The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/dev/iwn/if_iwn.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2007-2009
    3  *      Damien Bergamini <damien.bergamini@free.fr>
    4  * Copyright (c) 2008
    5  *      Benjamin Close <benjsc@FreeBSD.org>
    6  * Copyright (c) 2008 Sam Leffler, Errno Consulting
    7  *
    8  * Permission to use, copy, modify, and distribute this software for any
    9  * purpose with or without fee is hereby granted, provided that the above
   10  * copyright notice and this permission notice appear in all copies.
   11  *
   12  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   13  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   14  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   15  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   16  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   17  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   18  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   19  */
   20 
   21 /*
   22  * Driver for Intel WiFi Link 4965 and 1000/5000/6000 Series 802.11 network
   23  * adapters.
   24  */
   25 
   26 #include <sys/cdefs.h>
   27 __FBSDID("$FreeBSD: releng/9.1/sys/dev/iwn/if_iwn.c 237917 2012-07-01 09:30:37Z bschmidt $");
   28 
   29 #include <sys/param.h>
   30 #include <sys/sockio.h>
   31 #include <sys/sysctl.h>
   32 #include <sys/mbuf.h>
   33 #include <sys/kernel.h>
   34 #include <sys/socket.h>
   35 #include <sys/systm.h>
   36 #include <sys/malloc.h>
   37 #include <sys/bus.h>
   38 #include <sys/rman.h>
   39 #include <sys/endian.h>
   40 #include <sys/firmware.h>
   41 #include <sys/limits.h>
   42 #include <sys/module.h>
   43 #include <sys/queue.h>
   44 #include <sys/taskqueue.h>
   45 
   46 #include <machine/bus.h>
   47 #include <machine/resource.h>
   48 #include <machine/clock.h>
   49 
   50 #include <dev/pci/pcireg.h>
   51 #include <dev/pci/pcivar.h>
   52 
   53 #include <net/bpf.h>
   54 #include <net/if.h>
   55 #include <net/if_arp.h>
   56 #include <net/ethernet.h>
   57 #include <net/if_dl.h>
   58 #include <net/if_media.h>
   59 #include <net/if_types.h>
   60 
   61 #include <netinet/in.h>
   62 #include <netinet/in_systm.h>
   63 #include <netinet/in_var.h>
   64 #include <netinet/if_ether.h>
   65 #include <netinet/ip.h>
   66 
   67 #include <net80211/ieee80211_var.h>
   68 #include <net80211/ieee80211_radiotap.h>
   69 #include <net80211/ieee80211_regdomain.h>
   70 #include <net80211/ieee80211_ratectl.h>
   71 
   72 #include <dev/iwn/if_iwnreg.h>
   73 #include <dev/iwn/if_iwnvar.h>
   74 
   75 struct iwn_ident {
   76         uint16_t        vendor;
   77         uint16_t        device;
   78         const char      *name;
   79 };
   80 
   81 static const struct iwn_ident iwn_ident_table[] = {
   82         { 0x8086, 0x0082, "Intel Centrino Advanced-N 6205"              },
   83         { 0x8086, 0x0083, "Intel Centrino Wireless-N 1000"              },
   84         { 0x8086, 0x0084, "Intel Centrino Wireless-N 1000"              },
   85         { 0x8086, 0x0085, "Intel Centrino Advanced-N 6205"              },
   86         { 0x8086, 0x0087, "Intel Centrino Advanced-N + WiMAX 6250"      },
   87         { 0x8086, 0x0089, "Intel Centrino Advanced-N + WiMAX 6250"      },
   88         { 0x8086, 0x008a, "Intel Centrino Wireless-N 1030"              },
   89         { 0x8086, 0x008b, "Intel Centrino Wireless-N 1030"              },
   90         { 0x8086, 0x0090, "Intel Centrino Advanced-N 6230"              },
   91         { 0x8086, 0x0091, "Intel Centrino Advanced-N 6230"              },
   92         { 0x8086, 0x0885, "Intel Centrino Wireless-N + WiMAX 6150"      },
   93         { 0x8086, 0x0886, "Intel Centrino Wireless-N + WiMAX 6150"      },
   94         { 0x8086, 0x0896, "Intel Centrino Wireless-N 130"               },
   95         { 0x8086, 0x0887, "Intel Centrino Wireless-N 130"               },
   96         { 0x8086, 0x08ae, "Intel Centrino Wireless-N 100"               },
   97         { 0x8086, 0x08af, "Intel Centrino Wireless-N 100"               },
   98         { 0x8086, 0x4229, "Intel Wireless WiFi Link 4965"               },
   99         { 0x8086, 0x422b, "Intel Centrino Ultimate-N 6300"              },
  100         { 0x8086, 0x422c, "Intel Centrino Advanced-N 6200"              },
  101         { 0x8086, 0x422d, "Intel Wireless WiFi Link 4965"               },
  102         { 0x8086, 0x4230, "Intel Wireless WiFi Link 4965"               },
  103         { 0x8086, 0x4232, "Intel WiFi Link 5100"                        },
  104         { 0x8086, 0x4233, "Intel Wireless WiFi Link 4965"               },
  105         { 0x8086, 0x4235, "Intel Ultimate N WiFi Link 5300"             },
  106         { 0x8086, 0x4236, "Intel Ultimate N WiFi Link 5300"             },
  107         { 0x8086, 0x4237, "Intel WiFi Link 5100"                        },
  108         { 0x8086, 0x4238, "Intel Centrino Ultimate-N 6300"              },
  109         { 0x8086, 0x4239, "Intel Centrino Advanced-N 6200"              },
  110         { 0x8086, 0x423a, "Intel WiMAX/WiFi Link 5350"                  },
  111         { 0x8086, 0x423b, "Intel WiMAX/WiFi Link 5350"                  },
  112         { 0x8086, 0x423c, "Intel WiMAX/WiFi Link 5150"                  },
  113         { 0x8086, 0x423d, "Intel WiMAX/WiFi Link 5150"                  },
  114         { 0, 0, NULL }
  115 };
  116 
  117 static int      iwn_probe(device_t);
  118 static int      iwn_attach(device_t);
  119 static int      iwn4965_attach(struct iwn_softc *, uint16_t);
  120 static int      iwn5000_attach(struct iwn_softc *, uint16_t);
  121 static void     iwn_radiotap_attach(struct iwn_softc *);
  122 static void     iwn_sysctlattach(struct iwn_softc *);
  123 static struct ieee80211vap *iwn_vap_create(struct ieee80211com *,
  124                     const char [IFNAMSIZ], int, enum ieee80211_opmode, int,
  125                     const uint8_t [IEEE80211_ADDR_LEN],
  126                     const uint8_t [IEEE80211_ADDR_LEN]);
  127 static void     iwn_vap_delete(struct ieee80211vap *);
  128 static int      iwn_detach(device_t);
  129 static int      iwn_shutdown(device_t);
  130 static int      iwn_suspend(device_t);
  131 static int      iwn_resume(device_t);
  132 static int      iwn_nic_lock(struct iwn_softc *);
  133 static int      iwn_eeprom_lock(struct iwn_softc *);
  134 static int      iwn_init_otprom(struct iwn_softc *);
  135 static int      iwn_read_prom_data(struct iwn_softc *, uint32_t, void *, int);
  136 static void     iwn_dma_map_addr(void *, bus_dma_segment_t *, int, int);
  137 static int      iwn_dma_contig_alloc(struct iwn_softc *, struct iwn_dma_info *,
  138                     void **, bus_size_t, bus_size_t);
  139 static void     iwn_dma_contig_free(struct iwn_dma_info *);
  140 static int      iwn_alloc_sched(struct iwn_softc *);
  141 static void     iwn_free_sched(struct iwn_softc *);
  142 static int      iwn_alloc_kw(struct iwn_softc *);
  143 static void     iwn_free_kw(struct iwn_softc *);
  144 static int      iwn_alloc_ict(struct iwn_softc *);
  145 static void     iwn_free_ict(struct iwn_softc *);
  146 static int      iwn_alloc_fwmem(struct iwn_softc *);
  147 static void     iwn_free_fwmem(struct iwn_softc *);
  148 static int      iwn_alloc_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  149 static void     iwn_reset_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  150 static void     iwn_free_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
  151 static int      iwn_alloc_tx_ring(struct iwn_softc *, struct iwn_tx_ring *,
  152                     int);
  153 static void     iwn_reset_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
  154 static void     iwn_free_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
  155 static void     iwn5000_ict_reset(struct iwn_softc *);
  156 static int      iwn_read_eeprom(struct iwn_softc *,
  157                     uint8_t macaddr[IEEE80211_ADDR_LEN]);
  158 static void     iwn4965_read_eeprom(struct iwn_softc *);
  159 static void     iwn4965_print_power_group(struct iwn_softc *, int);
  160 static void     iwn5000_read_eeprom(struct iwn_softc *);
  161 static uint32_t iwn_eeprom_channel_flags(struct iwn_eeprom_chan *);
  162 static void     iwn_read_eeprom_band(struct iwn_softc *, int);
  163 static void     iwn_read_eeprom_ht40(struct iwn_softc *, int);
  164 static void     iwn_read_eeprom_channels(struct iwn_softc *, int, uint32_t);
  165 static struct iwn_eeprom_chan *iwn_find_eeprom_channel(struct iwn_softc *,
  166                     struct ieee80211_channel *);
  167 static int      iwn_setregdomain(struct ieee80211com *,
  168                     struct ieee80211_regdomain *, int,
  169                     struct ieee80211_channel[]);
  170 static void     iwn_read_eeprom_enhinfo(struct iwn_softc *);
  171 static struct ieee80211_node *iwn_node_alloc(struct ieee80211vap *,
  172                     const uint8_t mac[IEEE80211_ADDR_LEN]);
  173 static void     iwn_newassoc(struct ieee80211_node *, int);
  174 static int      iwn_media_change(struct ifnet *);
  175 static int      iwn_newstate(struct ieee80211vap *, enum ieee80211_state, int);
  176 static void     iwn_calib_timeout(void *);
  177 static void     iwn_rx_phy(struct iwn_softc *, struct iwn_rx_desc *,
  178                     struct iwn_rx_data *);
  179 static void     iwn_rx_done(struct iwn_softc *, struct iwn_rx_desc *,
  180                     struct iwn_rx_data *);
  181 static void     iwn_rx_compressed_ba(struct iwn_softc *, struct iwn_rx_desc *,
  182                     struct iwn_rx_data *);
  183 static void     iwn5000_rx_calib_results(struct iwn_softc *,
  184                     struct iwn_rx_desc *, struct iwn_rx_data *);
  185 static void     iwn_rx_statistics(struct iwn_softc *, struct iwn_rx_desc *,
  186                     struct iwn_rx_data *);
  187 static void     iwn4965_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
  188                     struct iwn_rx_data *);
  189 static void     iwn5000_tx_done(struct iwn_softc *, struct iwn_rx_desc *,
  190                     struct iwn_rx_data *);
  191 static void     iwn_tx_done(struct iwn_softc *, struct iwn_rx_desc *, int,
  192                     uint8_t);
  193 static void     iwn_ampdu_tx_done(struct iwn_softc *, int, int, int, void *);
  194 static void     iwn_cmd_done(struct iwn_softc *, struct iwn_rx_desc *);
  195 static void     iwn_notif_intr(struct iwn_softc *);
  196 static void     iwn_wakeup_intr(struct iwn_softc *);
  197 static void     iwn_rftoggle_intr(struct iwn_softc *);
  198 static void     iwn_fatal_intr(struct iwn_softc *);
  199 static void     iwn_intr(void *);
  200 static void     iwn4965_update_sched(struct iwn_softc *, int, int, uint8_t,
  201                     uint16_t);
  202 static void     iwn5000_update_sched(struct iwn_softc *, int, int, uint8_t,
  203                     uint16_t);
  204 #ifdef notyet
  205 static void     iwn5000_reset_sched(struct iwn_softc *, int, int);
  206 #endif
  207 static int      iwn_tx_data(struct iwn_softc *, struct mbuf *,
  208                     struct ieee80211_node *);
  209 static int      iwn_tx_data_raw(struct iwn_softc *, struct mbuf *,
  210                     struct ieee80211_node *,
  211                     const struct ieee80211_bpf_params *params);
  212 static int      iwn_raw_xmit(struct ieee80211_node *, struct mbuf *,
  213                     const struct ieee80211_bpf_params *);
  214 static void     iwn_start(struct ifnet *);
  215 static void     iwn_start_locked(struct ifnet *);
  216 static void     iwn_watchdog(void *);
  217 static int      iwn_ioctl(struct ifnet *, u_long, caddr_t);
  218 static int      iwn_cmd(struct iwn_softc *, int, const void *, int, int);
  219 static int      iwn4965_add_node(struct iwn_softc *, struct iwn_node_info *,
  220                     int);
  221 static int      iwn5000_add_node(struct iwn_softc *, struct iwn_node_info *,
  222                     int);
  223 static int      iwn_set_link_quality(struct iwn_softc *,
  224                     struct ieee80211_node *);
  225 static int      iwn_add_broadcast_node(struct iwn_softc *, int);
  226 static int      iwn_updateedca(struct ieee80211com *);
  227 static void     iwn_update_mcast(struct ifnet *);
  228 static void     iwn_set_led(struct iwn_softc *, uint8_t, uint8_t, uint8_t);
  229 static int      iwn_set_critical_temp(struct iwn_softc *);
  230 static int      iwn_set_timing(struct iwn_softc *, struct ieee80211_node *);
  231 static void     iwn4965_power_calibration(struct iwn_softc *, int);
  232 static int      iwn4965_set_txpower(struct iwn_softc *,
  233                     struct ieee80211_channel *, int);
  234 static int      iwn5000_set_txpower(struct iwn_softc *,
  235                     struct ieee80211_channel *, int);
  236 static int      iwn4965_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
  237 static int      iwn5000_get_rssi(struct iwn_softc *, struct iwn_rx_stat *);
  238 static int      iwn_get_noise(const struct iwn_rx_general_stats *);
  239 static int      iwn4965_get_temperature(struct iwn_softc *);
  240 static int      iwn5000_get_temperature(struct iwn_softc *);
  241 static int      iwn_init_sensitivity(struct iwn_softc *);
  242 static void     iwn_collect_noise(struct iwn_softc *,
  243                     const struct iwn_rx_general_stats *);
  244 static int      iwn4965_init_gains(struct iwn_softc *);
  245 static int      iwn5000_init_gains(struct iwn_softc *);
  246 static int      iwn4965_set_gains(struct iwn_softc *);
  247 static int      iwn5000_set_gains(struct iwn_softc *);
  248 static void     iwn_tune_sensitivity(struct iwn_softc *,
  249                     const struct iwn_rx_stats *);
  250 static int      iwn_send_sensitivity(struct iwn_softc *);
  251 static int      iwn_set_pslevel(struct iwn_softc *, int, int, int);
  252 static int      iwn_send_btcoex(struct iwn_softc *);
  253 static int      iwn_send_advanced_btcoex(struct iwn_softc *);
  254 static int      iwn5000_runtime_calib(struct iwn_softc *);
  255 static int      iwn_config(struct iwn_softc *);
  256 static uint8_t  *ieee80211_add_ssid(uint8_t *, const uint8_t *, u_int);
  257 static int      iwn_scan(struct iwn_softc *);
  258 static int      iwn_auth(struct iwn_softc *, struct ieee80211vap *vap);
  259 static int      iwn_run(struct iwn_softc *, struct ieee80211vap *vap);
  260 static int      iwn_ampdu_rx_start(struct ieee80211_node *,
  261                     struct ieee80211_rx_ampdu *, int, int, int);
  262 static void     iwn_ampdu_rx_stop(struct ieee80211_node *,
  263                     struct ieee80211_rx_ampdu *);
  264 static int      iwn_addba_request(struct ieee80211_node *,
  265                     struct ieee80211_tx_ampdu *, int, int, int);
  266 static int      iwn_addba_response(struct ieee80211_node *,
  267                     struct ieee80211_tx_ampdu *, int, int, int);
  268 static int      iwn_ampdu_tx_start(struct ieee80211com *,
  269                     struct ieee80211_node *, uint8_t);
  270 static void     iwn_ampdu_tx_stop(struct ieee80211_node *,
  271                     struct ieee80211_tx_ampdu *);
  272 static void     iwn4965_ampdu_tx_start(struct iwn_softc *,
  273                     struct ieee80211_node *, int, uint8_t, uint16_t);
  274 static void     iwn4965_ampdu_tx_stop(struct iwn_softc *, int,
  275                     uint8_t, uint16_t);
  276 static void     iwn5000_ampdu_tx_start(struct iwn_softc *,
  277                     struct ieee80211_node *, int, uint8_t, uint16_t);
  278 static void     iwn5000_ampdu_tx_stop(struct iwn_softc *, int,
  279                     uint8_t, uint16_t);
  280 static int      iwn5000_query_calibration(struct iwn_softc *);
  281 static int      iwn5000_send_calibration(struct iwn_softc *);
  282 static int      iwn5000_send_wimax_coex(struct iwn_softc *);
  283 static int      iwn5000_crystal_calib(struct iwn_softc *);
  284 static int      iwn5000_temp_offset_calib(struct iwn_softc *);
  285 static int      iwn4965_post_alive(struct iwn_softc *);
  286 static int      iwn5000_post_alive(struct iwn_softc *);
  287 static int      iwn4965_load_bootcode(struct iwn_softc *, const uint8_t *,
  288                     int);
  289 static int      iwn4965_load_firmware(struct iwn_softc *);
  290 static int      iwn5000_load_firmware_section(struct iwn_softc *, uint32_t,
  291                     const uint8_t *, int);
  292 static int      iwn5000_load_firmware(struct iwn_softc *);
  293 static int      iwn_read_firmware_leg(struct iwn_softc *,
  294                     struct iwn_fw_info *);
  295 static int      iwn_read_firmware_tlv(struct iwn_softc *,
  296                     struct iwn_fw_info *, uint16_t);
  297 static int      iwn_read_firmware(struct iwn_softc *);
  298 static int      iwn_clock_wait(struct iwn_softc *);
  299 static int      iwn_apm_init(struct iwn_softc *);
  300 static void     iwn_apm_stop_master(struct iwn_softc *);
  301 static void     iwn_apm_stop(struct iwn_softc *);
  302 static int      iwn4965_nic_config(struct iwn_softc *);
  303 static int      iwn5000_nic_config(struct iwn_softc *);
  304 static int      iwn_hw_prepare(struct iwn_softc *);
  305 static int      iwn_hw_init(struct iwn_softc *);
  306 static void     iwn_hw_stop(struct iwn_softc *);
  307 static void     iwn_radio_on(void *, int);
  308 static void     iwn_radio_off(void *, int);
  309 static void     iwn_init_locked(struct iwn_softc *);
  310 static void     iwn_init(void *);
  311 static void     iwn_stop_locked(struct iwn_softc *);
  312 static void     iwn_stop(struct iwn_softc *);
  313 static void     iwn_scan_start(struct ieee80211com *);
  314 static void     iwn_scan_end(struct ieee80211com *);
  315 static void     iwn_set_channel(struct ieee80211com *);
  316 static void     iwn_scan_curchan(struct ieee80211_scan_state *, unsigned long);
  317 static void     iwn_scan_mindwell(struct ieee80211_scan_state *);
  318 static void     iwn_hw_reset(void *, int);
  319 
  320 #define IWN_DEBUG
  321 #ifdef IWN_DEBUG
  322 enum {
  323         IWN_DEBUG_XMIT          = 0x00000001,   /* basic xmit operation */
  324         IWN_DEBUG_RECV          = 0x00000002,   /* basic recv operation */
  325         IWN_DEBUG_STATE         = 0x00000004,   /* 802.11 state transitions */
  326         IWN_DEBUG_TXPOW         = 0x00000008,   /* tx power processing */
  327         IWN_DEBUG_RESET         = 0x00000010,   /* reset processing */
  328         IWN_DEBUG_OPS           = 0x00000020,   /* iwn_ops processing */
  329         IWN_DEBUG_BEACON        = 0x00000040,   /* beacon handling */
  330         IWN_DEBUG_WATCHDOG      = 0x00000080,   /* watchdog timeout */
  331         IWN_DEBUG_INTR          = 0x00000100,   /* ISR */
  332         IWN_DEBUG_CALIBRATE     = 0x00000200,   /* periodic calibration */
  333         IWN_DEBUG_NODE          = 0x00000400,   /* node management */
  334         IWN_DEBUG_LED           = 0x00000800,   /* led management */
  335         IWN_DEBUG_CMD           = 0x00001000,   /* cmd submission */
  336         IWN_DEBUG_FATAL         = 0x80000000,   /* fatal errors */
  337         IWN_DEBUG_ANY           = 0xffffffff
  338 };
  339 
  340 #define DPRINTF(sc, m, fmt, ...) do {                   \
  341         if (sc->sc_debug & (m))                         \
  342                 printf(fmt, __VA_ARGS__);               \
  343 } while (0)
  344 
  345 static const char *
  346 iwn_intr_str(uint8_t cmd)
  347 {
  348         switch (cmd) {
  349         /* Notifications */
  350         case IWN_UC_READY:              return "UC_READY";
  351         case IWN_ADD_NODE_DONE:         return "ADD_NODE_DONE";
  352         case IWN_TX_DONE:               return "TX_DONE";
  353         case IWN_START_SCAN:            return "START_SCAN";
  354         case IWN_STOP_SCAN:             return "STOP_SCAN";
  355         case IWN_RX_STATISTICS:         return "RX_STATS";
  356         case IWN_BEACON_STATISTICS:     return "BEACON_STATS";
  357         case IWN_STATE_CHANGED:         return "STATE_CHANGED";
  358         case IWN_BEACON_MISSED:         return "BEACON_MISSED";
  359         case IWN_RX_PHY:                return "RX_PHY";
  360         case IWN_MPDU_RX_DONE:          return "MPDU_RX_DONE";
  361         case IWN_RX_DONE:               return "RX_DONE";
  362 
  363         /* Command Notifications */
  364         case IWN_CMD_RXON:              return "IWN_CMD_RXON";
  365         case IWN_CMD_RXON_ASSOC:        return "IWN_CMD_RXON_ASSOC";
  366         case IWN_CMD_EDCA_PARAMS:       return "IWN_CMD_EDCA_PARAMS";
  367         case IWN_CMD_TIMING:            return "IWN_CMD_TIMING";
  368         case IWN_CMD_LINK_QUALITY:      return "IWN_CMD_LINK_QUALITY";
  369         case IWN_CMD_SET_LED:           return "IWN_CMD_SET_LED";
  370         case IWN5000_CMD_WIMAX_COEX:    return "IWN5000_CMD_WIMAX_COEX";
  371         case IWN5000_CMD_CALIB_CONFIG:  return "IWN5000_CMD_CALIB_CONFIG";
  372         case IWN5000_CMD_CALIB_RESULT:  return "IWN5000_CMD_CALIB_RESULT";
  373         case IWN5000_CMD_CALIB_COMPLETE: return "IWN5000_CMD_CALIB_COMPLETE";
  374         case IWN_CMD_SET_POWER_MODE:    return "IWN_CMD_SET_POWER_MODE";
  375         case IWN_CMD_SCAN:              return "IWN_CMD_SCAN";
  376         case IWN_CMD_SCAN_RESULTS:      return "IWN_CMD_SCAN_RESULTS";
  377         case IWN_CMD_TXPOWER:           return "IWN_CMD_TXPOWER";
  378         case IWN_CMD_TXPOWER_DBM:       return "IWN_CMD_TXPOWER_DBM";
  379         case IWN5000_CMD_TX_ANT_CONFIG: return "IWN5000_CMD_TX_ANT_CONFIG";
  380         case IWN_CMD_BT_COEX:           return "IWN_CMD_BT_COEX";
  381         case IWN_CMD_SET_CRITICAL_TEMP: return "IWN_CMD_SET_CRITICAL_TEMP";
  382         case IWN_CMD_SET_SENSITIVITY:   return "IWN_CMD_SET_SENSITIVITY";
  383         case IWN_CMD_PHY_CALIB:         return "IWN_CMD_PHY_CALIB";
  384         }
  385         return "UNKNOWN INTR NOTIF/CMD";
  386 }
  387 #else
  388 #define DPRINTF(sc, m, fmt, ...) do { (void) sc; } while (0)
  389 #endif
  390 
  391 static device_method_t iwn_methods[] = {
  392         /* Device interface */
  393         DEVMETHOD(device_probe,         iwn_probe),
  394         DEVMETHOD(device_attach,        iwn_attach),
  395         DEVMETHOD(device_detach,        iwn_detach),
  396         DEVMETHOD(device_shutdown,      iwn_shutdown),
  397         DEVMETHOD(device_suspend,       iwn_suspend),
  398         DEVMETHOD(device_resume,        iwn_resume),
  399         { 0, 0 }
  400 };
  401 
  402 static driver_t iwn_driver = {
  403         "iwn",
  404         iwn_methods,
  405         sizeof(struct iwn_softc)
  406 };
  407 static devclass_t iwn_devclass;
  408 
  409 DRIVER_MODULE(iwn, pci, iwn_driver, iwn_devclass, 0, 0);
  410 
  411 MODULE_VERSION(iwn, 1);
  412 
  413 MODULE_DEPEND(iwn, firmware, 1, 1, 1);
  414 MODULE_DEPEND(iwn, pci, 1, 1, 1);
  415 MODULE_DEPEND(iwn, wlan, 1, 1, 1);
  416 
  417 static int
  418 iwn_probe(device_t dev)
  419 {
  420         const struct iwn_ident *ident;
  421 
  422         for (ident = iwn_ident_table; ident->name != NULL; ident++) {
  423                 if (pci_get_vendor(dev) == ident->vendor &&
  424                     pci_get_device(dev) == ident->device) {
  425                         device_set_desc(dev, ident->name);
  426                         return 0;
  427                 }
  428         }
  429         return ENXIO;
  430 }
  431 
  432 static int
  433 iwn_attach(device_t dev)
  434 {
  435         struct iwn_softc *sc = (struct iwn_softc *)device_get_softc(dev);
  436         struct ieee80211com *ic;
  437         struct ifnet *ifp;
  438         uint32_t reg;
  439         int i, error, result;
  440         uint8_t macaddr[IEEE80211_ADDR_LEN];
  441 
  442         sc->sc_dev = dev;
  443 
  444         /*
  445          * Get the offset of the PCI Express Capability Structure in PCI
  446          * Configuration Space.
  447          */
  448         error = pci_find_cap(dev, PCIY_EXPRESS, &sc->sc_cap_off);
  449         if (error != 0) {
  450                 device_printf(dev, "PCIe capability structure not found!\n");
  451                 return error;
  452         }
  453 
  454         /* Clear device-specific "PCI retry timeout" register (41h). */
  455         pci_write_config(dev, 0x41, 0, 1);
  456 
  457         /* Hardware bug workaround. */
  458         reg = pci_read_config(dev, PCIR_COMMAND, 1);
  459         if (reg & PCIM_CMD_INTxDIS) {
  460                 DPRINTF(sc, IWN_DEBUG_RESET, "%s: PCIe INTx Disable set\n",
  461                     __func__);
  462                 reg &= ~PCIM_CMD_INTxDIS;
  463                 pci_write_config(dev, PCIR_COMMAND, reg, 1);
  464         }
  465 
  466         /* Enable bus-mastering. */
  467         pci_enable_busmaster(dev);
  468 
  469         sc->mem_rid = PCIR_BAR(0);
  470         sc->mem = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &sc->mem_rid,
  471             RF_ACTIVE);
  472         if (sc->mem == NULL) {
  473                 device_printf(dev, "can't map mem space\n");
  474                 error = ENOMEM;
  475                 return error;
  476         }
  477         sc->sc_st = rman_get_bustag(sc->mem);
  478         sc->sc_sh = rman_get_bushandle(sc->mem);
  479 
  480         sc->irq_rid = 0;
  481         if ((result = pci_msi_count(dev)) == 1 &&
  482             pci_alloc_msi(dev, &result) == 0)
  483                 sc->irq_rid = 1;
  484         /* Install interrupt handler. */
  485         sc->irq = bus_alloc_resource_any(dev, SYS_RES_IRQ, &sc->irq_rid,
  486             RF_ACTIVE | RF_SHAREABLE);
  487         if (sc->irq == NULL) {
  488                 device_printf(dev, "can't map interrupt\n");
  489                 error = ENOMEM;
  490                 goto fail;
  491         }
  492 
  493         IWN_LOCK_INIT(sc);
  494 
  495         /* Read hardware revision and attach. */
  496         sc->hw_type = (IWN_READ(sc, IWN_HW_REV) >> 4) & 0xf;
  497         if (sc->hw_type == IWN_HW_REV_TYPE_4965)
  498                 error = iwn4965_attach(sc, pci_get_device(dev));
  499         else
  500                 error = iwn5000_attach(sc, pci_get_device(dev));
  501         if (error != 0) {
  502                 device_printf(dev, "could not attach device, error %d\n",
  503                     error);
  504                 goto fail;
  505         }
  506 
  507         if ((error = iwn_hw_prepare(sc)) != 0) {
  508                 device_printf(dev, "hardware not ready, error %d\n", error);
  509                 goto fail;
  510         }
  511 
  512         /* Allocate DMA memory for firmware transfers. */
  513         if ((error = iwn_alloc_fwmem(sc)) != 0) {
  514                 device_printf(dev,
  515                     "could not allocate memory for firmware, error %d\n",
  516                     error);
  517                 goto fail;
  518         }
  519 
  520         /* Allocate "Keep Warm" page. */
  521         if ((error = iwn_alloc_kw(sc)) != 0) {
  522                 device_printf(dev,
  523                     "could not allocate keep warm page, error %d\n", error);
  524                 goto fail;
  525         }
  526 
  527         /* Allocate ICT table for 5000 Series. */
  528         if (sc->hw_type != IWN_HW_REV_TYPE_4965 &&
  529             (error = iwn_alloc_ict(sc)) != 0) {
  530                 device_printf(dev, "could not allocate ICT table, error %d\n",
  531                     error);
  532                 goto fail;
  533         }
  534 
  535         /* Allocate TX scheduler "rings". */
  536         if ((error = iwn_alloc_sched(sc)) != 0) {
  537                 device_printf(dev,
  538                     "could not allocate TX scheduler rings, error %d\n", error);
  539                 goto fail;
  540         }
  541 
  542         /* Allocate TX rings (16 on 4965AGN, 20 on >=5000). */
  543         for (i = 0; i < sc->ntxqs; i++) {
  544                 if ((error = iwn_alloc_tx_ring(sc, &sc->txq[i], i)) != 0) {
  545                         device_printf(dev,
  546                             "could not allocate TX ring %d, error %d\n", i,
  547                             error);
  548                         goto fail;
  549                 }
  550         }
  551 
  552         /* Allocate RX ring. */
  553         if ((error = iwn_alloc_rx_ring(sc, &sc->rxq)) != 0) {
  554                 device_printf(dev, "could not allocate RX ring, error %d\n",
  555                     error);
  556                 goto fail;
  557         }
  558 
  559         /* Clear pending interrupts. */
  560         IWN_WRITE(sc, IWN_INT, 0xffffffff);
  561 
  562         ifp = sc->sc_ifp = if_alloc(IFT_IEEE80211);
  563         if (ifp == NULL) {
  564                 device_printf(dev, "can not allocate ifnet structure\n");
  565                 goto fail;
  566         }
  567 
  568         ic = ifp->if_l2com;
  569         ic->ic_ifp = ifp;
  570         ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
  571         ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
  572 
  573         /* Set device capabilities. */
  574         ic->ic_caps =
  575                   IEEE80211_C_STA               /* station mode supported */
  576                 | IEEE80211_C_MONITOR           /* monitor mode supported */
  577                 | IEEE80211_C_BGSCAN            /* background scanning */
  578                 | IEEE80211_C_TXPMGT            /* tx power management */
  579                 | IEEE80211_C_SHSLOT            /* short slot time supported */
  580                 | IEEE80211_C_WPA
  581                 | IEEE80211_C_SHPREAMBLE        /* short preamble supported */
  582 #if 0
  583                 | IEEE80211_C_IBSS              /* ibss/adhoc mode */
  584 #endif
  585                 | IEEE80211_C_WME               /* WME */
  586                 ;
  587 
  588         /* Read MAC address, channels, etc from EEPROM. */
  589         if ((error = iwn_read_eeprom(sc, macaddr)) != 0) {
  590                 device_printf(dev, "could not read EEPROM, error %d\n",
  591                     error);
  592                 goto fail;
  593         }
  594 
  595         /* Count the number of available chains. */
  596         sc->ntxchains =
  597             ((sc->txchainmask >> 2) & 1) +
  598             ((sc->txchainmask >> 1) & 1) +
  599             ((sc->txchainmask >> 0) & 1);
  600         sc->nrxchains =
  601             ((sc->rxchainmask >> 2) & 1) +
  602             ((sc->rxchainmask >> 1) & 1) +
  603             ((sc->rxchainmask >> 0) & 1);
  604         if (bootverbose) {
  605                 device_printf(dev, "MIMO %dT%dR, %.4s, address %6D\n",
  606                     sc->ntxchains, sc->nrxchains, sc->eeprom_domain,
  607                     macaddr, ":");
  608         }
  609 
  610         if (sc->sc_flags & IWN_FLAG_HAS_11N) {
  611                 ic->ic_rxstream = sc->nrxchains;
  612                 ic->ic_txstream = sc->ntxchains;
  613                 ic->ic_htcaps =
  614                           IEEE80211_HTCAP_SMPS_OFF      /* SMPS mode disabled */
  615                         | IEEE80211_HTCAP_SHORTGI20     /* short GI in 20MHz */
  616                         | IEEE80211_HTCAP_CHWIDTH40     /* 40MHz channel width*/
  617                         | IEEE80211_HTCAP_SHORTGI40     /* short GI in 40MHz */
  618 #ifdef notyet
  619                         | IEEE80211_HTCAP_GREENFIELD
  620 #if IWN_RBUF_SIZE == 8192
  621                         | IEEE80211_HTCAP_MAXAMSDU_7935 /* max A-MSDU length */
  622 #else
  623                         | IEEE80211_HTCAP_MAXAMSDU_3839 /* max A-MSDU length */
  624 #endif
  625 #endif
  626                         /* s/w capabilities */
  627                         | IEEE80211_HTC_HT              /* HT operation */
  628                         | IEEE80211_HTC_AMPDU           /* tx A-MPDU */
  629 #ifdef notyet
  630                         | IEEE80211_HTC_AMSDU           /* tx A-MSDU */
  631 #endif
  632                         ;
  633         }
  634 
  635         if_initname(ifp, device_get_name(dev), device_get_unit(dev));
  636         ifp->if_softc = sc;
  637         ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
  638         ifp->if_init = iwn_init;
  639         ifp->if_ioctl = iwn_ioctl;
  640         ifp->if_start = iwn_start;
  641         IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen);
  642         ifp->if_snd.ifq_drv_maxlen = ifqmaxlen;
  643         IFQ_SET_READY(&ifp->if_snd);
  644 
  645         ieee80211_ifattach(ic, macaddr);
  646         ic->ic_vap_create = iwn_vap_create;
  647         ic->ic_vap_delete = iwn_vap_delete;
  648         ic->ic_raw_xmit = iwn_raw_xmit;
  649         ic->ic_node_alloc = iwn_node_alloc;
  650         sc->sc_ampdu_rx_start = ic->ic_ampdu_rx_start;
  651         ic->ic_ampdu_rx_start = iwn_ampdu_rx_start;
  652         sc->sc_ampdu_rx_stop = ic->ic_ampdu_rx_stop;
  653         ic->ic_ampdu_rx_stop = iwn_ampdu_rx_stop;
  654         sc->sc_addba_request = ic->ic_addba_request;
  655         ic->ic_addba_request = iwn_addba_request;
  656         sc->sc_addba_response = ic->ic_addba_response;
  657         ic->ic_addba_response = iwn_addba_response;
  658         sc->sc_addba_stop = ic->ic_addba_stop;
  659         ic->ic_addba_stop = iwn_ampdu_tx_stop;
  660         ic->ic_newassoc = iwn_newassoc;
  661         ic->ic_wme.wme_update = iwn_updateedca;
  662         ic->ic_update_mcast = iwn_update_mcast;
  663         ic->ic_scan_start = iwn_scan_start;
  664         ic->ic_scan_end = iwn_scan_end;
  665         ic->ic_set_channel = iwn_set_channel;
  666         ic->ic_scan_curchan = iwn_scan_curchan;
  667         ic->ic_scan_mindwell = iwn_scan_mindwell;
  668         ic->ic_setregdomain = iwn_setregdomain;
  669 
  670         iwn_radiotap_attach(sc);
  671 
  672         callout_init_mtx(&sc->calib_to, &sc->sc_mtx, 0);
  673         callout_init_mtx(&sc->watchdog_to, &sc->sc_mtx, 0);
  674         TASK_INIT(&sc->sc_reinit_task, 0, iwn_hw_reset, sc);
  675         TASK_INIT(&sc->sc_radioon_task, 0, iwn_radio_on, sc);
  676         TASK_INIT(&sc->sc_radiooff_task, 0, iwn_radio_off, sc);
  677 
  678         iwn_sysctlattach(sc);
  679 
  680         /*
  681          * Hook our interrupt after all initialization is complete.
