Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem

author: John W. Linville <linville@tuxdriver.com> 2014-06-02 11:20:17 -0400
committer: John W. Linville <linville@tuxdriver.com> 2014-06-02 11:20:17 -0400
commit: fcb2c0d6cf75750e2912b09a3d0a782c90e2b1a0 (patch)
tree: a17982638b066ae29f8ab1a6e37f18e6dddb5272
parent: 96b2e73c5471542cb9c622c4360716684f8797ed (diff)
parent: a715c7ddd65a1a3b2839b8ebd759bb2d361f7675 (diff)
88 files changed, 2174 insertions, 997 deletions
diff --git a/Documentation/devicetree/bindings/net/nfc/st21nfca.txt b/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
index 4724fe669172..e4faa2e8dfeb 100644
--- a/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
+++ b/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
@@ -1,7 +1,7 @@
 * STMicroelectronics SAS. ST21NFCA NFC Controller
 Required properties:
- compatible: Should be "st,st21nfca-i2c".
+- compatible: Should be "st,st21nfca_i2c".
 - clock-frequency: I²C work frequency.
 - reg: address on the bus
 - interrupt-parent: phandle for the interrupt gpio controller
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a7dfbf9a3afb..a1c80b0c7663 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -49,6 +49,7 @@ static struct usb_driver btusb_driver;
 #define BTUSB_WRONG_SCO_MTU     0x40
 #define BTUSB_ATH3012           0x80
 #define BTUSB_INTEL             0x100
+#define BTUSB_BCM_PATCHRAM      0x200
 static const struct usb_device_id btusb_table[] = {
        /* Generic Bluetooth USB device */
@@ -111,7 +112,8 @@ static const struct usb_device_id btusb_table[] = {
        { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
        /* Broadcom devices with vendor specific id */
-        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
+        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
+          .driver_info = BTUSB_BCM_PATCHRAM },
        /* Belkin F8065bf - Broadcom based */
        { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
@@ -1381,6 +1383,154 @@ exit_mfg_deactivate:
        return 0;
 }
+static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
+{
+        struct btusb_data *data = hci_get_drvdata(hdev);
+        struct usb_device *udev = data->udev;
+        char fw_name[64];
+        const struct firmware *fw;
+        const u8 *fw_ptr;
+        size_t fw_size;
+        const struct hci_command_hdr *cmd;
+        const u8 *cmd_param;
+        u16 opcode;
+        struct sk_buff *skb;
+        struct hci_rp_read_local_version *ver;
+        long ret;
+        snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
+                 udev->product ? udev->product : "BCM",
+                 le16_to_cpu(udev->descriptor.idVendor),
+                 le16_to_cpu(udev->descriptor.idProduct));
+        ret = request_firmware(&fw, fw_name, &hdev->dev);
+        if (ret < 0) {
+                BT_INFO("%s: BCM: patch %s not found", hdev->name,
+                        fw_name);
+                return 0;
+        }
+        /* Reset */
+        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
+                goto done;
+        }
+        kfree_skb(skb);
+        /* Read Local Version Info */
+        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
+                             HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
+                        hdev->name, ret);
+                goto done;
+        }
+        if (skb->len != sizeof(*ver)) {
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
+                        hdev->name);
+                kfree_skb(skb);
+                ret = -EIO;
+                goto done;
+        }
+        ver = (struct hci_rp_read_local_version *) skb->data;
+        BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
+                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
+                ver->lmp_ver, ver->lmp_subver);
+        kfree_skb(skb);
+        /* Start Download */
+        skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
+                        hdev->name, ret);
+                goto reset_fw;
+        }
+        kfree_skb(skb);
+        /* 50 msec delay after Download Minidrv completes */
+        msleep(50);
+        fw_ptr = fw->data;
+        fw_size = fw->size;
+        while (fw_size >= sizeof(*cmd)) {
+                cmd = (struct hci_command_hdr *) fw_ptr;
+                fw_ptr += sizeof(*cmd);
+                fw_size -= sizeof(*cmd);
+                if (fw_size < cmd->plen) {
+                        BT_ERR("%s: BCM: patch %s is corrupted",
+                                hdev->name, fw_name);
+                        ret = -EINVAL;
+                        goto reset_fw;
+                }
+                cmd_param = fw_ptr;
+                fw_ptr += cmd->plen;
+                fw_size -= cmd->plen;
+                opcode = le16_to_cpu(cmd->opcode);
+                skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
+                                     HCI_INIT_TIMEOUT);
+                if (IS_ERR(skb)) {
+                        ret = PTR_ERR(skb);
+                        BT_ERR("%s: BCM: patch command %04x failed (%ld)",
+                                hdev->name, opcode, ret);
+                        goto reset_fw;
+                }
+                kfree_skb(skb);
+        }
+        /* 250 msec delay after Launch Ram completes */
+        msleep(250);
+reset_fw:
+        /* Reset */
+        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
+                goto done;
+        }
+        kfree_skb(skb);
+        /* Read Local Version Info */
+        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
+                             HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
+                        hdev->name, ret);
+                goto done;
+        }
+        if (skb->len != sizeof(*ver)) {
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
+                        hdev->name);
+                kfree_skb(skb);
+                ret = -EIO;
+                goto done;
+        }
+        ver = (struct hci_rp_read_local_version *) skb->data;
+        BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
+                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
+                ver->lmp_ver, ver->lmp_subver);
+        kfree_skb(skb);
+done:
+        release_firmware(fw);
+        return ret;
+}
 static int btusb_probe(struct usb_interface *intf,
                                const struct usb_device_id *id)
 {
@@ -1486,6 +1636,9 @@ static int btusb_probe(struct usb_interface *intf,
        if (id->driver_info & BTUSB_BCM92035)
                hdev->setup = btusb_setup_bcm92035;
+        if (id->driver_info & BTUSB_BCM_PATCHRAM)
+                hdev->setup = btusb_setup_bcm_patchram;
        if (id->driver_info & BTUSB_INTEL)
                hdev->setup = btusb_setup_intel;
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index 99b3bfa717d5..10fd12ec85be 100644
--- a/drivers/net/wireless/at76c50x-usb.c
+++ b/drivers/net/wireless/at76c50x-usb.c
@@ -365,15 +365,15 @@ static inline unsigned long at76_get_timeout(struct dfu_status *s)
 static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                                int manifest_sync_timeout)
 {
-        u8 *block;
-        struct dfu_status dfu_stat_buf;
        int ret = 0;
        int need_dfu_state = 1;
        int is_done = 0;
-        u8 dfu_state = 0;
        u32 dfu_timeout = 0;
        int bsize = 0;
        int blockno = 0;
+        struct dfu_status *dfu_stat_buf = NULL;
+        u8 *dfu_state = NULL;
+        u8 *block = NULL;
        at76_dbg(DBG_DFU, "%s( %p, %u, %d)", __func__, buf, size,
                 manifest_sync_timeout);
@@ -383,13 +383,28 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                return -EINVAL;
        }
+        dfu_stat_buf = kmalloc(sizeof(struct dfu_status), GFP_KERNEL);
+        if (!dfu_stat_buf) {
+                ret = -ENOMEM;
+                goto exit;
+        }
        block = kmalloc(FW_BLOCK_SIZE, GFP_KERNEL);
-        if (!block)
+        if (!block) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto exit;
+        }
+        dfu_state = kmalloc(sizeof(u8), GFP_KERNEL);
+        if (!dfu_state) {
+                ret = -ENOMEM;
+                goto exit;
+        }
+        *dfu_state = 0;
        do {
                if (need_dfu_state) {
-                        ret = at76_dfu_get_state(udev, &dfu_state);
+                        ret = at76_dfu_get_state(udev, dfu_state);
                        if (ret < 0) {
                                dev_err(&udev->dev,
                                        "cannot get DFU state: %d\n", ret);
@@ -398,13 +413,13 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                        need_dfu_state = 0;
                }
-                switch (dfu_state) {
+                switch (*dfu_state) {
                case STATE_DFU_DOWNLOAD_SYNC:
                        at76_dbg(DBG_DFU, "STATE_DFU_DOWNLOAD_SYNC");
-                        ret = at76_dfu_get_status(udev, &dfu_stat_buf);
+                        ret = at76_dfu_get_status(udev, dfu_stat_buf);
                        if (ret >= 0) {
-                                dfu_state = dfu_stat_buf.state;
+                                *dfu_state = dfu_stat_buf->state;
-                                dfu_timeout = at76_get_timeout(&dfu_stat_buf);
+                                dfu_timeout = at76_get_timeout(dfu_stat_buf);
                                need_dfu_state = 0;
                        } else
                                dev_err(&udev->dev,
@@ -447,12 +462,12 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                case STATE_DFU_MANIFEST_SYNC:
                        at76_dbg(DBG_DFU, "STATE_DFU_MANIFEST_SYNC");
-                        ret = at76_dfu_get_status(udev, &dfu_stat_buf);
+                        ret = at76_dfu_get_status(udev, dfu_stat_buf);
                        if (ret < 0)
                                break;
-                        dfu_state = dfu_stat_buf.state;
+                        *dfu_state = dfu_stat_buf->state;
-                        dfu_timeout = at76_get_timeout(&dfu_stat_buf);
+                        dfu_timeout = at76_get_timeout(dfu_stat_buf);
                        need_dfu_state = 0;
                        /* override the timeout from the status response,
@@ -484,14 +499,17 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                        break;
                default:
-                        at76_dbg(DBG_DFU, "DFU UNKNOWN STATE (%d)", dfu_state);
+                        at76_dbg(DBG_DFU, "DFU UNKNOWN STATE (%d)", *dfu_state);
                        ret = -EINVAL;
                        break;
                }
        } while (!is_done && (ret >= 0));
 exit:
+        kfree(dfu_state);
        kfree(block);
+        kfree(dfu_stat_buf);
        if (ret >= 0)
                ret = 0;
@@ -1277,6 +1295,7 @@ static int at76_load_external_fw(struct usb_device *udev, struct fwentry *fwe)
                        dev_err(&udev->dev,
                                "loading %dth firmware block failed: %d\n",
                                blockno, ret);
+                        ret = -EIO;
                        goto exit;
                }
                buf += bsize;
@@ -2020,6 +2039,44 @@ static void at76_configure_filter(struct ieee80211_hw *hw,
        ieee80211_queue_work(hw, &priv->work_set_promisc);
 }
+static int at76_set_wep(struct at76_priv *priv)
+{
+        int ret = 0;
+        struct mib_mac_wep *mib_data = &priv->mib_buf.data.wep_mib;
+        priv->mib_buf.type = MIB_MAC_WEP;
+        priv->mib_buf.size = sizeof(struct mib_mac_wep);
+        priv->mib_buf.index = 0;
+        memset(mib_data, 0, sizeof(*mib_data));
+        if (priv->wep_enabled) {
+                if (priv->wep_keys_len[priv->wep_key_id] > WEP_SMALL_KEY_LEN)
+                        mib_data->encryption_level = 2;
+                else
+                        mib_data->encryption_level = 1;
+                /* always exclude unencrypted if WEP is active */
+                mib_data->exclude_unencrypted = 1;
+        } else {
+                mib_data->exclude_unencrypted = 0;
+                mib_data->encryption_level = 0;
+        }
+        mib_data->privacy_invoked = priv->wep_enabled;
+        mib_data->wep_default_key_id = priv->wep_key_id;
+        memcpy(mib_data->wep_default_keyvalue, priv->wep_keys,
+               sizeof(priv->wep_keys));
+        ret = at76_set_mib(priv, &priv->mib_buf);
+        if (ret < 0)
+                wiphy_err(priv->hw->wiphy,
+                          "set_mib (wep) failed: %d\n", ret);
+        return ret;
+}
 static int at76_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
                        struct ieee80211_vif *vif, struct ieee80211_sta *sta,
                        struct ieee80211_key_conf *key)
@@ -2062,7 +2119,7 @@ static int at76_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
                        priv->wep_enabled = 1;
        }
-        at76_startup_device(priv);
+        at76_set_wep(priv);
        mutex_unlock(&priv->mtx);
@@ -2330,16 +2387,22 @@ static int at76_probe(struct usb_interface *interface,
        struct usb_device *udev;
        int op_mode;
        int need_ext_fw = 0;
-        struct mib_fw_version fwv;
+        struct mib_fw_version *fwv = NULL;
        int board_type = (int)id->driver_info;
        udev = usb_get_dev(interface_to_usbdev(interface));
+        fwv = kmalloc(sizeof(*fwv), GFP_KERNEL);
+        if (!fwv) {
+                ret = -ENOMEM;
+                goto exit;
+        }
        /* Load firmware into kernel memory */
        fwe = at76_load_firmware(udev, board_type);
        if (!fwe) {
                ret = -ENOENT;
-                goto error;
+                goto exit;
        }
        op_mode = at76_get_op_mode(udev);
@@ -2353,7 +2416,7 @@ static int at76_probe(struct usb_interface *interface,
                dev_err(&interface->dev,
                        "cannot handle a device in HW_CONFIG_MODE\n");
                ret = -EBUSY;
-                goto error;
+                goto exit;
        }
        if (op_mode != OPMODE_NORMAL_NIC_WITH_FLASH
@@ -2366,10 +2429,10 @@ static int at76_probe(struct usb_interface *interface,
                        dev_err(&interface->dev,
                                "error %d downloading internal firmware\n",
                                ret);
-                        goto error;
+                        goto exit;
                }
                usb_put_dev(udev);
-                return ret;
+                goto exit;
        }
        /* Internal firmware already inside the device.  Get firmware
@@ -2382,8 +2445,8 @@ static int at76_probe(struct usb_interface *interface,
         * query the device for the fw version */
        if ((fwe->fw_version.major > 0 || fwe->fw_version.minor >= 100)
            || (op_mode == OPMODE_NORMAL_NIC_WITH_FLASH)) {
-                ret = at76_get_mib(udev, MIB_FW_VERSION, &fwv, sizeof(fwv));
+                ret = at76_get_mib(udev, MIB_FW_VERSION, fwv, sizeof(*fwv));
-                if (ret < 0 || (fwv.major | fwv.minor) == 0)
+                if (ret < 0 || (fwv->major | fwv->minor) == 0)
                        need_ext_fw = 1;
        } else
                /* No way to check firmware version, reload to be sure */
@@ -2394,37 +2457,37 @@ static int at76_probe(struct usb_interface *interface,
                           "downloading external firmware\n");
                ret = at76_load_external_fw(udev, fwe);
-                if (ret)
+                if (ret < 0)
-                        goto error;
+                        goto exit;
                /* Re-check firmware version */
-                ret = at76_get_mib(udev, MIB_FW_VERSION, &fwv, sizeof(fwv));
+                ret = at76_get_mib(udev, MIB_FW_VERSION, fwv, sizeof(*fwv));
                if (ret < 0) {
                        dev_err(&interface->dev,
                                "error %d getting firmware version\n", ret);
-                        goto error;
+                        goto exit;
                }
        }
        priv = at76_alloc_new_device(udev);
        if (!priv) {
                ret = -ENOMEM;
-                goto error;
+                goto exit;
        }
        usb_set_intfdata(interface, priv);
-        memcpy(&priv->fw_version, &fwv, sizeof(struct mib_fw_version));
+        memcpy(&priv->fw_version, fwv, sizeof(struct mib_fw_version));
        priv->board_type = board_type;
        ret = at76_init_new_device(priv, interface);
        if (ret < 0)
                at76_delete_device(priv);
-        return ret;
+exit:
+        kfree(fwv);
-error:
+        if (ret < 0)
-        usb_put_dev(udev);
+                usb_put_dev(udev);
        return ret;
 }
diff --git a/drivers/net/wireless/at76c50x-usb.h b/drivers/net/wireless/at76c50x-usb.h
index f14a65473fe8..4718aa59f051 100644
--- a/drivers/net/wireless/at76c50x-usb.h
+++ b/drivers/net/wireless/at76c50x-usb.h
@@ -219,18 +219,6 @@ struct at76_req_join {
        u8 reserved;
 } __packed;
-struct set_mib_buffer {
-        u8 type;
-        u8 size;
-        u8 index;
-        u8 reserved;
-        union {
-                u8 byte;
-                __le16 word;
-                u8 addr[ETH_ALEN];
-        } data;
-} __packed;
 struct mib_local {
        u16 reserved0;
        u8 beacon_enable;
@@ -334,6 +322,19 @@ struct mib_mdomain {
        u8 channel_list[14];    /* 0 for invalid channels */
 } __packed;
+struct set_mib_buffer {
+        u8 type;
+        u8 size;
+        u8 index;
+        u8 reserved;
+        union {
+                u8 byte;
+                __le16 word;
+                u8 addr[ETH_ALEN];
+                struct mib_mac_wep wep_mib;
+        } data;
+} __packed;
 struct at76_fw_header {
        __le32 crc;             /* CRC32 of the whole image */
        __le32 board_type;      /* firmware compatibility code */
diff --git a/drivers/net/wireless/ath/ath10k/bmi.h b/drivers/net/wireless/ath/ath10k/bmi.h
index 3a9bdf51c96a..111ab701465c 100644
--- a/drivers/net/wireless/ath/ath10k/bmi.h
+++ b/drivers/net/wireless/ath/ath10k/bmi.h
@@ -201,7 +201,8 @@ int ath10k_bmi_write_memory(struct ath10k *ar, u32 address,
                                                                        \
                addr = host_interest_item_address(HI_ITEM(item));       \
                ret = ath10k_bmi_read_memory(ar, addr, (u8 *)&tmp, 4); \
-                *val = __le32_to_cpu(tmp);                              \
+                if (!ret)                                               \
+                        *val = __le32_to_cpu(tmp);                      \
                ret;                                                    \
         })
diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
index 1e4cad8632b5..d185dc0cd12b 100644
--- a/drivers/net/wireless/ath/ath10k/ce.c
+++ b/drivers/net/wireless/ath/ath10k/ce.c
@@ -329,6 +329,33 @@ exit:
        return ret;
 }
+void __ath10k_ce_send_revert(struct ath10k_ce_pipe *pipe)
+{
+        struct ath10k *ar = pipe->ar;
+        struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
+        struct ath10k_ce_ring *src_ring = pipe->src_ring;
+        u32 ctrl_addr = pipe->ctrl_addr;
+        lockdep_assert_held(&ar_pci->ce_lock);
+        /*
+         * This function must be called only if there is an incomplete
+         * scatter-gather transfer (before index register is updated)
+         * that needs to be cleaned up.
+         */
+        if (WARN_ON_ONCE(src_ring->write_index == src_ring->sw_index))
+                return;
+        if (WARN_ON_ONCE(src_ring->write_index ==
+                         ath10k_ce_src_ring_write_index_get(ar, ctrl_addr)))
+                return;
+        src_ring->write_index--;
+        src_ring->write_index &= src_ring->nentries_mask;
+        src_ring->per_transfer_context[src_ring->write_index] = NULL;
+}
 int ath10k_ce_send(struct ath10k_ce_pipe *ce_state,
                   void *per_transfer_context,
                   u32 buffer,
diff --git a/drivers/net/wireless/ath/ath10k/ce.h b/drivers/net/wireless/ath/ath10k/ce.h
index fd0bc3561e42..7a5a36fc59c1 100644
--- a/drivers/net/wireless/ath/ath10k/ce.h
+++ b/drivers/net/wireless/ath/ath10k/ce.h
@@ -160,6 +160,8 @@ int ath10k_ce_send_nolock(struct ath10k_ce_pipe *ce_state,
                          unsigned int transfer_id,
                          unsigned int flags);
+void __ath10k_ce_send_revert(struct ath10k_ce_pipe *pipe);
 void ath10k_ce_send_cb_register(struct ath10k_ce_pipe *ce_state,
                                void (*send_cb)(struct ath10k_ce_pipe *),
                                int disable_interrupts);
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index 75b3dfbd6509..82017f56e661 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -58,36 +58,6 @@ static void ath10k_send_suspend_complete(struct ath10k *ar)
        complete(&ar->target_suspend);
 }
-static int ath10k_init_connect_htc(struct ath10k *ar)
-{
-        int status;
-        status = ath10k_wmi_connect_htc_service(ar);
-        if (status)
-                goto conn_fail;
-        /* Start HTC */
-        status = ath10k_htc_start(&ar->htc);
-        if (status)
-                goto conn_fail;
-        /* Wait for WMI event to be ready */
-        status = ath10k_wmi_wait_for_service_ready(ar);
-        if (status <= 0) {
-                ath10k_warn("wmi service ready event not received");
-                status = -ETIMEDOUT;
-                goto timeout;
-        }
-        ath10k_dbg(ATH10K_DBG_BOOT, "boot wmi ready\n");
-        return 0;
-timeout:
-        ath10k_htc_stop(&ar->htc);
-conn_fail:
-        return status;
-}
 static int ath10k_init_configure_target(struct ath10k *ar)
 {
        u32 param_host;
@@ -681,7 +651,8 @@ static void ath10k_core_restart(struct work_struct *work)
        switch (ar->state) {
        case ATH10K_STATE_ON:
                ar->state = ATH10K_STATE_RESTARTING;
-                ath10k_halt(ar);
+                del_timer_sync(&ar->scan.timeout);
+                ath10k_reset_scan((unsigned long)ar);
                ieee80211_restart_hw(ar->hw);
                break;
        case ATH10K_STATE_OFF:
@@ -690,6 +661,8 @@ static void ath10k_core_restart(struct work_struct *work)
                ath10k_warn("cannot restart a device that hasn't been started\n");
                break;
        case ATH10K_STATE_RESTARTING:
+                /* hw restart might be requested from multiple places */
+                break;
        case ATH10K_STATE_RESTARTED:
                ar->state = ATH10K_STATE_WEDGED;
                /* fall through */
@@ -701,70 +674,6 @@ static void ath10k_core_restart(struct work_struct *work)
        mutex_unlock(&ar->conf_mutex);
 }
-struct ath10k *ath10k_core_create(void *hif_priv, struct device *dev,
-                                  const struct ath10k_hif_ops *hif_ops)
-{
-        struct ath10k *ar;
-        ar = ath10k_mac_create();
-        if (!ar)
-                return NULL;
-        ar->ath_common.priv = ar;
-        ar->ath_common.hw = ar->hw;
-        ar->p2p = !!ath10k_p2p;
-        ar->dev = dev;
-        ar->hif.priv = hif_priv;
-        ar->hif.ops = hif_ops;
-        init_completion(&ar->scan.started);
-        init_completion(&ar->scan.completed);
-        init_completion(&ar->scan.on_channel);
-        init_completion(&ar->target_suspend);
-        init_completion(&ar->install_key_done);
-        init_completion(&ar->vdev_setup_done);
-        setup_timer(&ar->scan.timeout, ath10k_reset_scan, (unsigned long)ar);
-        ar->workqueue = create_singlethread_workqueue("ath10k_wq");
-        if (!ar->workqueue)
-                goto err_wq;
-        mutex_init(&ar->conf_mutex);
-        spin_lock_init(&ar->data_lock);
-        INIT_LIST_HEAD(&ar->peers);
-        init_waitqueue_head(&ar->peer_mapping_wq);
-        init_completion(&ar->offchan_tx_completed);
-        INIT_WORK(&ar->offchan_tx_work, ath10k_offchan_tx_work);
-        skb_queue_head_init(&ar->offchan_tx_queue);
-        INIT_WORK(&ar->wmi_mgmt_tx_work, ath10k_mgmt_over_wmi_tx_work);
-        skb_queue_head_init(&ar->wmi_mgmt_tx_queue);
-        INIT_WORK(&ar->restart_work, ath10k_core_restart);
-        return ar;
-err_wq:
-        ath10k_mac_destroy(ar);
-        return NULL;
-}
-EXPORT_SYMBOL(ath10k_core_create);
-void ath10k_core_destroy(struct ath10k *ar)
-{
-        flush_workqueue(ar->workqueue);
-        destroy_workqueue(ar->workqueue);
-        ath10k_mac_destroy(ar);
-}
-EXPORT_SYMBOL(ath10k_core_destroy);
 int ath10k_core_start(struct ath10k *ar)
 {
        int status;
@@ -805,10 +714,28 @@ int ath10k_core_start(struct ath10k *ar)
                goto err;
        }
+        status = ath10k_htt_init(ar);
+        if (status) {
+                ath10k_err("failed to init htt: %d\n", status);
+                goto err_wmi_detach;
+        }
+        status = ath10k_htt_tx_alloc(&ar->htt);
+        if (status) {
+                ath10k_err("failed to alloc htt tx: %d\n", status);
+                goto err_wmi_detach;
+        }
+        status = ath10k_htt_rx_alloc(&ar->htt);
+        if (status) {
+                ath10k_err("failed to alloc htt rx: %d\n", status);
+                goto err_htt_tx_detach;
+        }
        status = ath10k_hif_start(ar);
        if (status) {
                ath10k_err("could not start HIF: %d\n", status);
-                goto err_wmi_detach;
+                goto err_htt_rx_detach;
        }
        status = ath10k_htc_wait_target(&ar->htc);
@@ -817,15 +744,30 @@ int ath10k_core_start(struct ath10k *ar)
                goto err_hif_stop;
        }
-        status = ath10k_htt_attach(ar);
+        status = ath10k_htt_connect(&ar->htt);
        if (status) {
-                ath10k_err("could not attach htt (%d)\n", status);
+                ath10k_err("failed to connect htt (%d)\n", status);
                goto err_hif_stop;
        }
-        status = ath10k_init_connect_htc(ar);
+        status = ath10k_wmi_connect(ar);
-        if (status)
+        if (status) {
-                goto err_htt_detach;
+                ath10k_err("could not connect wmi: %d\n", status);
+                goto err_hif_stop;
+        }
+        status = ath10k_htc_start(&ar->htc);
+        if (status) {
+                ath10k_err("failed to start htc: %d\n", status);
+                goto err_hif_stop;
+        }
+        status = ath10k_wmi_wait_for_service_ready(ar);
+        if (status <= 0) {
+                ath10k_warn("wmi service ready event not received");
+                status = -ETIMEDOUT;
+                goto err_htc_stop;
+        }
        ath10k_dbg(ATH10K_DBG_BOOT, "firmware %s booted\n",
                   ar->hw->wiphy->fw_version);
@@ -833,23 +775,25 @@ int ath10k_core_start(struct ath10k *ar)
        status = ath10k_wmi_cmd_init(ar);
        if (status) {
                ath10k_err("could not send WMI init command (%d)\n", status);
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        }
        status = ath10k_wmi_wait_for_unified_ready(ar);
        if (status <= 0) {
                ath10k_err("wmi unified ready event not received\n");
                status = -ETIMEDOUT;
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        }
-        status = ath10k_htt_attach_target(&ar->htt);
+        status = ath10k_htt_setup(&ar->htt);
-        if (status)
+        if (status) {
-                goto err_disconnect_htc;
+                ath10k_err("failed to setup htt: %d\n", status);
+                goto err_htc_stop;
+        }
        status = ath10k_debug_start(ar);
        if (status)
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        ar->free_vdev_map = (1 << TARGET_NUM_VDEVS) - 1;
        INIT_LIST_HEAD(&ar->arvifs);
@@ -868,12 +812,14 @@ int ath10k_core_start(struct ath10k *ar)
        return 0;
-err_disconnect_htc:
+err_htc_stop:
        ath10k_htc_stop(&ar->htc);
-err_htt_detach:
-        ath10k_htt_detach(&ar->htt);
 err_hif_stop:
        ath10k_hif_stop(ar);
+err_htt_rx_detach:
+        ath10k_htt_rx_free(&ar->htt);
+err_htt_tx_detach:
+        ath10k_htt_tx_free(&ar->htt);
 err_wmi_detach:
        ath10k_wmi_detach(ar);
 err:
@@ -913,7 +859,9 @@ void ath10k_core_stop(struct ath10k *ar)
        ath10k_debug_stop(ar);
        ath10k_htc_stop(&ar->htc);
-        ath10k_htt_detach(&ar->htt);
+        ath10k_hif_stop(ar);
+        ath10k_htt_tx_free(&ar->htt);
+        ath10k_htt_rx_free(&ar->htt);
        ath10k_wmi_detach(ar);
 }
 EXPORT_SYMBOL(ath10k_core_stop);
@@ -1005,22 +953,15 @@ static int ath10k_core_check_chip_id(struct ath10k *ar)
        return 0;
 }
-int ath10k_core_register(struct ath10k *ar, u32 chip_id)
+static void ath10k_core_register_work(struct work_struct *work)
 {
+        struct ath10k *ar = container_of(work, struct ath10k, register_work);
        int status;
-        ar->chip_id = chip_id;
-        status = ath10k_core_check_chip_id(ar);
-        if (status) {
-                ath10k_err("Unsupported chip id 0x%08x\n", ar->chip_id);
-                return status;
-        }
        status = ath10k_core_probe_fw(ar);
        if (status) {
                ath10k_err("could not probe fw (%d)\n", status);
-                return status;
+                goto err;
        }
        status = ath10k_mac_register(ar);
@@ -1035,18 +976,43 @@ int ath10k_core_register(struct ath10k *ar, u32 chip_id)
                goto err_unregister_mac;
        }
-        return 0;
+        set_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags);
+        return;
 err_unregister_mac:
        ath10k_mac_unregister(ar);
 err_release_fw:
        ath10k_core_free_firmware_files(ar);
-        return status;
+err:
+        device_release_driver(ar->dev);
+        return;
+}
+int ath10k_core_register(struct ath10k *ar, u32 chip_id)
+{
+        int status;
+        ar->chip_id = chip_id;
+        status = ath10k_core_check_chip_id(ar);
+        if (status) {
+                ath10k_err("Unsupported chip id 0x%08x\n", ar->chip_id);
+                return status;
+        }
+        queue_work(ar->workqueue, &ar->register_work);
+        return 0;
 }
 EXPORT_SYMBOL(ath10k_core_register);
 void ath10k_core_unregister(struct ath10k *ar)
 {
+        cancel_work_sync(&ar->register_work);
+        if (!test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags))
+                return;
        /* We must unregister from mac80211 before we stop HTC and HIF.
