39 files changed, 304 insertions, 125 deletions

diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index b479160dc262..7a9c6f7cd7e1 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -1826,7 +1826,8 @@ static void ath9k_set_power_sleep(struct ath_hw *ah, int setChip)
         }
 
         /* Clear Bit 14 of AR_WA after putting chip into Full Sleep mode. */
-        REG_WRITE(ah, AR_WA, ah->WARegVal & ~AR_WA_D3_L1_DISABLE);
+        if (AR_SREV_9300_20_OR_LATER(ah))
+                REG_WRITE(ah, AR_WA, ah->WARegVal & ~AR_WA_D3_L1_DISABLE);
 }
 
 /*
diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c
index 028310f263c8..f1be57f0f5bb 100644
--- a/drivers/net/wireless/ath/regd.c
+++ b/drivers/net/wireless/ath/regd.c
@@ -253,6 +253,8 @@ ath_reg_apply_active_scan_flags(struct wiphy *wiphy,
         int r;
 
         sband = wiphy->bands[IEEE80211_BAND_2GHZ];
+        if (!sband)
+                return;
 
         /*
          * If no country IE has been received always enable active scan
diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c
index 58ea0e5fabfd..5f77cbe0b6aa 100644
--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -175,6 +175,7 @@ void b43_generate_plcp_hdr(struct b43_plcp_hdr4 *plcp,
         }
 }
 
+/* TODO: verify if needed for SSLPN or LCN  */
 static u16 b43_generate_tx_phy_ctl1(struct b43_wldev *dev, u8 bitrate)
 {
         const struct b43_phy *phy = &dev->phy;
@@ -256,6 +257,9 @@ int b43_generate_txhdr(struct b43_wldev *dev,
         unsigned int plcp_fragment_len;
         u32 mac_ctl = 0;
         u16 phy_ctl = 0;
+        bool fill_phy_ctl1 = (phy->type == B43_PHYTYPE_LP ||
+                              phy->type == B43_PHYTYPE_N ||
+                              phy->type == B43_PHYTYPE_HT);
         u8 extra_ft = 0;
         struct ieee80211_rate *txrate;
         struct ieee80211_tx_rate *rates;
@@ -531,7 +535,7 @@ int b43_generate_txhdr(struct b43_wldev *dev,
                         extra_ft |= B43_TXH_EFT_RTSFB_CCK;
 
                 if (rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS &&
-                    phy->type == B43_PHYTYPE_N) {
+                    fill_phy_ctl1) {
                         txhdr->phy_ctl1_rts = cpu_to_le16(
                                 b43_generate_tx_phy_ctl1(dev, rts_rate));
                         txhdr->phy_ctl1_rts_fb = cpu_to_le16(
@@ -552,7 +556,7 @@ int b43_generate_txhdr(struct b43_wldev *dev,
                 break;
         }
 
-        if (phy->type == B43_PHYTYPE_N) {
+        if (fill_phy_ctl1) {
                 txhdr->phy_ctl1 =
                         cpu_to_le16(b43_generate_tx_phy_ctl1(dev, rate));
                 txhdr->phy_ctl1_fb =
@@ -736,7 +740,14 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
 
         /* Link quality statistics */
         switch (chanstat & B43_RX_CHAN_PHYTYPE) {
+        case B43_PHYTYPE_HT:
+                /* TODO: is max the right choice? */
+                status.signal = max_t(__s8,
+                        max(rxhdr->phy_ht_power0, rxhdr->phy_ht_power1),
+                        rxhdr->phy_ht_power2);
+                break;
         case B43_PHYTYPE_N:
+                /* Broadcom has code for min and avg, but always uses max */
                 if (rxhdr->power0 == 16 || rxhdr->power0 == 32)
                         status.signal = max(rxhdr->power1, rxhdr->power2);
                 else
diff --git a/drivers/net/wireless/b43/xmit.h b/drivers/net/wireless/b43/xmit.h
index 16c514d54afa..98d90747836a 100644
--- a/drivers/net/wireless/b43/xmit.h
+++ b/drivers/net/wireless/b43/xmit.h
@@ -249,6 +249,12 @@ struct b43_rxhdr_fw4 {
                 } __packed;
         } __packed;
         union {
+                /* HT-PHY */
+                struct {
+                        PAD_BYTES(1);
+                        __s8 phy_ht_power0;
+                } __packed;
+
                 /* RSSI for N-PHYs */
                 struct {
                         __s8 power2;
@@ -257,7 +263,15 @@ struct b43_rxhdr_fw4 {
 
                 __le16 phy_status2;     /* PHY RX Status 2 */
         } __packed;
-        __le16 phy_status3;     /* PHY RX Status 3 */
+        union {
+                /* HT-PHY */
+                struct {
+                        __s8 phy_ht_power1;
+                        __s8 phy_ht_power2;
+                } __packed;
+
+                __le16 phy_status3;     /* PHY RX Status 3 */
+        } __packed;
         union {
                 /* Tested with 598.314, 644.1001 and 666.2 */
                 struct {
diff --git a/drivers/net/wireless/brcm80211/brcmsmac/dma.c b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
index b56a30297c26..6ebec8f42846 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
@@ -358,13 +358,14 @@ static uint nrxdactive(struct dma_info *di, uint h, uint t)
 
 static uint _dma_ctrlflags(struct dma_info *di, uint mask, uint flags)
 {
-        uint dmactrlflags = di->dma.dmactrlflags;
+        uint dmactrlflags;
 
         if (di == NULL) {
-                DMA_ERROR(("%s: _dma_ctrlflags: NULL dma handle\n", di->name));
+                DMA_ERROR(("_dma_ctrlflags: NULL dma handle\n"));
                 return 0;
         }
 
