrupt raised when the microcontroller wakes up
3991 * from power-down sleep mode.
3992 */
3993static void
3994iwn_wakeup_intr(struct iwn_softc *sc)
3995{
3996	int qid;
3997
3998	DPRINTF(sc, IWN_DEBUG_RESET, "%s: ucode wakeup from power-down sleep\n",
3999	    __func__);
4000
4001	/* Wakeup RX and TX rings. */
4002	IWN_WRITE(sc, IWN_FH_RX_WPTR, sc->rxq.cur & ~7);
4003	for (qid = 0; qid < sc->ntxqs; qid++) {
4004		struct iwn_tx_ring *ring = &sc->txq[qid];
4005		IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | ring->cur);
4006	}
4007}
4008
4009static void
4010iwn_rftoggle_intr(struct iwn_softc *sc)
4011{
4012	struct ieee80211com *ic = &sc->sc_ic;
4013	uint32_t tmp = IWN_READ(sc, IWN_GP_CNTRL);
4014
4015	IWN_LOCK_ASSERT(sc);
4016
4017	device_printf(sc->sc_dev, "RF switch: radio %s\n",
4018	    (tmp & IWN_GP_CNTRL_RFKILL) ? "enabled" : "disabled");
4019	if (tmp & IWN_GP_CNTRL_RFKILL)
4020		ieee80211_runtask(ic, &sc->sc_radioon_task);
4021	else
4022		ieee80211_runtask(ic, &sc->sc_radiooff_task);
4023}
4024
4025/*
4026 * Dump the error log of the firmware when a firmware panic occurs.  Although
4027 * we can't debug the firmware because it is neither open source nor free, it
4028 * can help us to identify certain classes of problems.
4029 */
4030static void
4031iwn_fatal_intr(struct iwn_softc *sc)
4032{
4033	struct iwn_fw_dump dump;
4034	int i;
4035
4036	IWN_LOCK_ASSERT(sc);
4037
4038	/* Force a complete recalibration on next init. */
4039	sc->sc_flags &= ~IWN_FLAG_CALIB_DONE;
4040
4041	/* Check that the error log address is valid. */
4042	if (sc->errptr < IWN_FW_DATA_BASE ||
4043	    sc->errptr + sizeof (dump) >
4044	    IWN_FW_DATA_BASE + sc->fw_data_maxsz) {
4045		printf("%s: bad firmware error log address 0x%08x\n", __func__,
4046		    sc->errptr);
4047		return;
4048	}
4049	if (iwn_nic_lock(sc) != 0) {
4050		printf("%s: could not read firmware error log\n", __func__);
4051		return;
4052	}
4053	/* Read firmware error log from SRAM. */
4054	iwn_mem_read_region_4(sc, sc->errptr, (uint32_t *)&dump,
4055	    sizeof (dump) / sizeof (uint32_t));
4056	iwn_nic_unlock(sc);
4057
4058	if (dump.valid == 0) {
4059		printf("%s: firmware error log is empty\n", __func__);
4060		return;
4061	}
4062	printf("firmware error log:\n");
4063	printf("  error type      = \"%s\" (0x%08X)\n",
4064	    (dump.id < nitems(iwn_fw_errmsg)) ?
4065		iwn_fw_errmsg[dump.id] : "UNKNOWN",
4066	    dump.id);
4067	printf("  program counter = 0x%08X\n", dump.pc);
4068	printf("  source line     = 0x%08X\n", dump.src_line);
4069	printf("  error data      = 0x%08X%08X\n",
4070	    dump.error_data[0], dump.error_data[1]);
4071	printf("  branch link     = 0x%08X%08X\n",
4072	    dump.branch_link[0], dump.branch_link[1]);
4073	printf("  interrupt link  = 0x%08X%08X\n",
4074	    dump.interrupt_link[0], dump.interrupt_link[1]);
4075	printf("  time            = %u\n", dump.time[0]);
4076
4077	/* Dump driver status (TX and RX rings) while we're here. */
4078	printf("driver status:\n");
4079	for (i = 0; i < sc->ntxqs; i++) {
4080		struct iwn_tx_ring *ring = &sc->txq[i];
4081		printf("  tx ring %2d: qid=%-2d cur=%-3d queued=%-3d\n",
4082		    i, ring->qid, ring->cur, ring->queued);
4083	}
4084	printf("  rx ring: cur=%d\n", sc->rxq.cur);
4085}
4086
4087static void
4088iwn_intr(void *arg)
4089{
4090	struct iwn_softc *sc = arg;
4091	uint32_t r1, r2, tmp;
4092
4093	IWN_LOCK(sc);
4094
4095	/* Disable interrupts. */
4096	IWN_WRITE(sc, IWN_INT_MASK, 0);
4097
4098	/* Read interrupts from ICT (fast) or from registers (slow). */
4099	if (sc->sc_flags & IWN_FLAG_USE_ICT) {
4100		bus_dmamap_sync(sc->ict_dma.tag, sc->ict_dma.map,
4101		    BUS_DMASYNC_POSTREAD);
4102		tmp = 0;
4103		while (sc->ict[sc->ict_cur] != 0) {
4104			tmp |= sc->ict[sc->ict_cur];
4105			sc->ict[sc->ict_cur] = 0;	/* Acknowledge. */
4106			sc->ict_cur = (sc->ict_cur + 1) % IWN_ICT_COUNT;
4107		}
4108		tmp = le32toh(tmp);
4109		if (tmp == 0xffffffff)	/* Shouldn't happen. */
4110			tmp = 0;
4111		else if (tmp & 0xc0000)	/* Workaround a HW bug. */
4112			tmp |= 0x8000;
4113		r1 = (tmp & 0xff00) << 16 | (tmp & 0xff);
4114		r2 = 0;	/* Unused. */
4115	} else {
4116		r1 = IWN_READ(sc, IWN_INT);
4117		if (r1 == 0xffffffff || (r1 & 0xfffffff0) == 0xa5a5a5a0) {
4118			IWN_UNLOCK(sc);
4119			return;	/* Hardware gone! */
4120		}
4121		r2 = IWN_READ(sc, IWN_FH_INT);
4122	}
4123
4124	DPRINTF(sc, IWN_DEBUG_INTR, "interrupt reg1=0x%08x reg2=0x%08x\n"
4125    , r1, r2);
4126
4127	if (r1 == 0 && r2 == 0)
4128		goto done;	/* Interrupt not for us. */
4129
4130	/* Acknowledge interrupts. */
4131	IWN_WRITE(sc, IWN_INT, r1);
4132	if (!(sc->sc_flags & IWN_FLAG_USE_ICT))
4133		IWN_WRITE(sc, IWN_FH_INT, r2);
4134
4135	if (r1 & IWN_INT_RF_TOGGLED) {
4136		iwn_rftoggle_intr(sc);
4137		goto done;
4138	}
4139	if (r1 & IWN_INT_CT_REACHED) {
4140		device_printf(sc->sc_dev, "%s: critical temperature reached!\n",
4141		    __func__);
4142	}
4143	if (r1 & (IWN_INT_SW_ERR | IWN_INT_HW_ERR)) {
4144		device_printf(sc->sc_dev, "%s: fatal firmware error\n",
4145		    __func__);
