The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/dev/iwn/if_iwn.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2007-2009 Damien Bergamini <damien.bergamini@free.fr>
    3  * Copyright (c) 2008 Benjamin Close <benjsc@FreeBSD.org>
    4  * Copyright (c) 2008 Sam Leffler, Errno Consulting
    5  * Copyright (c) 2011 Intel Corporation
    6  * Copyright (c) 2013 Cedric GROSS <c.gross@kreiz-it.fr>
    7  * Copyright (c) 2013 Adrian Chadd <adrian@FreeBSD.org>
    8  *
    9  * Permission to use, copy, modify, and distribute this software for any
   10  * purpose with or without fee is hereby granted, provided that the above
   11  * copyright notice and this permission notice appear in all copies.
   12  *
   13  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   14  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   15  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   16  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   17  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   18  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   19  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   20  */
   21 
   22 /*
   23  * Driver for Intel WiFi Link 4965 and 1000/5000/6000 Series 802.11 network
   24  * adapters.
   25  */
   26 
   27 #include <sys/cdefs.h>
   28 __FBSDID("$FreeBSD: stable/12/sys/dev/iwn/if_iwn.c 367373 2020-11-05 12:08:04Z bz $");
   29 
   30 #include "opt_wlan.h"
   31 #include "opt_iwn.h"
   32 
   33 #include <sys/param.h>
   34 #include <sys/sockio.h>
   35 #include <sys/sysctl.h>
   36 #include <sys/mbuf.h>
   37 #include <sys/kernel.h>
   38 #include <sys/socket.h>
   39 #include <sys/systm.h>
   40 #include <sys/malloc.h>
   41 #include <sys/bus.h>
   42 #include <sys/conf.h>
   43 #include <sys/rman.h>
   44 #include <sys/endian.h>
   45 #include <sys/firmware.h>
   46 #include <sys/limits.h>
   47 #include <sys/module.h>
   48 #include <sys/priv.h>
   49 #include <sys/queue.h>
   50 #include <sys/taskqueue.h>
   51 
   52 #include <machine/bus.h>
   53 #include <machine/resource.h>
   54 #include <machine/clock.h>
   55 
   56 #include <dev/pci/pcireg.h>
   57 #include <dev/pci/pcivar.h>
   58 
   59 #include <net/if.h>
   60 #include <net/if_var.h>
   61 #include <net/if_dl.h>
   62 #include <net/if_media.h>
   63 
   64 #include <netinet/in.h>
   65 #include <netinet/if_ether.h>
   66 
   67 #include <net80211/ieee80211_var.h>
   68 #include <net80211/ieee80211_radiotap.h>
   69 #include <net80211/ieee80211_regdomain.h>
   70 #include <net80211/ieee80211_ratectl.h>
   71 
   72 #include <dev/iwn/if_iwnreg.h>
   73 #include <dev/iwn/if_iwnvar.h>
   74 #include <dev/iwn/if_iwn_devid.h>
   75 #include <dev/iwn/if_iwn_chip_cfg.h>
   76 #include <dev/iwn/if_iwn_debug.h>
   77 #include <dev/iwn/if_iwn_ioctl.h>
   78 
   79 struct iwn_ident {
   80         uint16_t        vendor;
   81         uint16_t        device;
   82         const char      *name;
   83 };
   84 
   85 static const struct iwn_ident iwn_ident_table[] = {
   86         { 0x8086, IWN_DID_6x05_1, "Intel Centrino Advanced-N 6205"              },
   87         { 0x8086, IWN_DID_1000_1, "Intel Centrino Wireless-N 1000"              },
   88         { 0x8086, IWN_DID_1000_2, "Intel Centrino Wireless-N 1000"              },
   89         { 0x8086, IWN_DID_6x05_2, "Intel Centrino Advanced-N 6205"              },
   90         { 0x8086, IWN_DID_6050_1, "Intel Centrino Advanced-N + WiMAX 6250"      },
   91         { 0x8086, IWN_DID_6050_2, "Intel Centrino Advanced-N + WiMAX 6250"      },
   92         { 0x8086, IWN_DID_x030_1, "Intel Centrino Wireless-N 1030"              },
   93         { 0x8086, IWN_DID_x030_2, "Intel Centrino Wireless-N 1030"              },
   94         { 0x8086, IWN_DID_x030_3, "Intel Centrino Advanced-N 6230"              },
   95         { 0x8086, IWN_DID_x030_4, "Intel Centrino Advanced-N 6230"              },
   96         { 0x8086, IWN_DID_6150_1, "Intel Centrino Wireless-N + WiMAX 6150"      },
   97         { 0x8086, IWN_DID_6150_2, "Intel Centrino Wireless-N + WiMAX 6150"      },
   98         { 0x8086, IWN_DID_2x00_1, "Intel(R) Centrino(R) Wireless-N 2200 BGN"    },
   99         { 0x8086, IWN_DID_2x00_2, "Intel(R) Centrino(R) Wireless-N 2200 BGN"    },
  100         /* XXX 2200D is IWN_SDID_2x00_4; there's no way to express this here! */
  101         { 0x8086, IWN_DID_2x30_1, "Intel Centrino Wireless-N 2230"              },
  102         { 0x8086, IWN_DID_2x30_2, "Intel Centrino Wireless-N 2230"              },
  103         { 0x8086, IWN_DID_130_1, "Intel Centrino Wireless-N 130"                },
  104         { 0x8086, IWN_DID_130_2, "Intel Centrino Wireless-N 130"                },
  105         { 0x8086, IWN_DID_100_1, "Intel Centrino Wireless-N 100"                },
  106         { 0x8086, IWN_DID_100_2, "Intel Centrino Wireless-N 100"                },
  107         { 0x8086, IWN_DID_105_1, "Intel Centrino Wireless-N 105"                },
  108         { 0x8086, IWN_DID_105_2, "Intel Centrino Wireless-N 105"                },
  109         { 0x8086, IWN_DID_135_1, "Intel Centrino Wireless-N 135"                },
  110         { 0x8086, IWN_DID_135_2, "Intel Centrino Wireless-N 135"                },
  111         { 0x8086, IWN_DID_4965_1, "Intel Wireless WiFi Link 4965"               },
  112         { 0x8086, IWN_DID_6x00_1, "Intel Centrino Ultimate-N 6300"              },
  113         { 0x8086, IWN_DID_6x00_2, "Intel Centrino Advanced-N 6200"              },
  114         { 0x8086, IWN_DID_4965_2, "Intel Wireless WiFi Link 4965"               },
  115         { 0x8086, IWN_DID_4965_3, "Intel Wireless WiFi Link 4965"               },
  116         { 0x8086, IWN_DID_5x00_1, "Intel WiFi Link 5100"                        },
  117         { 0x8086, IWN_DID_4965_4, "Intel Wireless WiFi Link 4965"               },
  118         { 0x8086, IWN_DID_5x00_3, "Intel Ultimate N WiFi Link 5300"             },
  119         { 0x8086, IWN_DID_5x00_4, "Intel Ultimate N WiFi Link 5300"             },
  120         { 0x8086, IWN_DID_5x00_2, "Intel WiFi Link 5100"                        },
  121         { 0x8086, IWN_DID_6x00_3, "Intel Centrino Ultimate-N 6300"              },
  122         { 0x8086, IWN_DID_6x00_4, "Intel Centrino Advanced-N 6200"              },
  123         { 0x8086, IWN_DID_5x50_1, "Intel WiMAX/WiFi Link 5350"                  },
  124         { 0x8086, IWN_DID_5x50_2, "Intel WiMAX/WiFi Link 5350"                  },
  125         { 0x8086, IWN_DID_5x50_3, "Intel WiMAX/WiFi Link 5150"                  },
  126         { 0x8086, IWN_DID_5x50_4, "Intel WiMAX/WiFi Link 5150"                  },
  127         { 0x8086, IWN_DID_6035_1, "Intel Centrino Advanced 6235"                },
  128         { 0x8086, IWN_DID_6035_2, "Intel Centrino Advanced 6235"                },
  129         { 0, 0, NULL }
  130 };
  131 
  132 static int      iwn_probe(device_t);
  133 static int      iwn_attach(device_t);
  134 static void     iwn4965_attach(struct iwn_softc *, uint16_t);
  135 static void     iwn5000_attach(struct iwn_softc *, uint16_t);
  136 static int      iwn_config_specific(struct iwn_softc *, uint16_t);
  137 static void     iwn_radiotap_attach(struct iwn_softc *);
  138 static void     iwn_sysctlattach(struct iwn_softc *);
  139 static struct ieee80211vap *iwn_vap_create(struct ieee80211com *,
  140                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
  141                     const uint8_t [IEEE80211_ADDR_LEN],
  142                     const uint8_t [IEEE80211_ADDR_LEN]);
  143 static void     iwn_vap_delete(struct ieee80211vap *);
  144 static int      iwn_detach(device_t);
  145 static int      iwn_shutdown(device_t);
  146 static int      iwn_suspend(device_t);
  147 static int      iwn_resume(device_t);
  148 static int      iwn_nic_lock(struct iwn_softc *);
  149 static int      iwn_eeprom_lock(struct iwn_softc *);
  150 static int      iwn_init_otprom(struct iwn_softc *);
  151 static int      iwn_read_prom_data(struct iwn_softc *, uint32_t, void *, int);
  152 static void     iwn_dma_map_addr(void *, bus_dma_segment_t *, int, int);
  153 static int      iwn_dma_contig_alloc(struct iwn_softc *, struct iwn_dma_info *,
  154                     void **, bus_size_t, bus_size_t);
  155 static void     iwn_dma_contig_free(struct iwn_dma_info *);
  156 static int      iwn_alloc_sched(struct iwn_softc *);
  157 static void     iwn_free_sched(struct iwn_softc *);
  158 static int      iwn_alloc_kw(struct iwn_softc *);
  159 static void     iwn_free_kw(struct iwn_softc *);
  160 static int      iwn_alloc_ict(struct iwn_softc *);
  161 static void     iwn_free_ict(struct iwn_softc *);
  162 static int      iwn_alloc_fwmem(struct iwn_softc *);
  163 static void     iwn_free_fwmem(struct iwn_softc *);
  164 static int      iwn_alloc_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  165 static void     iwn_reset_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  166 static void     iwn_free_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  167 static int      iwn_alloc_tx_ring(struct iwn_softc *, struct iwn_tx_ring *,
  168                     int);
  169 static void     iwn_reset_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
  170 static void     iwn_free_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
  171 static void     iwn_check_tx_ring(struct iwn_softc *, int);
  172 static void     iwn5000_ict_reset(struct iwn_softc *);
  173 static int      iwn_read_eeprom(struct iwn_softc *,
  174                     uint8_t macaddr[IEEE80211_ADDR_LEN]);
  175 static void     iwn4965_read_eeprom(struct iwn_softc *);
  176 #ifdef  IWN_DEBUG
  177 static void     iwn4965_print_power_group(struct iwn_softc *, int);
  178 #endif
  179 static void     iwn5000_read_eeprom(struct iwn_softc *);
  180 static uint32_t iwn_eeprom_channel_flags(struct iwn_eeprom_chan *);
  181 static void     iwn_read_eeprom_band(struct iwn_softc *, int, int, int *,
  182                     struct ieee80211_channel[]);
  183 static void     iwn_read_eeprom_ht40(struct iwn_softc *, int, int, int *,
  184                     struct ieee80211_channel[]);
  185 static void     iwn_read_eeprom_channels(struct iwn_softc *, int, uint32_t);
  186 static struct iwn_eeprom_chan *iwn_find_eeprom_channel(struct iwn_softc *,
  187                     struct ieee80211_channel *);
  188 static void     iwn_getradiocaps(struct ieee80211com *, int, int *,
  189                     struct ieee80211_channel[]);
  190 static int      iwn_setregdomain(struct ieee80211com *,
  191                     struct ieee80211_regdomain *, int,
  192                     struct ieee80211_channel[]);
  193 static void     iwn_read_eeprom_enhinfo(struct iwn_softc *);
  194 static struct ieee80211_node *iwn_node_alloc(struct ieee80211vap *,
  195                     const uint8_t mac[IEEE80211_ADDR_LEN]);
  196 static void     iwn_newassoc(struct ieee80211_node *, int);
  197 static int      iwn_newstate(struct ieee80211vap *, enum ieee80211_state, int);
  198 static void     iwn_calib_timeout(void *);
  199 static void     iwn_rx_phy(struct iwn_softc *, struct iwn_rx_desc *);
  200 static void     iwn_rx_done(struct iwn_softc *, struct iwn_rx_desc *,
  201                     struct iwn_rx_data *);
  202 static void     iwn_agg_tx_complete(struct iwn_softc *, struct iwn_tx_ring *,
  203                     int, int, int);
  204 static void     iwn_rx_compressed_ba(struct iwn_softc *, struct iwn_rx_desc *);
  205 static void     iwn5000_rx_calib_results(struct iwn_softc *,
  206                     struct iwn_rx_desc *);
  207 static void     iwn_rx_statistics(struct iwn_softc *, struct iwn_rx_desc *);
  208 static void     iwn4965_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
  209                     struct iwn_rx_data *);
  210 static void     iwn5000_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
  211                     struct iwn_rx_data *);
  212 static void     iwn_adj_ampdu_ptr(struct iwn_softc *, struct iwn_tx_ring *);
  213 static void     iwn_tx_done(struct iwn_softc *, struct iwn_rx_desc *, int, int,
  214                     uint8_t);
  215 static int      iwn_ampdu_check_bitmap(uint64_t, int, int);
  216 static int      iwn_ampdu_index_check(struct iwn_softc *, struct iwn_tx_ring *,
  217                     uint64_t, int, int);
  218 static void     iwn_ampdu_tx_done(struct iwn_softc *, int, int, int, void *);
  219 static void     iwn_cmd_done(struct iwn_softc *, struct iwn_rx_desc *);
  220 static void     iwn_notif_intr(struct iwn_softc *);
  221 static void     iwn_wakeup_intr(struct iwn_softc *);
  222 static void     iwn_rftoggle_task(void *, int);
  223 static void     iwn_fatal_intr(struct iwn_softc *);
  224 static void     iwn_intr(void *);
  225 static void     iwn4965_update_sched(struct iwn_softc *, int, int, uint8_t,
  226                     uint16_t);
  227 static void     iwn5000_update_sched(struct iwn_softc *, int, int, uint8_t,
  228                     uint16_t);
  229 #ifdef notyet
  230 static void     iwn5000_reset_sched(struct iwn_softc *, int, int);
  231 #endif
  232 static int      iwn_tx_data(struct iwn_softc *, struct mbuf *,
  233                     struct ieee80211_node *);
  234 static int      iwn_tx_data_raw(struct iwn_softc *, struct mbuf *,
  235                     struct ieee80211_node *,
  236                     const struct ieee80211_bpf_params *params);
  237 static int      iwn_tx_cmd(struct iwn_softc *, struct mbuf *,
  238                     struct ieee80211_node *, struct iwn_tx_ring *);
  239 static void     iwn_xmit_task(void *arg0, int pending);
  240 static int      iwn_raw_xmit(struct ieee80211_node *, struct mbuf *,
  241                     const struct ieee80211_bpf_params *);
  242 static int      iwn_transmit(struct ieee80211com *, struct mbuf *);
  243 static void     iwn_scan_timeout(void *);
  244 static void     iwn_watchdog(void *);
  245 static int      iwn_ioctl(struct ieee80211com *, u_long , void *);
  246 static void     iwn_parent(struct ieee80211com *);
  247 static int      iwn_cmd(struct iwn_softc *, int, const void *, int, int);
  248 static int      iwn4965_add_node(struct iwn_softc *, struct iwn_node_info *,
  249                     int);
  250 static int      iwn5000_add_node(struct iwn_softc *, struct iwn_node_info *,
  251                     int);
  252 static int      iwn_set_link_quality(struct iwn_softc *,
  253                     struct ieee80211_node *);
  254 static int      iwn_add_broadcast_node(struct iwn_softc *, int);
  255 static int      iwn_updateedca(struct ieee80211com *);
  256 static void     iwn_set_promisc(struct iwn_softc *);
  257 static void     iwn_update_promisc(struct ieee80211com *);
  258 static void     iwn_update_mcast(struct ieee80211com *);
  259 static void     iwn_set_led(struct iwn_softc *, uint8_t, uint8_t, uint8_t);
  260 static int      iwn_set_critical_temp(struct iwn_softc *);
  261 static int      iwn_set_timing(struct iwn_softc *, struct ieee80211_node *);
  262 static void     iwn4965_power_calibration(struct iwn_softc *, int);
  263 static int      iwn4965_set_txpower(struct iwn_softc *, int);
  264 static int      iwn5000_set_txpower(struct iwn_softc *, int);
  265 static int      iwn4965_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
  266 static int      iwn5000_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
  267 static int      iwn_get_noise(const struct iwn_rx_general_stats *);
  268 static int      iwn4965_get_temperature(struct iwn_softc *);
  269 static int      iwn5000_get_temperature(struct iwn_softc *);
  270 static int      iwn_init_sensitivity(struct iwn_softc *);
  271 static void     iwn_collect_noise(struct iwn_softc *,
  272                     const struct iwn_rx_general_stats *);
  273 static int      iwn4965_init_gains(struct iwn_softc *);
  274 static int      iwn5000_init_gains(struct iwn_softc *);
  275 static int      iwn4965_set_gains(struct iwn_softc *);
  276 static int      iwn5000_set_gains(struct iwn_softc *);
  277 static void     iwn_tune_sensitivity(struct iwn_softc *,
  278                     const struct iwn_rx_stats *);
  279 static void     iwn_save_stats_counters(struct iwn_softc *,
  280                     const struct iwn_stats *);
  281 static int      iwn_send_sensitivity(struct iwn_softc *);
  282 static void     iwn_check_rx_recovery(struct iwn_softc *, struct iwn_stats *);
  283 static int      iwn_set_pslevel(struct iwn_softc *, int, int, int);
  284 static int      iwn_send_btcoex(struct iwn_softc *);
  285 static int      iwn_send_advanced_btcoex(struct iwn_softc *);
  286 static int      iwn5000_runtime_calib(struct iwn_softc *);
  287 static int      iwn_check_bss_filter(struct iwn_softc *);
  288 static int      iwn4965_rxon_assoc(struct iwn_softc *, int);
  289 static int      iwn5000_rxon_assoc(struct iwn_softc *, int);
  290 static int      iwn_send_rxon(struct iwn_softc *, int, int);
  291 static int      iwn_config(struct iwn_softc *);
  292 static int      iwn_scan(struct iwn_softc *, struct ieee80211vap *,
  293                     struct ieee80211_scan_state *, struct ieee80211_channel *);
  294 static int      iwn_auth(struct iwn_softc *, struct ieee80211vap *vap);
  295 static int      iwn_run(struct iwn_softc *, struct ieee80211vap *vap);
  296 static int      iwn_ampdu_rx_start(struct ieee80211_node *,
  297                     struct ieee80211_rx_ampdu *, int, int, int);
  298 static void     iwn_ampdu_rx_stop(struct ieee80211_node *,
  299                     struct ieee80211_rx_ampdu *);
  300 static int      iwn_addba_request(struct ieee80211_node *,
  301                     struct ieee80211_tx_ampdu *, int, int, int);
  302 static int      iwn_addba_response(struct ieee80211_node *,
  303                     struct ieee80211_tx_ampdu *, int, int, int);
  304 static int      iwn_ampdu_tx_start(struct ieee80211com *,
  305                     struct ieee80211_node *, uint8_t);
  306 static void     iwn_ampdu_tx_stop(struct ieee80211_node *,
  307                     struct ieee80211_tx_ampdu *);
  308 static void     iwn4965_ampdu_tx_start(struct iwn_softc *,
  309                     struct ieee80211_node *, int, uint8_t, uint16_t);
  310 static void     iwn4965_ampdu_tx_stop(struct iwn_softc *, int,
  311                     uint8_t, uint16_t);
  312 static void     iwn5000_ampdu_tx_start(struct iwn_softc *,
  313                     struct ieee80211_node *, int, uint8_t, uint16_t);
  314 static void     iwn5000_ampdu_tx_stop(struct iwn_softc *, int,
  315                     uint8_t, uint16_t);
  316 static int      iwn5000_query_calibration(struct iwn_softc *);
  317 static int      iwn5000_send_calibration(struct iwn_softc *);
  318 static int      iwn5000_send_wimax_coex(struct iwn_softc *);
  319 static int      iwn5000_crystal_calib(struct iwn_softc *);
  320 static int      iwn5000_temp_offset_calib(struct iwn_softc *);
  321 static int      iwn5000_temp_offset_calibv2(struct iwn_softc *);
  322 static int      iwn4965_post_alive(struct iwn_softc *);
  323 static int      iwn5000_post_alive(struct iwn_softc *);
  324 static int      iwn4965_load_bootcode(struct iwn_softc *, const uint8_t *,
  325                     int);
  326 static int      iwn4965_load_firmware(struct iwn_softc *);
  327 static int      iwn5000_load_firmware_section(struct iwn_softc *, uint32_t,
  328                     const uint8_t *, int);
  329 static int      iwn5000_load_firmware(struct iwn_softc *);
  330 static int      iwn_read_firmware_leg(struct iwn_softc *,
  331                     struct iwn_fw_info *);
  332 static int      iwn_read_firmware_tlv(struct iwn_softc *,
  333                     struct iwn_fw_info *, uint16_t);
  334 static int      iwn_read_firmware(struct iwn_softc *);
  335 static void     iwn_unload_firmware(struct iwn_softc *);
  336 static int      iwn_clock_wait(struct iwn_softc *);
  337 static int      iwn_apm_init(struct iwn_softc *);
  338 static void     iwn_apm_stop_master(struct iwn_softc *);
  339 static void     iwn_apm_stop(struct iwn_softc *);
  340 static int      iwn4965_nic_config(struct iwn_softc *);
  341 static int      iwn5000_nic_config(struct iwn_softc *);
  342 static int      iwn_hw_prepare(struct iwn_softc *);
  343 static int      iwn_hw_init(struct iwn_softc *);
  344 static void     iwn_hw_stop(struct iwn_softc *);
  345 static void     iwn_panicked(void *, int);
  346 static int      iwn_init_locked(struct iwn_softc *);
  347 static int      iwn_init(struct iwn_softc *);
  348 static void     iwn_stop_locked(struct iwn_softc *);
  349 static void     iwn_stop(struct iwn_softc *);
  350 static void     iwn_scan_start(struct ieee80211com *);
  351 static void     iwn_scan_end(struct ieee80211com *);
  352 static void     iwn_set_channel(struct ieee80211com *);
  353 static void     iwn_scan_curchan(struct ieee80211_scan_state *, unsigned long);
  354 static void     iwn_scan_mindwell(struct ieee80211_scan_state *);
  355 #ifdef  IWN_DEBUG
  356 static char     *iwn_get_csr_string(int);
  357 static void     iwn_debug_register(struct iwn_softc *);
  358 #endif
  359 
  360 static device_method_t iwn_methods[] = {
  361         /* Device interface */
  362         DEVMETHOD(device_probe,         iwn_probe),
  363         DEVMETHOD(device_attach,        iwn_attach),
  364         DEVMETHOD(device_detach,        iwn_detach),
  365         DEVMETHOD(device_shutdown,      iwn_shutdown),
  366         DEVMETHOD(device_suspend,       iwn_suspend),
  367         DEVMETHOD(device_resume,        iwn_resume),
  368 
  369         DEVMETHOD_END
  370 };
  371 
  372 static driver_t iwn_driver = {
  373         "iwn",
  374         iwn_methods,
  375         sizeof(struct iwn_softc)
  376 };
  377 static devclass_t iwn_devclass;
  378 
  379 DRIVER_MODULE(iwn, pci, iwn_driver, iwn_devclass, NULL, NULL);
  380 MODULE_PNP_INFO("U16:vendor;U16:device;D:#", pci, iwn, iwn_ident_table,
  381     nitems(iwn_ident_table) - 1);
  382 MODULE_VERSION(iwn, 1);
  383 
  384 MODULE_DEPEND(iwn, firmware, 1, 1, 1);
  385 MODULE_DEPEND(iwn, pci, 1, 1, 1);
  386 MODULE_DEPEND(iwn, wlan, 1, 1, 1);
  387 
  388 static d_ioctl_t iwn_cdev_ioctl;
  389 static d_open_t iwn_cdev_open;
  390 static d_close_t iwn_cdev_close;
  391 
  392 static struct cdevsw iwn_cdevsw = {
  393         .d_version = D_VERSION,
  394         .d_flags = 0,
  395         .d_open = iwn_cdev_open,
  396         .d_close = iwn_cdev_close,
  397         .d_ioctl = iwn_cdev_ioctl,
  398         .d_name = "iwn",
  399 };
  400 
  401 static int
  402 iwn_probe(device_t dev)
  403 {
  404         const struct iwn_ident *ident;
  405 
  406         for (ident = iwn_ident_table; ident->name != NULL; ident++) {
  407                 if (pci_get_vendor(dev) == ident->vendor &&
  408                     pci_get_device(dev) == ident->device) {
  409                         device_set_desc(dev, ident->name);
  410                         return (BUS_PROBE_DEFAULT);
  411                 }
  412         }
  413         return ENXIO;
  414 }
  415 
  416 static int
  417 iwn_is_3stream_device(struct iwn_softc *sc)
  418 {
  419         /* XXX for now only 5300, until the 5350 can be tested */
  420         if (sc->hw_type == IWN_HW_REV_TYPE_5300)
  421                 return (1);
  422         return (0);
  423 }
  424 
  425 static int
  426 iwn_attach(device_t dev)
  427 {
  428         struct iwn_softc *sc = device_get_softc(dev);
  429         struct ieee80211com *ic;
  430         int i, error, rid;
  431 
  432         sc->sc_dev = dev;
  433 
  434 #ifdef  IWN_DEBUG
  435         error = resource_int_value(device_get_name(sc->sc_dev),
  436             device_get_unit(sc->sc_dev), "debug", &(sc->sc_debug));
  437         if (error != 0)
  438                 sc->sc_debug = 0;
  439 #else
  440         sc->sc_debug = 0;
  441 #endif
  442 
  443         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: begin\n",__func__);
  444 
  445         /*
  446          * Get the offset of the PCI Express Capability Structure in PCI
  447          * Configuration Space.
  448          */
  449         error = pci_find_cap(dev, PCIY_EXPRESS, &sc->sc_cap_off);
  450         if (error != 0) {
  451                 device_printf(dev, "PCIe capability structure not found!\n");
  452                 return error;
  453         }
  454 
  455         /* Clear device-specific "PCI retry timeout" register (41h). */
  456         pci_write_config(dev, 0x41, 0, 1);
  457 
  458         /* Enable bus-mastering. */
  459         pci_enable_busmaster(dev);
  460 
  461         rid = PCIR_BAR(0);
  462         sc->mem = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid,
  463             RF_ACTIVE);
  464         if (sc->mem == NULL) {
  465                 device_printf(dev, "can't map mem space\n");
  466                 error = ENOMEM;
  467                 return error;
  468         }
  469         sc->sc_st = rman_get_bustag(sc->mem);
  470         sc->sc_sh = rman_get_bushandle(sc->mem);
  471 
  472         i = 1;
  473         rid = 0;
  474         if (pci_alloc_msi(dev, &i) == 0)
  475                 rid = 1;
  476         /* Install interrupt handler. */
  477         sc->irq = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid, RF_ACTIVE |
  478             (rid != 0 ? 0 : RF_SHAREABLE));
  479         if (sc->irq == NULL) {
  480                 device_printf(dev, "can't map interrupt\n");
  481                 error = ENOMEM;
  482                 goto fail;
  483         }
  484 
  485         IWN_LOCK_INIT(sc);
  486 
  487         /* Read hardware revision and attach. */
  488         sc->hw_type = (IWN_READ(sc, IWN_HW_REV) >> IWN_HW_REV_TYPE_SHIFT)
  489             & IWN_HW_REV_TYPE_MASK;
  490         sc->subdevice_id = pci_get_subdevice(dev);
  491 
  492         /*
  493          * 4965 versus 5000 and later have different methods.
  494          * Let's set those up first.
  495          */
  496         if (sc->hw_type == IWN_HW_REV_TYPE_4965)
  497                 iwn4965_attach(sc, pci_get_device(dev));
  498         else
  499                 iwn5000_attach(sc, pci_get_device(dev));
  500 
  501         /*
  502          * Next, let's setup the various parameters of each NIC.
