xref: /illumos-gate/usr/src/uts/common/io/mwl/mwl.c (revision 0dc2366f)
1 /*
2  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting
8  * Copyright (c) 2007-2008 Marvell Semiconductor, Inc.
9  * All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer,
16  *    without modification.
17  * 2. Redistributions in binary form must reproduce at minimum a disclaimer
18  *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
19  *    redistribution must be conditioned upon including a substantially
20  *    similar Disclaimer requirement for further binary redistribution.
21  *
22  * NO WARRANTY
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
26  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
27  * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
28  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
31  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
33  * THE POSSIBILITY OF SUCH DAMAGES.
34  */
35 
36 /*
37  * Driver for the Marvell 88W8363 Wireless LAN controller.
38  */
39 #include <sys/stat.h>
40 #include <sys/dlpi.h>
41 #include <inet/common.h>
42 #include <inet/mi.h>
43 #include <sys/stream.h>
44 #include <sys/errno.h>
45 #include <sys/stropts.h>
46 #include <sys/stat.h>
47 #include <sys/sunddi.h>
48 #include <sys/strsubr.h>
49 #include <sys/strsun.h>
50 #include <sys/pci.h>
51 #include <sys/mac_provider.h>
52 #include <sys/mac_wifi.h>
53 #include <sys/net80211.h>
54 #include <inet/wifi_ioctl.h>
55 
56 #include "mwl_var.h"
57 
58 static int mwl_attach(dev_info_t *devinfo, ddi_attach_cmd_t cmd);
59 static int mwl_detach(dev_info_t *devinfo, ddi_detach_cmd_t cmd);
60 static int mwl_quiesce(dev_info_t *devinfo);
61 
62 DDI_DEFINE_STREAM_OPS(mwl_dev_ops, nulldev, nulldev, mwl_attach, mwl_detach,
63     nodev, NULL, D_MP, NULL, mwl_quiesce);
64 
65 static struct modldrv mwl_modldrv = {
66 	&mod_driverops,	/* Type of module.  This one is a driver */
67 	"Marvell 88W8363 WiFi driver v1.1",	/* short description */
68 	&mwl_dev_ops	/* driver specific ops */
69 };
70 
71 static struct modlinkage modlinkage = {
72 	MODREV_1, (void *)&mwl_modldrv, NULL
73 };
74 
75 static void *mwl_soft_state_p = NULL;
76 
77 static int	mwl_m_stat(void *,  uint_t, uint64_t *);
78 static int	mwl_m_start(void *);
79 static void	mwl_m_stop(void *);
80 static int	mwl_m_promisc(void *, boolean_t);
81 static int	mwl_m_multicst(void *, boolean_t, const uint8_t *);
82 static int	mwl_m_unicst(void *, const uint8_t *);
83 static mblk_t	*mwl_m_tx(void *, mblk_t *);
84 static void	mwl_m_ioctl(void *, queue_t *, mblk_t *);
85 static int	mwl_m_setprop(void *arg, const char *pr_name,
86 		    mac_prop_id_t wldp_pr_num,
87 		    uint_t wldp_length, const void *wldp_buf);
88 static int	mwl_m_getprop(void *arg, const char *pr_name,
89 		    mac_prop_id_t wldp_pr_num, uint_t wldp_length,
90 		    void *wldp_buf);
91 static void	mwl_m_propinfo(void *, const char *, mac_prop_id_t,
92     mac_prop_info_handle_t);
93 
94 static mac_callbacks_t mwl_m_callbacks = {
95 	MC_IOCTL | MC_SETPROP | MC_GETPROP | MC_PROPINFO,
96 	mwl_m_stat,
97 	mwl_m_start,
98 	mwl_m_stop,
99 	mwl_m_promisc,
100 	mwl_m_multicst,
101 	mwl_m_unicst,
102 	mwl_m_tx,
103 	NULL,
104 	mwl_m_ioctl,
105 	NULL,
106 	NULL,
107 	NULL,
108 	mwl_m_setprop,
109 	mwl_m_getprop,
110 	mwl_m_propinfo
111 };
112 
113 #define	MWL_DBG_ATTACH		(1 << 0)
114 #define	MWL_DBG_DMA		(1 << 1)
115 #define	MWL_DBG_FW		(1 << 2)
116 #define	MWL_DBG_HW		(1 << 3)
117 #define	MWL_DBG_INTR		(1 << 4)
118 #define	MWL_DBG_RX		(1 << 5)
119 #define	MWL_DBG_TX		(1 << 6)
120 #define	MWL_DBG_CMD		(1 << 7)
121 #define	MWL_DBG_CRYPTO		(1 << 8)
122 #define	MWL_DBG_SR		(1 << 9)
123 #define	MWL_DBG_MSG		(1 << 10)
124 
125 uint32_t mwl_dbg_flags = 0x0;
126 
127 #ifdef DEBUG
128 #define	MWL_DBG	\
129 	mwl_debug
130 #else
131 #define	MWL_DBG
132 #endif
133 
134 /*
135  * PIO access attributes for registers
136  */
137 static ddi_device_acc_attr_t mwl_reg_accattr = {
138 	DDI_DEVICE_ATTR_V0,
139 	DDI_STRUCTURE_LE_ACC,
140 	DDI_STRICTORDER_ACC,
141 	DDI_DEFAULT_ACC
142 };
143 
144 static ddi_device_acc_attr_t mwl_cmdbuf_accattr = {
145 	DDI_DEVICE_ATTR_V0,
146 	DDI_NEVERSWAP_ACC,
147 	DDI_STRICTORDER_ACC,
148 	DDI_DEFAULT_ACC
149 };
150 
151 /*
152  * DMA access attributes for descriptors and bufs: NOT to be byte swapped.
153  */
154 static ddi_device_acc_attr_t mwl_desc_accattr = {
155 	DDI_DEVICE_ATTR_V0,
156 	DDI_NEVERSWAP_ACC,
157 	DDI_STRICTORDER_ACC,
158 	DDI_DEFAULT_ACC
159 };
160 
161 static ddi_device_acc_attr_t mwl_buf_accattr = {
162 	DDI_DEVICE_ATTR_V0,
163 	DDI_NEVERSWAP_ACC,
164 	DDI_STRICTORDER_ACC,
165 	DDI_DEFAULT_ACC
166 };
167 
168 /*
169  * Describes the chip's DMA engine
170  */
171 static ddi_dma_attr_t mwl_dma_attr = {
172 	DMA_ATTR_V0,			/* dma_attr version */
173 	0x0000000000000000ull,		/* dma_attr_addr_lo */
174 	0xFFFFFFFF,			/* dma_attr_addr_hi */
175 	0x00000000FFFFFFFFull,		/* dma_attr_count_max */
176 	0x0000000000000001ull,		/* dma_attr_align */
177 	0x00000FFF,			/* dma_attr_burstsizes */
178 	0x00000001,			/* dma_attr_minxfer */
179 	0x000000000000FFFFull,		/* dma_attr_maxxfer */
180 	0xFFFFFFFFFFFFFFFFull,		/* dma_attr_seg */
181 	1,				/* dma_attr_sgllen */
182 	0x00000001,			/* dma_attr_granular */
183 	0				/* dma_attr_flags */
184 };
185 
186 /*
187  * Supported rates for 802.11a/b/g modes (in 500Kbps unit).
188  */
189 static const struct ieee80211_rateset mwl_rateset_11b =
190 	{ 4, { 2, 4, 11, 22 } };
191 
192 static const struct ieee80211_rateset mwl_rateset_11g =
193 	{ 12, { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 } };
194 
195 static int	mwl_alloc_dma_mem(dev_info_t *, ddi_dma_attr_t *, size_t,
196 		    ddi_device_acc_attr_t *, uint_t, uint_t,
197 		    struct dma_area *);
198 static void	mwl_free_dma_mem(struct dma_area *);
199 static int	mwl_alloc_cmdbuf(struct mwl_softc *);
200 static void	mwl_free_cmdbuf(struct mwl_softc *);
201 static int	mwl_alloc_rx_ring(struct mwl_softc *, int);
202 static void	mwl_free_rx_ring(struct mwl_softc *);
203 static int	mwl_alloc_tx_ring(struct mwl_softc *, struct mwl_tx_ring *,
204 		    int);
205 static void	mwl_free_tx_ring(struct mwl_softc *, struct mwl_tx_ring *);
206 static int	mwl_setupdma(struct mwl_softc *);
207 static void	mwl_txq_init(struct mwl_softc *, struct mwl_tx_ring *, int);
208 static int	mwl_tx_setup(struct mwl_softc *, int, int);
209 static int	mwl_setup_txq(struct mwl_softc *);
210 static int	mwl_fwload(struct mwl_softc *, void *);
211 static int	mwl_loadsym(ddi_modhandle_t, char *, char **, size_t *);
212 static void	mwlFwReset(struct mwl_softc *);
213 static void	mwlPokeSdramController(struct mwl_softc *, int);
214 static void	mwlTriggerPciCmd(struct mwl_softc *);
215 static int	mwlWaitFor(struct mwl_softc *, uint32_t);
216 static int	mwlSendBlock(struct mwl_softc *, int, const void *, size_t);
217 static int	mwlSendBlock2(struct mwl_softc *, const void *, size_t);
218 static void	mwlSendCmd(struct mwl_softc *);
219 static int	mwlExecuteCmd(struct mwl_softc *, unsigned short);
220 static int	mwlWaitForCmdComplete(struct mwl_softc *, uint16_t);
221 static void	dumpresult(struct mwl_softc *, int);
222 static int	mwlResetHalState(struct mwl_softc *);
223 static int	mwlGetPwrCalTable(struct mwl_softc *);
224 static int	mwlGetCalTable(struct mwl_softc *, uint8_t, uint8_t);
225 static int	mwlGetPwrCalTable(struct mwl_softc *);
226 static void	dumpcaldata(const char *, const uint8_t *, int);
227 static void	get2Ghz(MWL_HAL_CHANNELINFO *, const uint8_t *, int);
228 static void	get5Ghz(MWL_HAL_CHANNELINFO *, const uint8_t *, int);
229 static void	setmaxtxpow(struct mwl_hal_channel *, int, int);
230 static uint16_t	ieee2mhz(int);
231 static const char *
232 		mwlcmdname(int);
233 static int	mwl_gethwspecs(struct mwl_softc *);
234 static int	mwl_getchannels(struct mwl_softc *);
235 static void	getchannels(struct mwl_softc *, int, int *,
236 		    struct mwl_channel *);
237 static void	addchannels(struct mwl_channel *, int, int *,
238 		    const MWL_HAL_CHANNELINFO *, int);
239 static void	addht40channels(struct mwl_channel *, int, int *,
240 		    const MWL_HAL_CHANNELINFO *, int);
241 static const struct mwl_channel *
242 		findchannel(const struct mwl_channel *, int,
243 		    int, int);
244 static void	addchan(struct mwl_channel *, int, int, int, int);
245 
246 static int	mwl_chan_set(struct mwl_softc *, struct mwl_channel *);
247 static void	mwl_mapchan(MWL_HAL_CHANNEL *, const struct mwl_channel *);
248 static int	mwl_setcurchanrates(struct mwl_softc *);
249 const struct ieee80211_rateset *
250 		mwl_get_suprates(struct ieee80211com *,
251 		    const struct mwl_channel *);
252 static uint32_t	cvtChannelFlags(const MWL_HAL_CHANNEL *);
253 static const struct mwl_hal_channel *
254 		findhalchannel(const struct mwl_softc *,
255 		    const MWL_HAL_CHANNEL *);
256 enum ieee80211_phymode
257 		mwl_chan2mode(const struct mwl_channel *);
258 static int	mwl_map2regioncode(const struct mwl_regdomain *);
259 static int	mwl_startrecv(struct mwl_softc *);
260 static int	mwl_mode_init(struct mwl_softc *);
261 static void	mwl_hal_intrset(struct mwl_softc *, uint32_t);
262 static void	mwl_hal_getisr(struct mwl_softc *, uint32_t *);
263 static int	mwl_hal_sethwdma(struct mwl_softc *,
264 		    const struct mwl_hal_txrxdma *);
265 static int	mwl_hal_getchannelinfo(struct mwl_softc *, int, int,
266 		    const MWL_HAL_CHANNELINFO **);
267 static int	mwl_hal_setmac_locked(struct mwl_softc *, const uint8_t *);
268 static int	mwl_hal_keyreset(struct mwl_softc *, const MWL_HAL_KEYVAL *,
269 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
270 static int	mwl_hal_keyset(struct mwl_softc *, const MWL_HAL_KEYVAL *,
271 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
272 static int	mwl_hal_newstation(struct mwl_softc *, const uint8_t *,
273 		    uint16_t, uint16_t, const MWL_HAL_PEERINFO *, int, int);
274 static int	mwl_hal_setantenna(struct mwl_softc *, MWL_HAL_ANTENNA, int);
275 static int	mwl_hal_setradio(struct mwl_softc *, int, MWL_HAL_PREAMBLE);
276 static int	mwl_hal_setwmm(struct mwl_softc *, int);
277 static int	mwl_hal_setchannel(struct mwl_softc *, const MWL_HAL_CHANNEL *);
278 static int	mwl_hal_settxpower(struct mwl_softc *, const MWL_HAL_CHANNEL *,
279 		    uint8_t);
280 static int	mwl_hal_settxrate(struct mwl_softc *, MWL_HAL_TXRATE_HANDLING,
281 		    const MWL_HAL_TXRATE *);
282 static int	mwl_hal_settxrate_auto(struct mwl_softc *,
283 		    const MWL_HAL_TXRATE *);
284 static int	mwl_hal_setrateadaptmode(struct mwl_softc *, uint16_t);
285 static int	mwl_hal_setoptimizationlevel(struct mwl_softc *, int);
286 static int	mwl_hal_setregioncode(struct mwl_softc *, int);
287 static int	mwl_hal_setassocid(struct mwl_softc *, const uint8_t *,
288 		    uint16_t);
289 static int	mwl_setrates(struct ieee80211com *);
290 static int	mwl_hal_setrtsthreshold(struct mwl_softc *, int);
291 static int	mwl_hal_setcsmode(struct mwl_softc *, MWL_HAL_CSMODE);
292 static int	mwl_hal_setpromisc(struct mwl_softc *, int);
293 static int	mwl_hal_start(struct mwl_softc *);
294 static int	mwl_hal_setinframode(struct mwl_softc *);
295 static int	mwl_hal_stop(struct mwl_softc *);
296 static struct ieee80211_node *
297 		mwl_node_alloc(struct ieee80211com *);
298 static void	mwl_node_free(struct ieee80211_node *);
299 static int	mwl_key_alloc(struct ieee80211com *,
300 		    const struct ieee80211_key *,
301 		    ieee80211_keyix *, ieee80211_keyix *);
302 static int	mwl_key_delete(struct ieee80211com *,
303 		    const struct ieee80211_key *);
304 static int	mwl_key_set(struct ieee80211com *, const struct ieee80211_key *,
305 		    const uint8_t mac[IEEE80211_ADDR_LEN]);
306 static void	mwl_setanywepkey(struct ieee80211com *, const uint8_t *);
307 static void	mwl_setglobalkeys(struct ieee80211com *c);
308 static int	addgroupflags(MWL_HAL_KEYVAL *, const struct ieee80211_key *);
309 static void	mwl_hal_txstart(struct mwl_softc *, int);
310 static int	mwl_send(ieee80211com_t *, mblk_t *, uint8_t);
311 static void	mwl_next_scan(void *);
312 static MWL_HAL_PEERINFO *
313 		mkpeerinfo(MWL_HAL_PEERINFO *, const struct ieee80211_node *);
314 static uint32_t	get_rate_bitmap(const struct ieee80211_rateset *);
315 static int	mwl_newstate(struct ieee80211com *, enum ieee80211_state, int);
316 static int	cvtrssi(uint8_t);
317 static uint_t	mwl_intr(caddr_t, caddr_t);
318 static uint_t	mwl_softintr(caddr_t, caddr_t);
319 static void	mwl_tx_intr(struct mwl_softc *);
320 static void	mwl_rx_intr(struct mwl_softc *);
321 static int	mwl_init(struct mwl_softc *);
322 static void	mwl_stop(struct mwl_softc *);
323 static int	mwl_resume(struct mwl_softc *);
324 
325 
326 #ifdef DEBUG
327 static void
328 mwl_debug(uint32_t dbg_flags, const int8_t *fmt, ...)
329 {
330 	va_list args;
331 
332 	if (dbg_flags & mwl_dbg_flags) {
333 		va_start(args, fmt);
334 		vcmn_err(CE_CONT, fmt, args);
335 		va_end(args);
336 	}
337 }
338 #endif
339 
340 /*
341  * Allocate an DMA memory and a DMA handle for accessing it
342  */
343 static int
344 mwl_alloc_dma_mem(dev_info_t *devinfo, ddi_dma_attr_t *dma_attr,
345 	size_t memsize, ddi_device_acc_attr_t *attr_p, uint_t alloc_flags,
346 	uint_t bind_flags, struct dma_area *dma_p)
347 {
348 	int err;
349 
350 	/*
351 	 * Allocate handle
352 	 */
353 	err = ddi_dma_alloc_handle(devinfo, dma_attr,
354 	    DDI_DMA_SLEEP, NULL, &dma_p->dma_hdl);
355 	if (err != DDI_SUCCESS) {
356 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
357 		    "failed to alloc handle\n");
358 		goto fail1;
359 	}
360 
361 	/*
362 	 * Allocate memory
363 	 */
364 	err = ddi_dma_mem_alloc(dma_p->dma_hdl, memsize, attr_p,
365 	    alloc_flags, DDI_DMA_SLEEP, NULL, &dma_p->mem_va,
366 	    &dma_p->alength, &dma_p->acc_hdl);
367 	if (err != DDI_SUCCESS) {
368 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
369 		    "failed to alloc mem\n");
370 		goto fail2;
371 	}
372 
373 	/*
374 	 * Bind the two together
375 	 */
376 	err = ddi_dma_addr_bind_handle(dma_p->dma_hdl, NULL,
377 	    dma_p->mem_va, dma_p->alength, bind_flags,
378 	    DDI_DMA_SLEEP, NULL, &dma_p->cookie, &dma_p->ncookies);
379 	if (err != DDI_DMA_MAPPED) {
380 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
381 		    "failed to bind handle\n");
382 		goto fail3;
383 	}
384 
385 	if (dma_p->ncookies != 1) {
386 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
387 		    "failed to alloc cookies\n");
388 		goto fail4;
389 	}
390 
391 	dma_p->nslots = ~0U;
392 	dma_p->size = ~0U;
393 	dma_p->token = ~0U;
394 	dma_p->offset = 0;
395 
396 	return (DDI_SUCCESS);
397 
398 fail4:
399 	(void) ddi_dma_unbind_handle(dma_p->dma_hdl);
400 fail3:
401 	ddi_dma_mem_free(&dma_p->acc_hdl);
402 fail2:
403 	ddi_dma_free_handle(&dma_p->dma_hdl);
404 fail1:
405 	return (err);
406 }
407 
408 static void
409 mwl_free_dma_mem(struct dma_area *dma_p)
410 {
411 	if (dma_p->dma_hdl != NULL) {
412 		(void) ddi_dma_unbind_handle(dma_p->dma_hdl);
413 		if (dma_p->acc_hdl != NULL) {
414 			ddi_dma_mem_free(&dma_p->acc_hdl);
415 			dma_p->acc_hdl = NULL;
416 		}
417 		ddi_dma_free_handle(&dma_p->dma_hdl);
418 		dma_p->ncookies = 0;
419 		dma_p->dma_hdl = NULL;
420 	}
421 }
422 
423 static int
424 mwl_alloc_cmdbuf(struct mwl_softc *sc)
425 {
426 	int err;
427 	size_t size;
428 
429 	size = MWL_CMDBUF_SIZE;
430 
431 	err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr, size,
432 	    &mwl_cmdbuf_accattr, DDI_DMA_CONSISTENT,
433 	    DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
434 	    &sc->sc_cmd_dma);
435 	if (err != DDI_SUCCESS) {
436 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_cmdbuf(): "
437 		    "failed to alloc dma mem\n");
438 		return (DDI_FAILURE);
439 	}
440 
441 	sc->sc_cmd_mem = (uint16_t *)sc->sc_cmd_dma.mem_va;
442 	sc->sc_cmd_dmaaddr = sc->sc_cmd_dma.cookie.dmac_address;
443 
444 	return (DDI_SUCCESS);
445 }
446 
447 static void
448 mwl_free_cmdbuf(struct mwl_softc *sc)
449 {
450 	if (sc->sc_cmd_mem != NULL)
451 		mwl_free_dma_mem(&sc->sc_cmd_dma);
452 }
453 
454 static int
455 mwl_alloc_rx_ring(struct mwl_softc *sc, int count)
456 {
457 	struct mwl_rx_ring *ring;
458 	struct mwl_rxdesc *ds;
459 	struct mwl_rxbuf *bf;
460 	int i, err, datadlen;
461 
462 	ring = &sc->sc_rxring;
463 	ring->count = count;
464 	ring->cur = ring->next = 0;
465 	err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
466 	    count * sizeof (struct mwl_rxdesc),
467 	    &mwl_desc_accattr,
468 	    DDI_DMA_CONSISTENT, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
469 	    &ring->rxdesc_dma);
470 	if (err) {
471 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rxring(): "
472 		    "alloc tx ring failed, size %d\n",
473 		    (uint32_t)(count * sizeof (struct mwl_rxdesc)));
474 		return (DDI_FAILURE);
475 	}
476 
477 	MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rx_ring(): "
478 	    "dma len = %d\n", (uint32_t)(ring->rxdesc_dma.alength));
479 	ring->desc = (struct mwl_rxdesc *)ring->rxdesc_dma.mem_va;
480 	ring->physaddr = ring->rxdesc_dma.cookie.dmac_address;
481 	bzero(ring->desc, count * sizeof (struct mwl_rxdesc));
482 
483 	datadlen = count * sizeof (struct mwl_rxbuf);
484 	ring->buf = (struct mwl_rxbuf *)kmem_zalloc(datadlen, KM_SLEEP);
485 	if (ring->buf == NULL) {
486 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rxring(): "
487 		    "could not alloc rx ring data buffer\n");
488 		return (DDI_FAILURE);
489 	}
490 	bzero(ring->buf, count * sizeof (struct mwl_rxbuf));
491 
492 	/*
493 	 * Pre-allocate Rx buffers and populate Rx ring.