4146#ifdef	IWN_DEBUG
4147		iwn_debug_register(sc);
4148#endif
4149		/* Dump firmware error log and stop. */
4150		iwn_fatal_intr(sc);
4151
4152		taskqueue_enqueue(sc->sc_tq, &sc->sc_panic_task);
4153		goto done;
4154	}
4155	if ((r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX | IWN_INT_RX_PERIODIC)) ||
4156	    (r2 & IWN_FH_INT_RX)) {
4157		if (sc->sc_flags & IWN_FLAG_USE_ICT) {
4158			if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX))
4159				IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_RX);
4160			IWN_WRITE_1(sc, IWN_INT_PERIODIC,
4161			    IWN_INT_PERIODIC_DIS);
4162			iwn_notif_intr(sc);
4163			if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX)) {
4164				IWN_WRITE_1(sc, IWN_INT_PERIODIC,
4165				    IWN_INT_PERIODIC_ENA);
4166			}
4167		} else
4168			iwn_notif_intr(sc);
4169	}
4170
4171	if ((r1 & IWN_INT_FH_TX) || (r2 & IWN_FH_INT_TX)) {
4172		if (sc->sc_flags & IWN_FLAG_USE_ICT)
4173			IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_TX);
4174		wakeup(sc);	/* FH DMA transfer completed. */
4175	}
4176
4177	if (r1 & IWN_INT_ALIVE)
4178		wakeup(sc);	/* Firmware is alive. */
4179
4180	if (r1 & IWN_INT_WAKEUP)
4181		iwn_wakeup_intr(sc);
4182
4183done:
4184	/* Re-enable interrupts. */
4185	if (sc->sc_flags & IWN_FLAG_RUNNING)
4186		IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
4187
4188	IWN_UNLOCK(sc);
4189}
4190
4191/*
4192 * Update TX scheduler ring when transmitting an 802.11 frame (4965AGN and
4193 * 5000 adapters use a slightly different format).
4194 */
4195static void
4196iwn4965_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
4197    uint16_t len)
4198{
4199	uint16_t *w = &sc->sched[qid * IWN4965_SCHED_COUNT + idx];
4200
4201	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
4202
4203	*w = htole16(len + 8);
4204	bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4205	    BUS_DMASYNC_PREWRITE);
4206	if (idx < IWN_SCHED_WINSZ) {
4207		*(w + IWN_TX_RING_COUNT) = *w;
4208		bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4209		    BUS_DMASYNC_PREWRITE);
4210	}
4211}
4212
4213static void
4214iwn5000_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
4215    uint16_t len)
4216{
4217	uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
4218
4219	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
4220
4221	*w = htole16(id << 12 | (len + 8));
4222	bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4223	    BUS_DMASYNC_PREWRITE);
4224	if (idx < IWN_SCHED_WINSZ) {
4225		*(w + IWN_TX_RING_COUNT) = *w;
4226		bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4227		    BUS_DMASYNC_PREWRITE);
4228	}
4229}
4230
4231#ifdef notyet
4232static void
4233iwn5000_reset_sched(struct iwn_softc *sc, int qid, int idx)
4234{
4235	uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
4236
4237	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
4238
4239	*w = (*w & htole16(0xf000)) | htole16(1);
4240	bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4241	    BUS_DMASYNC_PREWRITE);
4242	if (idx < IWN_SCHED_WINSZ) {
4243		*(w + IWN_TX_RING_COUNT) = *w;
4244		bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
4245		    BUS_DMASYNC_PREWRITE);
4246	}
4247}
4248#endif
4249
4250/*
4251 * Check whether OFDM 11g protection will be enabled for the given rate.
4252 *
4253 * The original driver code only enabled protection for OFDM rates.
4254 * It didn't check to see whether it was operating in 11a or 11bg mode.
4255 */
4256static int
4257iwn_check_rate_needs_protection(struct iwn_softc *sc,
4258    struct ieee80211vap *vap, uint8_t rate)
4259{
4260	struct ieee80211com *ic = vap->iv_ic;
4261
4262	/*
4263	 * Not in 2GHz mode? Then there's no need to enable OFDM
4264	 * 11bg protection.
4265	 */
4266	if (! IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) {
4267		return (0);
4268	}
4269
4270	/*
4271	 * 11bg protection not enabled? Then don't use it.
4272	 */
4273	if ((ic->ic_flags & IEEE80211_F_USEPROT) == 0)
4274		return (0);
4275
4276	/*
4277	 * If it's an 11n rate - no protection.
4278	 * We'll do it via a specific 11n check.
4279	 */
4280	if (rate & IEEE80211_RATE_MCS) {
4281		return (0);
4282	}
4283
4284	/*
4285	 * Do a rate table lookup.  If the PHY is CCK,
4286	 * don't do protection.
4287	 */
4288	if (ieee80211_rate2phytype(ic->ic_rt, rate) == IEEE80211_T_CCK)
4289		return (0);
4290
4291	/*
4292	 * Yup, enable protection.
4293	 */
4294	return (1);
4295}
4296
4297/*
4298 * return a value between 0 and IWN_MAX_TX_RETRIES-1 as an index into
4299 * the link quality table that reflects this particular entry.
4300 */
4301static int
4302iwn_tx_rate_to_linkq_offset(struct iwn_softc *sc, struct ieee80211_node *ni,
4303    uint8_t rate)
4304{
4305	struct ieee80211_rateset *rs;
4306	int is_11n;
4307	int nr;
4308	int i;
4309	uint8_t cmp_rate;
4310
4311	/*
4312	 * Figure out if we're using 11n or not here.
4313	 */
4314	if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && ni->ni_htrates.rs_nrates > 0)
4315		is_11n = 1;
4316	else
4317		is_11n = 0;
4318
4319	/*
4320	 * Use the correct rate table.