  682          */
  683         error = bus_setup_intr(dev, sc->irq, INTR_TYPE_NET | INTR_MPSAFE,
  684             NULL, iwn_intr, sc, &sc->sc_ih);
  685         if (error != 0) {
  686                 device_printf(dev, "can't establish interrupt, error %d\n",
  687                     error);
  688                 goto fail;
  689         }
  690 
  691         if (bootverbose)
  692                 ieee80211_announce(ic);
  693         return 0;
  694 fail:
  695         iwn_detach(dev);
  696         return error;
  697 }
  698 
  699 static int
  700 iwn4965_attach(struct iwn_softc *sc, uint16_t pid)
  701 {
  702         struct iwn_ops *ops = &sc->ops;
  703 
  704         ops->load_firmware = iwn4965_load_firmware;
  705         ops->read_eeprom = iwn4965_read_eeprom;
  706         ops->post_alive = iwn4965_post_alive;
  707         ops->nic_config = iwn4965_nic_config;
  708         ops->update_sched = iwn4965_update_sched;
  709         ops->get_temperature = iwn4965_get_temperature;
  710         ops->get_rssi = iwn4965_get_rssi;
  711         ops->set_txpower = iwn4965_set_txpower;
  712         ops->init_gains = iwn4965_init_gains;
  713         ops->set_gains = iwn4965_set_gains;
  714         ops->add_node = iwn4965_add_node;
  715         ops->tx_done = iwn4965_tx_done;
  716         ops->ampdu_tx_start = iwn4965_ampdu_tx_start;
  717         ops->ampdu_tx_stop = iwn4965_ampdu_tx_stop;
  718         sc->ntxqs = IWN4965_NTXQUEUES;
  719         sc->firstaggqueue = IWN4965_FIRSTAGGQUEUE;
  720         sc->ndmachnls = IWN4965_NDMACHNLS;
  721         sc->broadcast_id = IWN4965_ID_BROADCAST;
  722         sc->rxonsz = IWN4965_RXONSZ;
  723         sc->schedsz = IWN4965_SCHEDSZ;
  724         sc->fw_text_maxsz = IWN4965_FW_TEXT_MAXSZ;
  725         sc->fw_data_maxsz = IWN4965_FW_DATA_MAXSZ;
  726         sc->fwsz = IWN4965_FWSZ;
  727         sc->sched_txfact_addr = IWN4965_SCHED_TXFACT;
  728         sc->limits = &iwn4965_sensitivity_limits;
  729         sc->fwname = "iwn4965fw";
  730         /* Override chains masks, ROM is known to be broken. */
  731         sc->txchainmask = IWN_ANT_AB;
  732         sc->rxchainmask = IWN_ANT_ABC;
  733 
  734         return 0;
  735 }
  736 
  737 static int
  738 iwn5000_attach(struct iwn_softc *sc, uint16_t pid)
  739 {
  740         struct iwn_ops *ops = &sc->ops;
  741 
  742         ops->load_firmware = iwn5000_load_firmware;
  743         ops->read_eeprom = iwn5000_read_eeprom;
  744         ops->post_alive = iwn5000_post_alive;
  745         ops->nic_config = iwn5000_nic_config;
  746         ops->update_sched = iwn5000_update_sched;
  747         ops->get_temperature = iwn5000_get_temperature;
  748         ops->get_rssi = iwn5000_get_rssi;
  749         ops->set_txpower = iwn5000_set_txpower;
  750         ops->init_gains = iwn5000_init_gains;
  751         ops->set_gains = iwn5000_set_gains;
  752         ops->add_node = iwn5000_add_node;
  753         ops->tx_done = iwn5000_tx_done;
  754         ops->ampdu_tx_start = iwn5000_ampdu_tx_start;
  755         ops->ampdu_tx_stop = iwn5000_ampdu_tx_stop;
  756         sc->ntxqs = IWN5000_NTXQUEUES;
  757         sc->firstaggqueue = IWN5000_FIRSTAGGQUEUE;
  758         sc->ndmachnls = IWN5000_NDMACHNLS;
  759         sc->broadcast_id = IWN5000_ID_BROADCAST;
  760         sc->rxonsz = IWN5000_RXONSZ;
  761         sc->schedsz = IWN5000_SCHEDSZ;
  762         sc->fw_text_maxsz = IWN5000_FW_TEXT_MAXSZ;
  763         sc->fw_data_maxsz = IWN5000_FW_DATA_MAXSZ;
  764         sc->fwsz = IWN5000_FWSZ;
  765         sc->sched_txfact_addr = IWN5000_SCHED_TXFACT;
  766         sc->reset_noise_gain = IWN5000_PHY_CALIB_RESET_NOISE_GAIN;
  767         sc->noise_gain = IWN5000_PHY_CALIB_NOISE_GAIN;
  768 
  769         switch (sc->hw_type) {
  770         case IWN_HW_REV_TYPE_5100:
  771                 sc->limits = &iwn5000_sensitivity_limits;
  772                 sc->fwname = "iwn5000fw";
  773                 /* Override chains masks, ROM is known to be broken. */
  774                 sc->txchainmask = IWN_ANT_B;
  775                 sc->rxchainmask = IWN_ANT_AB;
  776                 break;
  777         case IWN_HW_REV_TYPE_5150:
  778                 sc->limits = &iwn5150_sensitivity_limits;
  779                 sc->fwname = "iwn5150fw";
  780                 break;
  781         case IWN_HW_REV_TYPE_5300:
  782         case IWN_HW_REV_TYPE_5350:
  783                 sc->limits = &iwn5000_sensitivity_limits;
  784                 sc->fwname = "iwn5000fw";
  785                 break;
  786         case IWN_HW_REV_TYPE_1000:
  787                 sc->limits = &iwn1000_sensitivity_limits;
  788                 sc->fwname = "iwn1000fw";
  789                 break;
  790         case IWN_HW_REV_TYPE_6000:
  791                 sc->limits = &iwn6000_sensitivity_limits;
  792                 sc->fwname = "iwn6000fw";
  793                 if (pid == 0x422c || pid == 0x4239) {
  794                         sc->sc_flags |= IWN_FLAG_INTERNAL_PA;
  795                         /* Override chains masks, ROM is known to be broken. */
  796                         sc->txchainmask = IWN_ANT_BC;
  797                         sc->rxchainmask = IWN_ANT_BC;
  798                 }
  799                 break;
  800         case IWN_HW_REV_TYPE_6050:
  801                 sc->limits = &iwn6000_sensitivity_limits;
  802                 sc->fwname = "iwn6050fw";
  803                 /* Override chains masks, ROM is known to be broken. */
  804                 sc->txchainmask = IWN_ANT_AB;
  805                 sc->rxchainmask = IWN_ANT_AB;
  806                 break;
  807         case IWN_HW_REV_TYPE_6005:
  808                 sc->limits = &iwn6000_sensitivity_limits;
  809                 if (pid != 0x0082 && pid != 0x0085) {
  810                         sc->fwname = "iwn6000g2bfw";
  811                         sc->sc_flags |= IWN_FLAG_ADV_BTCOEX;
  812                 } else
  813                         sc->fwname = "iwn6000g2afw";
  814                 break;
  815         default:
  816                 device_printf(sc->sc_dev, "adapter type %d not supported\n",
  817                     sc->hw_type);
  818                 return ENOTSUP;
  819         }
  820         return 0;
  821 }
  822 
  823 /*
  824  * Attach the interface to 802.11 radiotap.
  825  */
  826 static void
  827 iwn_radiotap_attach(struct iwn_softc *sc)
  828 {
  829         struct ifnet *ifp = sc->sc_ifp;
  830         struct ieee80211com *ic = ifp->if_l2com;
  831 
  832         ieee80211_radiotap_attach(ic,
  833             &sc->sc_txtap.wt_ihdr, sizeof(sc->sc_txtap),
  834                 IWN_TX_RADIOTAP_PRESENT,
  835             &sc->sc_rxtap.wr_ihdr, sizeof(sc->sc_rxtap),
  836                 IWN_RX_RADIOTAP_PRESENT);
  837 }
  838 
  839 static void
  840 iwn_sysctlattach(struct iwn_softc *sc)
  841 {
  842         struct sysctl_ctx_list *ctx = device_get_sysctl_ctx(sc->sc_dev);
  843         struct sysctl_oid *tree = device_get_sysctl_tree(sc->sc_dev);
  844 
  845 #ifdef IWN_DEBUG
  846         sc->sc_debug = 0;
  847         SYSCTL_ADD_INT(ctx, SYSCTL_CHILDREN(tree), OID_AUTO,
  848             "debug", CTLFLAG_RW, &sc->sc_debug, 0, "control debugging printfs");
  849 #endif
  850 }
  851 
  852 static struct ieee80211vap *
  853 iwn_vap_create(struct ieee80211com *ic, const char name[IFNAMSIZ], int unit,
  854     enum ieee80211_opmode opmode, int flags,
  855     const uint8_t bssid[IEEE80211_ADDR_LEN],
  856     const uint8_t mac[IEEE80211_ADDR_LEN])
  857 {
  858         struct iwn_vap *ivp;
  859         struct ieee80211vap *vap;
  860 
  861         if (!TAILQ_EMPTY(&ic->ic_vaps))         /* only one at a time */
  862                 return NULL;
  863         ivp = (struct iwn_vap *) malloc(sizeof(struct iwn_vap),
  864             M_80211_VAP, M_NOWAIT | M_ZERO);
  865         if (ivp == NULL)
  866                 return NULL;
  867         vap = &ivp->iv_vap;
  868         ieee80211_vap_setup(ic, vap, name, unit, opmode, flags, bssid, mac);
  869         vap->iv_bmissthreshold = 10;            /* override default */
  870         /* Override with driver methods. */
  871         ivp->iv_newstate = vap->iv_newstate;
  872         vap->iv_newstate = iwn_newstate;
  873 
  874         ieee80211_ratectl_init(vap);
  875         /* Complete setup. */
  876         ieee80211_vap_attach(vap, iwn_media_change, ieee80211_media_status);
  877         ic->ic_opmode = opmode;
  878         return vap;
  879 }
  880 
  881 static void
  882 iwn_vap_delete(struct ieee80211vap *vap)
  883 {
  884         struct iwn_vap *ivp = IWN_VAP(vap);
  885 
  886         ieee80211_ratectl_deinit(vap);
  887         ieee80211_vap_detach(vap);
  888         free(ivp, M_80211_VAP);
  889 }
  890 
  891 static int
  892 iwn_detach(device_t dev)
  893 {
  894         struct iwn_softc *sc = device_get_softc(dev);
  895         struct ifnet *ifp = sc->sc_ifp;
  896         struct ieee80211com *ic;
  897         int qid;
  898 
  899         if (ifp != NULL) {
  900                 ic = ifp->if_l2com;
  901 
  902                 ieee80211_draintask(ic, &sc->sc_reinit_task);
  903                 ieee80211_draintask(ic, &sc->sc_radioon_task);
  904                 ieee80211_draintask(ic, &sc->sc_radiooff_task);
  905 
  906                 iwn_stop(sc);
  907                 callout_drain(&sc->watchdog_to);
  908                 callout_drain(&sc->calib_to);
  909                 ieee80211_ifdetach(ic);
  910         }
  911 
  912         /* Uninstall interrupt handler. */
  913         if (sc->irq != NULL) {
  914                 bus_teardown_intr(dev, sc->irq, sc->sc_ih);
  915                 bus_release_resource(dev, SYS_RES_IRQ, sc->irq_rid, sc->irq);
  916                 if (sc->irq_rid == 1)
  917                         pci_release_msi(dev);
  918         }
  919 
  920         /* Free DMA resources. */
  921         iwn_free_rx_ring(sc, &sc->rxq);
  922         for (qid = 0; qid < sc->ntxqs; qid++)
  923                 iwn_free_tx_ring(sc, &sc->txq[qid]);
  924         iwn_free_sched(sc);
  925         iwn_free_kw(sc);
  926         if (sc->ict != NULL)
  927                 iwn_free_ict(sc);
  928         iwn_free_fwmem(sc);
  929 
  930         if (sc->mem != NULL)
  931                 bus_release_resource(dev, SYS_RES_MEMORY, sc->mem_rid, sc->mem);
  932 
  933         if (ifp != NULL)
  934                 if_free(ifp);
  935 
  936         IWN_LOCK_DESTROY(sc);
  937         return 0;
  938 }
  939 
  940 static int
  941 iwn_shutdown(device_t dev)
  942 {
  943         struct iwn_softc *sc = device_get_softc(dev);
  944 
  945         iwn_stop(sc);
  946         return 0;
  947 }
  948 
  949 static int
  950 iwn_suspend(device_t dev)
  951 {
  952         struct iwn_softc *sc = device_get_softc(dev);
  953         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
  954 
  955         ieee80211_suspend_all(ic);
  956         return 0;
  957 }
  958 
  959 static int
  960 iwn_resume(device_t dev)
  961 {
  962         struct iwn_softc *sc = device_get_softc(dev);
  963         struct ieee80211com *ic = sc->sc_ifp->if_l2com;
  964 
  965         /* Clear device-specific "PCI retry timeout" register (41h). */
  966         pci_write_config(dev, 0x41, 0, 1);
  967 
  968         ieee80211_resume_all(ic);
  969         return 0;
  970 }
  971 
  972 static int
  973 iwn_nic_lock(struct iwn_softc *sc)
  974 {
  975         int ntries;
  976 
  977         /* Request exclusive access to NIC. */
  978         IWN_SETBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
  979 
  980         /* Spin until we actually get the lock. */
  981         for (ntries = 0; ntries < 1000; ntries++) {
  982                 if ((IWN_READ(sc, IWN_GP_CNTRL) &
  983                      (IWN_GP_CNTRL_MAC_ACCESS_ENA | IWN_GP_CNTRL_SLEEP)) ==
  984                     IWN_GP_CNTRL_MAC_ACCESS_ENA)
  985                         return 0;
  986                 DELAY(10);
  987         }
  988         return ETIMEDOUT;
  989 }
  990 
  991 static __inline void
  992 iwn_nic_unlock(struct iwn_softc *sc)
  993 {
  994         IWN_CLRBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
  995 }
  996 
  997 static __inline uint32_t
  998 iwn_prph_read(struct iwn_softc *sc, uint32_t addr)
  999 {
 1000         IWN_WRITE(sc, IWN_PRPH_RADDR, IWN_PRPH_DWORD | addr);
 1001         IWN_BARRIER_READ_WRITE(sc);
 1002         return IWN_READ(sc, IWN_PRPH_RDATA);
 1003 }
 1004 
 1005 static __inline void
 1006 iwn_prph_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
 1007 {
 1008         IWN_WRITE(sc, IWN_PRPH_WADDR, IWN_PRPH_DWORD | addr);
 1009         IWN_BARRIER_WRITE(sc);
 1010         IWN_WRITE(sc, IWN_PRPH_WDATA, data);
 1011 }
 1012 
 1013 static __inline void
 1014 iwn_prph_setbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
 1015 {
 1016         iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) | mask);
 1017 }
 1018 
 1019 static __inline void
 1020 iwn_prph_clrbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
 1021 {
 1022         iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) & ~mask);
 1023 }
 1024 
 1025 static __inline void
 1026 iwn_prph_write_region_4(struct iwn_softc *sc, uint32_t addr,
 1027     const uint32_t *data, int count)
 1028 {
 1029         for (; count > 0; count--, data++, addr += 4)
 1030                 iwn_prph_write(sc, addr, *data);
 1031 }
 1032 
 1033 static __inline uint32_t
 1034 iwn_mem_read(struct iwn_softc *sc, uint32_t addr)
 1035 {
 1036         IWN_WRITE(sc, IWN_MEM_RADDR, addr);
 1037         IWN_BARRIER_READ_WRITE(sc);
 1038         return IWN_READ(sc, IWN_MEM_RDATA);
 1039 }
 1040 
 1041 static __inline void
 1042 iwn_mem_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
 1043 {
 1044         IWN_WRITE(sc, IWN_MEM_WADDR, addr);
 1045         IWN_BARRIER_WRITE(sc);
 1046         IWN_WRITE(sc, IWN_MEM_WDATA, data);
 1047 }
 1048 
 1049 static __inline void
 1050 iwn_mem_write_2(struct iwn_softc *sc, uint32_t addr, uint16_t data)
 1051 {
 1052         uint32_t tmp;
 1053 
 1054         tmp = iwn_mem_read(sc, addr & ~3);
 1055         if (addr & 3)
 1056                 tmp = (tmp & 0x0000ffff) | data << 16;
 1057         else
 1058                 tmp = (tmp & 0xffff0000) | data;
 1059         iwn_mem_write(sc, addr & ~3, tmp);
 1060 }
 1061 
 1062 static __inline void
 1063 iwn_mem_read_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t *data,
 1064     int count)
 1065 {
 1066         for (; count > 0; count--, addr += 4)
 1067                 *data++ = iwn_mem_read(sc, addr);
 1068 }
 1069 
 1070 static __inline void
 1071 iwn_mem_set_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t val,
 1072     int count)
 1073 {
 1074         for (; count > 0; count--, addr += 4)
 1075                 iwn_mem_write(sc, addr, val);
 1076 }
 1077 
 1078 static int
 1079 iwn_eeprom_lock(struct iwn_softc *sc)
 1080 {
 1081         int i, ntries;
 1082 
 1083         for (i = 0; i < 100; i++) {
 1084                 /* Request exclusive access to EEPROM. */
 1085                 IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
 1086                     IWN_HW_IF_CONFIG_EEPROM_LOCKED);
 1087 
 1088                 /* Spin until we actually get the lock. */
 1089                 for (ntries = 0; ntries < 100; ntries++) {
 1090                         if (IWN_READ(sc, IWN_HW_IF_CONFIG) &
 1091                             IWN_HW_IF_CONFIG_EEPROM_LOCKED)
 1092                                 return 0;
 1093                         DELAY(10);
 1094                 }
 1095         }
 1096         return ETIMEDOUT;
 1097 }
 1098 
 1099 static __inline void
 1100 iwn_eeprom_unlock(struct iwn_softc *sc)
 1101 {
 1102         IWN_CLRBITS(sc, IWN_HW_IF_CONFIG, IWN_HW_IF_CONFIG_EEPROM_LOCKED);
 1103 }
 1104 
 1105 /*
 1106  * Initialize access by host to One Time Programmable ROM.
 1107  * NB: This kind of ROM can be found on 1000 or 6000 Series only.
 1108  */
 1109 static int
 1110 iwn_init_otprom(struct iwn_softc *sc)
 1111 {
 1112         uint16_t prev, base, next;
 1113         int count, error;
 1114 
 1115         /* Wait for clock stabilization before accessing prph. */
 1116         if ((error = iwn_clock_wait(sc)) != 0)
 1117                 return error;
 1118 
 1119         if ((error = iwn_nic_lock(sc)) != 0)
 1120                 return error;
 1121         iwn_prph_setbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
 1122         DELAY(5);
 1123         iwn_prph_clrbits(sc, IWN_APMG_PS, IWN_APMG_PS_RESET_REQ);
 1124         iwn_nic_unlock(sc);
 1125 
 1126         /* Set auto clock gate disable bit for HW with OTP shadow RAM. */
 1127         if (sc->hw_type != IWN_HW_REV_TYPE_1000) {
 1128                 IWN_SETBITS(sc, IWN_DBG_LINK_PWR_MGMT,
 1129                     IWN_RESET_LINK_PWR_MGMT_DIS);
 1130         }
 1131         IWN_CLRBITS(sc, IWN_EEPROM_GP, IWN_EEPROM_GP_IF_OWNER);
 1132         /* Clear ECC status. */
 1133         IWN_SETBITS(sc, IWN_OTP_GP,
 1134             IWN_OTP_GP_ECC_CORR_STTS | IWN_OTP_GP_ECC_UNCORR_STTS);
 1135 
 1136         /*
 1137          * Find the block before last block (contains the EEPROM image)
 1138          * for HW without OTP shadow RAM.
 1139          */
 1140         if (sc->hw_type == IWN_HW_REV_TYPE_1000) {
 1141                 /* Switch to absolute addressing mode. */
 1142                 IWN_CLRBITS(sc, IWN_OTP_GP, IWN_OTP_GP_RELATIVE_ACCESS);
 1143                 base = prev = 0;
 1144                 for (count = 0; count < IWN1000_OTP_NBLOCKS; count++) {
 1145                         error = iwn_read_prom_data(sc, base, &next, 2);
 1146                         if (error != 0)
 1147                                 return error;
 1148                         if (next == 0)  /* End of linked-list. */
 1149                                 break;
 1150                         prev = base;
 1151                         base = le16toh(next);
 1152                 }
 1153                 if (count == 0 || count == IWN1000_OTP_NBLOCKS)
 1154                         return EIO;
 1155                 /* Skip "next" word. */
 1156                 sc->prom_base = prev + 1;
 1157         }
 1158         return 0;
 1159 }
 1160 
 1161 static int
 1162 iwn_read_prom_data(struct iwn_softc *sc, uint32_t addr, void *data, int count)
 1163 {
 1164         uint8_t *out = data;
 1165         uint32_t val, tmp;
 1166         int ntries;
 1167 
 1168         addr += sc->prom_base;
 1169         for (; count > 0; count -= 2, addr++) {
 1170                 IWN_WRITE(sc, IWN_EEPROM, addr << 2);
 1171                 for (ntries = 0; ntries < 10; ntries++) {
 1172                         val = IWN_READ(sc, IWN_EEPROM);
 1173                         if (val & IWN_EEPROM_READ_VALID)
 1174                                 break;
 1175                         DELAY(5);
 1176                 }
 1177                 if (ntries == 10) {
 1178                         device_printf(sc->sc_dev,
 1179                             "timeout reading ROM at 0x%x\n", addr);
 1180                         return ETIMEDOUT;
 1181                 }
 1182                 if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
 1183                         /* OTPROM, check for ECC errors. */
 1184                         tmp = IWN_READ(sc, IWN_OTP_GP);
 1185                         if (tmp & IWN_OTP_GP_ECC_UNCORR_STTS) {
 1186                                 device_printf(sc->sc_dev,
 1187                                     "OTPROM ECC error at 0x%x\n", addr);
 1188                                 return EIO;
 1189                         }
 1190                         if (tmp & IWN_OTP_GP_ECC_CORR_STTS) {
 1191                                 /* Correctable ECC error, clear bit. */
 1192                                 IWN_SETBITS(sc, IWN_OTP_GP,
 1193                                     IWN_OTP_GP_ECC_CORR_STTS);
 1194                         }
 1195                 }
 1196                 *out++ = val >> 16;
 1197                 if (count > 1)
 1198                         *out++ = val >> 24;
 1199         }
 1200         return 0;
 1201 }
 1202 
 1203 static void
 1204 iwn_dma_map_addr(void *arg, bus_dma_segment_t *segs, int nsegs, int error)
 1205 {
 1206         if (error != 0)
 1207                 return;
 1208         KASSERT(nsegs == 1, ("too many DMA segments, %d should be 1", nsegs));
 1209         *(bus_addr_t *)arg = segs[0].ds_addr;
 1210 }
 1211 
 1212 static int
 1213 iwn_dma_contig_alloc(struct iwn_softc *sc, struct iwn_dma_info *dma,
 1214     void **kvap, bus_size_t size, bus_size_t alignment)
 1215 {
 1216         int error;
 1217 
 1218         dma->tag = NULL;
 1219         dma->size = size;
 1220 
 1221         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), alignment,
 1222             0, BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, size,
 1223             1, size, BUS_DMA_NOWAIT, NULL, NULL, &dma->tag);
 1224         if (error != 0)
 1225                 goto fail;
 1226 
 1227         error = bus_dmamem_alloc(dma->tag, (void **)&dma->vaddr,
 1228             BUS_DMA_NOWAIT | BUS_DMA_ZERO | BUS_DMA_COHERENT, &dma->map);
 1229         if (error != 0)
 1230                 goto fail;
 1231 
 1232         error = bus_dmamap_load(dma->tag, dma->map, dma->vaddr, size,
 1233             iwn_dma_map_addr, &dma->paddr, BUS_DMA_NOWAIT);
 1234         if (error != 0)
 1235                 goto fail;
 1236 
 1237         bus_dmamap_sync(dma->tag, dma->map, BUS_DMASYNC_PREWRITE);
 1238 
 1239         if (kvap != NULL)
 1240                 *kvap = dma->vaddr;
 1241 
 1242         return 0;
 1243 
 1244 fail:   iwn_dma_contig_free(dma);
 1245         return error;
 1246 }
 1247 
 1248 static void
 1249 iwn_dma_contig_free(struct iwn_dma_info *dma)
 1250 {
 1251         if (dma->map != NULL) {
 1252                 if (dma->vaddr != NULL) {
 1253                         bus_dmamap_sync(dma->tag, dma->map,
 1254                             BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
 1255                         bus_dmamap_unload(dma->tag, dma->map);
 1256                         bus_dmamem_free(dma->tag, &dma->vaddr, dma->map);
 1257                         dma->vaddr = NULL;
 1258                 }
 1259                 bus_dmamap_destroy(dma->tag, dma->map);
 1260                 dma->map = NULL;
 1261         }
 1262         if (dma->tag != NULL) {
 1263                 bus_dma_tag_destroy(dma->tag);
 1264                 dma->tag = NULL;
 1265         }
 1266 }
 1267 
 1268 static int
 1269 iwn_alloc_sched(struct iwn_softc *sc)
 1270 {
 1271         /* TX scheduler rings must be aligned on a 1KB boundary. */
 1272         return iwn_dma_contig_alloc(sc, &sc->sched_dma, (void **)&sc->sched,
 1273             sc->schedsz, 1024);
 1274 }
 1275 
 1276 static void
 1277 iwn_free_sched(struct iwn_softc *sc)
 1278 {
 1279         iwn_dma_contig_free(&sc->sched_dma);
 1280 }
 1281 
 1282 static int
 1283 iwn_alloc_kw(struct iwn_softc *sc)
 1284 {
 1285         /* "Keep Warm" page must be aligned on a 4KB boundary. */
 1286         return iwn_dma_contig_alloc(sc, &sc->kw_dma, NULL, 4096, 4096);
 1287 }
 1288 
 1289 static void
 1290 iwn_free_kw(struct iwn_softc *sc)
 1291 {
 1292         iwn_dma_contig_free(&sc->kw_dma);
 1293 }
 1294 
 1295 static int
 1296 iwn_alloc_ict(struct iwn_softc *sc)
 1297 {
 1298         /* ICT table must be aligned on a 4KB boundary. */
 1299         return iwn_dma_contig_alloc(sc, &sc->ict_dma, (void **)&sc->ict,
 1300             IWN_ICT_SIZE, 4096);
 1301 }
 1302 
 1303 static void
 1304 iwn_free_ict(struct iwn_softc *sc)
 1305 {
 1306         iwn_dma_contig_free(&sc->ict_dma);
 1307 }
 1308 
 1309 static int
 1310 iwn_alloc_fwmem(struct iwn_softc *sc)
 1311 {
 1312         /* Must be aligned on a 16-byte boundary. */
 1313         return iwn_dma_contig_alloc(sc, &sc->fw_dma, NULL, sc->fwsz, 16);
 1314 }
 1315 
 1316 static void
 1317 iwn_free_fwmem(struct iwn_softc *sc)
 1318 {
 1319         iwn_dma_contig_free(&sc->fw_dma);
 1320 }
 1321 
 1322 static int
 1323 iwn_alloc_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1324 {
 1325         bus_size_t size;
 1326         int i, error;
 1327 
 1328         ring->cur = 0;
 1329 
 1330         /* Allocate RX descriptors (256-byte aligned). */
 1331         size = IWN_RX_RING_COUNT * sizeof (uint32_t);
 1332         error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
 1333             size, 256);
 1334         if (error != 0) {
 1335                 device_printf(sc->sc_dev,
 1336                     "%s: could not allocate RX ring DMA memory, error %d\n",
 1337                     __func__, error);
 1338                 goto fail;
 1339         }
 1340 
 1341         /* Allocate RX status area (16-byte aligned). */
 1342         error = iwn_dma_contig_alloc(sc, &ring->stat_dma, (void **)&ring->stat,
 1343             sizeof (struct iwn_rx_status), 16);
 1344         if (error != 0) {
 1345                 device_printf(sc->sc_dev,
 1346                     "%s: could not allocate RX status DMA memory, error %d\n",
 1347                     __func__, error);
 1348                 goto fail;
 1349         }
 1350 
 1351         /* Create RX buffer DMA tag. */
 1352         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
 1353             BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL,
 1354             IWN_RBUF_SIZE, 1, IWN_RBUF_SIZE, BUS_DMA_NOWAIT, NULL, NULL,
 1355             &ring->data_dmat);
 1356         if (error != 0) {
 1357                 device_printf(sc->sc_dev,
 1358                     "%s: could not create RX buf DMA tag, error %d\n",
 1359                     __func__, error);
 1360                 goto fail;
 1361         }
 1362 
 1363         /*
 1364          * Allocate and map RX buffers.