         * Otherwise we will fail to submit commands to FW and mac80211 will be
         * unhappy about callback failures. */
@@ -1058,6 +1024,71 @@ void ath10k_core_unregister(struct ath10k *ar)
 }
 EXPORT_SYMBOL(ath10k_core_unregister);
+struct ath10k *ath10k_core_create(void *hif_priv, struct device *dev,
+                                  const struct ath10k_hif_ops *hif_ops)
+{
+        struct ath10k *ar;
+        ar = ath10k_mac_create();
+        if (!ar)
+                return NULL;
+        ar->ath_common.priv = ar;
+        ar->ath_common.hw = ar->hw;
+        ar->p2p = !!ath10k_p2p;
+        ar->dev = dev;
+        ar->hif.priv = hif_priv;
+        ar->hif.ops = hif_ops;
+        init_completion(&ar->scan.started);
+        init_completion(&ar->scan.completed);
+        init_completion(&ar->scan.on_channel);
+        init_completion(&ar->target_suspend);
+        init_completion(&ar->install_key_done);
+        init_completion(&ar->vdev_setup_done);
+        setup_timer(&ar->scan.timeout, ath10k_reset_scan, (unsigned long)ar);
+        ar->workqueue = create_singlethread_workqueue("ath10k_wq");
+        if (!ar->workqueue)
+                goto err_wq;
+        mutex_init(&ar->conf_mutex);
+        spin_lock_init(&ar->data_lock);
+        INIT_LIST_HEAD(&ar->peers);
+        init_waitqueue_head(&ar->peer_mapping_wq);
+        init_completion(&ar->offchan_tx_completed);
+        INIT_WORK(&ar->offchan_tx_work, ath10k_offchan_tx_work);
+        skb_queue_head_init(&ar->offchan_tx_queue);
+        INIT_WORK(&ar->wmi_mgmt_tx_work, ath10k_mgmt_over_wmi_tx_work);
+        skb_queue_head_init(&ar->wmi_mgmt_tx_queue);
+        INIT_WORK(&ar->register_work, ath10k_core_register_work);
+        INIT_WORK(&ar->restart_work, ath10k_core_restart);
+        return ar;
+err_wq:
+        ath10k_mac_destroy(ar);
+        return NULL;
+}
+EXPORT_SYMBOL(ath10k_core_create);
+void ath10k_core_destroy(struct ath10k *ar)
+{
+        flush_workqueue(ar->workqueue);
+        destroy_workqueue(ar->workqueue);
+        ath10k_mac_destroy(ar);
+}
+EXPORT_SYMBOL(ath10k_core_destroy);
 MODULE_AUTHOR("Qualcomm Atheros");
 MODULE_DESCRIPTION("Core module for QCA988X PCIe devices.");
 MODULE_LICENSE("Dual BSD/GPL");
diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h
index 2c1dfd719146..68ceef61933d 100644
--- a/drivers/net/wireless/ath/ath10k/core.h
+++ b/drivers/net/wireless/ath/ath10k/core.h
@@ -335,6 +335,7 @@ enum ath10k_dev_flags {
        /* Indicates that ath10k device is during CAC phase of DFS */
        ATH10K_CAC_RUNNING,
        ATH10K_FLAG_FIRST_BOOT_DONE,
+        ATH10K_FLAG_CORE_REGISTERED,
 };
 struct ath10k {
@@ -440,6 +441,12 @@ struct ath10k {
        bool radar_enabled;
        int num_started_vdevs;
+        /* Protected by conf-mutex */
+        u8 supp_tx_chainmask;
+        u8 supp_rx_chainmask;
+        u8 cfg_tx_chainmask;
+        u8 cfg_rx_chainmask;
        struct wmi_pdev_set_wmm_params_arg wmm_params;
        struct completion install_key_done;
@@ -470,6 +477,7 @@ struct ath10k {
        enum ath10k_state state;
+        struct work_struct register_work;
        struct work_struct restart_work;
        /* cycle count is reported twice for each visited channel during scan.
diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
index 5b58dbb17416..e493db4b4a41 100644
--- a/drivers/net/wireless/ath/ath10k/htc.c
+++ b/drivers/net/wireless/ath/ath10k/htc.c
@@ -830,17 +830,11 @@ int ath10k_htc_start(struct ath10k_htc *htc)
        return 0;
 }
-/*
- * stop HTC communications, i.e. stop interrupt reception, and flush all
- * queued buffers
- */
 void ath10k_htc_stop(struct ath10k_htc *htc)
 {
        spin_lock_bh(&htc->tx_lock);
        htc->stopped = true;
        spin_unlock_bh(&htc->tx_lock);
-        ath10k_hif_stop(htc->ar);
 }
 /* registered target arrival callback from the HIF layer */
diff --git a/drivers/net/wireless/ath/ath10k/htt.c b/drivers/net/wireless/ath/ath10k/htt.c
index 69697af59ce0..19c12cc8d663 100644
--- a/drivers/net/wireless/ath/ath10k/htt.c
+++ b/drivers/net/wireless/ath/ath10k/htt.c
@@ -22,7 +22,7 @@
 #include "core.h"
 #include "debug.h"
-static int ath10k_htt_htc_attach(struct ath10k_htt *htt)
+int ath10k_htt_connect(struct ath10k_htt *htt)
 {
        struct ath10k_htc_svc_conn_req conn_req;
        struct ath10k_htc_svc_conn_resp conn_resp;
@@ -48,39 +48,14 @@ static int ath10k_htt_htc_attach(struct ath10k_htt *htt)
        return 0;
 }
-int ath10k_htt_attach(struct ath10k *ar)
+int ath10k_htt_init(struct ath10k *ar)
 {
        struct ath10k_htt *htt = &ar->htt;
-        int ret;
        htt->ar = ar;
        htt->max_throughput_mbps = 800;
        /*
-         * Connect to HTC service.
-         * This has to be done before calling ath10k_htt_rx_attach,
-         * since ath10k_htt_rx_attach involves sending a rx ring configure
-         * message to the target.
-         */
-        ret = ath10k_htt_htc_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt htc (%d)\n", ret);
-                goto err_htc_attach;
-        }
-        ret = ath10k_htt_tx_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt tx (%d)\n", ret);
-                goto err_htc_attach;
-        }
-        ret = ath10k_htt_rx_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt rx (%d)\n", ret);
-                goto err_rx_attach;
-        }
-        /*
         * Prefetch enough data to satisfy target
         * classification engine.
         * This is for LL chips. HL chips will probably
@@ -93,11 +68,6 @@ int ath10k_htt_attach(struct ath10k *ar)
                2; /* ip4 dscp or ip6 priority */
        return 0;
-err_rx_attach:
-        ath10k_htt_tx_detach(htt);
-err_htc_attach:
-        return ret;
 }
 #define HTT_TARGET_VERSION_TIMEOUT_HZ (3*HZ)
@@ -117,7 +87,7 @@ static int ath10k_htt_verify_version(struct ath10k_htt *htt)
        return 0;
 }
-int ath10k_htt_attach_target(struct ath10k_htt *htt)
+int ath10k_htt_setup(struct ath10k_htt *htt)
 {
        int status;
@@ -140,9 +110,3 @@ int ath10k_htt_attach_target(struct ath10k_htt *htt)
        return ath10k_htt_send_rx_ring_cfg_ll(htt);
 }
-void ath10k_htt_detach(struct ath10k_htt *htt)
-{
-        ath10k_htt_rx_detach(htt);
-        ath10k_htt_tx_detach(htt);
-}
diff --git a/drivers/net/wireless/ath/ath10k/htt.h b/drivers/net/wireless/ath/ath10k/htt.h
index 645a563e3fb9..9a263462c793 100644
--- a/drivers/net/wireless/ath/ath10k/htt.h
+++ b/drivers/net/wireless/ath/ath10k/htt.h
@@ -1328,14 +1328,16 @@ struct htt_rx_desc {
 #define HTT_LOG2_MAX_CACHE_LINE_SIZE 7  /* 2^7 = 128 */
 #define HTT_MAX_CACHE_LINE_SIZE_MASK ((1 << HTT_LOG2_MAX_CACHE_LINE_SIZE) - 1)
-int ath10k_htt_attach(struct ath10k *ar);
+int ath10k_htt_connect(struct ath10k_htt *htt);
-int ath10k_htt_attach_target(struct ath10k_htt *htt);
+int ath10k_htt_init(struct ath10k *ar);
-void ath10k_htt_detach(struct ath10k_htt *htt);
+int ath10k_htt_setup(struct ath10k_htt *htt);
-int ath10k_htt_tx_attach(struct ath10k_htt *htt);
+int ath10k_htt_tx_alloc(struct ath10k_htt *htt);
-void ath10k_htt_tx_detach(struct ath10k_htt *htt);
+void ath10k_htt_tx_free(struct ath10k_htt *htt);
-int ath10k_htt_rx_attach(struct ath10k_htt *htt);
-void ath10k_htt_rx_detach(struct ath10k_htt *htt);
+int ath10k_htt_rx_alloc(struct ath10k_htt *htt);
+void ath10k_htt_rx_free(struct ath10k_htt *htt);
 void ath10k_htt_htc_tx_complete(struct ath10k *ar, struct sk_buff *skb);
 void ath10k_htt_t2h_msg_handler(struct ath10k *ar, struct sk_buff *skb);
 int ath10k_htt_h2t_ver_req_msg(struct ath10k_htt *htt);
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index f85a3cf6da31..6c102b1312ff 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -225,10 +225,26 @@ static void ath10k_htt_rx_ring_refill_retry(unsigned long arg)
        ath10k_htt_rx_msdu_buff_replenish(htt);
 }
-void ath10k_htt_rx_detach(struct ath10k_htt *htt)
+static void ath10k_htt_rx_ring_clean_up(struct ath10k_htt *htt)
 {
-        int sw_rd_idx = htt->rx_ring.sw_rd_idx.msdu_payld;
+        struct sk_buff *skb;
+        int i;
+        for (i = 0; i < htt->rx_ring.size; i++) {
+                skb = htt->rx_ring.netbufs_ring[i];
+                if (!skb)
+                        continue;
+                dma_unmap_single(htt->ar->dev, ATH10K_SKB_CB(skb)->paddr,
+                                 skb->len + skb_tailroom(skb),
+                                 DMA_FROM_DEVICE);
+                dev_kfree_skb_any(skb);
+                htt->rx_ring.netbufs_ring[i] = NULL;
+        }
+}
+void ath10k_htt_rx_free(struct ath10k_htt *htt)
+{
        del_timer_sync(&htt->rx_ring.refill_retry_timer);
        tasklet_kill(&htt->rx_replenish_task);
        tasklet_kill(&htt->txrx_compl_task);
@@ -236,18 +252,7 @@ void ath10k_htt_rx_detach(struct ath10k_htt *htt)
        skb_queue_purge(&htt->tx_compl_q);
        skb_queue_purge(&htt->rx_compl_q);
-        while (sw_rd_idx != __le32_to_cpu(*(htt->rx_ring.alloc_idx.vaddr))) {
+        ath10k_htt_rx_ring_clean_up(htt);
-                struct sk_buff *skb =
-                                htt->rx_ring.netbufs_ring[sw_rd_idx];
-                struct ath10k_skb_cb *cb = ATH10K_SKB_CB(skb);
-                dma_unmap_single(htt->ar->dev, cb->paddr,
-                                 skb->len + skb_tailroom(skb),
-                                 DMA_FROM_DEVICE);
-                dev_kfree_skb_any(htt->rx_ring.netbufs_ring[sw_rd_idx]);
-                sw_rd_idx++;
-                sw_rd_idx &= htt->rx_ring.size_mask;
-        }
        dma_free_coherent(htt->ar->dev,
                          (htt->rx_ring.size *
@@ -277,6 +282,7 @@ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
        idx = htt->rx_ring.sw_rd_idx.msdu_payld;
        msdu = htt->rx_ring.netbufs_ring[idx];
+        htt->rx_ring.netbufs_ring[idx] = NULL;
        idx++;
        idx &= htt->rx_ring.size_mask;
@@ -306,6 +312,7 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
        int msdu_len, msdu_chaining = 0;
        struct sk_buff *msdu;
        struct htt_rx_desc *rx_desc;
+        bool corrupted = false;
        lockdep_assert_held(&htt->rx_ring.lock);
@@ -399,7 +406,6 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                msdu_len = MS(__le32_to_cpu(rx_desc->msdu_start.info0),
                              RX_MSDU_START_INFO0_MSDU_LENGTH);
                msdu_chained = rx_desc->frag_info.ring2_more_count;
-                msdu_chaining = msdu_chained;
                if (msdu_len_invalid)
                        msdu_len = 0;
@@ -427,11 +433,15 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                        msdu->next = next;
                        msdu = next;
+                        msdu_chaining = 1;
                }
                last_msdu = __le32_to_cpu(rx_desc->msdu_end.info0) &
                                RX_MSDU_END_INFO0_LAST_MSDU;
+                if (msdu_chaining && !last_msdu)
+                        corrupted = true;
                if (last_msdu) {
                        msdu->next = NULL;
                        break;
@@ -447,6 +457,20 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                msdu_chaining = -1;
        /*
+         * Apparently FW sometimes reports weird chained MSDU sequences with
+         * more than one rx descriptor. This seems like a bug but needs more
+         * analyzing. For the time being fix it by dropping such sequences to
+         * avoid blowing up the host system.
+         */
+        if (corrupted) {
+                ath10k_warn("failed to pop chained msdus, dropping\n");
+                ath10k_htt_rx_free_msdu_chain(*head_msdu);
+                *head_msdu = NULL;
+                *tail_msdu = NULL;
+                msdu_chaining = -EINVAL;
+        }
+        /*
         * Don't refill the ring yet.
         *
         * First, the elements popped here are still in use - it is not
@@ -468,7 +492,7 @@ static void ath10k_htt_rx_replenish_task(unsigned long ptr)
        ath10k_htt_rx_msdu_buff_replenish(htt);
 }
-int ath10k_htt_rx_attach(struct ath10k_htt *htt)
+int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
 {
        dma_addr_t paddr;
        void *vaddr;
@@ -494,7 +518,7 @@ int ath10k_htt_rx_attach(struct ath10k_htt *htt)
        htt->rx_ring.fill_level = ath10k_htt_rx_ring_fill_level(htt);
        htt->rx_ring.netbufs_ring =
-                kmalloc(htt->rx_ring.size * sizeof(struct sk_buff *),
+                kzalloc(htt->rx_ring.size * sizeof(struct sk_buff *),
                        GFP_KERNEL);
        if (!htt->rx_ring.netbufs_ring)
                goto err_netbuf;
@@ -754,17 +778,30 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
 static void ath10k_htt_rx_h_protected(struct ath10k_htt *htt,
                                      struct ieee80211_rx_status *rx_status,
                                      struct sk_buff *skb,
-                                      enum htt_rx_mpdu_encrypt_type enctype)
+                                      enum htt_rx_mpdu_encrypt_type enctype,
+                                      enum rx_msdu_decap_format fmt,
+                                      bool dot11frag)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+        rx_status->flag &= ~(RX_FLAG_DECRYPTED |
+                             RX_FLAG_IV_STRIPPED |
+                             RX_FLAG_MMIC_STRIPPED);
-        if (enctype == HTT_RX_MPDU_ENCRYPT_NONE) {
+        if (enctype == HTT_RX_MPDU_ENCRYPT_NONE)
-                rx_status->flag &= ~(RX_FLAG_DECRYPTED |
+                return;
-                                     RX_FLAG_IV_STRIPPED |
-                                     RX_FLAG_MMIC_STRIPPED);
+        /*
+         * There's no explicit rx descriptor flag to indicate whether a given
+         * frame has been decrypted or not. We're forced to use the decap
+         * format as an implicit indication. However fragmentation rx is always
+         * raw and it probably never reports undecrypted raws.
+         *
+         * This makes sure sniffed frames are reported as-is without stripping
+         * the protected flag.
+         */
+        if (fmt == RX_MSDU_DECAP_RAW && !dot11frag)
                return;
-        }
        rx_status->flag |= RX_FLAG_DECRYPTED |
                           RX_FLAG_IV_STRIPPED |
@@ -918,7 +955,8 @@ static void ath10k_htt_rx_amsdu(struct ath10k_htt *htt,
                }
                skb_in = skb;
-                ath10k_htt_rx_h_protected(htt, rx_status, skb_in, enctype);
+                ath10k_htt_rx_h_protected(htt, rx_status, skb_in, enctype, fmt,
+                                          false);
                skb = skb->next;
                skb_in->next = NULL;
@@ -1000,7 +1038,7 @@ static void ath10k_htt_rx_msdu(struct ath10k_htt *htt,
                break;
        }
-        ath10k_htt_rx_h_protected(htt, rx_status, skb, enctype);
+        ath10k_htt_rx_h_protected(htt, rx_status, skb, enctype, fmt, false);
        ath10k_process_rx(htt->ar, rx_status, skb);
 }
@@ -1288,6 +1326,7 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
        }
        /* FIXME: implement signal strength */
+        rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
        hdr = (struct ieee80211_hdr *)msdu_head->data;
        rxd = (void *)msdu_head->data - sizeof(*rxd);
@@ -1306,7 +1345,8 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
-        ath10k_htt_rx_h_protected(htt, rx_status, msdu_head, enctype);
+        ath10k_htt_rx_h_protected(htt, rx_status, msdu_head, enctype, fmt,
+                                  true);
        msdu_head->ip_summed = ath10k_htt_rx_get_csum_state(msdu_head);
        if (tkip_mic_err)
diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
index 7a3e2e40dd5c..7064354d1f4f 100644
--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
@@ -83,7 +83,7 @@ void ath10k_htt_tx_free_msdu_id(struct ath10k_htt *htt, u16 msdu_id)
        __clear_bit(msdu_id, htt->used_msdu_ids);
 }
-int ath10k_htt_tx_attach(struct ath10k_htt *htt)
+int ath10k_htt_tx_alloc(struct ath10k_htt *htt)
 {
        spin_lock_init(&htt->tx_lock);
        init_waitqueue_head(&htt->empty_tx_wq);
@@ -120,7 +120,7 @@ int ath10k_htt_tx_attach(struct ath10k_htt *htt)
        return 0;
 }
-static void ath10k_htt_tx_cleanup_pending(struct ath10k_htt *htt)
+static void ath10k_htt_tx_free_pending(struct ath10k_htt *htt)
 {
        struct htt_tx_done tx_done = {0};
        int msdu_id;
@@ -141,9 +141,9 @@ static void ath10k_htt_tx_cleanup_pending(struct ath10k_htt *htt)
        spin_unlock_bh(&htt->tx_lock);
 }
-void ath10k_htt_tx_detach(struct ath10k_htt *htt)
+void ath10k_htt_tx_free(struct ath10k_htt *htt)
 {
-        ath10k_htt_tx_cleanup_pending(htt);
+        ath10k_htt_tx_free_pending(htt);
        kfree(htt->pending_tx);
        kfree(htt->used_msdu_ids);
        dma_pool_destroy(htt->tx_pool);
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 7026f021ccbb..a21080028c54 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -54,7 +54,10 @@ static int ath10k_send_key(struct ath10k_vif *arvif,
        switch (key->cipher) {
        case WLAN_CIPHER_SUITE_CCMP:
                arg.key_cipher = WMI_CIPHER_AES_CCM;
-                key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
+                if (arvif->vdev_type == WMI_VDEV_TYPE_AP)
+                        key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV_MGMT;
+                else
+                        key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
                break;
        case WLAN_CIPHER_SUITE_TKIP:
                arg.key_cipher = WMI_CIPHER_TKIP;
@@ -1888,8 +1891,13 @@ static void ath10k_tx_wep_key_work(struct work_struct *work)
                                                wep_key_work);
        int ret, keyidx = arvif->def_wep_key_newidx;
+        mutex_lock(&arvif->ar->conf_mutex);
+        if (arvif->ar->state != ATH10K_STATE_ON)
+                goto unlock;
        if (arvif->def_wep_key_idx == keyidx)
-                return;
+                goto unlock;
        ath10k_dbg(ATH10K_DBG_MAC, "mac vdev %d set keyidx %d\n",
                   arvif->vdev_id, keyidx);
@@ -1902,10 +1910,13 @@ static void ath10k_tx_wep_key_work(struct work_struct *work)
                ath10k_warn("failed to update wep key index for vdev %d: %d\n",
                            arvif->vdev_id,
                            ret);
-                return;
+                goto unlock;
        }
        arvif->def_wep_key_idx = keyidx;
+unlock:
+        mutex_unlock(&arvif->ar->conf_mutex);
 }
 static void ath10k_tx_h_update_wep_key(struct sk_buff *skb)
@@ -2286,9 +2297,19 @@ static void ath10k_tx(struct ieee80211_hw *hw,
        ath10k_tx_htt(ar, skb);
 }
-/*
+/* Must not be called with conf_mutex held as workers can use that also. */
- * Initialize various parameters with default vaules.
+static void ath10k_drain_tx(struct ath10k *ar)
- */
+{
+        /* make sure rcu-protected mac80211 tx path itself is drained */
+        synchronize_net();
+        ath10k_offchan_tx_purge(ar);
+        ath10k_mgmt_over_wmi_tx_purge(ar);
+        cancel_work_sync(&ar->offchan_tx_work);
+        cancel_work_sync(&ar->wmi_mgmt_tx_work);
+}
 void ath10k_halt(struct ath10k *ar)
 {
        struct ath10k_vif *arvif;
@@ -2303,19 +2324,12 @@ void ath10k_halt(struct ath10k *ar)
        }
        del_timer_sync(&ar->scan.timeout);
-        ath10k_offchan_tx_purge(ar);
+        ath10k_reset_scan((unsigned long)ar);
-        ath10k_mgmt_over_wmi_tx_purge(ar);
        ath10k_peer_cleanup_all(ar);
        ath10k_core_stop(ar);
        ath10k_hif_power_down(ar);
        spin_lock_bh(&ar->data_lock);
-        if (ar->scan.in_progress) {
-                del_timer(&ar->scan.timeout);
-                ar->scan.in_progress = false;
-                ieee80211_scan_completed(ar->hw, true);
-        }
        list_for_each_entry(arvif, &ar->arvifs, list) {
                if (!arvif->beacon)
                        continue;
@@ -2329,46 +2343,125 @@ void ath10k_halt(struct ath10k *ar)
        spin_unlock_bh(&ar->data_lock);
 }
+static int ath10k_get_antenna(struct ieee80211_hw *hw, u32 *tx_ant, u32 *rx_ant)
+{
+        struct ath10k *ar = hw->priv;
+        mutex_lock(&ar->conf_mutex);
+        if (ar->cfg_tx_chainmask) {
+                *tx_ant = ar->cfg_tx_chainmask;
+                *rx_ant = ar->cfg_rx_chainmask;
+        } else {
+                *tx_ant = ar->supp_tx_chainmask;
+                *rx_ant = ar->supp_rx_chainmask;
+        }
+        mutex_unlock(&ar->conf_mutex);
+        return 0;
+}
+static int __ath10k_set_antenna(struct ath10k *ar, u32 tx_ant, u32 rx_ant)
+{
+        int ret;
+        lockdep_assert_held(&ar->conf_mutex);
+        ar->cfg_tx_chainmask = tx_ant;
+        ar->cfg_rx_chainmask = rx_ant;
+        if ((ar->state != ATH10K_STATE_ON) &&
+            (ar->state != ATH10K_STATE_RESTARTED))
+                return 0;
+        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->tx_chain_mask,
+                                        tx_ant);
+        if (ret) {
+                ath10k_warn("failed to set tx-chainmask: %d, req 0x%x\n",
+                            ret, tx_ant);
+                return ret;
+        }
+        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->rx_chain_mask,
+                                        rx_ant);
+        if (ret) {
+                ath10k_warn("failed to set rx-chainmask: %d, req 0x%x\n",
+                            ret, rx_ant);
+                return ret;
+        }
+        return 0;
+}
+static int ath10k_set_antenna(struct ieee80211_hw *hw, u32 tx_ant, u32 rx_ant)
+{
+        struct ath10k *ar = hw->priv;
+        int ret;
+        mutex_lock(&ar->conf_mutex);
+        ret = __ath10k_set_antenna(ar, tx_ant, rx_ant);
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
 static int ath10k_start(struct ieee80211_hw *hw)
 {
        struct ath10k *ar = hw->priv;
        int ret = 0;
+        /*
+         * This makes sense only when restarting hw. It is harmless to call
+         * uncoditionally. This is necessary to make sure no HTT/WMI tx
+         * commands will be submitted while restarting.