+        dmactrlflags = di->dma.dmactrlflags;
         dmactrlflags &= ~mask;
         dmactrlflags |= flags;
 
diff --git a/drivers/net/wireless/iwlwifi/iwl-1000.c b/drivers/net/wireless/iwlwifi/iwl-1000.c
index e12b48c2cff6..dd008b0e6417 100644
--- a/drivers/net/wireless/iwlwifi/iwl-1000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-1000.c
@@ -191,6 +191,7 @@ static struct iwl_base_params iwl1000_base_params = {
         .chain_noise_scale = 1000,
         .wd_timeout = IWL_DEF_WD_TIMEOUT,
         .max_event_log_size = 128,
+        .wd_disable = true,
 };
 static struct iwl_ht_params iwl1000_ht_params = {
         .ht_greenfield_support = true,
diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
index c511c98a89a8..f55fb2d1af52 100644
--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -364,6 +364,7 @@ static struct iwl_base_params iwl5000_base_params = {
         .wd_timeout = IWL_LONG_WD_TIMEOUT,
         .max_event_log_size = 512,
         .no_idle_support = true,
+        .wd_disable = true,
 };
 static struct iwl_ht_params iwl5000_ht_params = {
         .ht_greenfield_support = true,
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
index 58a381c01c89..a7a6def40d05 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
@@ -528,6 +528,24 @@ int iwlagn_commit_rxon(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
         return 0;
 }
 
+void iwlagn_config_ht40(struct ieee80211_conf *conf,
+        struct iwl_rxon_context *ctx)
+{
+        if (conf_is_ht40_minus(conf)) {
+                ctx->ht.extension_chan_offset =
+                        IEEE80211_HT_PARAM_CHA_SEC_BELOW;
+                ctx->ht.is_40mhz = true;
+        } else if (conf_is_ht40_plus(conf)) {
+                ctx->ht.extension_chan_offset =
+                        IEEE80211_HT_PARAM_CHA_SEC_ABOVE;
+                ctx->ht.is_40mhz = true;
+        } else {
+                ctx->ht.extension_chan_offset =
+                        IEEE80211_HT_PARAM_CHA_SEC_NONE;
+                ctx->ht.is_40mhz = false;
+        }
+}
+
 int iwlagn_mac_config(struct ieee80211_hw *hw, u32 changed)
 {
         struct iwl_priv *priv = hw->priv;
@@ -586,19 +604,11 @@ int iwlagn_mac_config(struct ieee80211_hw *hw, u32 changed)
                                 ctx->ht.enabled = conf_is_ht(conf);
 
                         if (ctx->ht.enabled) {
-                                if (conf_is_ht40_minus(conf)) {
-                                        ctx->ht.extension_chan_offset =
-                                                IEEE80211_HT_PARAM_CHA_SEC_BELOW;
-                                        ctx->ht.is_40mhz = true;
-                                } else if (conf_is_ht40_plus(conf)) {
-                                        ctx->ht.extension_chan_offset =
-                                                IEEE80211_HT_PARAM_CHA_SEC_ABOVE;
-                                        ctx->ht.is_40mhz = true;
-                                } else {
-                                        ctx->ht.extension_chan_offset =
-                                                IEEE80211_HT_PARAM_CHA_SEC_NONE;
-                                        ctx->ht.is_40mhz = false;
-                                }
+                                /* if HT40 is used, it should not change
+                                 * after associated except channel switch */
+                                if (iwl_is_associated_ctx(ctx) &&
+                                     !ctx->ht.is_40mhz)
+                                        iwlagn_config_ht40(conf, ctx);
                         } else
                                 ctx->ht.is_40mhz = false;
 
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
index ed6283623932..4b2aa1da0953 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
@@ -1268,9 +1268,6 @@ int iwl_set_dynamic_key(struct iwl_priv *priv,
 
         switch (keyconf->cipher) {
         case WLAN_CIPHER_SUITE_TKIP:
-                keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
-                keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
-
                 if (sta)
                         addr = sta->addr;
                 else /* station mode case only */
@@ -1283,8 +1280,6 @@ int iwl_set_dynamic_key(struct iwl_priv *priv,
                                           seq.tkip.iv32, p1k, CMD_SYNC);
                 break;
         case WLAN_CIPHER_SUITE_CCMP:
-                keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
-                /* fall through */
         case WLAN_CIPHER_SUITE_WEP40:
         case WLAN_CIPHER_SUITE_WEP104:
                 ret = iwlagn_send_sta_key(priv, keyconf, sta_id,
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index ccba69b7f8a7..bacc06c95e7a 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -2316,6 +2316,17 @@ static int iwlagn_mac_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
                 return -EOPNOTSUPP;
         }
 
+        switch (key->cipher) {
+        case WLAN_CIPHER_SUITE_TKIP:
+                key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
+                /* fall through */
+        case WLAN_CIPHER_SUITE_CCMP:
+                key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
+                break;
+        default:
+                break;
+        }
+
         /*
          * We could program these keys into the hardware as well, but we
          * don't expect much multicast traffic in IBSS and having keys
@@ -2599,21 +2610,9 @@ static void iwlagn_mac_channel_switch(struct ieee80211_hw *hw,
 
         /* Configure HT40 channels */
         ctx->ht.enabled = conf_is_ht(conf);
-        if (ctx->ht.enabled) {
-                if (conf_is_ht40_minus(conf)) {
-                        ctx->ht.extension_chan_offset =
-                                IEEE80211_HT_PARAM_CHA_SEC_BELOW;
-                        ctx->ht.is_40mhz = true;
-                } else if (conf_is_ht40_plus(conf)) {
-                        ctx->ht.extension_chan_offset =
-                                IEEE80211_HT_PARAM_CHA_SEC_ABOVE;
-                        ctx->ht.is_40mhz = true;
-                } else {
-                        ctx->ht.extension_chan_offset =
-                                IEEE80211_HT_PARAM_CHA_SEC_NONE;
-                        ctx->ht.is_40mhz = false;
-                }
-        } else
+        if (ctx->ht.enabled)
+                iwlagn_config_ht40(conf, ctx);
+        else
                 ctx->ht.is_40mhz = false;
 
         if ((le16_to_cpu(ctx->staging.channel) != ch))
@@ -3499,9 +3498,10 @@ MODULE_PARM_DESC(plcp_check, "Check plcp health (default: 1 [enabled])");
 module_param_named(ack_check, iwlagn_mod_params.ack_check, bool, S_IRUGO);
 MODULE_PARM_DESC(ack_check, "Check ack health (default: 0 [disabled])");
 