4321	 */
4322	if (is_11n) {
4323		rs = (struct ieee80211_rateset *) &ni->ni_htrates;
4324		nr = ni->ni_htrates.rs_nrates;
4325	} else {
4326		rs = &ni->ni_rates;
4327		nr = rs->rs_nrates;
4328	}
4329
4330	/*
4331	 * Find the relevant link quality entry in the table.
4332	 */
4333	for (i = 0; i < nr && i < IWN_MAX_TX_RETRIES - 1 ; i++) {
4334		/*
4335		 * The link quality table index starts at 0 == highest
4336		 * rate, so we walk the rate table backwards.
4337		 */
4338		cmp_rate = rs->rs_rates[(nr - 1) - i];
4339		if (rate & IEEE80211_RATE_MCS)
4340			cmp_rate |= IEEE80211_RATE_MCS;
4341
4342#if 0
4343		DPRINTF(sc, IWN_DEBUG_XMIT, "%s: idx %d: nr=%d, rate=0x%02x, rateentry=0x%02x\n",
4344		    __func__,
4345		    i,
4346		    nr,
4347		    rate,
4348		    cmp_rate);
4349#endif
4350
4351		if (cmp_rate == rate)
4352			return (i);
4353	}
4354
4355	/* Failed? Start at the end */
4356	return (IWN_MAX_TX_RETRIES - 1);
4357}
4358
4359static int
4360iwn_tx_data(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
4361{
4362	struct iwn_ops *ops = &sc->ops;
4363	const struct ieee80211_txparam *tp;
4364	struct ieee80211vap *vap = ni->ni_vap;
4365	struct ieee80211com *ic = ni->ni_ic;
4366	struct iwn_node *wn = (void *)ni;
4367	struct iwn_tx_ring *ring;
4368	struct iwn_tx_desc *desc;
4369	struct iwn_tx_data *data;
4370	struct iwn_tx_cmd *cmd;
4371	struct iwn_cmd_data *tx;
4372	struct ieee80211_frame *wh;
4373	struct ieee80211_key *k = NULL;
4374	struct mbuf *m1;
4375	uint32_t flags;
4376	uint16_t qos;
4377	u_int hdrlen;
4378	bus_dma_segment_t *seg, segs[IWN_MAX_SCATTER];
4379	uint8_t tid, type;
4380	int ac, i, totlen, error, pad, nsegs = 0, rate;
4381
4382	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
4383
4384	IWN_LOCK_ASSERT(sc);
4385
4386	wh = mtod(m, struct ieee80211_frame *);
4387	hdrlen = ieee80211_anyhdrsize(wh);
4388	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
4389
4390	/* Select EDCA Access Category and TX ring for this frame. */
4391	if (IEEE80211_QOS_HAS_SEQ(wh)) {
4392		qos = ((const struct ieee80211_qosframe *)wh)->i_qos[0];
4393		tid = qos & IEEE80211_QOS_TID;
4394	} else {
4395		qos = 0;
4396		tid = 0;
4397	}
4398	ac = M_WME_GETAC(m);
4399	if (m->m_flags & M_AMPDU_MPDU) {
4400		uint16_t seqno;
4401		struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
4402
4403		if (!IEEE80211_AMPDU_RUNNING(tap)) {
4404			return EINVAL;
4405		}
4406
4407		/*
4408		 * Queue this frame to the hardware ring that we've
4409		 * negotiated AMPDU TX on.
4410		 *
4411		 * Note that the sequence number must match the TX slot
4412		 * being used!
4413		 */
4414		ac = *(int *)tap->txa_private;
4415		seqno = ni->ni_txseqs[tid];
4416		*(uint16_t *)wh->i_seq =
4417		    htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
4418		ring = &sc->txq[ac];
4419		if ((seqno % 256) != ring->cur) {
4420			device_printf(sc->sc_dev,
4421			    "%s: m=%p: seqno (%d) (%d) != ring index (%d) !\n",
4422			    __func__,
4423			    m,
4424			    seqno,
4425			    seqno % 256,
4426			    ring->cur);
4427		}
4428		ni->ni_txseqs[tid]++;
4429	}
4430	ring = &sc->txq[ac];
4431	desc = &ring->desc[ring->cur];
4432	data = &ring->data[ring->cur];
4433
4434	/* Choose a TX rate index. */
4435	tp = &vap->iv_txparms[ieee80211_chan2mode(ni->ni_chan)];
4436	if (type == IEEE80211_FC0_TYPE_MGT)
4437		rate = tp->mgmtrate;
4438	else if (IEEE80211_IS_MULTICAST(wh->i_addr1))
4439		rate = tp->mcastrate;
4440	else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
4441		rate = tp->ucastrate;
4442	else if (m->m_flags & M_EAPOL)
4443		rate = tp->mgmtrate;
4444	else {
4445		/* XXX pass pktlen */
4446		(void) ieee80211_ratectl_rate(ni, NULL, 0);
4447		rate = ni->ni_txrate;
4448	}
4449
4450	/* Encrypt the frame if need be. */
4451	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
4452		/* Retrieve key for TX. */
4453		k = ieee80211_crypto_encap(ni, m);
4454		if (k == NULL) {
4455			return ENOBUFS;
4456		}
4457		/* 802.11 header may have moved. */
4458		wh = mtod(m, struct ieee80211_frame *);
4459	}
4460	totlen = m->m_pkthdr.len;
4461
4462	if (ieee80211_radiotap_active_vap(vap)) {
4463		struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
4464
4465		tap->wt_flags = 0;
4466		tap->wt_rate = rate;
4467		if (k != NULL)
4468			tap->wt_flags |= IEEE80211_RADIOTAP_F_WEP;
4469
4470		ieee80211_radiotap_tx(vap, m);
4471	}
4472
4473	/* Prepare TX firmware command. */
4474	cmd = &ring->cmd[ring->cur];
4475	cmd->code = IWN_CMD_TX_DATA;
4476	cmd->flags = 0;
4477	cmd->qid = ring->qid;
4478	cmd->idx = ring->cur;
4479
4480	tx = (struct iwn_cmd_data *)cmd->data;
4481	/* NB: No need to clear tx, all fields are reinitialized here. */
4482	tx->scratch = 0;	/* clear "scratch" area */
4483
4484	flags = 0;
4485	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
4486		/* Unicast frame, check if an ACK is expected. */
4487		if (!qos || (qos & IEEE80211_QOS_ACKPOLICY) !=
4488		    IEEE80211_QOS_ACKPOLICY_NOACK)
4489			flags |= IWN_TX_NEED_ACK;
4490	}
4491	if ((wh->i_fc[0] &
4492	    (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
4493	    (IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_BAR))
4494		flags |= IWN_TX_IMM_BA;		/* Cannot happen yet. */
4495
4496	if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
4497		flags |= IWN_TX_MORE_FRAG;	/* Cannot happen yet. */
4498
4499	/* Check if frame must be protected using RTS/CTS or CTS-to-self. */
4500	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
4501		/* NB: Group frames are sent using CCK in 802.11b/g. */
4502		if (totlen + IEEE80211_CRC_LEN > vap->iv_rtsthreshold) {
4503			flags |= IWN_TX_NEED_RTS;
4504		} else if (iwn_check_rate_needs_protection(sc, vap, rate)) {
4505			if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
4506				flags |= IWN_TX_NEED_CTS;