+         */
+        ath10k_drain_tx(ar);
        mutex_lock(&ar->conf_mutex);
-        if (ar->state != ATH10K_STATE_OFF &&
+        switch (ar->state) {
-            ar->state != ATH10K_STATE_RESTARTING) {
+        case ATH10K_STATE_OFF:
+                ar->state = ATH10K_STATE_ON;
+                break;
+        case ATH10K_STATE_RESTARTING:
+                ath10k_halt(ar);
+                ar->state = ATH10K_STATE_RESTARTED;
+                break;
+        case ATH10K_STATE_ON:
+        case ATH10K_STATE_RESTARTED:
+        case ATH10K_STATE_WEDGED:
+                WARN_ON(1);
                ret = -EINVAL;
-                goto exit;
+                goto err;
        }
        ret = ath10k_hif_power_up(ar);
        if (ret) {
                ath10k_err("Could not init hif: %d\n", ret);
-                ar->state = ATH10K_STATE_OFF;
+                goto err_off;
-                goto exit;
        }
        ret = ath10k_core_start(ar);
        if (ret) {
                ath10k_err("Could not init core: %d\n", ret);
-                ath10k_hif_power_down(ar);
+                goto err_power_down;
-                ar->state = ATH10K_STATE_OFF;
-                goto exit;
        }
-        if (ar->state == ATH10K_STATE_OFF)
-                ar->state = ATH10K_STATE_ON;
-        else if (ar->state == ATH10K_STATE_RESTARTING)
-                ar->state = ATH10K_STATE_RESTARTED;
        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->pmf_qos, 1);
-        if (ret)
+        if (ret) {
                ath10k_warn("failed to enable PMF QOS: %d\n", ret);
+                goto err_core_stop;
+        }
        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->dynamic_bw, 1);
-        if (ret)
+        if (ret) {
                ath10k_warn("failed to enable dynamic BW: %d\n", ret);
+                goto err_core_stop;
+        }
+        if (ar->cfg_tx_chainmask)
+                __ath10k_set_antenna(ar, ar->cfg_tx_chainmask,
+                                     ar->cfg_rx_chainmask);
        /*
         * By default FW set ARP frames ac to voice (6). In that case ARP
@@ -2384,14 +2477,25 @@ static int ath10k_start(struct ieee80211_hw *hw)
        if (ret) {
                ath10k_warn("failed to set arp ac override parameter: %d\n",
                            ret);
-                goto exit;
+                goto err_core_stop;
        }
        ar->num_started_vdevs = 0;
        ath10k_regd_update(ar);
-        ret = 0;
-exit:
+        mutex_unlock(&ar->conf_mutex);
+        return 0;
+err_core_stop:
+        ath10k_core_stop(ar);
+err_power_down:
+        ath10k_hif_power_down(ar);
+err_off:
+        ar->state = ATH10K_STATE_OFF;
+err:
        mutex_unlock(&ar->conf_mutex);
        return ret;
 }
@@ -2400,19 +2504,15 @@ static void ath10k_stop(struct ieee80211_hw *hw)
 {
        struct ath10k *ar = hw->priv;
+        ath10k_drain_tx(ar);
        mutex_lock(&ar->conf_mutex);
-        if (ar->state == ATH10K_STATE_ON ||
+        if (ar->state != ATH10K_STATE_OFF) {
-            ar->state == ATH10K_STATE_RESTARTED ||
-            ar->state == ATH10K_STATE_WEDGED)
                ath10k_halt(ar);
+                ar->state = ATH10K_STATE_OFF;
-        ar->state = ATH10K_STATE_OFF;
+        }
        mutex_unlock(&ar->conf_mutex);
-        ath10k_mgmt_over_wmi_tx_purge(ar);
-        cancel_work_sync(&ar->offchan_tx_work);
-        cancel_work_sync(&ar->wmi_mgmt_tx_work);
        cancel_work_sync(&ar->restart_work);
 }
@@ -2925,7 +3025,12 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
                arvif->u.ap.hidden_ssid = info->hidden_ssid;
        }
-        if (changed & BSS_CHANGED_BSSID) {
+        /*
+         * Firmware manages AP self-peer internally so make sure to not create
+         * it in driver. Otherwise AP self-peer deletion may timeout later.
+         */
+        if (changed & BSS_CHANGED_BSSID &&
+            vif->type != NL80211_IFTYPE_AP) {
                if (!is_zero_ether_addr(info->bssid)) {
                        ath10k_dbg(ATH10K_DBG_MAC,
                                   "mac vdev %d create peer %pM\n",
@@ -4142,14 +4247,6 @@ static int ath10k_set_bitrate_mask(struct ieee80211_hw *hw,
                                           fixed_nss, force_sgi);
 }
-static void ath10k_channel_switch_beacon(struct ieee80211_hw *hw,
-                                         struct ieee80211_vif *vif,
-                                         struct cfg80211_chan_def *chandef)
-{
-        /* there's no need to do anything here. vif->csa_active is enough */
-        return;
-}
 static void ath10k_sta_rc_update(struct ieee80211_hw *hw,
                                 struct ieee80211_vif *vif,
                                 struct ieee80211_sta *sta,
@@ -4253,10 +4350,11 @@ static const struct ieee80211_ops ath10k_ops = {
        .set_frag_threshold             = ath10k_set_frag_threshold,
        .flush                          = ath10k_flush,
        .tx_last_beacon                 = ath10k_tx_last_beacon,
+        .set_antenna                    = ath10k_set_antenna,
+        .get_antenna                    = ath10k_get_antenna,
        .restart_complete               = ath10k_restart_complete,
        .get_survey                     = ath10k_get_survey,
        .set_bitrate_mask               = ath10k_set_bitrate_mask,
-        .channel_switch_beacon          = ath10k_channel_switch_beacon,
        .sta_rc_update                  = ath10k_sta_rc_update,
        .get_tsf                        = ath10k_get_tsf,
 #ifdef CONFIG_PM
@@ -4602,6 +4700,18 @@ int ath10k_mac_register(struct ath10k *ar)
                BIT(NL80211_IFTYPE_ADHOC) |
                BIT(NL80211_IFTYPE_AP);
+        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features)) {
+                /* TODO:  Have to deal with 2x2 chips if/when the come out. */
+                ar->supp_tx_chainmask = TARGET_10X_TX_CHAIN_MASK;
+                ar->supp_rx_chainmask = TARGET_10X_RX_CHAIN_MASK;
+        } else {
+                ar->supp_tx_chainmask = TARGET_TX_CHAIN_MASK;
+                ar->supp_rx_chainmask = TARGET_RX_CHAIN_MASK;
+        }
+        ar->hw->wiphy->available_antennas_rx = ar->supp_rx_chainmask;
+        ar->hw->wiphy->available_antennas_tx = ar->supp_tx_chainmask;
        if (!test_bit(ATH10K_FW_FEATURE_NO_P2P, ar->fw_features))
                ar->hw->wiphy->interface_modes |=
                        BIT(NL80211_IFTYPE_P2P_CLIENT) |
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 66b1f3017f2b..d0004d59c97e 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -59,6 +59,7 @@ MODULE_PARM_DESC(reset_mode, "0: auto, 1: warm only (default: 0)");
 /* how long wait to wait for target to initialise, in ms */
 #define ATH10K_PCI_TARGET_WAIT 3000
+#define ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS 3
 #define QCA988X_2_0_DEVICE_ID   (0x003c)
@@ -761,17 +762,21 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
        struct ath10k_pci_pipe *pci_pipe = &ar_pci->pipe_info[pipe_id];
        struct ath10k_ce_pipe *ce_pipe = pci_pipe->ce_hdl;
        struct ath10k_ce_ring *src_ring = ce_pipe->src_ring;
-        unsigned int nentries_mask = src_ring->nentries_mask;
+        unsigned int nentries_mask;
-        unsigned int sw_index = src_ring->sw_index;
+        unsigned int sw_index;
-        unsigned int write_index = src_ring->write_index;
+        unsigned int write_index;
-        int err, i;
+        int err, i = 0;
        spin_lock_bh(&ar_pci->ce_lock);
+        nentries_mask = src_ring->nentries_mask;
+        sw_index = src_ring->sw_index;
+        write_index = src_ring->write_index;
        if (unlikely(CE_RING_DELTA(nentries_mask,
                                   write_index, sw_index - 1) < n_items)) {
                err = -ENOBUFS;
-                goto unlock;
+                goto err;
        }
        for (i = 0; i < n_items - 1; i++) {
@@ -788,7 +793,7 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
                                            items[i].transfer_id,
                                            CE_SEND_FLAG_GATHER);
                if (err)
-                        goto unlock;
+                        goto err;
        }
        /* `i` is equal to `n_items -1` after for() */
@@ -806,10 +811,15 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
                                    items[i].transfer_id,
                                    0);
        if (err)
-                goto unlock;
+                goto err;
+        spin_unlock_bh(&ar_pci->ce_lock);
+        return 0;
+err:
+        for (; i > 0; i--)
+                __ath10k_ce_send_revert(ce_pipe);
-        err = 0;
-unlock:
        spin_unlock_bh(&ar_pci->ce_lock);
        return err;
 }
@@ -1271,6 +1281,9 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
        ath10k_dbg(ATH10K_DBG_BOOT, "boot hif stop\n");
+        if (WARN_ON(!ar_pci->started))
+                return;
        ret = ath10k_ce_disable_interrupts(ar);
        if (ret)
                ath10k_warn("failed to disable CE interrupts: %d\n", ret);
@@ -1802,6 +1815,26 @@ static void ath10k_pci_fw_interrupt_handler(struct ath10k *ar)
        ath10k_pci_sleep(ar);
 }
+/* this function effectively clears target memory controller assert line */
+static void ath10k_pci_warm_reset_si0(struct ath10k *ar)
+{
+        u32 val;
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        ath10k_pci_soc_write32(ar, SOC_RESET_CONTROL_ADDRESS,
+                               val | SOC_RESET_CONTROL_SI0_RST_MASK);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        msleep(10);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        ath10k_pci_soc_write32(ar, SOC_RESET_CONTROL_ADDRESS,
+                               val & ~SOC_RESET_CONTROL_SI0_RST_MASK);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        msleep(10);
+}
 static int ath10k_pci_warm_reset(struct ath10k *ar)
 {
        int ret = 0;
@@ -1860,6 +1893,8 @@ static int ath10k_pci_warm_reset(struct ath10k *ar)
                                SOC_RESET_CONTROL_ADDRESS);
        msleep(10);
+        ath10k_pci_warm_reset_si0(ar);
        /* debug */
        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
                                PCIE_INTR_CAUSE_ADDRESS);
@@ -1988,6 +2023,28 @@ err:
        return ret;
 }
+static int ath10k_pci_hif_power_up_warm(struct ath10k *ar)
+{
+        int i, ret;
+        /*
+         * Sometime warm reset succeeds after retries.
+         *
+         * FIXME: It might be possible to tune ath10k_pci_warm_reset() to work
+         * at first try.
+         */
+        for (i = 0; i < ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS; i++) {
+                ret = __ath10k_pci_hif_power_up(ar, false);
+                if (ret == 0)
+                        break;
+                ath10k_warn("failed to warm reset (attempt %d out of %d): %d\n",
+                            i + 1, ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS, ret);
+        }
+        return ret;
+}
 static int ath10k_pci_hif_power_up(struct ath10k *ar)
 {
        int ret;
@@ -1999,10 +2056,10 @@ static int ath10k_pci_hif_power_up(struct ath10k *ar)
         * preferred (and safer) way to perform a device reset is through a
         * warm reset.
         *
-         * Warm reset doesn't always work though (notably after a firmware
+         * Warm reset doesn't always work though so fall back to cold reset may
-         * crash) so fall back to cold reset if necessary.
+         * be necessary.
         */
-        ret = __ath10k_pci_hif_power_up(ar, false);
+        ret = ath10k_pci_hif_power_up_warm(ar);
        if (ret) {
                ath10k_warn("failed to power up target using warm reset: %d\n",
                            ret);
@@ -2196,10 +2253,7 @@ static void ath10k_pci_early_irq_tasklet(unsigned long data)
        if (fw_ind & FW_IND_EVENT_PENDING) {
                ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS,
                                   fw_ind & ~FW_IND_EVENT_PENDING);
+                ath10k_pci_hif_dump_area(ar);
-                /* Some structures are unavailable during early boot or at
-                 * driver teardown so just print that the device has crashed. */
-                ath10k_warn("device crashed - no diagnostics available\n");
        }
        ath10k_pci_sleep(ar);
@@ -2476,6 +2530,9 @@ static int ath10k_pci_wait_for_target_init(struct ath10k *ar)
        if (val & FW_IND_EVENT_PENDING) {
                ath10k_warn("device has crashed during init\n");
+                ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS,
+                                   val & ~FW_IND_EVENT_PENDING);
+                ath10k_pci_hif_dump_area(ar);
                ret = -ECOMM;
                goto out;
        }
@@ -2602,18 +2659,6 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
        pci_set_drvdata(pdev, ar);
-        /*
-         * Without any knowledge of the Host, the Target may have been reset or
-         * power cycled and its Config Space may no longer reflect the PCI
-         * address space that was assigned earlier by the PCI infrastructure.
-         * Refresh it now.
-         */
-        ret = pci_assign_resource(pdev, BAR_NUM);
-        if (ret) {
-                ath10k_err("failed to assign PCI space: %d\n", ret);
-                goto err_ar;
-        }
        ret = pci_enable_device(pdev);
        if (ret) {
                ath10k_err("failed to enable PCI device: %d\n", ret);
@@ -2725,8 +2770,6 @@ static void ath10k_pci_remove(struct pci_dev *pdev)
        if (!ar_pci)
                return;
-        tasklet_kill(&ar_pci->msi_fw_err);
        ath10k_core_unregister(ar);
        ath10k_pci_free_ce(ar);
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 72cc4f20d102..4b7782a529ac 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -639,6 +639,7 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
        struct sk_buff *wmi_skb;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        int len;
+        u32 buf_len = skb->len;
        u16 fc;
        hdr = (struct ieee80211_hdr *)skb->data;
@@ -648,6 +649,15 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
                return -EINVAL;
        len = sizeof(cmd->hdr) + skb->len;
+        if ((ieee80211_is_action(hdr->frame_control) ||
+             ieee80211_is_deauth(hdr->frame_control) ||
+             ieee80211_is_disassoc(hdr->frame_control)) &&
+             ieee80211_has_protected(hdr->frame_control)) {
+                len += IEEE80211_CCMP_MIC_LEN;
+                buf_len += IEEE80211_CCMP_MIC_LEN;
+        }
        len = round_up(len, 4);
        wmi_skb = ath10k_wmi_alloc_skb(len);
@@ -659,7 +669,7 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
        cmd->hdr.vdev_id = __cpu_to_le32(ATH10K_SKB_CB(skb)->vdev_id);
        cmd->hdr.tx_rate = 0;
        cmd->hdr.tx_power = 0;
-        cmd->hdr.buf_len = __cpu_to_le32((u32)(skb->len));
+        cmd->hdr.buf_len = __cpu_to_le32(buf_len);
        memcpy(cmd->hdr.peer_macaddr.addr, ieee80211_get_DA(hdr), ETH_ALEN);
        memcpy(cmd->buf, skb->data, skb->len);
@@ -957,10 +967,16 @@ static int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
         * frames with Protected Bit set. */
        if (ieee80211_has_protected(hdr->frame_control) &&
            !ieee80211_is_auth(hdr->frame_control)) {
-                status->flag |= RX_FLAG_DECRYPTED | RX_FLAG_IV_STRIPPED |
+                status->flag |= RX_FLAG_DECRYPTED;
-                                RX_FLAG_MMIC_STRIPPED;
-                hdr->frame_control = __cpu_to_le16(fc &
+                if (!ieee80211_is_action(hdr->frame_control) &&
+                    !ieee80211_is_deauth(hdr->frame_control) &&
+                    !ieee80211_is_disassoc(hdr->frame_control)) {
+                        status->flag |= RX_FLAG_IV_STRIPPED |
+                                        RX_FLAG_MMIC_STRIPPED;
+                        hdr->frame_control = __cpu_to_le16(fc &
                                        ~IEEE80211_FCTL_PROTECTED);
+                }
        }
        ath10k_dbg(ATH10K_DBG_MGMT,
@@ -2359,7 +2375,7 @@ void ath10k_wmi_detach(struct ath10k *ar)
        ar->wmi.num_mem_chunks = 0;
 }
-int ath10k_wmi_connect_htc_service(struct ath10k *ar)
+int ath10k_wmi_connect(struct ath10k *ar)
 {
        int status;
        struct ath10k_htc_svc_conn_req conn_req;
diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
index ae838221af65..89ef3b3749eb 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.h
+++ b/drivers/net/wireless/ath/ath10k/wmi.h
@@ -2323,9 +2323,9 @@ struct wmi_pdev_param_map {
 #define WMI_PDEV_PARAM_UNSUPPORTED 0
 enum wmi_pdev_param {
-        /* TX chian mask */
+        /* TX chain mask */
        WMI_PDEV_PARAM_TX_CHAIN_MASK = 0x1,
-        /* RX chian mask */
+        /* RX chain mask */
        WMI_PDEV_PARAM_RX_CHAIN_MASK,
        /* TX power limit for 2G Radio */
        WMI_PDEV_PARAM_TXPOWER_LIMIT2G,
@@ -4259,7 +4259,7 @@ void ath10k_wmi_detach(struct ath10k *ar);
 int ath10k_wmi_wait_for_service_ready(struct ath10k *ar);
 int ath10k_wmi_wait_for_unified_ready(struct ath10k *ar);
-int ath10k_wmi_connect_htc_service(struct ath10k *ar);
+int ath10k_wmi_connect(struct ath10k *ar);
 int ath10k_wmi_pdev_set_channel(struct ath10k *ar,
                                const struct wmi_channel_arg *);
 int ath10k_wmi_pdev_suspend_target(struct ath10k *ar, u32 suspend_opt);
diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
index b20469425865..2ca8f7e06174 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -770,6 +770,7 @@ struct ath_softc {
        struct ath_ant_comb ant_comb;
        u8 ant_tx, ant_rx;
        struct dfs_pattern_detector *dfs_detector;
+        u64 dfs_prev_pulse_ts;
        u32 wow_enabled;
        /* relay(fs) channel for spectral scan */
        struct rchan *rfs_chan_spec_scan;
diff --git a/drivers/net/wireless/ath/ath9k/dfs.c b/drivers/net/wireless/ath/ath9k/dfs.c
index e0c740dcfea8..726271c7c330 100644
--- a/drivers/net/wireless/ath/ath9k/dfs.c
+++ b/drivers/net/wireless/ath/ath9k/dfs.c
@@ -178,14 +178,12 @@ void ath9k_dfs_process_phyerr(struct ath_softc *sc, void *data,
        pe.ts = mactime;
        if (ath9k_postprocess_radar_event(sc, &ard, &pe)) {
                struct dfs_pattern_detector *pd = sc->dfs_detector;
-#ifdef CONFIG_ATH9K_DEBUGFS
                ath_dbg(common, DFS,
                        "ath9k_dfs_process_phyerr: channel=%d, ts=%llu, "
                        "width=%d, rssi=%d, delta_ts=%llu\n",
                        pe.freq, pe.ts, pe.width, pe.rssi,
-                        pe.ts - sc->debug.stats.dfs_stats.last_ts);
+                        pe.ts - sc->dfs_prev_pulse_ts);
-                sc->debug.stats.dfs_stats.last_ts = pe.ts;
+                sc->dfs_prev_pulse_ts = pe.ts;
-#endif
                DFS_STAT_INC(sc, pulses_processed);
                if (pd != NULL && pd->add_pulse(pd, &pe)) {
                        DFS_STAT_INC(sc, radar_detected);
diff --git a/drivers/net/wireless/ath/ath9k/dfs_debug.h b/drivers/net/wireless/ath/ath9k/dfs_debug.h
index d9486867a5e0..7936c9126a20 100644
--- a/drivers/net/wireless/ath/ath9k/dfs_debug.h
+++ b/drivers/net/wireless/ath/ath9k/dfs_debug.h
@@ -51,7 +51,6 @@ struct ath_dfs_stats {
        /* pattern detection stats */
        u32 pulses_processed;
        u32 radar_detected;
-        u64 last_ts;
 };
 #if defined(CONFIG_ATH9K_DFS_DEBUGFS)
diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
index 1af77081181e..0246b990fe87 100644
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -61,6 +61,10 @@ static int ath9k_ps_enable;
 module_param_named(ps_enable, ath9k_ps_enable, int, 0444);
 MODULE_PARM_DESC(ps_enable, "Enable WLAN PowerSave");
+static int ath9k_use_chanctx;
+module_param_named(use_chanctx, ath9k_use_chanctx, int, 0444);
+MODULE_PARM_DESC(use_chanctx, "Enable channel context for concurrency");
 bool is_ath9k_unloaded;
 #ifdef CONFIG_MAC80211_LEDS
@@ -646,8 +650,7 @@ static void ath9k_init_txpower_limits(struct ath_softc *sc)
 }
 static const struct ieee80211_iface_limit if_limits[] = {
-        { .max = 2048,  .types = BIT(NL80211_IFTYPE_STATION) |
+        { .max = 2048,  .types = BIT(NL80211_IFTYPE_STATION) },
-                                 BIT(NL80211_IFTYPE_WDS) },
        { .max = 8,     .types =
 #ifdef CONFIG_MAC80211_MESH
                                 BIT(NL80211_IFTYPE_MESH_POINT) |
@@ -657,6 +660,10 @@ static const struct ieee80211_iface_limit if_limits[] = {
                                 BIT(NL80211_IFTYPE_P2P_GO) },
 };
+static const struct ieee80211_iface_limit wds_limits[] = {
+        { .max = 2048,  .types = BIT(NL80211_IFTYPE_WDS) },
+};
 static const struct ieee80211_iface_limit if_dfs_limits[] = {
        { .max = 1,     .types = BIT(NL80211_IFTYPE_AP) |
 #ifdef CONFIG_MAC80211_MESH
@@ -673,6 +680,13 @@ static const struct ieee80211_iface_combination if_comb[] = {
                .num_different_channels = 1,
                .beacon_int_infra_match = true,
        },
+        {
+                .limits = wds_limits,
+                .n_limits = ARRAY_SIZE(wds_limits),
+                .max_interfaces = 2048,
+                .num_different_channels = 1,
+                .beacon_int_infra_match = true,
+        },
 #ifdef CONFIG_ATH9K_DFS_CERTIFIED
        {
                .limits = if_dfs_limits,
@@ -722,12 +736,15 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
                        BIT(NL80211_IFTYPE_P2P_GO) |
                        BIT(NL80211_IFTYPE_P2P_CLIENT) |
                        BIT(NL80211_IFTYPE_AP) |
-                        BIT(NL80211_IFTYPE_WDS) |
                        BIT(NL80211_IFTYPE_STATION) |
                        BIT(NL80211_IFTYPE_ADHOC) |
                        BIT(NL80211_IFTYPE_MESH_POINT);
                hw->wiphy->iface_combinations = if_comb;
-                hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb);
+                if (!ath9k_use_chanctx) {
+                        hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb);
+                        hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_WDS);
+                } else
+                        hw->wiphy->n_iface_combinations = 1;
        }
        hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index 6965ceac7bc6..62ac95d6bb9d 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -1757,7 +1757,6 @@ out:
 void ath9k_update_p2p_ps(struct ath_softc *sc, struct ieee80211_vif *vif)
 {
        struct ath_vif *avp = (void *)vif->drv_priv;
-        unsigned long flags;
        u32 tsf;
        if (!sc->p2p_ps_timer)
@@ -1767,14 +1766,9 @@ void ath9k_update_p2p_ps(struct ath_softc *sc, struct ieee80211_vif *vif)
                return;
        sc->p2p_ps_vif = avp;
+        tsf = ath9k_hw_gettsf32(sc->sc_ah);
-        spin_lock_irqsave(&sc->sc_pm_lock, flags);
+        ieee80211_parse_p2p_noa(&vif->bss_conf.p2p_noa_attr, &avp->noa, tsf);
-        if (!(sc->ps_flags & PS_BEACON_SYNC)) {
+        ath9k_update_p2p_ps_timer(sc, avp);
-                tsf = ath9k_hw_gettsf32(sc->sc_ah);
-                ieee80211_parse_p2p_noa(&vif->bss_conf.p2p_noa_attr, &avp->noa, tsf);
-                ath9k_update_p2p_ps_timer(sc, avp);
-        }
-        spin_unlock_irqrestore(&sc->sc_pm_lock, flags);
 }
 static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
@@ -1791,6 +1785,7 @@ static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
        struct ath_hw *ah = sc->sc_ah;
        struct ath_common *common = ath9k_hw_common(ah);
        struct ath_vif *avp = (void *)vif->drv_priv;
+        unsigned long flags;
        int slottime;
        ath9k_ps_wakeup(sc);
@@ -1853,7 +1848,10 @@ static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
        if (changed & BSS_CHANGED_P2P_PS) {
                spin_lock_bh(&sc->sc_pcu_lock);
-                ath9k_update_p2p_ps(sc, vif);
+                spin_lock_irqsave(&sc->sc_pm_lock, flags);
+                if (!(sc->ps_flags & PS_BEACON_SYNC))
+                        ath9k_update_p2p_ps(sc, vif);
+                spin_unlock_irqrestore(&sc->sc_pm_lock, flags);
                spin_unlock_bh(&sc->sc_pcu_lock);
        }
@@ -2232,14 +2230,6 @@ static void ath9k_sw_scan_complete(struct ieee80211_hw *hw)
        clear_bit(ATH_OP_SCANNING, &common->op_flags);
 }
-static void ath9k_channel_switch_beacon(struct ieee80211_hw *hw,
-                                        struct ieee80211_vif *vif,
-                                        struct cfg80211_chan_def *chandef)
-{
-        /* depend on vif->csa_active only */
-        return;
-}
 struct ieee80211_ops ath9k_ops = {
        .tx                 = ath9k_tx,
        .start              = ath9k_start,
@@ -2287,5 +2277,4 @@ struct ieee80211_ops ath9k_ops = {
 #endif
        .sw_scan_start      = ath9k_sw_scan_start,
        .sw_scan_complete   = ath9k_sw_scan_complete,
-        .channel_switch_beacon     = ath9k_channel_switch_beacon,
 };
diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 43ae199601f7..9105a92364f7 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -34,7 +34,8 @@ static inline bool ath9k_check_auto_sleep(struct ath_softc *sc)
 * buffer (or rx fifo). This can incorrectly acknowledge packets
 * to a sender if last desc is self-linked.