494 	 */
495 	for (i = 0; i < count; i++) {
496 		ds = &ring->desc[i];
497 		bf = &ring->buf[i];
498 		/* alloc DMA memory */
499 		(void) mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
500 		    sc->sc_dmabuf_size,
501 		    &mwl_buf_accattr,
502 		    DDI_DMA_STREAMING,
503 		    DDI_DMA_READ | DDI_DMA_STREAMING,
504 		    &bf->rxbuf_dma);
505 		bf->bf_mem = (uint8_t *)(bf->rxbuf_dma.mem_va);
506 		bf->bf_baddr = bf->rxbuf_dma.cookie.dmac_address;
507 		bf->bf_desc = ds;
508 		bf->bf_daddr = ring->physaddr + _PTRDIFF(ds, ring->desc);
509 	}
510 
511 	(void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
512 	    0,
513 	    ring->rxdesc_dma.alength,
514 	    DDI_DMA_SYNC_FORDEV);
515 
516 	return (0);
517 }
518 
519 static void
520 mwl_free_rx_ring(struct mwl_softc *sc)
521 {
522 	struct mwl_rx_ring *ring;
523 	struct mwl_rxbuf *bf;
524 	int i;
525 
526 	ring = &sc->sc_rxring;
527 
528 	if (ring->desc != NULL) {
529 		mwl_free_dma_mem(&ring->rxdesc_dma);
530 	}
531 
532 	if (ring->buf != NULL) {
533 		for (i = 0; i < ring->count; i++) {
534 			bf = &ring->buf[i];
535 			mwl_free_dma_mem(&bf->rxbuf_dma);
536 		}
537 		kmem_free(ring->buf,
538 		    (ring->count * sizeof (struct mwl_rxbuf)));
539 	}
540 }
541 
542 static int
543 mwl_alloc_tx_ring(struct mwl_softc *sc, struct mwl_tx_ring *ring,
544     int count)
545 {
546 	struct mwl_txdesc *ds;
547 	struct mwl_txbuf *bf;
548 	int i, err, datadlen;
549 
550 	ring->count = count;
551 	ring->queued = 0;
552 	ring->cur = ring->next = ring->stat = 0;
553 	err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
554 	    count * sizeof (struct mwl_txdesc), &mwl_desc_accattr,
555 	    DDI_DMA_CONSISTENT, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
556 	    &ring->txdesc_dma);
557 	if (err) {
558 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
559 		    "alloc tx ring failed, size %d\n",
560 		    (uint32_t)(count * sizeof (struct mwl_txdesc)));
561 		return (DDI_FAILURE);
562 	}
563 
564 	MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
565 	    "dma len = %d\n", (uint32_t)(ring->txdesc_dma.alength));
566 	ring->desc = (struct mwl_txdesc *)ring->txdesc_dma.mem_va;
567 	ring->physaddr = ring->txdesc_dma.cookie.dmac_address;
568 	bzero(ring->desc, count * sizeof (struct mwl_txdesc));
569 
570 	datadlen = count * sizeof (struct mwl_txbuf);
571 	ring->buf = kmem_zalloc(datadlen, KM_SLEEP);
572 	if (ring->buf == NULL) {
573 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
574 		    "could not alloc tx ring data buffer\n");
575 		return (DDI_FAILURE);
576 	}
577 	bzero(ring->buf, count * sizeof (struct mwl_txbuf));
578 
579 	for (i = 0; i < count; i++) {
580 		ds = &ring->desc[i];
581 		bf = &ring->buf[i];
582 		/* alloc DMA memory */
583 		(void) mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
584 		    sc->sc_dmabuf_size,
585 		    &mwl_buf_accattr,
586 		    DDI_DMA_STREAMING,
587 		    DDI_DMA_WRITE | DDI_DMA_STREAMING,
588 		    &bf->txbuf_dma);
589 		bf->bf_baddr = bf->txbuf_dma.cookie.dmac_address;
590 		bf->bf_mem = (uint8_t *)(bf->txbuf_dma.mem_va);
591 		bf->bf_daddr = ring->physaddr + _PTRDIFF(ds, ring->desc);
592 		bf->bf_desc = ds;
593 	}
594 
595 	(void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
596 	    0,
597 	    ring->txdesc_dma.alength,
598 	    DDI_DMA_SYNC_FORDEV);
599 
600 	return (0);
601 }
602 
603 /* ARGSUSED */
604 static void
605 mwl_free_tx_ring(struct mwl_softc *sc, struct mwl_tx_ring *ring)
606 {
607 	struct mwl_txbuf *bf;
608 	int i;
609 
610 	if (ring->desc != NULL) {
611 		mwl_free_dma_mem(&ring->txdesc_dma);
612 	}
613 
614 	if (ring->buf != NULL) {
615 		for (i = 0; i < ring->count; i++) {
616 			bf = &ring->buf[i];
617 			mwl_free_dma_mem(&bf->txbuf_dma);
618 		}
619 		kmem_free(ring->buf,
620 		    (ring->count * sizeof (struct mwl_txbuf)));
621 	}
622 }
623 
624 /*
625  * Inform the f/w about location of the tx/rx dma data structures
626  * and related state.  This cmd must be done immediately after a
627  * mwl_hal_gethwspecs call or the f/w will lockup.
628  */
629 static int
630 mwl_hal_sethwdma(struct mwl_softc *sc, const struct mwl_hal_txrxdma *dma)
631 {
632 	HostCmd_DS_SET_HW_SPEC *pCmd;
633 	int retval;
634 
635 	_CMD_SETUP(pCmd, HostCmd_DS_SET_HW_SPEC, HostCmd_CMD_SET_HW_SPEC);
636 	pCmd->WcbBase[0] = LE_32(dma->wcbBase[0]);
637 	pCmd->WcbBase[1] = LE_32(dma->wcbBase[1]);
638 	pCmd->WcbBase[2] = LE_32(dma->wcbBase[2]);
639 	pCmd->WcbBase[3] = LE_32(dma->wcbBase[3]);
640 	pCmd->TxWcbNumPerQueue = LE_32(dma->maxNumTxWcb);
641 	pCmd->NumTxQueues = LE_32(dma->maxNumWCB);
642 	pCmd->TotalRxWcb = LE_32(1);		/* XXX */
643 	pCmd->RxPdWrPtr = LE_32(dma->rxDescRead);
644 	/*
645 	 * pCmd->Flags = LE_32(SET_HW_SPEC_HOSTFORM_BEACON
646 	 * #ifdef MWL_HOST_PS_SUPPORT
647 	 * | SET_HW_SPEC_HOST_POWERSAVE
648 	 * #endif
649 	 * | SET_HW_SPEC_HOSTFORM_PROBERESP);
650 	 */
651 	pCmd->Flags = 0;
652 	/* disable multi-bss operation for A1-A4 parts */
653 	if (sc->sc_revs.mh_macRev < 5)
654 		pCmd->Flags |= LE_32(SET_HW_SPEC_DISABLEMBSS);
655 
656 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_HW_SPEC);
657 	if (retval == 0) {
658 		if (pCmd->Flags & LE_32(SET_HW_SPEC_DISABLEMBSS))
659 			sc->sc_hw_flags &= ~MHF_MBSS;
660 		else
661 			sc->sc_hw_flags |= MHF_MBSS;
662 	}
663 
664 	return (retval);
665 }
666 
667 /*
668  * Inform firmware of our tx/rx dma setup.  The BAR 0
669  * writes below are for compatibility with older firmware.
670  * For current firmware we send this information with a
671  * cmd block via mwl_hal_sethwdma.
672  */
673 static int
674 mwl_setupdma(struct mwl_softc *sc)
675 {
676 	int i, err;
677 
678 	sc->sc_hwdma.rxDescRead = sc->sc_rxring.physaddr;
679 	mwl_mem_write4(sc, sc->sc_hwspecs.rxDescRead, sc->sc_hwdma.rxDescRead);
680 	mwl_mem_write4(sc, sc->sc_hwspecs.rxDescWrite, sc->sc_hwdma.rxDescRead);
681 
682 	for (i = 0; i < MWL_NUM_TX_QUEUES - MWL_NUM_ACK_QUEUES; i++) {
683 		struct mwl_tx_ring *txring = &sc->sc_txring[i];
684 		sc->sc_hwdma.wcbBase[i] = txring->physaddr;
685 		mwl_mem_write4(sc, sc->sc_hwspecs.wcbBase[i],
686 		    sc->sc_hwdma.wcbBase[i]);
687 	}
688 	sc->sc_hwdma.maxNumTxWcb = MWL_TX_RING_COUNT;
689 	sc->sc_hwdma.maxNumWCB = MWL_NUM_TX_QUEUES - MWL_NUM_ACK_QUEUES;
690 
691 	err = mwl_hal_sethwdma(sc, &sc->sc_hwdma);
692 	if (err != 0) {
693 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_setupdma(): "
694 		    "unable to setup tx/rx dma; hal status %u\n", err);
695 		/* XXX */
696 	}
697 
698 	return (err);
699 }
700 
701 /* ARGSUSED */
702 static void
703 mwl_txq_init(struct mwl_softc *sc, struct mwl_tx_ring *txring, int qnum)
704 {
705 	struct mwl_txbuf *bf;
706 	struct mwl_txdesc *ds;
707 	int i;
708 
709 	txring->qnum = qnum;
710 	txring->txpri = 0;	/* XXX */
711 
712 	bf = txring->buf;
713 	ds = txring->desc;
714 	for (i = 0; i < MWL_TX_RING_COUNT - 1; i++) {
715 		bf++;
716 		ds->pPhysNext = bf->bf_daddr;
717 		ds++;
718 	}
719 	bf = txring->buf;
720 	ds->pPhysNext = LE_32(bf->bf_daddr);
721 }
722 
723 /*
724  * Setup a hardware data transmit queue for the specified
725  * access control.  We record the mapping from ac's
726  * to h/w queues for use by mwl_tx_start.
727  */
728 static int
729 mwl_tx_setup(struct mwl_softc *sc, int ac, int mvtype)
730 {
731 #define	N(a)	(sizeof (a)/sizeof (a[0]))
732 	struct mwl_tx_ring *txring;
733 
734 	if (ac >= N(sc->sc_ac2q)) {
735 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_tx_setup(): "
736 		    "AC %u out of range, max %u!\n",
737 		    ac, (uint_t)N(sc->sc_ac2q));
738 		return (0);
739 	}
740 	if (mvtype >= MWL_NUM_TX_QUEUES) {
741 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_tx_setup(): "
742 		    "mvtype %u out of range, max %u!\n",
743 		    mvtype, MWL_NUM_TX_QUEUES);
744 		return (0);
745 	}
746 	txring = &sc->sc_txring[mvtype];
747 	mwl_txq_init(sc, txring, mvtype);
748 	sc->sc_ac2q[ac] = txring;
749 	return (1);
750 #undef N
751 }
752 
753 static int
754 mwl_setup_txq(struct mwl_softc *sc)
755 {
756 	int err = 0;
757 
758 	/* NB: insure BK queue is the lowest priority h/w queue */
759 	if (!mwl_tx_setup(sc, WME_AC_BK, MWL_WME_AC_BK)) {
760 		MWL_DBG(MWL_DBG_DMA, "mwl: mwl_setup_txq(): "
761 		    "unable to setup xmit queue for %s traffic!\n",
762 		    mwl_wme_acnames[WME_AC_BK]);
763 		err = EIO;
764 		return (err);
765 	}
766 	if (!mwl_tx_setup(sc, WME_AC_BE, MWL_WME_AC_BE) ||
767 	    !mwl_tx_setup(sc, WME_AC_VI, MWL_WME_AC_VI) ||
768 	    !mwl_tx_setup(sc, WME_AC_VO, MWL_WME_AC_VO)) {
769 		/*
770 		 * Not enough hardware tx queues to properly do WME;
771 		 * just punt and assign them all to the same h/w queue.
772 		 * We could do a better job of this if, for example,
773 		 * we allocate queues when we switch from station to
774 		 * AP mode.
775 		 */
776 		sc->sc_ac2q[WME_AC_BE] = sc->sc_ac2q[WME_AC_BK];
777 		sc->sc_ac2q[WME_AC_VI] = sc->sc_ac2q[WME_AC_BK];
778 		sc->sc_ac2q[WME_AC_VO] = sc->sc_ac2q[WME_AC_BK];
779 	}
780 
781 	return (err);
782 }
783 
784 /*
785  * find mwl firmware module's "_start" "_end" symbols
786  * and get its size.
787  */
788 static int
789 mwl_loadsym(ddi_modhandle_t modp, char *sym, char **start, size_t *len)
790 {
791 	char start_sym[64];
792 	char end_sym[64];
793 	char *p, *end;
794 	int rv;
795 	size_t n;
796 
797 	(void) snprintf(start_sym, sizeof (start_sym), "%s_start", sym);
798 	(void) snprintf(end_sym, sizeof (end_sym), "%s_end", sym);
799 
800 	p = (char *)ddi_modsym(modp, start_sym, &rv);
801 	if (p == NULL || rv != 0) {
802 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadsym(): "
803 		    "mod %s: symbol %s not found\n", sym, start_sym);
804 		return (-1);
805 	}
806 
807 	end = (char *)ddi_modsym(modp, end_sym, &rv);
808 	if (end == NULL || rv != 0) {
809 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadsym(): "
810 		    "mod %s: symbol %s not found\n", sym, end_sym);
811 		return (-1);
812 	}
813 
814 	n = _PTRDIFF(end, p);
815 	*start = p;
816 	*len = n;
817 
818 	return (0);
819 }
820 
821 static void
822 mwlFwReset(struct mwl_softc *sc)
823 {
824 	if (mwl_ctl_read4(sc,  MACREG_REG_INT_CODE) == 0xffffffff) {
825 		MWL_DBG(MWL_DBG_FW, "mwl: mwlFWReset(): "
826 		    "device not present!\n");
827 		return;
828 	}
829 
830 	mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS, ISR_RESET);
831 	sc->sc_hw_flags &= ~MHF_FWHANG;
832 }
833 
834 static void
835 mwlPokeSdramController(struct mwl_softc *sc, int SDRAMSIZE_Addr)
836 {
837 	/* Set up sdram controller for superflyv2 */
838 	mwl_ctl_write4(sc, 0x00006014, 0x33);
839 	mwl_ctl_write4(sc, 0x00006018, 0xa3a2632);
840 	mwl_ctl_write4(sc, 0x00006010, SDRAMSIZE_Addr);
841 }
842 
843 static void
844 mwlTriggerPciCmd(struct mwl_softc *sc)
845 {
846 	(void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
847 	    0,
848 	    sc->sc_cmd_dma.alength,
849 	    DDI_DMA_SYNC_FORDEV);
850 
851 	mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, sc->sc_cmd_dmaaddr);
852 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
853 
854 	mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0x00);
855 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
856 
857 	mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
858 	    MACREG_H2ARIC_BIT_DOOR_BELL);
859 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
860 }
861 
862 static int
863 mwlWaitFor(struct mwl_softc *sc, uint32_t val)
864 {
865 	int i;
866 
867 	for (i = 0; i < FW_MAX_NUM_CHECKS; i++) {
868 		DELAY(FW_CHECK_USECS);
869 		if (mwl_ctl_read4(sc, MACREG_REG_INT_CODE) == val)
870 			return (1);
871 	}
872 	return (0);
873 }
874 
875 /*
876  * Firmware block xmit when talking to the boot-rom.
877  */
878 static int
879 mwlSendBlock(struct mwl_softc *sc, int bsize, const void *data, size_t dsize)
880 {
881 	sc->sc_cmd_mem[0] = LE_16(HostCmd_CMD_CODE_DNLD);
882 	sc->sc_cmd_mem[1] = LE_16(bsize);
883 	(void) memcpy(&sc->sc_cmd_mem[4], data, dsize);
884 	mwlTriggerPciCmd(sc);
885 	/* XXX 2000 vs 200 */
886 	if (mwlWaitFor(sc, MACREG_INT_CODE_CMD_FINISHED)) {
887 		mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
888 		return (1);
889 	}
890 
891 	MWL_DBG(MWL_DBG_FW, "mwl: mwlSendBlock(): "
892 	    "timeout waiting for CMD_FINISHED, INT_CODE 0x%x\n",
893 	    mwl_ctl_read4(sc, MACREG_REG_INT_CODE));
894 	return (0);
895 }
896 
897 /*
898  * Firmware block xmit when talking to the 1st-stage loader.
899  */
900 static int
901 mwlSendBlock2(struct mwl_softc *sc, const void *data, size_t dsize)
902 {
903 	(void) memcpy(&sc->sc_cmd_mem[0], data, dsize);
904 	mwlTriggerPciCmd(sc);
905 	if (mwlWaitFor(sc, MACREG_INT_CODE_CMD_FINISHED)) {
906 		mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
907 		return (1);
908 	}
909 
910 	MWL_DBG(MWL_DBG_FW, "mwl: mwlSendBlock2(): "
911 	    "timeout waiting for CMD_FINISHED, INT_CODE 0x%x\n",
912 	    mwl_ctl_read4(sc, MACREG_REG_INT_CODE));
913 	return (0);
914 }
915 
916 /* ARGSUSED */
917 static int
918 mwl_fwload(struct mwl_softc *sc, void *fwargs)
919 {
920 	char *fwname = "mwlfw";
921 	char *fwbootname = "mwlboot";
922 	char *fwbinname = "mw88W8363fw";
923 	char *fwboot_index, *fw_index;
924 	uint8_t *fw, *fwboot;
925 	ddi_modhandle_t modfw;
926 	/* XXX get from firmware header */
927 	uint32_t FwReadySignature = HostCmd_SOFTAP_FWRDY_SIGNATURE;
928 	uint32_t OpMode = HostCmd_SOFTAP_MODE;
929 	const uint8_t *fp, *ep;
930 	size_t fw_size, fwboot_size;
931 	uint32_t blocksize, nbytes;
932 	int i, rv, err, ntries;
933 
934 	rv = err = 0;
935 	fw = fwboot = NULL;
936 	fw_index = fwboot_index = NULL;
937 
938 	modfw = ddi_modopen(fwname, KRTLD_MODE_FIRST, &rv);
939 	if (modfw == NULL) {
940 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
941 		    "module %s not found\n", fwname);
942 		err = -1;
943 		goto bad2;
944 	}
945 
946 	err = mwl_loadsym(modfw, fwbootname, &fwboot_index, &fwboot_size);
947 	if (err != 0) {
948 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
949 		    "could not get boot firmware\n");
950 		err = -1;
951 		goto bad2;
952 	}
953 
954 	err = mwl_loadsym(modfw, fwbinname, &fw_index, &fw_size);
955 	if (err != 0) {
956 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
957 		    "could not get firmware\n");
958 		err = -1;
959 		goto bad2;
960 	}
961 
962 	fwboot = (uint8_t *)kmem_alloc(fwboot_size, KM_SLEEP);
963 	if (fwboot == NULL) {
964 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadfirmware(): "
965 		    "failed to alloc boot firmware memory\n");
966 		err = -1;
967 		goto bad2;
968 	}
969 	(void) memcpy(fwboot, fwboot_index, fwboot_size);
970 
971 	fw = (uint8_t *)kmem_alloc(fw_size, KM_SLEEP);
972 	if (fw == NULL) {
973 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadfirmware(): "
974 		    "failed to alloc firmware memory\n");
975 		err = -1;
976 		goto bad2;
977 	}
978 	(void) memcpy(fw, fw_index, fw_size);
979 
980 	if (modfw != NULL)
981 		(void) ddi_modclose(modfw);
982 
983 	if (fw_size < 4) {
984 		MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
985 		    "could not load firmware image %s\n",
986 		    fwname);
987 		err = ENXIO;
988 		goto bad2;
989 	}
990 
991 	if (fw[0] == 0x01 && fw[1] == 0x00 &&
992 	    fw[2] == 0x00 && fw[3] == 0x00) {
993 		/*
994 		 * 2-stage load, get the boot firmware.
995 		 */
996 		if (fwboot == NULL) {
997 			MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
998 			    "could not load firmware image %s\n",
999 			    fwbootname);
1000 			err = ENXIO;
1001 			goto bad2;
1002 		}
1003 	} else
1004 		fwboot = NULL;
1005 
1006 	mwlFwReset(sc);
1007 
1008 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CLEAR_SEL,
1009 	    MACREG_A2HRIC_BIT_MASK);
1010 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE, 0x00);
1011 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, 0x00);
1012 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_STATUS_MASK,
1013 	    MACREG_A2HRIC_BIT_MASK);
1014 	if (sc->sc_SDRAMSIZE_Addr != 0) {
1015 		/* Set up sdram controller for superflyv2 */
1016 		mwlPokeSdramController(sc, sc->sc_SDRAMSIZE_Addr);
1017 	}
1018 
1019 	MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
1020 	    "load %s firmware image (%u bytes)\n",
1021 	    fwname, (unsigned int)fw_size);
1022 
1023 	if (fwboot != NULL) {
1024 		/*
1025 		 * Do 2-stage load.  The 1st stage loader is setup
1026 		 * with the bootrom loader then we load the real
1027 		 * image using a different handshake. With this
1028 		 * mechanism the firmware is segmented into chunks
1029 		 * that have a CRC.  If a chunk is incorrect we'll
1030 		 * be told to retransmit.
1031 		 */
1032 		/* XXX assumes hlpimage fits in a block */
1033 		/* NB: zero size block indicates download is finished */
1034 		if (!mwlSendBlock(sc, fwboot_size, fwboot, fwboot_size) ||
1035 		    !mwlSendBlock(sc, 0, NULL, 0)) {
1036 			err = ETIMEDOUT;
1037 			goto bad;
1038 		}
1039 		DELAY(200 * FW_CHECK_USECS);
1040 		if (sc->sc_SDRAMSIZE_Addr != 0) {
1041 			/* Set up sdram controller for superflyv2 */
1042 			mwlPokeSdramController(sc, sc->sc_SDRAMSIZE_Addr);
1043 		}
1044 		nbytes = ntries = 0;		/* NB: silence compiler */
1045 		for (fp = fw, ep = fp + fw_size; fp < ep; ) {
1046 			mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
1047 			blocksize = mwl_ctl_read4(sc, MACREG_REG_SCRATCH);
1048 			if (blocksize == 0)	/* download complete */
1049 				break;
1050 			if (blocksize > 0x00000c00) {
1051 				err = EINVAL;
1052 				goto bad;
1053 			}
1054 			if ((blocksize & 0x1) == 0) {
1055 				/* block successfully downloaded, advance */
1056 				fp += nbytes;
1057 				ntries = 0;
1058 			} else {
1059 				if (++ntries > 2) {
1060 					/*
1061 					 * Guard against f/w telling us to
1062 					 * retry infinitely.
1063 					 */
1064 					err = ELOOP;
1065 					goto bad;
1066 				}
1067 				/* clear NAK bit/flag */
1068 				blocksize &= ~0x1;
1069 			}
1070 			if (blocksize > _PTRDIFF(ep, fp)) {
1071 				/* XXX this should not happen, what to do? */
1072 				blocksize = _PTRDIFF(ep, fp);
1073 			}
1074 			nbytes = blocksize;
1075 			if (!mwlSendBlock2(sc, fp, nbytes)) {
1076 				err = ETIMEDOUT;
1077 				goto bad;
1078 			}
1079 		}
1080 	} else {
1081 		for (fp = fw, ep = fp + fw_size; fp < ep; ) {
1082 			nbytes = _PTRDIFF(ep, fp);
1083 			if (nbytes > FW_DOWNLOAD_BLOCK_SIZE)
1084 				nbytes = FW_DOWNLOAD_BLOCK_SIZE;
1085 			if (!mwlSendBlock(sc, FW_DOWNLOAD_BLOCK_SIZE, fp,
1086 			    nbytes)) {
1087 				err = EIO;
1088 				goto bad;
1089 			}
1090 			fp += nbytes;
1091 		}
1092 	}
1093 
1094 	/*
1095 	 * Wait for firmware to startup; we monitor the
1096 	 * INT_CODE register waiting for a signature to
1097 	 * written back indicating it's ready to go.
