Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next

John W. Linville says: ==================== pull request: wireless-next 2014-06-02 Please pull this remaining batch of updates intended for the 3.16 stream... For the mac80211 bits, Johannes says: "The remainder for -next right now is mostly fixes, and a handful of small new things like some CSA infrastructure, the regdb script mW/dBm conversion change and sending wiphy notifications." For the bluetooth bits, Gustavo says: "Some more patches for 3.16. There is nothing really special here, just a bunch of clean ups, fixes plus some small improvements. Please pull." For the nfc bits, Samuel says: "We have: - Felica (Type3) tags support for trf7970a - Type 4b tags support for port100 - st21nfca DTS typo fix - A few sparse warning fixes" For the atheros bits, Kalle says: "Ben added support for setting antenna configurations. Michal improved warm reset so that we would not need to fall back to cold reset that often, an issue where ath10k stripped protected flag while in monitor mode and made module initialisation asynchronous to fix the problems with firmware loading when the driver is linked to the kernel. Luca removed unused channel_switch_beacon callbacks both from ath9k and ath10k. Marek fixed Protected Management Frames (PMF) when using Action Frames. Also we had other small fixes everywhere in the driver." Along with that, there are a handful of updates to a variety of drivers. This includes updates to at76c50x-usb, ath9k, b43, brcmfmac, mwifiex, rsi, rtlwifi, and wil6210. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-06-02 14:17:35 -0400
committer: David S. Miller <davem@davemloft.net> 2014-06-02 14:17:35 -0400
commit: 31595de219e8a1a2ed7aeccbe4f18e44f2d2db00 (patch)
tree: 7fde4fc831867b18e384953a18f50919ccc9245f
parent: 73f156a6e8c1074ac6327e0abd1169e95eb66463 (diff)
parent: fcb2c0d6cf75750e2912b09a3d0a782c90e2b1a0 (diff)
88 files changed, 2174 insertions, 997 deletions
diff --git a/Documentation/devicetree/bindings/net/nfc/st21nfca.txt b/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
index 4724fe669172..e4faa2e8dfeb 100644
--- a/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
+++ b/Documentation/devicetree/bindings/net/nfc/st21nfca.txt
@@ -1,7 +1,7 @@
 * STMicroelectronics SAS. ST21NFCA NFC Controller
 Required properties:
- compatible: Should be "st,st21nfca-i2c".
+- compatible: Should be "st,st21nfca_i2c".
 - clock-frequency: I²C work frequency.
 - reg: address on the bus
 - interrupt-parent: phandle for the interrupt gpio controller
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a7dfbf9a3afb..a1c80b0c7663 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -49,6 +49,7 @@ static struct usb_driver btusb_driver;
 #define BTUSB_WRONG_SCO_MTU     0x40
 #define BTUSB_ATH3012           0x80
 #define BTUSB_INTEL             0x100
+#define BTUSB_BCM_PATCHRAM      0x200
 static const struct usb_device_id btusb_table[] = {
        /* Generic Bluetooth USB device */
@@ -111,7 +112,8 @@ static const struct usb_device_id btusb_table[] = {
        { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
        /* Broadcom devices with vendor specific id */
-        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
+        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
+          .driver_info = BTUSB_BCM_PATCHRAM },
        /* Belkin F8065bf - Broadcom based */
        { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
@@ -1381,6 +1383,154 @@ exit_mfg_deactivate:
        return 0;
 }
+static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
+{
+        struct btusb_data *data = hci_get_drvdata(hdev);
+        struct usb_device *udev = data->udev;
+        char fw_name[64];
+        const struct firmware *fw;
+        const u8 *fw_ptr;
+        size_t fw_size;
+        const struct hci_command_hdr *cmd;
+        const u8 *cmd_param;
+        u16 opcode;
+        struct sk_buff *skb;
+        struct hci_rp_read_local_version *ver;
+        long ret;
+        snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
+                 udev->product ? udev->product : "BCM",
+                 le16_to_cpu(udev->descriptor.idVendor),
+                 le16_to_cpu(udev->descriptor.idProduct));
+        ret = request_firmware(&fw, fw_name, &hdev->dev);
+        if (ret < 0) {
+                BT_INFO("%s: BCM: patch %s not found", hdev->name,
+                        fw_name);
+                return 0;
+        }
+        /* Reset */
+        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
+                goto done;
+        }
+        kfree_skb(skb);
+        /* Read Local Version Info */
+        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
+                             HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
+                        hdev->name, ret);
+                goto done;
+        }
+        if (skb->len != sizeof(*ver)) {
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
+                        hdev->name);
+                kfree_skb(skb);
+                ret = -EIO;
+                goto done;
+        }
+        ver = (struct hci_rp_read_local_version *) skb->data;
+        BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
+                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
+                ver->lmp_ver, ver->lmp_subver);
+        kfree_skb(skb);
+        /* Start Download */
+        skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
+                        hdev->name, ret);
+                goto reset_fw;
+        }
+        kfree_skb(skb);
+        /* 50 msec delay after Download Minidrv completes */
+        msleep(50);
+        fw_ptr = fw->data;
+        fw_size = fw->size;
+        while (fw_size >= sizeof(*cmd)) {
+                cmd = (struct hci_command_hdr *) fw_ptr;
+                fw_ptr += sizeof(*cmd);
+                fw_size -= sizeof(*cmd);
+                if (fw_size < cmd->plen) {
+                        BT_ERR("%s: BCM: patch %s is corrupted",
+                                hdev->name, fw_name);
+                        ret = -EINVAL;
+                        goto reset_fw;
+                }
+                cmd_param = fw_ptr;
+                fw_ptr += cmd->plen;
+                fw_size -= cmd->plen;
+                opcode = le16_to_cpu(cmd->opcode);
+                skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
+                                     HCI_INIT_TIMEOUT);
+                if (IS_ERR(skb)) {
+                        ret = PTR_ERR(skb);
+                        BT_ERR("%s: BCM: patch command %04x failed (%ld)",
+                                hdev->name, opcode, ret);
+                        goto reset_fw;
+                }
+                kfree_skb(skb);
+        }
+        /* 250 msec delay after Launch Ram completes */
+        msleep(250);
+reset_fw:
+        /* Reset */
+        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
+                goto done;
+        }
+        kfree_skb(skb);
+        /* Read Local Version Info */
+        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
+                             HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                ret = PTR_ERR(skb);
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
+                        hdev->name, ret);
+                goto done;
+        }
+        if (skb->len != sizeof(*ver)) {
+                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
+                        hdev->name);
+                kfree_skb(skb);
+                ret = -EIO;
+                goto done;
+        }
+        ver = (struct hci_rp_read_local_version *) skb->data;
+        BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
+                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
+                ver->lmp_ver, ver->lmp_subver);
+        kfree_skb(skb);
+done:
+        release_firmware(fw);
+        return ret;
+}
 static int btusb_probe(struct usb_interface *intf,
                                const struct usb_device_id *id)
 {
@@ -1486,6 +1636,9 @@ static int btusb_probe(struct usb_interface *intf,
        if (id->driver_info & BTUSB_BCM92035)
                hdev->setup = btusb_setup_bcm92035;
+        if (id->driver_info & BTUSB_BCM_PATCHRAM)
+                hdev->setup = btusb_setup_bcm_patchram;
        if (id->driver_info & BTUSB_INTEL)
                hdev->setup = btusb_setup_intel;
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index 99b3bfa717d5..10fd12ec85be 100644
--- a/drivers/net/wireless/at76c50x-usb.c
+++ b/drivers/net/wireless/at76c50x-usb.c
@@ -365,15 +365,15 @@ static inline unsigned long at76_get_timeout(struct dfu_status *s)
 static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                                int manifest_sync_timeout)
 {
-        u8 *block;
-        struct dfu_status dfu_stat_buf;
        int ret = 0;
        int need_dfu_state = 1;
        int is_done = 0;
-        u8 dfu_state = 0;
        u32 dfu_timeout = 0;
        int bsize = 0;
        int blockno = 0;
+        struct dfu_status *dfu_stat_buf = NULL;
+        u8 *dfu_state = NULL;
+        u8 *block = NULL;
        at76_dbg(DBG_DFU, "%s( %p, %u, %d)", __func__, buf, size,
                 manifest_sync_timeout);
@@ -383,13 +383,28 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                return -EINVAL;
        }
+        dfu_stat_buf = kmalloc(sizeof(struct dfu_status), GFP_KERNEL);
+        if (!dfu_stat_buf) {
+                ret = -ENOMEM;
+                goto exit;
+        }
        block = kmalloc(FW_BLOCK_SIZE, GFP_KERNEL);
-        if (!block)
+        if (!block) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto exit;
+        }
+        dfu_state = kmalloc(sizeof(u8), GFP_KERNEL);
+        if (!dfu_state) {
+                ret = -ENOMEM;
+                goto exit;
+        }
+        *dfu_state = 0;
        do {
                if (need_dfu_state) {
-                        ret = at76_dfu_get_state(udev, &dfu_state);
+                        ret = at76_dfu_get_state(udev, dfu_state);
                        if (ret < 0) {
                                dev_err(&udev->dev,
                                        "cannot get DFU state: %d\n", ret);
@@ -398,13 +413,13 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                        need_dfu_state = 0;
                }
-                switch (dfu_state) {
+                switch (*dfu_state) {
                case STATE_DFU_DOWNLOAD_SYNC:
                        at76_dbg(DBG_DFU, "STATE_DFU_DOWNLOAD_SYNC");
-                        ret = at76_dfu_get_status(udev, &dfu_stat_buf);
+                        ret = at76_dfu_get_status(udev, dfu_stat_buf);
                        if (ret >= 0) {
-                                dfu_state = dfu_stat_buf.state;
+                                *dfu_state = dfu_stat_buf->state;
-                                dfu_timeout = at76_get_timeout(&dfu_stat_buf);
+                                dfu_timeout = at76_get_timeout(dfu_stat_buf);
                                need_dfu_state = 0;
                        } else
                                dev_err(&udev->dev,
@@ -447,12 +462,12 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                case STATE_DFU_MANIFEST_SYNC:
                        at76_dbg(DBG_DFU, "STATE_DFU_MANIFEST_SYNC");
-                        ret = at76_dfu_get_status(udev, &dfu_stat_buf);
+                        ret = at76_dfu_get_status(udev, dfu_stat_buf);
                        if (ret < 0)
                                break;
-                        dfu_state = dfu_stat_buf.state;
+                        *dfu_state = dfu_stat_buf->state;
-                        dfu_timeout = at76_get_timeout(&dfu_stat_buf);
+                        dfu_timeout = at76_get_timeout(dfu_stat_buf);
                        need_dfu_state = 0;
                        /* override the timeout from the status response,
@@ -484,14 +499,17 @@ static int at76_usbdfu_download(struct usb_device *udev, u8 *buf, u32 size,
                        break;
                default:
-                        at76_dbg(DBG_DFU, "DFU UNKNOWN STATE (%d)", dfu_state);
+                        at76_dbg(DBG_DFU, "DFU UNKNOWN STATE (%d)", *dfu_state);
                        ret = -EINVAL;
                        break;
                }
        } while (!is_done && (ret >= 0));
 exit:
+        kfree(dfu_state);
        kfree(block);
+        kfree(dfu_stat_buf);
        if (ret >= 0)
                ret = 0;
@@ -1277,6 +1295,7 @@ static int at76_load_external_fw(struct usb_device *udev, struct fwentry *fwe)
                        dev_err(&udev->dev,
                                "loading %dth firmware block failed: %d\n",
                                blockno, ret);
+                        ret = -EIO;
                        goto exit;
                }
                buf += bsize;
@@ -2020,6 +2039,44 @@ static void at76_configure_filter(struct ieee80211_hw *hw,
        ieee80211_queue_work(hw, &priv->work_set_promisc);
 }
+static int at76_set_wep(struct at76_priv *priv)
+{
+        int ret = 0;
+        struct mib_mac_wep *mib_data = &priv->mib_buf.data.wep_mib;
+        priv->mib_buf.type = MIB_MAC_WEP;
+        priv->mib_buf.size = sizeof(struct mib_mac_wep);
+        priv->mib_buf.index = 0;
+        memset(mib_data, 0, sizeof(*mib_data));
+        if (priv->wep_enabled) {
+                if (priv->wep_keys_len[priv->wep_key_id] > WEP_SMALL_KEY_LEN)
+                        mib_data->encryption_level = 2;
+                else
+                        mib_data->encryption_level = 1;
+                /* always exclude unencrypted if WEP is active */
+                mib_data->exclude_unencrypted = 1;
+        } else {
+                mib_data->exclude_unencrypted = 0;
+                mib_data->encryption_level = 0;
+        }
+        mib_data->privacy_invoked = priv->wep_enabled;
+        mib_data->wep_default_key_id = priv->wep_key_id;
+        memcpy(mib_data->wep_default_keyvalue, priv->wep_keys,
+               sizeof(priv->wep_keys));
+        ret = at76_set_mib(priv, &priv->mib_buf);
+        if (ret < 0)
+                wiphy_err(priv->hw->wiphy,
+                          "set_mib (wep) failed: %d\n", ret);
+        return ret;
+}
 static int at76_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
                        struct ieee80211_vif *vif, struct ieee80211_sta *sta,
                        struct ieee80211_key_conf *key)
@@ -2062,7 +2119,7 @@ static int at76_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
                        priv->wep_enabled = 1;
        }
-        at76_startup_device(priv);
+        at76_set_wep(priv);
        mutex_unlock(&priv->mtx);
@@ -2330,16 +2387,22 @@ static int at76_probe(struct usb_interface *interface,
        struct usb_device *udev;
        int op_mode;
        int need_ext_fw = 0;
-        struct mib_fw_version fwv;
+        struct mib_fw_version *fwv = NULL;
        int board_type = (int)id->driver_info;
        udev = usb_get_dev(interface_to_usbdev(interface));
+        fwv = kmalloc(sizeof(*fwv), GFP_KERNEL);
+        if (!fwv) {
+                ret = -ENOMEM;
+                goto exit;
+        }
        /* Load firmware into kernel memory */
        fwe = at76_load_firmware(udev, board_type);
        if (!fwe) {
                ret = -ENOENT;
-                goto error;
+                goto exit;
        }
        op_mode = at76_get_op_mode(udev);
@@ -2353,7 +2416,7 @@ static int at76_probe(struct usb_interface *interface,
                dev_err(&interface->dev,
                        "cannot handle a device in HW_CONFIG_MODE\n");
                ret = -EBUSY;
-                goto error;
+                goto exit;
        }
        if (op_mode != OPMODE_NORMAL_NIC_WITH_FLASH
@@ -2366,10 +2429,10 @@ static int at76_probe(struct usb_interface *interface,
                        dev_err(&interface->dev,
                                "error %d downloading internal firmware\n",
                                ret);
-                        goto error;
+                        goto exit;
                }
                usb_put_dev(udev);
-                return ret;
+                goto exit;
        }
        /* Internal firmware already inside the device.  Get firmware
@@ -2382,8 +2445,8 @@ static int at76_probe(struct usb_interface *interface,
         * query the device for the fw version */
        if ((fwe->fw_version.major > 0 || fwe->fw_version.minor >= 100)
            || (op_mode == OPMODE_NORMAL_NIC_WITH_FLASH)) {
-                ret = at76_get_mib(udev, MIB_FW_VERSION, &fwv, sizeof(fwv));
+                ret = at76_get_mib(udev, MIB_FW_VERSION, fwv, sizeof(*fwv));
-                if (ret < 0 || (fwv.major | fwv.minor) == 0)
+                if (ret < 0 || (fwv->major | fwv->minor) == 0)
                        need_ext_fw = 1;
        } else
                /* No way to check firmware version, reload to be sure */
@@ -2394,37 +2457,37 @@ static int at76_probe(struct usb_interface *interface,
                           "downloading external firmware\n");
                ret = at76_load_external_fw(udev, fwe);
-                if (ret)
+                if (ret < 0)
-                        goto error;
+                        goto exit;
                /* Re-check firmware version */
-                ret = at76_get_mib(udev, MIB_FW_VERSION, &fwv, sizeof(fwv));
+                ret = at76_get_mib(udev, MIB_FW_VERSION, fwv, sizeof(*fwv));
                if (ret < 0) {
                        dev_err(&interface->dev,
                                "error %d getting firmware version\n", ret);
-                        goto error;
+                        goto exit;
                }
        }
        priv = at76_alloc_new_device(udev);
        if (!priv) {
                ret = -ENOMEM;
-                goto error;
+                goto exit;
        }
        usb_set_intfdata(interface, priv);
-        memcpy(&priv->fw_version, &fwv, sizeof(struct mib_fw_version));
+        memcpy(&priv->fw_version, fwv, sizeof(struct mib_fw_version));
        priv->board_type = board_type;
        ret = at76_init_new_device(priv, interface);
        if (ret < 0)
                at76_delete_device(priv);
-        return ret;
+exit:
+        kfree(fwv);
-error:
+        if (ret < 0)
-        usb_put_dev(udev);
+                usb_put_dev(udev);
        return ret;
 }
diff --git a/drivers/net/wireless/at76c50x-usb.h b/drivers/net/wireless/at76c50x-usb.h
index f14a65473fe8..4718aa59f051 100644
--- a/drivers/net/wireless/at76c50x-usb.h
+++ b/drivers/net/wireless/at76c50x-usb.h
@@ -219,18 +219,6 @@ struct at76_req_join {
        u8 reserved;
 } __packed;
-struct set_mib_buffer {
-        u8 type;
-        u8 size;
-        u8 index;
-        u8 reserved;
-        union {
-                u8 byte;
-                __le16 word;
-                u8 addr[ETH_ALEN];
-        } data;
-} __packed;
 struct mib_local {
        u16 reserved0;
        u8 beacon_enable;
@@ -334,6 +322,19 @@ struct mib_mdomain {
        u8 channel_list[14];    /* 0 for invalid channels */
 } __packed;
+struct set_mib_buffer {
+        u8 type;
+        u8 size;
+        u8 index;
+        u8 reserved;
+        union {
+                u8 byte;
+                __le16 word;
+                u8 addr[ETH_ALEN];
+                struct mib_mac_wep wep_mib;
+        } data;
+} __packed;
 struct at76_fw_header {
        __le32 crc;             /* CRC32 of the whole image */
        __le32 board_type;      /* firmware compatibility code */
diff --git a/drivers/net/wireless/ath/ath10k/bmi.h b/drivers/net/wireless/ath/ath10k/bmi.h
index 3a9bdf51c96a..111ab701465c 100644
--- a/drivers/net/wireless/ath/ath10k/bmi.h
+++ b/drivers/net/wireless/ath/ath10k/bmi.h
@@ -201,7 +201,8 @@ int ath10k_bmi_write_memory(struct ath10k *ar, u32 address,
                                                                        \
                addr = host_interest_item_address(HI_ITEM(item));       \
                ret = ath10k_bmi_read_memory(ar, addr, (u8 *)&tmp, 4); \
-                *val = __le32_to_cpu(tmp);                              \
+                if (!ret)                                               \
+                        *val = __le32_to_cpu(tmp);                      \
                ret;                                                    \
         })
diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
index 1e4cad8632b5..d185dc0cd12b 100644
--- a/drivers/net/wireless/ath/ath10k/ce.c
+++ b/drivers/net/wireless/ath/ath10k/ce.c
@@ -329,6 +329,33 @@ exit:
        return ret;
 }
+void __ath10k_ce_send_revert(struct ath10k_ce_pipe *pipe)
+{
+        struct ath10k *ar = pipe->ar;
+        struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
+        struct ath10k_ce_ring *src_ring = pipe->src_ring;
+        u32 ctrl_addr = pipe->ctrl_addr;
+        lockdep_assert_held(&ar_pci->ce_lock);
+        /*
+         * This function must be called only if there is an incomplete
+         * scatter-gather transfer (before index register is updated)
+         * that needs to be cleaned up.
