1 // SPDX-License-Identifier: ISC
2 /* Copyright (C) 2020 MediaTek Inc. */
3 
4 #include <linux/firmware.h>
5 #include <linux/fs.h>
6 #include "mt7921.h"
7 #include "mt7921_trace.h"
8 #include "mcu.h"
9 #include "mac.h"
10 
11 struct mt7921_patch_hdr {
12 	char build_date[16];
13 	char platform[4];
14 	__be32 hw_sw_ver;
15 	__be32 patch_ver;
16 	__be16 checksum;
17 	u16 reserved;
18 	struct {
19 		__be32 patch_ver;
20 		__be32 subsys;
21 		__be32 feature;
22 		__be32 n_region;
23 		__be32 crc;
24 		u32 reserved[11];
25 	} desc;
26 } __packed;
27 
28 struct mt7921_patch_sec {
29 	__be32 type;
30 	__be32 offs;
31 	__be32 size;
32 	union {
33 		__be32 spec[13];
34 		struct {
35 			__be32 addr;
36 			__be32 len;
37 			__be32 sec_key_idx;
38 			__be32 align_len;
39 			u32 reserved[9];
40 		} info;
41 	};
42 } __packed;
43 
44 struct mt7921_fw_trailer {
45 	u8 chip_id;
46 	u8 eco_code;
47 	u8 n_region;
48 	u8 format_ver;
49 	u8 format_flag;
50 	u8 reserved[2];
51 	char fw_ver[10];
52 	char build_date[15];
53 	u32 crc;
54 } __packed;
55 
56 struct mt7921_fw_region {
57 	__le32 decomp_crc;
58 	__le32 decomp_len;
59 	__le32 decomp_blk_sz;
60 	u8 reserved[4];
61 	__le32 addr;
62 	__le32 len;
63 	u8 feature_set;
64 	u8 reserved1[15];
65 } __packed;
66 
67 #define MT_STA_BFER			BIT(0)
68 #define MT_STA_BFEE			BIT(1)
69 
70 #define PATCH_SEC_ENC_TYPE_MASK		GENMASK(31, 24)
71 #define PATCH_SEC_ENC_TYPE_PLAIN		0x00
72 #define PATCH_SEC_ENC_TYPE_AES			0x01
73 #define PATCH_SEC_ENC_TYPE_SCRAMBLE		0x02
74 #define PATCH_SEC_ENC_SCRAMBLE_INFO_MASK	GENMASK(15, 0)
75 #define PATCH_SEC_ENC_AES_KEY_MASK		GENMASK(7, 0)
76 
77 static int
78 mt7921_mcu_parse_eeprom(struct mt76_dev *dev, struct sk_buff *skb)
79 {
80 	struct mt7921_mcu_eeprom_info *res;
81 	u8 *buf;
82 
83 	if (!skb)
84 		return -EINVAL;
85 
86 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
87 
88 	res = (struct mt7921_mcu_eeprom_info *)skb->data;
89 	buf = dev->eeprom.data + le32_to_cpu(res->addr);
90 	memcpy(buf, res->data, 16);
91 
92 	return 0;
93 }
94 
95 int mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd,
96 			      struct sk_buff *skb, int seq)
97 {
98 	int mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
99 	struct mt7921_mcu_rxd *rxd;
100 	int ret = 0;
101 
102 	if (!skb) {
103 		dev_err(mdev->dev, "Message %08x (seq %d) timeout\n",
104 			cmd, seq);
105 		mt7921_reset(mdev);
106 
107 		return -ETIMEDOUT;
108 	}
109 
110 	rxd = (struct mt7921_mcu_rxd *)skb->data;
111 	if (seq != rxd->seq)
112 		return -EAGAIN;
113 
114 	if (cmd == MCU_CMD(PATCH_SEM_CONTROL)) {
115 		skb_pull(skb, sizeof(*rxd) - 4);
116 		ret = *skb->data;
117 	} else if (cmd == MCU_EXT_CMD(THERMAL_CTRL)) {
118 		skb_pull(skb, sizeof(*rxd) + 4);
119 		ret = le32_to_cpu(*(__le32 *)skb->data);
120 	} else if (cmd == MCU_EXT_CMD(EFUSE_ACCESS)) {
121 		ret = mt7921_mcu_parse_eeprom(mdev, skb);
122 	} else if (cmd == MCU_UNI_CMD(DEV_INFO_UPDATE) ||
123 		   cmd == MCU_UNI_CMD(BSS_INFO_UPDATE) ||
124 		   cmd == MCU_UNI_CMD(STA_REC_UPDATE) ||
125 		   cmd == MCU_UNI_CMD(HIF_CTRL) ||
126 		   cmd == MCU_UNI_CMD(OFFLOAD) ||
127 		   cmd == MCU_UNI_CMD(SUSPEND)) {
128 		struct mt7921_mcu_uni_event *event;
129 
130 		skb_pull(skb, sizeof(*rxd));
131 		event = (struct mt7921_mcu_uni_event *)skb->data;
132 		ret = le32_to_cpu(event->status);
133 		/* skip invalid event */
134 		if (mcu_cmd != event->cid)
135 			ret = -EAGAIN;
136 	} else if (cmd == MCU_CE_QUERY(REG_READ)) {
137 		struct mt7921_mcu_reg_event *event;
138 
139 		skb_pull(skb, sizeof(*rxd));
140 		event = (struct mt7921_mcu_reg_event *)skb->data;
141 		ret = (int)le32_to_cpu(event->val);
142 	} else {
143 		skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
144 	}
145 
146 	return ret;
147 }
148 EXPORT_SYMBOL_GPL(mt7921_mcu_parse_response);
149 
150 int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
151 			    int cmd, int *wait_seq)
152 {
153 	struct mt7921_dev *dev = container_of(mdev, struct mt7921_dev, mt76);
154 	int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
155 	struct mt7921_uni_txd *uni_txd;
156 	struct mt7921_mcu_txd *mcu_txd;
157 	__le32 *txd;
158 	u32 val;
159 	u8 seq;
160 
161 	if (cmd == MCU_UNI_CMD(HIF_CTRL) ||
162 	    cmd == MCU_UNI_CMD(SUSPEND) ||
163 	    cmd == MCU_UNI_CMD(OFFLOAD))
164 		mdev->mcu.timeout = HZ;
165 	else
166 		mdev->mcu.timeout = 3 * HZ;
167 
168 	seq = ++dev->mt76.mcu.msg_seq & 0xf;
169 	if (!seq)
170 		seq = ++dev->mt76.mcu.msg_seq & 0xf;
