/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting
 * Copyright (c) 2007-2008 Marvell Semiconductor, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer,
 *    without modification.
 * 2. Redistributions in binary form must reproduce at minimum a disclaimer
 *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
 *    redistribution must be conditioned upon including a substantially
 *    similar Disclaimer requirement for further binary redistribution.
 *
 * NO WARRANTY
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
 * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
 * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGES.
 */

/*
 * Copyright 2019 Joyent, Inc.
 */

/*
 * Driver for the Marvell 88W8363 Wireless LAN controller.
 */
#include <sys/stat.h>
#include <sys/dlpi.h>
#include <inet/common.h>
#include <inet/mi.h>
#include <sys/stream.h>
#include <sys/errno.h>
#include <sys/stropts.h>
#include <sys/stat.h>
#include <sys/sunddi.h>
#include <sys/strsubr.h>
#include <sys/strsun.h>
#include <sys/pci.h>
#include <sys/mac_provider.h>
#include <sys/mac_wifi.h>
#include <sys/net80211.h>
#include <inet/wifi_ioctl.h>

#include "mwl_var.h"

static int mwl_attach(dev_info_t *devinfo, ddi_attach_cmd_t cmd);
static int mwl_detach(dev_info_t *devinfo, ddi_detach_cmd_t cmd);
static int mwl_quiesce(dev_info_t *devinfo);

DDI_DEFINE_STREAM_OPS(mwl_dev_ops, nulldev, nulldev, mwl_attach, mwl_detach,
    nodev, NULL, D_MP, NULL, mwl_quiesce);

static struct modldrv mwl_modldrv = {
        &mod_driverops, /* Type of module.  This one is a driver */
        "Marvell 88W8363 WiFi driver v1.1",     /* short description */
        &mwl_dev_ops    /* driver specific ops */
};

static struct modlinkage modlinkage = {
        MODREV_1, (void *)&mwl_modldrv, NULL
};

static void *mwl_soft_state_p = NULL;

static int      mwl_m_stat(void *,  uint_t, uint64_t *);
static int      mwl_m_start(void *);
static void     mwl_m_stop(void *);
static int      mwl_m_promisc(void *, boolean_t);
static int      mwl_m_multicst(void *, boolean_t, const uint8_t *);
static int      mwl_m_unicst(void *, const uint8_t *);
static mblk_t   *mwl_m_tx(void *, mblk_t *);
static void     mwl_m_ioctl(void *, queue_t *, mblk_t *);
static int      mwl_m_setprop(void *arg, const char *pr_name,
                    mac_prop_id_t wldp_pr_num,
                    uint_t wldp_length, const void *wldp_buf);
static int      mwl_m_getprop(void *arg, const char *pr_name,
                    mac_prop_id_t wldp_pr_num, uint_t wldp_length,
                    void *wldp_buf);
static void     mwl_m_propinfo(void *, const char *, mac_prop_id_t,
    mac_prop_info_handle_t);

static mac_callbacks_t mwl_m_callbacks = {
        MC_IOCTL | MC_SETPROP | MC_GETPROP | MC_PROPINFO,
        mwl_m_stat,
        mwl_m_start,
        mwl_m_stop,
        mwl_m_promisc,
        mwl_m_multicst,
        mwl_m_unicst,
        mwl_m_tx,
        NULL,
        mwl_m_ioctl,
        NULL,
        NULL,
        NULL,
        mwl_m_setprop,
        mwl_m_getprop,
        mwl_m_propinfo
};

#define MWL_DBG_ATTACH          (1 << 0)
#define MWL_DBG_DMA             (1 << 1)
#define MWL_DBG_FW              (1 << 2)
#define MWL_DBG_HW              (1 << 3)
#define MWL_DBG_INTR            (1 << 4)
#define MWL_DBG_RX              (1 << 5)
#define MWL_DBG_TX              (1 << 6)
#define MWL_DBG_CMD             (1 << 7)
#define MWL_DBG_CRYPTO          (1 << 8)
#define MWL_DBG_SR              (1 << 9)
#define MWL_DBG_MSG             (1 << 10)

uint32_t mwl_dbg_flags = 0x0;

#ifdef DEBUG
#define MWL_DBG \
        mwl_debug
#else
#define MWL_DBG(...) (void)(0)
#endif

/*
 * PIO access attributes for registers
 */
static ddi_device_acc_attr_t mwl_reg_accattr = {
        DDI_DEVICE_ATTR_V0,
        DDI_STRUCTURE_LE_ACC,
        DDI_STRICTORDER_ACC,
        DDI_DEFAULT_ACC
};

static ddi_device_acc_attr_t mwl_cmdbuf_accattr = {
        DDI_DEVICE_ATTR_V0,
        DDI_NEVERSWAP_ACC,
        DDI_STRICTORDER_ACC,
        DDI_DEFAULT_ACC
};

/*
 * DMA access attributes for descriptors and bufs: NOT to be byte swapped.
 */
static ddi_device_acc_attr_t mwl_desc_accattr = {
        DDI_DEVICE_ATTR_V0,
        DDI_NEVERSWAP_ACC,
        DDI_STRICTORDER_ACC,
        DDI_DEFAULT_ACC
};

static ddi_device_acc_attr_t mwl_buf_accattr = {
        DDI_DEVICE_ATTR_V0,
        DDI_NEVERSWAP_ACC,
        DDI_STRICTORDER_ACC,
        DDI_DEFAULT_ACC
};

/*
 * Describes the chip's DMA engine
 */
static ddi_dma_attr_t mwl_dma_attr = {
        DMA_ATTR_V0,                    /* dma_attr version */
        0x0000000000000000ull,          /* dma_attr_addr_lo */
        0xFFFFFFFF,                     /* dma_attr_addr_hi */
        0x00000000FFFFFFFFull,          /* dma_attr_count_max */
        0x0000000000000001ull,          /* dma_attr_align */
        0x00000FFF,                     /* dma_attr_burstsizes */
        0x00000001,                     /* dma_attr_minxfer */
        0x000000000000FFFFull,          /* dma_attr_maxxfer */
        0xFFFFFFFFFFFFFFFFull,          /* dma_attr_seg */
        1,                              /* dma_attr_sgllen */
        0x00000001,                     /* dma_attr_granular */
        0                               /* dma_attr_flags */
};

/*
 * Supported rates for 802.11a/b/g modes (in 500Kbps unit).
 */
static const struct ieee80211_rateset mwl_rateset_11b =
        { 4, { 2, 4, 11, 22 } };

static const struct ieee80211_rateset mwl_rateset_11g =
        { 12, { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 } };

static int      mwl_alloc_dma_mem(dev_info_t *, ddi_dma_attr_t *, size_t,
                    ddi_device_acc_attr_t *, uint_t, uint_t,
                    struct dma_area *);
static void     mwl_free_dma_mem(struct dma_area *);
static int      mwl_alloc_cmdbuf(struct mwl_softc *);
static void     mwl_free_cmdbuf(struct mwl_softc *);
static int      mwl_alloc_rx_ring(struct mwl_softc *, int);
static void     mwl_free_rx_ring(struct mwl_softc *);
static int      mwl_alloc_tx_ring(struct mwl_softc *, struct mwl_tx_ring *,
                    int);
static void     mwl_free_tx_ring(struct mwl_softc *, struct mwl_tx_ring *);
static int      mwl_setupdma(struct mwl_softc *);
static void     mwl_txq_init(struct mwl_softc *, struct mwl_tx_ring *, int);
static int      mwl_tx_setup(struct mwl_softc *, int, int);
static int      mwl_setup_txq(struct mwl_softc *);
static int      mwl_fwload(struct mwl_softc *, void *);
static int      mwl_loadsym(ddi_modhandle_t, char *, char **, size_t *);
static void     mwlFwReset(struct mwl_softc *);
static void     mwlPokeSdramController(struct mwl_softc *, int);
static void     mwlTriggerPciCmd(struct mwl_softc *);
static int      mwlWaitFor(struct mwl_softc *, uint32_t);
static int      mwlSendBlock(struct mwl_softc *, int, const void *, size_t);
static int      mwlSendBlock2(struct mwl_softc *, const void *, size_t);
static void     mwlSendCmd(struct mwl_softc *);
static int      mwlExecuteCmd(struct mwl_softc *, unsigned short);
static int      mwlWaitForCmdComplete(struct mwl_softc *, uint16_t);
static void     dumpresult(struct mwl_softc *, int);
static int      mwlResetHalState(struct mwl_softc *);
static int      mwlGetPwrCalTable(struct mwl_softc *);
static int      mwlGetCalTable(struct mwl_softc *, uint8_t, uint8_t);
static int      mwlGetPwrCalTable(struct mwl_softc *);
static void     dumpcaldata(const char *, const uint8_t *, int);
static void     get2Ghz(MWL_HAL_CHANNELINFO *, const uint8_t *, int);
static void     get5Ghz(MWL_HAL_CHANNELINFO *, const uint8_t *, int);
static void     setmaxtxpow(struct mwl_hal_channel *, int, int);
static uint16_t ieee2mhz(int);
static const char *
                mwlcmdname(int);
static int      mwl_gethwspecs(struct mwl_softc *);
static int      mwl_getchannels(struct mwl_softc *);
static void     getchannels(struct mwl_softc *, int, int *,
                    struct mwl_channel *);
static void     addchannels(struct mwl_channel *, int, int *,
                    const MWL_HAL_CHANNELINFO *, int);
static void     addht40channels(struct mwl_channel *, int, int *,
                    const MWL_HAL_CHANNELINFO *, int);
static const struct mwl_channel *
                findchannel(const struct mwl_channel *, int,
                    int, int);
static void     addchan(struct mwl_channel *, int, int, int, int);

static int      mwl_chan_set(struct mwl_softc *, struct mwl_channel *);
static void     mwl_mapchan(MWL_HAL_CHANNEL *, const struct mwl_channel *);
static int      mwl_setcurchanrates(struct mwl_softc *);
const struct ieee80211_rateset *
                mwl_get_suprates(struct ieee80211com *,
                    const struct mwl_channel *);
static uint32_t cvtChannelFlags(const MWL_HAL_CHANNEL *);
static const struct mwl_hal_channel *
                findhalchannel(const struct mwl_softc *,
                    const MWL_HAL_CHANNEL *);
enum ieee80211_phymode
                mwl_chan2mode(const struct mwl_channel *);
static int      mwl_map2regioncode(const struct mwl_regdomain *);
static int      mwl_startrecv(struct mwl_softc *);
static int      mwl_mode_init(struct mwl_softc *);
static void     mwl_hal_intrset(struct mwl_softc *, uint32_t);
static void     mwl_hal_getisr(struct mwl_softc *, uint32_t *);
static int      mwl_hal_sethwdma(struct mwl_softc *,
                    const struct mwl_hal_txrxdma *);
static int      mwl_hal_getchannelinfo(struct mwl_softc *, int, int,
                    const MWL_HAL_CHANNELINFO **);
static int      mwl_hal_setmac_locked(struct mwl_softc *,
                    const uint8_t [IEEE80211_ADDR_LEN]);
static int      mwl_hal_keyreset(struct mwl_softc *, const MWL_HAL_KEYVAL *,
                    const uint8_t mac[IEEE80211_ADDR_LEN]);
static int      mwl_hal_keyset(struct mwl_softc *, const MWL_HAL_KEYVAL *,
                    const uint8_t mac[IEEE80211_ADDR_LEN]);
static int      mwl_hal_newstation(struct mwl_softc *,
                    const uint8_t [IEEE80211_ADDR_LEN],
                    uint16_t, uint16_t, const MWL_HAL_PEERINFO *, int, int);
static int      mwl_hal_setantenna(struct mwl_softc *, MWL_HAL_ANTENNA, int);
static int      mwl_hal_setradio(struct mwl_softc *, int, MWL_HAL_PREAMBLE);
static int      mwl_hal_setwmm(struct mwl_softc *, int);
static int      mwl_hal_setchannel(struct mwl_softc *, const MWL_HAL_CHANNEL *);
static int      mwl_hal_settxpower(struct mwl_softc *, const MWL_HAL_CHANNEL *,
                    uint8_t);
static int      mwl_hal_settxrate(struct mwl_softc *, MWL_HAL_TXRATE_HANDLING,
                    const MWL_HAL_TXRATE *);
static int      mwl_hal_settxrate_auto(struct mwl_softc *,
                    const MWL_HAL_TXRATE *);
static int      mwl_hal_setrateadaptmode(struct mwl_softc *, uint16_t);
static int      mwl_hal_setoptimizationlevel(struct mwl_softc *, int);
static int      mwl_hal_setregioncode(struct mwl_softc *, int);
static int      mwl_hal_setassocid(struct mwl_softc *,
                    const uint8_t [IEEE80211_ADDR_LEN], uint16_t);
static int      mwl_setrates(struct ieee80211com *);
static int      mwl_hal_setrtsthreshold(struct mwl_softc *, int);
static int      mwl_hal_setcsmode(struct mwl_softc *, MWL_HAL_CSMODE);
static int      mwl_hal_setpromisc(struct mwl_softc *, int);
static int      mwl_hal_start(struct mwl_softc *);
static int      mwl_hal_setinframode(struct mwl_softc *);
static int      mwl_hal_stop(struct mwl_softc *);
static struct ieee80211_node *
                mwl_node_alloc(struct ieee80211com *);
static void     mwl_node_free(struct ieee80211_node *);
static int      mwl_key_alloc(struct ieee80211com *,
                    const struct ieee80211_key *,
                    ieee80211_keyix *, ieee80211_keyix *);
static int      mwl_key_delete(struct ieee80211com *,
                    const struct ieee80211_key *);
static int      mwl_key_set(struct ieee80211com *, const struct ieee80211_key *,
                    const uint8_t mac[IEEE80211_ADDR_LEN]);
static void     mwl_setanywepkey(struct ieee80211com *,
                    const uint8_t [IEEE80211_ADDR_LEN]);
static void     mwl_setglobalkeys(struct ieee80211com *c);
static int      addgroupflags(MWL_HAL_KEYVAL *, const struct ieee80211_key *);
static void     mwl_hal_txstart(struct mwl_softc *, int);
static int      mwl_send(ieee80211com_t *, mblk_t *, uint8_t);
static void     mwl_next_scan(void *);
static MWL_HAL_PEERINFO *
                mkpeerinfo(MWL_HAL_PEERINFO *, const struct ieee80211_node *);
static uint32_t get_rate_bitmap(const struct ieee80211_rateset *);
static int      mwl_newstate(struct ieee80211com *, enum ieee80211_state, int);
static int      cvtrssi(uint8_t);
static uint_t   mwl_intr(caddr_t, caddr_t);
static uint_t   mwl_softintr(caddr_t, caddr_t);
static void     mwl_tx_intr(struct mwl_softc *);
static void     mwl_rx_intr(struct mwl_softc *);
static int      mwl_init(struct mwl_softc *);
static void     mwl_stop(struct mwl_softc *);
static int      mwl_resume(struct mwl_softc *);


#ifdef DEBUG
static void
mwl_debug(uint32_t dbg_flags, const int8_t *fmt, ...)
{
        va_list args;

        if (dbg_flags & mwl_dbg_flags) {
                va_start(args, fmt);
                vcmn_err(CE_CONT, fmt, args);
                va_end(args);
        }
}
#endif

/*
 * Allocate an DMA memory and a DMA handle for accessing it
 */
static int
mwl_alloc_dma_mem(dev_info_t *devinfo, ddi_dma_attr_t *dma_attr,
    size_t memsize, ddi_device_acc_attr_t *attr_p, uint_t alloc_flags,
    uint_t bind_flags, struct dma_area *dma_p)
{
        int err;

        /*
         * Allocate handle
         */
        err = ddi_dma_alloc_handle(devinfo, dma_attr,
            DDI_DMA_SLEEP, NULL, &dma_p->dma_hdl);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
                    "failed to alloc handle\n");
                goto fail1;
        }

        /*
         * Allocate memory
         */
        err = ddi_dma_mem_alloc(dma_p->dma_hdl, memsize, attr_p,
            alloc_flags, DDI_DMA_SLEEP, NULL, &dma_p->mem_va,
            &dma_p->alength, &dma_p->acc_hdl);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
                    "failed to alloc mem\n");
                goto fail2;
        }

        /*
         * Bind the two together
         */
        err = ddi_dma_addr_bind_handle(dma_p->dma_hdl, NULL,
            dma_p->mem_va, dma_p->alength, bind_flags,
            DDI_DMA_SLEEP, NULL, &dma_p->cookie, &dma_p->ncookies);
        if (err != DDI_DMA_MAPPED) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
                    "failed to bind handle\n");
                goto fail3;
        }

        if (dma_p->ncookies != 1) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_dma_mem(): "
                    "failed to alloc cookies\n");
                goto fail4;
        }

        dma_p->nslots = ~0U;
        dma_p->size = ~0U;
        dma_p->token = ~0U;
        dma_p->offset = 0;

        return (DDI_SUCCESS);

fail4:
        (void) ddi_dma_unbind_handle(dma_p->dma_hdl);
fail3:
        ddi_dma_mem_free(&dma_p->acc_hdl);
fail2:
        ddi_dma_free_handle(&dma_p->dma_hdl);
fail1:
        return (err);
}

static void
mwl_free_dma_mem(struct dma_area *dma_p)
{
        if (dma_p->dma_hdl != NULL) {
                (void) ddi_dma_unbind_handle(dma_p->dma_hdl);
                if (dma_p->acc_hdl != NULL) {
                        ddi_dma_mem_free(&dma_p->acc_hdl);
                        dma_p->acc_hdl = NULL;
                }
                ddi_dma_free_handle(&dma_p->dma_hdl);
                dma_p->ncookies = 0;
                dma_p->dma_hdl = NULL;
        }
}

static int
mwl_alloc_cmdbuf(struct mwl_softc *sc)
{
        int err;
        size_t size;

        size = MWL_CMDBUF_SIZE;

        err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr, size,
            &mwl_cmdbuf_accattr, DDI_DMA_CONSISTENT,
            DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
            &sc->sc_cmd_dma);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_cmdbuf(): "
                    "failed to alloc dma mem\n");
                return (DDI_FAILURE);
        }

        sc->sc_cmd_mem = (uint16_t *)sc->sc_cmd_dma.mem_va;
        sc->sc_cmd_dmaaddr = sc->sc_cmd_dma.cookie.dmac_address;

        return (DDI_SUCCESS);
}

static void
mwl_free_cmdbuf(struct mwl_softc *sc)
{
        if (sc->sc_cmd_mem != NULL)
                mwl_free_dma_mem(&sc->sc_cmd_dma);
}

static int
mwl_alloc_rx_ring(struct mwl_softc *sc, int count)
{
        struct mwl_rx_ring *ring;
        struct mwl_rxdesc *ds;
        struct mwl_rxbuf *bf;
        int i, err, datadlen;

        ring = &sc->sc_rxring;
        ring->count = count;
        ring->cur = ring->next = 0;
        err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
            count * sizeof (struct mwl_rxdesc),
            &mwl_desc_accattr,
            DDI_DMA_CONSISTENT, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
            &ring->rxdesc_dma);
        if (err) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rxring(): "
                    "alloc tx ring failed, size %d\n",
                    (uint32_t)(count * sizeof (struct mwl_rxdesc)));
                return (DDI_FAILURE);
        }

        MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rx_ring(): "
            "dma len = %d\n", (uint32_t)(ring->rxdesc_dma.alength));
        ring->desc = (struct mwl_rxdesc *)ring->rxdesc_dma.mem_va;
        ring->physaddr = ring->rxdesc_dma.cookie.dmac_address;
        bzero(ring->desc, count * sizeof (struct mwl_rxdesc));

        datadlen = count * sizeof (struct mwl_rxbuf);
        ring->buf = (struct mwl_rxbuf *)kmem_zalloc(datadlen, KM_SLEEP);
        if (ring->buf == NULL) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_rxring(): "
                    "could not alloc rx ring data buffer\n");
                return (DDI_FAILURE);
        }
        bzero(ring->buf, count * sizeof (struct mwl_rxbuf));

        /*
         * Pre-allocate Rx buffers and populate Rx ring.
         */
        for (i = 0; i < count; i++) {
                ds = &ring->desc[i];
                bf = &ring->buf[i];
                /* alloc DMA memory */
                (void) mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
                    sc->sc_dmabuf_size,
                    &mwl_buf_accattr,
                    DDI_DMA_STREAMING,
                    DDI_DMA_READ | DDI_DMA_STREAMING,
                    &bf->rxbuf_dma);
                bf->bf_mem = (uint8_t *)(bf->rxbuf_dma.mem_va);
                bf->bf_baddr = bf->rxbuf_dma.cookie.dmac_address;
                bf->bf_desc = ds;
                bf->bf_daddr = ring->physaddr + _PTRDIFF(ds, ring->desc);
        }

        (void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
            0,
            ring->rxdesc_dma.alength,
            DDI_DMA_SYNC_FORDEV);

        return (0);
}

static void
mwl_free_rx_ring(struct mwl_softc *sc)
{
        struct mwl_rx_ring *ring;
        struct mwl_rxbuf *bf;
        int i;

        ring = &sc->sc_rxring;

        if (ring->desc != NULL) {
                mwl_free_dma_mem(&ring->rxdesc_dma);
        }

        if (ring->buf != NULL) {
                for (i = 0; i < ring->count; i++) {
                        bf = &ring->buf[i];
                        mwl_free_dma_mem(&bf->rxbuf_dma);
                }
                kmem_free(ring->buf,
                    (ring->count * sizeof (struct mwl_rxbuf)));
        }
}

static int
mwl_alloc_tx_ring(struct mwl_softc *sc, struct mwl_tx_ring *ring,
    int count)
{
        struct mwl_txdesc *ds;
        struct mwl_txbuf *bf;
        int i, err, datadlen;

        ring->count = count;
        ring->queued = 0;
        ring->cur = ring->next = ring->stat = 0;
        err = mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
            count * sizeof (struct mwl_txdesc), &mwl_desc_accattr,
            DDI_DMA_CONSISTENT, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
            &ring->txdesc_dma);
        if (err) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
                    "alloc tx ring failed, size %d\n",
                    (uint32_t)(count * sizeof (struct mwl_txdesc)));
                return (DDI_FAILURE);
        }

        MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
            "dma len = %d\n", (uint32_t)(ring->txdesc_dma.alength));
        ring->desc = (struct mwl_txdesc *)ring->txdesc_dma.mem_va;
        ring->physaddr = ring->txdesc_dma.cookie.dmac_address;
        bzero(ring->desc, count * sizeof (struct mwl_txdesc));

        datadlen = count * sizeof (struct mwl_txbuf);
        ring->buf = kmem_zalloc(datadlen, KM_SLEEP);
        if (ring->buf == NULL) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_alloc_tx_ring(): "
                    "could not alloc tx ring data buffer\n");
                return (DDI_FAILURE);
        }
        bzero(ring->buf, count * sizeof (struct mwl_txbuf));

        for (i = 0; i < count; i++) {
                ds = &ring->desc[i];
                bf = &ring->buf[i];
                /* alloc DMA memory */
                (void) mwl_alloc_dma_mem(sc->sc_dev, &mwl_dma_attr,
                    sc->sc_dmabuf_size,
                    &mwl_buf_accattr,
                    DDI_DMA_STREAMING,
                    DDI_DMA_WRITE | DDI_DMA_STREAMING,
                    &bf->txbuf_dma);
                bf->bf_baddr = bf->txbuf_dma.cookie.dmac_address;
                bf->bf_mem = (uint8_t *)(bf->txbuf_dma.mem_va);
                bf->bf_daddr = ring->physaddr + _PTRDIFF(ds, ring->desc);
                bf->bf_desc = ds;
        }

        (void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
            0,
            ring->txdesc_dma.alength,
            DDI_DMA_SYNC_FORDEV);

        return (0);
}

/* ARGSUSED */
static void
mwl_free_tx_ring(struct mwl_softc *sc, struct mwl_tx_ring *ring)
{
        struct mwl_txbuf *bf;
        int i;

        if (ring->desc != NULL) {
                mwl_free_dma_mem(&ring->txdesc_dma);
        }

        if (ring->buf != NULL) {
                for (i = 0; i < ring->count; i++) {
                        bf = &ring->buf[i];
                        mwl_free_dma_mem(&bf->txbuf_dma);
                }
                kmem_free(ring->buf,
                    (ring->count * sizeof (struct mwl_txbuf)));
        }
}

/*
 * Inform the f/w about location of the tx/rx dma data structures
 * and related state.  This cmd must be done immediately after a
 * mwl_hal_gethwspecs call or the f/w will lockup.
 */
static int
mwl_hal_sethwdma(struct mwl_softc *sc, const struct mwl_hal_txrxdma *dma)
{
        HostCmd_DS_SET_HW_SPEC *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_DS_SET_HW_SPEC, HostCmd_CMD_SET_HW_SPEC);
        pCmd->WcbBase[0] = LE_32(dma->wcbBase[0]);
        pCmd->WcbBase[1] = LE_32(dma->wcbBase[1]);
        pCmd->WcbBase[2] = LE_32(dma->wcbBase[2]);
        pCmd->WcbBase[3] = LE_32(dma->wcbBase[3]);
        pCmd->TxWcbNumPerQueue = LE_32(dma->maxNumTxWcb);
        pCmd->NumTxQueues = LE_32(dma->maxNumWCB);
        pCmd->TotalRxWcb = LE_32(1);            /* XXX */
        pCmd->RxPdWrPtr = LE_32(dma->rxDescRead);
        /*
         * pCmd->Flags = LE_32(SET_HW_SPEC_HOSTFORM_BEACON
         * #ifdef MWL_HOST_PS_SUPPORT
         * | SET_HW_SPEC_HOST_POWERSAVE
         * #endif
         * | SET_HW_SPEC_HOSTFORM_PROBERESP);
         */
        pCmd->Flags = 0;
        /* disable multi-bss operation for A1-A4 parts */
        if (sc->sc_revs.mh_macRev < 5)
                pCmd->Flags |= LE_32(SET_HW_SPEC_DISABLEMBSS);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_HW_SPEC);
        if (retval == 0) {
                if (pCmd->Flags & LE_32(SET_HW_SPEC_DISABLEMBSS))
                        sc->sc_hw_flags &= ~MHF_MBSS;
                else
                        sc->sc_hw_flags |= MHF_MBSS;
        }

        return (retval);
}

/*
 * Inform firmware of our tx/rx dma setup.  The BAR 0
 * writes below are for compatibility with older firmware.
 * For current firmware we send this information with a
 * cmd block via mwl_hal_sethwdma.
 */
static int
mwl_setupdma(struct mwl_softc *sc)
{
        int i, err;

        sc->sc_hwdma.rxDescRead = sc->sc_rxring.physaddr;
        mwl_mem_write4(sc, sc->sc_hwspecs.rxDescRead, sc->sc_hwdma.rxDescRead);
        mwl_mem_write4(sc, sc->sc_hwspecs.rxDescWrite, sc->sc_hwdma.rxDescRead);

        for (i = 0; i < MWL_NUM_TX_QUEUES - MWL_NUM_ACK_QUEUES; i++) {
                struct mwl_tx_ring *txring = &sc->sc_txring[i];
                sc->sc_hwdma.wcbBase[i] = txring->physaddr;
                mwl_mem_write4(sc, sc->sc_hwspecs.wcbBase[i],
                    sc->sc_hwdma.wcbBase[i]);
        }
        sc->sc_hwdma.maxNumTxWcb = MWL_TX_RING_COUNT;
        sc->sc_hwdma.maxNumWCB = MWL_NUM_TX_QUEUES - MWL_NUM_ACK_QUEUES;

        err = mwl_hal_sethwdma(sc, &sc->sc_hwdma);
        if (err != 0) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_setupdma(): "
                    "unable to setup tx/rx dma; hal status %u\n", err);
                /* XXX */
        }

        return (err);
}

/* ARGSUSED */
static void
mwl_txq_init(struct mwl_softc *sc, struct mwl_tx_ring *txring, int qnum)
{
        struct mwl_txbuf *bf;
        struct mwl_txdesc *ds;
        int i;

        txring->qnum = qnum;
        txring->txpri = 0;      /* XXX */

        bf = txring->buf;
        ds = txring->desc;
        for (i = 0; i < MWL_TX_RING_COUNT - 1; i++) {
                bf++;
                ds->pPhysNext = bf->bf_daddr;
                ds++;
        }
        bf = txring->buf;
        ds->pPhysNext = LE_32(bf->bf_daddr);
}

/*
 * Setup a hardware data transmit queue for the specified
 * access control.  We record the mapping from ac's
 * to h/w queues for use by mwl_tx_start.
 */
static int
mwl_tx_setup(struct mwl_softc *sc, int ac, int mvtype)
{
#define N(a)    (sizeof (a)/sizeof (a[0]))
        struct mwl_tx_ring *txring;

        if (ac >= N(sc->sc_ac2q)) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_tx_setup(): "
                    "AC %u out of range, max %u!\n",
                    ac, (uint_t)N(sc->sc_ac2q));
                return (0);
        }
        if (mvtype >= MWL_NUM_TX_QUEUES) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_tx_setup(): "
                    "mvtype %u out of range, max %u!\n",
                    mvtype, MWL_NUM_TX_QUEUES);
                return (0);
        }
        txring = &sc->sc_txring[mvtype];
        mwl_txq_init(sc, txring, mvtype);
        sc->sc_ac2q[ac] = txring;
        return (1);
#undef N
}

static int
mwl_setup_txq(struct mwl_softc *sc)
{
        int err = 0;

        /* NB: insure BK queue is the lowest priority h/w queue */
        if (!mwl_tx_setup(sc, WME_AC_BK, MWL_WME_AC_BK)) {
                MWL_DBG(MWL_DBG_DMA, "mwl: mwl_setup_txq(): "
                    "unable to setup xmit queue for %s traffic!\n",
                    mwl_wme_acnames[WME_AC_BK]);
                err = EIO;
                return (err);
        }
        if (!mwl_tx_setup(sc, WME_AC_BE, MWL_WME_AC_BE) ||
            !mwl_tx_setup(sc, WME_AC_VI, MWL_WME_AC_VI) ||
            !mwl_tx_setup(sc, WME_AC_VO, MWL_WME_AC_VO)) {
                /*
                 * Not enough hardware tx queues to properly do WME;
                 * just punt and assign them all to the same h/w queue.
                 * We could do a better job of this if, for example,
                 * we allocate queues when we switch from station to
                 * AP mode.
                 */
                sc->sc_ac2q[WME_AC_BE] = sc->sc_ac2q[WME_AC_BK];
                sc->sc_ac2q[WME_AC_VI] = sc->sc_ac2q[WME_AC_BK];
                sc->sc_ac2q[WME_AC_VO] = sc->sc_ac2q[WME_AC_BK];
        }

        return (err);
}

/*
 * find mwl firmware module's "_start" "_end" symbols
 * and get its size.
 */
static int
mwl_loadsym(ddi_modhandle_t modp, char *sym, char **start, size_t *len)
{
        char start_sym[64];
        char end_sym[64];
        char *p, *end;
        int rv;
        size_t n;

        (void) snprintf(start_sym, sizeof (start_sym), "%s_start", sym);
        (void) snprintf(end_sym, sizeof (end_sym), "%s_end", sym);

        p = (char *)ddi_modsym(modp, start_sym, &rv);
        if (p == NULL || rv != 0) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadsym(): "
                    "mod %s: symbol %s not found\n", sym, start_sym);
                return (-1);
        }

        end = (char *)ddi_modsym(modp, end_sym, &rv);
        if (end == NULL || rv != 0) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadsym(): "
                    "mod %s: symbol %s not found\n", sym, end_sym);
                return (-1);
        }

        n = _PTRDIFF(end, p);
        *start = p;
        *len = n;

        return (0);
}

static void
mwlFwReset(struct mwl_softc *sc)
{
        if (mwl_ctl_read4(sc,  MACREG_REG_INT_CODE) == 0xffffffff) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwlFWReset(): "
                    "device not present!\n");
                return;
        }

        mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS, ISR_RESET);
        sc->sc_hw_flags &= ~MHF_FWHANG;
}

static void
mwlPokeSdramController(struct mwl_softc *sc, int SDRAMSIZE_Addr)
{
        /* Set up sdram controller for superflyv2 */
        mwl_ctl_write4(sc, 0x00006014, 0x33);
        mwl_ctl_write4(sc, 0x00006018, 0xa3a2632);
        mwl_ctl_write4(sc, 0x00006010, SDRAMSIZE_Addr);
}

static void
mwlTriggerPciCmd(struct mwl_softc *sc)
{
        (void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
            0,
            sc->sc_cmd_dma.alength,
            DDI_DMA_SYNC_FORDEV);

        mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, sc->sc_cmd_dmaaddr);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);

        mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0x00);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);

        mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
            MACREG_H2ARIC_BIT_DOOR_BELL);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
}

static int
mwlWaitFor(struct mwl_softc *sc, uint32_t val)
{
        int i;

        for (i = 0; i < FW_MAX_NUM_CHECKS; i++) {
                DELAY(FW_CHECK_USECS);
                if (mwl_ctl_read4(sc, MACREG_REG_INT_CODE) == val)
                        return (1);
        }
        return (0);
}

/*
 * Firmware block xmit when talking to the boot-rom.
 */
static int
mwlSendBlock(struct mwl_softc *sc, int bsize, const void *data, size_t dsize)
{
        sc->sc_cmd_mem[0] = LE_16(HostCmd_CMD_CODE_DNLD);
        sc->sc_cmd_mem[1] = LE_16(bsize);
        (void) memcpy(&sc->sc_cmd_mem[4], data, dsize);
        mwlTriggerPciCmd(sc);
        /* XXX 2000 vs 200 */
        if (mwlWaitFor(sc, MACREG_INT_CODE_CMD_FINISHED)) {
                mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
                return (1);
        }

        MWL_DBG(MWL_DBG_FW, "mwl: mwlSendBlock(): "
            "timeout waiting for CMD_FINISHED, INT_CODE 0x%x\n",
            mwl_ctl_read4(sc, MACREG_REG_INT_CODE));
        return (0);
}

/*
 * Firmware block xmit when talking to the 1st-stage loader.
 */
static int
mwlSendBlock2(struct mwl_softc *sc, const void *data, size_t dsize)
{
        (void) memcpy(&sc->sc_cmd_mem[0], data, dsize);
        mwlTriggerPciCmd(sc);
        if (mwlWaitFor(sc, MACREG_INT_CODE_CMD_FINISHED)) {
                mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
                return (1);
        }

        MWL_DBG(MWL_DBG_FW, "mwl: mwlSendBlock2(): "
            "timeout waiting for CMD_FINISHED, INT_CODE 0x%x\n",
            mwl_ctl_read4(sc, MACREG_REG_INT_CODE));
        return (0);
}

/* ARGSUSED */
static int
mwl_fwload(struct mwl_softc *sc, void *fwargs)
{
        char *fwname = "mwlfw";
        char *fwbootname = "mwlboot";
        char *fwbinname = "mw88W8363fw";
        char *fwboot_index, *fw_index;
        uint8_t *fw, *fwboot;
        ddi_modhandle_t modfw;
        /* XXX get from firmware header */
        uint32_t FwReadySignature = HostCmd_SOFTAP_FWRDY_SIGNATURE;
        uint32_t OpMode = HostCmd_SOFTAP_MODE;
        const uint8_t *fp, *ep;
        size_t fw_size, fwboot_size;
        uint32_t blocksize, nbytes;
        int i, rv, err, ntries;

        rv = err = 0;
        fw = fwboot = NULL;
        fw_index = fwboot_index = NULL;

        modfw = ddi_modopen(fwname, KRTLD_MODE_FIRST, &rv);
        if (modfw == NULL) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
                    "module %s not found\n", fwname);
                err = -1;
                goto bad2;
        }

        err = mwl_loadsym(modfw, fwbootname, &fwboot_index, &fwboot_size);
        if (err != 0) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
                    "could not get boot firmware\n");
                err = -1;
                goto bad2;
        }

        err = mwl_loadsym(modfw, fwbinname, &fw_index, &fw_size);
        if (err != 0) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
                    "could not get firmware\n");
                err = -1;
                goto bad2;
        }

        fwboot = (uint8_t *)kmem_alloc(fwboot_size, KM_SLEEP);
        if (fwboot == NULL) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadfirmware(): "
                    "failed to alloc boot firmware memory\n");
                err = -1;
                goto bad2;
        }
        (void) memcpy(fwboot, fwboot_index, fwboot_size);

        fw = (uint8_t *)kmem_alloc(fw_size, KM_SLEEP);
        if (fw == NULL) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_loadfirmware(): "
                    "failed to alloc firmware memory\n");
                err = -1;
                goto bad2;
        }
        (void) memcpy(fw, fw_index, fw_size);

        if (modfw != NULL)
                (void) ddi_modclose(modfw);

        if (fw_size < 4) {
                MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
                    "could not load firmware image %s\n",
                    fwname);
                err = ENXIO;
                goto bad2;
        }

        if (fw[0] == 0x01 && fw[1] == 0x00 &&
            fw[2] == 0x00 && fw[3] == 0x00) {
                /*
                 * 2-stage load, get the boot firmware.
                 */
                if (fwboot == NULL) {
                        MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
                            "could not load firmware image %s\n",
                            fwbootname);
                        err = ENXIO;
                        goto bad2;
                }
        } else
                fwboot = NULL;

        mwlFwReset(sc);

        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CLEAR_SEL,
            MACREG_A2HRIC_BIT_MASK);
        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE, 0x00);
        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, 0x00);
        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_STATUS_MASK,
            MACREG_A2HRIC_BIT_MASK);
        if (sc->sc_SDRAMSIZE_Addr != 0) {
                /* Set up sdram controller for superflyv2 */
                mwlPokeSdramController(sc, sc->sc_SDRAMSIZE_Addr);
        }

        MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
            "load %s firmware image (%u bytes)\n",
            fwname, (unsigned int)fw_size);

        if (fwboot != NULL) {
                /*
                 * Do 2-stage load.  The 1st stage loader is setup
                 * with the bootrom loader then we load the real
                 * image using a different handshake. With this
                 * mechanism the firmware is segmented into chunks
                 * that have a CRC.  If a chunk is incorrect we'll
                 * be told to retransmit.
                 */
                /* XXX assumes hlpimage fits in a block */
                /* NB: zero size block indicates download is finished */
                if (!mwlSendBlock(sc, fwboot_size, fwboot, fwboot_size) ||
                    !mwlSendBlock(sc, 0, NULL, 0)) {
                        err = ETIMEDOUT;
                        goto bad;
                }
                DELAY(200 * FW_CHECK_USECS);
                if (sc->sc_SDRAMSIZE_Addr != 0) {
                        /* Set up sdram controller for superflyv2 */
                        mwlPokeSdramController(sc, sc->sc_SDRAMSIZE_Addr);
                }
                nbytes = ntries = 0;            /* NB: silence compiler */
                for (fp = fw, ep = fp + fw_size; fp < ep; ) {
                        mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0);
                        blocksize = mwl_ctl_read4(sc, MACREG_REG_SCRATCH);
                        if (blocksize == 0)     /* download complete */
                                break;
                        if (blocksize > 0x00000c00) {
                                err = EINVAL;
                                goto bad;
                        }
                        if ((blocksize & 0x1) == 0) {
                                /* block successfully downloaded, advance */
                                fp += nbytes;
                                ntries = 0;
                        } else {
                                if (++ntries > 2) {
                                        /*
                                         * Guard against f/w telling us to
                                         * retry infinitely.
                                         */
                                        err = ELOOP;
                                        goto bad;
                                }
                                /* clear NAK bit/flag */
                                blocksize &= ~0x1;
                        }
                        if (blocksize > _PTRDIFF(ep, fp)) {
                                /* XXX this should not happen, what to do? */
                                blocksize = _PTRDIFF(ep, fp);
                        }
                        nbytes = blocksize;
                        if (!mwlSendBlock2(sc, fp, nbytes)) {
                                err = ETIMEDOUT;
                                goto bad;
                        }
                }
        } else {
                for (fp = fw, ep = fp + fw_size; fp < ep; ) {
                        nbytes = _PTRDIFF(ep, fp);
                        if (nbytes > FW_DOWNLOAD_BLOCK_SIZE)
                                nbytes = FW_DOWNLOAD_BLOCK_SIZE;
                        if (!mwlSendBlock(sc, FW_DOWNLOAD_BLOCK_SIZE, fp,
                            nbytes)) {
                                err = EIO;
                                goto bad;
                        }
                        fp += nbytes;
                }
        }

        /*
         * Wait for firmware to startup; we monitor the
         * INT_CODE register waiting for a signature to
         * written back indicating it's ready to go.
         */
        sc->sc_cmd_mem[1] = 0;
        /*
         * XXX WAR for mfg fw download
         */
        if (OpMode != HostCmd_STA_MODE)
                mwlTriggerPciCmd(sc);
        for (i = 0; i < FW_MAX_NUM_CHECKS; i++) {
                mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, OpMode);
                DELAY(FW_CHECK_USECS);
                if (mwl_ctl_read4(sc, MACREG_REG_INT_CODE) ==
                    FwReadySignature) {
                        mwl_ctl_write4(sc, MACREG_REG_INT_CODE, 0x00);
                        return (mwlResetHalState(sc));
                }
        }
        MWL_DBG(MWL_DBG_FW, "mwl: mwl_fwload(): "
            "firmware download timeout\n");
        return (ETIMEDOUT);
bad:
        mwlFwReset(sc);
bad2:
        if (fw != NULL)
                kmem_free(fw, fw_size);
        if (fwboot != NULL)
                kmem_free(fwboot, fwboot_size);
        fwboot = fw = NULL;
        fwboot_index = fw_index = NULL;
        if (modfw != NULL)
                (void) ddi_modclose(modfw);
        return (err);
}

/*
 * Low level firmware cmd block handshake support.
 */
static void
mwlSendCmd(struct mwl_softc *sc)
{
        (void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
            0,
            sc->sc_cmd_dma.alength,
            DDI_DMA_SYNC_FORDEV);

        mwl_ctl_write4(sc, MACREG_REG_GEN_PTR, sc->sc_cmd_dmaaddr);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);

        mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
            MACREG_H2ARIC_BIT_DOOR_BELL);
}

static int
mwlExecuteCmd(struct mwl_softc *sc, unsigned short cmd)
{
        if (mwl_ctl_read4(sc,  MACREG_REG_INT_CODE) == 0xffffffff) {
                MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
                    "device not present!\n");
                return (EIO);
        }
        mwlSendCmd(sc);
        if (!mwlWaitForCmdComplete(sc, 0x8000 | cmd)) {
                MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
                    "timeout waiting for f/w cmd %s\n", mwlcmdname(cmd));
                return (ETIMEDOUT);
        }
        (void) ddi_dma_sync(sc->sc_cmd_dma.dma_hdl,
            0,
            sc->sc_cmd_dma.alength,
            DDI_DMA_SYNC_FORDEV);

        MWL_DBG(MWL_DBG_CMD, "mwl: mwlExecuteCmd(): "
            "send cmd %s\n", mwlcmdname(cmd));

        if (mwl_dbg_flags & MWL_DBG_CMD)
                dumpresult(sc, 1);

        return (0);
}

static int
mwlWaitForCmdComplete(struct mwl_softc *sc, uint16_t cmdCode)
{
#define MAX_WAIT_FW_COMPLETE_ITERATIONS 10000
        int i;

        for (i = 0; i < MAX_WAIT_FW_COMPLETE_ITERATIONS; i++) {
                if (sc->sc_cmd_mem[0] == LE_16(cmdCode))
                        return (1);
                DELAY(1 * 1000);
        }
        return (0);
#undef MAX_WAIT_FW_COMPLETE_ITERATIONS
}

#ifdef DEBUG
static const char *
mwlcmdname(int cmd)
{
        static char buf[12];
#define CMD(x)  case HostCmd_CMD_##x: return #x
        switch (cmd) {
        CMD(CODE_DNLD);
        CMD(GET_HW_SPEC);
        CMD(SET_HW_SPEC);
        CMD(MAC_MULTICAST_ADR);
        CMD(802_11_GET_STAT);
        CMD(MAC_REG_ACCESS);
        CMD(BBP_REG_ACCESS);
        CMD(RF_REG_ACCESS);
        CMD(802_11_RADIO_CONTROL);
        CMD(802_11_RF_TX_POWER);
        CMD(802_11_RF_ANTENNA);
        CMD(SET_BEACON);
        CMD(SET_RF_CHANNEL);
        CMD(SET_AID);
        CMD(SET_INFRA_MODE);
        CMD(SET_G_PROTECT_FLAG);
        CMD(802_11_RTS_THSD);
        CMD(802_11_SET_SLOT);
        CMD(SET_EDCA_PARAMS);
        CMD(802_11H_DETECT_RADAR);
        CMD(SET_WMM_MODE);
        CMD(HT_GUARD_INTERVAL);
        CMD(SET_FIXED_RATE);
        CMD(SET_LINKADAPT_CS_MODE);
        CMD(SET_MAC_ADDR);
        CMD(SET_RATE_ADAPT_MODE);
        CMD(BSS_START);
        CMD(SET_NEW_STN);
        CMD(SET_KEEP_ALIVE);
        CMD(SET_APMODE);
        CMD(SET_SWITCH_CHANNEL);
        CMD(UPDATE_ENCRYPTION);
        CMD(BASTREAM);
        CMD(SET_RIFS);
        CMD(SET_N_PROTECT_FLAG);
        CMD(SET_N_PROTECT_OPMODE);
        CMD(SET_OPTIMIZATION_LEVEL);
        CMD(GET_CALTABLE);
        CMD(SET_MIMOPSHT);
        CMD(GET_BEACON);
        CMD(SET_REGION_CODE);
        CMD(SET_POWERSAVESTATION);
        CMD(SET_TIM);
        CMD(GET_TIM);
        CMD(GET_SEQNO);
        CMD(DWDS_ENABLE);
        CMD(AMPDU_RETRY_RATEDROP_MODE);
        CMD(CFEND_ENABLE);
        }
        (void) snprintf(buf, sizeof (buf), "0x%x", cmd);
        return (buf);
#undef CMD
}
#endif /* DEBUG */

static void
dumpresult(struct mwl_softc *sc, int showresult)
{
        const FWCmdHdr *h = (const FWCmdHdr *)sc->sc_cmd_mem;
        int len;

        len = LE_16(h->Length);
#ifdef MWL_MBSS_SUPPORT
        MWL_DBG(MWL_DBG_CMD, "mwl: mwl_dumpresult(): "
            "Cmd %s Length %d SeqNum %d MacId %d",
            mwlcmdname(LE_16(h->Cmd) & ~0x8000), len, h->SeqNum, h->MacId);
#else
        MWL_DBG(MWL_DBG_CMD, "mwl: mwl_dumpresult(): "
            "Cmd %s Length %d SeqNum %d",
            mwlcmdname(LE_16(h->Cmd) & ~0x8000), len, LE_16(h->SeqNum));
#endif
        if (showresult) {
                const char *results[] =
                    { "OK", "ERROR", "NOT_SUPPORT", "PENDING", "BUSY",
                    "PARTIAL_DATA" };
                int result = LE_16(h->Result);

                if (result <= HostCmd_RESULT_PARTIAL_DATA)
                        MWL_DBG(MWL_DBG_CMD, "mwl: dumpresult(): "
                            "Result %s", results[result]);
                else
                        MWL_DBG(MWL_DBG_CMD, "mwl: dumpresult(): "
                            "Result %d", result);
        }
}

static int
mwlGetCalTable(struct mwl_softc *sc, uint8_t annex, uint8_t index)
{
        HostCmd_FW_GET_CALTABLE *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_FW_GET_CALTABLE, HostCmd_CMD_GET_CALTABLE);
        pCmd->annex = annex;
        pCmd->index = index;
        (void) memset(pCmd->calTbl, 0, sizeof (pCmd->calTbl));

        retval = mwlExecuteCmd(sc, HostCmd_CMD_GET_CALTABLE);
        if (retval == 0 &&
            pCmd->calTbl[0] != annex && annex != 0 && annex != 255)
                retval = EIO;
        return (retval);
}

/*
 * Construct channel info for 2.4GHz channels from cal data.
 */
static void
get2Ghz(MWL_HAL_CHANNELINFO *ci, const uint8_t table[], int len)
{
        int i, j;

        j = 0;
        for (i = 0; i < len; i += 4) {
                struct mwl_hal_channel *hc = &ci->channels[j];
                hc->ieee = 1+j;
                hc->freq = ieee2mhz(1+j);
                (void) memcpy(hc->targetPowers, &table[i], 4);
                setmaxtxpow(hc, 0, 4);
                j++;
        }
        ci->nchannels = j;
        ci->freqLow = ieee2mhz(1);
        ci->freqHigh = ieee2mhz(j);
}

/*
 * Construct channel info for 5GHz channels from cal data.
 */
static void
get5Ghz(MWL_HAL_CHANNELINFO *ci, const uint8_t table[], int len)
{
        int i, j, f, l, h;

        l = 32000;
        h = 0;
        j = 0;
        for (i = 0; i < len; i += 4) {
                struct mwl_hal_channel *hc;

                if (table[i] == 0)
                        continue;
                f = 5000 + 5*table[i];
                if (f < l)
                        l = f;
                if (f > h)
                        h = f;
                hc = &ci->channels[j];
                hc->freq = (uint16_t)f;
                hc->ieee = table[i];
                (void) memcpy(hc->targetPowers, &table[i], 4);
                setmaxtxpow(hc, 1, 4);  /* NB: col 1 is the freq, skip */
                j++;
        }
        ci->nchannels = j;
        ci->freqLow = (uint16_t)((l == 32000) ? 0 : l);
        ci->freqHigh = (uint16_t)h;
}

/*
 * Calculate the max tx power from the channel's cal data.
 */
static void
setmaxtxpow(struct mwl_hal_channel *hc, int i, int maxix)
{
        hc->maxTxPow = hc->targetPowers[i];
        for (i++; i < maxix; i++)
                if (hc->targetPowers[i] > hc->maxTxPow)
                        hc->maxTxPow = hc->targetPowers[i];
}

static uint16_t
ieee2mhz(int chan)
{
        if (chan == 14)
                return (2484);
        if (chan < 14)
                return (2407 + chan * 5);
        return (2512 + (chan - 15) * 20);
}

static void
dumpcaldata(const char *name, const uint8_t *table, int n)
{
        int i;
        MWL_DBG(MWL_DBG_HW, "\n%s:\n", name);
        for (i = 0; i < n; i += 4)
                MWL_DBG(MWL_DBG_HW, "[%2d] %3d %3d %3d %3d\n",
                    i/4, table[i+0], table[i+1], table[i+2], table[i+3]);
}

static int
mwlGetPwrCalTable(struct mwl_softc *sc)
{
        const uint8_t *data;
        MWL_HAL_CHANNELINFO *ci;
        int len;

        /* NB: we hold the lock so it's ok to use cmdbuf */
        data = ((const HostCmd_FW_GET_CALTABLE *) sc->sc_cmd_mem)->calTbl;
        if (mwlGetCalTable(sc, 33, 0) == 0) {
                len = (data[2] | (data[3] << 8)) - 12;
                if (len > PWTAGETRATETABLE20M)
                        len = PWTAGETRATETABLE20M;
                dumpcaldata("2.4G 20M", &data[12], len);
                get2Ghz(&sc->sc_20M, &data[12], len);
        }
        if (mwlGetCalTable(sc, 34, 0) == 0) {
                len = (data[2] | (data[3] << 8)) - 12;
                if (len > PWTAGETRATETABLE40M)
                        len = PWTAGETRATETABLE40M;
                dumpcaldata("2.4G 40M", &data[12], len);
                ci = &sc->sc_40M;
                get2Ghz(ci, &data[12], len);
        }
        if (mwlGetCalTable(sc, 35, 0) == 0) {
                len = (data[2] | (data[3] << 8)) - 20;
                if (len > PWTAGETRATETABLE20M_5G)
                        len = PWTAGETRATETABLE20M_5G;
                dumpcaldata("5G 20M", &data[20], len);
                get5Ghz(&sc->sc_20M_5G, &data[20], len);
        }
        if (mwlGetCalTable(sc, 36, 0) == 0) {
                len = (data[2] | (data[3] << 8)) - 20;
                if (len > PWTAGETRATETABLE40M_5G)
                        len = PWTAGETRATETABLE40M_5G;
                dumpcaldata("5G 40M", &data[20], len);
                ci = &sc->sc_40M_5G;
                get5Ghz(ci, &data[20], len);
        }
        sc->sc_hw_flags |= MHF_CALDATA;
        return (0);
}

/*
 * Reset internal state after a firmware download.
 */
static int
mwlResetHalState(struct mwl_softc *sc)
{
        int err = 0;

        /*
         * Fetch cal data for later use.
         * XXX may want to fetch other stuff too.
         */
        /* XXX check return */
        if ((sc->sc_hw_flags & MHF_CALDATA) == 0)
                err = mwlGetPwrCalTable(sc);
        return (err);
}

#define IEEE80211_CHAN_HTG      (IEEE80211_CHAN_HT|IEEE80211_CHAN_G)
#define IEEE80211_CHAN_HTA      (IEEE80211_CHAN_HT|IEEE80211_CHAN_A)

static void
addchan(struct mwl_channel *c, int freq, int flags, int ieee, int txpow)
{
        c->ic_freq = (uint16_t)freq;
        c->ic_flags = flags;
        c->ic_ieee = (uint8_t)ieee;
        c->ic_minpower = 0;
        c->ic_maxpower = 2*txpow;
        c->ic_maxregpower = (uint8_t)txpow;
}

static const struct mwl_channel *
findchannel(const struct mwl_channel chans[], int nchans,
    int freq, int flags)
{
        const struct mwl_channel *c;
        int i;

        for (i = 0; i < nchans; i++) {
                c = &chans[i];
                if (c->ic_freq == freq && c->ic_flags == flags)
                        return (c);
        }
        return (NULL);
}

static void
addht40channels(struct mwl_channel chans[], int maxchans, int *nchans,
    const MWL_HAL_CHANNELINFO *ci, int flags)
{
        struct mwl_channel *c;
        const struct mwl_channel *extc;
        const struct mwl_hal_channel *hc;
        int i;

        c = &chans[*nchans];

        flags &= ~IEEE80211_CHAN_HT;
        for (i = 0; i < ci->nchannels; i++) {
                /*
                 * Each entry defines an HT40 channel pair; find the
                 * extension channel above and the insert the pair.
                 */
                hc = &ci->channels[i];
                extc = findchannel(chans, *nchans, hc->freq+20,
                    flags | IEEE80211_CHAN_HT20);
                if (extc != NULL) {
                        if (*nchans >= maxchans)
                                break;
                        addchan(c, hc->freq, flags | IEEE80211_CHAN_HT40U,
                            hc->ieee, hc->maxTxPow);
                        c->ic_extieee = extc->ic_ieee;
                        c++, (*nchans)++;
                        if (*nchans >= maxchans)
                                break;
                        addchan(c, extc->ic_freq, flags | IEEE80211_CHAN_HT40D,
                            extc->ic_ieee, hc->maxTxPow);
                        c->ic_extieee = hc->ieee;
                        c++, (*nchans)++;
                }
        }
}

static void
addchannels(struct mwl_channel chans[], int maxchans, int *nchans,
    const MWL_HAL_CHANNELINFO *ci, int flags)
{
        struct mwl_channel *c;
        int i;

        c = &chans[*nchans];

        for (i = 0; i < ci->nchannels; i++) {
                const struct mwl_hal_channel *hc;

                hc = &ci->channels[i];
                if (*nchans >= maxchans)
                        break;
                addchan(c, hc->freq, flags, hc->ieee, hc->maxTxPow);
                c++, (*nchans)++;

                if (flags == IEEE80211_CHAN_G || flags == IEEE80211_CHAN_HTG) {
                        /* g channel have a separate b-only entry */
                        if (*nchans >= maxchans)
                                break;
                        c[0] = c[-1];
                        c[-1].ic_flags = IEEE80211_CHAN_B;
                        c++, (*nchans)++;
                }
                if (flags == IEEE80211_CHAN_HTG) {
                        /* HT g channel have a separate g-only entry */
                        if (*nchans >= maxchans)
                                break;
                        c[-1].ic_flags = IEEE80211_CHAN_G;
                        c[0] = c[-1];
                        c[0].ic_flags &= ~IEEE80211_CHAN_HT;
                        c[0].ic_flags |= IEEE80211_CHAN_HT20;   /* HT20 */
                        c++, (*nchans)++;
                }
                if (flags == IEEE80211_CHAN_HTA) {
                        /* HT a channel have a separate a-only entry */
                        if (*nchans >= maxchans)
                                break;
                        c[-1].ic_flags = IEEE80211_CHAN_A;
                        c[0] = c[-1];
                        c[0].ic_flags &= ~IEEE80211_CHAN_HT;
                        c[0].ic_flags |= IEEE80211_CHAN_HT20;   /* HT20 */
                        c++, (*nchans)++;
                }
        }
}

static int
mwl_hal_getchannelinfo(struct mwl_softc *sc, int band, int chw,
    const MWL_HAL_CHANNELINFO **ci)
{
        switch (band) {
        case MWL_FREQ_BAND_2DOT4GHZ:
                *ci = (chw == MWL_CH_20_MHz_WIDTH) ? &sc->sc_20M : &sc->sc_40M;
                break;
        case MWL_FREQ_BAND_5GHZ:
                *ci = (chw == MWL_CH_20_MHz_WIDTH) ?
                    &sc->sc_20M_5G : &sc->sc_40M_5G;
                break;
        default:
                return (EINVAL);
        }
        return (((*ci)->freqLow == (*ci)->freqHigh) ? EINVAL : 0);
}

static void
getchannels(struct mwl_softc *sc, int maxchans, int *nchans,
    struct mwl_channel chans[])
{
        const MWL_HAL_CHANNELINFO *ci;