+         */
+        if (WARN_ON_ONCE(src_ring->write_index == src_ring->sw_index))
+                return;
+        if (WARN_ON_ONCE(src_ring->write_index ==
+                         ath10k_ce_src_ring_write_index_get(ar, ctrl_addr)))
+                return;
+        src_ring->write_index--;
+        src_ring->write_index &= src_ring->nentries_mask;
+        src_ring->per_transfer_context[src_ring->write_index] = NULL;
+}
 int ath10k_ce_send(struct ath10k_ce_pipe *ce_state,
                   void *per_transfer_context,
                   u32 buffer,
diff --git a/drivers/net/wireless/ath/ath10k/ce.h b/drivers/net/wireless/ath/ath10k/ce.h
index fd0bc3561e42..7a5a36fc59c1 100644
--- a/drivers/net/wireless/ath/ath10k/ce.h
+++ b/drivers/net/wireless/ath/ath10k/ce.h
@@ -160,6 +160,8 @@ int ath10k_ce_send_nolock(struct ath10k_ce_pipe *ce_state,
                          unsigned int transfer_id,
                          unsigned int flags);
+void __ath10k_ce_send_revert(struct ath10k_ce_pipe *pipe);
 void ath10k_ce_send_cb_register(struct ath10k_ce_pipe *ce_state,
                                void (*send_cb)(struct ath10k_ce_pipe *),
                                int disable_interrupts);
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index 75b3dfbd6509..82017f56e661 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -58,36 +58,6 @@ static void ath10k_send_suspend_complete(struct ath10k *ar)
        complete(&ar->target_suspend);
 }
-static int ath10k_init_connect_htc(struct ath10k *ar)
-{
-        int status;
-        status = ath10k_wmi_connect_htc_service(ar);
-        if (status)
-                goto conn_fail;
-        /* Start HTC */
-        status = ath10k_htc_start(&ar->htc);
-        if (status)
-                goto conn_fail;
-        /* Wait for WMI event to be ready */
-        status = ath10k_wmi_wait_for_service_ready(ar);
-        if (status <= 0) {
-                ath10k_warn("wmi service ready event not received");
-                status = -ETIMEDOUT;
-                goto timeout;
-        }
-        ath10k_dbg(ATH10K_DBG_BOOT, "boot wmi ready\n");
-        return 0;
-timeout:
-        ath10k_htc_stop(&ar->htc);
-conn_fail:
-        return status;
-}
 static int ath10k_init_configure_target(struct ath10k *ar)
 {
        u32 param_host;
@@ -681,7 +651,8 @@ static void ath10k_core_restart(struct work_struct *work)
        switch (ar->state) {
        case ATH10K_STATE_ON:
                ar->state = ATH10K_STATE_RESTARTING;
-                ath10k_halt(ar);
+                del_timer_sync(&ar->scan.timeout);
+                ath10k_reset_scan((unsigned long)ar);
                ieee80211_restart_hw(ar->hw);
                break;
        case ATH10K_STATE_OFF:
@@ -690,6 +661,8 @@ static void ath10k_core_restart(struct work_struct *work)
                ath10k_warn("cannot restart a device that hasn't been started\n");
                break;
        case ATH10K_STATE_RESTARTING:
+                /* hw restart might be requested from multiple places */
+                break;
        case ATH10K_STATE_RESTARTED:
                ar->state = ATH10K_STATE_WEDGED;
                /* fall through */
@@ -701,70 +674,6 @@ static void ath10k_core_restart(struct work_struct *work)
        mutex_unlock(&ar->conf_mutex);
 }
-struct ath10k *ath10k_core_create(void *hif_priv, struct device *dev,
-                                  const struct ath10k_hif_ops *hif_ops)
-{
-        struct ath10k *ar;
-        ar = ath10k_mac_create();
-        if (!ar)
-                return NULL;
-        ar->ath_common.priv = ar;
-        ar->ath_common.hw = ar->hw;
-        ar->p2p = !!ath10k_p2p;
-        ar->dev = dev;
-        ar->hif.priv = hif_priv;
-        ar->hif.ops = hif_ops;
-        init_completion(&ar->scan.started);
-        init_completion(&ar->scan.completed);
-        init_completion(&ar->scan.on_channel);
-        init_completion(&ar->target_suspend);
-        init_completion(&ar->install_key_done);
-        init_completion(&ar->vdev_setup_done);
-        setup_timer(&ar->scan.timeout, ath10k_reset_scan, (unsigned long)ar);
-        ar->workqueue = create_singlethread_workqueue("ath10k_wq");
-        if (!ar->workqueue)
-                goto err_wq;
-        mutex_init(&ar->conf_mutex);
-        spin_lock_init(&ar->data_lock);
-        INIT_LIST_HEAD(&ar->peers);
-        init_waitqueue_head(&ar->peer_mapping_wq);
-        init_completion(&ar->offchan_tx_completed);
-        INIT_WORK(&ar->offchan_tx_work, ath10k_offchan_tx_work);
-        skb_queue_head_init(&ar->offchan_tx_queue);
-        INIT_WORK(&ar->wmi_mgmt_tx_work, ath10k_mgmt_over_wmi_tx_work);
-        skb_queue_head_init(&ar->wmi_mgmt_tx_queue);
-        INIT_WORK(&ar->restart_work, ath10k_core_restart);
-        return ar;
-err_wq:
-        ath10k_mac_destroy(ar);
-        return NULL;
-}
-EXPORT_SYMBOL(ath10k_core_create);
-void ath10k_core_destroy(struct ath10k *ar)
-{
-        flush_workqueue(ar->workqueue);
-        destroy_workqueue(ar->workqueue);
-        ath10k_mac_destroy(ar);
-}
-EXPORT_SYMBOL(ath10k_core_destroy);
 int ath10k_core_start(struct ath10k *ar)
 {
        int status;
@@ -805,10 +714,28 @@ int ath10k_core_start(struct ath10k *ar)
                goto err;
        }
+        status = ath10k_htt_init(ar);
+        if (status) {
+                ath10k_err("failed to init htt: %d\n", status);
+                goto err_wmi_detach;
+        }
+        status = ath10k_htt_tx_alloc(&ar->htt);
+        if (status) {
+                ath10k_err("failed to alloc htt tx: %d\n", status);
+                goto err_wmi_detach;
+        }
+        status = ath10k_htt_rx_alloc(&ar->htt);
+        if (status) {
+                ath10k_err("failed to alloc htt rx: %d\n", status);
+                goto err_htt_tx_detach;
+        }
        status = ath10k_hif_start(ar);
        if (status) {
                ath10k_err("could not start HIF: %d\n", status);
-                goto err_wmi_detach;
+                goto err_htt_rx_detach;
        }
        status = ath10k_htc_wait_target(&ar->htc);
@@ -817,15 +744,30 @@ int ath10k_core_start(struct ath10k *ar)
                goto err_hif_stop;
        }
-        status = ath10k_htt_attach(ar);
+        status = ath10k_htt_connect(&ar->htt);
        if (status) {
-                ath10k_err("could not attach htt (%d)\n", status);
+                ath10k_err("failed to connect htt (%d)\n", status);
                goto err_hif_stop;
        }
-        status = ath10k_init_connect_htc(ar);
+        status = ath10k_wmi_connect(ar);
-        if (status)
+        if (status) {
-                goto err_htt_detach;
+                ath10k_err("could not connect wmi: %d\n", status);
+                goto err_hif_stop;
+        }
+        status = ath10k_htc_start(&ar->htc);
+        if (status) {
+                ath10k_err("failed to start htc: %d\n", status);
+                goto err_hif_stop;
+        }
+        status = ath10k_wmi_wait_for_service_ready(ar);
+        if (status <= 0) {
+                ath10k_warn("wmi service ready event not received");
+                status = -ETIMEDOUT;
+                goto err_htc_stop;
+        }
        ath10k_dbg(ATH10K_DBG_BOOT, "firmware %s booted\n",
                   ar->hw->wiphy->fw_version);
@@ -833,23 +775,25 @@ int ath10k_core_start(struct ath10k *ar)
        status = ath10k_wmi_cmd_init(ar);
        if (status) {
                ath10k_err("could not send WMI init command (%d)\n", status);
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        }
        status = ath10k_wmi_wait_for_unified_ready(ar);
        if (status <= 0) {
                ath10k_err("wmi unified ready event not received\n");
                status = -ETIMEDOUT;
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        }
-        status = ath10k_htt_attach_target(&ar->htt);
+        status = ath10k_htt_setup(&ar->htt);
-        if (status)
+        if (status) {
-                goto err_disconnect_htc;
+                ath10k_err("failed to setup htt: %d\n", status);
+                goto err_htc_stop;
+        }
        status = ath10k_debug_start(ar);
        if (status)
-                goto err_disconnect_htc;
+                goto err_htc_stop;
        ar->free_vdev_map = (1 << TARGET_NUM_VDEVS) - 1;
        INIT_LIST_HEAD(&ar->arvifs);
@@ -868,12 +812,14 @@ int ath10k_core_start(struct ath10k *ar)
        return 0;
-err_disconnect_htc:
+err_htc_stop:
        ath10k_htc_stop(&ar->htc);
-err_htt_detach:
-        ath10k_htt_detach(&ar->htt);
 err_hif_stop:
        ath10k_hif_stop(ar);
+err_htt_rx_detach:
+        ath10k_htt_rx_free(&ar->htt);
+err_htt_tx_detach:
+        ath10k_htt_tx_free(&ar->htt);
 err_wmi_detach:
        ath10k_wmi_detach(ar);
 err:
@@ -913,7 +859,9 @@ void ath10k_core_stop(struct ath10k *ar)
        ath10k_debug_stop(ar);
        ath10k_htc_stop(&ar->htc);
-        ath10k_htt_detach(&ar->htt);
+        ath10k_hif_stop(ar);
+        ath10k_htt_tx_free(&ar->htt);
+        ath10k_htt_rx_free(&ar->htt);
        ath10k_wmi_detach(ar);
 }
 EXPORT_SYMBOL(ath10k_core_stop);
@@ -1005,22 +953,15 @@ static int ath10k_core_check_chip_id(struct ath10k *ar)
        return 0;
 }
-int ath10k_core_register(struct ath10k *ar, u32 chip_id)
+static void ath10k_core_register_work(struct work_struct *work)
 {
+        struct ath10k *ar = container_of(work, struct ath10k, register_work);
        int status;
-        ar->chip_id = chip_id;
-        status = ath10k_core_check_chip_id(ar);
-        if (status) {
-                ath10k_err("Unsupported chip id 0x%08x\n", ar->chip_id);
-                return status;
-        }
        status = ath10k_core_probe_fw(ar);
        if (status) {
                ath10k_err("could not probe fw (%d)\n", status);
-                return status;
+                goto err;
        }
        status = ath10k_mac_register(ar);
@@ -1035,18 +976,43 @@ int ath10k_core_register(struct ath10k *ar, u32 chip_id)
                goto err_unregister_mac;
        }
-        return 0;
+        set_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags);
+        return;
 err_unregister_mac:
        ath10k_mac_unregister(ar);
 err_release_fw:
        ath10k_core_free_firmware_files(ar);
-        return status;
+err:
+        device_release_driver(ar->dev);
+        return;
+}
+int ath10k_core_register(struct ath10k *ar, u32 chip_id)
+{
+        int status;
+        ar->chip_id = chip_id;
+        status = ath10k_core_check_chip_id(ar);
+        if (status) {
+                ath10k_err("Unsupported chip id 0x%08x\n", ar->chip_id);
+                return status;
+        }
+        queue_work(ar->workqueue, &ar->register_work);
+        return 0;
 }
 EXPORT_SYMBOL(ath10k_core_register);
 void ath10k_core_unregister(struct ath10k *ar)
 {
+        cancel_work_sync(&ar->register_work);
+        if (!test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags))
+                return;
        /* We must unregister from mac80211 before we stop HTC and HIF.