171 
172 	if (cmd == MCU_CMD(FW_SCATTER))
173 		goto exit;
174 
175 	txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
176 	txd = (__le32 *)skb_push(skb, txd_len);
177 
178 	val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len) |
179 	      FIELD_PREP(MT_TXD0_PKT_FMT, MT_TX_TYPE_CMD) |
180 	      FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_MCU_PORT_RX_Q0);
181 	txd[0] = cpu_to_le32(val);
182 
183 	val = MT_TXD1_LONG_FORMAT |
184 	      FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_CMD);
185 	txd[1] = cpu_to_le32(val);
186 
187 	if (cmd & __MCU_CMD_FIELD_UNI) {
188 		uni_txd = (struct mt7921_uni_txd *)txd;
189 		uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
190 		uni_txd->option = MCU_CMD_UNI_EXT_ACK;
191 		uni_txd->cid = cpu_to_le16(mcu_cmd);
192 		uni_txd->s2d_index = MCU_S2D_H2N;
193 		uni_txd->pkt_type = MCU_PKT_ID;
194 		uni_txd->seq = seq;
195 
196 		goto exit;
197 	}
198 
199 	mcu_txd = (struct mt7921_mcu_txd *)txd;
200 	mcu_txd->len = cpu_to_le16(skb->len - sizeof(mcu_txd->txd));
201 	mcu_txd->pq_id = cpu_to_le16(MCU_PQ_ID(MT_TX_PORT_IDX_MCU,
202 					       MT_TX_MCU_PORT_RX_Q0));
203 	mcu_txd->pkt_type = MCU_PKT_ID;
204 	mcu_txd->seq = seq;
205 	mcu_txd->cid = mcu_cmd;
206 	mcu_txd->s2d_index = MCU_S2D_H2N;
207 	mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
208 
209 	if (mcu_txd->ext_cid || (cmd & __MCU_CMD_FIELD_CE)) {
210 		if (cmd & __MCU_CMD_FIELD_QUERY)
211 			mcu_txd->set_query = MCU_Q_QUERY;
212 		else
213 			mcu_txd->set_query = MCU_Q_SET;
214 		mcu_txd->ext_cid_ack = !!mcu_txd->ext_cid;
215 	} else {
216 		mcu_txd->set_query = MCU_Q_NA;
217 	}
218 
219 exit:
220 	if (wait_seq)
221 		*wait_seq = seq;
222 
223 	return 0;
224 }
225 EXPORT_SYMBOL_GPL(mt7921_mcu_fill_message);
226 
227 #ifdef CONFIG_PM
228 
229 static int
230 mt7921_mcu_set_ipv6_ns_filter(struct mt76_dev *dev,
231 			      struct ieee80211_vif *vif, bool suspend)
232 {
233 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
234 	struct {
235 		struct {
236 			u8 bss_idx;
237 			u8 pad[3];
238 		} __packed hdr;
239 		struct mt76_connac_arpns_tlv arpns;
240 	} req = {
241 		.hdr = {
242 			.bss_idx = mvif->mt76.idx,
243 		},
244 		.arpns = {
245 			.tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_ND),
246 			.len = cpu_to_le16(sizeof(struct mt76_connac_arpns_tlv)),
247 			.mode = suspend,
248 		},
249 	};
250 
251 	return mt76_mcu_send_msg(dev, MCU_UNI_CMD_OFFLOAD, &req, sizeof(req),
252 				 true);
253 }
254 
255 void mt7921_mcu_set_suspend_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
256 {
257 	if (IS_ENABLED(CONFIG_IPV6)) {
258 		struct mt76_phy *phy = priv;
259 
260 		mt7921_mcu_set_ipv6_ns_filter(phy->dev, vif,
261 					      !test_bit(MT76_STATE_RUNNING,
262 					      &phy->state));
263 	}
264 
265 	mt76_connac_mcu_set_suspend_iter(priv, mac, vif);
266 }
267 
268 #endif /* CONFIG_PM */
269 
270 static void
271 mt7921_mcu_scan_event(struct mt7921_dev *dev, struct sk_buff *skb)
272 {
273 	struct mt76_phy *mphy = &dev->mt76.phy;
274 	struct mt7921_phy *phy = (struct mt7921_phy *)mphy->priv;
275 
276 	spin_lock_bh(&dev->mt76.lock);
277 	__skb_queue_tail(&phy->scan_event_list, skb);
278 	spin_unlock_bh(&dev->mt76.lock);
279 
280 	ieee80211_queue_delayed_work(mphy->hw, &phy->scan_work,
281 				     MT7921_HW_SCAN_TIMEOUT);
282 }
283 
284 static void
285 mt7921_mcu_connection_loss_iter(void *priv, u8 *mac,
286 				struct ieee80211_vif *vif)
287 {
288 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
289 	struct mt76_connac_beacon_loss_event *event = priv;
290 
291 	if (mvif->idx != event->bss_idx)
292 		return;
293 
294 	if (!(vif->driver_flags & IEEE80211_VIF_BEACON_FILTER) ||
295 	    vif->type != NL80211_IFTYPE_STATION)
296 		return;
297 
298 	ieee80211_connection_loss(vif);
299 }
300 
301 static void
302 mt7921_mcu_connection_loss_event(struct mt7921_dev *dev, struct sk_buff *skb)
303 {
304 	struct mt76_connac_beacon_loss_event *event;
305 	struct mt76_phy *mphy = &dev->mt76.phy;
306 
307 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
308 	event = (struct mt76_connac_beacon_loss_event *)skb->data;
309 
310 	ieee80211_iterate_active_interfaces_atomic(mphy->hw,
311 					IEEE80211_IFACE_ITER_RESUME_ALL,
312 					mt7921_mcu_connection_loss_iter, event);
313 }
314 
315 static void
316 mt7921_mcu_bss_event(struct mt7921_dev *dev, struct sk_buff *skb)
317 {
318 	struct mt76_phy *mphy = &dev->mt76.phy;