 */
-static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf)
+static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf,
+                            bool flush)
 {
        struct ath_hw *ah = sc->sc_ah;
        struct ath_common *common = ath9k_hw_common(ah);
@@ -59,18 +60,19 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf)
                             common->rx_bufsize,
                             0);
-        if (sc->rx.rxlink == NULL)
+        if (sc->rx.rxlink)
-                ath9k_hw_putrxbuf(ah, bf->bf_daddr);
-        else
                *sc->rx.rxlink = bf->bf_daddr;
+        else if (!flush)
+                ath9k_hw_putrxbuf(ah, bf->bf_daddr);
        sc->rx.rxlink = &ds->ds_link;
 }
-static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_rxbuf *bf)
+static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_rxbuf *bf,
+                              bool flush)
 {
        if (sc->rx.buf_hold)
-                ath_rx_buf_link(sc, sc->rx.buf_hold);
+                ath_rx_buf_link(sc, sc->rx.buf_hold, flush);
        sc->rx.buf_hold = bf;
 }
@@ -442,7 +444,7 @@ int ath_startrecv(struct ath_softc *sc)
        sc->rx.buf_hold = NULL;
        sc->rx.rxlink = NULL;
        list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) {
-                ath_rx_buf_link(sc, bf);
+                ath_rx_buf_link(sc, bf, false);
        }
        /* We could have deleted elements so the list may be empty now */
@@ -1118,12 +1120,12 @@ requeue_drop_frag:
 requeue:
                list_add_tail(&bf->list, &sc->rx.rxbuf);
-                if (edma) {
+                if (!edma) {
-                        ath_rx_edma_buf_link(sc, qtype);
+                        ath_rx_buf_relink(sc, bf, flush);
-                } else {
-                        ath_rx_buf_relink(sc, bf);
                        if (!flush)
                                ath9k_hw_rxena(ah);
+                } else if (!flush) {
+                        ath_rx_edma_buf_link(sc, qtype);
                }
                if (!budget--)
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index 7bf0ef8a1f56..63986931829e 100644
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -2068,7 +2068,7 @@ static void wcn36xx_smd_rsp_process(struct wcn36xx *wcn, void *buf, size_t len)
                if (!msg_ind)
                        goto nomem;
                msg_ind->msg_len = len;
-                msg_ind->msg = kmalloc(len, GFP_KERNEL);
+                msg_ind->msg = kmemdup(buf, len, GFP_KERNEL);
                if (!msg_ind->msg) {
                        kfree(msg_ind);
 nomem:
@@ -2080,7 +2080,6 @@ nomem:
                                    msg_header->msg_type);
                        break;
                }
-                memcpy(msg_ind->msg, buf, len);
                mutex_lock(&wcn->hal_ind_mutex);
                list_add_tail(&msg_ind->list, &wcn->hal_ind_queue);
                queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work);
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 6e699d050d1e..820d4ebd9322 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -288,6 +288,7 @@ static int wil_cfg80211_scan(struct wiphy *wiphy,
        }
        wil->scan_request = request;
+        mod_timer(&wil->scan_timer, jiffies + WIL6210_SCAN_TO);
        memset(&cmd, 0, sizeof(cmd));
        cmd.cmd.num_channels = 0;
diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index ecdabe4adec3..8d4bc4bfb664 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -35,7 +35,7 @@ static void wil_print_vring(struct seq_file *s, struct wil6210_priv *wil,
        void __iomem *x = wmi_addr(wil, vring->hwtail);
        seq_printf(s, "VRING %s = {\n", name);
-        seq_printf(s, "  pa     = 0x%016llx\n", (unsigned long long)vring->pa);
+        seq_printf(s, "  pa     = %pad\n", &vring->pa);
        seq_printf(s, "  va     = 0x%p\n", vring->va);
        seq_printf(s, "  size   = %d\n", vring->size);
        seq_printf(s, "  swtail = %d\n", vring->swtail);
@@ -473,7 +473,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
                           u[0], u[1], u[2], u[3]);
                seq_printf(s, "  DMA = 0x%08x 0x%08x 0x%08x 0x%08x\n",
                           u[4], u[5], u[6], u[7]);
-                seq_printf(s, "  SKB = %p\n", skb);
+                seq_printf(s, "  SKB = 0x%p\n", skb);
                if (skb) {
                        skb_get(skb);
diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 670cc6de3b4c..11e6d9d22eae 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -150,6 +150,15 @@ static void wil_connect_timer_fn(ulong x)
        schedule_work(&wil->disconnect_worker);
 }
+static void wil_scan_timer_fn(ulong x)
+{
+        struct wil6210_priv *wil = (void *)x;
+        clear_bit(wil_status_fwready, &wil->status);
+        wil_err(wil, "Scan timeout detected, start fw error recovery\n");
+        schedule_work(&wil->fw_error_worker);
+}
 static void wil_fw_error_worker(struct work_struct *work)
 {
        struct wil6210_priv *wil = container_of(work,
@@ -161,12 +170,30 @@ static void wil_fw_error_worker(struct work_struct *work)
        if (no_fw_recovery)
                return;
+        /* increment @recovery_count if less then WIL6210_FW_RECOVERY_TO
+         * passed since last recovery attempt
+         */
+        if (time_is_after_jiffies(wil->last_fw_recovery +
+                                  WIL6210_FW_RECOVERY_TO))
+                wil->recovery_count++;
+        else
+                wil->recovery_count = 1; /* fw was alive for a long time */
+        if (wil->recovery_count > WIL6210_FW_RECOVERY_RETRIES) {
+                wil_err(wil, "too many recovery attempts (%d), giving up\n",
+                        wil->recovery_count);
+                return;
+        }
+        wil->last_fw_recovery = jiffies;
        mutex_lock(&wil->mutex);
        switch (wdev->iftype) {
        case NL80211_IFTYPE_STATION:
        case NL80211_IFTYPE_P2P_CLIENT:
        case NL80211_IFTYPE_MONITOR:
-                wil_info(wil, "fw error recovery started...\n");
+                wil_info(wil, "fw error recovery started (try %d)...\n",
+                         wil->recovery_count);
                wil_reset(wil);
                /* need to re-allocate Rx ring after reset */
@@ -230,6 +257,7 @@ int wil_priv_init(struct wil6210_priv *wil)
        wil->pending_connect_cid = -1;
        setup_timer(&wil->connect_timer, wil_connect_timer_fn, (ulong)wil);
+        setup_timer(&wil->scan_timer, wil_scan_timer_fn, (ulong)wil);
        INIT_WORK(&wil->connect_worker, wil_connect_worker);
        INIT_WORK(&wil->disconnect_worker, wil_disconnect_worker);
@@ -249,6 +277,8 @@ int wil_priv_init(struct wil6210_priv *wil)
                return -EAGAIN;
        }
+        wil->last_fw_recovery = jiffies;
        return 0;
 }
@@ -260,6 +290,7 @@ void wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid)
 void wil_priv_deinit(struct wil6210_priv *wil)
 {
+        del_timer_sync(&wil->scan_timer);
        cancel_work_sync(&wil->disconnect_worker);
        cancel_work_sync(&wil->fw_error_worker);
        mutex_lock(&wil->mutex);
@@ -391,6 +422,7 @@ int wil_reset(struct wil6210_priv *wil)
        if (wil->scan_request) {
                wil_dbg_misc(wil, "Abort scan_request 0x%p\n",
                             wil->scan_request);
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, true);
                wil->scan_request = NULL;
        }
@@ -520,6 +552,7 @@ static int __wil_down(struct wil6210_priv *wil)
        napi_disable(&wil->napi_tx);
        if (wil->scan_request) {
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, true);
                wil->scan_request = NULL;
        }
diff --git a/drivers/net/wireless/ath/wil6210/netdev.c b/drivers/net/wireless/ath/wil6210/netdev.c
index fdcaeb820e75..106b6dcb773a 100644
--- a/drivers/net/wireless/ath/wil6210/netdev.c
+++ b/drivers/net/wireless/ath/wil6210/netdev.c
@@ -32,12 +32,26 @@ static int wil_stop(struct net_device *ndev)
        return wil_down(wil);
 }
+static int wil_change_mtu(struct net_device *ndev, int new_mtu)
+{
+        struct wil6210_priv *wil = ndev_to_wil(ndev);
+        if (new_mtu < 68 || new_mtu > IEEE80211_MAX_DATA_LEN_DMG)
+                return -EINVAL;
+        wil_dbg_misc(wil, "change MTU %d -> %d\n", ndev->mtu, new_mtu);
+        ndev->mtu = new_mtu;
+        return 0;
+}
 static const struct net_device_ops wil_netdev_ops = {
        .ndo_open               = wil_open,
        .ndo_stop               = wil_stop,
        .ndo_start_xmit         = wil_start_xmit,
        .ndo_set_mac_address    = eth_mac_addr,
        .ndo_validate_addr      = eth_validate_addr,
+        .ndo_change_mtu         = wil_change_mtu,
 };
 static int wil6210_netdev_poll_rx(struct napi_struct *napi, int budget)
diff --git a/drivers/net/wireless/ath/wil6210/pcie_bus.c b/drivers/net/wireless/ath/wil6210/pcie_bus.c
index 066088418307..1e2e07b9d13d 100644
--- a/drivers/net/wireless/ath/wil6210/pcie_bus.c
+++ b/drivers/net/wireless/ath/wil6210/pcie_bus.c
@@ -138,7 +138,7 @@ static int wil_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id)
                goto err_release_reg;
        }
        /* rollback to err_iounmap */
-        dev_info(&pdev->dev, "CSR at %pR -> %p\n", &pdev->resource[0], csr);
+        dev_info(&pdev->dev, "CSR at %pR -> 0x%p\n", &pdev->resource[0], csr);
        wil = wil_if_alloc(dev, csr);
        if (IS_ERR(wil)) {
diff --git a/drivers/net/wireless/ath/wil6210/rx_reorder.c b/drivers/net/wireless/ath/wil6210/rx_reorder.c
index ec29954bd44d..747ae1275877 100644
--- a/drivers/net/wireless/ath/wil6210/rx_reorder.c
+++ b/drivers/net/wireless/ath/wil6210/rx_reorder.c
@@ -49,10 +49,17 @@ static void wil_release_reorder_frames(struct wil6210_priv *wil,
 {
        int index;
-        while (seq_less(r->head_seq_num, hseq)) {
+        /* note: this function is never called with
+         * hseq preceding r->head_seq_num, i.e it is always true
+         * !seq_less(hseq, r->head_seq_num)
+         * and thus on loop exit it should be
+         * r->head_seq_num == hseq
+         */
+        while (seq_less(r->head_seq_num, hseq) && r->stored_mpdu_num) {
                index = reorder_index(r, r->head_seq_num);
                wil_release_reorder_frame(wil, r, index);
        }
+        r->head_seq_num = hseq;
 }
 static void wil_reorder_release(struct wil6210_priv *wil,
diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index c8c547457eb4..0784ef3d4ce2 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -64,6 +64,22 @@ static inline int wil_vring_avail_tx(struct vring *vring)
        return vring->size - used - 1;
 }
+/**
+ * wil_vring_wmark_low - low watermark for available descriptor space
+ */
+static inline int wil_vring_wmark_low(struct vring *vring)
+{
+        return vring->size/8;
+}
+/**
+ * wil_vring_wmark_high - high watermark for available descriptor space
+ */
+static inline int wil_vring_wmark_high(struct vring *vring)
+{
+        return vring->size/4;
+}
 static int wil_vring_alloc(struct wil6210_priv *wil, struct vring *vring)
 {
        struct device *dev = wil_to_dev(wil);
@@ -98,8 +114,8 @@ static int wil_vring_alloc(struct wil6210_priv *wil, struct vring *vring)
                _d->dma.status = TX_DMA_STATUS_DU;
        }
-        wil_dbg_misc(wil, "vring[%d] 0x%p:0x%016llx 0x%p\n", vring->size,
+        wil_dbg_misc(wil, "vring[%d] 0x%p:%pad 0x%p\n", vring->size,
-                     vring->va, (unsigned long long)vring->pa, vring->ctx);
+                     vring->va, &vring->pa, vring->ctx);
        return 0;
 }
@@ -880,8 +896,8 @@ static int wil_tx_vring(struct wil6210_priv *wil, struct vring *vring,
        pa = dma_map_single(dev, skb->data,
                        skb_headlen(skb), DMA_TO_DEVICE);
-        wil_dbg_txrx(wil, "Tx skb %d bytes %p -> %#08llx\n", skb_headlen(skb),
+        wil_dbg_txrx(wil, "Tx skb %d bytes 0x%p -> %pad\n", skb_headlen(skb),
-                     skb->data, (unsigned long long)pa);
+                     skb->data, &pa);
        wil_hex_dump_txrx("Tx ", DUMP_PREFIX_OFFSET, 16, 1,
                          skb->data, skb_headlen(skb), false);
@@ -1007,7 +1023,7 @@ netdev_tx_t wil_start_xmit(struct sk_buff *skb, struct net_device *ndev)
        rc = wil_tx_vring(wil, vring, skb);
        /* do we still have enough room in the vring? */
-        if (wil_vring_avail_tx(vring) < vring->size/8)
+        if (wil_vring_avail_tx(vring) < wil_vring_wmark_low(vring))
                netif_tx_stop_all_queues(wil_to_ndev(wil));
        switch (rc) {
@@ -1116,7 +1132,7 @@ int wil_tx_complete(struct wil6210_priv *wil, int ringid)
                        done++;
                }
        }
-        if (wil_vring_avail_tx(vring) > vring->size/4)
+        if (wil_vring_avail_tx(vring) > wil_vring_wmark_high(vring))
                netif_tx_wake_all_queues(wil_to_ndev(wil));
        return done;
diff --git a/drivers/net/wireless/ath/wil6210/wil6210.h b/drivers/net/wireless/ath/wil6210/wil6210.h
index 3427ac4a4fa1..e25edc52398f 100644
--- a/drivers/net/wireless/ath/wil6210/wil6210.h
+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
@@ -40,6 +40,9 @@ static inline u32 WIL_GET_BITS(u32 x, int b0, int b1)
 #define WIL6210_MAX_CID         (8) /* HW limit */
 #define WIL6210_NAPI_BUDGET     (16) /* arbitrary */
 #define WIL6210_ITR_TRSH        (10000) /* arbitrary - about 15 IRQs/msec */
+#define WIL6210_FW_RECOVERY_RETRIES     (5) /* try to recover this many times */
+#define WIL6210_FW_RECOVERY_TO  msecs_to_jiffies(5000)
+#define WIL6210_SCAN_TO         msecs_to_jiffies(10000)
 /* Hardware definitions begin */
@@ -361,6 +364,8 @@ struct wil6210_priv {
        u32 fw_version;
        u32 hw_version;
        u8 n_mids; /* number of additional MIDs as reported by FW */
+        int recovery_count; /* num of FW recovery attempts in a short time */
+        unsigned long last_fw_recovery; /* jiffies of last fw recovery */
        /* profile */
        u32 monitor_flags;
        u32 secure_pcp; /* create secure PCP? */
@@ -382,6 +387,7 @@ struct wil6210_priv {
        struct work_struct disconnect_worker;
        struct work_struct fw_error_worker;     /* for FW error recovery */
        struct timer_list connect_timer;
+        struct timer_list scan_timer; /* detect scan timeout */
        int pending_connect_cid;
        struct list_head pending_wmi_ev;
        /*
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index e9a11cb3428a..6cc0e182cc70 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -351,6 +351,7 @@ static void wmi_evt_scan_complete(struct wil6210_priv *wil, int id,
                bool aborted = (data->status != WMI_SCAN_SUCCESS);
                wil_dbg_wmi(wil, "SCAN_COMPLETE(0x%08x)\n", data->status);
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, aborted);
                wil->scan_request = NULL;
        } else {
@@ -658,21 +659,27 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
        u8 *cmd;
        void __iomem *src;
        ulong flags;
+        unsigned n;
        if (!test_bit(wil_status_reset_done, &wil->status)) {
                wil_err(wil, "Reset not completed\n");
                return;
        }
-        for (;;) {
+        for (n = 0;; n++) {
                u16 len;
                r->head = ioread32(wil->csr + HOST_MBOX +
                                   offsetof(struct wil6210_mbox_ctl, rx.head));
-                if (r->tail == r->head)
+                if (r->tail == r->head) {
+                        if (n == 0)
+                                wil_dbg_wmi(wil, "No events?\n");
                        return;
+                }
-                /* read cmd from tail */
+                wil_dbg_wmi(wil, "Mbox head %08x tail %08x\n",
+                            r->head, r->tail);
+                /* read cmd descriptor from tail */
                wil_memcpy_fromio_32(&d_tail, wil->csr + HOSTADDR(r->tail),
                                     sizeof(struct wil6210_mbox_ring_desc));
                if (d_tail.sync == 0) {
@@ -680,13 +687,18 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                        return;
                }
+                /* read cmd header from descriptor */
                if (0 != wmi_read_hdr(wil, d_tail.addr, &hdr)) {
                        wil_err(wil, "Mbox evt at 0x%08x?\n",
                                le32_to_cpu(d_tail.addr));
                        return;
                }
                len = le16_to_cpu(hdr.len);
+                wil_dbg_wmi(wil, "Mbox evt %04x %04x %04x %02x\n",
+                            le16_to_cpu(hdr.seq), len, le16_to_cpu(hdr.type),
+                            hdr.flags);
+                /* read cmd buffer from descriptor */
                src = wmi_buffer(wil, d_tail.addr) +
                      sizeof(struct wil6210_mbox_hdr);
                evt = kmalloc(ALIGN(offsetof(struct pending_wmi_event,
@@ -702,9 +714,6 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                iowrite32(0, wil->csr + HOSTADDR(r->tail) +
                          offsetof(struct wil6210_mbox_ring_desc, sync));
                /* indicate */
-                wil_dbg_wmi(wil, "Mbox evt %04x %04x %04x %02x\n",
-                            le16_to_cpu(hdr.seq), len, le16_to_cpu(hdr.type),
-                            hdr.flags);
                if ((hdr.type == WIL_MBOX_HDR_TYPE_WMI) &&
                    (len >= sizeof(struct wil6210_mbox_hdr_wmi))) {
                        struct wil6210_mbox_hdr_wmi *wmi = &evt->event.wmi;
@@ -734,6 +743,8 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                        wil_dbg_wmi(wil, "queue_work -> %d\n", q);
                }
        }
+        if (n > 1)
+                wil_dbg_wmi(wil, "%s -> %d events processed\n", __func__, n);
 }
 int wmi_call(struct wil6210_priv *wil, u16 cmdid, void *buf, u16 len,
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 3d67e6b08e1c..32538ac5f7e4 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -3742,7 +3742,9 @@ static int b43_switch_band(struct b43_wldev *dev,
        b43dbg(dev->wl, "Switching to %s GHz band\n",
               band_to_string(chan->band));
-        b43_software_rfkill(dev, true);
+        /* Some new devices don't need disabling radio for band switching */
+        if (!(phy->type == B43_PHYTYPE_N && phy->rev >= 3))
+                b43_software_rfkill(dev, true);
        phy->gmode = gmode;
        b43_phy_put_into_reset(dev);
@@ -5164,6 +5166,7 @@ static void b43_supported_bands(struct b43_wldev *dev, bool *have_2ghz_phy,
 static int b43_wireless_core_attach(struct b43_wldev *dev)
 {
        struct b43_wl *wl = dev->wl;
+        struct b43_phy *phy = &dev->phy;
        int err;
        u32 tmp;
        bool have_2ghz_phy = false, have_5ghz_phy = false;
@@ -5181,6 +5184,8 @@ static int b43_wireless_core_attach(struct b43_wldev *dev)
                goto out;
        }
+        phy->do_full_init = true;
        /* Try to guess supported bands for the first init needs */
        switch (dev->dev->bus_type) {
 #ifdef CONFIG_B43_BCMA
diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c
index fb0ddddde16b..08244b3b327e 100644
--- a/drivers/net/wireless/b43/phy_common.c
+++ b/drivers/net/wireless/b43/phy_common.c
@@ -98,11 +98,14 @@ int b43_phy_init(struct b43_wldev *dev)
        phy->ops->switch_analog(dev, true);
        b43_software_rfkill(dev, false);
        err = ops->init(dev);
        if (err) {
                b43err(dev->wl, "PHY init failed\n");
                goto err_block_rf;
        }
+        phy->do_full_init = false;
        /* Make sure to switch hardware and firmware (SHM) to
         * the default channel. */
        err = b43_switch_channel(dev, ops->get_default_chan(dev));
@@ -114,6 +117,7 @@ int b43_phy_init(struct b43_wldev *dev)
        return 0;
 err_phy_exit:
+        phy->do_full_init = true;
        if (ops->exit)
                ops->exit(dev);
 err_block_rf:
@@ -127,6 +131,7 @@ void b43_phy_exit(struct b43_wldev *dev)
        const struct b43_phy_operations *ops = dev->phy.ops;
        b43_software_rfkill(dev, true);
+        dev->phy.do_full_init = true;
        if (ops->exit)
                ops->exit(dev);
 }
diff --git a/drivers/net/wireless/b43/phy_common.h b/drivers/net/wireless/b43/phy_common.h
index 47b55855c37d..4ad6240d9ff4 100644
--- a/drivers/net/wireless/b43/phy_common.h
+++ b/drivers/net/wireless/b43/phy_common.h
@@ -234,6 +234,9 @@ struct b43_phy {
        /* Is GMODE (2 GHz mode) bit enabled? */
        bool gmode;
+        /* After power reset full init has to be performed */
+        bool do_full_init;
        /* Analog Type */
        u8 analog;
        /* B43_PHYTYPE_ */
diff --git a/drivers/net/wireless/b43/phy_n.c b/drivers/net/wireless/b43/phy_n.c
index 41dab89a2942..86569f6a8705 100644
--- a/drivers/net/wireless/b43/phy_n.c
+++ b/drivers/net/wireless/b43/phy_n.c
@@ -700,13 +700,11 @@ static void b43_radio_2057_init_post(struct b43_wldev *dev)
        b43_radio_mask(dev, R2057_RFPLL_MISC_CAL_RESETN, ~0x78);
        b43_radio_mask(dev, R2057_XTAL_CONFIG2, ~0x80);
-        if (dev->phy.n->init_por) {
+        if (dev->phy.do_full_init) {
                b43_radio_2057_rcal(dev);
                b43_radio_2057_rccal(dev);
        }
        b43_radio_mask(dev, R2057_RFPLL_MASTER, ~0x8);
-        dev->phy.n->init_por = false;
 }
 /* http://bcm-v4.sipsolutions.net/802.11/Radio/2057/Init */
@@ -1028,7 +1026,7 @@ static void b43_radio_init2056_post(struct b43_wldev *dev)
        b43_radio_mask(dev, B2056_SYN_COM_RESET, ~0x2);
        b43_radio_mask(dev, B2056_SYN_PLL_MAST2, ~0xFC);
        b43_radio_mask(dev, B2056_SYN_RCCAL_CTRL0, ~0x1);
-        if (dev->phy.n->init_por)
+        if (dev->phy.do_full_init)
                b43_radio_2056_rcal(dev);
 }
@@ -1041,8 +1039,6 @@ static void b43_radio_init2056(struct b43_wldev *dev)
        b43_radio_init2056_pre(dev);
        b2056_upload_inittabs(dev, 0, 0);
        b43_radio_init2056_post(dev);
-        dev->phy.n->init_por = false;
 }
 /**************************************************
@@ -5561,7 +5557,6 @@ static void b43_nphy_op_prepare_structs(struct b43_wldev *dev)
        nphy->hang_avoid = (phy->rev == 3 || phy->rev == 4);
        nphy->spur_avoid = (phy->rev >= 3) ?