         * Otherwise we will fail to submit commands to FW and mac80211 will be
         * unhappy about callback failures. */
@@ -1058,6 +1024,71 @@ void ath10k_core_unregister(struct ath10k *ar)
 }
 EXPORT_SYMBOL(ath10k_core_unregister);
+struct ath10k *ath10k_core_create(void *hif_priv, struct device *dev,
+                                  const struct ath10k_hif_ops *hif_ops)
+{
+        struct ath10k *ar;
+        ar = ath10k_mac_create();
+        if (!ar)
+                return NULL;
+        ar->ath_common.priv = ar;
+        ar->ath_common.hw = ar->hw;
+        ar->p2p = !!ath10k_p2p;
+        ar->dev = dev;
+        ar->hif.priv = hif_priv;
+        ar->hif.ops = hif_ops;
+        init_completion(&ar->scan.started);
+        init_completion(&ar->scan.completed);
+        init_completion(&ar->scan.on_channel);
+        init_completion(&ar->target_suspend);
+        init_completion(&ar->install_key_done);
+        init_completion(&ar->vdev_setup_done);
+        setup_timer(&ar->scan.timeout, ath10k_reset_scan, (unsigned long)ar);
+        ar->workqueue = create_singlethread_workqueue("ath10k_wq");
+        if (!ar->workqueue)
+                goto err_wq;
+        mutex_init(&ar->conf_mutex);
+        spin_lock_init(&ar->data_lock);
+        INIT_LIST_HEAD(&ar->peers);
+        init_waitqueue_head(&ar->peer_mapping_wq);
+        init_completion(&ar->offchan_tx_completed);
+        INIT_WORK(&ar->offchan_tx_work, ath10k_offchan_tx_work);
+        skb_queue_head_init(&ar->offchan_tx_queue);
+        INIT_WORK(&ar->wmi_mgmt_tx_work, ath10k_mgmt_over_wmi_tx_work);
+        skb_queue_head_init(&ar->wmi_mgmt_tx_queue);
+        INIT_WORK(&ar->register_work, ath10k_core_register_work);
+        INIT_WORK(&ar->restart_work, ath10k_core_restart);
+        return ar;
+err_wq:
+        ath10k_mac_destroy(ar);
+        return NULL;
+}
+EXPORT_SYMBOL(ath10k_core_create);
+void ath10k_core_destroy(struct ath10k *ar)
+{
+        flush_workqueue(ar->workqueue);
+        destroy_workqueue(ar->workqueue);
+        ath10k_mac_destroy(ar);
+}
+EXPORT_SYMBOL(ath10k_core_destroy);
 MODULE_AUTHOR("Qualcomm Atheros");
 MODULE_DESCRIPTION("Core module for QCA988X PCIe devices.");
 MODULE_LICENSE("Dual BSD/GPL");
diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h
index 2c1dfd719146..68ceef61933d 100644
--- a/drivers/net/wireless/ath/ath10k/core.h
+++ b/drivers/net/wireless/ath/ath10k/core.h
@@ -335,6 +335,7 @@ enum ath10k_dev_flags {
        /* Indicates that ath10k device is during CAC phase of DFS */
        ATH10K_CAC_RUNNING,
        ATH10K_FLAG_FIRST_BOOT_DONE,
+        ATH10K_FLAG_CORE_REGISTERED,
 };
 struct ath10k {
@@ -440,6 +441,12 @@ struct ath10k {
        bool radar_enabled;
        int num_started_vdevs;
+        /* Protected by conf-mutex */
+        u8 supp_tx_chainmask;
+        u8 supp_rx_chainmask;
+        u8 cfg_tx_chainmask;
+        u8 cfg_rx_chainmask;
        struct wmi_pdev_set_wmm_params_arg wmm_params;
        struct completion install_key_done;
@@ -470,6 +477,7 @@ struct ath10k {
        enum ath10k_state state;
+        struct work_struct register_work;
        struct work_struct restart_work;
        /* cycle count is reported twice for each visited channel during scan.
diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
index 5b58dbb17416..e493db4b4a41 100644
--- a/drivers/net/wireless/ath/ath10k/htc.c
+++ b/drivers/net/wireless/ath/ath10k/htc.c
@@ -830,17 +830,11 @@ int ath10k_htc_start(struct ath10k_htc *htc)
        return 0;
 }
-/*
- * stop HTC communications, i.e. stop interrupt reception, and flush all
- * queued buffers
- */
 void ath10k_htc_stop(struct ath10k_htc *htc)
 {
        spin_lock_bh(&htc->tx_lock);
        htc->stopped = true;
        spin_unlock_bh(&htc->tx_lock);
-        ath10k_hif_stop(htc->ar);
 }
 /* registered target arrival callback from the HIF layer */
diff --git a/drivers/net/wireless/ath/ath10k/htt.c b/drivers/net/wireless/ath/ath10k/htt.c
index 69697af59ce0..19c12cc8d663 100644
--- a/drivers/net/wireless/ath/ath10k/htt.c
+++ b/drivers/net/wireless/ath/ath10k/htt.c
@@ -22,7 +22,7 @@
 #include "core.h"
 #include "debug.h"
-static int ath10k_htt_htc_attach(struct ath10k_htt *htt)
+int ath10k_htt_connect(struct ath10k_htt *htt)
 {
        struct ath10k_htc_svc_conn_req conn_req;
        struct ath10k_htc_svc_conn_resp conn_resp;
@@ -48,39 +48,14 @@ static int ath10k_htt_htc_attach(struct ath10k_htt *htt)
        return 0;
 }
-int ath10k_htt_attach(struct ath10k *ar)
+int ath10k_htt_init(struct ath10k *ar)
 {
        struct ath10k_htt *htt = &ar->htt;
-        int ret;
        htt->ar = ar;
        htt->max_throughput_mbps = 800;
        /*
-         * Connect to HTC service.
-         * This has to be done before calling ath10k_htt_rx_attach,
-         * since ath10k_htt_rx_attach involves sending a rx ring configure
-         * message to the target.
-         */
-        ret = ath10k_htt_htc_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt htc (%d)\n", ret);
-                goto err_htc_attach;
-        }
-        ret = ath10k_htt_tx_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt tx (%d)\n", ret);
-                goto err_htc_attach;
-        }
-        ret = ath10k_htt_rx_attach(htt);
-        if (ret) {
-                ath10k_err("could not attach htt rx (%d)\n", ret);
-                goto err_rx_attach;
-        }
-        /*
         * Prefetch enough data to satisfy target
         * classification engine.
         * This is for LL chips. HL chips will probably
@@ -93,11 +68,6 @@ int ath10k_htt_attach(struct ath10k *ar)
                2; /* ip4 dscp or ip6 priority */
        return 0;
-err_rx_attach:
-        ath10k_htt_tx_detach(htt);
-err_htc_attach:
-        return ret;
 }
 #define HTT_TARGET_VERSION_TIMEOUT_HZ (3*HZ)
@@ -117,7 +87,7 @@ static int ath10k_htt_verify_version(struct ath10k_htt *htt)
        return 0;
 }
-int ath10k_htt_attach_target(struct ath10k_htt *htt)
+int ath10k_htt_setup(struct ath10k_htt *htt)
 {
        int status;
@@ -140,9 +110,3 @@ int ath10k_htt_attach_target(struct ath10k_htt *htt)
        return ath10k_htt_send_rx_ring_cfg_ll(htt);
 }
-void ath10k_htt_detach(struct ath10k_htt *htt)
-{
-        ath10k_htt_rx_detach(htt);
-        ath10k_htt_tx_detach(htt);
-}
diff --git a/drivers/net/wireless/ath/ath10k/htt.h b/drivers/net/wireless/ath/ath10k/htt.h
index 645a563e3fb9..9a263462c793 100644
--- a/drivers/net/wireless/ath/ath10k/htt.h
+++ b/drivers/net/wireless/ath/ath10k/htt.h
@@ -1328,14 +1328,16 @@ struct htt_rx_desc {
 #define HTT_LOG2_MAX_CACHE_LINE_SIZE 7  /* 2^7 = 128 */
 #define HTT_MAX_CACHE_LINE_SIZE_MASK ((1 << HTT_LOG2_MAX_CACHE_LINE_SIZE) - 1)
-int ath10k_htt_attach(struct ath10k *ar);
+int ath10k_htt_connect(struct ath10k_htt *htt);
-int ath10k_htt_attach_target(struct ath10k_htt *htt);
+int ath10k_htt_init(struct ath10k *ar);
-void ath10k_htt_detach(struct ath10k_htt *htt);
+int ath10k_htt_setup(struct ath10k_htt *htt);
-int ath10k_htt_tx_attach(struct ath10k_htt *htt);
+int ath10k_htt_tx_alloc(struct ath10k_htt *htt);
-void ath10k_htt_tx_detach(struct ath10k_htt *htt);
+void ath10k_htt_tx_free(struct ath10k_htt *htt);
-int ath10k_htt_rx_attach(struct ath10k_htt *htt);
-void ath10k_htt_rx_detach(struct ath10k_htt *htt);
+int ath10k_htt_rx_alloc(struct ath10k_htt *htt);
+void ath10k_htt_rx_free(struct ath10k_htt *htt);
 void ath10k_htt_htc_tx_complete(struct ath10k *ar, struct sk_buff *skb);
 void ath10k_htt_t2h_msg_handler(struct ath10k *ar, struct sk_buff *skb);
 int ath10k_htt_h2t_ver_req_msg(struct ath10k_htt *htt);
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index f85a3cf6da31..6c102b1312ff 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -225,10 +225,26 @@ static void ath10k_htt_rx_ring_refill_retry(unsigned long arg)
        ath10k_htt_rx_msdu_buff_replenish(htt);
 }
-void ath10k_htt_rx_detach(struct ath10k_htt *htt)
+static void ath10k_htt_rx_ring_clean_up(struct ath10k_htt *htt)
 {
-        int sw_rd_idx = htt->rx_ring.sw_rd_idx.msdu_payld;
+        struct sk_buff *skb;
+        int i;
+        for (i = 0; i < htt->rx_ring.size; i++) {
+                skb = htt->rx_ring.netbufs_ring[i];
+                if (!skb)
+                        continue;
+                dma_unmap_single(htt->ar->dev, ATH10K_SKB_CB(skb)->paddr,
+                                 skb->len + skb_tailroom(skb),
+                                 DMA_FROM_DEVICE);
+                dev_kfree_skb_any(skb);
+                htt->rx_ring.netbufs_ring[i] = NULL;
+        }
+}
+void ath10k_htt_rx_free(struct ath10k_htt *htt)
+{
        del_timer_sync(&htt->rx_ring.refill_retry_timer);
        tasklet_kill(&htt->rx_replenish_task);
        tasklet_kill(&htt->txrx_compl_task);
@@ -236,18 +252,7 @@ void ath10k_htt_rx_detach(struct ath10k_htt *htt)
        skb_queue_purge(&htt->tx_compl_q);
        skb_queue_purge(&htt->rx_compl_q);
-        while (sw_rd_idx != __le32_to_cpu(*(htt->rx_ring.alloc_idx.vaddr))) {
+        ath10k_htt_rx_ring_clean_up(htt);
-                struct sk_buff *skb =
-                                htt->rx_ring.netbufs_ring[sw_rd_idx];
-                struct ath10k_skb_cb *cb = ATH10K_SKB_CB(skb);
-                dma_unmap_single(htt->ar->dev, cb->paddr,
-                                 skb->len + skb_tailroom(skb),
-                                 DMA_FROM_DEVICE);
-                dev_kfree_skb_any(htt->rx_ring.netbufs_ring[sw_rd_idx]);
-                sw_rd_idx++;
-                sw_rd_idx &= htt->rx_ring.size_mask;
-        }
        dma_free_coherent(htt->ar->dev,
                          (htt->rx_ring.size *
@@ -277,6 +282,7 @@ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
        idx = htt->rx_ring.sw_rd_idx.msdu_payld;
        msdu = htt->rx_ring.netbufs_ring[idx];
+        htt->rx_ring.netbufs_ring[idx] = NULL;
        idx++;
        idx &= htt->rx_ring.size_mask;
@@ -306,6 +312,7 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
        int msdu_len, msdu_chaining = 0;
        struct sk_buff *msdu;
        struct htt_rx_desc *rx_desc;
+        bool corrupted = false;
        lockdep_assert_held(&htt->rx_ring.lock);
@@ -399,7 +406,6 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                msdu_len = MS(__le32_to_cpu(rx_desc->msdu_start.info0),
                              RX_MSDU_START_INFO0_MSDU_LENGTH);
                msdu_chained = rx_desc->frag_info.ring2_more_count;
-                msdu_chaining = msdu_chained;
                if (msdu_len_invalid)
                        msdu_len = 0;
@@ -427,11 +433,15 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                        msdu->next = next;
                        msdu = next;
+                        msdu_chaining = 1;
                }
                last_msdu = __le32_to_cpu(rx_desc->msdu_end.info0) &
                                RX_MSDU_END_INFO0_LAST_MSDU;
+                if (msdu_chaining && !last_msdu)
+                        corrupted = true;
                if (last_msdu) {
                        msdu->next = NULL;
                        break;
@@ -447,6 +457,20 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                msdu_chaining = -1;
        /*
+         * Apparently FW sometimes reports weird chained MSDU sequences with
+         * more than one rx descriptor. This seems like a bug but needs more
+         * analyzing. For the time being fix it by dropping such sequences to
+         * avoid blowing up the host system.
+         */
+        if (corrupted) {
+                ath10k_warn("failed to pop chained msdus, dropping\n");
+                ath10k_htt_rx_free_msdu_chain(*head_msdu);
+                *head_msdu = NULL;
+                *tail_msdu = NULL;
+                msdu_chaining = -EINVAL;
+        }
+        /*
         * Don't refill the ring yet.
         *
         * First, the elements popped here are still in use - it is not
@@ -468,7 +492,7 @@ static void ath10k_htt_rx_replenish_task(unsigned long ptr)
        ath10k_htt_rx_msdu_buff_replenish(htt);
 }
-int ath10k_htt_rx_attach(struct ath10k_htt *htt)
+int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
 {
        dma_addr_t paddr;
        void *vaddr;
@@ -494,7 +518,7 @@ int ath10k_htt_rx_attach(struct ath10k_htt *htt)
        htt->rx_ring.fill_level = ath10k_htt_rx_ring_fill_level(htt);
        htt->rx_ring.netbufs_ring =
-                kmalloc(htt->rx_ring.size * sizeof(struct sk_buff *),
+                kzalloc(htt->rx_ring.size * sizeof(struct sk_buff *),
                        GFP_KERNEL);
        if (!htt->rx_ring.netbufs_ring)
                goto err_netbuf;
@@ -754,17 +778,30 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
 static void ath10k_htt_rx_h_protected(struct ath10k_htt *htt,
                                      struct ieee80211_rx_status *rx_status,
                                      struct sk_buff *skb,
-                                      enum htt_rx_mpdu_encrypt_type enctype)
+                                      enum htt_rx_mpdu_encrypt_type enctype,
+                                      enum rx_msdu_decap_format fmt,
+                                      bool dot11frag)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+        rx_status->flag &= ~(RX_FLAG_DECRYPTED |
+                             RX_FLAG_IV_STRIPPED |
+                             RX_FLAG_MMIC_STRIPPED);
-        if (enctype == HTT_RX_MPDU_ENCRYPT_NONE) {
+        if (enctype == HTT_RX_MPDU_ENCRYPT_NONE)
-                rx_status->flag &= ~(RX_FLAG_DECRYPTED |
+                return;
-                                     RX_FLAG_IV_STRIPPED |
-                                     RX_FLAG_MMIC_STRIPPED);
+        /*
+         * There's no explicit rx descriptor flag to indicate whether a given
+         * frame has been decrypted or not. We're forced to use the decap
+         * format as an implicit indication. However fragmentation rx is always
+         * raw and it probably never reports undecrypted raws.
+         *
+         * This makes sure sniffed frames are reported as-is without stripping
+         * the protected flag.