319 	struct mt76_connac_mcu_bss_event *event;
320 
321 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
322 	event = (struct mt76_connac_mcu_bss_event *)skb->data;
323 	if (event->is_absent)
324 		ieee80211_stop_queues(mphy->hw);
325 	else
326 		ieee80211_wake_queues(mphy->hw);
327 }
328 
329 static void
330 mt7921_mcu_debug_msg_event(struct mt7921_dev *dev, struct sk_buff *skb)
331 {
332 	struct mt7921_debug_msg {
333 		__le16 id;
334 		u8 type;
335 		u8 flag;
336 		__le32 value;
337 		__le16 len;
338 		u8 content[512];
339 	} __packed * msg;
340 
341 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
342 	msg = (struct mt7921_debug_msg *)skb->data;
343 
344 	if (msg->type == 3) { /* fw log */
345 		u16 len = min_t(u16, le16_to_cpu(msg->len), 512);
346 		int i;
347 
348 		for (i = 0 ; i < len; i++) {
349 			if (!msg->content[i])
350 				msg->content[i] = ' ';
351 		}
352 		wiphy_info(mt76_hw(dev)->wiphy, "%.*s", len, msg->content);
353 	}
354 }
355 
356 static void
357 mt7921_mcu_low_power_event(struct mt7921_dev *dev, struct sk_buff *skb)
358 {
359 	struct mt7921_mcu_lp_event {
360 		u8 state;
361 		u8 reserved[3];
362 	} __packed * event;
363 
364 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
365 	event = (struct mt7921_mcu_lp_event *)skb->data;
366 
367 	trace_lp_event(dev, event->state);
368 }
369 
370 static void
371 mt7921_mcu_tx_done_event(struct mt7921_dev *dev, struct sk_buff *skb)
372 {
373 	struct mt7921_mcu_tx_done_event *event;
374 
375 	skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
376 	event = (struct mt7921_mcu_tx_done_event *)skb->data;
377 
378 	mt7921_mac_add_txs(dev, event->txs);
379 }
380 
381 static void
382 mt7921_mcu_rx_unsolicited_event(struct mt7921_dev *dev, struct sk_buff *skb)
383 {
384 	struct mt7921_mcu_rxd *rxd = (struct mt7921_mcu_rxd *)skb->data;
385 
386 	switch (rxd->eid) {
387 	case MCU_EVENT_BSS_BEACON_LOSS:
388 		mt7921_mcu_connection_loss_event(dev, skb);
389 		break;
390 	case MCU_EVENT_SCHED_SCAN_DONE:
391 	case MCU_EVENT_SCAN_DONE:
392 		mt7921_mcu_scan_event(dev, skb);
393 		return;
394 	case MCU_EVENT_BSS_ABSENCE:
395 		mt7921_mcu_bss_event(dev, skb);
396 		break;
397 	case MCU_EVENT_DBG_MSG:
398 		mt7921_mcu_debug_msg_event(dev, skb);
399 		break;
400 	case MCU_EVENT_COREDUMP:
401 		dev->fw_assert = true;
402 		mt76_connac_mcu_coredump_event(&dev->mt76, skb,
403 					       &dev->coredump);
404 		return;
405 	case MCU_EVENT_LP_INFO:
406 		mt7921_mcu_low_power_event(dev, skb);
407 		break;
408 	case MCU_EVENT_TX_DONE:
409 		mt7921_mcu_tx_done_event(dev, skb);
410 		break;
411 	default:
412 		break;
413 	}
414 	dev_kfree_skb(skb);
415 }
416 
417 void mt7921_mcu_rx_event(struct mt7921_dev *dev, struct sk_buff *skb)
418 {
419 	struct mt7921_mcu_rxd *rxd;
420 
421 	if (skb_linearize(skb))
422 		return;
423 
424 	rxd = (struct mt7921_mcu_rxd *)skb->data;
425 
426 	if (rxd->eid == 0x6) {
427 		mt76_mcu_rx_event(&dev->mt76, skb);
428 		return;
429 	}
430 
431 	if (rxd->ext_eid == MCU_EXT_EVENT_RATE_REPORT ||
432 	    rxd->eid == MCU_EVENT_BSS_BEACON_LOSS ||
433 	    rxd->eid == MCU_EVENT_SCHED_SCAN_DONE ||
434 	    rxd->eid == MCU_EVENT_BSS_ABSENCE ||
435 	    rxd->eid == MCU_EVENT_SCAN_DONE ||
436 	    rxd->eid == MCU_EVENT_TX_DONE ||
437 	    rxd->eid == MCU_EVENT_DBG_MSG ||
438 	    rxd->eid == MCU_EVENT_COREDUMP ||
439 	    rxd->eid == MCU_EVENT_LP_INFO ||
440 	    !rxd->seq)
441 		mt7921_mcu_rx_unsolicited_event(dev, skb);
442 	else
443 		mt76_mcu_rx_event(&dev->mt76, skb);
444 }
445 
446 /** starec & wtbl **/
447 int mt7921_mcu_uni_tx_ba(struct mt7921_dev *dev,
448 			 struct ieee80211_ampdu_params *params,
449 			 bool enable)
450 {
451 	struct mt7921_sta *msta = (struct mt7921_sta *)params->sta->drv_priv;
452 
453 	if (enable && !params->amsdu)
454 		msta->wcid.amsdu = false;
455 
456 	return mt76_connac_mcu_sta_ba(&dev->mt76, &msta->vif->mt76, params,
457 				      MCU_UNI_CMD(STA_REC_UPDATE),
458 				      enable, true);
459 }
460 
461 int mt7921_mcu_uni_rx_ba(struct mt7921_dev *dev,
462 			 struct ieee80211_ampdu_params *params,
463 			 bool enable)
464 {
465 	struct mt7921_sta *msta = (struct mt7921_sta *)params->sta->drv_priv;
466 
467 	return mt76_connac_mcu_sta_ba(&dev->mt76, &msta->vif->mt76, params,
468 				      MCU_UNI_CMD(STA_REC_UPDATE),
469 				      enable, false);
470 }
471 
472 static u32 mt7921_get_data_mode(struct mt7921_dev *dev, u32 info)
473 {
474 	u32 mode = DL_MODE_NEED_RSP;