-module_param_named(wd_disable, iwlagn_mod_params.wd_disable, bool, S_IRUGO);
+module_param_named(wd_disable, iwlagn_mod_params.wd_disable, int, S_IRUGO);
 MODULE_PARM_DESC(wd_disable,
-                "Disable stuck queue watchdog timer (default: 0 [enabled])");
+                "Disable stuck queue watchdog timer 0=system default, "
+                "1=disable, 2=enable (default: 0)");
 
 /*
  * set bt_coex_active to true, uCode will do kill/defer
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.h b/drivers/net/wireless/iwlwifi/iwl-agn.h
index 5b936ec1a541..3856abaea507 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.h
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.h
@@ -86,6 +86,8 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw,
                              struct ieee80211_vif *vif,
                              struct ieee80211_bss_conf *bss_conf,
                              u32 changes);
+void iwlagn_config_ht40(struct ieee80211_conf *conf,
+                        struct iwl_rxon_context *ctx);
 
 /* uCode */
 int iwlagn_rx_calib_result(struct iwl_priv *priv,
diff --git a/drivers/net/wireless/iwlwifi/iwl-core.c b/drivers/net/wireless/iwlwifi/iwl-core.c
index 001fdf140abb..fcf54160e4ed 100644
--- a/drivers/net/wireless/iwlwifi/iwl-core.c
+++ b/drivers/net/wireless/iwlwifi/iwl-core.c
@@ -1810,11 +1810,23 @@ void iwl_setup_watchdog(struct iwl_priv *priv)
 {
         unsigned int timeout = priv->cfg->base_params->wd_timeout;
 
-        if (timeout && !iwlagn_mod_params.wd_disable)
-                mod_timer(&priv->watchdog,
-                          jiffies + msecs_to_jiffies(IWL_WD_TICK(timeout)));
-        else
-                del_timer(&priv->watchdog);
+        if (!iwlagn_mod_params.wd_disable) {
+                /* use system default */
+                if (timeout && !priv->cfg->base_params->wd_disable)
+                        mod_timer(&priv->watchdog,
+                                jiffies +
+                                msecs_to_jiffies(IWL_WD_TICK(timeout)));
+                else
+                        del_timer(&priv->watchdog);
+        } else {
+                /* module parameter overwrite default configuration */
+                if (timeout && iwlagn_mod_params.wd_disable == 2)
+                        mod_timer(&priv->watchdog,
+                                jiffies +
+                                msecs_to_jiffies(IWL_WD_TICK(timeout)));
+                else
+                        del_timer(&priv->watchdog);
+        }
 }
 
 /**
diff --git a/drivers/net/wireless/iwlwifi/iwl-core.h b/drivers/net/wireless/iwlwifi/iwl-core.h
index 137da3380704..f2fc288f3dd3 100644
--- a/drivers/net/wireless/iwlwifi/iwl-core.h
+++ b/drivers/net/wireless/iwlwifi/iwl-core.h
@@ -113,6 +113,7 @@ struct iwl_lib_ops {
  * @shadow_reg_enable: HW shadhow register bit
  * @no_idle_support: do not support idle mode
  * @hd_v2: v2 of enhanced sensitivity value, used for 2000 series and up
+ * wd_disable: disable watchdog timer
  */
 struct iwl_base_params {
         int eeprom_size;
@@ -134,6 +135,7 @@ struct iwl_base_params {
         const bool shadow_reg_enable;
         const bool no_idle_support;
         const bool hd_v2;
+        const bool wd_disable;
 };
 /*
  * @advanced_bt_coexist: support advanced bt coexist
diff --git a/drivers/net/wireless/iwlwifi/iwl-shared.h b/drivers/net/wireless/iwlwifi/iwl-shared.h
index 1f7a93c67c45..14eaf37ce3b1 100644
--- a/drivers/net/wireless/iwlwifi/iwl-shared.h
+++ b/drivers/net/wireless/iwlwifi/iwl-shared.h
@@ -120,7 +120,7 @@ extern struct iwl_mod_params iwlagn_mod_params;
  * @restart_fw: restart firmware, default = 1
  * @plcp_check: enable plcp health check, default = true
  * @ack_check: disable ack health check, default = false
- * @wd_disable: enable stuck queue check, default = false
+ * @wd_disable: enable stuck queue check, default = 0
  * @bt_coex_active: enable bt coex, default = true
  * @led_mode: system default, default = 0
  * @no_sleep_autoadjust: disable autoadjust, default = true
@@ -141,7 +141,7 @@ struct iwl_mod_params {
         int restart_fw;
         bool plcp_check;
         bool ack_check;
-        bool wd_disable;
+        int  wd_disable;
         bool bt_coex_active;
         int led_mode;
         bool no_sleep_autoadjust;
diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
index da3411057afc..ce918980e977 100644
--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
@@ -990,29 +990,16 @@ static int iwl_trans_tx_stop(struct iwl_trans *trans)
         return 0;
 }
 
-static void iwl_trans_pcie_disable_sync_irq(struct iwl_trans *trans)
+static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
 {
         unsigned long flags;
-        struct iwl_trans_pcie *trans_pcie =
-                IWL_TRANS_GET_PCIE_TRANS(trans);
+        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
 
+        /* tell the device to stop sending interrupts */
         spin_lock_irqsave(&trans->shrd->lock, flags);
         iwl_disable_interrupts(trans);
         spin_unlock_irqrestore(&trans->shrd->lock, flags);
 
-        /* wait to make sure we flush pending tasklet*/
-        synchronize_irq(bus(trans)->irq);
-        tasklet_kill(&trans_pcie->irq_tasklet);
-}
-
-static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
-{
-        /* stop and reset the on-board processor */
-        iwl_write32(bus(trans), CSR_RESET, CSR_RESET_REG_FLAG_NEVO_RESET);
-
-        /* tell the device to stop sending interrupts */
-        iwl_trans_pcie_disable_sync_irq(trans);
-
         /* device going down, Stop using ICT table */
         iwl_disable_ict(trans);
 
@@ -1039,6 +1026,20 @@ static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
 