1098 	 */
1099 	sc->sc_cmd_mem[1] = 0;
1100 	/*
1101 	 * XXX WAR for mfg fw download
1102 	 */
1103 	if (OpMode != HostCmd_STA_MODE)
1104 		mwlTriggerPciCmd(sc);
1105 	for (i = 0; i < FW_MAX_NUM_CHECKS; i++) {
1106 		mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, OpMode);
1107 		DELAY(FW_CHECK_USECS);
1108 		if (mwl_ctl_read4(sc, MACREG_REG_INT_CODE) ==
1109 		    FwReadySignature) {
1110 			mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0x00);
1111 			return (mwlResetHalState(sc));
1112 		}
1113 	}
1114 	MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
1115 	    "firmware download timeout\n");
1116 	return (ETIMEDOUT);
1117 bad:
1118 	mwlFwReset(sc);
1119 bad2:
1120 	if (fw != NULL)
1121 		kmem_free(fw, fw_size);
1122 	if (fwboot != NULL)
1123 		kmem_free(fwboot, fwboot_size);
1124 	fwboot = fw = NULL;
1125 	fwboot_index = fw_index = NULL;
1126 	if (modfw != NULL)
1127 		(void) ddi_modclose(modfw);
1128 	return (err);
1129 }
1130 
1131 /*
1132  * Low level firmware cmd block handshake support.
1133  */
1134 static void
1135 mwlSendCmd(struct mwl_softc *sc)
1136 {
1137 	(void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
1138 	    0,
1139 	    sc->sc_cmd_dma.alength,
1140 	    DDI_DMA_SYNC_FORDEV);
1141 
1142 	mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, sc->sc_cmd_dmaaddr);
1143 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
1144 
1145 	mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
1146 	    MACREG_H2ARIC_BIT_DOOR_BELL);
1147 }
1148 
1149 static int
1150 mwlExecuteCmd(struct mwl_softc *sc, unsigned short cmd)
1151 {
1152 	if (mwl_ctl_read4(sc,  MACREG_REG_INT_CODE) == 0xffffffff) {
1153 		MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
1154 		    "device not present!\n");
1155 		return (EIO);
1156 	}
1157 	mwlSendCmd(sc);
1158 	if (!mwlWaitForCmdComplete(sc, 0x8000 | cmd)) {
1159 		MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
1160 		    "timeout waiting for f/w cmd %s\n", mwlcmdname(cmd));
1161 		return (ETIMEDOUT);
1162 	}
1163 	(void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
1164 	    0,
1165 	    sc->sc_cmd_dma.alength,
1166 	    DDI_DMA_SYNC_FORDEV);
1167 
1168 	MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
1169 	    "send cmd %s\n", mwlcmdname(cmd));
1170 
1171 	if (mwl_dbg_flags & MWL_DBG_CMD)
1172 		dumpresult(sc, 1);
1173 
1174 	return (0);
1175 }
1176 
1177 static int
1178 mwlWaitForCmdComplete(struct mwl_softc *sc, uint16_t cmdCode)
1179 {
1180 #define	MAX_WAIT_FW_COMPLETE_ITERATIONS	10000
1181 	int i;
1182 
1183 	for (i = 0; i < MAX_WAIT_FW_COMPLETE_ITERATIONS; i++) {
1184 		if (sc->sc_cmd_mem[0] == LE_16(cmdCode))
1185 			return (1);
1186 		DELAY(1 * 1000);
1187 	}
1188 	return (0);
1189 #undef MAX_WAIT_FW_COMPLETE_ITERATIONS
1190 }
1191 
1192 static const char *
1193 mwlcmdname(int cmd)
1194 {
1195 	static char buf[12];
1196 #define	CMD(x)	case HostCmd_CMD_##x: return #x
1197 	switch (cmd) {
1198 	CMD(CODE_DNLD);
1199 	CMD(GET_HW_SPEC);
1200 	CMD(SET_HW_SPEC);
1201 	CMD(MAC_MULTICAST_ADR);
1202 	CMD(802_11_GET_STAT);
1203 	CMD(MAC_REG_ACCESS);
1204 	CMD(BBP_REG_ACCESS);
1205 	CMD(RF_REG_ACCESS);
1206 	CMD(802_11_RADIO_CONTROL);
1207 	CMD(802_11_RF_TX_POWER);
1208 	CMD(802_11_RF_ANTENNA);
1209 	CMD(SET_BEACON);
1210 	CMD(SET_RF_CHANNEL);
1211 	CMD(SET_AID);
1212 	CMD(SET_INFRA_MODE);
1213 	CMD(SET_G_PROTECT_FLAG);
1214 	CMD(802_11_RTS_THSD);
1215 	CMD(802_11_SET_SLOT);
1216 	CMD(SET_EDCA_PARAMS);
1217 	CMD(802_11H_DETECT_RADAR);
1218 	CMD(SET_WMM_MODE);
1219 	CMD(HT_GUARD_INTERVAL);
1220 	CMD(SET_FIXED_RATE);
1221 	CMD(SET_LINKADAPT_CS_MODE);
1222 	CMD(SET_MAC_ADDR);
1223 	CMD(SET_RATE_ADAPT_MODE);
1224 	CMD(BSS_START);
1225 	CMD(SET_NEW_STN);
1226 	CMD(SET_KEEP_ALIVE);
1227 	CMD(SET_APMODE);
1228 	CMD(SET_SWITCH_CHANNEL);
1229 	CMD(UPDATE_ENCRYPTION);
1230 	CMD(BASTREAM);
1231 	CMD(SET_RIFS);
1232 	CMD(SET_N_PROTECT_FLAG);
1233 	CMD(SET_N_PROTECT_OPMODE);
1234 	CMD(SET_OPTIMIZATION_LEVEL);
1235 	CMD(GET_CALTABLE);
1236 	CMD(SET_MIMOPSHT);
1237 	CMD(GET_BEACON);
1238 	CMD(SET_REGION_CODE);
1239 	CMD(SET_POWERSAVESTATION);
1240 	CMD(SET_TIM);
1241 	CMD(GET_TIM);
1242 	CMD(GET_SEQNO);
1243 	CMD(DWDS_ENABLE);
1244 	CMD(AMPDU_RETRY_RATEDROP_MODE);
1245 	CMD(CFEND_ENABLE);
1246 	}
1247 	(void) snprintf(buf, sizeof (buf), "0x%x", cmd);
1248 	return (buf);
1249 #undef CMD
1250 }
1251 
1252 static void
1253 dumpresult(struct mwl_softc *sc, int showresult)
1254 {
1255 	const FWCmdHdr *h = (const FWCmdHdr *)sc->sc_cmd_mem;
1256 	int len;
1257 
1258 	len = LE_16(h->Length);
1259 #ifdef MWL_MBSS_SUPPORT
1260 	MWL_DBG(MWL_DBG_CMD, "mwl: mwl_dumpresult(): "
1261 	    "Cmd %s Length %d SeqNum %d MacId %d",
1262 	    mwlcmdname(LE_16(h->Cmd) & ~0x8000), len, h->SeqNum, h->MacId);
1263 #else
1264 	MWL_DBG(MWL_DBG_CMD, "mwl: mwl_dumpresult(): "
1265 	    "Cmd %s Length %d SeqNum %d",
1266 	    mwlcmdname(LE_16(h->Cmd) & ~0x8000), len, LE_16(h->SeqNum));
1267 #endif
1268 	if (showresult) {
1269 		const char *results[] =
1270 		    { "OK", "ERROR", "NOT_SUPPORT", "PENDING", "BUSY",
1271 		    "PARTIAL_DATA" };
1272 		int result = LE_16(h->Result);
1273 
1274 		if (result <= HostCmd_RESULT_PARTIAL_DATA)
1275 			MWL_DBG(MWL_DBG_CMD, "mwl: dumpresult(): "
1276 			    "Result %s", results[result]);
1277 		else
1278 			MWL_DBG(MWL_DBG_CMD, "mwl: dumpresult(): "
1279 			    "Result %d", result);
1280 	}
1281 }
1282 
1283 static int
1284 mwlGetCalTable(struct mwl_softc *sc, uint8_t annex, uint8_t index)
1285 {
1286 	HostCmd_FW_GET_CALTABLE *pCmd;
1287 	int retval;
1288 
1289 	_CMD_SETUP(pCmd, HostCmd_FW_GET_CALTABLE, HostCmd_CMD_GET_CALTABLE);
1290 	pCmd->annex = annex;
1291 	pCmd->index = index;
1292 	(void) memset(pCmd->calTbl, 0, sizeof (pCmd->calTbl));
1293 
1294 	retval = mwlExecuteCmd(sc, HostCmd_CMD_GET_CALTABLE);
1295 	if (retval == 0 &&
1296 	    pCmd->calTbl[0] != annex && annex != 0 && annex != 255)
1297 		retval = EIO;
1298 	return (retval);
1299 }
1300 
1301 /*
1302  * Construct channel info for 2.4GHz channels from cal data.
1303  */
1304 static void
1305 get2Ghz(MWL_HAL_CHANNELINFO *ci, const uint8_t table[], int len)
1306 {
1307 	int i, j;
1308 
1309 	j = 0;
1310 	for (i = 0; i < len; i += 4) {
1311 		struct mwl_hal_channel *hc = &ci->channels[j];
1312 		hc->ieee = 1+j;
1313 		hc->freq = ieee2mhz(1+j);
1314 		(void) memcpy(hc->targetPowers, &table[i], 4);
1315 		setmaxtxpow(hc, 0, 4);
1316 		j++;
1317 	}
1318 	ci->nchannels = j;
1319 	ci->freqLow = ieee2mhz(1);
1320 	ci->freqHigh = ieee2mhz(j);
1321 }
1322 
1323 /*
1324  * Construct channel info for 5GHz channels from cal data.
1325  */
1326 static void
1327 get5Ghz(MWL_HAL_CHANNELINFO *ci, const uint8_t table[], int len)
1328 {
1329 	int i, j, f, l, h;
1330 
1331 	l = 32000;
1332 	h = 0;
1333 	j = 0;
1334 	for (i = 0; i < len; i += 4) {
1335 		struct mwl_hal_channel *hc;
1336 
1337 		if (table[i] == 0)
1338 			continue;
1339 		f = 5000 + 5*table[i];
1340 		if (f < l)
1341 			l = f;
1342 		if (f > h)
1343 			h = f;
1344 		hc = &ci->channels[j];
1345 		hc->freq = (uint16_t)f;
1346 		hc->ieee = table[i];
1347 		(void) memcpy(hc->targetPowers, &table[i], 4);
1348 		setmaxtxpow(hc, 1, 4);	/* NB: col 1 is the freq, skip */
1349 		j++;
1350 	}
1351 	ci->nchannels = j;
1352 	ci->freqLow = (uint16_t)((l == 32000) ? 0 : l);
1353 	ci->freqHigh = (uint16_t)h;
1354 }
1355 
1356 /*
1357  * Calculate the max tx power from the channel's cal data.
1358  */
1359 static void
1360 setmaxtxpow(struct mwl_hal_channel *hc, int i, int maxix)
1361 {
1362 	hc->maxTxPow = hc->targetPowers[i];
1363 	for (i++; i < maxix; i++)
1364 		if (hc->targetPowers[i] > hc->maxTxPow)
1365 			hc->maxTxPow = hc->targetPowers[i];
1366 }
1367 
1368 static uint16_t
1369 ieee2mhz(int chan)
1370 {
1371 	if (chan == 14)
1372 		return (2484);
1373 	if (chan < 14)
1374 		return (2407 + chan * 5);
1375 	return (2512 + (chan - 15) * 20);
1376 }
1377 
1378 static void
1379 dumpcaldata(const char *name, const uint8_t *table, int n)
1380 {
1381 	int i;
1382 	MWL_DBG(MWL_DBG_HW, "\n%s:\n", name);
1383 	for (i = 0; i < n; i += 4)
1384 		MWL_DBG(MWL_DBG_HW, "[%2d] %3d %3d %3d %3d\n",
1385 		    i/4, table[i+0], table[i+1], table[i+2], table[i+3]);
1386 }
1387 
1388 static int
1389 mwlGetPwrCalTable(struct mwl_softc *sc)
1390 {
1391 	const uint8_t *data;
1392 	MWL_HAL_CHANNELINFO *ci;
1393 	int len;
1394 
1395 	/* NB: we hold the lock so it's ok to use cmdbuf */
1396 	data = ((const HostCmd_FW_GET_CALTABLE *) sc->sc_cmd_mem)->calTbl;
1397 	if (mwlGetCalTable(sc, 33, 0) == 0) {
1398 		len = (data[2] | (data[3] << 8)) - 12;
1399 		if (len > PWTAGETRATETABLE20M)
1400 			len = PWTAGETRATETABLE20M;
1401 		dumpcaldata("2.4G 20M", &data[12], len);
1402 		get2Ghz(&sc->sc_20M, &data[12], len);
1403 	}
1404 	if (mwlGetCalTable(sc, 34, 0) == 0) {
1405 		len = (data[2] | (data[3] << 8)) - 12;
1406 		if (len > PWTAGETRATETABLE40M)
1407 			len = PWTAGETRATETABLE40M;
1408 		dumpcaldata("2.4G 40M", &data[12], len);
1409 		ci = &sc->sc_40M;
1410 		get2Ghz(ci, &data[12], len);
1411 	}
1412 	if (mwlGetCalTable(sc, 35, 0) == 0) {
1413 		len = (data[2] | (data[3] << 8)) - 20;
1414 		if (len > PWTAGETRATETABLE20M_5G)
1415 			len = PWTAGETRATETABLE20M_5G;
1416 		dumpcaldata("5G 20M", &data[20], len);
1417 		get5Ghz(&sc->sc_20M_5G, &data[20], len);
1418 	}
1419 	if (mwlGetCalTable(sc, 36, 0) == 0) {
1420 		len = (data[2] | (data[3] << 8)) - 20;
1421 		if (len > PWTAGETRATETABLE40M_5G)
1422 			len = PWTAGETRATETABLE40M_5G;
1423 		dumpcaldata("5G 40M", &data[20], len);
1424 		ci = &sc->sc_40M_5G;
1425 		get5Ghz(ci, &data[20], len);
1426 	}
1427 	sc->sc_hw_flags |= MHF_CALDATA;
1428 	return (0);
1429 }
1430 
1431 /*
1432  * Reset internal state after a firmware download.
1433  */
1434 static int
1435 mwlResetHalState(struct mwl_softc *sc)
1436 {
1437 	int err = 0;
1438 
1439 	/*
1440 	 * Fetch cal data for later use.
1441 	 * XXX may want to fetch other stuff too.
1442 	 */
1443 	/* XXX check return */
1444 	if ((sc->sc_hw_flags & MHF_CALDATA) == 0)
1445 		err = mwlGetPwrCalTable(sc);
1446 	return (err);
1447 }
1448 
1449 #define	IEEE80211_CHAN_HTG	(IEEE80211_CHAN_HT|IEEE80211_CHAN_G)
1450 #define	IEEE80211_CHAN_HTA	(IEEE80211_CHAN_HT|IEEE80211_CHAN_A)
1451 
1452 static void
1453 addchan(struct mwl_channel *c, int freq, int flags, int ieee, int txpow)
1454 {
1455 	c->ic_freq = (uint16_t)freq;
1456 	c->ic_flags = flags;
1457 	c->ic_ieee = (uint8_t)ieee;
1458 	c->ic_minpower = 0;
1459 	c->ic_maxpower = 2*txpow;
1460 	c->ic_maxregpower = (uint8_t)txpow;
1461 }
1462 
1463 static const struct mwl_channel *
1464 findchannel(const struct mwl_channel chans[], int nchans,
1465 	int freq, int flags)
1466 {
1467 	const struct mwl_channel *c;
1468 	int i;
1469 
1470 	for (i = 0; i < nchans; i++) {
1471 		c = &chans[i];
1472 		if (c->ic_freq == freq && c->ic_flags == flags)
1473 			return (c);
1474 	}
1475 	return (NULL);
1476 }
1477 
1478 static void
1479 addht40channels(struct mwl_channel chans[], int maxchans, int *nchans,
1480 	const MWL_HAL_CHANNELINFO *ci, int flags)
1481 {
1482 	struct mwl_channel *c;
1483 	const struct mwl_channel *extc;
1484 	const struct mwl_hal_channel *hc;
1485 	int i;
1486 
1487 	c = &chans[*nchans];
1488 
1489 	flags &= ~IEEE80211_CHAN_HT;
1490 	for (i = 0; i < ci->nchannels; i++) {
1491 		/*
1492 		 * Each entry defines an HT40 channel pair; find the
1493 		 * extension channel above and the insert the pair.
1494 		 */
1495 		hc = &ci->channels[i];
1496 		extc = findchannel(chans, *nchans, hc->freq+20,
1497 		    flags | IEEE80211_CHAN_HT20);
1498 		if (extc != NULL) {
1499 			if (*nchans >= maxchans)
1500 				break;
1501 			addchan(c, hc->freq, flags | IEEE80211_CHAN_HT40U,
1502 			    hc->ieee, hc->maxTxPow);
1503 			c->ic_extieee = extc->ic_ieee;
1504 			c++, (*nchans)++;
1505 			if (*nchans >= maxchans)
1506 				break;
1507 			addchan(c, extc->ic_freq, flags | IEEE80211_CHAN_HT40D,
1508 			    extc->ic_ieee, hc->maxTxPow);
1509 			c->ic_extieee = hc->ieee;
1510 			c++, (*nchans)++;
1511 		}
1512 	}
1513 }
1514 
1515 static void
1516 addchannels(struct mwl_channel chans[], int maxchans, int *nchans,
1517 	const MWL_HAL_CHANNELINFO *ci, int flags)
1518 {
1519 	struct mwl_channel *c;
1520 	int i;
1521 
1522 	c = &chans[*nchans];
1523 
1524 	for (i = 0; i < ci->nchannels; i++) {
1525 		const struct mwl_hal_channel *hc;
1526 
1527 		hc = &ci->channels[i];
1528 		if (*nchans >= maxchans)
1529 			break;
1530 		addchan(c, hc->freq, flags, hc->ieee, hc->maxTxPow);
1531 		c++, (*nchans)++;
1532 
1533 		if (flags == IEEE80211_CHAN_G || flags == IEEE80211_CHAN_HTG) {
1534 			/* g channel have a separate b-only entry */
1535 			if (*nchans >= maxchans)
1536 				break;
1537 			c[0] = c[-1];
1538 			c[-1].ic_flags = IEEE80211_CHAN_B;
1539 			c++, (*nchans)++;
1540 		}
1541 		if (flags == IEEE80211_CHAN_HTG) {
1542 			/* HT g channel have a separate g-only entry */
1543 			if (*nchans >= maxchans)
1544 				break;
1545 			c[-1].ic_flags = IEEE80211_CHAN_G;
1546 			c[0] = c[-1];
1547 			c[0].ic_flags &= ~IEEE80211_CHAN_HT;
1548 			c[0].ic_flags |= IEEE80211_CHAN_HT20;	/* HT20 */
1549 			c++, (*nchans)++;
1550 		}
1551 		if (flags == IEEE80211_CHAN_HTA) {
1552 			/* HT a channel have a separate a-only entry */
1553 			if (*nchans >= maxchans)
1554 				break;
1555 			c[-1].ic_flags = IEEE80211_CHAN_A;
1556 			c[0] = c[-1];
1557 			c[0].ic_flags &= ~IEEE80211_CHAN_HT;
1558 			c[0].ic_flags |= IEEE80211_CHAN_HT20;	/* HT20 */
1559 			c++, (*nchans)++;
1560 		}
1561 	}
1562 }
1563 
1564 static int
1565 mwl_hal_getchannelinfo(struct mwl_softc *sc, int band, int chw,
1566 	const MWL_HAL_CHANNELINFO **ci)
1567 {
1568 	switch (band) {
1569 	case MWL_FREQ_BAND_2DOT4GHZ:
1570 		*ci = (chw == MWL_CH_20_MHz_WIDTH) ? &sc->sc_20M : &sc->sc_40M;
1571 		break;
1572 	case MWL_FREQ_BAND_5GHZ:
1573 		*ci = (chw == MWL_CH_20_MHz_WIDTH) ?
1574 		    &sc->sc_20M_5G : &sc->sc_40M_5G;
1575 		break;
1576 	default:
1577 		return (EINVAL);
1578 	}
1579 	return (((*ci)->freqLow == (*ci)->freqHigh) ? EINVAL : 0);
1580 }
1581 
1582 static void
1583 getchannels(struct mwl_softc *sc, int maxchans, int *nchans,
1584 	struct mwl_channel chans[])
1585 {
1586 	const MWL_HAL_CHANNELINFO *ci;
1587 
1588 	/*
1589 	 * Use the channel info from the hal to craft the
1590 	 * channel list.  Note that we pass back an unsorted
1591 	 * list; the caller is required to sort it for us
1592 	 * (if desired).
1593 	 */
1594 	*nchans = 0;
1595 	if (mwl_hal_getchannelinfo(sc,
1596 	    MWL_FREQ_BAND_2DOT4GHZ, MWL_CH_20_MHz_WIDTH, &ci) == 0)
1597 		addchannels(chans, maxchans, nchans, ci, IEEE80211_CHAN_HTG);
1598 	if (mwl_hal_getchannelinfo(sc,
1599 	    MWL_FREQ_BAND_5GHZ, MWL_CH_20_MHz_WIDTH, &ci) == 0)
1600 		addchannels(chans, maxchans, nchans, ci, IEEE80211_CHAN_HTA);
1601 	if (mwl_hal_getchannelinfo(sc,
1602 	    MWL_FREQ_BAND_2DOT4GHZ, MWL_CH_40_MHz_WIDTH, &ci) == 0)
1603 		addht40channels(chans, maxchans, nchans, ci,
1604 		    IEEE80211_CHAN_HTG);
1605 	if (mwl_hal_getchannelinfo(sc,
1606 	    MWL_FREQ_BAND_5GHZ, MWL_CH_40_MHz_WIDTH, &ci) == 0)
1607 		addht40channels(chans, maxchans, nchans, ci,
1608 		    IEEE80211_CHAN_HTA);
1609 }
1610 
1611 static int
1612 mwl_getchannels(struct mwl_softc *sc)
1613 {
1614 	/*
1615 	 * Use the channel info from the hal to craft the
1616 	 * channel list for net80211.  Note that we pass up
1617 	 * an unsorted list; net80211 will sort it for us.