        /*
         * Use the channel info from the hal to craft the
         * channel list.  Note that we pass back an unsorted
         * list; the caller is required to sort it for us
         * (if desired).
         */
        *nchans = 0;
        if (mwl_hal_getchannelinfo(sc,
            MWL_FREQ_BAND_2DOT4GHZ, MWL_CH_20_MHz_WIDTH, &ci) == 0)
                addchannels(chans, maxchans, nchans, ci, IEEE80211_CHAN_HTG);
        if (mwl_hal_getchannelinfo(sc,
            MWL_FREQ_BAND_5GHZ, MWL_CH_20_MHz_WIDTH, &ci) == 0)
                addchannels(chans, maxchans, nchans, ci, IEEE80211_CHAN_HTA);
        if (mwl_hal_getchannelinfo(sc,
            MWL_FREQ_BAND_2DOT4GHZ, MWL_CH_40_MHz_WIDTH, &ci) == 0)
                addht40channels(chans, maxchans, nchans, ci,
                    IEEE80211_CHAN_HTG);
        if (mwl_hal_getchannelinfo(sc,
            MWL_FREQ_BAND_5GHZ, MWL_CH_40_MHz_WIDTH, &ci) == 0)
                addht40channels(chans, maxchans, nchans, ci,
                    IEEE80211_CHAN_HTA);
}

static int
mwl_getchannels(struct mwl_softc *sc)
{
        /*
         * Use the channel info from the hal to craft the
         * channel list for net80211.  Note that we pass up
         * an unsorted list; net80211 will sort it for us.
         */
        (void) memset(sc->sc_channels, 0, sizeof (sc->sc_channels));
        sc->sc_nchans = 0;
        getchannels(sc, IEEE80211_CHAN_MAX, &sc->sc_nchans, sc->sc_channels);

        sc->sc_regdomain.regdomain = SKU_DEBUG;
        sc->sc_regdomain.country = CTRY_DEFAULT;
        sc->sc_regdomain.location = 'I';
        sc->sc_regdomain.isocc[0] = ' ';        /* XXX? */
        sc->sc_regdomain.isocc[1] = ' ';
        return (sc->sc_nchans == 0 ? EIO : 0);
}

#undef IEEE80211_CHAN_HTA
#undef IEEE80211_CHAN_HTG

/*
 * Return "hw specs".  Note this must be the first
 * cmd MUST be done after a firmware download or the
 * f/w will lockup.
 * XXX move into the hal so driver doesn't need to be responsible
 */
static int
mwl_gethwspecs(struct mwl_softc *sc)
{
        struct mwl_hal_hwspec *hw;
        HostCmd_DS_GET_HW_SPEC *pCmd;
        int retval;

        hw = &sc->sc_hwspecs;
        _CMD_SETUP(pCmd, HostCmd_DS_GET_HW_SPEC, HostCmd_CMD_GET_HW_SPEC);
        (void) memset(&pCmd->PermanentAddr[0], 0xff, IEEE80211_ADDR_LEN);
        pCmd->ulFwAwakeCookie = LE_32((unsigned int)sc->sc_cmd_dmaaddr + 2048);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_GET_HW_SPEC);
        if (retval == 0) {
                IEEE80211_ADDR_COPY(hw->macAddr, pCmd->PermanentAddr);
                hw->wcbBase[0] = LE_32(pCmd->WcbBase0) & 0x0000ffff;
                hw->wcbBase[1] = LE_32(pCmd->WcbBase1[0]) & 0x0000ffff;
                hw->wcbBase[2] = LE_32(pCmd->WcbBase1[1]) & 0x0000ffff;
                hw->wcbBase[3] = LE_32(pCmd->WcbBase1[2]) & 0x0000ffff;
                hw->rxDescRead = LE_32(pCmd->RxPdRdPtr)& 0x0000ffff;
                hw->rxDescWrite = LE_32(pCmd->RxPdWrPtr)& 0x0000ffff;
                hw->regionCode = LE_16(pCmd->RegionCode) & 0x00ff;
                hw->fwReleaseNumber = LE_32(pCmd->FWReleaseNumber);
                hw->maxNumWCB = LE_16(pCmd->NumOfWCB);
                hw->maxNumMCAddr = LE_16(pCmd->NumOfMCastAddr);
                hw->numAntennas = LE_16(pCmd->NumberOfAntenna);
                hw->hwVersion = pCmd->Version;
                hw->hostInterface = pCmd->HostIf;

                sc->sc_revs.mh_macRev = hw->hwVersion;          /* XXX */
                sc->sc_revs.mh_phyRev = hw->hostInterface;      /* XXX */
        }

        return (retval);
}

static int
mwl_hal_setmac_locked(struct mwl_softc *sc,
    const uint8_t addr[IEEE80211_ADDR_LEN])
{
        HostCmd_DS_SET_MAC *pCmd;

        _VCMD_SETUP(pCmd, HostCmd_DS_SET_MAC, HostCmd_CMD_SET_MAC_ADDR);
        IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], addr);
#ifdef MWL_MBSS_SUPPORT
        /* NB: already byte swapped */
        pCmd->MacType = WL_MAC_TYPE_PRIMARY_CLIENT;
#endif
        return (mwlExecuteCmd(sc, HostCmd_CMD_SET_MAC_ADDR));
}

static void
cvtPeerInfo(PeerInfo_t *to, const MWL_HAL_PEERINFO *from)
{
        to->LegacyRateBitMap = LE_32(from->LegacyRateBitMap);
        to->HTRateBitMap = LE_32(from->HTRateBitMap);
        to->CapInfo = LE_16(from->CapInfo);
        to->HTCapabilitiesInfo = LE_16(from->HTCapabilitiesInfo);
        to->MacHTParamInfo = from->MacHTParamInfo;
        to->AddHtInfo.ControlChan = from->AddHtInfo.ControlChan;
        to->AddHtInfo.AddChan = from->AddHtInfo.AddChan;
        to->AddHtInfo.OpMode = LE_16(from->AddHtInfo.OpMode);
        to->AddHtInfo.stbc = LE_16(from->AddHtInfo.stbc);
}

/* XXX station id must be in [0..63] */
static int
mwl_hal_newstation(struct mwl_softc *sc,
    const uint8_t addr[IEEE80211_ADDR_LEN], uint16_t aid, uint16_t sid,
    const MWL_HAL_PEERINFO *peer, int isQosSta, int wmeInfo)
{
        HostCmd_FW_SET_NEW_STN *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_FW_SET_NEW_STN, HostCmd_CMD_SET_NEW_STN);
        pCmd->AID = LE_16(aid);
        pCmd->StnId = LE_16(sid);
        pCmd->Action = LE_16(0);        /* SET */
        if (peer != NULL) {
                /* NB: must fix up byte order */
                cvtPeerInfo(&pCmd->PeerInfo, peer);
        }
        IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], addr);
        pCmd->Qosinfo = (uint8_t)wmeInfo;
        pCmd->isQosSta = (isQosSta != 0);

        MWL_DBG(MWL_DBG_HW, "mwl: mwl_hal_newstation(): "
            "LegacyRateBitMap %x, CapInfo %x\n",
            pCmd->PeerInfo.LegacyRateBitMap, pCmd->PeerInfo.CapInfo);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_NEW_STN);
        return (retval);
}

/*
 * Configure antenna use.
 * Takes effect immediately.
 * XXX tx antenna setting ignored
 * XXX rx antenna setting should always be 3 (for now)
 */
static int
mwl_hal_setantenna(struct mwl_softc *sc, MWL_HAL_ANTENNA dirSet, int ant)
{
        HostCmd_DS_802_11_RF_ANTENNA *pCmd;
        int retval;

        if (!(dirSet == WL_ANTENNATYPE_RX || dirSet == WL_ANTENNATYPE_TX))
                return (EINVAL);

        _CMD_SETUP(pCmd, HostCmd_DS_802_11_RF_ANTENNA,
            HostCmd_CMD_802_11_RF_ANTENNA);
        pCmd->Action = LE_16(dirSet);
        if (ant == 0)                   /* default to all/both antennae */
                ant = 3;
        pCmd->AntennaMode = LE_16(ant);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RF_ANTENNA);
        return (retval);
}

/*
 * Configure radio.
 * Takes effect immediately.
 * XXX preamble installed after set fixed rate cmd
 */
static int
mwl_hal_setradio(struct mwl_softc *sc, int onoff, MWL_HAL_PREAMBLE preamble)
{
        HostCmd_DS_802_11_RADIO_CONTROL *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_DS_802_11_RADIO_CONTROL,
            HostCmd_CMD_802_11_RADIO_CONTROL);
        pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
        if (onoff == 0)
                pCmd->Control = 0;
        else
                pCmd->Control = LE_16(preamble);
        pCmd->RadioOn = LE_16(onoff);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RADIO_CONTROL);
        return (retval);
}

static int
mwl_hal_setwmm(struct mwl_softc *sc, int onoff)
{
        HostCmd_FW_SetWMMMode *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_FW_SetWMMMode,
            HostCmd_CMD_SET_WMM_MODE);
        pCmd->Action = LE_16(onoff);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_WMM_MODE);
        return (retval);
}

/*
 * Convert public channel flags definition to a
 * value suitable for feeding to the firmware.
 * Note this includes byte swapping.
 */
static uint32_t
cvtChannelFlags(const MWL_HAL_CHANNEL *chan)
{
        uint32_t w;

        /*
         * NB: f/w only understands FREQ_BAND_5GHZ, supplying the more
         * precise band info causes it to lockup (sometimes).
         */
        w = (chan->channelFlags.FreqBand == MWL_FREQ_BAND_2DOT4GHZ) ?
            FREQ_BAND_2DOT4GHZ : FREQ_BAND_5GHZ;
        switch (chan->channelFlags.ChnlWidth) {
        case MWL_CH_10_MHz_WIDTH:
                w |= CH_10_MHz_WIDTH;
                break;
        case MWL_CH_20_MHz_WIDTH:
                w |= CH_20_MHz_WIDTH;
                break;
        case MWL_CH_40_MHz_WIDTH:
        default:
                w |= CH_40_MHz_WIDTH;
                break;
        }
        switch (chan->channelFlags.ExtChnlOffset) {
        case MWL_EXT_CH_NONE:
                w |= EXT_CH_NONE;
                break;
        case MWL_EXT_CH_ABOVE_CTRL_CH:
                w |= EXT_CH_ABOVE_CTRL_CH;
                break;
        case MWL_EXT_CH_BELOW_CTRL_CH:
                w |= EXT_CH_BELOW_CTRL_CH;
                break;
        }
        return (LE_32(w));
}

static int
mwl_hal_setchannel(struct mwl_softc *sc, const MWL_HAL_CHANNEL *chan)
{
        HostCmd_FW_SET_RF_CHANNEL *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_FW_SET_RF_CHANNEL, HostCmd_CMD_SET_RF_CHANNEL);
        pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
        pCmd->CurrentChannel = chan->channel;
        pCmd->ChannelFlags = cvtChannelFlags(chan);     /* NB: byte-swapped */

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_RF_CHANNEL);
        return (retval);
}

static int
mwl_hal_settxpower(struct mwl_softc *sc,
    const MWL_HAL_CHANNEL *c, uint8_t maxtxpow)
{
        HostCmd_DS_802_11_RF_TX_POWER *pCmd;
        const struct mwl_hal_channel *hc;
        int i = 0, retval;

        hc = findhalchannel(sc, c);
        if (hc == NULL) {
                /* XXX temp while testing */
                MWL_DBG(MWL_DBG_HW, "mwl: mwl_hal_settxpower(): "
                    "no cal data for channel %u band %u width %u ext %u\n",
                    c->channel, c->channelFlags.FreqBand,
                    c->channelFlags.ChnlWidth, c->channelFlags.ExtChnlOffset);
                return (EINVAL);
        }

        _CMD_SETUP(pCmd, HostCmd_DS_802_11_RF_TX_POWER,
            HostCmd_CMD_802_11_RF_TX_POWER);
        pCmd->Action = LE_16(HostCmd_ACT_GEN_SET_LIST);
        /* NB: 5Ghz cal data have the channel # in [0]; don't truncate */
        if (c->channelFlags.FreqBand == MWL_FREQ_BAND_5GHZ)
                pCmd->PowerLevelList[i++] = LE_16(hc->targetPowers[0]);
        for (; i < 4; i++) {
                uint16_t pow = hc->targetPowers[i];
                if (pow > maxtxpow)
                        pow = maxtxpow;
                pCmd->PowerLevelList[i] = LE_16(pow);
        }
        retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RF_TX_POWER);
        return (retval);
}

#define RATEVAL(r)      ((r) &~ RATE_MCS)
#define RATETYPE(r)     (((r) & RATE_MCS) ? HT_RATE_TYPE : LEGACY_RATE_TYPE)

static int
mwl_hal_settxrate(struct mwl_softc *sc, MWL_HAL_TXRATE_HANDLING handling,
    const MWL_HAL_TXRATE *rate)
{
        HostCmd_FW_USE_FIXED_RATE *pCmd;
        FIXED_RATE_ENTRY *fp;
        int retval, i, n;

        _VCMD_SETUP(pCmd, HostCmd_FW_USE_FIXED_RATE,
            HostCmd_CMD_SET_FIXED_RATE);

        pCmd->MulticastRate = RATEVAL(rate->McastRate);
        pCmd->MultiRateTxType = RATETYPE(rate->McastRate);
        /* NB: no rate type field */
        pCmd->ManagementRate = RATEVAL(rate->MgtRate);
        (void) memset(pCmd->FixedRateTable, 0, sizeof (pCmd->FixedRateTable));
        if (handling == RATE_FIXED) {
                pCmd->Action = LE_32(HostCmd_ACT_GEN_SET);
                pCmd->AllowRateDrop = LE_32(FIXED_RATE_WITHOUT_AUTORATE_DROP);
                fp = pCmd->FixedRateTable;
                fp->FixedRate =
                    LE_32(RATEVAL(rate->RateSeries[0].Rate));
                fp->FixRateTypeFlags.FixRateType =
                    LE_32(RATETYPE(rate->RateSeries[0].Rate));
                pCmd->EntryCount = LE_32(1);
        } else if (handling == RATE_FIXED_DROP) {
                pCmd->Action = LE_32(HostCmd_ACT_GEN_SET);
                pCmd->AllowRateDrop = LE_32(FIXED_RATE_WITH_AUTO_RATE_DROP);
                n = 0;
                fp = pCmd->FixedRateTable;
                for (i = 0; i < 4; i++) {
                        if (rate->RateSeries[0].TryCount == 0)
                                break;
                        fp->FixRateTypeFlags.FixRateType =
                            LE_32(RATETYPE(rate->RateSeries[i].Rate));
                        fp->FixedRate =
                            LE_32(RATEVAL(rate->RateSeries[i].Rate));
                        fp->FixRateTypeFlags.RetryCountValid =
                            LE_32(RETRY_COUNT_VALID);
                        fp->RetryCount =
                            LE_32(rate->RateSeries[i].TryCount-1);
                        n++;
                }
                pCmd->EntryCount = LE_32(n);
        } else
                pCmd->Action = LE_32(HostCmd_ACT_NOT_USE_FIXED_RATE);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_FIXED_RATE);
        return (retval);
}

static int
mwl_hal_settxrate_auto(struct mwl_softc *sc, const MWL_HAL_TXRATE *rate)
{
        HostCmd_FW_USE_FIXED_RATE *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_FW_USE_FIXED_RATE,
            HostCmd_CMD_SET_FIXED_RATE);

        pCmd->MulticastRate = RATEVAL(rate->McastRate);
        pCmd->MultiRateTxType = RATETYPE(rate->McastRate);
        /* NB: no rate type field */
        pCmd->ManagementRate = RATEVAL(rate->MgtRate);
        (void) memset(pCmd->FixedRateTable, 0, sizeof (pCmd->FixedRateTable));
        pCmd->Action = LE_32(HostCmd_ACT_NOT_USE_FIXED_RATE);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_FIXED_RATE);
        return (retval);
}

#undef RATEVAL
#undef RATETYPE

/* XXX 0 = indoor, 1 = outdoor */
static int
mwl_hal_setrateadaptmode(struct mwl_softc *sc, uint16_t mode)
{
        HostCmd_DS_SET_RATE_ADAPT_MODE *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_DS_SET_RATE_ADAPT_MODE,
            HostCmd_CMD_SET_RATE_ADAPT_MODE);
        pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
        pCmd->RateAdaptMode = LE_16(mode);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_RATE_ADAPT_MODE);
        return (retval);
}

static int
mwl_hal_setoptimizationlevel(struct mwl_softc *sc, int level)
{
        HostCmd_FW_SET_OPTIMIZATION_LEVEL *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_FW_SET_OPTIMIZATION_LEVEL,
            HostCmd_CMD_SET_OPTIMIZATION_LEVEL);
        pCmd->OptLevel = (uint8_t)level;

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_OPTIMIZATION_LEVEL);
        return (retval);
}

/*
 * Set the region code that selects the radar bin'ing agorithm.
 */
static int
mwl_hal_setregioncode(struct mwl_softc *sc, int regionCode)
{
        HostCmd_SET_REGIONCODE_INFO *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_SET_REGIONCODE_INFO,
            HostCmd_CMD_SET_REGION_CODE);
        /* XXX map pseudo-codes to fw codes */
        switch (regionCode) {
        case DOMAIN_CODE_ETSI_131:
                pCmd->regionCode = LE_16(DOMAIN_CODE_ETSI);
                break;
        default:
                pCmd->regionCode = LE_16(regionCode);
                break;
        }

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_REGION_CODE);
        return (retval);
}

static int
mwl_hal_setassocid(struct mwl_softc *sc,
    const uint8_t bssId[IEEE80211_ADDR_LEN], uint16_t assocId)
{
        HostCmd_FW_SET_AID *pCmd = (HostCmd_FW_SET_AID *) &sc->sc_cmd_mem[0];
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_FW_SET_AID, HostCmd_CMD_SET_AID);
        pCmd->AssocID = LE_16(assocId);
        IEEE80211_ADDR_COPY(&pCmd->MacAddr[0], bssId);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_AID);
        return (retval);
}

/*
 * Inform firmware of tx rate parameters.  Called whenever
 * user-settable params change and after a channel change.
 */
static int
mwl_setrates(struct ieee80211com *ic)
{
        struct mwl_softc *sc = (struct mwl_softc *)ic;
        MWL_HAL_TXRATE rates;

        const struct ieee80211_rateset *rs;
        rs = &ic->ic_bss->in_rates;