         /* Stop the device, and put it in low power state */
         iwl_apm_stop(priv(trans));
+
+        /* Upon stop, the APM issues an interrupt if HW RF kill is set.
+         * Clean again the interrupt here
+         */
+        spin_lock_irqsave(&trans->shrd->lock, flags);
+        iwl_disable_interrupts(trans);
+        spin_unlock_irqrestore(&trans->shrd->lock, flags);
+
+        /* wait to make sure we flush pending tasklet*/
+        synchronize_irq(bus(trans)->irq);
+        tasklet_kill(&trans_pcie->irq_tasklet);
+
+        /* stop and reset the on-board processor */
+        iwl_write32(bus(trans), CSR_RESET, CSR_RESET_REG_FLAG_NEVO_RESET);
 }
 
 static int iwl_trans_pcie_tx(struct iwl_trans *trans, struct sk_buff *skb,
diff --git a/drivers/net/wireless/libertas/cfg.c b/drivers/net/wireless/libertas/cfg.c
index 4fcd653bddc4..a7f1ab28940d 100644
--- a/drivers/net/wireless/libertas/cfg.c
+++ b/drivers/net/wireless/libertas/cfg.c
@@ -634,7 +634,7 @@ static int lbs_ret_scan(struct lbs_private *priv, unsigned long dummy,
                         if (channel &&
                             !(channel->flags & IEEE80211_CHAN_DISABLED))
                                 cfg80211_inform_bss(wiphy, channel,
-                                        bssid, le64_to_cpu(*(__le64 *)tsfdesc),
+                                        bssid, get_unaligned_le64(tsfdesc),
                                         capa, intvl, ie, ielen,
                                         LBS_SCAN_RSSI_TO_MBM(rssi),
                                         GFP_KERNEL);
diff --git a/drivers/net/wireless/libertas/if_spi.c b/drivers/net/wireless/libertas/if_spi.c
index 622ae6de0d8b..7059d9645dab 100644
--- a/drivers/net/wireless/libertas/if_spi.c
+++ b/drivers/net/wireless/libertas/if_spi.c
@@ -995,6 +995,7 @@ static int if_spi_host_to_card(struct lbs_private *priv,
                 spin_unlock_irqrestore(&card->buffer_lock, flags);
                 break;
         default:
+                kfree(packet);
                 netdev_err(priv->dev, "can't transfer buffer of type %d\n",
                            type);
                 err = -EINVAL;
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index dae8dbb24a03..8d3ab378662b 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -819,8 +819,10 @@ mwifiex_scan_setup_scan_config(struct mwifiex_private *priv,
                         wildcard_ssid_tlv->header.len = cpu_to_le16(
                                 (u16) (ssid_len + sizeof(wildcard_ssid_tlv->
                                                          max_ssid_length)));
-                        wildcard_ssid_tlv->max_ssid_length =
-                                user_scan_in->ssid_list[ssid_idx].max_len;
+
+                        /* max_ssid_length = 0 tells firmware to perform
+                           specific scan for the SSID filled */
+                        wildcard_ssid_tlv->max_ssid_length = 0;
 
                         memcpy(wildcard_ssid_tlv->ssid,
                                user_scan_in->ssid_list[ssid_idx].ssid,
@@ -1469,7 +1471,7 @@ mwifiex_update_curr_bss_params(struct mwifiex_private *priv, u8 *bssid,
                                s32 rssi, const u8 *ie_buf, size_t ie_len,
                                u16 beacon_period, u16 cap_info_bitmap, u8 band)
 {
-        struct mwifiex_bssdescriptor *bss_desc = NULL;
+        struct mwifiex_bssdescriptor *bss_desc;
         int ret;
         unsigned long flags;
         u8 *beacon_ie;
@@ -1484,6 +1486,7 @@ mwifiex_update_curr_bss_params(struct mwifiex_private *priv, u8 *bssid,
 
         beacon_ie = kmemdup(ie_buf, ie_len, GFP_KERNEL);
         if (!beacon_ie) {
+                kfree(bss_desc);
                 dev_err(priv->adapter->dev, " failed to alloc beacon_ie\n");
                 return -ENOMEM;
         }
diff --git a/drivers/net/wireless/p54/p54spi.c b/drivers/net/wireless/p54/p54spi.c
index f18df82eeb92..78d0d6988553 100644
--- a/drivers/net/wireless/p54/p54spi.c
+++ b/drivers/net/wireless/p54/p54spi.c
@@ -588,8 +588,6 @@ static void p54spi_op_stop(struct ieee80211_hw *dev)
 
         WARN_ON(priv->fw_state != FW_STATE_READY);
 
-        cancel_work_sync(&priv->work);
-
         p54spi_power_off(priv);
         spin_lock_irqsave(&priv->tx_lock, flags);
         INIT_LIST_HEAD(&priv->tx_pending);
@@ -597,6 +595,8 @@ static void p54spi_op_stop(struct ieee80211_hw *dev)
 
         priv->fw_state = FW_STATE_OFF;
         mutex_unlock(&priv->mutex);
+
+        cancel_work_sync(&priv->work);
 }
 
 static int __devinit p54spi_probe(struct spi_device *spi)
@@ -656,6 +656,7 @@ static int __devinit p54spi_probe(struct spi_device *spi)
         init_completion(&priv->fw_comp);
         INIT_LIST_HEAD(&priv->tx_pending);
         mutex_init(&priv->mutex);
+        spin_lock_init(&priv->tx_lock);
         SET_IEEE80211_DEV(hw, &spi->dev);
         priv->common.open = p54spi_op_start;
         priv->common.stop = p54spi_op_stop;
diff --git a/drivers/net/wireless/prism54/isl_ioctl.c b/drivers/net/wireless/prism54/isl_ioctl.c
index d97a2caf582b..bc2ba80c47bb 100644
--- a/drivers/net/wireless/prism54/isl_ioctl.c
+++ b/drivers/net/wireless/prism54/isl_ioctl.c
@@ -778,7 +778,7 @@ prism54_get_essid(struct net_device *ndev, struct iw_request_info *info,
                 dwrq->flags = 0;
                 dwrq->length = 0;
         }
-        essid->octets[essid->length] = '\0';
+        essid->octets[dwrq->length] = '\0';
         memcpy(extra, essid->octets, dwrq->length);
         kfree(essid);
 