  503          */
  504         error = iwn_config_specific(sc, pci_get_device(dev));
  505         if (error != 0) {
  506                 device_printf(dev, "could not attach device, error %d\n",
  507                     error);
  508                 goto fail;
  509         }
  510 
  511         if ((error = iwn_hw_prepare(sc)) != 0) {
  512                 device_printf(dev, "hardware not ready, error %d\n", error);
  513                 goto fail;
  514         }
  515 
  516         /* Allocate DMA memory for firmware transfers. */
  517         if ((error = iwn_alloc_fwmem(sc)) != 0) {
  518                 device_printf(dev,
  519                     "could not allocate memory for firmware, error %d\n",
  520                     error);
  521                 goto fail;
  522         }
  523 
  524         /* Allocate "Keep Warm" page. */
  525         if ((error = iwn_alloc_kw(sc)) != 0) {
  526                 device_printf(dev,
  527                     "could not allocate keep warm page, error %d\n", error);
  528                 goto fail;
  529         }
  530 
  531         /* Allocate ICT table for 5000 Series. */
  532         if (sc->hw_type != IWN_HW_REV_TYPE_4965 &&
  533             (error = iwn_alloc_ict(sc)) != 0) {
  534                 device_printf(dev, "could not allocate ICT table, error %d\n",
  535                     error);
  536                 goto fail;
  537         }
  538 
  539         /* Allocate TX scheduler "rings". */
  540         if ((error = iwn_alloc_sched(sc)) != 0) {
  541                 device_printf(dev,
  542                     "could not allocate TX scheduler rings, error %d\n", error);
  543                 goto fail;
  544         }
  545 
  546         /* Allocate TX rings (16 on 4965AGN, 20 on >=5000). */
  547         for (i = 0; i < sc->ntxqs; i++) {
  548                 if ((error = iwn_alloc_tx_ring(sc, &sc->txq[i], i)) != 0) {
  549                         device_printf(dev,
  550                             "could not allocate TX ring %d, error %d\n", i,
  551                             error);
  552                         goto fail;
  553                 }
  554         }
  555 
  556         /* Allocate RX ring. */
  557         if ((error = iwn_alloc_rx_ring(sc, &sc->rxq)) != 0) {
  558                 device_printf(dev, "could not allocate RX ring, error %d\n",
  559                     error);
  560                 goto fail;
  561         }
  562 
  563         /* Clear pending interrupts. */
  564         IWN_WRITE(sc, IWN_INT, 0xffffffff);
  565 
  566         ic = &sc->sc_ic;
  567         ic->ic_softc = sc;
  568         ic->ic_name = device_get_nameunit(dev);
  569         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
  570         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
  571 
  572         /* Set device capabilities. */
  573         ic->ic_caps =
  574                   IEEE80211_C_STA               /* station mode supported */
  575                 | IEEE80211_C_MONITOR           /* monitor mode supported */
  576 #if 0
  577                 | IEEE80211_C_BGSCAN            /* background scanning */
  578 #endif
  579                 | IEEE80211_C_TXPMGT            /* tx power management */
  580                 | IEEE80211_C_SHSLOT            /* short slot time supported */
  581                 | IEEE80211_C_WPA
  582                 | IEEE80211_C_SHPREAMBLE        /* short preamble supported */
  583 #if 0
  584                 | IEEE80211_C_IBSS              /* ibss/adhoc mode */
  585 #endif
  586                 | IEEE80211_C_WME               /* WME */
  587                 | IEEE80211_C_PMGT              /* Station-side power mgmt */
  588                 ;
  589 
  590         /* Read MAC address, channels, etc from EEPROM. */
  591         if ((error = iwn_read_eeprom(sc, ic->ic_macaddr)) != 0) {
  592                 device_printf(dev, "could not read EEPROM, error %d\n",
  593                     error);
  594                 goto fail;
  595         }
  596 
  597         /* Count the number of available chains. */
  598         sc->ntxchains =
  599             ((sc->txchainmask >> 2) & 1) +
  600             ((sc->txchainmask >> 1) & 1) +
  601             ((sc->txchainmask >> 0) & 1);
  602         sc->nrxchains =
  603             ((sc->rxchainmask >> 2) & 1) +
  604             ((sc->rxchainmask >> 1) & 1) +
  605             ((sc->rxchainmask >> 0) & 1);
  606         if (bootverbose) {
  607                 device_printf(dev, "MIMO %dT%dR, %.4s, address %6D\n",
  608                     sc->ntxchains, sc->nrxchains, sc->eeprom_domain,
  609                     ic->ic_macaddr, ":");
  610         }
  611 
  612         if (sc->sc_flags & IWN_FLAG_HAS_11N) {
  613                 ic->ic_rxstream = sc->nrxchains;
  614                 ic->ic_txstream = sc->ntxchains;
  615 
  616                 /*
  617                  * Some of the 3 antenna devices (ie, the 4965) only supports
  618                  * 2x2 operation.  So correct the number of streams if
  619                  * it's not a 3-stream device.
  620                  */
  621                 if (! iwn_is_3stream_device(sc)) {
  622                         if (ic->ic_rxstream > 2)
  623                                 ic->ic_rxstream = 2;
  624                         if (ic->ic_txstream > 2)
  625                                 ic->ic_txstream = 2;
  626                 }
  627 
  628                 ic->ic_htcaps =
  629                           IEEE80211_HTCAP_SMPS_OFF      /* SMPS mode disabled */
  630                         | IEEE80211_HTCAP_SHORTGI20     /* short GI in 20MHz */
  631                         | IEEE80211_HTCAP_CHWIDTH40     /* 40MHz channel width*/
  632                         | IEEE80211_HTCAP_SHORTGI40     /* short GI in 40MHz */
  633 #ifdef notyet
  634                         | IEEE80211_HTCAP_GREENFIELD
  635 #if IWN_RBUF_SIZE == 8192
  636                         | IEEE80211_HTCAP_MAXAMSDU_7935 /* max A-MSDU length */
  637 #else
  638                         | IEEE80211_HTCAP_MAXAMSDU_3839 /* max A-MSDU length */
  639 #endif
  640 #endif
  641                         /* s/w capabilities */
  642                         | IEEE80211_HTC_HT              /* HT operation */
  643                         | IEEE80211_HTC_AMPDU           /* tx A-MPDU */
  644 #ifdef notyet
  645                         | IEEE80211_HTC_AMSDU           /* tx A-MSDU */
  646 #endif
  647                         ;
  648         }
  649 
  650         ieee80211_ifattach(ic);
  651         ic->ic_vap_create = iwn_vap_create;
  652         ic->ic_ioctl = iwn_ioctl;
  653         ic->ic_parent = iwn_parent;
  654         ic->ic_vap_delete = iwn_vap_delete;
  655         ic->ic_transmit = iwn_transmit;
  656         ic->ic_raw_xmit = iwn_raw_xmit;
  657         ic->ic_node_alloc = iwn_node_alloc;
  658         sc->sc_ampdu_rx_start = ic->ic_ampdu_rx_start;
  659         ic->ic_ampdu_rx_start = iwn_ampdu_rx_start;
  660         sc->sc_ampdu_rx_stop = ic->ic_ampdu_rx_stop;
  661         ic->ic_ampdu_rx_stop = iwn_ampdu_rx_stop;
  662         sc->sc_addba_request = ic->ic_addba_request;
  663         ic->ic_addba_request = iwn_addba_request;
  664         sc->sc_addba_response = ic->ic_addba_response;
  665         ic->ic_addba_response = iwn_addba_response;
  666         sc->sc_addba_stop = ic->ic_addba_stop;
  667         ic->ic_addba_stop = iwn_ampdu_tx_stop;
  668         ic->ic_newassoc = iwn_newassoc;
  669         ic->ic_wme.wme_update = iwn_updateedca;
  670         ic->ic_update_promisc = iwn_update_promisc;
  671         ic->ic_update_mcast = iwn_update_mcast;
  672         ic->ic_scan_start = iwn_scan_start;
  673         ic->ic_scan_end = iwn_scan_end;
  674         ic->ic_set_channel = iwn_set_channel;
  675         ic->ic_scan_curchan = iwn_scan_curchan;
  676         ic->ic_scan_mindwell = iwn_scan_mindwell;
  677         ic->ic_getradiocaps = iwn_getradiocaps;
  678         ic->ic_setregdomain = iwn_setregdomain;
  679 
  680         iwn_radiotap_attach(sc);
  681 
  682         callout_init_mtx(&sc->calib_to, &sc->sc_mtx, 0);
  683         callout_init_mtx(&sc->scan_timeout, &sc->sc_mtx, 0);
  684         callout_init_mtx(&sc->watchdog_to, &sc->sc_mtx, 0);
  685         TASK_INIT(&sc->sc_rftoggle_task, 0, iwn_rftoggle_task, sc);
  686         TASK_INIT(&sc->sc_panic_task, 0, iwn_panicked, sc);
  687         TASK_INIT(&sc->sc_xmit_task, 0, iwn_xmit_task, sc);
  688 
  689         mbufq_init(&sc->sc_xmit_queue, 1024);
  690 
  691         sc->sc_tq = taskqueue_create("iwn_taskq", M_WAITOK,
  692             taskqueue_thread_enqueue, &sc->sc_tq);
  693         error = taskqueue_start_threads(&sc->sc_tq, 1, 0, "iwn_taskq");
  694         if (error != 0) {
  695                 device_printf(dev, "can't start threads, error %d\n", error);
  696                 goto fail;
  697         }
  698 
  699         iwn_sysctlattach(sc);
  700 
  701         /*
  702          * Hook our interrupt after all initialization is complete.
  703          */
  704         error = bus_setup_intr(dev, sc->irq, INTR_TYPE_NET | INTR_MPSAFE,
  705             NULL, iwn_intr, sc, &sc->sc_ih);
  706         if (error != 0) {
  707                 device_printf(dev, "can't establish interrupt, error %d\n",
  708                     error);
  709                 goto fail;
  710         }
  711 
  712 #if 0
  713         device_printf(sc->sc_dev, "%s: rx_stats=%d, rx_stats_bt=%d\n",
  714             __func__,
  715             sizeof(struct iwn_stats),
  716             sizeof(struct iwn_stats_bt));
  717 #endif
  718 
  719         if (bootverbose)
  720                 ieee80211_announce(ic);
  721         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
  722 
  723         /* Add debug ioctl right at the end */
  724         sc->sc_cdev = make_dev(&iwn_cdevsw, device_get_unit(dev),
  725             UID_ROOT, GID_WHEEL, 0600, "%s", device_get_nameunit(dev));
  726         if (sc->sc_cdev == NULL) {
  727                 device_printf(dev, "failed to create debug character device\n");
  728         } else {
  729                 sc->sc_cdev->si_drv1 = sc;
  730         }
  731         return 0;
  732 fail:
  733         iwn_detach(dev);
  734         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end in error\n",__func__);
  735         return error;
  736 }
  737 
  738 /*
  739  * Define specific configuration based on device id and subdevice id
  740  * pid : PCI device id
  741  */
  742 static int
  743 iwn_config_specific(struct iwn_softc *sc, uint16_t pid)
  744 {
  745 
  746         switch (pid) {
  747 /* 4965 series */
  748         case IWN_DID_4965_1:
  749         case IWN_DID_4965_2:
  750         case IWN_DID_4965_3:
  751         case IWN_DID_4965_4:
  752                 sc->base_params = &iwn4965_base_params;
  753                 sc->limits = &iwn4965_sensitivity_limits;
  754                 sc->fwname = "iwn4965fw";
  755                 /* Override chains masks, ROM is known to be broken. */
  756                 sc->txchainmask = IWN_ANT_AB;
  757                 sc->rxchainmask = IWN_ANT_ABC;
  758                 /* Enable normal btcoex */
  759                 sc->sc_flags |= IWN_FLAG_BTCOEX;
  760                 break;
  761 /* 1000 Series */
  762         case IWN_DID_1000_1:
  763         case IWN_DID_1000_2:
  764                 switch(sc->subdevice_id) {
  765                         case    IWN_SDID_1000_1:
  766                         case    IWN_SDID_1000_2:
  767                         case    IWN_SDID_1000_3:
  768                         case    IWN_SDID_1000_4:
  769                         case    IWN_SDID_1000_5:
  770                         case    IWN_SDID_1000_6:
  771                         case    IWN_SDID_1000_7:
  772                         case    IWN_SDID_1000_8:
  773                         case    IWN_SDID_1000_9:
  774                         case    IWN_SDID_1000_10:
  775                         case    IWN_SDID_1000_11:
  776                         case    IWN_SDID_1000_12:
  777                                 sc->limits = &iwn1000_sensitivity_limits;
  778                                 sc->base_params = &iwn1000_base_params;
  779                                 sc->fwname = "iwn1000fw";
  780                                 break;
  781                         default:
  782                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  783                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  784                                     sc->subdevice_id,sc->hw_type);
  785                                 return ENOTSUP;
  786                 }
  787                 break;
  788 /* 6x00 Series */
  789         case IWN_DID_6x00_2:
  790         case IWN_DID_6x00_4:
  791         case IWN_DID_6x00_1:
  792         case IWN_DID_6x00_3:
  793                 sc->fwname = "iwn6000fw";
  794                 sc->limits = &iwn6000_sensitivity_limits;
  795                 switch(sc->subdevice_id) {
  796                         case IWN_SDID_6x00_1:
  797                         case IWN_SDID_6x00_2:
  798                         case IWN_SDID_6x00_8:
  799                                 //iwl6000_3agn_cfg
  800                                 sc->base_params = &iwn_6000_base_params;
  801                                 break;
  802                         case IWN_SDID_6x00_3:
  803                         case IWN_SDID_6x00_6:
  804                         case IWN_SDID_6x00_9:
  805                                 ////iwl6000i_2agn
  806                         case IWN_SDID_6x00_4:
  807                         case IWN_SDID_6x00_7:
  808                         case IWN_SDID_6x00_10:
  809                                 //iwl6000i_2abg_cfg
  810                         case IWN_SDID_6x00_5:
  811                                 //iwl6000i_2bg_cfg
  812                                 sc->base_params = &iwn_6000i_base_params;
  813                                 sc->sc_flags |= IWN_FLAG_INTERNAL_PA;
  814                                 sc->txchainmask = IWN_ANT_BC;
  815                                 sc->rxchainmask = IWN_ANT_BC;
  816                                 break;
  817                         default:
  818                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  819                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  820                                     sc->subdevice_id,sc->hw_type);
  821                                 return ENOTSUP;
  822                 }
  823                 break;
  824 /* 6x05 Series */
  825         case IWN_DID_6x05_1:
  826         case IWN_DID_6x05_2:
  827                 switch(sc->subdevice_id) {
  828                         case IWN_SDID_6x05_1:
  829                         case IWN_SDID_6x05_4:
  830                         case IWN_SDID_6x05_6:
  831                                 //iwl6005_2agn_cfg
  832                         case IWN_SDID_6x05_2:
  833                         case IWN_SDID_6x05_5:
  834                         case IWN_SDID_6x05_7:
  835                                 //iwl6005_2abg_cfg
  836                         case IWN_SDID_6x05_3:
  837                                 //iwl6005_2bg_cfg
  838                         case IWN_SDID_6x05_8:
  839                         case IWN_SDID_6x05_9:
  840                                 //iwl6005_2agn_sff_cfg
  841                         case IWN_SDID_6x05_10:
  842                                 //iwl6005_2agn_d_cfg
  843                         case IWN_SDID_6x05_11:
  844                                 //iwl6005_2agn_mow1_cfg
  845                         case IWN_SDID_6x05_12:
  846                                 //iwl6005_2agn_mow2_cfg
  847                                 sc->fwname = "iwn6000g2afw";
  848                                 sc->limits = &iwn6000_sensitivity_limits;
  849                                 sc->base_params = &iwn_6000g2_base_params;
  850                                 break;
  851                         default:
  852                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  853                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  854                                     sc->subdevice_id,sc->hw_type);
  855                                 return ENOTSUP;
  856                 }
  857                 break;
  858 /* 6x35 Series */
  859         case IWN_DID_6035_1:
  860         case IWN_DID_6035_2:
  861                 switch(sc->subdevice_id) {
  862                         case IWN_SDID_6035_1:
  863                         case IWN_SDID_6035_2:
  864                         case IWN_SDID_6035_3:
  865                         case IWN_SDID_6035_4:
  866                         case IWN_SDID_6035_5:
  867                                 sc->fwname = "iwn6000g2bfw";
  868                                 sc->limits = &iwn6235_sensitivity_limits;
  869                                 sc->base_params = &iwn_6235_base_params;
  870                                 break;
  871                         default:
  872                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  873                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  874                                     sc->subdevice_id,sc->hw_type);
  875                                 return ENOTSUP;
  876                 }
  877                 break;
  878 /* 6x50 WiFi/WiMax Series */
  879         case IWN_DID_6050_1:
  880         case IWN_DID_6050_2:
  881                 switch(sc->subdevice_id) {
  882                         case IWN_SDID_6050_1:
  883                         case IWN_SDID_6050_3:
  884                         case IWN_SDID_6050_5:
  885                                 //iwl6050_2agn_cfg
  886                         case IWN_SDID_6050_2:
  887                         case IWN_SDID_6050_4:
  888                         case IWN_SDID_6050_6:
  889                                 //iwl6050_2abg_cfg
  890                                 sc->fwname = "iwn6050fw";
  891                                 sc->txchainmask = IWN_ANT_AB;
  892                                 sc->rxchainmask = IWN_ANT_AB;
  893                                 sc->limits = &iwn6000_sensitivity_limits;
  894                                 sc->base_params = &iwn_6050_base_params;
  895                                 break;
  896                         default:
  897                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  898                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  899                                     sc->subdevice_id,sc->hw_type);
  900                                 return ENOTSUP;
  901                 }
  902                 break;
  903 /* 6150 WiFi/WiMax Series */
  904         case IWN_DID_6150_1:
  905         case IWN_DID_6150_2:
  906                 switch(sc->subdevice_id) {
  907                         case IWN_SDID_6150_1:
  908                         case IWN_SDID_6150_3:
  909                         case IWN_SDID_6150_5:
  910                                 // iwl6150_bgn_cfg
  911                         case IWN_SDID_6150_2:
  912                         case IWN_SDID_6150_4:
  913                         case IWN_SDID_6150_6:
  914                                 //iwl6150_bg_cfg
  915                                 sc->fwname = "iwn6050fw";
  916                                 sc->limits = &iwn6000_sensitivity_limits;
  917                                 sc->base_params = &iwn_6150_base_params;
  918                                 break;
  919                         default:
  920                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  921                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  922                                     sc->subdevice_id,sc->hw_type);
  923                                 return ENOTSUP;
  924                 }
  925                 break;
  926 /* 6030 Series and 1030 Series */
  927         case IWN_DID_x030_1:
  928         case IWN_DID_x030_2:
  929         case IWN_DID_x030_3:
  930         case IWN_DID_x030_4:
  931                 switch(sc->subdevice_id) {
  932                         case IWN_SDID_x030_1:
  933                         case IWN_SDID_x030_3:
  934                         case IWN_SDID_x030_5:
  935                         // iwl1030_bgn_cfg
  936                         case IWN_SDID_x030_2:
  937                         case IWN_SDID_x030_4:
  938                         case IWN_SDID_x030_6:
  939                         //iwl1030_bg_cfg
  940                         case IWN_SDID_x030_7:
  941                         case IWN_SDID_x030_10:
  942                         case IWN_SDID_x030_14:
  943                         //iwl6030_2agn_cfg
  944                         case IWN_SDID_x030_8:
  945                         case IWN_SDID_x030_11:
  946                         case IWN_SDID_x030_15:
  947                         // iwl6030_2bgn_cfg
  948                         case IWN_SDID_x030_9:
  949                         case IWN_SDID_x030_12:
  950                         case IWN_SDID_x030_16:
  951                         // iwl6030_2abg_cfg
  952                         case IWN_SDID_x030_13:
  953                         //iwl6030_2bg_cfg
  954                                 sc->fwname = "iwn6000g2bfw";
  955                                 sc->limits = &iwn6000_sensitivity_limits;
  956                                 sc->base_params = &iwn_6000g2b_base_params;
  957                                 break;
  958                         default:
  959                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  960                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  961                                     sc->subdevice_id,sc->hw_type);
  962                                 return ENOTSUP;
  963                 }
  964                 break;
  965 /* 130 Series WiFi */
  966 /* XXX: This series will need adjustment for rate.
  967  * see rx_with_siso_diversity in linux kernel
  968  */
  969         case IWN_DID_130_1:
  970         case IWN_DID_130_2:
  971                 switch(sc->subdevice_id) {
  972                         case IWN_SDID_130_1:
  973                         case IWN_SDID_130_3:
  974                         case IWN_SDID_130_5:
  975                         //iwl130_bgn_cfg
  976                         case IWN_SDID_130_2:
  977                         case IWN_SDID_130_4:
  978                         case IWN_SDID_130_6:
  979                         //iwl130_bg_cfg
  980                                 sc->fwname = "iwn6000g2bfw";
  981                                 sc->limits = &iwn6000_sensitivity_limits;
  982                                 sc->base_params = &iwn_6000g2b_base_params;
  983                                 break;
  984                         default:
  985                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
  986                                     "0x%04x rev %d not supported (subdevice)\n", pid,
  987                                     sc->subdevice_id,sc->hw_type);
  988                                 return ENOTSUP;
  989                 }
  990                 break;
  991 /* 100 Series WiFi */
  992         case IWN_DID_100_1:
  993         case IWN_DID_100_2:
  994                 switch(sc->subdevice_id) {
  995                         case IWN_SDID_100_1:
  996                         case IWN_SDID_100_2:
  997                         case IWN_SDID_100_3:
  998                         case IWN_SDID_100_4:
  999                         case IWN_SDID_100_5:
 1000                         case IWN_SDID_100_6:
 1001                                 sc->limits = &iwn1000_sensitivity_limits;
 1002                                 sc->base_params = &iwn1000_base_params;
 1003                                 sc->fwname = "iwn100fw";
 1004                                 break;
 1005                         default:
 1006                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1007                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1008                                     sc->subdevice_id,sc->hw_type);
 1009                                 return ENOTSUP;
 1010                 }
 1011                 break;
 1012 
 1013 /* 105 Series */
 1014 /* XXX: This series will need adjustment for rate.
 1015  * see rx_with_siso_diversity in linux kernel
 1016  */
 1017         case IWN_DID_105_1:
 1018         case IWN_DID_105_2:
 1019                 switch(sc->subdevice_id) {
 1020                         case IWN_SDID_105_1:
 1021                         case IWN_SDID_105_2:
 1022                         case IWN_SDID_105_3:
 1023                         //iwl105_bgn_cfg
 1024                         case IWN_SDID_105_4:
 1025                         //iwl105_bgn_d_cfg
 1026                                 sc->limits = &iwn2030_sensitivity_limits;
 1027                                 sc->base_params = &iwn2000_base_params;
 1028                                 sc->fwname = "iwn105fw";
 1029                                 break;
 1030                         default:
 1031                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1032                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1033                                     sc->subdevice_id,sc->hw_type);
 1034                                 return ENOTSUP;
 1035                 }
 1036                 break;
 1037 
 1038 /* 135 Series */
 1039 /* XXX: This series will need adjustment for rate.
 1040  * see rx_with_siso_diversity in linux kernel
 1041  */
 1042         case IWN_DID_135_1:
 1043         case IWN_DID_135_2:
 1044                 switch(sc->subdevice_id) {
 1045                         case IWN_SDID_135_1:
 1046                         case IWN_SDID_135_2:
 1047                         case IWN_SDID_135_3:
 1048                                 sc->limits = &iwn2030_sensitivity_limits;
 1049                                 sc->base_params = &iwn2030_base_params;
 1050                                 sc->fwname = "iwn135fw";
 1051                                 break;
 1052                         default:
 1053                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1054                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1055                                     sc->subdevice_id,sc->hw_type);
 1056                                 return ENOTSUP;
 1057                 }
 1058                 break;
 1059 
 1060 /* 2x00 Series */
 1061         case IWN_DID_2x00_1:
 1062         case IWN_DID_2x00_2:
 1063                 switch(sc->subdevice_id) {
 1064                         case IWN_SDID_2x00_1:
 1065                         case IWN_SDID_2x00_2:
 1066                         case IWN_SDID_2x00_3:
 1067                         //iwl2000_2bgn_cfg
 1068                         case IWN_SDID_2x00_4:
 1069                         //iwl2000_2bgn_d_cfg
 1070                                 sc->limits = &iwn2030_sensitivity_limits;
 1071                                 sc->base_params = &iwn2000_base_params;
 1072                                 sc->fwname = "iwn2000fw";
 1073                                 break;
 1074                         default:
 1075                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1076                                     "0x%04x rev %d not supported (subdevice) \n",
 1077                                     pid, sc->subdevice_id, sc->hw_type);
 1078                                 return ENOTSUP;
 1079                 }
 1080                 break;
 1081 /* 2x30 Series */
 1082         case IWN_DID_2x30_1:
 1083         case IWN_DID_2x30_2:
 1084                 switch(sc->subdevice_id) {
 1085                         case IWN_SDID_2x30_1:
 1086                         case IWN_SDID_2x30_3:
 1087                         case IWN_SDID_2x30_5:
 1088                         //iwl100_bgn_cfg
 1089                         case IWN_SDID_2x30_2:
 1090                         case IWN_SDID_2x30_4:
 1091                         case IWN_SDID_2x30_6:
 1092                         //iwl100_bg_cfg
 1093                                 sc->limits = &iwn2030_sensitivity_limits;
 1094                                 sc->base_params = &iwn2030_base_params;
 1095                                 sc->fwname = "iwn2030fw";
 1096                                 break;
 1097                         default:
 1098                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1099                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1100                                     sc->subdevice_id,sc->hw_type);
 1101                                 return ENOTSUP;
 1102                 }
 1103                 break;
 1104 /* 5x00 Series */
 1105         case IWN_DID_5x00_1:
 1106         case IWN_DID_5x00_2:
 1107         case IWN_DID_5x00_3:
 1108         case IWN_DID_5x00_4:
 1109                 sc->limits = &iwn5000_sensitivity_limits;
 1110                 sc->base_params = &iwn5000_base_params;
 1111                 sc->fwname = "iwn5000fw";
 1112                 switch(sc->subdevice_id) {
 1113                         case IWN_SDID_5x00_1:
 1114                         case IWN_SDID_5x00_2:
 1115                         case IWN_SDID_5x00_3:
 1116                         case IWN_SDID_5x00_4:
 1117                         case IWN_SDID_5x00_9:
 1118                         case IWN_SDID_5x00_10:
 1119                         case IWN_SDID_5x00_11:
 1120                         case IWN_SDID_5x00_12:
 1121                         case IWN_SDID_5x00_17:
 1122                         case IWN_SDID_5x00_18:
 1123                         case IWN_SDID_5x00_19:
 1124                         case IWN_SDID_5x00_20:
 1125                         //iwl5100_agn_cfg
 1126                                 sc->txchainmask = IWN_ANT_B;
 1127                                 sc->rxchainmask = IWN_ANT_AB;
 1128                                 break;
 1129                         case IWN_SDID_5x00_5:
 1130                         case IWN_SDID_5x00_6:
 1131                         case IWN_SDID_5x00_13:
 1132                         case IWN_SDID_5x00_14:
 1133                         case IWN_SDID_5x00_21:
 1134                         case IWN_SDID_5x00_22:
 1135                         //iwl5100_bgn_cfg
 1136                                 sc->txchainmask = IWN_ANT_B;
 1137                                 sc->rxchainmask = IWN_ANT_AB;
 1138                                 break;
 1139                         case IWN_SDID_5x00_7:
 1140                         case IWN_SDID_5x00_8:
 1141                         case IWN_SDID_5x00_15:
 1142                         case IWN_SDID_5x00_16:
 1143                         case IWN_SDID_5x00_23:
 1144                         case IWN_SDID_5x00_24:
 1145                         //iwl5100_abg_cfg
 1146                                 sc->txchainmask = IWN_ANT_B;
 1147                                 sc->rxchainmask = IWN_ANT_AB;
 1148                                 break;
 1149                         case IWN_SDID_5x00_25:
 1150                         case IWN_SDID_5x00_26:
 1151                         case IWN_SDID_5x00_27:
 1152                         case IWN_SDID_5x00_28:
 1153                         case IWN_SDID_5x00_29:
 1154                         case IWN_SDID_5x00_30:
 1155                         case IWN_SDID_5x00_31:
 1156                         case IWN_SDID_5x00_32:
 1157                         case IWN_SDID_5x00_33:
 1158                         case IWN_SDID_5x00_34:
 1159                         case IWN_SDID_5x00_35:
 1160                         case IWN_SDID_5x00_36:
 1161                         //iwl5300_agn_cfg
 1162                                 sc->txchainmask = IWN_ANT_ABC;
 1163                                 sc->rxchainmask = IWN_ANT_ABC;
 1164                                 break;
 1165                         default:
 1166                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1167                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1168                                     sc->subdevice_id,sc->hw_type);
 1169                                 return ENOTSUP;
 1170                 }
 1171                 break;
 1172 /* 5x50 Series */
 1173         case IWN_DID_5x50_1:
 1174         case IWN_DID_5x50_2:
 1175         case IWN_DID_5x50_3:
 1176         case IWN_DID_5x50_4:
 1177                 sc->limits = &iwn5000_sensitivity_limits;
 1178                 sc->base_params = &iwn5000_base_params;
 1179                 sc->fwname = "iwn5000fw";
 1180                 switch(sc->subdevice_id) {
 1181                         case IWN_SDID_5x50_1:
 1182                         case IWN_SDID_5x50_2:
 1183                         case IWN_SDID_5x50_3:
 1184                         //iwl5350_agn_cfg
 1185                                 sc->limits = &iwn5000_sensitivity_limits;
 1186                                 sc->base_params = &iwn5000_base_params;
 1187                                 sc->fwname = "iwn5000fw";
 1188                                 break;
 1189                         case IWN_SDID_5x50_4:
 1190                         case IWN_SDID_5x50_5:
 1191                         case IWN_SDID_5x50_8:
 1192                         case IWN_SDID_5x50_9:
 1193                         case IWN_SDID_5x50_10:
 1194                         case IWN_SDID_5x50_11:
 1195                         //iwl5150_agn_cfg
 1196                         case IWN_SDID_5x50_6:
 1197                         case IWN_SDID_5x50_7:
 1198                         case IWN_SDID_5x50_12:
 1199                         case IWN_SDID_5x50_13:
 1200                         //iwl5150_abg_cfg
 1201                                 sc->limits = &iwn5000_sensitivity_limits;
 1202                                 sc->fwname = "iwn5150fw";
 1203                                 sc->base_params = &iwn_5x50_base_params;
 1204                                 break;
 1205                         default:
 1206                                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id :"
 1207                                     "0x%04x rev %d not supported (subdevice)\n", pid,
 1208                                     sc->subdevice_id,sc->hw_type);
 1209                                 return ENOTSUP;
 1210                 }
 1211                 break;
 1212         default:
 1213                 device_printf(sc->sc_dev, "adapter type id : 0x%04x sub id : 0x%04x"
 1214                     "rev 0x%08x not supported (device)\n", pid, sc->subdevice_id,
 1215                      sc->hw_type);
 1216                 return ENOTSUP;
 1217         }
 1218         return 0;
 1219 }
 1220 
 1221 static void
 1222 iwn4965_attach(struct iwn_softc *sc, uint16_t pid)
 1223 {
 1224         struct iwn_ops *ops = &sc->ops;
 1225 
 1226         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1227 
 1228         ops->load_firmware = iwn4965_load_firmware;
 1229         ops->read_eeprom = iwn4965_read_eeprom;
 1230         ops->post_alive = iwn4965_post_alive;
 1231         ops->nic_config = iwn4965_nic_config;
 1232         ops->update_sched = iwn4965_update_sched;
 1233         ops->get_temperature = iwn4965_get_temperature;
 1234         ops->get_rssi = iwn4965_get_rssi;
 1235         ops->set_txpower = iwn4965_set_txpower;
 1236         ops->init_gains = iwn4965_init_gains;
 1237         ops->set_gains = iwn4965_set_gains;
 1238         ops->rxon_assoc = iwn4965_rxon_assoc;
 1239         ops->add_node = iwn4965_add_node;
 1240         ops->tx_done = iwn4965_tx_done;
 1241         ops->ampdu_tx_start = iwn4965_ampdu_tx_start;
 1242         ops->ampdu_tx_stop = iwn4965_ampdu_tx_stop;
 1243         sc->ntxqs = IWN4965_NTXQUEUES;
 1244         sc->firstaggqueue = IWN4965_FIRSTAGGQUEUE;
 1245         sc->ndmachnls = IWN4965_NDMACHNLS;
 1246         sc->broadcast_id = IWN4965_ID_BROADCAST;
 1247         sc->rxonsz = IWN4965_RXONSZ;
 1248         sc->schedsz = IWN4965_SCHEDSZ;
 1249         sc->fw_text_maxsz = IWN4965_FW_TEXT_MAXSZ;
 1250         sc->fw_data_maxsz = IWN4965_FW_DATA_MAXSZ;
 1251         sc->fwsz = IWN4965_FWSZ;
 1252         sc->sched_txfact_addr = IWN4965_SCHED_TXFACT;
 1253         sc->limits = &iwn4965_sensitivity_limits;
 1254         sc->fwname = "iwn4965fw";
 1255         /* Override chains masks, ROM is known to be broken. */
 1256         sc->txchainmask = IWN_ANT_AB;
 1257         sc->rxchainmask = IWN_ANT_ABC;
 1258         /* Enable normal btcoex */
 1259         sc->sc_flags |= IWN_FLAG_BTCOEX;
 1260 
 1261         DPRINTF(sc, IWN_DEBUG_TRACE, "%s: end\n",__func__);
 1262 }
 1263 
 1264 static void
 1265 iwn5000_attach(struct iwn_softc *sc, uint16_t pid)
 1266 {
 1267         struct iwn_ops *ops = &sc->ops;
 1268 
 1269         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1270 
 1271         ops->load_firmware = iwn5000_load_firmware;
 1272         ops->read_eeprom = iwn5000_read_eeprom;
 1273         ops->post_alive = iwn5000_post_alive;
 1274         ops->nic_config = iwn5000_nic_config;
 1275         ops->update_sched = iwn5000_update_sched;
 1276         ops->get_temperature = iwn5000_get_temperature;
 1277         ops->get_rssi = iwn5000_get_rssi;
 1278         ops->set_txpower = iwn5000_set_txpower;
 1279         ops->init_gains = iwn5000_init_gains;
 1280         ops->set_gains = iwn5000_set_gains;
 1281         ops->rxon_assoc = iwn5000_rxon_assoc;
 1282         ops->add_node = iwn5000_add_node;
 1283         ops->tx_done = iwn5000_tx_done;
 1284         ops->ampdu_tx_start = iwn5000_ampdu_tx_start;
 1285         ops->ampdu_tx_stop = iwn5000_ampdu_tx_stop;
 1286         sc->ntxqs = IWN5000_NTXQUEUES;
 1287         sc->firstaggqueue = IWN5000_FIRSTAGGQUEUE;
 1288         sc->ndmachnls = IWN5000_NDMACHNLS;
 1289         sc->broadcast_id = IWN5000_ID_BROADCAST;
 1290         sc->rxonsz = IWN5000_RXONSZ;
 1291         sc->schedsz = IWN5000_SCHEDSZ;
 1292         sc->fw_text_maxsz = IWN5000_FW_TEXT_MAXSZ;
 1293         sc->fw_data_maxsz = IWN5000_FW_DATA_MAXSZ;
 1294         sc->fwsz = IWN5000_FWSZ;
 1295         sc->sched_txfact_addr = IWN5000_SCHED_TXFACT;
 1296         sc->reset_noise_gain = IWN5000_PHY_CALIB_RESET_NOISE_GAIN;
 1297         sc->noise_gain = IWN5000_PHY_CALIB_NOISE_GAIN;
 1298 
 1299         DPRINTF(sc, IWN_DEBUG_TRACE, "%s: end\n",__func__);
 1300 }
 1301 
 1302 /*
 1303  * Attach the interface to 802.11 radiotap.