475 
476 	if (info == PATCH_SEC_NOT_SUPPORT)
477 		return mode;
478 
479 	switch (FIELD_GET(PATCH_SEC_ENC_TYPE_MASK, info)) {
480 	case PATCH_SEC_ENC_TYPE_PLAIN:
481 		break;
482 	case PATCH_SEC_ENC_TYPE_AES:
483 		mode |= DL_MODE_ENCRYPT;
484 		mode |= FIELD_PREP(DL_MODE_KEY_IDX,
485 				(info & PATCH_SEC_ENC_AES_KEY_MASK)) & DL_MODE_KEY_IDX;
486 		mode |= DL_MODE_RESET_SEC_IV;
487 		break;
488 	case PATCH_SEC_ENC_TYPE_SCRAMBLE:
489 		mode |= DL_MODE_ENCRYPT;
490 		mode |= DL_CONFIG_ENCRY_MODE_SEL;
491 		mode |= DL_MODE_RESET_SEC_IV;
492 		break;
493 	default:
494 		dev_err(dev->mt76.dev, "Encryption type not support!\n");
495 	}
496 
497 	return mode;
498 }
499 
500 static char *mt7921_patch_name(struct mt7921_dev *dev)
501 {
502 	char *ret;
503 
504 	if (is_mt7922(&dev->mt76))
505 		ret = MT7922_ROM_PATCH;
506 	else
507 		ret = MT7921_ROM_PATCH;
508 
509 	return ret;
510 }
511 
512 static int mt7921_load_patch(struct mt7921_dev *dev)
513 {
514 	const struct mt7921_patch_hdr *hdr;
515 	const struct firmware *fw = NULL;
516 	int i, ret, sem, max_len;
517 
518 	max_len = mt76_is_sdio(&dev->mt76) ? 2048 : 4096;
519 
520 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, true);
521 	switch (sem) {
522 	case PATCH_IS_DL:
523 		return 0;
524 	case PATCH_NOT_DL_SEM_SUCCESS:
525 		break;
526 	default:
527 		dev_err(dev->mt76.dev, "Failed to get patch semaphore\n");
528 		return -EAGAIN;
529 	}
530 
531 	ret = request_firmware(&fw, mt7921_patch_name(dev), dev->mt76.dev);
532 	if (ret)
533 		goto out;
534 
535 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
536 		dev_err(dev->mt76.dev, "Invalid firmware\n");
537 		ret = -EINVAL;
538 		goto out;
539 	}
540 
541 	hdr = (const struct mt7921_patch_hdr *)(fw->data);
542 
543 	dev_info(dev->mt76.dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
544 		 be32_to_cpu(hdr->hw_sw_ver), hdr->build_date);
545 
546 	for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) {
547 		struct mt7921_patch_sec *sec;
548 		const u8 *dl;
549 		u32 len, addr, mode;
550 		u32 sec_info = 0;
551 
552 		sec = (struct mt7921_patch_sec *)(fw->data + sizeof(*hdr) +
553 						  i * sizeof(*sec));
554 		if ((be32_to_cpu(sec->type) & PATCH_SEC_TYPE_MASK) !=
555 		    PATCH_SEC_TYPE_INFO) {
556 			ret = -EINVAL;
557 			goto out;
558 		}
559 
560 		addr = be32_to_cpu(sec->info.addr);
561 		len = be32_to_cpu(sec->info.len);
562 		dl = fw->data + be32_to_cpu(sec->offs);
563 		sec_info = be32_to_cpu(sec->info.sec_key_idx);
564 		mode = mt7921_get_data_mode(dev, sec_info);
565 
566 		ret = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
567 						    mode);
568 		if (ret) {
569 			dev_err(dev->mt76.dev, "Download request failed\n");
570 			goto out;
571 		}
572 
573 		ret = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
574 					       dl, len, max_len);
575 		if (ret) {
576 			dev_err(dev->mt76.dev, "Failed to send patch\n");
577 			goto out;
578 		}
579 	}
580 
581 	ret = mt76_connac_mcu_start_patch(&dev->mt76);
582 	if (ret)
583 		dev_err(dev->mt76.dev, "Failed to start patch\n");
584 
585 	if (mt76_is_sdio(&dev->mt76)) {
586 		/* activate again */
587 		ret = __mt7921_mcu_fw_pmctrl(dev);
588 		if (!ret)
589 			ret = __mt7921_mcu_drv_pmctrl(dev);
590 	}
591 
592 out:
593 	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false);
594 	switch (sem) {
595 	case PATCH_REL_SEM_SUCCESS:
596 		break;
597 	default:
598 		ret = -EAGAIN;
599 		dev_err(dev->mt76.dev, "Failed to release patch semaphore\n");
600 		break;
601 	}
602 	release_firmware(fw);
603 
604 	return ret;
605 }
606 
607 static int
608 mt7921_mcu_send_ram_firmware(struct mt7921_dev *dev,
609 			     const struct mt7921_fw_trailer *hdr,
610 			     const u8 *data, bool is_wa)
611 {
612 	int i, offset = 0, max_len;
613 	u32 override = 0, option = 0;
614 
615 	max_len = mt76_is_sdio(&dev->mt76) ? 2048 : 4096;
616 
617 	for (i = 0; i < hdr->n_region; i++) {
618 		const struct mt7921_fw_region *region;
619 		int err;
620 		u32 len, addr, mode;
621 
622 		region = (const struct mt7921_fw_region *)((const u8 *)hdr -
623 			 (hdr->n_region - i) * sizeof(*region));
624 		mode = mt76_connac_mcu_gen_dl_mode(&dev->mt76,
625 						   region->feature_set, is_wa);
626 		len = le32_to_cpu(region->len);
627 		addr = le32_to_cpu(region->addr);
628 
629 		if (region->feature_set & FW_FEATURE_OVERRIDE_ADDR)
630 			override = addr;
631 
632 		err = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