        /*
         * Update the h/w rate map.
         * NB: 0x80 for MCS is passed through unchanged
         */
        (void) memset(&rates, 0, sizeof (rates));
        /* rate used to send management frames */
        rates.MgtRate = rs->ir_rates[0] & IEEE80211_RATE_VAL;
        /* rate used to send multicast frames */
        rates.McastRate = rates.MgtRate;

        return (mwl_hal_settxrate(sc, RATE_AUTO, &rates));
}

/*
 * Set packet size threshold for implicit use of RTS.
 * Takes effect immediately.
 * XXX packet length > threshold =>'s RTS
 */
static int
mwl_hal_setrtsthreshold(struct mwl_softc *sc, int threshold)
{
        HostCmd_DS_802_11_RTS_THSD *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_DS_802_11_RTS_THSD,
            HostCmd_CMD_802_11_RTS_THSD);
        pCmd->Action  = LE_16(HostCmd_ACT_GEN_SET);
        pCmd->Threshold = LE_16(threshold);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_802_11_RTS_THSD);
        return (retval);
}

static int
mwl_hal_setcsmode(struct mwl_softc *sc, MWL_HAL_CSMODE csmode)
{
        HostCmd_DS_SET_LINKADAPT_CS_MODE *pCmd;
        int retval;

        _CMD_SETUP(pCmd, HostCmd_DS_SET_LINKADAPT_CS_MODE,
            HostCmd_CMD_SET_LINKADAPT_CS_MODE);
        pCmd->Action = LE_16(HostCmd_ACT_GEN_SET);
        pCmd->CSMode = LE_16(csmode);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_LINKADAPT_CS_MODE);
        return (retval);
}

static int
mwl_hal_setpromisc(struct mwl_softc *sc, int ena)
{
        uint32_t v;

        v = mwl_ctl_read4(sc, MACREG_REG_PROMISCUOUS);
        mwl_ctl_write4(sc, MACREG_REG_PROMISCUOUS, ena ? v | 1 : v & ~1);

        return (0);
}

static int
mwl_hal_start(struct mwl_softc *sc)
{
        HostCmd_DS_BSS_START *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_DS_BSS_START, HostCmd_CMD_BSS_START);
        pCmd->Enable = LE_32(HostCmd_ACT_GEN_ON);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_BSS_START);
        return (retval);
}

/*
 * Enable sta-mode operation (disables beacon frame xmit).
 */
static int
mwl_hal_setinframode(struct mwl_softc *sc)
{
        HostCmd_FW_SET_INFRA_MODE *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_FW_SET_INFRA_MODE,
            HostCmd_CMD_SET_INFRA_MODE);

        retval = mwlExecuteCmd(sc, HostCmd_CMD_SET_INFRA_MODE);
        return (retval);
}

static int
mwl_hal_stop(struct mwl_softc *sc)
{
        HostCmd_DS_BSS_START *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_DS_BSS_START,
            HostCmd_CMD_BSS_START);
        pCmd->Enable = LE_32(HostCmd_ACT_GEN_OFF);
        retval = mwlExecuteCmd(sc, HostCmd_CMD_BSS_START);

        return (retval);
}

static int
mwl_hal_keyset(struct mwl_softc *sc, const MWL_HAL_KEYVAL *kv,
    const uint8_t mac[IEEE80211_ADDR_LEN])
{
        HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY,
            HostCmd_CMD_UPDATE_ENCRYPTION);
        if (kv->keyFlags & (KEY_FLAG_TXGROUPKEY|KEY_FLAG_RXGROUPKEY))
                pCmd->ActionType = LE_32(EncrActionTypeSetGroupKey);
        else
                pCmd->ActionType = LE_32(EncrActionTypeSetKey);
        pCmd->KeyParam.Length = LE_16(sizeof (pCmd->KeyParam));
        pCmd->KeyParam.KeyTypeId = LE_16(kv->keyTypeId);
        pCmd->KeyParam.KeyInfo = LE_32(kv->keyFlags);
        pCmd->KeyParam.KeyIndex = LE_32(kv->keyIndex);
        /* NB: includes TKIP MIC keys */
        (void) memcpy(&pCmd->KeyParam.Key, &kv->key, kv->keyLen);
        switch (kv->keyTypeId) {
        case KEY_TYPE_ID_WEP:
                pCmd->KeyParam.KeyLen = LE_16(kv->keyLen);
                break;
        case KEY_TYPE_ID_TKIP:
                pCmd->KeyParam.KeyLen = LE_16(sizeof (TKIP_TYPE_KEY));
                pCmd->KeyParam.Key.TkipKey.TkipRsc.low =
                    LE_16(kv->key.tkip.rsc.low);
                pCmd->KeyParam.Key.TkipKey.TkipRsc.high =
                    LE_32(kv->key.tkip.rsc.high);
                pCmd->KeyParam.Key.TkipKey.TkipTsc.low =
                    LE_16(kv->key.tkip.tsc.low);
                pCmd->KeyParam.Key.TkipKey.TkipTsc.high =
                    LE_32(kv->key.tkip.tsc.high);
                break;
        case KEY_TYPE_ID_AES:
                pCmd->KeyParam.KeyLen = LE_16(sizeof (AES_TYPE_KEY));
                break;
        }
#ifdef MWL_MBSS_SUPPORT
        IEEE80211_ADDR_COPY(pCmd->KeyParam.Macaddr, mac);
#else
        IEEE80211_ADDR_COPY(pCmd->Macaddr, mac);
#endif

        retval = mwlExecuteCmd(sc, HostCmd_CMD_UPDATE_ENCRYPTION);
        return (retval);
}

static int
mwl_hal_keyreset(struct mwl_softc *sc, const MWL_HAL_KEYVAL *kv,
    const uint8_t mac[IEEE80211_ADDR_LEN])
{
        HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY *pCmd;
        int retval;

        _VCMD_SETUP(pCmd, HostCmd_FW_UPDATE_ENCRYPTION_SET_KEY,
            HostCmd_CMD_UPDATE_ENCRYPTION);
        pCmd->ActionType = LE_16(EncrActionTypeRemoveKey);
        pCmd->KeyParam.Length = LE_16(sizeof (pCmd->KeyParam));
        pCmd->KeyParam.KeyTypeId = LE_16(kv->keyTypeId);
        pCmd->KeyParam.KeyInfo = LE_32(kv->keyFlags);
        pCmd->KeyParam.KeyIndex = LE_32(kv->keyIndex);
#ifdef MWL_MBSS_SUPPORT
        IEEE80211_ADDR_COPY(pCmd->KeyParam.Macaddr, mac);
#else
        IEEE80211_ADDR_COPY(pCmd->Macaddr, mac);
#endif
        retval = mwlExecuteCmd(sc, HostCmd_CMD_UPDATE_ENCRYPTION);
        return (retval);
}

/* ARGSUSED */
static struct ieee80211_node *
mwl_node_alloc(struct ieee80211com *ic)
{
        struct mwl_node *mn;

        mn = kmem_zalloc(sizeof (struct mwl_node), KM_SLEEP);
        if (mn == NULL) {
                /* XXX stat+msg */
                MWL_DBG(MWL_DBG_MSG, "mwl: mwl_node_alloc(): "
                    "alloc node failed\n");
                return (NULL);
        }
        return (&mn->mn_node);
}

static void
mwl_node_free(struct ieee80211_node *ni)
{
        struct ieee80211com *ic = ni->in_ic;
        struct mwl_node *mn = MWL_NODE(ni);

        if (mn->mn_staid != 0) {
                // mwl_hal_delstation(mn->mn_hvap, vap->iv_myaddr);
                // delstaid(sc, mn->mn_staid);
                mn->mn_staid = 0;
        }
        ic->ic_node_cleanup(ni);
        kmem_free(ni, sizeof (struct mwl_node));
}

/*
 * Allocate a key cache slot for a unicast key.  The
 * firmware handles key allocation and every station is
 * guaranteed key space so we are always successful.
 */
static int
mwl_key_alloc(struct ieee80211com *ic, const struct ieee80211_key *k,
    ieee80211_keyix *keyix, ieee80211_keyix *rxkeyix)
{
        if (k->wk_keyix != IEEE80211_KEYIX_NONE ||
            (k->wk_flags & IEEE80211_KEY_GROUP)) {
                if (!(&ic->ic_nw_keys[0] <= k &&
                    k < &ic->ic_nw_keys[IEEE80211_WEP_NKID])) {
                        /* should not happen */
                        MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
                            "bogus group key\n");
                        return (0);
                }
                /* give the caller what they requested */
                *keyix = *rxkeyix = k - ic->ic_nw_keys;
                MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
                    "alloc GROUP key keyix %x, rxkeyix %x\n",
                    *keyix, *rxkeyix);
        } else {
                /*
                 * Firmware handles key allocation.
                 */
                *keyix = *rxkeyix = 0;
                MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_alloc(): "
                    "reset key index in key allocation\n");
        }

        return (1);
}

/*
 * Delete a key entry allocated by mwl_key_alloc.
 */
static int
mwl_key_delete(struct ieee80211com *ic, const struct ieee80211_key *k)
{
        struct mwl_softc *sc = (struct mwl_softc *)ic;
        MWL_HAL_KEYVAL hk;
        const uint8_t bcastaddr[IEEE80211_ADDR_LEN] =
            { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

        (void) memset(&hk, 0, sizeof (hk));
        hk.keyIndex = k->wk_keyix;
        switch (k->wk_cipher->ic_cipher) {
        case IEEE80211_CIPHER_WEP:
                hk.keyTypeId = KEY_TYPE_ID_WEP;
                break;
        case IEEE80211_CIPHER_TKIP:
                hk.keyTypeId = KEY_TYPE_ID_TKIP;
                break;
        case IEEE80211_CIPHER_AES_CCM:
                hk.keyTypeId = KEY_TYPE_ID_AES;
                break;
        default:
                /* XXX should not happen */
                MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_delete(): "
                    "unknown cipher %d\n", k->wk_cipher->ic_cipher);
                return (0);
        }
        return (mwl_hal_keyreset(sc, &hk, bcastaddr) == 0);
}

/*
 * Set the key cache contents for the specified key.  Key cache
 * slot(s) must already have been allocated by mwl_key_alloc.
 */
/* ARGSUSED */
static int
mwl_key_set(struct ieee80211com *ic, const struct ieee80211_key *k,
    const uint8_t mac[IEEE80211_ADDR_LEN])
{
#define GRPXMIT (IEEE80211_KEY_XMIT | IEEE80211_KEY_GROUP)
/* NB: static wep keys are marked GROUP+tx/rx; GTK will be tx or rx */
#define IEEE80211_IS_STATICKEY(k) \
        (((k)->wk_flags & (GRPXMIT|IEEE80211_KEY_RECV)) == \
        (GRPXMIT|IEEE80211_KEY_RECV))
        struct mwl_softc *sc = (struct mwl_softc *)ic;
        const struct ieee80211_cipher *cip = k->wk_cipher;
        const uint8_t *macaddr;
        MWL_HAL_KEYVAL hk;

        (void) memset(&hk, 0, sizeof (hk));
        hk.keyIndex = k->wk_keyix;
        switch (cip->ic_cipher) {
        case IEEE80211_CIPHER_WEP:
                hk.keyTypeId = KEY_TYPE_ID_WEP;
                hk.keyLen = k->wk_keylen;
                if (k->wk_keyix == ic->ic_def_txkey)
                        hk.keyFlags = KEY_FLAG_WEP_TXKEY;
                if (!IEEE80211_IS_STATICKEY(k)) {
                        /* NB: WEP is never used for the PTK */
                        (void) addgroupflags(&hk, k);
                }
                break;
        case IEEE80211_CIPHER_TKIP:
                hk.keyTypeId = KEY_TYPE_ID_TKIP;
                hk.key.tkip.tsc.high = (uint32_t)(k->wk_keytsc >> 16);
                hk.key.tkip.tsc.low = (uint16_t)k->wk_keytsc;
                hk.keyFlags = KEY_FLAG_TSC_VALID | KEY_FLAG_MICKEY_VALID;
                hk.keyLen = k->wk_keylen + IEEE80211_MICBUF_SIZE;
                if (!addgroupflags(&hk, k))
                        hk.keyFlags |= KEY_FLAG_PAIRWISE;
                break;
        case IEEE80211_CIPHER_AES_CCM:
                hk.keyTypeId = KEY_TYPE_ID_AES;
                hk.keyLen = k->wk_keylen;
                if (!addgroupflags(&hk, k))
                        hk.keyFlags |= KEY_FLAG_PAIRWISE;
                break;
        default:
                /* XXX should not happen */
                MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_key_set(): "
                    "unknown cipher %d\n",
                    k->wk_cipher->ic_cipher);
                return (0);
        }
        /*
         * NB: tkip mic keys get copied here too; the layout
         * just happens to match that in ieee80211_key.
         */
        (void) memcpy(hk.key.aes, k->wk_key, hk.keyLen);

        /*
         * Locate address of sta db entry for writing key;
         * the convention unfortunately is somewhat different
         * than how net80211, hostapd, and wpa_supplicant think.
         */

        /*
         * NB: keys plumbed before the sta reaches AUTH state
         * will be discarded or written to the wrong sta db
         * entry because iv_bss is meaningless.  This is ok
         * (right now) because we handle deferred plumbing of
         * WEP keys when the sta reaches AUTH state.
         */
        macaddr = ic->ic_bss->in_bssid;
        if (k->wk_flags & IEEE80211_KEY_XMIT) {
                /* XXX plumb to local sta db too for static key wep */
                (void) mwl_hal_keyset(sc, &hk, ic->ic_macaddr);
        }
        return (mwl_hal_keyset(sc, &hk, macaddr) == 0);
#undef IEEE80211_IS_STATICKEY
#undef GRPXMIT
}

/*
 * Plumb any static WEP key for the station.  This is
 * necessary as we must propagate the key from the
 * global key table of the vap to each sta db entry.
 */
static void
mwl_setanywepkey(struct ieee80211com *ic, const uint8_t mac[IEEE80211_ADDR_LEN])
{
        if ((ic->ic_flags & (IEEE80211_F_PRIVACY|IEEE80211_F_WPA)) ==
            IEEE80211_F_PRIVACY &&
            ic->ic_def_txkey != IEEE80211_KEYIX_NONE &&
            ic->ic_nw_keys[ic->ic_def_txkey].wk_keyix != IEEE80211_KEYIX_NONE)
                (void) mwl_key_set(ic, &ic->ic_nw_keys[ic->ic_def_txkey], mac);
}

static void
mwl_setglobalkeys(struct ieee80211com *ic)
{
        struct ieee80211_key *wk;

        wk = &ic->ic_nw_keys[0];
        for (; wk < &ic->ic_nw_keys[IEEE80211_WEP_NKID]; wk++)
                if (wk->wk_keyix != IEEE80211_KEYIX_NONE)
                        (void) mwl_key_set(ic, wk, ic->ic_macaddr);
}

static int
addgroupflags(MWL_HAL_KEYVAL *hk, const struct ieee80211_key *k)
{
        if (k->wk_flags & IEEE80211_KEY_GROUP) {
                if (k->wk_flags & IEEE80211_KEY_XMIT)
                        hk->keyFlags |= KEY_FLAG_TXGROUPKEY;
                if (k->wk_flags & IEEE80211_KEY_RECV)
                        hk->keyFlags |= KEY_FLAG_RXGROUPKEY;
                return (1);
        } else
                return (0);
}

/*
 * Set/change channels.
 */
static int
mwl_chan_set(struct mwl_softc *sc, struct mwl_channel *chan)
{
        MWL_HAL_CHANNEL hchan;
        int maxtxpow;

        MWL_DBG(MWL_DBG_HW, "mwl: mwl_chan_set(): "
            "chan %u MHz/flags 0x%x\n",
            chan->ic_freq, chan->ic_flags);

        /*
         * Convert to a HAL channel description with
         * the flags constrained to reflect the current
         * operating mode.
         */
        mwl_mapchan(&hchan, chan);
        mwl_hal_intrset(sc, 0);         /* disable interrupts */

        (void) mwl_hal_setchannel(sc, &hchan);
        /*
         * Tx power is cap'd by the regulatory setting and
         * possibly a user-set limit.  We pass the min of
         * these to the hal to apply them to the cal data
         * for this channel.
         * XXX min bound?
         */
        maxtxpow = 2 * chan->ic_maxregpower;
        if (maxtxpow > 100)
                maxtxpow = 100;
        (void) mwl_hal_settxpower(sc, &hchan, maxtxpow / 2);
        /* NB: potentially change mcast/mgt rates */
        (void) mwl_setcurchanrates(sc);

        sc->sc_curchan = hchan;
        mwl_hal_intrset(sc, sc->sc_imask);

        return (0);
}

/*
 * Convert net80211 channel to a HAL channel.
 */
static void
mwl_mapchan(MWL_HAL_CHANNEL *hc, const struct mwl_channel *chan)
{
        hc->channel = chan->ic_ieee;

        *(uint32_t *)&hc->channelFlags = 0;
        if (((chan)->ic_flags & IEEE80211_CHAN_2GHZ) != 0)
                hc->channelFlags.FreqBand = MWL_FREQ_BAND_2DOT4GHZ;
        else if (((chan)->ic_flags & IEEE80211_CHAN_5GHZ) != 0)
                hc->channelFlags.FreqBand = MWL_FREQ_BAND_5GHZ;
        if (((chan)->ic_flags & IEEE80211_CHAN_HT40) != 0) {
                hc->channelFlags.ChnlWidth = MWL_CH_40_MHz_WIDTH;
                if (((chan)->ic_flags & IEEE80211_CHAN_HT40U) != 0)
                        hc->channelFlags.ExtChnlOffset =
                            MWL_EXT_CH_ABOVE_CTRL_CH;
                else
                        hc->channelFlags.ExtChnlOffset =
                            MWL_EXT_CH_BELOW_CTRL_CH;
        } else
                hc->channelFlags.ChnlWidth = MWL_CH_20_MHz_WIDTH;
        /* XXX 10MHz channels */
}

/*
 * Return the phy mode for with the specified channel.
 */
enum ieee80211_phymode
mwl_chan2mode(const struct mwl_channel *chan)
{

        if (IEEE80211_IS_CHAN_HTA(chan))
                return (IEEE80211_MODE_11NA);
        else if (IEEE80211_IS_CHAN_HTG(chan))
                return (IEEE80211_MODE_11NG);
        else if (IEEE80211_IS_CHAN_108G(chan))
                return (IEEE80211_MODE_TURBO_G);
        else if (IEEE80211_IS_CHAN_ST(chan))
                return (IEEE80211_MODE_STURBO_A);
        else if (IEEE80211_IS_CHAN_TURBO(chan))
                return (IEEE80211_MODE_TURBO_A);
        else if (IEEE80211_IS_CHAN_HALF(chan))
                return (IEEE80211_MODE_HALF);
        else if (IEEE80211_IS_CHAN_QUARTER(chan))
                return (IEEE80211_MODE_QUARTER);
        else if (IEEE80211_IS_CHAN_A(chan))
                return (IEEE80211_MODE_11A);
        else if (IEEE80211_IS_CHAN_ANYG(chan))
                return (IEEE80211_MODE_11G);
        else if (IEEE80211_IS_CHAN_B(chan))
                return (IEEE80211_MODE_11B);
        else if (IEEE80211_IS_CHAN_FHSS(chan))
                return (IEEE80211_MODE_FH);