4507			else if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
4508				flags |= IWN_TX_NEED_RTS;
4509		} else if ((rate & IEEE80211_RATE_MCS) &&
4510			(ic->ic_htprotmode == IEEE80211_PROT_RTSCTS)) {
4511			flags |= IWN_TX_NEED_RTS;
4512		}
4513
4514		/* XXX HT protection? */
4515
4516		if (flags & (IWN_TX_NEED_RTS | IWN_TX_NEED_CTS)) {
4517			if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
4518				/* 5000 autoselects RTS/CTS or CTS-to-self. */
4519				flags &= ~(IWN_TX_NEED_RTS | IWN_TX_NEED_CTS);
4520				flags |= IWN_TX_NEED_PROTECTION;
4521			} else
4522				flags |= IWN_TX_FULL_TXOP;
4523		}
4524	}
4525
4526	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
4527	    type != IEEE80211_FC0_TYPE_DATA)
4528		tx->id = sc->broadcast_id;
4529	else
4530		tx->id = wn->id;
4531
4532	if (type == IEEE80211_FC0_TYPE_MGT) {
4533		uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
4534
4535		/* Tell HW to set timestamp in probe responses. */
4536		if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
4537			flags |= IWN_TX_INSERT_TSTAMP;
4538		if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
4539		    subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
4540			tx->timeout = htole16(3);
4541		else
4542			tx->timeout = htole16(2);
4543	} else
4544		tx->timeout = htole16(0);
4545
4546	if (hdrlen & 3) {
4547		/* First segment length must be a multiple of 4. */
4548		flags |= IWN_TX_NEED_PADDING;
4549		pad = 4 - (hdrlen & 3);
4550	} else
4551		pad = 0;
4552
4553	tx->len = htole16(totlen);
4554	tx->tid = tid;
4555	tx->rts_ntries = 60;
4556	tx->data_ntries = 15;
4557	tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
4558	tx->rate = iwn_rate_to_plcp(sc, ni, rate);
4559	if (tx->id == sc->broadcast_id) {
4560		/* Group or management frame. */
4561		tx->linkq = 0;
4562	} else {
4563		tx->linkq = iwn_tx_rate_to_linkq_offset(sc, ni, rate);
4564		flags |= IWN_TX_LINKQ;	/* enable MRR */
4565	}
4566
4567	/* Set physical address of "scratch area". */
4568	tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
4569	tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
4570
4571	/* Copy 802.11 header in TX command. */
4572	memcpy((uint8_t *)(tx + 1), wh, hdrlen);
4573
4574	/* Trim 802.11 header. */
4575	m_adj(m, hdrlen);
4576	tx->security = 0;
4577	tx->flags = htole32(flags);
4578
4579	error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m, segs,
4580	    &nsegs, BUS_DMA_NOWAIT);
4581	if (error != 0) {
4582		if (error != EFBIG) {
4583			device_printf(sc->sc_dev,
4584			    "%s: can't map mbuf (error %d)\n", __func__, error);
4585			return error;
4586		}
4587		/* Too many DMA segments, linearize mbuf. */
4588		m1 = m_collapse(m, M_NOWAIT, IWN_MAX_SCATTER - 1);
4589		if (m1 == NULL) {
4590			device_printf(sc->sc_dev,
4591			    "%s: could not defrag mbuf\n", __func__);
4592			return ENOBUFS;
4593		}
4594		m = m1;
4595
4596		error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
4597		    segs, &nsegs, BUS_DMA_NOWAIT);
4598		if (error != 0) {
4599			device_printf(sc->sc_dev,
4600			    "%s: can't map mbuf (error %d)\n", __func__, error);
4601			return error;
4602		}
4603	}
4604
4605	data->m = m;
4606	data->ni = ni;
4607
4608	DPRINTF(sc, IWN_DEBUG_XMIT,
4609	    "%s: qid %d idx %d len %d nsegs %d flags 0x%08x rate 0x%04x plcp 0x%08x\n",
4610	    __func__,
4611	    ring->qid,
4612	    ring->cur,
4613	    m->m_pkthdr.len,
4614	    nsegs,
4615	    flags,
4616	    rate,
4617	    tx->rate);
4618
4619	/* Fill TX descriptor. */
4620	desc->nsegs = 1;
4621	if (m->m_len != 0)
4622		desc->nsegs += nsegs;
4623	/* First DMA segment is used by the TX command. */
4624	desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
4625	desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
4626	    (4 + sizeof (*tx) + hdrlen + pad) << 4);
4627	/* Other DMA segments are for data payload. */
4628	seg = &segs[0];
4629	for (i = 1; i <= nsegs; i++) {
4630		desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
4631		desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
4632		    seg->ds_len << 4);
4633		seg++;
4634	}
4635
4636	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE);
4637	bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
4638	    BUS_DMASYNC_PREWRITE);
4639	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
4640	    BUS_DMASYNC_PREWRITE);
4641
4642	/* Update TX scheduler. */
4643	if (ring->qid >= sc->firstaggqueue)
4644		ops->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
4645
4646	/* Kick TX ring. */
4647	ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
4648	IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
4649
4650	/* Mark TX ring as full if we reach a certain threshold. */
4651	if (++ring->queued > IWN_TX_RING_HIMARK)
4652		sc->qfullmsk |= 1 << ring->qid;
4653
4654	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
4655
4656	return 0;
4657}
4658
4659static int
4660iwn_tx_data_raw(struct iwn_softc *sc, struct mbuf *m,
4661    struct ieee80211_node *ni, const struct ieee80211_bpf_params *params)
4662{
4663	struct iwn_ops *ops = &sc->ops;
4664	struct ieee80211vap *vap = ni->ni_vap;
4665	struct iwn_tx_cmd *cmd;
4666	struct iwn_cmd_data *tx;
4667	struct ieee80211_frame *wh;
4668	struct iwn_tx_ring *ring;
4669	struct iwn_tx_desc *desc;
4670	struct iwn_tx_data *data;
4671	struct mbuf *m1;
4672	bus_dma_segment_t *seg, segs[IWN_MAX_SCATTER];
4673	uint32_t flags;
4674	u_int hdrlen;
4675	int ac, totlen, error, pad, nsegs = 0, i, rate;
4676	uint8_t type;
4677
4678	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
4679
4680	IWN_LOCK_ASSERT(sc);
4681
4682	wh = mtod(m, struct ieee80211_frame *);
4683	hdrlen = ieee80211_anyhdrsize(wh);
4684	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
4685
4686	ac = params->ibp_pri & 3;
4687
4688	ring = &sc->txq[ac];