1618 	 */
1619 	(void) memset(sc->sc_channels, 0, sizeof (sc->sc_channels));
1620 	sc->sc_nchans = 0;
1621 	getchannels(sc, IEEE80211_CHAN_MAX, &sc->sc_nchans, sc->sc_channels);
1622 
1623 	sc->sc_regdomain.regdomain = SKU_DEBUG;
1624 	sc->sc_regdomain.country = CTRY_DEFAULT;
1625 	sc->sc_regdomain.location = 'I';
1626 	sc->sc_regdomain.isocc[0] = ' ';	/* XXX? */
1627 	sc->sc_regdomain.isocc[1] = ' ';
1628 	return (sc->sc_nchans == 0 ? EIO : 0);
1629 }
1630 
1631 #undef IEEE80211_CHAN_HTA
1632 #undef IEEE80211_CHAN_HTG
1633 
1634 /*
1635  * Return "hw specs".  Note this must be the first
1636  * cmd MUST be done after a firmware download or the
1637  * f/w will lockup.
1638  * XXX move into the hal so driver doesn't need to be responsible
1639  */
1640 static int
1641 mwl_gethwspecs(struct mwl_softc *sc)
1642 {
1643 	struct mwl_hal_hwspec *hw;
1644 	HostCmd_DS_GET_HW_SPEC *pCmd;
1645 	int retval;
1646 
1647 	hw = &sc->sc_hwspecs;
1648 	_CMD_SETUP(pCmd, HostCmd_DS_GET_HW_SPEC, HostCmd_CMD_GET_HW_SPEC);
1649 	(void) memset(&pCmd->PermanentAddr[0], 0xff, IEEE80211_ADDR_LEN);
1650 	pCmd->ulFwAwakeCookie = LE_32((unsigned int)sc->sc_cmd_dmaaddr + 2048);
1651 
1652 	retval = mwlExecuteCmd(sc, HostCmd_CMD_GET_HW_SPEC);
1653 	if (retval == 0) {
1654 		IEEE80211_ADDR_COPY(hw->macAddr, pCmd->PermanentAddr);
1655 		hw->wcbBase[0] = LE_32(pCmd->WcbBase0) & 0x0000ffff;
1656 		hw->wcbBase[1] = LE_32(pCmd->WcbBase1[0]) & 0x0000ffff;
1657 		hw->wcbBase[2] = LE_32(pCmd->WcbBase1[1]) & 0x0000ffff;
1658 		hw->wcbBase[3] = LE_32(pCmd->WcbBase1[2]) & 0x0000ffff;
1659 		hw->rxDescRead = LE_32(pCmd->RxPdRdPtr)& 0x0000ffff;
1660 		hw->rxDescWrite = LE_32(pCmd->RxPdWrPtr)& 0x0000ffff;
1661 		hw->regionCode = LE_16(pCmd->RegionCode) & 0x00ff;
1662 		hw->fwReleaseNumber = LE_32(pCmd->FWReleaseNumber);
1663 		hw->maxNumWCB = LE_16(pCmd->NumOfWCB);
1664 		hw->maxNumMCAddr = LE_16(pCmd->NumOfMCastAddr);
1665 		hw->numAntennas = LE_16(pCmd->NumberOfAntenna);
1666 		hw->hwVersion = pCmd->Version;
1667 		hw->hostInterface = pCmd->HostIf;
1668 
1669 		sc->sc_revs.mh_macRev = hw->hwVersion;		/* XXX */
1670 		sc->sc_revs.mh_phyRev = hw->hostInterface;	/* XXX */
1671 	}
1672 
1673 	return (retval);
1674 }
1675 
1676 static int
1677 mwl_hal_setmac_locked(struct mwl_softc *sc,
1678 	const uint8_t addr[IEEE80211_ADDR_LEN])
1679 {
1680 	HostCmd_DS_SET_MAC *pCmd;
1681 
1682 	_VCMD_SETUP(pCmd, HostCmd_DS_SET_MAC, HostCmd_CMD_SET_MAC_ADDR);
1683 	IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], addr);
1684 #ifdef MWL_MBSS_SUPPORT
1685 	/* NB: already byte swapped */
1686 	pCmd->MacType = WL_MAC_TYPE_PRIMARY_CLIENT;
1687 #endif
1688 	return (mwlExecuteCmd(sc, HostCmd_CMD_SET_MAC_ADDR));
1689 }
1690 
1691 static void
1692 cvtPeerInfo(PeerInfo_t *to, const MWL_HAL_PEERINFO *from)
1693 {
1694 	to->LegacyRateBitMap = LE_32(from->LegacyRateBitMap);
1695 	to->HTRateBitMap = LE_32(from->HTRateBitMap);
1696 	to->CapInfo = LE_16(from->CapInfo);
1697 	to->HTCapabilitiesInfo = LE_16(from->HTCapabilitiesInfo);
1698 	to->MacHTParamInfo = from->MacHTParamInfo;
1699 	to->AddHtInfo.ControlChan = from->AddHtInfo.ControlChan;
1700 	to->AddHtInfo.AddChan = from->AddHtInfo.AddChan;
1701 	to->AddHtInfo.OpMode = LE_16(from->AddHtInfo.OpMode);
1702 	to->AddHtInfo.stbc = LE_16(from->AddHtInfo.stbc);
1703 }
1704 
1705 /* XXX station id must be in [0..63] */
1706 static int
1707 mwl_hal_newstation(struct mwl_softc *sc,
1708 	const uint8_t addr[IEEE80211_ADDR_LEN], uint16_t aid, uint16_t sid,
1709 	const MWL_HAL_PEERINFO *peer, int isQosSta, int wmeInfo)
1710 {
1711 	HostCmd_FW_SET_NEW_STN *pCmd;
1712 	int retval;
1713 
1714 	_VCMD_SETUP(pCmd, HostCmd_FW_SET_NEW_STN, HostCmd_CMD_SET_NEW_STN);
1715 	pCmd->AID = LE_16(aid);
1716 	pCmd->StnId = LE_16(sid);
1717 	pCmd->Action = LE_16(0);	/* SET */
1718 	if (peer != NULL) {
1719 		/* NB: must fix up byte order */
1720 		cvtPeerInfo(&pCmd->PeerInfo, peer);
1721 	}
1722 	IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], addr);
1723 	pCmd->Qosinfo = (uint8_t)wmeInfo;
1724 	pCmd->isQosSta = (isQosSta != 0);
1725 
1726 	MWL_DBG(MWL_DBG_HW, "mwl: mwl_hal_newstation(): "
1727 	    "LegacyRateBitMap %x, CapInfo %x\n",
1728 	    pCmd->PeerInfo.LegacyRateBitMap, pCmd->PeerInfo.CapInfo);
1729 
1730 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_NEW_STN);
1731 	return (retval);
1732 }
1733 
1734 /*
1735  * Configure antenna use.
1736  * Takes effect immediately.
1737  * XXX tx antenna setting ignored
1738  * XXX rx antenna setting should always be 3 (for now)
1739  */
1740 static int
1741 mwl_hal_setantenna(struct mwl_softc *sc, MWL_HAL_ANTENNA dirSet, int ant)
1742 {
1743 	HostCmd_DS_802_11_RF_ANTENNA *pCmd;
1744 	int retval;
1745 
1746 	if (!(dirSet == WL_ANTENNATYPE_RX || dirSet == WL_ANTENNATYPE_TX))
1747 		return (EINVAL);
1748 
1749 	_CMD_SETUP(pCmd, HostCmd_DS_802_11_RF_ANTENNA,
1750 	    HostCmd_CMD_802_11_RF_ANTENNA);
1751 	pCmd->Action = LE_16(dirSet);
1752 	if (ant == 0)			/* default to all/both antennae */
1753 		ant = 3;
1754 	pCmd->AntennaMode = LE_16(ant);
1755 
1756 	retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RF_ANTENNA);
1757 	return (retval);
1758 }
1759 
1760 /*
1761  * Configure radio.
1762  * Takes effect immediately.
1763  * XXX preamble installed after set fixed rate cmd
1764  */
1765 static int
1766 mwl_hal_setradio(struct mwl_softc *sc, int onoff, MWL_HAL_PREAMBLE preamble)
1767 {
1768 	HostCmd_DS_802_11_RADIO_CONTROL *pCmd;
1769 	int retval;
1770 
1771 	_CMD_SETUP(pCmd, HostCmd_DS_802_11_RADIO_CONTROL,
1772 	    HostCmd_CMD_802_11_RADIO_CONTROL);
1773 	pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
1774 	if (onoff == 0)
1775 		pCmd->Control = 0;
1776 	else
1777 		pCmd->Control = LE_16(preamble);
1778 	pCmd->RadioOn = LE_16(onoff);
1779 
1780 	retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RADIO_CONTROL);
1781 	return (retval);
1782 }
1783 
1784 static int
1785 mwl_hal_setwmm(struct mwl_softc *sc, int onoff)
1786 {
1787 	HostCmd_FW_SetWMMMode *pCmd;
1788 	int retval;
1789 
1790 	_CMD_SETUP(pCmd, HostCmd_FW_SetWMMMode,
1791 	    HostCmd_CMD_SET_WMM_MODE);
1792 	pCmd->Action = LE_16(onoff);
1793 
1794 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_WMM_MODE);
1795 	return (retval);
1796 }
1797 
1798 /*
1799  * Convert public channel flags definition to a
1800  * value suitable for feeding to the firmware.
1801  * Note this includes byte swapping.
1802  */
1803 static uint32_t
1804 cvtChannelFlags(const MWL_HAL_CHANNEL *chan)
1805 {
1806 	uint32_t w;
1807 
1808 	/*
1809 	 * NB: f/w only understands FREQ_BAND_5GHZ, supplying the more
1810 	 * precise band info causes it to lockup (sometimes).
1811 	 */
1812 	w = (chan->channelFlags.FreqBand == MWL_FREQ_BAND_2DOT4GHZ) ?
1813 	    FREQ_BAND_2DOT4GHZ : FREQ_BAND_5GHZ;
1814 	switch (chan->channelFlags.ChnlWidth) {
1815 	case MWL_CH_10_MHz_WIDTH:
1816 		w |= CH_10_MHz_WIDTH;
1817 		break;
1818 	case MWL_CH_20_MHz_WIDTH:
1819 		w |= CH_20_MHz_WIDTH;
1820 		break;
1821 	case MWL_CH_40_MHz_WIDTH:
1822 	default:
1823 		w |= CH_40_MHz_WIDTH;
1824 		break;
1825 	}
1826 	switch (chan->channelFlags.ExtChnlOffset) {
1827 	case MWL_EXT_CH_NONE:
1828 		w |= EXT_CH_NONE;
1829 		break;
1830 	case MWL_EXT_CH_ABOVE_CTRL_CH:
1831 		w |= EXT_CH_ABOVE_CTRL_CH;
1832 		break;
1833 	case MWL_EXT_CH_BELOW_CTRL_CH:
1834 		w |= EXT_CH_BELOW_CTRL_CH;
1835 		break;
1836 	}
1837 	return (LE_32(w));
1838 }
1839 
1840 static int
1841 mwl_hal_setchannel(struct mwl_softc *sc, const MWL_HAL_CHANNEL *chan)
1842 {
1843 	HostCmd_FW_SET_RF_CHANNEL *pCmd;
1844 	int retval;
1845 
1846 	_CMD_SETUP(pCmd, HostCmd_FW_SET_RF_CHANNEL, HostCmd_CMD_SET_RF_CHANNEL);
1847 	pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
1848 	pCmd->CurrentChannel = chan->channel;
1849 	pCmd->ChannelFlags = cvtChannelFlags(chan);	/* NB: byte-swapped */
1850 
1851 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_RF_CHANNEL);
1852 	return (retval);
1853 }
1854 
1855 static int
1856 mwl_hal_settxpower(struct mwl_softc *sc,
1857     const MWL_HAL_CHANNEL *c, uint8_t maxtxpow)
1858 {
1859 	HostCmd_DS_802_11_RF_TX_POWER *pCmd;
1860 	const struct mwl_hal_channel *hc;
1861 	int i = 0, retval;
1862 
1863 	hc = findhalchannel(sc, c);
1864 	if (hc == NULL) {
1865 		/* XXX temp while testing */
1866 		MWL_DBG(MWL_DBG_HW, "mwl: mwl_hal_settxpower(): "
1867 		    "no cal data for channel %u band %u width %u ext %u\n",
1868 		    c->channel, c->channelFlags.FreqBand,
1869 		    c->channelFlags.ChnlWidth, c->channelFlags.ExtChnlOffset);
1870 		return (EINVAL);
1871 	}
1872 
1873 	_CMD_SETUP(pCmd, HostCmd_DS_802_11_RF_TX_POWER,
1874 	    HostCmd_CMD_802_11_RF_TX_POWER);
1875 	pCmd->Action = LE_16(HostCmd_ACT_GEN_SET_LIST);
1876 	/* NB: 5Ghz cal data have the channel # in [0]; don't truncate */
1877 	if (c->channelFlags.FreqBand == MWL_FREQ_BAND_5GHZ)
1878 		pCmd->PowerLevelList[i++] = LE_16(hc->targetPowers[0]);
1879 	for (; i < 4; i++) {
1880 		uint16_t pow = hc->targetPowers[i];
1881 		if (pow > maxtxpow)
1882 			pow = maxtxpow;
1883 		pCmd->PowerLevelList[i] = LE_16(pow);
1884 	}
1885 	retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RF_TX_POWER);
1886 	return (retval);
1887 }
1888 
1889 #define	RATEVAL(r)	((r) &~ RATE_MCS)
1890 #define	RATETYPE(r)	(((r) & RATE_MCS) ? HT_RATE_TYPE : LEGACY_RATE_TYPE)
1891 
1892 static int
1893 mwl_hal_settxrate(struct mwl_softc *sc, MWL_HAL_TXRATE_HANDLING handling,
1894 	const MWL_HAL_TXRATE *rate)
1895 {
1896 	HostCmd_FW_USE_FIXED_RATE *pCmd;
1897 	FIXED_RATE_ENTRY *fp;
1898 	int retval, i, n;
1899 
1900 	_VCMD_SETUP(pCmd, HostCmd_FW_USE_FIXED_RATE,
1901 	    HostCmd_CMD_SET_FIXED_RATE);
1902 
1903 	pCmd->MulticastRate = RATEVAL(rate->McastRate);
1904 	pCmd->MultiRateTxType = RATETYPE(rate->McastRate);
1905 	/* NB: no rate type field */
1906 	pCmd->ManagementRate = RATEVAL(rate->MgtRate);
1907 	(void) memset(pCmd->FixedRateTable, 0, sizeof (pCmd->FixedRateTable));
1908 	if (handling == RATE_FIXED) {
1909 		pCmd->Action = LE_32(HostCmd_ACT_GEN_SET);
1910 		pCmd->AllowRateDrop = LE_32(FIXED_RATE_WITHOUT_AUTORATE_DROP);
1911 		fp = pCmd->FixedRateTable;
1912 		fp->FixedRate =
1913 		    LE_32(RATEVAL(rate->RateSeries[0].Rate));
1914 		fp->FixRateTypeFlags.FixRateType =
1915 		    LE_32(RATETYPE(rate->RateSeries[0].Rate));
1916 		pCmd->EntryCount = LE_32(1);
1917 	} else if (handling == RATE_FIXED_DROP) {
1918 		pCmd->Action = LE_32(HostCmd_ACT_GEN_SET);
1919 		pCmd->AllowRateDrop = LE_32(FIXED_RATE_WITH_AUTO_RATE_DROP);
1920 		n = 0;
1921 		fp = pCmd->FixedRateTable;
1922 		for (i = 0; i < 4; i++) {
1923 			if (rate->RateSeries[0].TryCount == 0)
1924 				break;
1925 			fp->FixRateTypeFlags.FixRateType =
1926 			    LE_32(RATETYPE(rate->RateSeries[i].Rate));
1927 			fp->FixedRate =
1928 			    LE_32(RATEVAL(rate->RateSeries[i].Rate));
1929 			fp->FixRateTypeFlags.RetryCountValid =
1930 			    LE_32(RETRY_COUNT_VALID);
1931 			fp->RetryCount =
1932 			    LE_32(rate->RateSeries[i].TryCount-1);
1933 			n++;
1934 		}
1935 		pCmd->EntryCount = LE_32(n);
1936 	} else
1937 		pCmd->Action = LE_32(HostCmd_ACT_NOT_USE_FIXED_RATE);
1938 
1939 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_FIXED_RATE);
1940 	return (retval);
1941 }
1942 
1943 static int
1944 mwl_hal_settxrate_auto(struct mwl_softc *sc, const MWL_HAL_TXRATE *rate)
1945 {
1946 	HostCmd_FW_USE_FIXED_RATE *pCmd;
1947 	int retval;
1948 
1949 	_CMD_SETUP(pCmd, HostCmd_FW_USE_FIXED_RATE,
1950 	    HostCmd_CMD_SET_FIXED_RATE);
1951 
1952 	pCmd->MulticastRate = RATEVAL(rate->McastRate);
1953 	pCmd->MultiRateTxType = RATETYPE(rate->McastRate);
1954 	/* NB: no rate type field */
1955 	pCmd->ManagementRate = RATEVAL(rate->MgtRate);
1956 	(void) memset(pCmd->FixedRateTable, 0, sizeof (pCmd->FixedRateTable));
1957 	pCmd->Action = LE_32(HostCmd_ACT_NOT_USE_FIXED_RATE);
1958 
1959 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_FIXED_RATE);
1960 	return (retval);
1961 }
1962 
1963 #undef RATEVAL
1964 #undef RATETYPE
1965 
1966 /* XXX 0 = indoor, 1 = outdoor */
1967 static int
1968 mwl_hal_setrateadaptmode(struct mwl_softc *sc, uint16_t mode)
1969 {
1970 	HostCmd_DS_SET_RATE_ADAPT_MODE *pCmd;
1971 	int retval;
1972 
1973 	_CMD_SETUP(pCmd, HostCmd_DS_SET_RATE_ADAPT_MODE,
1974 	    HostCmd_CMD_SET_RATE_ADAPT_MODE);
1975 	pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
1976 	pCmd->RateAdaptMode = LE_16(mode);
1977 
1978 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_RATE_ADAPT_MODE);
1979 	return (retval);
1980 }
1981 
1982 static int
1983 mwl_hal_setoptimizationlevel(struct mwl_softc *sc, int level)
1984 {
1985 	HostCmd_FW_SET_OPTIMIZATION_LEVEL *pCmd;
1986 	int retval;
1987 
1988 	_CMD_SETUP(pCmd, HostCmd_FW_SET_OPTIMIZATION_LEVEL,
1989 	    HostCmd_CMD_SET_OPTIMIZATION_LEVEL);
1990 	pCmd->OptLevel = (uint8_t)level;
1991 
1992 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_OPTIMIZATION_LEVEL);
1993 	return (retval);
1994 }
1995 
1996 /*
1997  * Set the region code that selects the radar bin'ing agorithm.
1998  */
1999 static int
2000 mwl_hal_setregioncode(struct mwl_softc *sc, int regionCode)
2001 {
2002 	HostCmd_SET_REGIONCODE_INFO *pCmd;
2003 	int retval;
2004 
2005 	_CMD_SETUP(pCmd, HostCmd_SET_REGIONCODE_INFO,
2006 	    HostCmd_CMD_SET_REGION_CODE);
2007 	/* XXX map pseudo-codes to fw codes */
2008 	switch (regionCode) {
2009 	case DOMAIN_CODE_ETSI_131:
2010 		pCmd->regionCode = LE_16(DOMAIN_CODE_ETSI);
2011 		break;
2012 	default:
2013 		pCmd->regionCode = LE_16(regionCode);
2014 		break;
2015 	}
2016 
2017 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_REGION_CODE);
2018 	return (retval);
2019 }
2020 
2021 static int
2022 mwl_hal_setassocid(struct mwl_softc *sc,
2023 	const uint8_t bssId[IEEE80211_ADDR_LEN], uint16_t assocId)
2024 {
2025 	HostCmd_FW_SET_AID *pCmd = (HostCmd_FW_SET_AID *) &sc->sc_cmd_mem[0];
2026 	int retval;
2027 
2028 	_VCMD_SETUP(pCmd, HostCmd_FW_SET_AID, HostCmd_CMD_SET_AID);
2029 	pCmd->AssocID = LE_16(assocId);
2030 	IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], bssId);
2031 
2032 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_AID);
2033 	return (retval);
2034 }
2035 
2036 /*
2037  * Inform firmware of tx rate parameters.  Called whenever
2038  * user-settable params change and after a channel change.
2039  */
2040 static int
2041 mwl_setrates(struct ieee80211com *ic)
2042 {
2043 	struct mwl_softc *sc = (struct mwl_softc *)ic;
2044 	MWL_HAL_TXRATE rates;
2045 
2046 	const struct ieee80211_rateset *rs;
2047 	rs = &ic->ic_bss->in_rates;
2048 
2049 	/*
2050 	 * Update the h/w rate map.
2051 	 * NB: 0x80 for MCS is passed through unchanged
2052 	 */
2053 	(void) memset(&rates, 0, sizeof (rates));
2054 	/* rate used to send management frames */
2055 	rates.MgtRate = rs->ir_rates[0] & IEEE80211_RATE_VAL;
2056 	/* rate used to send multicast frames */
2057 	rates.McastRate = rates.MgtRate;
2058 
2059 	return (mwl_hal_settxrate(sc, RATE_AUTO, &rates));
2060 }
2061 
2062 /*
2063  * Set packet size threshold for implicit use of RTS.
2064  * Takes effect immediately.
2065  * XXX packet length > threshold =>'s RTS
2066  */
2067 static int
2068 mwl_hal_setrtsthreshold(struct mwl_softc *sc, int threshold)
2069 {
2070 	HostCmd_DS_802_11_RTS_THSD *pCmd;
2071 	int retval;
2072 
2073 	_VCMD_SETUP(pCmd, HostCmd_DS_802_11_RTS_THSD,
2074 	    HostCmd_CMD_802_11_RTS_THSD);
2075 	pCmd->Action  = LE_16(HostCmd_ACT_GEN_SET);
2076 	pCmd->Threshold = LE_16(threshold);
2077 
2078 	retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RTS_THSD);
2079 	return (retval);
2080 }
2081 
2082 static int
2083 mwl_hal_setcsmode(struct mwl_softc *sc, MWL_HAL_CSMODE csmode)
2084 {
2085 	HostCmd_DS_SET_LINKADAPT_CS_MODE *pCmd;
2086 	int retval;
2087 
2088 	_CMD_SETUP(pCmd, HostCmd_DS_SET_LINKADAPT_CS_MODE,
2089 	    HostCmd_CMD_SET_LINKADAPT_CS_MODE);
2090 	pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
2091 	pCmd->CSMode = LE_16(csmode);
2092 
2093 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_LINKADAPT_CS_MODE);
2094 	return (retval);
2095 }
2096 
2097 static int
2098 mwl_hal_setpromisc(struct mwl_softc *sc, int ena)
2099 {
2100 	uint32_t v;
2101 
2102 	v = mwl_ctl_read4(sc, MACREG_REG_PROMISCUOUS);
2103 	mwl_ctl_write4(sc, MACREG_REG_PROMISCUOUS, ena ? v | 1 : v & ~1);
2104 
2105 	return (0);
2106 }
2107 
2108 static int
2109 mwl_hal_start(struct mwl_softc *sc)
2110 {
2111 	HostCmd_DS_BSS_START *pCmd;
2112 	int retval;
2113 
2114 	_VCMD_SETUP(pCmd, HostCmd_DS_BSS_START, HostCmd_CMD_BSS_START);
2115 	pCmd->Enable = LE_32(HostCmd_ACT_GEN_ON);
2116 
2117 	retval = mwlExecuteCmd(sc, HostCmd_CMD_BSS_START);
2118 	return (retval);
2119 }
2120 
2121 /*
2122  * Enable sta-mode operation (disables beacon frame xmit).