 1304  */
 1305 static void
 1306 iwn_radiotap_attach(struct iwn_softc *sc)
 1307 {
 1308 
 1309         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1310         ieee80211_radiotap_attach(&sc->sc_ic,
 1311             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
 1312                 IWN_TX_RADIOTAP_PRESENT,
 1313             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
 1314                 IWN_RX_RADIOTAP_PRESENT);
 1315         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 1316 }
 1317 
 1318 static void
 1319 iwn_sysctlattach(struct iwn_softc *sc)
 1320 {
 1321 #ifdef  IWN_DEBUG
 1322         struct sysctl_ctx_list *ctx = device_get_sysctl_ctx(sc->sc_dev);
 1323         struct sysctl_oid *tree = device_get_sysctl_tree(sc->sc_dev);
 1324 
 1325         SYSCTL_ADD_INT(ctx, SYSCTL_CHILDREN(tree), OID_AUTO,
 1326             "debug", CTLFLAG_RW, &sc->sc_debug, sc->sc_debug,
 1327                 "control debugging printfs");
 1328 #endif
 1329 }
 1330 
 1331 static struct ieee80211vap *
 1332 iwn_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
 1333     enum ieee80211_opmode opmode, int flags,
 1334     const uint8_t bssid[IEEE80211_ADDR_LEN],
 1335     const uint8_t mac[IEEE80211_ADDR_LEN])
 1336 {
 1337         struct iwn_softc *sc = ic->ic_softc;
 1338         struct iwn_vap *ivp;
 1339         struct ieee80211vap *vap;
 1340 
 1341         if (!TAILQ_EMPTY(&ic->ic_vaps))         /* only one at a time */
 1342                 return NULL;
 1343 
 1344         ivp = malloc(sizeof(struct iwn_vap), M_80211_VAP, M_WAITOK | M_ZERO);
 1345         vap = &ivp->iv_vap;
 1346         ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid);
 1347         ivp->ctx = IWN_RXON_BSS_CTX;
 1348         vap->iv_bmissthreshold = 10;            /* override default */
 1349         /* Override with driver methods. */
 1350         ivp->iv_newstate = vap->iv_newstate;
 1351         vap->iv_newstate = iwn_newstate;
 1352         sc->ivap[IWN_RXON_BSS_CTX] = vap;
 1353         vap->iv_ampdu_rxmax = IEEE80211_HTCAP_MAXRXAMPDU_64K;
 1354         vap->iv_ampdu_density = IEEE80211_HTCAP_MPDUDENSITY_4; /* 4uS */
 1355 
 1356         ieee80211_ratectl_init(vap);
 1357         /* Complete setup. */
 1358         ieee80211_vap_attach(vap, ieee80211_media_change,
 1359             ieee80211_media_status, mac);
 1360         ic->ic_opmode = opmode;
 1361         return vap;
 1362 }
 1363 
 1364 static void
 1365 iwn_vap_delete(struct ieee80211vap *vap)
 1366 {
 1367         struct iwn_vap *ivp = IWN_VAP(vap);
 1368 
 1369         ieee80211_ratectl_deinit(vap);
 1370         ieee80211_vap_detach(vap);
 1371         free(ivp, M_80211_VAP);
 1372 }
 1373 
 1374 static void
 1375 iwn_xmit_queue_drain(struct iwn_softc *sc)
 1376 {
 1377         struct mbuf *m;
 1378         struct ieee80211_node *ni;
 1379 
 1380         IWN_LOCK_ASSERT(sc);
 1381         while ((m = mbufq_dequeue(&sc->sc_xmit_queue)) != NULL) {
 1382                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
 1383                 ieee80211_free_node(ni);
 1384                 m_freem(m);
 1385         }
 1386 }
 1387 
 1388 static int
 1389 iwn_xmit_queue_enqueue(struct iwn_softc *sc, struct mbuf *m)
 1390 {
 1391 
 1392         IWN_LOCK_ASSERT(sc);
 1393         return (mbufq_enqueue(&sc->sc_xmit_queue, m));
 1394 }
 1395 
 1396 static int
 1397 iwn_detach(device_t dev)
 1398 {
 1399         struct iwn_softc *sc = device_get_softc(dev);
 1400         int qid;
 1401 
 1402         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1403 
 1404         if (sc->sc_ic.ic_softc != NULL) {
 1405                 /* Free the mbuf queue and node references */
 1406                 IWN_LOCK(sc);
 1407                 iwn_xmit_queue_drain(sc);
 1408                 IWN_UNLOCK(sc);
 1409 
 1410                 iwn_stop(sc);
 1411 
 1412                 taskqueue_drain_all(sc->sc_tq);
 1413                 taskqueue_free(sc->sc_tq);
 1414 
 1415                 callout_drain(&sc->watchdog_to);
 1416                 callout_drain(&sc->scan_timeout);
 1417                 callout_drain(&sc->calib_to);
 1418                 ieee80211_ifdetach(&sc->sc_ic);
 1419         }
 1420 
 1421         /* Uninstall interrupt handler. */
 1422         if (sc->irq != NULL) {
 1423                 bus_teardown_intr(dev, sc->irq, sc->sc_ih);
 1424                 bus_release_resource(dev, SYS_RES_IRQ, rman_get_rid(sc->irq),
 1425                     sc->irq);
 1426                 pci_release_msi(dev);
 1427         }
 1428 
 1429         /* Free DMA resources. */
 1430         iwn_free_rx_ring(sc, &sc->rxq);
 1431         for (qid = 0; qid < sc->ntxqs; qid++)
 1432                 iwn_free_tx_ring(sc, &sc->txq[qid]);
 1433         iwn_free_sched(sc);
 1434         iwn_free_kw(sc);
 1435         if (sc->ict != NULL)
 1436                 iwn_free_ict(sc);
 1437         iwn_free_fwmem(sc);
 1438 
 1439         if (sc->mem != NULL)
 1440                 bus_release_resource(dev, SYS_RES_MEMORY,
 1441                     rman_get_rid(sc->mem), sc->mem);
 1442 
 1443         if (sc->sc_cdev) {
 1444                 destroy_dev(sc->sc_cdev);
 1445                 sc->sc_cdev = NULL;
 1446         }
 1447 
 1448         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n", __func__);
 1449         IWN_LOCK_DESTROY(sc);
 1450         return 0;
 1451 }
 1452 
 1453 static int
 1454 iwn_shutdown(device_t dev)
 1455 {
 1456         struct iwn_softc *sc = device_get_softc(dev);
 1457 
 1458         iwn_stop(sc);
 1459         return 0;
 1460 }
 1461 
 1462 static int
 1463 iwn_suspend(device_t dev)
 1464 {
 1465         struct iwn_softc *sc = device_get_softc(dev);
 1466 
 1467         ieee80211_suspend_all(&sc->sc_ic);
 1468         return 0;
 1469 }
 1470 
 1471 static int
 1472 iwn_resume(device_t dev)
 1473 {
 1474         struct iwn_softc *sc = device_get_softc(dev);
 1475 
 1476         /* Clear device-specific "PCI retry timeout" register (41h). */
 1477         pci_write_config(dev, 0x41, 0, 1);
 1478 
 1479         ieee80211_resume_all(&sc->sc_ic);
 1480         return 0;
 1481 }
 1482 
 1483 static int
 1484 iwn_nic_lock(struct iwn_softc *sc)
 1485 {
 1486         int ntries;
 1487 
 1488         /* Request exclusive access to NIC. */
 1489         IWN_SETBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
 1490 
 1491         /* Spin until we actually get the lock. */
 1492         for (ntries = 0; ntries < 1000; ntries++) {
 1493                 if ((IWN_READ(sc, IWN_GP_CNTRL) &
 1494                      (IWN_GP_CNTRL_MAC_ACCESS_ENA | IWN_GP_CNTRL_SLEEP)) ==
 1495                     IWN_GP_CNTRL_MAC_ACCESS_ENA)
 1496                         return 0;
 1497                 DELAY(10);
 1498         }
 1499         return ETIMEDOUT;
 1500 }
 1501 
 1502 static __inline void
 1503 iwn_nic_unlock(struct iwn_softc *sc)
 1504 {
 1505         IWN_CLRBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
 1506 }
 1507 
 1508 static __inline uint32_t
 1509 iwn_prph_read(struct iwn_softc *sc, uint32_t addr)
 1510 {
 1511         IWN_WRITE(sc, IWN_PRPH_RADDR, IWN_PRPH_DWORD | addr);
 1512         IWN_BARRIER_READ_WRITE(sc);
 1513         return IWN_READ(sc, IWN_PRPH_RDATA);
 1514 }
 1515 
 1516 static __inline void
 1517 iwn_prph_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
 1518 {
 1519         IWN_WRITE(sc, IWN_PRPH_WADDR, IWN_PRPH_DWORD | addr);
 1520         IWN_BARRIER_WRITE(sc);
 1521         IWN_WRITE(sc, IWN_PRPH_WDATA, data);
 1522 }
 1523 
 1524 static __inline void
 1525 iwn_prph_setbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
 1526 {
 1527         iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) | mask);
 1528 }
 1529 
 1530 static __inline void
 1531 iwn_prph_clrbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
 1532 {
 1533         iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) & ~mask);
 1534 }
 1535 
 1536 static __inline void
 1537 iwn_prph_write_region_4(struct iwn_softc *sc, uint32_t addr,
 1538     const uint32_t *data, int count)
 1539 {
 1540         for (; count > 0; count--, data++, addr += 4)
 1541                 iwn_prph_write(sc, addr, *data);
 1542 }
 1543 
 1544 static __inline uint32_t
 1545 iwn_mem_read(struct iwn_softc *sc, uint32_t addr)
 1546 {
 1547         IWN_WRITE(sc, IWN_MEM_RADDR, addr);
 1548         IWN_BARRIER_READ_WRITE(sc);
 1549         return IWN_READ(sc, IWN_MEM_RDATA);
 1550 }
 1551 
 1552 static __inline void
 1553 iwn_mem_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
 1554 {
 1555         IWN_WRITE(sc, IWN_MEM_WADDR, addr);
 1556         IWN_BARRIER_WRITE(sc);
 1557         IWN_WRITE(sc, IWN_MEM_WDATA, data);
 1558 }
 1559 
 1560 static __inline void
 1561 iwn_mem_write_2(struct iwn_softc *sc, uint32_t addr, uint16_t data)
 1562 {
 1563         uint32_t tmp;
 1564 
 1565         tmp = iwn_mem_read(sc, addr & ~3);
 1566         if (addr & 3)
 1567                 tmp = (tmp & 0x0000ffff) | data << 16;
 1568         else
 1569                 tmp = (tmp & 0xffff0000) | data;
 1570         iwn_mem_write(sc, addr & ~3, tmp);
 1571 }
 1572 
 1573 static __inline void
 1574 iwn_mem_read_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t *data,
 1575     int count)
 1576 {
 1577         for (; count > 0; count--, addr += 4)
 1578                 *data++ = iwn_mem_read(sc, addr);
 1579 }
 1580 
 1581 static __inline void
 1582 iwn_mem_set_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t val,
 1583     int count)
 1584 {
 1585         for (; count > 0; count--, addr += 4)
 1586                 iwn_mem_write(sc, addr, val);
 1587 }
 1588 
 1589 static int
 1590 iwn_eeprom_lock(struct iwn_softc *sc)
 1591 {
 1592         int i, ntries;
 1593 
 1594         for (i = 0; i < 100; i++) {
 1595                 /* Request exclusive access to EEPROM. */
 1596                 IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
 1597                     IWN_HW_IF_CONFIG_EEPROM_LOCKED);
 1598 
 1599                 /* Spin until we actually get the lock. */
 1600                 for (ntries = 0; ntries < 100; ntries++) {
 1601                         if (IWN_READ(sc, IWN_HW_IF_CONFIG) &
 1602                             IWN_HW_IF_CONFIG_EEPROM_LOCKED)
 1603                                 return 0;
 1604                         DELAY(10);
 1605                 }
 1606         }
 1607         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end timeout\n", __func__);
 1608         return ETIMEDOUT;
 1609 }
 1610 
 1611 static __inline void
 1612 iwn_eeprom_unlock(struct iwn_softc *sc)
 1613 {
 1614         IWN_CLRBITS(sc, IWN_HW_IF_CONFIG, IWN_HW_IF_CONFIG_EEPROM_LOCKED);
 1615 }
 1616 
 1617 /*
 1618  * Initialize access by host to One Time Programmable ROM.
 1619  * NB: This kind of ROM can be found on 1000 or 6000 Series only.
 1620  */
 1621 static int
 1622 iwn_init_otprom(struct iwn_softc *sc)
 1623 {
 1624         uint16_t prev, base, next;
 1625         int count, error;
 1626 
 1627         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1628 
 1629         /* Wait for clock stabilization before accessing prph. */
 1630         if ((error = iwn_clock_wait(sc)) != 0)
 1631                 return error;
 1632 
 1633         if ((error = iwn_nic_lock(sc)) != 0)
 1634                 return error;
 1635         iwn_prph_setbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
 1636         DELAY(5);
 1637         iwn_prph_clrbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
 1638         iwn_nic_unlock(sc);
 1639 
 1640         /* Set auto clock gate disable bit for HW with OTP shadow RAM. */
 1641         if (sc->base_params->shadow_ram_support) {
 1642                 IWN_SETBITS(sc, IWN_DBG_LINK_PWR_MGMT,
 1643                     IWN_RESET_LINK_PWR_MGMT_DIS);
 1644         }
 1645         IWN_CLRBITS(sc, IWN_EEPROM_GP, IWN_EEPROM_GP_IF_OWNER);
 1646         /* Clear ECC status. */
 1647         IWN_SETBITS(sc, IWN_OTP_GP,
 1648             IWN_OTP_GP_ECC_CORR_STTS | IWN_OTP_GP_ECC_UNCORR_STTS);
 1649 
 1650         /*
 1651          * Find the block before last block (contains the EEPROM image)
 1652          * for HW without OTP shadow RAM.
 1653          */
 1654         if (! sc->base_params->shadow_ram_support) {
 1655                 /* Switch to absolute addressing mode. */
 1656                 IWN_CLRBITS(sc, IWN_OTP_GP, IWN_OTP_GP_RELATIVE_ACCESS);
 1657                 base = prev = 0;
 1658                 for (count = 0; count < sc->base_params->max_ll_items;
 1659                     count++) {
 1660                         error = iwn_read_prom_data(sc, base, &next, 2);
 1661                         if (error != 0)
 1662                                 return error;
 1663                         if (next == 0)  /* End of linked-list. */
 1664                                 break;
 1665                         prev = base;
 1666                         base = le16toh(next);
 1667                 }
 1668                 if (count == 0 || count == sc->base_params->max_ll_items)
 1669                         return EIO;
 1670                 /* Skip "next" word. */
 1671                 sc->prom_base = prev + 1;
 1672         }
 1673 
 1674         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 1675 
 1676         return 0;
 1677 }
 1678 
 1679 static int
 1680 iwn_read_prom_data(struct iwn_softc *sc, uint32_t addr, void *data, int count)
 1681 {
 1682         uint8_t *out = data;
 1683         uint32_t val, tmp;
 1684         int ntries;
 1685 
 1686         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1687 
 1688         addr += sc->prom_base;
 1689         for (; count > 0; count -= 2, addr++) {
 1690                 IWN_WRITE(sc, IWN_EEPROM, addr << 2);
 1691                 for (ntries = 0; ntries < 10; ntries++) {
 1692                         val = IWN_READ(sc, IWN_EEPROM);
 1693                         if (val & IWN_EEPROM_READ_VALID)
 1694                                 break;
 1695                         DELAY(5);
 1696                 }
 1697                 if (ntries == 10) {
 1698                         device_printf(sc->sc_dev,
 1699                             "timeout reading ROM at 0x%x\n", addr);
 1700                         return ETIMEDOUT;
 1701                 }
 1702                 if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
 1703                         /* OTPROM, check for ECC errors. */
 1704                         tmp = IWN_READ(sc, IWN_OTP_GP);
 1705                         if (tmp & IWN_OTP_GP_ECC_UNCORR_STTS) {
 1706                                 device_printf(sc->sc_dev,
 1707                                     "OTPROM ECC error at 0x%x\n", addr);
 1708                                 return EIO;
 1709                         }
 1710                         if (tmp & IWN_OTP_GP_ECC_CORR_STTS) {
 1711                                 /* Correctable ECC error, clear bit. */
 1712                                 IWN_SETBITS(sc, IWN_OTP_GP,
 1713                                     IWN_OTP_GP_ECC_CORR_STTS);
 1714                         }
 1715                 }
 1716                 *out++ = val >> 16;
 1717                 if (count > 1)
 1718                         *out++ = val >> 24;
 1719         }
 1720 
 1721         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 1722 
 1723         return 0;
 1724 }
 1725 
 1726 static void
 1727 iwn_dma_map_addr(void *arg, bus_dma_segment_t *segs, int nsegs, int error)
 1728 {
 1729         if (error != 0)
 1730                 return;
 1731         KASSERT(nsegs == 1, ("too many DMA segments, %d should be 1", nsegs));
 1732         *(bus_addr_t *)arg = segs[0].ds_addr;
 1733 }
 1734 
 1735 static int
 1736 iwn_dma_contig_alloc(struct iwn_softc *sc, struct iwn_dma_info *dma,
 1737     void **kvap, bus_size_t size, bus_size_t alignment)
 1738 {
 1739         int error;
 1740 
 1741         dma->tag = NULL;
 1742         dma->size = size;
 1743 
 1744         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), alignment,
 1745             0, BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, size,
 1746             1, size, 0, NULL, NULL, &dma->tag);
 1747         if (error != 0)
 1748                 goto fail;
 1749 
 1750         error = bus_dmamem_alloc(dma->tag, (void **)&dma->vaddr,
 1751             BUS_DMA_NOWAIT | BUS_DMA_ZERO | BUS_DMA_COHERENT, &dma->map);
 1752         if (error != 0)
 1753                 goto fail;
 1754 
 1755         error = bus_dmamap_load(dma->tag, dma->map, dma->vaddr, size,
 1756             iwn_dma_map_addr, &dma->paddr, BUS_DMA_NOWAIT);
 1757         if (error != 0)
 1758                 goto fail;
 1759 
 1760         bus_dmamap_sync(dma->tag, dma->map, BUS_DMASYNC_PREWRITE);
 1761 
 1762         if (kvap != NULL)
 1763                 *kvap = dma->vaddr;
 1764 
 1765         return 0;
 1766 
 1767 fail:   iwn_dma_contig_free(dma);
 1768         return error;
 1769 }
 1770 
 1771 static void
 1772 iwn_dma_contig_free(struct iwn_dma_info *dma)
 1773 {
 1774         if (dma->vaddr != NULL) {
 1775                 bus_dmamap_sync(dma->tag, dma->map,
 1776                     BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
 1777                 bus_dmamap_unload(dma->tag, dma->map);
 1778                 bus_dmamem_free(dma->tag, dma->vaddr, dma->map);
 1779                 dma->vaddr = NULL;
 1780         }
 1781         if (dma->tag != NULL) {
 1782                 bus_dma_tag_destroy(dma->tag);
 1783                 dma->tag = NULL;
 1784         }
 1785 }
 1786 
 1787 static int
 1788 iwn_alloc_sched(struct iwn_softc *sc)
 1789 {
 1790         /* TX scheduler rings must be aligned on a 1KB boundary. */
 1791         return iwn_dma_contig_alloc(sc, &sc->sched_dma, (void **)&sc->sched,
 1792             sc->schedsz, 1024);
 1793 }
 1794 
 1795 static void
 1796 iwn_free_sched(struct iwn_softc *sc)
 1797 {
 1798         iwn_dma_contig_free(&sc->sched_dma);
 1799 }
 1800 
 1801 static int
 1802 iwn_alloc_kw(struct iwn_softc *sc)
 1803 {
 1804         /* "Keep Warm" page must be aligned on a 4KB boundary. */
 1805         return iwn_dma_contig_alloc(sc, &sc->kw_dma, NULL, 4096, 4096);
 1806 }
 1807 
 1808 static void
 1809 iwn_free_kw(struct iwn_softc *sc)
 1810 {
 1811         iwn_dma_contig_free(&sc->kw_dma);
 1812 }
 1813 
 1814 static int
 1815 iwn_alloc_ict(struct iwn_softc *sc)
 1816 {
 1817         /* ICT table must be aligned on a 4KB boundary. */
 1818         return iwn_dma_contig_alloc(sc, &sc->ict_dma, (void **)&sc->ict,
 1819             IWN_ICT_SIZE, 4096);
 1820 }
 1821 
 1822 static void
 1823 iwn_free_ict(struct iwn_softc *sc)
 1824 {
 1825         iwn_dma_contig_free(&sc->ict_dma);
 1826 }
 1827 
 1828 static int
 1829 iwn_alloc_fwmem(struct iwn_softc *sc)
 1830 {
 1831         /* Must be aligned on a 16-byte boundary. */
 1832         return iwn_dma_contig_alloc(sc, &sc->fw_dma, NULL, sc->fwsz, 16);
 1833 }
 1834 
 1835 static void
 1836 iwn_free_fwmem(struct iwn_softc *sc)
 1837 {
 1838         iwn_dma_contig_free(&sc->fw_dma);
 1839 }
 1840 
 1841 static int
 1842 iwn_alloc_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1843 {
 1844         bus_size_t size;
 1845         int i, error;
 1846 
 1847         ring->cur = 0;
 1848 
 1849         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 1850 
 1851         /* Allocate RX descriptors (256-byte aligned). */
 1852         size = IWN_RX_RING_COUNT * sizeof (uint32_t);
 1853         error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
 1854             size, 256);
 1855         if (error != 0) {
 1856                 device_printf(sc->sc_dev,
 1857                     "%s: could not allocate RX ring DMA memory, error %d\n",
 1858                     __func__, error);
 1859                 goto fail;
 1860         }
 1861 
 1862         /* Allocate RX status area (16-byte aligned). */
 1863         error = iwn_dma_contig_alloc(sc, &ring->stat_dma, (void **)&ring->stat,
 1864             sizeof (struct iwn_rx_status), 16);
 1865         if (error != 0) {
 1866                 device_printf(sc->sc_dev,
 1867                     "%s: could not allocate RX status DMA memory, error %d\n",
 1868                     __func__, error);
 1869                 goto fail;
 1870         }
 1871 
 1872         /* Create RX buffer DMA tag. */
 1873         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
 1874             BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
 1875             IWN_RBUF_SIZE, 1, IWN_RBUF_SIZE, 0, NULL, NULL, &ring->data_dmat);
 1876         if (error != 0) {
 1877                 device_printf(sc->sc_dev,
 1878                     "%s: could not create RX buf DMA tag, error %d\n",
 1879                     __func__, error);
 1880                 goto fail;
 1881         }
 1882 
 1883         /*
 1884          * Allocate and map RX buffers.