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
index 3f183a15186e..1ba079dffb11 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -3771,7 +3771,7 @@ static void rt2800_efuse_read(struct rt2x00_dev *rt2x00dev, unsigned int i)
         /* Apparently the data is read from end to start */
         rt2800_register_read_lock(rt2x00dev, EFUSE_DATA3, &reg);
         /* The returned value is in CPU order, but eeprom is le */
-        rt2x00dev->eeprom[i] = cpu_to_le32(reg);
+        *(u32 *)&rt2x00dev->eeprom[i] = cpu_to_le32(reg);
         rt2800_register_read_lock(rt2x00dev, EFUSE_DATA2, &reg);
         *(u32 *)&rt2x00dev->eeprom[i + 2] = cpu_to_le32(reg);
         rt2800_register_read_lock(rt2x00dev, EFUSE_DATA1, &reg);
diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
index f1565792f270..377876315b8d 100644
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -919,6 +919,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
         { USB_DEVICE(0x050d, 0x935b) },
         /* Buffalo */
         { USB_DEVICE(0x0411, 0x00e8) },
+        { USB_DEVICE(0x0411, 0x0158) },
         { USB_DEVICE(0x0411, 0x016f) },
         { USB_DEVICE(0x0411, 0x01a2) },
         /* Corega */
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index 2ec5c00235e6..99ff12d0c29d 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -943,6 +943,7 @@ struct rt2x00_dev {
          * Powersaving work
          */
         struct delayed_work autowakeup_work;
+        struct work_struct sleep_work;
 
         /*
          * Data queue arrays for RX, TX, Beacon and ATIM.
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index e1fb2a8569be..edd317fa7c0a 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -465,6 +465,23 @@ static u8 *rt2x00lib_find_ie(u8 *data, unsigned int len, u8 ie)
         return NULL;
 }
 
+static void rt2x00lib_sleep(struct work_struct *work)
+{
+        struct rt2x00_dev *rt2x00dev =
+            container_of(work, struct rt2x00_dev, sleep_work);
+
+        if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
+                return;
+
+        /*
+         * Check again is powersaving is enabled, to prevent races from delayed
+         * work execution.
+         */
+        if (!test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags))
+                rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf,
+                                 IEEE80211_CONF_CHANGE_PS);
+}
+
 static void rt2x00lib_rxdone_check_ps(struct rt2x00_dev *rt2x00dev,
                                       struct sk_buff *skb,
                                       struct rxdone_entry_desc *rxdesc)
@@ -512,8 +529,7 @@ static void rt2x00lib_rxdone_check_ps(struct rt2x00_dev *rt2x00dev,
         cam |= (tim_ie->bitmap_ctrl & 0x01);
 
         if (!cam && !test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags))
-                rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf,
-                                 IEEE80211_CONF_CHANGE_PS);
+                queue_work(rt2x00dev->workqueue, &rt2x00dev->sleep_work);
 }
 
 static int rt2x00lib_rxdone_read_signal(struct rt2x00_dev *rt2x00dev,
@@ -1141,6 +1157,7 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
 
         INIT_WORK(&rt2x00dev->intf_work, rt2x00lib_intf_scheduled);
         INIT_DELAYED_WORK(&rt2x00dev->autowakeup_work, rt2x00lib_autowakeup);
+        INIT_WORK(&rt2x00dev->sleep_work, rt2x00lib_sleep);
 
         /*
          * Let the driver probe the device to detect the capabilities.
@@ -1197,6 +1214,7 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
          */
         cancel_work_sync(&rt2x00dev->intf_work);
         cancel_delayed_work_sync(&rt2x00dev->autowakeup_work);
+        cancel_work_sync(&rt2x00dev->sleep_work);
         if (rt2x00_is_usb(rt2x00dev)) {
                 del_timer_sync(&rt2x00dev->txstatus_timer);
                 cancel_work_sync(&rt2x00dev->rxdone_work);
diff --git a/drivers/net/wireless/rtlwifi/ps.c b/drivers/net/wireless/rtlwifi/ps.c
index a693feffbe72..0b04b2e7b597 100644
--- a/drivers/net/wireless/rtlwifi/ps.c
+++ b/drivers/net/wireless/rtlwifi/ps.c
@@ -394,7 +394,7 @@ void rtl_lps_enter(struct ieee80211_hw *hw)
         if (mac->link_state != MAC80211_LINKED)
                 return;
 
-        spin_lock(&rtlpriv->locks.lps_lock);
+        spin_lock_irq(&rtlpriv->locks.lps_lock);
 
         /* Idle for a while if we connect to AP a while ago. */
         if (mac->cnt_after_linked >= 2) {
@@ -406,7 +406,7 @@ void rtl_lps_enter(struct ieee80211_hw *hw)
                 }
         }
 
-        spin_unlock(&rtlpriv->locks.lps_lock);
+        spin_unlock_irq(&rtlpriv->locks.lps_lock);
 }
 
 /*Leave the leisure power save mode.*/
@@ -415,8 +415,9 @@ void rtl_lps_leave(struct ieee80211_hw *hw)
         struct rtl_priv *rtlpriv = rtl_priv(hw);
         struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw));
         struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
+        unsigned long flags;
 
-        spin_lock(&rtlpriv->locks.lps_lock);
+        spin_lock_irqsave(&rtlpriv->locks.lps_lock, flags);
 
         if (ppsc->fwctrl_lps) {
                 if (ppsc->dot11_psmode != EACTIVE) {
@@ -437,7 +438,7 @@ void rtl_lps_leave(struct ieee80211_hw *hw)
                         rtl_lps_set_psmode(hw, EACTIVE);
                 }
         }
-        spin_unlock(&rtlpriv->locks.lps_lock);
+        spin_unlock_irqrestore(&rtlpriv->locks.lps_lock, flags);
 }
 
 /* For sw LPS*/
@@ -538,9 +539,9 @@ void rtl_swlps_rf_awake(struct ieee80211_hw *hw)
                 RT_CLEAR_PS_LEVEL(ppsc, RT_PS_LEVEL_ASPM);
         }
 
-        spin_lock(&rtlpriv->locks.lps_lock);
+        spin_lock_irq(&rtlpriv->locks.lps_lock);
         rtl_ps_set_rf_state(hw, ERFON, RF_CHANGE_BY_PS);
-        spin_unlock(&rtlpriv->locks.lps_lock);
+        spin_unlock_irq(&rtlpriv->locks.lps_lock);
 }
 
 void rtl_swlps_rfon_wq_callback(void *data)
@@ -573,9 +574,9 @@ void rtl_swlps_rf_sleep(struct ieee80211_hw *hw)
         if (rtlpriv->link_info.busytraffic)
                 return;
 