                                B43_SPUR_AVOID_AUTO : B43_SPUR_AVOID_DISABLE;
-        nphy->init_por = true;
        nphy->gain_boost = true; /* this way we follow wl, assume it is true */
        nphy->txrx_chain = 2; /* sth different than 0 and 1 for now */
        nphy->phyrxchain = 3; /* to avoid b43_nphy_set_rx_core_state like wl */
@@ -5602,8 +5597,6 @@ static void b43_nphy_op_prepare_structs(struct b43_wldev *dev)
                nphy->ipa2g_on = sprom->fem.ghz2.extpa_gain == 2;
                nphy->ipa5g_on = sprom->fem.ghz5.extpa_gain == 2;
        }
-        nphy->init_por = true;
 }
 static void b43_nphy_op_free(struct b43_wldev *dev)
@@ -5714,10 +5707,12 @@ static void b43_nphy_op_software_rfkill(struct b43_wldev *dev,
                }
        } else {
                if (dev->phy.rev >= 7) {
-                        b43_radio_2057_init(dev);
+                        if (!dev->phy.radio_on)
+                                b43_radio_2057_init(dev);
                        b43_switch_channel(dev, dev->phy.channel);
                } else if (dev->phy.rev >= 3) {
-                        b43_radio_init2056(dev);
+                        if (!dev->phy.radio_on)
+                                b43_radio_init2056(dev);
                        b43_switch_channel(dev, dev->phy.channel);
                } else {
                        b43_radio_init2055(dev);
diff --git a/drivers/net/wireless/b43/phy_n.h b/drivers/net/wireless/b43/phy_n.h
index 9a5b6bc27d24..ecfbf66dbc3b 100644
--- a/drivers/net/wireless/b43/phy_n.h
+++ b/drivers/net/wireless/b43/phy_n.h
@@ -931,7 +931,6 @@ struct b43_phy_n {
        u16 papd_epsilon_offset[2];
        s32 preamble_override;
        u32 bb_mult_save;
-        bool init_por;
        bool gain_boost;
        bool elna_gain_config;
diff --git a/drivers/net/wireless/b43/tables_nphy.c b/drivers/net/wireless/b43/tables_nphy.c
index 50d03ffeac8c..4047c05e3807 100644
--- a/drivers/net/wireless/b43/tables_nphy.c
+++ b/drivers/net/wireless/b43/tables_nphy.c
@@ -3042,30 +3042,32 @@ static void b43_nphy_tables_init_rev3(struct b43_wldev *dev)
                antswlut = sprom->fem.ghz2.antswlut;
        /* Static tables */
-        ntab_upload(dev, B43_NTAB_FRAMESTRUCT_R3, b43_ntab_framestruct_r3);
+        if (dev->phy.do_full_init) {
-        ntab_upload(dev, B43_NTAB_PILOT_R3, b43_ntab_pilot_r3);
+                ntab_upload(dev, B43_NTAB_FRAMESTRUCT_R3, b43_ntab_framestruct_r3);
-        ntab_upload(dev, B43_NTAB_TMAP_R3, b43_ntab_tmap_r3);
+                ntab_upload(dev, B43_NTAB_PILOT_R3, b43_ntab_pilot_r3);
-        ntab_upload(dev, B43_NTAB_INTLEVEL_R3, b43_ntab_intlevel_r3);
+                ntab_upload(dev, B43_NTAB_TMAP_R3, b43_ntab_tmap_r3);
-        ntab_upload(dev, B43_NTAB_TDTRN_R3, b43_ntab_tdtrn_r3);
+                ntab_upload(dev, B43_NTAB_INTLEVEL_R3, b43_ntab_intlevel_r3);
-        ntab_upload(dev, B43_NTAB_NOISEVAR_R3, b43_ntab_noisevar_r3);
+                ntab_upload(dev, B43_NTAB_TDTRN_R3, b43_ntab_tdtrn_r3);
-        ntab_upload(dev, B43_NTAB_MCS_R3, b43_ntab_mcs_r3);
+                ntab_upload(dev, B43_NTAB_NOISEVAR_R3, b43_ntab_noisevar_r3);
-        ntab_upload(dev, B43_NTAB_TDI20A0_R3, b43_ntab_tdi20a0_r3);
+                ntab_upload(dev, B43_NTAB_MCS_R3, b43_ntab_mcs_r3);
-        ntab_upload(dev, B43_NTAB_TDI20A1_R3, b43_ntab_tdi20a1_r3);
+                ntab_upload(dev, B43_NTAB_TDI20A0_R3, b43_ntab_tdi20a0_r3);
-        ntab_upload(dev, B43_NTAB_TDI40A0_R3, b43_ntab_tdi40a0_r3);
+                ntab_upload(dev, B43_NTAB_TDI20A1_R3, b43_ntab_tdi20a1_r3);
-        ntab_upload(dev, B43_NTAB_TDI40A1_R3, b43_ntab_tdi40a1_r3);
+                ntab_upload(dev, B43_NTAB_TDI40A0_R3, b43_ntab_tdi40a0_r3);
-        ntab_upload(dev, B43_NTAB_PILOTLT_R3, b43_ntab_pilotlt_r3);
+                ntab_upload(dev, B43_NTAB_TDI40A1_R3, b43_ntab_tdi40a1_r3);
-        ntab_upload(dev, B43_NTAB_CHANEST_R3, b43_ntab_channelest_r3);
+                ntab_upload(dev, B43_NTAB_PILOTLT_R3, b43_ntab_pilotlt_r3);
-        ntab_upload(dev, B43_NTAB_FRAMELT_R3, b43_ntab_framelookup_r3);
+                ntab_upload(dev, B43_NTAB_CHANEST_R3, b43_ntab_channelest_r3);
-        ntab_upload(dev, B43_NTAB_C0_ESTPLT_R3, b43_ntab_estimatepowerlt0_r3);
+                ntab_upload(dev, B43_NTAB_FRAMELT_R3, b43_ntab_framelookup_r3);
-        ntab_upload(dev, B43_NTAB_C1_ESTPLT_R3, b43_ntab_estimatepowerlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_ESTPLT_R3, b43_ntab_estimatepowerlt0_r3);
-        ntab_upload(dev, B43_NTAB_C0_ADJPLT_R3, b43_ntab_adjustpower0_r3);
+                ntab_upload(dev, B43_NTAB_C1_ESTPLT_R3, b43_ntab_estimatepowerlt1_r3);
-        ntab_upload(dev, B43_NTAB_C1_ADJPLT_R3, b43_ntab_adjustpower1_r3);
+                ntab_upload(dev, B43_NTAB_C0_ADJPLT_R3, b43_ntab_adjustpower0_r3);
-        ntab_upload(dev, B43_NTAB_C0_GAINCTL_R3, b43_ntab_gainctl0_r3);
+                ntab_upload(dev, B43_NTAB_C1_ADJPLT_R3, b43_ntab_adjustpower1_r3);
-        ntab_upload(dev, B43_NTAB_C1_GAINCTL_R3, b43_ntab_gainctl1_r3);
+                ntab_upload(dev, B43_NTAB_C0_GAINCTL_R3, b43_ntab_gainctl0_r3);
-        ntab_upload(dev, B43_NTAB_C0_IQLT_R3, b43_ntab_iqlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_GAINCTL_R3, b43_ntab_gainctl1_r3);
-        ntab_upload(dev, B43_NTAB_C1_IQLT_R3, b43_ntab_iqlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_IQLT_R3, b43_ntab_iqlt0_r3);
-        ntab_upload(dev, B43_NTAB_C0_LOFEEDTH_R3, b43_ntab_loftlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_IQLT_R3, b43_ntab_iqlt1_r3);
-        ntab_upload(dev, B43_NTAB_C1_LOFEEDTH_R3, b43_ntab_loftlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_LOFEEDTH_R3, b43_ntab_loftlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_LOFEEDTH_R3, b43_ntab_loftlt1_r3);
+        }
        /* Volatile tables */
        if (antswlut < ARRAY_SIZE(b43_ntab_antswctl_r3))
@@ -3078,20 +3080,22 @@ static void b43_nphy_tables_init_rev3(struct b43_wldev *dev)
 static void b43_nphy_tables_init_rev0(struct b43_wldev *dev)
 {
        /* Static tables */
-        ntab_upload(dev, B43_NTAB_FRAMESTRUCT, b43_ntab_framestruct);
+        if (dev->phy.do_full_init) {
-        ntab_upload(dev, B43_NTAB_FRAMELT, b43_ntab_framelookup);
+                ntab_upload(dev, B43_NTAB_FRAMESTRUCT, b43_ntab_framestruct);
-        ntab_upload(dev, B43_NTAB_TMAP, b43_ntab_tmap);
+                ntab_upload(dev, B43_NTAB_FRAMELT, b43_ntab_framelookup);
-        ntab_upload(dev, B43_NTAB_TDTRN, b43_ntab_tdtrn);
+                ntab_upload(dev, B43_NTAB_TMAP, b43_ntab_tmap);
-        ntab_upload(dev, B43_NTAB_INTLEVEL, b43_ntab_intlevel);
+                ntab_upload(dev, B43_NTAB_TDTRN, b43_ntab_tdtrn);
-        ntab_upload(dev, B43_NTAB_PILOT, b43_ntab_pilot);
+                ntab_upload(dev, B43_NTAB_INTLEVEL, b43_ntab_intlevel);
-        ntab_upload(dev, B43_NTAB_TDI20A0, b43_ntab_tdi20a0);
+                ntab_upload(dev, B43_NTAB_PILOT, b43_ntab_pilot);
-        ntab_upload(dev, B43_NTAB_TDI20A1, b43_ntab_tdi20a1);
+                ntab_upload(dev, B43_NTAB_TDI20A0, b43_ntab_tdi20a0);
-        ntab_upload(dev, B43_NTAB_TDI40A0, b43_ntab_tdi40a0);
+                ntab_upload(dev, B43_NTAB_TDI20A1, b43_ntab_tdi20a1);
-        ntab_upload(dev, B43_NTAB_TDI40A1, b43_ntab_tdi40a1);
+                ntab_upload(dev, B43_NTAB_TDI40A0, b43_ntab_tdi40a0);
-        ntab_upload(dev, B43_NTAB_CHANEST, b43_ntab_channelest);
+                ntab_upload(dev, B43_NTAB_TDI40A1, b43_ntab_tdi40a1);
-        ntab_upload(dev, B43_NTAB_MCS, b43_ntab_mcs);
+                ntab_upload(dev, B43_NTAB_CHANEST, b43_ntab_channelest);
-        ntab_upload(dev, B43_NTAB_NOISEVAR10, b43_ntab_noisevar10);
+                ntab_upload(dev, B43_NTAB_MCS, b43_ntab_mcs);
-        ntab_upload(dev, B43_NTAB_NOISEVAR11, b43_ntab_noisevar11);
+                ntab_upload(dev, B43_NTAB_NOISEVAR10, b43_ntab_noisevar10);
+                ntab_upload(dev, B43_NTAB_NOISEVAR11, b43_ntab_noisevar11);
+        }
        /* Volatile tables */
        ntab_upload(dev, B43_NTAB_BDI, b43_ntab_bdi);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/Makefile b/drivers/net/wireless/brcm80211/brcmfmac/Makefile
index 1d2ceac3a221..98e67c18f276 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/Makefile
+++ b/drivers/net/wireless/brcm80211/brcmfmac/Makefile
@@ -33,7 +33,7 @@ brcmfmac-objs += \
                bcdc.o \
                dhd_common.o \
                dhd_linux.o \
-                nvram.o \
+                firmware.o \
                btcoex.o
 brcmfmac-$(CONFIG_BRCMFMAC_SDIO) += \
                dhd_sdio.o \
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
index c5dcd82e884b..7735328fff21 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
@@ -63,7 +63,6 @@ struct brcmf_bus_dcmd {
 */
 struct brcmf_bus_ops {
        int (*preinit)(struct device *dev);
-        int (*init)(struct device *dev);
        void (*stop)(struct device *dev);
        int (*txdata)(struct device *dev, struct sk_buff *skb);
        int (*txctl)(struct device *dev, unsigned char *msg, uint len);
@@ -114,11 +113,6 @@ static inline int brcmf_bus_preinit(struct brcmf_bus *bus)
        return bus->ops->preinit(bus->dev);
 }
-static inline int brcmf_bus_init(struct brcmf_bus *bus)
-{
-        return bus->ops->init(bus->dev);
-}
 static inline void brcmf_bus_stop(struct brcmf_bus *bus)
 {
        bus->ops->stop(bus->dev);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
index 4cacc3d85212..09dd8c13d844 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -916,13 +916,6 @@ int brcmf_bus_start(struct device *dev)
        brcmf_dbg(TRACE, "\n");
-        /* Bring up the bus */
-        ret = brcmf_bus_init(bus_if);
-        if (ret != 0) {
-                brcmf_err("brcmf_sdbrcm_bus_init failed %d\n", ret);
-                return ret;
-        }
        /* add primary networking interface */
        ifp = brcmf_add_if(drvr, 0, 0, "wlan%d", NULL);
        if (IS_ERR(ifp))
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index 13c89a0c4ba7..8fa0dbbbda72 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -42,7 +42,7 @@
 #include <soc.h>
 #include "sdio_host.h"
 #include "chip.h"
-#include "nvram.h"
+#include "firmware.h"
 #define DCMD_RESP_TIMEOUT  2000 /* In milli second */
@@ -632,43 +632,28 @@ static const struct brcmf_firmware_names brcmf_fwname_data[] = {
        { BCM4354_CHIP_ID, 0xFFFFFFFF, BRCMF_FIRMWARE_NVRAM(BCM4354) }
 };
+static const char *brcmf_sdio_get_fwname(struct brcmf_chip *ci,
-static const struct firmware *brcmf_sdio_get_fw(struct brcmf_sdio *bus,
+                                         enum brcmf_firmware_type type)
-                                                  enum brcmf_firmware_type type)
 {
-        const struct firmware *fw;
+        int i;
-        const char *name;
-        int err, i;
        for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
-                if (brcmf_fwname_data[i].chipid == bus->ci->chip &&
+                if (brcmf_fwname_data[i].chipid == ci->chip &&
-                    brcmf_fwname_data[i].revmsk & BIT(bus->ci->chiprev)) {
+                    brcmf_fwname_data[i].revmsk & BIT(ci->chiprev)) {
                        switch (type) {
                        case BRCMF_FIRMWARE_BIN:
-                                name = brcmf_fwname_data[i].bin;
+                                return brcmf_fwname_data[i].bin;
-                                break;
                        case BRCMF_FIRMWARE_NVRAM:
-                                name = brcmf_fwname_data[i].nv;
+                                return brcmf_fwname_data[i].nv;
-                                break;
                        default:
                                brcmf_err("invalid firmware type (%d)\n", type);
                                return NULL;
                        }
-                        goto found;
                }
        }
        brcmf_err("Unknown chipid %d [%d]\n",
-                  bus->ci->chip, bus->ci->chiprev);
+                  ci->chip, ci->chiprev);
        return NULL;
-found:
-        err = request_firmware(&fw, name, &bus->sdiodev->func[2]->dev);
-        if ((err) || (!fw)) {
-                brcmf_err("fail to request firmware %s (%d)\n", name, err);
-                return NULL;
-        }
-        return fw;
 }
 static void pkt_align(struct sk_buff *p, int len, int align)
@@ -3278,20 +3263,13 @@ static int brcmf_sdio_download_code_file(struct brcmf_sdio *bus,
 }
 static int brcmf_sdio_download_nvram(struct brcmf_sdio *bus,
-                                     const struct firmware *nv)
+                                     void *vars, u32 varsz)
 {
-        void *vars;
-        u32 varsz;
        int address;
        int err;
        brcmf_dbg(TRACE, "Enter\n");
-        vars = brcmf_nvram_strip(nv, &varsz);
-        if (vars == NULL)
-                return -EINVAL;
        address = bus->ci->ramsize - varsz + bus->ci->rambase;
        err = brcmf_sdiod_ramrw(bus->sdiodev, true, address, vars, varsz);
        if (err)
@@ -3300,15 +3278,14 @@ static int brcmf_sdio_download_nvram(struct brcmf_sdio *bus,
        else if (!brcmf_sdio_verifymemory(bus->sdiodev, address, vars, varsz))
                err = -EIO;
-        brcmf_nvram_free(vars);
        return err;
 }
-static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
+static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
+                                        const struct firmware *fw,
+                                        void *nvram, u32 nvlen)
 {
        int bcmerror = -EFAULT;
-        const struct firmware *fw;
        u32 rstvec;
        sdio_claim_host(bus->sdiodev->func[1]);
@@ -3317,12 +3294,6 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
        /* Keep arm in reset */
        brcmf_chip_enter_download(bus->ci);
-        fw = brcmf_sdio_get_fw(bus, BRCMF_FIRMWARE_BIN);
-        if (fw == NULL) {
-                bcmerror = -ENOENT;
-                goto err;
-        }
        rstvec = get_unaligned_le32(fw->data);
        brcmf_dbg(SDIO, "firmware rstvec: %x\n", rstvec);
@@ -3330,17 +3301,12 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
        release_firmware(fw);
        if (bcmerror) {
                brcmf_err("dongle image file download failed\n");
+                brcmf_fw_nvram_free(nvram);
                goto err;
        }
-        fw = brcmf_sdio_get_fw(bus, BRCMF_FIRMWARE_NVRAM);
+        bcmerror = brcmf_sdio_download_nvram(bus, nvram, nvlen);
-        if (fw == NULL) {
+        brcmf_fw_nvram_free(nvram);
-                bcmerror = -ENOENT;
-                goto err;
-        }
-        bcmerror = brcmf_sdio_download_nvram(bus, fw);
-        release_firmware(fw);
        if (bcmerror) {
                brcmf_err("dongle nvram file download failed\n");
                goto err;
@@ -3490,97 +3456,6 @@ done:
        return err;
 }
-static int brcmf_sdio_bus_init(struct device *dev)
-{
-        struct brcmf_bus *bus_if = dev_get_drvdata(dev);
-        struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
-        struct brcmf_sdio *bus = sdiodev->bus;
-        int err, ret = 0;
-        u8 saveclk;
-        brcmf_dbg(TRACE, "Enter\n");
-        /* try to download image and nvram to the dongle */
-        if (bus_if->state == BRCMF_BUS_DOWN) {
-                bus->alp_only = true;
-                err = brcmf_sdio_download_firmware(bus);
-                if (err)
-                        return err;
-                bus->alp_only = false;
-        }
-        if (!bus->sdiodev->bus_if->drvr)
-                return 0;
-        /* Start the watchdog timer */
-        bus->sdcnt.tickcnt = 0;
-        brcmf_sdio_wd_timer(bus, BRCMF_WD_POLL_MS);
-        sdio_claim_host(bus->sdiodev->func[1]);
-        /* Make sure backplane clock is on, needed to generate F2 interrupt */
-        brcmf_sdio_clkctl(bus, CLK_AVAIL, false);
-        if (bus->clkstate != CLK_AVAIL)
-                goto exit;
-        /* Force clocks on backplane to be sure F2 interrupt propagates */
-        saveclk = brcmf_sdiod_regrb(bus->sdiodev,
-                                    SBSDIO_FUNC1_CHIPCLKCSR, &err);
-        if (!err) {
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
-                                  (saveclk | SBSDIO_FORCE_HT), &err);
-        }
-        if (err) {
-                brcmf_err("Failed to force clock for F2: err %d\n", err);
-                goto exit;
-        }
-        /* Enable function 2 (frame transfers) */
-        w_sdreg32(bus, SDPCM_PROT_VERSION << SMB_DATA_VERSION_SHIFT,
-                  offsetof(struct sdpcmd_regs, tosbmailboxdata));
-        err = sdio_enable_func(bus->sdiodev->func[SDIO_FUNC_2]);
-        brcmf_dbg(INFO, "enable F2: err=%d\n", err);
-        /* If F2 successfully enabled, set core and enable interrupts */
-        if (!err) {
-                /* Set up the interrupt mask and enable interrupts */
-                bus->hostintmask = HOSTINTMASK;
-                w_sdreg32(bus, bus->hostintmask,
-                          offsetof(struct sdpcmd_regs, hostintmask));
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_WATERMARK, 8, &err);
-        } else {
-                /* Disable F2 again */
-                sdio_disable_func(bus->sdiodev->func[SDIO_FUNC_2]);
-                ret = -ENODEV;
-        }
-        if (brcmf_chip_sr_capable(bus->ci)) {
-                brcmf_sdio_sr_init(bus);
-        } else {
-                /* Restore previous clock setting */
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
-                                  saveclk, &err);
-        }
-        if (ret == 0) {
-                ret = brcmf_sdiod_intr_register(bus->sdiodev);
-                if (ret != 0)
-                        brcmf_err("intr register failed:%d\n", ret);
-        }
-        /* If we didn't come up, turn off backplane clock */
-        if (ret != 0)
-                brcmf_sdio_clkctl(bus, CLK_NONE, false);
-exit:
-        sdio_release_host(bus->sdiodev->func[1]);
-        return ret;
-}
 void brcmf_sdio_isr(struct brcmf_sdio *bus)
 {
        brcmf_dbg(TRACE, "Enter\n");
@@ -4020,13 +3895,114 @@ brcmf_sdio_watchdog(unsigned long data)
 static struct brcmf_bus_ops brcmf_sdio_bus_ops = {
        .stop = brcmf_sdio_bus_stop,
        .preinit = brcmf_sdio_bus_preinit,
-        .init = brcmf_sdio_bus_init,
        .txdata = brcmf_sdio_bus_txdata,
        .txctl = brcmf_sdio_bus_txctl,
        .rxctl = brcmf_sdio_bus_rxctl,
        .gettxq = brcmf_sdio_bus_gettxq,
 };
+static void brcmf_sdio_firmware_callback(struct device *dev,
+                                         const struct firmware *code,
+                                         void *nvram, u32 nvram_len)
+{
+        struct brcmf_bus *bus_if = dev_get_drvdata(dev);
+        struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
+        struct brcmf_sdio *bus = sdiodev->bus;
+        int err = 0;
+        u8 saveclk;
+        brcmf_dbg(TRACE, "Enter: dev=%s\n", dev_name(dev));
+        /* try to download image and nvram to the dongle */
+        if (bus_if->state == BRCMF_BUS_DOWN) {
+                bus->alp_only = true;
+                err = brcmf_sdio_download_firmware(bus, code, nvram, nvram_len);
+                if (err)
+                        goto fail;
+                bus->alp_only = false;
+        }
+        if (!bus_if->drvr)
+                return;
+        /* Start the watchdog timer */
+        bus->sdcnt.tickcnt = 0;
+        brcmf_sdio_wd_timer(bus, BRCMF_WD_POLL_MS);
+        sdio_claim_host(sdiodev->func[1]);
+        /* Make sure backplane clock is on, needed to generate F2 interrupt */
+        brcmf_sdio_clkctl(bus, CLK_AVAIL, false);
+        if (bus->clkstate != CLK_AVAIL)
+                goto release;
+        /* Force clocks on backplane to be sure F2 interrupt propagates */
+        saveclk = brcmf_sdiod_regrb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR, &err);
+        if (!err) {
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
+                                  (saveclk | SBSDIO_FORCE_HT), &err);
+        }
+        if (err) {
+                brcmf_err("Failed to force clock for F2: err %d\n", err);
+                goto release;
+        }
+        /* Enable function 2 (frame transfers) */
+        w_sdreg32(bus, SDPCM_PROT_VERSION << SMB_DATA_VERSION_SHIFT,
+                  offsetof(struct sdpcmd_regs, tosbmailboxdata));
+        err = sdio_enable_func(sdiodev->func[SDIO_FUNC_2]);
+        brcmf_dbg(INFO, "enable F2: err=%d\n", err);
+        /* If F2 successfully enabled, set core and enable interrupts */
+        if (!err) {
+                /* Set up the interrupt mask and enable interrupts */
+                bus->hostintmask = HOSTINTMASK;
+                w_sdreg32(bus, bus->hostintmask,
+                          offsetof(struct sdpcmd_regs, hostintmask));
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_WATERMARK, 8, &err);
+        } else {
+                /* Disable F2 again */
+                sdio_disable_func(sdiodev->func[SDIO_FUNC_2]);
+                goto release;
+        }
+        if (brcmf_chip_sr_capable(bus->ci)) {
+                brcmf_sdio_sr_init(bus);
+        } else {
+                /* Restore previous clock setting */
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
+                                  saveclk, &err);
+        }
+        if (err == 0) {
+                err = brcmf_sdiod_intr_register(sdiodev);
+                if (err != 0)
+                        brcmf_err("intr register failed:%d\n", err);
+        }
+        /* If we didn't come up, turn off backplane clock */
+        if (err != 0)
+                brcmf_sdio_clkctl(bus, CLK_NONE, false);
+        sdio_release_host(sdiodev->func[1]);
+        err = brcmf_bus_start(dev);
+        if (err != 0) {
+                brcmf_err("dongle is not responding\n");
+                goto fail;
+        }
+        return;
+release:
+        sdio_release_host(sdiodev->func[1]);
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
+        device_release_driver(dev);
+}
 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
 {
        int ret;
@@ -4110,8 +4086,13 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
                goto fail;
        }
+        /* Query the F2 block size, set roundup accordingly */
+        bus->blocksize = bus->sdiodev->func[2]->cur_blksize;
+        bus->roundup = min(max_roundup, bus->blocksize);
        /* Allocate buffers */
        if (bus->sdiodev->bus_if->maxctl) {
+                bus->sdiodev->bus_if->maxctl += bus->roundup;
                bus->rxblen =
                    roundup((bus->sdiodev->bus_if->maxctl + SDPCM_HDRLEN),
                            ALIGNMENT) + bus->head_align;
@@ -4139,10 +4120,6 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
        bus->idletime = BRCMF_IDLE_INTERVAL;
        bus->idleclock = BRCMF_IDLE_ACTIVE;
-        /* Query the F2 block size, set roundup accordingly */
-        bus->blocksize = bus->sdiodev->func[2]->cur_blksize;
-        bus->roundup = min(max_roundup, bus->blocksize);
        /* SR state */
        bus->sleeping = false;
        bus->sr_enabled = false;
@@ -4150,10 +4127,14 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
        brcmf_sdio_debugfs_create(bus);
        brcmf_dbg(INFO, "completed!!\n");
-        /* if firmware path present try to download and bring up bus */
+        ret = brcmf_fw_get_firmwares(sdiodev->dev, BRCMF_FW_REQUEST_NVRAM,
-        ret = brcmf_bus_start(bus->sdiodev->dev);
+                                     brcmf_sdio_get_fwname(bus->ci,
+                                                           BRCMF_FIRMWARE_BIN),
+                                     brcmf_sdio_get_fwname(bus->ci,
+                                                           BRCMF_FIRMWARE_NVRAM),
+                                     brcmf_sdio_firmware_callback);
        if (ret != 0) {
-                brcmf_err("dongle is not responding\n");
+                brcmf_err("async firmware request failed: %d\n", ret);
                goto fail;
        }
@@ -4173,9 +4154,7 @@ void brcmf_sdio_remove(struct brcmf_sdio *bus)
                /* De-register interrupt handler */
                brcmf_sdiod_intr_unregister(bus->sdiodev);
-                if (bus->sdiodev->bus_if->drvr) {
+                brcmf_detach(bus->sdiodev->dev);
-                        brcmf_detach(bus->sdiodev->dev);
-                }
                cancel_work_sync(&bus->datawork);
                if (bus->brcmf_wq)
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/nvram.c b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
index 5c450d11dbc9..7b7d237c1ddb 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/nvram.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
@@ -16,10 +16,11 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <linux/device.h>
 #include <linux/firmware.h>
 #include "dhd_dbg.h"
-#include "nvram.h"
+#include "firmware.h"
 enum nvram_parser_state {
        IDLE,
@@ -187,7 +188,7 @@ static int brcmf_init_nvram_parser(struct nvram_parser *nvp,
 * and converts newlines to NULs. Shortens buffer as needed and pads with NULs.
 * End of buffer is completed with token identifying length of buffer.