4689	desc = &ring->desc[ring->cur];
4690	data = &ring->data[ring->cur];
4691
4692	/* Choose a TX rate. */
4693	rate = params->ibp_rate0;
4694	totlen = m->m_pkthdr.len;
4695
4696	/* Prepare TX firmware command. */
4697	cmd = &ring->cmd[ring->cur];
4698	cmd->code = IWN_CMD_TX_DATA;
4699	cmd->flags = 0;
4700	cmd->qid = ring->qid;
4701	cmd->idx = ring->cur;
4702
4703	tx = (struct iwn_cmd_data *)cmd->data;
4704	/* NB: No need to clear tx, all fields are reinitialized here. */
4705	tx->scratch = 0;	/* clear "scratch" area */
4706
4707	flags = 0;
4708	if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
4709		flags |= IWN_TX_NEED_ACK;
4710	if (params->ibp_flags & IEEE80211_BPF_RTS) {
4711		if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
4712			/* 5000 autoselects RTS/CTS or CTS-to-self. */
4713			flags &= ~IWN_TX_NEED_RTS;
4714			flags |= IWN_TX_NEED_PROTECTION;
4715		} else
4716			flags |= IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP;
4717	}
4718	if (params->ibp_flags & IEEE80211_BPF_CTS) {
4719		if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
4720			/* 5000 autoselects RTS/CTS or CTS-to-self. */
4721			flags &= ~IWN_TX_NEED_CTS;
4722			flags |= IWN_TX_NEED_PROTECTION;
4723		} else
4724			flags |= IWN_TX_NEED_CTS | IWN_TX_FULL_TXOP;
4725	}
4726	if (type == IEEE80211_FC0_TYPE_MGT) {
4727		uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
4728
4729		/* Tell HW to set timestamp in probe responses. */
4730		if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
4731			flags |= IWN_TX_INSERT_TSTAMP;
4732
4733		if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
4734		    subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
4735			tx->timeout = htole16(3);
4736		else
4737			tx->timeout = htole16(2);
4738	} else
4739		tx->timeout = htole16(0);
4740
4741	if (hdrlen & 3) {
4742		/* First segment length must be a multiple of 4. */
4743		flags |= IWN_TX_NEED_PADDING;
4744		pad = 4 - (hdrlen & 3);
4745	} else
4746		pad = 0;
4747
4748	if (ieee80211_radiotap_active_vap(vap)) {
4749		struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
4750
4751		tap->wt_flags = 0;
4752		tap->wt_rate = rate;
4753
4754		ieee80211_radiotap_tx(vap, m);
4755	}
4756
4757	tx->len = htole16(totlen);
4758	tx->tid = 0;
4759	tx->id = sc->broadcast_id;
4760	tx->rts_ntries = params->ibp_try1;
4761	tx->data_ntries = params->ibp_try0;
4762	tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
4763	tx->rate = iwn_rate_to_plcp(sc, ni, rate);
4764
4765	/* Group or management frame. */
4766	tx->linkq = 0;
4767
4768	/* Set physical address of "scratch area". */
4769	tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
4770	tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
4771
4772	/* Copy 802.11 header in TX command. */
4773	memcpy((uint8_t *)(tx + 1), wh, hdrlen);
4774
4775	/* Trim 802.11 header. */
4776	m_adj(m, hdrlen);
4777	tx->security = 0;
4778	tx->flags = htole32(flags);
4779
4780	error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m, segs,
4781	    &nsegs, BUS_DMA_NOWAIT);
4782	if (error != 0) {
4783		if (error != EFBIG) {
4784			device_printf(sc->sc_dev,
4785			    "%s: can't map mbuf (error %d)\n", __func__, error);
4786			return error;
4787		}
4788		/* Too many DMA segments, linearize mbuf. */
4789		m1 = m_collapse(m, M_NOWAIT, IWN_MAX_SCATTER - 1);
4790		if (m1 == NULL) {
4791			device_printf(sc->sc_dev,
4792			    "%s: could not defrag mbuf\n", __func__);
4793			return ENOBUFS;
4794		}
4795		m = m1;
4796
4797		error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
4798		    segs, &nsegs, BUS_DMA_NOWAIT);
4799		if (error != 0) {
4800			device_printf(sc->sc_dev,
4801			    "%s: can't map mbuf (error %d)\n", __func__, error);
4802			return error;
4803		}
4804	}
4805
4806	data->m = m;
4807	data->ni = ni;
4808
4809	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: qid %d idx %d len %d nsegs %d\n",
4810	    __func__, ring->qid, ring->cur, m->m_pkthdr.len, nsegs);
4811
4812	/* Fill TX descriptor. */
4813	desc->nsegs = 1;
4814	if (m->m_len != 0)
4815		desc->nsegs += nsegs;
4816	/* First DMA segment is used by the TX command. */
4817	desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
4818	desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
4819	    (4 + sizeof (*tx) + hdrlen + pad) << 4);
4820	/* Other DMA segments are for data payload. */
4821	seg = &segs[0];
4822	for (i = 1; i <= nsegs; i++) {
4823		desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
4824		desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
4825		    seg->ds_len << 4);
4826		seg++;
4827	}
4828
4829	bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE);
4830	bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
4831	    BUS_DMASYNC_PREWRITE);
4832	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
4833	    BUS_DMASYNC_PREWRITE);
4834
4835	/* Update TX scheduler. */
4836	if (ring->qid >= sc->firstaggqueue)
4837		ops->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
4838
4839	/* Kick TX ring. */
4840	ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
4841	IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
4842
4843	/* Mark TX ring as full if we reach a certain threshold. */
4844	if (++ring->queued > IWN_TX_RING_HIMARK)
4845		sc->qfullmsk |= 1 << ring->qid;
4846
4847	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
4848
4849	return 0;
4850}
4851
4852static void
4853iwn_xmit_task(void *arg0, int pending)
4854{
4855	struct iwn_softc *sc = arg0;
4856	struct ieee80211_node *ni;
4857	struct mbuf *m;
4858	int error;
4859	struct ieee80211_bpf_params p;
4860	int have_p;
4861
4862	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: called\n", __func__);
4863
4864	IWN_LOCK(sc);
4865	/*
4866	 * Dequeue frames, attempt to transmit,
4867	 * then disable beaconwait when we're done.