633 						    mode);
634 		if (err) {
635 			dev_err(dev->mt76.dev, "Download request failed\n");
636 			return err;
637 		}
638 
639 		err = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
640 					       data + offset, len, max_len);
641 		if (err) {
642 			dev_err(dev->mt76.dev, "Failed to send firmware.\n");
643 			return err;
644 		}
645 
646 		offset += len;
647 	}
648 
649 	if (override)
650 		option |= FW_START_OVERRIDE;
651 
652 	if (is_wa)
653 		option |= FW_START_WORKING_PDA_CR4;
654 
655 	return mt76_connac_mcu_start_firmware(&dev->mt76, override, option);
656 }
657 
658 static char *mt7921_ram_name(struct mt7921_dev *dev)
659 {
660 	char *ret;
661 
662 	if (is_mt7922(&dev->mt76))
663 		ret = MT7922_FIRMWARE_WM;
664 	else
665 		ret = MT7921_FIRMWARE_WM;
666 
667 	return ret;
668 }
669 
670 static int mt7921_load_ram(struct mt7921_dev *dev)
671 {
672 	const struct mt7921_fw_trailer *hdr;
673 	const struct firmware *fw;
674 	int ret;
675 
676 	ret = request_firmware(&fw, mt7921_ram_name(dev), dev->mt76.dev);
677 	if (ret)
678 		return ret;
679 
680 	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
681 		dev_err(dev->mt76.dev, "Invalid firmware\n");
682 		ret = -EINVAL;
683 		goto out;
684 	}
685 
686 	hdr = (const struct mt7921_fw_trailer *)(fw->data + fw->size -
687 					sizeof(*hdr));
688 
689 	dev_info(dev->mt76.dev, "WM Firmware Version: %.10s, Build Time: %.15s\n",
690 		 hdr->fw_ver, hdr->build_date);
691 
692 	ret = mt7921_mcu_send_ram_firmware(dev, hdr, fw->data, false);
693 	if (ret) {
694 		dev_err(dev->mt76.dev, "Failed to start WM firmware\n");
695 		goto out;
696 	}
697 
698 	snprintf(dev->mt76.hw->wiphy->fw_version,
699 		 sizeof(dev->mt76.hw->wiphy->fw_version),
700 		 "%.10s-%.15s", hdr->fw_ver, hdr->build_date);
701 
702 out:
703 	release_firmware(fw);
704 
705 	return ret;
706 }
707 
708 static int mt7921_load_firmware(struct mt7921_dev *dev)
709 {
710 	int ret;
711 
712 	ret = mt76_get_field(dev, MT_CONN_ON_MISC, MT_TOP_MISC2_FW_N9_RDY);
713 	if (ret && mt76_is_mmio(&dev->mt76)) {
714 		dev_dbg(dev->mt76.dev, "Firmware is already download\n");
715 		goto fw_loaded;
716 	}
717 
718 	ret = mt7921_load_patch(dev);
719 	if (ret)
720 		return ret;
721 
722 	ret = mt7921_load_ram(dev);
723 	if (ret)
724 		return ret;
725 
726 	if (!mt76_poll_msec(dev, MT_CONN_ON_MISC, MT_TOP_MISC2_FW_N9_RDY,
727 			    MT_TOP_MISC2_FW_N9_RDY, 1500)) {
728 		dev_err(dev->mt76.dev, "Timeout for initializing firmware\n");
729 
730 		return -EIO;
731 	}
732 
733 fw_loaded:
734 
735 #ifdef CONFIG_PM
736 	dev->mt76.hw->wiphy->wowlan = &mt76_connac_wowlan_support;
737 #endif /* CONFIG_PM */
738 
739 	dev_dbg(dev->mt76.dev, "Firmware init done\n");
740 
741 	return 0;
742 }
743 
744 int mt7921_mcu_fw_log_2_host(struct mt7921_dev *dev, u8 ctrl)
745 {
746 	struct {
747 		u8 ctrl_val;
748 		u8 pad[3];
749 	} data = {
750 		.ctrl_val = ctrl
751 	};
752 
753 	return mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(FWLOG_2_HOST),
754 				 &data, sizeof(data), false);
755 }
756 
757 int mt7921_run_firmware(struct mt7921_dev *dev)
758 {
759 	int err;
760 
761 	err = mt7921_load_firmware(dev);
762 	if (err)
763 		return err;
764 
765 	err = mt76_connac_mcu_get_nic_capability(&dev->mphy);
766 	if (err)
767 		return err;
768 
769 	set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
770 	return mt7921_mcu_fw_log_2_host(dev, 1);
771 }
772 EXPORT_SYMBOL_GPL(mt7921_run_firmware);
773 
774 void mt7921_mcu_exit(struct mt7921_dev *dev)
775 {
776 	skb_queue_purge(&dev->mt76.mcu.res_q);
777 }
778 EXPORT_SYMBOL_GPL(mt7921_mcu_exit);
779 
780 int mt7921_mcu_set_tx(struct mt7921_dev *dev, struct ieee80211_vif *vif)
781 {
782 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
783 	struct edca {
784 		__le16 cw_min;
785 		__le16 cw_max;
786 		__le16 txop;
787 		__le16 aifs;
788 		u8 guardtime;
789 		u8 acm;
790 	} __packed;
791 	struct mt7921_mcu_tx {
792 		struct edca edca[IEEE80211_NUM_ACS];
793 		u8 bss_idx;
794 		u8 qos;
795 		u8 wmm_idx;
796 		u8 pad;
797 	} __packed req = {
798 		.bss_idx = mvif->mt76.idx,
799 		.qos = vif->bss_conf.qos,
800 		.wmm_idx = mvif->mt76.wmm_idx,
801 	};
802 	struct mu_edca {
803 		u8 cw_min;
804 		u8 cw_max;
805 		u8 aifsn;
806 		u8 acm;
807 		u8 timer;
808 		u8 padding[3];
809 	};
810 	struct mt7921_mcu_mu_tx {
811 		u8 ver;
812 		u8 pad0;
813 		__le16 len;
814 		u8 bss_idx;
815 		u8 qos;
816 		u8 wmm_idx;
817 		u8 pad1;