 */
-void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length)
+static void *brcmf_fw_nvram_strip(const struct firmware *nv, u32 *new_length)
 {
        struct nvram_parser nvp;
        u32 pad;
@@ -219,8 +220,113 @@ void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length)
        return nvp.nvram;
 }
-void brcmf_nvram_free(void *nvram)
+void brcmf_fw_nvram_free(void *nvram)
 {
        kfree(nvram);
 }
+struct brcmf_fw {
+        struct device *dev;
+        u16 flags;
+        const struct firmware *code;
+        const char *nvram_name;
+        void (*done)(struct device *dev, const struct firmware *fw,
+                     void *nvram_image, u32 nvram_len);
+};
+static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx)
+{
+        struct brcmf_fw *fwctx = ctx;
+        u32 nvram_length = 0;
+        void *nvram = NULL;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(fwctx->dev));
+        if (!fw && !(fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL))
+                goto fail;
+        if (fw) {
+                nvram = brcmf_fw_nvram_strip(fw, &nvram_length);
+                release_firmware(fw);
+                if (!nvram && !(fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL))
+                        goto fail;
+        }
+        fwctx->done(fwctx->dev, fwctx->code, nvram, nvram_length);
+        kfree(fwctx);
+        return;
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
+        if (fwctx->code)
+                release_firmware(fwctx->code);
+        device_release_driver(fwctx->dev);
+        kfree(fwctx);
+}
+static void brcmf_fw_request_code_done(const struct firmware *fw, void *ctx)
+{
+        struct brcmf_fw *fwctx = ctx;
+        int ret;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(fwctx->dev));
+        if (!fw)
+                goto fail;
+        /* only requested code so done here */
+        if (!(fwctx->flags & BRCMF_FW_REQUEST_NVRAM)) {
+                fwctx->done(fwctx->dev, fw, NULL, 0);
+                kfree(fwctx);
+                return;
+        }
+        fwctx->code = fw;
+        ret = request_firmware_nowait(THIS_MODULE, true, fwctx->nvram_name,
+                                      fwctx->dev, GFP_KERNEL, fwctx,
+                                      brcmf_fw_request_nvram_done);
+        if (!ret)
+                return;
+        /* when nvram is optional call .done() callback here */
+        if (fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL) {
+                fwctx->done(fwctx->dev, fw, NULL, 0);
+                kfree(fwctx);
+                return;
+        }
+        /* failed nvram request */
+        release_firmware(fw);
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
+        device_release_driver(fwctx->dev);
+        kfree(fwctx);
+}
+int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
+                           const char *code, const char *nvram,
+                           void (*fw_cb)(struct device *dev,
+                                         const struct firmware *fw,
+                                         void *nvram_image, u32 nvram_len))
+{
+        struct brcmf_fw *fwctx;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+        if (!fw_cb || !code)
+                return -EINVAL;
+        if ((flags & BRCMF_FW_REQUEST_NVRAM) && !nvram)
+                return -EINVAL;
+        fwctx = kzalloc(sizeof(*fwctx), GFP_KERNEL);
+        if (!fwctx)
+                return -ENOMEM;
+        fwctx->dev = dev;
+        fwctx->flags = flags;
+        fwctx->done = fw_cb;
+        if (flags & BRCMF_FW_REQUEST_NVRAM)
+                fwctx->nvram_name = nvram;
+        return request_firmware_nowait(THIS_MODULE, true, code, dev,
+                                       GFP_KERNEL, fwctx,
+                                       brcmf_fw_request_code_done);
+}
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/nvram.h b/drivers/net/wireless/brcm80211/brcmfmac/firmware.h
index d454580928c9..6431bfd7afff 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/nvram.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.h
@@ -13,12 +13,24 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifndef BRCMFMAC_NVRAM_H
+#ifndef BRCMFMAC_FIRMWARE_H
-#define BRCMFMAC_NVRAM_H
+#define BRCMFMAC_FIRMWARE_H
+#define BRCMF_FW_REQUEST                0x000F
+#define  BRCMF_FW_REQUEST_NVRAM         0x0001
+#define BRCMF_FW_REQ_FLAGS              0x00F0
+#define  BRCMF_FW_REQ_NV_OPTIONAL       0x0010
-void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length);
+void brcmf_fw_nvram_free(void *nvram);
-void brcmf_nvram_free(void *nvram);
+/*
+ * Request firmware(s) asynchronously. When the asynchronous request
+ * fails it will not use the callback, but call device_release_driver()
+ * instead which will call the driver .remove() callback.
+ */
+int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
+                           const char *code, const char *nvram,
+                           void (*fw_cb)(struct device *dev,
+                                         const struct firmware *fw,
+                                         void *nvram_image, u32 nvram_len));
-#endif /* BRCMFMAC_NVRAM_H */
+#endif /* BRCMFMAC_FIRMWARE_H */
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
index 3ce0e7cfd027..6db51a666f61 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -25,6 +25,7 @@
 #include <dhd_bus.h>
 #include <dhd_dbg.h>
+#include "firmware.h"
 #include "usb_rdl.h"
 #include "usb.h"
@@ -61,12 +62,6 @@ struct brcmf_usb_image {
        u8 *image;
        int image_len;
 };
-static struct list_head fw_image_list;
-struct intr_transfer_buf {
-        u32 notification;
-        u32 reserved;
-};
 struct brcmf_usbdev_info {
        struct brcmf_usbdev bus_pub; /* MUST BE FIRST */
@@ -75,7 +70,7 @@ struct brcmf_usbdev_info {
        struct list_head rx_postq;
        struct list_head tx_freeq;
        struct list_head tx_postq;
-        uint rx_pipe, tx_pipe, intr_pipe, rx_pipe2;
+        uint rx_pipe, tx_pipe, rx_pipe2;
        int rx_low_watermark;
        int tx_low_watermark;
@@ -87,7 +82,7 @@ struct brcmf_usbdev_info {
        struct brcmf_usbreq *tx_reqs;
        struct brcmf_usbreq *rx_reqs;
-        u8 *image;      /* buffer for combine fw and nvram */
+        const u8 *image;        /* buffer for combine fw and nvram */
        int image_len;
        struct usb_device *usbdev;
@@ -104,10 +99,6 @@ struct brcmf_usbdev_info {
        ulong ctl_op;
        struct urb *bulk_urb; /* used for FW download */
-        struct urb *intr_urb; /* URB for interrupt endpoint */
-        int intr_size;          /* Size of interrupt message */
-        int interval;           /* Interrupt polling interval */
-        struct intr_transfer_buf intr; /* Data buffer for interrupt endpoint */
 };
 static void brcmf_usb_rx_refill(struct brcmf_usbdev_info *devinfo,
@@ -531,39 +522,6 @@ brcmf_usb_state_change(struct brcmf_usbdev_info *devinfo, int state)
        }
 }
-static void
-brcmf_usb_intr_complete(struct urb *urb)
-{
-        struct brcmf_usbdev_info *devinfo =
-                        (struct brcmf_usbdev_info *)urb->context;
-        int err;
-        brcmf_dbg(USB, "Enter, urb->status=%d\n", urb->status);
-        if (devinfo == NULL)
-                return;
-        if (unlikely(urb->status)) {
-                if (urb->status == -ENOENT ||
-                    urb->status == -ESHUTDOWN ||
-                    urb->status == -ENODEV) {
-                        brcmf_usb_state_change(devinfo,
-                                               BRCMFMAC_USB_STATE_DOWN);
-                }
-        }
-        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_DOWN) {
-                brcmf_err("intr cb when DBUS down, ignoring\n");
-                return;
-        }
-        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP) {
-                err = usb_submit_urb(devinfo->intr_urb, GFP_ATOMIC);
-                if (err)
-                        brcmf_err("usb_submit_urb, err=%d\n", err);
-        }
-}
 static int brcmf_usb_tx(struct device *dev, struct sk_buff *skb)
 {
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(dev);
@@ -619,7 +577,6 @@ static int brcmf_usb_up(struct device *dev)
 {
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(dev);
        u16 ifnum;
-        int ret;
        brcmf_dbg(USB, "Enter\n");
        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP)
@@ -628,23 +585,6 @@ static int brcmf_usb_up(struct device *dev)
        /* Success, indicate devinfo is fully up */
        brcmf_usb_state_change(devinfo, BRCMFMAC_USB_STATE_UP);
-        if (devinfo->intr_urb) {
-                usb_fill_int_urb(devinfo->intr_urb, devinfo->usbdev,
-                        devinfo->intr_pipe,
-                        &devinfo->intr,
-                        devinfo->intr_size,
-                        (usb_complete_t)brcmf_usb_intr_complete,
-                        devinfo,
-                        devinfo->interval);
-                ret = usb_submit_urb(devinfo->intr_urb, GFP_ATOMIC);
-                if (ret) {
-                        brcmf_err("USB_SUBMIT_URB failed with status %d\n",
-                                  ret);
-                        return -EINVAL;
-                }
-        }
        if (devinfo->ctl_urb) {
                devinfo->ctl_in_pipe = usb_rcvctrlpipe(devinfo->usbdev, 0);
                devinfo->ctl_out_pipe = usb_sndctrlpipe(devinfo->usbdev, 0);
@@ -681,8 +621,6 @@ static void brcmf_usb_down(struct device *dev)
                return;
        brcmf_usb_state_change(devinfo, BRCMFMAC_USB_STATE_DOWN);
-        if (devinfo->intr_urb)
-                usb_kill_urb(devinfo->intr_urb);
        if (devinfo->ctl_urb)
                usb_kill_urb(devinfo->ctl_urb);
@@ -1021,7 +959,7 @@ brcmf_usb_fw_download(struct brcmf_usbdev_info *devinfo)
        }
        err = brcmf_usb_dlstart(devinfo,
-                devinfo->image, devinfo->image_len);
+                (u8 *)devinfo->image, devinfo->image_len);
        if (err == 0)
                err = brcmf_usb_dlrun(devinfo);
        return err;
@@ -1036,7 +974,6 @@ static void brcmf_usb_detach(struct brcmf_usbdev_info *devinfo)
        brcmf_usb_free_q(&devinfo->rx_freeq, false);
        brcmf_usb_free_q(&devinfo->tx_freeq, false);
-        usb_free_urb(devinfo->intr_urb);
        usb_free_urb(devinfo->ctl_urb);
        usb_free_urb(devinfo->bulk_urb);
@@ -1080,68 +1017,20 @@ static int check_file(const u8 *headers)
        return -1;
 }
-static int brcmf_usb_get_fw(struct brcmf_usbdev_info *devinfo)
+static const char *brcmf_usb_get_fwname(struct brcmf_usbdev_info *devinfo)
 {
-        s8 *fwname;
-        const struct firmware *fw;
-        struct brcmf_usb_image *fw_image;
-        int err;
-        brcmf_dbg(USB, "Enter\n");
        switch (devinfo->bus_pub.devid) {
        case 43143:
-                fwname = BRCMF_USB_43143_FW_NAME;
+                return BRCMF_USB_43143_FW_NAME;
-                break;
        case 43235:
        case 43236:
        case 43238:
-                fwname = BRCMF_USB_43236_FW_NAME;
+                return BRCMF_USB_43236_FW_NAME;
-                break;
        case 43242:
-                fwname = BRCMF_USB_43242_FW_NAME;
+                return BRCMF_USB_43242_FW_NAME;
-                break;
        default:
-                return -EINVAL;
+                return NULL;
-                break;
-        }
-        brcmf_dbg(USB, "Loading FW %s\n", fwname);
-        list_for_each_entry(fw_image, &fw_image_list, list) {
-                if (fw_image->fwname == fwname) {
-                        devinfo->image = fw_image->image;
-                        devinfo->image_len = fw_image->image_len;
-                        return 0;
-                }
-        }
-        /* fw image not yet loaded. Load it now and add to list */
-        err = request_firmware(&fw, fwname, devinfo->dev);
-        if (!fw) {
-                brcmf_err("fail to request firmware %s\n", fwname);
-                return err;
-        }
-        if (check_file(fw->data) < 0) {
-                brcmf_err("invalid firmware %s\n", fwname);
-                return -EINVAL;
        }
-        fw_image = kzalloc(sizeof(*fw_image), GFP_ATOMIC);
-        if (!fw_image)
-                return -ENOMEM;
-        INIT_LIST_HEAD(&fw_image->list);
-        list_add_tail(&fw_image->list, &fw_image_list);
-        fw_image->fwname = fwname;
-        fw_image->image = vmalloc(fw->size);
-        if (!fw_image->image)
-                return -ENOMEM;
-        memcpy(fw_image->image, fw->data, fw->size);
-        fw_image->image_len = fw->size;
-        release_firmware(fw);
-        devinfo->image = fw_image->image;
-        devinfo->image_len = fw_image->image_len;
-        return 0;
 }
@@ -1186,11 +1075,6 @@ struct brcmf_usbdev *brcmf_usb_attach(struct brcmf_usbdev_info *devinfo,
                goto error;
        devinfo->tx_freecount = ntxq;
-        devinfo->intr_urb = usb_alloc_urb(0, GFP_ATOMIC);
-        if (!devinfo->intr_urb) {
-                brcmf_err("usb_alloc_urb (intr) failed\n");
-                goto error;
-        }
        devinfo->ctl_urb = usb_alloc_urb(0, GFP_ATOMIC);
        if (!devinfo->ctl_urb) {
                brcmf_err("usb_alloc_urb (ctl) failed\n");
@@ -1202,16 +1086,6 @@ struct brcmf_usbdev *brcmf_usb_attach(struct brcmf_usbdev_info *devinfo,
                goto error;
        }
-        if (!brcmf_usb_dlneeded(devinfo))
-                return &devinfo->bus_pub;
-        brcmf_dbg(USB, "Start fw downloading\n");
-        if (brcmf_usb_get_fw(devinfo))
-                goto error;
-        if (brcmf_usb_fw_download(devinfo))
-                goto error;
        return &devinfo->bus_pub;
 error:
@@ -1222,18 +1096,77 @@ error:
 static struct brcmf_bus_ops brcmf_usb_bus_ops = {
        .txdata = brcmf_usb_tx,
-        .init = brcmf_usb_up,
        .stop = brcmf_usb_down,
        .txctl = brcmf_usb_tx_ctlpkt,
        .rxctl = brcmf_usb_rx_ctlpkt,
 };
+static int brcmf_usb_bus_setup(struct brcmf_usbdev_info *devinfo)
+{
+        int ret;
+        /* Attach to the common driver interface */
+        ret = brcmf_attach(devinfo->dev);
+        if (ret) {
+                brcmf_err("brcmf_attach failed\n");
+                return ret;
+        }
+        ret = brcmf_usb_up(devinfo->dev);
+        if (ret)
+                goto fail;
+        ret = brcmf_bus_start(devinfo->dev);
+        if (ret)
+                goto fail;
+        return 0;
+fail:
+        brcmf_detach(devinfo->dev);
+        return ret;
+}
+static void brcmf_usb_probe_phase2(struct device *dev,
+                                   const struct firmware *fw,
+                                   void *nvram, u32 nvlen)
+{
+        struct brcmf_bus *bus = dev_get_drvdata(dev);
+        struct brcmf_usbdev_info *devinfo;
+        int ret;
+        brcmf_dbg(USB, "Start fw downloading\n");
+        ret = check_file(fw->data);
+        if (ret < 0) {
+                brcmf_err("invalid firmware\n");
+                release_firmware(fw);
+                goto error;
+        }
+        devinfo = bus->bus_priv.usb->devinfo;
+        devinfo->image = fw->data;
+        devinfo->image_len = fw->size;
+        ret = brcmf_usb_fw_download(devinfo);
+        release_firmware(fw);
+        if (ret)
+                goto error;
+        ret = brcmf_usb_bus_setup(devinfo);
+        if (ret)
+                goto error;
+        return;
+error:
+        brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+        device_release_driver(dev);
+}
 static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
 {
        struct brcmf_bus *bus = NULL;
        struct brcmf_usbdev *bus_pub = NULL;
-        int ret;
        struct device *dev = devinfo->dev;
+        int ret;
        brcmf_dbg(USB, "Enter\n");
        bus_pub = brcmf_usb_attach(devinfo, BRCMF_USB_NRXQ, BRCMF_USB_NTXQ);
@@ -1256,21 +1189,16 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
        bus->proto_type = BRCMF_PROTO_BCDC;
        bus->always_use_fws_queue = true;
-        /* Attach to the common driver interface */
+        if (!brcmf_usb_dlneeded(devinfo)) {
-        ret = brcmf_attach(dev);
+                ret = brcmf_usb_bus_setup(devinfo);
-        if (ret) {
+                if (ret)
-                brcmf_err("brcmf_attach failed\n");
+                        goto fail;
-                goto fail;
-        }
-        ret = brcmf_bus_start(dev);
-        if (ret) {
-                brcmf_err("dongle is not responding\n");
-                brcmf_detach(dev);
-                goto fail;
        }
+        /* request firmware here */
+        brcmf_fw_get_firmwares(dev, 0, brcmf_usb_get_fwname(devinfo), NULL,
+                               brcmf_usb_probe_phase2);
        return 0;
 fail:
        /* Release resources in reverse order */
        kfree(bus);
@@ -1358,9 +1286,6 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
                goto fail;
        }
-        endpoint_num = endpoint->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
-        devinfo->intr_pipe = usb_rcvintpipe(usb, endpoint_num);
        devinfo->rx_pipe = 0;
        devinfo->rx_pipe2 = 0;
        devinfo->tx_pipe = 0;
@@ -1392,16 +1317,9 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
                }
        }
-        /* Allocate interrupt URB and data buffer */
+        if (usb->speed == USB_SPEED_SUPER)
-        /* RNDIS says 8-byte intr, our old drivers used 4-byte */
+                brcmf_dbg(USB, "Broadcom super speed USB wireless device detected\n");
-        if (IFEPDESC(usb, CONTROL_IF, 0).wMaxPacketSize == cpu_to_le16(16))
+        else if (usb->speed == USB_SPEED_HIGH)
-                devinfo->intr_size = 8;
-        else
-                devinfo->intr_size = 4;
-        devinfo->interval = IFEPDESC(usb, CONTROL_IF, 0).bInterval;
-        if (usb->speed == USB_SPEED_HIGH)
                brcmf_dbg(USB, "Broadcom high speed USB wireless device detected\n");
        else
                brcmf_dbg(USB, "Broadcom full speed USB wireless device detected\n");
@@ -1456,23 +1374,18 @@ static int brcmf_usb_resume(struct usb_interface *intf)
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(&usb->dev);
        brcmf_dbg(USB, "Enter\n");
-        if (!brcmf_attach(devinfo->dev))
+        return brcmf_usb_bus_setup(devinfo);
-                return brcmf_bus_start(&usb->dev);
-        return 0;
 }
 static int brcmf_usb_reset_resume(struct usb_interface *intf)
 {
        struct usb_device *usb = interface_to_usbdev(intf);
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(&usb->dev);
        brcmf_dbg(USB, "Enter\n");
-        if (!brcmf_usb_fw_download(devinfo))
+        return brcmf_fw_get_firmwares(&usb->dev, 0,
-                return brcmf_usb_resume(intf);
+                                      brcmf_usb_get_fwname(devinfo), NULL,
+                                      brcmf_usb_probe_phase2);
-        return -EIO;
 }
 #define BRCMF_USB_VENDOR_ID_BROADCOM    0x0a5c
@@ -1507,16 +1420,6 @@ static struct usb_driver brcmf_usbdrvr = {
        .disable_hub_initiated_lpm = 1,
 };
-static void brcmf_release_fw(struct list_head *q)
-{
-        struct brcmf_usb_image *fw_image, *next;
-        list_for_each_entry_safe(fw_image, next, q, list) {
-                vfree(fw_image->image);
-                list_del_init(&fw_image->list);
-        }
-}
 static int brcmf_usb_reset_device(struct device *dev, void *notused)
 {
        /* device past is the usb interface so we
@@ -1535,12 +1438,10 @@ void brcmf_usb_exit(void)
        ret = driver_for_each_device(drv, NULL, NULL,
                                     brcmf_usb_reset_device);
        usb_deregister(&brcmf_usbdrvr);
-        brcmf_release_fw(&fw_image_list);
 }
 void brcmf_usb_register(void)
 {
        brcmf_dbg(USB, "Enter\n");
-        INIT_LIST_HEAD(&fw_image_list);
        usb_register(&brcmf_usbdrvr);
 }
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 92cb29a2003f..d8fa276e368b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -341,8 +341,8 @@ static u8 brcmf_mw_to_qdbm(u16 mw)
        return qdbm;
 }
-u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
+static u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
-                        struct cfg80211_chan_def *ch)
+                               struct cfg80211_chan_def *ch)
 {
        struct brcmu_chan ch_inf;
        s32 primary_offset;
@@ -640,6 +640,9 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
                if (err)
                        brcmf_err("Scan abort  failed\n");
        }
+        brcmf_set_mpc(ifp, 1);
        /*
         * e-scan can be initiated by scheduled scan
         * which takes precedence.