 1885          */
 1886         for (i = 0; i < IWN_RX_RING_COUNT; i++) {
 1887                 struct iwn_rx_data *data = &ring->data[i];
 1888                 bus_addr_t paddr;
 1889 
 1890                 error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
 1891                 if (error != 0) {
 1892                         device_printf(sc->sc_dev,
 1893                             "%s: could not create RX buf DMA map, error %d\n",
 1894                             __func__, error);
 1895                         goto fail;
 1896                 }
 1897 
 1898                 data->m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
 1899                     IWN_RBUF_SIZE);
 1900                 if (data->m == NULL) {
 1901                         device_printf(sc->sc_dev,
 1902                             "%s: could not allocate RX mbuf\n", __func__);
 1903                         error = ENOBUFS;
 1904                         goto fail;
 1905                 }
 1906 
 1907                 error = bus_dmamap_load(ring->data_dmat, data->map,
 1908                     mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
 1909                     &paddr, BUS_DMA_NOWAIT);
 1910                 if (error != 0 && error != EFBIG) {
 1911                         device_printf(sc->sc_dev,
 1912                             "%s: can't map mbuf, error %d\n", __func__,
 1913                             error);
 1914                         goto fail;
 1915                 }
 1916 
 1917                 bus_dmamap_sync(ring->data_dmat, data->map,
 1918                     BUS_DMASYNC_PREREAD);
 1919 
 1920                 /* Set physical address of RX buffer (256-byte aligned). */
 1921                 ring->desc[i] = htole32(paddr >> 8);
 1922         }
 1923 
 1924         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 1925             BUS_DMASYNC_PREWRITE);
 1926 
 1927         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 1928 
 1929         return 0;
 1930 
 1931 fail:   iwn_free_rx_ring(sc, ring);
 1932 
 1933         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end in error\n",__func__);
 1934 
 1935         return error;
 1936 }
 1937 
 1938 static void
 1939 iwn_reset_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1940 {
 1941         int ntries;
 1942 
 1943         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 1944 
 1945         if (iwn_nic_lock(sc) == 0) {
 1946                 IWN_WRITE(sc, IWN_FH_RX_CONFIG, 0);
 1947                 for (ntries = 0; ntries < 1000; ntries++) {
 1948                         if (IWN_READ(sc, IWN_FH_RX_STATUS) &
 1949                             IWN_FH_RX_STATUS_IDLE)
 1950                                 break;
 1951                         DELAY(10);
 1952                 }
 1953                 iwn_nic_unlock(sc);
 1954         }
 1955         ring->cur = 0;
 1956         sc->last_rx_valid = 0;
 1957 }
 1958 
 1959 static void
 1960 iwn_free_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1961 {
 1962         int i;
 1963 
 1964         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s \n", __func__);
 1965 
 1966         iwn_dma_contig_free(&ring->desc_dma);
 1967         iwn_dma_contig_free(&ring->stat_dma);
 1968 
 1969         for (i = 0; i < IWN_RX_RING_COUNT; i++) {
 1970                 struct iwn_rx_data *data = &ring->data[i];
 1971 
 1972                 if (data->m != NULL) {
 1973                         bus_dmamap_sync(ring->data_dmat, data->map,
 1974                             BUS_DMASYNC_POSTREAD);
 1975                         bus_dmamap_unload(ring->data_dmat, data->map);
 1976                         m_freem(data->m);
 1977                         data->m = NULL;
 1978                 }
 1979                 if (data->map != NULL)
 1980                         bus_dmamap_destroy(ring->data_dmat, data->map);
 1981         }
 1982         if (ring->data_dmat != NULL) {
 1983                 bus_dma_tag_destroy(ring->data_dmat);
 1984                 ring->data_dmat = NULL;
 1985         }
 1986 }
 1987 
 1988 static int
 1989 iwn_alloc_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring, int qid)
 1990 {
 1991         bus_addr_t paddr;
 1992         bus_size_t size;
 1993         int i, error;
 1994 
 1995         ring->qid = qid;
 1996         ring->queued = 0;
 1997         ring->cur = 0;
 1998 
 1999         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2000 
 2001         /* Allocate TX descriptors (256-byte aligned). */
 2002         size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_desc);
 2003         error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
 2004             size, 256);
 2005         if (error != 0) {
 2006                 device_printf(sc->sc_dev,
 2007                     "%s: could not allocate TX ring DMA memory, error %d\n",
 2008                     __func__, error);
 2009                 goto fail;
 2010         }
 2011 
 2012         size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_cmd);
 2013         error = iwn_dma_contig_alloc(sc, &ring->cmd_dma, (void **)&ring->cmd,
 2014             size, 4);
 2015         if (error != 0) {
 2016                 device_printf(sc->sc_dev,
 2017                     "%s: could not allocate TX cmd DMA memory, error %d\n",
 2018                     __func__, error);
 2019                 goto fail;
 2020         }
 2021 
 2022         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
 2023             BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, MCLBYTES,
 2024             IWN_MAX_SCATTER - 1, MCLBYTES, 0, NULL, NULL, &ring->data_dmat);
 2025         if (error != 0) {
 2026                 device_printf(sc->sc_dev,
 2027                     "%s: could not create TX buf DMA tag, error %d\n",
 2028                     __func__, error);
 2029                 goto fail;
 2030         }
 2031 
 2032         paddr = ring->cmd_dma.paddr;
 2033         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 2034                 struct iwn_tx_data *data = &ring->data[i];
 2035 
 2036                 data->cmd_paddr = paddr;
 2037                 data->scratch_paddr = paddr + 12;
 2038                 paddr += sizeof (struct iwn_tx_cmd);
 2039 
 2040                 error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
 2041                 if (error != 0) {
 2042                         device_printf(sc->sc_dev,
 2043                             "%s: could not create TX buf DMA map, error %d\n",
 2044                             __func__, error);
 2045                         goto fail;
 2046                 }
 2047         }
 2048 
 2049         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2050 
 2051         return 0;
 2052 
 2053 fail:   iwn_free_tx_ring(sc, ring);
 2054         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end in error\n", __func__);
 2055         return error;
 2056 }
 2057 
 2058 static void
 2059 iwn_reset_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
 2060 {
 2061         int i;
 2062 
 2063         DPRINTF(sc, IWN_DEBUG_TRACE, "->doing %s \n", __func__);
 2064 
 2065         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 2066                 struct iwn_tx_data *data = &ring->data[i];
 2067 
 2068                 if (data->m != NULL) {
 2069                         bus_dmamap_sync(ring->data_dmat, data->map,
 2070                             BUS_DMASYNC_POSTWRITE);
 2071                         bus_dmamap_unload(ring->data_dmat, data->map);
 2072                         m_freem(data->m);
 2073                         data->m = NULL;
 2074                 }
 2075                 if (data->ni != NULL) {
 2076                         ieee80211_free_node(data->ni);
 2077                         data->ni = NULL;
 2078                 }
 2079                 data->remapped = 0;
 2080                 data->long_retries = 0;
 2081         }
 2082         /* Clear TX descriptors. */
 2083         memset(ring->desc, 0, ring->desc_dma.size);
 2084         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 2085             BUS_DMASYNC_PREWRITE);
 2086         sc->qfullmsk &= ~(1 << ring->qid);
 2087         ring->queued = 0;
 2088         ring->cur = 0;
 2089 }
 2090 
 2091 static void
 2092 iwn_free_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
 2093 {
 2094         int i;
 2095 
 2096         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s \n", __func__);
 2097 
 2098         iwn_dma_contig_free(&ring->desc_dma);
 2099         iwn_dma_contig_free(&ring->cmd_dma);
 2100 
 2101         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 2102                 struct iwn_tx_data *data = &ring->data[i];
 2103 
 2104                 if (data->m != NULL) {
 2105                         bus_dmamap_sync(ring->data_dmat, data->map,
 2106                             BUS_DMASYNC_POSTWRITE);
 2107                         bus_dmamap_unload(ring->data_dmat, data->map);
 2108                         m_freem(data->m);
 2109                 }
 2110                 if (data->map != NULL)
 2111                         bus_dmamap_destroy(ring->data_dmat, data->map);
 2112         }
 2113         if (ring->data_dmat != NULL) {
 2114                 bus_dma_tag_destroy(ring->data_dmat);
 2115                 ring->data_dmat = NULL;
 2116         }
 2117 }
 2118 
 2119 static void
 2120 iwn_check_tx_ring(struct iwn_softc *sc, int qid)
 2121 {
 2122         struct iwn_tx_ring *ring = &sc->txq[qid];
 2123 
 2124         KASSERT(ring->queued >= 0, ("%s: ring->queued (%d) for queue %d < 0!",
 2125             __func__, ring->queued, qid));
 2126 
 2127         if (qid >= sc->firstaggqueue) {
 2128                 struct iwn_ops *ops = &sc->ops;
 2129                 struct ieee80211_tx_ampdu *tap = sc->qid2tap[qid];
 2130 
 2131                 if (ring->queued == 0 && !IEEE80211_AMPDU_RUNNING(tap)) {
 2132                         uint16_t ssn = tap->txa_start & 0xfff;
 2133                         uint8_t tid = tap->txa_tid;
 2134                         int *res = tap->txa_private;
 2135 
 2136                         iwn_nic_lock(sc);
 2137                         ops->ampdu_tx_stop(sc, qid, tid, ssn);
 2138                         iwn_nic_unlock(sc);
 2139 
 2140                         sc->qid2tap[qid] = NULL;
 2141                         free(res, M_DEVBUF);
 2142                 }
 2143         }
 2144 
 2145         if (ring->queued < IWN_TX_RING_LOMARK) {
 2146                 sc->qfullmsk &= ~(1 << qid);
 2147 
 2148                 if (ring->queued == 0)
 2149                         sc->sc_tx_timer = 0;
 2150                 else
 2151                         sc->sc_tx_timer = 5;
 2152         }
 2153 }
 2154 
 2155 static void
 2156 iwn5000_ict_reset(struct iwn_softc *sc)
 2157 {
 2158         /* Disable interrupts. */
 2159         IWN_WRITE(sc, IWN_INT_MASK, 0);
 2160 
 2161         /* Reset ICT table. */
 2162         memset(sc->ict, 0, IWN_ICT_SIZE);
 2163         sc->ict_cur = 0;
 2164 
 2165         bus_dmamap_sync(sc->ict_dma.tag, sc->ict_dma.map,
 2166             BUS_DMASYNC_PREWRITE);
 2167 
 2168         /* Set physical address of ICT table (4KB aligned). */
 2169         DPRINTF(sc, IWN_DEBUG_RESET, "%s: enabling ICT\n", __func__);
 2170         IWN_WRITE(sc, IWN_DRAM_INT_TBL, IWN_DRAM_INT_TBL_ENABLE |
 2171             IWN_DRAM_INT_TBL_WRAP_CHECK | sc->ict_dma.paddr >> 12);
 2172 
 2173         /* Enable periodic RX interrupt. */
 2174         sc->int_mask |= IWN_INT_RX_PERIODIC;
 2175         /* Switch to ICT interrupt mode in driver. */
 2176         sc->sc_flags |= IWN_FLAG_USE_ICT;
 2177 
 2178         /* Re-enable interrupts. */
 2179         IWN_WRITE(sc, IWN_INT, 0xffffffff);
 2180         IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
 2181 }
 2182 
 2183 static int
 2184 iwn_read_eeprom(struct iwn_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
 2185 {
 2186         struct iwn_ops *ops = &sc->ops;
 2187         uint16_t val;
 2188         int error;
 2189 
 2190         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2191 
 2192         /* Check whether adapter has an EEPROM or an OTPROM. */
 2193         if (sc->hw_type >= IWN_HW_REV_TYPE_1000 &&
 2194             (IWN_READ(sc, IWN_OTP_GP) & IWN_OTP_GP_DEV_SEL_OTP))
 2195                 sc->sc_flags |= IWN_FLAG_HAS_OTPROM;
 2196         DPRINTF(sc, IWN_DEBUG_RESET, "%s found\n",
 2197             (sc->sc_flags & IWN_FLAG_HAS_OTPROM) ? "OTPROM" : "EEPROM");
 2198 
 2199         /* Adapter has to be powered on for EEPROM access to work. */
 2200         if ((error = iwn_apm_init(sc)) != 0) {
 2201                 device_printf(sc->sc_dev,
 2202                     "%s: could not power ON adapter, error %d\n", __func__,
 2203                     error);
 2204                 return error;
 2205         }
 2206 
 2207         if ((IWN_READ(sc, IWN_EEPROM_GP) & 0x7) == 0) {
 2208                 device_printf(sc->sc_dev, "%s: bad ROM signature\n", __func__);
 2209                 return EIO;
 2210         }
 2211         if ((error = iwn_eeprom_lock(sc)) != 0) {
 2212                 device_printf(sc->sc_dev, "%s: could not lock ROM, error %d\n",
 2213                     __func__, error);
 2214                 return error;
 2215         }
 2216         if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
 2217                 if ((error = iwn_init_otprom(sc)) != 0) {
 2218                         device_printf(sc->sc_dev,
 2219                             "%s: could not initialize OTPROM, error %d\n",
 2220                             __func__, error);
 2221                         return error;
 2222                 }
 2223         }
 2224 
 2225         iwn_read_prom_data(sc, IWN_EEPROM_SKU_CAP, &val, 2);
 2226         DPRINTF(sc, IWN_DEBUG_RESET, "SKU capabilities=0x%04x\n", le16toh(val));
 2227         /* Check if HT support is bonded out. */
 2228         if (val & htole16(IWN_EEPROM_SKU_CAP_11N))
 2229                 sc->sc_flags |= IWN_FLAG_HAS_11N;
 2230 
 2231         iwn_read_prom_data(sc, IWN_EEPROM_RFCFG, &val, 2);
 2232         sc->rfcfg = le16toh(val);
 2233         DPRINTF(sc, IWN_DEBUG_RESET, "radio config=0x%04x\n", sc->rfcfg);
 2234         /* Read Tx/Rx chains from ROM unless it's known to be broken. */
 2235         if (sc->txchainmask == 0)
 2236                 sc->txchainmask = IWN_RFCFG_TXANTMSK(sc->rfcfg);
 2237         if (sc->rxchainmask == 0)
 2238                 sc->rxchainmask = IWN_RFCFG_RXANTMSK(sc->rfcfg);
 2239 
 2240         /* Read MAC address. */
 2241         iwn_read_prom_data(sc, IWN_EEPROM_MAC, macaddr, 6);
 2242 
 2243         /* Read adapter-specific information from EEPROM. */
 2244         ops->read_eeprom(sc);
 2245 
 2246         iwn_apm_stop(sc);       /* Power OFF adapter. */
 2247 
 2248         iwn_eeprom_unlock(sc);
 2249 
 2250         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2251 
 2252         return 0;
 2253 }
 2254 
 2255 static void
 2256 iwn4965_read_eeprom(struct iwn_softc *sc)
 2257 {
 2258         uint32_t addr;
 2259         uint16_t val;
 2260         int i;
 2261 
 2262         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2263 
 2264         /* Read regulatory domain (4 ASCII characters). */
 2265         iwn_read_prom_data(sc, IWN4965_EEPROM_DOMAIN, sc->eeprom_domain, 4);
 2266 
 2267         /* Read the list of authorized channels (20MHz & 40MHz). */
 2268         for (i = 0; i < IWN_NBANDS - 1; i++) {
 2269                 addr = iwn4965_regulatory_bands[i];
 2270                 iwn_read_eeprom_channels(sc, i, addr);
 2271         }
 2272 
 2273         /* Read maximum allowed TX power for 2GHz and 5GHz bands. */
 2274         iwn_read_prom_data(sc, IWN4965_EEPROM_MAXPOW, &val, 2);
 2275         sc->maxpwr2GHz = val & 0xff;
 2276         sc->maxpwr5GHz = val >> 8;
 2277         /* Check that EEPROM values are within valid range. */
 2278         if (sc->maxpwr5GHz < 20 || sc->maxpwr5GHz > 50)
 2279                 sc->maxpwr5GHz = 38;
 2280         if (sc->maxpwr2GHz < 20 || sc->maxpwr2GHz > 50)
 2281                 sc->maxpwr2GHz = 38;
 2282         DPRINTF(sc, IWN_DEBUG_RESET, "maxpwr 2GHz=%d 5GHz=%d\n",
 2283             sc->maxpwr2GHz, sc->maxpwr5GHz);
 2284 
 2285         /* Read samples for each TX power group. */
 2286         iwn_read_prom_data(sc, IWN4965_EEPROM_BANDS, sc->bands,
 2287             sizeof sc->bands);
 2288 
 2289         /* Read voltage at which samples were taken. */
 2290         iwn_read_prom_data(sc, IWN4965_EEPROM_VOLTAGE, &val, 2);
 2291         sc->eeprom_voltage = (int16_t)le16toh(val);
 2292         DPRINTF(sc, IWN_DEBUG_RESET, "voltage=%d (in 0.3V)\n",
 2293             sc->eeprom_voltage);
 2294 
 2295 #ifdef IWN_DEBUG
 2296         /* Print samples. */
 2297         if (sc->sc_debug & IWN_DEBUG_ANY) {
 2298                 for (i = 0; i < IWN_NBANDS - 1; i++)
 2299                         iwn4965_print_power_group(sc, i);
 2300         }
 2301 #endif
 2302 
 2303         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2304 }
 2305 
 2306 #ifdef IWN_DEBUG
 2307 static void
 2308 iwn4965_print_power_group(struct iwn_softc *sc, int i)
 2309 {
 2310         struct iwn4965_eeprom_band *band = &sc->bands[i];
 2311         struct iwn4965_eeprom_chan_samples *chans = band->chans;
 2312         int j, c;
 2313 
 2314         printf("===band %d===\n", i);
 2315         printf("chan lo=%d, chan hi=%d\n", band->lo, band->hi);
 2316         printf("chan1 num=%d\n", chans[0].num);
 2317         for (c = 0; c < 2; c++) {
 2318                 for (j = 0; j < IWN_NSAMPLES; j++) {
 2319                         printf("chain %d, sample %d: temp=%d gain=%d "
 2320                             "power=%d pa_det=%d\n", c, j,
 2321                             chans[0].samples[c][j].temp,
 2322                             chans[0].samples[c][j].gain,
 2323                             chans[0].samples[c][j].power,
 2324                             chans[0].samples[c][j].pa_det);
 2325                 }
 2326         }
 2327         printf("chan2 num=%d\n", chans[1].num);
 2328         for (c = 0; c < 2; c++) {
 2329                 for (j = 0; j < IWN_NSAMPLES; j++) {
 2330                         printf("chain %d, sample %d: temp=%d gain=%d "
 2331                             "power=%d pa_det=%d\n", c, j,
 2332                             chans[1].samples[c][j].temp,
 2333                             chans[1].samples[c][j].gain,
 2334                             chans[1].samples[c][j].power,
 2335                             chans[1].samples[c][j].pa_det);
 2336                 }
 2337         }
 2338 }
 2339 #endif
 2340 
 2341 static void
 2342 iwn5000_read_eeprom(struct iwn_softc *sc)
 2343 {
 2344         struct iwn5000_eeprom_calib_hdr hdr;
 2345         int32_t volt;
 2346         uint32_t base, addr;
 2347         uint16_t val;
 2348         int i;
 2349 
 2350         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2351 
 2352         /* Read regulatory domain (4 ASCII characters). */
 2353         iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
 2354         base = le16toh(val);
 2355         iwn_read_prom_data(sc, base + IWN5000_EEPROM_DOMAIN,
 2356             sc->eeprom_domain, 4);
 2357 
 2358         /* Read the list of authorized channels (20MHz & 40MHz). */
 2359         for (i = 0; i < IWN_NBANDS - 1; i++) {
 2360                 addr =  base + sc->base_params->regulatory_bands[i];
 2361                 iwn_read_eeprom_channels(sc, i, addr);
 2362         }
 2363 
 2364         /* Read enhanced TX power information for 6000 Series. */
 2365         if (sc->base_params->enhanced_TX_power)
 2366                 iwn_read_eeprom_enhinfo(sc);
 2367 
 2368         iwn_read_prom_data(sc, IWN5000_EEPROM_CAL, &val, 2);
 2369         base = le16toh(val);
 2370         iwn_read_prom_data(sc, base, &hdr, sizeof hdr);
 2371         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 2372             "%s: calib version=%u pa type=%u voltage=%u\n", __func__,
 2373             hdr.version, hdr.pa_type, le16toh(hdr.volt));
 2374         sc->calib_ver = hdr.version;
 2375 
 2376         if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TEMP_OFFSETv2) {
 2377                 sc->eeprom_voltage = le16toh(hdr.volt);
 2378                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
 2379                 sc->eeprom_temp_high=le16toh(val);
 2380                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
 2381                 sc->eeprom_temp = le16toh(val);
 2382         }
 2383 
 2384         if (sc->hw_type == IWN_HW_REV_TYPE_5150) {
 2385                 /* Compute temperature offset. */
 2386                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
 2387                 sc->eeprom_temp = le16toh(val);
 2388                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
 2389                 volt = le16toh(val);
 2390                 sc->temp_off = sc->eeprom_temp - (volt / -5);
 2391                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "temp=%d volt=%d offset=%dK\n",
 2392                     sc->eeprom_temp, volt, sc->temp_off);
 2393         } else {
 2394                 /* Read crystal calibration. */
 2395                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_CRYSTAL,
 2396                     &sc->eeprom_crystal, sizeof (uint32_t));
 2397                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "crystal calibration 0x%08x\n",
 2398                     le32toh(sc->eeprom_crystal));
 2399         }
 2400 
 2401         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2402 
 2403 }
 2404 
 2405 /*
 2406  * Translate EEPROM flags to net80211.
 2407  */
 2408 static uint32_t
 2409 iwn_eeprom_channel_flags(struct iwn_eeprom_chan *channel)
 2410 {
 2411         uint32_t nflags;
 2412 
 2413         nflags = 0;
 2414         if ((channel->flags & IWN_EEPROM_CHAN_ACTIVE) == 0)
 2415                 nflags |= IEEE80211_CHAN_PASSIVE;
 2416         if ((channel->flags & IWN_EEPROM_CHAN_IBSS) == 0)
 2417                 nflags |= IEEE80211_CHAN_NOADHOC;
 2418         if (channel->flags & IWN_EEPROM_CHAN_RADAR) {
 2419                 nflags |= IEEE80211_CHAN_DFS;
 2420                 /* XXX apparently IBSS may still be marked */
 2421                 nflags |= IEEE80211_CHAN_NOADHOC;
 2422         }
 2423 
 2424         return nflags;
 2425 }
 2426 
 2427 static void
 2428 iwn_read_eeprom_band(struct iwn_softc *sc, int n, int maxchans, int *nchans,
 2429     struct ieee80211_channel chans[])
 2430 {
 2431         struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
 2432         const struct iwn_chan_band *band = &iwn_bands[n];
 2433         uint8_t bands[IEEE80211_MODE_BYTES];
 2434         uint8_t chan;
 2435         int i, error, nflags;
 2436 
 2437         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2438 
 2439         memset(bands, 0, sizeof(bands));
 2440         if (n == 0) {
 2441                 setbit(bands, IEEE80211_MODE_11B);
 2442                 setbit(bands, IEEE80211_MODE_11G);
 2443                 if (sc->sc_flags & IWN_FLAG_HAS_11N)
 2444                         setbit(bands, IEEE80211_MODE_11NG);
 2445         } else {
 2446                 setbit(bands, IEEE80211_MODE_11A);
 2447                 if (sc->sc_flags & IWN_FLAG_HAS_11N)
 2448                         setbit(bands, IEEE80211_MODE_11NA);
 2449         }
 2450 
 2451         for (i = 0; i < band->nchan; i++) {
 2452                 if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
 2453                         DPRINTF(sc, IWN_DEBUG_RESET,
 2454                             "skip chan %d flags 0x%x maxpwr %d\n",
 2455                             band->chan[i], channels[i].flags,
 2456                             channels[i].maxpwr);
 2457                         continue;
 2458                 }
 2459 
 2460                 chan = band->chan[i];
 2461                 nflags = iwn_eeprom_channel_flags(&channels[i]);
 2462                 error = ieee80211_add_channel(chans, maxchans, nchans,
 2463                     chan, 0, channels[i].maxpwr, nflags, bands);
 2464                 if (error != 0)
 2465                         break;
 2466 
 2467                 /* Save maximum allowed TX power for this channel. */
 2468                 /* XXX wrong */
 2469                 sc->maxpwr[chan] = channels[i].maxpwr;
 2470 
 2471                 DPRINTF(sc, IWN_DEBUG_RESET,
 2472                     "add chan %d flags 0x%x maxpwr %d\n", chan,
 2473                     channels[i].flags, channels[i].maxpwr);
 2474         }
 2475 
 2476         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2477 
 2478 }
 2479 
 2480 static void
 2481 iwn_read_eeprom_ht40(struct iwn_softc *sc, int n, int maxchans, int *nchans,
 2482     struct ieee80211_channel chans[])
 2483 {
 2484         struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
 2485         const struct iwn_chan_band *band = &iwn_bands[n];
 2486         uint8_t chan;
 2487         int i, error, nflags;
 2488 
 2489         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s start\n", __func__);
 2490 
 2491         if (!(sc->sc_flags & IWN_FLAG_HAS_11N)) {
 2492                 DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end no 11n\n", __func__);
 2493                 return;
 2494         }
 2495 
 2496         for (i = 0; i < band->nchan; i++) {
 2497                 if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
 2498                         DPRINTF(sc, IWN_DEBUG_RESET,
 2499                             "skip chan %d flags 0x%x maxpwr %d\n",
 2500                             band->chan[i], channels[i].flags,
 2501                             channels[i].maxpwr);
 2502                         continue;
 2503                 }
 2504 
 2505                 chan = band->chan[i];
 2506                 nflags = iwn_eeprom_channel_flags(&channels[i]);
 2507                 nflags |= (n == 5 ? IEEE80211_CHAN_G : IEEE80211_CHAN_A);
 2508                 error = ieee80211_add_channel_ht40(chans, maxchans, nchans,
 2509                     chan, channels[i].maxpwr, nflags);
 2510                 switch (error) {
 2511                 case EINVAL:
 2512                         device_printf(sc->sc_dev,
 2513                             "%s: no entry for channel %d\n", __func__, chan);
 2514                         continue;
 2515                 case ENOENT:
 2516                         DPRINTF(sc, IWN_DEBUG_RESET,
 2517                             "%s: skip chan %d, extension channel not found\n",
 2518                             __func__, chan);
 2519                         continue;
 2520                 case ENOBUFS:
 2521                         device_printf(sc->sc_dev,
 2522                             "%s: channel table is full!\n", __func__);
 2523                         break;
 2524                 case 0:
 2525                         DPRINTF(sc, IWN_DEBUG_RESET,
 2526                             "add ht40 chan %d flags 0x%x maxpwr %d\n",
 2527                             chan, channels[i].flags, channels[i].maxpwr);
 2528                         /* FALLTHROUGH */
 2529                 default:
 2530                         break;
 2531                 }
 2532         }
 2533 
 2534         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2535 
 2536 }
 2537 
 2538 static void
 2539 iwn_read_eeprom_channels(struct iwn_softc *sc, int n, uint32_t addr)
 2540 {
 2541         struct ieee80211com *ic = &sc->sc_ic;
 2542 
 2543         iwn_read_prom_data(sc, addr, &sc->eeprom_channels[n],
 2544             iwn_bands[n].nchan * sizeof (struct iwn_eeprom_chan));
 2545 
 2546         if (n < 5) {
 2547                 iwn_read_eeprom_band(sc, n, IEEE80211_CHAN_MAX, &ic->ic_nchans,
 2548                     ic->ic_channels);
 2549         } else {
 2550                 iwn_read_eeprom_ht40(sc, n, IEEE80211_CHAN_MAX, &ic->ic_nchans,
 2551                     ic->ic_channels);
 2552         }
 2553         ieee80211_sort_channels(ic->ic_channels, ic->ic_nchans);
 2554 }
 2555 
 2556 static struct iwn_eeprom_chan *
 2557 iwn_find_eeprom_channel(struct iwn_softc *sc, struct ieee80211_channel *c)
 2558 {
 2559         int band, chan, i, j;
 2560 
 2561         if (IEEE80211_IS_CHAN_HT40(c)) {
 2562                 band = IEEE80211_IS_CHAN_5GHZ(c) ? 6 : 5;
 2563                 if (IEEE80211_IS_CHAN_HT40D(c))
 2564                         chan = c->ic_extieee;
 2565                 else
 2566                         chan = c->ic_ieee;
 2567                 for (i = 0; i < iwn_bands[band].nchan; i++) {
 2568                         if (iwn_bands[band].chan[i] == chan)
 2569                                 return &sc->eeprom_channels[band][i];
 2570                 }
 2571         } else {
 2572                 for (j = 0; j < 5; j++) {
 2573                         for (i = 0; i < iwn_bands[j].nchan; i++) {
 2574                                 if (iwn_bands[j].chan[i] == c->ic_ieee &&
 2575                                     ((j == 0) ^ IEEE80211_IS_CHAN_A(c)) == 1)
 2576                                         return &sc->eeprom_channels[j][i];
 2577                         }
 2578                 }
 2579         }
 2580         return NULL;
 2581 }
 2582 
 2583 static void
 2584 iwn_getradiocaps(struct ieee80211com *ic,
 2585     int maxchans, int *nchans, struct ieee80211_channel chans[])
 2586 {
 2587         struct iwn_softc *sc = ic->ic_softc;
 2588         int i;
 2589 
 2590         /* Parse the list of authorized channels. */
 2591         for (i = 0; i < 5 && *nchans < maxchans; i++)
 2592                 iwn_read_eeprom_band(sc, i, maxchans, nchans, chans);
 2593         for (i = 5; i < IWN_NBANDS - 1 && *nchans < maxchans; i++)
 2594                 iwn_read_eeprom_ht40(sc, i, maxchans, nchans, chans);
 2595 }
 2596 
 2597 /*
 2598  * Enforce flags read from EEPROM.
 2599  */
 2600 static int
 2601 iwn_setregdomain(struct ieee80211com *ic, struct ieee80211_regdomain *rd,
 2602     int nchan, struct ieee80211_channel chans[])
 2603 {
 2604         struct iwn_softc *sc = ic->ic_softc;
 2605         int i;
 2606 
 2607         for (i = 0; i < nchan; i++) {
 2608                 struct ieee80211_channel *c = &chans[i];
 2609                 struct iwn_eeprom_chan *channel;
 2610 
 2611                 channel = iwn_find_eeprom_channel(sc, c);
 2612                 if (channel == NULL) {
 2613                         ic_printf(ic, "%s: invalid channel %u freq %u/0x%x\n",
 2614                             __func__, c->ic_ieee, c->ic_freq, c->ic_flags);
 2615                         return EINVAL;
 2616                 }
 2617                 c->ic_flags |= iwn_eeprom_channel_flags(channel);
 2618         }
 2619 
 2620         return 0;
 2621 }
 2622 
 2623 static void
 2624 iwn_read_eeprom_enhinfo(struct iwn_softc *sc)
 2625 {
 2626         struct iwn_eeprom_enhinfo enhinfo[35];
 2627         struct ieee80211com *ic = &sc->sc_ic;
 2628         struct ieee80211_channel *c;
 2629         uint16_t val, base;
 2630         int8_t maxpwr;
 2631         uint8_t flags;
 2632         int i, j;
 2633 
 2634         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2635 
 2636         iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
 2637         base = le16toh(val);
 2638         iwn_read_prom_data(sc, base + IWN6000_EEPROM_ENHINFO,
 2639             enhinfo, sizeof enhinfo);
 2640 
 2641         for (i = 0; i < nitems(enhinfo); i++) {
 2642                 flags = enhinfo[i].flags;
 2643                 if (!(flags & IWN_ENHINFO_VALID))
 2644                         continue;       /* Skip invalid entries. */
 2645 
 2646                 maxpwr = 0;
 2647                 if (sc->txchainmask & IWN_ANT_A)
 2648                         maxpwr = MAX(maxpwr, enhinfo[i].chain[0]);
 2649                 if (sc->txchainmask & IWN_ANT_B)
 2650                         maxpwr = MAX(maxpwr, enhinfo[i].chain[1]);
 2651                 if (sc->txchainmask & IWN_ANT_C)
 2652                         maxpwr = MAX(maxpwr, enhinfo[i].chain[2]);
 2653                 if (sc->ntxchains == 2)
 2654                         maxpwr = MAX(maxpwr, enhinfo[i].mimo2);
 2655                 else if (sc->ntxchains == 3)
 2656                         maxpwr = MAX(maxpwr, enhinfo[i].mimo3);
 2657 
 2658                 for (j = 0; j < ic->ic_nchans; j++) {
 2659                         c = &ic->ic_channels[j];
 2660                         if ((flags & IWN_ENHINFO_5GHZ)) {
 2661                                 if (!IEEE80211_IS_CHAN_A(c))
 2662                                         continue;
 2663                         } else if ((flags & IWN_ENHINFO_OFDM)) {
 2664                                 if (!IEEE80211_IS_CHAN_G(c))
 2665                                         continue;
 2666                         } else if (!IEEE80211_IS_CHAN_B(c))
 2667                                 continue;
 2668                         if ((flags & IWN_ENHINFO_HT40)) {
 2669                                 if (!IEEE80211_IS_CHAN_HT40(c))
 2670                                         continue;
 2671                         } else {
 2672                                 if (IEEE80211_IS_CHAN_HT40(c))
 2673                                         continue;
 2674                         }
 2675                         if (enhinfo[i].chan != 0 &&
 2676                             enhinfo[i].chan != c->ic_ieee)
 2677                                 continue;
 2678 
 2679                         DPRINTF(sc, IWN_DEBUG_RESET,
 2680                             "channel %d(%x), maxpwr %d\n", c->ic_ieee,
 2681                             c->ic_flags, maxpwr / 2);
 2682                         c->ic_maxregpower = maxpwr / 2;
 2683                         c->ic_maxpower = maxpwr;
 2684                 }
 2685         }
 2686 
 2687         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end\n", __func__);
 2688 
 2689 }
 2690 
 2691 static struct ieee80211_node *
 2692 iwn_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
 2693 {
 2694         struct iwn_node *wn;
 2695 
 2696         wn = malloc(sizeof (struct iwn_node), M_80211_NODE, M_NOWAIT | M_ZERO);
 2697         if (wn == NULL)
 2698                 return (NULL);
 2699 
 2700         wn->id = IWN_ID_UNDEFINED;
 2701 
 2702         return (&wn->ni);
 2703 }
 2704 
 2705 static __inline int
 2706 rate2plcp(int rate)
 2707 {
 2708         switch (rate & 0xff) {
 2709         case 12:        return 0xd;
 2710         case 18:        return 0xf;
 2711         case 24:        return 0x5;
 2712         case 36:        return 0x7;
 2713         case 48:        return 0x9;
 2714         case 72:        return 0xb;
 2715         case 96:        return 0x1;
 2716         case 108:       return 0x3;
 2717         case 2:         return 10;
 2718         case 4:         return 20;
 2719         case 11:        return 55;
 2720         case 22:        return 110;
 2721         }
 2722         return 0;
 2723 }
 2724 
 2725 static __inline uint8_t
 2726 plcp2rate(const uint8_t rate_plcp)
 2727 {
 2728         switch (rate_plcp) {
 2729         case 0xd:       return 12;
 2730         case 0xf:       return 18;
 2731         case 0x5:       return 24;
 2732         case 0x7:       return 36;
 2733         case 0x9:       return 48;
 2734         case 0xb:       return 72;
 2735         case 0x1:       return 96;
 2736         case 0x3:       return 108;
 2737         case 10:        return 2;
 2738         case 20:        return 4;
 2739         case 55:        return 11;
 2740         case 110:       return 22;
 2741         default:        return 0;
 2742         }
 2743 }
 2744 
 2745 static int
 2746 iwn_get_1stream_tx_antmask(struct iwn_softc *sc)
 2747 {
 2748 
 2749         return IWN_LSB(sc->txchainmask);
 2750 }
 2751 
 2752 static int
 2753 iwn_get_2stream_tx_antmask(struct iwn_softc *sc)
 2754 {
 2755         int tx;
 2756 
 2757         /*
 2758          * The '2 stream' setup is a bit .. odd.