2123  */
2124 static int
2125 mwl_hal_setinframode(struct mwl_softc *sc)
2126 {
2127 	HostCmd_FW_SET_INFRA_MODE *pCmd;
2128 	int retval;
2129 
2130 	_VCMD_SETUP(pCmd, HostCmd_FW_SET_INFRA_MODE,
2131 	    HostCmd_CMD_SET_INFRA_MODE);
2132 
2133 	retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_INFRA_MODE);
2134 	return (retval);
2135 }
2136 
2137 static int
2138 mwl_hal_stop(struct mwl_softc *sc)
2139 {
2140 	HostCmd_DS_BSS_START *pCmd;
2141 	int retval;
2142 
2143 	_VCMD_SETUP(pCmd, HostCmd_DS_BSS_START,
2144 	    HostCmd_CMD_BSS_START);
2145 	pCmd->Enable = LE_32(HostCmd_ACT_GEN_OFF);
2146 	retval = mwlExecuteCmd(sc, HostCmd_CMD_BSS_START);
2147 
2148 	return (retval);
2149 }
2150 
2151 static int
2152 mwl_hal_keyset(struct mwl_softc *sc, const MWL_HAL_KEYVAL *kv,
2153 	const uint8_t mac[IEEE80211_ADDR_LEN])
2154 {
2155 	HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY *pCmd;
2156 	int retval;
2157 
2158 	_VCMD_SETUP(pCmd, HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY,
2159 	    HostCmd_CMD_UPDATE_ENCRYPTION);
2160 	if (kv->keyFlags & (KEY_FLAG_TXGROUPKEY|KEY_FLAG_RXGROUPKEY))
2161 		pCmd->ActionType = LE_32(EncrActionTypeSetGroupKey);
2162 	else
2163 		pCmd->ActionType = LE_32(EncrActionTypeSetKey);
2164 	pCmd->KeyParam.Length = LE_16(sizeof (pCmd->KeyParam));
2165 	pCmd->KeyParam.KeyTypeId = LE_16(kv->keyTypeId);
2166 	pCmd->KeyParam.KeyInfo = LE_32(kv->keyFlags);
2167 	pCmd->KeyParam.KeyIndex = LE_32(kv->keyIndex);
2168 	/* NB: includes TKIP MIC keys */
2169 	(void) memcpy(&pCmd->KeyParam.Key, &kv->key, kv->keyLen);
2170 	switch (kv->keyTypeId) {
2171 	case KEY_TYPE_ID_WEP:
2172 		pCmd->KeyParam.KeyLen = LE_16(kv->keyLen);
2173 		break;
2174 	case KEY_TYPE_ID_TKIP:
2175 		pCmd->KeyParam.KeyLen = LE_16(sizeof (TKIP_TYPE_KEY));
2176 		pCmd->KeyParam.Key.TkipKey.TkipRsc.low =
2177 		    LE_16(kv->key.tkip.rsc.low);
2178 		pCmd->KeyParam.Key.TkipKey.TkipRsc.high =
2179 		    LE_32(kv->key.tkip.rsc.high);
2180 		pCmd->KeyParam.Key.TkipKey.TkipTsc.low =
2181 		    LE_16(kv->key.tkip.tsc.low);
2182 		pCmd->KeyParam.Key.TkipKey.TkipTsc.high =
2183 		    LE_32(kv->key.tkip.tsc.high);
2184 		break;
2185 	case KEY_TYPE_ID_AES:
2186 		pCmd->KeyParam.KeyLen = LE_16(sizeof (AES_TYPE_KEY));
2187 		break;
2188 	}
2189 #ifdef MWL_MBSS_SUPPORT
2190 	IEEE80211_ADDR_COPY(pCmd->KeyParam.Macaddr, mac);
2191 #else
2192 	IEEE80211_ADDR_COPY(pCmd->Macaddr, mac);
2193 #endif
2194 
2195 	retval = mwlExecuteCmd(sc, HostCmd_CMD_UPDATE_ENCRYPTION);
2196 	return (retval);
2197 }
2198 
2199 static int
2200 mwl_hal_keyreset(struct mwl_softc *sc, const MWL_HAL_KEYVAL *kv,
2201     const uint8_t mac[IEEE80211_ADDR_LEN])
2202 {
2203 	HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY *pCmd;
2204 	int retval;
2205 
2206 	_VCMD_SETUP(pCmd, HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY,
2207 	    HostCmd_CMD_UPDATE_ENCRYPTION);
2208 	pCmd->ActionType = LE_16(EncrActionTypeRemoveKey);
2209 	pCmd->KeyParam.Length = LE_16(sizeof (pCmd->KeyParam));
2210 	pCmd->KeyParam.KeyTypeId = LE_16(kv->keyTypeId);
2211 	pCmd->KeyParam.KeyInfo = LE_32(kv->keyFlags);
2212 	pCmd->KeyParam.KeyIndex = LE_32(kv->keyIndex);
2213 #ifdef MWL_MBSS_SUPPORT
2214 	IEEE80211_ADDR_COPY(pCmd->KeyParam.Macaddr, mac);
2215 #else
2216 	IEEE80211_ADDR_COPY(pCmd->Macaddr, mac);
2217 #endif
2218 	retval = mwlExecuteCmd(sc, HostCmd_CMD_UPDATE_ENCRYPTION);
2219 	return (retval);
2220 }
2221 
2222 /* ARGSUSED */
2223 static struct ieee80211_node *
2224 mwl_node_alloc(struct ieee80211com *ic)
2225 {
2226 	struct mwl_node *mn;
2227 
2228 	mn = kmem_zalloc(sizeof (struct mwl_node), KM_SLEEP);
2229 	if (mn == NULL) {
2230 		/* XXX stat+msg */
2231 		MWL_DBG(MWL_DBG_MSG, "mwl: mwl_node_alloc(): "
2232 		    "alloc node failed\n");
2233 		return (NULL);
2234 	}
2235 	return (&mn->mn_node);
2236 }
2237 
2238 static void
2239 mwl_node_free(struct ieee80211_node *ni)
2240 {
2241 	struct ieee80211com *ic = ni->in_ic;
2242 	struct mwl_node *mn = MWL_NODE(ni);
2243 
2244 	if (mn->mn_staid != 0) {
2245 		// mwl_hal_delstation(mn->mn_hvap, vap->iv_myaddr);
2246 		// delstaid(sc, mn->mn_staid);
2247 		mn->mn_staid = 0;
2248 	}
2249 	ic->ic_node_cleanup(ni);
2250 	kmem_free(ni, sizeof (struct mwl_node));
2251 }
2252 
2253 /*
2254  * Allocate a key cache slot for a unicast key.  The
2255  * firmware handles key allocation and every station is
2256  * guaranteed key space so we are always successful.
2257  */
2258 static int
2259 mwl_key_alloc(struct ieee80211com *ic, const struct ieee80211_key *k,
2260 	ieee80211_keyix *keyix, ieee80211_keyix *rxkeyix)
2261 {
2262 	if (k->wk_keyix != IEEE80211_KEYIX_NONE ||
2263 	    (k->wk_flags & IEEE80211_KEY_GROUP)) {
2264 		if (!(&ic->ic_nw_keys[0] <= k &&
2265 		    k < &ic->ic_nw_keys[IEEE80211_WEP_NKID])) {
2266 			/* should not happen */
2267 			MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
2268 			    "bogus group key\n");
2269 			return (0);
2270 		}
2271 		/* give the caller what they requested */
2272 		*keyix = *rxkeyix = k - ic->ic_nw_keys;
2273 		MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
2274 		    "alloc GROUP key keyix %x, rxkeyix %x\n",
2275 		    *keyix, *rxkeyix);
2276 	} else {
2277 		/*
2278 		 * Firmware handles key allocation.
2279 		 */
2280 		*keyix = *rxkeyix = 0;
2281 		MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
2282 		    "reset key index in key allocation\n");
2283 	}
2284 
2285 	return (1);
2286 }
2287 
2288 /*
2289  * Delete a key entry allocated by mwl_key_alloc.
2290  */
2291 static int
2292 mwl_key_delete(struct ieee80211com *ic, const struct ieee80211_key *k)
2293 {
2294 	struct mwl_softc *sc = (struct mwl_softc *)ic;
2295 	MWL_HAL_KEYVAL hk;
2296 	const uint8_t bcastaddr[IEEE80211_ADDR_LEN] =
2297 	    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
2298 
2299 	(void) memset(&hk, 0, sizeof (hk));
2300 	hk.keyIndex = k->wk_keyix;
2301 	switch (k->wk_cipher->ic_cipher) {
2302 	case IEEE80211_CIPHER_WEP:
2303 		hk.keyTypeId = KEY_TYPE_ID_WEP;
2304 		break;
2305 	case IEEE80211_CIPHER_TKIP:
2306 		hk.keyTypeId = KEY_TYPE_ID_TKIP;
2307 		break;
2308 	case IEEE80211_CIPHER_AES_CCM:
2309 		hk.keyTypeId = KEY_TYPE_ID_AES;
2310 		break;
2311 	default:
2312 		/* XXX should not happen */
2313 		MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_delete(): "
2314 		    "unknown cipher %d\n", k->wk_cipher->ic_cipher);
2315 		return (0);
2316 	}
2317 	return (mwl_hal_keyreset(sc, &hk, bcastaddr) == 0);
2318 }
2319 
2320 /*
2321  * Set the key cache contents for the specified key.  Key cache
2322  * slot(s) must already have been allocated by mwl_key_alloc.
2323  */
2324 /* ARGSUSED */
2325 static int
2326 mwl_key_set(struct ieee80211com *ic, const struct ieee80211_key *k,
2327 	const uint8_t mac[IEEE80211_ADDR_LEN])
2328 {
2329 #define	GRPXMIT	(IEEE80211_KEY_XMIT | IEEE80211_KEY_GROUP)
2330 /* NB: static wep keys are marked GROUP+tx/rx; GTK will be tx or rx */
2331 #define	IEEE80211_IS_STATICKEY(k) \
2332 	(((k)->wk_flags & (GRPXMIT|IEEE80211_KEY_RECV)) == \
2333 	(GRPXMIT|IEEE80211_KEY_RECV))
2334 	struct mwl_softc *sc = (struct mwl_softc *)ic;
2335 	const struct ieee80211_cipher *cip = k->wk_cipher;
2336 	const uint8_t *macaddr;
2337 	MWL_HAL_KEYVAL hk;
2338 
2339 	(void) memset(&hk, 0, sizeof (hk));
2340 	hk.keyIndex = k->wk_keyix;
2341 	switch (cip->ic_cipher) {
2342 	case IEEE80211_CIPHER_WEP:
2343 		hk.keyTypeId = KEY_TYPE_ID_WEP;
2344 		hk.keyLen = k->wk_keylen;
2345 		if (k->wk_keyix == ic->ic_def_txkey)
2346 			hk.keyFlags = KEY_FLAG_WEP_TXKEY;
2347 		if (!IEEE80211_IS_STATICKEY(k)) {
2348 			/* NB: WEP is never used for the PTK */
2349 			(void) addgroupflags(&hk, k);
2350 		}
2351 		break;
2352 	case IEEE80211_CIPHER_TKIP:
2353 		hk.keyTypeId = KEY_TYPE_ID_TKIP;
2354 		hk.key.tkip.tsc.high = (uint32_t)(k->wk_keytsc >> 16);
2355 		hk.key.tkip.tsc.low = (uint16_t)k->wk_keytsc;
2356 		hk.keyFlags = KEY_FLAG_TSC_VALID | KEY_FLAG_MICKEY_VALID;
2357 		hk.keyLen = k->wk_keylen + IEEE80211_MICBUF_SIZE;
2358 		if (!addgroupflags(&hk, k))
2359 			hk.keyFlags |= KEY_FLAG_PAIRWISE;
2360 		break;
2361 	case IEEE80211_CIPHER_AES_CCM:
2362 		hk.keyTypeId = KEY_TYPE_ID_AES;
2363 		hk.keyLen = k->wk_keylen;
2364 		if (!addgroupflags(&hk, k))
2365 			hk.keyFlags |= KEY_FLAG_PAIRWISE;
2366 		break;
2367 	default:
2368 		/* XXX should not happen */
2369 		MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_set(): "
2370 		    "unknown cipher %d\n",
2371 		    k->wk_cipher->ic_cipher);
2372 		return (0);
2373 	}
2374 	/*
2375 	 * NB: tkip mic keys get copied here too; the layout
2376 	 * just happens to match that in ieee80211_key.
2377 	 */
2378 	(void) memcpy(hk.key.aes, k->wk_key, hk.keyLen);
2379 
2380 	/*
2381 	 * Locate address of sta db entry for writing key;
2382 	 * the convention unfortunately is somewhat different
2383 	 * than how net80211, hostapd, and wpa_supplicant think.
2384 	 */
2385 
2386 	/*
2387 	 * NB: keys plumbed before the sta reaches AUTH state
2388 	 * will be discarded or written to the wrong sta db
2389 	 * entry because iv_bss is meaningless.  This is ok
2390 	 * (right now) because we handle deferred plumbing of
2391 	 * WEP keys when the sta reaches AUTH state.
2392 	 */
2393 	macaddr = ic->ic_bss->in_bssid;
2394 	if (k->wk_flags & IEEE80211_KEY_XMIT) {
2395 		/* XXX plumb to local sta db too for static key wep */
2396 		(void) mwl_hal_keyset(sc, &hk, ic->ic_macaddr);
2397 	}
2398 	return (mwl_hal_keyset(sc, &hk, macaddr) == 0);
2399 #undef IEEE80211_IS_STATICKEY
2400 #undef GRPXMIT
2401 }
2402 
2403 /*
2404  * Plumb any static WEP key for the station.  This is
2405  * necessary as we must propagate the key from the
2406  * global key table of the vap to each sta db entry.
2407  */
2408 static void
2409 mwl_setanywepkey(struct ieee80211com *ic, const uint8_t mac[IEEE80211_ADDR_LEN])
2410 {
2411 	if ((ic->ic_flags & (IEEE80211_F_PRIVACY|IEEE80211_F_WPA)) ==
2412 	    IEEE80211_F_PRIVACY &&
2413 	    ic->ic_def_txkey != IEEE80211_KEYIX_NONE &&
2414 	    ic->ic_nw_keys[ic->ic_def_txkey].wk_keyix != IEEE80211_KEYIX_NONE)
2415 		(void) mwl_key_set(ic, &ic->ic_nw_keys[ic->ic_def_txkey], mac);
2416 }
2417 
2418 static void
2419 mwl_setglobalkeys(struct ieee80211com *ic)
2420 {
2421 	struct ieee80211_key *wk;
2422 
2423 	wk = &ic->ic_nw_keys[0];
2424 	for (; wk < &ic->ic_nw_keys[IEEE80211_WEP_NKID]; wk++)
2425 		if (wk->wk_keyix != IEEE80211_KEYIX_NONE)
2426 			(void) mwl_key_set(ic, wk, ic->ic_macaddr);
2427 }
2428 
2429 static int
2430 addgroupflags(MWL_HAL_KEYVAL *hk, const struct ieee80211_key *k)
2431 {
2432 	if (k->wk_flags & IEEE80211_KEY_GROUP) {
2433 		if (k->wk_flags & IEEE80211_KEY_XMIT)
2434 			hk->keyFlags |= KEY_FLAG_TXGROUPKEY;
2435 		if (k->wk_flags & IEEE80211_KEY_RECV)
2436 			hk->keyFlags |= KEY_FLAG_RXGROUPKEY;
2437 		return (1);
2438 	} else
2439 		return (0);
2440 }
2441 
2442 /*
2443  * Set/change channels.
2444  */
2445 static int
2446 mwl_chan_set(struct mwl_softc *sc, struct mwl_channel *chan)
2447 {
2448 	MWL_HAL_CHANNEL hchan;
2449 	int maxtxpow;
2450 
2451 	MWL_DBG(MWL_DBG_HW, "mwl: mwl_chan_set(): "
2452 	    "chan %u MHz/flags 0x%x\n",
2453 	    chan->ic_freq, chan->ic_flags);
2454 
2455 	/*
2456 	 * Convert to a HAL channel description with
2457 	 * the flags constrained to reflect the current
2458 	 * operating mode.
2459 	 */
2460 	mwl_mapchan(&hchan, chan);
2461 	mwl_hal_intrset(sc, 0);		/* disable interrupts */
2462 
2463 	(void) mwl_hal_setchannel(sc, &hchan);
2464 	/*
2465 	 * Tx power is cap'd by the regulatory setting and
2466 	 * possibly a user-set limit.  We pass the min of
2467 	 * these to the hal to apply them to the cal data
2468 	 * for this channel.
2469 	 * XXX min bound?
2470 	 */
2471 	maxtxpow = 2 * chan->ic_maxregpower;
2472 	if (maxtxpow > 100)
2473 		maxtxpow = 100;
2474 	(void) mwl_hal_settxpower(sc, &hchan, maxtxpow / 2);
2475 	/* NB: potentially change mcast/mgt rates */
2476 	(void) mwl_setcurchanrates(sc);
2477 
2478 	sc->sc_curchan = hchan;
2479 	mwl_hal_intrset(sc, sc->sc_imask);
2480 
2481 	return (0);
2482 }
2483 
2484 /*
2485  * Convert net80211 channel to a HAL channel.
2486  */
2487 static void
2488 mwl_mapchan(MWL_HAL_CHANNEL *hc, const struct mwl_channel *chan)
2489 {
2490 	hc->channel = chan->ic_ieee;
2491 
2492 	*(uint32_t *)&hc->channelFlags = 0;
2493 	if (((chan)->ic_flags & IEEE80211_CHAN_2GHZ) != 0)
2494 		hc->channelFlags.FreqBand = MWL_FREQ_BAND_2DOT4GHZ;
2495 	else if (((chan)->ic_flags & IEEE80211_CHAN_5GHZ) != 0)
2496 		hc->channelFlags.FreqBand = MWL_FREQ_BAND_5GHZ;
2497 	if (((chan)->ic_flags & IEEE80211_CHAN_HT40) != 0) {
2498 		hc->channelFlags.ChnlWidth = MWL_CH_40_MHz_WIDTH;
2499 		if (((chan)->ic_flags & IEEE80211_CHAN_HT40U) != 0)
2500 			hc->channelFlags.ExtChnlOffset =
2501 			    MWL_EXT_CH_ABOVE_CTRL_CH;
2502 		else
2503 			hc->channelFlags.ExtChnlOffset =
2504 			    MWL_EXT_CH_BELOW_CTRL_CH;
2505 	} else
2506 		hc->channelFlags.ChnlWidth = MWL_CH_20_MHz_WIDTH;
2507 	/* XXX 10MHz channels */
2508 }
2509 
2510 /*
2511  * Return the phy mode for with the specified channel.
2512  */
2513 enum ieee80211_phymode
2514 mwl_chan2mode(const struct mwl_channel *chan)
2515 {
2516 
2517 	if (IEEE80211_IS_CHAN_HTA(chan))
2518 		return (IEEE80211_MODE_11NA);
2519 	else if (IEEE80211_IS_CHAN_HTG(chan))
2520 		return (IEEE80211_MODE_11NG);
2521 	else if (IEEE80211_IS_CHAN_108G(chan))
2522 		return (IEEE80211_MODE_TURBO_G);
2523 	else if (IEEE80211_IS_CHAN_ST(chan))
2524 		return (IEEE80211_MODE_STURBO_A);
2525 	else if (IEEE80211_IS_CHAN_TURBO(chan))
2526 		return (IEEE80211_MODE_TURBO_A);
2527 	else if (IEEE80211_IS_CHAN_HALF(chan))
2528 		return (IEEE80211_MODE_HALF);
2529 	else if (IEEE80211_IS_CHAN_QUARTER(chan))
2530 		return (IEEE80211_MODE_QUARTER);
2531 	else if (IEEE80211_IS_CHAN_A(chan))
2532 		return (IEEE80211_MODE_11A);
2533 	else if (IEEE80211_IS_CHAN_ANYG(chan))
2534 		return (IEEE80211_MODE_11G);
2535 	else if (IEEE80211_IS_CHAN_B(chan))
2536 		return (IEEE80211_MODE_11B);
2537 	else if (IEEE80211_IS_CHAN_FHSS(chan))
2538 		return (IEEE80211_MODE_FH);
2539 
2540 	/* NB: should not get here */
2541 	MWL_DBG(MWL_DBG_HW, "mwl: mwl_chan2mode(): "
2542 	    "cannot map channel to mode; freq %u flags 0x%x\n",
2543 	    chan->ic_freq, chan->ic_flags);
2544 	return (IEEE80211_MODE_11B);
2545 }
2546 
2547 /* XXX inline or eliminate? */
2548 const struct ieee80211_rateset *
2549 mwl_get_suprates(struct ieee80211com *ic, const struct mwl_channel *c)
2550 {
2551 	/* XXX does this work for 11ng basic rates? */
2552 	return (&ic->ic_sup_rates[mwl_chan2mode(c)]);
2553 }
2554 
2555 /*
2556  * Inform firmware of tx rate parameters.
2557  * Called after a channel change.
2558  */
2559 static int
2560 mwl_setcurchanrates(struct mwl_softc *sc)
2561 {
2562 	struct ieee80211com *ic = &sc->sc_ic;
2563 	const struct ieee80211_rateset *rs;
2564 	MWL_HAL_TXRATE rates;
2565 
2566 	(void) memset(&rates, 0, sizeof (rates));
2567 	rs = mwl_get_suprates(ic, sc->sc_cur_chan);
2568 	/* rate used to send management frames */
2569 	rates.MgtRate = rs->ir_rates[0] & IEEE80211_RATE_VAL;
2570 	/* rate used to send multicast frames */
2571 	rates.McastRate = rates.MgtRate;
2572 
2573 	return (mwl_hal_settxrate_auto(sc, &rates));
2574 }
2575 
2576 static const struct mwl_hal_channel *
2577 findhalchannel(const struct mwl_softc *sc, const MWL_HAL_CHANNEL *c)
2578 {
2579 	const struct mwl_hal_channel *hc;
2580 	const MWL_HAL_CHANNELINFO *ci;
2581 	int chan = c->channel, i;
2582 
2583 	if (c->channelFlags.FreqBand == MWL_FREQ_BAND_2DOT4GHZ) {
2584 		i = chan - 1;
2585 		if (c->channelFlags.ChnlWidth == MWL_CH_40_MHz_WIDTH) {
2586 			ci = &sc->sc_40M;
2587 			if (c->channelFlags.ExtChnlOffset ==
2588 			    MWL_EXT_CH_BELOW_CTRL_CH)
2589 				i -= 4;
2590 		} else
2591 			ci = &sc->sc_20M;
2592 		/* 2.4G channel table is directly indexed */
2593 		hc = ((unsigned)i < ci->nchannels) ? &ci->channels[i] : NULL;
2594 	} else if (c->channelFlags.FreqBand == MWL_FREQ_BAND_5GHZ) {
2595 		if (c->channelFlags.ChnlWidth == MWL_CH_40_MHz_WIDTH) {
2596 			ci = &sc->sc_40M_5G;
2597 			if (c->channelFlags.ExtChnlOffset ==
2598 			    MWL_EXT_CH_BELOW_CTRL_CH)
2599 				chan -= 4;
2600 		} else
2601 			ci = &sc->sc_20M_5G;
2602 		/* 5GHz channel table is sparse and must be searched */
2603 		for (i = 0; i < ci->nchannels; i++)
2604 			if (ci->channels[i].ieee == chan)
2605 				break;
2606 		hc = (i < ci->nchannels) ? &ci->channels[i] : NULL;
2607 	} else
2608 		hc = NULL;
2609 	return (hc);
2610 }
2611 
2612 /*
2613  * Map SKU+country code to region code for radar bin'ing.