818 		struct mu_edca edca[IEEE80211_NUM_ACS];
819 		u8 pad3[32];
820 	} __packed req_mu = {
821 		.bss_idx = mvif->mt76.idx,
822 		.qos = vif->bss_conf.qos,
823 		.wmm_idx = mvif->mt76.wmm_idx,
824 	};
825 	static const int to_aci[] = { 1, 0, 2, 3 };
826 	int ac, ret;
827 
828 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
829 		struct ieee80211_tx_queue_params *q = &mvif->queue_params[ac];
830 		struct edca *e = &req.edca[to_aci[ac]];
831 
832 		e->aifs = cpu_to_le16(q->aifs);
833 		e->txop = cpu_to_le16(q->txop);
834 
835 		if (q->cw_min)
836 			e->cw_min = cpu_to_le16(q->cw_min);
837 		else
838 			e->cw_min = cpu_to_le16(5);
839 
840 		if (q->cw_max)
841 			e->cw_max = cpu_to_le16(q->cw_max);
842 		else
843 			e->cw_max = cpu_to_le16(10);
844 	}
845 
846 	ret = mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_EDCA_PARMS), &req,
847 				sizeof(req), false);
848 	if (ret)
849 		return ret;
850 
851 	if (!vif->bss_conf.he_support)
852 		return 0;
853 
854 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
855 		struct ieee80211_he_mu_edca_param_ac_rec *q;
856 		struct mu_edca *e;
857 
858 		if (!mvif->queue_params[ac].mu_edca)
859 			break;
860 
861 		q = &mvif->queue_params[ac].mu_edca_param_rec;
862 		e = &(req_mu.edca[to_aci[ac]]);
863 
864 		e->cw_min = q->ecw_min_max & 0xf;
865 		e->cw_max = (q->ecw_min_max & 0xf0) >> 4;
866 		e->aifsn = q->aifsn;
867 		e->timer = q->mu_edca_timer;
868 	}
869 
870 	return mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_MU_EDCA_PARMS),
871 				 &req_mu, sizeof(req_mu), false);
872 }
873 
874 int mt7921_mcu_set_chan_info(struct mt7921_phy *phy, int cmd)
875 {
876 	struct mt7921_dev *dev = phy->dev;
877 	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
878 	int freq1 = chandef->center_freq1;
879 	struct {
880 		u8 control_ch;
881 		u8 center_ch;
882 		u8 bw;
883 		u8 tx_streams_num;
884 		u8 rx_streams;	/* mask or num */
885 		u8 switch_reason;
886 		u8 band_idx;
887 		u8 center_ch2;	/* for 80+80 only */
888 		__le16 cac_case;
889 		u8 channel_band;
890 		u8 rsv0;
891 		__le32 outband_freq;
892 		u8 txpower_drop;
893 		u8 ap_bw;
894 		u8 ap_center_ch;
895 		u8 rsv1[57];
896 	} __packed req = {
897 		.control_ch = chandef->chan->hw_value,
898 		.center_ch = ieee80211_frequency_to_channel(freq1),
899 		.bw = mt76_connac_chan_bw(chandef),
900 		.tx_streams_num = hweight8(phy->mt76->antenna_mask),
901 		.rx_streams = phy->mt76->antenna_mask,
902 		.band_idx = phy != &dev->phy,
903 	};
904 
905 	if (chandef->chan->band == NL80211_BAND_6GHZ)
906 		req.channel_band = 2;
907 	else
908 		req.channel_band = chandef->chan->band;
909 
910 	if (cmd == MCU_EXT_CMD(SET_RX_PATH) ||
911 	    dev->mt76.hw->conf.flags & IEEE80211_CONF_MONITOR)
912 		req.switch_reason = CH_SWITCH_NORMAL;
913 	else if (dev->mt76.hw->conf.flags & IEEE80211_CONF_OFFCHANNEL)
914 		req.switch_reason = CH_SWITCH_SCAN_BYPASS_DPD;
915 	else if (!cfg80211_reg_can_beacon(dev->mt76.hw->wiphy, chandef,
916 					  NL80211_IFTYPE_AP))
917 		req.switch_reason = CH_SWITCH_DFS;
918 	else
919 		req.switch_reason = CH_SWITCH_NORMAL;
920 
921 	if (cmd == MCU_EXT_CMD(CHANNEL_SWITCH))
922 		req.rx_streams = hweight8(req.rx_streams);
923 
924 	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
925 		int freq2 = chandef->center_freq2;
926 
927 		req.center_ch2 = ieee80211_frequency_to_channel(freq2);
928 	}
929 
930 	return mt76_mcu_send_msg(&dev->mt76, cmd, &req, sizeof(req), true);
931 }
932 
933 int mt7921_mcu_set_eeprom(struct mt7921_dev *dev)
934 {
935 	struct req_hdr {
936 		u8 buffer_mode;
937 		u8 format;
938 		__le16 len;
939 	} __packed req = {
940 		.buffer_mode = EE_MODE_EFUSE,
941 		.format = EE_FORMAT_WHOLE,
942 	};
943 
944 	return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(EFUSE_BUFFER_MODE),
945 				 &req, sizeof(req), true);
946 }
947 EXPORT_SYMBOL_GPL(mt7921_mcu_set_eeprom);
948 
949 int mt7921_mcu_uni_bss_ps(struct mt7921_dev *dev, struct ieee80211_vif *vif)
950 {
951 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
952 	struct {
953 		struct {
954 			u8 bss_idx;
955 			u8 pad[3];
956 		} __packed hdr;
957 		struct ps_tlv {
958 			__le16 tag;
959 			__le16 len;
960 			u8 ps_state; /* 0: device awake
961 				      * 1: static power save
962 				      * 2: dynamic power saving
963 				      * 3: enter TWT power saving
964 				      * 4: leave TWT power saving
965 				      */
966 			u8 pad[3];
967 		} __packed ps;