+         */
+        if (fmt == RX_MSDU_DECAP_RAW && !dot11frag)
                return;
-        }
        rx_status->flag |= RX_FLAG_DECRYPTED |
                           RX_FLAG_IV_STRIPPED |
@@ -918,7 +955,8 @@ static void ath10k_htt_rx_amsdu(struct ath10k_htt *htt,
                }
                skb_in = skb;
-                ath10k_htt_rx_h_protected(htt, rx_status, skb_in, enctype);
+                ath10k_htt_rx_h_protected(htt, rx_status, skb_in, enctype, fmt,
+                                          false);
                skb = skb->next;
                skb_in->next = NULL;
@@ -1000,7 +1038,7 @@ static void ath10k_htt_rx_msdu(struct ath10k_htt *htt,
                break;
        }
-        ath10k_htt_rx_h_protected(htt, rx_status, skb, enctype);
+        ath10k_htt_rx_h_protected(htt, rx_status, skb, enctype, fmt, false);
        ath10k_process_rx(htt->ar, rx_status, skb);
 }
@@ -1288,6 +1326,7 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
        }
        /* FIXME: implement signal strength */
+        rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
        hdr = (struct ieee80211_hdr *)msdu_head->data;
        rxd = (void *)msdu_head->data - sizeof(*rxd);
@@ -1306,7 +1345,8 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
-        ath10k_htt_rx_h_protected(htt, rx_status, msdu_head, enctype);
+        ath10k_htt_rx_h_protected(htt, rx_status, msdu_head, enctype, fmt,
+                                  true);
        msdu_head->ip_summed = ath10k_htt_rx_get_csum_state(msdu_head);
        if (tkip_mic_err)
diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
index 7a3e2e40dd5c..7064354d1f4f 100644
--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
@@ -83,7 +83,7 @@ void ath10k_htt_tx_free_msdu_id(struct ath10k_htt *htt, u16 msdu_id)
        __clear_bit(msdu_id, htt->used_msdu_ids);
 }
-int ath10k_htt_tx_attach(struct ath10k_htt *htt)
+int ath10k_htt_tx_alloc(struct ath10k_htt *htt)
 {
        spin_lock_init(&htt->tx_lock);
        init_waitqueue_head(&htt->empty_tx_wq);
@@ -120,7 +120,7 @@ int ath10k_htt_tx_attach(struct ath10k_htt *htt)
        return 0;
 }
-static void ath10k_htt_tx_cleanup_pending(struct ath10k_htt *htt)
+static void ath10k_htt_tx_free_pending(struct ath10k_htt *htt)
 {
        struct htt_tx_done tx_done = {0};
        int msdu_id;
@@ -141,9 +141,9 @@ static void ath10k_htt_tx_cleanup_pending(struct ath10k_htt *htt)
        spin_unlock_bh(&htt->tx_lock);
 }
-void ath10k_htt_tx_detach(struct ath10k_htt *htt)
+void ath10k_htt_tx_free(struct ath10k_htt *htt)
 {
-        ath10k_htt_tx_cleanup_pending(htt);
+        ath10k_htt_tx_free_pending(htt);
        kfree(htt->pending_tx);
        kfree(htt->used_msdu_ids);
        dma_pool_destroy(htt->tx_pool);
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 7026f021ccbb..a21080028c54 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -54,7 +54,10 @@ static int ath10k_send_key(struct ath10k_vif *arvif,
        switch (key->cipher) {
        case WLAN_CIPHER_SUITE_CCMP:
                arg.key_cipher = WMI_CIPHER_AES_CCM;
-                key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
+                if (arvif->vdev_type == WMI_VDEV_TYPE_AP)
+                        key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV_MGMT;
+                else
+                        key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
                break;
        case WLAN_CIPHER_SUITE_TKIP:
                arg.key_cipher = WMI_CIPHER_TKIP;
@@ -1888,8 +1891,13 @@ static void ath10k_tx_wep_key_work(struct work_struct *work)
                                                wep_key_work);
        int ret, keyidx = arvif->def_wep_key_newidx;
+        mutex_lock(&arvif->ar->conf_mutex);
+        if (arvif->ar->state != ATH10K_STATE_ON)
+                goto unlock;
        if (arvif->def_wep_key_idx == keyidx)
-                return;
+                goto unlock;
        ath10k_dbg(ATH10K_DBG_MAC, "mac vdev %d set keyidx %d\n",
                   arvif->vdev_id, keyidx);
@@ -1902,10 +1910,13 @@ static void ath10k_tx_wep_key_work(struct work_struct *work)
                ath10k_warn("failed to update wep key index for vdev %d: %d\n",
                            arvif->vdev_id,
                            ret);
-                return;
+                goto unlock;
        }
        arvif->def_wep_key_idx = keyidx;
+unlock:
+        mutex_unlock(&arvif->ar->conf_mutex);
 }
 static void ath10k_tx_h_update_wep_key(struct sk_buff *skb)
@@ -2286,9 +2297,19 @@ static void ath10k_tx(struct ieee80211_hw *hw,
        ath10k_tx_htt(ar, skb);
 }
-/*
+/* Must not be called with conf_mutex held as workers can use that also. */
- * Initialize various parameters with default vaules.
+static void ath10k_drain_tx(struct ath10k *ar)
- */
+{
+        /* make sure rcu-protected mac80211 tx path itself is drained */
+        synchronize_net();
+        ath10k_offchan_tx_purge(ar);
+        ath10k_mgmt_over_wmi_tx_purge(ar);
+        cancel_work_sync(&ar->offchan_tx_work);
+        cancel_work_sync(&ar->wmi_mgmt_tx_work);
+}
 void ath10k_halt(struct ath10k *ar)
 {
        struct ath10k_vif *arvif;
@@ -2303,19 +2324,12 @@ void ath10k_halt(struct ath10k *ar)
        }
        del_timer_sync(&ar->scan.timeout);
-        ath10k_offchan_tx_purge(ar);
+        ath10k_reset_scan((unsigned long)ar);
-        ath10k_mgmt_over_wmi_tx_purge(ar);
        ath10k_peer_cleanup_all(ar);
        ath10k_core_stop(ar);
        ath10k_hif_power_down(ar);
        spin_lock_bh(&ar->data_lock);
-        if (ar->scan.in_progress) {
-                del_timer(&ar->scan.timeout);
-                ar->scan.in_progress = false;
-                ieee80211_scan_completed(ar->hw, true);
-        }
        list_for_each_entry(arvif, &ar->arvifs, list) {
                if (!arvif->beacon)
                        continue;
@@ -2329,46 +2343,125 @@ void ath10k_halt(struct ath10k *ar)
        spin_unlock_bh(&ar->data_lock);
 }
+static int ath10k_get_antenna(struct ieee80211_hw *hw, u32 *tx_ant, u32 *rx_ant)
+{
+        struct ath10k *ar = hw->priv;
+        mutex_lock(&ar->conf_mutex);
+        if (ar->cfg_tx_chainmask) {
+                *tx_ant = ar->cfg_tx_chainmask;
+                *rx_ant = ar->cfg_rx_chainmask;
+        } else {
+                *tx_ant = ar->supp_tx_chainmask;
+                *rx_ant = ar->supp_rx_chainmask;
+        }
+        mutex_unlock(&ar->conf_mutex);
+        return 0;
+}
+static int __ath10k_set_antenna(struct ath10k *ar, u32 tx_ant, u32 rx_ant)
+{
+        int ret;
+        lockdep_assert_held(&ar->conf_mutex);
+        ar->cfg_tx_chainmask = tx_ant;
+        ar->cfg_rx_chainmask = rx_ant;
+        if ((ar->state != ATH10K_STATE_ON) &&
+            (ar->state != ATH10K_STATE_RESTARTED))
+                return 0;
+        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->tx_chain_mask,
+                                        tx_ant);
+        if (ret) {
+                ath10k_warn("failed to set tx-chainmask: %d, req 0x%x\n",
+                            ret, tx_ant);
+                return ret;
+        }
+        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->rx_chain_mask,
+                                        rx_ant);
+        if (ret) {
+                ath10k_warn("failed to set rx-chainmask: %d, req 0x%x\n",
+                            ret, rx_ant);
+                return ret;
+        }
+        return 0;
+}
+static int ath10k_set_antenna(struct ieee80211_hw *hw, u32 tx_ant, u32 rx_ant)
+{
+        struct ath10k *ar = hw->priv;
+        int ret;
+        mutex_lock(&ar->conf_mutex);
+        ret = __ath10k_set_antenna(ar, tx_ant, rx_ant);
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
 static int ath10k_start(struct ieee80211_hw *hw)
 {
        struct ath10k *ar = hw->priv;
        int ret = 0;
+        /*
+         * This makes sense only when restarting hw. It is harmless to call
+         * uncoditionally. This is necessary to make sure no HTT/WMI tx
+         * commands will be submitted while restarting.
+         */
+        ath10k_drain_tx(ar);
        mutex_lock(&ar->conf_mutex);
-        if (ar->state != ATH10K_STATE_OFF &&
+        switch (ar->state) {
-            ar->state != ATH10K_STATE_RESTARTING) {
+        case ATH10K_STATE_OFF:
+                ar->state = ATH10K_STATE_ON;
+                break;
+        case ATH10K_STATE_RESTARTING:
+                ath10k_halt(ar);
+                ar->state = ATH10K_STATE_RESTARTED;
+                break;
+        case ATH10K_STATE_ON:
+        case ATH10K_STATE_RESTARTED:
+        case ATH10K_STATE_WEDGED:
+                WARN_ON(1);
                ret = -EINVAL;
-                goto exit;
+                goto err;
        }
        ret = ath10k_hif_power_up(ar);
        if (ret) {
                ath10k_err("Could not init hif: %d\n", ret);
-                ar->state = ATH10K_STATE_OFF;
+                goto err_off;
-                goto exit;
        }
        ret = ath10k_core_start(ar);
        if (ret) {
                ath10k_err("Could not init core: %d\n", ret);
-                ath10k_hif_power_down(ar);
+                goto err_power_down;
-                ar->state = ATH10K_STATE_OFF;
-                goto exit;
        }
-        if (ar->state == ATH10K_STATE_OFF)
-                ar->state = ATH10K_STATE_ON;
-        else if (ar->state == ATH10K_STATE_RESTARTING)
-                ar->state = ATH10K_STATE_RESTARTED;
        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->pmf_qos, 1);
-        if (ret)
+        if (ret) {
                ath10k_warn("failed to enable PMF QOS: %d\n", ret);
+                goto err_core_stop;
+        }
        ret = ath10k_wmi_pdev_set_param(ar, ar->wmi.pdev_param->dynamic_bw, 1);
-        if (ret)
+        if (ret) {
                ath10k_warn("failed to enable dynamic BW: %d\n", ret);
+                goto err_core_stop;
+        }
+        if (ar->cfg_tx_chainmask)
+                __ath10k_set_antenna(ar, ar->cfg_tx_chainmask,
+                                     ar->cfg_rx_chainmask);
        /*
         * By default FW set ARP frames ac to voice (6). In that case ARP
@@ -2384,14 +2477,25 @@ static int ath10k_start(struct ieee80211_hw *hw)
        if (ret) {
                ath10k_warn("failed to set arp ac override parameter: %d\n",
                            ret);
-                goto exit;
+                goto err_core_stop;
        }
        ar->num_started_vdevs = 0;
        ath10k_regd_update(ar);
-        ret = 0;
-exit:
+        mutex_unlock(&ar->conf_mutex);
+        return 0;
+err_core_stop:
+        ath10k_core_stop(ar);
+err_power_down:
+        ath10k_hif_power_down(ar);
+err_off:
+        ar->state = ATH10K_STATE_OFF;
+err:
        mutex_unlock(&ar->conf_mutex);
        return ret;
 }
@@ -2400,19 +2504,15 @@ static void ath10k_stop(struct ieee80211_hw *hw)
 {
        struct ath10k *ar = hw->priv;
+        ath10k_drain_tx(ar);
        mutex_lock(&ar->conf_mutex);
-        if (ar->state == ATH10K_STATE_ON ||
+        if (ar->state != ATH10K_STATE_OFF) {
-            ar->state == ATH10K_STATE_RESTARTED ||
-            ar->state == ATH10K_STATE_WEDGED)
                ath10k_halt(ar);
+                ar->state = ATH10K_STATE_OFF;
-        ar->state = ATH10K_STATE_OFF;
+        }
        mutex_unlock(&ar->conf_mutex);
-        ath10k_mgmt_over_wmi_tx_purge(ar);
-        cancel_work_sync(&ar->offchan_tx_work);
-        cancel_work_sync(&ar->wmi_mgmt_tx_work);
        cancel_work_sync(&ar->restart_work);
 }
@@ -2925,7 +3025,12 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
                arvif->u.ap.hidden_ssid = info->hidden_ssid;
        }
-        if (changed & BSS_CHANGED_BSSID) {
+        /*
+         * Firmware manages AP self-peer internally so make sure to not create
+         * it in driver. Otherwise AP self-peer deletion may timeout later.