        /* NB: should not get here */
        MWL_DBG(MWL_DBG_HW, "mwl: mwl_chan2mode(): "
            "cannot map channel to mode; freq %u flags 0x%x\n",
            chan->ic_freq, chan->ic_flags);
        return (IEEE80211_MODE_11B);
}

/* XXX inline or eliminate? */
const struct ieee80211_rateset *
mwl_get_suprates(struct ieee80211com *ic, const struct mwl_channel *c)
{
        /* XXX does this work for 11ng basic rates? */
        return (&ic->ic_sup_rates[mwl_chan2mode(c)]);
}

/*
 * Inform firmware of tx rate parameters.
 * Called after a channel change.
 */
static int
mwl_setcurchanrates(struct mwl_softc *sc)
{
        struct ieee80211com *ic = &sc->sc_ic;
        const struct ieee80211_rateset *rs;
        MWL_HAL_TXRATE rates;

        (void) memset(&rates, 0, sizeof (rates));
        rs = mwl_get_suprates(ic, sc->sc_cur_chan);
        /* rate used to send management frames */
        rates.MgtRate = rs->ir_rates[0] & IEEE80211_RATE_VAL;
        /* rate used to send multicast frames */
        rates.McastRate = rates.MgtRate;

        return (mwl_hal_settxrate_auto(sc, &rates));
}

static const struct mwl_hal_channel *
findhalchannel(const struct mwl_softc *sc, const MWL_HAL_CHANNEL *c)
{
        const struct mwl_hal_channel *hc;
        const MWL_HAL_CHANNELINFO *ci;
        int chan = c->channel, i;

        if (c->channelFlags.FreqBand == MWL_FREQ_BAND_2DOT4GHZ) {
                i = chan - 1;
                if (c->channelFlags.ChnlWidth == MWL_CH_40_MHz_WIDTH) {
                        ci = &sc->sc_40M;
                        if (c->channelFlags.ExtChnlOffset ==
                            MWL_EXT_CH_BELOW_CTRL_CH)
                                i -= 4;
                } else
                        ci = &sc->sc_20M;
                /* 2.4G channel table is directly indexed */
                hc = ((unsigned)i < ci->nchannels) ? &ci->channels[i] : NULL;
        } else if (c->channelFlags.FreqBand == MWL_FREQ_BAND_5GHZ) {
                if (c->channelFlags.ChnlWidth == MWL_CH_40_MHz_WIDTH) {
                        ci = &sc->sc_40M_5G;
                        if (c->channelFlags.ExtChnlOffset ==
                            MWL_EXT_CH_BELOW_CTRL_CH)
                                chan -= 4;
                } else
                        ci = &sc->sc_20M_5G;
                /* 5GHz channel table is sparse and must be searched */
                for (i = 0; i < ci->nchannels; i++)
                        if (ci->channels[i].ieee == chan)
                                break;
                hc = (i < ci->nchannels) ? &ci->channels[i] : NULL;
        } else
                hc = NULL;
        return (hc);
}

/*
 * Map SKU+country code to region code for radar bin'ing.
 */
static int
mwl_map2regioncode(const struct mwl_regdomain *rd)
{
        switch (rd->regdomain) {
        case SKU_FCC:
        case SKU_FCC3:
                return (DOMAIN_CODE_FCC);
        case SKU_CA:
                return (DOMAIN_CODE_IC);
        case SKU_ETSI:
        case SKU_ETSI2:
        case SKU_ETSI3:
                if (rd->country == CTRY_SPAIN)
                        return (DOMAIN_CODE_SPAIN);
                if (rd->country == CTRY_FRANCE || rd->country == CTRY_FRANCE2)
                        return (DOMAIN_CODE_FRANCE);
                /* XXX force 1.3.1 radar type */
                return (DOMAIN_CODE_ETSI_131);
        case SKU_JAPAN:
                return (DOMAIN_CODE_MKK);
        case SKU_ROW:
                return (DOMAIN_CODE_DGT);       /* Taiwan */
        case SKU_APAC:
        case SKU_APAC2:
        case SKU_APAC3:
                return (DOMAIN_CODE_AUS);       /* Australia */
        }
        /* XXX KOREA? */
        return (DOMAIN_CODE_FCC);                       /* XXX? */
}

/*
 * Setup the rx data structures.  This should only be
 * done once or we may get out of sync with the firmware.
 */
static int
mwl_startrecv(struct mwl_softc *sc)
{
        struct mwl_rx_ring *ring;
        struct mwl_rxdesc *ds;
        struct mwl_rxbuf *bf, *prev;

        int i;

        ring = &sc->sc_rxring;
        bf = ring->buf;

        prev = NULL;
        for (i = 0; i < MWL_RX_RING_COUNT; i++, bf++) {
                ds = bf->bf_desc;
                /*
                 * NB: DMA buffer contents is known to be unmodified
                 * so there's no need to flush the data cache.
                 */

                /*
                 * Setup descriptor.
                 */
                ds->QosCtrl = 0;
                ds->RSSI = 0;
                ds->Status = EAGLE_RXD_STATUS_IDLE;
                ds->Channel = 0;
                ds->PktLen = LE_16(MWL_AGGR_SIZE);
                ds->SQ2 = 0;
                ds->pPhysBuffData = LE_32(bf->bf_baddr);
                /* NB: don't touch pPhysNext, set once */
                ds->RxControl = EAGLE_RXD_CTRL_DRIVER_OWN;

                (void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
                    i * sizeof (struct mwl_rxdesc),
                    sizeof (struct mwl_rxdesc),
                    DDI_DMA_SYNC_FORDEV);

                if (prev != NULL) {
                        ds = prev->bf_desc;
                        ds->pPhysNext = LE_32(bf->bf_daddr);
                }
                prev = bf;
        }

        if (prev != NULL) {
                ds = prev->bf_desc;
                ds->pPhysNext = ring->physaddr;
        }

        /* set filters, etc. */
        (void) mwl_mode_init(sc);

        return (0);
}

static int
mwl_mode_init(struct mwl_softc *sc)
{
        /*
         * NB: Ignore promisc in hostap mode; it's set by the
         * bridge.  This is wrong but we have no way to
         * identify internal requests (from the bridge)
         * versus external requests such as for tcpdump.
         */
        /* mwl_setmcastfilter - not support now */
        (void) mwl_hal_setpromisc(sc, 0);

        return (0);
}

/*
 * Kick the firmware to tell it there are new tx descriptors
 * for processing.  The driver says what h/w q has work in
 * case the f/w ever gets smarter.
 */
/* ARGSUSED */
static void
mwl_hal_txstart(struct mwl_softc *sc, int qnum)
{

        mwl_ctl_write4(sc, MACREG_REG_H2A_INTERRUPT_EVENTS,
            MACREG_H2ARIC_BIT_PPA_READY);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
}

static int
mwl_send(ieee80211com_t *ic, mblk_t *mp, uint8_t type)
{
        struct mwl_softc *sc = (struct mwl_softc *)ic;
        struct mwl_tx_ring *ring;
        struct mwl_txdesc *ds;
        struct mwl_txbuf *bf;
        struct ieee80211_frame *wh, *wh1;
        struct ieee80211_node *ni = NULL;

        int err, off;
        int mblen, pktlen, hdrlen;
        mblk_t *m, *m0;
        uint8_t *addr_4, *txbuf;
        uint16_t *pfwlen;

        MWL_TXLOCK(sc);

        err = DDI_SUCCESS;
        if (!MWL_IS_RUNNING(sc) || MWL_IS_SUSPEND(sc)) {
                err = ENXIO;
                goto fail1;
        }

        ring = &sc->sc_txring[1];
        if (ring->queued > 15) {
                MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
                    "no txbuf, %d\n", ring->queued);
                sc->sc_need_sched = 1;
                sc->sc_tx_nobuf++;
                err = ENOMEM;
                goto fail1;
        }

        m = allocb(msgdsize(mp) + 32, BPRI_MED);
        if (m == NULL) {
                MWL_DBG(MWL_DBG_TX, "mwl: mwl_send():"
                    "can't alloc mblk.\n");
                err = DDI_FAILURE;
                goto fail1;
        }

        for (off = 0, m0 = mp; m0 != NULL; m0 = m0->b_cont) {
                mblen = MBLKL(m0);
                (void) bcopy(m0->b_rptr, m->b_rptr + off, mblen);
                off += mblen;
        }
        m->b_wptr += off;

        wh = (struct ieee80211_frame *)m->b_rptr;
        ni = ieee80211_find_txnode(ic, wh->i_addr1);
        if (ni == NULL) {
                err = DDI_FAILURE;
                sc->sc_tx_err++;
                goto fail2;
        }

        hdrlen = sizeof (*wh);
        pktlen = msgdsize(m);

        (void) ieee80211_encap(ic, m, ni);

        if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
                const struct ieee80211_cipher *cip;
                struct ieee80211_key *k;
                k = ieee80211_crypto_encap(ic, m);
                if (k == NULL) {
                        sc->sc_tx_err++;
                        err = DDI_FAILURE;
                        goto fail3;
                }

                /*
                 * Adjust the packet length for the crypto additions
                 * done during encap and any other bits that the f/w
                 * will add later on.
                 */
                cip = k->wk_cipher;
                pktlen += cip->ic_header + cip->ic_miclen + cip->ic_trailer;
                /* packet header may have moved, reset our local pointer */
                wh = (struct ieee80211_frame *)m->b_rptr;
        }

        ds = &ring->desc[ring->cur];
        bf = &ring->buf[ring->cur];

        bf->bf_node = ieee80211_ref_node(ni);
        txbuf = (uint8_t *)bf->bf_mem;

        /*
         * inject FW specific fields into the 802.11 frame
         *
         *  2   bytes FW len (inject)
         *  24 bytes 802.11 frame header
         *  6   bytes addr4 (inject)
         *  n   bytes 802.11 frame body
         */
        pfwlen = (uint16_t *)txbuf;
        *pfwlen = pktlen - hdrlen;
        wh1 = (struct ieee80211_frame *)(txbuf + 2);
        bcopy(wh, wh1, sizeof (struct ieee80211_frame));
        addr_4 = txbuf + (sizeof (struct ieee80211_frame) + sizeof (uint16_t));
        (void) memset(addr_4, 0, 6);
        bcopy(m->b_rptr + sizeof (struct ieee80211_frame), txbuf + 32, *pfwlen);
        pktlen += 8;

        (void) ddi_dma_sync(bf->txbuf_dma.dma_hdl,
            0,
            pktlen,
            DDI_DMA_SYNC_FORDEV);

        ds->QosCtrl = 0;
        ds->PktLen = (uint16_t)pktlen;
        ds->PktPtr = bf->bf_baddr;
        ds->Status = LE_32(EAGLE_TXD_STATUS_FW_OWNED);
        ds->Format = 0;
        ds->pad = 0;
        ds->ack_wcb_addr = 0;
        ds->TxPriority = 1;

        MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
            "tx desc Status %x, DataRate %x, TxPriority %x, QosCtrl %x, "
            "PktLen %x, SapPktInfo %x, Format %x, Pad %x, ack_wcb_addr %x\n",
            ds->Status, ds->DataRate, ds->TxPriority, ds->QosCtrl, ds->PktLen,
            ds->SapPktInfo, ds->Format, ds->pad, ds->ack_wcb_addr);

        (void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
            ring->cur * sizeof (struct mwl_txdesc),
            sizeof (struct mwl_txdesc),
            DDI_DMA_SYNC_FORDEV);

        MWL_DBG(MWL_DBG_TX, "mwl: mwl_send(): "
            "pktlen = %u, slot = %u, queued = %x\n",
            mblen, ring->cur, ring->queued);

        ring->queued++;
        ring->cur = (ring->cur + 1) % MWL_TX_RING_COUNT;

        /*
         * NB: We don't need to lock against tx done because
         * this just prods the firmware to check the transmit
         * descriptors.  The firmware will also start fetching
         * descriptors by itself if it notices new ones are
         * present when it goes to deliver a tx done interrupt
         * to the host. So if we race with tx done processing
         * it's ok.  Delivering the kick here rather than in
         * mwl_tx_start is an optimization to avoid poking the
         * firmware for each packet.
         *
         * NB: the queue id isn't used so 0 is ok.
         */
        mwl_hal_txstart(sc, 0);

        ic->ic_stats.is_tx_frags++;
        ic->ic_stats.is_tx_bytes += pktlen;

fail3:
        ieee80211_free_node(ni);
fail2:
        freemsg(m);
fail1:
        if ((type & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_DATA ||
            err == DDI_SUCCESS)
                freemsg(mp);
        MWL_TXUNLOCK(sc);
        return (err);
}

/*
 * This function is called periodically (every 200ms) during scanning to
 * switch from one channel to another.
 */
static void
mwl_next_scan(void *arg)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        struct ieee80211com *ic = &sc->sc_ic;

        if (ic->ic_state == IEEE80211_S_SCAN)
                (void) ieee80211_next_scan(ic);

        sc->sc_scan_id = 0;
}

/*
 * Convert a legacy rate set to a firmware bitmask.
 */
static uint32_t
get_rate_bitmap(const struct ieee80211_rateset *rs)
{
        uint32_t rates;
        int i;

        rates = 0;
        for (i = 0; i < rs->ir_nrates; i++)
                switch (rs->ir_rates[i] & IEEE80211_RATE_VAL) {
                case 2:   rates |= 0x001; break;
                case 4:   rates |= 0x002; break;
                case 11:  rates |= 0x004; break;
                case 22:  rates |= 0x008; break;
                case 44:  rates |= 0x010; break;
                case 12:  rates |= 0x020; break;
                case 18:  rates |= 0x040; break;
                case 24:  rates |= 0x080; break;
                case 36:  rates |= 0x100; break;
                case 48:  rates |= 0x200; break;
                case 72:  rates |= 0x400; break;
                case 96:  rates |= 0x800; break;
                case 108: rates |= 0x1000; break;
                }
        return (rates);
}

/*
 * Craft station database entry for station.
 * NB: use host byte order here, the hal handles byte swapping.
 */
static MWL_HAL_PEERINFO *
mkpeerinfo(MWL_HAL_PEERINFO *pi, const struct ieee80211_node *ni)
{
        (void) memset(pi, 0, sizeof (*pi));
        pi->LegacyRateBitMap = get_rate_bitmap(&ni->in_rates);
        pi->CapInfo = ni->in_capinfo;
        return (pi);
}

static int
mwl_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
{
        struct mwl_softc *sc = (struct mwl_softc *)ic;
        enum ieee80211_state ostate;
        struct ieee80211_channel *ic_chan;
        struct ieee80211_node *ni = NULL;
        MWL_HAL_PEERINFO pi;
        uint32_t chan;

        if (sc->sc_scan_id != 0) {
                (void) untimeout(sc->sc_scan_id);
                sc->sc_scan_id = 0;
        }

        MWL_GLOCK(sc);

        ostate = ic->ic_state;
        MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
            "ostate %x -> nstate %x\n",
            ostate, nstate);

        switch (nstate) {
        case IEEE80211_S_INIT:
                break;
        case IEEE80211_S_SCAN:
                if (ostate != IEEE80211_S_INIT) {
                        ic_chan = ic->ic_curchan;
                        chan = ieee80211_chan2ieee(ic, ic_chan);
                        if (chan != 0 && chan != IEEE80211_CHAN_ANY) {
                                sc->sc_cur_chan =
                                    &sc->sc_channels[3 * chan - 2];
                                MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
                                    "chan num is %u, sc chan is %u\n",
                                    chan, sc->sc_cur_chan->ic_ieee);
                                (void) mwl_chan_set(sc, sc->sc_cur_chan);
                        }
                }
                sc->sc_scan_id = timeout(mwl_next_scan, (void *)sc,
                    drv_usectohz(250000));
                break;
        case IEEE80211_S_AUTH:
                ic_chan = ic->ic_curchan;
                chan = ieee80211_chan2ieee(ic, ic_chan);
                sc->sc_cur_chan = &sc->sc_channels[3 * chan - 2];
                MWL_DBG(MWL_DBG_MSG, "mwl: mwl_newstate(): "
                    "chan num is %u, sc chan is %u\n",
                    chan, sc->sc_cur_chan->ic_ieee);
                (void) mwl_chan_set(sc, sc->sc_cur_chan);
                ni = ic->ic_bss;
                (void) mwl_hal_newstation(sc, ic->ic_macaddr, 0, 0, NULL, 0, 0);
                mwl_setanywepkey(ic, ni->in_macaddr);
                break;
        case IEEE80211_S_ASSOC:
                break;
        case IEEE80211_S_RUN:
                ni = ic->ic_bss;
                (void) mwl_hal_newstation(sc,
                    ic->ic_macaddr, 0, 0, mkpeerinfo(&pi, ni), 0, 0);
                mwl_setglobalkeys(ic);
                (void) mwl_hal_setassocid(sc,
                    ic->ic_bss->in_bssid, ic->ic_bss->in_associd);
                (void) mwl_setrates(ic);
                (void) mwl_hal_setrtsthreshold(sc, ic->ic_rtsthreshold);
                (void) mwl_hal_setcsmode(sc, CSMODE_AUTO_ENA);
                break;
        default:
                break;
        }

        MWL_GUNLOCK(sc);

        return (sc->sc_newstate(ic, nstate, arg));
}

/*
 * Set the interrupt mask.
 */
static void
mwl_hal_intrset(struct mwl_softc *sc, uint32_t mask)
{
        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, 0);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);

        sc->sc_hal_imask = mask;
        mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_MASK, mask);
        (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
}

/*
 * Return the current ISR setting and clear the cause.
 */
static void
mwl_hal_getisr(struct mwl_softc *sc, uint32_t *status)
{
        uint32_t cause;

        cause = mwl_ctl_read4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE);
        if (cause == 0xffffffff) {      /* card removed */
                cause = 0;
        } else if (cause != 0) {
                /* clear cause bits */
                mwl_ctl_write4(sc, MACREG_REG_A2H_INTERRUPT_CAUSE,
                    cause & ~sc->sc_hal_imask);
                (void) mwl_ctl_read4(sc, MACREG_REG_INT_CODE);
                cause &= sc->sc_hal_imask;
        }
        *status = cause;
}

static void
mwl_tx_intr(struct mwl_softc *sc)
{
        struct ieee80211com *ic = &sc->sc_ic;
        struct mwl_tx_ring *ring;
        struct mwl_txdesc *ds;

        uint32_t status;

        MWL_TXLOCK(sc);

        ring = &sc->sc_txring[1];

        if (!(ring->queued)) {
                MWL_TXUNLOCK(sc);
                return;
        }

        (void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
            0,
            ring->txdesc_dma.alength,
            DDI_DMA_SYNC_FORCPU);

        for (;;) {
                ds = &ring->desc[ring->next];

                status = LE_32(ds->Status);

                if (status & LE_32(EAGLE_TXD_STATUS_FW_OWNED)) {
                        break;
                }

                if (status == LE_32(EAGLE_TXD_STATUS_IDLE)) {
                        break;
                }