968 	} __packed ps_req = {
969 		.hdr = {
970 			.bss_idx = mvif->mt76.idx,
971 		},
972 		.ps = {
973 			.tag = cpu_to_le16(UNI_BSS_INFO_PS),
974 			.len = cpu_to_le16(sizeof(struct ps_tlv)),
975 			.ps_state = vif->bss_conf.ps ? 2 : 0,
976 		},
977 	};
978 
979 	if (vif->type != NL80211_IFTYPE_STATION)
980 		return -EOPNOTSUPP;
981 
982 	return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
983 				 &ps_req, sizeof(ps_req), true);
984 }
985 
986 static int
987 mt7921_mcu_uni_bss_bcnft(struct mt7921_dev *dev, struct ieee80211_vif *vif,
988 			 bool enable)
989 {
990 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
991 	struct {
992 		struct {
993 			u8 bss_idx;
994 			u8 pad[3];
995 		} __packed hdr;
996 		struct bcnft_tlv {
997 			__le16 tag;
998 			__le16 len;
999 			__le16 bcn_interval;
1000 			u8 dtim_period;
1001 			u8 pad;
1002 		} __packed bcnft;
1003 	} __packed bcnft_req = {
1004 		.hdr = {
1005 			.bss_idx = mvif->mt76.idx,
1006 		},
1007 		.bcnft = {
1008 			.tag = cpu_to_le16(UNI_BSS_INFO_BCNFT),
1009 			.len = cpu_to_le16(sizeof(struct bcnft_tlv)),
1010 			.bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int),
1011 			.dtim_period = vif->bss_conf.dtim_period,
1012 		},
1013 	};
1014 
1015 	if (vif->type != NL80211_IFTYPE_STATION)
1016 		return 0;
1017 
1018 	return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
1019 				 &bcnft_req, sizeof(bcnft_req), true);
1020 }
1021 
1022 static int
1023 mt7921_mcu_set_bss_pm(struct mt7921_dev *dev, struct ieee80211_vif *vif,
1024 		      bool enable)
1025 {
1026 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
1027 	struct {
1028 		u8 bss_idx;
1029 		u8 dtim_period;
1030 		__le16 aid;
1031 		__le16 bcn_interval;
1032 		__le16 atim_window;
1033 		u8 uapsd;
1034 		u8 bmc_delivered_ac;
1035 		u8 bmc_triggered_ac;
1036 		u8 pad;
1037 	} req = {
1038 		.bss_idx = mvif->mt76.idx,
1039 		.aid = cpu_to_le16(vif->cfg.aid),
1040 		.dtim_period = vif->bss_conf.dtim_period,
1041 		.bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int),
1042 	};
1043 	struct {
1044 		u8 bss_idx;
1045 		u8 pad[3];
1046 	} req_hdr = {
1047 		.bss_idx = mvif->mt76.idx,
1048 	};
1049 	int err;
1050 
1051 	if (vif->type != NL80211_IFTYPE_STATION)
1052 		return 0;
1053 
1054 	err = mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_BSS_ABORT),
1055 				&req_hdr, sizeof(req_hdr), false);
1056 	if (err < 0 || !enable)
1057 		return err;
1058 
1059 	return mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_BSS_CONNECTED),
1060 				 &req, sizeof(req), false);
1061 }
1062 
1063 int mt7921_mcu_sta_update(struct mt7921_dev *dev, struct ieee80211_sta *sta,
1064 			  struct ieee80211_vif *vif, bool enable,
1065 			  enum mt76_sta_info_state state)
1066 {
1067 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
1068 	int rssi = -ewma_rssi_read(&mvif->rssi);
1069 	struct mt76_sta_cmd_info info = {
1070 		.sta = sta,
1071 		.vif = vif,
1072 		.enable = enable,
1073 		.cmd = MCU_UNI_CMD(STA_REC_UPDATE),
1074 		.state = state,
1075 		.offload_fw = true,
1076 		.rcpi = to_rcpi(rssi),
1077 	};
1078 	struct mt7921_sta *msta;
1079 
1080 	msta = sta ? (struct mt7921_sta *)sta->drv_priv : NULL;
1081 	info.wcid = msta ? &msta->wcid : &mvif->sta.wcid;
1082 	info.newly = msta ? state != MT76_STA_INFO_STATE_ASSOC : true;
1083 
1084 	return mt76_connac_mcu_sta_cmd(&dev->mphy, &info);
1085 }
1086 
1087 int mt7921_mcu_drv_pmctrl(struct mt7921_dev *dev)
1088 {
1089 	struct mt76_phy *mphy = &dev->mt76.phy;
1090 	struct mt76_connac_pm *pm = &dev->pm;
1091 	int err = 0;
1092 
1093 	mutex_lock(&pm->mutex);
1094 
1095 	if (!test_bit(MT76_STATE_PM, &mphy->state))
1096 		goto out;
1097 
1098 	err = __mt7921_mcu_drv_pmctrl(dev);
1099 out:
1100 	mutex_unlock(&pm->mutex);
1101 
1102 	if (err)
1103 		mt7921_reset(&dev->mt76);
1104 
1105 	return err;
1106 }
1107 EXPORT_SYMBOL_GPL(mt7921_mcu_drv_pmctrl);
1108 
1109 int mt7921_mcu_fw_pmctrl(struct mt7921_dev *dev)
1110 {
1111 	struct mt76_phy *mphy = &dev->mt76.phy;
1112 	struct mt76_connac_pm *pm = &dev->pm;
1113 	int err = 0;
1114 
1115 	mutex_lock(&pm->mutex);
1116 
1117 	if (mt76_connac_skip_fw_pmctrl(mphy, pm))
1118 		goto out;
1119 
1120 	err = __mt7921_mcu_fw_pmctrl(dev);
1121 out:
1122 	mutex_unlock(&pm->mutex);
1123 
1124 	if (err)
1125 		mt7921_reset(&dev->mt76);
1126 
1127 	return err;
1128 }
1129 EXPORT_SYMBOL_GPL(mt7921_mcu_fw_pmctrl);
1130 
1131 int mt7921_mcu_set_beacon_filter(struct mt7921_dev *dev,