4868	 */
4869	while ((m = mbufq_dequeue(&sc->sc_xmit_queue)) != NULL) {
4870		have_p = 0;
4871		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
4872
4873		/* Get xmit params if appropriate */
4874		if (ieee80211_get_xmit_params(m, &p) == 0)
4875			have_p = 1;
4876
4877		DPRINTF(sc, IWN_DEBUG_XMIT, "%s: m=%p, have_p=%d\n",
4878		    __func__, m, have_p);
4879
4880		/* If we have xmit params, use them */
4881		if (have_p)
4882			error = iwn_tx_data_raw(sc, m, ni, &p);
4883		else
4884			error = iwn_tx_data(sc, m, ni);
4885
4886		if (error != 0) {
4887			if_inc_counter(ni->ni_vap->iv_ifp,
4888			    IFCOUNTER_OERRORS, 1);
4889			ieee80211_free_node(ni);
4890			m_freem(m);
4891		}
4892	}
4893
4894	sc->sc_beacon_wait = 0;
4895	IWN_UNLOCK(sc);
4896}
4897
4898/*
4899 * raw frame xmit - free node/reference if failed.
4900 */
4901static int
4902iwn_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
4903    const struct ieee80211_bpf_params *params)
4904{
4905	struct ieee80211com *ic = ni->ni_ic;
4906	struct iwn_softc *sc = ic->ic_softc;
4907	int error = 0;
4908
4909	DPRINTF(sc, IWN_DEBUG_XMIT | IWN_DEBUG_TRACE, "->%s begin\n", __func__);
4910
4911	IWN_LOCK(sc);
4912	if ((sc->sc_flags & IWN_FLAG_RUNNING) == 0) {
4913		m_freem(m);
4914		IWN_UNLOCK(sc);
4915		return (ENETDOWN);
4916	}
4917
4918	/* queue frame if we have to */
4919	if (sc->sc_beacon_wait) {
4920		if (iwn_xmit_queue_enqueue(sc, m) != 0) {
4921			m_freem(m);
4922			IWN_UNLOCK(sc);
4923			return (ENOBUFS);
4924		}
4925		/* Queued, so just return OK */
4926		IWN_UNLOCK(sc);
4927		return (0);
4928	}
4929
4930	if (params == NULL) {
4931		/*
4932		 * Legacy path; interpret frame contents to decide
4933		 * precisely how to send the frame.
4934		 */
4935		error = iwn_tx_data(sc, m, ni);
4936	} else {
4937		/*
4938		 * Caller supplied explicit parameters to use in
4939		 * sending the frame.
4940		 */
4941		error = iwn_tx_data_raw(sc, m, ni, params);
4942	}
4943	if (error == 0)
4944		sc->sc_tx_timer = 5;
4945	else
4946		m_freem(m);
4947
4948	IWN_UNLOCK(sc);
4949
4950	DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT, "->%s: end\n",__func__);
4951
4952	return (error);
4953}
4954
4955/*
4956 * transmit - don't free mbuf if failed; don't free node ref if failed.
4957 */
4958static int
4959iwn_transmit(struct ieee80211com *ic, struct mbuf *m)
4960{
4961	struct iwn_softc *sc = ic->ic_softc;
4962	struct ieee80211_node *ni;
4963	int error;
4964
4965	ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
4966
4967	IWN_LOCK(sc);
4968	if ((sc->sc_flags & IWN_FLAG_RUNNING) == 0 || sc->sc_beacon_wait) {
4969		IWN_UNLOCK(sc);
4970		return (ENXIO);
4971	}
4972
4973	if (sc->qfullmsk) {
4974		IWN_UNLOCK(sc);
4975		return (ENOBUFS);
4976	}
4977
4978	error = iwn_tx_data(sc, m, ni);
4979	if (!error)
4980		sc->sc_tx_timer = 5;
4981	IWN_UNLOCK(sc);
4982	return (error);
4983}
4984
4985static void
4986iwn_scan_timeout(void *arg)
4987{
4988	struct iwn_softc *sc = arg;
4989	struct ieee80211com *ic = &sc->sc_ic;
4990
4991	ic_printf(ic, "scan timeout\n");
4992	ieee80211_restart_all(ic);
4993}
4994
4995static void
4996iwn_watchdog(void *arg)
4997{
4998	struct iwn_softc *sc = arg;
4999	struct ieee80211com *ic = &sc->sc_ic;
5000
5001	IWN_LOCK_ASSERT(sc);
5002
5003	KASSERT(sc->sc_flags & IWN_FLAG_RUNNING, ("not running"));
5004
5005	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
5006
5007	if (sc->sc_tx_timer > 0) {
5008		if (--sc->sc_tx_timer == 0) {
5009			ic_printf(ic, "device timeout\n");
5010			ieee80211_restart_all(ic);
5011			return;
5012		}
5013	}
5014	callout_reset(&sc->watchdog_to, hz, iwn_watchdog, sc);
5015}
5016
5017static int
5018iwn_cdev_open(struct cdev *dev, int flags, int type, struct thread *td)
5019{
5020
5021	return (0);
5022}
5023
5024static int
5025iwn_cdev_close(struct cdev *dev, int flags, int type, struct thread *td)
5026{
5027
5028	return (0);
5029}
5030
5031static int
5032iwn_cdev_ioctl(struct cdev *dev, unsigned long cmd, caddr_t data, int fflag,
5033    struct thread *td)
5034{
5035	int rc;
5036	struct iwn_softc *sc = dev->si_drv1;
5037	struct iwn_ioctl_data *d;
5038
5039	rc = priv_check(td, PRIV_DRIVER);
5040	if (rc != 0)
5041		return (0);
5042
5043	switch (cmd) {
5044	case SIOCGIWNSTATS:
5045		d = (struct iwn_ioctl_data *) data;
5046		IWN_LOCK(sc);
5047		/* XXX validate permissions/memory/etc? */
5048		rc = copyout(&sc->last_stat, d->dst_addr, sizeof(struct iwn_stats));
5049		IWN_UNLOCK(sc);
5050		break;
5051	case SIOCZIWNSTATS:
5052		IWN_LOCK(sc);
5053		memset(&sc->last_stat, 0, sizeof(struct iwn_stats));
5054		IWN_UNLOCK(sc);
5055		break;
5056	default:
5057		rc = EINVAL;
5058		break;
5059	}
5060	return (rc);
5061}
5062
5063static int
5064iwn_ioctl(struct ieee80211com *ic, u_long cmd, void *data)
5065{
5066
5067	return (ENOTTY);
5068}
5069
5070static void
5071iwn_parent(struct ieee80211com *ic)
5072{
5073	struct iwn_softc *sc = ic->ic_softc;
5074	struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
5075	int startall = 0, stop = 0;
5076
5077	IWN_LOCK(sc);
5078	if (ic->ic_nrunning > 0) {
5079		if (!(sc->sc_flags & IWN_FLAG_RUNNING)) {
5080			iwn_init_locked(sc);
5081			if (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL)
5082				startall = 1;
5083			else
5084				stop = 1;
5085		}
5086	} else if (sc->sc_flags & IWN_FLAG_RUNNING)
5087		iwn_stop_locked(sc);
5088	IWN_UNLOCK(sc);
5089	if (startall)
5090		ieee80211_start_all(ic);
5091	else if (vap != NULL && stop)
5092		ieee80211_stop(vap);
5093}
5094
5095/*
5096 * Send a command to the firmware.