 1365          */
 1366         for (i = 0; i < IWN_RX_RING_COUNT; i++) {
 1367                 struct iwn_rx_data *data = &ring->data[i];
 1368                 bus_addr_t paddr;
 1369 
 1370                 error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
 1371                 if (error != 0) {
 1372                         device_printf(sc->sc_dev,
 1373                             "%s: could not create RX buf DMA map, error %d\n",
 1374                             __func__, error);
 1375                         goto fail;
 1376                 }
 1377 
 1378                 data->m = m_getjcl(M_DONTWAIT, MT_DATA, M_PKTHDR,
 1379                     IWN_RBUF_SIZE);
 1380                 if (data->m == NULL) {
 1381                         device_printf(sc->sc_dev,
 1382                             "%s: could not allocate RX mbuf\n", __func__);
 1383                         error = ENOBUFS;
 1384                         goto fail;
 1385                 }
 1386 
 1387                 error = bus_dmamap_load(ring->data_dmat, data->map,
 1388                     mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
 1389                     &paddr, BUS_DMA_NOWAIT);
 1390                 if (error != 0 && error != EFBIG) {
 1391                         device_printf(sc->sc_dev,
 1392                             "%s: can't not map mbuf, error %d\n", __func__,
 1393                             error);
 1394                         goto fail;
 1395                 }
 1396 
 1397                 /* Set physical address of RX buffer (256-byte aligned). */
 1398                 ring->desc[i] = htole32(paddr >> 8);
 1399         }
 1400 
 1401         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 1402             BUS_DMASYNC_PREWRITE);
 1403 
 1404         return 0;
 1405 
 1406 fail:   iwn_free_rx_ring(sc, ring);
 1407         return error;
 1408 }
 1409 
 1410 static void
 1411 iwn_reset_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1412 {
 1413         int ntries;
 1414 
 1415         if (iwn_nic_lock(sc) == 0) {
 1416                 IWN_WRITE(sc, IWN_FH_RX_CONFIG, 0);
 1417                 for (ntries = 0; ntries < 1000; ntries++) {
 1418                         if (IWN_READ(sc, IWN_FH_RX_STATUS) &
 1419                             IWN_FH_RX_STATUS_IDLE)
 1420                                 break;
 1421                         DELAY(10);
 1422                 }
 1423                 iwn_nic_unlock(sc);
 1424         }
 1425         ring->cur = 0;
 1426         sc->last_rx_valid = 0;
 1427 }
 1428 
 1429 static void
 1430 iwn_free_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 1431 {
 1432         int i;
 1433 
 1434         iwn_dma_contig_free(&ring->desc_dma);
 1435         iwn_dma_contig_free(&ring->stat_dma);
 1436 
 1437         for (i = 0; i < IWN_RX_RING_COUNT; i++) {
 1438                 struct iwn_rx_data *data = &ring->data[i];
 1439 
 1440                 if (data->m != NULL) {
 1441                         bus_dmamap_sync(ring->data_dmat, data->map,
 1442                             BUS_DMASYNC_POSTREAD);
 1443                         bus_dmamap_unload(ring->data_dmat, data->map);
 1444                         m_freem(data->m);
 1445                         data->m = NULL;
 1446                 }
 1447                 if (data->map != NULL)
 1448                         bus_dmamap_destroy(ring->data_dmat, data->map);
 1449         }
 1450         if (ring->data_dmat != NULL) {
 1451                 bus_dma_tag_destroy(ring->data_dmat);
 1452                 ring->data_dmat = NULL;
 1453         }
 1454 }
 1455 
 1456 static int
 1457 iwn_alloc_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring, int qid)
 1458 {
 1459         bus_addr_t paddr;
 1460         bus_size_t size;
 1461         int i, error;
 1462 
 1463         ring->qid = qid;
 1464         ring->queued = 0;
 1465         ring->cur = 0;
 1466 
 1467         /* Allocate TX descriptors (256-byte aligned). */
 1468         size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_desc);
 1469         error = iwn_dma_contig_alloc(sc, &ring->desc_dma, (void **)&ring->desc,
 1470             size, 256);
 1471         if (error != 0) {
 1472                 device_printf(sc->sc_dev,
 1473                     "%s: could not allocate TX ring DMA memory, error %d\n",
 1474                     __func__, error);
 1475                 goto fail;
 1476         }
 1477 
 1478         size = IWN_TX_RING_COUNT * sizeof (struct iwn_tx_cmd);
 1479         error = iwn_dma_contig_alloc(sc, &ring->cmd_dma, (void **)&ring->cmd,
 1480             size, 4);
 1481         if (error != 0) {
 1482                 device_printf(sc->sc_dev,
 1483                     "%s: could not allocate TX cmd DMA memory, error %d\n",
 1484                     __func__, error);
 1485                 goto fail;
 1486         }
 1487 
 1488         error = bus_dma_tag_create(bus_get_dma_tag(sc->sc_dev), 1, 0,
 1489             BUS_SPACE_MAXADDR_32BIT, BUS_SPACE_MAXADDR, NULL, NULL, MCLBYTES,
 1490             IWN_MAX_SCATTER - 1, MCLBYTES, BUS_DMA_NOWAIT, NULL, NULL,
 1491             &ring->data_dmat);
 1492         if (error != 0) {
 1493                 device_printf(sc->sc_dev,
 1494                     "%s: could not create TX buf DMA tag, error %d\n",
 1495                     __func__, error);
 1496                 goto fail;
 1497         }
 1498 
 1499         paddr = ring->cmd_dma.paddr;
 1500         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 1501                 struct iwn_tx_data *data = &ring->data[i];
 1502 
 1503                 data->cmd_paddr = paddr;
 1504                 data->scratch_paddr = paddr + 12;
 1505                 paddr += sizeof (struct iwn_tx_cmd);
 1506 
 1507                 error = bus_dmamap_create(ring->data_dmat, 0, &data->map);
 1508                 if (error != 0) {
 1509                         device_printf(sc->sc_dev,
 1510                             "%s: could not create TX buf DMA map, error %d\n",
 1511                             __func__, error);
 1512                         goto fail;
 1513                 }
 1514         }
 1515         return 0;
 1516 
 1517 fail:   iwn_free_tx_ring(sc, ring);
 1518         return error;
 1519 }
 1520 
 1521 static void
 1522 iwn_reset_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
 1523 {
 1524         int i;
 1525 
 1526         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 1527                 struct iwn_tx_data *data = &ring->data[i];
 1528 
 1529                 if (data->m != NULL) {
 1530                         bus_dmamap_sync(ring->data_dmat, data->map,
 1531                             BUS_DMASYNC_POSTWRITE);
 1532                         bus_dmamap_unload(ring->data_dmat, data->map);
 1533                         m_freem(data->m);
 1534                         data->m = NULL;
 1535                 }
 1536         }
 1537         /* Clear TX descriptors. */
 1538         memset(ring->desc, 0, ring->desc_dma.size);
 1539         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 1540             BUS_DMASYNC_PREWRITE);
 1541         sc->qfullmsk &= ~(1 << ring->qid);
 1542         ring->queued = 0;
 1543         ring->cur = 0;
 1544 }
 1545 
 1546 static void
 1547 iwn_free_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring)
 1548 {
 1549         int i;
 1550 
 1551         iwn_dma_contig_free(&ring->desc_dma);
 1552         iwn_dma_contig_free(&ring->cmd_dma);
 1553 
 1554         for (i = 0; i < IWN_TX_RING_COUNT; i++) {
 1555                 struct iwn_tx_data *data = &ring->data[i];
 1556 
 1557                 if (data->m != NULL) {
 1558                         bus_dmamap_sync(ring->data_dmat, data->map,
 1559                             BUS_DMASYNC_POSTWRITE);
 1560                         bus_dmamap_unload(ring->data_dmat, data->map);
 1561                         m_freem(data->m);
 1562                 }
 1563                 if (data->map != NULL)
 1564                         bus_dmamap_destroy(ring->data_dmat, data->map);
 1565         }
 1566         if (ring->data_dmat != NULL) {
 1567                 bus_dma_tag_destroy(ring->data_dmat);
 1568                 ring->data_dmat = NULL;
 1569         }
 1570 }
 1571 
 1572 static void
 1573 iwn5000_ict_reset(struct iwn_softc *sc)
 1574 {
 1575         /* Disable interrupts. */
 1576         IWN_WRITE(sc, IWN_INT_MASK, 0);
 1577 
 1578         /* Reset ICT table. */
 1579         memset(sc->ict, 0, IWN_ICT_SIZE);
 1580         sc->ict_cur = 0;
 1581 
 1582         /* Set physical address of ICT table (4KB aligned). */
 1583         DPRINTF(sc, IWN_DEBUG_RESET, "%s: enabling ICT\n", __func__);
 1584         IWN_WRITE(sc, IWN_DRAM_INT_TBL, IWN_DRAM_INT_TBL_ENABLE |
 1585             IWN_DRAM_INT_TBL_WRAP_CHECK | sc->ict_dma.paddr >> 12);
 1586 
 1587         /* Enable periodic RX interrupt. */
 1588         sc->int_mask |= IWN_INT_RX_PERIODIC;
 1589         /* Switch to ICT interrupt mode in driver. */
 1590         sc->sc_flags |= IWN_FLAG_USE_ICT;
 1591 
 1592         /* Re-enable interrupts. */
 1593         IWN_WRITE(sc, IWN_INT, 0xffffffff);
 1594         IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
 1595 }
 1596 
 1597 static int
 1598 iwn_read_eeprom(struct iwn_softc *sc, uint8_t macaddr[IEEE80211_ADDR_LEN])
 1599 {
 1600         struct iwn_ops *ops = &sc->ops;
 1601         uint16_t val;
 1602         int error;
 1603 
 1604         /* Check whether adapter has an EEPROM or an OTPROM. */
 1605         if (sc->hw_type >= IWN_HW_REV_TYPE_1000 &&
 1606             (IWN_READ(sc, IWN_OTP_GP) & IWN_OTP_GP_DEV_SEL_OTP))
 1607                 sc->sc_flags |= IWN_FLAG_HAS_OTPROM;
 1608         DPRINTF(sc, IWN_DEBUG_RESET, "%s found\n",
 1609             (sc->sc_flags & IWN_FLAG_HAS_OTPROM) ? "OTPROM" : "EEPROM");
 1610 
 1611         /* Adapter has to be powered on for EEPROM access to work. */
 1612         if ((error = iwn_apm_init(sc)) != 0) {
 1613                 device_printf(sc->sc_dev,
 1614                     "%s: could not power ON adapter, error %d\n", __func__,
 1615                     error);
 1616                 return error;
 1617         }
 1618 
 1619         if ((IWN_READ(sc, IWN_EEPROM_GP) & 0x7) == 0) {
 1620                 device_printf(sc->sc_dev, "%s: bad ROM signature\n", __func__);
 1621                 return EIO;
 1622         }
 1623         if ((error = iwn_eeprom_lock(sc)) != 0) {
 1624                 device_printf(sc->sc_dev, "%s: could not lock ROM, error %d\n",
 1625                     __func__, error);
 1626                 return error;
 1627         }
 1628         if (sc->sc_flags & IWN_FLAG_HAS_OTPROM) {
 1629                 if ((error = iwn_init_otprom(sc)) != 0) {
 1630                         device_printf(sc->sc_dev,
 1631                             "%s: could not initialize OTPROM, error %d\n",
 1632                             __func__, error);
 1633                         return error;
 1634                 }
 1635         }
 1636 
 1637         iwn_read_prom_data(sc, IWN_EEPROM_SKU_CAP, &val, 2);
 1638         DPRINTF(sc, IWN_DEBUG_RESET, "SKU capabilities=0x%04x\n", le16toh(val));
 1639         /* Check if HT support is bonded out. */
 1640         if (val & htole16(IWN_EEPROM_SKU_CAP_11N))
 1641                 sc->sc_flags |= IWN_FLAG_HAS_11N;
 1642 
 1643         iwn_read_prom_data(sc, IWN_EEPROM_RFCFG, &val, 2);
 1644         sc->rfcfg = le16toh(val);
 1645         DPRINTF(sc, IWN_DEBUG_RESET, "radio config=0x%04x\n", sc->rfcfg);
 1646         /* Read Tx/Rx chains from ROM unless it's known to be broken. */
 1647         if (sc->txchainmask == 0)
 1648                 sc->txchainmask = IWN_RFCFG_TXANTMSK(sc->rfcfg);
 1649         if (sc->rxchainmask == 0)
 1650                 sc->rxchainmask = IWN_RFCFG_RXANTMSK(sc->rfcfg);
 1651 
 1652         /* Read MAC address. */
 1653         iwn_read_prom_data(sc, IWN_EEPROM_MAC, macaddr, 6);
 1654 
 1655         /* Read adapter-specific information from EEPROM. */
 1656         ops->read_eeprom(sc);
 1657 
 1658         iwn_apm_stop(sc);       /* Power OFF adapter. */
 1659 
 1660         iwn_eeprom_unlock(sc);
 1661         return 0;
 1662 }
 1663 
 1664 static void
 1665 iwn4965_read_eeprom(struct iwn_softc *sc)
 1666 {
 1667         uint32_t addr;
 1668         uint16_t val;
 1669         int i;
 1670 
 1671         /* Read regulatory domain (4 ASCII characters). */
 1672         iwn_read_prom_data(sc, IWN4965_EEPROM_DOMAIN, sc->eeprom_domain, 4);
 1673 
 1674         /* Read the list of authorized channels (20MHz ones only). */
 1675         for (i = 0; i < 7; i++) {
 1676                 addr = iwn4965_regulatory_bands[i];
 1677                 iwn_read_eeprom_channels(sc, i, addr);
 1678         }
 1679 
 1680         /* Read maximum allowed TX power for 2GHz and 5GHz bands. */
 1681         iwn_read_prom_data(sc, IWN4965_EEPROM_MAXPOW, &val, 2);
 1682         sc->maxpwr2GHz = val & 0xff;
 1683         sc->maxpwr5GHz = val >> 8;
 1684         /* Check that EEPROM values are within valid range. */
 1685         if (sc->maxpwr5GHz < 20 || sc->maxpwr5GHz > 50)
 1686                 sc->maxpwr5GHz = 38;
 1687         if (sc->maxpwr2GHz < 20 || sc->maxpwr2GHz > 50)
 1688                 sc->maxpwr2GHz = 38;
 1689         DPRINTF(sc, IWN_DEBUG_RESET, "maxpwr 2GHz=%d 5GHz=%d\n",
 1690             sc->maxpwr2GHz, sc->maxpwr5GHz);
 1691 
 1692         /* Read samples for each TX power group. */
 1693         iwn_read_prom_data(sc, IWN4965_EEPROM_BANDS, sc->bands,
 1694             sizeof sc->bands);
 1695 
 1696         /* Read voltage at which samples were taken. */
 1697         iwn_read_prom_data(sc, IWN4965_EEPROM_VOLTAGE, &val, 2);
 1698         sc->eeprom_voltage = (int16_t)le16toh(val);
 1699         DPRINTF(sc, IWN_DEBUG_RESET, "voltage=%d (in 0.3V)\n",
 1700             sc->eeprom_voltage);
 1701 
 1702 #ifdef IWN_DEBUG
 1703         /* Print samples. */
 1704         if (sc->sc_debug & IWN_DEBUG_ANY) {
 1705                 for (i = 0; i < IWN_NBANDS; i++)
 1706                         iwn4965_print_power_group(sc, i);
 1707         }
 1708 #endif
 1709 }
 1710 
 1711 #ifdef IWN_DEBUG
 1712 static void
 1713 iwn4965_print_power_group(struct iwn_softc *sc, int i)
 1714 {
 1715         struct iwn4965_eeprom_band *band = &sc->bands[i];
 1716         struct iwn4965_eeprom_chan_samples *chans = band->chans;
 1717         int j, c;
 1718 
 1719         printf("===band %d===\n", i);
 1720         printf("chan lo=%d, chan hi=%d\n", band->lo, band->hi);
 1721         printf("chan1 num=%d\n", chans[0].num);
 1722         for (c = 0; c < 2; c++) {
 1723                 for (j = 0; j < IWN_NSAMPLES; j++) {
 1724                         printf("chain %d, sample %d: temp=%d gain=%d "
 1725                             "power=%d pa_det=%d\n", c, j,
 1726                             chans[0].samples[c][j].temp,
 1727                             chans[0].samples[c][j].gain,
 1728                             chans[0].samples[c][j].power,
 1729                             chans[0].samples[c][j].pa_det);
 1730                 }
 1731         }
 1732         printf("chan2 num=%d\n", chans[1].num);
 1733         for (c = 0; c < 2; c++) {
 1734                 for (j = 0; j < IWN_NSAMPLES; j++) {
 1735                         printf("chain %d, sample %d: temp=%d gain=%d "
 1736                             "power=%d pa_det=%d\n", c, j,
 1737                             chans[1].samples[c][j].temp,
 1738                             chans[1].samples[c][j].gain,
 1739                             chans[1].samples[c][j].power,
 1740                             chans[1].samples[c][j].pa_det);
 1741                 }
 1742         }
 1743 }
 1744 #endif
 1745 
 1746 static void
 1747 iwn5000_read_eeprom(struct iwn_softc *sc)
 1748 {
 1749         struct iwn5000_eeprom_calib_hdr hdr;
 1750         int32_t volt;
 1751         uint32_t base, addr;
 1752         uint16_t val;
 1753         int i;
 1754 
 1755         /* Read regulatory domain (4 ASCII characters). */
 1756         iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
 1757         base = le16toh(val);
 1758         iwn_read_prom_data(sc, base + IWN5000_EEPROM_DOMAIN,
 1759             sc->eeprom_domain, 4);
 1760 
 1761         /* Read the list of authorized channels (20MHz ones only). */
 1762         for (i = 0; i < 7; i++) {
 1763                 if (sc->hw_type >= IWN_HW_REV_TYPE_6000)
 1764                         addr = base + iwn6000_regulatory_bands[i];
 1765                 else
 1766                         addr = base + iwn5000_regulatory_bands[i];
 1767                 iwn_read_eeprom_channels(sc, i, addr);
 1768         }
 1769 
 1770         /* Read enhanced TX power information for 6000 Series. */
 1771         if (sc->hw_type >= IWN_HW_REV_TYPE_6000)
 1772                 iwn_read_eeprom_enhinfo(sc);
 1773 
 1774         iwn_read_prom_data(sc, IWN5000_EEPROM_CAL, &val, 2);
 1775         base = le16toh(val);
 1776         iwn_read_prom_data(sc, base, &hdr, sizeof hdr);
 1777         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 1778             "%s: calib version=%u pa type=%u voltage=%u\n", __func__,
 1779             hdr.version, hdr.pa_type, le16toh(hdr.volt));
 1780         sc->calib_ver = hdr.version;
 1781 
 1782         if (sc->hw_type == IWN_HW_REV_TYPE_5150) {
 1783                 /* Compute temperature offset. */
 1784                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
 1785                 sc->eeprom_temp = le16toh(val);
 1786                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
 1787                 volt = le16toh(val);
 1788                 sc->temp_off = sc->eeprom_temp - (volt / -5);
 1789                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "temp=%d volt=%d offset=%dK\n",
 1790                     sc->eeprom_temp, volt, sc->temp_off);
 1791         } else {
 1792                 /* Read crystal calibration. */
 1793                 iwn_read_prom_data(sc, base + IWN5000_EEPROM_CRYSTAL,
 1794                     &sc->eeprom_crystal, sizeof (uint32_t));
 1795                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "crystal calibration 0x%08x\n",
 1796                     le32toh(sc->eeprom_crystal));
 1797         }
 1798 }
 1799 
 1800 /*
 1801  * Translate EEPROM flags to net80211.
 1802  */
 1803 static uint32_t
 1804 iwn_eeprom_channel_flags(struct iwn_eeprom_chan *channel)
 1805 {
 1806         uint32_t nflags;
 1807 
 1808         nflags = 0;
 1809         if ((channel->flags & IWN_EEPROM_CHAN_ACTIVE) == 0)
 1810                 nflags |= IEEE80211_CHAN_PASSIVE;
 1811         if ((channel->flags & IWN_EEPROM_CHAN_IBSS) == 0)
 1812                 nflags |= IEEE80211_CHAN_NOADHOC;
 1813         if (channel->flags & IWN_EEPROM_CHAN_RADAR) {
 1814                 nflags |= IEEE80211_CHAN_DFS;
 1815                 /* XXX apparently IBSS may still be marked */
 1816                 nflags |= IEEE80211_CHAN_NOADHOC;
 1817         }
 1818 
 1819         return nflags;
 1820 }
 1821 
 1822 static void
 1823 iwn_read_eeprom_band(struct iwn_softc *sc, int n)
 1824 {
 1825         struct ifnet *ifp = sc->sc_ifp;
 1826         struct ieee80211com *ic = ifp->if_l2com;
 1827         struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
 1828         const struct iwn_chan_band *band = &iwn_bands[n];
 1829         struct ieee80211_channel *c;
 1830         uint8_t chan;
 1831         int i, nflags;
 1832 
 1833         for (i = 0; i < band->nchan; i++) {
 1834                 if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
 1835                         DPRINTF(sc, IWN_DEBUG_RESET,
 1836                             "skip chan %d flags 0x%x maxpwr %d\n",
 1837                             band->chan[i], channels[i].flags,
 1838                             channels[i].maxpwr);
 1839                         continue;
 1840                 }
 1841                 chan = band->chan[i];
 1842                 nflags = iwn_eeprom_channel_flags(&channels[i]);
 1843 
 1844                 c = &ic->ic_channels[ic->ic_nchans++];
 1845                 c->ic_ieee = chan;
 1846                 c->ic_maxregpower = channels[i].maxpwr;
 1847                 c->ic_maxpower = 2*c->ic_maxregpower;
 1848 
 1849                 if (n == 0) {   /* 2GHz band */
 1850                         c->ic_freq = ieee80211_ieee2mhz(chan, IEEE80211_CHAN_G);
 1851                         /* G =>'s B is supported */
 1852                         c->ic_flags = IEEE80211_CHAN_B | nflags;
 1853                         c = &ic->ic_channels[ic->ic_nchans++];
 1854                         c[0] = c[-1];
 1855                         c->ic_flags = IEEE80211_CHAN_G | nflags;
 1856                 } else {        /* 5GHz band */
 1857                         c->ic_freq = ieee80211_ieee2mhz(chan, IEEE80211_CHAN_A);
 1858                         c->ic_flags = IEEE80211_CHAN_A | nflags;
 1859                 }
 1860 
 1861                 /* Save maximum allowed TX power for this channel. */
 1862                 sc->maxpwr[chan] = channels[i].maxpwr;
 1863 
 1864                 DPRINTF(sc, IWN_DEBUG_RESET,
 1865                     "add chan %d flags 0x%x maxpwr %d\n", chan,
 1866                     channels[i].flags, channels[i].maxpwr);
 1867 
 1868                 if (sc->sc_flags & IWN_FLAG_HAS_11N) {
 1869                         /* add HT20, HT40 added separately */
 1870                         c = &ic->ic_channels[ic->ic_nchans++];
 1871                         c[0] = c[-1];
 1872                         c->ic_flags |= IEEE80211_CHAN_HT20;
 1873                 }
 1874         }
 1875 }
 1876 
 1877 static void
 1878 iwn_read_eeprom_ht40(struct iwn_softc *sc, int n)
 1879 {
 1880         struct ifnet *ifp = sc->sc_ifp;
 1881         struct ieee80211com *ic = ifp->if_l2com;
 1882         struct iwn_eeprom_chan *channels = sc->eeprom_channels[n];
 1883         const struct iwn_chan_band *band = &iwn_bands[n];
 1884         struct ieee80211_channel *c, *cent, *extc;
 1885         uint8_t chan;
 1886         int i, nflags;
 1887 
 1888         if (!(sc->sc_flags & IWN_FLAG_HAS_11N))
 1889                 return;
 1890 
 1891         for (i = 0; i < band->nchan; i++) {
 1892                 if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID)) {
 1893                         DPRINTF(sc, IWN_DEBUG_RESET,
 1894                             "skip chan %d flags 0x%x maxpwr %d\n",
 1895                             band->chan[i], channels[i].flags,
 1896                             channels[i].maxpwr);
 1897                         continue;
 1898                 }
 1899                 chan = band->chan[i];
 1900                 nflags = iwn_eeprom_channel_flags(&channels[i]);
 1901 
 1902                 /*
 1903                  * Each entry defines an HT40 channel pair; find the
 1904                  * center channel, then the extension channel above.
 1905                  */
 1906                 cent = ieee80211_find_channel_byieee(ic, chan,
 1907                     (n == 5 ? IEEE80211_CHAN_G : IEEE80211_CHAN_A));
 1908                 if (cent == NULL) {     /* XXX shouldn't happen */
 1909                         device_printf(sc->sc_dev,
 1910                             "%s: no entry for channel %d\n", __func__, chan);
 1911                         continue;
 1912                 }
 1913                 extc = ieee80211_find_channel(ic, cent->ic_freq+20,
 1914                     (n == 5 ? IEEE80211_CHAN_G : IEEE80211_CHAN_A));
 1915                 if (extc == NULL) {
 1916                         DPRINTF(sc, IWN_DEBUG_RESET,
 1917                             "%s: skip chan %d, extension channel not found\n",
 1918                             __func__, chan);
 1919                         continue;
 1920                 }
 1921 
 1922                 DPRINTF(sc, IWN_DEBUG_RESET,
 1923                     "add ht40 chan %d flags 0x%x maxpwr %d\n",
 1924                     chan, channels[i].flags, channels[i].maxpwr);
 1925 
 1926                 c = &ic->ic_channels[ic->ic_nchans++];
 1927                 c[0] = cent[0];
 1928                 c->ic_extieee = extc->ic_ieee;
 1929                 c->ic_flags &= ~IEEE80211_CHAN_HT;
 1930                 c->ic_flags |= IEEE80211_CHAN_HT40U | nflags;
 1931                 c = &ic->ic_channels[ic->ic_nchans++];
 1932                 c[0] = extc[0];
 1933                 c->ic_extieee = cent->ic_ieee;
 1934                 c->ic_flags &= ~IEEE80211_CHAN_HT;
 1935                 c->ic_flags |= IEEE80211_CHAN_HT40D | nflags;
 1936         }
 1937 }
 1938 
 1939 static void
 1940 iwn_read_eeprom_channels(struct iwn_softc *sc, int n, uint32_t addr)
 1941 {
 1942         struct ifnet *ifp = sc->sc_ifp;
 1943         struct ieee80211com *ic = ifp->if_l2com;
 1944 
 1945         iwn_read_prom_data(sc, addr, &sc->eeprom_channels[n],
 1946             iwn_bands[n].nchan * sizeof (struct iwn_eeprom_chan));
 1947 
 1948         if (n < 5)
 1949                 iwn_read_eeprom_band(sc, n);
 1950         else
 1951                 iwn_read_eeprom_ht40(sc, n);
 1952         ieee80211_sort_channels(ic->ic_channels, ic->ic_nchans);
 1953 }
 1954 
 1955 static struct iwn_eeprom_chan *
 1956 iwn_find_eeprom_channel(struct iwn_softc *sc, struct ieee80211_channel *c)
 1957 {
 1958         int band, chan, i, j;
 1959 
 1960         if (IEEE80211_IS_CHAN_HT40(c)) {
 1961                 band = IEEE80211_IS_CHAN_5GHZ(c) ? 6 : 5;
 1962                 if (IEEE80211_IS_CHAN_HT40D(c))
 1963                         chan = c->ic_extieee;
 1964                 else
 1965                         chan = c->ic_ieee;
 1966                 for (i = 0; i < iwn_bands[band].nchan; i++) {
 1967                         if (iwn_bands[band].chan[i] == chan)
 1968                                 return &sc->eeprom_channels[band][i];
 1969                 }
 1970         } else {
 1971                 for (j = 0; j < 5; j++) {
 1972                         for (i = 0; i < iwn_bands[j].nchan; i++) {
 1973                                 if (iwn_bands[j].chan[i] == c->ic_ieee)
 1974                                         return &sc->eeprom_channels[j][i];
 1975                         }
 1976                 }
 1977         }
 1978         return NULL;
 1979 }
 1980 
 1981 /*
 1982  * Enforce flags read from EEPROM.
 1983  */
 1984 static int
 1985 iwn_setregdomain(struct ieee80211com *ic, struct ieee80211_regdomain *rd,
 1986     int nchan, struct ieee80211_channel chans[])
 1987 {
 1988         struct iwn_softc *sc = ic->ic_ifp->if_softc;
 1989         int i;
 1990 
 1991         for (i = 0; i < nchan; i++) {
 1992                 struct ieee80211_channel *c = &chans[i];
 1993                 struct iwn_eeprom_chan *channel;
 1994 
 1995                 channel = iwn_find_eeprom_channel(sc, c);
 1996                 if (channel == NULL) {
 1997                         if_printf(ic->ic_ifp,
 1998                             "%s: invalid channel %u freq %u/0x%x\n",
 1999                             __func__, c->ic_ieee, c->ic_freq, c->ic_flags);
 2000                         return EINVAL;
 2001                 }
 2002                 c->ic_flags |= iwn_eeprom_channel_flags(channel);
 2003         }
 2004 
 2005         return 0;
 2006 }
 2007 
 2008 static void
 2009 iwn_read_eeprom_enhinfo(struct iwn_softc *sc)
 2010 {
 2011         struct iwn_eeprom_enhinfo enhinfo[35];
 2012         struct ifnet *ifp = sc->sc_ifp;
 2013         struct ieee80211com *ic = ifp->if_l2com;
 2014         struct ieee80211_channel *c;
 2015         uint16_t val, base;
 2016         int8_t maxpwr;
 2017         uint8_t flags;
 2018         int i, j;
 2019 
 2020         iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
 2021         base = le16toh(val);
 2022         iwn_read_prom_data(sc, base + IWN6000_EEPROM_ENHINFO,
 2023             enhinfo, sizeof enhinfo);
 2024 
 2025         for (i = 0; i < nitems(enhinfo); i++) {
 2026                 flags = enhinfo[i].flags;
 2027                 if (!(flags & IWN_ENHINFO_VALID))
 2028                         continue;       /* Skip invalid entries. */
 2029 
 2030                 maxpwr = 0;
 2031                 if (sc->txchainmask & IWN_ANT_A)
 2032                         maxpwr = MAX(maxpwr, enhinfo[i].chain[0]);
 2033                 if (sc->txchainmask & IWN_ANT_B)
 2034                         maxpwr = MAX(maxpwr, enhinfo[i].chain[1]);
 2035                 if (sc->txchainmask & IWN_ANT_C)
 2036                         maxpwr = MAX(maxpwr, enhinfo[i].chain[2]);
 2037                 if (sc->ntxchains == 2)
 2038                         maxpwr = MAX(maxpwr, enhinfo[i].mimo2);
 2039                 else if (sc->ntxchains == 3)
 2040                         maxpwr = MAX(maxpwr, enhinfo[i].mimo3);
 2041 
 2042                 for (j = 0; j < ic->ic_nchans; j++) {
 2043                         c = &ic->ic_channels[j];
 2044                         if ((flags & IWN_ENHINFO_5GHZ)) {
 2045                                 if (!IEEE80211_IS_CHAN_A(c))
 2046                                         continue;
 2047                         } else if ((flags & IWN_ENHINFO_OFDM)) {
 2048                                 if (!IEEE80211_IS_CHAN_G(c))
 2049                                         continue;
 2050                         } else if (!IEEE80211_IS_CHAN_B(c))
 2051                                 continue;
 2052                         if ((flags & IWN_ENHINFO_HT40)) {
 2053                                 if (!IEEE80211_IS_CHAN_HT40(c))
 2054                                         continue;
 2055                         } else {
 2056                                 if (IEEE80211_IS_CHAN_HT40(c))
 2057                                         continue;
 2058                         }
 2059                         if (enhinfo[i].chan != 0 &&
 2060                             enhinfo[i].chan != c->ic_ieee)
 2061                                 continue;
 2062 
 2063                         DPRINTF(sc, IWN_DEBUG_RESET,
 2064                             "channel %d(%x), maxpwr %d\n", c->ic_ieee,
 2065                             c->ic_flags, maxpwr / 2);
 2066                         c->ic_maxregpower = maxpwr / 2;
 2067                         c->ic_maxpower = maxpwr;
 2068                 }
 2069         }
 2070 }
 2071 
 2072 static struct ieee80211_node *
 2073 iwn_node_alloc(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
 2074 {
 2075         return malloc(sizeof (struct iwn_node), M_80211_NODE,M_NOWAIT | M_ZERO);
 2076 }
 2077 
 2078 static __inline int
 2079 rate2plcp(int rate)
 2080 {
 2081         switch (rate & 0xff) {
 2082         case 12:        return 0xd;
 2083         case 18:        return 0xf;
 2084         case 24:        return 0x5;
 2085         case 36:        return 0x7;
 2086         case 48:        return 0x9;
 2087         case 72:        return 0xb;
 2088         case 96:        return 0x1;
 2089         case 108:       return 0x3;
 2090         case 2:         return 10;
 2091         case 4:         return 20;
 2092         case 11:        return 55;
 2093         case 22:        return 110;
 2094         }
 2095         return 0;
 2096 }
 2097 
 2098 static void
 2099 iwn_newassoc(struct ieee80211_node *ni, int isnew)
 2100 {
 2101 #define RV(v)   ((v) & IEEE80211_RATE_VAL)
 2102         struct ieee80211com *ic = ni->ni_ic;
 2103         struct iwn_softc *sc = ic->ic_ifp->if_softc;
 2104         struct iwn_node *wn = (void *)ni;
 2105         uint8_t txant1, txant2;
 2106         int i, plcp, rate, ridx;
 2107 
 2108         /* Use the first valid TX antenna. */
 2109         txant1 = IWN_LSB(sc->txchainmask);
 2110         txant2 = IWN_LSB(sc->txchainmask & ~txant1);
 2111 
 2112         if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) {
 2113                 ridx = ni->ni_rates.rs_nrates - 1;
 2114                 for (i = ni->ni_htrates.rs_nrates - 1; i >= 0; i--) {
 2115                         plcp = RV(ni->ni_htrates.rs_rates[i]) | IWN_RFLAG_MCS;
 2116                         if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
 2117                                 plcp |= IWN_RFLAG_HT40;
 2118                                 if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI40)
 2119                                         plcp |= IWN_RFLAG_SGI;
 2120                         } else if (ni->ni_htcap & IEEE80211_HTCAP_SHORTGI20)
 2121                                 plcp |= IWN_RFLAG_SGI;
 2122                         if (RV(ni->ni_htrates.rs_rates[i]) > 7)
 2123                                 plcp |= IWN_RFLAG_ANT(txant1 | txant2);
 2124                         else
 2125                                 plcp |= IWN_RFLAG_ANT(txant1);
 2126                         if (ridx >= 0) {
 2127                                 rate = RV(ni->ni_rates.rs_rates[ridx]);
 2128                                 wn->ridx[rate] = plcp;
 2129                         }
 2130                         wn->ridx[IEEE80211_RATE_MCS | i] = plcp;
 2131                         ridx--;
 2132                 }
 2133         } else {
 2134                 for (i = 0; i < ni->ni_rates.rs_nrates; i++) {
 2135                         rate = RV(ni->ni_rates.rs_rates[i]);
 2136                         plcp = rate2plcp(rate);
 2137                         ridx = ic->ic_rt->rateCodeToIndex[rate];
 2138                         if (ridx < IWN_RIDX_OFDM6 &&
 2139                             IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
 2140                                 plcp |= IWN_RFLAG_CCK;
 2141                         plcp |= IWN_RFLAG_ANT(txant1);
 2142                         wn->ridx[rate] = htole32(plcp);
 2143                 }
 2144         }
 2145 #undef  RV
 2146 }
 2147 
 2148 static int
 2149 iwn_media_change(struct ifnet *ifp)
 2150 {
 2151         int error;
 2152 
 2153         error = ieee80211_media_change(ifp);
 2154         /* NB: only the fixed rate can change and that doesn't need a reset */
 2155         return (error == ENETRESET ? 0 : error);
 2156 }
 2157 
 2158 static int
 2159 iwn_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
 2160 {
 2161         struct iwn_vap *ivp = IWN_VAP(vap);
 2162         struct ieee80211com *ic = vap->iv_ic;
 2163         struct iwn_softc *sc = ic->ic_ifp->if_softc;
 2164         int error = 0;
 2165 
 2166         DPRINTF(sc, IWN_DEBUG_STATE, "%s: %s -> %s\n", __func__,
 2167             ieee80211_state_name[vap->iv_state], ieee80211_state_name[nstate]);
 2168 
 2169         IEEE80211_UNLOCK(ic);
 2170         IWN_LOCK(sc);
 2171         callout_stop(&sc->calib_to);
 2172 
 2173         switch (nstate) {
 2174         case IEEE80211_S_ASSOC:
 2175                 if (vap->iv_state != IEEE80211_S_RUN)
 2176                         break;
 2177                 /* FALLTHROUGH */
 2178         case IEEE80211_S_AUTH:
 2179                 if (vap->iv_state == IEEE80211_S_AUTH)
 2180                         break;
 2181 
 2182                 /*
 2183                  * !AUTH -> AUTH transition requires state reset to handle
 2184                  * reassociations correctly.