+         */
+        if (changed & BSS_CHANGED_BSSID &&
+            vif->type != NL80211_IFTYPE_AP) {
                if (!is_zero_ether_addr(info->bssid)) {
                        ath10k_dbg(ATH10K_DBG_MAC,
                                   "mac vdev %d create peer %pM\n",
@@ -4142,14 +4247,6 @@ static int ath10k_set_bitrate_mask(struct ieee80211_hw *hw,
                                           fixed_nss, force_sgi);
 }
-static void ath10k_channel_switch_beacon(struct ieee80211_hw *hw,
-                                         struct ieee80211_vif *vif,
-                                         struct cfg80211_chan_def *chandef)
-{
-        /* there's no need to do anything here. vif->csa_active is enough */
-        return;
-}
 static void ath10k_sta_rc_update(struct ieee80211_hw *hw,
                                 struct ieee80211_vif *vif,
                                 struct ieee80211_sta *sta,
@@ -4253,10 +4350,11 @@ static const struct ieee80211_ops ath10k_ops = {
        .set_frag_threshold             = ath10k_set_frag_threshold,
        .flush                          = ath10k_flush,
        .tx_last_beacon                 = ath10k_tx_last_beacon,
+        .set_antenna                    = ath10k_set_antenna,
+        .get_antenna                    = ath10k_get_antenna,
        .restart_complete               = ath10k_restart_complete,
        .get_survey                     = ath10k_get_survey,
        .set_bitrate_mask               = ath10k_set_bitrate_mask,
-        .channel_switch_beacon          = ath10k_channel_switch_beacon,
        .sta_rc_update                  = ath10k_sta_rc_update,
        .get_tsf                        = ath10k_get_tsf,
 #ifdef CONFIG_PM
@@ -4602,6 +4700,18 @@ int ath10k_mac_register(struct ath10k *ar)
                BIT(NL80211_IFTYPE_ADHOC) |
                BIT(NL80211_IFTYPE_AP);
+        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features)) {
+                /* TODO:  Have to deal with 2x2 chips if/when the come out. */
+                ar->supp_tx_chainmask = TARGET_10X_TX_CHAIN_MASK;
+                ar->supp_rx_chainmask = TARGET_10X_RX_CHAIN_MASK;
+        } else {
+                ar->supp_tx_chainmask = TARGET_TX_CHAIN_MASK;
+                ar->supp_rx_chainmask = TARGET_RX_CHAIN_MASK;
+        }
+        ar->hw->wiphy->available_antennas_rx = ar->supp_rx_chainmask;
+        ar->hw->wiphy->available_antennas_tx = ar->supp_tx_chainmask;
        if (!test_bit(ATH10K_FW_FEATURE_NO_P2P, ar->fw_features))
                ar->hw->wiphy->interface_modes |=
                        BIT(NL80211_IFTYPE_P2P_CLIENT) |
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 66b1f3017f2b..d0004d59c97e 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -59,6 +59,7 @@ MODULE_PARM_DESC(reset_mode, "0: auto, 1: warm only (default: 0)");
 /* how long wait to wait for target to initialise, in ms */
 #define ATH10K_PCI_TARGET_WAIT 3000
+#define ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS 3
 #define QCA988X_2_0_DEVICE_ID   (0x003c)
@@ -761,17 +762,21 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
        struct ath10k_pci_pipe *pci_pipe = &ar_pci->pipe_info[pipe_id];
        struct ath10k_ce_pipe *ce_pipe = pci_pipe->ce_hdl;
        struct ath10k_ce_ring *src_ring = ce_pipe->src_ring;
-        unsigned int nentries_mask = src_ring->nentries_mask;
+        unsigned int nentries_mask;
-        unsigned int sw_index = src_ring->sw_index;
+        unsigned int sw_index;
-        unsigned int write_index = src_ring->write_index;
+        unsigned int write_index;
-        int err, i;
+        int err, i = 0;
        spin_lock_bh(&ar_pci->ce_lock);
+        nentries_mask = src_ring->nentries_mask;
+        sw_index = src_ring->sw_index;
+        write_index = src_ring->write_index;
        if (unlikely(CE_RING_DELTA(nentries_mask,
                                   write_index, sw_index - 1) < n_items)) {
                err = -ENOBUFS;
-                goto unlock;
+                goto err;
        }
        for (i = 0; i < n_items - 1; i++) {
@@ -788,7 +793,7 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
                                            items[i].transfer_id,
                                            CE_SEND_FLAG_GATHER);
                if (err)
-                        goto unlock;
+                        goto err;
        }
        /* `i` is equal to `n_items -1` after for() */
@@ -806,10 +811,15 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
                                    items[i].transfer_id,
                                    0);
        if (err)
-                goto unlock;
+                goto err;
+        spin_unlock_bh(&ar_pci->ce_lock);
+        return 0;
+err:
+        for (; i > 0; i--)
+                __ath10k_ce_send_revert(ce_pipe);
-        err = 0;
-unlock:
        spin_unlock_bh(&ar_pci->ce_lock);
        return err;
 }
@@ -1271,6 +1281,9 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
        ath10k_dbg(ATH10K_DBG_BOOT, "boot hif stop\n");
+        if (WARN_ON(!ar_pci->started))
+                return;
        ret = ath10k_ce_disable_interrupts(ar);
        if (ret)
                ath10k_warn("failed to disable CE interrupts: %d\n", ret);
@@ -1802,6 +1815,26 @@ static void ath10k_pci_fw_interrupt_handler(struct ath10k *ar)
        ath10k_pci_sleep(ar);
 }
+/* this function effectively clears target memory controller assert line */
+static void ath10k_pci_warm_reset_si0(struct ath10k *ar)
+{
+        u32 val;
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        ath10k_pci_soc_write32(ar, SOC_RESET_CONTROL_ADDRESS,
+                               val | SOC_RESET_CONTROL_SI0_RST_MASK);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        msleep(10);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        ath10k_pci_soc_write32(ar, SOC_RESET_CONTROL_ADDRESS,
+                               val & ~SOC_RESET_CONTROL_SI0_RST_MASK);
+        val = ath10k_pci_soc_read32(ar, SOC_RESET_CONTROL_ADDRESS);
+        msleep(10);
+}
 static int ath10k_pci_warm_reset(struct ath10k *ar)
 {
        int ret = 0;
@@ -1860,6 +1893,8 @@ static int ath10k_pci_warm_reset(struct ath10k *ar)
                                SOC_RESET_CONTROL_ADDRESS);
        msleep(10);
+        ath10k_pci_warm_reset_si0(ar);
        /* debug */
        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
                                PCIE_INTR_CAUSE_ADDRESS);
@@ -1988,6 +2023,28 @@ err:
        return ret;
 }
+static int ath10k_pci_hif_power_up_warm(struct ath10k *ar)
+{
+        int i, ret;
+        /*
+         * Sometime warm reset succeeds after retries.
+         *
+         * FIXME: It might be possible to tune ath10k_pci_warm_reset() to work
+         * at first try.
+         */
+        for (i = 0; i < ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS; i++) {
+                ret = __ath10k_pci_hif_power_up(ar, false);
+                if (ret == 0)
+                        break;
+                ath10k_warn("failed to warm reset (attempt %d out of %d): %d\n",
+                            i + 1, ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS, ret);
+        }
+        return ret;
+}
 static int ath10k_pci_hif_power_up(struct ath10k *ar)
 {
        int ret;
@@ -1999,10 +2056,10 @@ static int ath10k_pci_hif_power_up(struct ath10k *ar)
         * preferred (and safer) way to perform a device reset is through a
         * warm reset.
         *
-         * Warm reset doesn't always work though (notably after a firmware
+         * Warm reset doesn't always work though so fall back to cold reset may
-         * crash) so fall back to cold reset if necessary.
+         * be necessary.
         */
-        ret = __ath10k_pci_hif_power_up(ar, false);
+        ret = ath10k_pci_hif_power_up_warm(ar);
        if (ret) {
                ath10k_warn("failed to power up target using warm reset: %d\n",
                            ret);
@@ -2196,10 +2253,7 @@ static void ath10k_pci_early_irq_tasklet(unsigned long data)
        if (fw_ind & FW_IND_EVENT_PENDING) {
                ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS,
                                   fw_ind & ~FW_IND_EVENT_PENDING);
+                ath10k_pci_hif_dump_area(ar);
-                /* Some structures are unavailable during early boot or at
-                 * driver teardown so just print that the device has crashed. */
-                ath10k_warn("device crashed - no diagnostics available\n");
        }
        ath10k_pci_sleep(ar);
@@ -2476,6 +2530,9 @@ static int ath10k_pci_wait_for_target_init(struct ath10k *ar)
        if (val & FW_IND_EVENT_PENDING) {
                ath10k_warn("device has crashed during init\n");
+                ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS,
+                                   val & ~FW_IND_EVENT_PENDING);
+                ath10k_pci_hif_dump_area(ar);
                ret = -ECOMM;
                goto out;
        }
@@ -2602,18 +2659,6 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
        pci_set_drvdata(pdev, ar);
-        /*
-         * Without any knowledge of the Host, the Target may have been reset or
-         * power cycled and its Config Space may no longer reflect the PCI
-         * address space that was assigned earlier by the PCI infrastructure.
-         * Refresh it now.
-         */
-        ret = pci_assign_resource(pdev, BAR_NUM);
-        if (ret) {
-                ath10k_err("failed to assign PCI space: %d\n", ret);
-                goto err_ar;
-        }
        ret = pci_enable_device(pdev);
        if (ret) {
                ath10k_err("failed to enable PCI device: %d\n", ret);
@@ -2725,8 +2770,6 @@ static void ath10k_pci_remove(struct pci_dev *pdev)
        if (!ar_pci)
                return;
-        tasklet_kill(&ar_pci->msi_fw_err);
        ath10k_core_unregister(ar);
        ath10k_pci_free_ce(ar);
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 72cc4f20d102..4b7782a529ac 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -639,6 +639,7 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
        struct sk_buff *wmi_skb;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        int len;
+        u32 buf_len = skb->len;
        u16 fc;
        hdr = (struct ieee80211_hdr *)skb->data;
@@ -648,6 +649,15 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
                return -EINVAL;
        len = sizeof(cmd->hdr) + skb->len;
+        if ((ieee80211_is_action(hdr->frame_control) ||
+             ieee80211_is_deauth(hdr->frame_control) ||
+             ieee80211_is_disassoc(hdr->frame_control)) &&
+             ieee80211_has_protected(hdr->frame_control)) {
+                len += IEEE80211_CCMP_MIC_LEN;
+                buf_len += IEEE80211_CCMP_MIC_LEN;
+        }
        len = round_up(len, 4);
        wmi_skb = ath10k_wmi_alloc_skb(len);
@@ -659,7 +669,7 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
        cmd->hdr.vdev_id = __cpu_to_le32(ATH10K_SKB_CB(skb)->vdev_id);
        cmd->hdr.tx_rate = 0;
        cmd->hdr.tx_power = 0;
-        cmd->hdr.buf_len = __cpu_to_le32((u32)(skb->len));
+        cmd->hdr.buf_len = __cpu_to_le32(buf_len);
        memcpy(cmd->hdr.peer_macaddr.addr, ieee80211_get_DA(hdr), ETH_ALEN);
        memcpy(cmd->buf, skb->data, skb->len);
@@ -957,10 +967,16 @@ static int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
         * frames with Protected Bit set. */
        if (ieee80211_has_protected(hdr->frame_control) &&
            !ieee80211_is_auth(hdr->frame_control)) {
-                status->flag |= RX_FLAG_DECRYPTED | RX_FLAG_IV_STRIPPED |
+                status->flag |= RX_FLAG_DECRYPTED;
-                                RX_FLAG_MMIC_STRIPPED;
-                hdr->frame_control = __cpu_to_le16(fc &
+                if (!ieee80211_is_action(hdr->frame_control) &&
+                    !ieee80211_is_deauth(hdr->frame_control) &&
+                    !ieee80211_is_disassoc(hdr->frame_control)) {
+                        status->flag |= RX_FLAG_IV_STRIPPED |
+                                        RX_FLAG_MMIC_STRIPPED;
+                        hdr->frame_control = __cpu_to_le16(fc &
                                        ~IEEE80211_FCTL_PROTECTED);
+                }
        }
        ath10k_dbg(ATH10K_DBG_MGMT,
@@ -2359,7 +2375,7 @@ void ath10k_wmi_detach(struct ath10k *ar)
        ar->wmi.num_mem_chunks = 0;
 }
-int ath10k_wmi_connect_htc_service(struct ath10k *ar)
+int ath10k_wmi_connect(struct ath10k *ar)
 {
        int status;
        struct ath10k_htc_svc_conn_req conn_req;
diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
index ae838221af65..89ef3b3749eb 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.h
+++ b/drivers/net/wireless/ath/ath10k/wmi.h
@@ -2323,9 +2323,9 @@ struct wmi_pdev_param_map {
 #define WMI_PDEV_PARAM_UNSUPPORTED 0
 enum wmi_pdev_param {
-        /* TX chian mask */
+        /* TX chain mask */
        WMI_PDEV_PARAM_TX_CHAIN_MASK = 0x1,
-        /* RX chian mask */
+        /* RX chain mask */
        WMI_PDEV_PARAM_RX_CHAIN_MASK,
        /* TX power limit for 2G Radio */
        WMI_PDEV_PARAM_TXPOWER_LIMIT2G,
@@ -4259,7 +4259,7 @@ void ath10k_wmi_detach(struct ath10k *ar);
 int ath10k_wmi_wait_for_service_ready(struct ath10k *ar);
 int ath10k_wmi_wait_for_unified_ready(struct ath10k *ar);
-int ath10k_wmi_connect_htc_service(struct ath10k *ar);
+int ath10k_wmi_connect(struct ath10k *ar);
 int ath10k_wmi_pdev_set_channel(struct ath10k *ar,
                                const struct wmi_channel_arg *);
 int ath10k_wmi_pdev_suspend_target(struct ath10k *ar, u32 suspend_opt);
diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
index b20469425865..2ca8f7e06174 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -770,6 +770,7 @@ struct ath_softc {
        struct ath_ant_comb ant_comb;
        u8 ant_tx, ant_rx;
        struct dfs_pattern_detector *dfs_detector;
+        u64 dfs_prev_pulse_ts;
        u32 wow_enabled;
        /* relay(fs) channel for spectral scan */
        struct rchan *rfs_chan_spec_scan;
diff --git a/drivers/net/wireless/ath/ath9k/dfs.c b/drivers/net/wireless/ath/ath9k/dfs.c
index e0c740dcfea8..726271c7c330 100644
--- a/drivers/net/wireless/ath/ath9k/dfs.c
+++ b/drivers/net/wireless/ath/ath9k/dfs.c
@@ -178,14 +178,12 @@ void ath9k_dfs_process_phyerr(struct ath_softc *sc, void *data,
        pe.ts = mactime;
        if (ath9k_postprocess_radar_event(sc, &ard, &pe)) {
                struct dfs_pattern_detector *pd = sc->dfs_detector;
-#ifdef CONFIG_ATH9K_DEBUGFS
                ath_dbg(common, DFS,
                        "ath9k_dfs_process_phyerr: channel=%d, ts=%llu, "
                        "width=%d, rssi=%d, delta_ts=%llu\n",
                        pe.freq, pe.ts, pe.width, pe.rssi,
-                        pe.ts - sc->debug.stats.dfs_stats.last_ts);
+                        pe.ts - sc->dfs_prev_pulse_ts);
-                sc->debug.stats.dfs_stats.last_ts = pe.ts;
+                sc->dfs_prev_pulse_ts = pe.ts;
-#endif
                DFS_STAT_INC(sc, pulses_processed);
                if (pd != NULL && pd->add_pulse(pd, &pe)) {
                        DFS_STAT_INC(sc, radar_detected);
diff --git a/drivers/net/wireless/ath/ath9k/dfs_debug.h b/drivers/net/wireless/ath/ath9k/dfs_debug.h
index d9486867a5e0..7936c9126a20 100644
--- a/drivers/net/wireless/ath/ath9k/dfs_debug.h
+++ b/drivers/net/wireless/ath/ath9k/dfs_debug.h
@@ -51,7 +51,6 @@ struct ath_dfs_stats {
        /* pattern detection stats */
        u32 pulses_processed;
        u32 radar_detected;
-        u64 last_ts;
 };
 #if defined(CONFIG_ATH9K_DFS_DEBUGFS)
diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
index 1af77081181e..0246b990fe87 100644
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -61,6 +61,10 @@ static int ath9k_ps_enable;
 module_param_named(ps_enable, ath9k_ps_enable, int, 0444);
 MODULE_PARM_DESC(ps_enable, "Enable WLAN PowerSave");
+static int ath9k_use_chanctx;
+module_param_named(use_chanctx, ath9k_use_chanctx, int, 0444);
+MODULE_PARM_DESC(use_chanctx, "Enable channel context for concurrency");
 bool is_ath9k_unloaded;
 #ifdef CONFIG_MAC80211_LEDS
@@ -646,8 +650,7 @@ static void ath9k_init_txpower_limits(struct ath_softc *sc)
 }
 static const struct ieee80211_iface_limit if_limits[] = {
-        { .max = 2048,  .types = BIT(NL80211_IFTYPE_STATION) |
+        { .max = 2048,  .types = BIT(NL80211_IFTYPE_STATION) },
-                                 BIT(NL80211_IFTYPE_WDS) },
        { .max = 8,     .types =
 #ifdef CONFIG_MAC80211_MESH
                                 BIT(NL80211_IFTYPE_MESH_POINT) |
@@ -657,6 +660,10 @@ static const struct ieee80211_iface_limit if_limits[] = {
                                 BIT(NL80211_IFTYPE_P2P_GO) },
 };
+static const struct ieee80211_iface_limit wds_limits[] = {
+        { .max = 2048,  .types = BIT(NL80211_IFTYPE_WDS) },
+};
 static const struct ieee80211_iface_limit if_dfs_limits[] = {
        { .max = 1,     .types = BIT(NL80211_IFTYPE_AP) |
 #ifdef CONFIG_MAC80211_MESH
@@ -673,6 +680,13 @@ static const struct ieee80211_iface_combination if_comb[] = {
                .num_different_channels = 1,
                .beacon_int_infra_match = true,
        },
+        {
+                .limits = wds_limits,
+                .n_limits = ARRAY_SIZE(wds_limits),
+                .max_interfaces = 2048,
+                .num_different_channels = 1,
+                .beacon_int_infra_match = true,
+        },
 #ifdef CONFIG_ATH9K_DFS_CERTIFIED
        {
                .limits = if_dfs_limits,
@@ -722,12 +736,15 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
                        BIT(NL80211_IFTYPE_P2P_GO) |
                        BIT(NL80211_IFTYPE_P2P_CLIENT) |
                        BIT(NL80211_IFTYPE_AP) |
-                        BIT(NL80211_IFTYPE_WDS) |
                        BIT(NL80211_IFTYPE_STATION) |
                        BIT(NL80211_IFTYPE_ADHOC) |
                        BIT(NL80211_IFTYPE_MESH_POINT);
                hw->wiphy->iface_combinations = if_comb;
-                hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb);
+                if (!ath9k_use_chanctx) {
+                        hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb);
+                        hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_WDS);
+                } else
+                        hw->wiphy->n_iface_combinations = 1;
        }
        hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index 6965ceac7bc6..62ac95d6bb9d 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -1757,7 +1757,6 @@ out:
 void ath9k_update_p2p_ps(struct ath_softc *sc, struct ieee80211_vif *vif)
 {
        struct ath_vif *avp = (void *)vif->drv_priv;
-        unsigned long flags;
        u32 tsf;
        if (!sc->p2p_ps_timer)
@@ -1767,14 +1766,9 @@ void ath9k_update_p2p_ps(struct ath_softc *sc, struct ieee80211_vif *vif)
                return;
        sc->p2p_ps_vif = avp;
+        tsf = ath9k_hw_gettsf32(sc->sc_ah);
-        spin_lock_irqsave(&sc->sc_pm_lock, flags);
+        ieee80211_parse_p2p_noa(&vif->bss_conf.p2p_noa_attr, &avp->noa, tsf);
-        if (!(sc->ps_flags & PS_BEACON_SYNC)) {
+        ath9k_update_p2p_ps_timer(sc, avp);
-                tsf = ath9k_hw_gettsf32(sc->sc_ah);
-                ieee80211_parse_p2p_noa(&vif->bss_conf.p2p_noa_attr, &avp->noa, tsf);
-                ath9k_update_p2p_ps_timer(sc, avp);
-        }
-        spin_unlock_irqrestore(&sc->sc_pm_lock, flags);
 }
 static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
@@ -1791,6 +1785,7 @@ static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
        struct ath_hw *ah = sc->sc_ah;
        struct ath_common *common = ath9k_hw_common(ah);
        struct ath_vif *avp = (void *)vif->drv_priv;
+        unsigned long flags;
        int slottime;
        ath9k_ps_wakeup(sc);
@@ -1853,7 +1848,10 @@ static void ath9k_bss_info_changed(struct ieee80211_hw *hw,
        if (changed & BSS_CHANGED_P2P_PS) {
                spin_lock_bh(&sc->sc_pcu_lock);
-                ath9k_update_p2p_ps(sc, vif);
+                spin_lock_irqsave(&sc->sc_pm_lock, flags);
+                if (!(sc->ps_flags & PS_BEACON_SYNC))
+                        ath9k_update_p2p_ps(sc, vif);
+                spin_unlock_irqrestore(&sc->sc_pm_lock, flags);
                spin_unlock_bh(&sc->sc_pcu_lock);
        }
@@ -2232,14 +2230,6 @@ static void ath9k_sw_scan_complete(struct ieee80211_hw *hw)
        clear_bit(ATH_OP_SCANNING, &common->op_flags);
 }
-static void ath9k_channel_switch_beacon(struct ieee80211_hw *hw,
-                                        struct ieee80211_vif *vif,
-                                        struct cfg80211_chan_def *chandef)
-{
-        /* depend on vif->csa_active only */
-        return;
-}
 struct ieee80211_ops ath9k_ops = {
        .tx                 = ath9k_tx,
        .start              = ath9k_start,
@@ -2287,5 +2277,4 @@ struct ieee80211_ops ath9k_ops = {
 #endif
        .sw_scan_start      = ath9k_sw_scan_start,
        .sw_scan_complete   = ath9k_sw_scan_complete,
-        .channel_switch_beacon     = ath9k_channel_switch_beacon,
 };
diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 43ae199601f7..9105a92364f7 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -34,7 +34,8 @@ static inline bool ath9k_check_auto_sleep(struct ath_softc *sc)
 * buffer (or rx fifo). This can incorrectly acknowledge packets
 * to a sender if last desc is self-linked.