 2759          *
 2760          * For NICs that support only 1 antenna, default to IWN_ANT_AB or
 2761          * the firmware panics (eg Intel 5100.)
 2762          *
 2763          * For NICs that support two antennas, we use ANT_AB.
 2764          *
 2765          * For NICs that support three antennas, we use the two that
 2766          * wasn't the default one.
 2767          *
 2768          * XXX TODO: if bluetooth (full concurrent) is enabled, restrict
 2769          * this to only one antenna.
 2770          */
 2771 
 2772         /* Default - transmit on the other antennas */
 2773         tx = (sc->txchainmask & ~IWN_LSB(sc->txchainmask));
 2774 
 2775         /* Now, if it's zero, set it to IWN_ANT_AB, so to not panic firmware */
 2776         if (tx == 0)
 2777                 tx = IWN_ANT_AB;
 2778 
 2779         /*
 2780          * If the NIC is a two-stream TX NIC, configure the TX mask to
 2781          * the default chainmask
 2782          */
 2783         else if (sc->ntxchains == 2)
 2784                 tx = sc->txchainmask;
 2785 
 2786         return (tx);
 2787 }
 2788 
 2789 
 2790 
 2791 /*
 2792  * Calculate the required PLCP value from the given rate,
 2793  * to the given node.
 2794  *
 2795  * This will take the node configuration (eg 11n, rate table
 2796  * setup, etc) into consideration.
 2797  */
 2798 static uint32_t
 2799 iwn_rate_to_plcp(struct iwn_softc *sc, struct ieee80211_node *ni,
 2800     uint8_t rate)
 2801 {
 2802         struct ieee80211com *ic = ni->ni_ic;
 2803         uint32_t plcp = 0;
 2804         int ridx;
 2805 
 2806         /*
 2807          * If it's an MCS rate, let's set the plcp correctly
 2808          * and set the relevant flags based on the node config.
 2809          */
 2810         if (rate & IEEE80211_RATE_MCS) {
 2811                 /*
 2812                  * Set the initial PLCP value to be between 0->31 for
 2813                  * MCS 0 -> MCS 31, then set the "I'm an MCS rate!"
 2814                  * flag.
 2815                  */
 2816                 plcp = IEEE80211_RV(rate) | IWN_RFLAG_MCS;
 2817 
 2818                 /*
 2819                  * XXX the following should only occur if both
 2820                  * the local configuration _and_ the remote node
 2821                  * advertise these capabilities.  Thus this code
 2822                  * may need fixing!
 2823                  */
 2824 
 2825                 /*
 2826                  * Set the channel width and guard interval.
 2827                  */
 2828                 if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
 2829                         plcp |= IWN_RFLAG_HT40;
 2830                         if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI40)
 2831                                 plcp |= IWN_RFLAG_SGI;
 2832                 } else if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI20) {
 2833                         plcp |= IWN_RFLAG_SGI;
 2834                 }
 2835 
 2836                 /*
 2837                  * Ensure the selected rate matches the link quality
 2838                  * table entries being used.
 2839                  */
 2840                 if (rate > 0x8f)
 2841                         plcp |= IWN_RFLAG_ANT(sc->txchainmask);
 2842                 else if (rate > 0x87)
 2843                         plcp |= IWN_RFLAG_ANT(iwn_get_2stream_tx_antmask(sc));
 2844                 else
 2845                         plcp |= IWN_RFLAG_ANT(iwn_get_1stream_tx_antmask(sc));
 2846         } else {
 2847                 /*
 2848                  * Set the initial PLCP - fine for both
 2849                  * OFDM and CCK rates.
 2850                  */
 2851                 plcp = rate2plcp(rate);
 2852 
 2853                 /* Set CCK flag if it's CCK */
 2854 
 2855                 /* XXX It would be nice to have a method
 2856                  * to map the ridx -> phy table entry
 2857                  * so we could just query that, rather than
 2858                  * this hack to check against IWN_RIDX_OFDM6.
 2859                  */
 2860                 ridx = ieee80211_legacy_rate_lookup(ic->ic_rt,
 2861                     rate & IEEE80211_RATE_VAL);
 2862                 if (ridx < IWN_RIDX_OFDM6 &&
 2863                     IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
 2864                         plcp |= IWN_RFLAG_CCK;
 2865 
 2866                 /* Set antenna configuration */
 2867                 /* XXX TODO: is this the right antenna to use for legacy? */
 2868                 plcp |= IWN_RFLAG_ANT(iwn_get_1stream_tx_antmask(sc));
 2869         }
 2870 
 2871         DPRINTF(sc, IWN_DEBUG_TXRATE, "%s: rate=0x%02x, plcp=0x%08x\n",
 2872             __func__,
 2873             rate,
 2874             plcp);
 2875 
 2876         return (htole32(plcp));
 2877 }
 2878 
 2879 static void
 2880 iwn_newassoc(struct ieee80211_node *ni, int isnew)
 2881 {
 2882         /* Doesn't do anything at the moment */
 2883 }
 2884 
 2885 static int
 2886 iwn_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
 2887 {
 2888         struct iwn_vap *ivp = IWN_VAP(vap);
 2889         struct ieee80211com *ic = vap->iv_ic;
 2890         struct iwn_softc *sc = ic->ic_softc;
 2891         int error = 0;
 2892 
 2893         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 2894 
 2895         DPRINTF(sc, IWN_DEBUG_STATE, "%s: %s -> %s\n", __func__,
 2896             ieee80211_state_name[vap->iv_state], ieee80211_state_name[nstate]);
 2897 
 2898         IEEE80211_UNLOCK(ic);
 2899         IWN_LOCK(sc);
 2900         callout_stop(&sc->calib_to);
 2901 
 2902         sc->rxon = &sc->rx_on[IWN_RXON_BSS_CTX];
 2903 
 2904         switch (nstate) {
 2905         case IEEE80211_S_ASSOC:
 2906                 if (vap->iv_state != IEEE80211_S_RUN)
 2907                         break;
 2908                 /* FALLTHROUGH */
 2909         case IEEE80211_S_AUTH:
 2910                 if (vap->iv_state == IEEE80211_S_AUTH)
 2911                         break;
 2912 
 2913                 /*
 2914                  * !AUTH -> AUTH transition requires state reset to handle
 2915                  * reassociations correctly.
 2916                  */
 2917                 sc->rxon->associd = 0;
 2918                 sc->rxon->filter &= ~htole32(IWN_FILTER_BSS);
 2919                 sc->calib.state = IWN_CALIB_STATE_INIT;
 2920 
 2921                 /* Wait until we hear a beacon before we transmit */
 2922                 if (IEEE80211_IS_CHAN_PASSIVE(ic->ic_curchan))
 2923                         sc->sc_beacon_wait = 1;
 2924 
 2925                 if ((error = iwn_auth(sc, vap)) != 0) {
 2926                         device_printf(sc->sc_dev,
 2927                             "%s: could not move to auth state\n", __func__);
 2928                 }
 2929                 break;
 2930 
 2931         case IEEE80211_S_RUN:
 2932                 /*
 2933                  * RUN -> RUN transition; Just restart the timers.
 2934                  */
 2935                 if (vap->iv_state == IEEE80211_S_RUN) {
 2936                         sc->calib_cnt = 0;
 2937                         break;
 2938                 }
 2939 
 2940                 /* Wait until we hear a beacon before we transmit */
 2941                 if (IEEE80211_IS_CHAN_PASSIVE(ic->ic_curchan))
 2942                         sc->sc_beacon_wait = 1;
 2943 
 2944                 /*
 2945                  * !RUN -> RUN requires setting the association id
 2946                  * which is done with a firmware cmd.  We also defer
 2947                  * starting the timers until that work is done.
 2948                  */
 2949                 if ((error = iwn_run(sc, vap)) != 0) {
 2950                         device_printf(sc->sc_dev,
 2951                             "%s: could not move to run state\n", __func__);
 2952                 }
 2953                 break;
 2954 
 2955         case IEEE80211_S_INIT:
 2956                 sc->calib.state = IWN_CALIB_STATE_INIT;
 2957                 /*
 2958                  * Purge the xmit queue so we don't have old frames
 2959                  * during a new association attempt.
 2960                  */
 2961                 sc->sc_beacon_wait = 0;
 2962                 iwn_xmit_queue_drain(sc);
 2963                 break;
 2964 
 2965         default:
 2966                 break;
 2967         }
 2968         IWN_UNLOCK(sc);
 2969         IEEE80211_LOCK(ic);
 2970         if (error != 0){
 2971                 DPRINTF(sc, IWN_DEBUG_TRACE, "->%s end in error\n", __func__);
 2972                 return error;
 2973         }
 2974 
 2975         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 2976 
 2977         return ivp->iv_newstate(vap, nstate, arg);
 2978 }
 2979 
 2980 static void
 2981 iwn_calib_timeout(void *arg)
 2982 {
 2983         struct iwn_softc *sc = arg;
 2984 
 2985         IWN_LOCK_ASSERT(sc);
 2986 
 2987         /* Force automatic TX power calibration every 60 secs. */
 2988         if (++sc->calib_cnt >= 120) {
 2989                 uint32_t flags = 0;
 2990 
 2991                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s\n",
 2992                     "sending request for statistics");
 2993                 (void)iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags,
 2994                     sizeof flags, 1);
 2995                 sc->calib_cnt = 0;
 2996         }
 2997         callout_reset(&sc->calib_to, msecs_to_ticks(500), iwn_calib_timeout,
 2998             sc);
 2999 }
 3000 
 3001 /*
 3002  * Process an RX_PHY firmware notification.  This is usually immediately
 3003  * followed by an MPDU_RX_DONE notification.
 3004  */
 3005 static void
 3006 iwn_rx_phy(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 3007 {
 3008         struct iwn_rx_stat *stat = (struct iwn_rx_stat *)(desc + 1);
 3009 
 3010         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: received PHY stats\n", __func__);
 3011 
 3012         /* Save RX statistics, they will be used on MPDU_RX_DONE. */
 3013         memcpy(&sc->last_rx_stat, stat, sizeof (*stat));
 3014         sc->last_rx_valid = 1;
 3015 }
 3016 
 3017 /*
 3018  * Process an RX_DONE (4965AGN only) or MPDU_RX_DONE firmware notification.
 3019  * Each MPDU_RX_DONE notification must be preceded by an RX_PHY one.
 3020  */
 3021 static void
 3022 iwn_rx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 3023     struct iwn_rx_data *data)
 3024 {
 3025         struct iwn_ops *ops = &sc->ops;
 3026         struct ieee80211com *ic = &sc->sc_ic;
 3027         struct iwn_rx_ring *ring = &sc->rxq;
 3028         struct ieee80211_frame_min *wh;
 3029         struct ieee80211_node *ni;
 3030         struct mbuf *m, *m1;
 3031         struct iwn_rx_stat *stat;
 3032         caddr_t head;
 3033         bus_addr_t paddr;
 3034         uint32_t flags;
 3035         int error, len, rssi, nf;
 3036 
 3037         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3038 
 3039         if (desc->type == IWN_MPDU_RX_DONE) {
 3040                 /* Check for prior RX_PHY notification. */
 3041                 if (!sc->last_rx_valid) {
 3042                         DPRINTF(sc, IWN_DEBUG_ANY,
 3043                             "%s: missing RX_PHY\n", __func__);
 3044                         return;
 3045                 }
 3046                 stat = &sc->last_rx_stat;
 3047         } else
 3048                 stat = (struct iwn_rx_stat *)(desc + 1);
 3049 
 3050         if (stat->cfg_phy_len > IWN_STAT_MAXLEN) {
 3051                 device_printf(sc->sc_dev,
 3052                     "%s: invalid RX statistic header, len %d\n", __func__,
 3053                     stat->cfg_phy_len);
 3054                 return;
 3055         }
 3056         if (desc->type == IWN_MPDU_RX_DONE) {
 3057                 struct iwn_rx_mpdu *mpdu = (struct iwn_rx_mpdu *)(desc + 1);
 3058                 head = (caddr_t)(mpdu + 1);
 3059                 len = le16toh(mpdu->len);
 3060         } else {
 3061                 head = (caddr_t)(stat + 1) + stat->cfg_phy_len;
 3062                 len = le16toh(stat->len);
 3063         }
 3064 
 3065         flags = le32toh(*(uint32_t *)(head + len));
 3066 
 3067         /* Discard frames with a bad FCS early. */
 3068         if ((flags & IWN_RX_NOERROR) != IWN_RX_NOERROR) {
 3069                 DPRINTF(sc, IWN_DEBUG_RECV, "%s: RX flags error %x\n",
 3070                     __func__, flags);
 3071                 counter_u64_add(ic->ic_ierrors, 1);
 3072                 return;
 3073         }
 3074         /* Discard frames that are too short. */
 3075         if (len < sizeof (struct ieee80211_frame_ack)) {
 3076                 DPRINTF(sc, IWN_DEBUG_RECV, "%s: frame too short: %d\n",
 3077                     __func__, len);
 3078                 counter_u64_add(ic->ic_ierrors, 1);
 3079                 return;
 3080         }
 3081 
 3082         m1 = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, IWN_RBUF_SIZE);
 3083         if (m1 == NULL) {
 3084                 DPRINTF(sc, IWN_DEBUG_ANY, "%s: no mbuf to restock ring\n",
 3085                     __func__);
 3086                 counter_u64_add(ic->ic_ierrors, 1);
 3087                 return;
 3088         }
 3089         bus_dmamap_unload(ring->data_dmat, data->map);
 3090 
 3091         error = bus_dmamap_load(ring->data_dmat, data->map, mtod(m1, void *),
 3092             IWN_RBUF_SIZE, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
 3093         if (error != 0 && error != EFBIG) {
 3094                 device_printf(sc->sc_dev,
 3095                     "%s: bus_dmamap_load failed, error %d\n", __func__, error);
 3096                 m_freem(m1);
 3097 
 3098                 /* Try to reload the old mbuf. */
 3099                 error = bus_dmamap_load(ring->data_dmat, data->map,
 3100                     mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
 3101                     &paddr, BUS_DMA_NOWAIT);
 3102                 if (error != 0 && error != EFBIG) {
 3103                         panic("%s: could not load old RX mbuf", __func__);
 3104                 }
 3105                 bus_dmamap_sync(ring->data_dmat, data->map,
 3106                     BUS_DMASYNC_PREREAD);
 3107                 /* Physical address may have changed. */
 3108                 ring->desc[ring->cur] = htole32(paddr >> 8);
 3109                 bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 3110                     BUS_DMASYNC_PREWRITE);
 3111                 counter_u64_add(ic->ic_ierrors, 1);
 3112                 return;
 3113         }
 3114 
 3115         bus_dmamap_sync(ring->data_dmat, data->map,
 3116             BUS_DMASYNC_PREREAD);
 3117 
 3118         m = data->m;
 3119         data->m = m1;
 3120         /* Update RX descriptor. */
 3121         ring->desc[ring->cur] = htole32(paddr >> 8);
 3122         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 3123             BUS_DMASYNC_PREWRITE);
 3124 
 3125         /* Finalize mbuf. */
 3126         m->m_data = head;
 3127         m->m_pkthdr.len = m->m_len = len;
 3128 
 3129         /* Grab a reference to the source node. */
 3130         wh = mtod(m, struct ieee80211_frame_min *);
 3131         if (len >= sizeof(struct ieee80211_frame_min))
 3132                 ni = ieee80211_find_rxnode(ic, wh);
 3133         else
 3134                 ni = NULL;
 3135         nf = (ni != NULL && ni->ni_vap->iv_state == IEEE80211_S_RUN &&
 3136             (ic->ic_flags & IEEE80211_F_SCAN) == 0) ? sc->noise : -95;
 3137 
 3138         rssi = ops->get_rssi(sc, stat);
 3139 
 3140         if (ieee80211_radiotap_active(ic)) {
 3141                 struct iwn_rx_radiotap_header *tap = &sc->sc_rxtap;
 3142                 uint32_t rate = le32toh(stat->rate);
 3143 
 3144                 tap->wr_flags = 0;
 3145                 if (stat->flags & htole16(IWN_STAT_FLAG_SHPREAMBLE))
 3146                         tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
 3147                 tap->wr_dbm_antsignal = (int8_t)rssi;
 3148                 tap->wr_dbm_antnoise = (int8_t)nf;
 3149                 tap->wr_tsft = stat->tstamp;
 3150                 if (rate & IWN_RFLAG_MCS) {
 3151                         tap->wr_rate = rate & IWN_RFLAG_RATE_MCS;
 3152                         tap->wr_rate |= IEEE80211_RATE_MCS;
 3153                 } else
 3154                         tap->wr_rate = plcp2rate(rate & IWN_RFLAG_RATE);
 3155         }
 3156 
 3157         /*
 3158          * If it's a beacon and we're waiting, then do the
 3159          * wakeup.  This should unblock raw_xmit/start.
 3160          */
 3161         if (sc->sc_beacon_wait) {
 3162                 uint8_t type, subtype;
 3163                 /* NB: Re-assign wh */
 3164                 wh = mtod(m, struct ieee80211_frame_min *);
 3165                 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 3166                 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 3167                 /*
 3168                  * This assumes at this point we've received our own
 3169                  * beacon.
 3170                  */
 3171                 DPRINTF(sc, IWN_DEBUG_TRACE,
 3172                     "%s: beacon_wait, type=%d, subtype=%d\n",
 3173                     __func__, type, subtype);
 3174                 if (type == IEEE80211_FC0_TYPE_MGT &&
 3175                     subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
 3176                         DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT,
 3177                             "%s: waking things up\n", __func__);
 3178                         /* queue taskqueue to transmit! */
 3179                         taskqueue_enqueue(sc->sc_tq, &sc->sc_xmit_task);
 3180                 }
 3181         }
 3182 
 3183         IWN_UNLOCK(sc);
 3184 
 3185         /* Send the frame to the 802.11 layer. */
 3186         if (ni != NULL) {
 3187                 if (ni->ni_flags & IEEE80211_NODE_HT)
 3188                         m->m_flags |= M_AMPDU;
 3189                 (void)ieee80211_input(ni, m, rssi - nf, nf);
 3190                 /* Node is no longer needed. */
 3191                 ieee80211_free_node(ni);
 3192         } else
 3193                 (void)ieee80211_input_all(ic, m, rssi - nf, nf);
 3194 
 3195         IWN_LOCK(sc);
 3196 
 3197         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 3198 
 3199 }
 3200 
 3201 static void
 3202 iwn_agg_tx_complete(struct iwn_softc *sc, struct iwn_tx_ring *ring, int tid,
 3203     int idx, int success)
 3204 {
 3205         struct ieee80211_ratectl_tx_status *txs = &sc->sc_txs;
 3206         struct iwn_tx_data *data = &ring->data[idx];
 3207         struct iwn_node *wn;
 3208         struct mbuf *m;
 3209         struct ieee80211_node *ni;
 3210 
 3211         KASSERT(data->ni != NULL, ("idx %d: no node", idx));
 3212         KASSERT(data->m != NULL, ("idx %d: no mbuf", idx));
 3213 
 3214         /* Unmap and free mbuf. */
 3215         bus_dmamap_sync(ring->data_dmat, data->map,
 3216             BUS_DMASYNC_POSTWRITE);
 3217         bus_dmamap_unload(ring->data_dmat, data->map);
 3218         m = data->m, data->m = NULL;
 3219         ni = data->ni, data->ni = NULL;
 3220         wn = (void *)ni;
 3221 
 3222 #if 0
 3223         /* XXX causes significant performance degradation. */
 3224         txs->flags = IEEE80211_RATECTL_STATUS_SHORT_RETRY |
 3225                      IEEE80211_RATECTL_STATUS_LONG_RETRY;
 3226         txs->long_retries = data->long_retries - 1;
 3227 #else
 3228         txs->flags = IEEE80211_RATECTL_STATUS_SHORT_RETRY;
 3229 #endif
 3230         txs->short_retries = wn->agg[tid].short_retries;
 3231         if (success)
 3232                 txs->status = IEEE80211_RATECTL_TX_SUCCESS;
 3233         else
 3234                 txs->status = IEEE80211_RATECTL_TX_FAIL_UNSPECIFIED;
 3235 
 3236         wn->agg[tid].short_retries = 0;
 3237         data->long_retries = 0;
 3238 
 3239         DPRINTF(sc, IWN_DEBUG_AMPDU, "%s: freeing m %p ni %p idx %d qid %d\n",
 3240             __func__, m, ni, idx, ring->qid);
 3241         ieee80211_ratectl_tx_complete(ni, txs);
 3242         ieee80211_tx_complete(ni, m, !success);
 3243 }
 3244 
 3245 /* Process an incoming Compressed BlockAck. */
 3246 static void
 3247 iwn_rx_compressed_ba(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 3248 {
 3249         struct iwn_tx_ring *ring;
 3250         struct iwn_tx_data *data;
 3251         struct iwn_node *wn;
 3252         struct iwn_compressed_ba *ba = (struct iwn_compressed_ba *)(desc + 1);
 3253         struct ieee80211_tx_ampdu *tap;
 3254         uint64_t bitmap;
 3255         uint8_t tid;
 3256         int i, qid, shift;
 3257         int tx_ok = 0;
 3258 
 3259         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3260 
 3261         qid = le16toh(ba->qid);
 3262         tap = sc->qid2tap[qid];
 3263         ring = &sc->txq[qid];
 3264         tid = tap->txa_tid;
 3265         wn = (void *)tap->txa_ni;
 3266 
 3267         DPRINTF(sc, IWN_DEBUG_AMPDU, "%s: qid %d tid %d seq %04X ssn %04X\n"
 3268             "bitmap: ba %016jX wn %016jX, start %d\n",
 3269             __func__, qid, tid, le16toh(ba->seq), le16toh(ba->ssn),
 3270             (uintmax_t)le64toh(ba->bitmap), (uintmax_t)wn->agg[tid].bitmap,
 3271             wn->agg[tid].startidx);
 3272 
 3273         if (wn->agg[tid].bitmap == 0)
 3274                 return;
 3275 
 3276         shift = wn->agg[tid].startidx - ((le16toh(ba->seq) >> 4) & 0xff);
 3277         if (shift <= -64)
 3278                 shift += 0x100;
 3279 
 3280         /*
 3281          * Walk the bitmap and calculate how many successful attempts
 3282          * are made.
 3283          *
 3284          * Yes, the rate control code doesn't know these are A-MPDU
 3285          * subframes; due to that long_retries stats are not used here.
 3286          */
 3287         bitmap = le64toh(ba->bitmap);
 3288         if (shift >= 0)
 3289                 bitmap >>= shift;
 3290         else
 3291                 bitmap <<= -shift;
 3292         bitmap &= wn->agg[tid].bitmap;
 3293         wn->agg[tid].bitmap = 0;
 3294 
 3295         for (i = wn->agg[tid].startidx;
 3296              bitmap;
 3297              bitmap >>= 1, i = (i + 1) % IWN_TX_RING_COUNT) {
 3298                 if ((bitmap & 1) == 0)
 3299                         continue;
 3300 
 3301                 data = &ring->data[i];
 3302                 if (__predict_false(data->m == NULL)) {
 3303                         /*
 3304                          * There is no frame; skip this entry.
 3305                          *
 3306                          * NB: it is "ok" to have both
 3307                          * 'tx done' + 'compressed BA' replies for frame
 3308                          * with STATE_SCD_QUERY status.
 3309                          */
 3310                         DPRINTF(sc, IWN_DEBUG_AMPDU,
 3311                             "%s: ring %d: no entry %d\n", __func__, qid, i);
 3312                         continue;
 3313                 }
 3314 
 3315                 tx_ok++;
 3316                 iwn_agg_tx_complete(sc, ring, tid, i, 1);
 3317         }
 3318 
 3319         ring->queued -= tx_ok;
 3320         iwn_check_tx_ring(sc, qid);
 3321 
 3322         DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_AMPDU,
 3323             "->%s: end; %d ok\n",__func__, tx_ok);
 3324 }
 3325 
 3326 /*
 3327  * Process a CALIBRATION_RESULT notification sent by the initialization
 3328  * firmware on response to a CMD_CALIB_CONFIG command (5000 only).
 3329  */
 3330 static void
 3331 iwn5000_rx_calib_results(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 3332 {
 3333         struct iwn_phy_calib *calib = (struct iwn_phy_calib *)(desc + 1);
 3334         int len, idx = -1;
 3335 
 3336         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3337 
 3338         /* Runtime firmware should not send such a notification. */
 3339         if (sc->sc_flags & IWN_FLAG_CALIB_DONE){
 3340                 DPRINTF(sc, IWN_DEBUG_TRACE,
 3341                     "->%s received after calib done\n", __func__);
 3342                 return;
 3343         }
 3344         len = (le32toh(desc->len) & 0x3fff) - 4;
 3345 
 3346         switch (calib->code) {
 3347         case IWN5000_PHY_CALIB_DC:
 3348                 if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_DC)
 3349                         idx = 0;
 3350                 break;
 3351         case IWN5000_PHY_CALIB_LO:
 3352                 if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_LO)
 3353                         idx = 1;
 3354                 break;
 3355         case IWN5000_PHY_CALIB_TX_IQ:
 3356                 if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TX_IQ)
 3357                         idx = 2;
 3358                 break;
 3359         case IWN5000_PHY_CALIB_TX_IQ_PERIODIC:
 3360                 if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_TX_IQ_PERIODIC)
 3361                         idx = 3;
 3362                 break;
 3363         case IWN5000_PHY_CALIB_BASE_BAND:
 3364                 if (sc->base_params->calib_need & IWN_FLG_NEED_PHY_CALIB_BASE_BAND)
 3365                         idx = 4;
 3366                 break;
 3367         }
 3368         if (idx == -1)  /* Ignore other results. */
 3369                 return;
 3370 
 3371         /* Save calibration result. */
 3372         if (sc->calibcmd[idx].buf != NULL)
 3373                 free(sc->calibcmd[idx].buf, M_DEVBUF);
 3374         sc->calibcmd[idx].buf = malloc(len, M_DEVBUF, M_NOWAIT);
 3375         if (sc->calibcmd[idx].buf == NULL) {
 3376                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 3377                     "not enough memory for calibration result %d\n",
 3378                     calib->code);
 3379                 return;
 3380         }
 3381         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 3382             "saving calibration result idx=%d, code=%d len=%d\n", idx, calib->code, len);
 3383         sc->calibcmd[idx].len = len;
 3384         memcpy(sc->calibcmd[idx].buf, calib, len);
 3385 }
 3386 
 3387 static void
 3388 iwn_stats_update(struct iwn_softc *sc, struct iwn_calib_state *calib,
 3389     struct iwn_stats *stats, int len)
 3390 {
 3391         struct iwn_stats_bt *stats_bt;
 3392         struct iwn_stats *lstats;
 3393 
 3394         /*
 3395          * First - check whether the length is the bluetooth or normal.
 3396          *
 3397          * If it's normal - just copy it and bump out.
 3398          * Otherwise we have to convert things.
 3399          */
 3400 
 3401         if (len == sizeof(struct iwn_stats) + 4) {
 3402                 memcpy(&sc->last_stat, stats, sizeof(struct iwn_stats));
 3403                 sc->last_stat_valid = 1;
 3404                 return;
 3405         }
 3406 
 3407         /*
 3408          * If it's not the bluetooth size - log, then just copy.
 3409          */
 3410         if (len != sizeof(struct iwn_stats_bt) + 4) {
 3411                 DPRINTF(sc, IWN_DEBUG_STATS,
 3412                     "%s: size of rx statistics (%d) not an expected size!\n",
 3413                     __func__,
 3414                     len);
 3415                 memcpy(&sc->last_stat, stats, sizeof(struct iwn_stats));
 3416                 sc->last_stat_valid = 1;
 3417                 return;
 3418         }
 3419 
 3420         /*
 3421          * Ok. Time to copy.
 3422          */
 3423         stats_bt = (struct iwn_stats_bt *) stats;
 3424         lstats = &sc->last_stat;
 3425 
 3426         /* flags */
 3427         lstats->flags = stats_bt->flags;
 3428         /* rx_bt */
 3429         memcpy(&lstats->rx.ofdm, &stats_bt->rx_bt.ofdm,
 3430             sizeof(struct iwn_rx_phy_stats));
 3431         memcpy(&lstats->rx.cck, &stats_bt->rx_bt.cck,
 3432             sizeof(struct iwn_rx_phy_stats));
 3433         memcpy(&lstats->rx.general, &stats_bt->rx_bt.general_bt.common,
 3434             sizeof(struct iwn_rx_general_stats));
 3435         memcpy(&lstats->rx.ht, &stats_bt->rx_bt.ht,
 3436             sizeof(struct iwn_rx_ht_phy_stats));
 3437         /* tx */
 3438         memcpy(&lstats->tx, &stats_bt->tx,
 3439             sizeof(struct iwn_tx_stats));
 3440         /* general */
 3441         memcpy(&lstats->general, &stats_bt->general,
 3442             sizeof(struct iwn_general_stats));
 3443 
 3444         /* XXX TODO: Squirrel away the extra bluetooth stats somewhere */
 3445         sc->last_stat_valid = 1;
 3446 }
 3447 
 3448 /*
 3449  * Process an RX_STATISTICS or BEACON_STATISTICS firmware notification.
 3450  * The latter is sent by the firmware after each received beacon.