 2185                  */
 2186                 sc->rxon.associd = 0;
 2187                 sc->rxon.filter &= ~htole32(IWN_FILTER_BSS);
 2188                 sc->calib.state = IWN_CALIB_STATE_INIT;
 2189 
 2190                 if ((error = iwn_auth(sc, vap)) != 0) {
 2191                         device_printf(sc->sc_dev,
 2192                             "%s: could not move to auth state\n", __func__);
 2193                 }
 2194                 break;
 2195 
 2196         case IEEE80211_S_RUN:
 2197                 /*
 2198                  * RUN -> RUN transition; Just restart the timers.
 2199                  */
 2200                 if (vap->iv_state == IEEE80211_S_RUN) {
 2201                         sc->calib_cnt = 0;
 2202                         break;
 2203                 }
 2204 
 2205                 /*
 2206                  * !RUN -> RUN requires setting the association id
 2207                  * which is done with a firmware cmd.  We also defer
 2208                  * starting the timers until that work is done.
 2209                  */
 2210                 if ((error = iwn_run(sc, vap)) != 0) {
 2211                         device_printf(sc->sc_dev,
 2212                             "%s: could not move to run state\n", __func__);
 2213                 }
 2214                 break;
 2215 
 2216         case IEEE80211_S_INIT:
 2217                 sc->calib.state = IWN_CALIB_STATE_INIT;
 2218                 break;
 2219 
 2220         default:
 2221                 break;
 2222         }
 2223         IWN_UNLOCK(sc);
 2224         IEEE80211_LOCK(ic);
 2225         if (error != 0)
 2226                 return error;
 2227         return ivp->iv_newstate(vap, nstate, arg);
 2228 }
 2229 
 2230 static void
 2231 iwn_calib_timeout(void *arg)
 2232 {
 2233         struct iwn_softc *sc = arg;
 2234 
 2235         IWN_LOCK_ASSERT(sc);
 2236 
 2237         /* Force automatic TX power calibration every 60 secs. */
 2238         if (++sc->calib_cnt >= 120) {
 2239                 uint32_t flags = 0;
 2240 
 2241                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s\n",
 2242                     "sending request for statistics");
 2243                 (void)iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags,
 2244                     sizeof flags, 1);
 2245                 sc->calib_cnt = 0;
 2246         }
 2247         callout_reset(&sc->calib_to, msecs_to_ticks(500), iwn_calib_timeout,
 2248             sc);
 2249 }
 2250 
 2251 /*
 2252  * Process an RX_PHY firmware notification.  This is usually immediately
 2253  * followed by an MPDU_RX_DONE notification.
 2254  */
 2255 static void
 2256 iwn_rx_phy(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2257     struct iwn_rx_data *data)
 2258 {
 2259         struct iwn_rx_stat *stat = (struct iwn_rx_stat *)(desc + 1);
 2260 
 2261         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: received PHY stats\n", __func__);
 2262         bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2263 
 2264         /* Save RX statistics, they will be used on MPDU_RX_DONE. */
 2265         memcpy(&sc->last_rx_stat, stat, sizeof (*stat));
 2266         sc->last_rx_valid = 1;
 2267 }
 2268 
 2269 /*
 2270  * Process an RX_DONE (4965AGN only) or MPDU_RX_DONE firmware notification.
 2271  * Each MPDU_RX_DONE notification must be preceded by an RX_PHY one.
 2272  */
 2273 static void
 2274 iwn_rx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2275     struct iwn_rx_data *data)
 2276 {
 2277         struct iwn_ops *ops = &sc->ops;
 2278         struct ifnet *ifp = sc->sc_ifp;
 2279         struct ieee80211com *ic = ifp->if_l2com;
 2280         struct iwn_rx_ring *ring = &sc->rxq;
 2281         struct ieee80211_frame *wh;
 2282         struct ieee80211_node *ni;
 2283         struct mbuf *m, *m1;
 2284         struct iwn_rx_stat *stat;
 2285         caddr_t head;
 2286         bus_addr_t paddr;
 2287         uint32_t flags;
 2288         int error, len, rssi, nf;
 2289 
 2290         if (desc->type == IWN_MPDU_RX_DONE) {
 2291                 /* Check for prior RX_PHY notification. */
 2292                 if (!sc->last_rx_valid) {
 2293                         DPRINTF(sc, IWN_DEBUG_ANY,
 2294                             "%s: missing RX_PHY\n", __func__);
 2295                         return;
 2296                 }
 2297                 stat = &sc->last_rx_stat;
 2298         } else
 2299                 stat = (struct iwn_rx_stat *)(desc + 1);
 2300 
 2301         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2302 
 2303         if (stat->cfg_phy_len > IWN_STAT_MAXLEN) {
 2304                 device_printf(sc->sc_dev,
 2305                     "%s: invalid RX statistic header, len %d\n", __func__,
 2306                     stat->cfg_phy_len);
 2307                 return;
 2308         }
 2309         if (desc->type == IWN_MPDU_RX_DONE) {
 2310                 struct iwn_rx_mpdu *mpdu = (struct iwn_rx_mpdu *)(desc + 1);
 2311                 head = (caddr_t)(mpdu + 1);
 2312                 len = le16toh(mpdu->len);
 2313         } else {
 2314                 head = (caddr_t)(stat + 1) + stat->cfg_phy_len;
 2315                 len = le16toh(stat->len);
 2316         }
 2317 
 2318         flags = le32toh(*(uint32_t *)(head + len));
 2319 
 2320         /* Discard frames with a bad FCS early. */
 2321         if ((flags & IWN_RX_NOERROR) != IWN_RX_NOERROR) {
 2322                 DPRINTF(sc, IWN_DEBUG_RECV, "%s: RX flags error %x\n",
 2323                     __func__, flags);
 2324                 ifp->if_ierrors++;
 2325                 return;
 2326         }
 2327         /* Discard frames that are too short. */
 2328         if (len < sizeof (*wh)) {
 2329                 DPRINTF(sc, IWN_DEBUG_RECV, "%s: frame too short: %d\n",
 2330                     __func__, len);
 2331                 ifp->if_ierrors++;
 2332                 return;
 2333         }
 2334 
 2335         m1 = m_getjcl(M_DONTWAIT, MT_DATA, M_PKTHDR, IWN_RBUF_SIZE);
 2336         if (m1 == NULL) {
 2337                 DPRINTF(sc, IWN_DEBUG_ANY, "%s: no mbuf to restock ring\n",
 2338                     __func__);
 2339                 ifp->if_ierrors++;
 2340                 return;
 2341         }
 2342         bus_dmamap_unload(ring->data_dmat, data->map);
 2343 
 2344         error = bus_dmamap_load(ring->data_dmat, data->map, mtod(m1, void *),
 2345             IWN_RBUF_SIZE, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
 2346         if (error != 0 && error != EFBIG) {
 2347                 device_printf(sc->sc_dev,
 2348                     "%s: bus_dmamap_load failed, error %d\n", __func__, error);
 2349                 m_freem(m1);
 2350 
 2351                 /* Try to reload the old mbuf. */
 2352                 error = bus_dmamap_load(ring->data_dmat, data->map,
 2353                     mtod(data->m, void *), IWN_RBUF_SIZE, iwn_dma_map_addr,
 2354                     &paddr, BUS_DMA_NOWAIT);
 2355                 if (error != 0 && error != EFBIG) {
 2356                         panic("%s: could not load old RX mbuf", __func__);
 2357                 }
 2358                 /* Physical address may have changed. */
 2359                 ring->desc[ring->cur] = htole32(paddr >> 8);
 2360                 bus_dmamap_sync(ring->data_dmat, ring->desc_dma.map,
 2361                     BUS_DMASYNC_PREWRITE);
 2362                 ifp->if_ierrors++;
 2363                 return;
 2364         }
 2365 
 2366         m = data->m;
 2367         data->m = m1;
 2368         /* Update RX descriptor. */
 2369         ring->desc[ring->cur] = htole32(paddr >> 8);
 2370         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 2371             BUS_DMASYNC_PREWRITE);
 2372 
 2373         /* Finalize mbuf. */
 2374         m->m_pkthdr.rcvif = ifp;
 2375         m->m_data = head;
 2376         m->m_pkthdr.len = m->m_len = len;
 2377 
 2378         /* Grab a reference to the source node. */
 2379         wh = mtod(m, struct ieee80211_frame *);
 2380         ni = ieee80211_find_rxnode(ic, (struct ieee80211_frame_min *)wh);
 2381         nf = (ni != NULL && ni->ni_vap->iv_state == IEEE80211_S_RUN &&
 2382             (ic->ic_flags & IEEE80211_F_SCAN) == 0) ? sc->noise : -95;
 2383 
 2384         rssi = ops->get_rssi(sc, stat);
 2385 
 2386         if (ieee80211_radiotap_active(ic)) {
 2387                 struct iwn_rx_radiotap_header *tap = &sc->sc_rxtap;
 2388 
 2389                 tap->wr_flags = 0;
 2390                 if (stat->flags & htole16(IWN_STAT_FLAG_SHPREAMBLE))
 2391                         tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
 2392                 tap->wr_dbm_antsignal = (int8_t)rssi;
 2393                 tap->wr_dbm_antnoise = (int8_t)nf;
 2394                 tap->wr_tsft = stat->tstamp;
 2395                 switch (stat->rate) {
 2396                 /* CCK rates. */
 2397                 case  10: tap->wr_rate =   2; break;
 2398                 case  20: tap->wr_rate =   4; break;
 2399                 case  55: tap->wr_rate =  11; break;
 2400                 case 110: tap->wr_rate =  22; break;
 2401                 /* OFDM rates. */
 2402                 case 0xd: tap->wr_rate =  12; break;
 2403                 case 0xf: tap->wr_rate =  18; break;
 2404                 case 0x5: tap->wr_rate =  24; break;
 2405                 case 0x7: tap->wr_rate =  36; break;
 2406                 case 0x9: tap->wr_rate =  48; break;
 2407                 case 0xb: tap->wr_rate =  72; break;
 2408                 case 0x1: tap->wr_rate =  96; break;
 2409                 case 0x3: tap->wr_rate = 108; break;
 2410                 /* Unknown rate: should not happen. */
 2411                 default:  tap->wr_rate =   0;
 2412                 }
 2413         }
 2414 
 2415         IWN_UNLOCK(sc);
 2416 
 2417         /* Send the frame to the 802.11 layer. */
 2418         if (ni != NULL) {
 2419                 if (ni->ni_flags & IEEE80211_NODE_HT)
 2420                         m->m_flags |= M_AMPDU;
 2421                 (void)ieee80211_input(ni, m, rssi - nf, nf);
 2422                 /* Node is no longer needed. */
 2423                 ieee80211_free_node(ni);
 2424         } else
 2425                 (void)ieee80211_input_all(ic, m, rssi - nf, nf);
 2426 
 2427         IWN_LOCK(sc);
 2428 }
 2429 
 2430 /* Process an incoming Compressed BlockAck. */
 2431 static void
 2432 iwn_rx_compressed_ba(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2433     struct iwn_rx_data *data)
 2434 {
 2435         struct iwn_ops *ops = &sc->ops;
 2436         struct ifnet *ifp = sc->sc_ifp;
 2437         struct iwn_node *wn;
 2438         struct ieee80211_node *ni;
 2439         struct iwn_compressed_ba *ba = (struct iwn_compressed_ba *)(desc + 1);
 2440         struct iwn_tx_ring *txq;
 2441         struct iwn_tx_data *txdata;
 2442         struct ieee80211_tx_ampdu *tap;
 2443         struct mbuf *m;
 2444         uint64_t bitmap;
 2445         uint16_t ssn;
 2446         uint8_t tid;
 2447         int ackfailcnt = 0, i, lastidx, qid, *res, shift;
 2448 
 2449         bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2450 
 2451         qid = le16toh(ba->qid);
 2452         txq = &sc->txq[ba->qid];
 2453         tap = sc->qid2tap[ba->qid];
 2454         tid = WME_AC_TO_TID(tap->txa_ac);
 2455         wn = (void *)tap->txa_ni;
 2456 
 2457         res = NULL;
 2458         ssn = 0;
 2459         if (!IEEE80211_AMPDU_RUNNING(tap)) {
 2460                 res = tap->txa_private;
 2461                 ssn = tap->txa_start & 0xfff;
 2462         }
 2463 
 2464         for (lastidx = le16toh(ba->ssn) & 0xff; txq->read != lastidx;) {
 2465                 txdata = &txq->data[txq->read];
 2466 
 2467                 /* Unmap and free mbuf. */
 2468                 bus_dmamap_sync(txq->data_dmat, txdata->map,
 2469                     BUS_DMASYNC_POSTWRITE);
 2470                 bus_dmamap_unload(txq->data_dmat, txdata->map);
 2471                 m = txdata->m, txdata->m = NULL;
 2472                 ni = txdata->ni, txdata->ni = NULL;
 2473 
 2474                 KASSERT(ni != NULL, ("no node"));
 2475                 KASSERT(m != NULL, ("no mbuf"));
 2476 
 2477                 if (m->m_flags & M_TXCB)
 2478                         ieee80211_process_callback(ni, m, 1);
 2479 
 2480                 m_freem(m);
 2481                 ieee80211_free_node(ni);
 2482 
 2483                 txq->queued--;
 2484                 txq->read = (txq->read + 1) % IWN_TX_RING_COUNT;
 2485         }
 2486 
 2487         if (txq->queued == 0 && res != NULL) {
 2488                 iwn_nic_lock(sc);
 2489                 ops->ampdu_tx_stop(sc, qid, tid, ssn);
 2490                 iwn_nic_unlock(sc);
 2491                 sc->qid2tap[qid] = NULL;
 2492                 free(res, M_DEVBUF);
 2493                 return;
 2494         }
 2495 
 2496         if (wn->agg[tid].bitmap == 0)
 2497                 return;
 2498 
 2499         shift = wn->agg[tid].startidx - ((le16toh(ba->seq) >> 4) & 0xff);
 2500         if (shift < 0)
 2501                 shift += 0x100;
 2502 
 2503         if (wn->agg[tid].nframes > (64 - shift))
 2504                 return;
 2505 
 2506         ni = tap->txa_ni;
 2507         bitmap = (le64toh(ba->bitmap) >> shift) & wn->agg[tid].bitmap;
 2508         for (i = 0; bitmap; i++) {
 2509                 if ((bitmap & 1) == 0) {
 2510                         ifp->if_oerrors++;
 2511                         ieee80211_ratectl_tx_complete(ni->ni_vap, ni,
 2512                             IEEE80211_RATECTL_TX_FAILURE, &ackfailcnt, NULL);
 2513                 } else {
 2514                         ifp->if_opackets++;
 2515                         ieee80211_ratectl_tx_complete(ni->ni_vap, ni,
 2516                             IEEE80211_RATECTL_TX_SUCCESS, &ackfailcnt, NULL);
 2517                 }
 2518                 bitmap >>= 1;
 2519         }
 2520 }
 2521 
 2522 /*
 2523  * Process a CALIBRATION_RESULT notification sent by the initialization
 2524  * firmware on response to a CMD_CALIB_CONFIG command (5000 only).
 2525  */
 2526 static void
 2527 iwn5000_rx_calib_results(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2528     struct iwn_rx_data *data)
 2529 {
 2530         struct iwn_phy_calib *calib = (struct iwn_phy_calib *)(desc + 1);
 2531         int len, idx = -1;
 2532 
 2533         /* Runtime firmware should not send such a notification. */
 2534         if (sc->sc_flags & IWN_FLAG_CALIB_DONE)
 2535                 return;
 2536 
 2537         len = (le32toh(desc->len) & 0x3fff) - 4;
 2538         bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2539 
 2540         switch (calib->code) {
 2541         case IWN5000_PHY_CALIB_DC:
 2542                 if ((sc->sc_flags & IWN_FLAG_INTERNAL_PA) == 0 &&
 2543                     (sc->hw_type == IWN_HW_REV_TYPE_5150 ||
 2544                      sc->hw_type >= IWN_HW_REV_TYPE_6000) &&
 2545                      sc->hw_type != IWN_HW_REV_TYPE_6050)
 2546                         idx = 0;
 2547                 break;
 2548         case IWN5000_PHY_CALIB_LO:
 2549                 idx = 1;
 2550                 break;
 2551         case IWN5000_PHY_CALIB_TX_IQ:
 2552                 idx = 2;
 2553                 break;
 2554         case IWN5000_PHY_CALIB_TX_IQ_PERIODIC:
 2555                 if (sc->hw_type < IWN_HW_REV_TYPE_6000 &&
 2556                     sc->hw_type != IWN_HW_REV_TYPE_5150)
 2557                         idx = 3;
 2558                 break;
 2559         case IWN5000_PHY_CALIB_BASE_BAND:
 2560                 idx = 4;
 2561                 break;
 2562         }
 2563         if (idx == -1)  /* Ignore other results. */
 2564                 return;
 2565 
 2566         /* Save calibration result. */
 2567         if (sc->calibcmd[idx].buf != NULL)
 2568                 free(sc->calibcmd[idx].buf, M_DEVBUF);
 2569         sc->calibcmd[idx].buf = malloc(len, M_DEVBUF, M_NOWAIT);
 2570         if (sc->calibcmd[idx].buf == NULL) {
 2571                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 2572                     "not enough memory for calibration result %d\n",
 2573                     calib->code);
 2574                 return;
 2575         }
 2576         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 2577             "saving calibration result code=%d len=%d\n", calib->code, len);
 2578         sc->calibcmd[idx].len = len;
 2579         memcpy(sc->calibcmd[idx].buf, calib, len);
 2580 }
 2581 
 2582 /*
 2583  * Process an RX_STATISTICS or BEACON_STATISTICS firmware notification.
 2584  * The latter is sent by the firmware after each received beacon.
 2585  */
 2586 static void
 2587 iwn_rx_statistics(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2588     struct iwn_rx_data *data)
 2589 {
 2590         struct iwn_ops *ops = &sc->ops;
 2591         struct ifnet *ifp = sc->sc_ifp;
 2592         struct ieee80211com *ic = ifp->if_l2com;
 2593         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 2594         struct iwn_calib_state *calib = &sc->calib;
 2595         struct iwn_stats *stats = (struct iwn_stats *)(desc + 1);
 2596         int temp;
 2597 
 2598         /* Ignore statistics received during a scan. */
 2599         if (vap->iv_state != IEEE80211_S_RUN ||
 2600             (ic->ic_flags & IEEE80211_F_SCAN))
 2601                 return;
 2602 
 2603         bus_dmamap_sync(sc->rxq.data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2604 
 2605         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: received statistics, cmd %d\n",
 2606             __func__, desc->type);
 2607         sc->calib_cnt = 0;      /* Reset TX power calibration timeout. */
 2608 
 2609         /* Test if temperature has changed. */
 2610         if (stats->general.temp != sc->rawtemp) {
 2611                 /* Convert "raw" temperature to degC. */
 2612                 sc->rawtemp = stats->general.temp;
 2613                 temp = ops->get_temperature(sc);
 2614                 DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: temperature %d\n",
 2615                     __func__, temp);
 2616 
 2617                 /* Update TX power if need be (4965AGN only). */
 2618                 if (sc->hw_type == IWN_HW_REV_TYPE_4965)
 2619                         iwn4965_power_calibration(sc, temp);
 2620         }
 2621 
 2622         if (desc->type != IWN_BEACON_STATISTICS)
 2623                 return; /* Reply to a statistics request. */
 2624 
 2625         sc->noise = iwn_get_noise(&stats->rx.general);
 2626         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: noise %d\n", __func__, sc->noise);
 2627 
 2628         /* Test that RSSI and noise are present in stats report. */
 2629         if (le32toh(stats->rx.general.flags) != 1) {
 2630                 DPRINTF(sc, IWN_DEBUG_ANY, "%s\n",
 2631                     "received statistics without RSSI");
 2632                 return;
 2633         }
 2634 
 2635         if (calib->state == IWN_CALIB_STATE_ASSOC)
 2636                 iwn_collect_noise(sc, &stats->rx.general);
 2637         else if (calib->state == IWN_CALIB_STATE_RUN)
 2638                 iwn_tune_sensitivity(sc, &stats->rx);
 2639 }
 2640 
 2641 /*
 2642  * Process a TX_DONE firmware notification.  Unfortunately, the 4965AGN
 2643  * and 5000 adapters have different incompatible TX status formats.
 2644  */
 2645 static void
 2646 iwn4965_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2647     struct iwn_rx_data *data)
 2648 {
 2649         struct iwn4965_tx_stat *stat = (struct iwn4965_tx_stat *)(desc + 1);
 2650         struct iwn_tx_ring *ring;
 2651         int qid;
 2652 
 2653         qid = desc->qid & 0xf;
 2654         ring = &sc->txq[qid];
 2655 
 2656         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
 2657             "qid %d idx %d retries %d nkill %d rate %x duration %d status %x\n",
 2658             __func__, desc->qid, desc->idx, stat->ackfailcnt,
 2659             stat->btkillcnt, stat->rate, le16toh(stat->duration),
 2660             le32toh(stat->status));
 2661 
 2662         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2663         if (qid >= sc->firstaggqueue) {
 2664                 iwn_ampdu_tx_done(sc, qid, desc->idx, stat->nframes,
 2665                     &stat->status);
 2666         } else {
 2667                 iwn_tx_done(sc, desc, stat->ackfailcnt,
 2668                     le32toh(stat->status) & 0xff);
 2669         }
 2670 }
 2671 
 2672 static void
 2673 iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
 2674     struct iwn_rx_data *data)
 2675 {
 2676         struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc + 1);
 2677         struct iwn_tx_ring *ring;
 2678         int qid;
 2679 
 2680         qid = desc->qid & 0xf;
 2681         ring = &sc->txq[qid];
 2682 
 2683         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: "
 2684             "qid %d idx %d retries %d nkill %d rate %x duration %d status %x\n",
 2685             __func__, desc->qid, desc->idx, stat->ackfailcnt,
 2686             stat->btkillcnt, stat->rate, le16toh(stat->duration),
 2687             le32toh(stat->status));
 2688 
 2689 #ifdef notyet
 2690         /* Reset TX scheduler slot. */
 2691         iwn5000_reset_sched(sc, desc->qid & 0xf, desc->idx);
 2692 #endif
 2693 
 2694         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTREAD);
 2695         if (qid >= sc->firstaggqueue) {
 2696                 iwn_ampdu_tx_done(sc, qid, desc->idx, stat->nframes,
 2697                     &stat->status);
 2698         } else {
 2699                 iwn_tx_done(sc, desc, stat->ackfailcnt,
 2700                     le16toh(stat->status) & 0xff);
 2701         }
 2702 }
 2703 
 2704 /*
 2705  * Adapter-independent backend for TX_DONE firmware notifications.
 2706  */
 2707 static void
 2708 iwn_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc, int ackfailcnt,
 2709     uint8_t status)
 2710 {
 2711         struct ifnet *ifp = sc->sc_ifp;
 2712         struct iwn_tx_ring *ring = &sc->txq[desc->qid & 0xf];
 2713         struct iwn_tx_data *data = &ring->data[desc->idx];
 2714         struct mbuf *m;
 2715         struct ieee80211_node *ni;
 2716         struct ieee80211vap *vap;
 2717 
 2718         KASSERT(data->ni != NULL, ("no node"));
 2719 
 2720         /* Unmap and free mbuf. */
 2721         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_POSTWRITE);
 2722         bus_dmamap_unload(ring->data_dmat, data->map);
 2723         m = data->m, data->m = NULL;
 2724         ni = data->ni, data->ni = NULL;
 2725         vap = ni->ni_vap;
 2726 
 2727         if (m->m_flags & M_TXCB) {
 2728                 /*
 2729                  * Channels marked for "radar" require traffic to be received
 2730                  * to unlock before we can transmit.  Until traffic is seen
 2731                  * any attempt to transmit is returned immediately with status
 2732                  * set to IWN_TX_FAIL_TX_LOCKED.  Unfortunately this can easily
 2733                  * happen on first authenticate after scanning.  To workaround
 2734                  * this we ignore a failure of this sort in AUTH state so the
 2735                  * 802.11 layer will fall back to using a timeout to wait for
 2736                  * the AUTH reply.  This allows the firmware time to see
 2737                  * traffic so a subsequent retry of AUTH succeeds.  It's
 2738                  * unclear why the firmware does not maintain state for
 2739                  * channels recently visited as this would allow immediate
 2740                  * use of the channel after a scan (where we see traffic).
 2741                  */
 2742                 if (status == IWN_TX_FAIL_TX_LOCKED &&
 2743                     ni->ni_vap->iv_state == IEEE80211_S_AUTH)
 2744                         ieee80211_process_callback(ni, m, 0);
 2745                 else
 2746                         ieee80211_process_callback(ni, m,
 2747                             (status & IWN_TX_FAIL) != 0);
 2748         }
 2749 
 2750         /*
 2751          * Update rate control statistics for the node.
 2752          */
 2753         if (status & IWN_TX_FAIL) {
 2754                 ifp->if_oerrors++;
 2755                 ieee80211_ratectl_tx_complete(vap, ni,
 2756                     IEEE80211_RATECTL_TX_FAILURE, &ackfailcnt, NULL);
 2757         } else {
 2758                 ifp->if_opackets++;
 2759                 ieee80211_ratectl_tx_complete(vap, ni,
 2760                     IEEE80211_RATECTL_TX_SUCCESS, &ackfailcnt, NULL);
 2761         }
 2762         m_freem(m);
 2763         ieee80211_free_node(ni);
 2764 
 2765         sc->sc_tx_timer = 0;
 2766         if (--ring->queued < IWN_TX_RING_LOMARK) {
 2767                 sc->qfullmsk &= ~(1 << ring->qid);
 2768                 if (sc->qfullmsk == 0 &&
 2769                     (ifp->if_drv_flags & IFF_DRV_OACTIVE)) {
 2770                         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
 2771                         iwn_start_locked(ifp);
 2772                 }
 2773         }
 2774 }
 2775 
 2776 /*
 2777  * Process a "command done" firmware notification.  This is where we wakeup
 2778  * processes waiting for a synchronous command completion.
 2779  */
 2780 static void
 2781 iwn_cmd_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 2782 {
 2783         struct iwn_tx_ring *ring = &sc->txq[4];
 2784         struct iwn_tx_data *data;
 2785 
 2786         if ((desc->qid & 0xf) != 4)
 2787                 return; /* Not a command ack. */
 2788 
 2789         data = &ring->data[desc->idx];
 2790 
 2791         /* If the command was mapped in an mbuf, free it. */
 2792         if (data->m != NULL) {
 2793                 bus_dmamap_sync(ring->data_dmat, data->map,
 2794                     BUS_DMASYNC_POSTWRITE);
 2795                 bus_dmamap_unload(ring->data_dmat, data->map);
 2796                 m_freem(data->m);
 2797                 data->m = NULL;
 2798         }
 2799         wakeup(&ring->desc[desc->idx]);
 2800 }
 2801 
 2802 static void
 2803 iwn_ampdu_tx_done(struct iwn_softc *sc, int qid, int idx, int nframes,
 2804     void *stat)
 2805 {
 2806         struct iwn_ops *ops = &sc->ops;
 2807         struct ifnet *ifp = sc->sc_ifp;
 2808         struct iwn_tx_ring *ring = &sc->txq[qid];
 2809         struct iwn_tx_data *data;
 2810         struct mbuf *m;
 2811         struct iwn_node *wn;
 2812         struct ieee80211_node *ni;
 2813         struct ieee80211_tx_ampdu *tap;
 2814         uint64_t bitmap;
 2815         uint32_t *status = stat;
 2816         uint16_t *aggstatus = stat;
 2817         uint16_t ssn;
 2818         uint8_t tid;
 2819         int bit, i, lastidx, *res, seqno, shift, start;
 2820 
 2821 #ifdef NOT_YET
 2822         if (nframes == 1) {
 2823                 if ((*status & 0xff) != 1 && (*status & 0xff) != 2)
 2824                         printf("ieee80211_send_bar()\n");
 2825         }
 2826 #endif
 2827 
 2828         bitmap = 0;
 2829         start = idx;
 2830         for (i = 0; i < nframes; i++) {
 2831                 if (le16toh(aggstatus[i * 2]) & 0xc)
 2832                         continue;
 2833 
 2834                 idx = le16toh(aggstatus[2*i + 1]) & 0xff;
 2835                 bit = idx - start;
 2836                 shift = 0;
 2837                 if (bit >= 64) {
 2838                         shift = 0x100 - idx + start;
 2839                         bit = 0;
 2840                         start = idx;
 2841                 } else if (bit <= -64)
 2842                         bit = 0x100 - start + idx;
 2843                 else if (bit < 0) {
 2844                         shift = start - idx;
 2845                         start = idx;
 2846                         bit = 0;
 2847                 }
 2848                 bitmap = bitmap << shift;
 2849                 bitmap |= 1ULL << bit;
 2850         }
 2851         tap = sc->qid2tap[qid];
 2852         tid = WME_AC_TO_TID(tap->txa_ac);
 2853         wn = (void *)tap->txa_ni;
 2854         wn->agg[tid].bitmap = bitmap;
 2855         wn->agg[tid].startidx = start;
 2856         wn->agg[tid].nframes = nframes;
 2857 
 2858         res = NULL;
 2859         ssn = 0;
 2860         if (!IEEE80211_AMPDU_RUNNING(tap)) {
 2861                 res = tap->txa_private;
 2862                 ssn = tap->txa_start & 0xfff;
 2863         }
 2864 
 2865         seqno = le32toh(*(status + nframes)) & 0xfff;
 2866         for (lastidx = (seqno & 0xff); ring->read != lastidx;) {
 2867                 data = &ring->data[ring->read];
 2868 
 2869                 /* Unmap and free mbuf. */
 2870                 bus_dmamap_sync(ring->data_dmat, data->map,
 2871                     BUS_DMASYNC_POSTWRITE);
 2872                 bus_dmamap_unload(ring->data_dmat, data->map);
 2873                 m = data->m, data->m = NULL;
 2874                 ni = data->ni, data->ni = NULL;
 2875 
 2876                 KASSERT(ni != NULL, ("no node"));
 2877                 KASSERT(m != NULL, ("no mbuf"));
 2878 
 2879                 if (m->m_flags & M_TXCB)
 2880                         ieee80211_process_callback(ni, m, 1);
 2881 
 2882                 m_freem(m);
 2883                 ieee80211_free_node(ni);
 2884 
 2885                 ring->queued--;
 2886                 ring->read = (ring->read + 1) % IWN_TX_RING_COUNT;
 2887         }
 2888 
 2889         if (ring->queued == 0 && res != NULL) {
 2890                 iwn_nic_lock(sc);
 2891                 ops->ampdu_tx_stop(sc, qid, tid, ssn);
 2892                 iwn_nic_unlock(sc);
 2893                 sc->qid2tap[qid] = NULL;
 2894                 free(res, M_DEVBUF);
 2895                 return;
 2896         }
 2897 
 2898         sc->sc_tx_timer = 0;
 2899         if (ring->queued < IWN_TX_RING_LOMARK) {
 2900                 sc->qfullmsk &= ~(1 << ring->qid);
 2901                 if (sc->qfullmsk == 0 &&
 2902                     (ifp->if_drv_flags & IFF_DRV_OACTIVE)) {
 2903                         ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
 2904                         iwn_start_locked(ifp);
 2905                 }
 2906         }
 2907 }
 2908 
 2909 /*
 2910  * Process an INT_FH_RX or INT_SW_RX interrupt.