2614  */
2615 static int
2616 mwl_map2regioncode(const struct mwl_regdomain *rd)
2617 {
2618 	switch (rd->regdomain) {
2619 	case SKU_FCC:
2620 	case SKU_FCC3:
2621 		return (DOMAIN_CODE_FCC);
2622 	case SKU_CA:
2623 		return (DOMAIN_CODE_IC);
2624 	case SKU_ETSI:
2625 	case SKU_ETSI2:
2626 	case SKU_ETSI3:
2627 		if (rd->country == CTRY_SPAIN)
2628 			return (DOMAIN_CODE_SPAIN);
2629 		if (rd->country == CTRY_FRANCE || rd->country == CTRY_FRANCE2)
2630 			return (DOMAIN_CODE_FRANCE);
2631 		/* XXX force 1.3.1 radar type */
2632 		return (DOMAIN_CODE_ETSI_131);
2633 	case SKU_JAPAN:
2634 		return (DOMAIN_CODE_MKK);
2635 	case SKU_ROW:
2636 		return (DOMAIN_CODE_DGT);	/* Taiwan */
2637 	case SKU_APAC:
2638 	case SKU_APAC2:
2639 	case SKU_APAC3:
2640 		return (DOMAIN_CODE_AUS);	/* Australia */
2641 	}
2642 	/* XXX KOREA? */
2643 	return (DOMAIN_CODE_FCC);			/* XXX? */
2644 }
2645 
2646 /*
2647  * Setup the rx data structures.  This should only be
2648  * done once or we may get out of sync with the firmware.
2649  */
2650 static int
2651 mwl_startrecv(struct mwl_softc *sc)
2652 {
2653 	struct mwl_rx_ring *ring;
2654 	struct mwl_rxdesc *ds;
2655 	struct mwl_rxbuf *bf, *prev;
2656 
2657 	int i;
2658 
2659 	ring = &sc->sc_rxring;
2660 	bf = ring->buf;
2661 
2662 	prev = NULL;
2663 	for (i = 0; i < MWL_RX_RING_COUNT; i++, bf++) {
2664 		ds = bf->bf_desc;
2665 		/*
2666 		 * NB: DMA buffer contents is known to be unmodified
2667 		 * so there's no need to flush the data cache.
2668 		 */
2669 
2670 		/*
2671 		 * Setup descriptor.
2672 		 */
2673 		ds->QosCtrl = 0;
2674 		ds->RSSI = 0;
2675 		ds->Status = EAGLE_RXD_STATUS_IDLE;
2676 		ds->Channel = 0;
2677 		ds->PktLen = LE_16(MWL_AGGR_SIZE);
2678 		ds->SQ2 = 0;
2679 		ds->pPhysBuffData = LE_32(bf->bf_baddr);
2680 		/* NB: don't touch pPhysNext, set once */
2681 		ds->RxControl = EAGLE_RXD_CTRL_DRIVER_OWN;
2682 
2683 		(void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
2684 		    i * sizeof (struct mwl_rxdesc),
2685 		    sizeof (struct mwl_rxdesc),
2686 		    DDI_DMA_SYNC_FORDEV);
2687 
2688 		if (prev != NULL) {
2689 			ds = prev->bf_desc;
2690 			ds->pPhysNext = LE_32(bf->bf_daddr);
2691 		}
2692 		prev = bf;
2693 	}
2694 
2695 	if (prev != NULL) {
2696 		ds = prev->bf_desc;
2697 		ds->pPhysNext = ring->physaddr;
2698 	}
2699 
2700 	/* set filters, etc. */
2701 	(void) mwl_mode_init(sc);
2702 
2703 	return (0);
2704 }
2705 
2706 static int
2707 mwl_mode_init(struct mwl_softc *sc)
2708 {
2709 	/*
2710 	 * NB: Ignore promisc in hostap mode; it's set by the
2711 	 * bridge.  This is wrong but we have no way to
2712 	 * identify internal requests (from the bridge)
2713 	 * versus external requests such as for tcpdump.
2714 	 */
2715 	/* mwl_setmcastfilter - not support now */
2716 	(void) mwl_hal_setpromisc(sc, 0);
2717 
2718 	return (0);
2719 }
2720 
2721 /*
2722  * Kick the firmware to tell it there are new tx descriptors
2723  * for processing.  The driver says what h/w q has work in
2724  * case the f/w ever gets smarter.
2725  */
2726 /* ARGSUSED */
2727 static void
2728 mwl_hal_txstart(struct mwl_softc *sc, int qnum)
2729 {
2730 
2731 	mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
2732 	    MACREG_H2ARIC_BIT_PPA_READY);
2733 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
2734 }
2735 
2736 static int
2737 mwl_send(ieee80211com_t *ic, mblk_t *mp, uint8_t type)
2738 {
2739 	struct mwl_softc *sc = (struct mwl_softc *)ic;
2740 	struct mwl_tx_ring *ring;
2741 	struct mwl_txdesc *ds;
2742 	struct mwl_txbuf *bf;
2743 	struct ieee80211_frame *wh, *wh1;
2744 	struct ieee80211_node *ni = NULL;
2745 
2746 	int err, off;
2747 	int mblen, pktlen, hdrlen;
2748 	mblk_t *m, *m0;
2749 	uint8_t *addr_4, *txbuf;
2750 	uint16_t *pfwlen;
2751 
2752 	MWL_TXLOCK(sc);
2753 
2754 	err = DDI_SUCCESS;
2755 	if (!MWL_IS_RUNNING(sc) || MWL_IS_SUSPEND(sc)) {
2756 		err = ENXIO;
2757 		goto fail1;
2758 	}
2759 
2760 	ring = &sc->sc_txring[1];
2761 	if (ring->queued > 15) {
2762 		MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
2763 		    "no txbuf, %d\n", ring->queued);
2764 		sc->sc_need_sched = 1;
2765 		sc->sc_tx_nobuf++;
2766 		err = ENOMEM;
2767 		goto fail1;
2768 	}
2769 
2770 	m = allocb(msgdsize(mp) + 32, BPRI_MED);
2771 	if (m == NULL) {
2772 		MWL_DBG(MWL_DBG_TX, "mwl: mwl_send():"
2773 		    "can't alloc mblk.\n");
2774 		err = DDI_FAILURE;
2775 		goto fail1;
2776 	}
2777 
2778 	for (off = 0, m0 = mp; m0 != NULL; m0 = m0->b_cont) {
2779 		mblen = MBLKL(m0);
2780 		(void) bcopy(m0->b_rptr, m->b_rptr + off, mblen);
2781 		off += mblen;
2782 	}
2783 	m->b_wptr += off;
2784 
2785 	wh = (struct ieee80211_frame *)m->b_rptr;
2786 	ni = ieee80211_find_txnode(ic, wh->i_addr1);
2787 	if (ni == NULL) {
2788 		err = DDI_FAILURE;
2789 		sc->sc_tx_err++;
2790 		goto fail2;
2791 	}
2792 
2793 	hdrlen = sizeof (*wh);
2794 	pktlen = msgdsize(m);
2795 
2796 	(void) ieee80211_encap(ic, m, ni);
2797 
2798 	if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
2799 		const struct ieee80211_cipher *cip;
2800 		struct ieee80211_key *k;
2801 		k = ieee80211_crypto_encap(ic, m);
2802 		if (k == NULL) {
2803 			sc->sc_tx_err++;
2804 			err = DDI_FAILURE;
2805 			goto fail3;
2806 		}
2807 
2808 		/*
2809 		 * Adjust the packet length for the crypto additions
2810 		 * done during encap and any other bits that the f/w
2811 		 * will add later on.
2812 		 */
2813 		cip = k->wk_cipher;
2814 		pktlen += cip->ic_header + cip->ic_miclen + cip->ic_trailer;
2815 		/* packet header may have moved, reset our local pointer */
2816 		wh = (struct ieee80211_frame *)m->b_rptr;
2817 	}
2818 
2819 	ds = &ring->desc[ring->cur];
2820 	bf = &ring->buf[ring->cur];
2821 
2822 	bf->bf_node = ieee80211_ref_node(ni);
2823 	txbuf = (uint8_t *)bf->bf_mem;
2824 
2825 	/*
2826 	 * inject FW specific fields into the 802.11 frame
2827 	 *
2828 	 *  2   bytes FW len (inject)
2829 	 *  24 bytes 802.11 frame header
2830 	 *  6   bytes addr4 (inject)
2831 	 *  n   bytes 802.11 frame body
2832 	 */
2833 	pfwlen = (uint16_t *)txbuf;
2834 	*pfwlen = pktlen - hdrlen;
2835 	wh1 = (struct ieee80211_frame *)(txbuf + 2);
2836 	bcopy(wh, wh1, sizeof (struct ieee80211_frame));
2837 	addr_4 = txbuf + (sizeof (struct ieee80211_frame) + sizeof (uint16_t));
2838 	(void) memset(addr_4, 0, 6);
2839 	bcopy(m->b_rptr + sizeof (struct ieee80211_frame), txbuf + 32, *pfwlen);
2840 	pktlen += 8;
2841 
2842 	(void) ddi_dma_sync(bf->txbuf_dma.dma_hdl,
2843 	    0,
2844 	    pktlen,
2845 	    DDI_DMA_SYNC_FORDEV);
2846 
2847 	ds->QosCtrl = 0;
2848 	ds->PktLen = (uint16_t)pktlen;
2849 	ds->PktPtr = bf->bf_baddr;
2850 	ds->Status = LE_32(EAGLE_TXD_STATUS_FW_OWNED);
2851 	ds->Format = 0;
2852 	ds->pad = 0;
2853 	ds->ack_wcb_addr = 0;
2854 	ds->TxPriority = 1;
2855 
2856 	MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
2857 	    "tx desc Status %x, DataRate %x, TxPriority %x, QosCtrl %x, "
2858 	    "PktLen %x, SapPktInfo %x, Format %x, Pad %x, ack_wcb_addr %x\n",
2859 	    ds->Status, ds->DataRate, ds->TxPriority, ds->QosCtrl, ds->PktLen,
2860 	    ds->SapPktInfo, ds->Format, ds->pad, ds->ack_wcb_addr);
2861 
2862 	(void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
2863 	    ring->cur * sizeof (struct mwl_txdesc),
2864 	    sizeof (struct mwl_txdesc),
2865 	    DDI_DMA_SYNC_FORDEV);
2866 
2867 	MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
2868 	    "pktlen = %u, slot = %u, queued = %x\n",
2869 	    mblen, ring->cur, ring->queued);
2870 
2871 	ring->queued++;
2872 	ring->cur = (ring->cur + 1) % MWL_TX_RING_COUNT;
2873 
2874 	/*
2875 	 * NB: We don't need to lock against tx done because
2876 	 * this just prods the firmware to check the transmit
2877 	 * descriptors.  The firmware will also start fetching
2878 	 * descriptors by itself if it notices new ones are
2879 	 * present when it goes to deliver a tx done interrupt
2880 	 * to the host. So if we race with tx done processing
2881 	 * it's ok.  Delivering the kick here rather than in
2882 	 * mwl_tx_start is an optimization to avoid poking the
2883 	 * firmware for each packet.
2884 	 *
2885 	 * NB: the queue id isn't used so 0 is ok.
2886 	 */
2887 	mwl_hal_txstart(sc, 0);
2888 
2889 	ic->ic_stats.is_tx_frags++;
2890 	ic->ic_stats.is_tx_bytes += pktlen;
2891 
2892 fail3:
2893 	ieee80211_free_node(ni);
2894 fail2:
2895 	freemsg(m);
2896 fail1:
2897 	if ((type & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_DATA ||
2898 	    err == DDI_SUCCESS)
2899 		freemsg(mp);
2900 	MWL_TXUNLOCK(sc);
2901 	return (err);
2902 }
2903 
2904 /*
2905  * This function is called periodically (every 200ms) during scanning to
2906  * switch from one channel to another.
2907  */
2908 static void
2909 mwl_next_scan(void *arg)
2910 {
2911 	struct mwl_softc *sc = (struct mwl_softc *)arg;
2912 	struct ieee80211com *ic = &sc->sc_ic;
2913 
2914 	if (ic->ic_state == IEEE80211_S_SCAN)
2915 		(void) ieee80211_next_scan(ic);
2916 
2917 	sc->sc_scan_id = 0;
2918 }
2919 
2920 /*
2921  * Convert a legacy rate set to a firmware bitmask.
2922  */
2923 static uint32_t
2924 get_rate_bitmap(const struct ieee80211_rateset *rs)
2925 {
2926 	uint32_t rates;
2927 	int i;
2928 
2929 	rates = 0;
2930 	for (i = 0; i < rs->ir_nrates; i++)
2931 		switch (rs->ir_rates[i] & IEEE80211_RATE_VAL) {
2932 		case 2:	  rates |= 0x001; break;
2933 		case 4:	  rates |= 0x002; break;
2934 		case 11:  rates |= 0x004; break;
2935 		case 22:  rates |= 0x008; break;
2936 		case 44:  rates |= 0x010; break;
2937 		case 12:  rates |= 0x020; break;
2938 		case 18:  rates |= 0x040; break;
2939 		case 24:  rates |= 0x080; break;
2940 		case 36:  rates |= 0x100; break;
2941 		case 48:  rates |= 0x200; break;
2942 		case 72:  rates |= 0x400; break;
2943 		case 96:  rates |= 0x800; break;
2944 		case 108: rates |= 0x1000; break;
2945 		}
2946 	return (rates);
2947 }
2948 
2949 /*
2950  * Craft station database entry for station.
2951  * NB: use host byte order here, the hal handles byte swapping.
2952  */
2953 static MWL_HAL_PEERINFO *
2954 mkpeerinfo(MWL_HAL_PEERINFO *pi, const struct ieee80211_node *ni)
2955 {
2956 	(void) memset(pi, 0, sizeof (*pi));
2957 	pi->LegacyRateBitMap = get_rate_bitmap(&ni->in_rates);
2958 	pi->CapInfo = ni->in_capinfo;
2959 	return (pi);
2960 }
2961 
2962 static int
2963 mwl_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
2964 {
2965 	struct mwl_softc *sc = (struct mwl_softc *)ic;
2966 	enum ieee80211_state ostate;
2967 	struct ieee80211_channel *ic_chan;
2968 	struct ieee80211_node *ni = NULL;
2969 	MWL_HAL_PEERINFO pi;
2970 	uint32_t chan;
2971 
2972 	if (sc->sc_scan_id != 0) {
2973 		(void) untimeout(sc->sc_scan_id);
2974 		sc->sc_scan_id = 0;
2975 	}
2976 
2977 	MWL_GLOCK(sc);
2978 
2979 	ostate = ic->ic_state;
2980 	MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
2981 	    "ostate %x -> nstate %x\n",
2982 	    ostate, nstate);
2983 
2984 	switch (nstate) {
2985 	case IEEE80211_S_INIT:
2986 		break;
2987 	case IEEE80211_S_SCAN:
2988 		if (ostate != IEEE80211_S_INIT) {
2989 			ic_chan = ic->ic_curchan;
2990 			chan = ieee80211_chan2ieee(ic, ic_chan);
2991 			if (chan != 0 && chan != IEEE80211_CHAN_ANY) {
2992 				sc->sc_cur_chan =
2993 				    &sc->sc_channels[3 * chan - 2];
2994 				MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
2995 				    "chan num is %u, sc chan is %u\n",
2996 				    chan, sc->sc_cur_chan->ic_ieee);
2997 				(void) mwl_chan_set(sc, sc->sc_cur_chan);
2998 			}
2999 		}
3000 		sc->sc_scan_id = timeout(mwl_next_scan, (void *)sc,
3001 		    drv_usectohz(250000));
3002 		break;
3003 	case IEEE80211_S_AUTH:
3004 		ic_chan = ic->ic_curchan;
3005 		chan = ieee80211_chan2ieee(ic, ic_chan);
3006 		sc->sc_cur_chan = &sc->sc_channels[3 * chan - 2];
3007 		MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
3008 		    "chan num is %u, sc chan is %u\n",
3009 		    chan, sc->sc_cur_chan->ic_ieee);
3010 		(void) mwl_chan_set(sc, sc->sc_cur_chan);
3011 		ni = ic->ic_bss;
3012 		(void) mwl_hal_newstation(sc, ic->ic_macaddr, 0, 0, NULL, 0, 0);
3013 		mwl_setanywepkey(ic, ni->in_macaddr);
3014 		break;
3015 	case IEEE80211_S_ASSOC:
3016 		break;
3017 	case IEEE80211_S_RUN:
3018 		ni = ic->ic_bss;
3019 		(void) mwl_hal_newstation(sc,
3020 		    ic->ic_macaddr, 0, 0, mkpeerinfo(&pi, ni), 0, 0);
3021 		mwl_setglobalkeys(ic);
3022 		(void) mwl_hal_setassocid(sc,
3023 		    ic->ic_bss->in_bssid, ic->ic_bss->in_associd);
3024 		(void) mwl_setrates(ic);
3025 		(void) mwl_hal_setrtsthreshold(sc, ic->ic_rtsthreshold);
3026 		(void) mwl_hal_setcsmode(sc, CSMODE_AUTO_ENA);
3027 		break;
3028 	default:
3029 		break;
3030 	}
3031 
3032 	MWL_GUNLOCK(sc);
3033 
3034 	return (sc->sc_newstate(ic, nstate, arg));
3035 }
3036 
3037 /*
3038  * Set the interrupt mask.
3039  */
3040 static void
3041 mwl_hal_intrset(struct mwl_softc *sc, uint32_t mask)
3042 {
3043 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, 0);
3044 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
3045 
3046 	sc->sc_hal_imask = mask;
3047 	mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, mask);
3048 	(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
3049 }
3050 
3051 /*
3052  * Return the current ISR setting and clear the cause.
3053  */
3054 static void
3055 mwl_hal_getisr(struct mwl_softc *sc, uint32_t *status)
3056 {
3057 	uint32_t cause;
3058 
3059 	cause = mwl_ctl_read4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE);
3060 	if (cause == 0xffffffff) {	/* card removed */
3061 		cause = 0;
3062 	} else if (cause != 0) {
3063 		/* clear cause bits */
3064 		mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE,
3065 		    cause & ~sc->sc_hal_imask);
3066 		(void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
3067 		cause &= sc->sc_hal_imask;
3068 	}
3069 	*status = cause;
3070 }
3071 
3072 static void
3073 mwl_tx_intr(struct mwl_softc *sc)
3074 {
3075 	struct ieee80211com *ic = &sc->sc_ic;
3076 	struct mwl_tx_ring *ring;
3077 	struct mwl_txdesc *ds;
3078 
3079 	uint32_t status;
3080 
3081 	MWL_TXLOCK(sc);
3082 
3083 	ring = &sc->sc_txring[1];
3084 
3085 	if (!(ring->queued)) {
3086 		MWL_TXUNLOCK(sc);
3087 		return;
3088 	}
3089 
3090 	(void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
3091 	    0,
3092 	    ring->txdesc_dma.alength,
3093 	    DDI_DMA_SYNC_FORCPU);
3094 
3095 	for (;;) {
3096 		ds = &ring->desc[ring->next];
3097 
3098 		status = LE_32(ds->Status);
3099 
3100 		if (status & LE_32(EAGLE_TXD_STATUS_FW_OWNED)) {
3101 			break;
3102 		}
3103 
3104 		if (status == LE_32(EAGLE_TXD_STATUS_IDLE)) {
3105 			break;
3106 		}
3107 
3108 		MWL_DBG(MWL_DBG_TX, "mwl: mwl_tx_intr(): "
3109 		    "recv tx desc status %x, datarate %x, txpriority %x, "
3110 		    "QosCtrl %x, pktLen %x, SapPktInfo %x, Format %x, "
3111 		    "pad %x, ack_wcb_addr %x\n",
3112 		    ds->Status, ds->DataRate, ds->TxPriority,
3113 		    ds->QosCtrl, ds->PktLen, ds->SapPktInfo,
3114 		    ds->Format, ds->pad, ds->ack_wcb_addr);
3115 
3116 		/* descriptor is no longer valid */
3117 		ds->Status = LE_32(EAGLE_TXD_STATUS_IDLE);
3118 
3119 		(void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
3120 		    ring->next * sizeof (struct mwl_txdesc),
3121 		    sizeof (struct mwl_txdesc),
3122 		    DDI_DMA_SYNC_FORDEV);
3123 
3124 		ring->queued--;
3125 		ring->next = (ring->next + 1) % MWL_TX_RING_COUNT;
3126 		MWL_DBG(MWL_DBG_TX, "mwl: mwl_tx_intr(): "
3127 		    " tx done idx=%u, queued= %d\n",
3128 		    ring->next, ring->queued);
3129 
3130 		if (sc->sc_need_sched &&
3131 		    (ring->queued < MWL_TX_RING_COUNT)) {
3132 			sc->sc_need_sched = 0;
3133 			mac_tx_update(ic->ic_mach);
3134 		}
3135 
3136 	}
3137 
3138 	MWL_TXUNLOCK(sc);
3139 }
3140 
3141 /*
3142  * Convert hardware signal strength to rssi.  The value
3143  * provided by the device has the noise floor added in;
3144  * we need to compensate for this but we don't have that
3145  * so we use a fixed value.
3146  *
3147  * The offset of 8 is good for both 2.4 and 5GHz.  The LNA
3148  * offset is already set as part of the initial gain.  This
3149  * will give at least +/- 3dB for 2.4GHz and +/- 5dB for 5GHz.