                MWL_DBG(MWL_DBG_TX, "mwl: mwl_tx_intr(): "
                    "recv tx desc status %x, datarate %x, txpriority %x, "
                    "QosCtrl %x, pktLen %x, SapPktInfo %x, Format %x, "
                    "pad %x, ack_wcb_addr %x\n",
                    ds->Status, ds->DataRate, ds->TxPriority,
                    ds->QosCtrl, ds->PktLen, ds->SapPktInfo,
                    ds->Format, ds->pad, ds->ack_wcb_addr);

                /* descriptor is no longer valid */
                ds->Status = LE_32(EAGLE_TXD_STATUS_IDLE);

                (void) ddi_dma_sync(ring->txdesc_dma.dma_hdl,
                    ring->next * sizeof (struct mwl_txdesc),
                    sizeof (struct mwl_txdesc),
                    DDI_DMA_SYNC_FORDEV);

                ring->queued--;
                ring->next = (ring->next + 1) % MWL_TX_RING_COUNT;
                MWL_DBG(MWL_DBG_TX, "mwl: mwl_tx_intr(): "
                    " tx done idx=%u, queued= %d\n",
                    ring->next, ring->queued);

                if (sc->sc_need_sched &&
                    (ring->queued < MWL_TX_RING_COUNT)) {
                        sc->sc_need_sched = 0;
                        mac_tx_update(ic->ic_mach);
                }

        }

        MWL_TXUNLOCK(sc);
}

/*
 * Convert hardware signal strength to rssi.  The value
 * provided by the device has the noise floor added in;
 * we need to compensate for this but we don't have that
 * so we use a fixed value.
 *
 * The offset of 8 is good for both 2.4 and 5GHz.  The LNA
 * offset is already set as part of the initial gain.  This
 * will give at least +/- 3dB for 2.4GHz and +/- 5dB for 5GHz.
 */
static int
cvtrssi(uint8_t ssi)
{
        int rssi = (int)ssi + 8;
        /* XXX hack guess until we have a real noise floor */
        rssi = 2 * (87 - rssi); /* NB: .5 dBm units */
        return (rssi < 0 ? 0 : rssi > 127 ? 127 : rssi);
}

static void
mwl_rx_intr(struct mwl_softc *sc)
{
        struct ieee80211com     *ic = &sc->sc_ic;
        struct mwl_rx_ring *ring;
        struct ieee80211_node   *ni;
        struct ieee80211_frame *wh;

        struct mwl_rxbuf *bf;
        struct mwl_rxdesc *ds;
        mblk_t  *mp0;

        int ntodo, len, rssi;
        uint8_t *data, status;

        MWL_RXLOCK(sc);

        ring = &sc->sc_rxring;
        for (ntodo = MWL_RX_RING_COUNT; ntodo > 0; ntodo--) {
                bf = &ring->buf[ring->cur];
                ds = bf->bf_desc;
                data = bf->bf_mem;

                (void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
                    ring->cur * sizeof (struct mwl_rxdesc),
                    sizeof (struct mwl_rxdesc),
                    DDI_DMA_SYNC_FORCPU);

                if (ds->RxControl != EAGLE_RXD_CTRL_DMA_OWN)
                        break;

                status = ds->Status;
                if (status & EAGLE_RXD_STATUS_DECRYPT_ERR_MASK) {
                        MWL_DBG(MWL_DBG_CRYPTO, "mwl: mwl_rx_intr(): "
                            "rx decrypt error\n");
                        sc->sc_rx_err++;
                }

                /*
                 * Sync the data buffer.
                 */
                len = LE_16(ds->PktLen);

                (void) ddi_dma_sync(bf->rxbuf_dma.dma_hdl,
                    0,
                    bf->rxbuf_dma.alength,
                    DDI_DMA_SYNC_FORCPU);

                if (len < 32 || len > sc->sc_dmabuf_size) {
                        MWL_DBG(MWL_DBG_RX, "mwl: mwl_rx_intr(): "
                            "packet len error %d\n", len);
                        sc->sc_rx_err++;
                        goto rxnext;
                }

                mp0 = allocb(sc->sc_dmabuf_size, BPRI_MED);
                if (mp0 == NULL) {
                        MWL_DBG(MWL_DBG_RX, "mwl: mwl_rx_intr(): "
                            "alloc mblk error\n");
                        sc->sc_rx_nobuf++;
                        goto rxnext;
                }
                bcopy(data+ 2, mp0->b_wptr, 24);
                mp0->b_wptr += 24;
                bcopy(data + 32, mp0->b_wptr, len - 32);
                mp0->b_wptr += (len - 32);

                wh = (struct ieee80211_frame *)mp0->b_rptr;
                if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
                    IEEE80211_FC0_TYPE_CTL) {
                        freemsg(mp0);
                        goto rxnext;
                }

                /*
                 * The f/w strips WEP header but doesn't clear
                 * the WEP bit; mark the packet with M_WEP so
                 * net80211 will treat the data as decrypted.
                 * While here also clear the PWR_MGT bit since
                 * power save is handled by the firmware and
                 * passing this up will potentially cause the
                 * upper layer to put a station in power save
                 * (except when configured with MWL_HOST_PS_SUPPORT).
                 */
#ifdef MWL_HOST_PS_SUPPORT
                wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
#else
                wh->i_fc[1] &= ~(IEEE80211_FC1_WEP | IEEE80211_FC1_PWR_MGT);
#endif

                /* calculate rssi early so we can re-use for each aggregate */
                rssi = cvtrssi(ds->RSSI);

                ni = ieee80211_find_rxnode(ic, wh);

                /* send the frame to the 802.11 layer */
                (void) ieee80211_input(ic, mp0, ni, rssi, 0);
                ieee80211_free_node(ni);
rxnext:
                /*
                 * Setup descriptor.
                 */
                ds->QosCtrl = 0;
                ds->RSSI = 0;
                ds->Status = EAGLE_RXD_STATUS_IDLE;
                ds->Channel = 0;
                ds->PktLen = LE_16(MWL_AGGR_SIZE);
                ds->SQ2 = 0;
                ds->pPhysBuffData = bf->bf_baddr;
                /* NB: don't touch pPhysNext, set once */
                ds->RxControl = EAGLE_RXD_CTRL_DRIVER_OWN;

                (void) ddi_dma_sync(ring->rxdesc_dma.dma_hdl,
                    ring->cur * sizeof (struct mwl_rxdesc),
                    sizeof (struct mwl_rxdesc),
                    DDI_DMA_SYNC_FORDEV);

                /* NB: ignore ENOMEM so we process more descriptors */
                ring->cur = (ring->cur + 1) % MWL_RX_RING_COUNT;
        }

        MWL_RXUNLOCK(sc);
}

/*ARGSUSED*/
static uint_t
mwl_softintr(caddr_t data, caddr_t unused)
{
        struct mwl_softc *sc = (struct mwl_softc *)data;

        /*
         * Check if the soft interrupt is triggered by another
         * driver at the same level.
         */
        MWL_GLOCK(sc);
        if (sc->sc_rx_pend) {
                sc->sc_rx_pend = 0;
                MWL_GUNLOCK(sc);
                mwl_rx_intr(sc);
                return (DDI_INTR_CLAIMED);
        }
        MWL_GUNLOCK(sc);

        return (DDI_INTR_UNCLAIMED);
}

/*ARGSUSED*/
static uint_t
mwl_intr(caddr_t arg, caddr_t unused)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        uint32_t status;

        MWL_GLOCK(sc);

        if (!MWL_IS_RUNNING(sc) || MWL_IS_SUSPEND(sc)) {
                MWL_GUNLOCK(sc);
                return (DDI_INTR_UNCLAIMED);
        }

        /*
         * Figure out the reason(s) for the interrupt.
         */
        mwl_hal_getisr(sc, &status);            /* NB: clears ISR too */
        if (status == 0) {
                MWL_GUNLOCK(sc);
                return (DDI_INTR_UNCLAIMED);
        }

        if (status & MACREG_A2HRIC_BIT_RX_RDY) {
                sc->sc_rx_pend = 1;
                (void) ddi_intr_trigger_softint(sc->sc_softintr_hdl, NULL);
        }
        if (status & MACREG_A2HRIC_BIT_TX_DONE) {
                mwl_tx_intr(sc);
        }
        if (status & MACREG_A2HRIC_BIT_BA_WATCHDOG) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "ba watchdog\n");
        }
        if (status & MACREG_A2HRIC_BIT_OPC_DONE) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "opc done\n");
        }
        if (status & MACREG_A2HRIC_BIT_MAC_EVENT) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "mac event\n");
        }
        if (status & MACREG_A2HRIC_BIT_ICV_ERROR) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "ICV error\n");
        }
        if (status & MACREG_A2HRIC_BIT_QUEUE_EMPTY) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "queue empty\n");
        }
        if (status & MACREG_A2HRIC_BIT_QUEUE_FULL) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "queue full\n");
        }
        if (status & MACREG_A2HRIC_BIT_RADAR_DETECT) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "radar detect\n");
        }
        if (status & MACREG_A2HRIC_BIT_CHAN_SWITCH) {
                MWL_DBG(MWL_DBG_INTR, "mwl: mwl_intr(): "
                    "chan switch\n");
        }

        MWL_GUNLOCK(sc);

        return (DDI_INTR_CLAIMED);
}

static int
mwl_init(struct mwl_softc *sc)
{
        struct ieee80211com *ic = &sc->sc_ic;
        int err = 0;

        mwl_hal_intrset(sc, 0);

        sc->sc_txantenna = 0;           /* h/w default */
        sc->sc_rxantenna = 0;           /* h/w default */

        err = mwl_hal_setantenna(sc, WL_ANTENNATYPE_RX, sc->sc_rxantenna);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: mwl_init(): "
                    "could not set rx antenna\n");
                goto fail;
        }

        err = mwl_hal_setantenna(sc, WL_ANTENNATYPE_TX, sc->sc_txantenna);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set tx antenna\n");
                goto fail;
        }

        err = mwl_hal_setradio(sc, 1, WL_AUTO_PREAMBLE);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set radio\n");
                goto fail;
        }

        err = mwl_hal_setwmm(sc, (ic->ic_flags & IEEE80211_F_WME) != 0);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set wme\n");
                goto fail;
        }

        /* select default channel */
        ic->ic_ibss_chan = &ic->ic_sup_channels[0];
        ic->ic_curchan = ic->ic_ibss_chan;
        sc->sc_cur_chan = &sc->sc_channels[1];

        err = mwl_chan_set(sc, sc->sc_cur_chan);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set wme\n");
                goto fail;
        }

        err = mwl_hal_setrateadaptmode(sc, 0);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set rate adapt mode\n");
                goto fail;
        }

        err = mwl_hal_setoptimizationlevel(sc,
            (ic->ic_flags & IEEE80211_F_BURST) != 0);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set optimization level\n");
                goto fail;
        }

        err = mwl_hal_setregioncode(sc, mwl_map2regioncode(&sc->sc_regdomain));
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set regioncode\n");
                goto fail;
        }

        err = mwl_startrecv(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set start recv logic\n");
                goto fail;
        }

        /*
         * Enable interrupts.
         */
        sc->sc_imask = MACREG_A2HRIC_BIT_RX_RDY
            | MACREG_A2HRIC_BIT_TX_DONE
            | MACREG_A2HRIC_BIT_OPC_DONE
            | MACREG_A2HRIC_BIT_ICV_ERROR
            | MACREG_A2HRIC_BIT_RADAR_DETECT
            | MACREG_A2HRIC_BIT_CHAN_SWITCH
            | MACREG_A2HRIC_BIT_BA_WATCHDOG
            | MACREQ_A2HRIC_BIT_TX_ACK;

        mwl_hal_intrset(sc, sc->sc_imask);

        err = mwl_hal_start(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not get hal start\n");
                goto fail;
        }

        err = mwl_hal_setinframode(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: init(): "
                    "could not set infra mode\n");
                goto fail;
        }

fail:
        return (err);
}

static int
mwl_resume(struct mwl_softc *sc)
{
        int qid, err = 0;

        err = mwl_fwload(sc, NULL);
        if (err != 0) {
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                    "failed to load fw\n");
                goto fail;
        }

        err = mwl_gethwspecs(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                    "failed to get hw spec\n");
                goto fail;
        }

        err = mwl_alloc_rx_ring(sc, MWL_RX_RING_COUNT);
        if (err != 0) {
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                    "could not alloc cmd dma buffer\n");
                goto fail;
        }

        for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++) {
                err = mwl_alloc_tx_ring(sc,
                    &sc->sc_txring[qid], MWL_TX_RING_COUNT);
                if (err != 0) {
                        MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                            "could not alloc tx ring %d\n", qid);
                        goto fail;
                }
        }

        err = mwl_setupdma(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                    "could not setup dma\n");
                goto fail;
        }

        err = mwl_setup_txq(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_resume(): "
                    "could not setup txq\n");
                goto fail;
        }

fail:
        return (err);
}

static void
mwl_stop(struct mwl_softc *sc)
{
        int err;

        /* by pass if it's quiesced */
        if (!MWL_IS_QUIESCE(sc))
                MWL_GLOCK(sc);

        err = mwl_hal_stop(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_HW, "mwl: mwl_stop(): "
                    "could not stop hw\n");
        }

        /* by pass if it's quiesced */
        if (!MWL_IS_QUIESCE(sc))
                MWL_GUNLOCK(sc);
}

static int
mwl_m_stat(void *arg, uint_t stat, uint64_t *val)
{
        struct mwl_softc *sc  = (struct mwl_softc *)arg;
        struct ieee80211com *ic = &sc->sc_ic;
        struct ieee80211_node *ni = NULL;
        struct ieee80211_rateset *rs = NULL;

        MWL_GLOCK(sc);
        switch (stat) {
        case MAC_STAT_IFSPEED:
                ni = ic->ic_bss;
                rs = &ni->in_rates;
                *val = ((ic->ic_fixed_rate == IEEE80211_FIXED_RATE_NONE) ?
                    (rs->ir_rates[ni->in_txrate] & IEEE80211_RATE_VAL)
                    : ic->ic_fixed_rate) / 2 * 1000000;
                break;
        case MAC_STAT_NOXMTBUF:
                *val = sc->sc_tx_nobuf;
                break;
        case MAC_STAT_NORCVBUF:
                *val = sc->sc_rx_nobuf;
                break;
        case MAC_STAT_IERRORS:
                *val = sc->sc_rx_err;
                break;
        case MAC_STAT_RBYTES:
                *val = ic->ic_stats.is_rx_bytes;
                break;
        case MAC_STAT_IPACKETS:
                *val = ic->ic_stats.is_rx_frags;
                break;
        case MAC_STAT_OBYTES:
                *val = ic->ic_stats.is_tx_bytes;
                break;
        case MAC_STAT_OPACKETS:
                *val = ic->ic_stats.is_tx_frags;
                break;
        case MAC_STAT_OERRORS:
        case WIFI_STAT_TX_FAILED:
                *val = sc->sc_tx_err;
                break;
        case WIFI_STAT_TX_RETRANS:
                *val = sc->sc_tx_retries;
                break;
        case WIFI_STAT_FCS_ERRORS:
        case WIFI_STAT_WEP_ERRORS:
        case WIFI_STAT_TX_FRAGS:
        case WIFI_STAT_MCAST_TX:
        case WIFI_STAT_RTS_SUCCESS:
        case WIFI_STAT_RTS_FAILURE:
        case WIFI_STAT_ACK_FAILURE:
        case WIFI_STAT_RX_FRAGS:
        case WIFI_STAT_MCAST_RX:
        case WIFI_STAT_RX_DUPS:
                MWL_GUNLOCK(sc);
                return (ieee80211_stat(ic, stat, val));
        default:
                MWL_GUNLOCK(sc);
                return (ENOTSUP);
        }

        MWL_GUNLOCK(sc);
        return (0);
}

static int
mwl_m_start(void *arg)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        struct ieee80211com *ic = &sc->sc_ic;
        int err;

        err = mwl_init(sc);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_HW, "mwl: mwl_m_start():"
                    "Hardware initialization failed\n");
                goto fail1;
        }

        ieee80211_new_state(ic, IEEE80211_S_INIT, -1);

        MWL_GLOCK(sc);
        sc->sc_flags |= MWL_F_RUNNING;
        MWL_GUNLOCK(sc);

        return (0);
fail1:
        mwl_stop(sc);
        return (err);
}

static void
mwl_m_stop(void *arg)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;

        mwl_stop(sc);

        ieee80211_new_state(&sc->sc_ic, IEEE80211_S_INIT, -1);

        MWL_GLOCK(sc);
        sc->sc_flags &= ~MWL_F_RUNNING;
        MWL_GUNLOCK(sc);
}

/*ARGSUSED*/
static int
mwl_m_promisc(void *arg, boolean_t on)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        int err;

        err = mwl_hal_setpromisc(sc, on);

        return (err);
}

/*ARGSUSED*/
static int
mwl_m_multicst(void *arg, boolean_t add, const uint8_t *mca)
{
        return (ENOTSUP);
}

/*ARGSUSED*/
static int
mwl_m_unicst(void *arg, const uint8_t *macaddr)
{
        return (ENOTSUP);
}

static mblk_t *
mwl_m_tx(void *arg, mblk_t *mp)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        struct ieee80211com *ic = &sc->sc_ic;
        mblk_t *next;

        if (MWL_IS_SUSPEND(sc)) {
                freemsgchain(mp);
                return (NULL);
        }

        /*
         * No data frames go out unless we're associated; this
         * should not happen as the 802.11 layer does not enable
         * the xmit queue until we enter the RUN state.
         */
        if (ic->ic_state != IEEE80211_S_RUN) {
                MWL_DBG(MWL_DBG_TX, "mwl: mwl_m_tx(): "
                    "discard, state %u\n", ic->ic_state);
                freemsgchain(mp);
                return (NULL);
        }

        while (mp != NULL) {
                next = mp->b_next;
                mp->b_next = NULL;
                if (mwl_send(ic, mp, IEEE80211_FC0_TYPE_DATA) !=
                    DDI_SUCCESS) {
                        mp->b_next = next;
                        break;
                }
                mp = next;
        }
        return (mp);
}

static void
mwl_m_ioctl(void* arg, queue_t *wq, mblk_t *mp)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        struct ieee80211com *ic = &sc->sc_ic;
        int err;

        err = ieee80211_ioctl(ic, wq, mp);
        if (err == ENETRESET) {
                if (ic->ic_des_esslen) {
                        if (MWL_IS_RUNNING(sc)) {
                                (void) mwl_init(sc);
                                (void) ieee80211_new_state(ic,
                                    IEEE80211_S_SCAN, -1);
                        }
                }
        }
}