-        spin_lock(&rtlpriv->locks.lps_lock);
+        spin_lock_irq(&rtlpriv->locks.lps_lock);
         rtl_ps_set_rf_state(hw, ERFSLEEP, RF_CHANGE_BY_PS);
-        spin_unlock(&rtlpriv->locks.lps_lock);
+        spin_unlock_irq(&rtlpriv->locks.lps_lock);
 
         if (ppsc->reg_rfps_level & RT_RF_OFF_LEVL_ASPM &&
                 !RT_IN_PS_LEVEL(ppsc, RT_PS_LEVEL_ASPM)) {
diff --git a/drivers/net/wireless/wl12xx/scan.c b/drivers/net/wireless/wl12xx/scan.c
index 128ccb79318c..fc29c671cf3b 100644
--- a/drivers/net/wireless/wl12xx/scan.c
+++ b/drivers/net/wireless/wl12xx/scan.c
@@ -559,7 +559,7 @@ wl12xx_scan_sched_scan_ssid_list(struct wl1271 *wl,
                                                 break;
                                         }
                                 /* Fail if SSID isn't present in the filters */
-                                if (j == req->n_ssids) {
+                                if (j == cmd->n_ssids) {
                                         ret = -EINVAL;
                                         goto out_free;
                                 }
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 92cf1c2c30c9..95852e36713b 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -456,6 +456,9 @@ enum station_parameters_apply_mask {
  *      as the AC bitmap in the QoS info field
  * @max_sp: max Service Period. same format as the MAX_SP in the
  *      QoS info field (but already shifted down)
+ * @sta_modify_mask: bitmap indicating which parameters changed
+ *      (for those that don't have a natural "no change" value),
+ *      see &enum station_parameters_apply_mask
  */
 struct station_parameters {
         u8 *supported_rates;
@@ -615,6 +618,7 @@ struct sta_bss_parameters {
  *      user space MLME/SME implementation. The information is provided for
  *      the cfg80211_new_sta() calls to notify user space of the IEs.
  * @assoc_req_ies_len: Length of assoc_req_ies buffer in octets.
+ * @sta_flags: station flags mask & values
  */
 struct station_info {
         u32 filled;
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index dc1123aa8181..72eddd1b410b 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -3567,8 +3567,9 @@ rate_lowest_index(struct ieee80211_supported_band *sband,
                         return i;
 
         /* warn when we cannot find a rate. */
-        WARN_ON(1);
+        WARN_ON_ONCE(1);
 
+        /* and return 0 (the lowest index) */
         return 0;
 }
 
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 2ac033989e01..331472ce038c 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -160,6 +160,12 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                 return -ENOENT;
         }
 
+        /* if we're already stopping ignore any new requests to stop */
+        if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
+                spin_unlock_bh(&sta->lock);
+                return -EALREADY;
+        }
+
         if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state)) {
                 /* not even started yet! */
                 ieee80211_assign_tid_tx(sta, tid, NULL);
@@ -168,6 +174,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                 return 0;
         }
 
+        set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
+
         spin_unlock_bh(&sta->lock);
 
 #ifdef CONFIG_MAC80211_HT_DEBUG
@@ -175,8 +183,6 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                sta->sta.addr, tid);
 #endif /* CONFIG_MAC80211_HT_DEBUG */
 
-        set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
-
         del_timer_sync(&tid_tx->addba_resp_timer);
 
         /*
@@ -186,6 +192,20 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
          */
         clear_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state);
 
+        /*
+         * There might be a few packets being processed right now (on
+         * another CPU) that have already gotten past the aggregation
+         * check when it was still OPERATIONAL and consequently have
+         * IEEE80211_TX_CTL_AMPDU set. In that case, this code might
+         * call into the driver at the same time or even before the
+         * TX paths calls into it, which could confuse the driver.
+         *
+         * Wait for all currently running TX paths to finish before
+         * telling the driver. New packets will not go through since
+         * the aggregation session is no longer OPERATIONAL.
+         */
+        synchronize_net();
+
         tid_tx->stop_initiator = initiator;
         tid_tx->tx_stop = tx;
 
@@ -756,11 +776,27 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
                 goto out;
         }
 
-        del_timer(&tid_tx->addba_resp_timer);
+        del_timer_sync(&tid_tx->addba_resp_timer);
 
 #ifdef CONFIG_MAC80211_HT_DEBUG
         printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid);
 #endif
+
+        /*
+         * addba_resp_timer may have fired before we got here, and
+         * caused WANT_STOP to be set. If the stop then was already
+         * processed further, STOPPING might be set.
+         */
+        if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) ||
+            test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
+#ifdef CONFIG_MAC80211_HT_DEBUG
+                printk(KERN_DEBUG
+                       "got addBA resp for tid %d but we already gave up\n",
+                       tid);
+#endif
+                goto out;
+        }
+
         /*
          * IEEE 802.11-2007 7.3.1.14:
          * In an ADDBA Response frame, when the Status Code field
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index c5f341798c16..3110cbdc501b 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -274,9 +274,9 @@ static ssize_t sta_ht_capa_read(struct file *file, char __user *userbuf,
 
                 PRINT_HT_CAP((htc->cap & BIT(10)), "HT Delayed Block Ack");
 
-                PRINT_HT_CAP((htc->cap & BIT(11)), "Max AMSDU length: "
-                             "3839 bytes");
                 PRINT_HT_CAP(!(htc->cap & BIT(11)), "Max AMSDU length: "
+                             "3839 bytes");
+                PRINT_HT_CAP((htc->cap & BIT(11)), "Max AMSDU length: "
                              "7935 bytes");
 
                 /*
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index d999bf3b84e1..cae443563ec9 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -757,6 +757,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         if (!local->int_scan_req)
                 return -ENOMEM;
 
+        for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
+                if (!local->hw.wiphy->bands[band])
+                        continue;
+                local->int_scan_req->rates[band] = (u32) -1;
+        }
+
         /* if low-level driver supports AP, we also support VLAN */
         if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP)) {
                 hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 17258feaab9b..40db011da580 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1485,6 +1485,7 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
         int i, j, err;
         bool have_higher_than_11mbit = false;
         u16 ap_ht_cap_flags;
+        int min_rate = INT_MAX, min_rate_index = -1;
 