@@ -649,12 +652,10 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
                cfg->sched_escan = false;
                if (!aborted)
                        cfg80211_sched_scan_results(cfg_to_wiphy(cfg));
-                brcmf_set_mpc(ifp, 1);
        } else if (scan_request) {
                brcmf_dbg(SCAN, "ESCAN Completed scan: %s\n",
                          aborted ? "Aborted" : "Done");
                cfg80211_scan_done(scan_request, aborted);
-                brcmf_set_mpc(ifp, 1);
        }
        if (!test_and_clear_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status))
                brcmf_dbg(SCAN, "Scan complete, probably P2P scan\n");
@@ -3178,7 +3179,7 @@ brcmf_cfg80211_sched_scan_start(struct wiphy *wiphy,
        }
        if (!request->n_ssids || !request->n_match_sets) {
-                brcmf_err("Invalid sched scan req!! n_ssids:%d\n",
+                brcmf_dbg(SCAN, "Invalid sched scan req!! n_ssids:%d\n",
                          request->n_ssids);
                return -EINVAL;
        }
diff --git a/drivers/net/wireless/brcm80211/brcmutil/d11.c b/drivers/net/wireless/brcm80211/brcmutil/d11.c
index 6cbc33d0fc19..2b2522bdd8eb 100644
--- a/drivers/net/wireless/brcm80211/brcmutil/d11.c
+++ b/drivers/net/wireless/brcm80211/brcmutil/d11.c
@@ -54,6 +54,7 @@ static void brcmu_d11n_encchspec(struct brcmu_chan *ch)
        if (ch->bw == BRCMU_CHAN_BW_20)
                ch->sb = BRCMU_CHAN_SB_NONE;
+        ch->chspec = 0;
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_CH_MASK,
                        BRCMU_CHSPEC_CH_SHIFT, ch->chnum);
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_D11N_SB_MASK,
@@ -61,7 +62,6 @@ static void brcmu_d11n_encchspec(struct brcmu_chan *ch)
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_D11N_BW_MASK,
                        0, d11n_bw(ch->bw));
-        ch->chspec &= ~BRCMU_CHSPEC_D11N_BND_MASK;
        if (ch->chnum <= CH_MAX_2G_CHANNEL)
                ch->chspec |= BRCMU_CHSPEC_D11N_BND_2G;
        else
diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h
index 42eaeda1dc82..3175dd04834b 100644
--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
@@ -405,7 +405,7 @@ enum P2P_MODES {
 #define HS_CFG_CANCEL                   0xffffffff
 #define HS_CFG_COND_DEF                 0x00000000
 #define HS_CFG_GPIO_DEF                 0xff
-#define HS_CFG_GAP_DEF                  0
+#define HS_CFG_GAP_DEF                  0xff
 #define HS_CFG_COND_BROADCAST_DATA      0x00000001
 #define HS_CFG_COND_UNICAST_DATA        0x00000002
 #define HS_CFG_COND_MAC_EVENT           0x00000004
diff --git a/drivers/net/wireless/mwifiex/main.h b/drivers/net/wireless/mwifiex/main.h
index 3f25feb1508e..1398afa84064 100644
--- a/drivers/net/wireless/mwifiex/main.h
+++ b/drivers/net/wireless/mwifiex/main.h
@@ -1099,7 +1099,7 @@ mwifiex_11h_get_csa_closed_channel(struct mwifiex_private *priv)
                return 0;
        /* Clear csa channel, if DFS channel move time has passed */
-        if (jiffies > priv->csa_expire_time) {
+        if (time_after(jiffies, priv->csa_expire_time)) {
                priv->csa_chan = 0;
                priv->csa_expire_time = 0;
        }
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index d75f4ebd4bdc..45c5b3450cf5 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1738,6 +1738,19 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
        return 0;
 }
+static void mwifiex_complete_scan(struct mwifiex_private *priv)
+{
+        struct mwifiex_adapter *adapter = priv->adapter;
+        if (adapter->curr_cmd->wait_q_enabled) {
+                adapter->cmd_wait_q.status = 0;
+                if (!priv->scan_request) {
+                        dev_dbg(adapter->dev, "complete internal scan\n");
+                        mwifiex_complete_cmd(adapter, adapter->curr_cmd);
+                }
+        }
+}
 static void mwifiex_check_next_scan_command(struct mwifiex_private *priv)
 {
        struct mwifiex_adapter *adapter = priv->adapter;
@@ -1751,16 +1764,9 @@ static void mwifiex_check_next_scan_command(struct mwifiex_private *priv)
                adapter->scan_processing = false;
                spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
-                /* Need to indicate IOCTL complete */
+                if (!adapter->ext_scan)
-                if (adapter->curr_cmd->wait_q_enabled) {
+                        mwifiex_complete_scan(priv);
-                        adapter->cmd_wait_q.status = 0;
-                        if (!priv->scan_request) {
-                                dev_dbg(adapter->dev,
-                                        "complete internal scan\n");
-                                mwifiex_complete_cmd(adapter,
-                                                     adapter->curr_cmd);
-                        }
-                }
                if (priv->report_scan_result)
                        priv->report_scan_result = false;
@@ -1965,6 +1971,9 @@ int mwifiex_cmd_802_11_scan_ext(struct mwifiex_private *priv,
 int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv)
 {
        dev_dbg(priv->adapter->dev, "info: EXT scan returns successfully\n");
+        mwifiex_complete_scan(priv);
        return 0;
 }
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index 6d9738a5dc31..d3671d009f6c 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -163,6 +163,7 @@ void mwifiex_ralist_add(struct mwifiex_private *priv, const u8 *ra)
                if (!mwifiex_queuing_ra_based(priv)) {
                        if (mwifiex_get_tdls_link_status(priv, ra) ==
                            TDLS_SETUP_COMPLETE) {
+                                ra_list->tdls_link = true;
                                ra_list->is_11n_enabled =
                                        mwifiex_tdls_peer_11n_enabled(priv, ra);
                        } else {
diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h
index f2f70784d4ad..d3fbe33d2324 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -63,7 +63,7 @@ static inline int rsi_create_kthread(struct rsi_common *common,
                                     u8 *name)
 {
        init_completion(&thread->completion);
-        thread->task = kthread_run(func_ptr, common, name);
+        thread->task = kthread_run(func_ptr, common, "%s", name);
        if (IS_ERR(thread->task))
                return (int)PTR_ERR(thread->task);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
index c61311084d7e..361435f8608a 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
@@ -395,9 +395,6 @@ static struct usb_driver rtl8192cu_driver = {
        /* .resume = rtl_usb_resume, */
        /* .reset_resume = rtl8192c_resume, */
 #endif /* CONFIG_PM */
-#ifdef CONFIG_AUTOSUSPEND
-        .supports_autosuspend = 1,
-#endif
        .disable_hub_initiated_lpm = 1,
 };
diff --git a/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c b/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
index 48fee1be78c2..5b4a714f3c8c 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
@@ -32,7 +32,6 @@
 #include "dm.h"
 #include "fw.h"
 #include "../rtl8723com/fw_common.h"
-#include "../rtl8723com/fw_common.h"
 #include "phy.h"
 #include "reg.h"
 #include "hal_btc.h"
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/trx.c b/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
index e0a0d8c8fed5..969eaea5eddd 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
@@ -33,7 +33,6 @@
 #include "trx.h"
 #include "led.h"
 #include "dm.h"
-#include "phy.h"
 static u8 _rtl8723be_map_hwqueue_to_fwqueue(struct sk_buff *skb, u8 hw_queue)
 {
diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index b7a372af5eb7..4ac4d31f6c59 100644
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -28,7 +28,8 @@
                           NFC_PROTO_MIFARE_MASK   | \
                           NFC_PROTO_FELICA_MASK   | \
                           NFC_PROTO_NFC_DEP_MASK  | \
-                           NFC_PROTO_ISO14443_MASK)
+                           NFC_PROTO_ISO14443_MASK | \
+                           NFC_PROTO_ISO14443_B_MASK)
 #define PORT100_CAPABILITIES (NFC_DIGITAL_DRV_CAPS_IN_CRC | \
                              NFC_DIGITAL_DRV_CAPS_TG_CRC)
@@ -120,6 +121,7 @@ struct port100_in_rf_setting {
 #define PORT100_COMM_TYPE_IN_212F 0x01
 #define PORT100_COMM_TYPE_IN_424F 0x02
 #define PORT100_COMM_TYPE_IN_106A 0x03
+#define PORT100_COMM_TYPE_IN_106B 0x07
 static const struct port100_in_rf_setting in_rf_settings[] = {
        [NFC_DIGITAL_RF_TECH_212F] = {
@@ -140,6 +142,12 @@ static const struct port100_in_rf_setting in_rf_settings[] = {
                .in_recv_set_number = 15,
                .in_recv_comm_type  = PORT100_COMM_TYPE_IN_106A,
        },
+        [NFC_DIGITAL_RF_TECH_106B] = {
+                .in_send_set_number = 3,
+                .in_send_comm_type  = PORT100_COMM_TYPE_IN_106B,
+                .in_recv_set_number = 15,
+                .in_recv_comm_type  = PORT100_COMM_TYPE_IN_106B,
+        },
        /* Ensures the array has NFC_DIGITAL_RF_TECH_LAST elements */
        [NFC_DIGITAL_RF_TECH_LAST] = { 0 },
 };
@@ -340,6 +348,32 @@ in_protocols[][PORT100_IN_MAX_NUM_PROTOCOLS + 1] = {
        [NFC_DIGITAL_FRAMING_NFC_DEP_ACTIVATED] = {
                { PORT100_IN_PROT_END, 0 },
        },
+        [NFC_DIGITAL_FRAMING_NFCB] = {
+                { PORT100_IN_PROT_INITIAL_GUARD_TIME,     20 },
+                { PORT100_IN_PROT_ADD_CRC,                 1 },
+                { PORT100_IN_PROT_CHECK_CRC,               1 },
+                { PORT100_IN_PROT_MULTI_CARD,              0 },
+                { PORT100_IN_PROT_ADD_PARITY,              0 },
+                { PORT100_IN_PROT_CHECK_PARITY,            0 },
+                { PORT100_IN_PROT_BITWISE_AC_RECV_MODE,    0 },
+                { PORT100_IN_PROT_VALID_BIT_NUMBER,        8 },
+                { PORT100_IN_PROT_CRYPTO1,                 0 },
+                { PORT100_IN_PROT_ADD_SOF,                 1 },
+                { PORT100_IN_PROT_CHECK_SOF,               1 },
+                { PORT100_IN_PROT_ADD_EOF,                 1 },
+                { PORT100_IN_PROT_CHECK_EOF,               1 },
+                { PORT100_IN_PROT_DEAF_TIME,               4 },
+                { PORT100_IN_PROT_CRM,                     0 },
+                { PORT100_IN_PROT_CRM_MIN_LEN,             0 },
+                { PORT100_IN_PROT_T1_TAG_FRAME,            0 },
+                { PORT100_IN_PROT_RFCA,                    0 },
+                { PORT100_IN_PROT_GUARD_TIME_AT_INITIATOR, 6 },
+                { PORT100_IN_PROT_END,                     0 },
+        },
+        [NFC_DIGITAL_FRAMING_NFCB_T4T] = {
+                /* nfc_digital_framing_nfcb */
+                { PORT100_IN_PROT_END,                     0 },
+        },
        /* Ensures the array has NFC_DIGITAL_FRAMING_LAST elements */
        [NFC_DIGITAL_FRAMING_LAST] = {
                { PORT100_IN_PROT_END, 0 },
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index efb36593ecb4..3b78b031e617 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -105,7 +105,8 @@
 #define TRF7970A_SUPPORTED_PROTOCOLS \
                (NFC_PROTO_MIFARE_MASK | NFC_PROTO_ISO14443_MASK |      \
-                 NFC_PROTO_ISO14443_B_MASK | NFC_PROTO_ISO15693_MASK)
+                 NFC_PROTO_ISO14443_B_MASK | NFC_PROTO_FELICA_MASK | \
+                 NFC_PROTO_ISO15693_MASK)
 #define TRF7970A_AUTOSUSPEND_DELAY              30000 /* 30 seconds */
@@ -867,6 +868,14 @@ static int trf7970a_config_rf_tech(struct trf7970a *trf, int tech)
                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_14443B_106;
                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
                break;
+        case NFC_DIGITAL_RF_TECH_212F:
+                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_FELICA_212;
+                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
+                break;
+        case NFC_DIGITAL_RF_TECH_424F:
+                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_FELICA_424;
+                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
+                break;
        case NFC_DIGITAL_RF_TECH_ISO15693:
                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_15693_SGL_1OF4_2648;
                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_OOK;
@@ -898,6 +907,8 @@ static int trf7970a_config_framing(struct trf7970a *trf, int framing)
        case NFC_DIGITAL_FRAMING_NFCA_T4T:
        case NFC_DIGITAL_FRAMING_NFCB:
        case NFC_DIGITAL_FRAMING_NFCB_T4T:
+        case NFC_DIGITAL_FRAMING_NFCF:
+        case NFC_DIGITAL_FRAMING_NFCF_T3T:
        case NFC_DIGITAL_FRAMING_ISO15693_INVENTORY:
        case NFC_DIGITAL_FRAMING_ISO15693_T5T:
                trf->tx_cmd = TRF7970A_CMD_TRANSMIT;
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index f194ccb8539c..6bff13f74050 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1711,6 +1711,7 @@ enum ieee80211_eid {
        WLAN_EID_RRM_ENABLED_CAPABILITIES = 70,
        WLAN_EID_MULTIPLE_BSSID = 71,
        WLAN_EID_BSS_COEX_2040 = 72,
+        WLAN_EID_BSS_INTOLERANT_CHL_REPORT = 73,
        WLAN_EID_OVERLAP_BSS_SCAN_PARAM = 74,
        WLAN_EID_RIC_DESCRIPTOR = 75,
        WLAN_EID_MMIE = 76,
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 4261a67682c0..16587dcd6a91 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -1054,6 +1054,17 @@ struct hci_cp_write_page_scan_activity {
        __le16   window;
 } __packed;
+#define HCI_OP_READ_TX_POWER            0x0c2d
+struct hci_cp_read_tx_power {
+        __le16   handle;
+        __u8     type;
+} __packed;
+struct hci_rp_read_tx_power {
+        __u8     status;
+        __le16   handle;
+        __s8     tx_power;
+} __packed;
 #define HCI_OP_READ_PAGE_SCAN_TYPE      0x0c46
 struct hci_rp_read_page_scan_type {
        __u8     status;
@@ -1064,6 +1075,16 @@ struct hci_rp_read_page_scan_type {
        #define PAGE_SCAN_TYPE_STANDARD         0x00
        #define PAGE_SCAN_TYPE_INTERLACED       0x01
+#define HCI_OP_READ_RSSI                0x1405
+struct hci_cp_read_rssi {
+        __le16   handle;
+} __packed;
+struct hci_rp_read_rssi {
+        __u8     status;
+        __le16   handle;
+        __s8     rssi;
+} __packed;
 #define HCI_OP_READ_LOCAL_AMP_INFO      0x1409
 struct hci_rp_read_local_amp_info {
        __u8     status;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index d73f41855ada..b386bf17e6c2 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -145,6 +145,10 @@ struct oob_data {
 /* Default LE RPA expiry time, 15 minutes */
 #define HCI_DEFAULT_RPA_TIMEOUT         (15 * 60)
+/* Default min/max age of connection information (1s/3s) */
+#define DEFAULT_CONN_INFO_MIN_AGE       1000
+#define DEFAULT_CONN_INFO_MAX_AGE       3000
 struct amp_assoc {
        __u16   len;
        __u16   offset;
@@ -200,6 +204,8 @@ struct hci_dev {
        __u16           le_conn_min_interval;
        __u16           le_conn_max_interval;
        __u16           discov_interleaved_timeout;
+        __u16           conn_info_min_age;
+        __u16           conn_info_max_age;
        __u8            ssp_debug_mode;
        __u16           devid_source;
@@ -374,8 +380,13 @@ struct hci_conn {
        __u16           setting;
        __u16           le_conn_min_interval;
        __u16           le_conn_max_interval;
+        __s8            rssi;
+        __s8            tx_power;
+        __s8            max_tx_power;
        unsigned long   flags;
+        unsigned long   conn_info_timestamp;
        __u8            remote_cap;
        __u8            remote_auth;
        __u8            remote_id;
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index d4b571c2f9fd..bcffc9ae0c89 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -181,6 +181,9 @@ struct mgmt_cp_load_link_keys {
 } __packed;
 #define MGMT_LOAD_LINK_KEYS_SIZE        3
+#define MGMT_LTK_UNAUTHENTICATED        0x00
+#define MGMT_LTK_AUTHENTICATED          0x01
 struct mgmt_ltk_info {
        struct mgmt_addr_info addr;
        __u8    type;
@@ -409,6 +412,18 @@ struct mgmt_cp_load_irks {
 } __packed;
 #define MGMT_LOAD_IRKS_SIZE             2
+#define MGMT_OP_GET_CONN_INFO           0x0031
+struct mgmt_cp_get_conn_info {
+        struct mgmt_addr_info addr;
+} __packed;
+#define MGMT_GET_CONN_INFO_SIZE         MGMT_ADDR_INFO_SIZE
+struct mgmt_rp_get_conn_info {
+        struct mgmt_addr_info addr;
+        __s8    rssi;
+        __s8    tx_power;
+        __s8    max_tx_power;
+} __packed;
 #define MGMT_EV_CMD_COMPLETE            0x0001
 struct mgmt_ev_cmd_complete {
        __le16  opcode;
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 2611cc389d7d..578b83127af1 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -173,7 +173,7 @@ struct rfcomm_dlc {
        struct sk_buff_head   tx_queue;
        struct timer_list     timer;
-        spinlock_t    lock;
+        struct mutex  lock;
        unsigned long state;
        unsigned long flags;
        atomic_t      refcnt;
@@ -244,8 +244,8 @@ int  rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig);
 void rfcomm_dlc_accept(struct rfcomm_dlc *d);
 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel);
-#define rfcomm_dlc_lock(d)     spin_lock(&d->lock)
+#define rfcomm_dlc_lock(d)     mutex_lock(&d->lock)
-#define rfcomm_dlc_unlock(d)   spin_unlock(&d->lock)
+#define rfcomm_dlc_unlock(d)   mutex_unlock(&d->lock)
 static inline void rfcomm_dlc_hold(struct rfcomm_dlc *d)
 {
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 2c78997bc48d..421b6ecb4b2c 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -189,6 +189,43 @@ struct ieee80211_chanctx_conf {
 };
 /**
+ * enum ieee80211_chanctx_switch_mode - channel context switch mode
+ * @CHANCTX_SWMODE_REASSIGN_VIF: Both old and new contexts already
+ *      exist (and will continue to exist), but the virtual interface
+ *      needs to be switched from one to the other.
+ * @CHANCTX_SWMODE_SWAP_CONTEXTS: The old context exists but will stop
+ *      to exist with this call, the new context doesn't exist but
+ *      will be active after this call, the virtual interface switches
+ *      from the old to the new (note that the driver may of course
+ *      implement this as an on-the-fly chandef switch of the existing
+ *      hardware context, but the mac80211 pointer for the old context
+ *      will cease to exist and only the new one will later be used
+ *      for changes/removal.)
+ */
+enum ieee80211_chanctx_switch_mode {
+        CHANCTX_SWMODE_REASSIGN_VIF,
+        CHANCTX_SWMODE_SWAP_CONTEXTS,
+};
+/**
+ * struct ieee80211_vif_chanctx_switch - vif chanctx switch information
+ *
+ * This is structure is used to pass information about a vif that
+ * needs to switch from one chanctx to another.  The
+ * &ieee80211_chanctx_switch_mode defines how the switch should be
+ * done.
+ *
+ * @vif: the vif that should be switched from old_ctx to new_ctx
+ * @old_ctx: the old context to which the vif was assigned
+ * @new_ctx: the new context to which the vif must be assigned
+ */
+struct ieee80211_vif_chanctx_switch {
+        struct ieee80211_vif *vif;
+        struct ieee80211_chanctx_conf *old_ctx;
+        struct ieee80211_chanctx_conf *new_ctx;
+};
+/**
 * enum ieee80211_bss_change - BSS change notification flags
 *
 * These flags are used with the bss_info_changed() callback
@@ -2736,6 +2773,11 @@ enum ieee80211_roc_type {
 *      to vif. Possible use is for hw queue remapping.
 * @unassign_vif_chanctx: Notifies device driver about channel context being
 *      unbound from vif.
+ * @switch_vif_chanctx: switch a number of vifs from one chanctx to
+ *      another, as specified in the list of
+ *      @ieee80211_vif_chanctx_switch passed to the driver, according
+ *      to the mode defined in &ieee80211_chanctx_switch_mode.
+ *
 * @start_ap: Start operation on the AP interface, this is called after all the
 *      information in bss_conf is set and beacon can be retrieved. A channel
 *      context is bound before this is called. Note that if the driver uses
@@ -2952,6 +2994,10 @@ struct ieee80211_ops {
        void (*unassign_vif_chanctx)(struct ieee80211_hw *hw,
                                     struct ieee80211_vif *vif,
                                     struct ieee80211_chanctx_conf *ctx);
+        int (*switch_vif_chanctx)(struct ieee80211_hw *hw,
+                                  struct ieee80211_vif_chanctx_switch *vifs,
+                                  int n_vifs,
+                                  enum ieee80211_chanctx_switch_mode mode);
        void (*restart_complete)(struct ieee80211_hw *hw);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 095943c02d6e..8671bc79a35b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -28,6 +28,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include "smp.h"
 #include "a2mp.h"
@@ -407,6 +408,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        conn->io_capability = hdev->io_capability;
        conn->remote_auth = 0xff;
        conn->key_type = 0xff;
+        conn->tx_power = HCI_TX_POWER_INVALID;
+        conn->max_tx_power = HCI_TX_POWER_INVALID;
        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d31f144860d1..0a43cce9a914 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -34,6 +34,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include "smp.h"
@@ -579,6 +580,62 @@ static int sniff_max_interval_get(void *data, u64 *val)
 DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
                        sniff_max_interval_set, "%llu\n");
+static int conn_info_min_age_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        if (val == 0 || val > hdev->conn_info_max_age)
+                return -EINVAL;
+        hci_dev_lock(hdev);
+        hdev->conn_info_min_age = val;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+static int conn_info_min_age_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock(hdev);
+        *val = hdev->conn_info_min_age;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(conn_info_min_age_fops, conn_info_min_age_get,
+                        conn_info_min_age_set, "%llu\n");
+static int conn_info_max_age_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        if (val == 0 || val < hdev->conn_info_min_age)
+                return -EINVAL;
+        hci_dev_lock(hdev);
+        hdev->conn_info_max_age = val;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+static int conn_info_max_age_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock(hdev);
+        *val = hdev->conn_info_max_age;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(conn_info_max_age_fops, conn_info_max_age_get,
+                        conn_info_max_age_set, "%llu\n");
 static int identity_show(struct seq_file *f, void *p)
 {
        struct hci_dev *hdev = f->private;
@@ -1754,6 +1811,11 @@ static int __hci_init(struct hci_dev *hdev)
                            &blacklist_fops);
        debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
+        debugfs_create_file("conn_info_min_age", 0644, hdev->debugfs, hdev,
+                            &conn_info_min_age_fops);
+        debugfs_create_file("conn_info_max_age", 0644, hdev->debugfs, hdev,
+                            &conn_info_max_age_fops);
        if (lmp_bredr_capable(hdev)) {
                debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
                                    hdev, &inquiry_cache_fops);
@@ -3789,6 +3851,8 @@ struct hci_dev *hci_alloc_dev(void)
        hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
        hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
+        hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
+        hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
        mutex_init(&hdev->lock);
        mutex_init(&hdev->req_lock);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ca19fd4bbb8f..3454807a40c5 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1245,6 +1245,59 @@ static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
        amp_write_rem_assoc_continue(hdev, rp->phy_handle);
 }
+static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_rp_read_rssi *rp = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+        if (rp->status)
+                return;
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
+        if (conn)
+                conn->rssi = rp->rssi;
+        hci_dev_unlock(hdev);
+}
+static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_cp_read_tx_power *sent;
+        struct hci_rp_read_tx_power *rp = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+        if (rp->status)
+                return;
+        sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
+        if (!sent)
+                return;
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
+        if (!conn)
+                goto unlock;
+        switch (sent->type) {
+        case 0x00:
+                conn->tx_power = rp->tx_power;
+                break;
+        case 0x01:
+                conn->max_tx_power = rp->tx_power;
+                break;
+        }
+unlock:
+        hci_dev_unlock(hdev);
+}
 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
        BT_DBG("%s status 0x%2.2x", hdev->name, status);
@@ -2637,6 +2690,14 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                hci_cc_write_remote_amp_assoc(hdev, skb);
                break;
+        case HCI_OP_READ_RSSI:
+                hci_cc_read_rssi(hdev, skb);
+                break;
+        case HCI_OP_READ_TX_POWER:
+                hci_cc_read_tx_power(hdev, skb);
+                break;
        default:
                BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
                break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 54abbce3a39e..5e9c21a5525f 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -29,12 +29,13 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include <net/bluetooth/mgmt.h>
 #include "smp.h"
 #define MGMT_VERSION    1
-#define MGMT_REVISION   5
+#define MGMT_REVISION   6
 static const u16 mgmt_commands[] = {
        MGMT_OP_READ_INDEX_LIST,
@@ -83,6 +84,7 @@ static const u16 mgmt_commands[] = {
        MGMT_OP_SET_DEBUG_KEYS,
        MGMT_OP_SET_PRIVACY,
        MGMT_OP_LOAD_IRKS,
+        MGMT_OP_GET_CONN_INFO,
 };
 static const u16 mgmt_events[] = {
@@ -4532,7 +4534,7 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
        for (i = 0; i < key_count; i++) {
                struct mgmt_ltk_info *key = &cp->keys[i];
-                u8 type, addr_type;
+                u8 type, addr_type, authenticated;
                if (key->addr.type == BDADDR_LE_PUBLIC)
                        addr_type = ADDR_LE_DEV_PUBLIC;
@@ -4544,8 +4546,13 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
                else
                        type = HCI_SMP_LTK_SLAVE;
+                if (key->type == MGMT_LTK_UNAUTHENTICATED)
+                        authenticated = 0x00;
+                else
+                        authenticated = 0x01;
                hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
-                            key->type, key->val, key->enc_size, key->ediv,
+                            authenticated, key->val, key->enc_size, key->ediv,
                            key->rand);
        }
@@ -4557,6 +4564,218 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
        return err;
 }
+struct cmd_conn_lookup {
+        struct hci_conn *conn;
+        bool valid_tx_power;
+        u8 mgmt_status;
+};
+static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
+{
+        struct cmd_conn_lookup *match = data;
+        struct mgmt_cp_get_conn_info *cp;
+        struct mgmt_rp_get_conn_info rp;
+        struct hci_conn *conn = cmd->user_data;
+        if (conn != match->conn)
+                return;
+        cp = (struct mgmt_cp_get_conn_info *) cmd->param;
+        memset(&rp, 0, sizeof(rp));
+        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
+        rp.addr.type = cp->addr.type;
+        if (!match->mgmt_status) {
+                rp.rssi = conn->rssi;
+                if (match->valid_tx_power) {
+                        rp.tx_power = conn->tx_power;
+                        rp.max_tx_power = conn->max_tx_power;
+                } else {
+                        rp.tx_power = HCI_TX_POWER_INVALID;
+                        rp.max_tx_power = HCI_TX_POWER_INVALID;
+                }
+        }
+        cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
+                     match->mgmt_status, &rp, sizeof(rp));
+        hci_conn_drop(conn);
+        mgmt_pending_remove(cmd);
+}
+static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
+{
+        struct hci_cp_read_rssi *cp;
+        struct hci_conn *conn;
+        struct cmd_conn_lookup match;
+        u16 handle;
+        BT_DBG("status 0x%02x", status);
+        hci_dev_lock(hdev);
+        /* TX power data is valid in case request completed successfully,
+         * otherwise we assume it's not valid. At the moment we assume that
+         * either both or none of current and max values are valid to keep code
+         * simple.
+         */
+        match.valid_tx_power = !status;
+        /* Commands sent in request are either Read RSSI or Read Transmit Power
+         * Level so we check which one was last sent to retrieve connection
+         * handle.  Both commands have handle as first parameter so it's safe to
+         * cast data on the same command struct.
+         *
+         * First command sent is always Read RSSI and we fail only if it fails.
+         * In other case we simply override error to indicate success as we
+         * already remembered if TX power value is actually valid.
+         */
+        cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
+        if (!cp) {
+                cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
+                status = 0;
+        }
+        if (!cp) {
+                BT_ERR("invalid sent_cmd in response");
+                goto unlock;
+        }
+        handle = __le16_to_cpu(cp->handle);
+        conn = hci_conn_hash_lookup_handle(hdev, handle);
+        if (!conn) {
+                BT_ERR("unknown handle (%d) in response", handle);
+                goto unlock;
+        }
+        match.conn = conn;
+        match.mgmt_status = mgmt_status(status);
+        /* Cache refresh is complete, now reply for mgmt request for given
+         * connection only.
+         */
+        mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
+                             get_conn_info_complete, &match);
+unlock:
+        hci_dev_unlock(hdev);
+}
+static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
+                         u16 len)
+{
+        struct mgmt_cp_get_conn_info *cp = data;
+        struct mgmt_rp_get_conn_info rp;
+        struct hci_conn *conn;
+        unsigned long conn_info_age;
+        int err = 0;
+        BT_DBG("%s", hdev->name);
+        memset(&rp, 0, sizeof(rp));
+        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
+        rp.addr.type = cp->addr.type;
+        if (!bdaddr_type_is_valid(cp->addr.type))
+                return cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                    MGMT_STATUS_INVALID_PARAMS,
+                                    &rp, sizeof(rp));
+        hci_dev_lock(hdev);
+        if (!hdev_is_powered(hdev)) {
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
+                goto unlock;
+        }
+        if (cp->addr.type == BDADDR_BREDR)
+                conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
+                                               &cp->addr.bdaddr);
+        else
+                conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
+        if (!conn || conn->state != BT_CONNECTED) {
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
+                goto unlock;
+        }
+        /* To avoid client trying to guess when to poll again for information we
+         * calculate conn info age as random value between min/max set in hdev.
+         */
+        conn_info_age = hdev->conn_info_min_age +
+                        prandom_u32_max(hdev->conn_info_max_age -
+                                        hdev->conn_info_min_age);
+        /* Query controller to refresh cached values if they are too old or were
+         * never read.
+         */
+        if (time_after(jiffies, conn->conn_info_timestamp +
+                       msecs_to_jiffies(conn_info_age)) ||
+            !conn->conn_info_timestamp) {
+                struct hci_request req;
+                struct hci_cp_read_tx_power req_txp_cp;
+                struct hci_cp_read_rssi req_rssi_cp;
+                struct pending_cmd *cmd;
+                hci_req_init(&req, hdev);
+                req_rssi_cp.handle = cpu_to_le16(conn->handle);
+                hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
+                            &req_rssi_cp);
+                /* For LE links TX power does not change thus we don't need to
+                 * query for it once value is known.
+                 */
+                if (!bdaddr_type_is_le(cp->addr.type) ||
+                    conn->tx_power == HCI_TX_POWER_INVALID) {
+                        req_txp_cp.handle = cpu_to_le16(conn->handle);
+                        req_txp_cp.type = 0x00;
+                        hci_req_add(&req, HCI_OP_READ_TX_POWER,
+                                    sizeof(req_txp_cp), &req_txp_cp);
+                }
+                /* Max TX power needs to be read only once per connection */
+                if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
+                        req_txp_cp.handle = cpu_to_le16(conn->handle);
+                        req_txp_cp.type = 0x01;
+                        hci_req_add(&req, HCI_OP_READ_TX_POWER,
+                                    sizeof(req_txp_cp), &req_txp_cp);
+                }
+                err = hci_req_run(&req, conn_info_refresh_complete);
+                if (err < 0)
+                        goto unlock;
+                cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
+                                       data, len);
+                if (!cmd) {
+                        err = -ENOMEM;
+                        goto unlock;
+                }
+                hci_conn_hold(conn);
+                cmd->user_data = conn;
+                conn->conn_info_timestamp = jiffies;
+        } else {
+                /* Cache is valid, just reply with values cached in hci_conn */
+                rp.rssi = conn->rssi;
+                rp.tx_power = conn->tx_power;
+                rp.max_tx_power = conn->max_tx_power;
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
+        }
+unlock:
+        hci_dev_unlock(hdev);
+        return err;
+}
 static const struct mgmt_handler {
        int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
                     u16 data_len);
@@ -4612,6 +4831,7 @@ static const struct mgmt_handler {
        { set_debug_keys,         false, MGMT_SETTING_SIZE },
        { set_privacy,            false, MGMT_SET_PRIVACY_SIZE },
        { load_irks,              true,  MGMT_LOAD_IRKS_SIZE },
+        { get_conn_info,          false, MGMT_GET_CONN_INFO_SIZE },
 };
@@ -5007,6 +5227,14 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
        mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
 }
+static u8 mgmt_ltk_type(struct smp_ltk *ltk)
+{
+        if (ltk->authenticated)
+                return MGMT_LTK_AUTHENTICATED;
+        return MGMT_LTK_UNAUTHENTICATED;
+}
 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
 {
        struct mgmt_ev_new_long_term_key ev;
@@ -5032,7 +5260,7 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
        bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
        ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
-        ev.key.type = key->authenticated;
+        ev.key.type = mgmt_ltk_type(key);
        ev.key.enc_size = key->enc_size;
        ev.key.ediv = key->ediv;
        ev.key.rand = key->rand;
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index cf620260affa..754b6fe4f742 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -307,7 +307,7 @@ struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
        setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
        skb_queue_head_init(&d->tx_queue);
-        spin_lock_init(&d->lock);
+        mutex_init(&d->lock);
        atomic_set(&d->refcnt, 1);
        rfcomm_dlc_clear_state(d);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 403ec09f480a..8e385a0ae60e 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -70,7 +70,7 @@ struct rfcomm_dev {
 };
 static LIST_HEAD(rfcomm_dev_list);
-static DEFINE_SPINLOCK(rfcomm_dev_lock);
+static DEFINE_MUTEX(rfcomm_dev_lock);
 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
@@ -96,9 +96,9 @@ static void rfcomm_dev_destruct(struct tty_port *port)
        if (dev->tty_dev)
                tty_unregister_device(rfcomm_tty_driver, dev->id);
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        list_del(&dev->list);
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        kfree(dev);
@@ -161,14 +161,14 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
 {
        struct rfcomm_dev *dev;
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        dev = __rfcomm_dev_lookup(id);
        if (dev && !tty_port_get(&dev->port))
                dev = NULL;
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        return dev;
 }
@@ -224,7 +224,7 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
        if (!dev)
                return ERR_PTR(-ENOMEM);
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        if (req->dev_id < 0) {
                dev->id = 0;
@@ -305,11 +305,11 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
           holds reference to this module. */
        __module_get(THIS_MODULE);
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        return dev;
 out:
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        kfree(dev);
        return ERR_PTR(err);
 }
@@ -524,7 +524,7 @@ static int rfcomm_get_dev_list(void __user *arg)
        di = dl->dev_info;
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        list_for_each_entry(dev, &rfcomm_dev_list, list) {
                if (!tty_port_get(&dev->port))
@@ -540,7 +540,7 @@ static int rfcomm_get_dev_list(void __user *arg)
                        break;
        }
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        dl->dev_num = n;
        size = sizeof(*dl) + n * sizeof(*di);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dfb4e1161c10..4f9662d0fd81 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -35,6 +35,33 @@
 #define AUTH_REQ_MASK   0x07
+#define SMP_FLAG_TK_VALID       1
+#define SMP_FLAG_CFM_PENDING    2
+#define SMP_FLAG_MITM_AUTH      3
+#define SMP_FLAG_COMPLETE       4
+#define SMP_FLAG_INITIATOR      5
+struct smp_chan {
+        struct l2cap_conn *conn;
+        u8              preq[7]; /* SMP Pairing Request */
+        u8              prsp[7]; /* SMP Pairing Response */
+        u8              prnd[16]; /* SMP Pairing Random (local) */
+        u8              rrnd[16]; /* SMP Pairing Random (remote) */
+        u8              pcnf[16]; /* SMP Pairing Confirm */
+        u8              tk[16]; /* SMP Temporary Key */
+        u8              enc_key_size;
+        u8              remote_key_dist;
+        bdaddr_t        id_addr;
+        u8              id_addr_type;
+        u8              irk[16];
+        struct smp_csrk *csrk;
+        struct smp_csrk *slave_csrk;
+        struct smp_ltk  *ltk;
+        struct smp_ltk  *slave_ltk;
+        struct smp_irk  *remote_irk;
+        unsigned long   flags;
+};
 static inline void swap128(const u8 src[16], u8 dst[16])
 {
        int i;
@@ -369,7 +396,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
        /* Initialize key for JUST WORKS */
        memset(smp->tk, 0, sizeof(smp->tk));
-        clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+        clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
        BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
@@ -388,19 +415,18 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                method = JUST_WORKS;
        /* Don't confirm locally initiated pairing attempts */
-        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
+        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
-                                           &smp->smp_flags))
                method = JUST_WORKS;
        /* If Just Works, Continue with Zero TK */
        if (method == JUST_WORKS) {
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
                return 0;
        }
        /* Not Just Works/Confirm results in MITM Authentication */
        if (method != JUST_CFM)
-                set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
+                set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
        /* If both devices have Keyoard-Display I/O, the master
         * Confirms and the slave Enters the passkey.