 2911  */
 2912 static void
 2913 iwn_notif_intr(struct iwn_softc *sc)
 2914 {
 2915         struct iwn_ops *ops = &sc->ops;
 2916         struct ifnet *ifp = sc->sc_ifp;
 2917         struct ieee80211com *ic = ifp->if_l2com;
 2918         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 2919         uint16_t hw;
 2920 
 2921         bus_dmamap_sync(sc->rxq.stat_dma.tag, sc->rxq.stat_dma.map,
 2922             BUS_DMASYNC_POSTREAD);
 2923 
 2924         hw = le16toh(sc->rxq.stat->closed_count) & 0xfff;
 2925         while (sc->rxq.cur != hw) {
 2926                 struct iwn_rx_data *data = &sc->rxq.data[sc->rxq.cur];
 2927                 struct iwn_rx_desc *desc;
 2928 
 2929                 bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 2930                     BUS_DMASYNC_POSTREAD);
 2931                 desc = mtod(data->m, struct iwn_rx_desc *);
 2932 
 2933                 DPRINTF(sc, IWN_DEBUG_RECV,
 2934                     "%s: qid %x idx %d flags %x type %d(%s) len %d\n",
 2935                     __func__, desc->qid & 0xf, desc->idx, desc->flags,
 2936                     desc->type, iwn_intr_str(desc->type),
 2937                     le16toh(desc->len));
 2938 
 2939                 if (!(desc->qid & 0x80))        /* Reply to a command. */
 2940                         iwn_cmd_done(sc, desc);
 2941 
 2942                 switch (desc->type) {
 2943                 case IWN_RX_PHY:
 2944                         iwn_rx_phy(sc, desc, data);
 2945                         break;
 2946 
 2947                 case IWN_RX_DONE:               /* 4965AGN only. */
 2948                 case IWN_MPDU_RX_DONE:
 2949                         /* An 802.11 frame has been received. */
 2950                         iwn_rx_done(sc, desc, data);
 2951                         break;
 2952 
 2953                 case IWN_RX_COMPRESSED_BA:
 2954                         /* A Compressed BlockAck has been received. */
 2955                         iwn_rx_compressed_ba(sc, desc, data);
 2956                         break;
 2957 
 2958                 case IWN_TX_DONE:
 2959                         /* An 802.11 frame has been transmitted. */
 2960                         ops->tx_done(sc, desc, data);
 2961                         break;
 2962 
 2963                 case IWN_RX_STATISTICS:
 2964                 case IWN_BEACON_STATISTICS:
 2965                         iwn_rx_statistics(sc, desc, data);
 2966                         break;
 2967 
 2968                 case IWN_BEACON_MISSED:
 2969                 {
 2970                         struct iwn_beacon_missed *miss =
 2971                             (struct iwn_beacon_missed *)(desc + 1);
 2972                         int misses;
 2973 
 2974                         bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 2975                             BUS_DMASYNC_POSTREAD);
 2976                         misses = le32toh(miss->consecutive);
 2977 
 2978                         DPRINTF(sc, IWN_DEBUG_STATE,
 2979                             "%s: beacons missed %d/%d\n", __func__,
 2980                             misses, le32toh(miss->total));
 2981                         /*
 2982                          * If more than 5 consecutive beacons are missed,
 2983                          * reinitialize the sensitivity state machine.
 2984                          */
 2985                         if (vap->iv_state == IEEE80211_S_RUN &&
 2986                             (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 2987                                 if (misses > 5)
 2988                                         (void)iwn_init_sensitivity(sc);
 2989                                 if (misses >= vap->iv_bmissthreshold) {
 2990                                         IWN_UNLOCK(sc);
 2991                                         ieee80211_beacon_miss(ic);
 2992                                         IWN_LOCK(sc);
 2993                                 }
 2994                         }
 2995                         break;
 2996                 }
 2997                 case IWN_UC_READY:
 2998                 {
 2999                         struct iwn_ucode_info *uc =
 3000                             (struct iwn_ucode_info *)(desc + 1);
 3001 
 3002                         /* The microcontroller is ready. */
 3003                         bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 3004                             BUS_DMASYNC_POSTREAD);
 3005                         DPRINTF(sc, IWN_DEBUG_RESET,
 3006                             "microcode alive notification version=%d.%d "
 3007                             "subtype=%x alive=%x\n", uc->major, uc->minor,
 3008                             uc->subtype, le32toh(uc->valid));
 3009 
 3010                         if (le32toh(uc->valid) != 1) {
 3011                                 device_printf(sc->sc_dev,
 3012                                     "microcontroller initialization failed");
 3013                                 break;
 3014                         }
 3015                         if (uc->subtype == IWN_UCODE_INIT) {
 3016                                 /* Save microcontroller report. */
 3017                                 memcpy(&sc->ucode_info, uc, sizeof (*uc));
 3018                         }
 3019                         /* Save the address of the error log in SRAM. */
 3020                         sc->errptr = le32toh(uc->errptr);
 3021                         break;
 3022                 }
 3023                 case IWN_STATE_CHANGED:
 3024                 {
 3025                         uint32_t *status = (uint32_t *)(desc + 1);
 3026 
 3027                         /*
 3028                          * State change allows hardware switch change to be
 3029                          * noted. However, we handle this in iwn_intr as we
 3030                          * get both the enable/disble intr.
 3031                          */
 3032                         bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 3033                             BUS_DMASYNC_POSTREAD);
 3034                         DPRINTF(sc, IWN_DEBUG_INTR, "state changed to %x\n",
 3035                             le32toh(*status));
 3036                         break;
 3037                 }
 3038                 case IWN_START_SCAN:
 3039                 {
 3040                         struct iwn_start_scan *scan =
 3041                             (struct iwn_start_scan *)(desc + 1);
 3042 
 3043                         bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 3044                             BUS_DMASYNC_POSTREAD);
 3045                         DPRINTF(sc, IWN_DEBUG_ANY,
 3046                             "%s: scanning channel %d status %x\n",
 3047                             __func__, scan->chan, le32toh(scan->status));
 3048                         break;
 3049                 }
 3050                 case IWN_STOP_SCAN:
 3051                 {
 3052                         struct iwn_stop_scan *scan =
 3053                             (struct iwn_stop_scan *)(desc + 1);
 3054 
 3055                         bus_dmamap_sync(sc->rxq.data_dmat, data->map,
 3056                             BUS_DMASYNC_POSTREAD);
 3057                         DPRINTF(sc, IWN_DEBUG_STATE,
 3058                             "scan finished nchan=%d status=%d chan=%d\n",
 3059                             scan->nchan, scan->status, scan->chan);
 3060 
 3061                         IWN_UNLOCK(sc);
 3062                         ieee80211_scan_next(vap);
 3063                         IWN_LOCK(sc);
 3064                         break;
 3065                 }
 3066                 case IWN5000_CALIBRATION_RESULT:
 3067                         iwn5000_rx_calib_results(sc, desc, data);
 3068                         break;
 3069 
 3070                 case IWN5000_CALIBRATION_DONE:
 3071                         sc->sc_flags |= IWN_FLAG_CALIB_DONE;
 3072                         wakeup(sc);
 3073                         break;
 3074                 }
 3075 
 3076                 sc->rxq.cur = (sc->rxq.cur + 1) % IWN_RX_RING_COUNT;
 3077         }
 3078 
 3079         /* Tell the firmware what we have processed. */
 3080         hw = (hw == 0) ? IWN_RX_RING_COUNT - 1 : hw - 1;
 3081         IWN_WRITE(sc, IWN_FH_RX_WPTR, hw & ~7);
 3082 }
 3083 
 3084 /*
 3085  * Process an INT_WAKEUP interrupt raised when the microcontroller wakes up
 3086  * from power-down sleep mode.
 3087  */
 3088 static void
 3089 iwn_wakeup_intr(struct iwn_softc *sc)
 3090 {
 3091         int qid;
 3092 
 3093         DPRINTF(sc, IWN_DEBUG_RESET, "%s: ucode wakeup from power-down sleep\n",
 3094             __func__);
 3095 
 3096         /* Wakeup RX and TX rings. */
 3097         IWN_WRITE(sc, IWN_FH_RX_WPTR, sc->rxq.cur & ~7);
 3098         for (qid = 0; qid < sc->ntxqs; qid++) {
 3099                 struct iwn_tx_ring *ring = &sc->txq[qid];
 3100                 IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | ring->cur);
 3101         }
 3102 }
 3103 
 3104 static void
 3105 iwn_rftoggle_intr(struct iwn_softc *sc)
 3106 {
 3107         struct ifnet *ifp = sc->sc_ifp;
 3108         struct ieee80211com *ic = ifp->if_l2com;
 3109         uint32_t tmp = IWN_READ(sc, IWN_GP_CNTRL);
 3110 
 3111         IWN_LOCK_ASSERT(sc);
 3112 
 3113         device_printf(sc->sc_dev, "RF switch: radio %s\n",
 3114             (tmp & IWN_GP_CNTRL_RFKILL) ? "enabled" : "disabled");
 3115         if (tmp & IWN_GP_CNTRL_RFKILL)
 3116                 ieee80211_runtask(ic, &sc->sc_radioon_task);
 3117         else
 3118                 ieee80211_runtask(ic, &sc->sc_radiooff_task);
 3119 }
 3120 
 3121 /*
 3122  * Dump the error log of the firmware when a firmware panic occurs.  Although
 3123  * we can't debug the firmware because it is neither open source nor free, it
 3124  * can help us to identify certain classes of problems.
 3125  */
 3126 static void
 3127 iwn_fatal_intr(struct iwn_softc *sc)
 3128 {
 3129         struct iwn_fw_dump dump;
 3130         int i;
 3131 
 3132         IWN_LOCK_ASSERT(sc);
 3133 
 3134         /* Force a complete recalibration on next init. */
 3135         sc->sc_flags &= ~IWN_FLAG_CALIB_DONE;
 3136 
 3137         /* Check that the error log address is valid. */
 3138         if (sc->errptr < IWN_FW_DATA_BASE ||
 3139             sc->errptr + sizeof (dump) >
 3140             IWN_FW_DATA_BASE + sc->fw_data_maxsz) {
 3141                 printf("%s: bad firmware error log address 0x%08x\n", __func__,
 3142                     sc->errptr);
 3143                 return;
 3144         }
 3145         if (iwn_nic_lock(sc) != 0) {
 3146                 printf("%s: could not read firmware error log\n", __func__);
 3147                 return;
 3148         }
 3149         /* Read firmware error log from SRAM. */
 3150         iwn_mem_read_region_4(sc, sc->errptr, (uint32_t *)&dump,
 3151             sizeof (dump) / sizeof (uint32_t));
 3152         iwn_nic_unlock(sc);
 3153 
 3154         if (dump.valid == 0) {
 3155                 printf("%s: firmware error log is empty\n", __func__);
 3156                 return;
 3157         }
 3158         printf("firmware error log:\n");
 3159         printf("  error type      = \"%s\" (0x%08X)\n",
 3160             (dump.id < nitems(iwn_fw_errmsg)) ?
 3161                 iwn_fw_errmsg[dump.id] : "UNKNOWN",
 3162             dump.id);
 3163         printf("  program counter = 0x%08X\n", dump.pc);
 3164         printf("  source line     = 0x%08X\n", dump.src_line);
 3165         printf("  error data      = 0x%08X%08X\n",
 3166             dump.error_data[0], dump.error_data[1]);
 3167         printf("  branch link     = 0x%08X%08X\n",
 3168             dump.branch_link[0], dump.branch_link[1]);
 3169         printf("  interrupt link  = 0x%08X%08X\n",
 3170             dump.interrupt_link[0], dump.interrupt_link[1]);
 3171         printf("  time            = %u\n", dump.time[0]);
 3172 
 3173         /* Dump driver status (TX and RX rings) while we're here. */
 3174         printf("driver status:\n");
 3175         for (i = 0; i < sc->ntxqs; i++) {
 3176                 struct iwn_tx_ring *ring = &sc->txq[i];
 3177                 printf("  tx ring %2d: qid=%-2d cur=%-3d queued=%-3d\n",
 3178                     i, ring->qid, ring->cur, ring->queued);
 3179         }
 3180         printf("  rx ring: cur=%d\n", sc->rxq.cur);
 3181 }
 3182 
 3183 static void
 3184 iwn_intr(void *arg)
 3185 {
 3186         struct iwn_softc *sc = arg;
 3187         struct ifnet *ifp = sc->sc_ifp;
 3188         uint32_t r1, r2, tmp;
 3189 
 3190         IWN_LOCK(sc);
 3191 
 3192         /* Disable interrupts. */
 3193         IWN_WRITE(sc, IWN_INT_MASK, 0);
 3194 
 3195         /* Read interrupts from ICT (fast) or from registers (slow). */
 3196         if (sc->sc_flags & IWN_FLAG_USE_ICT) {
 3197                 tmp = 0;
 3198                 while (sc->ict[sc->ict_cur] != 0) {
 3199                         tmp |= sc->ict[sc->ict_cur];
 3200                         sc->ict[sc->ict_cur] = 0;       /* Acknowledge. */
 3201                         sc->ict_cur = (sc->ict_cur + 1) % IWN_ICT_COUNT;
 3202                 }
 3203                 tmp = le32toh(tmp);
 3204                 if (tmp == 0xffffffff)  /* Shouldn't happen. */
 3205                         tmp = 0;
 3206                 else if (tmp & 0xc0000) /* Workaround a HW bug. */
 3207                         tmp |= 0x8000;
 3208                 r1 = (tmp & 0xff00) << 16 | (tmp & 0xff);
 3209                 r2 = 0; /* Unused. */
 3210         } else {
 3211                 r1 = IWN_READ(sc, IWN_INT);
 3212                 if (r1 == 0xffffffff || (r1 & 0xfffffff0) == 0xa5a5a5a0)
 3213                         return; /* Hardware gone! */
 3214                 r2 = IWN_READ(sc, IWN_FH_INT);
 3215         }
 3216 
 3217         DPRINTF(sc, IWN_DEBUG_INTR, "interrupt reg1=%x reg2=%x\n", r1, r2);
 3218 
 3219         if (r1 == 0 && r2 == 0)
 3220                 goto done;      /* Interrupt not for us. */
 3221 
 3222         /* Acknowledge interrupts. */
 3223         IWN_WRITE(sc, IWN_INT, r1);
 3224         if (!(sc->sc_flags & IWN_FLAG_USE_ICT))
 3225                 IWN_WRITE(sc, IWN_FH_INT, r2);
 3226 
 3227         if (r1 & IWN_INT_RF_TOGGLED) {
 3228                 iwn_rftoggle_intr(sc);
 3229                 goto done;
 3230         }
 3231         if (r1 & IWN_INT_CT_REACHED) {
 3232                 device_printf(sc->sc_dev, "%s: critical temperature reached!\n",
 3233                     __func__);
 3234         }
 3235         if (r1 & (IWN_INT_SW_ERR | IWN_INT_HW_ERR)) {
 3236                 device_printf(sc->sc_dev, "%s: fatal firmware error\n",
 3237                     __func__);
 3238                 /* Dump firmware error log and stop. */
 3239                 iwn_fatal_intr(sc);
 3240                 ifp->if_flags &= ~IFF_UP;
 3241                 iwn_stop_locked(sc);
 3242                 goto done;
 3243         }
 3244         if ((r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX | IWN_INT_RX_PERIODIC)) ||
 3245             (r2 & IWN_FH_INT_RX)) {
 3246                 if (sc->sc_flags & IWN_FLAG_USE_ICT) {
 3247                         if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX))
 3248                                 IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_RX);
 3249                         IWN_WRITE_1(sc, IWN_INT_PERIODIC,
 3250                             IWN_INT_PERIODIC_DIS);
 3251                         iwn_notif_intr(sc);
 3252                         if (r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX)) {
 3253                                 IWN_WRITE_1(sc, IWN_INT_PERIODIC,
 3254                                     IWN_INT_PERIODIC_ENA);
 3255                         }
 3256                 } else
 3257                         iwn_notif_intr(sc);
 3258         }
 3259 
 3260         if ((r1 & IWN_INT_FH_TX) || (r2 & IWN_FH_INT_TX)) {
 3261                 if (sc->sc_flags & IWN_FLAG_USE_ICT)
 3262                         IWN_WRITE(sc, IWN_FH_INT, IWN_FH_INT_TX);
 3263                 wakeup(sc);     /* FH DMA transfer completed. */
 3264         }
 3265 
 3266         if (r1 & IWN_INT_ALIVE)
 3267                 wakeup(sc);     /* Firmware is alive. */
 3268 
 3269         if (r1 & IWN_INT_WAKEUP)
 3270                 iwn_wakeup_intr(sc);
 3271 
 3272 done:
 3273         /* Re-enable interrupts. */
 3274         if (ifp->if_flags & IFF_UP)
 3275                 IWN_WRITE(sc, IWN_INT_MASK, sc->int_mask);
 3276 
 3277         IWN_UNLOCK(sc);
 3278 }
 3279 
 3280 /*
 3281  * Update TX scheduler ring when transmitting an 802.11 frame (4965AGN and
 3282  * 5000 adapters use a slightly different format).
 3283  */
 3284 static void
 3285 iwn4965_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
 3286     uint16_t len)
 3287 {
 3288         uint16_t *w = &sc->sched[qid * IWN4965_SCHED_COUNT + idx];
 3289 
 3290         *w = htole16(len + 8);
 3291         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3292             BUS_DMASYNC_PREWRITE);
 3293         if (idx < IWN_SCHED_WINSZ) {
 3294                 *(w + IWN_TX_RING_COUNT) = *w;
 3295                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3296                     BUS_DMASYNC_PREWRITE);
 3297         }
 3298 }
 3299 
 3300 static void
 3301 iwn5000_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
 3302     uint16_t len)
 3303 {
 3304         uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
 3305 
 3306         *w = htole16(id << 12 | (len + 8));
 3307         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3308             BUS_DMASYNC_PREWRITE);
 3309         if (idx < IWN_SCHED_WINSZ) {
 3310                 *(w + IWN_TX_RING_COUNT) = *w;
 3311                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3312                     BUS_DMASYNC_PREWRITE);
 3313         }
 3314 }
 3315 
 3316 #ifdef notyet
 3317 static void
 3318 iwn5000_reset_sched(struct iwn_softc *sc, int qid, int idx)
 3319 {
 3320         uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
 3321 
 3322         *w = (*w & htole16(0xf000)) | htole16(1);
 3323         bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3324             BUS_DMASYNC_PREWRITE);
 3325         if (idx < IWN_SCHED_WINSZ) {
 3326                 *(w + IWN_TX_RING_COUNT) = *w;
 3327                 bus_dmamap_sync(sc->sched_dma.tag, sc->sched_dma.map,
 3328                     BUS_DMASYNC_PREWRITE);
 3329         }
 3330 }
 3331 #endif
 3332 
 3333 static int
 3334 iwn_tx_data(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
 3335 {
 3336         struct iwn_ops *ops = &sc->ops;
 3337         const struct ieee80211_txparam *tp;
 3338         struct ieee80211vap *vap = ni->ni_vap;
 3339         struct ieee80211com *ic = ni->ni_ic;
 3340         struct iwn_node *wn = (void *)ni;
 3341         struct iwn_tx_ring *ring;
 3342         struct iwn_tx_desc *desc;
 3343         struct iwn_tx_data *data;
 3344         struct iwn_tx_cmd *cmd;
 3345         struct iwn_cmd_data *tx;
 3346         struct ieee80211_frame *wh;
 3347         struct ieee80211_key *k = NULL;
 3348         struct mbuf *m1;
 3349         uint32_t flags;
 3350         uint16_t qos;
 3351         u_int hdrlen;
 3352         bus_dma_segment_t *seg, segs[IWN_MAX_SCATTER];
 3353         uint8_t tid, ridx, txant, type;
 3354         int ac, i, totlen, error, pad, nsegs = 0, rate;
 3355 
 3356         IWN_LOCK_ASSERT(sc);
 3357 
 3358         wh = mtod(m, struct ieee80211_frame *);
 3359         hdrlen = ieee80211_anyhdrsize(wh);
 3360         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 3361 
 3362         /* Select EDCA Access Category and TX ring for this frame. */
 3363         if (IEEE80211_QOS_HAS_SEQ(wh)) {
 3364                 qos = ((const struct ieee80211_qosframe *)wh)->i_qos[0];
 3365                 tid = qos & IEEE80211_QOS_TID;
 3366         } else {
 3367                 qos = 0;
 3368                 tid = 0;
 3369         }
 3370         ac = M_WME_GETAC(m);
 3371         if (m->m_flags & M_AMPDU_MPDU) {
 3372                 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
 3373 
 3374                 if (!IEEE80211_AMPDU_RUNNING(tap)) {
 3375                         m_freem(m);
 3376                         return EINVAL;
 3377                 }
 3378 
 3379                 ac = *(int *)tap->txa_private;
 3380                 *(uint16_t *)wh->i_seq =
 3381                     htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
 3382                 ni->ni_txseqs[tid]++;
 3383         }
 3384         ring = &sc->txq[ac];
 3385         desc = &ring->desc[ring->cur];
 3386         data = &ring->data[ring->cur];
 3387 
 3388         /* Choose a TX rate index. */
 3389         tp = &vap->iv_txparms[ieee80211_chan2mode(ni->ni_chan)];
 3390         if (type == IEEE80211_FC0_TYPE_MGT)
 3391                 rate = tp->mgmtrate;
 3392         else if (IEEE80211_IS_MULTICAST(wh->i_addr1))
 3393                 rate = tp->mcastrate;
 3394         else if (tp->ucastrate != IEEE80211_FIXED_RATE_NONE)
 3395                 rate = tp->ucastrate;
 3396         else {
 3397                 /* XXX pass pktlen */
 3398                 (void) ieee80211_ratectl_rate(ni, NULL, 0);
 3399                 rate = ni->ni_txrate;
 3400         }
 3401         ridx = ic->ic_rt->rateCodeToIndex[rate];
 3402 
 3403         /* Encrypt the frame if need be. */
 3404         if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
 3405                 /* Retrieve key for TX. */
 3406                 k = ieee80211_crypto_encap(ni, m);
 3407                 if (k == NULL) {
 3408                         m_freem(m);
 3409                         return ENOBUFS;
 3410                 }
 3411                 /* 802.11 header may have moved. */
 3412                 wh = mtod(m, struct ieee80211_frame *);
 3413         }
 3414         totlen = m->m_pkthdr.len;
 3415 
 3416         if (ieee80211_radiotap_active_vap(vap)) {
 3417                 struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
 3418 
 3419                 tap->wt_flags = 0;
 3420                 tap->wt_rate = rate;
 3421                 if (k != NULL)
 3422                         tap->wt_flags |= IEEE80211_RADIOTAP_F_WEP;
 3423 
 3424                 ieee80211_radiotap_tx(vap, m);
 3425         }
 3426 
 3427         /* Prepare TX firmware command. */
 3428         cmd = &ring->cmd[ring->cur];
 3429         cmd->code = IWN_CMD_TX_DATA;
 3430         cmd->flags = 0;
 3431         cmd->qid = ring->qid;
 3432         cmd->idx = ring->cur;
 3433 
 3434         tx = (struct iwn_cmd_data *)cmd->data;
 3435         /* NB: No need to clear tx, all fields are reinitialized here. */
 3436         tx->scratch = 0;        /* clear "scratch" area */
 3437 
 3438         flags = 0;
 3439         if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 3440                 /* Unicast frame, check if an ACK is expected. */
 3441                 if (!qos || (qos & IEEE80211_QOS_ACKPOLICY) !=
 3442                     IEEE80211_QOS_ACKPOLICY_NOACK)
 3443                         flags |= IWN_TX_NEED_ACK;
 3444         }
 3445         if ((wh->i_fc[0] &
 3446             (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
 3447             (IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_BAR))
 3448                 flags |= IWN_TX_IMM_BA;         /* Cannot happen yet. */
 3449 
 3450         if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
 3451                 flags |= IWN_TX_MORE_FRAG;      /* Cannot happen yet. */
 3452 
 3453         /* Check if frame must be protected using RTS/CTS or CTS-to-self. */
 3454         if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 3455                 /* NB: Group frames are sent using CCK in 802.11b/g. */
 3456                 if (totlen + IEEE80211_CRC_LEN > vap->iv_rtsthreshold) {
 3457                         flags |= IWN_TX_NEED_RTS;
 3458                 } else if ((ic->ic_flags & IEEE80211_F_USEPROT) &&
 3459                     ridx >= IWN_RIDX_OFDM6) {
 3460                         if (ic->ic_protmode == IEEE80211_PROT_CTSONLY)
 3461                                 flags |= IWN_TX_NEED_CTS;
 3462                         else if (ic->ic_protmode == IEEE80211_PROT_RTSCTS)
 3463                                 flags |= IWN_TX_NEED_RTS;
 3464                 }
 3465                 if (flags & (IWN_TX_NEED_RTS | IWN_TX_NEED_CTS)) {
 3466                         if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 3467                                 /* 5000 autoselects RTS/CTS or CTS-to-self. */
 3468                                 flags &= ~(IWN_TX_NEED_RTS | IWN_TX_NEED_CTS);
 3469                                 flags |= IWN_TX_NEED_PROTECTION;
 3470                         } else
 3471                                 flags |= IWN_TX_FULL_TXOP;
 3472                 }
 3473         }
 3474 
 3475         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
 3476             type != IEEE80211_FC0_TYPE_DATA)
 3477                 tx->id = sc->broadcast_id;
 3478         else
 3479                 tx->id = wn->id;
 3480 
 3481         if (type == IEEE80211_FC0_TYPE_MGT) {
 3482                 uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 3483 
 3484                 /* Tell HW to set timestamp in probe responses. */
 3485                 if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
 3486                         flags |= IWN_TX_INSERT_TSTAMP;
 3487                 if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
 3488                     subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
 3489                         tx->timeout = htole16(3);
 3490                 else
 3491                         tx->timeout = htole16(2);
 3492         } else
 3493                 tx->timeout = htole16(0);
 3494 
 3495         if (hdrlen & 3) {
 3496                 /* First segment length must be a multiple of 4. */
 3497                 flags |= IWN_TX_NEED_PADDING;
 3498                 pad = 4 - (hdrlen & 3);
 3499         } else
 3500                 pad = 0;
 3501 
 3502         tx->len = htole16(totlen);
 3503         tx->tid = tid;
 3504         tx->rts_ntries = 60;
 3505         tx->data_ntries = 15;
 3506         tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
 3507         tx->rate = wn->ridx[rate];
 3508         if (tx->id == sc->broadcast_id) {
 3509                 /* Group or management frame. */
 3510                 tx->linkq = 0;
 3511                 /* XXX Alternate between antenna A and B? */
 3512                 txant = IWN_LSB(sc->txchainmask);
 3513                 tx->rate |= htole32(IWN_RFLAG_ANT(txant));
 3514         } else {
 3515                 tx->linkq = ni->ni_rates.rs_nrates - ridx - 1;
 3516                 flags |= IWN_TX_LINKQ;  /* enable MRR */
 3517         }
 3518         /* Set physical address of "scratch area". */
 3519         tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
 3520         tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
 3521 
 3522         /* Copy 802.11 header in TX command. */
 3523         memcpy((uint8_t *)(tx + 1), wh, hdrlen);
 3524 
 3525         /* Trim 802.11 header. */
 3526         m_adj(m, hdrlen);
 3527         tx->security = 0;
 3528         tx->flags = htole32(flags);
 3529 
 3530         error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m, segs,
 3531             &nsegs, BUS_DMA_NOWAIT);
 3532         if (error != 0) {
 3533                 if (error != EFBIG) {
 3534                         device_printf(sc->sc_dev,
 3535                             "%s: can't map mbuf (error %d)\n", __func__, error);
 3536                         m_freem(m);
 3537                         return error;
 3538                 }
 3539                 /* Too many DMA segments, linearize mbuf. */
 3540                 m1 = m_collapse(m, M_DONTWAIT, IWN_MAX_SCATTER);
 3541                 if (m1 == NULL) {
 3542                         device_printf(sc->sc_dev,
 3543                             "%s: could not defrag mbuf\n", __func__);
 3544                         m_freem(m);
 3545                         return ENOBUFS;
 3546                 }
 3547                 m = m1;
 3548 
 3549                 error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
 3550                     segs, &nsegs, BUS_DMA_NOWAIT);
 3551                 if (error != 0) {
 3552                         device_printf(sc->sc_dev,
 3553                             "%s: can't map mbuf (error %d)\n", __func__, error);
 3554                         m_freem(m);
 3555                         return error;
 3556                 }
 3557         }
 3558 
 3559         data->m = m;
 3560         data->ni = ni;
 3561 
 3562         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: qid %d idx %d len %d nsegs %d\n",
 3563             __func__, ring->qid, ring->cur, m->m_pkthdr.len, nsegs);
 3564 
 3565         /* Fill TX descriptor. */
 3566         desc->nsegs = 1;
 3567         if (m->m_len != 0)
 3568                 desc->nsegs += nsegs;
 3569         /* First DMA segment is used by the TX command. */
 3570         desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
 3571         desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
 3572             (4 + sizeof (*tx) + hdrlen + pad) << 4);
 3573         /* Other DMA segments are for data payload. */
 3574         seg = &segs[0];
 3575         for (i = 1; i <= nsegs; i++) {
 3576                 desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
 3577                 desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
 3578                     seg->ds_len << 4);
 3579                 seg++;
 3580         }
 3581 
 3582         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE);
 3583         bus_dmamap_sync(ring->data_dmat, ring->cmd_dma.map,
 3584             BUS_DMASYNC_PREWRITE);
 3585         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 3586             BUS_DMASYNC_PREWRITE);
 3587 
 3588         /* Update TX scheduler. */
 3589         if (ring->qid >= sc->firstaggqueue)
 3590                 ops->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
 3591 
 3592         /* Kick TX ring. */
 3593         ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
 3594         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 3595 
 3596         /* Mark TX ring as full if we reach a certain threshold. */
 3597         if (++ring->queued > IWN_TX_RING_HIMARK)
 3598                 sc->qfullmsk |= 1 << ring->qid;
 3599 
 3600         return 0;
 3601 }
 3602 
 3603 static int
 3604 iwn_tx_data_raw(struct iwn_softc *sc, struct mbuf *m,
 3605     struct ieee80211_node *ni, const struct ieee80211_bpf_params *params)
 3606 {
 3607         struct iwn_ops *ops = &sc->ops;
 3608         struct ifnet *ifp = sc->sc_ifp;
 3609         struct ieee80211vap *vap = ni->ni_vap;
 3610         struct ieee80211com *ic = ifp->if_l2com;
 3611         struct iwn_tx_cmd *cmd;
 3612         struct iwn_cmd_data *tx;
 3613         struct ieee80211_frame *wh;
 3614         struct iwn_tx_ring *ring;
 3615         struct iwn_tx_desc *desc;
 3616         struct iwn_tx_data *data;
 3617         struct mbuf *m1;
 3618         bus_dma_segment_t *seg, segs[IWN_MAX_SCATTER];
 3619         uint32_t flags;
 3620         u_int hdrlen;
 3621         int ac, totlen, error, pad, nsegs = 0, i, rate;
 3622         uint8_t ridx, type, txant;
 3623 
 3624         IWN_LOCK_ASSERT(sc);
 3625 
 3626         wh = mtod(m, struct ieee80211_frame *);
 3627         hdrlen = ieee80211_anyhdrsize(wh);
 3628         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 3629 
 3630         ac = params->ibp_pri & 3;
 3631 
 3632         ring = &sc->txq[ac];
 3633         desc = &ring->desc[ring->cur];
 3634         data = &ring->data[ring->cur];
 3635 
 3636         /* Choose a TX rate index. */
 3637         rate = params->ibp_rate0;
 3638         ridx = ic->ic_rt->rateCodeToIndex[rate];
 3639         if (ridx == (uint8_t)-1) {
 3640                 /* XXX fall back to mcast/mgmt rate? */
 3641                 m_freem(m);
 3642                 return EINVAL;
 3643         }
 3644 
 3645         totlen = m->m_pkthdr.len;
 3646 
 3647         /* Prepare TX firmware command. */
 3648         cmd = &ring->cmd[ring->cur];
 3649         cmd->code = IWN_CMD_TX_DATA;
 3650         cmd->flags = 0;
 3651         cmd->qid = ring->qid;
 3652         cmd->idx = ring->cur;
 3653 
 3654         tx = (struct iwn_cmd_data *)cmd->data;
 3655         /* NB: No need to clear tx, all fields are reinitialized here. */
 3656         tx->scratch = 0;        /* clear "scratch" area */
 3657 
 3658         flags = 0;
 3659         if ((params->ibp_flags & IEEE80211_BPF_NOACK) == 0)
 3660                 flags |= IWN_TX_NEED_ACK;
 3661         if (params->ibp_flags & IEEE80211_BPF_RTS) {
 3662                 if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 3663                         /* 5000 autoselects RTS/CTS or CTS-to-self. */
 3664                         flags &= ~IWN_TX_NEED_RTS;
 3665                         flags |= IWN_TX_NEED_PROTECTION;
 3666                 } else
 3667                         flags |= IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP;
 3668         }
 3669         if (params->ibp_flags & IEEE80211_BPF_CTS) {
 3670                 if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 3671                         /* 5000 autoselects RTS/CTS or CTS-to-self. */
 3672                         flags &= ~IWN_TX_NEED_CTS;
 3673                         flags |= IWN_TX_NEED_PROTECTION;
 3674                 } else
 3675                         flags |= IWN_TX_NEED_CTS | IWN_TX_FULL_TXOP;
 3676         }
 3677         if (type == IEEE80211_FC0_TYPE_MGT) {
 3678                 uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 3679 
 3680                 /* Tell HW to set timestamp in probe responses. */
 3681                 if (subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
 3682                         flags |= IWN_TX_INSERT_TSTAMP;
 3683 
 3684                 if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
 3685                     subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
 3686                         tx->timeout = htole16(3);
 3687                 else
 3688                         tx->timeout = htole16(2);
 3689         } else
 3690                 tx->timeout = htole16(0);
 3691 
 3692         if (hdrlen & 3) {
 3693                 /* First segment length must be a multiple of 4. */
 3694                 flags |= IWN_TX_NEED_PADDING;
 3695                 pad = 4 - (hdrlen & 3);
 3696         } else
 3697                 pad = 0;
 3698 
 3699         if (ieee80211_radiotap_active_vap(vap)) {
 3700                 struct iwn_tx_radiotap_header *tap = &sc->sc_txtap;
 3701 
 3702                 tap->wt_flags = 0;
 3703                 tap->wt_rate = rate;
 3704 
 3705                 ieee80211_radiotap_tx(vap, m);
 3706         }
 3707 
 3708         tx->len = htole16(totlen);
 3709         tx->tid = 0;
 3710         tx->id = sc->broadcast_id;
 3711         tx->rts_ntries = params->ibp_try1;
 3712         tx->data_ntries = params->ibp_try0;
 3713         tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
 3714         tx->rate = htole32(rate2plcp(rate));
 3715         if (ridx < IWN_RIDX_OFDM6 &&
 3716             IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
 3717                 tx->rate |= htole32(IWN_RFLAG_CCK);
 3718         /* Group or management frame. */
 3719         tx->linkq = 0;
 3720         txant = IWN_LSB(sc->txchainmask);
 3721         tx->rate |= htole32(IWN_RFLAG_ANT(txant));
 3722         /* Set physical address of "scratch area". */
 3723         tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
 3724         tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
 3725 
 3726         /* Copy 802.11 header in TX command. */
 3727         memcpy((uint8_t *)(tx + 1), wh, hdrlen);
 3728 
 3729         /* Trim 802.11 header. */
 3730         m_adj(m, hdrlen);
 3731         tx->security = 0;
 3732         tx->flags = htole32(flags);
 3733 
 3734         error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m, segs,
 3735             &nsegs, BUS_DMA_NOWAIT);
 3736         if (error != 0) {
 3737                 if (error != EFBIG) {
 3738                         device_printf(sc->sc_dev,
 3739                             "%s: can't map mbuf (error %d)\n", __func__, error);
 3740                         m_freem(m);
 3741                         return error;
 3742                 }
 3743                 /* Too many DMA segments, linearize mbuf. */
 3744                 m1 = m_collapse(m, M_DONTWAIT, IWN_MAX_SCATTER);
 3745                 if (m1 == NULL) {
 3746                         device_printf(sc->sc_dev,
 3747                             "%s: could not defrag mbuf\n", __func__);
 3748                         m_freem(m);
 3749                         return ENOBUFS;
 3750                 }
 3751                 m = m1;
 3752 
 3753                 error = bus_dmamap_load_mbuf_sg(ring->data_dmat, data->map, m,
 3754                     segs, &nsegs, BUS_DMA_NOWAIT);
 3755                 if (error != 0) {
 3756                         device_printf(sc->sc_dev,
 3757                             "%s: can't map mbuf (error %d)\n", __func__, error);
 3758                         m_freem(m);
 3759                         return error;
 3760                 }
 3761         }
 3762 
 3763         data->m = m;
 3764         data->ni = ni;
 3765 
 3766         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: qid %d idx %d len %d nsegs %d\n",
 3767             __func__, ring->qid, ring->cur, m->m_pkthdr.len, nsegs);
 3768 
 3769         /* Fill TX descriptor. */
 3770         desc->nsegs = 1;
 3771         if (m->m_len != 0)
 3772                 desc->nsegs += nsegs;
 3773         /* First DMA segment is used by the TX command. */
 3774         desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
 3775         desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
 3776             (4 + sizeof (*tx) + hdrlen + pad) << 4);
 3777         /* Other DMA segments are for data payload. */
 3778         seg = &segs[0];
 3779         for (i = 1; i <= nsegs; i++) {
 3780                 desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
 3781                 desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
 3782                     seg->ds_len << 4);
 3783                 seg++;
 3784         }
 3785 
 3786         bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE);
 3787         bus_dmamap_sync(ring->data_dmat, ring->cmd_dma.map,
 3788             BUS_DMASYNC_PREWRITE);
 3789         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 3790             BUS_DMASYNC_PREWRITE);
 3791 
 3792         /* Update TX scheduler. */
 3793         if (ring->qid >= sc->firstaggqueue)
 3794                 ops->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
 3795 
 3796         /* Kick TX ring. */
 3797         ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
 3798         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 3799 
 3800         /* Mark TX ring as full if we reach a certain threshold. */
 3801         if (++ring->queued > IWN_TX_RING_HIMARK)
 3802                 sc->qfullmsk |= 1 << ring->qid;
 3803 
 3804         return 0;
 3805 }
 3806 
 3807 static int
 3808 iwn_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
 3809     const struct ieee80211_bpf_params *params)
 3810 {
 3811         struct ieee80211com *ic = ni->ni_ic;
 3812         struct ifnet *ifp = ic->ic_ifp;
 3813         struct iwn_softc *sc = ifp->if_softc;
 3814         int error = 0;
 3815 
 3816         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
 3817                 ieee80211_free_node(ni);
 3818                 m_freem(m);
 3819                 return ENETDOWN;
 3820         }
 3821 
 3822         IWN_LOCK(sc);
 3823         if (params == NULL) {
 3824                 /*
 3825                  * Legacy path; interpret frame contents to decide
 3826                  * precisely how to send the frame.