5097 */
5098static int
5099iwn_cmd(struct iwn_softc *sc, int code, const void *buf, int size, int async)
5100{
5101	struct iwn_tx_ring *ring;
5102	struct iwn_tx_desc *desc;
5103	struct iwn_tx_data *data;
5104	struct iwn_tx_cmd *cmd;
5105	struct mbuf *m;
5106	bus_addr_t paddr;
5107	int totlen, error;
5108	int cmd_queue_num;
5109
5110	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
5111
5112	if (async == 0)
5113		IWN_LOCK_ASSERT(sc);
5114
5115	if (sc->sc_flags & IWN_FLAG_PAN_SUPPORT)
5116		cmd_queue_num = IWN_PAN_CMD_QUEUE;
5117	else
5118		cmd_queue_num = IWN_CMD_QUEUE_NUM;
5119
5120	ring = &sc->txq[cmd_queue_num];
5121	desc = &ring->desc[ring->cur];
5122	data = &ring->data[ring->cur];
5123	totlen = 4 + size;
5124
5125	if (size > sizeof cmd->data) {
5126		/* Command is too large to fit in a descriptor. */
5127		if (totlen > MCLBYTES)
5128			return EINVAL;
5129		m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUMPAGESIZE);
5130		if (m == NULL)
5131			return ENOMEM;
5132		cmd = mtod(m, struct iwn_tx_cmd *);
5133		error = bus_dmamap_load(ring->data_dmat, data->map, cmd,
5134		    totlen, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
5135		if (error != 0) {
5136			m_freem(m);
5137			return error;
5138		}
5139		data->m = m;
5140	} else {
5141		cmd = &ring->cmd[ring->cur];
5142		paddr = data->cmd_paddr;
5143	}
5144
5145	cmd->code = code;
5146	cmd->flags = 0;
5147	cmd->qid = ring->qid;
5148	cmd->idx = ring->cur;
5149	memcpy(cmd->data, buf, size);
5150
5151	desc->nsegs = 1;
5152	desc->segs[0].addr = htole32(IWN_LOADDR(paddr));
5153	desc->segs[0].len  = htole16(IWN_HIADDR(paddr) | totlen << 4);
5154
5155	DPRINTF(sc, IWN_DEBUG_CMD, "%s: %s (0x%x) flags %d qid %d idx %d\n",
5156	    __func__, iwn_intr_str(cmd->code), cmd->code,
5157	    cmd->flags, cmd->qid, cmd->idx);
5158
5159	if (size > sizeof cmd->data) {
5160		bus_dmamap_sync(ring->data_dmat, data->map,
5161		    BUS_DMASYNC_PREWRITE);
5162	} else {
5163		bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
5164		    BUS_DMASYNC_PREWRITE);
5165	}
5166	bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
5167	    BUS_DMASYNC_PREWRITE);
5168
5169	/* Kick command ring. */
5170	ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
5171	IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
5172
5173	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
5174
5175	return async ? 0 : msleep(desc, &sc->sc_mtx, PCATCH, "iwncmd", hz);
5176}
5177
5178static int
5179iwn4965_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
5180{
5181	struct iwn4965_node_info hnode;
5182	caddr_t src, dst;
5183
5184	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
5185
5186	/*
5187	 * We use the node structure for 5000 Series internally (it is
5188	 * a superset of the one for 4965AGN). We thus copy the common
5189	 * fields before sending the command.
5190	 */
5191	src = (caddr_t)node;
5192	dst = (caddr_t)&hnode;
5193	memcpy(dst, src, 48);
5194	/* Skip TSC, RX MIC and TX MIC fields from ``src''. */
5195	memcpy(dst + 48, src + 72, 20);
5196	return iwn_cmd(sc, IWN_CMD_ADD_NODE, &hnode, sizeof hnode, async);
5197}
5198
5199static int
5200iwn5000_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
5201{
5202
5203	DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
5204
5205	/* Direct mapping. */
5206	return iwn_cmd(sc, IWN_CMD_ADD_NODE, node, sizeof (*node), async);
5207}
5208
5209static int
5210iwn_set_link_quality(struct iwn_softc *sc, struct ieee80211_node *ni)
5211{
5212	struct iwn_node *wn = (void *)ni;
5213	struct ieee80211_rateset *rs;
5214	struct iwn_cmd_link_quality linkq;
5215	int i, rate, txrate;
5216	int is_11n;
5217
5218	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
5219
5220	memset(&linkq, 0, sizeof linkq);
5221	linkq.id = wn->id;
5222	linkq.antmsk_1stream = iwn_get_1stream_tx_antmask(sc);
5223	linkq.antmsk_2stream = iwn_get_2stream_tx_antmask(sc);
5224
5225	linkq.ampdu_max = 32;		/* XXX negotiated? */
5226	linkq.ampdu_threshold = 3;
5227	linkq.ampdu_limit = htole16(4000);	/* 4ms */
5228
5229	DPRINTF(sc, IWN_DEBUG_XMIT,
5230	    "%s: 1stream antenna=0x%02x, 2stream antenna=0x%02x, ntxstreams=%d\n",
5231	    __func__,
5232	    linkq.antmsk_1stream,
5233	    linkq.antmsk_2stream,
5234	    sc->ntxchains);
5235
5236	/*
5237	 * Are we using 11n rates? Ensure the channel is
5238	 * 11n _and_ we have some 11n rates, or don't
5239	 * try.