/*
 * Call back function for get/set proporty
 */
static int
mwl_m_getprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
    uint_t wldp_length, void *wldp_buf)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        int err = 0;

        err = ieee80211_getprop(&sc->sc_ic, pr_name, wldp_pr_num,
            wldp_length, wldp_buf);

        return (err);
}

static void
mwl_m_propinfo(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
    mac_prop_info_handle_t prh)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;

        ieee80211_propinfo(&sc->sc_ic, pr_name, wldp_pr_num, prh);
}

static int
mwl_m_setprop(void *arg, const char *pr_name, mac_prop_id_t wldp_pr_num,
    uint_t wldp_length, const void *wldp_buf)
{
        struct mwl_softc *sc = (struct mwl_softc *)arg;
        ieee80211com_t *ic = &sc->sc_ic;
        int err;

        err = ieee80211_setprop(ic, pr_name, wldp_pr_num, wldp_length,
            wldp_buf);
        if (err == ENETRESET) {
                if (ic->ic_des_esslen) {
                        if (MWL_IS_RUNNING(sc)) {
                                (void) mwl_init(sc);
                                (void) ieee80211_new_state(ic,
                                    IEEE80211_S_SCAN, -1);
                        }
                }
                err = 0;
        }
        return (err);
}

static int
mwl_attach(dev_info_t *devinfo, ddi_attach_cmd_t cmd)
{
        struct mwl_softc *sc;
        struct ieee80211com *ic;
        int i, err, qid, instance;
        int intr_type, intr_count, intr_actual;
        char strbuf[32];
        uint8_t csz;
        uint16_t vendor_id, device_id, command;

        wifi_data_t wd = { 0 };
        mac_register_t *macp;

        switch (cmd) {
        case DDI_ATTACH:
                break;
        case DDI_RESUME:
                sc = ddi_get_soft_state(mwl_soft_state_p,
                    ddi_get_instance(devinfo));
                ASSERT(sc != NULL);
                MWL_GLOCK(sc);
                sc->sc_flags &= ~MWL_F_SUSPEND;
                MWL_GUNLOCK(sc);
                if (mwl_resume(sc) != 0) {
                        MWL_DBG(MWL_DBG_SR, "mwl: mwl_attach(): "
                            "failed to resume\n");
                        return (DDI_FAILURE);
                }
                if (MWL_IS_RUNNING(sc)) {
                        (void) mwl_init(sc);
                        ieee80211_new_state(&sc->sc_ic, IEEE80211_S_INIT, -1);
                }
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_attach(): "
                    "resume now\n");
                return (DDI_SUCCESS);
        default:
                return (DDI_FAILURE);
        }

        instance = ddi_get_instance(devinfo);
        if (ddi_soft_state_zalloc(mwl_soft_state_p,
            ddi_get_instance(devinfo)) != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "Unable to alloc soft state\n");
                return (DDI_FAILURE);
        }

        sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(devinfo));
        ic = &sc->sc_ic;
        sc->sc_dev = devinfo;

        /* PCI configuration space */
        err = ddi_regs_map_setup(devinfo, 0, (caddr_t *)&sc->sc_cfg_base, 0, 0,
            &mwl_reg_accattr, &sc->sc_cfg_handle);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_regs_map_setup() failed");
                goto attach_fail0;
        }
        csz = ddi_get8(sc->sc_cfg_handle,
            (uint8_t *)(sc->sc_cfg_base + PCI_CONF_CACHE_LINESZ));
        if (!csz)
                csz = 16;
        sc->sc_cachelsz = csz << 2;
        sc->sc_dmabuf_size = roundup(IEEE80211_MAX_LEN, sc->sc_cachelsz);
        vendor_id = ddi_get16(sc->sc_cfg_handle,
            (uint16_t *)(sc->sc_cfg_base + PCI_CONF_VENID));
        device_id = ddi_get16(sc->sc_cfg_handle,
            (uint16_t *)(sc->sc_cfg_base + PCI_CONF_DEVID));
        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
            "vendor 0x%x, device id 0x%x, cache size %d\n",
            vendor_id, device_id, csz);

        /*
         * Enable response to memory space accesses,
         * and enabe bus master.
         */
        command = PCI_COMM_MAE | PCI_COMM_ME;
        ddi_put16(sc->sc_cfg_handle,
            (uint16_t *)((uintptr_t)(sc->sc_cfg_base) + PCI_CONF_COMM),
            command);
        ddi_put8(sc->sc_cfg_handle,
            (uint8_t *)(sc->sc_cfg_base + PCI_CONF_LATENCY_TIMER), 0xa8);
        ddi_put8(sc->sc_cfg_handle,
            (uint8_t *)(sc->sc_cfg_base + PCI_CONF_ILINE), 0x10);

        /* BAR0 */
        err = ddi_regs_map_setup(devinfo, 1,
            &sc->sc_mem_base, 0, 0, &mwl_reg_accattr, &sc->sc_mem_handle);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "i/o space failed");
                goto attach_fail1;
        }

        /* BAR1 */
        err = ddi_regs_map_setup(devinfo, 2,
            &sc->sc_io_base, 0, 0, &mwl_reg_accattr, &sc->sc_io_handle);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "memory space failed");
                goto attach_fail2;
        }

        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
            "PCI configuration is done successfully\n");

        /*
         * Alloc cmd DMA buffer for firmware download
         */
        err = mwl_alloc_cmdbuf(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "could not alloc cmd dma buffer\n");
                goto attach_fail3;
        }

        sc->sc_imask = 0;
        sc->sc_hw_flags = 0;
        sc->sc_flags = 0;

        /*
         * Some cards have SDRAM.  When loading firmware we need
         * to reset the SDRAM controller prior to doing this.
         * When the SDRAMSIZE is non-zero we do that work in
         * mwl_hal_fwload.
         */
        switch (device_id) {
        case 0x2a02:            /* CB82 */
        case 0x2a03:            /* CB85 */
        case 0x2a08:            /* MC85_B1 */
        case 0x2a0b:            /* CB85AP */
        case 0x2a24:
                sc->sc_SDRAMSIZE_Addr = 0x40fe70b7;     /* 8M SDRAM */
                break;
        case 0x2a04:            /* MC85 */
                sc->sc_SDRAMSIZE_Addr = 0x40fc70b7;     /* 16M SDRAM */
                break;
        default:
                break;
        }

        err = mwl_fwload(sc, NULL);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "firmware download failed\n");
                goto attach_fail4;
        }

        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
            "firmware download successfully\n");

        err = mwl_gethwspecs(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "failed to get hw spec\n");
                goto attach_fail4;
        }

        err = mwl_getchannels(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "failed to get channels\n");
                goto attach_fail4;
        }

        /*
         * Alloc rx DMA buffer
         */
        err = mwl_alloc_rx_ring(sc, MWL_RX_RING_COUNT);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "could not alloc cmd dma buffer\n");
                goto attach_fail5;
        }

        /*
         * Alloc rx DMA buffer
         */
        for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++) {
                err = mwl_alloc_tx_ring(sc,
                    &sc->sc_txring[qid], MWL_TX_RING_COUNT);
                if (err != 0) {
                        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                            "could not alloc tx ring %d\n", qid);
                        goto attach_fail6;
                }
        }

        err = mwl_setupdma(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "could not setup dma\n");
                goto attach_fail6;
        }

        err = mwl_setup_txq(sc);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "could not setup txq\n");
                goto attach_fail6;
        }

        IEEE80211_ADDR_COPY(ic->ic_macaddr, sc->sc_hwspecs.macAddr);
        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
            "mwl MAC:%2x:%2x:%2x:%2x:%2x:%2x\n",
            ic->ic_macaddr[0],
            ic->ic_macaddr[1],
            ic->ic_macaddr[2],
            ic->ic_macaddr[3],
            ic->ic_macaddr[4],
            ic->ic_macaddr[5]);

        err = mwl_hal_setmac_locked(sc, ic->ic_macaddr);
        if (err != 0) {                 /* NB: mwl_setupdma prints msg */
                MWL_DBG(MWL_DBG_ATTACH, "mwl: attach(): "
                    "could not set mac\n");
                goto attach_fail6;
        }

        mutex_init(&sc->sc_glock, NULL, MUTEX_DRIVER, NULL);
        mutex_init(&sc->sc_rxlock, NULL, MUTEX_DRIVER, NULL);
        mutex_init(&sc->sc_txlock, NULL, MUTEX_DRIVER, NULL);


        /* set supported rates */
        ic->ic_sup_rates[IEEE80211_MODE_11B] = mwl_rateset_11b;
        ic->ic_sup_rates[IEEE80211_MODE_11G] = mwl_rateset_11g;

        /* set supported .11b and .11g channels (1 through 14) */
        for (i = 1; i <= 14; i++) {
                ic->ic_sup_channels[i].ich_freq =
                    ieee80211_ieee2mhz(i, IEEE80211_CHAN_2GHZ);
                ic->ic_sup_channels[i].ich_flags =
                    IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
        }

        ic->ic_phytype = IEEE80211_T_OFDM; /* not only, but not used */
        ic->ic_opmode = IEEE80211_M_STA; /* default to BSS mode */
        ic->ic_state = IEEE80211_S_INIT;

        /* set device capabilities */
        ic->ic_caps =
            IEEE80211_C_TXPMGT |        /* tx power management */
            IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
            IEEE80211_C_SHSLOT;         /* short slot time supported */

        /* WPA/WPA2 support */
        ic->ic_caps |= IEEE80211_C_WPA; /* Support WPA/WPA2 */

        /* Enable hardware encryption */
        ic->ic_caps |= IEEE80211_C_WEP | IEEE80211_C_TKIP | IEEE80211_C_AES_CCM;

        ic->ic_xmit = mwl_send;

        ieee80211_attach(ic);

        /* register WPA door */
        ieee80211_register_door(ic, ddi_driver_name(devinfo),
            ddi_get_instance(devinfo));

        /* override state transition machine */
        sc->sc_newstate = ic->ic_newstate;
        ic->ic_newstate = mwl_newstate;
        ic->ic_node_alloc = mwl_node_alloc;
        ic->ic_node_free = mwl_node_free;
        ic->ic_crypto.cs_max_keyix = 0;
        ic->ic_crypto.cs_key_alloc = mwl_key_alloc;
        ic->ic_crypto.cs_key_delete = mwl_key_delete;
        ic->ic_crypto.cs_key_set = mwl_key_set;

        ieee80211_media_init(ic);

        ic->ic_def_txkey = 0;

        err = mwl_hal_newstation(sc, ic->ic_macaddr, 0, 0, NULL, 0, 0);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: attach(): "
                    "could not create new station\n");
                goto attach_fail7;
        }

        IEEE80211_ADDR_COPY(ic->ic_bss->in_bssid, ic->ic_macaddr);
        // mwl_setglobalkeys(ic);

        err = ddi_intr_get_supported_types(devinfo, &intr_type);
        if ((err != DDI_SUCCESS) || (!(intr_type & DDI_INTR_TYPE_FIXED))) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "fixed type interrupt is not supported\n");
                goto attach_fail7;
        }

        err = ddi_intr_get_nintrs(devinfo, DDI_INTR_TYPE_FIXED, &intr_count);
        if ((err != DDI_SUCCESS) || (intr_count != 1)) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "no fixed interrupts\n");
                goto attach_fail7;
        }

        sc->sc_intr_htable = kmem_zalloc(sizeof (ddi_intr_handle_t), KM_SLEEP);

        err = ddi_intr_alloc(devinfo, sc->sc_intr_htable,
            DDI_INTR_TYPE_FIXED, 0, intr_count, &intr_actual, 0);
        if ((err != DDI_SUCCESS) || (intr_actual != 1)) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_intr_alloc() failed 0x%x\n", err);
                goto attach_fail8;
        }

        err = ddi_intr_get_pri(sc->sc_intr_htable[0], &sc->sc_intr_pri);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_intr_get_pri() failed 0x%x\n", err);
                goto attach_fail9;
        }

        err = ddi_intr_add_softint(devinfo, &sc->sc_softintr_hdl,
            DDI_INTR_SOFTPRI_MAX, mwl_softintr, (caddr_t)sc);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_add_softintr() failed");
                goto attach_fail9;
        }

        err = ddi_intr_add_handler(sc->sc_intr_htable[0], mwl_intr,
            (caddr_t)sc, NULL);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_intr_addr_handle() failed\n");
                goto attach_fail10;
        }

        err = ddi_intr_enable(sc->sc_intr_htable[0]);
        if (err != DDI_SUCCESS) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "ddi_intr_enable() failed\n");
                goto attach_fail11;
        }

        /*
         * Provide initial settings for the WiFi plugin; whenever this
         * information changes, we need to call mac_plugindata_update()
         */
        wd.wd_opmode = ic->ic_opmode;
        wd.wd_secalloc = WIFI_SEC_NONE;
        IEEE80211_ADDR_COPY(wd.wd_bssid, ic->ic_bss->in_bssid);

        if ((macp = mac_alloc(MAC_VERSION)) == NULL) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "MAC version mismatch\n");
                goto attach_fail12;
        }

        macp->m_type_ident      = MAC_PLUGIN_IDENT_WIFI;
        macp->m_driver          = sc;
        macp->m_dip             = devinfo;
        macp->m_src_addr        = ic->ic_macaddr;
        macp->m_callbacks       = &mwl_m_callbacks;
        macp->m_min_sdu         = 0;
        macp->m_max_sdu         = IEEE80211_MTU;
        macp->m_pdata           = &wd;
        macp->m_pdata_size      = sizeof (wd);

        err = mac_register(macp, &ic->ic_mach);
        mac_free(macp);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "mac_register err %x\n", err);
                goto attach_fail12;
        }

        /*
         * Create minor node of type DDI_NT_NET_WIFI
         */
        (void) snprintf(strbuf, sizeof (strbuf), "%s%d",
            "mwl", instance);
        err = ddi_create_minor_node(devinfo, strbuf, S_IFCHR,
            instance + 1, DDI_NT_NET_WIFI, 0);
        if (err != 0) {
                MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
                    "create minor node error\n");
                goto attach_fail13;
        }

        /*
         * Notify link is down now
         */
        mac_link_update(ic->ic_mach, LINK_STATE_DOWN);

        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_attach(): "
            "driver attach successfully\n");
        return (DDI_SUCCESS);

attach_fail13:
        (void) mac_disable(ic->ic_mach);
        (void) mac_unregister(ic->ic_mach);
attach_fail12:
        (void) ddi_intr_disable(sc->sc_intr_htable[0]);
attach_fail11:
        (void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
attach_fail10:
        (void) ddi_intr_remove_softint(sc->sc_softintr_hdl);
        sc->sc_softintr_hdl = NULL;
attach_fail9:
        (void) ddi_intr_free(sc->sc_intr_htable[0]);
attach_fail8:
        kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));
attach_fail7:
        mutex_destroy(&sc->sc_txlock);
        mutex_destroy(&sc->sc_rxlock);
        mutex_destroy(&sc->sc_glock);
attach_fail6:
        while (--qid >= 0)
                mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
attach_fail5:
        mwl_free_rx_ring(sc);
attach_fail4:
        mwl_free_cmdbuf(sc);
attach_fail3:
        ddi_regs_map_free(&sc->sc_mem_handle);
attach_fail2:
        ddi_regs_map_free(&sc->sc_io_handle);
attach_fail1:
        ddi_regs_map_free(&sc->sc_cfg_handle);
attach_fail0:
        ddi_soft_state_free(mwl_soft_state_p, ddi_get_instance(devinfo));
        return (DDI_FAILURE);
}

static int32_t
mwl_detach(dev_info_t *devinfo, ddi_detach_cmd_t cmd)
{
        struct mwl_softc *sc;
        int qid;

        sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(devinfo));
        ASSERT(sc != NULL);

        switch (cmd) {
        case DDI_DETACH:
                break;
        case DDI_SUSPEND:
                if (MWL_IS_RUNNING(sc))
                        mwl_stop(sc);
                for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++)
                        mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
                mwl_free_rx_ring(sc);
                MWL_GLOCK(sc);
                sc->sc_flags |= MWL_F_SUSPEND;
                MWL_GUNLOCK(sc);
                MWL_DBG(MWL_DBG_SR, "mwl: mwl_detach(): "
                    "suspend now\n");
                return (DDI_SUCCESS);
        default:
                return (DDI_FAILURE);
        }

        if (mac_disable(sc->sc_ic.ic_mach) != 0)
                return (DDI_FAILURE);

        /*
         * Unregister from the MAC layer subsystem
         */
        (void) mac_unregister(sc->sc_ic.ic_mach);

        (void) ddi_intr_remove_softint(sc->sc_softintr_hdl);
        sc->sc_softintr_hdl = NULL;
        (void) ddi_intr_disable(sc->sc_intr_htable[0]);
        (void) ddi_intr_remove_handler(sc->sc_intr_htable[0]);
        (void) ddi_intr_free(sc->sc_intr_htable[0]);
        kmem_free(sc->sc_intr_htable, sizeof (ddi_intr_handle_t));

        /*
         * detach ieee80211 layer
         */
        ieee80211_detach(&sc->sc_ic);


        for (qid = 0; qid < MWL_NUM_TX_QUEUES; qid++)
                mwl_free_tx_ring(sc, &sc->sc_txring[qid]);
        mwl_free_rx_ring(sc);
        mwl_free_cmdbuf(sc);

        mutex_destroy(&sc->sc_txlock);
        mutex_destroy(&sc->sc_rxlock);
        mutex_destroy(&sc->sc_glock);

        ddi_regs_map_free(&sc->sc_mem_handle);
        ddi_regs_map_free(&sc->sc_io_handle);
        ddi_regs_map_free(&sc->sc_cfg_handle);

        ddi_remove_minor_node(devinfo, NULL);
        ddi_soft_state_free(mwl_soft_state_p, ddi_get_instance(devinfo));

        MWL_DBG(MWL_DBG_ATTACH, "mwl: mwl_detach(): "
            "detach successfully\n");
        return (DDI_SUCCESS);
}

/*
 * quiesce(9E) entry point.
 *
 * This function is called when the system is single-threaded at high
 * PIL with preemption disabled. Therefore, this function must not be
 * blocked.
 *
 * This function returns DDI_SUCCESS on success, or DDI_FAILURE on failure.
 * DDI_FAILURE indicates an error condition and should almost never happen.
 */
int
mwl_quiesce(dev_info_t *dip)
{
        struct mwl_softc *sc;

        sc = ddi_get_soft_state(mwl_soft_state_p, ddi_get_instance(dip));
        if (sc == NULL)
                return (DDI_FAILURE);

#ifdef DEBUG
        mwl_dbg_flags = 0;
#endif

        /*
         * No more blocking is allowed while we are in quiesce(9E) entry point
         */
        sc->sc_flags |= MWL_F_QUIESCE;

        /*
         * Disable all interrupts
         */
        mwl_stop(sc);
        return (DDI_SUCCESS);
}

int
_init(void)
{
        int status;

        status = ddi_soft_state_init(&mwl_soft_state_p,
            sizeof (struct mwl_softc), 1);
        if (status != 0)
                return (status);

        mac_init_ops(&mwl_dev_ops, "mwl");
        status = mod_install(&modlinkage);
        if (status != 0) {
                mac_fini_ops(&mwl_dev_ops);
                ddi_soft_state_fini(&mwl_soft_state_p);
        }
        return (status);
}

int
_info(struct modinfo *modinfop)
{
        return (mod_info(&modlinkage, modinfop));
}

int
_fini(void)
{
        int status;

        status = mod_remove(&modlinkage);
        if (status == 0) {
                mac_fini_ops(&mwl_dev_ops);
                ddi_soft_state_fini(&mwl_soft_state_p);
        }
        return (status);
}