3150  */
3151 static int
3152 cvtrssi(uint8_t ssi)
3153 {
3154 	int rssi = (int)ssi + 8;
3155 	/* XXX hack guess until we have a real noise floor */
3156 	rssi = 2 * (87 - rssi);	/* NB: .5 dBm units */
3157 	return (rssi < 0 ? 0 : rssi > 127 ? 127 : rssi);
3158 }
3159 
3160 static void
3161 mwl_rx_intr(struct mwl_softc *sc)
3162 {
3163 	struct ieee80211com	*ic = &sc->sc_ic;
3164 	struct mwl_rx_ring *ring;
3165 	struct ieee80211_node	*ni;
3166 	struct ieee80211_frame *wh;
3167 
3168 	struct mwl_rxbuf *bf;
3169 	struct mwl_rxdesc *ds;
3170 	mblk_t	*mp0;
3171 
3172 	int ntodo, len, rssi;
3173 	uint8_t *data, status;
3174 
3175 	MWL_RXLOCK(sc);
3176 
3177 	ring = &sc->sc_rxring;
3178 	for (ntodo = MWL_RX_RING_COUNT; ntodo > 0; ntodo--) {
3179 		bf = &ring->buf[ring->cur];
3180 		ds = bf->bf_desc;
3181 		data = bf->bf_mem;
3182 
3183 		(void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
3184 		    ring->cur * sizeof (struct mwl_rxdesc),
3185 		    sizeof (struct mwl_rxdesc),
3186 		    DDI_DMA_SYNC_FORCPU);
3187 
3188 		if (ds->RxControl != EAGLE_RXD_CTRL_DMA_OWN)
3189 			break;
3190 
3191 		status = ds->Status;
3192 		if (status & EAGLE_RXD_STATUS_DECRYPT_ERR_MASK) {
3193 			MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_rx_intr(): "
3194 			    "rx decrypt error\n");
3195 			sc->sc_rx_err++;
3196 		}
3197 
3198 		/*
3199 		 * Sync the data buffer.
3200 		 */
3201 		len = LE_16(ds->PktLen);
3202 
3203 		(void) ddi_dma_sync(bf->rxbuf_dma.dma_hdl,
3204 		    0,
3205 		    bf->rxbuf_dma.alength,
3206 		    DDI_DMA_SYNC_FORCPU);
3207 
3208 		if (len < 32 || len > sc->sc_dmabuf_size) {
3209 			MWL_DBG(MWL_DBG_RX, "mwl: mwl_rx_intr(): "
3210 			    "packet len error %d\n", len);
3211 			sc->sc_rx_err++;
3212 			goto rxnext;
3213 		}
3214 
3215 		mp0 = allocb(sc->sc_dmabuf_size, BPRI_MED);
3216 		if (mp0 == NULL) {
3217 			MWL_DBG(MWL_DBG_RX, "mwl: mwl_rx_intr(): "
3218 			    "alloc mblk error\n");
3219 			sc->sc_rx_nobuf++;
3220 			goto rxnext;
3221 		}
3222 		bcopy(data+ 2, mp0->b_wptr, 24);
3223 		mp0->b_wptr += 24;
3224 		bcopy(data + 32, mp0->b_wptr, len - 32);
3225 		mp0->b_wptr += (len - 32);
3226 
3227 		wh = (struct ieee80211_frame *)mp0->b_rptr;
3228 		if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
3229 		    IEEE80211_FC0_TYPE_CTL) {
3230 			freemsg(mp0);
3231 			goto rxnext;
3232 		}
3233 
3234 		/*
3235 		 * The f/w strips WEP header but doesn't clear
3236 		 * the WEP bit; mark the packet with M_WEP so
3237 		 * net80211 will treat the data as decrypted.
3238 		 * While here also clear the PWR_MGT bit since
3239 		 * power save is handled by the firmware and
3240 		 * passing this up will potentially cause the
3241 		 * upper layer to put a station in power save
3242 		 * (except when configured with MWL_HOST_PS_SUPPORT).
3243 		 */
3244 #ifdef MWL_HOST_PS_SUPPORT
3245 		wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
3246 #else
3247 		wh->i_fc[1] &= ~(IEEE80211_FC1_WEP | IEEE80211_FC1_PWR_MGT);
3248 #endif
3249 
3250 		/* calculate rssi early so we can re-use for each aggregate */
3251 		rssi = cvtrssi(ds->RSSI);
3252 
3253 		ni = ieee80211_find_rxnode(ic, wh);
3254 
3255 		/* send the frame to the 802.11 layer */
3256 		(void) ieee80211_input(ic, mp0, ni, rssi, 0);
3257 		ieee80211_free_node(ni);
3258 rxnext:
3259 		/*
3260 		 * Setup descriptor.
3261 		 */
3262 		ds->QosCtrl = 0;
3263 		ds->RSSI = 0;
3264 		ds->Status = EAGLE_RXD_STATUS_IDLE;
3265 		ds->Channel = 0;
3266 		ds->PktLen = LE_16(MWL_AGGR_SIZE);
3267 		ds->SQ2 = 0;
3268 		ds->pPhysBuffData = bf->bf_baddr;
3269 		/* NB: don't touch pPhysNext, set once */
3270 		ds->RxControl = EAGLE_RXD_CTRL_DRIVER_OWN;
3271 
3272 		(void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
3273 		    ring->cur * sizeof (struct mwl_rxdesc),
3274 		    sizeof (struct mwl_rxdesc),
3275 		    DDI_DMA_SYNC_FORDEV);
3276 
3277 		/* NB: ignore ENOMEM so we process more descriptors */
3278 		ring->cur = (ring->cur + 1) % MWL_RX_RING_COUNT;
3279 	}
3280 
3281 	MWL_RXUNLOCK(sc);
3282 }
3283 
3284 /*ARGSUSED*/
3285 static uint_t
3286 mwl_softintr(caddr_t data, caddr_t unused)
3287 {
3288 	struct mwl_softc *sc = (struct mwl_softc *)data;
3289 
3290 	/*
3291 	 * Check if the soft interrupt is triggered by another
3292 	 * driver at the same level.
3293 	 */
3294 	MWL_GLOCK(sc);
3295 	if (sc->sc_rx_pend) {
3296 		sc->sc_rx_pend = 0;
3297 		MWL_GUNLOCK(sc);
3298 		mwl_rx_intr(sc);
3299 		return (DDI_INTR_CLAIMED);
3300 	}
3301 	MWL_GUNLOCK(sc);
3302 
3303 	return (DDI_INTR_UNCLAIMED);
3304 }
3305 
3306 /*ARGSUSED*/
3307 static uint_t
3308 mwl_intr(caddr_t arg, caddr_t unused)
3309 {
3310 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3311 	uint32_t status;
3312 
3313 	MWL_GLOCK(sc);
3314 
3315 	if (!MWL_IS_RUNNING(sc) || MWL_IS_SUSPEND(sc)) {
3316 		MWL_GUNLOCK(sc);
3317 		return (DDI_INTR_UNCLAIMED);
3318 	}
3319 
3320 	/*
3321 	 * Figure out the reason(s) for the interrupt.
3322 	 */
3323 	mwl_hal_getisr(sc, &status);		/* NB: clears ISR too */
3324 	if (status == 0) {
3325 		MWL_GUNLOCK(sc);
3326 		return (DDI_INTR_UNCLAIMED);
3327 	}
3328 
3329 	if (status & MACREG_A2HRIC_BIT_RX_RDY) {
3330 		sc->sc_rx_pend = 1;
3331 		(void) ddi_intr_trigger_softint(sc->sc_softintr_hdl, NULL);
3332 	}
3333 	if (status & MACREG_A2HRIC_BIT_TX_DONE) {
3334 		mwl_tx_intr(sc);
3335 	}
3336 	if (status & MACREG_A2HRIC_BIT_BA_WATCHDOG) {
3337 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3338 		    "ba watchdog\n");
3339 	}
3340 	if (status & MACREG_A2HRIC_BIT_OPC_DONE) {
3341 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3342 		    "opc done\n");
3343 	}
3344 	if (status & MACREG_A2HRIC_BIT_MAC_EVENT) {
3345 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3346 		    "mac event\n");
3347 	}
3348 	if (status & MACREG_A2HRIC_BIT_ICV_ERROR) {
3349 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3350 		    "ICV error\n");
3351 	}
3352 	if (status & MACREG_A2HRIC_BIT_QUEUE_EMPTY) {
3353 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3354 		    "queue empty\n");
3355 	}
3356 	if (status & MACREG_A2HRIC_BIT_QUEUE_FULL) {
3357 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3358 		    "queue full\n");
3359 	}
3360 	if (status & MACREG_A2HRIC_BIT_RADAR_DETECT) {
3361 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3362 		    "radar detect\n");
3363 	}
3364 	if (status & MACREG_A2HRIC_BIT_CHAN_SWITCH) {
3365 		MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
3366 		    "chan switch\n");
3367 	}
3368 
3369 	MWL_GUNLOCK(sc);
3370 
3371 	return (DDI_INTR_CLAIMED);
3372 }
3373 
3374 static int
3375 mwl_init(struct mwl_softc *sc)
3376 {
3377 	struct ieee80211com *ic = &sc->sc_ic;
3378 	int err = 0;
3379 
3380 	mwl_hal_intrset(sc, 0);
3381 
3382 	sc->sc_txantenna = 0;		/* h/w default */
3383 	sc->sc_rxantenna = 0;		/* h/w default */
3384 
3385 	err = mwl_hal_setantenna(sc, WL_ANTENNATYPE_RX, sc->sc_rxantenna);
3386 	if (err != 0) {
3387 		MWL_DBG(MWL_DBG_HW, "mwl: mwl_init(): "
3388 		    "could not set rx antenna\n");
3389 		goto fail;
3390 	}
3391 
3392 	err = mwl_hal_setantenna(sc, WL_ANTENNATYPE_TX, sc->sc_txantenna);
3393 	if (err != 0) {
3394 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3395 		    "could not set tx antenna\n");
3396 		goto fail;
3397 	}
3398 
3399 	err = mwl_hal_setradio(sc, 1, WL_AUTO_PREAMBLE);
3400 	if (err != 0) {
3401 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3402 		    "could not set radio\n");
3403 		goto fail;
3404 	}
3405 
3406 	err = mwl_hal_setwmm(sc, (ic->ic_flags & IEEE80211_F_WME) != 0);
3407 	if (err != 0) {
3408 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3409 		    "could not set wme\n");
3410 		goto fail;
3411 	}
3412 
3413 	/* select default channel */
3414 	ic->ic_ibss_chan = &ic->ic_sup_channels[0];
3415 	ic->ic_curchan = ic->ic_ibss_chan;
3416 	sc->sc_cur_chan = &sc->sc_channels[1];
3417 
3418 	err = mwl_chan_set(sc, sc->sc_cur_chan);
3419 	if (err != 0) {
3420 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3421 		    "could not set wme\n");
3422 		goto fail;
3423 	}
3424 
3425 	err = mwl_hal_setrateadaptmode(sc, 0);
3426 	if (err != 0) {
3427 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3428 		    "could not set rate adapt mode\n");
3429 		goto fail;
3430 	}
3431 
3432 	err = mwl_hal_setoptimizationlevel(sc,
3433 	    (ic->ic_flags & IEEE80211_F_BURST) != 0);
3434 	if (err != 0) {
3435 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3436 		    "could not set optimization level\n");
3437 		goto fail;
3438 	}
3439 
3440 	err = mwl_hal_setregioncode(sc, mwl_map2regioncode(&sc->sc_regdomain));
3441 	if (err != 0) {
3442 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3443 		    "could not set regioncode\n");
3444 		goto fail;
3445 	}
3446 
3447 	err = mwl_startrecv(sc);
3448 	if (err != 0) {
3449 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3450 		    "could not set start recv logic\n");
3451 		goto fail;
3452 	}
3453 
3454 	/*
3455 	 * Enable interrupts.
3456 	 */
3457 	sc->sc_imask = MACREG_A2HRIC_BIT_RX_RDY
3458 	    | MACREG_A2HRIC_BIT_TX_DONE
3459 	    | MACREG_A2HRIC_BIT_OPC_DONE
3460 	    | MACREG_A2HRIC_BIT_ICV_ERROR
3461 	    | MACREG_A2HRIC_BIT_RADAR_DETECT
3462 	    | MACREG_A2HRIC_BIT_CHAN_SWITCH
3463 	    | MACREG_A2HRIC_BIT_BA_WATCHDOG
3464 	    | MACREQ_A2HRIC_BIT_TX_ACK;
3465 
3466 	mwl_hal_intrset(sc, sc->sc_imask);
3467 
3468 	err = mwl_hal_start(sc);
3469 	if (err != 0) {
3470 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3471 		    "could not get hal start\n");
3472 		goto fail;
3473 	}
3474 
3475 	err = mwl_hal_setinframode(sc);
3476 	if (err != 0) {
3477 		MWL_DBG(MWL_DBG_HW, "mwl: init(): "
3478 		    "could not set infra mode\n");
3479 		goto fail;
3480 	}
3481 
3482 fail:
3483 	return (err);
3484 }
3485 
3486 static int
3487 mwl_resume(struct mwl_softc *sc)
3488 {
3489 	int qid, err = 0;
3490 
3491 	err = mwl_fwload(sc, NULL);
3492 	if (err != 0) {
3493 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3494 		    "failed to load fw\n");
3495 		goto fail;
3496 	}
3497 
3498 	err = mwl_gethwspecs(sc);
3499 	if (err != 0) {
3500 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3501 		    "failed to get hw spec\n");
3502 		goto fail;
3503 	}
3504 
3505 	err = mwl_alloc_rx_ring(sc, MWL_RX_RING_COUNT);
3506 	if (err != 0) {
3507 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3508 		    "could not alloc cmd dma buffer\n");
3509 		goto fail;
3510 	}
3511 
3512 	for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++) {
3513 		err = mwl_alloc_tx_ring(sc,
3514 		    &sc->sc_txring[qid], MWL_TX_RING_COUNT);
3515 		if (err != 0) {
3516 			MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3517 			    "could not alloc tx ring %d\n", qid);
3518 			goto fail;
3519 		}
3520 	}
3521 
3522 	err = mwl_setupdma(sc);
3523 	if (err != 0) {
3524 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3525 		    "could not setup dma\n");
3526 		goto fail;
3527 	}
3528 
3529 	err = mwl_setup_txq(sc);
3530 	if (err != 0) {
3531 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
3532 		    "could not setup txq\n");
3533 		goto fail;
3534 	}
3535 
3536 fail:
3537 	return (err);
3538 }
3539 
3540 static void
3541 mwl_stop(struct mwl_softc *sc)
3542 {
3543 	int err;
3544 
3545 	/* by pass if it's quiesced */
3546 	if (!MWL_IS_QUIESCE(sc))
3547 		MWL_GLOCK(sc);
3548 
3549 	err = mwl_hal_stop(sc);
3550 	if (err != 0) {
3551 		MWL_DBG(MWL_DBG_HW, "mwl: mwl_stop(): "
3552 		    "could not stop hw\n");
3553 	}
3554 
3555 	/* by pass if it's quiesced */
3556 	if (!MWL_IS_QUIESCE(sc))
3557 		MWL_GUNLOCK(sc);
3558 }
3559 
3560 static int
3561 mwl_m_stat(void *arg, uint_t stat, uint64_t *val)
3562 {
3563 	struct mwl_softc *sc  = (struct mwl_softc *)arg;
3564 	struct ieee80211com *ic = &sc->sc_ic;
3565 	struct ieee80211_node *ni = NULL;
3566 	struct ieee80211_rateset *rs = NULL;
3567 
3568 	MWL_GLOCK(sc);
3569 	switch (stat) {
3570 	case MAC_STAT_IFSPEED:
3571 		ni = ic->ic_bss;
3572 		rs = &ni->in_rates;
3573 		*val = ((ic->ic_fixed_rate == IEEE80211_FIXED_RATE_NONE) ?
3574 		    (rs->ir_rates[ni->in_txrate] & IEEE80211_RATE_VAL)
3575 		    : ic->ic_fixed_rate) / 2 * 1000000;
3576 		break;
3577 	case MAC_STAT_NOXMTBUF:
3578 		*val = sc->sc_tx_nobuf;
3579 		break;
3580 	case MAC_STAT_NORCVBUF:
3581 		*val = sc->sc_rx_nobuf;
3582 		break;
3583 	case MAC_STAT_IERRORS:
3584 		*val = sc->sc_rx_err;
3585 		break;
3586 	case MAC_STAT_RBYTES:
3587 		*val = ic->ic_stats.is_rx_bytes;
3588 		break;
3589 	case MAC_STAT_IPACKETS:
3590 		*val = ic->ic_stats.is_rx_frags;
3591 		break;
3592 	case MAC_STAT_OBYTES:
3593 		*val = ic->ic_stats.is_tx_bytes;
3594 		break;
3595 	case MAC_STAT_OPACKETS:
3596 		*val = ic->ic_stats.is_tx_frags;
3597 		break;
3598 	case MAC_STAT_OERRORS:
3599 	case WIFI_STAT_TX_FAILED:
3600 		*val = sc->sc_tx_err;
3601 		break;
3602 	case WIFI_STAT_TX_RETRANS:
3603 		*val = sc->sc_tx_retries;
3604 		break;
3605 	case WIFI_STAT_FCS_ERRORS:
3606 	case WIFI_STAT_WEP_ERRORS:
3607 	case WIFI_STAT_TX_FRAGS:
3608 	case WIFI_STAT_MCAST_TX:
3609 	case WIFI_STAT_RTS_SUCCESS:
3610 	case WIFI_STAT_RTS_FAILURE:
3611 	case WIFI_STAT_ACK_FAILURE:
3612 	case WIFI_STAT_RX_FRAGS:
3613 	case WIFI_STAT_MCAST_RX:
3614 	case WIFI_STAT_RX_DUPS:
3615 		MWL_GUNLOCK(sc);
3616 		return (ieee80211_stat(ic, stat, val));
3617 	default:
3618 		MWL_GUNLOCK(sc);
3619 		return (ENOTSUP);
3620 	}
3621 
3622 	MWL_GUNLOCK(sc);
3623 	return (0);
3624 }
3625 
3626 static int
3627 mwl_m_start(void *arg)
3628 {
3629 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3630 	struct ieee80211com *ic = &sc->sc_ic;
3631 	int err;
3632 
3633 	err = mwl_init(sc);
3634 	if (err != DDI_SUCCESS) {
3635 		MWL_DBG(MWL_DBG_HW, "mwl: mwl_m_start():"
3636 		    "Hardware initialization failed\n");
3637 		goto fail1;
3638 	}
3639 
3640 	ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
3641 
3642 	MWL_GLOCK(sc);
3643 	sc->sc_flags |= MWL_F_RUNNING;
3644 	MWL_GUNLOCK(sc);
3645 
3646 	return (0);
3647 fail1:
3648 	mwl_stop(sc);
3649 	return (err);
3650 }
3651 
3652 static void
3653 mwl_m_stop(void *arg)
3654 {
3655 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3656 
3657 	mwl_stop(sc);
3658 
3659 	ieee80211_new_state(&sc->sc_ic, IEEE80211_S_INIT, -1);
3660 
3661 	MWL_GLOCK(sc);
3662 	sc->sc_flags &= ~MWL_F_RUNNING;
3663 	MWL_GUNLOCK(sc);
3664 }
3665 
3666 /*ARGSUSED*/
3667 static int
3668 mwl_m_promisc(void *arg, boolean_t on)
3669 {
3670 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3671 	int err;
3672 
3673 	err = mwl_hal_setpromisc(sc, on);
3674 
3675 	return (err);
3676 }
3677 
3678 /*ARGSUSED*/
3679 static int
3680 mwl_m_multicst(void *arg, boolean_t add, const uint8_t *mca)
3681 {
3682 	return (ENOTSUP);
3683 }
3684 
3685 /*ARGSUSED*/
3686 static int
3687 mwl_m_unicst(void *arg, const uint8_t *macaddr)
3688 {
3689 	return (ENOTSUP);
3690 }
3691 
3692 static mblk_t *
3693 mwl_m_tx(void *arg, mblk_t *mp)
3694 {
3695 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3696 	struct ieee80211com *ic = &sc->sc_ic;
3697 	mblk_t *next;
3698 
3699 	if (MWL_IS_SUSPEND(sc)) {
3700 		freemsgchain(mp);
3701 		return (NULL);
3702 	}
3703 
3704 	/*
3705 	 * No data frames go out unless we're associated; this
3706 	 * should not happen as the 802.11 layer does not enable
3707 	 * the xmit queue until we enter the RUN state.