1132 				 struct ieee80211_vif *vif,
1133 				 bool enable)
1134 {
1135 	struct ieee80211_hw *hw = mt76_hw(dev);
1136 	int err;
1137 
1138 	if (enable) {
1139 		err = mt7921_mcu_uni_bss_bcnft(dev, vif, true);
1140 		if (err)
1141 			return err;
1142 
1143 		vif->driver_flags |= IEEE80211_VIF_BEACON_FILTER;
1144 		ieee80211_hw_set(hw, CONNECTION_MONITOR);
1145 		mt76_set(dev, MT_WF_RFCR(0), MT_WF_RFCR_DROP_OTHER_BEACON);
1146 
1147 		return 0;
1148 	}
1149 
1150 	err = mt7921_mcu_set_bss_pm(dev, vif, false);
1151 	if (err)
1152 		return err;
1153 
1154 	vif->driver_flags &= ~IEEE80211_VIF_BEACON_FILTER;
1155 	__clear_bit(IEEE80211_HW_CONNECTION_MONITOR, hw->flags);
1156 	mt76_clear(dev, MT_WF_RFCR(0), MT_WF_RFCR_DROP_OTHER_BEACON);
1157 
1158 	return 0;
1159 }
1160 
1161 int mt7921_get_txpwr_info(struct mt7921_dev *dev, struct mt7921_txpwr *txpwr)
1162 {
1163 	struct mt7921_txpwr_event *event;
1164 	struct mt7921_txpwr_req req = {
1165 		.dbdc_idx = 0,
1166 	};
1167 	struct sk_buff *skb;
1168 	int ret;
1169 
1170 	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_CE_CMD(GET_TXPWR),
1171 					&req, sizeof(req), true, &skb);
1172 	if (ret)
1173 		return ret;
1174 
1175 	event = (struct mt7921_txpwr_event *)skb->data;
1176 	WARN_ON(skb->len != le16_to_cpu(event->len));
1177 	memcpy(txpwr, &event->txpwr, sizeof(event->txpwr));
1178 
1179 	dev_kfree_skb(skb);
1180 
1181 	return 0;
1182 }
1183 
1184 int mt7921_mcu_set_sniffer(struct mt7921_dev *dev, struct ieee80211_vif *vif,
1185 			   bool enable)
1186 {
1187 	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
1188 	struct {
1189 		struct {
1190 			u8 band_idx;
1191 			u8 pad[3];
1192 		} __packed hdr;
1193 		struct sniffer_enable_tlv {
1194 			__le16 tag;
1195 			__le16 len;
1196 			u8 enable;
1197 			u8 pad[3];
1198 		} __packed enable;
1199 	} req = {
1200 		.hdr = {
1201 			.band_idx = mvif->band_idx,
1202 		},
1203 		.enable = {
1204 			.tag = cpu_to_le16(0),
1205 			.len = cpu_to_le16(sizeof(struct sniffer_enable_tlv)),
1206 			.enable = enable,
1207 		},
1208 	};
1209 
1210 	return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(SNIFFER), &req, sizeof(req),
1211 				 true);
1212 }
1213 
1214 int
1215 mt7921_mcu_uni_add_beacon_offload(struct mt7921_dev *dev,
1216 				  struct ieee80211_hw *hw,
1217 				  struct ieee80211_vif *vif,
1218 				  bool enable)
1219 {
1220 	struct mt7921_vif *mvif = (struct mt7921_vif *)vif->drv_priv;
1221 	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
1222 	struct ieee80211_mutable_offsets offs;
1223 	struct {
1224 		struct req_hdr {
1225 			u8 bss_idx;
1226 			u8 pad[3];
1227 		} __packed hdr;
1228 		struct bcn_content_tlv {
1229 			__le16 tag;
1230 			__le16 len;
1231 			__le16 tim_ie_pos;
1232 			__le16 csa_ie_pos;
1233 			__le16 bcc_ie_pos;
1234 			/* 0: disable beacon offload
1235 			 * 1: enable beacon offload
1236 			 * 2: update probe respond offload
1237 			 */
1238 			u8 enable;
1239 			/* 0: legacy format (TXD + payload)
1240 			 * 1: only cap field IE
1241 			 */
1242 			u8 type;
1243 			__le16 pkt_len;
1244 			u8 pkt[512];
1245 		} __packed beacon_tlv;
1246 	} req = {
1247 		.hdr = {
1248 			.bss_idx = mvif->mt76.idx,
1249 		},
1250 		.beacon_tlv = {
1251 			.tag = cpu_to_le16(UNI_BSS_INFO_BCN_CONTENT),
1252 			.len = cpu_to_le16(sizeof(struct bcn_content_tlv)),
1253 			.enable = enable,
1254 		},
1255 	};
1256 	struct sk_buff *skb;
1257 
1258 	if (!enable)
1259 		goto out;
1260 
1261 	skb = ieee80211_beacon_get_template(mt76_hw(dev), vif, &offs, 0);
1262 	if (!skb)
1263 		return -EINVAL;
1264 
1265 	if (skb->len > 512 - MT_TXD_SIZE) {
1266 		dev_err(dev->mt76.dev, "beacon size limit exceed\n");
1267 		dev_kfree_skb(skb);
1268 		return -EINVAL;
1269 	}
1270 
1271 	mt7921_mac_write_txwi(dev, (__le32 *)(req.beacon_tlv.pkt), skb,
1272 			      wcid, NULL, 0, true);
1273 	memcpy(req.beacon_tlv.pkt + MT_TXD_SIZE, skb->data, skb->len);
1274 	req.beacon_tlv.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
1275 	req.beacon_tlv.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + offs.tim_offset);
1276 
1277 	if (offs.cntdwn_counter_offs[0]) {
1278 		u16 csa_offs;
1279 
1280 		csa_offs = MT_TXD_SIZE + offs.cntdwn_counter_offs[0] - 4;
1281 		req.beacon_tlv.csa_ie_pos = cpu_to_le16(csa_offs);
1282 	}
1283 	dev_kfree_skb(skb);
1284 
1285 out:
1286 	return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
1287 				 &req, sizeof(req), true);
1288 }
1289