1 // SPDX-License-Identifier: ISC
2 /*
3  * Copyright (C) 2022 MediaTek Inc.
4  */
5 
6 #include <linux/firmware.h>
7 #include <linux/fs.h>
8 #include "mt7996.h"
9 #include "mcu.h"
10 #include "mac.h"
11 #include "eeprom.h"
12 
/*
 * Header of a firmware patch image. The layout is packed and the multi-byte
 * fields carry big-endian (__be16/__be32) annotations, so values must go
 * through be*_to_cpu() before use.
 *
 * NOTE(review): the code that parses this header is outside this section.
 * desc.n_region comes from the firmware file; whoever loops over it should
 * bound it against the size of the loaded blob - confirm at the consumer.
 */
struct mt7996_patch_hdr {
	char build_date[16];	/* fixed 16-byte field; no NUL terminator is guaranteed by the layout */
	char platform[4];
	__be32 hw_sw_ver;
	__be32 patch_ver;
	__be16 checksum;
	u16 reserved;
	struct {
		__be32 patch_ver;
		__be32 subsys;
		__be32 feature;
		__be32 n_region;	/* region count taken from the file */
		__be32 crc;
		u32 reserved[11];
	} desc;
} __packed;
29 
/*
 * Per-section descriptor of a firmware patch image (packed, big-endian
 * fields). The union lets the 13 type-specific words be read either raw
 * (spec[]) or through the named info layout.
 *
 * NOTE(review): offs, size, info.addr and info.len are file-supplied; the
 * consumer (not visible here) should check offs/len against the blob size
 * before dereferencing - confirm.
 */
struct mt7996_patch_sec {
	__be32 type;
	__be32 offs;
	__be32 size;
	union {
		__be32 spec[13];
		struct {
			__be32 addr;
			__be32 len;
			__be32 sec_key_idx;
			__be32 align_len;
			u32 reserved[9];
		} info;
	};
} __packed;
45 
/*
 * Trailer record of a firmware image (packed).
 *
 * NOTE(review): n_region is file-supplied and fw_ver/build_date are
 * fixed-width char arrays with no terminator guaranteed by the layout; code
 * that prints them should use a bounded precision - confirm at the consumer.
 * crc is declared as plain u32, without an endianness annotation.
 */
struct mt7996_fw_trailer {
	u8 chip_id;
	u8 eco_code;
	u8 n_region;
	u8 format_ver;
	u8 format_flag;
	u8 reserved[2];
	char fw_ver[10];
	char build_date[15];
	u32 crc;
} __packed;
57 
/*
 * Per-region descriptor of a firmware image (packed, little-endian fields).
 *
 * NOTE(review): addr and len are file-supplied; the loader (outside this
 * section) should validate len against the remaining blob size - confirm.
 */
struct mt7996_fw_region {
	__le32 decomp_crc;
	__le32 decomp_len;
	__le32 decomp_blk_sz;
	u8 reserved[4];
	__le32 addr;
	__le32 len;
	u8 feature_set;
	u8 reserved1[15];
} __packed;
68 
/* presumably the MCU address the patch image is loaded to; the user is outside this section */
#define MCU_PATCH_ADDRESS		0x200000

/*
 * Extract one capability bit-field from capability byte c; the mask is the
 * mac80211 constant formed by pasting the field name onto the prefix.
 */
#define HE_PHY(p, c)			u8_get_bits(c, IEEE80211_HE_PHY_##p)
#define HE_MAC(m, c)			u8_get_bits(c, IEEE80211_HE_MAC_##m)
#define EHT_PHY(p, c)			u8_get_bits(c, IEEE80211_EHT_PHY_##p)

/* Module parameter; mode 0644 exposes it world-readable and root-writable at runtime. */
static bool sr_scene_detect = true;
module_param(sr_scene_detect, bool, 0644);
MODULE_PARM_DESC(sr_scene_detect, "Enable firmware scene detection algorithm");
78 
/*
 * Walk a 16-bit MCS map (2 bits per spatial stream, 8 streams) from the
 * highest stream downwards and return the zero-based index of the first
 * stream whose field is not IEEE80211_VHT_MCS_NOT_SUPPORTED.
 *
 * When every stream is marked unsupported the scan ends with nss == 0 and
 * the u8 return value wraps to 0xff; callers need to cope with that.
 */
static u8
mt7996_mcu_get_sta_nss(u16 mcs_map)
{
	u8 nss = 8;

	while (nss > 0) {
		unsigned int shift = 2 * (nss - 1);
		u8 field = (mcs_map >> shift) & 3;

		if (field != IEEE80211_VHT_MCS_NOT_SUPPORTED)
			break;

		nss--;
	}

	return nss - 1;
}
93 
/*
 * Build the HE MCS/NSS map sent to firmware for @sta.
 *
 * For each of the first max_nss spatial streams (rx_nss, capped at 4) the
 * peer's 2-bit support field in @mcs_map is expanded to a rate bitmap,
 * intersected with the per-band HE bitrate mask configured on the vif, and
 * folded back into a 2-bit support field. The result is stored
 * little-endian in *@he_mcs. Streams at or above max_nss keep the value
 * they had in @mcs_map.
 */
static void
mt7996_mcu_set_sta_he_mcs(struct ieee80211_sta *sta, __le16 *he_mcs,
			  u16 mcs_map)
{
	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
	enum nl80211_band band = msta->vif->phy->mt76->chandef.chan->band;
	const u16 *mask = msta->vif->bitrate_mask.control[band].he_mcs;
	int nss, max_nss = sta->deflink.rx_nss > 3 ? 4 : sta->deflink.rx_nss;

	for (nss = 0; nss < max_nss; nss++) {
		int mcs;

		/* expand the peer's 2-bit field into a bitmap of usable MCS indices */
		switch ((mcs_map >> (2 * nss)) & 0x3) {
		case IEEE80211_HE_MCS_SUPPORT_0_11:
			mcs = GENMASK(11, 0);
			break;
		case IEEE80211_HE_MCS_SUPPORT_0_9:
			mcs = GENMASK(9, 0);
			break;
		case IEEE80211_HE_MCS_SUPPORT_0_7:
			mcs = GENMASK(7, 0);
			break;
		default:
			mcs = 0;
		}

		/*
		 * Highest MCS index left after applying the configured mask;
		 * -1 when the peer supports nothing on this stream, and also
		 * -1 (fls(0) - 1) when the mask removes every rate.
		 */
		mcs = mcs ? fls(mcs & mask[nss]) - 1 : -1;

		/* fold the highest index back into the 2-bit encoding */
		switch (mcs) {
		case 0 ... 7:
			mcs = IEEE80211_HE_MCS_SUPPORT_0_7;
			break;
		case 8 ... 9:
			mcs = IEEE80211_HE_MCS_SUPPORT_0_9;
			break;
		case 10 ... 11:
			mcs = IEEE80211_HE_MCS_SUPPORT_0_11;
			break;
		default:
			mcs = IEEE80211_HE_MCS_NOT_SUPPORTED;
			break;
		}
		/* replace this stream's 2-bit field in the map */
		mcs_map &= ~(0x3 << (nss * 2));
		mcs_map |= mcs << (nss * 2);
	}

	*he_mcs = cpu_to_le16(mcs_map);
}
142 
/*
 * Fill @vht_mcs[] with one little-endian rate bitmap per spatial stream:
 * the peer's VHT RX MCS support for that stream, intersected with the
 * caller-supplied @mask[]. Only the first rx_nss streams (capped at 4) are
 * written.
 */
static void
mt7996_mcu_set_sta_vht_mcs(struct ieee80211_sta *sta, __le16 *vht_mcs,
			   const u16 *mask)
{
	u16 rx_map = le16_to_cpu(sta->deflink.vht_cap.vht_mcs.rx_mcs_map);
	int max_nss = sta->deflink.rx_nss;
	int i;

	if (max_nss > 3)
		max_nss = 4;

	for (i = 0; i < max_nss; i++) {
		u16 rates;

		/* 2-bit support field of stream i */
		switch ((rx_map >> (2 * i)) & 0x3) {
		case IEEE80211_VHT_MCS_SUPPORT_0_9:
			rates = GENMASK(9, 0);
			break;
		case IEEE80211_VHT_MCS_SUPPORT_0_8:
			rates = GENMASK(8, 0);
			break;
		case IEEE80211_VHT_MCS_SUPPORT_0_7:
			rates = GENMASK(7, 0);
			break;
		default:
			rates = 0;
			break;
		}

		vht_mcs[i] = cpu_to_le16(rates & mask[i]);
	}
}
168 
/*
 * Copy the peer's HT RX MCS mask into @ht_mcs[], one byte per spatial
 * stream, keeping only the rates also set in @mask[]. Only the first rx_nss
 * streams (capped at 4) are written.
 */
static void
mt7996_mcu_set_sta_ht_mcs(struct ieee80211_sta *sta, u8 *ht_mcs,
			  const u8 *mask)
{
	const u8 *rx_mask = sta->deflink.ht_cap.mcs.rx_mask;
	int max_nss = sta->deflink.rx_nss;
	int i;

	if (max_nss > 3)
		max_nss = 4;

	for (i = 0; i < max_nss; i++)
		ht_mcs[i] = rx_mask[i] & mask[i];
}
178 
/*
 * Match a firmware response against the command that is waiting for it.
 *
 * Returns -ETIMEDOUT when no response arrived (@skb is NULL), -EAGAIN when
 * the response belongs to another sequence number or (for unified result
 * events) to another command id, and otherwise the status carried by the
 * event, or 0 for responses without a parsed status. On the non-error paths
 * the receive descriptor is pulled off @skb.
 *
 * NOTE(review): skb->len is never compared with sizeof(*rxd) or
 * sizeof(*event) before the casts below, so a response shorter than
 * expected would be read past the bytes actually received. Confirm that the
 * transport guarantees a minimum length, or add an explicit check.
 */
static int
mt7996_mcu_parse_response(struct mt76_dev *mdev, int cmd,
			  struct sk_buff *skb, int seq)
{
	struct mt7996_mcu_rxd *rxd;
	struct mt7996_mcu_uni_event *event;
	int mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
	int ret = 0;

	if (!skb) {
		dev_err(mdev->dev, "Message %08x (seq %d) timeout\n",
			cmd, seq);
		return -ETIMEDOUT;
	}

	rxd = (struct mt7996_mcu_rxd *)skb->data;
	if (seq != rxd->seq)
		return -EAGAIN;

	if (cmd == MCU_CMD(PATCH_SEM_CONTROL)) {
		/* status is the byte found 4 bytes before the end of the descriptor */
		skb_pull(skb, sizeof(*rxd) - 4);
		ret = *skb->data;
	} else if ((rxd->option & MCU_UNI_CMD_EVENT) &&
		    rxd->eid == MCU_UNI_EVENT_RESULT) {
		skb_pull(skb, sizeof(*rxd));
		event = (struct mt7996_mcu_uni_event *)skb->data;
		ret = le32_to_cpu(event->status);
		/* skip invalid event */
		/* NOTE(review): cid is compared without an endian conversion - verify its declared type */
		if (mcu_cmd != event->cid)
			ret = -EAGAIN;
	} else {
		skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
	}

	return ret;
}
215 
/*
 * Prepend the MCU TX descriptor to @skb and queue it towards firmware.
 *
 * FW_SCATTER payloads are queued as-is on the firmware-download queue. All
 * other commands get either a unified (uni_txd) or a legacy (mcu_txd)
 * descriptor, chosen by __MCU_CMD_FIELD_UNI in @cmd. The sequence number
 * used is stored in *@wait_seq when the caller supplied it.
 *
 * Returns the result of mt76_tx_queue_skb_raw().
 *
 * NOTE(review): skb_push() relies on @skb having at least txd_len bytes of
 * headroom; the allocation is outside this section - confirm.
 */
static int
mt7996_mcu_send_message(struct mt76_dev *mdev, struct sk_buff *skb,
			int cmd, int *wait_seq)
{
	struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
	int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
	struct mt76_connac2_mcu_uni_txd *uni_txd;
	struct mt76_connac2_mcu_txd *mcu_txd;
	enum mt76_mcuq_id qid;
	__le32 *txd;
	u32 val;
	u8 seq;

	mdev->mcu.timeout = 20 * HZ;

	/*
	 * 4-bit sequence number; 0 is skipped because mt7996_mcu_rx_event()
	 * treats an event with seq == 0 as unsolicited.
	 */
	seq = ++dev->mt76.mcu.msg_seq & 0xf;
	if (!seq)
		seq = ++dev->mt76.mcu.msg_seq & 0xf;

	if (cmd == MCU_CMD(FW_SCATTER)) {
		/* raw firmware chunk: no descriptor is added */
		qid = MT_MCUQ_FWDL;
		goto exit;
	}

	txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
	txd = (__le32 *)skb_push(skb, txd_len);
	/* once the MCU is marked running, commands go out on the WA queue */
	if (test_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state))
		qid = MT_MCUQ_WA;
	else
		qid = MT_MCUQ_WM;

	/* first two descriptor words are common to both formats */
	val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len) |
	      FIELD_PREP(MT_TXD0_PKT_FMT, MT_TX_TYPE_CMD) |
	      FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_MCU_PORT_RX_Q0);
	txd[0] = cpu_to_le32(val);

	val = FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_CMD);
	txd[1] = cpu_to_le32(val);

	if (cmd & __MCU_CMD_FIELD_UNI) {
		uni_txd = (struct mt76_connac2_mcu_uni_txd *)txd;
		uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
		uni_txd->cid = cpu_to_le16(mcu_cmd);
		uni_txd->s2d_index = MCU_S2D_H2CN;
		uni_txd->pkt_type = MCU_PKT_ID;
		uni_txd->seq = seq;

		if (cmd & __MCU_CMD_FIELD_QUERY)
			uni_txd->option = MCU_CMD_UNI_QUERY_ACK;
		else
			uni_txd->option = MCU_CMD_UNI_EXT_ACK;

		/* destination follows the WA/WM bits of cmd; H2CN set above stays when neither is set */
		if ((cmd & __MCU_CMD_FIELD_WA) && (cmd & __MCU_CMD_FIELD_WM))
			uni_txd->s2d_index = MCU_S2D_H2CN;
		else if (cmd & __MCU_CMD_FIELD_WA)
			uni_txd->s2d_index = MCU_S2D_H2C;
		else if (cmd & __MCU_CMD_FIELD_WM)
			uni_txd->s2d_index = MCU_S2D_H2N;

		goto exit;
	}

	/* legacy descriptor */
	mcu_txd = (struct mt76_connac2_mcu_txd *)txd;
	mcu_txd->len = cpu_to_le16(skb->len - sizeof(mcu_txd->txd));
	mcu_txd->pq_id = cpu_to_le16(MCU_PQ_ID(MT_TX_PORT_IDX_MCU,
					       MT_TX_MCU_PORT_RX_Q0));
	mcu_txd->pkt_type = MCU_PKT_ID;
	mcu_txd->seq = seq;

	mcu_txd->cid = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
	mcu_txd->set_query = MCU_Q_NA;
	mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
	if (mcu_txd->ext_cid) {
		/* extended commands request an ack and carry a set/query flag */
		mcu_txd->ext_cid_ack = 1;

		if (cmd & __MCU_CMD_FIELD_QUERY)
			mcu_txd->set_query = MCU_Q_QUERY;
		else
			mcu_txd->set_query = MCU_Q_SET;
	}

	if (cmd & __MCU_CMD_FIELD_WA)
		mcu_txd->s2d_index = MCU_S2D_H2C;
	else
		mcu_txd->s2d_index = MCU_S2D_H2N;

exit:
	if (wait_seq)
		*wait_seq = seq;

	return mt76_tx_queue_skb_raw(dev, mdev->q_mcu[qid], skb, 0);
}
308 
/*
 * Send command @cmd with three 32-bit arguments, packed little-endian in
 * the order a1, a2, a3. The message is sent without waiting for a response;
 * the return value is that of mt76_mcu_send_msg().
 */
int mt7996_mcu_wa_cmd(struct mt7996_dev *dev, int cmd, u32 a1, u32 a2, u32 a3)
{
	struct {
		__le32 args[3];
	} req;

	req.args[0] = cpu_to_le32(a1);
	req.args[1] = cpu_to_le32(a2);
	req.args[2] = cpu_to_le32(a3);

	return mt76_mcu_send_msg(&dev->mt76, cmd, &req, sizeof(req), false);
}
323 
/*
 * Interface iterator callback: complete a channel switch on @vif, but only
 * if one is currently active. @priv and @mac are unused.
 */
static void
mt7996_mcu_csa_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
{
	if (!vif->bss_conf.csa_active)
		return;

	ieee80211_csa_finish(vif);
}
330 
/*
 * Handle a radar-detection report from firmware.
 *
 * The band index in the report is bounds-checked against dev->mt76.phys[]
 * before it is used as an index. Reports for MT_RX_SEL2 are delivered as a
 * background radar event, all others as a regular radar detection on the
 * matching phy. dev->hw_pattern counts the delivered reports.
 */
static void
mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct mt7996_mcu_rdd_report *report;
	struct mt76_phy *mphy;
	bool background;

	report = (struct mt7996_mcu_rdd_report *)skb->data;

	/* firmware-supplied index: reject anything outside phys[] */
	if (report->band_idx >= ARRAY_SIZE(dev->mt76.phys))
		return;

	background = report->band_idx == MT_RX_SEL2;

	if (background && dev->rdd2_phy)
		mphy = dev->rdd2_phy->mt76;
	else
		mphy = dev->mt76.phys[report->band_idx];

	if (!mphy)
		return;

	if (background)
		cfg80211_background_radar_event(mphy->hw->wiphy,
						&dev->rdd2_chandef,
						GFP_ATOMIC);
	else
		ieee80211_radar_detected(mphy->hw);

	dev->hw_pattern++;
}
358 
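/*
 * Forward a firmware log event to debugfs and/or the kernel log.
 *
 * Legacy events carry the log text directly after the receive descriptor.
 * Unified events carry a 4-byte event header, a TLV header and a further
 * 4 bytes before the text, and only TLVs tagged UNI_EVENT_FW_LOG_FORMAT are
 * handled.
 *
 * The length fields come from firmware, so they are validated against the
 * number of bytes actually received: an event too short for its headers is
 * dropped, and the text length is clamped to what is left in @skb. Without
 * this, a negative or oversized length would let the "%.*s" print below
 * read beyond the received data.
 */
static void
mt7996_mcu_rx_log_message(struct mt7996_dev *dev, struct sk_buff *skb)
{
#define UNI_EVENT_FW_LOG_FORMAT 0
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
	const char *data = (char *)&rxd[1] + 4, *type;
	struct tlv *tlv = (struct tlv *)data;
	/* bytes in front of the text of a unified log event */
	const size_t uni_hdr_len = sizeof(*rxd) + 4 + sizeof(*tlv) + 4;
	u16 tlv_len;
	int len;

	if (skb->len < sizeof(*rxd))
		return;

	if (!(rxd->option & MCU_UNI_CMD_EVENT)) {
		len = skb->len - sizeof(*rxd);
		data = (char *)&rxd[1];
		goto out;
	}

	/* the TLV header must be fully present before it is read */
	if (skb->len < uni_hdr_len)
		return;

	if (le16_to_cpu(tlv->tag) != UNI_EVENT_FW_LOG_FORMAT)
		return;

	/* tlv->len covers the TLV header and the 4 bytes that follow it */
	tlv_len = le16_to_cpu(tlv->len);
	if (tlv_len < sizeof(*tlv) + 4)
		return;

	data += sizeof(*tlv) + 4;
	len = tlv_len - sizeof(*tlv) - 4;
	/* never print more than what was received */
	len = min_t(int, len, skb->len - uni_hdr_len);

out:
	switch (rxd->s2d_index) {
	case 0:
		/* debugfs may consume the message; nothing more to do then */
		if (mt7996_debugfs_rx_log(dev, data, len))
			return;

		type = "WM";
		break;
	case 2:
		type = "WA";
		break;
	default:
		type = "unknown";
		break;
	}

	wiphy_info(mt76_hw(dev)->wiphy, "%s: %.*s", type, len, data);
}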
398 
/*
 * Interface iterator callback: complete a BSS color change on @vif, but
 * only if one is currently active. @priv and @mac are unused.
 */
static void
mt7996_mcu_cca_finish(void *priv, u8 *mac, struct ieee80211_vif *vif)
{
	if (vif->bss_conf.color_change_active)
		ieee80211_color_change_finish(vif);
}
407 
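/*
 * Handle an IE-countdown event from firmware: for each TLV in the event,
 * finish a pending channel switch (CSA) or BSS color change (BCC) on all
 * active interfaces of the band named in the event header.
 *
 * The event is firmware-supplied, so it is validated before use: the
 * receive descriptor and the band header must be fully present, the band
 * index must fit dev->mt76.phys[], and the TLV walk stops at the end of the
 * received data or at a TLV whose length is smaller than its own header
 * (tlv->len includes the header).
 */
static void
mt7996_mcu_ie_countdown(struct mt7996_dev *dev, struct sk_buff *skb)
{
#define UNI_EVENT_IE_COUNTDOWN_CSA 0
#define UNI_EVENT_IE_COUNTDOWN_BCC 1
	struct header {
		u8 band;
		u8 rsv[3];
	};
	struct mt76_phy *mphy = &dev->mt76.phy;
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
	const char *data = (char *)&rxd[1], *tail;
	struct header *hdr = (struct header *)data;
	struct tlv *tlv;

	/* hdr->band must lie inside the received data before it is read */
	if (skb->len < sizeof(*rxd) + sizeof(*hdr))
		return;

	if (hdr->band >= ARRAY_SIZE(dev->mt76.phys))
		return;

	/* band 0, or a band without a registered phy, stays on the main phy */
	if (hdr->band && dev->mt76.phys[hdr->band])
		mphy = dev->mt76.phys[hdr->band];

	tail = skb->data + skb->len;
	data += sizeof(struct header);
	tlv = (struct tlv *)data;
	while (data + sizeof(struct tlv) < tail &&
	       le16_to_cpu(tlv->len) >= sizeof(struct tlv)) {
		switch (le16_to_cpu(tlv->tag)) {
		case UNI_EVENT_IE_COUNTDOWN_CSA:
			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
					IEEE80211_IFACE_ITER_RESUME_ALL,
					mt7996_mcu_csa_finish, mphy->hw);
			break;
		case UNI_EVENT_IE_COUNTDOWN_BCC:
			ieee80211_iterate_active_interfaces_atomic(mphy->hw,
					IEEE80211_IFACE_ITER_RESUME_ALL,
					mt7996_mcu_cca_finish, mphy->hw);
			break;
		}

		data += le16_to_cpu(tlv->len);
		tlv = (struct tlv *)data;
	}
}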
449 
/*
 * Dispatch a legacy extended event. Only firmware log messages are handled;
 * every other extended event id is ignored.
 */
static void
mt7996_mcu_rx_ext_event(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;

	if (rxd->ext_eid == MCU_EXT_EVENT_FW_LOG_2_HOST)
		mt7996_mcu_rx_log_message(dev, skb);
}
463 
/*
 * Handle a legacy unsolicited event and release @skb. Only MCU_EVENT_EXT is
 * dispatched further; the buffer is freed in every case.
 */
static void
mt7996_mcu_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;

	if (rxd->eid == MCU_EVENT_EXT)
		mt7996_mcu_rx_ext_event(dev, skb);

	/* this function owns the skb: always free it */
	dev_kfree_skb(skb);
}
478 
/*
 * Handle a unified unsolicited event and release @skb. Firmware log,
 * IE-countdown and radar-report events are dispatched to their handlers;
 * anything else is dropped. The buffer is freed in every case.
 */
static void
mt7996_mcu_uni_rx_unsolicited_event(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;

	if (rxd->eid == MCU_UNI_EVENT_FW_LOG_2_HOST)
		mt7996_mcu_rx_log_message(dev, skb);
	else if (rxd->eid == MCU_UNI_EVENT_IE_COUNTDOWN)
		mt7996_mcu_ie_countdown(dev, skb);
	else if (rxd->eid == MCU_UNI_EVENT_RDD_REPORT)
		mt7996_mcu_rx_radar_detected(dev, skb);

	/* this function owns the skb: always free it */
	dev_kfree_skb(skb);
}
499 
/*
 * Entry point for events received from the MCU.
 *
 * Unified unsolicited events and legacy unsolicited events (firmware log,
 * or sequence number 0) are consumed here; everything else is a command
 * response and is handed to mt76_mcu_rx_event().
 */
void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct mt7996_mcu_rxd *rxd = (struct mt7996_mcu_rxd *)skb->data;
	bool legacy_unsolicited;

	if (rxd->option & MCU_UNI_CMD_UNSOLICITED_EVENT) {
		mt7996_mcu_uni_rx_unsolicited_event(dev, skb);
		return;
	}

	/* WA still reports through the legacy event format */
	legacy_unsolicited = rxd->ext_eid == MCU_EXT_EVENT_FW_LOG_2_HOST ||
			     !rxd->seq;
	if (!legacy_unsolicited) {
		mt76_mcu_rx_event(&dev->mt76, skb);
		return;
	}

	mt7996_mcu_rx_unsolicited_event(dev, skb);
}
516 
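/*
 * Append a TLV of @len bytes (header included) to @skb and return a pointer
 * to it with tag and length filled in, both little-endian.
 *
 * The whole TLV is zeroed here rather than relying on how the buffer was
 * allocated: the callers in this file set only some of the fields, and
 * whatever they leave untouched is sent to firmware as-is, so stale buffer
 * contents must not end up in the message.
 */
static struct tlv *
mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len)
{
	struct tlv *ptlv = skb_put_zero(skb, len);

	ptlv->tag = cpu_to_le16(tag);
	ptlv->len = cpu_to_le16(len);

	return ptlv;
}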
530 
/*
 * Append the UNI_BSS_INFO_RLM TLV describing the phy's current channel:
 * control and centre channel numbers, bandwidth, band code and the TX/RX
 * stream counts derived from the antenna mask. The second centre channel is
 * only set for 80+80 MHz operation. @vif is unused.
 */
static void
mt7996_mcu_bss_rfch_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
			struct mt7996_phy *phy)
{
	/* firmware band codes, indexed by nl80211 band */
	static const u8 rlm_ch_band[] = {
		[NL80211_BAND_2GHZ] = 1,
		[NL80211_BAND_5GHZ] = 2,
		[NL80211_BAND_6GHZ] = 3,
	};
	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
	struct bss_rlm_tlv *ch;

	ch = (struct bss_rlm_tlv *)mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RLM,
							  sizeof(*ch));

	ch->control_channel = chandef->chan->hw_value;
	ch->center_chan = ieee80211_frequency_to_channel(chandef->center_freq1);
	ch->bw = mt76_connac_chan_bw(chandef);
	ch->band = rlm_ch_band[chandef->chan->band];

	/* same antenna mask drives both directions */
	ch->tx_streams = hweight8(phy->mt76->antenna_mask);
	ch->rx_streams = hweight8(phy->mt76->antenna_mask);

	if (chandef->width != NL80211_CHAN_WIDTH_80P80)
		return;

	ch->center_chan2 = ieee80211_frequency_to_channel(chandef->center_freq2);
}
561 
/*
 * Append the UNI_BSS_INFO_RA TLV with short preamble enabled. No other
 * field is written here; @vif and @phy are unused.
 */
static void
mt7996_mcu_bss_ra_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
		      struct mt7996_phy *phy)
{
	struct bss_ra_tlv *ra;

	ra = (struct bss_ra_tlv *)mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_RA,
							 sizeof(*ra));
	ra->short_preamble = true;
}
574 
/*
 * Append the UNI_BSS_INFO_HE_BASIC TLV: packet-extension duration and RTS
 * duration threshold from the BSS configuration (falling back to the
 * defaults below when they are zero), plus the phy's HE TX MCS/NSS maps for
 * 80, 160 and 80+80 MHz.
 */
static void
mt7996_mcu_bss_he_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
		      struct mt7996_phy *phy)
{
#define DEFAULT_HE_PE_DURATION		4
#define DEFAULT_HE_DURATION_RTS_THRES	1023
	const struct ieee80211_sta_he_cap *cap =
		mt76_connac_get_he_phy_cap(phy->mt76, vif);
	u16 rts_thres = vif->bss_conf.frame_time_rts_th;
	struct bss_info_uni_he *he;

	he = (struct bss_info_uni_he *)mt7996_mcu_add_uni_tlv(skb,
							      UNI_BSS_INFO_HE_BASIC,
							      sizeof(*he));

	he->he_pe_duration = vif->bss_conf.htc_trig_based_pkt_ext;
	if (!he->he_pe_duration)
		he->he_pe_duration = DEFAULT_HE_PE_DURATION;

	if (!rts_thres)
		rts_thres = DEFAULT_HE_DURATION_RTS_THRES;
	he->he_rts_thres = cpu_to_le16(rts_thres);

	he->max_nss_mcs[CMD_HE_MCS_BW80] = cap->he_mcs_nss_supp.tx_mcs_80;
	he->max_nss_mcs[CMD_HE_MCS_BW160] = cap->he_mcs_nss_supp.tx_mcs_160;
	he->max_nss_mcs[CMD_HE_MCS_BW8080] = cap->he_mcs_nss_supp.tx_mcs_80p80;
}
602 
/*
 * Append the UNI_BSS_INFO_RATE TLV: one fixed rate index used for both
 * broadcast and multicast (the vif's multicast rate index, or its basic
 * rate index when the former is zero), with short preamble set only on the
 * 2.4 GHz band.
 */
static void
mt7996_mcu_bss_bmc_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
		       struct mt7996_phy *phy)
{
	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
	enum nl80211_band band = phy->mt76->chandef.chan->band;
	u8 rate_idx = mvif->mcast_rates_idx ?: mvif->basic_rates_idx;
	struct bss_rate_tlv *bmc;

	bmc = (struct bss_rate_tlv *)mt7996_mcu_add_uni_tlv(skb,
							    UNI_BSS_INFO_RATE,
							    sizeof(*bmc));

	bmc->bc_fixed_rate = rate_idx;
	bmc->mc_fixed_rate = rate_idx;
	bmc->short_preamble = (band == NL80211_BAND_2GHZ);
}
623 
/* Append the UNI_BSS_INFO_TXCMD TLV with txcmd_mode set to @en. */
static void
mt7996_mcu_bss_txcmd_tlv(struct sk_buff *skb, bool en)
{
	struct bss_txcmd_tlv *txcmd;

	txcmd = (struct bss_txcmd_tlv *)mt7996_mcu_add_uni_tlv(skb,
							       UNI_BSS_INFO_TXCMD,
							       sizeof(*txcmd));
	txcmd->txcmd_mode = en;
}
635 
/*
 * Append the UNI_BSS_INFO_MLD TLV. The vif's own index is used as its MLD
 * id; group id and remap index are both set to 0xff.
 */
static void
mt7996_mcu_bss_mld_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct bss_mld_tlv *mld;

	mld = (struct bss_mld_tlv *)mt7996_mcu_add_uni_tlv(skb,
							   UNI_BSS_INFO_MLD,
							   sizeof(*mld));
	mld->own_mld_id = mvif->mt76.idx;
	mld->group_mld_id = 0xff;
	mld->remap_idx = 0xff;
}
650 
/* Append the UNI_BSS_INFO_SEC TLV carrying the cipher stored on the vif. */
static void
mt7996_mcu_bss_sec_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
{
	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
	struct bss_sec_tlv *sec;

	sec = (struct bss_sec_tlv *)mt7996_mcu_add_uni_tlv(skb,
							   UNI_BSS_INFO_SEC,
							   sizeof(*sec));
	sec->cipher = mvif->cipher;
}
663 
/*
 * Program one MUAR (address) entry for a repeater interface.
 *
 * @bssid selects which address is written: the BSSID of the vif's BSS when
 * true, the vif's own MAC address when false. When @enable is false the
 * address field is left all-zero; entry_add is set to true in both cases.
 *
 * Returns the result of mt76_mcu_send_msg(), which waits for the response.
 */
static int
mt7996_mcu_muar_config(struct mt7996_phy *phy, struct ieee80211_vif *vif,
		       bool bssid, bool enable)
{
#define UNI_MUAR_ENTRY 2
	struct mt7996_dev *dev = phy->dev;
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	/*
	 * Unsigned subtraction: this wraps if omac_idx is below
	 * REPEATER_BSSID_START. The caller visible in this file only calls in
	 * for omac_idx >= REPEATER_BSSID_START.
	 */
	u32 idx = mvif->mt76.omac_idx - REPEATER_BSSID_START;
	const u8 *addr = vif->addr;

	struct {
		struct {
			u8 band;
			u8 __rsv[3];
		} hdr;

		__le16 tag;
		__le16 len;

		bool smesh;
		u8 bssid;
		u8 index;
		u8 entry_add;
		u8 addr[ETH_ALEN];
		u8 __rsv[2];
	} __packed req = {
		.hdr.band = phy->mt76->band_idx,
		.tag = cpu_to_le16(UNI_MUAR_ENTRY),
		/* TLV length excludes the 4-byte header in front of it */
		.len = cpu_to_le16(sizeof(req) - sizeof(req.hdr)),
		.smesh = false,
		/* two entries per repeater index: even for the MAC, odd for the BSSID */
		.index = idx * 2 + bssid,
		.entry_add = true,
	};

	if (bssid)
		addr = vif->bss_conf.bssid;

	if (enable)
		memcpy(req.addr, addr, ETH_ALEN);

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REPT_MUAR), &req,
				 sizeof(req), true);
}
707 
/*
 * Append the UNI_BSS_INFO_IFS_TIME TLV. Slot time comes from the phy; SIFS
 * and RIFS are fixed at 10 and 2, EIFS is 78 on 2.4 GHz and 84 otherwise,
 * and the CCK EIFS (314) is only supplied on 2.4 GHz.
 */
static void
mt7996_mcu_bss_ifs_timing_tlv(struct sk_buff *skb, struct ieee80211_vif *vif)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_phy *phy = mvif->phy;
	bool is_2ghz = phy->mt76->chandef.chan->band == NL80211_BAND_2GHZ;
	struct bss_ifs_time_tlv *ifs;
	u16 eifs;

	ifs = (struct bss_ifs_time_tlv *)mt7996_mcu_add_uni_tlv(skb,
								UNI_BSS_INFO_IFS_TIME,
								sizeof(*ifs));

	if (is_2ghz)
		eifs = 78;
	else
		eifs = 84;

	ifs->slot_valid = true;
	ifs->slot_time = cpu_to_le16(phy->slottime);

	ifs->sifs_valid = true;
	ifs->sifs_time = cpu_to_le16(10);

	ifs->rifs_valid = true;
	ifs->rifs_time = cpu_to_le16(2);

	ifs->eifs_valid = true;
	ifs->eifs_time = cpu_to_le16(eifs);

	if (!is_2ghz)
		return;

	ifs->eifs_cck_valid = true;
	ifs->eifs_cck_time = cpu_to_le16(314);
}
735 
/*
 * Append the UNI_BSS_INFO_BASIC TLV describing @vif to @skb.
 *
 * The connection type is derived from the interface type. For a station
 * interface being enabled, the peer's WLAN index is looked up (from @sta,
 * or from the station matching the BSSID when @sta is NULL) and used as
 * sta_idx; otherwise sta_idx is @wlan_idx. Monitor interfaces get the phy's
 * MAC address as BSSID and no phy-mode fields.
 *
 * Always returns 0.
 */
static int
mt7996_mcu_bss_basic_tlv(struct sk_buff *skb,
			 struct ieee80211_vif *vif,
			 struct ieee80211_sta *sta,
			 struct mt76_phy *phy, u16 wlan_idx,
			 bool enable)
{
	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
	struct cfg80211_chan_def *chandef = &phy->chandef;
	struct mt76_connac_bss_basic_tlv *bss;
	u32 type = CONNECTION_INFRA_AP;
	u16 sta_wlan_idx = wlan_idx;
	struct tlv *tlv;
	int idx;

	switch (vif->type) {
	case NL80211_IFTYPE_MESH_POINT:
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_MONITOR:
		/* keep the CONNECTION_INFRA_AP default */
		break;
	case NL80211_IFTYPE_STATION:
		if (enable) {
			/* the station lookup and the read of its wcid index stay inside the RCU read section */
			rcu_read_lock();
			if (!sta)
				sta = ieee80211_find_sta(vif,
							 vif->bss_conf.bssid);
			/* TODO: enable BSS_INFO_UAPSD & BSS_INFO_PM */
			if (sta) {
				struct mt76_wcid *wcid;

				wcid = (struct mt76_wcid *)sta->drv_priv;
				sta_wlan_idx = wcid->idx;
			}
			rcu_read_unlock();
		}
		type = CONNECTION_INFRA_STA;
		break;
	case NL80211_IFTYPE_ADHOC:
		type = CONNECTION_IBSS_ADHOC;
		break;
	default:
		/* unexpected interface type: warn, then continue with the AP default */
		WARN_ON(1);
		break;
	}

	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_BASIC, sizeof(*bss));

	bss = (struct mt76_connac_bss_basic_tlv *)tlv;
	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
	bss->dtim_period = vif->bss_conf.dtim_period;
	bss->bmc_tx_wlan_idx = cpu_to_le16(wlan_idx);
	bss->sta_idx = cpu_to_le16(sta_wlan_idx);
	bss->conn_type = cpu_to_le32(type);
	bss->omac_idx = mvif->omac_idx;
	bss->band_idx = mvif->band_idx;
	bss->wmm_idx = mvif->wmm_idx;
	bss->conn_state = !enable;
	bss->active = enable;

	/* own-MAC indices above EXT_BSSID_START are reported as HW_BSSID_0 */
	idx = mvif->omac_idx > EXT_BSSID_START ? HW_BSSID_0 : mvif->omac_idx;
	bss->hw_bss_idx = idx;

	if (vif->type == NL80211_IFTYPE_MONITOR) {
		memcpy(bss->bssid, phy->macaddr, ETH_ALEN);
		return 0;
	}

	memcpy(bss->bssid, vif->bss_conf.bssid, ETH_ALEN);
	/* bcn_interval and dtim_period were already set above; these two stores repeat the same values */
	bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int);
	bss->dtim_period = vif->bss_conf.dtim_period;
	bss->phymode = mt76_connac_get_phy_mode(phy, vif,
						chandef->chan->band, NULL);
	bss->phymode_ext = mt76_connac_get_phy_mode_ext(phy, vif,
							chandef->chan->band);

	return 0;
}
813 
/*
 * Allocate an MCU message of up to @len bytes and start it with a BSS
 * request header naming @mvif's index.
 *
 * Returns the new skb, or ERR_PTR(-ENOMEM) when allocation fails; callers
 * must test the result with IS_ERR().
 */
static struct sk_buff *
__mt7996_mcu_alloc_bss_req(struct mt76_dev *dev, struct mt76_vif *mvif, int len)
{
	struct bss_req_hdr hdr = { .bss_idx = mvif->idx };
	struct sk_buff *skb = mt76_mcu_msg_alloc(dev, NULL, len);

	if (skb) {
		skb_put_data(skb, &hdr, sizeof(hdr));
		return skb;
	}

	return ERR_PTR(-ENOMEM);
}
830 
/*
 * Send a BSS_INFO_UPDATE for @vif.
 *
 * Repeater interfaces first get their two MUAR entries programmed; the
 * result of those two commands is not checked. The message always carries
 * the basic and security TLVs. When the BSS is being enabled on a
 * non-monitor interface it additionally carries channel, rate, RA, TXCMD,
 * IFS timing, optional HE and MLD TLVs.
 *
 * Returns a negative errno if the message cannot be allocated, otherwise
 * the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_add_bss_info(struct mt7996_phy *phy,
			    struct ieee80211_vif *vif, int enable)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_dev *dev = phy->dev;
	struct sk_buff *skb;

	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START) {
		mt7996_mcu_muar_config(phy, vif, false, enable);
		mt7996_mcu_muar_config(phy, vif, true, enable);
	}

	skb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
					 MT7996_BSS_UPDATE_MAX_SIZE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	/* the basic TLV has to be the first one in the message */
	mt7996_mcu_bss_basic_tlv(skb, vif, NULL, phy->mt76,
				 mvif->sta.wcid.idx, enable);
	mt7996_mcu_bss_sec_tlv(skb, vif);

	if (vif->type != NL80211_IFTYPE_MONITOR && enable) {
		mt7996_mcu_bss_rfch_tlv(skb, vif, phy);
		mt7996_mcu_bss_bmc_tlv(skb, vif, phy);
		mt7996_mcu_bss_ra_tlv(skb, vif, phy);
		mt7996_mcu_bss_txcmd_tlv(skb, true);
		mt7996_mcu_bss_ifs_timing_tlv(skb, vif);

		if (vif->bss_conf.he_support)
			mt7996_mcu_bss_he_tlv(skb, vif, phy);

		/* required whether or not the vif is an MLD */
		mt7996_mcu_bss_mld_tlv(skb, vif);
	}

	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
}
873 
/*
 * Send a BSS_INFO_UPDATE for @vif that carries only the IFS timing TLV.
 *
 * Returns a negative errno if the message cannot be allocated, otherwise
 * the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_set_timing(struct mt7996_phy *phy, struct ieee80211_vif *vif)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt76_dev *mdev = &phy->dev->mt76;
	struct sk_buff *req;

	req = __mt7996_mcu_alloc_bss_req(mdev, &mvif->mt76,
					 MT7996_BSS_UPDATE_MAX_SIZE);
	if (IS_ERR(req))
		return PTR_ERR(req);

	mt7996_mcu_bss_ifs_timing_tlv(req, vif);

	return mt76_mcu_skb_send_msg(mdev, req,
				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
}
890 
/*
 * Send a STA_REC_UPDATE carrying a block-ack TLV for the station and TID in
 * @params. @tx selects originator (true) or recipient (false); @enable is
 * encoded as a bit at position params->tid in ba_en.
 *
 * Returns a negative errno if the message cannot be allocated, otherwise
 * the result of mt76_mcu_skb_send_msg().
 */
static int
mt7996_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif *mvif,
		  struct ieee80211_ampdu_params *params,
		  bool enable, bool tx)
{
	struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv;
	struct sta_rec_ba_uni *ba;
	struct sk_buff *skb;

	skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, wcid,
					      MT7996_STA_UPDATE_MAX_SIZE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	ba = (struct sta_rec_ba_uni *)mt76_connac_mcu_add_tlv(skb, STA_REC_BA,
							      sizeof(*ba));

	if (tx)
		ba->ba_type = MT_BA_TYPE_ORIGINATOR;
	else
		ba->ba_type = MT_BA_TYPE_RECIPIENT;

	ba->tid = params->tid;
	ba->ba_en = enable << params->tid;
	ba->ssn = cpu_to_le16(params->ssn);
	ba->winsize = cpu_to_le16(params->buf_size);
	ba->amsdu = params->amsdu;

	return mt76_mcu_skb_send_msg(dev, skb,
				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
}
919 
920 /** starec & wtbl **/
/*
 * Set up or tear down a TX (originator) block-ack session. When a session
 * is enabled without A-MSDU support, the station's A-MSDU flag is cleared
 * before the request is sent.
 */
int mt7996_mcu_add_tx_ba(struct mt7996_dev *dev,
			 struct ieee80211_ampdu_params *params,
			 bool enable)
{
	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;
	bool no_amsdu = enable && !params->amsdu;

	if (no_amsdu)
		msta->wcid.amsdu = false;

	return mt7996_mcu_sta_ba(&dev->mt76, &msta->vif->mt76, params,
				 enable, true);
}
934 
/* Set up or tear down an RX (recipient) block-ack session. */
int mt7996_mcu_add_rx_ba(struct mt7996_dev *dev,
			 struct ieee80211_ampdu_params *params,
			 bool enable)
{
	struct mt7996_sta *msta = (struct mt7996_sta *)params->sta->drv_priv;

	return mt7996_mcu_sta_ba(&dev->mt76, &msta->vif->mt76, params,
				 enable, false);
}
945 
/*
 * Append the STA_REC_HE_V2 TLV for an HE-capable station; does nothing when
 * the station has no HE capabilities.
 *
 * The TLV carries the first 6 bytes of the station's HE MAC capabilities,
 * the first 11 bytes of its HE PHY capabilities, and the RX MCS/NSS maps
 * for the bandwidths the station operates at, each filtered through
 * mt7996_mcu_set_sta_he_mcs().
 */
static void
mt7996_mcu_sta_he_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
{
	struct ieee80211_he_cap_elem *elem = &sta->deflink.he_cap.he_cap_elem;
	struct ieee80211_he_mcs_nss_supp mcs_map;
	struct sta_rec_he_v2 *he;
	struct tlv *tlv;
	int i = 0;

	if (!sta->deflink.he_cap.has_he)
		return;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_HE_V2, sizeof(*he));

	he = (struct sta_rec_he_v2 *)tlv;
	/* one loop for both arrays: 11 PHY capability bytes, 6 MAC capability bytes */
	for (i = 0; i < 11; i++) {
		if (i < 6)
			he->he_mac_cap[i] = elem->mac_cap_info[i];
		he->he_phy_cap[i] = elem->phy_cap_info[i];
	}

	mcs_map = sta->deflink.he_cap.he_mcs_nss_supp;
	switch (sta->deflink.bandwidth) {
	case IEEE80211_STA_RX_BW_160:
		/* the 80+80 map is only filled when the station advertises that width */
		if (elem->phy_cap_info[0] &
		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)
			mt7996_mcu_set_sta_he_mcs(sta,
						  &he->max_nss_mcs[CMD_HE_MCS_BW8080],
						  le16_to_cpu(mcs_map.rx_mcs_80p80));

		mt7996_mcu_set_sta_he_mcs(sta,
					  &he->max_nss_mcs[CMD_HE_MCS_BW160],
					  le16_to_cpu(mcs_map.rx_mcs_160));
		/* a 160 MHz station also gets the 80 MHz map */
		fallthrough;
	default:
		mt7996_mcu_set_sta_he_mcs(sta,
					  &he->max_nss_mcs[CMD_HE_MCS_BW80],
					  le16_to_cpu(mcs_map.rx_mcs_80));
		break;
	}

	he->pkt_ext = 2;
}
989 
/*
 * Append the STA_REC_HE_6G TLV with the station's HE 6 GHz capability
 * field. Nothing is appended when that field is zero.
 */
static void
mt7996_mcu_sta_he_6g_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
{
	struct sta_rec_he_6g_capa *he_6g;

	if (!sta->deflink.he_6ghz_capa.capa)
		return;

	he_6g = (struct sta_rec_he_6g_capa *)mt76_connac_mcu_add_tlv(skb,
								     STA_REC_HE_6G,
								     sizeof(*he_6g));
	he_6g->capa = sta->deflink.he_6ghz_capa.capa;
}
1004 
/*
 * Append the STA_REC_EHT TLV for an EHT-capable station; does nothing when
 * the station has no EHT capabilities.
 *
 * The TLV carries the EHT MAC capability bytes, the first eight EHT PHY
 * capability bytes plus the ninth as an extension word, and the MCS/NSS
 * maps for 80/160/320 MHz. The 20 MHz-only map is copied only when the
 * station's bandwidth is 20 MHz.
 *
 * NOTE(review): mac_cap_info and phy_cap_info are read through u16 and u64
 * pointer casts. That assumes the byte arrays are suitably aligned, and
 * combined with cpu_to_le*() the byte order sent to firmware would differ
 * on a big-endian host. An unaligned little-endian accessor would avoid
 * both - confirm against the mac80211 struct layout.
 */
static void
mt7996_mcu_sta_eht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
{
	struct ieee80211_eht_mcs_nss_supp *mcs_map;
	struct ieee80211_eht_cap_elem_fixed *elem;
	struct sta_rec_eht *eht;
	struct tlv *tlv;

	if (!sta->deflink.eht_cap.has_eht)
		return;

	mcs_map = &sta->deflink.eht_cap.eht_mcs_nss_supp;
	elem = &sta->deflink.eht_cap.eht_cap_elem;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_EHT, sizeof(*eht));

	eht = (struct sta_rec_eht *)tlv;
	eht->tid_bitmap = 0xff;
	eht->mac_cap = cpu_to_le16(*(u16 *)elem->mac_cap_info);
	eht->phy_cap = cpu_to_le64(*(u64 *)elem->phy_cap_info);
	eht->phy_cap_ext = cpu_to_le64(elem->phy_cap_info[8]);

	/* each copy is sized by the destination field in the TLV */
	if (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_20)
		memcpy(eht->mcs_map_bw20, &mcs_map->only_20mhz, sizeof(eht->mcs_map_bw20));
	memcpy(eht->mcs_map_bw80, &mcs_map->bw._80, sizeof(eht->mcs_map_bw80));
	memcpy(eht->mcs_map_bw160, &mcs_map->bw._160, sizeof(eht->mcs_map_bw160));
	memcpy(eht->mcs_map_bw320, &mcs_map->bw._320, sizeof(eht->mcs_map_bw320));
}
1033 
/*
 * Append the STA_REC_HT TLV with the station's HT capability word
 * (little-endian). Nothing is appended for stations without HT support.
 */
static void
mt7996_mcu_sta_ht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
{
	struct sta_rec_ht *ht;

	if (!sta->deflink.ht_cap.ht_supported)
		return;

	ht = (struct sta_rec_ht *)mt76_connac_mcu_add_tlv(skb, STA_REC_HT,
							  sizeof(*ht));
	ht->ht_cap = cpu_to_le16(sta->deflink.ht_cap.cap);
}
1048 
/*
 * Append the STA_REC_VHT TLV with the station's VHT capabilities and its
 * RX/TX MCS maps. The TLV is also sent for stations that only advertise HE
 * 6 GHz capabilities, because the hardware needs it on the 6 GHz band.
 */
static void
mt7996_mcu_sta_vht_tlv(struct sk_buff *skb, struct ieee80211_sta *sta)
{
	struct sta_rec_vht *vht;

	/* skip only when the station has neither 6 GHz nor VHT capabilities */
	if (!(sta->deflink.he_6ghz_capa.capa ||
	      sta->deflink.vht_cap.vht_supported))
		return;

	vht = (struct sta_rec_vht *)mt76_connac_mcu_add_tlv(skb, STA_REC_VHT,
							    sizeof(*vht));

	vht->vht_cap = cpu_to_le32(sta->deflink.vht_cap.cap);
	vht->vht_tx_mcs_map = sta->deflink.vht_cap.vht_mcs.tx_mcs_map;
	vht->vht_rx_mcs_map = sta->deflink.vht_cap.vht_mcs.rx_mcs_map;
}
1066 
/*
 * Append the STA_REC_HW_AMSDU TLV enabling hardware A-MSDU (up to 8
 * subframes) for @sta and mark the station's wcid as A-MSDU capable.
 *
 * Nothing is appended unless @vif is a station, mesh point or AP interface
 * and the station advertises a non-zero maximum A-MSDU length. The maximum
 * MPDU size code is derived from that length. @dev is unused.
 */
static void
mt7996_mcu_sta_amsdu_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
			 struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
	struct sta_rec_amsdu *amsdu;
	bool type_ok = vif->type == NL80211_IFTYPE_STATION ||
		       vif->type == NL80211_IFTYPE_MESH_POINT ||
		       vif->type == NL80211_IFTYPE_AP;

	if (!type_ok || !sta->deflink.agg.max_amsdu_len)
		return;

	amsdu = (struct sta_rec_amsdu *)mt76_connac_mcu_add_tlv(skb,
								STA_REC_HW_AMSDU,
								sizeof(*amsdu));
	amsdu->amsdu_en = true;
	amsdu->max_amsdu_num = 8;
	msta->wcid.amsdu = true;

	switch (sta->deflink.agg.max_amsdu_len) {
	case IEEE80211_MAX_MPDU_LEN_VHT_11454:
		amsdu->max_mpdu_size =
			IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454;
		break;
	case IEEE80211_MAX_MPDU_LEN_HT_7935:
	case IEEE80211_MAX_MPDU_LEN_VHT_7991:
		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991;
		break;
	default:
		/* any other length falls back to the smallest size code */
		amsdu->max_mpdu_size = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895;
		break;
	}
}
1103 
/*
 * Append a STA_REC_MURU TLV describing MU-MIMO and OFDMA settings for the
 * station. Only station and AP interfaces get this TLV. The HE-derived
 * fields are filled only when the station has HE capabilities.
 */
static void
mt7996_mcu_sta_muru_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct ieee80211_he_cap_elem *elem = &sta->deflink.he_cap.he_cap_elem;
	struct sta_rec_muru *muru;
	struct tlv *tlv;

	if (vif->type != NL80211_IFTYPE_STATION &&
	    vif->type != NL80211_IFTYPE_AP)
		return;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_MURU, sizeof(*muru));

	muru = (struct sta_rec_muru *)tlv;
	/* DL MU-MIMO follows the vif's own MU beamforming flags */
	muru->cfg.mimo_dl_en = vif->bss_conf.eht_mu_beamformer ||
			       vif->bss_conf.he_mu_beamformer ||
			       vif->bss_conf.vht_mu_beamformer ||
			       vif->bss_conf.vht_mu_beamformee;
	/* DL OFDMA is enabled unconditionally */
	muru->cfg.ofdma_dl_en = true;

	if (sta->deflink.vht_cap.vht_supported)
		muru->mimo_dl.vht_mu_bfee =
			!!(sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);

	/* everything below is read from the station's HE capability element */
	if (!sta->deflink.he_cap.has_he)
		return;

	muru->mimo_dl.partial_bw_dl_mimo =
		HE_PHY(CAP6_PARTIAL_BANDWIDTH_DL_MUMIMO, elem->phy_cap_info[6]);

	muru->mimo_ul.full_ul_mimo =
		HE_PHY(CAP2_UL_MU_FULL_MU_MIMO, elem->phy_cap_info[2]);
	muru->mimo_ul.partial_ul_mimo =
		HE_PHY(CAP2_UL_MU_PARTIAL_MU_MIMO, elem->phy_cap_info[2]);

	muru->ofdma_dl.punc_pream_rx =
		HE_PHY(CAP1_PREAMBLE_PUNC_RX_MASK, elem->phy_cap_info[1]);
	muru->ofdma_dl.he_20m_in_40m_2g =
		HE_PHY(CAP8_20MHZ_IN_40MHZ_HE_PPDU_IN_2G, elem->phy_cap_info[8]);
	muru->ofdma_dl.he_20m_in_160m =
		HE_PHY(CAP8_20MHZ_IN_160MHZ_HE_PPDU, elem->phy_cap_info[8]);
	muru->ofdma_dl.he_80m_in_160m =
		HE_PHY(CAP8_80MHZ_IN_160MHZ_HE_PPDU, elem->phy_cap_info[8]);

	muru->ofdma_ul.t_frame_dur =
		HE_MAC(CAP1_TF_MAC_PAD_DUR_MASK, elem->mac_cap_info[1]);
	muru->ofdma_ul.mu_cascading =
		HE_MAC(CAP2_MU_CASCADING, elem->mac_cap_info[2]);
	muru->ofdma_ul.uo_ra =
		HE_MAC(CAP3_OFDMA_RA, elem->mac_cap_info[3]);
}
1156 
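/*
 * Decide whether explicit beamforming can be used with @sta.
 *
 * @bfee selects the local role: true asks whether the vif can act as
 * beamformee, false whether it can act as beamformer. The local role must be
 * enabled on the vif and the station must advertise the opposite role, so a
 * local beamformee needs a beamformer peer and vice versa. The newest PHY
 * generation the station supports (EHT, then HE, then VHT) decides.
 *
 * Only station and AP interfaces qualify, and the beamformer role needs at
 * least two chains set in the phy's chainmask.
 */
static inline bool
mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif,
			struct ieee80211_sta *sta, bool bfee)
{
	int sts = hweight16(phy->mt76->chainmask);

	if (vif->type != NL80211_IFTYPE_STATION &&
	    vif->type != NL80211_IFTYPE_AP)
		return false;

	if (!bfee && sts < 2)
		return false;

	if (sta->deflink.eht_cap.has_eht) {
		struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
		struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;

		/* Test the peer's opposite role, as the HE and VHT branches
		 * do: checking the peer's own beamformee bit for a local
		 * beamformee would accept a peer that cannot sound us.
		 */
		if (bfee)
			return vif->bss_conf.eht_su_beamformee &&
			       EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
		else
			return vif->bss_conf.eht_su_beamformer &&
			       EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
	}

	if (sta->deflink.he_cap.has_he) {
		struct ieee80211_he_cap_elem *pe = &sta->deflink.he_cap.he_cap_elem;

		if (bfee)
			return vif->bss_conf.he_su_beamformee &&
			       HE_PHY(CAP3_SU_BEAMFORMER, pe->phy_cap_info[3]);
		else
			return vif->bss_conf.he_su_beamformer &&
			       HE_PHY(CAP4_SU_BEAMFORMEE, pe->phy_cap_info[4]);
	}

	if (sta->deflink.vht_cap.vht_supported) {
		u32 cap = sta->deflink.vht_cap.cap;

		if (bfee)
			return vif->bss_conf.vht_su_beamformee &&
			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE);
		else
			return vif->bss_conf.vht_su_beamformer &&
			       (cap & IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE);
	}

	return false;
}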
1206 
/*
 * Fill the sounding parameters of a beamformer record: OFDM as sounding PHY,
 * rate 0 for the NDP, and MT7996_CFEND_RATE_DEFAULT for both the NDPA and
 * the report poll.
 */
static void
mt7996_mcu_sta_sounding_rate(struct sta_rec_bf *bf)
{
	/* ofdm 24m */
	bf->rept_poll_rate = MT7996_CFEND_RATE_DEFAULT;
	bf->ndpa_rate = MT7996_CFEND_RATE_DEFAULT;
	/* mcs0 */
	bf->ndp_rate = 0;
	bf->sounding_phy = MT_PHY_TYPE_OFDM;
}
1215 
/*
 * Fill the HT part of a beamformer record. The column count comes from the
 * station's HT MCS info: the advertised TX max-streams field when the station
 * flags both "TX defined" and "TX/RX differ", otherwise the index of the
 * highest non-empty rx_mask byte among bytes 1..3 (0 when none is set).
 */
static void
mt7996_mcu_sta_bfer_ht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
		       struct sta_rec_bf *bf)
{
	struct ieee80211_mcs_info *mcs = &sta->deflink.ht_cap.mcs;
	const u8 tx_flags = IEEE80211_HT_MCS_TX_RX_DIFF |
			    IEEE80211_HT_MCS_TX_DEFINED;
	u8 streams = 0;

	bf->tx_mode = MT_PHY_TYPE_HT;

	if ((mcs->tx_params & tx_flags) == tx_flags) {
		streams = FIELD_GET(IEEE80211_HT_MCS_TX_MAX_STREAMS_MASK,
				    mcs->tx_params);
	} else {
		int i;

		for (i = 3; i > 0; i--) {
			if (mcs->rx_mask[i]) {
				streams = i;
				break;
			}
		}
	}

	bf->nrow = hweight8(phy->mt76->antenna_mask) - 1;
	bf->ncol = min_t(u8, bf->nrow, streams);
	bf->ibf_ncol = streams;
}
1240 
/*
 * Fill the VHT part of a beamformer record.
 *
 * With @explicit set, sounding rates are programmed and the row count is the
 * smallest of the 5 GHz band's sounding dimensions, the station's beamformee
 * STS field and the antenna count minus one. Without it the row count is the
 * antenna count minus one. For a 160 MHz station the explicit path forces
 * nrow to 1 and the implicit path forces ibf_nrow to 1.
 */
static void
mt7996_mcu_sta_bfer_vht(struct ieee80211_sta *sta, struct mt7996_phy *phy,
			struct sta_rec_bf *bf, bool explicit)
{
	struct ieee80211_sta_vht_cap *peer = &sta->deflink.vht_cap;
	struct ieee80211_sta_vht_cap *own = &phy->mt76->sband_5g.sband.vht_cap;
	bool bw160 = sta->deflink.bandwidth == IEEE80211_STA_RX_BW_160;
	u8 peer_nss = mt7996_mcu_get_sta_nss(le16_to_cpu(peer->vht_mcs.rx_mcs_map));
	u8 tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
	u8 bfee_sts, snd_dim;

	bf->tx_mode = MT_PHY_TYPE_VHT;

	if (!explicit) {
		bf->nrow = tx_ant;
		bf->ncol = min_t(u8, peer_nss, bf->nrow);
		bf->ibf_ncol = peer_nss;

		if (bw160)
			bf->ibf_nrow = 1;
		return;
	}

	mt7996_mcu_sta_sounding_rate(bf);

	bfee_sts = FIELD_GET(IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK, peer->cap);
	snd_dim = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
			    own->cap);
	bf->nrow = min_t(u8, min_t(u8, snd_dim, bfee_sts), tx_ant);
	bf->ncol = min_t(u8, peer_nss, bf->nrow);
	bf->ibf_ncol = bf->ncol;

	/* ncol and ibf_ncol keep the values computed from the wider nrow */
	if (bw160)
		bf->nrow = 1;
}
1277 
/*
 * Fill the HE part of a beamformer record from the station's HE capability
 * element (pe) and the capabilities returned by mt76_connac_get_he_phy_cap()
 * for this phy/vif (ve, presumably the local ones; confirm against that
 * helper). The 160 MHz / 80+80 MHz fields are filled only when the station's
 * bandwidth is IEEE80211_STA_RX_BW_160.
 */
static void
mt7996_mcu_sta_bfer_he(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
		       struct mt7996_phy *phy, struct sta_rec_bf *bf)
{
	struct ieee80211_sta_he_cap *pc = &sta->deflink.he_cap;
	struct ieee80211_he_cap_elem *pe = &pc->he_cap_elem;
	const struct ieee80211_sta_he_cap *vc =
		mt76_connac_get_he_phy_cap(phy->mt76, vif);
	const struct ieee80211_he_cap_elem *ve = &vc->he_cap_elem;
	u16 mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80);
	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
	u8 snd_dim, sts;

	bf->tx_mode = MT_PHY_TYPE_HE_SU;

	mt7996_mcu_sta_sounding_rate(bf);

	/* triggered feedback support as advertised by the station */
	bf->trigger_su = HE_PHY(CAP6_TRIG_SU_BEAMFORMING_FB,
				pe->phy_cap_info[6]);
	bf->trigger_mu = HE_PHY(CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB,
				pe->phy_cap_info[6]);
	/* sounding dimensions come from ve, the beamformee STS from the station */
	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
			 ve->phy_cap_info[5]);
	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_MASK,
		     pe->phy_cap_info[4]);
	bf->nrow = min_t(u8, snd_dim, sts);
	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
	bf->ibf_ncol = bf->ncol;

	if (sta->deflink.bandwidth != IEEE80211_STA_RX_BW_160)
		return;

	/* go over for 160MHz and 80p80 */
	if (pe->phy_cap_info[0] &
	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G) {
		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_160);
		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);

		bf->ncol_gt_bw80 = nss_mcs;
	}

	if (pe->phy_cap_info[0] &
	    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G) {
		mcs_map = le16_to_cpu(pc->he_mcs_nss_supp.rx_mcs_80p80);
		nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);

		/* when both widths are advertised keep the smaller value,
		 * unless the 160 MHz value is 0
		 */
		if (bf->ncol_gt_bw80)
			bf->ncol_gt_bw80 = min_t(u8, bf->ncol_gt_bw80, nss_mcs);
		else
			bf->ncol_gt_bw80 = nss_mcs;
	}

	snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_MASK,
			 ve->phy_cap_info[5]);
	sts = HE_PHY(CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_MASK,
		     pe->phy_cap_info[4]);

	bf->nrow_gt_bw80 = min_t(int, snd_dim, sts);
}
1337 
/*
 * Fill the EHT part of a beamformer record from the station's EHT capability
 * element (pe), its EHT MCS/NSS set, and the capabilities returned by
 * mt76_connac_get_eht_phy_cap() for this phy/vif (ve, presumably the local
 * ones; confirm against that helper). Wider-than-80 MHz fields are filled
 * only for 160 MHz and 320 MHz stations.
 */
static void
mt7996_mcu_sta_bfer_eht(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
			struct mt7996_phy *phy, struct sta_rec_bf *bf)
{
	struct ieee80211_sta_eht_cap *pc = &sta->deflink.eht_cap;
	struct ieee80211_eht_cap_elem_fixed *pe = &pc->eht_cap_elem;
	struct ieee80211_eht_mcs_nss_supp *eht_nss = &pc->eht_mcs_nss_supp;
	const struct ieee80211_sta_eht_cap *vc =
		mt76_connac_get_eht_phy_cap(phy->mt76, vif);
	const struct ieee80211_eht_cap_elem_fixed *ve = &vc->eht_cap_elem;
	/* NOTE(review): the "- 1" wraps to 255 in a u8 when the station
	 * advertises an RX NSS field of 0. The 80 MHz value is clamped by
	 * min_t() below, but the 160/320 MHz values are stored unclamped;
	 * confirm a zero field cannot reach this point.
	 */
	u8 nss_mcs = u8_get_bits(eht_nss->bw._80.rx_tx_mcs9_max_nss,
				 IEEE80211_EHT_MCS_NSS_RX) - 1;
	u8 snd_dim, sts;

	bf->tx_mode = MT_PHY_TYPE_EHT_MU;

	mt7996_mcu_sta_sounding_rate(bf);

	bf->trigger_su = EHT_PHY(CAP3_TRIG_SU_BF_FDBK, pe->phy_cap_info[3]);
	bf->trigger_mu = EHT_PHY(CAP3_TRIG_MU_BF_PART_BW_FDBK, pe->phy_cap_info[3]);
	snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_80MHZ_MASK, ve->phy_cap_info[2]);
	/* the 80 MHz beamformee SS field is split across cap bytes 0 and 1 */
	sts = EHT_PHY(CAP0_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[0]) +
	      (EHT_PHY(CAP1_BEAMFORMEE_SS_80MHZ_MASK, pe->phy_cap_info[1]) << 1);
	bf->nrow = min_t(u8, snd_dim, sts);
	bf->ncol = min_t(u8, nss_mcs, bf->nrow);
	bf->ibf_ncol = bf->ncol;

	if (sta->deflink.bandwidth < IEEE80211_STA_RX_BW_160)
		return;

	switch (sta->deflink.bandwidth) {
	case IEEE80211_STA_RX_BW_160:
		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_160MHZ_MASK, ve->phy_cap_info[2]);
		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_160MHZ_MASK, pe->phy_cap_info[1]);
		nss_mcs = u8_get_bits(eht_nss->bw._160.rx_tx_mcs9_max_nss,
				      IEEE80211_EHT_MCS_NSS_RX) - 1;

		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts);
		bf->ncol_gt_bw80 = nss_mcs;
		break;
	case IEEE80211_STA_RX_BW_320:
		/* the 320 MHz sounding dimension is split across cap bytes 2 and 3 */
		snd_dim = EHT_PHY(CAP2_SOUNDING_DIM_320MHZ_MASK, ve->phy_cap_info[2]) +
			  (EHT_PHY(CAP3_SOUNDING_DIM_320MHZ_MASK,
				   ve->phy_cap_info[3]) << 1);
		sts = EHT_PHY(CAP1_BEAMFORMEE_SS_320MHZ_MASK, pe->phy_cap_info[1]);
		nss_mcs = u8_get_bits(eht_nss->bw._320.rx_tx_mcs9_max_nss,
				      IEEE80211_EHT_MCS_NSS_RX) - 1;

		/* 320 MHz values are stored shifted left by four; presumably
		 * the firmware reads them from the upper nibble (TODO confirm)
		 */
		bf->nrow_gt_bw80 = min_t(u8, snd_dim, sts) << 4;
		bf->ncol_gt_bw80 = nss_mcs << 4;
		break;
	default:
		break;
	}
}
1393 
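/*
 * Append a STA_REC_BF (beamformer) TLV for @sta.
 *
 * Nothing is appended when the station has neither HT nor HE, or when
 * explicit beamforming is not usable and implicit beamforming (dev->ibf) is
 * off. The per-generation helper fills the row/column counts, and the rest
 * of the record (capability bits, bandwidth, timeout, memory allocation) is
 * derived from those here.
 *
 * The matrix lookup that sizes the beamforming memory is indexed by values
 * partly derived from station-advertised capabilities, so the indices are
 * range-checked before use.
 */
static void
mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_phy *phy = mvif->phy;
	/* Same popcount width as mt7996_is_ebf_supported(): hweight8() would
	 * ignore chain bits above bit 7 and could leave tx_ant at -1.
	 */
	int tx_ant = hweight16(phy->mt76->chainmask) - 1;
	struct sta_rec_bf *bf;
	struct tlv *tlv;
	const u8 matrix[4][4] = {
		{0, 0, 0, 0},
		{1, 1, 0, 0},	/* 2x1, 2x2, 2x3, 2x4 */
		{2, 4, 4, 0},	/* 3x1, 3x2, 3x3, 3x4 */
		{3, 5, 6, 0}	/* 4x1, 4x2, 4x3, 4x4 */
	};
	bool ebf;
	int row;

	if (!(sta->deflink.ht_cap.ht_supported || sta->deflink.he_cap.has_he))
		return;

	ebf = mt7996_is_ebf_supported(phy, vif, sta, false);
	if (!ebf && !dev->ibf)
		return;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BF, sizeof(*bf));
	bf = (struct sta_rec_bf *)tlv;

	/* he/eht: eBF only, in accordance with spec
	 * vht: support eBF and iBF
	 * ht: iBF only, since mac80211 lacks of eBF support
	 */
	if (sta->deflink.eht_cap.has_eht && ebf)
		mt7996_mcu_sta_bfer_eht(sta, vif, phy, bf);
	else if (sta->deflink.he_cap.has_he && ebf)
		mt7996_mcu_sta_bfer_he(sta, vif, phy, bf);
	else if (sta->deflink.vht_cap.vht_supported)
		mt7996_mcu_sta_bfer_vht(sta, phy, bf, ebf);
	else if (sta->deflink.ht_cap.ht_supported)
		mt7996_mcu_sta_bfer_ht(sta, phy, bf);
	else
		return;

	/* bit 0 carries explicit BF, bit 1 implicit BF */
	bf->bf_cap = ebf ? ebf : dev->ibf << 1;
	bf->bw = sta->deflink.bandwidth;
	bf->ibf_dbw = sta->deflink.bandwidth;
	bf->ibf_nrow = tx_ant;

	if (!ebf && sta->deflink.bandwidth <= IEEE80211_STA_RX_BW_40 && !bf->ncol)
		bf->ibf_timeout = 0x48;
	else
		bf->ibf_timeout = 0x18;

	/* Never index the 4x4 table out of range. When an index does not
	 * fit, mem_20m keeps whatever value the freshly added TLV holds
	 * (presumably zero; confirm mt76_connac_mcu_add_tlv() clears it).
	 */
	row = (ebf && bf->nrow != tx_ant) ? tx_ant : bf->nrow;
	if (row >= 0 && row < (int)ARRAY_SIZE(matrix) &&
	    bf->ncol < ARRAY_SIZE(matrix[0]))
		bf->mem_20m = matrix[row][bf->ncol];

	switch (sta->deflink.bandwidth) {
	case IEEE80211_STA_RX_BW_160:
	case IEEE80211_STA_RX_BW_80:
		bf->mem_total = bf->mem_20m * 2;
		break;
	case IEEE80211_STA_RX_BW_40:
		bf->mem_total = bf->mem_20m;
		break;
	case IEEE80211_STA_RX_BW_20:
	default:
		break;
	}
}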
1464 
/*
 * Append a STA_REC_BFEE (beamformee) TLV for @sta. Skipped when the station
 * has neither VHT nor HE, or when mt7996_is_ebf_supported() rejects the
 * beamformee role. The only field set is fb_identity_matrix.
 */
static void
mt7996_mcu_sta_bfee_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
			struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_phy *phy = mvif->phy;
	bool has_he = sta->deflink.he_cap.has_he;
	bool has_vht = sta->deflink.vht_cap.vht_supported;
	int tx_ant = hweight8(phy->mt76->antenna_mask) - 1;
	struct sta_rec_bfee *rec;
	u8 snd_dim = 0;

	if (!has_vht && !has_he)
		return;

	if (!mt7996_is_ebf_supported(phy, vif, sta, true))
		return;

	rec = (struct sta_rec_bfee *)mt76_connac_mcu_add_tlv(skb, STA_REC_BFEE,
							     sizeof(*rec));

	/* HE takes precedence over VHT when the station supports both */
	if (has_he)
		snd_dim = HE_PHY(CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
				 sta->deflink.he_cap.he_cap_elem.phy_cap_info[5]);
	else if (has_vht)
		snd_dim = FIELD_GET(IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK,
				    sta->deflink.vht_cap.cap);

	/* reply with identity matrix to avoid 2x2 BF negative gain */
	rec->fb_identity_matrix = (snd_dim == 1 && tx_ant == 2);
}
1500 
/*
 * Append a STA_REC_PHY TLV with the station's A-MPDU parameters. Skipped
 * when the station has neither HT support nor a 6 GHz capability element.
 *
 * The length exponent starts from the HT factor, is raised to the VHT
 * exponent when that is larger, and is replaced by the 6 GHz value when a
 * 6 GHz capability element is present. The density comes from HT, or from
 * the 6 GHz element when present.
 */
static void
mt7996_mcu_sta_phy_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
		       struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct sta_rec_phy *rec;
	u8 len_exp = 0, density = 0;

	if (!sta->deflink.ht_cap.ht_supported && !sta->deflink.he_6ghz_capa.capa)
		return;

	rec = (struct sta_rec_phy *)mt76_connac_mcu_add_tlv(skb, STA_REC_PHY,
							    sizeof(*rec));

	if (sta->deflink.ht_cap.ht_supported) {
		len_exp = sta->deflink.ht_cap.ampdu_factor;
		density = sta->deflink.ht_cap.ampdu_density;
	}

	if (sta->deflink.vht_cap.vht_supported)
		len_exp = max_t(u8, len_exp,
				FIELD_GET(IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK,
					  sta->deflink.vht_cap.cap));

	if (sta->deflink.he_6ghz_capa.capa) {
		len_exp = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
					IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP);
		density = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
					IEEE80211_HE_6GHZ_CAP_MIN_MPDU_START);
	}

	rec->max_ampdu_len = len_exp;
	rec->ampdu = FIELD_PREP(IEEE80211_HT_AMPDU_PARM_FACTOR, len_exp) |
		     FIELD_PREP(IEEE80211_HT_AMPDU_PARM_DENSITY, density);
}
1538 
/* Append a STA_REC_HDRT TLV with hdrt_mode set to 1. */
static void
mt7996_mcu_sta_hdrt_tlv(struct mt7996_dev *dev, struct sk_buff *skb)
{
	struct sta_rec_hdrt *rec;

	rec = (struct sta_rec_hdrt *)mt76_connac_mcu_add_tlv(skb, STA_REC_HDRT,
							     sizeof(*rec));
	rec->hdrt_mode = 1;
}
1550 
/*
 * Append a STA_REC_HDR_TRANS TLV that tells the firmware how to translate
 * headers for @sta: which DS bits apply, whether RX header translation is
 * disabled, and whether the link is a mesh link.
 */
static void
mt7996_mcu_sta_hdr_trans_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
			     struct ieee80211_vif *vif,
			     struct ieee80211_sta *sta)
{
	bool is_mesh = vif->type == NL80211_IFTYPE_MESH_POINT;
	struct sta_rec_hdr_trans *rec;
	struct mt76_wcid *wcid;

	rec = (struct sta_rec_hdr_trans *)
		mt76_connac_mcu_add_tlv(skb, STA_REC_HDR_TRANS, sizeof(*rec));

	/* defaults used when no wcid is available */
	rec->dis_rx_hdr_tran = true;
	if (vif->type != NL80211_IFTYPE_STATION)
		rec->from_ds = true;
	else
		rec->to_ds = true;

	wcid = (struct mt76_wcid *)sta->drv_priv;
	if (!wcid)
		return;

	rec->dis_rx_hdr_tran = !test_bit(MT_WCID_FLAG_HDR_TRANS, &wcid->flags);

	/* 4-address and mesh links set both DS bits */
	if (test_bit(MT_WCID_FLAG_4ADDR, &wcid->flags) || is_mesh) {
		rec->to_ds = true;
		rec->from_ds = true;
	}

	if (is_mesh)
		rec->mesh = true;
}
1585 
/*
 * Map a mac80211 SMPS mode to the firmware's MMPS mode. Static and dynamic
 * map one to one; "off" and every other value map to MCU_MMPS_DISABLE.
 */
static enum mcu_mmps_mode
mt7996_mcu_get_mmps_mode(enum ieee80211_smps_mode smps)
{
	if (smps == IEEE80211_SMPS_STATIC)
		return MCU_MMPS_STATIC;

	if (smps == IEEE80211_SMPS_DYNAMIC)
		return MCU_MMPS_DYNAMIC;

	return MCU_MMPS_DISABLE;
}
1600 
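/*
 * Send a UNI_RA_FIXED_RATE request to the firmware.
 *
 * @data must point to at least sizeof(req->rate) readable bytes; it is copied
 * verbatim into the request and cannot be length-checked here because it is
 * passed as void *. @version is stored little-endian in the request.
 *
 * Returns -ENOMEM when the message buffer cannot be allocated, otherwise the
 * result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
				   void *data, u16 version)
{
	struct ra_fixed_rate *req;
	/* Zero the header: it is copied into the outgoing message as is, and
	 * an uninitialized local would hand stale kernel stack bytes to the
	 * firmware.
	 */
	struct uni_header hdr = {};
	struct sk_buff *skb;
	struct tlv *tlv;
	int len;

	len = sizeof(hdr) + sizeof(*req);

	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
	if (!skb)
		return -ENOMEM;

	skb_put_data(skb, &hdr, sizeof(hdr));

	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_RA_FIXED_RATE, sizeof(*req));
	req = (struct ra_fixed_rate *)tlv;
	req->version = cpu_to_le16(version);
	memcpy(&req->rate, data, sizeof(req->rate));

	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
				     MCU_WM_UNI_CMD(RA), true);
}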
1626 
/*
 * Append a STA_REC_RA (rate adaptation) TLV for @sta. It carries the PHY
 * mode, channel, bandwidth, SMPS mode, the legacy/HT/VHT rate sets after the
 * vif's bitrate mask has been applied, and a capability word built from the
 * station's HT/VHT/HE capabilities.
 */
static void
mt7996_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, struct mt7996_dev *dev,
			     struct ieee80211_vif *vif, struct ieee80211_sta *sta)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt76_phy *mphy = mvif->phy->mt76;
	struct cfg80211_chan_def *chandef = &mphy->chandef;
	struct cfg80211_bitrate_mask *mask = &mvif->bitrate_mask;
	/* NOTE(review): chandef->chan is dereferenced without a NULL check;
	 * presumably a channel is always set by the time a station exists
	 */
	enum nl80211_band band = chandef->chan->band;
	struct sta_rec_ra *ra;
	struct tlv *tlv;
	u32 supp_rate = sta->deflink.supp_rates[band];
	u32 cap = sta->wme ? STA_CAP_WMM : 0;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA, sizeof(*ra));
	ra = (struct sta_rec_ra *)tlv;

	ra->valid = true;
	ra->auto_rate = true;
	ra->phy_mode = mt76_connac_get_phy_mode(mphy, vif, band, sta);
	ra->channel = chandef->chan->hw_value;
	/* 320 MHz is sent as CMD_CBW_320MHZ; other widths are passed through */
	ra->bw = (sta->deflink.bandwidth == IEEE80211_STA_RX_BW_320) ?
		 CMD_CBW_320MHZ : sta->deflink.bandwidth;
	ra->phy.bw = ra->bw;
	ra->mmps_mode = mt7996_mcu_get_mmps_mode(sta->deflink.smps_mode);

	if (supp_rate) {
		/* restrict the legacy rates to the configured bitrate mask */
		supp_rate &= mask->control[band].legacy;
		ra->rate_len = hweight32(supp_rate);

		if (band == NL80211_BAND_2GHZ) {
			/* on 2.4 GHz the low four bits are sent as CCK rates
			 * and the bits above them as OFDM rates
			 */
			ra->supp_mode = MODE_CCK;
			ra->supp_cck_rate = supp_rate & GENMASK(3, 0);

			if (ra->rate_len > 4) {
				ra->supp_mode |= MODE_OFDM;
				ra->supp_ofdm_rate = supp_rate >> 4;
			}
		} else {
			ra->supp_mode = MODE_OFDM;
			ra->supp_ofdm_rate = supp_rate;
		}
	}

	if (sta->deflink.ht_cap.ht_supported) {
		ra->supp_mode |= MODE_HT;
		ra->af = sta->deflink.ht_cap.ampdu_factor;
		ra->ht_gf = !!(sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_GRN_FLD);

		cap |= STA_CAP_HT;
		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_20)
			cap |= STA_CAP_SGI_20;
		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SGI_40)
			cap |= STA_CAP_SGI_40;
		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_TX_STBC)
			cap |= STA_CAP_TX_STBC;
		if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_RX_STBC)
			cap |= STA_CAP_RX_STBC;
		/* LDPC needs both the vif setting and the station capability */
		if (vif->bss_conf.ht_ldpc &&
		    (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_LDPC_CODING))
			cap |= STA_CAP_LDPC;

		mt7996_mcu_set_sta_ht_mcs(sta, ra->ht_mcs,
					  mask->control[band].ht_mcs);
		/* the first four bytes of ht_mcs are also sent as one
		 * 32-bit word
		 */
		ra->supp_ht_mcs = *(__le32 *)ra->ht_mcs;
	}

	if (sta->deflink.vht_cap.vht_supported) {
		u8 af;

		ra->supp_mode |= MODE_VHT;
		af = FIELD_GET(IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK,
			       sta->deflink.vht_cap.cap);
		/* keep the larger of the HT and VHT A-MPDU exponents */
		ra->af = max_t(u8, ra->af, af);

		cap |= STA_CAP_VHT;
		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80)
			cap |= STA_CAP_VHT_SGI_80;
		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_160)
			cap |= STA_CAP_VHT_SGI_160;
		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_TXSTBC)
			cap |= STA_CAP_VHT_TX_STBC;
		if (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXSTBC_1)
			cap |= STA_CAP_VHT_RX_STBC;
		if (vif->bss_conf.vht_ldpc &&
		    (sta->deflink.vht_cap.cap & IEEE80211_VHT_CAP_RXLDPC))
			cap |= STA_CAP_VHT_LDPC;

		mt7996_mcu_set_sta_vht_mcs(sta, ra->supp_vht_mcs,
					   mask->control[band].vht_mcs);
	}

	if (sta->deflink.he_cap.has_he) {
		ra->supp_mode |= MODE_HE;
		cap |= STA_CAP_HE;

		/* a 6 GHz capability element overrides the A-MPDU exponent */
		if (sta->deflink.he_6ghz_capa.capa)
			ra->af = le16_get_bits(sta->deflink.he_6ghz_capa.capa,
					       IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP);
	}
	ra->sta_cap = cpu_to_le32(cap);
}
1729 
/*
 * Send a STA_REC_UPDATE carrying the rate-control TLV for @sta, preceded by
 * the HE TLV when @changed is set.
 *
 * Returns the error encoded in the request buffer when its allocation fails,
 * otherwise the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct ieee80211_vif *vif,
			     struct ieee80211_sta *sta, bool changed)
{
	struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt76_dev *mdev = &dev->mt76;
	struct sk_buff *req;

	req = __mt76_connac_mcu_alloc_sta_req(mdev, &mvif->mt76, &msta->wcid,
					      MT7996_STA_UPDATE_MAX_SIZE);
	if (IS_ERR(req))
		return PTR_ERR(req);

	/* The firmware rate-control algorithm reads sta_rec_he for HE
	 * control, so when dev->rc_work has changed the settings the HE
	 * record is refreshed together with the rate record.
	 */
	if (changed)
		mt7996_mcu_sta_he_tlv(req, sta);

	/* sta_rec_ra accommodates BW, NSS and only MCS range format
	 * i.e 0-{7,8,9} for VHT.
	 */
	mt7996_mcu_sta_rate_ctrl_tlv(req, dev, vif, sta);

	return mt76_mcu_skb_send_msg(mdev, req,
				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
}
1758 
/*
 * Send a UNI_VOW_DRR_CTRL request with action MT_STA_BSS_GROUP for the
 * station's wlan index, using the vif index modulo 16 as the value
 * (presumably the group id; confirm against the firmware interface).
 * When @sta is NULL the vif's own station entry (mvif->sta) is used.
 *
 * Returns the result of mt76_mcu_send_msg().
 */
static int
mt7996_mcu_add_group(struct mt7996_dev *dev, struct ieee80211_vif *vif,
		     struct ieee80211_sta *sta)
{
#define MT_STA_BSS_GROUP		1
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_sta *msta;
	struct {
		u8 __rsv1[4];

		__le16 tag;
		__le16 len;
		__le16 wlan_idx;
		u8 __rsv2[2];
		__le32 action;
		__le32 val;
		u8 __rsv3[8];
	} __packed req = {
		.tag = cpu_to_le16(UNI_VOW_DRR_CTRL),
		/* length excludes the four leading reserved bytes */
		.len = cpu_to_le16(sizeof(req) - 4),
		.action = cpu_to_le32(MT_STA_BSS_GROUP),
		.val = cpu_to_le32(mvif->mt76.idx % 16),
	};

	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;
	req.wlan_idx = cpu_to_le16(msta->wcid.idx);

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(VOW), &req,
				 sizeof(req), true);
}
1789 
/*
 * Build and send a STA_REC_UPDATE that adds or removes a station record.
 *
 * When @sta is NULL the vif's own station entry (mvif->sta) is used and only
 * the basic TLV is built. When @enable is false only the basic TLV is sent.
 * Otherwise the per-feature TLVs are appended in the order the firmware
 * expects, and the station is assigned to its group before the update is
 * sent.
 *
 * Returns the error encoded in the request buffer when its allocation fails,
 * the error from mt7996_mcu_add_group() (the request is freed in that case),
 * or the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_add_sta(struct mt7996_dev *dev, struct ieee80211_vif *vif,
		       struct ieee80211_sta *sta, bool enable)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_sta *msta;
	struct sk_buff *skb;
	int ret;

	msta = sta ? (struct mt7996_sta *)sta->drv_priv : &mvif->sta;

	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
					      &msta->wcid,
					      MT7996_STA_UPDATE_MAX_SIZE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	/* starec basic */
	/* the last argument is true when no wcid is registered at this index
	 * yet (presumably marking a new entry; confirm against the helper)
	 */
	mt76_connac_mcu_sta_basic_tlv(&dev->mt76, skb, vif, sta, enable,
				      !rcu_access_pointer(dev->mt76.wcid[msta->wcid.idx]));
	if (!enable)
		goto out;

	/* tag order is in accordance with firmware dependency. */
	if (sta) {
		/* starec phy */
		mt7996_mcu_sta_phy_tlv(dev, skb, vif, sta);
		/* starec hdrt mode */
		mt7996_mcu_sta_hdrt_tlv(dev, skb);
		/* starec bfer */
		mt7996_mcu_sta_bfer_tlv(dev, skb, vif, sta);
		/* starec ht */
		mt7996_mcu_sta_ht_tlv(skb, sta);
		/* starec vht */
		mt7996_mcu_sta_vht_tlv(skb, sta);
		/* starec uapsd */
		mt76_connac_mcu_sta_uapsd(skb, vif, sta);
		/* starec amsdu */
		mt7996_mcu_sta_amsdu_tlv(dev, skb, vif, sta);
		/* starec he */
		mt7996_mcu_sta_he_tlv(skb, sta);
		/* starec he 6g*/
		mt7996_mcu_sta_he_6g_tlv(skb, sta);
		/* starec eht */
		mt7996_mcu_sta_eht_tlv(skb, sta);
		/* starec muru */
		mt7996_mcu_sta_muru_tlv(dev, skb, vif, sta);
		/* starec bfee */
		mt7996_mcu_sta_bfee_tlv(dev, skb, vif, sta);
		/* starec hdr trans */
		mt7996_mcu_sta_hdr_trans_tlv(dev, skb, vif, sta);
	}

	ret = mt7996_mcu_add_group(dev, vif, sta);
	if (ret) {
		/* the unsent request is still owned here, so release it */
		dev_kfree_skb(skb);
		return ret;
	}
out:
	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
}
1851 
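/*
 * Append a STA_REC_KEY_V2 TLV that installs or removes a key for @wcid.
 *
 * For SET_KEY the cipher is translated with mt76_connac_mcu_get_cipher().
 * BIP-CMAC-128 is sent as two entries: the CCMP key previously stored in
 * @sta_key_conf, then the BIP key itself. Every other cipher is sent as one
 * entry, and a CCMP key is stored in @sta_key_conf for that later BIP
 * update. For any other @cmd the TLV carries no cipher entries.
 *
 * Returns 0 on success, -EOPNOTSUPP for an unsupported cipher, or -EINVAL
 * when the key does not fit the TLV's key field. The TLV has already been
 * appended to @skb when an error is returned, so the caller must discard
 * @skb rather than send it.
 */
static int
mt7996_mcu_sta_key_tlv(struct mt76_wcid *wcid,
		       struct mt76_connac_sta_key_conf *sta_key_conf,
		       struct sk_buff *skb,
		       struct ieee80211_key_conf *key,
		       enum set_key_cmd cmd)
{
	struct sta_rec_sec_uni *sec;
	struct tlv *tlv;

	tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_KEY_V2, sizeof(*sec));
	sec = (struct sta_rec_sec_uni *)tlv;
	sec->add = cmd;

	if (cmd == SET_KEY) {
		struct sec_key_uni *sec_key;
		u8 cipher;

		cipher = mt76_connac_mcu_get_cipher(key->cipher);
		if (cipher == MCU_CIPHER_NONE)
			return -EOPNOTSUPP;

		sec_key = &sec->key[0];
		sec_key->cipher_len = sizeof(*sec_key);

		if (cipher == MCU_CIPHER_BIP_CMAC_128) {
			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
			sec_key->cipher_id = MCU_CIPHER_AES_CCMP;
			sec_key->key_id = sta_key_conf->keyidx;
			sec_key->key_len = 16;
			memcpy(sec_key->key, sta_key_conf->key, 16);

			sec_key = &sec->key[1];
			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
			sec_key->cipher_id = MCU_CIPHER_BIP_CMAC_128;
			sec_key->cipher_len = sizeof(*sec_key);
			sec_key->key_len = 16;
			memcpy(sec_key->key, key->key, 16);
			sec->n_cipher = 2;
		} else {
			/* mac80211 is expected to pass only lengths valid
			 * for the cipher; refuse anything that would write
			 * past the fixed-size key field of the TLV.
			 */
			if (key->keylen > sizeof(sec_key->key))
				return -EINVAL;

			sec_key->wlan_idx = cpu_to_le16(wcid->idx);
			sec_key->cipher_id = cipher;
			sec_key->key_id = key->keyidx;
			sec_key->key_len = key->keylen;
			memcpy(sec_key->key, key->key, key->keylen);

			if (cipher == MCU_CIPHER_TKIP) {
				/* Rx/Tx MIC keys are swapped */
				/* NOTE(review): reads key->key[16..31], so
				 * this relies on TKIP keys being 32 bytes
				 */
				memcpy(sec_key->key + 16, key->key + 24, 8);
				memcpy(sec_key->key + 24, key->key + 16, 8);
			}

			/* store key_conf for BIP batch update */
			if (cipher == MCU_CIPHER_AES_CCMP) {
				/* NOTE(review): the BIP branch reads 16 bytes
				 * back; confirm sta_key_conf->key can hold
				 * key->keylen for CCMP
				 */
				memcpy(sta_key_conf->key, key->key, key->keylen);
				sta_key_conf->keyidx = key->keyidx;
			}

			sec->n_cipher = 1;
		}
	} else {
		sec->n_cipher = 0;
	}

	return 0;
}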
1918 
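/*
 * Build a station-record request holding the key TLV for @key and send it
 * to the firmware with command @mcu_cmd.
 *
 * Returns the error encoded in the request buffer when its allocation fails,
 * the error from mt7996_mcu_sta_key_tlv() when the key cannot be encoded, or
 * the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
		       struct mt76_connac_sta_key_conf *sta_key_conf,
		       struct ieee80211_key_conf *key, int mcu_cmd,
		       struct mt76_wcid *wcid, enum set_key_cmd cmd)
{
	struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
	struct sk_buff *skb;
	int ret;

	skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, wcid,
					      MT7996_STA_UPDATE_MAX_SIZE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	ret = mt7996_mcu_sta_key_tlv(wcid, sta_key_conf, skb, key, cmd);
	if (ret) {
		/* the request was never handed to the MCU layer, so it must
		 * be released here or every rejected key leaks one skb
		 */
		dev_kfree_skb(skb);
		return ret;
	}

	return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
}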
1939 
/*
 * Activate or deactivate the vif's own-MAC entry in the firmware with a
 * DEV_INFO_UPDATE request carrying a DEV_INFO_ACTIVE TLV. Interfaces whose
 * omac_idx is at or above REPEATER_BSSID_START are handled by
 * mt7996_mcu_muar_config() instead.
 *
 * Returns the result of whichever of the two requests is issued.
 */
int mt7996_mcu_add_dev_info(struct mt7996_phy *phy,
			    struct ieee80211_vif *vif, bool enable)
{
	struct mt7996_dev *dev = phy->dev;
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct {
		struct req_hdr {
			u8 omac_idx;
			u8 band_idx;
			u8 __rsv[2];
		} __packed hdr;
		struct req_tlv {
			__le16 tag;
			__le16 len;
			u8 active;
			u8 __rsv;
			u8 omac_addr[ETH_ALEN];
		} __packed tlv;
	} data = {
		.hdr = {
			.omac_idx = mvif->mt76.omac_idx,
			.band_idx = mvif->mt76.band_idx,
		},
		.tlv = {
			.tag = cpu_to_le16(DEV_INFO_ACTIVE),
			.len = cpu_to_le16(sizeof(struct req_tlv)),
			.active = enable,
		},
	};

	if (mvif->mt76.omac_idx >= REPEATER_BSSID_START)
		return mt7996_mcu_muar_config(phy, vif, false, enable);

	/* the interface address is filled in only for the DEV_INFO path */
	memcpy(data.tlv.omac_addr, vif->addr, ETH_ALEN);
	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(DEV_INFO_UPDATE),
				 &data, sizeof(data), true);
}
1977 
/*
 * Append a countdown TLV to the BSS request @rskb when the beacon template
 * @skb has a countdown counter. The tag is UNI_BSS_INFO_BCN_CSA while a
 * channel switch is active and UNI_BSS_INFO_BCN_BCC otherwise; the count is
 * the byte found at the first counter offset of the template.
 */
static void
mt7996_mcu_beacon_cntdwn(struct ieee80211_vif *vif, struct sk_buff *rskb,
			 struct sk_buff *skb,
			 struct ieee80211_mutable_offsets *offs)
{
	u16 counter_pos = offs->cntdwn_counter_offs[0];
	struct bss_bcn_cntdwn_tlv *cntdwn;
	u16 tag;

	if (!counter_pos)
		return;

	if (vif->bss_conf.csa_active)
		tag = UNI_BSS_INFO_BCN_CSA;
	else
		tag = UNI_BSS_INFO_BCN_BCC;

	cntdwn = (struct bss_bcn_cntdwn_tlv *)
		mt7996_mcu_add_uni_tlv(rskb, tag, sizeof(*cntdwn));
	/* the offset is trusted as provided with the beacon template */
	cntdwn->cnt = skb->data[counter_pos];
}
1997 
/*
 * Fill a beacon-content TLV: record the packet length, the TIM offset and,
 * when a countdown counter is present, the CSA / colour-change offsets, then
 * write a TX descriptor followed by the beacon template right after the TLV
 * header. The caller must have sized the TLV for
 * sizeof(*bcn) + MT_TXD_SIZE + skb->len bytes.
 */
static void
mt7996_mcu_beacon_cont(struct mt7996_dev *dev, struct ieee80211_vif *vif,
		       struct sk_buff *rskb, struct sk_buff *skb,
		       struct bss_bcn_content_tlv *bcn,
		       struct ieee80211_mutable_offsets *offs)
{
	u16 counter_pos = offs->cntdwn_counter_offs[0];
	u8 *txd = (u8 *)bcn + sizeof(*bcn);

	bcn->pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
	bcn->tim_ie_pos = cpu_to_le16(offs->tim_offset);

	/* element positions are derived from the counter offset */
	if (counter_pos && vif->bss_conf.csa_active)
		bcn->csa_ie_pos = cpu_to_le16(counter_pos - 4);
	if (counter_pos && vif->bss_conf.color_change_active)
		bcn->bcc_ie_pos = cpu_to_le16(counter_pos - 3);

	mt7996_mac_write_txwi(dev, (__le32 *)txd, skb, &dev->mt76.global_wcid,
			      NULL, 0, 0, BSS_CHANGED_BEACON);

	memcpy(txd + MT_TXD_SIZE, skb->data, skb->len);
}
2025 
/*
 * Offload the beacon of @vif to the firmware, or disable the offload when
 * @en is zero.
 *
 * The beacon template is fetched from mac80211 and rejected when it exceeds
 * MT7996_MAX_BEACON_SIZE. A beacon-content TLV sized for the template is
 * always appended; its payload and the countdown TLV are filled only when
 * @en is set.
 *
 * Returns the error encoded in the request buffer when its allocation fails,
 * -EINVAL when no template is available or it is too large, otherwise the
 * result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_add_beacon(struct ieee80211_hw *hw,
			  struct ieee80211_vif *vif, int en)
{
	struct mt7996_dev *dev = mt7996_hw_dev(hw);
	struct mt7996_phy *phy = mt7996_hw_phy(hw);
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct ieee80211_mutable_offsets offs;
	struct bss_bcn_content_tlv *bcn;
	struct sk_buff *tmpl, *req;
	int tlv_len;

	req = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
					 MT7996_MAX_BSS_OFFLOAD_SIZE);
	if (IS_ERR(req))
		return PTR_ERR(req);

	tmpl = ieee80211_beacon_get_template(hw, vif, &offs, 0);
	if (!tmpl)
		goto err_free_req;

	if (tmpl->len > MT7996_MAX_BEACON_SIZE) {
		dev_err(dev->mt76.dev, "Bcn size limit exceed\n");
		goto err_free_tmpl;
	}

	IEEE80211_SKB_CB(tmpl)->hw_queue |=
		FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);

	tlv_len = sizeof(*bcn) + MT_TXD_SIZE + tmpl->len;
	bcn = (struct bss_bcn_content_tlv *)
		mt7996_mcu_add_uni_tlv(req, UNI_BSS_INFO_BCN_CONTENT, tlv_len);
	bcn->enable = en;

	if (en) {
		mt7996_mcu_beacon_cont(dev, vif, req, tmpl, bcn, &offs);
		/* TODO: subtag - 11v MBSSID */
		mt7996_mcu_beacon_cntdwn(vif, req, tmpl, &offs);
	}

	/* the template has been copied into the request by now */
	dev_kfree_skb(tmpl);
	return mt76_mcu_skb_send_msg(&phy->dev->mt76, req,
				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);

err_free_tmpl:
	dev_kfree_skb(tmpl);
err_free_req:
	dev_kfree_skb(req);
	return -EINVAL;
}
2075 
/*
 * Offload an in-band discovery frame (FILS discovery or unsolicited broadcast
 * probe response) for @vif to the firmware.
 *
 * @changed selects the template: FILS discovery is used when its bit is set
 * and a max_interval is configured, otherwise the unsolicited probe response
 * when its bit is set and an interval is configured.
 *
 * Returns 0 for a nontransmitted BSS, -EINVAL when no template was obtained
 * or the template is larger than MT7996_MAX_BEACON_SIZE, the allocation
 * error, or the result of the MCU send.
 */
int mt7996_mcu_beacon_inband_discov(struct mt7996_dev *dev,
				    struct ieee80211_vif *vif, u32 changed)
{
#define OFFLOAD_TX_MODE_SU	BIT(0)
#define OFFLOAD_TX_MODE_MU	BIT(1)
	struct ieee80211_hw *hw = mt76_hw(dev);
	struct mt7996_phy *phy = mt7996_hw_phy(hw);
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct cfg80211_chan_def *chandef = &mvif->phy->mt76->chandef;
	enum nl80211_band band = chandef->chan->band;
	struct mt76_wcid *wcid = &dev->mt76.global_wcid;
	struct bss_inband_discovery_tlv *discov;
	struct ieee80211_tx_info *info;
	struct sk_buff *rskb, *skb = NULL;
	struct tlv *tlv;
	u8 *buf, interval;
	int len;

	if (vif->bss_conf.nontransmitted)
		return 0;

	rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76,
					  MT7996_MAX_BSS_OFFLOAD_SIZE);
	if (IS_ERR(rskb))
		return PTR_ERR(rskb);

	/*
	 * interval is assigned only in these two branches; when neither is
	 * taken skb stays NULL and the function returns before interval is
	 * read.
	 */
	if (changed & BSS_CHANGED_FILS_DISCOVERY &&
	    vif->bss_conf.fils_discovery.max_interval) {
		interval = vif->bss_conf.fils_discovery.max_interval;
		skb = ieee80211_get_fils_discovery_tmpl(hw, vif);
	} else if (changed & BSS_CHANGED_UNSOL_BCAST_PROBE_RESP &&
		   vif->bss_conf.unsol_bcast_probe_resp_interval) {
		interval = vif->bss_conf.unsol_bcast_probe_resp_interval;
		skb = ieee80211_get_unsol_bcast_probe_resp_tmpl(hw, vif);
	}

	if (!skb) {
		dev_kfree_skb(rskb);
		return -EINVAL;
	}

	/* cap the template length before it is copied into the request */
	if (skb->len > MT7996_MAX_BEACON_SIZE) {
		dev_err(dev->mt76.dev, "inband discovery size limit exceed\n");
		dev_kfree_skb(rskb);
		dev_kfree_skb(skb);
		return -EINVAL;
	}

	info = IEEE80211_SKB_CB(skb);
	info->control.vif = vif;
	info->band = band;
	info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx);

	/* TLV header + TX descriptor + frame */
	len = sizeof(*discov) + MT_TXD_SIZE + skb->len;

	tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_OFFLOAD, len);

	discov = (struct bss_inband_discovery_tlv *)tlv;
	discov->tx_mode = OFFLOAD_TX_MODE_SU;
	/* 0: UNSOL PROBE RESP, 1: FILS DISCOV */
	/*
	 * NOTE(review): tx_type follows the FILS bit in @changed, not the
	 * branch that supplied skb; if the FILS bit is set with a zero
	 * max_interval and the probe-response branch ran, the two disagree -
	 * confirm whether callers can pass both bits.
	 */
	discov->tx_type = !!(changed & BSS_CHANGED_FILS_DISCOVERY);
	discov->tx_interval = interval;
	discov->prob_rsp_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
	discov->enable = true;
	discov->wcid = cpu_to_le16(MT7996_WTBL_RESERVED);

	/* TX descriptor goes right behind the TLV header, frame behind that */
	buf = (u8 *)tlv + sizeof(*discov);

	mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, NULL, 0, 0, changed);

	memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);

	dev_kfree_skb(skb);

	return mt76_mcu_skb_send_msg(&dev->mt76, rskb,
				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
}
2153 
/*
 * Request driver ownership for @band and wait up to 500 ms for the
 * firmware-own status bit to clear.
 *
 * Returns 0 on success, -EIO when the poll times out.
 */
static int mt7996_driver_own(struct mt7996_dev *dev, u8 band)
{
	bool owned;

	mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(band), MT_TOP_LPCR_HOST_DRV_OWN);

	owned = mt76_poll_msec(dev, MT_TOP_LPCR_HOST_BAND(band),
			       MT_TOP_LPCR_HOST_FW_OWN_STAT, 0, 500);
	if (owned) {
		/* clear irq when the driver own success */
		mt76_wr(dev, MT_TOP_LPCR_HOST_BAND_IRQ_STAT(band),
			MT_TOP_LPCR_HOST_BAND_STAT);
		return 0;
	}

	dev_err(dev->mt76.dev, "Timeout for driver own\n");
	return -EIO;
}
2169 
/*
 * Translate a patch section's key-info word into download-mode flags.
 *
 * An all-ones @key_info or a plain security mode yields 0 (no encryption
 * flags). Otherwise the encrypt and IV flags are set together with the key
 * index, taken from the AES key field for AES mode and from the scramble key
 * field for every other mode.
 */
static u32 mt7996_patch_sec_mode(u32 key_info)
{
	u32 sec_mode, key_idx;

	if (key_info == GENMASK(31, 0))
		return 0;

	sec_mode = u32_get_bits(key_info, MT7996_PATCH_SEC);
	if (sec_mode == MT7996_SEC_MODE_PLAIN)
		return 0;

	key_idx = sec_mode == MT7996_SEC_MODE_AES ?
		  u32_get_bits(key_info, MT7996_PATCH_AES_KEY) :
		  u32_get_bits(key_info, MT7996_PATCH_SCRAMBLE_KEY);

	return MT7996_SEC_ENCRYPT | MT7996_SEC_IV |
	       u32_encode_bits(key_idx, MT7996_SEC_KEY_IDX);
}
2185 
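/*
 * Download the ROM patch to the MCU.
 *
 * Takes the patch semaphore, loads MT7996_ROM_PATCH, walks the section
 * descriptors that follow the patch header and sends each section, then
 * starts the patch. The semaphore and the firmware image are released on
 * every path that acquired them.
 *
 * The region count, section offsets and section lengths are read from the
 * image, so each is checked against fw->size before it is used to form a
 * pointer into fw->data.
 *
 * Returns 0 on success or when the patch is already downloaded, -EAGAIN on
 * semaphore failure, -EINVAL for a malformed image, or the error of the
 * failing step.
 */
static int mt7996_load_patch(struct mt7996_dev *dev)
{
	const struct mt7996_patch_hdr *hdr;
	const struct firmware *fw = NULL;
	u32 i, n_region;
	int ret, sem;

	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 1);
	switch (sem) {
	case PATCH_IS_DL:
		return 0;
	case PATCH_NOT_DL_SEM_SUCCESS:
		break;
	default:
		dev_err(dev->mt76.dev, "Failed to get patch semaphore\n");
		return -EAGAIN;
	}

	ret = request_firmware(&fw, MT7996_ROM_PATCH, dev->mt76.dev);
	if (ret)
		goto out;

	if (!fw || !fw->data || fw->size < sizeof(*hdr)) {
		dev_err(dev->mt76.dev, "Invalid firmware\n");
		ret = -EINVAL;
		goto out;
	}

	hdr = (const struct mt7996_patch_hdr *)(fw->data);

	/* build_date is not NUL-terminated in the header, hence %.16s */
	dev_info(dev->mt76.dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
		 be32_to_cpu(hdr->hw_sw_ver), hdr->build_date);

	/* the whole descriptor table must lie inside the image */
	n_region = be32_to_cpu(hdr->desc.n_region);
	if (n_region > (fw->size - sizeof(*hdr)) /
		       sizeof(struct mt7996_patch_sec)) {
		dev_err(dev->mt76.dev, "Invalid firmware\n");
		ret = -EINVAL;
		goto out;
	}

	for (i = 0; i < n_region; i++) {
		const struct mt7996_patch_sec *sec;
		const u8 *dl;
		u32 len, addr, offs, sec_key_idx, mode = DL_MODE_NEED_RSP;

		sec = (const struct mt7996_patch_sec *)(fw->data +
							sizeof(*hdr) +
							i * sizeof(*sec));
		if ((be32_to_cpu(sec->type) & PATCH_SEC_TYPE_MASK) !=
		    PATCH_SEC_TYPE_INFO) {
			ret = -EINVAL;
			goto out;
		}

		addr = be32_to_cpu(sec->info.addr);
		len = be32_to_cpu(sec->info.len);
		sec_key_idx = be32_to_cpu(sec->info.sec_key_idx);
		offs = be32_to_cpu(sec->offs);

		/*
		 * The payload [offs, offs + len) must lie inside the image;
		 * written without an addition so it cannot wrap.
		 */
		if (offs > fw->size || len > fw->size - offs) {
			dev_err(dev->mt76.dev, "Invalid firmware\n");
			ret = -EINVAL;
			goto out;
		}
		dl = fw->data + offs;

		mode |= mt7996_patch_sec_mode(sec_key_idx);

		ret = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
						    mode);
		if (ret) {
			dev_err(dev->mt76.dev, "Download request failed\n");
			goto out;
		}

		ret = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
					       dl, len, 4096);
		if (ret) {
			dev_err(dev->mt76.dev, "Failed to send patch\n");
			goto out;
		}
	}

	ret = mt76_connac_mcu_start_patch(&dev->mt76);
	if (ret)
		dev_err(dev->mt76.dev, "Failed to start patch\n");

out:
	/* a failed release overrides any earlier result with -EAGAIN */
	sem = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, 0);
	switch (sem) {
	case PATCH_REL_SEM_SUCCESS:
		break;
	default:
		ret = -EAGAIN;
		dev_err(dev->mt76.dev, "Failed to release patch semaphore\n");
		break;
	}
	release_firmware(fw);

	return ret;
}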
2271 
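/*
 * Send every region of a RAM firmware image to the MCU and start it.
 *
 * @hdr:  trailer at the end of the image; the region descriptors sit
 *        immediately before it
 * @data: start of the image; region payloads are laid out back to back from
 *        here
 * @type: which RAM image this is (selects download mode and start option)
 *
 * n_region and every region length come from the image, so the descriptor
 * table and each payload are checked against the bytes that lie between
 * @data and the table. This relies on @hdr pointing into the same buffer as
 * @data, as the caller visible in this file arranges.
 *
 * Returns 0 on success, -EINVAL for a malformed image, or the error of the
 * failing MCU step.
 */
static int
mt7996_mcu_send_ram_firmware(struct mt7996_dev *dev,
			     const struct mt7996_fw_trailer *hdr,
			     const u8 *data, enum mt7996_ram_type type)
{
	const struct mt7996_fw_region *regions;
	size_t avail, desc_len, offset = 0;
	u32 override = 0, option = 0;
	int i;

	if ((const u8 *)hdr < data)
		return -EINVAL;

	/* bytes in front of the trailer: payloads followed by descriptors */
	avail = (const u8 *)hdr - data;
	desc_len = hdr->n_region * sizeof(*regions);
	if (desc_len > avail) {
		dev_err(dev->mt76.dev, "Invalid firmware\n");
		return -EINVAL;
	}
	avail -= desc_len;
	regions = (const struct mt7996_fw_region *)((const u8 *)hdr -
						    desc_len);

	for (i = 0; i < hdr->n_region; i++) {
		const struct mt7996_fw_region *region = &regions[i];
		int err;
		u32 len, addr, mode;

		/* DSP and WA use same mode */
		mode = mt76_connac_mcu_gen_dl_mode(&dev->mt76,
						   region->feature_set,
						   type != MT7996_RAM_TYPE_WM);
		len = le32_to_cpu(region->len);
		addr = le32_to_cpu(region->addr);

		/* offset <= avail always holds, so this cannot wrap */
		if (len > avail - offset) {
			dev_err(dev->mt76.dev, "Invalid firmware\n");
			return -EINVAL;
		}

		if (region->feature_set & FW_FEATURE_OVERRIDE_ADDR)
			override = addr;

		err = mt76_connac_mcu_init_download(&dev->mt76, addr, len,
						    mode);
		if (err) {
			dev_err(dev->mt76.dev, "Download request failed\n");
			return err;
		}

		err = __mt76_mcu_send_firmware(&dev->mt76, MCU_CMD(FW_SCATTER),
					       data + offset, len, 4096);
		if (err) {
			dev_err(dev->mt76.dev, "Failed to send firmware.\n");
			return err;
		}

		offset += len;
	}

	if (override)
		option |= FW_START_OVERRIDE;

	if (type == MT7996_RAM_TYPE_WA)
		option |= FW_START_WORKING_PDA_CR4;
	else if (type == MT7996_RAM_TYPE_DSP)
		option |= FW_START_WORKING_PDA_DSP;

	return mt76_connac_mcu_start_firmware(&dev->mt76, override, option);
}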
2324 
/*
 * Load one RAM firmware image (@fw_file) and hand it to the MCU.
 *
 * @fw_type is only used in log messages. The trailer is taken from the last
 * sizeof(trailer) bytes of the image, which is why the image must be at
 * least that large. On success the wiphy firmware version string is set from
 * the trailer's version and build date.
 *
 * Returns 0 on success, the request_firmware() error, -EINVAL for an image
 * that is too small, or the error from sending the image.
 */
static int __mt7996_load_ram(struct mt7996_dev *dev, const char *fw_type,
			     const char *fw_file, enum mt7996_ram_type ram_type)
{
	const struct mt7996_fw_trailer *trailer;
	const struct firmware *fw;
	int err;

	err = request_firmware(&fw, fw_file, dev->mt76.dev);
	if (err)
		return err;

	if (!fw || !fw->data || fw->size < sizeof(*trailer)) {
		dev_err(dev->mt76.dev, "Invalid firmware\n");
		err = -EINVAL;
		goto release;
	}

	trailer = (const void *)(fw->data + fw->size - sizeof(*trailer));
	/* the trailer strings are fixed-width, so every print is bounded */
	dev_info(dev->mt76.dev, "%s Firmware Version: %.10s, Build Time: %.15s\n",
		 fw_type, trailer->fw_ver, trailer->build_date);

	err = mt7996_mcu_send_ram_firmware(dev, trailer, fw->data, ram_type);
	if (err)
		dev_err(dev->mt76.dev, "Failed to start %s firmware\n", fw_type);
	else
		snprintf(dev->mt76.hw->wiphy->fw_version,
			 sizeof(dev->mt76.hw->wiphy->fw_version),
			 "%.10s-%.15s", trailer->fw_ver, trailer->build_date);

release:
	release_firmware(fw);

	return err;
}
2361 
/*
 * Load the WM, DSP and WA RAM images in that order, stopping at the first
 * failure. Returns 0 or the error of the image that failed.
 */
static int mt7996_load_ram(struct mt7996_dev *dev)
{
	int err;

	err = __mt7996_load_ram(dev, "WM", MT7996_FIRMWARE_WM,
				MT7996_RAM_TYPE_WM);
	if (!err)
		err = __mt7996_load_ram(dev, "DSP", MT7996_FIRMWARE_DSP,
					MT7996_RAM_TYPE_DSP);
	if (!err)
		err = __mt7996_load_ram(dev, "WA", MT7996_FIRMWARE_WA,
					MT7996_RAM_TYPE_WA);

	return err;
}
2379 
/*
 * Wait up to 1000 ms for the firmware state field in MT_TOP_MISC to reach
 * FW_STATE_RDY (@wa true) or FW_STATE_FW_DOWNLOAD (@wa false).
 *
 * Returns 0 when the state is reached, -EIO on timeout.
 */
static int
mt7996_firmware_state(struct mt7996_dev *dev, bool wa)
{
	u32 want = wa ? FW_STATE_RDY : FW_STATE_FW_DOWNLOAD;
	u32 state = FIELD_PREP(MT_TOP_MISC_FW_STATE, want);

	if (mt76_poll_msec(dev, MT_TOP_MISC, MT_TOP_MISC_FW_STATE,
			   state, 1000))
		return 0;

	dev_err(dev->mt76.dev, "Timeout for initializing firmware\n");
	return -EIO;
}
2393 
/*
 * Send a UNI_POWER_OFF request with power_mode 1 to the WM MCU without
 * waiting for a response. Returns the result of the send.
 */
static int
mt7996_mcu_restart(struct mt76_dev *dev)
{
	struct {
		u8 __rsv1[4];

		__le16 tag;
		__le16 len;
		u8 power_mode;
		u8 __rsv2[3];
	} __packed msg = {
		.tag = cpu_to_le16(UNI_POWER_OFF),
		/* length is the struct size minus 4 */
		.len = cpu_to_le16(sizeof(msg) - 4),
		.power_mode = 1,
	};
	const int cmd = MCU_WM_UNI_CMD(POWER_CTRL);

	return mt76_mcu_send_msg(dev, cmd, &msg, sizeof(msg), false);
}
2413 
/*
 * Bring the MCU into download state, load the ROM patch and the RAM images,
 * and wait for the firmware to report ready.
 *
 * If the MCU is not in download state it is restarted once and polled again.
 * Returns 0 on success or the error of the first failing step.
 */
static int mt7996_load_firmware(struct mt7996_dev *dev)
{
	int err;

	/* make sure fw is download state */
	err = mt7996_firmware_state(dev, false);
	if (err) {
		/*
		 * restart firmware once; the restart result is not checked,
		 * the poll that follows decides
		 */
		mt7996_mcu_restart(&dev->mt76);
		err = mt7996_firmware_state(dev, false);
	}
	if (err) {
		dev_err(dev->mt76.dev,
			"Firmware is not ready for download\n");
		return err;
	}

	err = mt7996_load_patch(dev);
	if (err)
		return err;

	err = mt7996_load_ram(dev);
	if (err)
		return err;

	err = mt7996_firmware_state(dev, true);
	if (err)
		return err;

	mt76_queue_tx_cleanup(dev, dev->mt76.q_mcu[MT_MCUQ_FWDL], false);

	dev_dbg(dev->mt76.dev, "Firmware init done\n");

	return 0;
}
2448 
/*
 * Send a firmware-log control request carrying @ctrl. @type selects the
 * target: MCU_FW_LOG_WA goes to the WA MCU, anything else to the WM MCU.
 * The interval field is left zero. Returns the result of the send.
 */
int mt7996_mcu_fw_log_2_host(struct mt7996_dev *dev, u8 type, u8 ctrl)
{
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;
		u8 ctrl;
		u8 interval;
		u8 _rsv2[2];
	} __packed msg = {
		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_LOG_CTRL),
		.len = cpu_to_le16(sizeof(msg) - 4),
		.ctrl = ctrl,
	};
	int cmd;

	if (type == MCU_FW_LOG_WA)
		cmd = MCU_WA_UNI_CMD(WSYS_CONFIG);
	else
		cmd = MCU_WM_UNI_CMD(WSYS_CONFIG);

	return mt76_mcu_send_msg(&dev->mt76, cmd, &msg, sizeof(msg), true);
}
2472 
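/*
 * Set the firmware debug @level for @module on the WM MCU, without waiting
 * for a response. Returns the result of the send.
 */
int mt7996_mcu_fw_dbg_ctrl(struct mt7996_dev *dev, u32 module, u8 level)
{
	/*
	 * Marked __packed like the other request structs in this file, so
	 * the layout sent to the firmware does not depend on compiler
	 * padding rules.
	 */
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;
		__le32 module_idx;
		u8 level;
		u8 _rsv2[3];
	} __packed data = {
		.tag = cpu_to_le16(UNI_WSYS_CONFIG_FW_DBG_CTRL),
		.len = cpu_to_le16(sizeof(data) - 4),
		.module_idx = cpu_to_le32(module),
		.level = level,
	};

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(WSYS_CONFIG), &data,
				 sizeof(data), false);
}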
2493 
/*
 * Send the MWDS_SUPPORT extended command to the WA MCU with the enable flag
 * set from @enabled; no response is awaited. Returns the result of the send.
 */
static int mt7996_mcu_set_mwds(struct mt7996_dev *dev, bool enabled)
{
	struct {
		u8 enable;
		u8 _rsv[3];
	} __packed msg = {
		.enable = enabled
	};
	const int cmd = MCU_WA_EXT_CMD(MWDS_SUPPORT);

	return mt76_mcu_send_msg(&dev->mt76, cmd, &msg, sizeof(msg), false);
}
2506 
/*
 * Append two vow_rx_airtime TLVs for @band_idx to @skb, in this order:
 * UNI_VOW_RX_AT_AIRTIME_CLR_EN, then UNI_VOW_RX_AT_AIRTIME_EN. Both are
 * written with enable set. The caller must have sized @skb for them.
 */
static void mt7996_add_rx_airtime_tlv(struct sk_buff *skb, u8 band_idx)
{
	const int tags[] = {
		UNI_VOW_RX_AT_AIRTIME_CLR_EN,
		UNI_VOW_RX_AT_AIRTIME_EN,
	};
	unsigned int i;

	for (i = 0; i < sizeof(tags) / sizeof(tags[0]); i++) {
		struct vow_rx_airtime *req;

		req = (struct vow_rx_airtime *)
			mt7996_mcu_add_uni_tlv(skb, tags[i], sizeof(*req));
		req->enable = true;
		req->band = band_idx;
	}
}
2522 
/*
 * Enable RX airtime accounting on every available band: the primary band
 * always, MT_BAND1 with dbdc_support and MT_BAND2 with tbtc_support.
 *
 * The message is sized for two vow_rx_airtime TLVs per band, matching what
 * mt7996_add_rx_airtime_tlv() appends. Returns -ENOMEM when the message
 * cannot be allocated, otherwise the result of the send.
 */
static int
mt7996_mcu_init_rx_airtime(struct mt7996_dev *dev)
{
	struct uni_header hdr = {};
	struct sk_buff *msg;
	int n_tlv, msg_len;

	/* two TLVs per band */
	n_tlv = 2 + 2 * (dev->dbdc_support + dev->tbtc_support);
	msg_len = sizeof(hdr) + n_tlv * sizeof(struct vow_rx_airtime);

	msg = mt76_mcu_msg_alloc(&dev->mt76, NULL, msg_len);
	if (!msg)
		return -ENOMEM;

	skb_put_data(msg, &hdr, sizeof(hdr));

	mt7996_add_rx_airtime_tlv(msg, dev->mt76.phy.band_idx);
	if (dev->dbdc_support)
		mt7996_add_rx_airtime_tlv(msg, MT_BAND1);
	if (dev->tbtc_support)
		mt7996_add_rx_airtime_tlv(msg, MT_BAND2);

	return mt76_mcu_skb_send_msg(&dev->mt76, msg,
				     MCU_WM_UNI_CMD(VOW), true);
}
2549 
/*
 * Take driver ownership, load the firmware and apply the initial MCU
 * configuration: firmware logging off for WM and WA (ctrl 0), MWDS on, RX
 * airtime accounting, and the final WA parameter command.
 *
 * Returns 0 on success or the error of the first failing step.
 */
int mt7996_mcu_init_firmware(struct mt7996_dev *dev)
{
	int err;

	/* force firmware operation mode into normal state,
	 * which should be set before firmware download stage.
	 */
	mt76_wr(dev, MT_SWDEF_MODE, MT_SWDEF_NORMAL_MODE);

	err = mt7996_driver_own(dev, 0);
	/* set driver own for band1 when two hif exist */
	if (!err && dev->hif2)
		err = mt7996_driver_own(dev, 1);
	if (err)
		return err;

	err = mt7996_load_firmware(dev);
	if (err)
		return err;

	/* from here on the MCU is treated as running */
	set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);

	err = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WM, 0);
	if (err)
		return err;

	err = mt7996_mcu_fw_log_2_host(dev, MCU_FW_LOG_WA, 0);
	if (err)
		return err;

	err = mt7996_mcu_set_mwds(dev, 1);
	if (err)
		return err;

	err = mt7996_mcu_init_rx_airtime(dev);
	if (err)
		return err;

	return mt7996_mcu_wa_cmd(dev, MCU_WA_PARAM_CMD(SET),
				 MCU_WA_PARAM_RED, 0, 0);
}
2593 
/*
 * Install the mt7996 MCU operations on the device and run firmware
 * initialisation. Returns the result of mt7996_mcu_init_firmware().
 */
int mt7996_mcu_init(struct mt7996_dev *dev)
{
	static const struct mt76_mcu_ops ops = {
		.headroom = sizeof(struct mt76_connac2_mcu_txd), /* reuse */
		.mcu_skb_send_msg = mt7996_mcu_send_message,
		.mcu_parse_response = mt7996_mcu_parse_response,
	};
	int err;

	dev->mt76.mcu_ops = &ops;
	err = mt7996_mcu_init_firmware(dev);

	return err;
}
2606 
/*
 * Shut the MCU down: restart it, wait for download state and, if that
 * succeeds, hand ownership of band 0 (and band 1 when a second hif exists)
 * back to the firmware. Queued MCU responses are purged in every case.
 */
void mt7996_mcu_exit(struct mt7996_dev *dev)
{
	mt7996_mcu_restart(&dev->mt76);

	if (!mt7996_firmware_state(dev, false)) {
		mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(0),
			MT_TOP_LPCR_HOST_FW_OWN);
		if (dev->hif2)
			mt76_wr(dev, MT_TOP_LPCR_HOST_BAND(1),
				MT_TOP_LPCR_HOST_FW_OWN);
	} else {
		dev_err(dev->mt76.dev, "Failed to exit mcu\n");
	}

	skb_queue_purge(&dev->mt76.mcu.res_q);
}
2622 
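/*
 * Enable or disable RX header translation.
 *
 * The request carries an enable TLV, a VLAN TLV that is appended without
 * any field being set here, and - only when @hdr_trans is true - a
 * blacklist TLV with type ETH_P_PAE.
 *
 * Returns -ENOMEM when the message cannot be allocated, otherwise the
 * result of the send.
 */
int mt7996_mcu_set_hdr_trans(struct mt7996_dev *dev, bool hdr_trans)
{
	/*
	 * Zero-initialised: these four bytes are copied into the message, so
	 * leaving them unset would send uninitialised kernel stack contents
	 * to the firmware.
	 */
	struct {
		u8 __rsv[4];
	} __packed hdr = {};
	struct hdr_trans_blacklist *req_blacklist;
	struct hdr_trans_en *req_en;
	struct sk_buff *skb;
	struct tlv *tlv;
	int len = MT7996_HDR_TRANS_MAX_SIZE + sizeof(hdr);

	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
	if (!skb)
		return -ENOMEM;

	skb_put_data(skb, &hdr, sizeof(hdr));

	tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_EN, sizeof(*req_en));
	req_en = (struct hdr_trans_en *)tlv;
	req_en->enable = hdr_trans;

	/* appended as-is; no field of the VLAN TLV is written here */
	mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_VLAN,
			       sizeof(struct hdr_trans_vlan));

	if (hdr_trans) {
		tlv = mt7996_mcu_add_uni_tlv(skb, UNI_HDR_TRANS_BLACKLIST,
					     sizeof(*req_blacklist));
		req_blacklist = (struct hdr_trans_blacklist *)tlv;
		req_blacklist->enable = 1;
		req_blacklist->type = cpu_to_le16(ETH_P_PAE);
	}

	return mt76_mcu_skb_send_msg(&dev->mt76, skb,
				     MCU_WM_UNI_CMD(RX_HDR_TRANS), true);
}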
2658 
/*
 * Push the EDCA parameters of every access category of @vif to the firmware.
 *
 * One edca TLV is sent per AC. Contention window limits are sent as
 * fls() of the configured value; a zero cw_min or cw_max is replaced by 5
 * and 10 respectively.
 *
 * Returns -ENOMEM when the message cannot be allocated, otherwise the
 * result of the send.
 */
int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif)
{
#define MCU_EDCA_AC_PARAM	0
#define WMM_AIFS_SET		BIT(0)
#define WMM_CW_MIN_SET		BIT(1)
#define WMM_CW_MAX_SET		BIT(2)
#define WMM_TXOP_SET		BIT(3)
#define WMM_PARAM_SET		(WMM_AIFS_SET | WMM_CW_MIN_SET | \
				 WMM_CW_MAX_SET | WMM_TXOP_SET)
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct {
		u8 bss_idx;
		u8 __rsv[3];
	} __packed hdr = {
		.bss_idx = mvif->mt76.idx,
	};
	int msg_len = sizeof(hdr) + IEEE80211_NUM_ACS * sizeof(struct edca);
	struct sk_buff *msg;
	int ac;

	msg = mt76_mcu_msg_alloc(&dev->mt76, NULL, msg_len);
	if (!msg)
		return -ENOMEM;

	skb_put_data(msg, &hdr, sizeof(hdr));

	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
		struct ieee80211_tx_queue_params *params;
		struct edca *e;

		params = &mvif->queue_params[ac];
		e = (struct edca *)mt7996_mcu_add_uni_tlv(msg,
							  MCU_EDCA_AC_PARAM,
							  sizeof(*e));
		e->set = WMM_PARAM_SET;
		e->queue = ac;
		e->aifs = params->aifs;
		e->txop = cpu_to_le16(params->txop);
		/* fall back to fixed exponents when no window is configured */
		e->cw_min = params->cw_min ? fls(params->cw_min) : 5;
		e->cw_max = params->cw_max ? fls(params->cw_max) : 10;
	}

	return mt76_mcu_skb_send_msg(&dev->mt76, msg,
				     MCU_WM_UNI_CMD(EDCA_UPDATE), true);
}
2712 
/*
 * Send an RDD threshold request (UNI_RDD_CTRL_SET_TH, ctrl 0x1) that sets
 * min_lpn to @val. @val is narrowed to 16 bits on the wire. Returns the
 * result of the send.
 */
int mt7996_mcu_set_fcc5_lpn(struct mt7996_dev *dev, int val)
{
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;

		__le32 ctrl;
		__le16 min_lpn;
		u8 rsv[2];
	} __packed msg = {
		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
		.len = cpu_to_le16(sizeof(msg) - 4),

		.ctrl = cpu_to_le32(0x1),
		.min_lpn = cpu_to_le16(val),
	};
	const int cmd = MCU_WM_UNI_CMD(RDD_CTRL);

	return mt76_mcu_send_msg(&dev->mt76, cmd, &msg, sizeof(msg), true);
}
2735 
/*
 * Send an RDD threshold request (UNI_RDD_CTRL_SET_TH, ctrl 0x3) carrying the
 * pulse thresholds from @pulse. Every field is copied from the member of the
 * same name and converted to little endian. Returns the result of the send.
 */
int mt7996_mcu_set_pulse_th(struct mt7996_dev *dev,
			    const struct mt7996_dfs_pulse *pulse)
{
	/* request layout as sent to the firmware; field order matters */
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;

		__le32 ctrl;

		__le32 max_width;		/* us */
		__le32 max_pwr;			/* dbm */
		__le32 min_pwr;			/* dbm */
		__le32 min_stgr_pri;		/* us */
		__le32 max_stgr_pri;		/* us */
		__le32 min_cr_pri;		/* us */
		__le32 max_cr_pri;		/* us */
	} __packed req = {
		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
		/* struct size minus 4; presumably excludes the leading _rsv */
		.len = cpu_to_le16(sizeof(req) - 4),

		.ctrl = cpu_to_le32(0x3),

/* expands to ".field = cpu_to_le32(pulse->field)"; undefined again below */
#define __req_field(field) .field = cpu_to_le32(pulse->field)
		__req_field(max_width),
		__req_field(max_pwr),
		__req_field(min_pwr),
		__req_field(min_stgr_pri),
		__req_field(max_stgr_pri),
		__req_field(min_cr_pri),
		__req_field(max_cr_pri),
#undef __req_field
	};

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
				 &req, sizeof(req), true);
}
2774 
/*
 * Send an RDD threshold request (UNI_RDD_CTRL_SET_TH, ctrl 0x2) carrying the
 * radar pattern @pattern for radar type @index. Single-byte fields are
 * copied as they are, 32-bit fields are converted to little endian. @index
 * is narrowed to 16 bits on the wire. Returns the result of the send.
 */
int mt7996_mcu_set_radar_th(struct mt7996_dev *dev, int index,
			    const struct mt7996_dfs_pattern *pattern)
{
	/* request layout as sent to the firmware; field order matters */
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;

		__le32 ctrl;
		__le16 radar_type;

		u8 enb;
		u8 stgr;
		u8 min_crpn;
		u8 max_crpn;
		u8 min_crpr;
		u8 min_pw;
		__le32 min_pri;
		__le32 max_pri;
		u8 max_pw;
		u8 min_crbn;
		u8 max_crbn;
		u8 min_stgpn;
		u8 max_stgpn;
		u8 min_stgpr;
		u8 rsv[2];
		__le32 min_stgpr_diff;
	} __packed req = {
		.tag = cpu_to_le16(UNI_RDD_CTRL_SET_TH),
		/* struct size minus 4; presumably excludes the leading _rsv */
		.len = cpu_to_le16(sizeof(req) - 4),

		.ctrl = cpu_to_le32(0x2),
		.radar_type = cpu_to_le16(index),

/* helpers copy the member of the same name from @pattern; undefined below */
#define __req_field_u8(field) .field = pattern->field
#define __req_field_u32(field) .field = cpu_to_le32(pattern->field)
		__req_field_u8(enb),
		__req_field_u8(stgr),
		__req_field_u8(min_crpn),
		__req_field_u8(max_crpn),
		__req_field_u8(min_crpr),
		__req_field_u8(min_pw),
		__req_field_u32(min_pri),
		__req_field_u32(max_pri),
		__req_field_u8(max_pw),
		__req_field_u8(min_crbn),
		__req_field_u8(max_crbn),
		__req_field_u8(min_stgpn),
		__req_field_u8(max_stgpn),
		__req_field_u8(min_stgpr),
		__req_field_u32(min_stgpr_diff),
#undef __req_field_u8
#undef __req_field_u32
	};

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
				 &req, sizeof(req), true);
}
2834 
/*
 * Send an off-channel scan control request for the background chain.
 *
 * @chandef: channel to monitor; may be NULL only for
 *           CH_SWITCH_BACKGROUND_SCAN_STOP
 * @cmd:     one of CH_SWITCH_BACKGROUND_SCAN_START / _RUNNING / _STOP
 *
 * Returns -EINVAL for a missing @chandef, an invalid operating chandef or
 * an unknown @cmd, otherwise the result of the send (no response awaited).
 */
static int
mt7996_mcu_background_chain_ctrl(struct mt7996_phy *phy,
				 struct cfg80211_chan_def *chandef,
				 int cmd)
{
	struct mt7996_dev *dev = phy->dev;
	struct mt76_phy *mphy = phy->mt76;
	struct ieee80211_channel *chan = mphy->chandef.chan;
	int freq = mphy->chandef.center_freq1;
	struct mt7996_mcu_background_chain_ctrl req = {
		.tag = cpu_to_le16(0),
		.len = cpu_to_le16(sizeof(req) - 4),
		.monitor_scan_type = 2, /* simple rx */
	};

	/* START and RUNNING dereference chandef below; only STOP may omit it */
	if (!chandef && cmd != CH_SWITCH_BACKGROUND_SCAN_STOP)
		return -EINVAL;

	/* the operating channel (not @chandef) is what gets validated here */
	if (!cfg80211_chandef_valid(&mphy->chandef))
		return -EINVAL;

	switch (cmd) {
	case CH_SWITCH_BACKGROUND_SCAN_START: {
		/* operating channel plus the channel to monitor */
		req.chan = chan->hw_value;
		req.central_chan = ieee80211_frequency_to_channel(freq);
		req.bw = mt76_connac_chan_bw(&mphy->chandef);
		req.monitor_chan = chandef->chan->hw_value;
		req.monitor_central_chan =
			ieee80211_frequency_to_channel(chandef->center_freq1);
		req.monitor_bw = mt76_connac_chan_bw(chandef);
		req.band_idx = phy->mt76->band_idx;
		req.scan_mode = 1;
		break;
	}
	case CH_SWITCH_BACKGROUND_SCAN_RUNNING:
		/* only the monitored channel is updated */
		req.monitor_chan = chandef->chan->hw_value;
		req.monitor_central_chan =
			ieee80211_frequency_to_channel(chandef->center_freq1);
		req.band_idx = phy->mt76->band_idx;
		req.scan_mode = 2;
		break;
	case CH_SWITCH_BACKGROUND_SCAN_STOP:
		/* operating channel only; scan_mode stays 0 */
		req.chan = chan->hw_value;
		req.central_chan = ieee80211_frequency_to_channel(freq);
		req.bw = mt76_connac_chan_bw(&mphy->chandef);
		/* tx_stream is a chain count, rx_stream the antenna mask */
		req.tx_stream = hweight8(mphy->antenna_mask);
		req.rx_stream = mphy->antenna_mask;
		break;
	default:
		return -EINVAL;
	}
	/* 1 when @chandef is on 5 GHz or absent, 0 for any other band */
	req.band = chandef ? chandef->chan->band == NL80211_BAND_5GHZ : 1;

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(OFFCH_SCAN_CTRL),
				 &req, sizeof(req), false);
}
2891 
/*
 * Start or stop background radar detection.
 *
 * With @chandef NULL the detector on MT_RX_SEL2 is stopped and the
 * background chain is released. Otherwise the background chain is pointed at
 * @chandef and the detector is started with a region code derived from the
 * DFS region: 0 for ETSI, 2 for JP, 1 for FCC and anything else.
 *
 * Returns 0 on success or the error of the first failing step.
 */
int mt7996_mcu_rdd_background_enable(struct mt7996_phy *phy,
				     struct cfg80211_chan_def *chandef)
{
	struct mt7996_dev *dev = phy->dev;
	int ret, region;

	if (chandef) {
		ret = mt7996_mcu_background_chain_ctrl(phy, chandef,
					CH_SWITCH_BACKGROUND_SCAN_START);
		if (ret)
			return ret;

		if (dev->mt76.region == NL80211_DFS_ETSI)
			region = 0;
		else if (dev->mt76.region == NL80211_DFS_JP)
			region = 2;
		else
			region = 1;	/* NL80211_DFS_FCC and default */

		return mt7996_mcu_rdd_cmd(dev, RDD_START, MT_RX_SEL2,
					  0, region);
	}

	/* disable offchain */
	ret = mt7996_mcu_rdd_cmd(dev, RDD_STOP, MT_RX_SEL2, 0, 0);
	if (ret)
		return ret;

	return mt7996_mcu_background_chain_ctrl(phy, NULL,
						CH_SWITCH_BACKGROUND_SCAN_STOP);
}
2929 
/*
 * Send the current channel configuration of @phy to the firmware under
 * @tag. Returns the result of the send.
 */
int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag)
{
	/* nl80211 band -> firmware channel band code */
	static const u8 ch_band[] = {
		[NL80211_BAND_2GHZ] = 0,
		[NL80211_BAND_5GHZ] = 1,
		[NL80211_BAND_6GHZ] = 2,
	};
	struct mt7996_dev *dev = phy->dev;
	struct cfg80211_chan_def *chandef = &phy->mt76->chandef;
	int freq1 = chandef->center_freq1;
	u8 band_idx = phy->mt76->band_idx;
	struct {
		/* fixed field */
		u8 __rsv[4];

		__le16 tag;
		__le16 len;
		u8 control_ch;
		u8 center_ch;
		u8 bw;
		u8 tx_path_num;
		u8 rx_path;	/* mask or num */
		u8 switch_reason;
		u8 band_idx;
		u8 center_ch2;	/* for 80+80 only */
		__le16 cac_case;
		u8 channel_band;
		u8 rsv0;
		__le32 outband_freq;
		u8 txpower_drop;
		u8 ap_bw;
		u8 ap_center_ch;
		u8 rsv1[53];
	} __packed req = {
		.tag = cpu_to_le16(tag),
		.len = cpu_to_le16(sizeof(req) - 4),
		.control_ch = chandef->chan->hw_value,
		.center_ch = ieee80211_frequency_to_channel(freq1),
		.bw = mt76_connac_chan_bw(chandef),
		.tx_path_num = hweight16(phy->mt76->chainmask),
		/* chain mask shifted down by this band's chainshift */
		.rx_path = phy->mt76->chainmask >> dev->chainshift[band_idx],
		.band_idx = band_idx,
		/*
		 * NOTE(review): the index is not range-checked; this assumes
		 * the channel band is one of the three listed in ch_band -
		 * confirm no other band can reach this function.
		 */
		.channel_band = ch_band[chandef->chan->band],
	};

	/* monitor mode wins over the off-channel/idle and DFS checks */
	if (phy->mt76->hw->conf.flags & IEEE80211_CONF_MONITOR)
		req.switch_reason = CH_SWITCH_NORMAL;
	else if (phy->mt76->hw->conf.flags & IEEE80211_CONF_OFFCHANNEL ||
		 phy->mt76->hw->conf.flags & IEEE80211_CONF_IDLE)
		req.switch_reason = CH_SWITCH_SCAN_BYPASS_DPD;
	else if (!cfg80211_reg_can_beacon(phy->mt76->hw->wiphy, chandef,
					  NL80211_IFTYPE_AP))
		req.switch_reason = CH_SWITCH_DFS;
	else
		req.switch_reason = CH_SWITCH_NORMAL;

	/* for UNI_CHANNEL_SWITCH rx_path carries a chain count, not a mask */
	if (tag == UNI_CHANNEL_SWITCH)
		req.rx_path = hweight8(req.rx_path);

	if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
		int freq2 = chandef->center_freq2;

		req.center_ch2 = ieee80211_frequency_to_channel(freq2);
	}

	return mt76_mcu_send_msg(&dev->mt76, MCU_WMWA_UNI_CMD(CHANNEL_SWITCH),
				 &req, sizeof(req), true);
}
2998 
/*
 * Upload the cached EEPROM image to the firmware in buffer mode, one page of
 * at most PER_PAGE_SIZE bytes per message. MT7996_EEPROM_SIZE bytes are read
 * from dev->mt76.eeprom.data in total; the last page is shorter when the
 * size is not a multiple of the page size.
 *
 * Returns 0 on success, -ENOMEM when a message cannot be allocated, or the
 * error of the first failing send.
 */
static int mt7996_mcu_set_eeprom_flash(struct mt7996_dev *dev)
{
#define MAX_PAGE_IDX_MASK	GENMASK(7, 5)
#define PAGE_IDX_MASK		GENMASK(4, 2)
#define PER_PAGE_SIZE		0x400
	struct mt7996_mcu_eeprom req = {
		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
		.buffer_mode = EE_MODE_BUFFER
	};
	u16 eeprom_size = MT7996_EEPROM_SIZE;
	u16 tail = eeprom_size % PER_PAGE_SIZE;
	u8 total = DIV_ROUND_UP(eeprom_size, PER_PAGE_SIZE);
	u8 *eep = (u8 *)dev->mt76.eeprom.data;
	int page;

	for (page = 0; page < total; page++) {
		/* only the final page may be partial */
		bool partial = page == total - 1 && tail;
		int chunk = partial ? tail : PER_PAGE_SIZE;
		int msg_len = sizeof(req) + chunk;
		struct sk_buff *msg;
		int err;

		msg = mt76_mcu_msg_alloc(&dev->mt76, NULL, msg_len);
		if (!msg)
			return -ENOMEM;

		req.len = cpu_to_le16(msg_len - 4);
		/* format carries the last page index and this page's index */
		req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) |
			     FIELD_PREP(PAGE_IDX_MASK, page) | EE_FORMAT_WHOLE;
		req.buf_len = cpu_to_le16(chunk);

		skb_put_data(msg, &req, sizeof(req));
		skb_put_data(msg, eep, chunk);

		err = mt76_mcu_skb_send_msg(&dev->mt76, msg,
					    MCU_WM_UNI_CMD(EFUSE_CTRL), true);
		if (err)
			return err;

		eep += chunk;
	}

	return 0;
}
3043 
/*
 * Select the EEPROM source for the firmware: in flash mode the cached image
 * is uploaded page by page, otherwise the firmware is told to use efuse
 * mode. Returns the result of the chosen path.
 */
int mt7996_mcu_set_eeprom(struct mt7996_dev *dev)
{
	struct mt7996_mcu_eeprom efuse_req = {
		.tag = cpu_to_le16(UNI_EFUSE_BUFFER_MODE),
		.len = cpu_to_le16(sizeof(efuse_req) - 4),
		.buffer_mode = EE_MODE_EFUSE,
		.format = EE_FORMAT_WHOLE
	};

	if (!dev->flash_mode)
		return mt76_mcu_send_msg(&dev->mt76,
					 MCU_WM_UNI_CMD(EFUSE_CTRL),
					 &efuse_req, sizeof(efuse_req), true);

	return mt7996_mcu_set_eeprom_flash(dev);
}
3059 
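/*
 * Read one efuse block from the firmware into the cached EEPROM image.
 *
 * @offset is rounded down to a multiple of MT7996_EEPROM_BLOCK_SIZE. When
 * the response marks the block valid, MT7996_EEPROM_BLOCK_SIZE bytes are
 * copied to the address reported in the response.
 *
 * The response is device-supplied data: its length and the reported address
 * are validated before they are used for the copy, so a short or
 * inconsistent response cannot read past the skb or write outside the
 * cache.
 *
 * Returns 0 on success (including a response that marks the block invalid),
 * -EINVAL for a malformed response, or the error of the MCU query.
 */
int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset)
{
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;
		__le32 addr;
		__le32 valid;
		u8 data[16];
	} __packed req = {
		.tag = cpu_to_le16(UNI_EFUSE_ACCESS),
		.len = cpu_to_le16(sizeof(req) - 4),
		.addr = cpu_to_le32(round_down(offset,
				    MT7996_EEPROM_BLOCK_SIZE)),
	};
	struct sk_buff *skb;
	bool valid;
	int ret;

	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
					MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL),
					&req, sizeof(req), true, &skb);
	if (ret)
		return ret;

	/* the address (offset 12) and valid (offset 16) words must be present */
	if (skb->len < 20) {
		ret = -EINVAL;
		goto out;
	}

	valid = le32_to_cpu(*(__le32 *)(skb->data + 16));
	if (valid) {
		u32 addr = le32_to_cpu(*(__le32 *)(skb->data + 12));
		u8 *buf;

		/* block data starts 64 bytes into the response */
		if (skb->len < 64 + MT7996_EEPROM_BLOCK_SIZE) {
			ret = -EINVAL;
			goto out;
		}

		/*
		 * Keep the copy inside the cache.
		 * NOTE(review): assumes eeprom.data holds MT7996_EEPROM_SIZE
		 * bytes, as mt7996_mcu_set_eeprom_flash() also does -
		 * confirm against the EEPROM init code.
		 */
		if (addr > MT7996_EEPROM_SIZE - MT7996_EEPROM_BLOCK_SIZE) {
			ret = -EINVAL;
			goto out;
		}

		buf = (u8 *)dev->mt76.eeprom.data + addr;

		skb_pull(skb, 64);
		memcpy(buf, skb->data, MT7996_EEPROM_BLOCK_SIZE);
	}

out:
	dev_kfree_skb(skb);

	return ret;
}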
3099 
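/*
 * Query the number of free efuse blocks and store it in @block_num.
 *
 * The count is the byte at offset 8 of the response; the response length is
 * checked first so a short reply from the device is rejected instead of
 * being read past its end.
 *
 * Returns 0 on success, -EINVAL for a short response, or the error of the
 * MCU query. @block_num is only written on success.
 */
int mt7996_mcu_get_eeprom_free_block(struct mt7996_dev *dev, u8 *block_num)
{
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;
		u8 num;
		u8 version;
		u8 die_idx;
		u8 _rsv2;
	} __packed req = {
		.tag = cpu_to_le16(UNI_EFUSE_FREE_BLOCK),
		.len = cpu_to_le16(sizeof(req) - 4),
		.version = 2,
	};
	struct sk_buff *skb;
	int ret;

	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL), &req,
					sizeof(req), true, &skb);
	if (ret)
		return ret;

	/* need at least 9 bytes to read the byte at offset 8 */
	if (skb->len <= 8) {
		dev_kfree_skb(skb);
		return -EINVAL;
	}

	*block_num = *(u8 *)(skb->data + 8);
	dev_kfree_skb(skb);

	return 0;
}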
3129 
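/*
 * Query CHIP_CONFIG with the NIC_CAP tag and extract the value carried by
 * the UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION TLV.
 *
 * @dev: device to query
 * @cap: receives the 32-bit value of that TLV; left untouched when the TLV
 *       is absent from the response
 *
 * The response is a 4-byte fixed field followed by TLVs. Each TLV length is
 * supplied by the firmware, so it is checked against the bytes that remain
 * before it is used to advance: a length of zero would otherwise never
 * terminate the walk, and an oversized one would read past the skb.
 *
 * Returns 0 on success, the error from the MCU transport, or -EINVAL when
 * the response is shorter than its fixed field.
 */
int mt7996_mcu_get_chip_config(struct mt7996_dev *dev, u32 *cap)
{
#define NIC_CAP	3
#define UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION	0x21
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;
	} __packed req = {
		.tag = cpu_to_le16(NIC_CAP),
		.len = cpu_to_le16(sizeof(req) - 4),
	};
	struct sk_buff *skb;
	u32 remain;
	u8 *buf;
	int ret;

	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
					MCU_WM_UNI_CMD_QUERY(CHIP_CONFIG), &req,
					sizeof(req), true, &skb);
	if (ret)
		return ret;

	/* fixed field */
	if (skb->len < 4) {
		dev_kfree_skb(skb);
		return -EINVAL;
	}
	skb_pull(skb, 4);

	buf = skb->data;
	remain = skb->len;
	while (remain >= sizeof(struct tlv)) {
		struct tlv *tlv = (struct tlv *)buf;
		u16 tlv_len = le16_to_cpu(tlv->len);

		/* malformed length: stop instead of looping or overrunning */
		if (tlv_len < sizeof(*tlv) || tlv_len > remain)
			break;

		switch (le16_to_cpu(tlv->tag)) {
		case UNI_EVENT_CHIP_CONFIG_EFUSE_VERSION:
			/* the value is the 32-bit word right after the header */
			if (tlv_len >= sizeof(*tlv) + sizeof(__le32))
				*cap = le32_to_cpu(*(__le32 *)(buf + sizeof(*tlv)));
			break;
		default:
			break;
		}

		buf += tlv_len;
		remain -= tlv_len;
	}

	dev_kfree_skb(skb);

	return 0;
}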
3175 
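/*
 * Read four MIB counters for the phy's band and fold them into the channel
 * survey state.
 *
 * @phy:         phy whose band is queried and whose chan_state is updated
 * @chan_switch: when true, only the snapshot in phy->state_ts is refreshed
 *               and nothing is accumulated into chan_state
 *
 * The counters are accumulated as deltas against the previous snapshot kept
 * in phy->state_ts. The response is indexed as an array of
 * struct mt7996_mcu_mib, so its length is checked against the four entries
 * that are read before any of them is dereferenced.
 *
 * Returns 0 on success, the error from the MCU transport, or -EINVAL when
 * the response is too short.
 */
int mt7996_mcu_get_chan_mib_info(struct mt7996_phy *phy, bool chan_switch)
{
	struct {
		struct {
			u8 band;
			u8 __rsv[3];
		} hdr;
		struct {
			__le16 tag;
			__le16 len;
			__le32 offs;
		} data[4];
	} __packed req = {
		.hdr.band = phy->mt76->band_idx,
	};
	/* strict order */
	static const u32 offs[] = {
		UNI_MIB_TX_TIME,
		UNI_MIB_RX_TIME,
		UNI_MIB_OBSS_AIRTIME,
		UNI_MIB_NON_WIFI_TIME,
	};
	struct mt76_channel_state *state = phy->mt76->chan_state;
	struct mt76_channel_state *state_ts = &phy->state_ts;
	struct mt7996_dev *dev = phy->dev;
	struct mt7996_mcu_mib *res;
	struct sk_buff *skb;
	int i, ret;

	for (i = 0; i < ARRAY_SIZE(offs); i++) {
		req.data[i].tag = cpu_to_le16(UNI_CMD_MIB_DATA);
		req.data[i].len = cpu_to_le16(sizeof(req.data[i]));
		req.data[i].offs = cpu_to_le32(offs[i]);
	}

	ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(GET_MIB_INFO),
					&req, sizeof(req), true, &skb);
	if (ret)
		return ret;

	/* res[0]..res[3] are read below; make sure the firmware sent them */
	if (skb->len < sizeof(req.hdr) + ARRAY_SIZE(offs) * sizeof(*res)) {
		dev_kfree_skb(skb);
		return -EINVAL;
	}

	skb_pull(skb, sizeof(req.hdr));

	res = (struct mt7996_mcu_mib *)(skb->data);

	if (chan_switch)
		goto out;

	/* NOTE(review): which counter each res[] index holds is not visible
	 * here - confirm against the firmware event layout
	 */
#define __res_u64(s) le64_to_cpu(res[s].data)
	state->cc_tx += __res_u64(1) - state_ts->cc_tx;
	state->cc_bss_rx += __res_u64(2) - state_ts->cc_bss_rx;
	state->cc_rx += __res_u64(2) + __res_u64(3) - state_ts->cc_rx;
	state->cc_busy += __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3) -
			  state_ts->cc_busy;

out:
	/* remember the raw counters so the next call can compute deltas */
	state_ts->cc_tx = __res_u64(1);
	state_ts->cc_bss_rx = __res_u64(2);
	state_ts->cc_rx = __res_u64(2) + __res_u64(3);
	state_ts->cc_busy = __res_u64(0) + __res_u64(1) + __res_u64(2) + __res_u64(3);
#undef __res_u64

	dev_kfree_skb(skb);

	return 0;
}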
3241 
/*
 * Send an SER command to the firmware.
 *
 * @dev:    target device
 * @action: UNI_CMD_SER_SET or UNI_CMD_SER_TRIGGER; also used as the TLV tag
 * @val:    mask for SET, method for TRIGGER
 * @band:   band for TRIGGER; unused for SET
 *
 * Returns -EINVAL for any other action (nothing is sent), otherwise the
 * result of mt76_mcu_send_msg().
 */
int mt7996_mcu_set_ser(struct mt7996_dev *dev, u8 action, u8 val, u8 band)
{
	struct {
		u8 rsv[4];

		__le16 tag;
		__le16 len;

		/* payload layout depends on the action */
		union {
			struct {
				__le32 mask;
			} __packed set;

			struct {
				u8 method;
				u8 band;
				u8 rsv2[2];
			} __packed trigger;
		};
	} __packed ser = {
		.len = cpu_to_le16(sizeof(ser) - 4),
	};

	ser.tag = cpu_to_le16(action);

	if (action == UNI_CMD_SER_SET) {
		ser.set.mask = cpu_to_le32(val);
	} else if (action == UNI_CMD_SER_TRIGGER) {
		ser.trigger.method = val;
		ser.trigger.band = band;
	} else {
		return -EINVAL;
	}

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SER),
				 &ser, sizeof(ser), false);
}
3281 
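/*
 * Send one beamforming control TLV to the firmware.
 *
 * @dev:    target device
 * @action: BF_SOUNDING_ON, BF_HW_EN_UPDATE or BF_MOD_EN_CTRL; also used as
 *          the TLV tag
 *
 * Returns -ENOMEM when the message cannot be allocated, -EINVAL for an
 * unsupported action, otherwise the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_set_txbf(struct mt7996_dev *dev, u8 action)
{
#define MT7996_BF_MAX_SIZE	sizeof(union bf_tag_tlv)
#define BF_PROCESSING	4
	struct uni_header hdr;
	struct sk_buff *skb;
	struct tlv *tlv;
	int len = sizeof(hdr) + MT7996_BF_MAX_SIZE;

	memset(&hdr, 0, sizeof(hdr));

	skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, len);
	if (!skb)
		return -ENOMEM;

	skb_put_data(skb, &hdr, sizeof(hdr));

	switch (action) {
	case BF_SOUNDING_ON: {
		struct bf_sounding_on *req_snd_on;

		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_snd_on));
		req_snd_on = (struct bf_sounding_on *)tlv;
		req_snd_on->snd_mode = BF_PROCESSING;
		break;
	}
	case BF_HW_EN_UPDATE: {
		struct bf_hw_en_status_update *req_hw_en;

		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_hw_en));
		req_hw_en = (struct bf_hw_en_status_update *)tlv;
		req_hw_en->ebf = true;
		req_hw_en->ibf = dev->ibf;
		break;
	}
	case BF_MOD_EN_CTRL: {
		struct bf_mod_en_ctrl *req_mod_en;

		tlv = mt7996_mcu_add_uni_tlv(skb, action, sizeof(*req_mod_en));
		req_mod_en = (struct bf_mod_en_ctrl *)tlv;
		req_mod_en->bf_num = 3;
		req_mod_en->bf_bitmap = GENMASK(2, 0);
		break;
	}
	default:
		/* the skb was never handed to the transport, so release it here */
		dev_kfree_skb(skb);
		return -EINVAL;
	}

	return mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_WM_UNI_CMD(BF), true);
}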
3332 
/*
 * Send a single-value SR (spatial reuse) command for the phy's band.
 *
 * @phy:    phy whose band index is placed in the request
 * @action: SR sub-command, used as the TLV tag
 * @val:    value for that sub-command, sent as a 32-bit little-endian word
 *
 * Returns the result of mt76_mcu_send_msg().
 */
static int
mt7996_mcu_enable_obss_spr(struct mt7996_phy *phy, u16 action, u8 val)
{
	struct {
		u8 band_idx;
		u8 __rsv[3];

		__le16 tag;
		__le16 len;

		__le32 val;
	} __packed sr = {
		.len = cpu_to_le16(sizeof(sr) - 4),
	};

	sr.band_idx = phy->mt76->band_idx;
	sr.tag = cpu_to_le16(action);
	sr.val = cpu_to_le32(val);

	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(SR),
				 &sr, sizeof(sr), true);
}
3355 
/*
 * Program the SRG and non-SRG OBSS PD thresholds for the phy's band.
 *
 * @phy:        phy to configure
 * @he_obss_pd: spatial reuse parameters; sr_ctrl selects which offsets apply
 *
 * The firmware's dynamic PD adjustment is switched off first, then the
 * thresholds are derived from a maximum of 82 and a non-SRG default of 62.
 *
 * Returns the error from the first failing MCU command, else the result of
 * the final mt76_mcu_send_msg().
 */
static int
mt7996_mcu_set_obss_spr_pd(struct mt7996_phy *phy,
			   struct ieee80211_he_obss_pd *he_obss_pd)
{
	u8 pd_max = 82, pd_non_srg_default = 62;
	struct {
		u8 band_idx;
		u8 __rsv[3];

		__le16 tag;
		__le16 len;

		u8 pd_th_non_srg;
		u8 pd_th_srg;
		u8 period_offs;
		u8 rcpi_src;
		__le16 obss_pd_min;
		__le16 obss_pd_min_srg;
		u8 resp_txpwr_mode;
		u8 txpwr_restrict_mode;
		u8 txpwr_ref;
		u8 __rsv2[3];
	} __packed req = {
		.band_idx = phy->mt76->band_idx,
		.tag = cpu_to_le16(UNI_CMD_SR_SET_PARAM),
		.len = cpu_to_le16(sizeof(req) - 4),
		.obss_pd_min = cpu_to_le16(pd_max),
		.obss_pd_min_srg = cpu_to_le16(pd_max),
		.txpwr_restrict_mode = 2,
		.txpwr_ref = 21
	};
	u8 non_srg_th;
	int err;

	/* disable firmware dynamic PD adjustment */
	err = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_DPD, false);
	if (err)
		return err;

	/* non-SRG: disallowed -> maximum, offset given -> maximum minus
	 * offset, otherwise the non-SRG default
	 */
	if (he_obss_pd->sr_ctrl &
	    IEEE80211_HE_SPR_NON_SRG_OBSS_PD_SR_DISALLOWED)
		non_srg_th = pd_max;
	else if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
		non_srg_th = pd_max - he_obss_pd->non_srg_max_offset;
	else
		non_srg_th = pd_non_srg_default;
	req.pd_th_non_srg = non_srg_th;

	/* SRG threshold stays zero unless SRG information is present */
	if (he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT)
		req.pd_th_srg = pd_max - he_obss_pd->max_offset;

	return mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(SR),
				 &req, sizeof(req), true);
}
3409 
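/*
 * Set the HE-SIGA spatial reuse flag for the vif's own-MAC slot.
 *
 * @phy:        phy to configure
 * @vif:        interface whose omac_idx selects the flag entry
 * @he_obss_pd: spatial reuse parameters; nothing is sent unless sr_ctrl has
 *              IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED set
 *
 * Own-MAC indices above HW_BSSID_MAX are shifted down by 12 before they are
 * used as an index into flag[]. The shifted value is not bounded anywhere in
 * this function, so it is range-checked before the array is written.
 *
 * Returns 0 when the flag does not apply, -EINVAL when the remapped index
 * does not fit flag[], the error from the mode switch, or the result of the
 * final mt76_mcu_send_msg().
 */
static int
mt7996_mcu_set_obss_spr_siga(struct mt7996_phy *phy, struct ieee80211_vif *vif,
			     struct ieee80211_he_obss_pd *he_obss_pd)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_dev *dev = phy->dev;
	u8 omac = mvif->mt76.omac_idx;
	struct {
		u8 band_idx;
		u8 __rsv[3];

		__le16 tag;
		__le16 len;

		u8 omac;
		u8 __rsv2[3];
		u8 flag[20];
	} __packed req = {
		.band_idx = phy->mt76->band_idx,
		.tag = cpu_to_le16(UNI_CMD_SR_SET_SIGA),
		.len = cpu_to_le16(sizeof(req) - 4),
		.omac = omac > HW_BSSID_MAX ? omac - 12 : omac,
	};
	int ret;

	if (!(he_obss_pd->sr_ctrl & IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED))
		return 0;

	/* keep the write inside the on-stack request */
	if (req.omac >= ARRAY_SIZE(req.flag))
		return -EINVAL;

	req.flag[req.omac] = 0xf;

	/* switch to normal AP mode */
	ret = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_MODE, 0);
	if (ret)
		return ret;

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR),
				 &req, sizeof(req), true);
}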
3448 
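/*
 * Send the SRG BSS color and partial BSSID bitmaps for the phy's band.
 *
 * @phy:        phy to configure
 * @he_obss_pd: source of bss_color_bitmap and partial_bssid_bitmap; the low
 *              and high 32 bits of each are sent separately
 *
 * The four per-band arrays in the request have two entries each and are
 * indexed by the band index, which is not bounded in this function. An index
 * of 2 or more would write past the arrays (and, for bssid_h, past the
 * request on the stack), so it is rejected up front.
 *
 * Returns -EINVAL when the band index does not fit the request layout,
 * otherwise the result of mt76_mcu_send_msg().
 */
static int
mt7996_mcu_set_obss_spr_bitmap(struct mt7996_phy *phy,
			       struct ieee80211_he_obss_pd *he_obss_pd)
{
	struct mt7996_dev *dev = phy->dev;
	struct {
		u8 band_idx;
		u8 __rsv[3];

		__le16 tag;
		__le16 len;

		__le32 color_l[2];
		__le32 color_h[2];
		__le32 bssid_l[2];
		__le32 bssid_h[2];
	} __packed req = {
		.band_idx = phy->mt76->band_idx,
		.tag = cpu_to_le16(UNI_CMD_SR_SET_SRG_BITMAP),
		.len = cpu_to_le16(sizeof(req) - 4),
	};
	u32 bitmap;

	/* NOTE(review): whether the firmware has a wider layout for further
	 * bands is not visible here - confirm before extending the arrays
	 */
	if (req.band_idx >= ARRAY_SIZE(req.color_l))
		return -EINVAL;

	/* memcpy avoids unaligned 32-bit loads from the byte arrays */
	memcpy(&bitmap, he_obss_pd->bss_color_bitmap, sizeof(bitmap));
	req.color_l[req.band_idx] = cpu_to_le32(bitmap);

	memcpy(&bitmap, he_obss_pd->bss_color_bitmap + 4, sizeof(bitmap));
	req.color_h[req.band_idx] = cpu_to_le32(bitmap);

	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap, sizeof(bitmap));
	req.bssid_l[req.band_idx] = cpu_to_le32(bitmap);

	memcpy(&bitmap, he_obss_pd->partial_bssid_bitmap + 4, sizeof(bitmap));
	req.bssid_h[req.band_idx] = cpu_to_le32(bitmap);

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(SR), &req,
				 sizeof(req), true);
}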
3487 
/*
 * Apply the OBSS PD spatial reuse configuration for a vif.
 *
 * @phy:        phy to configure
 * @vif:        interface the configuration belongs to
 * @he_obss_pd: spatial reuse parameters
 *
 * The sr_scene_detect module parameter decides how far the sequence goes:
 * with scene detection on, the manual threshold, SIGA and bitmap steps are
 * skipped.
 *
 * Returns 0 on success or the error from the first failing MCU command.
 */
int mt7996_mcu_add_obss_spr(struct mt7996_phy *phy, struct ieee80211_vif *vif,
			    struct ieee80211_he_obss_pd *he_obss_pd)
{
	int err;

	/* enable firmware scene detection algorithms */
	err = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_SD,
					 sr_scene_detect);
	/* firmware dynamically adjusts PD threshold so skip manual control */
	if (err || (sr_scene_detect && !he_obss_pd->enable))
		return err;

	/* enable spatial reuse */
	err = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE,
					 he_obss_pd->enable);
	if (err || sr_scene_detect || !he_obss_pd->enable)
		return err;

	err = mt7996_mcu_enable_obss_spr(phy, UNI_CMD_SR_ENABLE_TX, true);

	/* set SRG/non-SRG OBSS PD threshold */
	if (!err)
		err = mt7996_mcu_set_obss_spr_pd(phy, he_obss_pd);

	/* set SR prohibit */
	if (!err)
		err = mt7996_mcu_set_obss_spr_siga(phy, vif, he_obss_pd);

	/* set SRG BSS color/BSSID bitmap */
	if (!err)
		err = mt7996_mcu_set_obss_spr_bitmap(phy, he_obss_pd);

	return err;
}
3529 
/*
 * Push the BSS color setting of a vif to the firmware.
 *
 * @dev:          target device
 * @vif:          interface whose BSS is updated
 * @he_bss_color: supplies the enabled flag and the color value
 *
 * Returns the allocation error from __mt7996_mcu_alloc_bss_req(), otherwise
 * the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_update_bss_color(struct mt7996_dev *dev, struct ieee80211_vif *vif,
				struct cfg80211_he_bss_color *he_bss_color)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct bss_color_tlv *color_tlv;
	struct sk_buff *msg;
	int msg_len;

	/* request header followed by exactly one BSS color TLV */
	msg_len = sizeof(struct bss_req_hdr) + sizeof(struct bss_color_tlv);

	msg = __mt7996_mcu_alloc_bss_req(&dev->mt76, &mvif->mt76, msg_len);
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	color_tlv = (struct bss_color_tlv *)
		mt76_connac_mcu_add_tlv(msg, UNI_BSS_INFO_BSS_COLOR,
					sizeof(*color_tlv));
	color_tlv->enable = he_bss_color->enabled;
	color_tlv->color = he_bss_color->color;

	return mt76_mcu_skb_send_msg(&dev->mt76, msg,
				     MCU_WMWA_UNI_CMD(BSS_INFO_UPDATE), true);
}
3552 
/* bits of the agrt_params byte in the TWT agreement request */
#define TWT_AGRT_TRIGGER	BIT(0)
#define TWT_AGRT_ANNOUNCE	BIT(1)
#define TWT_AGRT_PROTECT	BIT(2)

/*
 * Send a TWT agreement update for one flow.
 *
 * @dev:  target device
 * @mvif: interface the flow belongs to; supplies the BSS and own-MAC index
 * @flow: flow parameters copied into the request
 * @cmd:  command byte placed in the request
 *
 * Returns the result of mt76_mcu_send_msg().
 */
int mt7996_mcu_twt_agrt_update(struct mt7996_dev *dev,
			       struct mt7996_vif *mvif,
			       struct mt7996_twt_flow *flow,
			       int cmd)
{
	u8 agrt = 0;
	struct {
		/* fixed field */
		u8 bss;
		u8 _rsv[3];

		__le16 tag;
		__le16 len;
		u8 tbl_idx;
		u8 cmd;
		u8 own_mac_idx;
		u8 flowid; /* 0xff for group id */
		__le16 peer_id; /* specify the peer_id (msb=0)
				 * or group_id (msb=1)
				 */
		u8 duration; /* 256 us */
		u8 bss_idx;
		__le64 start_tsf;
		__le16 mantissa;
		u8 exponent;
		u8 is_ap;
		u8 agrt_params;
		u8 __rsv2[23];
	} __packed req = {
		.bss = mvif->mt76.idx,
		.tag = cpu_to_le16(UNI_CMD_TWT_ARGT_UPDATE),
		.len = cpu_to_le16(sizeof(req) - 4),
		.tbl_idx = flow->table_id,
		.cmd = cmd,
		.own_mac_idx = mvif->mt76.omac_idx,
		.flowid = flow->id,
		.peer_id = cpu_to_le16(flow->wcid),
		.duration = flow->duration,
		.bss_idx = mvif->mt76.idx,
		.start_tsf = cpu_to_le64(flow->tsf),
		.mantissa = flow->mantissa,
		.exponent = flow->exp,
		.is_ap = true,
	};

	/* announce is set when flowtype is zero */
	if (flow->trigger)
		agrt |= TWT_AGRT_TRIGGER;
	if (!flow->flowtype)
		agrt |= TWT_AGRT_ANNOUNCE;
	if (flow->protection)
		agrt |= TWT_AGRT_PROTECT;
	req.agrt_params = agrt;

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(TWT),
				 &req, sizeof(req), true);
}
3611 
/*
 * Set the RTS threshold for the phy's band.
 *
 * @phy: phy to configure
 * @val: length threshold; the packet threshold is fixed at 0x2
 *
 * Returns the result of mt76_mcu_send_msg().
 */
int mt7996_mcu_set_rts_thresh(struct mt7996_phy *phy, u32 val)
{
	struct mt76_dev *mdev = &phy->dev->mt76;
	struct {
		u8 band_idx;
		u8 _rsv[3];

		__le16 tag;
		__le16 len;
		__le32 len_thresh;
		__le32 pkt_thresh;
	} __packed cfg = {
		.tag = cpu_to_le16(UNI_BAND_CONFIG_RTS_THRESHOLD),
		.len = cpu_to_le16(sizeof(cfg) - 4),
		.pkt_thresh = cpu_to_le32(0x2),
	};

	cfg.band_idx = phy->mt76->band_idx;
	cfg.len_thresh = cpu_to_le32(val);

	return mt76_mcu_send_msg(mdev, MCU_WM_UNI_CMD(BAND_CONFIG),
				 &cfg, sizeof(cfg), true);
}
3633 
/*
 * Enable or disable the radio of the phy's band.
 *
 * @phy:    phy to configure
 * @enable: requested radio state
 *
 * Returns the result of mt76_mcu_send_msg().
 */
int mt7996_mcu_set_radio_en(struct mt7996_phy *phy, bool enable)
{
	struct mt76_dev *mdev = &phy->dev->mt76;
	struct {
		u8 band_idx;
		u8 _rsv[3];

		__le16 tag;
		__le16 len;
		u8 enable;
		u8 _rsv2[3];
	} __packed cfg = {
		.tag = cpu_to_le16(UNI_BAND_CONFIG_RADIO_ENABLE),
		.len = cpu_to_le16(sizeof(cfg) - 4),
	};

	cfg.band_idx = phy->mt76->band_idx;
	cfg.enable = enable;

	return mt76_mcu_send_msg(mdev, MCU_WM_UNI_CMD(BAND_CONFIG),
				 &cfg, sizeof(cfg), true);
}
3654 
/*
 * Send an RDD control command.
 *
 * @dev:    target device
 * @cmd:    control code, stored in the one-byte ctrl field
 * @index:  RDD index
 * @rx_sel: RDD RX selection
 * @val:    value for the command
 *
 * Returns the result of mt76_mcu_send_msg().
 */
int mt7996_mcu_rdd_cmd(struct mt7996_dev *dev, int cmd, u8 index,
		       u8 rx_sel, u8 val)
{
	struct {
		u8 _rsv[4];

		__le16 tag;
		__le16 len;

		u8 ctrl;
		u8 rdd_idx;
		u8 rdd_rx_sel;
		u8 val;
		u8 rsv[4];
	} __packed rdd = {
		.tag = cpu_to_le16(UNI_RDD_CTRL_PARM),
		.len = cpu_to_le16(sizeof(rdd) - 4),
	};

	rdd.ctrl = cmd;
	rdd.rdd_idx = index;
	rdd.rdd_rx_sel = rx_sel;
	rdd.val = val;

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RDD_CTRL),
				 &rdd, sizeof(rdd), true);
}
3681 
/*
 * Update the header translation settings of a station record.
 *
 * @dev: target device
 * @vif: interface the station belongs to
 * @sta: station to update, or NULL to use the vif's own station entry
 *
 * Returns the allocation error from __mt76_connac_mcu_alloc_sta_req(),
 * otherwise the result of mt76_mcu_skb_send_msg().
 */
int mt7996_mcu_wtbl_update_hdr_trans(struct mt7996_dev *dev,
				     struct ieee80211_vif *vif,
				     struct ieee80211_sta *sta)
{
	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
	struct mt7996_sta *msta = &mvif->sta;
	struct sk_buff *msg;

	/* a real peer overrides the vif's built-in station entry */
	if (sta)
		msta = (struct mt7996_sta *)sta->drv_priv;

	msg = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
					      &msta->wcid,
					      MT7996_STA_UPDATE_MAX_SIZE);
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	/* starec hdr trans */
	mt7996_mcu_sta_hdr_trans_tlv(dev, msg, vif, sta);

	return mt76_mcu_skb_send_msg(&dev->mt76, msg,
				     MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
}
3703 
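/*
 * Read or write one RF register through the firmware.
 *
 * @dev:    target device
 * @regidx: bits 31:24 are sent as the index, bits 23:0 as the offset
 * @val:    value to write when @set is true; receives the value read when
 *          @set is false (left untouched on error)
 * @set:    true to write, false to read
 *
 * On a read, the response is interpreted with the same layout as the
 * request, so its length is checked before the data word is dereferenced.
 *
 * Returns 0 on success, the error from the MCU transport, or -EINVAL when
 * a read response is too short.
 */
int mt7996_mcu_rf_regval(struct mt7996_dev *dev, u32 regidx, u32 *val, bool set)
{
	struct {
		u8 __rsv1[4];

		__le16 tag;
		__le16 len;
		__le16 idx;
		u8 __rsv2[2];
		__le32 ofs;
		__le32 data;
	} __packed *res, req = {
		.tag = cpu_to_le16(UNI_CMD_ACCESS_RF_REG_BASIC),
		.len = cpu_to_le16(sizeof(req) - 4),

		.idx = cpu_to_le16(u32_get_bits(regidx, GENMASK(31, 24))),
		.ofs = cpu_to_le32(u32_get_bits(regidx, GENMASK(23, 0))),
		.data = set ? cpu_to_le32(*val) : 0,
	};
	struct sk_buff *skb;
	int ret;

	if (set)
		return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(REG_ACCESS),
					 &req, sizeof(req), true);

	ret = mt76_mcu_send_and_get_msg(&dev->mt76,
					MCU_WM_UNI_CMD_QUERY(REG_ACCESS),
					&req, sizeof(req), true, &skb);
	if (ret)
		return ret;

	/* res->data is the last field; the whole layout must be present */
	if (skb->len < sizeof(*res)) {
		dev_kfree_skb(skb);
		return -EINVAL;
	}

	res = (void *)skb->data;
	*val = le32_to_cpu(res->data);
	dev_kfree_skb(skb);

	return 0;
}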
3742 
/*
 * Send the ASSERT_DUMP command with its enable byte set.
 *
 * @dev: target device
 *
 * The tag field is left at zero. Returns the result of mt76_mcu_send_msg().
 */
int mt7996_mcu_trigger_assert(struct mt7996_dev *dev)
{
	struct {
		__le16 tag;
		__le16 len;
		u8 enable;
		u8 rsv[3];
	} __packed dump = {
		.enable = true,
	};

	dump.len = cpu_to_le16(sizeof(dump) - 4);

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(ASSERT_DUMP),
				 &dump, sizeof(dump), false);
}
3758 
/*
 * Send one RRO setting to the firmware.
 *
 * @dev: target device
 * @tag: UNI_RRO_SET_PLATFORM_TYPE, UNI_RRO_SET_BYPASS_MODE or
 *       UNI_RRO_SET_TXFREE_PATH
 * @val: value stored in the first payload byte for that tag
 *
 * Returns -EINVAL for any other tag (nothing is sent), otherwise the result
 * of mt76_mcu_send_msg().
 */
int mt7996_mcu_set_rro(struct mt7996_dev *dev, u16 tag, u8 val)
{
	struct {
		u8 __rsv1[4];

		__le16 tag;
		__le16 len;

		/* payload layout depends on the tag */
		union {
			struct {
				u8 type;
				u8 __rsv2[3];
			} __packed platform_type;
			struct {
				u8 type;
				u8 dest;
				u8 __rsv2[2];
			} __packed bypass_mode;
			struct {
				u8 path;
				u8 __rsv2[3];
			} __packed txfree_path;
		};
	} __packed rro = {
		.len = cpu_to_le16(sizeof(rro) - 4),
	};

	rro.tag = cpu_to_le16(tag);

	if (tag == UNI_RRO_SET_PLATFORM_TYPE)
		rro.platform_type.type = val;
	else if (tag == UNI_RRO_SET_BYPASS_MODE)
		rro.bypass_mode.type = val;	/* dest stays zero */
	else if (tag == UNI_RRO_SET_TXFREE_PATH)
		rro.txfree_path.path = val;
	else
		return -EINVAL;

	return mt76_mcu_send_msg(&dev->mt76, MCU_WM_UNI_CMD(RRO), &rro,
				 sizeof(rro), true);
}
3804