 3827                  */
 3828                 error = iwn_tx_data(sc, m, ni);
 3829         } else {
 3830                 /*
 3831                  * Caller supplied explicit parameters to use in
 3832                  * sending the frame.
 3833                  */
 3834                 error = iwn_tx_data_raw(sc, m, ni, params);
 3835         }
 3836         if (error != 0) {
 3837                 /* NB: m is reclaimed on tx failure */
 3838                 ieee80211_free_node(ni);
 3839                 ifp->if_oerrors++;
 3840         }
 3841         sc->sc_tx_timer = 5;
 3842 
 3843         IWN_UNLOCK(sc);
 3844         return error;
 3845 }
 3846 
 3847 static void
 3848 iwn_start(struct ifnet *ifp)
 3849 {
 3850         struct iwn_softc *sc = ifp->if_softc;
 3851 
 3852         IWN_LOCK(sc);
 3853         iwn_start_locked(ifp);
 3854         IWN_UNLOCK(sc);
 3855 }
 3856 
 3857 static void
 3858 iwn_start_locked(struct ifnet *ifp)
 3859 {
 3860         struct iwn_softc *sc = ifp->if_softc;
 3861         struct ieee80211_node *ni;
 3862         struct mbuf *m;
 3863 
 3864         IWN_LOCK_ASSERT(sc);
 3865 
 3866         if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
 3867             (ifp->if_drv_flags & IFF_DRV_OACTIVE))
 3868                 return;
 3869 
 3870         for (;;) {
 3871                 if (sc->qfullmsk != 0) {
 3872                         ifp->if_drv_flags |= IFF_DRV_OACTIVE;
 3873                         break;
 3874                 }
 3875                 IFQ_DRV_DEQUEUE(&ifp->if_snd, m);
 3876                 if (m == NULL)
 3877                         break;
 3878                 ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
 3879                 if (iwn_tx_data(sc, m, ni) != 0) {
 3880                         ieee80211_free_node(ni);
 3881                         ifp->if_oerrors++;
 3882                         continue;
 3883                 }
 3884                 sc->sc_tx_timer = 5;
 3885         }
 3886 }
 3887 
 3888 static void
 3889 iwn_watchdog(void *arg)
 3890 {
 3891         struct iwn_softc *sc = arg;
 3892         struct ifnet *ifp = sc->sc_ifp;
 3893         struct ieee80211com *ic = ifp->if_l2com;
 3894 
 3895         IWN_LOCK_ASSERT(sc);
 3896 
 3897         KASSERT(ifp->if_drv_flags & IFF_DRV_RUNNING, ("not running"));
 3898 
 3899         if (sc->sc_tx_timer > 0) {
 3900                 if (--sc->sc_tx_timer == 0) {
 3901                         if_printf(ifp, "device timeout\n");
 3902                         ieee80211_runtask(ic, &sc->sc_reinit_task);
 3903                         return;
 3904                 }
 3905         }
 3906         callout_reset(&sc->watchdog_to, hz, iwn_watchdog, sc);
 3907 }
 3908 
 3909 static int
 3910 iwn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 3911 {
 3912         struct iwn_softc *sc = ifp->if_softc;
 3913         struct ieee80211com *ic = ifp->if_l2com;
 3914         struct ieee80211vap *vap = TAILQ_FIRST(&ic->ic_vaps);
 3915         struct ifreq *ifr = (struct ifreq *) data;
 3916         int error = 0, startall = 0, stop = 0;
 3917 
 3918         switch (cmd) {
 3919         case SIOCGIFADDR:
 3920                 error = ether_ioctl(ifp, cmd, data);
 3921                 break;
 3922         case SIOCSIFFLAGS:
 3923                 IWN_LOCK(sc);
 3924                 if (ifp->if_flags & IFF_UP) {
 3925                         if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
 3926                                 iwn_init_locked(sc);
 3927                                 if (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL)
 3928                                         startall = 1;
 3929                                 else
 3930                                         stop = 1;
 3931                         }
 3932                 } else {
 3933                         if (ifp->if_drv_flags & IFF_DRV_RUNNING)
 3934                                 iwn_stop_locked(sc);
 3935                 }
 3936                 IWN_UNLOCK(sc);
 3937                 if (startall)
 3938                         ieee80211_start_all(ic);
 3939                 else if (vap != NULL && stop)
 3940                         ieee80211_stop(vap);
 3941                 break;
 3942         case SIOCGIFMEDIA:
 3943                 error = ifmedia_ioctl(ifp, ifr, &ic->ic_media, cmd);
 3944                 break;
 3945         default:
 3946                 error = EINVAL;
 3947                 break;
 3948         }
 3949         return error;
 3950 }
 3951 
 3952 /*
 3953  * Send a command to the firmware.
 3954  */
 3955 static int
 3956 iwn_cmd(struct iwn_softc *sc, int code, const void *buf, int size, int async)
 3957 {
 3958         struct iwn_tx_ring *ring = &sc->txq[4];
 3959         struct iwn_tx_desc *desc;
 3960         struct iwn_tx_data *data;
 3961         struct iwn_tx_cmd *cmd;
 3962         struct mbuf *m;
 3963         bus_addr_t paddr;
 3964         int totlen, error;
 3965 
 3966         if (async == 0)
 3967                 IWN_LOCK_ASSERT(sc);
 3968 
 3969         desc = &ring->desc[ring->cur];
 3970         data = &ring->data[ring->cur];
 3971         totlen = 4 + size;
 3972 
 3973         if (size > sizeof cmd->data) {
 3974                 /* Command is too large to fit in a descriptor. */
 3975                 if (totlen > MCLBYTES)
 3976                         return EINVAL;
 3977                 m = m_getjcl(M_DONTWAIT, MT_DATA, M_PKTHDR, MJUMPAGESIZE);
 3978                 if (m == NULL)
 3979                         return ENOMEM;
 3980                 cmd = mtod(m, struct iwn_tx_cmd *);
 3981                 error = bus_dmamap_load(ring->data_dmat, data->map, cmd,
 3982                     totlen, iwn_dma_map_addr, &paddr, BUS_DMA_NOWAIT);
 3983                 if (error != 0) {
 3984                         m_freem(m);
 3985                         return error;
 3986                 }
 3987                 data->m = m;
 3988         } else {
 3989                 cmd = &ring->cmd[ring->cur];
 3990                 paddr = data->cmd_paddr;
 3991         }
 3992 
 3993         cmd->code = code;
 3994         cmd->flags = 0;
 3995         cmd->qid = ring->qid;
 3996         cmd->idx = ring->cur;
 3997         memcpy(cmd->data, buf, size);
 3998 
 3999         desc->nsegs = 1;
 4000         desc->segs[0].addr = htole32(IWN_LOADDR(paddr));
 4001         desc->segs[0].len  = htole16(IWN_HIADDR(paddr) | totlen << 4);
 4002 
 4003         DPRINTF(sc, IWN_DEBUG_CMD, "%s: %s (0x%x) flags %d qid %d idx %d\n",
 4004             __func__, iwn_intr_str(cmd->code), cmd->code,
 4005             cmd->flags, cmd->qid, cmd->idx);
 4006 
 4007         if (size > sizeof cmd->data) {
 4008                 bus_dmamap_sync(ring->data_dmat, data->map,
 4009                     BUS_DMASYNC_PREWRITE);
 4010         } else {
 4011                 bus_dmamap_sync(ring->data_dmat, ring->cmd_dma.map,
 4012                     BUS_DMASYNC_PREWRITE);
 4013         }
 4014         bus_dmamap_sync(ring->desc_dma.tag, ring->desc_dma.map,
 4015             BUS_DMASYNC_PREWRITE);
 4016 
 4017         /* Kick command ring. */
 4018         ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
 4019         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 4020 
 4021         return async ? 0 : msleep(desc, &sc->sc_mtx, PCATCH, "iwncmd", hz);
 4022 }
 4023 
 4024 static int
 4025 iwn4965_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
 4026 {
 4027         struct iwn4965_node_info hnode;
 4028         caddr_t src, dst;
 4029 
 4030         /*
 4031          * We use the node structure for 5000 Series internally (it is
 4032          * a superset of the one for 4965AGN). We thus copy the common
 4033          * fields before sending the command.
 4034          */
 4035         src = (caddr_t)node;
 4036         dst = (caddr_t)&hnode;
 4037         memcpy(dst, src, 48);
 4038         /* Skip TSC, RX MIC and TX MIC fields from ``src''. */
 4039         memcpy(dst + 48, src + 72, 20);
 4040         return iwn_cmd(sc, IWN_CMD_ADD_NODE, &hnode, sizeof hnode, async);
 4041 }
 4042 
 4043 static int
 4044 iwn5000_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
 4045 {
 4046         /* Direct mapping. */
 4047         return iwn_cmd(sc, IWN_CMD_ADD_NODE, node, sizeof (*node), async);
 4048 }
 4049 
 4050 static int
 4051 iwn_set_link_quality(struct iwn_softc *sc, struct ieee80211_node *ni)
 4052 {
 4053 #define RV(v)   ((v) & IEEE80211_RATE_VAL)
 4054         struct iwn_node *wn = (void *)ni;
 4055         struct ieee80211_rateset *rs = &ni->ni_rates;
 4056         struct iwn_cmd_link_quality linkq;
 4057         uint8_t txant;
 4058         int i, rate, txrate;
 4059 
 4060         /* Use the first valid TX antenna. */
 4061         txant = IWN_LSB(sc->txchainmask);
 4062 
 4063         memset(&linkq, 0, sizeof linkq);
 4064         linkq.id = wn->id;
 4065         linkq.antmsk_1stream = txant;
 4066         linkq.antmsk_2stream = IWN_ANT_AB;
 4067         linkq.ampdu_max = 64;
 4068         linkq.ampdu_threshold = 3;
 4069         linkq.ampdu_limit = htole16(4000);      /* 4ms */
 4070 
 4071         /* Start at highest available bit-rate. */
 4072         if (IEEE80211_IS_CHAN_HT(ni->ni_chan))
 4073                 txrate = ni->ni_htrates.rs_nrates - 1;
 4074         else
 4075                 txrate = rs->rs_nrates - 1;
 4076         for (i = 0; i < IWN_MAX_TX_RETRIES; i++) {
 4077                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan))
 4078                         rate = IEEE80211_RATE_MCS | txrate;
 4079                 else
 4080                         rate = RV(rs->rs_rates[txrate]);
 4081                 linkq.retry[i] = wn->ridx[rate];
 4082 
 4083                 if ((le32toh(wn->ridx[rate]) & IWN_RFLAG_MCS) &&
 4084                     RV(le32toh(wn->ridx[rate])) > 7)
 4085                         linkq.mimo = i + 1;
 4086 
 4087                 /* Next retry at immediate lower bit-rate. */
 4088                 if (txrate > 0)
 4089                         txrate--;
 4090         }
 4091         return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, 1);
 4092 #undef  RV
 4093 }
 4094 
 4095 /*
 4096  * Broadcast node is used to send group-addressed and management frames.
 4097  */
 4098 static int
 4099 iwn_add_broadcast_node(struct iwn_softc *sc, int async)
 4100 {
 4101         struct iwn_ops *ops = &sc->ops;
 4102         struct ifnet *ifp = sc->sc_ifp;
 4103         struct ieee80211com *ic = ifp->if_l2com;
 4104         struct iwn_node_info node;
 4105         struct iwn_cmd_link_quality linkq;
 4106         uint8_t txant;
 4107         int i, error;
 4108 
 4109         memset(&node, 0, sizeof node);
 4110         IEEE80211_ADDR_COPY(node.macaddr, ifp->if_broadcastaddr);
 4111         node.id = sc->broadcast_id;
 4112         DPRINTF(sc, IWN_DEBUG_RESET, "%s: adding broadcast node\n", __func__);
 4113         if ((error = ops->add_node(sc, &node, async)) != 0)
 4114                 return error;
 4115 
 4116         /* Use the first valid TX antenna. */
 4117         txant = IWN_LSB(sc->txchainmask);
 4118 
 4119         memset(&linkq, 0, sizeof linkq);
 4120         linkq.id = sc->broadcast_id;
 4121         linkq.antmsk_1stream = txant;
 4122         linkq.antmsk_2stream = IWN_ANT_AB;
 4123         linkq.ampdu_max = 64;
 4124         linkq.ampdu_threshold = 3;
 4125         linkq.ampdu_limit = htole16(4000);      /* 4ms */
 4126 
 4127         /* Use lowest mandatory bit-rate. */
 4128         if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan))
 4129                 linkq.retry[0] = htole32(0xd);
 4130         else
 4131                 linkq.retry[0] = htole32(10 | IWN_RFLAG_CCK);
 4132         linkq.retry[0] |= htole32(IWN_RFLAG_ANT(txant));
 4133         /* Use same bit-rate for all TX retries. */
 4134         for (i = 1; i < IWN_MAX_TX_RETRIES; i++) {
 4135                 linkq.retry[i] = linkq.retry[0];
 4136         }
 4137         return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, async);
 4138 }
 4139 
 4140 static int
 4141 iwn_updateedca(struct ieee80211com *ic)
 4142 {
 4143 #define IWN_EXP2(x)     ((1 << (x)) - 1)        /* CWmin = 2^ECWmin - 1 */
 4144         struct iwn_softc *sc = ic->ic_ifp->if_softc;
 4145         struct iwn_edca_params cmd;
 4146         int aci;
 4147 
 4148         memset(&cmd, 0, sizeof cmd);
 4149         cmd.flags = htole32(IWN_EDCA_UPDATE);
 4150         for (aci = 0; aci < WME_NUM_AC; aci++) {
 4151                 const struct wmeParams *ac =
 4152                     &ic->ic_wme.wme_chanParams.cap_wmeParams[aci];
 4153                 cmd.ac[aci].aifsn = ac->wmep_aifsn;
 4154                 cmd.ac[aci].cwmin = htole16(IWN_EXP2(ac->wmep_logcwmin));
 4155                 cmd.ac[aci].cwmax = htole16(IWN_EXP2(ac->wmep_logcwmax));
 4156                 cmd.ac[aci].txoplimit =
 4157                     htole16(IEEE80211_TXOP_TO_US(ac->wmep_txopLimit));
 4158         }
 4159         IEEE80211_UNLOCK(ic);
 4160         IWN_LOCK(sc);
 4161         (void)iwn_cmd(sc, IWN_CMD_EDCA_PARAMS, &cmd, sizeof cmd, 1);
 4162         IWN_UNLOCK(sc);
 4163         IEEE80211_LOCK(ic);
 4164         return 0;
 4165 #undef IWN_EXP2
 4166 }
 4167 
 4168 static void
 4169 iwn_update_mcast(struct ifnet *ifp)
 4170 {
 4171         /* Ignore */
 4172 }
 4173 
 4174 static void
 4175 iwn_set_led(struct iwn_softc *sc, uint8_t which, uint8_t off, uint8_t on)
 4176 {
 4177         struct iwn_cmd_led led;
 4178 
 4179         /* Clear microcode LED ownership. */
 4180         IWN_CLRBITS(sc, IWN_LED, IWN_LED_BSM_CTRL);
 4181 
 4182         led.which = which;
 4183         led.unit = htole32(10000);      /* on/off in unit of 100ms */
 4184         led.off = off;
 4185         led.on = on;
 4186         (void)iwn_cmd(sc, IWN_CMD_SET_LED, &led, sizeof led, 1);
 4187 }
 4188 
 4189 /*
 4190  * Set the critical temperature at which the firmware will stop the radio
 4191  * and notify us.
 4192  */
 4193 static int
 4194 iwn_set_critical_temp(struct iwn_softc *sc)
 4195 {
 4196         struct iwn_critical_temp crit;
 4197         int32_t temp;
 4198 
 4199         IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_CTEMP_STOP_RF);
 4200 
 4201         if (sc->hw_type == IWN_HW_REV_TYPE_5150)
 4202                 temp = (IWN_CTOK(110) - sc->temp_off) * -5;
 4203         else if (sc->hw_type == IWN_HW_REV_TYPE_4965)
 4204                 temp = IWN_CTOK(110);
 4205         else
 4206                 temp = 110;
 4207         memset(&crit, 0, sizeof crit);
 4208         crit.tempR = htole32(temp);
 4209         DPRINTF(sc, IWN_DEBUG_RESET, "setting critical temp to %d\n", temp);
 4210         return iwn_cmd(sc, IWN_CMD_SET_CRITICAL_TEMP, &crit, sizeof crit, 0);
 4211 }
 4212 
 4213 static int
 4214 iwn_set_timing(struct iwn_softc *sc, struct ieee80211_node *ni)
 4215 {
 4216         struct iwn_cmd_timing cmd;
 4217         uint64_t val, mod;
 4218 
 4219         memset(&cmd, 0, sizeof cmd);
 4220         memcpy(&cmd.tstamp, ni->ni_tstamp.data, sizeof (uint64_t));
 4221         cmd.bintval = htole16(ni->ni_intval);
 4222         cmd.lintval = htole16(10);
 4223 
 4224         /* Compute remaining time until next beacon. */
 4225         val = (uint64_t)ni->ni_intval * IEEE80211_DUR_TU;
 4226         mod = le64toh(cmd.tstamp) % val;
 4227         cmd.binitval = htole32((uint32_t)(val - mod));
 4228 
 4229         DPRINTF(sc, IWN_DEBUG_RESET, "timing bintval=%u tstamp=%ju, init=%u\n",
 4230             ni->ni_intval, le64toh(cmd.tstamp), (uint32_t)(val - mod));
 4231 
 4232         return iwn_cmd(sc, IWN_CMD_TIMING, &cmd, sizeof cmd, 1);
 4233 }
 4234 
 4235 static void
 4236 iwn4965_power_calibration(struct iwn_softc *sc, int temp)
 4237 {
 4238         struct ifnet *ifp = sc->sc_ifp;
 4239         struct ieee80211com *ic = ifp->if_l2com;
 4240 
 4241         /* Adjust TX power if need be (delta >= 3 degC). */
 4242         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: temperature %d->%d\n",
 4243             __func__, sc->temp, temp);
 4244         if (abs(temp - sc->temp) >= 3) {
 4245                 /* Record temperature of last calibration. */
 4246                 sc->temp = temp;
 4247                 (void)iwn4965_set_txpower(sc, ic->ic_bsschan, 1);
 4248         }
 4249 }
 4250 
 4251 /*
 4252  * Set TX power for current channel (each rate has its own power settings).
 4253  * This function takes into account the regulatory information from EEPROM,
 4254  * the current temperature and the current voltage.
 4255  */
 4256 static int
 4257 iwn4965_set_txpower(struct iwn_softc *sc, struct ieee80211_channel *ch,
 4258     int async)
 4259 {
 4260 /* Fixed-point arithmetic division using a n-bit fractional part. */
 4261 #define fdivround(a, b, n)      \
 4262         ((((1 << n) * (a)) / (b) + (1 << n) / 2) / (1 << n))
 4263 /* Linear interpolation. */
 4264 #define interpolate(x, x1, y1, x2, y2, n)       \
 4265         ((y1) + fdivround(((int)(x) - (x1)) * ((y2) - (y1)), (x2) - (x1), n))
 4266 
 4267         static const int tdiv[IWN_NATTEN_GROUPS] = { 9, 8, 8, 8, 6 };
 4268         struct iwn_ucode_info *uc = &sc->ucode_info;
 4269         struct iwn4965_cmd_txpower cmd;
 4270         struct iwn4965_eeprom_chan_samples *chans;
 4271         const uint8_t *rf_gain, *dsp_gain;
 4272         int32_t vdiff, tdiff;
 4273         int i, c, grp, maxpwr;
 4274         uint8_t chan;
 4275 
 4276         /* Retrieve current channel from last RXON. */
 4277         chan = sc->rxon.chan;
 4278         DPRINTF(sc, IWN_DEBUG_RESET, "setting TX power for channel %d\n",
 4279             chan);
 4280 
 4281         memset(&cmd, 0, sizeof cmd);
 4282         cmd.band = IEEE80211_IS_CHAN_5GHZ(ch) ? 0 : 1;
 4283         cmd.chan = chan;
 4284 
 4285         if (IEEE80211_IS_CHAN_5GHZ(ch)) {
 4286                 maxpwr   = sc->maxpwr5GHz;
 4287                 rf_gain  = iwn4965_rf_gain_5ghz;
 4288                 dsp_gain = iwn4965_dsp_gain_5ghz;
 4289         } else {
 4290                 maxpwr   = sc->maxpwr2GHz;
 4291                 rf_gain  = iwn4965_rf_gain_2ghz;
 4292                 dsp_gain = iwn4965_dsp_gain_2ghz;
 4293         }
 4294 
 4295         /* Compute voltage compensation. */
 4296         vdiff = ((int32_t)le32toh(uc->volt) - sc->eeprom_voltage) / 7;
 4297         if (vdiff > 0)
 4298                 vdiff *= 2;
 4299         if (abs(vdiff) > 2)
 4300                 vdiff = 0;
 4301         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4302             "%s: voltage compensation=%d (UCODE=%d, EEPROM=%d)\n",
 4303             __func__, vdiff, le32toh(uc->volt), sc->eeprom_voltage);
 4304 
 4305         /* Get channel attenuation group. */
 4306         if (chan <= 20)         /* 1-20 */
 4307                 grp = 4;
 4308         else if (chan <= 43)    /* 34-43 */
 4309                 grp = 0;
 4310         else if (chan <= 70)    /* 44-70 */
 4311                 grp = 1;
 4312         else if (chan <= 124)   /* 71-124 */
 4313                 grp = 2;
 4314         else                    /* 125-200 */
 4315                 grp = 3;
 4316         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4317             "%s: chan %d, attenuation group=%d\n", __func__, chan, grp);
 4318 
 4319         /* Get channel sub-band. */
 4320         for (i = 0; i < IWN_NBANDS; i++)
 4321                 if (sc->bands[i].lo != 0 &&
 4322                     sc->bands[i].lo <= chan && chan <= sc->bands[i].hi)
 4323                         break;
 4324         if (i == IWN_NBANDS)    /* Can't happen in real-life. */
 4325                 return EINVAL;
 4326         chans = sc->bands[i].chans;
 4327         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4328             "%s: chan %d sub-band=%d\n", __func__, chan, i);
 4329 
 4330         for (c = 0; c < 2; c++) {
 4331                 uint8_t power, gain, temp;
 4332                 int maxchpwr, pwr, ridx, idx;
 4333 
 4334                 power = interpolate(chan,
 4335                     chans[0].num, chans[0].samples[c][1].power,
 4336                     chans[1].num, chans[1].samples[c][1].power, 1);
 4337                 gain  = interpolate(chan,
 4338                     chans[0].num, chans[0].samples[c][1].gain,
 4339                     chans[1].num, chans[1].samples[c][1].gain, 1);
 4340                 temp  = interpolate(chan,
 4341                     chans[0].num, chans[0].samples[c][1].temp,
 4342                     chans[1].num, chans[1].samples[c][1].temp, 1);
 4343                 DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4344                     "%s: Tx chain %d: power=%d gain=%d temp=%d\n",
 4345                     __func__, c, power, gain, temp);
 4346 
 4347                 /* Compute temperature compensation. */
 4348                 tdiff = ((sc->temp - temp) * 2) / tdiv[grp];
 4349                 DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4350                     "%s: temperature compensation=%d (current=%d, EEPROM=%d)\n",
 4351                     __func__, tdiff, sc->temp, temp);
 4352 
 4353                 for (ridx = 0; ridx <= IWN_RIDX_MAX; ridx++) {
 4354                         /* Convert dBm to half-dBm. */
 4355                         maxchpwr = sc->maxpwr[chan] * 2;
 4356                         if ((ridx / 8) & 1)
 4357                                 maxchpwr -= 6;  /* MIMO 2T: -3dB */
 4358 
 4359                         pwr = maxpwr;
 4360 
 4361                         /* Adjust TX power based on rate. */
 4362                         if ((ridx % 8) == 5)
 4363                                 pwr -= 15;      /* OFDM48: -7.5dB */
 4364                         else if ((ridx % 8) == 6)
 4365                                 pwr -= 17;      /* OFDM54: -8.5dB */
 4366                         else if ((ridx % 8) == 7)
 4367                                 pwr -= 20;      /* OFDM60: -10dB */
 4368                         else
 4369                                 pwr -= 10;      /* Others: -5dB */
 4370 
 4371                         /* Do not exceed channel max TX power. */
 4372                         if (pwr > maxchpwr)
 4373                                 pwr = maxchpwr;
 4374 
 4375                         idx = gain - (pwr - power) - tdiff - vdiff;
 4376                         if ((ridx / 8) & 1)     /* MIMO */
 4377                                 idx += (int32_t)le32toh(uc->atten[grp][c]);
 4378 
 4379                         if (cmd.band == 0)
 4380                                 idx += 9;       /* 5GHz */
 4381                         if (ridx == IWN_RIDX_MAX)
 4382                                 idx += 5;       /* CCK */
 4383 
 4384                         /* Make sure idx stays in a valid range. */
 4385                         if (idx < 0)
 4386                                 idx = 0;
 4387                         else if (idx > IWN4965_MAX_PWR_INDEX)
 4388                                 idx = IWN4965_MAX_PWR_INDEX;
 4389 
 4390                         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4391                             "%s: Tx chain %d, rate idx %d: power=%d\n",
 4392                             __func__, c, ridx, idx);
 4393                         cmd.power[ridx].rf_gain[c] = rf_gain[idx];
 4394                         cmd.power[ridx].dsp_gain[c] = dsp_gain[idx];
 4395                 }
 4396         }
 4397 
 4398         DPRINTF(sc, IWN_DEBUG_CALIBRATE | IWN_DEBUG_TXPOW,
 4399             "%s: set tx power for chan %d\n", __func__, chan);
 4400         return iwn_cmd(sc, IWN_CMD_TXPOWER, &cmd, sizeof cmd, async);
 4401 
 4402 #undef interpolate
 4403 #undef fdivround
 4404 }
 4405 
 4406 static int
 4407 iwn5000_set_txpower(struct iwn_softc *sc, struct ieee80211_channel *ch,
 4408     int async)
 4409 {
 4410         struct iwn5000_cmd_txpower cmd;
 4411 
 4412         /*
 4413          * TX power calibration is handled automatically by the firmware
 4414          * for 5000 Series.
 4415          */
 4416         memset(&cmd, 0, sizeof cmd);
 4417         cmd.global_limit = 2 * IWN5000_TXPOWER_MAX_DBM; /* 16 dBm */
 4418         cmd.flags = IWN5000_TXPOWER_NO_CLOSED;
 4419         cmd.srv_limit = IWN5000_TXPOWER_AUTO;
 4420         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: setting TX power\n", __func__);
 4421         return iwn_cmd(sc, IWN_CMD_TXPOWER_DBM, &cmd, sizeof cmd, async);
 4422 }
 4423 
 4424 /*
 4425  * Retrieve the maximum RSSI (in dBm) among receivers.