 */
-static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf)
+static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf,
+                            bool flush)
 {
        struct ath_hw *ah = sc->sc_ah;
        struct ath_common *common = ath9k_hw_common(ah);
@@ -59,18 +60,19 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_rxbuf *bf)
                             common->rx_bufsize,
                             0);
-        if (sc->rx.rxlink == NULL)
+        if (sc->rx.rxlink)
-                ath9k_hw_putrxbuf(ah, bf->bf_daddr);
-        else
                *sc->rx.rxlink = bf->bf_daddr;
+        else if (!flush)
+                ath9k_hw_putrxbuf(ah, bf->bf_daddr);
        sc->rx.rxlink = &ds->ds_link;
 }
-static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_rxbuf *bf)
+static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_rxbuf *bf,
+                              bool flush)
 {
        if (sc->rx.buf_hold)
-                ath_rx_buf_link(sc, sc->rx.buf_hold);
+                ath_rx_buf_link(sc, sc->rx.buf_hold, flush);
        sc->rx.buf_hold = bf;
 }
@@ -442,7 +444,7 @@ int ath_startrecv(struct ath_softc *sc)
        sc->rx.buf_hold = NULL;
        sc->rx.rxlink = NULL;
        list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) {
-                ath_rx_buf_link(sc, bf);
+                ath_rx_buf_link(sc, bf, false);
        }
        /* We could have deleted elements so the list may be empty now */
@@ -1118,12 +1120,12 @@ requeue_drop_frag:
 requeue:
                list_add_tail(&bf->list, &sc->rx.rxbuf);
-                if (edma) {
+                if (!edma) {
-                        ath_rx_edma_buf_link(sc, qtype);
+                        ath_rx_buf_relink(sc, bf, flush);
-                } else {
-                        ath_rx_buf_relink(sc, bf);
                        if (!flush)
                                ath9k_hw_rxena(ah);
+                } else if (!flush) {
+                        ath_rx_edma_buf_link(sc, qtype);
                }
                if (!budget--)
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index 7bf0ef8a1f56..63986931829e 100644
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -2068,7 +2068,7 @@ static void wcn36xx_smd_rsp_process(struct wcn36xx *wcn, void *buf, size_t len)
                if (!msg_ind)
                        goto nomem;
                msg_ind->msg_len = len;
-                msg_ind->msg = kmalloc(len, GFP_KERNEL);
+                msg_ind->msg = kmemdup(buf, len, GFP_KERNEL);
                if (!msg_ind->msg) {
                        kfree(msg_ind);
 nomem:
@@ -2080,7 +2080,6 @@ nomem:
                                    msg_header->msg_type);
                        break;
                }
-                memcpy(msg_ind->msg, buf, len);
                mutex_lock(&wcn->hal_ind_mutex);
                list_add_tail(&msg_ind->list, &wcn->hal_ind_queue);
                queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work);
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 6e699d050d1e..820d4ebd9322 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -288,6 +288,7 @@ static int wil_cfg80211_scan(struct wiphy *wiphy,
        }
        wil->scan_request = request;
+        mod_timer(&wil->scan_timer, jiffies + WIL6210_SCAN_TO);
        memset(&cmd, 0, sizeof(cmd));
        cmd.cmd.num_channels = 0;
diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index ecdabe4adec3..8d4bc4bfb664 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -35,7 +35,7 @@ static void wil_print_vring(struct seq_file *s, struct wil6210_priv *wil,
        void __iomem *x = wmi_addr(wil, vring->hwtail);
        seq_printf(s, "VRING %s = {\n", name);
-        seq_printf(s, "  pa     = 0x%016llx\n", (unsigned long long)vring->pa);
+        seq_printf(s, "  pa     = %pad\n", &vring->pa);
        seq_printf(s, "  va     = 0x%p\n", vring->va);
        seq_printf(s, "  size   = %d\n", vring->size);
        seq_printf(s, "  swtail = %d\n", vring->swtail);
@@ -473,7 +473,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
                           u[0], u[1], u[2], u[3]);
                seq_printf(s, "  DMA = 0x%08x 0x%08x 0x%08x 0x%08x\n",
                           u[4], u[5], u[6], u[7]);
-                seq_printf(s, "  SKB = %p\n", skb);
+                seq_printf(s, "  SKB = 0x%p\n", skb);
                if (skb) {
                        skb_get(skb);
diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 670cc6de3b4c..11e6d9d22eae 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -150,6 +150,15 @@ static void wil_connect_timer_fn(ulong x)
        schedule_work(&wil->disconnect_worker);
 }
+static void wil_scan_timer_fn(ulong x)
+{
+        struct wil6210_priv *wil = (void *)x;
+        clear_bit(wil_status_fwready, &wil->status);
+        wil_err(wil, "Scan timeout detected, start fw error recovery\n");
+        schedule_work(&wil->fw_error_worker);
+}
 static void wil_fw_error_worker(struct work_struct *work)
 {
        struct wil6210_priv *wil = container_of(work,
@@ -161,12 +170,30 @@ static void wil_fw_error_worker(struct work_struct *work)
        if (no_fw_recovery)
                return;
+        /* increment @recovery_count if less then WIL6210_FW_RECOVERY_TO
+         * passed since last recovery attempt
+         */
+        if (time_is_after_jiffies(wil->last_fw_recovery +
+                                  WIL6210_FW_RECOVERY_TO))
+                wil->recovery_count++;
+        else
+                wil->recovery_count = 1; /* fw was alive for a long time */
+        if (wil->recovery_count > WIL6210_FW_RECOVERY_RETRIES) {
+                wil_err(wil, "too many recovery attempts (%d), giving up\n",
+                        wil->recovery_count);
+                return;
+        }
+        wil->last_fw_recovery = jiffies;
        mutex_lock(&wil->mutex);
        switch (wdev->iftype) {
        case NL80211_IFTYPE_STATION:
        case NL80211_IFTYPE_P2P_CLIENT:
        case NL80211_IFTYPE_MONITOR:
-                wil_info(wil, "fw error recovery started...\n");
+                wil_info(wil, "fw error recovery started (try %d)...\n",
+                         wil->recovery_count);
                wil_reset(wil);
                /* need to re-allocate Rx ring after reset */
@@ -230,6 +257,7 @@ int wil_priv_init(struct wil6210_priv *wil)
        wil->pending_connect_cid = -1;
        setup_timer(&wil->connect_timer, wil_connect_timer_fn, (ulong)wil);
+        setup_timer(&wil->scan_timer, wil_scan_timer_fn, (ulong)wil);
        INIT_WORK(&wil->connect_worker, wil_connect_worker);
        INIT_WORK(&wil->disconnect_worker, wil_disconnect_worker);
@@ -249,6 +277,8 @@ int wil_priv_init(struct wil6210_priv *wil)
                return -EAGAIN;
        }
+        wil->last_fw_recovery = jiffies;
        return 0;
 }
@@ -260,6 +290,7 @@ void wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid)
 void wil_priv_deinit(struct wil6210_priv *wil)
 {
+        del_timer_sync(&wil->scan_timer);
        cancel_work_sync(&wil->disconnect_worker);
        cancel_work_sync(&wil->fw_error_worker);
        mutex_lock(&wil->mutex);
@@ -391,6 +422,7 @@ int wil_reset(struct wil6210_priv *wil)
        if (wil->scan_request) {
                wil_dbg_misc(wil, "Abort scan_request 0x%p\n",
                             wil->scan_request);
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, true);
                wil->scan_request = NULL;
        }
@@ -520,6 +552,7 @@ static int __wil_down(struct wil6210_priv *wil)
        napi_disable(&wil->napi_tx);
        if (wil->scan_request) {
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, true);
                wil->scan_request = NULL;
        }
diff --git a/drivers/net/wireless/ath/wil6210/netdev.c b/drivers/net/wireless/ath/wil6210/netdev.c
index fdcaeb820e75..106b6dcb773a 100644
--- a/drivers/net/wireless/ath/wil6210/netdev.c
+++ b/drivers/net/wireless/ath/wil6210/netdev.c
@@ -32,12 +32,26 @@ static int wil_stop(struct net_device *ndev)
        return wil_down(wil);
 }
+static int wil_change_mtu(struct net_device *ndev, int new_mtu)
+{
+        struct wil6210_priv *wil = ndev_to_wil(ndev);
+        if (new_mtu < 68 || new_mtu > IEEE80211_MAX_DATA_LEN_DMG)
+                return -EINVAL;
+        wil_dbg_misc(wil, "change MTU %d -> %d\n", ndev->mtu, new_mtu);
+        ndev->mtu = new_mtu;
+        return 0;
+}
 static const struct net_device_ops wil_netdev_ops = {
        .ndo_open               = wil_open,
        .ndo_stop               = wil_stop,
        .ndo_start_xmit         = wil_start_xmit,
        .ndo_set_mac_address    = eth_mac_addr,
        .ndo_validate_addr      = eth_validate_addr,
+        .ndo_change_mtu         = wil_change_mtu,
 };
 static int wil6210_netdev_poll_rx(struct napi_struct *napi, int budget)
diff --git a/drivers/net/wireless/ath/wil6210/pcie_bus.c b/drivers/net/wireless/ath/wil6210/pcie_bus.c
index 066088418307..1e2e07b9d13d 100644
--- a/drivers/net/wireless/ath/wil6210/pcie_bus.c
+++ b/drivers/net/wireless/ath/wil6210/pcie_bus.c
@@ -138,7 +138,7 @@ static int wil_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id)
                goto err_release_reg;
        }
        /* rollback to err_iounmap */
-        dev_info(&pdev->dev, "CSR at %pR -> %p\n", &pdev->resource[0], csr);
+        dev_info(&pdev->dev, "CSR at %pR -> 0x%p\n", &pdev->resource[0], csr);
        wil = wil_if_alloc(dev, csr);
        if (IS_ERR(wil)) {
diff --git a/drivers/net/wireless/ath/wil6210/rx_reorder.c b/drivers/net/wireless/ath/wil6210/rx_reorder.c
index ec29954bd44d..747ae1275877 100644
--- a/drivers/net/wireless/ath/wil6210/rx_reorder.c
+++ b/drivers/net/wireless/ath/wil6210/rx_reorder.c
@@ -49,10 +49,17 @@ static void wil_release_reorder_frames(struct wil6210_priv *wil,
 {
        int index;
-        while (seq_less(r->head_seq_num, hseq)) {
+        /* note: this function is never called with
+         * hseq preceding r->head_seq_num, i.e it is always true
+         * !seq_less(hseq, r->head_seq_num)
+         * and thus on loop exit it should be
+         * r->head_seq_num == hseq
+         */
+        while (seq_less(r->head_seq_num, hseq) && r->stored_mpdu_num) {
                index = reorder_index(r, r->head_seq_num);
                wil_release_reorder_frame(wil, r, index);
        }
+        r->head_seq_num = hseq;
 }
 static void wil_reorder_release(struct wil6210_priv *wil,
diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index c8c547457eb4..0784ef3d4ce2 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -64,6 +64,22 @@ static inline int wil_vring_avail_tx(struct vring *vring)
        return vring->size - used - 1;
 }
+/**
+ * wil_vring_wmark_low - low watermark for available descriptor space
+ */
+static inline int wil_vring_wmark_low(struct vring *vring)
+{
+        return vring->size/8;
+}
+/**
+ * wil_vring_wmark_high - high watermark for available descriptor space
+ */
+static inline int wil_vring_wmark_high(struct vring *vring)
+{
+        return vring->size/4;
+}
 static int wil_vring_alloc(struct wil6210_priv *wil, struct vring *vring)
 {
        struct device *dev = wil_to_dev(wil);