         /* AssocResp and ReassocResp have identical structure */
 
@@ -1551,6 +1552,10 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
                                 rates |= BIT(j);
                                 if (is_basic)
                                         basic_rates |= BIT(j);
+                                if (rate < min_rate) {
+                                        min_rate = rate;
+                                        min_rate_index = j;
+                                }
                                 break;
                         }
                 }
@@ -1568,11 +1573,25 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
                                 rates |= BIT(j);
                                 if (is_basic)
                                         basic_rates |= BIT(j);
+                                if (rate < min_rate) {
+                                        min_rate = rate;
+                                        min_rate_index = j;
+                                }
                                 break;
                         }
                 }
         }
 
+        /*
+         * some buggy APs don't advertise basic_rates. use the lowest
+         * supported rate instead.
+         */
+        if (unlikely(!basic_rates) && min_rate_index >= 0) {
+                printk(KERN_DEBUG "%s: No basic rates in AssocResp. "
+                       "Using min supported rate instead.\n", sdata->name);
+                basic_rates = BIT(min_rate_index);
+        }
+
         sta->sta.supp_rates[wk->chan->band] = rates;
         sdata->vif.bss_conf.basic_rates = basic_rates;
 
@@ -2267,6 +2286,7 @@ void ieee80211_sta_quiesce(struct ieee80211_sub_if_data *sdata)
 
         cancel_work_sync(&ifmgd->request_smps_work);
 
+        cancel_work_sync(&ifmgd->monitor_work);
         cancel_work_sync(&ifmgd->beacon_connection_loss_work);
         if (del_timer_sync(&ifmgd->timer))
                 set_bit(TMR_RUNNING_TIMER, &ifmgd->timers_running);
@@ -2275,7 +2295,6 @@ void ieee80211_sta_quiesce(struct ieee80211_sub_if_data *sdata)
         if (del_timer_sync(&ifmgd->chswitch_timer))
                 set_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running);
 
-        cancel_work_sync(&ifmgd->monitor_work);
         /* these will just be re-established on connection */
         del_timer_sync(&ifmgd->conn_mon_timer);
         del_timer_sync(&ifmgd->bcn_mon_timer);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index b867bd55de7a..097b42d286e2 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -140,8 +140,9 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
         pos++;
 
         /* IEEE80211_RADIOTAP_RATE */
-        if (status->flag & RX_FLAG_HT) {
+        if (!rate || status->flag & RX_FLAG_HT) {
                 /*
+                 * Without rate information don't add it. If we have,
                  * MCS information is a separate field in radiotap,
                  * added below. The byte here is needed as padding
                  * for the channel though, so initialise it to 0.
@@ -162,12 +163,14 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
         else if (status->flag & RX_FLAG_HT)
                 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
                                    pos);
-        else if (rate->flags & IEEE80211_RATE_ERP_G)
+        else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
                 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
                                    pos);
-        else
+        else if (rate)
                 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
                                    pos);
+        else
+                put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
         pos += 2;
 
         /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index ce962d2c8782..8eaa746ec7a2 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1354,12 +1354,12 @@ ieee80211_sta_ps_deliver_response(struct sta_info *sta,
                          * Use MoreData flag to indicate whether there are
                          * more buffered frames for this STA
                          */
-                        if (!more_data)
-                                hdr->frame_control &=
-                                        cpu_to_le16(~IEEE80211_FCTL_MOREDATA);
-                        else
+                        if (more_data || !skb_queue_empty(&frames))
                                 hdr->frame_control |=
                                         cpu_to_le16(IEEE80211_FCTL_MOREDATA);
+                        else
+                                hdr->frame_control &=
+                                        cpu_to_le16(~IEEE80211_FCTL_MOREDATA);
 
                         if (ieee80211_is_data_qos(hdr->frame_control) ||
                             ieee80211_is_qos_nullfunc(hdr->frame_control))
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index df643cedf9b9..5533a74e9bb3 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -259,7 +259,7 @@ static void ieee80211_add_tx_radiotap_header(struct ieee80211_supported_band
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
         struct ieee80211_radiotap_header *rthdr;
         unsigned char *pos;
-        __le16 txflags;
+        u16 txflags;
 
         rthdr = (struct ieee80211_radiotap_header *) skb_push(skb, rtap_len);
 
@@ -289,13 +289,13 @@ static void ieee80211_add_tx_radiotap_header(struct ieee80211_supported_band
         txflags = 0;
         if (!(info->flags & IEEE80211_TX_STAT_ACK) &&
             !is_multicast_ether_addr(hdr->addr1))
-                txflags |= cpu_to_le16(IEEE80211_RADIOTAP_F_TX_FAIL);
+                txflags |= IEEE80211_RADIOTAP_F_TX_FAIL;
 
         if ((info->status.rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS) ||
             (info->status.rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT))
-                txflags |= cpu_to_le16(IEEE80211_RADIOTAP_F_TX_CTS);
+                txflags |= IEEE80211_RADIOTAP_F_TX_CTS;
         else if (info->status.rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS)
-                txflags |= cpu_to_le16(IEEE80211_RADIOTAP_F_TX_RTS);
+                txflags |= IEEE80211_RADIOTAP_F_TX_RTS;
 
         put_unaligned_le16(txflags, pos);
         pos += 2;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 7439d26bf5f9..6719bce4a081 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -880,6 +880,8 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
         skb = ieee80211_probereq_get(&local->hw, &sdata->vif,
                                      ssid, ssid_len,
                                      buf, buf_len);
+        if (!skb)
+                goto out;
 
         if (dst) {
                 mgmt = (struct ieee80211_mgmt *) skb->data;
@@ -888,6 +890,8 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
         }
 
         IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
+
+ out:
         kfree(buf);
 
         return skb;
@@ -1034,7 +1038,6 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                                              struct ieee80211_sub_if_data,
                                              u.ap);
 
-                        memset(&sta->sta.drv_priv, 0, hw->sta_data_size);
                         WARN_ON(drv_sta_add(local, sdata, &sta->sta));
                 }
         }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 48260c2d092a..ffafda5022c2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -89,8 +89,8 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
 