 3451  */
 3452 static void
 3453 iwn_rx_statistics(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 3454 {
 3455         struct iwn_ops *ops = &sc->ops;
 3456         struct ieee80211com *ic = &sc->sc_ic;
 3457         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 3458         struct iwn_calib_state *calib = &sc->calib;
 3459         struct iwn_stats *stats = (struct iwn_stats *)(desc + 1);
 3460         struct iwn_stats *lstats;
 3461         int temp;
 3462 
 3463         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3464 
 3465         /* Ignore statistics received during a scan. */
 3466         if (vap->iv_state != IEEE80211_S_RUN ||
 3467             (ic->ic_flags & IEEE80211_F_SCAN)){
 3468                 DPRINTF(sc, IWN_DEBUG_TRACE, "->%s received during calib\n",
 3469             __func__);
 3470                 return;
 3471         }
 3472 
 3473         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_STATS,
 3474             "%s: received statistics, cmd %d, len %d\n",
 3475             __func__, desc->type, le16toh(desc->len));
 3476         sc->calib_cnt = 0;      /* Reset TX power calibration timeout. */
 3477 
 3478         /*
 3479          * Collect/track general statistics for reporting.
 3480          *
 3481          * This takes care of ensuring that the bluetooth sized message
 3482          * will be correctly converted to the legacy sized message.
 3483          */
 3484         iwn_stats_update(sc, calib, stats, le16toh(desc->len));
 3485 
 3486         /*
 3487          * And now, let's take a reference of it to use!
 3488          */
 3489         lstats = &sc->last_stat;
 3490 
 3491         /* Test if temperature has changed. */
 3492         if (lstats->general.temp != sc->rawtemp) {
 3493                 /* Convert "raw" temperature to degC. */
 3494                 sc->rawtemp = stats->general.temp;
 3495                 temp = ops->get_temperature(sc);
 3496                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: temperature %d\n",
 3497                     __func__, temp);
 3498 
 3499                 /* Update TX power if need be (4965AGN only). */
 3500                 if (sc->hw_type == IWN_HW_REV_TYPE_4965)
 3501                         iwn4965_power_calibration(sc, temp);
 3502         }
 3503 
 3504         if (desc->type != IWN_BEACON_STATISTICS)
 3505                 return; /* Reply to a statistics request. */
 3506 
 3507         sc->noise = iwn_get_noise(&lstats->rx.general);
 3508         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: noise %d\n", __func__, sc->noise);
 3509 
 3510         /* Test that RSSI and noise are present in stats report. */
 3511         if (le32toh(lstats->rx.general.flags) != 1) {
 3512                 DPRINTF(sc, IWN_DEBUG_ANY, "%s\n",
 3513                     "received statistics without RSSI");
 3514                 return;
 3515         }
 3516 
 3517         if (calib->state == IWN_CALIB_STATE_ASSOC)
 3518                 iwn_collect_noise(sc, &lstats->rx.general);
 3519         else if (calib->state == IWN_CALIB_STATE_RUN) {
 3520                 iwn_tune_sensitivity(sc, &lstats->rx);
 3521                 /*
 3522                  * XXX TODO: Only run the RX recovery if we're associated!
 3523                  */
 3524                 iwn_check_rx_recovery(sc, lstats);
 3525                 iwn_save_stats_counters(sc, lstats);
 3526         }
 3527 
 3528         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 3529 }
 3530 
 3531 /*
 3532  * Save the relevant statistic counters for the next calibration
 3533  * pass.
 3534  */
 3535 static void
 3536 iwn_save_stats_counters(struct iwn_softc *sc, const struct iwn_stats *rs)
 3537 {
 3538         struct iwn_calib_state *calib = &sc->calib;
 3539 
 3540         /* Save counters values for next call. */
 3541         calib->bad_plcp_cck = le32toh(rs->rx.cck.bad_plcp);
 3542         calib->fa_cck = le32toh(rs->rx.cck.fa);
 3543         calib->bad_plcp_ht = le32toh(rs->rx.ht.bad_plcp);
 3544         calib->bad_plcp_ofdm = le32toh(rs->rx.ofdm.bad_plcp);
 3545         calib->fa_ofdm = le32toh(rs->rx.ofdm.fa);
 3546 
 3547         /* Last time we received these tick values */
 3548         sc->last_calib_ticks = ticks;
 3549 }
 3550 
 3551 /*
 3552  * Process a TX_DONE firmware notification.  Unfortunately, the 4965AGN
 3553  * and 5000 adapters have different incompatible TX status formats.
 3554  */
 3555 static void
 3556 iwn4965_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 3557     struct iwn_rx_data *data)
 3558 {
 3559         struct iwn4965_tx_stat *stat = (struct iwn4965_tx_stat *)(desc + 1);
 3560         int qid = desc->qid & IWN_RX_DESC_QID_MSK;
 3561 
 3562         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
 3563             "qid %d idx %d RTS retries %d ACK retries %d nkill %d rate %x duration %d status %x\n",
 3564             __func__, desc->qid, desc->idx,
 3565             stat->rtsfailcnt,
 3566             stat->ackfailcnt,
 3567             stat->btkillcnt,
 3568             stat->rate, le16toh(stat->duration),
 3569             le32toh(stat->status));
 3570 
 3571         if (qid >= sc->firstaggqueue && stat->nframes != 1) {
 3572                 iwn_ampdu_tx_done(sc, qid, stat->nframes, stat->rtsfailcnt,
 3573                     &stat->status);
 3574         } else {
 3575                 iwn_tx_done(sc, desc, stat->rtsfailcnt, stat->ackfailcnt,
 3576                     le32toh(stat->status) & 0xff);
 3577         }
 3578 }
 3579 
 3580 static void
 3581 iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 3582     struct iwn_rx_data *data)
 3583 {
 3584         struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc + 1);
 3585         int qid = desc->qid & IWN_RX_DESC_QID_MSK;
 3586 
 3587         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
 3588             "qid %d idx %d RTS retries %d ACK retries %d nkill %d rate %x duration %d status %x\n",
 3589             __func__, desc->qid, desc->idx,
 3590             stat->rtsfailcnt,
 3591             stat->ackfailcnt,
 3592             stat->btkillcnt,
 3593             stat->rate, le16toh(stat->duration),
 3594             le32toh(stat->status));
 3595 
 3596 #ifdef notyet
 3597         /* Reset TX scheduler slot. */
 3598         iwn5000_reset_sched(sc, qid, desc->idx);
 3599 #endif
 3600 
 3601         if (qid >= sc->firstaggqueue && stat->nframes != 1) {
 3602                 iwn_ampdu_tx_done(sc, qid, stat->nframes, stat->rtsfailcnt,
 3603                     &stat->status);
 3604         } else {
 3605                 iwn_tx_done(sc, desc, stat->rtsfailcnt, stat->ackfailcnt,
 3606                     le16toh(stat->status) & 0xff);
 3607         }
 3608 }
 3609 
 3610 static void
 3611 iwn_adj_ampdu_ptr(struct iwn_softc *sc, struct iwn_tx_ring *ring)
 3612 {
 3613         int i;
 3614 
 3615         for (i = ring->read; i != ring->cur; i = (i + 1) % IWN_TX_RING_COUNT) {
 3616                 struct iwn_tx_data *data = &ring->data[i];
 3617 
 3618                 if (data->m != NULL)
 3619                         break;
 3620 
 3621                 data->remapped = 0;
 3622         }
 3623 
 3624         ring->read = i;
 3625 }
 3626 
 3627 /*
 3628  * Adapter-independent backend for TX_DONE firmware notifications.
 3629  */
 3630 static void
 3631 iwn_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc, int rtsfailcnt,
 3632     int ackfailcnt, uint8_t status)
 3633 {
 3634         struct ieee80211_ratectl_tx_status *txs = &sc->sc_txs;
 3635         struct iwn_tx_ring *ring = &sc->txq[desc->qid & IWN_RX_DESC_QID_MSK];
 3636         struct iwn_tx_data *data = &ring->data[desc->idx];
 3637         struct mbuf *m;
 3638         struct ieee80211_node *ni;
 3639 
 3640         if (__predict_false(data->m == NULL &&
 3641             ring->qid >= sc->firstaggqueue)) {
 3642                 /*
 3643                  * There is no frame; skip this entry.
 3644                  */
 3645                 DPRINTF(sc, IWN_DEBUG_AMPDU, "%s: ring %d: no entry %d\n",
 3646                     __func__, ring->qid, desc->idx);
 3647                 return;
 3648         }
 3649 
 3650         KASSERT(data->ni != NULL, ("no node"));
 3651         KASSERT(data->m != NULL, ("no mbuf"));
 3652 
 3653         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3654 
 3655         /* Unmap and free mbuf. */
 3656         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTWRITE);
 3657         bus_dmamap_unload(ring->data_dmat, data->map);
 3658         m = data->m, data->m = NULL;
 3659         ni = data->ni, data->ni = NULL;
 3660 
 3661         data->long_retries = 0;
 3662 
 3663         if (ring->qid >= sc->firstaggqueue)
 3664                 iwn_adj_ampdu_ptr(sc, ring);
 3665 
 3666         /*
 3667          * XXX f/w may hang (device timeout) when desc->idx - ring->read == 64
 3668          * (aggregation queues only).
 3669          */
 3670 
 3671         ring->queued--;
 3672         iwn_check_tx_ring(sc, ring->qid);
 3673 
 3674         /*
 3675          * Update rate control statistics for the node.
 3676          */
 3677         txs->flags = IEEE80211_RATECTL_STATUS_SHORT_RETRY |
 3678                      IEEE80211_RATECTL_STATUS_LONG_RETRY;
 3679         txs->short_retries = rtsfailcnt;
 3680         txs->long_retries = ackfailcnt;
 3681         if (!(status & IWN_TX_FAIL))
 3682                 txs->status = IEEE80211_RATECTL_TX_SUCCESS;
 3683         else {
 3684                 switch (status) {
 3685                 case IWN_TX_FAIL_SHORT_LIMIT:
 3686                         txs->status = IEEE80211_RATECTL_TX_FAIL_SHORT;
 3687                         break;
 3688                 case IWN_TX_FAIL_LONG_LIMIT:
 3689                         txs->status = IEEE80211_RATECTL_TX_FAIL_LONG;
 3690                         break;
 3691                 case IWN_TX_STATUS_FAIL_LIFE_EXPIRE:
 3692                         txs->status = IEEE80211_RATECTL_TX_FAIL_EXPIRED;
 3693                         break;
 3694                 default:
 3695                         txs->status = IEEE80211_RATECTL_TX_FAIL_UNSPECIFIED;
 3696                         break;
 3697                 }
 3698         }
 3699         ieee80211_ratectl_tx_complete(ni, txs);
 3700 
 3701         /*
 3702          * Channels marked for "radar" require traffic to be received
 3703          * to unlock before we can transmit.  Until traffic is seen
 3704          * any attempt to transmit is returned immediately with status
 3705          * set to IWN_TX_FAIL_TX_LOCKED.  Unfortunately this can easily
 3706          * happen on first authenticate after scanning.  To workaround
 3707          * this we ignore a failure of this sort in AUTH state so the
 3708          * 802.11 layer will fall back to using a timeout to wait for
 3709          * the AUTH reply.  This allows the firmware time to see
 3710          * traffic so a subsequent retry of AUTH succeeds.  It's
 3711          * unclear why the firmware does not maintain state for
 3712          * channels recently visited as this would allow immediate
 3713          * use of the channel after a scan (where we see traffic).
 3714          */
 3715         if (status == IWN_TX_FAIL_TX_LOCKED &&
 3716             ni->ni_vap->iv_state == IEEE80211_S_AUTH)
 3717                 ieee80211_tx_complete(ni, m, 0);
 3718         else
 3719                 ieee80211_tx_complete(ni, m,
 3720                     (status & IWN_TX_FAIL) != 0);
 3721 
 3722         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 3723 }
 3724 
 3725 /*
 3726  * Process a "command done" firmware notification.  This is where we wakeup
 3727  * processes waiting for a synchronous command completion.
 3728  */
 3729 static void
 3730 iwn_cmd_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 3731 {
 3732         struct iwn_tx_ring *ring;
 3733         struct iwn_tx_data *data;
 3734         int cmd_queue_num;
 3735 
 3736         if (sc->sc_flags & IWN_FLAG_PAN_SUPPORT)
 3737                 cmd_queue_num = IWN_PAN_CMD_QUEUE;
 3738         else
 3739                 cmd_queue_num = IWN_CMD_QUEUE_NUM;
 3740 
 3741         if ((desc->qid & IWN_RX_DESC_QID_MSK) != cmd_queue_num)
 3742                 return; /* Not a command ack. */
 3743 
 3744         ring = &sc->txq[cmd_queue_num];
 3745         data = &ring->data[desc->idx];
 3746 
 3747         /* If the command was mapped in an mbuf, free it. */
 3748         if (data->m != NULL) {
 3749                 bus_dmamap_sync(ring->data_dmat, data->map,
 3750                     BUS_DMASYNC_POSTWRITE);
 3751                 bus_dmamap_unload(ring->data_dmat, data->map);
 3752                 m_freem(data->m);
 3753                 data->m = NULL;
 3754         }
 3755         wakeup(&ring->desc[desc->idx]);
 3756 }
 3757 
 3758 static int
 3759 iwn_ampdu_check_bitmap(uint64_t bitmap, int start, int idx)
 3760 {
 3761         int bit, shift;
 3762 
 3763         bit = idx - start;
 3764         shift = 0;
 3765         if (bit >= 64) {
 3766                 shift = 0x100 - bit;
 3767                 bit = 0;
 3768         } else if (bit <= -64)
 3769                 bit = 0x100 + bit;
 3770         else if (bit < 0) {
 3771                 shift = -bit;
 3772                 bit = 0;
 3773         }
 3774 
 3775         if (bit - shift >= 64)
 3776                 return (0);
 3777 
 3778         return ((bitmap & (1ULL << (bit - shift))) != 0);
 3779 }
 3780 
 3781 /*
 3782  * Firmware bug workaround: in case if 'retries' counter
 3783  * overflows 'seqno' field will be incremented:
 3784  *    status|sequence|status|sequence|status|sequence
 3785  *     0000    0A48    0001    0A49    0000    0A6A
 3786  *     1000    0A48    1000    0A49    1000    0A6A
 3787  *     2000    0A48    2000    0A49    2000    0A6A
 3788  * ...
 3789  *     E000    0A48    E000    0A49    E000    0A6A
 3790  *     F000    0A48    F000    0A49    F000    0A6A
 3791  *     0000    0A49    0000    0A49    0000    0A6B
 3792  *     1000    0A49    1000    0A49    1000    0A6B
 3793  * ...
 3794  *     D000    0A49    D000    0A49    D000    0A6B
 3795  *     E000    0A49    E001    0A49    E000    0A6B
 3796  *     F000    0A49    F001    0A49    F000    0A6B
 3797  *     0000    0A4A    0000    0A4B    0000    0A6A
 3798  *     1000    0A4A    1000    0A4B    1000    0A6A
 3799  * ...
 3800  *
 3801  * Odd 'seqno' numbers are incremened by 2 every 2 overflows.
 3802  * For even 'seqno' % 4 != 0 overflow is cyclic (0 -> +1 -> 0).
 3803  * Not checked with nretries >= 64.
 3804  *
 3805  */
 3806 static int
 3807 iwn_ampdu_index_check(struct iwn_softc *sc, struct iwn_tx_ring *ring,
 3808     uint64_t bitmap, int start, int idx)
 3809 {
 3810         struct ieee80211com *ic = &sc->sc_ic;
 3811         struct iwn_tx_data *data;
 3812         int diff, min_retries, max_retries, new_idx, loop_end;
 3813 
 3814         new_idx = idx - IWN_LONG_RETRY_LIMIT_LOG;
 3815         if (new_idx < 0)
 3816                 new_idx += IWN_TX_RING_COUNT;
 3817 
 3818         /*
 3819          * Corner case: check if retry count is not too big;
 3820          * reset device otherwise.
 3821          */
 3822         if (!iwn_ampdu_check_bitmap(bitmap, start, new_idx)) {
 3823                 data = &ring->data[new_idx];
 3824                 if (data->long_retries > IWN_LONG_RETRY_LIMIT) {
 3825                         device_printf(sc->sc_dev,
 3826                             "%s: retry count (%d) for idx %d/%d overflow, "
 3827                             "resetting...\n", __func__, data->long_retries,
 3828                             ring->qid, new_idx);
 3829                         ieee80211_restart_all(ic);
 3830                         return (-1);
 3831                 }
 3832         }
 3833 
 3834         /* Correct index if needed. */
 3835         loop_end = idx;
 3836         do {
 3837                 data = &ring->data[new_idx];
 3838                 diff = idx - new_idx;
 3839                 if (diff < 0)
 3840                         diff += IWN_TX_RING_COUNT;
 3841 
 3842                 min_retries = IWN_LONG_RETRY_FW_OVERFLOW * diff;
 3843                 if ((new_idx % 2) == 0)
 3844                         max_retries = IWN_LONG_RETRY_FW_OVERFLOW * (diff + 1);
 3845                 else
 3846                         max_retries = IWN_LONG_RETRY_FW_OVERFLOW * (diff + 2);
 3847 
 3848                 if (!iwn_ampdu_check_bitmap(bitmap, start, new_idx) &&
 3849                     ((data->long_retries >= min_retries &&
 3850                       data->long_retries < max_retries) ||
 3851                      (diff == 1 &&
 3852                       (new_idx & 0x03) == 0x02 &&
 3853                       data->long_retries >= IWN_LONG_RETRY_FW_OVERFLOW))) {
 3854                         DPRINTF(sc, IWN_DEBUG_AMPDU,
 3855                             "%s: correcting index %d -> %d in queue %d"
 3856                             " (retries %d)\n", __func__, idx, new_idx,
 3857                             ring->qid, data->long_retries);
 3858                         return (new_idx);
 3859                 }
 3860 
 3861                 new_idx = (new_idx + 1) % IWN_TX_RING_COUNT;
 3862         } while (new_idx != loop_end);
 3863 
 3864         return (idx);
 3865 }
 3866 
 3867 static void
 3868 iwn_ampdu_tx_done(struct iwn_softc *sc, int qid, int nframes, int rtsfailcnt,
 3869     void *stat)
 3870 {
 3871         struct iwn_tx_ring *ring = &sc->txq[qid];
 3872         struct ieee80211_tx_ampdu *tap = sc->qid2tap[qid];
 3873         struct iwn_node *wn = (void *)tap->txa_ni;
 3874         struct iwn_tx_data *data;
 3875         uint64_t bitmap = 0;
 3876         uint16_t *aggstatus = stat;
 3877         uint8_t tid = tap->txa_tid;
 3878         int bit, i, idx, shift, start, tx_err;
 3879 
 3880         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 3881 
 3882         start = le16toh(*(aggstatus + nframes * 2)) & 0xff;
 3883 
 3884         for (i = 0; i < nframes; i++) {
 3885                 uint16_t status = le16toh(aggstatus[i * 2]);
 3886 
 3887                 if (status & IWN_AGG_TX_STATE_IGNORE_MASK)
 3888                         continue;
 3889 
 3890                 idx = le16toh(aggstatus[i * 2 + 1]) & 0xff;
 3891                 data = &ring->data[idx];
 3892                 if (data->remapped) {
 3893                         idx = iwn_ampdu_index_check(sc, ring, bitmap, start, idx);
 3894                         if (idx == -1) {
 3895                                 /* skip error (device will be restarted anyway). */
 3896                                 continue;
 3897                         }
 3898 
 3899                         /* Index may have changed. */
 3900                         data = &ring->data[idx];
 3901                 }
 3902 
 3903                 /*
 3904                  * XXX Sometimes (rarely) some frames are excluded from events.
 3905                  * XXX Due to that long_retries counter may be wrong.
 3906                  */
 3907                 data->long_retries &= ~0x0f;
 3908                 data->long_retries += IWN_AGG_TX_TRY_COUNT(status) + 1;
 3909 
 3910                 if (data->long_retries >= IWN_LONG_RETRY_FW_OVERFLOW) {
 3911                         int diff, wrong_idx;
 3912 
 3913                         diff = data->long_retries / IWN_LONG_RETRY_FW_OVERFLOW;
 3914                         wrong_idx = (idx + diff) % IWN_TX_RING_COUNT;
 3915 
 3916                         /*
 3917                          * Mark the entry so the above code will check it
 3918                          * next time.
 3919                          */
 3920                         ring->data[wrong_idx].remapped = 1;
 3921                 }
 3922 
 3923                 if (status & IWN_AGG_TX_STATE_UNDERRUN_MSK) {
 3924                         /*
 3925                          * NB: count retries but postpone - it was not
 3926                          * transmitted.
 3927                          */
 3928                         continue;
 3929                 }
 3930 
 3931                 bit = idx - start;
 3932                 shift = 0;
 3933                 if (bit >= 64) {
 3934                         shift = 0x100 - bit;
 3935                         bit = 0;
 3936                 } else if (bit <= -64)
 3937                         bit = 0x100 + bit;
 3938                 else if (bit < 0) {
 3939                         shift = -bit;
 3940                         bit = 0;
 3941                 }
 3942                 bitmap = bitmap << shift;
 3943                 bitmap |= 1ULL << bit;
 3944         }
 3945         wn->agg[tid].startidx = start;
 3946         wn->agg[tid].bitmap = bitmap;
 3947         wn->agg[tid].short_retries = rtsfailcnt;
 3948 
 3949         DPRINTF(sc, IWN_DEBUG_AMPDU, "%s: nframes %d start %d bitmap %016jX\n",
 3950             __func__, nframes, start, (uintmax_t)bitmap);
 3951 
 3952         i = ring->read;
 3953 
 3954         for (tx_err = 0;
 3955              i != wn->agg[tid].startidx;
 3956              i = (i + 1) % IWN_TX_RING_COUNT) {
 3957                 data = &ring->data[i];
 3958                 data->remapped = 0;
 3959                 if (data->m == NULL)
 3960                         continue;
 3961 
 3962                 tx_err++;
 3963                 iwn_agg_tx_complete(sc, ring, tid, i, 0);
 3964         }
 3965 
 3966         ring->read = wn->agg[tid].startidx;
 3967         ring->queued -= tx_err;
 3968 
 3969         iwn_check_tx_ring(sc, qid);
 3970 
 3971         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 3972 }
 3973 
 3974 /*
 3975  * Process an INT_FH_RX or INT_SW_RX interrupt.
 3976  */
 3977 static void
 3978 iwn_notif_intr(struct iwn_softc *sc)
 3979 {
 3980         struct iwn_ops *ops = &sc->ops;
 3981         struct ieee80211com *ic = &sc->sc_ic;
 3982         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 3983         uint16_t hw;
 3984         int is_stopped;
 3985 
 3986         bus_dmamap_sync(sc->rxq.stat_dma.tag, sc->rxq.stat_dma.map,
 3987             BUS_DMASYNC_POSTREAD);
 3988 
 3989         hw = le16toh(sc->rxq.stat->closed_count) & 0xfff;
 3990         while (sc->rxq.cur != hw) {
 3991                 struct iwn_rx_data *data = &sc->rxq.data[sc->rxq.cur];
 3992                 struct iwn_rx_desc *desc;
 3993 
 3994                 bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 3995                     BUS_DMASYNC_POSTREAD);
 3996                 desc = mtod(data->m, struct iwn_rx_desc *);
 3997 
 3998                 DPRINTF(sc, IWN_DEBUG_RECV,
 3999                     "%s: cur=%d; qid %x idx %d flags %x type %d(%s) len %d\n",
 4000                     __func__, sc->rxq.cur, desc->qid & IWN_RX_DESC_QID_MSK,
 4001                     desc->idx, desc->flags, desc->type,
 4002                     iwn_intr_str(desc->type), le16toh(desc->len));
 4003 
 4004                 if (!(desc->qid & IWN_UNSOLICITED_RX_NOTIF))    /* Reply to a command. */
 4005                         iwn_cmd_done(sc, desc);
 4006 
 4007                 switch (desc->type) {
 4008                 case IWN_RX_PHY:
 4009                         iwn_rx_phy(sc, desc);
 4010                         break;
 4011 
 4012                 case IWN_RX_DONE:               /* 4965AGN only. */
 4013                 case IWN_MPDU_RX_DONE:
 4014                         /* An 802.11 frame has been received. */
 4015                         iwn_rx_done(sc, desc, data);
 4016 
 4017                         is_stopped = (sc->sc_flags & IWN_FLAG_RUNNING) == 0;
 4018                         if (__predict_false(is_stopped))
 4019                                 return;
 4020 
 4021                         break;
 4022 
 4023                 case IWN_RX_COMPRESSED_BA:
 4024                         /* A Compressed BlockAck has been received. */
 4025                         iwn_rx_compressed_ba(sc, desc);
 4026                         break;
 4027 
 4028                 case IWN_TX_DONE:
 4029                         /* An 802.11 frame has been transmitted. */
 4030                         ops->tx_done(sc, desc, data);
 4031                         break;
 4032 
 4033                 case IWN_RX_STATISTICS:
 4034                 case IWN_BEACON_STATISTICS:
 4035                         iwn_rx_statistics(sc, desc);
 4036                         break;
 4037 
 4038                 case IWN_BEACON_MISSED:
 4039                 {
 4040                         struct iwn_beacon_missed *miss =
 4041                             (struct iwn_beacon_missed *)(desc + 1);
 4042                         int misses;
 4043 
 4044                         misses = le32toh(miss->consecutive);
 4045 
 4046                         DPRINTF(sc, IWN_DEBUG_STATE,
 4047                             "%s: beacons missed %d/%d\n", __func__,
 4048                             misses, le32toh(miss->total));
 4049                         /*
 4050                          * If more than 5 consecutive beacons are missed,
 4051                          * reinitialize the sensitivity state machine.
 4052                          */
 4053                         if (vap->iv_state == IEEE80211_S_RUN &&
 4054                             (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 4055                                 if (misses > 5)
 4056                                         (void)iwn_init_sensitivity(sc);
 4057                                 if (misses >= vap->iv_bmissthreshold) {
 4058                                         IWN_UNLOCK(sc);
 4059                                         ieee80211_beacon_miss(ic);
 4060                                         IWN_LOCK(sc);
 4061 
 4062                                         is_stopped = (sc->sc_flags &
 4063                                             IWN_FLAG_RUNNING) == 0;
 4064                                         if (__predict_false(is_stopped))
 4065                                                 return;
 4066                                 }
 4067                         }
 4068                         break;
 4069                 }
 4070                 case IWN_UC_READY:
 4071                 {
 4072                         struct iwn_ucode_info *uc =
 4073                             (struct iwn_ucode_info *)(desc + 1);
 4074 
 4075                         /* The microcontroller is ready. */
 4076                         DPRINTF(sc, IWN_DEBUG_RESET,
 4077                             "microcode alive notification version=%d.%d "
 4078                             "subtype=%x alive=%x\n", uc->major, uc->minor,
 4079                             uc->subtype, le32toh(uc->valid));
 4080 
 4081                         if (le32toh(uc->valid) != 1) {
 4082                                 device_printf(sc->sc_dev,
 4083                                     "microcontroller initialization failed");
 4084                                 break;
 4085                         }
 4086                         if (uc->subtype == IWN_UCODE_INIT) {
 4087                                 /* Save microcontroller report. */
 4088                                 memcpy(&sc->ucode_info, uc, sizeof (*uc));
 4089                         }
 4090                         /* Save the address of the error log in SRAM. */
 4091                         sc->errptr = le32toh(uc->errptr);
 4092                         break;
 4093                 }
 4094 #ifdef IWN_DEBUG
 4095                 case IWN_STATE_CHANGED:
 4096                 {
 4097                         /*
 4098                          * State change allows hardware switch change to be
 4099                          * noted. However, we handle this in iwn_intr as we
 4100                          * get both the enable/disble intr.
 4101                          */
 4102                         uint32_t *status = (uint32_t *)(desc + 1);
 4103                         DPRINTF(sc, IWN_DEBUG_INTR | IWN_DEBUG_STATE,
 4104                             "state changed to %x\n",
 4105                             le32toh(*status));
 4106                         break;
 4107                 }
 4108                 case IWN_START_SCAN:
 4109                 {
 4110                         struct iwn_start_scan *scan =
 4111                             (struct iwn_start_scan *)(desc + 1);
 4112                         DPRINTF(sc, IWN_DEBUG_ANY,
 4113                             "%s: scanning channel %d status %x\n",
 4114                             __func__, scan->chan, le32toh(scan->status));
 4115                         break;
 4116                 }
 4117 #endif
 4118                 case IWN_STOP_SCAN:
 4119                 {
 4120 #ifdef  IWN_DEBUG
 4121                         struct iwn_stop_scan *scan =
 4122                             (struct iwn_stop_scan *)(desc + 1);
 4123                         DPRINTF(sc, IWN_DEBUG_STATE | IWN_DEBUG_SCAN,
 4124                             "scan finished nchan=%d status=%d chan=%d\n",
 4125                             scan->nchan, scan->status, scan->chan);
 4126 #endif
 4127                         sc->sc_is_scanning = 0;
 4128                         callout_stop(&sc->scan_timeout);
 4129                         IWN_UNLOCK(sc);
 4130                         ieee80211_scan_next(vap);
 4131                         IWN_LOCK(sc);
 4132 
 4133                         is_stopped = (sc->sc_flags & IWN_FLAG_RUNNING) == 0;
 4134                         if (__predict_false(is_stopped))  
 4135                                 return;
 4136 
 4137                         break;
 4138                 }
 4139                 case IWN5000_CALIBRATION_RESULT:
 4140                         iwn5000_rx_calib_results(sc, desc);
 4141                         break;
 4142 
 4143                 case IWN5000_CALIBRATION_DONE:
 4144                         sc->sc_flags |= IWN_FLAG_CALIB_DONE;
 4145                         wakeup(sc);
 4146                         break;
 4147                 }
 4148 
 4149                 sc->rxq.cur = (sc->rxq.cur + 1) % IWN_RX_RING_COUNT;
 4150         }
 4151 
 4152         /* Tell the firmware what we have processed. */
 4153         hw = (hw == 0) ? IWN_RX_RING_COUNT - 1 : hw - 1;
 4154         IWN_WRITE(sc, IWN_FH_RX_WPTR, hw & ~7);
 4155 }
 4156 
 4157 /*
 4158  * Process an INT_WAKEUP interrupt raised when the microcontroller wakes up
 4159  * from power-down sleep mode.