@@ -98,8 +114,8 @@ static int wil_vring_alloc(struct wil6210_priv *wil, struct vring *vring)
                _d->dma.status = TX_DMA_STATUS_DU;
        }
-        wil_dbg_misc(wil, "vring[%d] 0x%p:0x%016llx 0x%p\n", vring->size,
+        wil_dbg_misc(wil, "vring[%d] 0x%p:%pad 0x%p\n", vring->size,
-                     vring->va, (unsigned long long)vring->pa, vring->ctx);
+                     vring->va, &vring->pa, vring->ctx);
        return 0;
 }
@@ -880,8 +896,8 @@ static int wil_tx_vring(struct wil6210_priv *wil, struct vring *vring,
        pa = dma_map_single(dev, skb->data,
                        skb_headlen(skb), DMA_TO_DEVICE);
-        wil_dbg_txrx(wil, "Tx skb %d bytes %p -> %#08llx\n", skb_headlen(skb),
+        wil_dbg_txrx(wil, "Tx skb %d bytes 0x%p -> %pad\n", skb_headlen(skb),
-                     skb->data, (unsigned long long)pa);
+                     skb->data, &pa);
        wil_hex_dump_txrx("Tx ", DUMP_PREFIX_OFFSET, 16, 1,
                          skb->data, skb_headlen(skb), false);
@@ -1007,7 +1023,7 @@ netdev_tx_t wil_start_xmit(struct sk_buff *skb, struct net_device *ndev)
        rc = wil_tx_vring(wil, vring, skb);
        /* do we still have enough room in the vring? */
-        if (wil_vring_avail_tx(vring) < vring->size/8)
+        if (wil_vring_avail_tx(vring) < wil_vring_wmark_low(vring))
                netif_tx_stop_all_queues(wil_to_ndev(wil));
        switch (rc) {
@@ -1116,7 +1132,7 @@ int wil_tx_complete(struct wil6210_priv *wil, int ringid)
                        done++;
                }
        }
-        if (wil_vring_avail_tx(vring) > vring->size/4)
+        if (wil_vring_avail_tx(vring) > wil_vring_wmark_high(vring))
                netif_tx_wake_all_queues(wil_to_ndev(wil));
        return done;
diff --git a/drivers/net/wireless/ath/wil6210/wil6210.h b/drivers/net/wireless/ath/wil6210/wil6210.h
index 3427ac4a4fa1..e25edc52398f 100644
--- a/drivers/net/wireless/ath/wil6210/wil6210.h
+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
@@ -40,6 +40,9 @@ static inline u32 WIL_GET_BITS(u32 x, int b0, int b1)
 #define WIL6210_MAX_CID         (8) /* HW limit */
 #define WIL6210_NAPI_BUDGET     (16) /* arbitrary */
 #define WIL6210_ITR_TRSH        (10000) /* arbitrary - about 15 IRQs/msec */
+#define WIL6210_FW_RECOVERY_RETRIES     (5) /* try to recover this many times */
+#define WIL6210_FW_RECOVERY_TO  msecs_to_jiffies(5000)
+#define WIL6210_SCAN_TO         msecs_to_jiffies(10000)
 /* Hardware definitions begin */
@@ -361,6 +364,8 @@ struct wil6210_priv {
        u32 fw_version;
        u32 hw_version;
        u8 n_mids; /* number of additional MIDs as reported by FW */
+        int recovery_count; /* num of FW recovery attempts in a short time */
+        unsigned long last_fw_recovery; /* jiffies of last fw recovery */
        /* profile */
        u32 monitor_flags;
        u32 secure_pcp; /* create secure PCP? */
@@ -382,6 +387,7 @@ struct wil6210_priv {
        struct work_struct disconnect_worker;
        struct work_struct fw_error_worker;     /* for FW error recovery */
        struct timer_list connect_timer;
+        struct timer_list scan_timer; /* detect scan timeout */
        int pending_connect_cid;
        struct list_head pending_wmi_ev;
        /*
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index e9a11cb3428a..6cc0e182cc70 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -351,6 +351,7 @@ static void wmi_evt_scan_complete(struct wil6210_priv *wil, int id,
                bool aborted = (data->status != WMI_SCAN_SUCCESS);
                wil_dbg_wmi(wil, "SCAN_COMPLETE(0x%08x)\n", data->status);
+                del_timer_sync(&wil->scan_timer);
                cfg80211_scan_done(wil->scan_request, aborted);
                wil->scan_request = NULL;
        } else {
@@ -658,21 +659,27 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
        u8 *cmd;
        void __iomem *src;
        ulong flags;
+        unsigned n;
        if (!test_bit(wil_status_reset_done, &wil->status)) {
                wil_err(wil, "Reset not completed\n");
                return;
        }
-        for (;;) {
+        for (n = 0;; n++) {
                u16 len;
                r->head = ioread32(wil->csr + HOST_MBOX +
                                   offsetof(struct wil6210_mbox_ctl, rx.head));
-                if (r->tail == r->head)
+                if (r->tail == r->head) {
+                        if (n == 0)
+                                wil_dbg_wmi(wil, "No events?\n");
                        return;
+                }
-                /* read cmd from tail */
+                wil_dbg_wmi(wil, "Mbox head %08x tail %08x\n",
+                            r->head, r->tail);
+                /* read cmd descriptor from tail */
                wil_memcpy_fromio_32(&d_tail, wil->csr + HOSTADDR(r->tail),
                                     sizeof(struct wil6210_mbox_ring_desc));
                if (d_tail.sync == 0) {
@@ -680,13 +687,18 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                        return;
                }
+                /* read cmd header from descriptor */
                if (0 != wmi_read_hdr(wil, d_tail.addr, &hdr)) {
                        wil_err(wil, "Mbox evt at 0x%08x?\n",
                                le32_to_cpu(d_tail.addr));
                        return;
                }
                len = le16_to_cpu(hdr.len);
+                wil_dbg_wmi(wil, "Mbox evt %04x %04x %04x %02x\n",
+                            le16_to_cpu(hdr.seq), len, le16_to_cpu(hdr.type),
+                            hdr.flags);
+                /* read cmd buffer from descriptor */
                src = wmi_buffer(wil, d_tail.addr) +
                      sizeof(struct wil6210_mbox_hdr);
                evt = kmalloc(ALIGN(offsetof(struct pending_wmi_event,
@@ -702,9 +714,6 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                iowrite32(0, wil->csr + HOSTADDR(r->tail) +
                          offsetof(struct wil6210_mbox_ring_desc, sync));
                /* indicate */
-                wil_dbg_wmi(wil, "Mbox evt %04x %04x %04x %02x\n",
-                            le16_to_cpu(hdr.seq), len, le16_to_cpu(hdr.type),
-                            hdr.flags);
                if ((hdr.type == WIL_MBOX_HDR_TYPE_WMI) &&
                    (len >= sizeof(struct wil6210_mbox_hdr_wmi))) {
                        struct wil6210_mbox_hdr_wmi *wmi = &evt->event.wmi;
@@ -734,6 +743,8 @@ void wmi_recv_cmd(struct wil6210_priv *wil)
                        wil_dbg_wmi(wil, "queue_work -> %d\n", q);
                }
        }
+        if (n > 1)
+                wil_dbg_wmi(wil, "%s -> %d events processed\n", __func__, n);
 }
 int wmi_call(struct wil6210_priv *wil, u16 cmdid, void *buf, u16 len,
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 3d67e6b08e1c..32538ac5f7e4 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -3742,7 +3742,9 @@ static int b43_switch_band(struct b43_wldev *dev,
        b43dbg(dev->wl, "Switching to %s GHz band\n",
               band_to_string(chan->band));
-        b43_software_rfkill(dev, true);
+        /* Some new devices don't need disabling radio for band switching */
+        if (!(phy->type == B43_PHYTYPE_N && phy->rev >= 3))
+                b43_software_rfkill(dev, true);
        phy->gmode = gmode;
        b43_phy_put_into_reset(dev);
@@ -5164,6 +5166,7 @@ static void b43_supported_bands(struct b43_wldev *dev, bool *have_2ghz_phy,
 static int b43_wireless_core_attach(struct b43_wldev *dev)
 {
        struct b43_wl *wl = dev->wl;
+        struct b43_phy *phy = &dev->phy;
        int err;
        u32 tmp;
        bool have_2ghz_phy = false, have_5ghz_phy = false;
@@ -5181,6 +5184,8 @@ static int b43_wireless_core_attach(struct b43_wldev *dev)
                goto out;
        }
+        phy->do_full_init = true;
        /* Try to guess supported bands for the first init needs */
        switch (dev->dev->bus_type) {
 #ifdef CONFIG_B43_BCMA
diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c
index fb0ddddde16b..08244b3b327e 100644
--- a/drivers/net/wireless/b43/phy_common.c
+++ b/drivers/net/wireless/b43/phy_common.c
@@ -98,11 +98,14 @@ int b43_phy_init(struct b43_wldev *dev)
        phy->ops->switch_analog(dev, true);
        b43_software_rfkill(dev, false);
        err = ops->init(dev);
        if (err) {
                b43err(dev->wl, "PHY init failed\n");
                goto err_block_rf;
        }
+        phy->do_full_init = false;
        /* Make sure to switch hardware and firmware (SHM) to
         * the default channel. */
        err = b43_switch_channel(dev, ops->get_default_chan(dev));
@@ -114,6 +117,7 @@ int b43_phy_init(struct b43_wldev *dev)
        return 0;
 err_phy_exit:
+        phy->do_full_init = true;
        if (ops->exit)
                ops->exit(dev);
 err_block_rf:
@@ -127,6 +131,7 @@ void b43_phy_exit(struct b43_wldev *dev)
        const struct b43_phy_operations *ops = dev->phy.ops;
        b43_software_rfkill(dev, true);
+        dev->phy.do_full_init = true;
        if (ops->exit)
                ops->exit(dev);
 }
diff --git a/drivers/net/wireless/b43/phy_common.h b/drivers/net/wireless/b43/phy_common.h
index 47b55855c37d..4ad6240d9ff4 100644
--- a/drivers/net/wireless/b43/phy_common.h
+++ b/drivers/net/wireless/b43/phy_common.h
@@ -234,6 +234,9 @@ struct b43_phy {
        /* Is GMODE (2 GHz mode) bit enabled? */
        bool gmode;
+        /* After power reset full init has to be performed */
+        bool do_full_init;
        /* Analog Type */
        u8 analog;
        /* B43_PHYTYPE_ */
diff --git a/drivers/net/wireless/b43/phy_n.c b/drivers/net/wireless/b43/phy_n.c
index 41dab89a2942..86569f6a8705 100644
--- a/drivers/net/wireless/b43/phy_n.c
+++ b/drivers/net/wireless/b43/phy_n.c
@@ -700,13 +700,11 @@ static void b43_radio_2057_init_post(struct b43_wldev *dev)
        b43_radio_mask(dev, R2057_RFPLL_MISC_CAL_RESETN, ~0x78);
        b43_radio_mask(dev, R2057_XTAL_CONFIG2, ~0x80);
-        if (dev->phy.n->init_por) {
+        if (dev->phy.do_full_init) {
                b43_radio_2057_rcal(dev);
                b43_radio_2057_rccal(dev);
        }
        b43_radio_mask(dev, R2057_RFPLL_MASTER, ~0x8);
-        dev->phy.n->init_por = false;
 }
 /* http://bcm-v4.sipsolutions.net/802.11/Radio/2057/Init */
@@ -1028,7 +1026,7 @@ static void b43_radio_init2056_post(struct b43_wldev *dev)
        b43_radio_mask(dev, B2056_SYN_COM_RESET, ~0x2);
        b43_radio_mask(dev, B2056_SYN_PLL_MAST2, ~0xFC);
        b43_radio_mask(dev, B2056_SYN_RCCAL_CTRL0, ~0x1);
-        if (dev->phy.n->init_por)
+        if (dev->phy.do_full_init)
                b43_radio_2056_rcal(dev);
 }
@@ -1041,8 +1039,6 @@ static void b43_radio_init2056(struct b43_wldev *dev)
        b43_radio_init2056_pre(dev);
        b2056_upload_inittabs(dev, 0, 0);
        b43_radio_init2056_post(dev);
-        dev->phy.n->init_por = false;
 }
 /**************************************************
@@ -5561,7 +5557,6 @@ static void b43_nphy_op_prepare_structs(struct b43_wldev *dev)
        nphy->hang_avoid = (phy->rev == 3 || phy->rev == 4);
        nphy->spur_avoid = (phy->rev >= 3) ?