-        [NL80211_ATTR_MAC] = { .type = NLA_BINARY, .len = ETH_ALEN },
-        [NL80211_ATTR_PREV_BSSID] = { .type = NLA_BINARY, .len = ETH_ALEN },
+        [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
+        [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
 
         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
@@ -132,8 +132,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
 
-        [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY,
-                                         .len = NL80211_HT_CAPABILITY_LEN },
+        [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
 
         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
@@ -1253,6 +1252,12 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                         goto bad_res;
                 }
 
+                if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
+                    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
+                        result = -EINVAL;
+                        goto bad_res;
+                }
+
                 nla_for_each_nested(nl_txq_params,
                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
                                     rem_txq_params) {
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 2520a1b7e7db..074c1122ce42 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -55,8 +55,17 @@
 #define REG_DBG_PRINT(args...)
 #endif
 
+static struct regulatory_request core_request_world = {
+        .initiator = NL80211_REGDOM_SET_BY_CORE,
+        .alpha2[0] = '0',
+        .alpha2[1] = '0',
+        .intersect = false,
+        .processed = true,
+        .country_ie_env = ENVIRON_ANY,
+};
+
 /* Receipt of information from last regulatory request */
-static struct regulatory_request *last_request;
+static struct regulatory_request *last_request = &core_request_world;
 
 /* To trigger userspace events */
 static struct platform_device *reg_pdev;
@@ -148,7 +157,7 @@ static char user_alpha2[2];
 module_param(ieee80211_regdom, charp, 0444);
 MODULE_PARM_DESC(ieee80211_regdom, "IEEE 802.11 regulatory domain code");
 
-static void reset_regdomains(void)
+static void reset_regdomains(bool full_reset)
 {
         /* avoid freeing static information or freeing something twice */
         if (cfg80211_regdomain == cfg80211_world_regdom)
@@ -163,6 +172,13 @@ static void reset_regdomains(void)
 
         cfg80211_world_regdom = &world_regdom;
         cfg80211_regdomain = NULL;
+
+        if (!full_reset)
+                return;
+
+        if (last_request != &core_request_world)
+                kfree(last_request);
+        last_request = &core_request_world;
 }
 
 /*
@@ -173,7 +189,7 @@ static void update_world_regdomain(const struct ieee80211_regdomain *rd)
 {
         BUG_ON(!last_request);
 
-        reset_regdomains();
+        reset_regdomains(false);
 
         cfg80211_world_regdom = rd;
         cfg80211_regdomain = rd;
@@ -1405,7 +1421,8 @@ static int __regulatory_hint(struct wiphy *wiphy,
         }
 
 new_request:
-        kfree(last_request);
+        if (last_request != &core_request_world)
+                kfree(last_request);
 
         last_request = pending_request;
         last_request->intersect = intersect;
@@ -1575,9 +1592,6 @@ static int regulatory_hint_core(const char *alpha2)
 {
         struct regulatory_request *request;
 
-        kfree(last_request);
-        last_request = NULL;
-
         request = kzalloc(sizeof(struct regulatory_request),
                           GFP_KERNEL);
         if (!request)
@@ -1775,7 +1789,7 @@ static void restore_regulatory_settings(bool reset_user)
         mutex_lock(&cfg80211_mutex);
         mutex_lock(&reg_mutex);
 
-        reset_regdomains();
+        reset_regdomains(true);
         restore_alpha2(alpha2, reset_user);
 
         /*
@@ -2035,12 +2049,18 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
         }
 
         request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
+        if (!request_wiphy &&
+            (last_request->initiator == NL80211_REGDOM_SET_BY_DRIVER ||
+             last_request->initiator == NL80211_REGDOM_SET_BY_COUNTRY_IE)) {
+                schedule_delayed_work(&reg_timeout, 0);
+                return -ENODEV;
+        }
 
         if (!last_request->intersect) {
                 int r;
 
                 if (last_request->initiator != NL80211_REGDOM_SET_BY_DRIVER) {
-                        reset_regdomains();
+                        reset_regdomains(false);
                         cfg80211_regdomain = rd;
                         return 0;
                 }
@@ -2061,7 +2081,7 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
                 if (r)
                         return r;
 
-                reset_regdomains();
+                reset_regdomains(false);
                 cfg80211_regdomain = rd;
                 return 0;
         }
@@ -2086,7 +2106,7 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
 
                 rd = NULL;
 
-                reset_regdomains();
+                reset_regdomains(false);
                 cfg80211_regdomain = intersected_rd;
 
                 return 0;
@@ -2106,7 +2126,7 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
         kfree(rd);
         rd = NULL;
 
-        reset_regdomains();
+        reset_regdomains(false);
         cfg80211_regdomain = intersected_rd;
 
         return 0;
@@ -2259,9 +2279,9 @@ void /* __init_or_exit */ regulatory_exit(void)
         mutex_lock(&cfg80211_mutex);
         mutex_lock(&reg_mutex);
 
-        reset_regdomains();
+        reset_regdomains(true);
 
-        kfree(last_request);
+        dev_set_uevent_suppress(&reg_pdev->dev, true);
 
         platform_device_unregister(reg_pdev);
 
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0fb142410404..dc23b31594e0 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -259,17 +259,20 @@ static int cmp_ies(u8 num, u8 *ies1, size_t len1, u8 *ies2, size_t len2)
 {
         const u8 *ie1 = cfg80211_find_ie(num, ies1, len1);
         const u8 *ie2 = cfg80211_find_ie(num, ies2, len2);
-        int r;
 
+        /* equal if both missing */
         if (!ie1 && !ie2)
                 return 0;
-        if (!ie1 || !ie2)
+        /* sort missing IE before (left of) present IE */
+        if (!ie1)
                 return -1;
+        if (!ie2)
+                return 1;
 
-        r = memcmp(ie1 + 2, ie2 + 2, min(ie1[1], ie2[1]));
-        if (r == 0 && ie1[1] != ie2[1])
+        /* sort by length first, then by contents */
+        if (ie1[1] != ie2[1])
                 return ie2[1] - ie1[1];
-        return r;
+        return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
 }
 
 static bool is_bss(struct cfg80211_bss *a,