3708 	 */
3709 	if (ic->ic_state != IEEE80211_S_RUN) {
3710 		MWL_DBG(MWL_DBG_TX, "mwl: mwl_m_tx(): "
3711 		    "discard, state %u\n", ic->ic_state);
3712 		freemsgchain(mp);
3713 		return (NULL);
3714 	}
3715 
3716 	while (mp != NULL) {
3717 		next = mp->b_next;
3718 		mp->b_next = NULL;
3719 		if (mwl_send(ic, mp, IEEE80211_FC0_TYPE_DATA) !=
3720 		    DDI_SUCCESS) {
3721 			mp->b_next = next;
3722 			break;
3723 		}
3724 		mp = next;
3725 	}
3726 	return (mp);
3727 }
3728 
3729 static void
3730 mwl_m_ioctl(void* arg, queue_t *wq, mblk_t *mp)
3731 {
3732 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3733 	struct ieee80211com *ic = &sc->sc_ic;
3734 	int err;
3735 
3736 	err = ieee80211_ioctl(ic, wq, mp);
3737 	if (err == ENETRESET) {
3738 		if (ic->ic_des_esslen) {
3739 			if (MWL_IS_RUNNING(sc)) {
3740 				(void) mwl_init(sc);
3741 				(void) ieee80211_new_state(ic,
3742 				    IEEE80211_S_SCAN, -1);
3743 			}
3744 		}
3745 	}
3746 }
3747 
3748 /*
3749  * Call back function for get/set proporty
3750  */
3751 static int
3752 mwl_m_getprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3753     uint_t wldp_length, void *wldp_buf)
3754 {
3755 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3756 	int err = 0;
3757 
3758 	err = ieee80211_getprop(&sc->sc_ic, pr_name, wldp_pr_num,
3759 	    wldp_length, wldp_buf);
3760 
3761 	return (err);
3762 }
3763 
3764 static void
3765 mwl_m_propinfo(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3766     mac_prop_info_handle_t prh)
3767 {
3768 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3769 
3770 	ieee80211_propinfo(&sc->sc_ic, pr_name, wldp_pr_num, prh);
3771 }
3772 
3773 static int
3774 mwl_m_setprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
3775     uint_t wldp_length, const void *wldp_buf)
3776 {
3777 	struct mwl_softc *sc = (struct mwl_softc *)arg;
3778 	ieee80211com_t *ic = &sc->sc_ic;
3779 	int err;
3780 
3781 	err = ieee80211_setprop(ic, pr_name, wldp_pr_num, wldp_length,
3782 	    wldp_buf);
3783 	if (err == ENETRESET) {
3784 		if (ic->ic_des_esslen) {
3785 			if (MWL_IS_RUNNING(sc)) {
3786 				(void) mwl_init(sc);
3787 				(void) ieee80211_new_state(ic,
3788 				    IEEE80211_S_SCAN, -1);
3789 			}
3790 		}
3791 		err = 0;
3792 	}
3793 	return (err);
3794 }
3795 
3796 static int
3797 mwl_attach(dev_info_t *devinfo, ddi_attach_cmd_t cmd)
3798 {
3799 	struct mwl_softc *sc;
3800 	struct ieee80211com *ic;
3801 	int i, err, qid, instance;
3802 	int intr_type, intr_count, intr_actual;
3803 	char strbuf[32];
3804 	uint8_t csz;
3805 	uint16_t vendor_id, device_id, command;
3806 
3807 	wifi_data_t wd = { 0 };
3808 	mac_register_t *macp;
3809 
3810 	switch (cmd) {
3811 	case DDI_ATTACH:
3812 		break;
3813 	case DDI_RESUME:
3814 		sc = ddi_get_soft_state(mwl_soft_state_p,
3815 		    ddi_get_instance(devinfo));
3816 		ASSERT(sc != NULL);
3817 		MWL_GLOCK(sc);
3818 		sc->sc_flags &= ~MWL_F_SUSPEND;
3819 		MWL_GUNLOCK(sc);
3820 		if (mwl_resume(sc) != 0) {
3821 			MWL_DBG(MWL_DBG_SR, "mwl: mwl_attach(): "
3822 			    "failed to resume\n");
3823 			return (DDI_FAILURE);
3824 		}
3825 		if (MWL_IS_RUNNING(sc)) {
3826 			(void) mwl_init(sc);
3827 			ieee80211_new_state(&sc->sc_ic, IEEE80211_S_INIT, -1);
3828 		}
3829 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_attach(): "
3830 		    "resume now\n");
3831 		return (DDI_SUCCESS);
3832 	default:
3833 		return (DDI_FAILURE);
3834 	}
3835 
3836 	instance = ddi_get_instance(devinfo);
3837 	if (ddi_soft_state_zalloc(mwl_soft_state_p,
3838 	    ddi_get_instance(devinfo)) != DDI_SUCCESS) {
3839 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3840 		    "Unable to alloc soft state\n");
3841 		return (DDI_FAILURE);
3842 	}
3843 
3844 	sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(devinfo));
3845 	ic = &sc->sc_ic;
3846 	sc->sc_dev = devinfo;
3847 
3848 	/* PCI configuration space */
3849 	err = ddi_regs_map_setup(devinfo, 0, (caddr_t *)&sc->sc_cfg_base, 0, 0,
3850 	    &mwl_reg_accattr, &sc->sc_cfg_handle);
3851 	if (err != DDI_SUCCESS) {
3852 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3853 		    "ddi_regs_map_setup() failed");
3854 		goto attach_fail0;
3855 	}
3856 	csz = ddi_get8(sc->sc_cfg_handle,
3857 	    (uint8_t *)(sc->sc_cfg_base + PCI_CONF_CACHE_LINESZ));
3858 	if (!csz)
3859 		csz = 16;
3860 	sc->sc_cachelsz = csz << 2;
3861 	sc->sc_dmabuf_size = roundup(IEEE80211_MAX_LEN, sc->sc_cachelsz);
3862 	vendor_id = ddi_get16(sc->sc_cfg_handle,
3863 	    (uint16_t *)(sc->sc_cfg_base + PCI_CONF_VENID));
3864 	device_id = ddi_get16(sc->sc_cfg_handle,
3865 	    (uint16_t *)(sc->sc_cfg_base + PCI_CONF_DEVID));
3866 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3867 	    "vendor 0x%x, device id 0x%x, cache size %d\n",
3868 	    vendor_id, device_id, csz);
3869 
3870 	/*
3871 	 * Enable response to memory space accesses,
3872 	 * and enabe bus master.
3873 	 */
3874 	command = PCI_COMM_MAE | PCI_COMM_ME;
3875 	ddi_put16(sc->sc_cfg_handle,
3876 	    (uint16_t *)((uintptr_t)(sc->sc_cfg_base) + PCI_CONF_COMM),
3877 	    command);
3878 	ddi_put8(sc->sc_cfg_handle,
3879 	    (uint8_t *)(sc->sc_cfg_base + PCI_CONF_LATENCY_TIMER), 0xa8);
3880 	ddi_put8(sc->sc_cfg_handle,
3881 	    (uint8_t *)(sc->sc_cfg_base + PCI_CONF_ILINE), 0x10);
3882 
3883 	/* BAR0 */
3884 	err = ddi_regs_map_setup(devinfo, 1,
3885 	    &sc->sc_mem_base, 0, 0, &mwl_reg_accattr, &sc->sc_mem_handle);
3886 	if (err != DDI_SUCCESS) {
3887 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3888 		    "i/o space failed");
3889 		goto attach_fail1;
3890 	}
3891 
3892 	/* BAR1 */
3893 	err = ddi_regs_map_setup(devinfo, 2,
3894 	    &sc->sc_io_base, 0, 0, &mwl_reg_accattr, &sc->sc_io_handle);
3895 	if (err != DDI_SUCCESS) {
3896 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3897 		    "memory space failed");
3898 		goto attach_fail2;
3899 	}
3900 
3901 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3902 	    "PCI configuration is done successfully\n");
3903 
3904 	/*
3905 	 * Alloc cmd DMA buffer for firmware download
3906 	 */
3907 	err = mwl_alloc_cmdbuf(sc);
3908 	if (err != 0) {
3909 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3910 		    "could not alloc cmd dma buffer\n");
3911 		goto attach_fail3;
3912 	}
3913 
3914 	sc->sc_imask = 0;
3915 	sc->sc_hw_flags = 0;
3916 	sc->sc_flags = 0;
3917 
3918 	/*
3919 	 * Some cards have SDRAM.  When loading firmware we need
3920 	 * to reset the SDRAM controller prior to doing this.
3921 	 * When the SDRAMSIZE is non-zero we do that work in
3922 	 * mwl_hal_fwload.
3923 	 */
3924 	switch (device_id) {
3925 	case 0x2a02:		/* CB82 */
3926 	case 0x2a03:		/* CB85 */
3927 	case 0x2a08:		/* MC85_B1 */
3928 	case 0x2a0b:		/* CB85AP */
3929 	case 0x2a24:
3930 		sc->sc_SDRAMSIZE_Addr = 0x40fe70b7;	/* 8M SDRAM */
3931 		break;
3932 	case 0x2a04:		/* MC85 */
3933 		sc->sc_SDRAMSIZE_Addr = 0x40fc70b7;	/* 16M SDRAM */
3934 		break;
3935 	default:
3936 		break;
3937 	}
3938 
3939 	err = mwl_fwload(sc, NULL);
3940 	if (err != 0) {
3941 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3942 		    "firmware download failed\n");
3943 		goto attach_fail4;
3944 	}
3945 
3946 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3947 	    "firmware download successfully\n");
3948 
3949 	err = mwl_gethwspecs(sc);
3950 	if (err != 0) {
3951 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3952 		    "failed to get hw spec\n");
3953 		goto attach_fail4;
3954 	}
3955 
3956 	err = mwl_getchannels(sc);
3957 	if (err != 0) {
3958 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3959 		    "failed to get channels\n");
3960 		goto attach_fail4;
3961 	}
3962 
3963 	/*
3964 	 * Alloc rx DMA buffer
3965 	 */
3966 	err = mwl_alloc_rx_ring(sc, MWL_RX_RING_COUNT);
3967 	if (err != 0) {
3968 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3969 		    "could not alloc cmd dma buffer\n");
3970 		goto attach_fail5;
3971 	}
3972 
3973 	/*
3974 	 * Alloc rx DMA buffer
3975 	 */
3976 	for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++) {
3977 		err = mwl_alloc_tx_ring(sc,
3978 		    &sc->sc_txring[qid], MWL_TX_RING_COUNT);
3979 		if (err != 0) {
3980 			MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3981 			    "could not alloc tx ring %d\n", qid);
3982 			goto attach_fail6;
3983 		}
3984 	}
3985 
3986 	err = mwl_setupdma(sc);
3987 	if (err != 0) {
3988 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3989 		    "could not setup dma\n");
3990 		goto attach_fail6;
3991 	}
3992 
3993 	err = mwl_setup_txq(sc);
3994 	if (err != 0) {
3995 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
3996 		    "could not setup txq\n");
3997 		goto attach_fail6;
3998 	}
3999 
4000 	IEEE80211_ADDR_COPY(ic->ic_macaddr, sc->sc_hwspecs.macAddr);
4001 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4002 	    "mwl MAC:%2x:%2x:%2x:%2x:%2x:%2x\n",
4003 	    ic->ic_macaddr[0],
4004 	    ic->ic_macaddr[1],
4005 	    ic->ic_macaddr[2],
4006 	    ic->ic_macaddr[3],
4007 	    ic->ic_macaddr[4],
4008 	    ic->ic_macaddr[5]);
4009 
4010 	err = mwl_hal_setmac_locked(sc, ic->ic_macaddr);
4011 	if (err != 0) {			/* NB: mwl_setupdma prints msg */
4012 		MWL_DBG(MWL_DBG_ATTACH, "mwl: attach(): "
4013 		    "could not set mac\n");
4014 		goto attach_fail6;
4015 	}
4016 
4017 	mutex_init(&sc->sc_glock, NULL, MUTEX_DRIVER, NULL);
4018 	mutex_init(&sc->sc_rxlock, NULL, MUTEX_DRIVER, NULL);
4019 	mutex_init(&sc->sc_txlock, NULL, MUTEX_DRIVER, NULL);
4020 
4021 
4022 	/* set supported rates */
4023 	ic->ic_sup_rates[IEEE80211_MODE_11B] = mwl_rateset_11b;
4024 	ic->ic_sup_rates[IEEE80211_MODE_11G] = mwl_rateset_11g;
4025 
4026 	/* set supported .11b and .11g channels (1 through 14) */
4027 	for (i = 1; i <= 14; i++) {
4028 		ic->ic_sup_channels[i].ich_freq =
4029 		    ieee80211_ieee2mhz(i, IEEE80211_CHAN_2GHZ);
4030 		ic->ic_sup_channels[i].ich_flags =
4031 		    IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
4032 	}
4033 
4034 	ic->ic_phytype = IEEE80211_T_OFDM; /* not only, but not used */
4035 	ic->ic_opmode = IEEE80211_M_STA; /* default to BSS mode */
4036 	ic->ic_state = IEEE80211_S_INIT;
4037 
4038 	/* set device capabilities */
4039 	ic->ic_caps =
4040 	    IEEE80211_C_TXPMGT |	/* tx power management */
4041 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
4042 	    IEEE80211_C_SHSLOT;		/* short slot time supported */
4043 
4044 	/* WPA/WPA2 support */
4045 	ic->ic_caps |= IEEE80211_C_WPA; /* Support WPA/WPA2 */
4046 
4047 	/* Enable hardware encryption */
4048 	ic->ic_caps |= IEEE80211_C_WEP | IEEE80211_C_TKIP | IEEE80211_C_AES_CCM;
4049 
4050 	ic->ic_xmit = mwl_send;
4051 
4052 	ieee80211_attach(ic);
4053 
4054 	/* register WPA door */
4055 	ieee80211_register_door(ic, ddi_driver_name(devinfo),
4056 	    ddi_get_instance(devinfo));
4057 
4058 	/* override state transition machine */
4059 	sc->sc_newstate = ic->ic_newstate;
4060 	ic->ic_newstate = mwl_newstate;
4061 	ic->ic_node_alloc = mwl_node_alloc;
4062 	ic->ic_node_free = mwl_node_free;
4063 	ic->ic_crypto.cs_max_keyix = 0;
4064 	ic->ic_crypto.cs_key_alloc = mwl_key_alloc;
4065 	ic->ic_crypto.cs_key_delete = mwl_key_delete;
4066 	ic->ic_crypto.cs_key_set = mwl_key_set;
4067 
4068 	ieee80211_media_init(ic);
4069 
4070 	ic->ic_def_txkey = 0;
4071 
4072 	err = mwl_hal_newstation(sc, ic->ic_macaddr, 0, 0, NULL, 0, 0);
4073 	if (err != 0) {
4074 		MWL_DBG(MWL_DBG_ATTACH, "mwl: attach(): "
4075 		    "could not create new station\n");
4076 		goto attach_fail7;
4077 	}
4078 
4079 	IEEE80211_ADDR_COPY(ic->ic_bss->in_bssid, ic->ic_macaddr);
4080 	// mwl_setglobalkeys(ic);
4081 
4082 	err = ddi_intr_get_supported_types(devinfo, &intr_type);
4083 	if ((err != DDI_SUCCESS) || (!(intr_type & DDI_INTR_TYPE_FIXED))) {
4084 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4085 		    "fixed type interrupt is not supported\n");
4086 		goto attach_fail7;
4087 	}
4088 
4089 	err = ddi_intr_get_nintrs(devinfo, DDI_INTR_TYPE_FIXED, &intr_count);
4090 	if ((err != DDI_SUCCESS) || (intr_count != 1)) {
4091 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4092 		    "no fixed interrupts\n");
4093 		goto attach_fail7;
4094 	}
4095 
4096 	sc->sc_intr_htable = kmem_zalloc(sizeof (ddi_intr_handle_t), KM_SLEEP);
4097 
4098 	err = ddi_intr_alloc(devinfo, sc->sc_intr_htable,
4099 	    DDI_INTR_TYPE_FIXED, 0, intr_count, &intr_actual, 0);
4100 	if ((err != DDI_SUCCESS) || (intr_actual != 1)) {
4101 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4102 		    "ddi_intr_alloc() failed 0x%x\n", err);
4103 		goto attach_fail8;
4104 	}
4105 
4106 	err = ddi_intr_get_pri(sc->sc_intr_htable[0], &sc->sc_intr_pri);
4107 	if (err != DDI_SUCCESS) {
4108 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4109 		    "ddi_intr_get_pri() failed 0x%x\n", err);
4110 		goto attach_fail9;
4111 	}
4112 
4113 	err = ddi_intr_add_softint(devinfo, &sc->sc_softintr_hdl,
4114 	    DDI_INTR_SOFTPRI_MAX, mwl_softintr, (caddr_t)sc);
4115 	if (err != DDI_SUCCESS) {
4116 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4117 		    "ddi_add_softintr() failed");
4118 		goto attach_fail9;
4119 	}
4120 
4121 	err = ddi_intr_add_handler(sc->sc_intr_htable[0], mwl_intr,
4122 	    (caddr_t)sc, NULL);
4123 	if (err != DDI_SUCCESS) {
4124 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4125 		    "ddi_intr_addr_handle() failed\n");
4126 		goto attach_fail10;
4127 	}
4128 
4129 	err = ddi_intr_enable(sc->sc_intr_htable[0]);
4130 	if (err != DDI_SUCCESS) {
4131 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4132 		    "ddi_intr_enable() failed\n");
4133 		goto attach_fail11;
4134 	}
4135 
4136 	/*
4137 	 * Provide initial settings for the WiFi plugin; whenever this
4138 	 * information changes, we need to call mac_plugindata_update()
4139 	 */
4140 	wd.wd_opmode = ic->ic_opmode;
4141 	wd.wd_secalloc = WIFI_SEC_NONE;
4142 	IEEE80211_ADDR_COPY(wd.wd_bssid, ic->ic_bss->in_bssid);
4143 
4144 	if ((macp = mac_alloc(MAC_VERSION)) == NULL) {
4145 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4146 		    "MAC version mismatch\n");
4147 		goto attach_fail12;
4148 	}
4149 
4150 	macp->m_type_ident	= MAC_PLUGIN_IDENT_WIFI;
4151 	macp->m_driver		= sc;
4152 	macp->m_dip		= devinfo;
4153 	macp->m_src_addr	= ic->ic_macaddr;
4154 	macp->m_callbacks	= &mwl_m_callbacks;
4155 	macp->m_min_sdu		= 0;
4156 	macp->m_max_sdu		= IEEE80211_MTU;
4157 	macp->m_pdata		= &wd;
4158 	macp->m_pdata_size	= sizeof (wd);
4159 
4160 	err = mac_register(macp, &ic->ic_mach);
4161 	mac_free(macp);
4162 	if (err != 0) {
4163 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4164 		    "mac_register err %x\n", err);
4165 		goto attach_fail12;
4166 	}
4167 
4168 	/*
4169 	 * Create minor node of type DDI_NT_NET_WIFI
4170 	 */
4171 	(void) snprintf(strbuf, sizeof (strbuf), "%s%d",
4172 	    "mwl", instance);
4173 	err = ddi_create_minor_node(devinfo, strbuf, S_IFCHR,
4174 	    instance + 1, DDI_NT_NET_WIFI, 0);
4175 	if (err != 0) {
4176 		MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4177 		    "create minor node error\n");
4178 		goto attach_fail13;
4179 	}
4180 
4181 	/*
4182 	 * Notify link is down now
4183 	 */
4184 	mac_link_update(ic->ic_mach, LINK_STATE_DOWN);
4185 
4186 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
4187 	    "driver attach successfully\n");
4188 	return (DDI_SUCCESS);
4189 
4190 attach_fail13:
4191 	(void) mac_disable(ic->ic_mach);
4192 	(void) mac_unregister(ic->ic_mach);
4193 attach_fail12:
4194 	(void) ddi_intr_disable(sc->sc_intr_htable[0]);
4195 attach_fail11:
4196 	(void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
4197 attach_fail10:
4198 	(void) ddi_intr_remove_softint(sc->sc_softintr_hdl);
4199 	sc->sc_softintr_hdl = NULL;
4200 attach_fail9:
4201 	(void) ddi_intr_free(sc->sc_intr_htable[0]);
4202 attach_fail8:
4203 	kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));
4204 attach_fail7:
4205 	mutex_destroy(&sc->sc_txlock);
4206 	mutex_destroy(&sc->sc_rxlock);
4207 	mutex_destroy(&sc->sc_glock);
4208 attach_fail6:
4209 	while (--qid >= 0)
4210 		mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
4211 attach_fail5:
4212 	mwl_free_rx_ring(sc);
4213 attach_fail4:
4214 	mwl_free_cmdbuf(sc);
4215 attach_fail3:
4216 	ddi_regs_map_free(&sc->sc_mem_handle);
4217 attach_fail2:
4218 	ddi_regs_map_free(&sc->sc_io_handle);
4219 attach_fail1:
4220 	ddi_regs_map_free(&sc->sc_cfg_handle);
4221 attach_fail0:
4222 	ddi_soft_state_free(mwl_soft_state_p, ddi_get_instance(devinfo));
4223 	return (DDI_FAILURE);
4224 }
4225 
4226 static int32_t
4227 mwl_detach(dev_info_t *devinfo, ddi_detach_cmd_t cmd)
4228 {
4229 	struct mwl_softc *sc;
4230 	int qid;
4231 
4232 	sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(devinfo));
4233 	ASSERT(sc != NULL);
4234 
4235 	switch (cmd) {
4236 	case DDI_DETACH:
4237 		break;
4238 	case DDI_SUSPEND:
4239 		if (MWL_IS_RUNNING(sc))
4240 			mwl_stop(sc);
4241 		for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++)
4242 			mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
4243 		mwl_free_rx_ring(sc);
4244 		MWL_GLOCK(sc);
4245 		sc->sc_flags |= MWL_F_SUSPEND;
4246 		MWL_GUNLOCK(sc);
4247 		MWL_DBG(MWL_DBG_SR, "mwl: mwl_detach(): "
4248 		    "suspend now\n");
4249 		return (DDI_SUCCESS);
4250 	default:
4251 		return (DDI_FAILURE);
4252 	}
4253 
4254 	if (mac_disable(sc->sc_ic.ic_mach) != 0)
4255 		return (DDI_FAILURE);
4256 
4257 	/*
4258 	 * Unregister from the MAC layer subsystem
4259 	 */
4260 	(void) mac_unregister(sc->sc_ic.ic_mach);
4261 
4262 	(void) ddi_intr_remove_softint(sc->sc_softintr_hdl);
4263 	sc->sc_softintr_hdl = NULL;
4264 	(void) ddi_intr_disable(sc->sc_intr_htable[0]);
4265 	(void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
4266 	(void) ddi_intr_free(sc->sc_intr_htable[0]);
4267 	kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));
4268 
4269 	/*
4270 	 * detach ieee80211 layer
4271 	 */
4272 	ieee80211_detach(&sc->sc_ic);
4273 
4274 
4275 	for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++)
4276 		mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
4277 	mwl_free_rx_ring(sc);
4278 	mwl_free_cmdbuf(sc);
4279 
4280 	mutex_destroy(&sc->sc_txlock);
4281 	mutex_destroy(&sc->sc_rxlock);
4282 	mutex_destroy(&sc->sc_glock);
4283 
4284 	ddi_regs_map_free(&sc->sc_mem_handle);
4285 	ddi_regs_map_free(&sc->sc_io_handle);
4286 	ddi_regs_map_free(&sc->sc_cfg_handle);
4287 
4288 	ddi_remove_minor_node(devinfo, NULL);
4289 	ddi_soft_state_free(mwl_soft_state_p, ddi_get_instance(devinfo));
4290 
4291 	MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_detach(): "
4292 	    "detach successfully\n");
4293 	return (DDI_SUCCESS);
4294 }
4295 
4296 /*
4297  * quiesce(9E) entry point.
4298  *
4299  * This function is called when the system is single-threaded at high
4300  * PIL with preemption disabled. Therefore, this function must not be
4301  * blocked.
4302  *
4303  * This function returns DDI_SUCCESS on success, or DDI_FAILURE on failure.
4304  * DDI_FAILURE indicates an error condition and should almost never happen.
4305  */
4306 int
4307 mwl_quiesce(dev_info_t *dip)
4308 {
4309 	struct mwl_softc *sc;
4310 
4311 	sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(dip));
4312 	if (sc == NULL)
4313 		return (DDI_FAILURE);
4314 
4315 #ifdef DEBUG
4316 	mwl_dbg_flags = 0;
4317 #endif
4318 
4319 	/*
4320 	 * No more blocking is allowed while we are in quiesce(9E) entry point
4321 	 */
4322 	sc->sc_flags |= MWL_F_QUIESCE;
4323 
4324 	/*
4325 	 * Disable all interrupts
4326 	 */
4327 	mwl_stop(sc);
4328 	return (DDI_SUCCESS);
4329 }
4330 
4331 int
4332 _init(void)
4333 {
4334 	int status;
4335 
4336 	status = ddi_soft_state_init(&mwl_soft_state_p,
4337 	    sizeof (struct mwl_softc), 1);
4338 	if (status != 0)
4339 		return (status);
4340 
4341 	mac_init_ops(&mwl_dev_ops, "mwl");
4342 	status = mod_install(&modlinkage);
4343 	if (status != 0) {
4344 		mac_fini_ops(&mwl_dev_ops);
4345 		ddi_soft_state_fini(&mwl_soft_state_p);
4346 	}
4347 	return (status);
4348 }
4349 
4350 int
4351 _info(struct modinfo *modinfop)
4352 {
4353 	return (mod_info(&modlinkage, modinfop));
4354 }
4355 
4356 int
4357 _fini(void)
4358 {
4359 	int status;
4360 
4361 	status = mod_remove(&modlinkage);
4362 	if (status == 0) {
4363 		mac_fini_ops(&mwl_dev_ops);
4364 		ddi_soft_state_fini(&mwl_soft_state_p);
4365 	}
4366 	return (status);
4367 }
4368