 4160  */
 4161 static void
 4162 iwn_wakeup_intr(struct iwn_softc *sc)
 4163 {
 4164         int qid;
 4165 
 4166         DPRINTF(sc, IWN_DEBUG_RESET, "%s: ucode wakeup from power-down sleep\n",
 4167             __func__);
 4168 
 4169         /* Wakeup RX and TX rings. */
 4170         IWN_WRITE(sc, IWN_FH_RX_WPTR, sc->rxq.cur & ~7);
 4171         for (qid = 0; qid < sc->ntxqs; qid++) {
 4172                 struct iwn_tx_ring *ring = &sc->txq[qid];
 4173                 IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | ring->cur);
 4174         }
 4175 }
 4176 
 4177 static void
 4178 iwn_rftoggle_task(void *arg, int npending)
 4179 {
 4180         struct iwn_softc *sc = arg;
 4181         struct ieee80211com *ic = &sc->sc_ic;
 4182         uint32_t tmp;
 4183 
 4184         IWN_LOCK(sc);
 4185         tmp = IWN_READ(sc, IWN_GP_CNTRL);
 4186         IWN_UNLOCK(sc);
 4187 
 4188         device_printf(sc->sc_dev, "RF switch: radio %s\n",
 4189             (tmp & IWN_GP_CNTRL_RFKILL) ? "enabled" : "disabled");
 4190         if (!(tmp & IWN_GP_CNTRL_RFKILL)) {
 4191                 ieee80211_suspend_all(ic);
 4192 
 4193                 /* Enable interrupts to get RF toggle notification. */
 4194                 IWN_LOCK(sc);
 4195                 IWN_WRITE(sc, IWN_INT, 0xffffffff);
 4196                 IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
 4197                 IWN_UNLOCK(sc);
 4198         } else
 4199                 ieee80211_resume_all(ic);
 4200 }
 4201 
 4202 /*
 4203  * Dump the error log of the firmware when a firmware panic occurs.  Although
 4204  * we can't debug the firmware because it is neither open source nor free, it
 4205  * can help us to identify certain classes of problems.
 4206  */
 4207 static void
 4208 iwn_fatal_intr(struct iwn_softc *sc)
 4209 {
 4210         struct iwn_fw_dump dump;
 4211         int i;
 4212 
 4213         IWN_LOCK_ASSERT(sc);
 4214 
 4215         /* Force a complete recalibration on next init. */
 4216         sc->sc_flags &= ~IWN_FLAG_CALIB_DONE;
 4217 
 4218         /* Check that the error log address is valid. */
 4219         if (sc->errptr < IWN_FW_DATA_BASE ||
 4220             sc->errptr + sizeof (dump) >
 4221             IWN_FW_DATA_BASE + sc->fw_data_maxsz) {
 4222                 printf("%s: bad firmware error log address 0x%08x\n", __func__,
 4223                     sc->errptr);
 4224                 return;
 4225         }
 4226         if (iwn_nic_lock(sc) != 0) {
 4227                 printf("%s: could not read firmware error log\n", __func__);
 4228                 return;
 4229         }
 4230         /* Read firmware error log from SRAM. */
 4231         iwn_mem_read_region_4(sc, sc->errptr, (uint32_t *)&dump,
 4232             sizeof (dump) / sizeof (uint32_t));
 4233         iwn_nic_unlock(sc);
 4234 
 4235         if (dump.valid == 0) {
 4236                 printf("%s: firmware error log is empty\n", __func__);
 4237                 return;
 4238         }
 4239         printf("firmware error log:\n");
 4240         printf("  error type      = \"%s\" (0x%08X)\n",
 4241             (dump.id < nitems(iwn_fw_errmsg)) ?
 4242                 iwn_fw_errmsg[dump.id] : "UNKNOWN",
 4243             dump.id);
 4244         printf("  program counter = 0x%08X\n", dump.pc);
 4245         printf("  source line     = 0x%08X\n", dump.src_line);
 4246         printf("  error data      = 0x%08X%08X\n",
 4247             dump.error_data[0], dump.error_data[1]);
 4248         printf("  branch link     = 0x%08X%08X\n",
 4249             dump.branch_link[0], dump.branch_link[1]);
 4250         printf("  interrupt link  = 0x%08X%08X\n",
 4251             dump.interrupt_link[0], dump.interrupt_link[1]);
 4252         printf("  time            = %u\n", dump.time[0]);
 4253 
 4254         /* Dump driver status (TX and RX rings) while we're here. */
 4255         printf("driver status:\n");
 4256         for (i = 0; i < sc->ntxqs; i++) {
 4257                 struct iwn_tx_ring *ring = &sc->txq[i];
 4258                 printf("  tx ring %2d: qid=%-2d cur=%-3d queued=%-3d\n",
 4259                     i, ring->qid, ring->cur, ring->queued);
 4260         }
 4261         printf("  rx ring: cur=%d\n", sc->rxq.cur);
 4262 }
 4263 
 4264 static void
 4265 iwn_intr(void *arg)
 4266 {
 4267         struct iwn_softc *sc = arg;
 4268         uint32_t r1, r2, tmp;
 4269 
 4270         IWN_LOCK(sc);
 4271 
 4272         /* Disable interrupts. */
 4273         IWN_WRITE(sc, IWN_INT_MASK, 0);
 4274 
 4275         /* Read interrupts from ICT (fast) or from registers (slow). */
 4276         if (sc->sc_flags & IWN_FLAG_USE_ICT) {
 4277                 bus_dmamap_sync(sc->ict_dma.tag, sc->ict_dma.map,
 4278                     BUS_DMASYNC_POSTREAD);
 4279                 tmp = 0;
 4280                 while (sc->ict[sc->ict_cur] != 0) {
 4281                         tmp |= sc->ict[sc->ict_cur];
 4282                         sc->ict[sc->ict_cur] = 0;       /* Acknowledge. */
 4283                         sc->ict_cur = (sc->ict_cur + 1) % IWN_ICT_COUNT;
 4284                 }
 4285                 tmp = le32toh(tmp);
 4286                 if (tmp == 0xffffffff)  /* Shouldn't happen. */
 4287                         tmp = 0;
 4288                 else if (tmp & 0xc0000) /* Workaround a HW bug. */
 4289                         tmp |= 0x8000;
 4290                 r1 = (tmp & 0xff00) << 16 | (tmp & 0xff);
 4291                 r2 = 0; /* Unused. */
 4292         } else {
 4293                 r1 = IWN_READ(sc, IWN_INT);
 4294                 if (r1 == 0xffffffff || (r1 & 0xfffffff0) == 0xa5a5a5a0) {
 4295                         IWN_UNLOCK(sc);
 4296                         return; /* Hardware gone! */
 4297                 }
 4298                 r2 = IWN_READ(sc, IWN_FH_INT);
 4299         }
 4300 
 4301         DPRINTF(sc, IWN_DEBUG_INTR, "interrupt reg1=0x%08x reg2=0x%08x\n"
 4302     , r1, r2);
 4303 
 4304         if (r1 == 0 && r2 == 0)
 4305                 goto done;      /* Interrupt not for us. */
 4306 
 4307         /* Acknowledge interrupts. */
 4308         IWN_WRITE(sc, IWN_INT, r1);
 4309         if (!(sc->sc_flags & IWN_FLAG_USE_ICT))
 4310                 IWN_WRITE(sc, IWN_FH_INT, r2);
 4311 
 4312         if (r1 & IWN_INT_RF_TOGGLED) {
 4313                 taskqueue_enqueue(sc->sc_tq, &sc->sc_rftoggle_task);
 4314                 goto done;
 4315         }
 4316         if (r1 & IWN_INT_CT_REACHED) {
 4317                 device_printf(sc->sc_dev, "%s: critical temperature reached!\n",
 4318                     __func__);
 4319         }
 4320         if (r1 & (IWN_INT_SW_ERR | IWN_INT_HW_ERR)) {
 4321                 device_printf(sc->sc_dev, "%s: fatal firmware error\n",
 4322                     __func__);
 4323 #ifdef  IWN_DEBUG
 4324                 iwn_debug_register(sc);
 4325 #endif
 4326                 /* Dump firmware error log and stop. */
 4327                 iwn_fatal_intr(sc);
 4328 
 4329                 taskqueue_enqueue(sc->sc_tq, &sc->sc_panic_task);
 4330                 goto done;
 4331         }
 4332         if ((r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX | IWN_INT_RX_PERIODIC)) ||
 4333             (r2 & IWN_FH_INT_RX)) {
 4334                 if (sc->sc_flags & IWN_FLAG_USE_ICT) {
 4335                         if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX))
 4336                                 IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_RX);
 4337                         IWN_WRITE_1(sc, IWN_INT_PERIODIC,
 4338                             IWN_INT_PERIODIC_DIS);
 4339                         iwn_notif_intr(sc);
 4340                         if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX)) {
 4341                                 IWN_WRITE_1(sc, IWN_INT_PERIODIC,
 4342                                     IWN_INT_PERIODIC_ENA);
 4343                         }
 4344                 } else
 4345                         iwn_notif_intr(sc);
 4346         }
 4347 
 4348         if ((r1 & IWN_INT_FH_TX) || (r2 & IWN_FH_INT_TX)) {
 4349                 if (sc->sc_flags & IWN_FLAG_USE_ICT)
 4350                         IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_TX);
 4351                 wakeup(sc);     /* FH DMA transfer completed. */
 4352         }
 4353 
 4354         if (r1 & IWN_INT_ALIVE)
 4355                 wakeup(sc);     /* Firmware is alive. */
 4356 
 4357         if (r1 & IWN_INT_WAKEUP)
 4358                 iwn_wakeup_intr(sc);
 4359 
 4360 done:
 4361         /* Re-enable interrupts. */
 4362         if (sc->sc_flags & IWN_FLAG_RUNNING)
 4363                 IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
 4364 
 4365         IWN_UNLOCK(sc);
 4366 }
 4367 
 4368 /*
 4369  * Update TX scheduler ring when transmitting an 802.11 frame (4965AGN and
 4370  * 5000 adapters use a slightly different format).
 4371  */
 4372 static void
 4373 iwn4965_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
 4374     uint16_t len)
 4375 {
 4376         uint16_t *w = &sc->sched[qid * IWN4965_SCHED_COUNT + idx];
 4377 
 4378         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 4379 
 4380         *w = htole16(len + 8);
 4381         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4382             BUS_DMASYNC_PREWRITE);
 4383         if (idx < IWN_SCHED_WINSZ) {
 4384                 *(w + IWN_TX_RING_COUNT) = *w;
 4385                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4386                     BUS_DMASYNC_PREWRITE);
 4387         }
 4388 }
 4389 
 4390 static void
 4391 iwn5000_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
 4392     uint16_t len)
 4393 {
 4394         uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
 4395 
 4396         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 4397 
 4398         *w = htole16(id << 12 | (len + 8));
 4399         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4400             BUS_DMASYNC_PREWRITE);
 4401         if (idx < IWN_SCHED_WINSZ) {
 4402                 *(w + IWN_TX_RING_COUNT) = *w;
 4403                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4404                     BUS_DMASYNC_PREWRITE);
 4405         }
 4406 }
 4407 
 4408 #ifdef notyet
 4409 static void
 4410 iwn5000_reset_sched(struct iwn_softc *sc, int qid, int idx)
 4411 {
 4412         uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
 4413 
 4414         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 4415 
 4416         *w = (*w & htole16(0xf000)) | htole16(1);
 4417         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4418             BUS_DMASYNC_PREWRITE);
 4419         if (idx < IWN_SCHED_WINSZ) {
 4420                 *(w + IWN_TX_RING_COUNT) = *w;
 4421                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 4422                     BUS_DMASYNC_PREWRITE);
 4423         }
 4424 }
 4425 #endif
 4426 
 4427 /*
 4428  * Check whether OFDM 11g protection will be enabled for the given rate.
 4429  *
 4430  * The original driver code only enabled protection for OFDM rates.
 4431  * It didn't check to see whether it was operating in 11a or 11bg mode.
 4432  */
 4433 static int
 4434 iwn_check_rate_needs_protection(struct iwn_softc *sc,
 4435     struct ieee80211vap *vap, uint8_t rate)
 4436 {
 4437         struct ieee80211com *ic = vap->iv_ic;
 4438 
 4439         /*
 4440          * Not in 2GHz mode? Then there's no need to enable OFDM
 4441          * 11bg protection.
 4442          */
 4443         if (! IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) {
 4444                 return (0);
 4445         }
 4446 
 4447         /*
 4448          * 11bg protection not enabled? Then don't use it.
 4449          */
 4450         if ((ic->ic_flags & IEEE80211_F_USEPROT) == 0)
 4451                 return (0);
 4452 
 4453         /*
 4454          * If it's an 11n rate - no protection.
 4455          * We'll do it via a specific 11n check.
 4456          */
 4457         if (rate & IEEE80211_RATE_MCS) {
 4458                 return (0);
 4459         }
 4460 
 4461         /*
 4462          * Do a rate table lookup.  If the PHY is CCK,
 4463          * don't do protection.
 4464          */
 4465         if (ieee80211_rate2phytype(ic->ic_rt, rate) == IEEE80211_T_CCK)
 4466                 return (0);
 4467 
 4468         /*
 4469          * Yup, enable protection.
 4470          */
 4471         return (1);
 4472 }
 4473 
 4474 /*
 4475  * return a value between 0 and IWN_MAX_TX_RETRIES-1 as an index into
 4476  * the link quality table that reflects this particular entry.
 4477  */
 4478 static int
 4479 iwn_tx_rate_to_linkq_offset(struct iwn_softc *sc, struct ieee80211_node *ni,
 4480     uint8_t rate)
 4481 {
 4482         struct ieee80211_rateset *rs;
 4483         int is_11n;
 4484         int nr;
 4485         int i;
 4486         uint8_t cmp_rate;
 4487 
 4488         /*
 4489          * Figure out if we're using 11n or not here.
 4490          */
 4491         if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && ni->ni_htrates.rs_nrates > 0)
 4492                 is_11n = 1;
 4493         else
 4494                 is_11n = 0;
 4495 
 4496         /*
 4497          * Use the correct rate table.
 4498          */
 4499         if (is_11n) {
 4500                 rs = (struct ieee80211_rateset *) &ni->ni_htrates;
 4501                 nr = ni->ni_htrates.rs_nrates;
 4502         } else {
 4503                 rs = &ni->ni_rates;
 4504                 nr = rs->rs_nrates;
 4505         }
 4506 
 4507         /*
 4508          * Find the relevant link quality entry in the table.
 4509          */
 4510         for (i = 0; i < nr && i < IWN_MAX_TX_RETRIES - 1 ; i++) {
 4511                 /*
 4512                  * The link quality table index starts at 0 == highest
 4513                  * rate, so we walk the rate table backwards.
 4514                  */
 4515                 cmp_rate = rs->rs_rates[(nr - 1) - i];
 4516                 if (rate & IEEE80211_RATE_MCS)
 4517                         cmp_rate |= IEEE80211_RATE_MCS;
 4518 
 4519 #if 0
 4520                 DPRINTF(sc, IWN_DEBUG_XMIT, "%s: idx %d: nr=%d, rate=0x%02x, rateentry=0x%02x\n",
 4521                     __func__,
 4522                     i,
 4523                     nr,
 4524                     rate,
 4525                     cmp_rate);
 4526 #endif
 4527 
 4528                 if (cmp_rate == rate)
 4529                         return (i);
 4530         }
 4531 
 4532         /* Failed? Start at the end */
 4533         return (IWN_MAX_TX_RETRIES - 1);
 4534 }
 4535 
 4536 static int
 4537 iwn_tx_data(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
 4538 {
 4539         const struct ieee80211_txparam *tp = ni->ni_txparms;
 4540         struct ieee80211vap *vap = ni->ni_vap;
 4541         struct ieee80211com *ic = ni->ni_ic;
 4542         struct iwn_node *wn = (void *)ni;
 4543         struct iwn_tx_ring *ring;
 4544         struct iwn_tx_cmd *cmd;
 4545         struct iwn_cmd_data *tx;
 4546         struct ieee80211_frame *wh;
 4547         struct ieee80211_key *k = NULL;
 4548         uint32_t flags;
 4549         uint16_t qos;
 4550         uint8_t tid, type;
 4551         int ac, totlen, rate;
 4552 
 4553         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 4554 
 4555         IWN_LOCK_ASSERT(sc);
 4556 
 4557         wh = mtod(m, struct ieee80211_frame *);
 4558         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 4559 
 4560         /* Select EDCA Access Category and TX ring for this frame. */
 4561         if (IEEE80211_QOS_HAS_SEQ(wh)) {
 4562                 qos = ((const struct ieee80211_qosframe *)wh)->i_qos[0];
 4563                 tid = qos & IEEE80211_QOS_TID;
 4564         } else {
 4565                 qos = 0;
 4566                 tid = 0;
 4567         }
 4568 
 4569         /* Choose a TX rate index. */
 4570         if (type == IEEE80211_FC0_TYPE_MGT ||
 4571             type == IEEE80211_FC0_TYPE_CTL ||
 4572             (m->m_flags & M_EAPOL) != 0)
 4573                 rate = tp->mgmtrate;
 4574         else if (IEEE80211_IS_MULTICAST(wh->i_addr1))
 4575                 rate = tp->mcastrate;
 4576         else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
 4577                 rate = tp->ucastrate;
 4578         else {
 4579                 /* XXX pass pktlen */
 4580                 (void) ieee80211_ratectl_rate(ni, NULL, 0);
 4581                 rate = ni->ni_txrate;
 4582         }
 4583 
 4584         /*
 4585          * XXX TODO: Group addressed frames aren't aggregated and must
 4586          * go to the normal non-aggregation queue, and have a NONQOS TID
 4587          * assigned from net80211.
 4588          */
 4589 
 4590         ac = M_WME_GETAC(m);
 4591         if (m->m_flags & M_AMPDU_MPDU) {
 4592                 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
 4593 
 4594                 if (!IEEE80211_AMPDU_RUNNING(tap))
 4595                         return (EINVAL);
 4596 
 4597                 ac = *(int *)tap->txa_private;
 4598         }
 4599 
 4600         /* Encrypt the frame if need be. */
 4601         if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
 4602                 /* Retrieve key for TX. */
 4603                 k = ieee80211_crypto_encap(ni, m);
 4604                 if (k == NULL) {
 4605                         return ENOBUFS;
 4606                 }
 4607                 /* 802.11 header may have moved. */
 4608                 wh = mtod(m, struct ieee80211_frame *);
 4609         }
 4610         totlen = m->m_pkthdr.len;
 4611 
 4612         if (ieee80211_radiotap_active_vap(vap)) {
 4613                 struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
 4614 
 4615                 tap->wt_flags = 0;
 4616                 tap->wt_rate = rate;
 4617                 if (k != NULL)
 4618                         tap->wt_flags |= IEEE80211_RADIOTAP_F_WEP;
 4619 
 4620                 ieee80211_radiotap_tx(vap, m);
 4621         }
 4622 
 4623         flags = 0;
 4624         if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 4625                 /* Unicast frame, check if an ACK is expected. */
 4626                 if (!qos || (qos & IEEE80211_QOS_ACKPOLICY) !=
 4627                     IEEE80211_QOS_ACKPOLICY_NOACK)
 4628                         flags |= IWN_TX_NEED_ACK;
 4629         }
 4630         if ((wh->i_fc[0] &
 4631             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
 4632             (IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_BAR))
 4633                 flags |= IWN_TX_IMM_BA;         /* Cannot happen yet. */
 4634 
 4635         if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
 4636                 flags |= IWN_TX_MORE_FRAG;      /* Cannot happen yet. */
 4637 
 4638         /* Check if frame must be protected using RTS/CTS or CTS-to-self. */
 4639         if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 4640                 /* NB: Group frames are sent using CCK in 802.11b/g. */
 4641                 if (totlen + IEEE80211_CRC_LEN > vap->iv_rtsthreshold) {
 4642                         flags |= IWN_TX_NEED_RTS;
 4643                 } else if (iwn_check_rate_needs_protection(sc, vap, rate)) {
 4644                         if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
 4645                                 flags |= IWN_TX_NEED_CTS;
 4646                         else if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
 4647                                 flags |= IWN_TX_NEED_RTS;
 4648                 } else if ((rate & IEEE80211_RATE_MCS) &&
 4649                         (ic->ic_htprotmode == IEEE80211_PROT_RTSCTS)) {
 4650                         flags |= IWN_TX_NEED_RTS;
 4651                 }
 4652 
 4653                 /* XXX HT protection? */
 4654 
 4655                 if (flags & (IWN_TX_NEED_RTS | IWN_TX_NEED_CTS)) {
 4656                         if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 4657                                 /* 5000 autoselects RTS/CTS or CTS-to-self. */
 4658                                 flags &= ~(IWN_TX_NEED_RTS | IWN_TX_NEED_CTS);
 4659                                 flags |= IWN_TX_NEED_PROTECTION;
 4660                         } else
 4661                                 flags |= IWN_TX_FULL_TXOP;
 4662                 }
 4663         }
 4664 
 4665         ring = &sc->txq[ac];
 4666         if (m->m_flags & M_AMPDU_MPDU) {
 4667                 uint16_t seqno = ni->ni_txseqs[tid];
 4668 
 4669                 if (ring->queued > IWN_TX_RING_COUNT / 2 &&
 4670                     (ring->cur + 1) % IWN_TX_RING_COUNT == ring->read) {
 4671                         DPRINTF(sc, IWN_DEBUG_AMPDU, "%s: no more space "
 4672                             "(queued %d) left in %d queue!\n",
 4673                             __func__, ring->queued, ac);
 4674                         return (ENOBUFS);
 4675                 }
 4676 
 4677                 /*
 4678                  * Queue this frame to the hardware ring that we've
 4679                  * negotiated AMPDU TX on.
 4680                  *
 4681                  * Note that the sequence number must match the TX slot
 4682                  * being used!
 4683                  */
 4684                 if ((seqno % 256) != ring->cur) {
 4685                         device_printf(sc->sc_dev,
 4686                             "%s: m=%p: seqno (%d) (%d) != ring index (%d) !\n",
 4687                             __func__,
 4688                             m,
 4689                             seqno,
 4690                             seqno % 256,
 4691                             ring->cur);
 4692 
 4693                         /* XXX until D9195 will not be committed */
 4694                         ni->ni_txseqs[tid] &= ~0xff;
 4695                         ni->ni_txseqs[tid] += ring->cur;
 4696                         seqno = ni->ni_txseqs[tid];
 4697                 }
 4698 
 4699                 *(uint16_t *)wh->i_seq =
 4700                     htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
 4701                 ni->ni_txseqs[tid]++;
 4702         }
 4703 
 4704         /* Prepare TX firmware command. */
 4705         cmd = &ring->cmd[ring->cur];
 4706         tx = (struct iwn_cmd_data *)cmd->data;
 4707 
 4708         /* NB: No need to clear tx, all fields are reinitialized here. */
 4709         tx->scratch = 0;        /* clear "scratch" area */
 4710 
 4711         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
 4712             type != IEEE80211_FC0_TYPE_DATA)
 4713                 tx->id = sc->broadcast_id;
 4714         else
 4715                 tx->id = wn->id;
 4716 
 4717         if (type == IEEE80211_FC0_TYPE_MGT) {
 4718                 uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 4719 
 4720                 /* Tell HW to set timestamp in probe responses. */
 4721                 if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
 4722                         flags |= IWN_TX_INSERT_TSTAMP;
 4723                 if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
 4724                     subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
 4725                         tx->timeout = htole16(3);
 4726                 else
 4727                         tx->timeout = htole16(2);
 4728         } else
 4729                 tx->timeout = htole16(0);
 4730 
 4731         if (tx->id == sc->broadcast_id) {
 4732                 /* Group or management frame. */
 4733                 tx->linkq = 0;
 4734         } else {
 4735                 tx->linkq = iwn_tx_rate_to_linkq_offset(sc, ni, rate);
 4736                 flags |= IWN_TX_LINKQ;  /* enable MRR */
 4737         }
 4738 
 4739         tx->tid = tid;
 4740         tx->rts_ntries = 60;
 4741         tx->data_ntries = 15;
 4742         tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
 4743         tx->rate = iwn_rate_to_plcp(sc, ni, rate);
 4744         tx->security = 0;
 4745         tx->flags = htole32(flags);
 4746 
 4747         return (iwn_tx_cmd(sc, m, ni, ring));
 4748 }
 4749 
 4750 static int
 4751 iwn_tx_data_raw(struct iwn_softc *sc, struct mbuf *m,
 4752     struct ieee80211_node *ni, const struct ieee80211_bpf_params *params)
 4753 {
 4754         struct ieee80211vap *vap = ni->ni_vap;
 4755         struct iwn_tx_cmd *cmd;
 4756         struct iwn_cmd_data *tx;
 4757         struct ieee80211_frame *wh;
 4758         struct iwn_tx_ring *ring;
 4759         uint32_t flags;
 4760         int ac, rate;
 4761         uint8_t type;
 4762 
 4763         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 4764 
 4765         IWN_LOCK_ASSERT(sc);
 4766 
 4767         wh = mtod(m, struct ieee80211_frame *);
 4768         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 4769 
 4770         ac = params->ibp_pri & 3;
 4771 
 4772         /* Choose a TX rate. */
 4773         rate = params->ibp_rate0;
 4774 
 4775         flags = 0;
 4776         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
 4777                 flags |= IWN_TX_NEED_ACK;
 4778         if (params->ibp_flags & IEEE80211_BPF_RTS) {
 4779                 if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 4780                         /* 5000 autoselects RTS/CTS or CTS-to-self. */
 4781                         flags &= ~IWN_TX_NEED_RTS;
 4782                         flags |= IWN_TX_NEED_PROTECTION;
 4783                 } else
 4784                         flags |= IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP;
 4785         }
 4786         if (params->ibp_flags & IEEE80211_BPF_CTS) {
 4787                 if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 4788                         /* 5000 autoselects RTS/CTS or CTS-to-self. */
 4789                         flags &= ~IWN_TX_NEED_CTS;
 4790                         flags |= IWN_TX_NEED_PROTECTION;
 4791                 } else
 4792                         flags |= IWN_TX_NEED_CTS | IWN_TX_FULL_TXOP;
 4793         }
 4794 
 4795         if (ieee80211_radiotap_active_vap(vap)) {
 4796                 struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
 4797 
 4798                 tap->wt_flags = 0;
 4799                 tap->wt_rate = rate;
 4800 
 4801                 ieee80211_radiotap_tx(vap, m);
 4802         }
 4803 
 4804         ring = &sc->txq[ac];
 4805         cmd = &ring->cmd[ring->cur];
 4806 
 4807         tx = (struct iwn_cmd_data *)cmd->data;
 4808         /* NB: No need to clear tx, all fields are reinitialized here. */
 4809         tx->scratch = 0;        /* clear "scratch" area */
 4810 
 4811         if (type == IEEE80211_FC0_TYPE_MGT) {
 4812                 uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 4813 
 4814                 /* Tell HW to set timestamp in probe responses. */
 4815                 if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
 4816                         flags |= IWN_TX_INSERT_TSTAMP;
 4817 
 4818                 if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
 4819                     subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
 4820                         tx->timeout = htole16(3);
 4821                 else
 4822                         tx->timeout = htole16(2);
 4823         } else
 4824                 tx->timeout = htole16(0);
 4825 
 4826         tx->tid = 0;
 4827         tx->id = sc->broadcast_id;
 4828         tx->rts_ntries = params->ibp_try1;
 4829         tx->data_ntries = params->ibp_try0;
 4830         tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
 4831         tx->rate = iwn_rate_to_plcp(sc, ni, rate);
 4832         tx->security = 0;
 4833         tx->flags = htole32(flags);
 4834 
 4835         /* Group or management frame. */
 4836         tx->linkq = 0;
 4837 
 4838         return (iwn_tx_cmd(sc, m, ni, ring));
 4839 }
 4840 
 4841 static int
 4842 iwn_tx_cmd(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_node *ni,
 4843     struct iwn_tx_ring *ring)
 4844 {
 4845         struct iwn_ops *ops = &sc->ops;
 4846         struct iwn_tx_cmd *cmd;
 4847         struct iwn_cmd_data *tx;
 4848         struct ieee80211_frame *wh;
 4849         struct iwn_tx_desc *desc;
 4850         struct iwn_tx_data *data;
 4851         bus_dma_segment_t *seg, segs[IWN_MAX_SCATTER];
 4852         struct mbuf *m1;
 4853         u_int hdrlen;
 4854         int totlen, error, pad, nsegs = 0, i;
 4855 
 4856         wh = mtod(m, struct ieee80211_frame *);
 4857         hdrlen = ieee80211_anyhdrsize(wh);
 4858         totlen = m->m_pkthdr.len;
 4859 
 4860         desc = &ring->desc[ring->cur];
 4861         data = &ring->data[ring->cur];
 4862 
 4863         if (__predict_false(data->m != NULL || data->ni != NULL)) {
 4864                 device_printf(sc->sc_dev, "%s: ni (%p) or m (%p) for idx %d "
 4865                     "in queue %d is not NULL!\n", __func__, data->ni, data->m,
 4866                     ring->cur, ring->qid);
 4867                 return EIO;
 4868         }
 4869 
 4870         /* Prepare TX firmware command. */
 4871         cmd = &ring->cmd[ring->cur];
 4872         cmd->code = IWN_CMD_TX_DATA;
 4873         cmd->flags = 0;
 4874         cmd->qid = ring->qid;
 4875         cmd->idx = ring->cur;
 4876 
 4877         tx = (struct iwn_cmd_data *)cmd->data;
 4878         tx->len = htole16(totlen);
 4879 
 4880         /* Set physical address of "scratch area". */
 4881         tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
 4882         tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
 4883         if (hdrlen & 3) {
 4884                 /* First segment length must be a multiple of 4. */
 4885                 tx->flags |= htole32(IWN_TX_NEED_PADDING);
 4886                 pad = 4 - (hdrlen & 3);
 4887         } else
 4888                 pad = 0;
 4889 
 4890         /* Copy 802.11 header in TX command. */
 4891         memcpy((uint8_t *)(tx + 1), wh, hdrlen);
 4892 
 4893         /* Trim 802.11 header. */
 4894         m_adj(m, hdrlen);
 4895 
 4896         error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m, segs,
 4897             &nsegs, BUS_DMA_NOWAIT);
 4898         if (error != 0) {
 4899                 if (error != EFBIG) {
 4900                         device_printf(sc->sc_dev,
 4901                             "%s: can't map mbuf (error %d)\n", __func__, error);
 4902                         return error;
 4903                 }
 4904                 /* Too many DMA segments, linearize mbuf. */
 4905                 m1 = m_collapse(m, M_NOWAIT, IWN_MAX_SCATTER - 1);
 4906                 if (m1 == NULL) {
 4907                         device_printf(sc->sc_dev,
 4908                             "%s: could not defrag mbuf\n", __func__);
 4909                         return ENOBUFS;
 4910                 }
 4911                 m = m1;
 4912 
 4913                 error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
 4914                     segs, &nsegs, BUS_DMA_NOWAIT);
 4915                 if (error != 0) {
 4916                         /* XXX fix this */
 4917                         /*
 4918                          * NB: Do not return error;
 4919                          * original mbuf does not exist anymore.