@@ -419,7 +445,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                passkey %= 1000000;
                put_unaligned_le32(passkey, smp->tk);
                BT_DBG("PassKey: %d", passkey);
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
        }
        hci_dev_lock(hcon->hdev);
@@ -441,15 +467,13 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
        return ret;
 }
-static void confirm_work(struct work_struct *work)
+static u8 smp_confirm(struct smp_chan *smp)
 {
-        struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
        struct l2cap_conn *conn = smp->conn;
        struct hci_dev *hdev = conn->hcon->hdev;
        struct crypto_blkcipher *tfm = hdev->tfm_aes;
        struct smp_cmd_pairing_confirm cp;
        int ret;
-        u8 reason;
        BT_DBG("conn %p", conn);
@@ -463,35 +487,27 @@ static void confirm_work(struct work_struct *work)
        hci_dev_unlock(hdev);
-        if (ret) {
+        if (ret)
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
-        clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+        clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
-        return;
+        return 0;
-error:
-        smp_failure(conn, reason);
 }
-static void random_work(struct work_struct *work)
+static u8 smp_random(struct smp_chan *smp)
 {
-        struct smp_chan *smp = container_of(work, struct smp_chan, random);
        struct l2cap_conn *conn = smp->conn;
        struct hci_conn *hcon = conn->hcon;
        struct hci_dev *hdev = hcon->hdev;
        struct crypto_blkcipher *tfm = hdev->tfm_aes;
-        u8 reason, confirm[16];
+        u8 confirm[16];
        int ret;
-        if (IS_ERR_OR_NULL(tfm)) {
+        if (IS_ERR_OR_NULL(tfm))
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
@@ -504,15 +520,12 @@ static void random_work(struct work_struct *work)
        hci_dev_unlock(hdev);
-        if (ret) {
+        if (ret)
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
        if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
                BT_ERR("Pairing failed (confirmation values mismatch)");
-                reason = SMP_CONFIRM_FAILED;
+                return SMP_CONFIRM_FAILED;
-                goto error;
        }
        if (hcon->out) {
@@ -525,10 +538,8 @@ static void random_work(struct work_struct *work)
                memset(stk + smp->enc_key_size, 0,
                       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
-                if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) {
+                if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
-                        reason = SMP_UNSPECIFIED;
+                        return SMP_UNSPECIFIED;
-                        goto error;
-                }
                hci_le_start_enc(hcon, ediv, rand, stk);
                hcon->enc_key_size = smp->enc_key_size;
@@ -550,10 +561,7 @@ static void random_work(struct work_struct *work)
                            ediv, rand);
        }
-        return;
+        return 0;
-error:
-        smp_failure(conn, reason);
 }
 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
@@ -564,9 +572,6 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
        if (!smp)
                return NULL;
-        INIT_WORK(&smp->confirm, confirm_work);
-        INIT_WORK(&smp->random, random_work);
        smp->conn = conn;
        conn->smp_chan = smp;
        conn->hcon->smp_conn = conn;
@@ -583,7 +588,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
        BUG_ON(!smp);
-        complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
+        complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
        mgmt_smp_complete(conn->hcon, complete);
        kfree(smp->csrk);
@@ -634,7 +639,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
                put_unaligned_le32(value, smp->tk);
                /* Fall Through */
        case MGMT_OP_USER_CONFIRM_REPLY:
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
                break;
        case MGMT_OP_USER_PASSKEY_NEG_REPLY:
        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
@@ -646,8 +651,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
        }
        /* If it is our turn to send Pairing Confirm, do so now */
-        if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags))
+        if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
-                queue_work(hcon->hdev->workqueue, &smp->confirm);
+                u8 rsp = smp_confirm(smp);
+                if (rsp)
+                        smp_failure(conn, rsp);
+        }
        return 0;
 }
@@ -656,14 +664,13 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_cmd_pairing rsp, *req = (void *) skb->data;
        struct smp_chan *smp;
-        u8 key_size;
+        u8 key_size, auth;
-        u8 auth = SMP_AUTH_NONE;
        int ret;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*req))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (conn->hcon->link_mode & HCI_LM_MASTER)
                return SMP_CMD_NOTSUPP;
@@ -681,8 +688,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        skb_pull(skb, sizeof(*req));
        /* We didn't start the pairing, so match remote */
-        if (req->auth_req & SMP_AUTH_BONDING)
+        auth = req->auth_req;
-                auth = req->auth_req;
        conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
@@ -704,7 +710,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (ret)
                return SMP_UNSPECIFIED;
-        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
        return 0;
 }
@@ -713,14 +719,13 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        u8 key_size, auth = SMP_AUTH_NONE;
        int ret;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rsp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                return SMP_CMD_NOTSUPP;
@@ -753,11 +758,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
        if (ret)
                return SMP_UNSPECIFIED;
-        set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+        set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        /* Can't compose response until we have been confirmed */
-        if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
+        if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
-                queue_work(hdev->workqueue, &smp->confirm);
+                return smp_confirm(smp);
        return 0;
 }
@@ -765,12 +770,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
        if (skb->len < sizeof(smp->pcnf))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
        skb_pull(skb, sizeof(smp->pcnf));
@@ -778,10 +782,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
        if (conn->hcon->out)
                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
                             smp->prnd);
-        else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
+        else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
-                queue_work(hdev->workqueue, &smp->confirm);
+                return smp_confirm(smp);
        else
-                set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+                set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        return 0;
 }
@@ -789,19 +793,16 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(smp->rrnd))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
        skb_pull(skb, sizeof(smp->rrnd));
-        queue_work(hdev->workqueue, &smp->random);
+        return smp_random(smp);
-        return 0;
 }
 static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -836,7 +837,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                return SMP_CMD_NOTSUPP;
@@ -861,7 +862,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
-        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
        return 0;
 }
@@ -928,7 +929,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
                smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
        }
-        set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        set_bit(SMP_FLAG_INITIATOR, &smp->flags);
 done:
        hcon->pending_sec_level = sec_level;
@@ -944,7 +945,7 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -969,7 +970,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -1001,7 +1002,7 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("");
        if (skb->len < sizeof(*info))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1025,7 +1026,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
        BT_DBG("");
        if (skb->len < sizeof(*info))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1075,7 +1076,7 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_SIGN))
@@ -1358,7 +1359,7 @@ int smp_distribute_keys(struct l2cap_conn *conn)
        clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
        cancel_delayed_work_sync(&conn->security_timer);
-        set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
+        set_bit(SMP_FLAG_COMPLETE, &smp->flags);
        smp_notify_keys(conn);
        smp_chan_destroy(conn);
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 1277147a9150..5a8dc36460a1 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -111,39 +111,11 @@ struct smp_cmd_security_req {
 #define SMP_CMD_NOTSUPP                 0x07
 #define SMP_UNSPECIFIED                 0x08
 #define SMP_REPEATED_ATTEMPTS           0x09
+#define SMP_INVALID_PARAMS              0x0a
 #define SMP_MIN_ENC_KEY_SIZE            7
 #define SMP_MAX_ENC_KEY_SIZE            16
-#define SMP_FLAG_TK_VALID       1
-#define SMP_FLAG_CFM_PENDING    2
-#define SMP_FLAG_MITM_AUTH      3
-#define SMP_FLAG_COMPLETE       4
-#define SMP_FLAG_INITIATOR      5
-struct smp_chan {
-        struct l2cap_conn *conn;
-        u8              preq[7]; /* SMP Pairing Request */
-        u8              prsp[7]; /* SMP Pairing Response */
-        u8              prnd[16]; /* SMP Pairing Random (local) */
-        u8              rrnd[16]; /* SMP Pairing Random (remote) */
-        u8              pcnf[16]; /* SMP Pairing Confirm */
-        u8              tk[16]; /* SMP Temporary Key */
-        u8              enc_key_size;
-        u8              remote_key_dist;
-        bdaddr_t        id_addr;
-        u8              id_addr_type;
-        u8              irk[16];
-        struct smp_csrk *csrk;
-        struct smp_csrk *slave_csrk;
-        struct smp_ltk  *ltk;
-        struct smp_ltk  *slave_ltk;
-        struct smp_irk  *remote_irk;
-        unsigned long   smp_flags;
-        struct work_struct confirm;
-        struct work_struct random;
-};
 /* SMP Commands */
 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 40a648938985..e205ebabfa50 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -34,8 +34,7 @@ static ssize_t ieee80211_if_read(
        ssize_t ret = -EINVAL;
        read_lock(&dev_base_lock);
-        if (sdata->dev->reg_state == NETREG_REGISTERED)
+        ret = (*format)(sdata, buf, sizeof(buf));
-                ret = (*format)(sdata, buf, sizeof(buf));
        read_unlock(&dev_base_lock);
        if (ret >= 0)
@@ -62,8 +61,7 @@ static ssize_t ieee80211_if_write(
        ret = -ENODEV;
        rtnl_lock();
-        if (sdata->dev->reg_state == NETREG_REGISTERED)
+        ret = (*write)(sdata, buf, count);
-                ret = (*write)(sdata, buf, count);
        rtnl_unlock();
        return ret;
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 696ef78b1fb7..bd782dcffcc7 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -1048,6 +1048,59 @@ static inline void drv_unassign_vif_chanctx(struct ieee80211_local *local,
        trace_drv_return_void(local);
 }
+static inline int
+drv_switch_vif_chanctx(struct ieee80211_local *local,
+                       struct ieee80211_vif_chanctx_switch *vifs,
+                       int n_vifs,
+                       enum ieee80211_chanctx_switch_mode mode)
+{
+        int ret = 0;
+        int i;
+        if (!local->ops->switch_vif_chanctx)
+                return -EOPNOTSUPP;
+        for (i = 0; i < n_vifs; i++) {
+                struct ieee80211_chanctx *new_ctx =
+                        container_of(vifs[i].new_ctx,
+                                     struct ieee80211_chanctx,
+                                     conf);
+                struct ieee80211_chanctx *old_ctx =
+                        container_of(vifs[i].old_ctx,
+                                     struct ieee80211_chanctx,
+                                     conf);
+                WARN_ON_ONCE(!old_ctx->driver_present);
+                WARN_ON_ONCE((mode == CHANCTX_SWMODE_SWAP_CONTEXTS &&
+                              new_ctx->driver_present) ||
+                             (mode == CHANCTX_SWMODE_REASSIGN_VIF &&
+                              !new_ctx->driver_present));
+        }
+        trace_drv_switch_vif_chanctx(local, vifs, n_vifs, mode);
+        ret = local->ops->switch_vif_chanctx(&local->hw,
+                                             vifs, n_vifs, mode);
+        trace_drv_return_int(local, ret);
+        if (!ret && mode == CHANCTX_SWMODE_SWAP_CONTEXTS) {
+                for (i = 0; i < n_vifs; i++) {
+                        struct ieee80211_chanctx *new_ctx =
+                                container_of(vifs[i].new_ctx,
+                                             struct ieee80211_chanctx,
+                                             conf);
+                        struct ieee80211_chanctx *old_ctx =
+                                container_of(vifs[i].old_ctx,
+                                             struct ieee80211_chanctx,
+                                             conf);
+                        new_ctx->driver_present = true;
+                        old_ctx->driver_present = false;
+                }
+        }
+        return ret;
+}
 static inline int drv_start_ap(struct ieee80211_local *local,
                               struct ieee80211_sub_if_data *sdata)
 {
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 1bbac94da58d..18ee0a256b1e 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1677,6 +1677,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
        sdata->u.ibss.control_port = params->control_port;
        sdata->u.ibss.userspace_handles_dfs = params->userspace_handles_dfs;
        sdata->u.ibss.basic_rates = params->basic_rates;
+        sdata->u.ibss.last_scan_completed = jiffies;
        /* fix basic_rates if channel does not support these rates */
        rate_flags = ieee80211_chandef_rate_flags(&params->chandef);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 79fc98815da8..81a8e2a0b6aa 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -399,6 +399,7 @@ int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
        sdata->vif.type = NL80211_IFTYPE_MONITOR;
        snprintf(sdata->name, IFNAMSIZ, "%s-monitor",
                 wiphy_name(local->hw.wiphy));
+        sdata->wdev.iftype = NL80211_IFTYPE_MONITOR;
        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
@@ -1285,6 +1286,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
        sdata->control_port_protocol = cpu_to_be16(ETH_P_PAE);
        sdata->control_port_no_encrypt = false;
        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
+        sdata->vif.bss_conf.idle = true;
        sdata->noack_map = 0;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 632d372bb511..a9b46d8ea22f 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -240,6 +240,7 @@ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
        sta_dbg(sta->sdata, "Destroyed STA %pM\n", sta->sta.addr);
+        kfree(rcu_dereference_raw(sta->sta.rates));
        kfree(sta);
 }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 60cb7a665976..ba29ebc86141 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -541,6 +541,23 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
 */
 #define STA_LOST_PKT_THRESHOLD  50
+static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb)
+{
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        /* This packet was aggregated but doesn't carry status info */
+        if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
+            !(info->flags & IEEE80211_TX_STAT_AMPDU))
+                return;
+        if (++sta->lost_packets < STA_LOST_PKT_THRESHOLD)
+                return;
+        cfg80211_cqm_pktloss_notify(sta->sdata->dev, sta->sta.addr,
+                                    sta->lost_packets, GFP_ATOMIC);
+        sta->lost_packets = 0;
+}
 void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
 {
        struct sk_buff *skb2;
@@ -680,12 +697,8 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                        if (info->flags & IEEE80211_TX_STAT_ACK) {
                                if (sta->lost_packets)
                                        sta->lost_packets = 0;
-                        } else if (++sta->lost_packets >= STA_LOST_PKT_THRESHOLD) {
+                        } else {
-                                cfg80211_cqm_pktloss_notify(sta->sdata->dev,
+                                ieee80211_lost_packet(sta, skb);
-                                                            sta->sta.addr,
-                                                            sta->lost_packets,
-                                                            GFP_ATOMIC);
-                                sta->lost_packets = 0;
                        }
                }
diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 762e4cd16386..cfe1a0688b5c 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -1389,6 +1389,91 @@ TRACE_EVENT(drv_change_chanctx,
        )
 );
+#if !defined(__TRACE_VIF_ENTRY)
+#define __TRACE_VIF_ENTRY
+struct trace_vif_entry {
+        enum nl80211_iftype vif_type;
+        bool p2p;
+        char vif_name[IFNAMSIZ];
+} __packed;
+struct trace_chandef_entry {
+        u32 control_freq;
+        u32 chan_width;
+        u32 center_freq1;
+        u32 center_freq2;
+} __packed;
+struct trace_switch_entry {
+        struct trace_vif_entry vif;
+        struct trace_chandef_entry old_chandef;
+        struct trace_chandef_entry new_chandef;
+} __packed;
+#define SWITCH_ENTRY_ASSIGN(to, from) local_vifs[i].to = vifs[i].from
+#endif
+TRACE_EVENT(drv_switch_vif_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_vif_chanctx_switch *vifs,
+                 int n_vifs, enum ieee80211_chanctx_switch_mode mode),
+            TP_ARGS(local, vifs, n_vifs, mode),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(int, n_vifs)
+                __field(u32, mode)
+                __dynamic_array(u8, vifs,
+                                sizeof(struct trace_switch_entry) * n_vifs)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->n_vifs = n_vifs;
+                __entry->mode = mode;
+                {
+                        struct trace_switch_entry *local_vifs =
+                                __get_dynamic_array(vifs);
+                        int i;
+                        for (i = 0; i < n_vifs; i++) {
+                                struct ieee80211_sub_if_data *sdata;
+                                sdata = container_of(vifs[i].vif,
+                                                struct ieee80211_sub_if_data,
+                                                vif);
+                                SWITCH_ENTRY_ASSIGN(vif.vif_type, vif->type);
+                                SWITCH_ENTRY_ASSIGN(vif.p2p, vif->p2p);
+                                strncpy(local_vifs[i].vif.vif_name,
+                                        sdata->name,
+                                        sizeof(local_vifs[i].vif.vif_name));
+                                SWITCH_ENTRY_ASSIGN(old_chandef.control_freq,
+                                                old_ctx->def.chan->center_freq);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.chan_width,
+                                                    old_ctx->def.width);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.center_freq1,
+                                                    old_ctx->def.center_freq1);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.center_freq2,
+                                                    old_ctx->def.center_freq2);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.control_freq,
+                                                new_ctx->def.chan->center_freq);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.chan_width,
+                                                    new_ctx->def.width);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.center_freq1,
+                                                    new_ctx->def.center_freq1);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.center_freq2,
+                                                    new_ctx->def.center_freq2);
+                        }
+                }
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " n_vifs:%d mode:%d",
+                LOCAL_PR_ARG, __entry->n_vifs, __entry->mode
+        )
+);
 DECLARE_EVENT_CLASS(local_sdata_chanctx,
        TP_PROTO(struct ieee80211_local *local,
                 struct ieee80211_sub_if_data *sdata,
diff --git a/net/nfc/digital_core.c b/net/nfc/digital_core.c
index b105cfb00e76..a6ce3c627e4e 100644
--- a/net/nfc/digital_core.c
+++ b/net/nfc/digital_core.c
@@ -386,6 +386,8 @@ int digital_target_found(struct nfc_digital_dev *ddev,
 void digital_poll_next_tech(struct nfc_digital_dev *ddev)
 {
+        u8 rand_mod;
        digital_switch_rf(ddev, 0);
        mutex_lock(&ddev->poll_lock);
@@ -395,8 +397,8 @@ void digital_poll_next_tech(struct nfc_digital_dev *ddev)
                return;
        }
-        ddev->poll_tech_index = (ddev->poll_tech_index + 1) %
+        get_random_bytes(&rand_mod, sizeof(rand_mod));
-                                ddev->poll_tech_count;
+        ddev->poll_tech_index = rand_mod % ddev->poll_tech_count;
        mutex_unlock(&ddev->poll_lock);
diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
index d4ed25ff723f..171cb9949ab5 100644
--- a/net/nfc/digital_dep.c
+++ b/net/nfc/digital_dep.c
@@ -224,9 +224,8 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        ddev->skb_add_crc(skb);
-        digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res, target);
+        return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
+                                   target);
-        return 0;
 }
 static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index 12a233e9ece5..c2c1c0189b7c 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -613,7 +613,7 @@ exit:
                digital_poll_next_tech(ddev);
 }
-int digital_in_send_attrib_req(struct nfc_digital_dev *ddev,
+static int digital_in_send_attrib_req(struct nfc_digital_dev *ddev,
                               struct nfc_target *target,
                               struct digital_sensb_res *sensb_res)
 {
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 8627c75063e2..55eefee311eb 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -31,14 +31,14 @@ static struct nfc_sock_list raw_sk_list = {
        .lock = __RW_LOCK_UNLOCKED(raw_sk_list.lock)
 };
-void nfc_sock_link(struct nfc_sock_list *l, struct sock *sk)
+static void nfc_sock_link(struct nfc_sock_list *l, struct sock *sk)
 {
        write_lock(&l->lock);
        sk_add_node(sk, &l->head);
        write_unlock(&l->lock);
 }
-void nfc_sock_unlink(struct nfc_sock_list *l, struct sock *sk)
+static void nfc_sock_unlink(struct nfc_sock_list *l, struct sock *sk)
 {
        write_lock(&l->lock);
        sk_del_node_init(sk);
diff --git a/net/wireless/core.c b/net/wireless/core.c
index d03d8bdb29ca..a1c40654dd9b 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -130,7 +130,7 @@ int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
                            newname))
                pr_err("failed to rename debugfs dir to %s!\n", newname);
-        nl80211_notify_dev_rename(rdev);
+        nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
        return 0;
 }
@@ -660,6 +660,8 @@ int wiphy_register(struct wiphy *wiphy)
                return res;
        }
+        nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
        return 0;
 }
 EXPORT_SYMBOL(wiphy_register);
@@ -698,6 +700,7 @@ void wiphy_unregister(struct wiphy *wiphy)
                rfkill_unregister(rdev->rfkill);
        rtnl_lock();
+        nl80211_notify_wiphy(rdev, NL80211_CMD_DEL_WIPHY);
        rdev->wiphy.registered = false;
        WARN_ON(!list_empty(&rdev->wdev_list));
diff --git a/net/wireless/genregdb.awk b/net/wireless/genregdb.awk
index b35da8dc85de..40c37fc5b67c 100644
--- a/net/wireless/genregdb.awk
+++ b/net/wireless/genregdb.awk
@@ -68,17 +68,7 @@ function parse_reg_rule()
        sub(/,/, "", units)
        dfs_cac = $9
        if (units == "mW") {
-                if (power == 100) {
+                power = 10 * log(power)/log(10)
-                        power = 20
-                } else if (power == 200) {
-                        power = 23
-                } else if (power == 500) {
-                        power = 27
-                } else if (power == 1000) {
-                        power = 30
-                } else {
-                        print "Unknown power value in database!"
-                }
        } else {
                dfs_cac = $8
        }
@@ -117,7 +107,7 @@ function parse_reg_rule()
        }
        flags = flags "0"
-        printf "\t\tREG_RULE_EXT(%d, %d, %d, %d, %d, %d, %s),\n", start, end, bw, gain, power, dfs_cac, flags
+        printf "\t\tREG_RULE_EXT(%d, %d, %d, %d, %.0f, %d, %s),\n", start, end, bw, gain, power, dfs_cac, flags
        rules++
 }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 62bdb1adaa4d..ba4f1723c83a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1226,6 +1226,7 @@ struct nl80211_dump_wiphy_state {
 };
 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
+                              enum nl80211_commands cmd,
                              struct sk_buff *msg, u32 portid, u32 seq,
                              int flags, struct nl80211_dump_wiphy_state *state)
 {
@@ -1240,7 +1241,7 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                                rdev->wiphy.mgmt_stypes;
        u32 features;
-        hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
+        hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
        if (!hdr)
                return -ENOBUFS;
@@ -1254,6 +1255,9 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                        cfg80211_rdev_list_generation))
                goto nla_put_failure;
+        if (cmd != NL80211_CMD_NEW_WIPHY)
+                goto finish;
        switch (state->split_start) {
        case 0:
                if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
@@ -1682,6 +1686,7 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                state->split_start = 0;
                break;
        }
+ finish:
        return genlmsg_end(msg, hdr);
 nla_put_failure:
@@ -1756,7 +1761,8 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                        continue;
                /* attempt to fit multiple wiphy data chunks into the skb */
                do {
-                        ret = nl80211_send_wiphy(rdev, skb,
+                        ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
+                                                 skb,
                                                 NETLINK_CB(cb->skb).portid,
                                                 cb->nlh->nlmsg_seq,
                                                 NLM_F_MULTI, state);
@@ -1811,7 +1817,8 @@ static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
        if (!msg)
                return -ENOMEM;
-        if (nl80211_send_wiphy(rdev, msg, info->snd_portid, info->snd_seq, 0,
+        if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
+                               info->snd_portid, info->snd_seq, 0,
                               &state) < 0) {
                nlmsg_free(msg);
                return -ENOBUFS;
@@ -10101,16 +10108,20 @@ static const struct genl_ops nl80211_ops[] = {
 /* notification functions */
-void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev)
+void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
+                          enum nl80211_commands cmd)
 {
        struct sk_buff *msg;
        struct nl80211_dump_wiphy_state state = {};
+        WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
+                cmd != NL80211_CMD_DEL_WIPHY);
        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
        if (!msg)
                return;
-        if (nl80211_send_wiphy(rdev, msg, 0, 0, 0, &state) < 0) {
+        if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
                nlmsg_free(msg);
                return;
        }
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index 1e6df9630f42..49c9a482dd12 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -5,7 +5,8 @@
 int nl80211_init(void);
 void nl80211_exit(void);
-void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
+void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
+                          enum nl80211_commands cmd);
 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
                             struct wireless_dev *wdev);
 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
author	John W. Linville <linville@tuxdriver.com>	2014-06-02 11:20:17 -0400
committer	John W. Linville <linville@tuxdriver.com>	2014-06-02 11:20:17 -0400
commit	fcb2c0d6cf75750e2912b09a3d0a782c90e2b1a0 (patch)
tree	a17982638b066ae29f8ab1a6e37f18e6dddb5272
parent	96b2e73c5471542cb9c622c4360716684f8797ed (diff)
parent	a715c7ddd65a1a3b2839b8ebd759bb2d361f7675 (diff)