5240	 */
5241	if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && ni->ni_htrates.rs_nrates > 0) {
5242		rs = (struct ieee80211_rateset *) &ni->ni_htrates;
5243		is_11n = 1;
5244	} else {
5245		rs = &ni->ni_rates;
5246		is_11n = 0;
5247	}
5248
5249	/* Start at highest available bit-rate. */
5250	/*
5251	 * XXX this is all very dirty!
5252	 */
5253	if (is_11n)
5254		txrate = ni->ni_htrates.rs_nrates - 1;
5255	else
5256		txrate = rs->rs_nrates - 1;
5257	for (i = 0; i < IWN_MAX_TX_RETRIES; i++) {
5258		uint32_t plcp;
5259
5260		/*
5261		 * XXX TODO: ensure the last two slots are the two lowest
5262		 * rate entries, just for now.
5263		 */
5264		if (i == 14 || i == 15)
5265			txrate = 0;
5266
5267		if (is_11n)
5268			rate = IEEE80211_RATE_MCS | rs->rs_rates[txrate];
5269		else
5270			rate = IEEE80211_RV(rs->rs_rates[txrate]);
5271
5272		/* Do rate -> PLCP config mapping */
5273		plcp = iwn_rate_to_plcp(sc, ni, rate);
5274		linkq.retry[i] = plcp;
5275		DPRINTF(sc, IWN_DEBUG_XMIT,
5276		    "%s: i=%d, txrate=%d, rate=0x%02x, plcp=0x%08x\n",
5277		    __func__,
5278		    i,
5279		    txrate,
5280		    rate,
5281		    le32toh(plcp));
5282
5283		/*
5284		 * The mimo field is an index into the table which
5285		 * indicates the first index where it and subsequent entries
5286		 * will not be using MIMO.
5287		 *
5288		 * Since we're filling linkq from 0..15 and we're filling
5289		 * from the highest MCS rates to the lowest rates, if we
5290		 * _are_ doing a dual-stream rate, set mimo to idx+1 (ie,
5291		 * the next entry.)  That way if the next entry is a non-MIMO
5292		 * entry, we're already pointing at it.
5293		 */
5294		if ((le32toh(plcp) & IWN_RFLAG_MCS) &&
5295		    IEEE80211_RV(le32toh(plcp)) > 7)
5296			linkq.mimo = i + 1;
5297
5298		/* Next retry at immediate lower bit-rate. */
5299		if (txrate > 0)
5300			txrate--;
5301	}
5302	/*
5303	 * If we reached the end of the list and indeed we hit
5304	 * all MIMO rates (eg 5300 doing MCS23-15) then yes,
5305	 * set mimo to 15.  Setting it to 16 panics the firmware.
5306	 */
5307	if (linkq.mimo > 15)
5308		linkq.mimo = 15;
5309
5310	DPRINTF(sc, IWN_DEBUG_XMIT, "%s: mimo = %d\n", __func__, linkq.mimo);
5311
5312	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
5313
5314	return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, 1);
5315}
5316
5317/*
5318 * Broadcast node is used to send group-addressed and management frames.
5319 */
5320static int
5321iwn_add_broadcast_node(struct iwn_softc *sc, int async)
5322{
5323	struct iwn_ops *ops = &sc->ops;
5324	struct ieee80211com *ic = &sc->sc_ic;
5325	struct iwn_node_info node;
5326	struct iwn_cmd_link_quality linkq;
5327	uint8_t txant;
5328	int i, error;
5329
5330	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
5331
5332	sc->rxon = &sc->rx_on[IWN_RXON_BSS_CTX];
5333
5334	memset(&node, 0, sizeof node);
5335	IEEE80211_ADDR_COPY(node.macaddr, ieee80211broadcastaddr);
5336	node.id = sc->broadcast_id;
5337	DPRINTF(sc, IWN_DEBUG_RESET, "%s: adding broadcast node\n", __func__);
5338	if ((error = ops->add_node(sc, &node, async)) != 0)
5339		return error;
5340
5341	/* Use the first valid TX antenna. */
5342	txant = IWN_LSB(sc->txchainmask);
5343
5344	memset(&linkq, 0, sizeof linkq);
5345	linkq.id = sc->broadcast_id;
5346	linkq.antmsk_1stream = iwn_get_1stream_tx_antmask(sc);
5347	linkq.antmsk_2stream = iwn_get_2stream_tx_antmask(sc);
5348	linkq.ampdu_max = 64;
5349	linkq.ampdu_threshold = 3;
5350	linkq.ampdu_limit = htole16(4000);	/* 4ms */
5351
5352	/* Use lowest mandatory bit-rate. */
5353	/* XXX rate table lookup? */
5354	if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan))
5355		linkq.retry[0] = htole32(0xd);
5356	else
5357		linkq.retry[0] = htole32(10 | IWN_RFLAG_CCK);
5358	linkq.retry[0] |= htole32(IWN_RFLAG_ANT(txant));
5359	/* Use same bit-rate for all TX retries. */
5360	for (i = 1; i < IWN_MAX_TX_RETRIES; i++) {
5361		linkq.retry[i] = linkq.retry[0];
5362	}
5363
5364	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
5365
5366	return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, async);
5367}
5368
5369static int
5370iwn_updateedca(struct ieee80211com *ic)
5371{
5372#define IWN_EXP2(x)	((1 << (x)) - 1)	/* CWmin = 2^ECWmin - 1 */
5373	struct iwn_softc *sc = ic->ic_softc;
5374	struct iwn_edca_params cmd;
5375	int aci;
5376
5377	DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
5378
5379	memset(&cmd, 0, sizeof cmd);
5380	cmd.flags = htole32(IWN_EDCA_UPDATE);
5381
5382	IEEE80211_LOCK(ic);
5383	for (aci = 0; aci < WME_NUM_AC; aci++) {
5384		const struct wmeParams *ac =
5385		    &ic->ic_wme.wme_chanParams.cap_wmeParams[aci];
5386		cmd.ac[aci].aifsn = ac->wmep_aifsn;
5387		cmd.ac[aci].cwmin = htole16(