 4426  */
 4427 static int
 4428 iwn4965_get_rssi(struct iwn_softc *sc, struct iwn_rx_stat *stat)
 4429 {
 4430         struct iwn4965_rx_phystat *phy = (void *)stat->phybuf;
 4431         uint8_t mask, agc;
 4432         int rssi;
 4433 
 4434         mask = (le16toh(phy->antenna) >> 4) & IWN_ANT_ABC;
 4435         agc  = (le16toh(phy->agc) >> 7) & 0x7f;
 4436 
 4437         rssi = 0;
 4438         if (mask & IWN_ANT_A)
 4439                 rssi = MAX(rssi, phy->rssi[0]);
 4440         if (mask & IWN_ANT_B)
 4441                 rssi = MAX(rssi, phy->rssi[2]);
 4442         if (mask & IWN_ANT_C)
 4443                 rssi = MAX(rssi, phy->rssi[4]);
 4444 
 4445         DPRINTF(sc, IWN_DEBUG_RECV,
 4446             "%s: agc %d mask 0x%x rssi %d %d %d result %d\n", __func__, agc,
 4447             mask, phy->rssi[0], phy->rssi[2], phy->rssi[4],
 4448             rssi - agc - IWN_RSSI_TO_DBM);
 4449         return rssi - agc - IWN_RSSI_TO_DBM;
 4450 }
 4451 
 4452 static int
 4453 iwn5000_get_rssi(struct iwn_softc *sc, struct iwn_rx_stat *stat)
 4454 {
 4455         struct iwn5000_rx_phystat *phy = (void *)stat->phybuf;
 4456         uint8_t agc;
 4457         int rssi;
 4458 
 4459         agc = (le32toh(phy->agc) >> 9) & 0x7f;
 4460 
 4461         rssi = MAX(le16toh(phy->rssi[0]) & 0xff,
 4462                    le16toh(phy->rssi[1]) & 0xff);
 4463         rssi = MAX(le16toh(phy->rssi[2]) & 0xff, rssi);
 4464 
 4465         DPRINTF(sc, IWN_DEBUG_RECV,
 4466             "%s: agc %d rssi %d %d %d result %d\n", __func__, agc,
 4467             phy->rssi[0], phy->rssi[1], phy->rssi[2],
 4468             rssi - agc - IWN_RSSI_TO_DBM);
 4469         return rssi - agc - IWN_RSSI_TO_DBM;
 4470 }
 4471 
 4472 /*
 4473  * Retrieve the average noise (in dBm) among receivers.
 4474  */
 4475 static int
 4476 iwn_get_noise(const struct iwn_rx_general_stats *stats)
 4477 {
 4478         int i, total, nbant, noise;
 4479 
 4480         total = nbant = 0;
 4481         for (i = 0; i < 3; i++) {
 4482                 if ((noise = le32toh(stats->noise[i]) & 0xff) == 0)
 4483                         continue;
 4484                 total += noise;
 4485                 nbant++;
 4486         }
 4487         /* There should be at least one antenna but check anyway. */
 4488         return (nbant == 0) ? -127 : (total / nbant) - 107;
 4489 }
 4490 
 4491 /*
 4492  * Compute temperature (in degC) from last received statistics.
 4493  */
 4494 static int
 4495 iwn4965_get_temperature(struct iwn_softc *sc)
 4496 {
 4497         struct iwn_ucode_info *uc = &sc->ucode_info;
 4498         int32_t r1, r2, r3, r4, temp;
 4499 
 4500         r1 = le32toh(uc->temp[0].chan20MHz);
 4501         r2 = le32toh(uc->temp[1].chan20MHz);
 4502         r3 = le32toh(uc->temp[2].chan20MHz);
 4503         r4 = le32toh(sc->rawtemp);
 4504 
 4505         if (r1 == r3)   /* Prevents division by 0 (should not happen). */
 4506                 return 0;
 4507 
 4508         /* Sign-extend 23-bit R4 value to 32-bit. */
 4509         r4 = ((r4 & 0xffffff) ^ 0x800000) - 0x800000;
 4510         /* Compute temperature in Kelvin. */
 4511         temp = (259 * (r4 - r2)) / (r3 - r1);
 4512         temp = (temp * 97) / 100 + 8;
 4513 
 4514         DPRINTF(sc, IWN_DEBUG_ANY, "temperature %dK/%dC\n", temp,
 4515             IWN_KTOC(temp));
 4516         return IWN_KTOC(temp);
 4517 }
 4518 
 4519 static int
 4520 iwn5000_get_temperature(struct iwn_softc *sc)
 4521 {
 4522         int32_t temp;
 4523 
 4524         /*
 4525          * Temperature is not used by the driver for 5000 Series because
 4526          * TX power calibration is handled by firmware.
 4527          */
 4528         temp = le32toh(sc->rawtemp);
 4529         if (sc->hw_type == IWN_HW_REV_TYPE_5150) {
 4530                 temp = (temp / -5) + sc->temp_off;
 4531                 temp = IWN_KTOC(temp);
 4532         }
 4533         return temp;
 4534 }
 4535 
 4536 /*
 4537  * Initialize sensitivity calibration state machine.
 4538  */
 4539 static int
 4540 iwn_init_sensitivity(struct iwn_softc *sc)
 4541 {
 4542         struct iwn_ops *ops = &sc->ops;
 4543         struct iwn_calib_state *calib = &sc->calib;
 4544         uint32_t flags;
 4545         int error;
 4546 
 4547         /* Reset calibration state machine. */
 4548         memset(calib, 0, sizeof (*calib));
 4549         calib->state = IWN_CALIB_STATE_INIT;
 4550         calib->cck_state = IWN_CCK_STATE_HIFA;
 4551         /* Set initial correlation values. */
 4552         calib->ofdm_x1     = sc->limits->min_ofdm_x1;
 4553         calib->ofdm_mrc_x1 = sc->limits->min_ofdm_mrc_x1;
 4554         calib->ofdm_x4     = sc->limits->min_ofdm_x4;
 4555         calib->ofdm_mrc_x4 = sc->limits->min_ofdm_mrc_x4;
 4556         calib->cck_x4      = 125;
 4557         calib->cck_mrc_x4  = sc->limits->min_cck_mrc_x4;
 4558         calib->energy_cck  = sc->limits->energy_cck;
 4559 
 4560         /* Write initial sensitivity. */
 4561         if ((error = iwn_send_sensitivity(sc)) != 0)
 4562                 return error;
 4563 
 4564         /* Write initial gains. */
 4565         if ((error = ops->init_gains(sc)) != 0)
 4566                 return error;
 4567 
 4568         /* Request statistics at each beacon interval. */
 4569         flags = 0;
 4570         DPRINTF(sc, IWN_DEBUG_CALIBRATE, "%s: sending request for statistics\n",
 4571             __func__);
 4572         return iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags, sizeof flags, 1);
 4573 }
 4574 
 4575 /*
 4576  * Collect noise and RSSI statistics for the first 20 beacons received
 4577  * after association and use them to determine connected antennas and
 4578  * to set differential gains.
 4579  */
 4580 static void
 4581 iwn_collect_noise(struct iwn_softc *sc,
 4582     const struct iwn_rx_general_stats *stats)
 4583 {
 4584         struct iwn_ops *ops = &sc->ops;
 4585         struct iwn_calib_state *calib = &sc->calib;
 4586         uint32_t val;
 4587         int i;
 4588 
 4589         /* Accumulate RSSI and noise for all 3 antennas. */
 4590         for (i = 0; i < 3; i++) {
 4591                 calib->rssi[i] += le32toh(stats->rssi[i]) & 0xff;
 4592                 calib->noise[i] += le32toh(stats->noise[i]) & 0xff;
 4593         }
 4594         /* NB: We update differential gains only once after 20 beacons. */
 4595         if (++calib->nbeacons < 20)
 4596                 return;
 4597 
 4598         /* Determine highest average RSSI. */
 4599         val = MAX(calib->rssi[0], calib->rssi[1]);
 4600         val = MAX(calib->rssi[2], val);
 4601 
 4602         /* Determine which antennas are connected. */
 4603         sc->chainmask = sc->rxchainmask;
 4604         for (i = 0; i < 3; i++)
 4605                 if (val - calib->rssi[i] > 15 * 20)
 4606                         sc->chainmask &= ~(1 << i);
 4607         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4608             "%s: RX chains mask: theoretical=0x%x, actual=0x%x\n",
 4609             __func__, sc->rxchainmask, sc->chainmask);
 4610 
 4611         /* If none of the TX antennas are connected, keep at least one. */
 4612         if ((sc->chainmask & sc->txchainmask) == 0)
 4613                 sc->chainmask |= IWN_LSB(sc->txchainmask);
 4614 
 4615         (void)ops->set_gains(sc);
 4616         calib->state = IWN_CALIB_STATE_RUN;
 4617 
 4618 #ifdef notyet
 4619         /* XXX Disable RX chains with no antennas connected. */
 4620         sc->rxon.rxchain = htole16(IWN_RXCHAIN_SEL(sc->chainmask));
 4621         (void)iwn_cmd(sc, IWN_CMD_RXON, &sc->rxon, sc->rxonsz, 1);
 4622 #endif
 4623 
 4624 #if 0
 4625         /* XXX: not yet */
 4626         /* Enable power-saving mode if requested by user. */
 4627         if (sc->sc_ic.ic_flags & IEEE80211_F_PMGTON)
 4628                 (void)iwn_set_pslevel(sc, 0, 3, 1);
 4629 #endif
 4630 }
 4631 
 4632 static int
 4633 iwn4965_init_gains(struct iwn_softc *sc)
 4634 {
 4635         struct iwn_phy_calib_gain cmd;
 4636 
 4637         memset(&cmd, 0, sizeof cmd);
 4638         cmd.code = IWN4965_PHY_CALIB_DIFF_GAIN;
 4639         /* Differential gains initially set to 0 for all 3 antennas. */
 4640         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4641             "%s: setting initial differential gains\n", __func__);
 4642         return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
 4643 }
 4644 
 4645 static int
 4646 iwn5000_init_gains(struct iwn_softc *sc)
 4647 {
 4648         struct iwn_phy_calib cmd;
 4649 
 4650         memset(&cmd, 0, sizeof cmd);
 4651         cmd.code = sc->reset_noise_gain;
 4652         cmd.ngroups = 1;
 4653         cmd.isvalid = 1;
 4654         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4655             "%s: setting initial differential gains\n", __func__);
 4656         return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
 4657 }
 4658 
 4659 static int
 4660 iwn4965_set_gains(struct iwn_softc *sc)
 4661 {
 4662         struct iwn_calib_state *calib = &sc->calib;
 4663         struct iwn_phy_calib_gain cmd;
 4664         int i, delta, noise;
 4665 
 4666         /* Get minimal noise among connected antennas. */
 4667         noise = INT_MAX;        /* NB: There's at least one antenna. */
 4668         for (i = 0; i < 3; i++)
 4669                 if (sc->chainmask & (1 << i))
 4670                         noise = MIN(calib->noise[i], noise);
 4671 
 4672         memset(&cmd, 0, sizeof cmd);
 4673         cmd.code = IWN4965_PHY_CALIB_DIFF_GAIN;
 4674         /* Set differential gains for connected antennas. */
 4675         for (i = 0; i < 3; i++) {
 4676                 if (sc->chainmask & (1 << i)) {
 4677                         /* Compute attenuation (in unit of 1.5dB). */
 4678                         delta = (noise - (int32_t)calib->noise[i]) / 30;
 4679                         /* NB: delta <= 0 */
 4680                         /* Limit to [-4.5dB,0]. */
 4681                         cmd.gain[i] = MIN(abs(delta), 3);
 4682                         if (delta < 0)
 4683                                 cmd.gain[i] |= 1 << 2;  /* sign bit */
 4684                 }
 4685         }
 4686         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4687             "setting differential gains Ant A/B/C: %x/%x/%x (%x)\n",
 4688             cmd.gain[0], cmd.gain[1], cmd.gain[2], sc->chainmask);
 4689         return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
 4690 }
 4691 
 4692 static int
 4693 iwn5000_set_gains(struct iwn_softc *sc)
 4694 {
 4695         struct iwn_calib_state *calib = &sc->calib;
 4696         struct iwn_phy_calib_gain cmd;
 4697         int i, ant, div, delta;
 4698 
 4699         /* We collected 20 beacons and !=6050 need a 1.5 factor. */
 4700         div = (sc->hw_type == IWN_HW_REV_TYPE_6050) ? 20 : 30;
 4701 
 4702         memset(&cmd, 0, sizeof cmd);
 4703         cmd.code = sc->noise_gain;
 4704         cmd.ngroups = 1;
 4705         cmd.isvalid = 1;
 4706         /* Get first available RX antenna as referential. */
 4707         ant = IWN_LSB(sc->rxchainmask);
 4708         /* Set differential gains for other antennas. */
 4709         for (i = ant + 1; i < 3; i++) {
 4710                 if (sc->chainmask & (1 << i)) {
 4711                         /* The delta is relative to antenna "ant". */
 4712                         delta = ((int32_t)calib->noise[ant] -
 4713                             (int32_t)calib->noise[i]) / div;
 4714                         /* Limit to [-4.5dB,+4.5dB]. */
 4715                         cmd.gain[i - 1] = MIN(abs(delta), 3);
 4716                         if (delta < 0)
 4717                                 cmd.gain[i - 1] |= 1 << 2;      /* sign bit */
 4718                 }
 4719         }
 4720         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4721             "setting differential gains Ant B/C: %x/%x (%x)\n",
 4722             cmd.gain[0], cmd.gain[1], sc->chainmask);
 4723         return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
 4724 }
 4725 
 4726 /*
 4727  * Tune RF RX sensitivity based on the number of false alarms detected
 4728  * during the last beacon period.
 4729  */
 4730 static void
 4731 iwn_tune_sensitivity(struct iwn_softc *sc, const struct iwn_rx_stats *stats)
 4732 {
 4733 #define inc(val, inc, max)                      \
 4734         if ((val) < (max)) {                    \
 4735                 if ((val) < (max) - (inc))      \
 4736                         (val) += (inc);         \
 4737                 else                            \
 4738                         (val) = (max);          \
 4739                 needs_update = 1;               \
 4740         }
 4741 #define dec(val, dec, min)                      \
 4742         if ((val) > (min)) {                    \
 4743                 if ((val) > (min) + (dec))      \
 4744                         (val) -= (dec);         \
 4745                 else                            \
 4746                         (val) = (min);          \
 4747                 needs_update = 1;               \
 4748         }
 4749 
 4750         const struct iwn_sensitivity_limits *limits = sc->limits;
 4751         struct iwn_calib_state *calib = &sc->calib;
 4752         uint32_t val, rxena, fa;
 4753         uint32_t energy[3], energy_min;
 4754         uint8_t noise[3], noise_ref;
 4755         int i, needs_update = 0;
 4756 
 4757         /* Check that we've been enabled long enough. */
 4758         if ((rxena = le32toh(stats->general.load)) == 0)
 4759                 return;
 4760 
 4761         /* Compute number of false alarms since last call for OFDM. */
 4762         fa  = le32toh(stats->ofdm.bad_plcp) - calib->bad_plcp_ofdm;
 4763         fa += le32toh(stats->ofdm.fa) - calib->fa_ofdm;
 4764         fa *= 200 * IEEE80211_DUR_TU;   /* 200TU */
 4765 
 4766         /* Save counters values for next call. */
 4767         calib->bad_plcp_ofdm = le32toh(stats->ofdm.bad_plcp);
 4768         calib->fa_ofdm = le32toh(stats->ofdm.fa);
 4769 
 4770         if (fa > 50 * rxena) {
 4771                 /* High false alarm count, decrease sensitivity. */
 4772                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4773                     "%s: OFDM high false alarm count: %u\n", __func__, fa);
 4774                 inc(calib->ofdm_x1,     1, limits->max_ofdm_x1);
 4775                 inc(calib->ofdm_mrc_x1, 1, limits->max_ofdm_mrc_x1);
 4776                 inc(calib->ofdm_x4,     1, limits->max_ofdm_x4);
 4777                 inc(calib->ofdm_mrc_x4, 1, limits->max_ofdm_mrc_x4);
 4778 
 4779         } else if (fa < 5 * rxena) {
 4780                 /* Low false alarm count, increase sensitivity. */
 4781                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4782                     "%s: OFDM low false alarm count: %u\n", __func__, fa);
 4783                 dec(calib->ofdm_x1,     1, limits->min_ofdm_x1);
 4784                 dec(calib->ofdm_mrc_x1, 1, limits->min_ofdm_mrc_x1);
 4785                 dec(calib->ofdm_x4,     1, limits->min_ofdm_x4);
 4786                 dec(calib->ofdm_mrc_x4, 1, limits->min_ofdm_mrc_x4);
 4787         }
 4788 
 4789         /* Compute maximum noise among 3 receivers. */
 4790         for (i = 0; i < 3; i++)
 4791                 noise[i] = (le32toh(stats->general.noise[i]) >> 8) & 0xff;
 4792         val = MAX(noise[0], noise[1]);
 4793         val = MAX(noise[2], val);
 4794         /* Insert it into our samples table. */
 4795         calib->noise_samples[calib->cur_noise_sample] = val;
 4796         calib->cur_noise_sample = (calib->cur_noise_sample + 1) % 20;
 4797 
 4798         /* Compute maximum noise among last 20 samples. */
 4799         noise_ref = calib->noise_samples[0];
 4800         for (i = 1; i < 20; i++)
 4801                 noise_ref = MAX(noise_ref, calib->noise_samples[i]);
 4802 
 4803         /* Compute maximum energy among 3 receivers. */
 4804         for (i = 0; i < 3; i++)
 4805                 energy[i] = le32toh(stats->general.energy[i]);
 4806         val = MIN(energy[0], energy[1]);
 4807         val = MIN(energy[2], val);
 4808         /* Insert it into our samples table. */
 4809         calib->energy_samples[calib->cur_energy_sample] = val;
 4810         calib->cur_energy_sample = (calib->cur_energy_sample + 1) % 10;
 4811 
 4812         /* Compute minimum energy among last 10 samples. */
 4813         energy_min = calib->energy_samples[0];
 4814         for (i = 1; i < 10; i++)
 4815                 energy_min = MAX(energy_min, calib->energy_samples[i]);
 4816         energy_min += 6;
 4817 
 4818         /* Compute number of false alarms since last call for CCK. */
 4819         fa  = le32toh(stats->cck.bad_plcp) - calib->bad_plcp_cck;
 4820         fa += le32toh(stats->cck.fa) - calib->fa_cck;
 4821         fa *= 200 * IEEE80211_DUR_TU;   /* 200TU */
 4822 
 4823         /* Save counters values for next call. */
 4824         calib->bad_plcp_cck = le32toh(stats->cck.bad_plcp);
 4825         calib->fa_cck = le32toh(stats->cck.fa);
 4826 
 4827         if (fa > 50 * rxena) {
 4828                 /* High false alarm count, decrease sensitivity. */
 4829                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4830                     "%s: CCK high false alarm count: %u\n", __func__, fa);
 4831                 calib->cck_state = IWN_CCK_STATE_HIFA;
 4832                 calib->low_fa = 0;
 4833 
 4834                 if (calib->cck_x4 > 160) {
 4835                         calib->noise_ref = noise_ref;
 4836                         if (calib->energy_cck > 2)
 4837                                 dec(calib->energy_cck, 2, energy_min);
 4838                 }
 4839                 if (calib->cck_x4 < 160) {
 4840                         calib->cck_x4 = 161;
 4841                         needs_update = 1;
 4842                 } else
 4843                         inc(calib->cck_x4, 3, limits->max_cck_x4);
 4844 
 4845                 inc(calib->cck_mrc_x4, 3, limits->max_cck_mrc_x4);
 4846 
 4847         } else if (fa < 5 * rxena) {
 4848                 /* Low false alarm count, increase sensitivity. */
 4849                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4850                     "%s: CCK low false alarm count: %u\n", __func__, fa);
 4851                 calib->cck_state = IWN_CCK_STATE_LOFA;
 4852                 calib->low_fa++;
 4853 
 4854                 if (calib->cck_state != IWN_CCK_STATE_INIT &&
 4855                     (((int32_t)calib->noise_ref - (int32_t)noise_ref) > 2 ||
 4856                      calib->low_fa > 100)) {
 4857                         inc(calib->energy_cck, 2, limits->min_energy_cck);
 4858                         dec(calib->cck_x4,     3, limits->min_cck_x4);
 4859                         dec(calib->cck_mrc_x4, 3, limits->min_cck_mrc_x4);
 4860                 }
 4861         } else {
 4862                 /* Not worth to increase or decrease sensitivity. */
 4863                 DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4864                     "%s: CCK normal false alarm count: %u\n", __func__, fa);
 4865                 calib->low_fa = 0;
 4866                 calib->noise_ref = noise_ref;
 4867 
 4868                 if (calib->cck_state == IWN_CCK_STATE_HIFA) {
 4869                         /* Previous interval had many false alarms. */
 4870                         dec(calib->energy_cck, 8, energy_min);
 4871                 }
 4872                 calib->cck_state = IWN_CCK_STATE_INIT;
 4873         }
 4874 
 4875         if (needs_update)
 4876                 (void)iwn_send_sensitivity(sc);
 4877 #undef dec
 4878 #undef inc
 4879 }
 4880 
 4881 static int
 4882 iwn_send_sensitivity(struct iwn_softc *sc)
 4883 {
 4884         struct iwn_calib_state *calib = &sc->calib;
 4885         struct iwn_enhanced_sensitivity_cmd cmd;
 4886         int len;
 4887 
 4888         memset(&cmd, 0, sizeof cmd);
 4889         len = sizeof (struct iwn_sensitivity_cmd);
 4890         cmd.which = IWN_SENSITIVITY_WORKTBL;
 4891         /* OFDM modulation. */
 4892         cmd.corr_ofdm_x1       = htole16(calib->ofdm_x1);
 4893         cmd.corr_ofdm_mrc_x1   = htole16(calib->ofdm_mrc_x1);
 4894         cmd.corr_ofdm_x4       = htole16(calib->ofdm_x4);
 4895         cmd.corr_ofdm_mrc_x4   = htole16(calib->ofdm_mrc_x4);
 4896         cmd.energy_ofdm        = htole16(sc->limits->energy_ofdm);
 4897         cmd.energy_ofdm_th     = htole16(62);
 4898         /* CCK modulation. */
 4899         cmd.corr_cck_x4        = htole16(calib->cck_x4);
 4900         cmd.corr_cck_mrc_x4    = htole16(calib->cck_mrc_x4);
 4901         cmd.energy_cck         = htole16(calib->energy_cck);
 4902         /* Barker modulation: use default values. */
 4903         cmd.corr_barker        = htole16(190);
 4904         cmd.corr_barker_mrc    = htole16(390);
 4905 
 4906         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 4907             "%s: set sensitivity %d/%d/%d/%d/%d/%d/%d\n", __func__,
 4908             calib->ofdm_x1, calib->ofdm_mrc_x1, calib->ofdm_x4,
 4909             calib->ofdm_mrc_x4, calib->cck_x4,
 4910             calib->cck_mrc_x4, calib->energy_cck);
 4911 
 4912         if (!(sc->sc_flags & IWN_FLAG_ENH_SENS))
 4913                 goto send;
 4914         /* Enhanced sensitivity settings. */
 4915         len = sizeof (struct iwn_enhanced_sensitivity_cmd);
 4916         cmd.ofdm_det_slope_mrc = htole16(668);
 4917         cmd.ofdm_det_icept_mrc = htole16(4);
 4918         cmd.ofdm_det_slope     = htole16(486);
 4919         cmd.ofdm_det_icept     = htole16(37);
 4920         cmd.cck_det_slope_mrc  = htole16(853);
 4921         cmd.cck_det_icept_mrc  = htole16(4);
 4922         cmd.cck_det_slope      = htole16(476);
 4923         cmd.cck_det_icept      = htole16(99);
 4924 send:
 4925         return iwn_cmd(sc, IWN_CMD_SET_SENSITIVITY, &cmd, len, 1);
 4926 }
 4927 
 4928 /*
 4929  * Set STA mode power saving level (between 0 and 5).
 4930  * Level 0 is CAM (Continuously Aware Mode), 5 is for maximum power saving.
 4931  */
 4932 static int
 4933 iwn_set_pslevel(struct iwn_softc *sc, int dtim, int level, int async)
 4934 {
 4935         struct iwn_pmgt_cmd cmd;
 4936         const struct iwn_pmgt *pmgt;
 4937         uint32_t max, skip_dtim;
 4938         uint32_t reg;
 4939         int i;
 4940 
 4941         /* Select which PS parameters to use. */
 4942         if (dtim <= 2)
 4943                 pmgt = &iwn_pmgt[0][level];
 4944         else if (dtim <= 10)
 4945                 pmgt = &iwn_pmgt[1][level];
 4946         else
 4947                 pmgt = &iwn_pmgt[2][level];
 4948 
 4949         memset(&cmd, 0, sizeof cmd);
 4950         if (level != 0) /* not CAM */
 4951                 cmd.flags |= htole16(IWN_PS_ALLOW_SLEEP);
 4952         if (level == 5)
 4953                 cmd.flags |= htole16(IWN_PS_FAST_PD);
 4954         /* Retrieve PCIe Active State Power Management (ASPM). */
 4955         reg = pci_read_config(sc->sc_dev, sc->sc_cap_off + 0x10, 1);
 4956         if (!(reg & 0x1))       /* L0s Entry disabled. */
 4957                 cmd.flags |= htole16(IWN_PS_PCI_PMGT);
 4958         cmd.rxtimeout = htole32(pmgt->rxtimeout * 1024);
 4959         cmd.txtimeout = htole32(pmgt->txtimeout * 1024);
 4960 
 4961         if (dtim == 0) {
 4962                 dtim = 1;
 4963                 skip_dtim = 0;
 4964         } else
 4965                 skip_dtim = pmgt->skip_dtim;
 4966         if (skip_dtim != 0) {
 4967                 cmd.flags |= htole16(IWN_PS_SLEEP_OVER_DTIM);
 4968                 max = pmgt->intval[4];
 4969                 if (max == (uint32_t)-1)
 4970                         max = dtim * (skip_dtim + 1);
 4971                 else if (max > dtim)
 4972                         max = (max / dtim) * dtim;
 4973         } else
 4974                 max = dtim;
 4975         for (i = 0; i < 5; i++)
 4976                 cmd.intval[i] = htole32(MIN(max, pmgt->intval[i]));
 4977 
 4978         DPRINTF(sc, IWN_DEBUG_RESET, "setting power saving level to %d\n",
 4979             level);
 4980         return iwn_cmd(sc, IWN_CMD_SET_POWER_MODE, &cmd, sizeof cmd, async);
 4981 }
 4982 
 4983 static int
 4984 iwn_send_btcoex(struct iwn_softc *sc)
 4985 {
 4986         struct iwn_bluetooth cmd;
 4987 
 4988         memset(&cmd, 0, sizeof cmd);
 4989         cmd.flags = IWN_BT_COEX_CHAN_ANN | IWN_BT_COEX_BT_PRIO;
 4990         cmd.lead_time = IWN_BT_LEAD_TIME_DEF;
 4991         cmd.max_kill = IWN_BT_MAX_KILL_DEF;
 4992         DPRINTF(sc, IWN_DEBUG_RESET, "%s: configuring bluetooth coexistence\n",
 4993             __func__);
 4994         return iwn_cmd(sc, IWN_CMD_BT_COEX, &cmd, sizeof(cmd), 0);
 4995 }
 4996 
 4997 static int
 4998 iwn_send_advanced_btcoex(struct iwn_softc *sc)
 4999 {
 5000         static const uint32_t btcoex_3wire[12] = {
 5001                 0xaaaaaaaa, 0xaaaaaaaa, 0xaeaaaaaa, 0xaaaaaaaa,
 5002                 0xcc00ff28, 0x0000aaaa, 0xcc00aaaa, 0x0000aaaa,
 5003                 0xc0004000, 0x00004000, 0xf0005000, 0xf0005000,
 5004         };
 5005         struct iwn6000_btcoex_config btconfig;
 5006         struct iwn_btcoex_priotable btprio;
 5007         struct iwn_btcoex_prot btprot;
 5008         int error, i;
 5009 
 5010         memset(&btconfig, 0, sizeof btconfig);
 5011         btconfig.flags = 145;
 5012         btconfig.max_kill = 5;
 5013         btconfig.bt3_t7_timer = 1;
 5014         btconfig.kill_ack = htole32(0xffff0000);
 5015         btconfig.kill_cts = htole32(0xffff0000);
 5016         btconfig.sample_time = 2;
 5017         btconfig.bt3_t2_timer = 0xc;
 5018         for (i = 0; i < 12; i++)
 5019                 btconfig.lookup_table[i] = htole32(btcoex_3wire[i]);
 5020         btconfig.valid = htole16(0xff);
 5021         btconfig.prio_boost = 0xf0;
 5022         DPRINTF(sc, IWN_DEBUG_RESET,
 5023             "%s: configuring advanced bluetooth coexistence\n", __func__);
 5024         error = iwn_cmd(sc, IWN_CMD_BT_COEX, &btconfig, sizeof(btconfig), 1);
 5025         if (error != 0)
 5026                 return error;
 5027 
 5028         memset(&btprio, 0, sizeof btprio);
 5029         btprio.calib_init1 = 0x6;
 5030         btprio.calib_init2 = 0x7;
 5031         btprio.calib_periodic_low1 = 0x2;
 5032         btprio.calib_periodic_low2 = 0x3;
 5033         btprio.calib_periodic_high1 = 0x4;
 5034         btprio.calib_periodic_high2 = 0x5;
 5035         btprio.dtim = 0x6;
 5036         btprio.scan52 = 0x8;
 5037         btprio.scan24 = 0xa;
 5038         error = iwn_cmd(sc, IWN_CMD_BT_COEX_PRIOTABLE, &btprio, sizeof(btprio),
 5039             1);
 5040         if (error != 0)
 5041                 return error;
 5042 
 5043         /* Force BT state machine change. */
 5044         memset(&btprot, 0, sizeof btprio);
 5045         btprot.open = 1;
 5046         btprot.type = 1;
 5047         error = iwn_cmd(sc, IWN_CMD_BT_COEX_PROT, &btprot, sizeof(btprot), 1);
 5048         if (error != 0)
 5049                 return error;
 5050         btprot.open = 0;
 5051         return iwn_cmd(sc, IWN_CMD_BT_COEX_PROT, &btprot, sizeof(btprot), 1);
 5052 }
 5053 
 5054 static int
 5055 iwn5000_runtime_calib(struct iwn_softc *sc)
 5056 {
 5057         struct iwn5000_calib_config cmd;
 5058 
 5059         memset(&cmd, 0, sizeof cmd);
 5060         cmd.ucode.once.enable = 0xffffffff;
 5061         cmd.ucode.once.start = IWN5000_CALIB_DC;
 5062         DPRINTF(sc, IWN_DEBUG_CALIBRATE,
 5063             "%s: configuring runtime calibration\n", __func__);
 5064         return iwn_cmd(sc, IWN5000_CMD_CALIB_CONFIG, &cmd, sizeof(cmd), 0);
 5065 }
 5066 
 5067 static int
 5068 iwn_config(struct iwn_softc *sc)
 5069 {
 5070         struct iwn_ops *ops = &sc->ops;
 5071         struct ifnet *ifp = sc->sc_ifp;
 5072         struct ieee80211com *ic = ifp->if_l2com;
 5073         uint32_t txmask;
 5074         uint16_t rxchain;
 5075         int error;
 5076 
 5077         if (sc->hw_type == IWN_HW_REV_TYPE_6005) {
 5078                 /* Set radio temperature sensor offset. */
 5079                 error = iwn5000_temp_offset_calib(sc);
 5080                 if (error != 0) {
 5081                         device_printf(sc->sc_dev,
 5082                             "%s: could not set temperature offset\n", __func__);
 5083                         return error;
 5084                 }
 5085         }
 5086 
 5087         if (sc->hw_type == IWN_HW_REV_TYPE_6050) {
 5088                 /* Configure runtime DC calibration. */
 5089                 error = iwn5000_runtime_calib(sc);
 5090                 if (error != 0) {
 5091                         device_printf(sc->sc_dev,
 5092                             "%s: could not configure runtime calibration\n",
 5093                             __func__);
 5094                         return error;
 5095                 }
 5096         }
 5097 
 5098         /* Configure valid TX chains for >=5000 Series. */
 5099         if (sc->hw_type != IWN_HW_REV_TYPE_4965) {
 5100                 txmask = htole32(sc->txchainmask);
 5101                 DPRINTF(sc, IWN_DEBUG_RESET,
 5102                     "%s: configuring valid TX chains 0x%x\n", __func__, txmask);
 5103                 error = iwn_cmd(sc, IWN5000_CMD_TX_ANT_CONFIG, &txmask,
 5104                     sizeof txmask, 0);
 5105                 if (error != 0) {
 5106                         device_printf(sc->sc_dev,
 5107                             "%s: could not configure valid TX chains, "
 5108                             "error %d\n", __func__, error);
 5109                         return error;
 5110                 }
 5111         }
 5112 
 5113         /* Configure bluetooth coexistence. */
 5114         if (sc->sc_flags & IWN_FLAG_ADV_BTCOEX)
 5115                 error = iwn_send_advanced_btcoex(sc);
 5116         else
 5117                 error = iwn_send_btcoex(sc);
 5118         if (error != 0) {
 5119                 device_printf(sc->sc_dev,
 5120                     "%s: could not configure bluetooth coexistence, error %d\n",
 5121                     __func__, error);
 5122                 return error;
 5123         }
 5124 
 5125         /* Set mode, channel, RX filter and enable RX. */
 5126         memset(&sc->rxon, 0, sizeof (struct iwn_rxon));
 5127         IEEE80211_ADDR_COPY(sc->rxon.myaddr, IF_LLADDR(ifp));
 5128         IEEE80211_ADDR_COPY(sc->rxon.wlap, IF_LLADDR(ifp));
 5129         sc->rxon.chan = ieee80211_chan2ieee(ic, ic->ic_curchan);
 5130         sc->rxon.flags = htole32(IWN_RXON_TSF | IWN_RXON_CTS_TO_SELF);
 5131         if (IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
 5132                 sc->rxon.flags |= htole32(IWN_RXON_AUTO | IWN_RXON_24GHZ);
 5133         switch (ic->ic_opmode) {
 5134         case IEEE80211_M_STA:
 5135                 sc->rxon.mode = IWN_MODE_STA;
 5136                 sc->rxon.filter = htole32(IWN_FILTER_MULTICAST);
 5137                 break;
 5138         case IEEE80211_M_MONITOR:
 5139                 sc->rxon.mode = IWN_MODE_MONITOR;
 5140                 sc->rxon.filter = htole32(IWN_FILTER_MULTICAST |
 5141                     IWN_FILTER_CTL | IWN_FILTER_PROMISC);
 5142                 break;
 5143         default:
 5144                 /* Should not get there. */
 5145                 break;
 5146         }
 5147         sc->rxon.cck_mask  = 0x0f;      /* not yet negotiated */
 5148         sc->rxon.ofdm_mask = 0xff;      /* not yet negotiated */
 5149         sc->rxon.ht_single_mask = 0xff;
 5150         sc->rxon.ht_dual_mask = 0xff;
 5151         sc->rxon.ht_triple_mask = 0xff;
 5152         rxchain =
 5153             IWN_RXCHAIN_VALID(sc->rxchainmask) |
 5154             IWN_RXCHAIN_MIMO_COUNT(2) |
 5155             IWN_RXCHAIN_IDLE_COUNT(2);
 5156         sc->rxon.rxchain = htole16(rxchain);
 5157         DPRINTF(sc, IWN_DEBUG_RESET, "%s: setting configuration\n", __func__);
 5158         error = iwn_cmd(sc, IWN_CMD_RXON, &sc->rxon, sc->rxonsz, 0);
 5159         if (error != 0) {
 5160                 device_printf(sc->sc_dev, "%s: RXON command failed\n",
 5161                     __func__);
 5162                 return error;
 5163         }
 5164 
 5165         if ((error = iwn_add_broadcast_node(sc, 0)) != 0) {
 5166                 device_printf(sc->sc_dev, "%s: could not add broadcast node\n",
 5167                     __func__);
 5168                 return error;
 5169         }
 5170 
 5171         /* Configuration has changed, set TX power accordingly. */
 5172         if ((error = ops->set_txpower(sc, ic->ic_curchan, 0)) != 0) {
 5173                 device_printf(sc->sc_dev, "%s: could not set TX power\n",
 5174                     __func__);
 5175                 return error;
 5176         }
 5177 
 5178         if ((error = iwn_set_critical_temp(sc)) != 0) {
 5179                 device_printf(sc->sc_dev,
 5180                     "%s: could not set critical temperature\n", __func__);
 5181                 return error;
 5182         }
 5183 
 5184         /* Set power saving level to CAM during initialization. */
 5185         if ((error = iwn_set_pslevel(sc, 0, 0, 0)) != 0) {
 5186                 device_printf(sc->sc_dev,
 5187                     "%s: could not set power saving level\n", __func__);
 5188                 return error;
 5189         }
 5190         return 0;
 5191 }
 5192 
 5193 /*
 5194  * Add an ssid element to a frame.