 4920                          */
 4921                         device_printf(sc->sc_dev,
 4922                             "%s: can't map mbuf (error %d)\n",
 4923                             __func__, error);
 4924                         if_inc_counter(ni->ni_vap->iv_ifp,
 4925                             IFCOUNTER_OERRORS, 1);
 4926                         ieee80211_free_node(ni);
 4927                         m_freem(m);
 4928                         return 0;
 4929                 }
 4930         }
 4931 
 4932         data->m = m;
 4933         data->ni = ni;
 4934 
 4935         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: qid %d idx %d len %d nsegs %d "
 4936             "plcp %d\n",
 4937             __func__, ring->qid, ring->cur, totlen, nsegs, tx->rate);
 4938 
 4939         /* Fill TX descriptor. */
 4940         desc->nsegs = 1;
 4941         if (m->m_len != 0)
 4942                 desc->nsegs += nsegs;
 4943         /* First DMA segment is used by the TX command. */
 4944         desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
 4945         desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
 4946             (4 + sizeof (*tx) + hdrlen + pad) << 4);
 4947         /* Other DMA segments are for data payload. */
 4948         seg = &segs[0];
 4949         for (i = 1; i <= nsegs; i++) {
 4950                 desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
 4951                 desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
 4952                     seg->ds_len << 4);
 4953                 seg++;
 4954         }
 4955 
 4956         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE);
 4957         bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
 4958             BUS_DMASYNC_PREWRITE);
 4959         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 4960             BUS_DMASYNC_PREWRITE);
 4961 
 4962         /* Update TX scheduler. */
 4963         if (ring->qid >= sc->firstaggqueue)
 4964                 ops->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
 4965 
 4966         /* Kick TX ring. */
 4967         ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
 4968         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 4969 
 4970         /* Mark TX ring as full if we reach a certain threshold. */
 4971         if (++ring->queued > IWN_TX_RING_HIMARK)
 4972                 sc->qfullmsk |= 1 << ring->qid;
 4973 
 4974         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 4975 
 4976         return 0;
 4977 }
 4978 
 4979 static void
 4980 iwn_xmit_task(void *arg0, int pending)
 4981 {
 4982         struct iwn_softc *sc = arg0;
 4983         struct ieee80211_node *ni;
 4984         struct mbuf *m;
 4985         int error;
 4986         struct ieee80211_bpf_params p;
 4987         int have_p;
 4988 
 4989         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: called\n", __func__);
 4990 
 4991         IWN_LOCK(sc);
 4992         /*
 4993          * Dequeue frames, attempt to transmit,
 4994          * then disable beaconwait when we're done.
 4995          */
 4996         while ((m = mbufq_dequeue(&sc->sc_xmit_queue)) != NULL) {
 4997                 have_p = 0;
 4998                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
 4999 
 5000                 /* Get xmit params if appropriate */
 5001                 if (ieee80211_get_xmit_params(m, &p) == 0)
 5002                         have_p = 1;
 5003 
 5004                 DPRINTF(sc, IWN_DEBUG_XMIT, "%s: m=%p, have_p=%d\n",
 5005                     __func__, m, have_p);
 5006 
 5007                 /* If we have xmit params, use them */
 5008                 if (have_p)
 5009                         error = iwn_tx_data_raw(sc, m, ni, &p);
 5010                 else
 5011                         error = iwn_tx_data(sc, m, ni);
 5012 
 5013                 if (error != 0) {
 5014                         if_inc_counter(ni->ni_vap->iv_ifp,
 5015                             IFCOUNTER_OERRORS, 1);
 5016                         ieee80211_free_node(ni);
 5017                         m_freem(m);
 5018                 }
 5019         }
 5020 
 5021         sc->sc_beacon_wait = 0;
 5022         IWN_UNLOCK(sc);
 5023 }
 5024 
 5025 /*
 5026  * raw frame xmit - free node/reference if failed.
 5027  */
 5028 static int
 5029 iwn_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
 5030     const struct ieee80211_bpf_params *params)
 5031 {
 5032         struct ieee80211com *ic = ni->ni_ic;
 5033         struct iwn_softc *sc = ic->ic_softc;
 5034         int error = 0;
 5035 
 5036         DPRINTF(sc, IWN_DEBUG_XMIT | IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 5037 
 5038         IWN_LOCK(sc);
 5039         if ((sc->sc_flags & IWN_FLAG_RUNNING) == 0) {
 5040                 m_freem(m);
 5041                 IWN_UNLOCK(sc);
 5042                 return (ENETDOWN);
 5043         }
 5044 
 5045         /* queue frame if we have to */
 5046         if (sc->sc_beacon_wait) {
 5047                 if (iwn_xmit_queue_enqueue(sc, m) != 0) {
 5048                         m_freem(m);
 5049                         IWN_UNLOCK(sc);
 5050                         return (ENOBUFS);
 5051                 }
 5052                 /* Queued, so just return OK */
 5053                 IWN_UNLOCK(sc);
 5054                 return (0);
 5055         }
 5056 
 5057         if (params == NULL) {
 5058                 /*
 5059                  * Legacy path; interpret frame contents to decide
 5060                  * precisely how to send the frame.
 5061                  */
 5062                 error = iwn_tx_data(sc, m, ni);
 5063         } else {
 5064                 /*
 5065                  * Caller supplied explicit parameters to use in
 5066                  * sending the frame.
 5067                  */
 5068                 error = iwn_tx_data_raw(sc, m, ni, params);
 5069         }
 5070         if (error == 0)
 5071                 sc->sc_tx_timer = 5;
 5072         else
 5073                 m_freem(m);
 5074 
 5075         IWN_UNLOCK(sc);
 5076 
 5077         DPRINTF(sc, IWN_DEBUG_TRACE | IWN_DEBUG_XMIT, "->%s: end\n",__func__);
 5078 
 5079         return (error);
 5080 }
 5081 
 5082 /*
 5083  * transmit - don't free mbuf if failed; don't free node ref if failed.
 5084  */
 5085 static int
 5086 iwn_transmit(struct ieee80211com *ic, struct mbuf *m)
 5087 {
 5088         struct iwn_softc *sc = ic->ic_softc;
 5089         struct ieee80211_node *ni;
 5090         int error;
 5091 
 5092         ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
 5093 
 5094         IWN_LOCK(sc);
 5095         if ((sc->sc_flags & IWN_FLAG_RUNNING) == 0 || sc->sc_beacon_wait) {
 5096                 IWN_UNLOCK(sc);
 5097                 return (ENXIO);
 5098         }
 5099 
 5100         if (sc->qfullmsk) {
 5101                 IWN_UNLOCK(sc);
 5102                 return (ENOBUFS);
 5103         }
 5104 
 5105         error = iwn_tx_data(sc, m, ni);
 5106         if (!error)
 5107                 sc->sc_tx_timer = 5;
 5108         IWN_UNLOCK(sc);
 5109         return (error);
 5110 }
 5111 
 5112 static void
 5113 iwn_scan_timeout(void *arg)
 5114 {
 5115         struct iwn_softc *sc = arg;
 5116         struct ieee80211com *ic = &sc->sc_ic;
 5117 
 5118         ic_printf(ic, "scan timeout\n");
 5119         ieee80211_restart_all(ic);
 5120 }
 5121 
 5122 static void
 5123 iwn_watchdog(void *arg)
 5124 {
 5125         struct iwn_softc *sc = arg;
 5126         struct ieee80211com *ic = &sc->sc_ic;
 5127 
 5128         IWN_LOCK_ASSERT(sc);
 5129 
 5130         KASSERT(sc->sc_flags & IWN_FLAG_RUNNING, ("not running"));
 5131 
 5132         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5133 
 5134         if (sc->sc_tx_timer > 0) {
 5135                 if (--sc->sc_tx_timer == 0) {
 5136                         ic_printf(ic, "device timeout\n");
 5137                         ieee80211_restart_all(ic);
 5138                         return;
 5139                 }
 5140         }
 5141         callout_reset(&sc->watchdog_to, hz, iwn_watchdog, sc);
 5142 }
 5143 
 5144 static int
 5145 iwn_cdev_open(struct cdev *dev, int flags, int type, struct thread *td)
 5146 {
 5147 
 5148         return (0);
 5149 }
 5150 
 5151 static int
 5152 iwn_cdev_close(struct cdev *dev, int flags, int type, struct thread *td)
 5153 {
 5154 
 5155         return (0);
 5156 }
 5157 
 5158 static int
 5159 iwn_cdev_ioctl(struct cdev *dev, unsigned long cmd, caddr_t data, int fflag,
 5160     struct thread *td)
 5161 {
 5162         int rc;
 5163         struct iwn_softc *sc = dev->si_drv1;
 5164         struct iwn_ioctl_data *d;
 5165 
 5166         rc = priv_check(td, PRIV_DRIVER);
 5167         if (rc != 0)
 5168                 return (0);
 5169 
 5170         switch (cmd) {
 5171         case SIOCGIWNSTATS:
 5172                 d = (struct iwn_ioctl_data *) data;
 5173                 IWN_LOCK(sc);
 5174                 /* XXX validate permissions/memory/etc? */
 5175                 rc = copyout(&sc->last_stat, d->dst_addr, sizeof(struct iwn_stats));
 5176                 IWN_UNLOCK(sc);
 5177                 break;
 5178         case SIOCZIWNSTATS:
 5179                 IWN_LOCK(sc);
 5180                 memset(&sc->last_stat, 0, sizeof(struct iwn_stats));
 5181                 IWN_UNLOCK(sc);
 5182                 break;
 5183         default:
 5184                 rc = EINVAL;
 5185                 break;
 5186         }
 5187         return (rc);
 5188 }
 5189 
 5190 static int
 5191 iwn_ioctl(struct ieee80211com *ic, u_long cmd, void *data)
 5192 {
 5193 
 5194         return (ENOTTY);
 5195 }
 5196 
 5197 static void
 5198 iwn_parent(struct ieee80211com *ic)
 5199 {
 5200         struct iwn_softc *sc = ic->ic_softc;
 5201         struct ieee80211vap *vap;
 5202         int error;
 5203 
 5204         if (ic->ic_nrunning > 0) {
 5205                 error = iwn_init(sc);
 5206 
 5207                 switch (error) {
 5208                 case 0:
 5209                         ieee80211_start_all(ic);
 5210                         break;
 5211                 case 1:
 5212                         /* radio is disabled via RFkill switch */
 5213                         taskqueue_enqueue(sc->sc_tq, &sc->sc_rftoggle_task);
 5214                         break;
 5215                 default:
 5216                         vap = TAILQ_FIRST(&ic->ic_vaps);
 5217                         if (vap != NULL)
 5218                                 ieee80211_stop(vap);
 5219                         break;
 5220                 }
 5221         } else
 5222                 iwn_stop(sc);
 5223 }
 5224 
 5225 /*
 5226  * Send a command to the firmware.
 5227  */
 5228 static int
 5229 iwn_cmd(struct iwn_softc *sc, int code, const void *buf, int size, int async)
 5230 {
 5231         struct iwn_tx_ring *ring;
 5232         struct iwn_tx_desc *desc;
 5233         struct iwn_tx_data *data;
 5234         struct iwn_tx_cmd *cmd;
 5235         struct mbuf *m;
 5236         bus_addr_t paddr;
 5237         int totlen, error;
 5238         int cmd_queue_num;
 5239 
 5240         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 5241 
 5242         if (async == 0)
 5243                 IWN_LOCK_ASSERT(sc);
 5244 
 5245         if (sc->sc_flags & IWN_FLAG_PAN_SUPPORT)
 5246                 cmd_queue_num = IWN_PAN_CMD_QUEUE;
 5247         else
 5248                 cmd_queue_num = IWN_CMD_QUEUE_NUM;
 5249 
 5250         ring = &sc->txq[cmd_queue_num];
 5251         desc = &ring->desc[ring->cur];
 5252         data = &ring->data[ring->cur];
 5253         totlen = 4 + size;
 5254 
 5255         if (size > sizeof cmd->data) {
 5256                 /* Command is too large to fit in a descriptor. */
 5257                 if (totlen > MCLBYTES)
 5258                         return EINVAL;
 5259                 m = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUMPAGESIZE);
 5260                 if (m == NULL)
 5261                         return ENOMEM;
 5262                 cmd = mtod(m, struct iwn_tx_cmd *);
 5263                 error = bus_dmamap_load(ring->data_dmat, data->map, cmd,
 5264                     totlen, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
 5265                 if (error != 0) {
 5266                         m_freem(m);
 5267                         return error;
 5268                 }
 5269                 data->m = m;
 5270         } else {
 5271                 cmd = &ring->cmd[ring->cur];
 5272                 paddr = data->cmd_paddr;
 5273         }
 5274 
 5275         cmd->code = code;
 5276         cmd->flags = 0;
 5277         cmd->qid = ring->qid;
 5278         cmd->idx = ring->cur;
 5279         memcpy(cmd->data, buf, size);
 5280 
 5281         desc->nsegs = 1;
 5282         desc->segs[0].addr = htole32(IWN_LOADDR(paddr));
 5283         desc->segs[0].len  = htole16(IWN_HIADDR(paddr) | totlen << 4);
 5284 
 5285         DPRINTF(sc, IWN_DEBUG_CMD, "%s: %s (0x%x) flags %d qid %d idx %d\n",
 5286             __func__, iwn_intr_str(cmd->code), cmd->code,
 5287             cmd->flags, cmd->qid, cmd->idx);
 5288 
 5289         if (size > sizeof cmd->data) {
 5290                 bus_dmamap_sync(ring->data_dmat, data->map,
 5291                     BUS_DMASYNC_PREWRITE);
 5292         } else {
 5293                 bus_dmamap_sync(ring->cmd_dma.tag, ring->cmd_dma.map,
 5294                     BUS_DMASYNC_PREWRITE);
 5295         }
 5296         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 5297             BUS_DMASYNC_PREWRITE);
 5298 
 5299         /* Kick command ring. */
 5300         ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
 5301         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 5302 
 5303         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 5304 
 5305         return async ? 0 : msleep(desc, &sc->sc_mtx, PCATCH, "iwncmd", hz);
 5306 }
 5307 
 5308 static int
 5309 iwn4965_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
 5310 {
 5311         struct iwn4965_node_info hnode;
 5312         caddr_t src, dst;
 5313 
 5314         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5315 
 5316         /*
 5317          * We use the node structure for 5000 Series internally (it is
 5318          * a superset of the one for 4965AGN). We thus copy the common
 5319          * fields before sending the command.
 5320          */
 5321         src = (caddr_t)node;
 5322         dst = (caddr_t)&hnode;
 5323         memcpy(dst, src, 48);
 5324         /* Skip TSC, RX MIC and TX MIC fields from ``src''. */
 5325         memcpy(dst + 48, src + 72, 20);
 5326         return iwn_cmd(sc, IWN_CMD_ADD_NODE, &hnode, sizeof hnode, async);
 5327 }
 5328 
 5329 static int
 5330 iwn5000_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
 5331 {
 5332 
 5333         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5334 
 5335         /* Direct mapping. */
 5336         return iwn_cmd(sc, IWN_CMD_ADD_NODE, node, sizeof (*node), async);
 5337 }
 5338 
 5339 static int
 5340 iwn_set_link_quality(struct iwn_softc *sc, struct ieee80211_node *ni)
 5341 {
 5342         struct iwn_node *wn = (void *)ni;
 5343         struct ieee80211_rateset *rs;
 5344         struct iwn_cmd_link_quality linkq;
 5345         int i, rate, txrate;
 5346         int is_11n;
 5347 
 5348         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 5349 
 5350         memset(&linkq, 0, sizeof linkq);
 5351         linkq.id = wn->id;
 5352         linkq.antmsk_1stream = iwn_get_1stream_tx_antmask(sc);
 5353         linkq.antmsk_2stream = iwn_get_2stream_tx_antmask(sc);
 5354 
 5355         linkq.ampdu_max = 32;           /* XXX negotiated? */
 5356         linkq.ampdu_threshold = 3;
 5357         linkq.ampdu_limit = htole16(4000);      /* 4ms */
 5358 
 5359         DPRINTF(sc, IWN_DEBUG_XMIT,
 5360             "%s: 1stream antenna=0x%02x, 2stream antenna=0x%02x, ntxstreams=%d\n",
 5361             __func__,
 5362             linkq.antmsk_1stream,
 5363             linkq.antmsk_2stream,
 5364             sc->ntxchains);
 5365 
 5366         /*
 5367          * Are we using 11n rates? Ensure the channel is
 5368          * 11n _and_ we have some 11n rates, or don't
 5369          * try.
 5370          */
 5371         if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && ni->ni_htrates.rs_nrates > 0) {
 5372                 rs = (struct ieee80211_rateset *) &ni->ni_htrates;
 5373                 is_11n = 1;
 5374         } else {
 5375                 rs = &ni->ni_rates;
 5376                 is_11n = 0;
 5377         }
 5378 
 5379         /* Start at highest available bit-rate. */
 5380         /*
 5381          * XXX this is all very dirty!
 5382          */
 5383         if (is_11n)
 5384                 txrate = ni->ni_htrates.rs_nrates - 1;
 5385         else
 5386                 txrate = rs->rs_nrates - 1;
 5387         for (i = 0; i < IWN_MAX_TX_RETRIES; i++) {
 5388                 uint32_t plcp;
 5389 
 5390                 /*
 5391                  * XXX TODO: ensure the last two slots are the two lowest
 5392                  * rate entries, just for now.
 5393                  */
 5394                 if (i == 14 || i == 15)
 5395                         txrate = 0;
 5396 
 5397                 if (is_11n)
 5398                         rate = IEEE80211_RATE_MCS | rs->rs_rates[txrate];
 5399                 else
 5400                         rate = IEEE80211_RV(rs->rs_rates[txrate]);
 5401 
 5402                 /* Do rate -> PLCP config mapping */
 5403                 plcp = iwn_rate_to_plcp(sc, ni, rate);
 5404                 linkq.retry[i] = plcp;
 5405                 DPRINTF(sc, IWN_DEBUG_XMIT,
 5406                     "%s: i=%d, txrate=%d, rate=0x%02x, plcp=0x%08x\n",
 5407                     __func__,
 5408                     i,
 5409                     txrate,
 5410                     rate,
 5411                     le32toh(plcp));
 5412 
 5413                 /*
 5414                  * The mimo field is an index into the table which
 5415                  * indicates the first index where it and subsequent entries
 5416                  * will not be using MIMO.
 5417                  *
 5418                  * Since we're filling linkq from 0..15 and we're filling
 5419                  * from the highest MCS rates to the lowest rates, if we
 5420                  * _are_ doing a dual-stream rate, set mimo to idx+1 (ie,
 5421                  * the next entry.)  That way if the next entry is a non-MIMO
 5422                  * entry, we're already pointing at it.
 5423                  */
 5424                 if ((le32toh(plcp) & IWN_RFLAG_MCS) &&
 5425                     IEEE80211_RV(le32toh(plcp)) > 7)
 5426                         linkq.mimo = i + 1;
 5427 
 5428                 /* Next retry at immediate lower bit-rate. */
 5429                 if (txrate > 0)
 5430                         txrate--;
 5431         }
 5432         /*
 5433          * If we reached the end of the list and indeed we hit
 5434          * all MIMO rates (eg 5300 doing MCS23-15) then yes,
 5435          * set mimo to 15.  Setting it to 16 panics the firmware.
 5436          */
 5437         if (linkq.mimo > 15)
 5438                 linkq.mimo = 15;
 5439 
 5440         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: mimo = %d\n", __func__, linkq.mimo);
 5441 
 5442         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 5443 
 5444         return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, 1);
 5445 }
 5446 
 5447 /*
 5448  * Broadcast node is used to send group-addressed and management frames.
 5449  */
 5450 static int
 5451 iwn_add_broadcast_node(struct iwn_softc *sc, int async)
 5452 {
 5453         struct iwn_ops *ops = &sc->ops;
 5454         struct ieee80211com *ic = &sc->sc_ic;
 5455         struct iwn_node_info node;
 5456         struct iwn_cmd_link_quality linkq;
 5457         uint8_t txant;
 5458         int i, error;
 5459 
 5460         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 5461 
 5462         sc->rxon = &sc->rx_on[IWN_RXON_BSS_CTX];
 5463 
 5464         memset(&node, 0, sizeof node);
 5465         IEEE80211_ADDR_COPY(node.macaddr, ieee80211broadcastaddr);
 5466         node.id = sc->broadcast_id;
 5467         DPRINTF(sc, IWN_DEBUG_RESET, "%s: adding broadcast node\n", __func__);
 5468         if ((error = ops->add_node(sc, &node, async)) != 0)
 5469                 return error;
 5470 
 5471         /* Use the first valid TX antenna. */
 5472         txant = IWN_LSB(sc->txchainmask);
 5473 
 5474         memset(&linkq, 0, sizeof linkq);
 5475         linkq.id = sc->broadcast_id;
 5476         linkq.antmsk_1stream = iwn_get_1stream_tx_antmask(sc);
 5477         linkq.antmsk_2stream = iwn_get_2stream_tx_antmask(sc);
 5478         linkq.ampdu_max = 64;
 5479         linkq.ampdu_threshold = 3;
 5480         linkq.ampdu_limit = htole16(4000);      /* 4ms */
 5481 
 5482         /* Use lowest mandatory bit-rate. */
 5483         /* XXX rate table lookup? */
 5484         if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan))
 5485                 linkq.retry[0] = htole32(0xd);
 5486         else
 5487                 linkq.retry[0] = htole32(10 | IWN_RFLAG_CCK);
 5488         linkq.retry[0] |= htole32(IWN_RFLAG_ANT(txant));
 5489         /* Use same bit-rate for all TX retries. */
 5490         for (i = 1; i < IWN_MAX_TX_RETRIES; i++) {
 5491                 linkq.retry[i] = linkq.retry[0];
 5492         }
 5493 
 5494         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 5495 
 5496         return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, async);
 5497 }
 5498 
 5499 static int
 5500 iwn_updateedca(struct ieee80211com *ic)
 5501 {
 5502 #define IWN_EXP2(x)     ((1 << (x)) - 1)        /* CWmin = 2^ECWmin - 1 */
 5503         struct iwn_softc *sc = ic->ic_softc;
 5504         struct iwn_edca_params cmd;
 5505         struct chanAccParams chp;
 5506         int aci;
 5507 
 5508         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s begin\n", __func__);
 5509 
 5510         ieee80211_wme_ic_getparams(ic, &chp);
 5511 
 5512         memset(&cmd, 0, sizeof cmd);
 5513         cmd.flags = htole32(IWN_EDCA_UPDATE);
 5514 
 5515         IEEE80211_LOCK(ic);
 5516         for (aci = 0; aci < WME_NUM_AC; aci++) {
 5517                 const struct wmeParams *ac = &chp.cap_wmeParams[aci];
 5518                 cmd.ac[aci].aifsn = ac->wmep_aifsn;
 5519                 cmd.ac[aci].cwmin = htole16(IWN_EXP2(ac->wmep_logcwmin));
 5520                 cmd.ac[aci].cwmax = htole16(IWN_EXP2(ac->wmep_logcwmax));
 5521                 cmd.ac[aci].txoplimit =
 5522                     htole16(IEEE80211_TXOP_TO_US(ac->wmep_txopLimit));
 5523         }
 5524         IEEE80211_UNLOCK(ic);
 5525 
 5526         IWN_LOCK(sc);
 5527         (void)iwn_cmd(sc, IWN_CMD_EDCA_PARAMS, &cmd, sizeof cmd, 1);
 5528         IWN_UNLOCK(sc);
 5529 
 5530         DPRINTF(sc, IWN_DEBUG_TRACE, "->%s: end\n",__func__);
 5531 
 5532         return 0;
 5533 #undef IWN_EXP2
 5534 }
 5535 
 5536 static void
 5537 iwn_set_promisc(struct iwn_softc *sc)
 5538 {
 5539         struct ieee80211com *ic = &sc->sc_ic;
 5540         uint32_t promisc_filter;
 5541 
 5542         promisc_filter = IWN_FILTER_CTL | IWN_FILTER_PROMISC;
 5543         if (ic->ic_promisc > 0 || ic->ic_opmode == IEEE80211_M_MONITOR)
 5544                 sc->rxon->filter |= htole32(promisc_filter);
 5545         else
 5546                 sc->rxon->filter &= ~htole32(promisc_filter);
 5547 }
 5548 
 5549 static void
 5550 iwn_update_promisc(struct ieee80211com *ic)
 5551 {
 5552         struct iwn_softc *sc = ic->ic_softc;
 5553         int error;
 5554 
 5555         if (ic->ic_opmode == IEEE80211_M_MONITOR)
 5556                 return;         /* nothing to do */
 5557 
 5558         IWN_LOCK(sc);
 5559         if (!(sc->sc_flags & IWN_FLAG_RUNNING)) {
 5560                 IWN_UNLOCK(sc);
 5561                 return;
 5562         }
 5563 
 5564         iwn_set_promisc(sc);
 5565         if ((error = iwn_send_rxon(sc, 1, 1)) != 0) {
 5566                 device_printf(sc->sc_dev,
 5567                     "%s: could not send RXON, error %d\n",
 5568                     __func__, error);
 5569         }
 5570         IWN_UNLOCK(sc);
 5571 }
 5572 
 5573 static void
 5574 iwn_update_mcast(struct ieee80211com *ic)
 5575 {
 5576         /* Ignore */
 5577 }
 5578 
 5579 static void
 5580 iwn_set_led(struct iwn_softc *sc, uint8_t which, uint8_t off, uint8_t on)
 5581 {
 5582         struct iwn_cmd_led led;
 5583 
 5584         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5585 
 5586 #if 0
 5587         /* XXX don't set LEDs during scan? */
 5588         if (sc->sc_is_scanning)
 5589                 return;
 5590 #endif
 5591 
 5592         /* Clear microcode LED ownership. */
 5593         IWN_CLRBITS(sc, IWN_LED, IWN_LED_BSM_CTRL);
 5594 
 5595         led.which = which;
 5596         led.unit = htole32(10000);      /* on/off in unit of 100ms */
 5597         led.off = off;
 5598         led.on = on;
 5599         (void)iwn_cmd(sc, IWN_CMD_SET_LED, &led, sizeof led, 1);
 5600 }
 5601 
 5602 /*
 5603  * Set the critical temperature at which the firmware will stop the radio
 5604  * and notify us.
 5605  */
 5606 static int
 5607 iwn_set_critical_temp(struct iwn_softc *sc)
 5608 {
 5609         struct iwn_critical_temp crit;
 5610         int32_t temp;
 5611 
 5612         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5613 
 5614         IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_CTEMP_STOP_RF);
 5615 
 5616         if (sc->hw_type == IWN_HW_REV_TYPE_5150)
 5617                 temp = (IWN_CTOK(110) - sc->temp_off) * -5;
 5618         else if (sc->hw_type == IWN_HW_REV_TYPE_4965)
 5619                 temp = IWN_CTOK(110);
 5620         else
 5621                 temp = 110;
 5622         memset(&crit, 0, sizeof crit);
 5623         crit.tempR = htole32(temp);
 5624         DPRINTF(sc, IWN_DEBUG_RESET, "setting critical temp to %d\n", temp);
 5625         return iwn_cmd(sc, IWN_CMD_SET_CRITICAL_TEMP, &crit, sizeof crit, 0);
 5626 }
 5627 
 5628 static int
 5629 iwn_set_timing(struct iwn_softc *sc, struct ieee80211_node *ni)
 5630 {
 5631         struct iwn_cmd_timing cmd;
 5632         uint64_t val, mod;
 5633 
 5634         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5635 
 5636         memset(&cmd, 0, sizeof cmd);
 5637         memcpy(&cmd.tstamp, ni->ni_tstamp.data, sizeof (uint64_t));
 5638         cmd.bintval = htole16(ni->ni_intval);
 5639         cmd.lintval = htole16(10);
 5640 
 5641         /* Compute remaining time until next beacon. */
 5642         val = (uint64_t)ni->ni_intval * IEEE80211_DUR_TU;
 5643         mod = le64toh(cmd.tstamp) % val;
 5644         cmd.binitval = htole32((uint32_t)(val - mod));
 5645 
 5646         DPRINTF(sc, IWN_DEBUG_RESET, "timing bintval=%u tstamp=%ju, init=%u\n",
 5647             ni->ni_intval, le64toh(cmd.tstamp), (uint32_t)(val - mod));
 5648 
 5649         return iwn_cmd(sc, IWN_CMD_TIMING, &cmd, sizeof cmd, 1);
 5650 }
 5651 
 5652 static void
 5653 iwn4965_power_calibration(struct iwn_softc *sc, int temp)
 5654 {
 5655 
 5656         DPRINTF(sc, IWN_DEBUG_TRACE, "->Doing %s\n", __func__);
 5657 
 5658         /* Adjust TX power if need be (delta >= 3 degC). */
 5659         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: temperature %d->%d\n",
 5660             __func__, sc->temp, temp);
 5661         if (abs(temp - sc->temp) >= 3) {
 5662                 /* Record temperature of last calibration. */
 5663                 sc->temp = temp;
 5664                 (void)iwn4965_set_txpower(sc, 1);
 5665         }
 5666 }
 5667 
 5668 /*
 5669  * Set TX power for current channel (each rate has its own power settings).
 5670  * This function takes into account the regulatory information from EEPROM,
 5671  * the current temperature and the current voltage.
 5672  */
 5673 static int
 5674 iwn4965_set_txpower(struct iwn_softc *sc, int async)
 5675 {
 5676 /* Fixed-point arithmetic division using a n-bit fractional part. */
 5677 #define fdivround(a, b, n)      \
 5678         ((((1 << n) * (a)) / (b) + (1 << n) / 2) / (1 << n))
 5679 /* Linear interpolation. */
 5680 #define interpolate(x, x1, y1, x2, y2, n)       \
 5681         ((y1) + fdivround(((int)(x) - (x1)) * ((y2) - (y1)), (x2) - (x1), n))
 5682 
 5683         static const int tdiv[IWN_NATTEN_GROUPS] = { 9, 8, 8, 8, 6 };
 5684         struct iwn_ucode_info *uc = &sc->ucode_info;
 5685         struct iwn4965_cmd_txpower cmd;
 5686         struct iwn4965_eeprom_chan_samples *chans;
 5687         const uint8_t *rf_gain, *dsp_gain;
 5688         int32_t vdiff, tdiff;
 5689         int i, is_chan_5ghz, c, grp, maxpwr;
 5690         uint8_t chan;
 5691 
 5692         sc->rxon = &sc->rx_on[IWN_RXON_BSS_CTX];
 5693         /* Retrieve current channel from last RXON. */
 5694         chan = sc->rxon->chan;
 5695         is_chan_5ghz = (sc->rxon->flags & htole32(IWN_RXON_24GHZ)) == 0;
 5696         DPRINTF(sc, IWN_DEBUG_RESET, "setting TX power for channel %d\n",
 5697             chan);
 5698