 5195  */
 5196 static uint8_t *
 5197 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len)
 5198 {
 5199         *frm++ = IEEE80211_ELEMID_SSID;
 5200         *frm++ = len;
 5201         memcpy(frm, ssid, len);
 5202         return frm + len;
 5203 }
 5204 
 5205 static int
 5206 iwn_scan(struct iwn_softc *sc)
 5207 {
 5208         struct ifnet *ifp = sc->sc_ifp;
 5209         struct ieee80211com *ic = ifp->if_l2com;
 5210         struct ieee80211_scan_state *ss = ic->ic_scan;  /*XXX*/
 5211         struct ieee80211_node *ni = ss->ss_vap->iv_bss;
 5212         struct iwn_scan_hdr *hdr;
 5213         struct iwn_cmd_data *tx;
 5214         struct iwn_scan_essid *essid;
 5215         struct iwn_scan_chan *chan;
 5216         struct ieee80211_frame *wh;
 5217         struct ieee80211_rateset *rs;
 5218         struct ieee80211_channel *c;
 5219         uint8_t *buf, *frm;
 5220         uint16_t rxchain;
 5221         uint8_t txant;
 5222         int buflen, error;
 5223 
 5224         buf = malloc(IWN_SCAN_MAXSZ, M_DEVBUF, M_NOWAIT | M_ZERO);
 5225         if (buf == NULL) {
 5226                 device_printf(sc->sc_dev,
 5227                     "%s: could not allocate buffer for scan command\n",
 5228                     __func__);
 5229                 return ENOMEM;
 5230         }
 5231         hdr = (struct iwn_scan_hdr *)buf;
 5232         /*
 5233          * Move to the next channel if no frames are received within 10ms
 5234          * after sending the probe request.
 5235          */
 5236         hdr->quiet_time = htole16(10);          /* timeout in milliseconds */
 5237         hdr->quiet_threshold = htole16(1);      /* min # of packets */
 5238 
 5239         /* Select antennas for scanning. */
 5240         rxchain =
 5241             IWN_RXCHAIN_VALID(sc->rxchainmask) |
 5242             IWN_RXCHAIN_FORCE_MIMO_SEL(sc->rxchainmask) |
 5243             IWN_RXCHAIN_DRIVER_FORCE;
 5244         if (IEEE80211_IS_CHAN_A(ic->ic_curchan) &&
 5245             sc->hw_type == IWN_HW_REV_TYPE_4965) {
 5246                 /* Ant A must be avoided in 5GHz because of an HW bug. */
 5247                 rxchain |= IWN_RXCHAIN_FORCE_SEL(IWN_ANT_B);
 5248         } else  /* Use all available RX antennas. */
 5249                 rxchain |= IWN_RXCHAIN_FORCE_SEL(sc->rxchainmask);
 5250         hdr->rxchain = htole16(rxchain);
 5251         hdr->filter = htole32(IWN_FILTER_MULTICAST | IWN_FILTER_BEACON);
 5252 
 5253         tx = (struct iwn_cmd_data *)(hdr + 1);
 5254         tx->flags = htole32(IWN_TX_AUTO_SEQ);
 5255         tx->id = sc->broadcast_id;
 5256         tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
 5257 
 5258         if (IEEE80211_IS_CHAN_5GHZ(ic->ic_curchan)) {
 5259                 /* Send probe requests at 6Mbps. */
 5260                 tx->rate = htole32(0xd);
 5261                 rs = &ic->ic_sup_rates[IEEE80211_MODE_11A];
 5262         } else {
 5263                 hdr->flags = htole32(IWN_RXON_24GHZ | IWN_RXON_AUTO);
 5264                 if (sc->hw_type == IWN_HW_REV_TYPE_4965 &&
 5265                     sc->rxon.associd && sc->rxon.chan > 14)
 5266                         tx->rate = htole32(0xd);
 5267                 else {
 5268                         /* Send probe requests at 1Mbps. */
 5269                         tx->rate = htole32(10 | IWN_RFLAG_CCK);
 5270                 }
 5271                 rs = &ic->ic_sup_rates[IEEE80211_MODE_11G];
 5272         }
 5273         /* Use the first valid TX antenna. */
 5274         txant = IWN_LSB(sc->txchainmask);
 5275         tx->rate |= htole32(IWN_RFLAG_ANT(txant));
 5276 
 5277         essid = (struct iwn_scan_essid *)(tx + 1);
 5278         if (ss->ss_ssid[0].len != 0) {
 5279                 essid[0].id = IEEE80211_ELEMID_SSID;
 5280                 essid[0].len = ss->ss_ssid[0].len;
 5281                 memcpy(essid[0].data, ss->ss_ssid[0].ssid, ss->ss_ssid[0].len);
 5282         }
 5283         /*
 5284          * Build a probe request frame.  Most of the following code is a
 5285          * copy & paste of what is done in net80211.
 5286          */
 5287         wh = (struct ieee80211_frame *)(essid + 20);
 5288         wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
 5289             IEEE80211_FC0_SUBTYPE_PROBE_REQ;
 5290         wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
 5291         IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr);
 5292         IEEE80211_ADDR_COPY(wh->i_addr2, IF_LLADDR(ifp));
 5293         IEEE80211_ADDR_COPY(wh->i_addr3, ifp->if_broadcastaddr);
 5294         *(uint16_t *)&wh->i_dur[0] = 0; /* filled by HW */
 5295         *(uint16_t *)&wh->i_seq[0] = 0; /* filled by HW */
 5296 
 5297         frm = (uint8_t *)(wh + 1);
 5298         frm = ieee80211_add_ssid(frm, NULL, 0);
 5299         frm = ieee80211_add_rates(frm, rs);
 5300         if (rs->rs_nrates > IEEE80211_RATE_SIZE)
 5301                 frm = ieee80211_add_xrates(frm, rs);
 5302         if (ic->ic_htcaps & IEEE80211_HTC_HT)
 5303                 frm = ieee80211_add_htcap(frm, ni);
 5304 
 5305         /* Set length of probe request. */
 5306         tx->len = htole16(frm - (uint8_t *)wh);
 5307 
 5308         c = ic->ic_curchan;
 5309         chan = (struct iwn_scan_chan *)frm;
 5310         chan->chan = htole16(ieee80211_chan2ieee(ic, c));
 5311         chan->flags = 0;
 5312         if (ss->ss_nssid > 0)
 5313                 chan->flags |= htole32(IWN_CHAN_NPBREQS(1));
 5314         chan->dsp_gain = 0x6e;
 5315         if (IEEE80211_IS_CHAN_5GHZ(c) &&
 5316             !(c->ic_flags & IEEE80211_CHAN_PASSIVE)) {
 5317                 chan->rf_gain = 0x3b;
 5318                 chan->active  = htole16(24);
 5319                 chan->passive = htole16(110);
 5320                 chan->flags |= htole32(IWN_CHAN_ACTIVE);
 5321         } else if (IEEE80211_IS_CHAN_5GHZ(c)) {
 5322                 chan->rf_gain = 0x3b;
 5323                 chan->active  = htole16(24);
 5324                 if (sc->rxon.associd)
 5325                         chan->passive = htole16(78);
 5326                 else
 5327                         chan->passive = htole16(110);
 5328                 hdr->crc_threshold = 0xffff;
 5329         } else if (!(c->ic_flags & IEEE80211_CHAN_PASSIVE)) {
 5330                 chan->rf_gain = 0x28;
 5331                 chan->active  = htole16(36);
 5332                 chan->passive = htole16(120);
 5333                 chan->flags |= htole32(IWN_CHAN_ACTIVE);
 5334         } else {
 5335                 chan->rf_gain = 0x28;
 5336                 chan->active  = htole16(36);
 5337                 if (sc->rxon.associd)
 5338                         chan->passive = htole16(88);
 5339                 else
 5340                         chan->passive = htole16(120);
 5341                 hdr->crc_threshold = 0xffff;
 5342         }
 5343 
 5344         DPRINTF(sc, IWN_DEBUG_STATE,
 5345             "%s: chan %u flags 0x%x rf_gain 0x%x "
 5346             "dsp_gain 0x%x active 0x%x passive 0x%x\n", __func__,
 5347             chan->chan, chan->flags, chan->rf_gain, chan->dsp_gain,
 5348             chan->active, chan->passive);
 5349 
 5350         hdr->nchan++;
 5351         chan++;
 5352         buflen = (uint8_t *)chan - buf;
 5353         hdr->len = htole16(buflen);
 5354 
 5355         DPRINTF(sc, IWN_DEBUG_STATE, "sending scan command nchan=%d\n",
 5356             hdr->nchan);
 5357         error = iwn_cmd(sc, IWN_CMD_SCAN, buf, buflen, 1);
 5358         free(buf, M_DEVBUF);
 5359         return error;
 5360 }
 5361 
 5362 static int
 5363 iwn_auth(struct iwn_softc *sc, struct ieee80211vap *vap)
 5364 {
 5365         struct iwn_ops *ops = &sc->ops;
 5366         struct ifnet *ifp = sc->sc_ifp;
 5367         struct ieee80211com *ic = ifp->if_l2com;
 5368         struct ieee80211_node *ni = vap->iv_bss;
 5369         int error;
 5370 
 5371         /* Update adapter configuration. */
 5372         IEEE80211_ADDR_COPY(sc->rxon.bssid, ni->ni_bssid);
 5373         sc->rxon.chan = ieee80211_chan2ieee(ic, ni->ni_chan);
 5374         sc->rxon.flags = htole32(IWN_RXON_TSF | IWN_RXON_CTS_TO_SELF);
 5375         if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
 5376                 sc->rxon.flags |= htole32(IWN_RXON_AUTO | IWN_RXON_24GHZ);
 5377         if (ic->ic_flags & IEEE80211_F_SHSLOT)
 5378                 sc->rxon.flags |= htole32(IWN_RXON_SHSLOT);
 5379         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
 5380                 sc->rxon.flags |= htole32(IWN_RXON_SHPREAMBLE);
 5381         if (IEEE80211_IS_CHAN_A(ni->ni_chan)) {
 5382                 sc->rxon.cck_mask  = 0;
 5383                 sc->rxon.ofdm_mask = 0x15;
 5384         } else if (IEEE80211_IS_CHAN_B(ni->ni_chan)) {
 5385                 sc->rxon.cck_mask  = 0x03;
 5386                 sc->rxon.ofdm_mask = 0;
 5387         } else {
 5388                 /* Assume 802.11b/g. */
 5389                 sc->rxon.cck_mask  = 0x0f;
 5390                 sc->rxon.ofdm_mask = 0x15;
 5391         }
 5392         DPRINTF(sc, IWN_DEBUG_STATE, "rxon chan %d flags %x cck %x ofdm %x\n",
 5393             sc->rxon.chan, sc->rxon.flags, sc->rxon.cck_mask,
 5394             sc->rxon.ofdm_mask);
 5395         error = iwn_cmd(sc, IWN_CMD_RXON, &sc->rxon, sc->rxonsz, 1);
 5396         if (error != 0) {
 5397                 device_printf(sc->sc_dev, "%s: RXON command failed, error %d\n",
 5398                     __func__, error);
 5399                 return error;
 5400         }
 5401 
 5402         /* Configuration has changed, set TX power accordingly. */
 5403         if ((error = ops->set_txpower(sc, ni->ni_chan, 1)) != 0) {
 5404                 device_printf(sc->sc_dev,
 5405                     "%s: could not set TX power, error %d\n", __func__, error);
 5406                 return error;
 5407         }
 5408         /*
 5409          * Reconfiguring RXON clears the firmware nodes table so we must
 5410          * add the broadcast node again.
 5411          */
 5412         if ((error = iwn_add_broadcast_node(sc, 1)) != 0) {
 5413                 device_printf(sc->sc_dev,
 5414                     "%s: could not add broadcast node, error %d\n", __func__,
 5415                     error);
 5416                 return error;
 5417         }
 5418         return 0;
 5419 }
 5420 
 5421 static int
 5422 iwn_run(struct iwn_softc *sc, struct ieee80211vap *vap)
 5423 {
 5424         struct iwn_ops *ops = &sc->ops;
 5425         struct ifnet *ifp = sc->sc_ifp;
 5426         struct ieee80211com *ic = ifp->if_l2com;
 5427         struct ieee80211_node *ni = vap->iv_bss;
 5428         struct iwn_node_info node;
 5429         uint32_t htflags = 0;
 5430         int error;
 5431 
 5432         if (ic->ic_opmode == IEEE80211_M_MONITOR) {
 5433                 /* Link LED blinks while monitoring. */
 5434                 iwn_set_led(sc, IWN_LED_LINK, 5, 5);
 5435                 return 0;
 5436         }
 5437         if ((error = iwn_set_timing(sc, ni)) != 0) {
 5438                 device_printf(sc->sc_dev,
 5439                     "%s: could not set timing, error %d\n", __func__, error);
 5440                 return error;
 5441         }
 5442 
 5443         /* Update adapter configuration. */
 5444         IEEE80211_ADDR_COPY(sc->rxon.bssid, ni->ni_bssid);
 5445         sc->rxon.associd = htole16(IEEE80211_AID(ni->ni_associd));
 5446         sc->rxon.chan = ieee80211_chan2ieee(ic, ni->ni_chan);
 5447         sc->rxon.flags = htole32(IWN_RXON_TSF | IWN_RXON_CTS_TO_SELF);
 5448         if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
 5449                 sc->rxon.flags |= htole32(IWN_RXON_AUTO | IWN_RXON_24GHZ);
 5450         if (ic->ic_flags & IEEE80211_F_SHSLOT)
 5451                 sc->rxon.flags |= htole32(IWN_RXON_SHSLOT);
 5452         if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
 5453                 sc->rxon.flags |= htole32(IWN_RXON_SHPREAMBLE);
 5454         if (IEEE80211_IS_CHAN_A(ni->ni_chan)) {
 5455                 sc->rxon.cck_mask  = 0;
 5456                 sc->rxon.ofdm_mask = 0x15;
 5457         } else if (IEEE80211_IS_CHAN_B(ni->ni_chan)) {
 5458                 sc->rxon.cck_mask  = 0x03;
 5459                 sc->rxon.ofdm_mask = 0;
 5460         } else {
 5461                 /* Assume 802.11b/g. */
 5462                 sc->rxon.cck_mask  = 0x0f;
 5463                 sc->rxon.ofdm_mask = 0x15;
 5464         }
 5465         if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) {
 5466                 htflags |= IWN_RXON_HT_PROTMODE(ic->ic_curhtprotmode);
 5467                 if (IEEE80211_IS_CHAN_HT40(ni->ni_chan)) {
 5468                         switch (ic->ic_curhtprotmode) {
 5469                         case IEEE80211_HTINFO_OPMODE_HT20PR:
 5470                                 htflags |= IWN_RXON_HT_MODEPURE40;
 5471                                 break;
 5472                         default:
 5473                                 htflags |= IWN_RXON_HT_MODEMIXED;
 5474                                 break;
 5475                         }
 5476                 }
 5477                 if (IEEE80211_IS_CHAN_HT40D(ni->ni_chan))
 5478                         htflags |= IWN_RXON_HT_HT40MINUS;
 5479         }
 5480         sc->rxon.flags |= htole32(htflags);
 5481         sc->rxon.filter |= htole32(IWN_FILTER_BSS);
 5482         DPRINTF(sc, IWN_DEBUG_STATE, "rxon chan %d flags %x\n",
 5483             sc->rxon.chan, sc->rxon.flags);
 5484         error = iwn_cmd(sc, IWN_CMD_RXON, &sc->rxon, sc->rxonsz, 1);
 5485         if (error != 0) {
 5486                 device_printf(sc->sc_dev,
 5487                     "%s: could not update configuration, error %d\n", __func__,
 5488                     error);
 5489                 return error;
 5490         }
 5491 
 5492         /* Configuration has changed, set TX power accordingly. */
 5493         if ((error = ops->set_txpower(sc, ni->ni_chan, 1)) != 0) {
 5494                 device_printf(sc->sc_dev,
 5495                     "%s: could not set TX power, error %d\n", __func__, error);
 5496                 return error;
 5497         }
 5498 
 5499         /* Fake a join to initialize the TX rate. */
 5500         ((struct iwn_node *)ni)->id = IWN_ID_BSS;
 5501         iwn_newassoc(ni, 1);
 5502 
 5503         /* Add BSS node. */
 5504         memset(&node, 0, sizeof node);
 5505         IEEE80211_ADDR_COPY(node.macaddr, ni->ni_macaddr);
 5506         node.id = IWN_ID_BSS;
 5507         if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) {
 5508                 switch (ni->ni_htcap & IEEE80211_HTCAP_SMPS) {
 5509                 case IEEE80211_HTCAP_SMPS_ENA:
 5510                         node.htflags |= htole32(IWN_SMPS_MIMO_DIS);
 5511                         break;
 5512                 case IEEE80211_HTCAP_SMPS_DYNAMIC:
 5513                         node.htflags |= htole32(IWN_SMPS_MIMO_PROT);
 5514                         break;
 5515                 }
 5516                 node.htflags |= htole32(IWN_AMDPU_SIZE_FACTOR(3) |
 5517                     IWN_AMDPU_DENSITY(5));      /* 4us */
 5518                 if (IEEE80211_IS_CHAN_HT40(ni->ni_chan))
 5519                         node.htflags |= htole32(IWN_NODE_HT40);
 5520         }
 5521         DPRINTF(sc, IWN_DEBUG_STATE, "%s: adding BSS node\n", __func__);
 5522         error = ops->add_node(sc, &node, 1);
 5523         if (error != 0) {
 5524                 device_printf(sc->sc_dev,
 5525                     "%s: could not add BSS node, error %d\n", __func__, error);
 5526                 return error;
 5527         }
 5528         DPRINTF(sc, IWN_DEBUG_STATE, "%s: setting link quality for node %d\n",
 5529             __func__, node.id);
 5530         if ((error = iwn_set_link_quality(sc, ni)) != 0) {
 5531                 device_printf(sc->sc_dev,
 5532                     "%s: could not setup link quality for node %d, error %d\n",
 5533                     __func__, node.id, error);
 5534                 return error;
 5535         }
 5536 
 5537         if ((error = iwn_init_sensitivity(sc)) != 0) {
 5538                 device_printf(sc->sc_dev,
 5539                     "%s: could not set sensitivity, error %d\n", __func__,
 5540                     error);
 5541                 return error;
 5542         }
 5543         /* Start periodic calibration timer. */
 5544         sc->calib.state = IWN_CALIB_STATE_ASSOC;
 5545         sc->calib_cnt = 0;
 5546         callout_reset(&sc->calib_to, msecs_to_ticks(500), iwn_calib_timeout,
 5547             sc);
 5548 
 5549         /* Link LED always on while associated. */
 5550         iwn_set_led(sc, IWN_LED_LINK, 0, 1);
 5551         return 0;
 5552 }
 5553 
 5554 /*
 5555  * This function is called by upper layer when an ADDBA request is received
 5556  * from another STA and before the ADDBA response is sent.
 5557  */
 5558 static int
 5559 iwn_ampdu_rx_start(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap,
 5560     int baparamset, int batimeout, int baseqctl)
 5561 {
 5562 #define MS(_v, _f)      (((_v) & _f) >> _f##_S)
 5563         struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
 5564         struct iwn_ops *ops = &sc->ops;
 5565         struct iwn_node *wn = (void *)ni;
 5566         struct iwn_node_info node;
 5567         uint16_t ssn;
 5568         uint8_t tid;
 5569         int error;
 5570 
 5571         tid = MS(le16toh(baparamset), IEEE80211_BAPS_TID);
 5572         ssn = MS(le16toh(baseqctl), IEEE80211_BASEQ_START);
 5573 
 5574         memset(&node, 0, sizeof node);
 5575         node.id = wn->id;
 5576         node.control = IWN_NODE_UPDATE;
 5577         node.flags = IWN_FLAG_SET_ADDBA;
 5578         node.addba_tid = tid;
 5579         node.addba_ssn = htole16(ssn);
 5580         DPRINTF(sc, IWN_DEBUG_RECV, "ADDBA RA=%d TID=%d SSN=%d\n",
 5581             wn->id, tid, ssn);
 5582         error = ops->add_node(sc, &node, 1);
 5583         if (error != 0)
 5584                 return error;
 5585         return sc->sc_ampdu_rx_start(ni, rap, baparamset, batimeout, baseqctl);
 5586 #undef MS
 5587 }
 5588 
 5589 /*
 5590  * This function is called by upper layer on teardown of an HT-immediate
 5591  * Block Ack agreement (eg. uppon receipt of a DELBA frame).
 5592  */
 5593 static void
 5594 iwn_ampdu_rx_stop(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap)
 5595 {
 5596         struct ieee80211com *ic = ni->ni_ic;
 5597         struct iwn_softc *sc = ic->ic_ifp->if_softc;
 5598         struct iwn_ops *ops = &sc->ops;
 5599         struct iwn_node *wn = (void *)ni;
 5600         struct iwn_node_info node;
 5601         uint8_t tid;
 5602 
 5603         /* XXX: tid as an argument */
 5604         for (tid = 0; tid < WME_NUM_TID; tid++) {
 5605                 if (&ni->ni_rx_ampdu[tid] == rap)
 5606                         break;
 5607         }
 5608 
 5609         memset(&node, 0, sizeof node);
 5610         node.id = wn->id;
 5611         node.control = IWN_NODE_UPDATE;
 5612         node.flags = IWN_FLAG_SET_DELBA;
 5613         node.delba_tid = tid;
 5614         DPRINTF(sc, IWN_DEBUG_RECV, "DELBA RA=%d TID=%d\n", wn->id, tid);
 5615         (void)ops->add_node(sc, &node, 1);
 5616         sc->sc_ampdu_rx_stop(ni, rap);
 5617 }
 5618 
 5619 static int
 5620 iwn_addba_request(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap,
 5621     int dialogtoken, int baparamset, int batimeout)
 5622 {
 5623         struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
 5624         int qid;
 5625 
 5626         for (qid = sc->firstaggqueue; qid < sc->ntxqs; qid++) {
 5627                 if (sc->qid2tap[qid] == NULL)
 5628                         break;
 5629         }
 5630         if (qid == sc->ntxqs) {
 5631                 DPRINTF(sc, IWN_DEBUG_XMIT, "%s: not free aggregation queue\n",
 5632                     __func__);
 5633                 return 0;
 5634         }
 5635         tap->txa_private = malloc(sizeof(int), M_DEVBUF, M_NOWAIT);
 5636         if (tap->txa_private == NULL) {
 5637                 device_printf(sc->sc_dev,
 5638                     "%s: failed to alloc TX aggregation structure\n", __func__);
 5639                 return 0;
 5640         }
 5641         sc->qid2tap[qid] = tap;
 5642         *(int *)tap->txa_private = qid;
 5643         return sc->sc_addba_request(ni, tap, dialogtoken, baparamset,
 5644             batimeout);
 5645 }
 5646 
 5647 static int
 5648 iwn_addba_response(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap,
 5649     int code, int baparamset, int batimeout)
 5650 {
 5651         struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
 5652         int qid = *(int *)tap->txa_private;
 5653         uint8_t tid = WME_AC_TO_TID(tap->txa_ac);
 5654         int ret;
 5655 
 5656         if (code == IEEE80211_STATUS_SUCCESS) {
 5657                 ni->ni_txseqs[tid] = tap->txa_start & 0xfff;
 5658                 ret = iwn_ampdu_tx_start(ni->ni_ic, ni, tid);
 5659                 if (ret != 1)
 5660                         return ret;
 5661         } else {
 5662                 sc->qid2tap[qid] = NULL;
 5663                 free(tap->txa_private, M_DEVBUF);
 5664                 tap->txa_private = NULL;
 5665         }
 5666         return sc->sc_addba_response(ni, tap, code, baparamset, batimeout);
 5667 }
 5668 
 5669 /*
 5670  * This function is called by upper layer when an ADDBA response is received
 5671  * from another STA.
 5672  */
 5673 static int
 5674 iwn_ampdu_tx_start(struct ieee80211com *ic, struct ieee80211_node *ni,
 5675     uint8_t tid)
 5676 {
 5677         struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[TID_TO_WME_AC(tid)];
 5678         struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
 5679         struct iwn_ops *ops = &sc->ops;
 5680         struct iwn_node *wn = (void *)ni;
 5681         struct iwn_node_info node;
 5682         int error, qid;
 5683 
 5684         /* Enable TX for the specified RA/TID. */
 5685         wn->disable_tid &= ~(1 << tid);
 5686         memset(&node, 0, sizeof node);
 5687         node.id = wn->id;
 5688         node.control = IWN_NODE_UPDATE;
 5689         node.flags = IWN_FLAG_SET_DISABLE_TID;
 5690         node.disable_tid = htole16(wn->disable_tid);
 5691         error = ops->add_node(sc, &node, 1);
 5692         if (error != 0)
 5693                 return 0;
 5694 
 5695         if ((error = iwn_nic_lock(sc)) != 0)
 5696                 return 0;
 5697         qid = *(int *)tap->txa_private;
 5698         DPRINTF(sc, IWN_DEBUG_XMIT, "%s: ra=%d tid=%d ssn=%d qid=%d\n",
 5699             __func__, wn->id, tid, tap->txa_start, qid);
 5700         ops->ampdu_tx_start(sc, ni, qid, tid, tap->txa_start & 0xfff);
 5701         iwn_nic_unlock(sc);
 5702 
 5703         iwn_set_link_quality(sc, ni);
 5704         return 1;
 5705 }
 5706 
 5707 static void
 5708 iwn_ampdu_tx_stop(struct ieee80211_node *ni, struct ieee80211_tx_ampdu *tap)
 5709 {
 5710         struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
 5711         struct iwn_ops *ops = &sc->ops;
 5712         uint8_t tid = WME_AC_TO_TID(tap->txa_ac);
 5713         int qid;
 5714 
 5715         sc->sc_addba_stop(ni, tap);
 5716 
 5717         if (tap->txa_private == NULL)
 5718                 return;
 5719 
 5720         qid = *(int *)tap->txa_private;
 5721         if (sc->txq[qid].queued != 0)
 5722                 return;
 5723         if (iwn_nic_lock(sc) != 0)
 5724                 return;
 5725         ops->ampdu_tx_stop(sc, qid, tid, tap->txa_start & 0xfff);
 5726         iwn_nic_unlock(sc);
 5727         sc->qid2tap[qid] = NULL;
 5728         free(tap->txa_private, M_DEVBUF);
 5729         tap->txa_private = NULL;
 5730 }
 5731 
 5732 static void
 5733 iwn4965_ampdu_tx_start(struct iwn_softc *sc, struct ieee80211_node *ni,
 5734     int qid, uint8_t tid, uint16_t ssn)
 5735 {
 5736         struct iwn_node *wn = (void *)ni;
 5737 
 5738         /* Stop TX scheduler while we're changing its configuration. */
 5739         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
 5740             IWN4965_TXQ_STATUS_CHGACT);
 5741 
 5742         /* Assign RA/TID translation to the queue. */
 5743         iwn_mem_write_2(sc, sc->sched_base + IWN4965_SCHED_TRANS_TBL(qid),
 5744             wn->id << 4 | tid);
 5745 
 5746         /* Enable chain-building mode for the queue. */
 5747         iwn_prph_setbits(sc, IWN4965_SCHED_QCHAIN_SEL, 1 << qid);
 5748 
 5749         /* Set starting sequence number from the ADDBA request. */
 5750         sc->txq[qid].cur = sc->txq[qid].read = (ssn & 0xff);
 5751         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | (ssn & 0xff));
 5752         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_RDPTR(qid), ssn);
 5753 
 5754         /* Set scheduler window size. */
 5755         iwn_mem_write(sc, sc->sched_base + IWN4965_SCHED_QUEUE_OFFSET(qid),
 5756             IWN_SCHED_WINSZ);
 5757         /* Set scheduler frame limit. */
 5758         iwn_mem_write(sc, sc->sched_base + IWN4965_SCHED_QUEUE_OFFSET(qid) + 4,
 5759             IWN_SCHED_LIMIT << 16);
 5760 
 5761         /* Enable interrupts for the queue. */
 5762         iwn_prph_setbits(sc, IWN4965_SCHED_INTR_MASK, 1 << qid);
 5763 
 5764         /* Mark the queue as active. */
 5765         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
 5766             IWN4965_TXQ_STATUS_ACTIVE | IWN4965_TXQ_STATUS_AGGR_ENA |
 5767             iwn_tid2fifo[tid] << 1);
 5768 }
 5769 
 5770 static void
 5771 iwn4965_ampdu_tx_stop(struct iwn_softc *sc, int qid, uint8_t tid, uint16_t ssn)
 5772 {
 5773         /* Stop TX scheduler while we're changing its configuration. */
 5774         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
 5775             IWN4965_TXQ_STATUS_CHGACT);
 5776 
 5777         /* Set starting sequence number from the ADDBA request. */
 5778         IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | (ssn & 0xff));
 5779         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_RDPTR(qid), ssn);
 5780 
 5781         /* Disable interrupts for the queue. */
 5782         iwn_prph_clrbits(sc, IWN4965_SCHED_INTR_MASK, 1 << qid);
 5783 
 5784         /* Mark the queue as inactive. */
 5785         iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
 5786             IWN4965_TXQ_STATUS_INACTIVE | iwn_tid2fifo[tid] << 1);
 5787 }
 5788 
 5789 static void
 5790 iwn5000_ampdu_tx_start(struct iwn_softc *sc, struct ieee80211_node *ni,
 5791     int qid, uint8_t tid, uint16_t ssn)
 5792 {
 5793         struct iwn_node *wn = (void *)ni;
 5794 
 5795         /* Stop TX scheduler while we're changing its configuration. */
 5796         iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
 5797             IWN5000_TXQ_STATUS_CHGACT);
 5798 
 5799         /* Assign RA/TID translation to the queue. */
 5800         iwn_mem_write_2(sc, sc->sched_base + IWN5000_SCHED_TRANS_TBL(qid),
 5801             wn->id << 4 | tid);
 5802 
 5803         /* Enable chain-building mode for the queue. */
 5804         iwn_prph_setbits(sc, IWN5000_SCHED_QCHAIN_SEL, 1 << qid);
 5805 
 5806         /* Enable aggregation for the queue. */
 5807         iwn_prph_setbits(sc, IWN5000_SCHED_AGGR_SEL, 1 << qid);
 5808 
 5809         /* Set starting sequence number from the ADDBA request. */
 5810         sc->txq[qid].cur = sc->txq[qid].read = (ssn & 0xff);
 5811         IWN_WRITE(sc,