                                B43_SPUR_AVOID_AUTO : B43_SPUR_AVOID_DISABLE;
-        nphy->init_por = true;
        nphy->gain_boost = true; /* this way we follow wl, assume it is true */
        nphy->txrx_chain = 2; /* sth different than 0 and 1 for now */
        nphy->phyrxchain = 3; /* to avoid b43_nphy_set_rx_core_state like wl */
@@ -5602,8 +5597,6 @@ static void b43_nphy_op_prepare_structs(struct b43_wldev *dev)
                nphy->ipa2g_on = sprom->fem.ghz2.extpa_gain == 2;
                nphy->ipa5g_on = sprom->fem.ghz5.extpa_gain == 2;
        }
-        nphy->init_por = true;
 }
 static void b43_nphy_op_free(struct b43_wldev *dev)
@@ -5714,10 +5707,12 @@ static void b43_nphy_op_software_rfkill(struct b43_wldev *dev,
                }
        } else {
                if (dev->phy.rev >= 7) {
-                        b43_radio_2057_init(dev);
+                        if (!dev->phy.radio_on)
+                                b43_radio_2057_init(dev);
                        b43_switch_channel(dev, dev->phy.channel);
                } else if (dev->phy.rev >= 3) {
-                        b43_radio_init2056(dev);
+                        if (!dev->phy.radio_on)
+                                b43_radio_init2056(dev);
                        b43_switch_channel(dev, dev->phy.channel);
                } else {
                        b43_radio_init2055(dev);
diff --git a/drivers/net/wireless/b43/phy_n.h b/drivers/net/wireless/b43/phy_n.h
index 9a5b6bc27d24..ecfbf66dbc3b 100644
--- a/drivers/net/wireless/b43/phy_n.h
+++ b/drivers/net/wireless/b43/phy_n.h
@@ -931,7 +931,6 @@ struct b43_phy_n {
        u16 papd_epsilon_offset[2];
        s32 preamble_override;
        u32 bb_mult_save;
-        bool init_por;
        bool gain_boost;
        bool elna_gain_config;
diff --git a/drivers/net/wireless/b43/tables_nphy.c b/drivers/net/wireless/b43/tables_nphy.c
index 50d03ffeac8c..4047c05e3807 100644
--- a/drivers/net/wireless/b43/tables_nphy.c
+++ b/drivers/net/wireless/b43/tables_nphy.c
@@ -3042,30 +3042,32 @@ static void b43_nphy_tables_init_rev3(struct b43_wldev *dev)
                antswlut = sprom->fem.ghz2.antswlut;
        /* Static tables */
-        ntab_upload(dev, B43_NTAB_FRAMESTRUCT_R3, b43_ntab_framestruct_r3);
+        if (dev->phy.do_full_init) {
-        ntab_upload(dev, B43_NTAB_PILOT_R3, b43_ntab_pilot_r3);
+                ntab_upload(dev, B43_NTAB_FRAMESTRUCT_R3, b43_ntab_framestruct_r3);
-        ntab_upload(dev, B43_NTAB_TMAP_R3, b43_ntab_tmap_r3);
+                ntab_upload(dev, B43_NTAB_PILOT_R3, b43_ntab_pilot_r3);
-        ntab_upload(dev, B43_NTAB_INTLEVEL_R3, b43_ntab_intlevel_r3);
+                ntab_upload(dev, B43_NTAB_TMAP_R3, b43_ntab_tmap_r3);
-        ntab_upload(dev, B43_NTAB_TDTRN_R3, b43_ntab_tdtrn_r3);
+                ntab_upload(dev, B43_NTAB_INTLEVEL_R3, b43_ntab_intlevel_r3);
-        ntab_upload(dev, B43_NTAB_NOISEVAR_R3, b43_ntab_noisevar_r3);
+                ntab_upload(dev, B43_NTAB_TDTRN_R3, b43_ntab_tdtrn_r3);
-        ntab_upload(dev, B43_NTAB_MCS_R3, b43_ntab_mcs_r3);
+                ntab_upload(dev, B43_NTAB_NOISEVAR_R3, b43_ntab_noisevar_r3);
-        ntab_upload(dev, B43_NTAB_TDI20A0_R3, b43_ntab_tdi20a0_r3);
+                ntab_upload(dev, B43_NTAB_MCS_R3, b43_ntab_mcs_r3);
-        ntab_upload(dev, B43_NTAB_TDI20A1_R3, b43_ntab_tdi20a1_r3);
+                ntab_upload(dev, B43_NTAB_TDI20A0_R3, b43_ntab_tdi20a0_r3);
-        ntab_upload(dev, B43_NTAB_TDI40A0_R3, b43_ntab_tdi40a0_r3);
+                ntab_upload(dev, B43_NTAB_TDI20A1_R3, b43_ntab_tdi20a1_r3);
-        ntab_upload(dev, B43_NTAB_TDI40A1_R3, b43_ntab_tdi40a1_r3);
+                ntab_upload(dev, B43_NTAB_TDI40A0_R3, b43_ntab_tdi40a0_r3);
-        ntab_upload(dev, B43_NTAB_PILOTLT_R3, b43_ntab_pilotlt_r3);
+                ntab_upload(dev, B43_NTAB_TDI40A1_R3, b43_ntab_tdi40a1_r3);
-        ntab_upload(dev, B43_NTAB_CHANEST_R3, b43_ntab_channelest_r3);
+                ntab_upload(dev, B43_NTAB_PILOTLT_R3, b43_ntab_pilotlt_r3);
-        ntab_upload(dev, B43_NTAB_FRAMELT_R3, b43_ntab_framelookup_r3);
+                ntab_upload(dev, B43_NTAB_CHANEST_R3, b43_ntab_channelest_r3);
-        ntab_upload(dev, B43_NTAB_C0_ESTPLT_R3, b43_ntab_estimatepowerlt0_r3);
+                ntab_upload(dev, B43_NTAB_FRAMELT_R3, b43_ntab_framelookup_r3);
-        ntab_upload(dev, B43_NTAB_C1_ESTPLT_R3, b43_ntab_estimatepowerlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_ESTPLT_R3, b43_ntab_estimatepowerlt0_r3);
-        ntab_upload(dev, B43_NTAB_C0_ADJPLT_R3, b43_ntab_adjustpower0_r3);
+                ntab_upload(dev, B43_NTAB_C1_ESTPLT_R3, b43_ntab_estimatepowerlt1_r3);
-        ntab_upload(dev, B43_NTAB_C1_ADJPLT_R3, b43_ntab_adjustpower1_r3);
+                ntab_upload(dev, B43_NTAB_C0_ADJPLT_R3, b43_ntab_adjustpower0_r3);
-        ntab_upload(dev, B43_NTAB_C0_GAINCTL_R3, b43_ntab_gainctl0_r3);
+                ntab_upload(dev, B43_NTAB_C1_ADJPLT_R3, b43_ntab_adjustpower1_r3);
-        ntab_upload(dev, B43_NTAB_C1_GAINCTL_R3, b43_ntab_gainctl1_r3);
+                ntab_upload(dev, B43_NTAB_C0_GAINCTL_R3, b43_ntab_gainctl0_r3);
-        ntab_upload(dev, B43_NTAB_C0_IQLT_R3, b43_ntab_iqlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_GAINCTL_R3, b43_ntab_gainctl1_r3);
-        ntab_upload(dev, B43_NTAB_C1_IQLT_R3, b43_ntab_iqlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_IQLT_R3, b43_ntab_iqlt0_r3);
-        ntab_upload(dev, B43_NTAB_C0_LOFEEDTH_R3, b43_ntab_loftlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_IQLT_R3, b43_ntab_iqlt1_r3);
-        ntab_upload(dev, B43_NTAB_C1_LOFEEDTH_R3, b43_ntab_loftlt1_r3);
+                ntab_upload(dev, B43_NTAB_C0_LOFEEDTH_R3, b43_ntab_loftlt0_r3);
+                ntab_upload(dev, B43_NTAB_C1_LOFEEDTH_R3, b43_ntab_loftlt1_r3);
+        }
        /* Volatile tables */
        if (antswlut < ARRAY_SIZE(b43_ntab_antswctl_r3))
@@ -3078,20 +3080,22 @@ static void b43_nphy_tables_init_rev3(struct b43_wldev *dev)
 static void b43_nphy_tables_init_rev0(struct b43_wldev *dev)
 {
        /* Static tables */
-        ntab_upload(dev, B43_NTAB_FRAMESTRUCT, b43_ntab_framestruct);
+        if (dev->phy.do_full_init) {
-        ntab_upload(dev, B43_NTAB_FRAMELT, b43_ntab_framelookup);
+                ntab_upload(dev, B43_NTAB_FRAMESTRUCT, b43_ntab_framestruct);
-        ntab_upload(dev, B43_NTAB_TMAP, b43_ntab_tmap);
+                ntab_upload(dev, B43_NTAB_FRAMELT, b43_ntab_framelookup);
-        ntab_upload(dev, B43_NTAB_TDTRN, b43_ntab_tdtrn);
+                ntab_upload(dev, B43_NTAB_TMAP, b43_ntab_tmap);
-        ntab_upload(dev, B43_NTAB_INTLEVEL, b43_ntab_intlevel);
+                ntab_upload(dev, B43_NTAB_TDTRN, b43_ntab_tdtrn);
-        ntab_upload(dev, B43_NTAB_PILOT, b43_ntab_pilot);
+                ntab_upload(dev, B43_NTAB_INTLEVEL, b43_ntab_intlevel);
-        ntab_upload(dev, B43_NTAB_TDI20A0, b43_ntab_tdi20a0);
+                ntab_upload(dev, B43_NTAB_PILOT, b43_ntab_pilot);
-        ntab_upload(dev, B43_NTAB_TDI20A1, b43_ntab_tdi20a1);
+                ntab_upload(dev, B43_NTAB_TDI20A0, b43_ntab_tdi20a0);
-        ntab_upload(dev, B43_NTAB_TDI40A0, b43_ntab_tdi40a0);
+                ntab_upload(dev, B43_NTAB_TDI20A1, b43_ntab_tdi20a1);
-        ntab_upload(dev, B43_NTAB_TDI40A1, b43_ntab_tdi40a1);
+                ntab_upload(dev, B43_NTAB_TDI40A0, b43_ntab_tdi40a0);
-        ntab_upload(dev, B43_NTAB_CHANEST, b43_ntab_channelest);
+                ntab_upload(dev, B43_NTAB_TDI40A1, b43_ntab_tdi40a1);
-        ntab_upload(dev, B43_NTAB_MCS, b43_ntab_mcs);
+                ntab_upload(dev, B43_NTAB_CHANEST, b43_ntab_channelest);
-        ntab_upload(dev, B43_NTAB_NOISEVAR10, b43_ntab_noisevar10);
+                ntab_upload(dev, B43_NTAB_MCS, b43_ntab_mcs);
-        ntab_upload(dev, B43_NTAB_NOISEVAR11, b43_ntab_noisevar11);
+                ntab_upload(dev, B43_NTAB_NOISEVAR10, b43_ntab_noisevar10);
+                ntab_upload(dev, B43_NTAB_NOISEVAR11, b43_ntab_noisevar11);
+        }
        /* Volatile tables */
        ntab_upload(dev, B43_NTAB_BDI, b43_ntab_bdi);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/Makefile b/drivers/net/wireless/brcm80211/brcmfmac/Makefile
index 1d2ceac3a221..98e67c18f276 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/Makefile
+++ b/drivers/net/wireless/brcm80211/brcmfmac/Makefile
@@ -33,7 +33,7 @@ brcmfmac-objs += \
                bcdc.o \
                dhd_common.o \
                dhd_linux.o \
-                nvram.o \
+                firmware.o \
                btcoex.o
 brcmfmac-$(CONFIG_BRCMFMAC_SDIO) += \
                dhd_sdio.o \
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
index c5dcd82e884b..7735328fff21 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
@@ -63,7 +63,6 @@ struct brcmf_bus_dcmd {
 */
 struct brcmf_bus_ops {
        int (*preinit)(struct device *dev);
-        int (*init)(struct device *dev);
        void (*stop)(struct device *dev);
        int (*txdata)(struct device *dev, struct sk_buff *skb);
        int (*txctl)(struct device *dev, unsigned char *msg, uint len);
@@ -114,11 +113,6 @@ static inline int brcmf_bus_preinit(struct brcmf_bus *bus)
        return bus->ops->preinit(bus->dev);
 }
-static inline int brcmf_bus_init(struct brcmf_bus *bus)
-{
-        return bus->ops->init(bus->dev);
-}
 static inline void brcmf_bus_stop(struct brcmf_bus *bus)
 {
        bus->ops->stop(bus->dev);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
index 4cacc3d85212..09dd8c13d844 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -916,13 +916,6 @@ int brcmf_bus_start(struct device *dev)
        brcmf_dbg(TRACE, "\n");
-        /* Bring up the bus */
-        ret = brcmf_bus_init(bus_if);
-        if (ret != 0) {
-                brcmf_err("brcmf_sdbrcm_bus_init failed %d\n", ret);
-                return ret;
-        }
        /* add primary networking interface */
        ifp = brcmf_add_if(drvr, 0, 0, "wlan%d", NULL);
        if (IS_ERR(ifp))
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index 13c89a0c4ba7..8fa0dbbbda72 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -42,7 +42,7 @@
 #include <soc.h>
 #include "sdio_host.h"
 #include "chip.h"
-#include "nvram.h"
+#include "firmware.h"
 #define DCMD_RESP_TIMEOUT  2000 /* In milli second */
@@ -632,43 +632,28 @@ static const struct brcmf_firmware_names brcmf_fwname_data[] = {
        { BCM4354_CHIP_ID, 0xFFFFFFFF, BRCMF_FIRMWARE_NVRAM(BCM4354) }
 };
+static const char *brcmf_sdio_get_fwname(struct brcmf_chip *ci,
-static const struct firmware *brcmf_sdio_get_fw(struct brcmf_sdio *bus,
+                                         enum brcmf_firmware_type type)
-                                                  enum brcmf_firmware_type type)
 {
-        const struct firmware *fw;
+        int i;
-        const char *name;
-        int err, i;
        for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
-                if (brcmf_fwname_data[i].chipid == bus->ci->chip &&
+                if (brcmf_fwname_data[i].chipid == ci->chip &&
-                    brcmf_fwname_data[i].revmsk & BIT(bus->ci->chiprev)) {
+                    brcmf_fwname_data[i].revmsk & BIT(ci->chiprev)) {
                        switch (type) {
                        case BRCMF_FIRMWARE_BIN:
-                                name = brcmf_fwname_data[i].bin;
+                                return brcmf_fwname_data[i].bin;
-                                break;
                        case BRCMF_FIRMWARE_NVRAM:
-                                name = brcmf_fwname_data[i].nv;
+                                return brcmf_fwname_data[i].nv;
-                                break;
                        default:
                                brcmf_err("invalid firmware type (%d)\n", type);
                                return NULL;
                        }
-                        goto found;
                }
        }
        brcmf_err("Unknown chipid %d [%d]\n",
-                  bus->ci->chip, bus->ci->chiprev);
+                  ci->chip, ci->chiprev);
        return NULL;
-found:
-        err = request_firmware(&fw, name, &bus->sdiodev->func[2]->dev);
-        if ((err) || (!fw)) {
-                brcmf_err("fail to request firmware %s (%d)\n", name, err);
-                return NULL;
-        }
-        return fw;
 }
 static void pkt_align(struct sk_buff *p, int len, int align)
@@ -3278,20 +3263,13 @@ static int brcmf_sdio_download_code_file(struct brcmf_sdio *bus,
 }
 static int brcmf_sdio_download_nvram(struct brcmf_sdio *bus,
-                                     const struct firmware *nv)
+                                     void *vars, u32 varsz)
 {
-        void *vars;
-        u32 varsz;
        int address;
        int err;
        brcmf_dbg(TRACE, "Enter\n");
-        vars = brcmf_nvram_strip(nv, &varsz);
-        if (vars == NULL)
-                return -EINVAL;
        address = bus->ci->ramsize - varsz + bus->ci->rambase;
        err = brcmf_sdiod_ramrw(bus->sdiodev, true, address, vars, varsz);
        if (err)
@@ -3300,15 +3278,14 @@ static int brcmf_sdio_download_nvram(struct brcmf_sdio *bus,
        else if (!brcmf_sdio_verifymemory(bus->sdiodev, address, vars, varsz))
                err = -EIO;
-        brcmf_nvram_free(vars);
        return err;
 }
-static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
+static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
+                                        const struct firmware *fw,
+                                        void *nvram, u32 nvlen)
 {
        int bcmerror = -EFAULT;
-        const struct firmware *fw;
        u32 rstvec;
        sdio_claim_host(bus->sdiodev->func[1]);
@@ -3317,12 +3294,6 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
        /* Keep arm in reset */
        brcmf_chip_enter_download(bus->ci);
-        fw = brcmf_sdio_get_fw(bus, BRCMF_FIRMWARE_BIN);
-        if (fw == NULL) {
-                bcmerror = -ENOENT;
-                goto err;
-        }
        rstvec = get_unaligned_le32(fw->data);
        brcmf_dbg(SDIO, "firmware rstvec: %x\n", rstvec);
@@ -3330,17 +3301,12 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus)
        release_firmware(fw);
        if (bcmerror) {
                brcmf_err("dongle image file download failed\n");
+                brcmf_fw_nvram_free(nvram);
                goto err;
        }
-        fw = brcmf_sdio_get_fw(bus, BRCMF_FIRMWARE_NVRAM);
+        bcmerror = brcmf_sdio_download_nvram(bus, nvram, nvlen);
-        if (fw == NULL) {
+        brcmf_fw_nvram_free(nvram);
-                bcmerror = -ENOENT;
-                goto err;
-        }
-        bcmerror = brcmf_sdio_download_nvram(bus, fw);
-        release_firmware(fw);
        if (bcmerror) {
                brcmf_err("dongle nvram file download failed\n");
                goto err;
@@ -3490,97 +3456,6 @@ done:
        return err;
 }
-static int brcmf_sdio_bus_init(struct device *dev)
-{
-        struct brcmf_bus *bus_if = dev_get_drvdata(dev);
-        struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
-        struct brcmf_sdio *bus = sdiodev->bus;
-        int err, ret = 0;
-        u8 saveclk;
-        brcmf_dbg(TRACE, "Enter\n");
-        /* try to download image and nvram to the dongle */
-        if (bus_if->state == BRCMF_BUS_DOWN) {
-                bus->alp_only = true;
-                err = brcmf_sdio_download_firmware(bus);
-                if (err)
-                        return err;
-                bus->alp_only = false;
-        }
-        if (!bus->sdiodev->bus_if->drvr)
-                return 0;
-        /* Start the watchdog timer */
-        bus->sdcnt.tickcnt = 0;
-        brcmf_sdio_wd_timer(bus, BRCMF_WD_POLL_MS);
-        sdio_claim_host(bus->sdiodev->func[1]);
-        /* Make sure backplane clock is on, needed to generate F2 interrupt */
-        brcmf_sdio_clkctl(bus, CLK_AVAIL, false);
-        if (bus->clkstate != CLK_AVAIL)
-                goto exit;
-        /* Force clocks on backplane to be sure F2 interrupt propagates */
-        saveclk = brcmf_sdiod_regrb(bus->sdiodev,
-                                    SBSDIO_FUNC1_CHIPCLKCSR, &err);
-        if (!err) {
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
-                                  (saveclk | SBSDIO_FORCE_HT), &err);
-        }
-        if (err) {
-                brcmf_err("Failed to force clock for F2: err %d\n", err);
-                goto exit;
-        }
-        /* Enable function 2 (frame transfers) */
-        w_sdreg32(bus, SDPCM_PROT_VERSION << SMB_DATA_VERSION_SHIFT,
-                  offsetof(struct sdpcmd_regs, tosbmailboxdata));
-        err = sdio_enable_func(bus->sdiodev->func[SDIO_FUNC_2]);
-        brcmf_dbg(INFO, "enable F2: err=%d\n", err);
-        /* If F2 successfully enabled, set core and enable interrupts */
-        if (!err) {
-                /* Set up the interrupt mask and enable interrupts */
-                bus->hostintmask = HOSTINTMASK;
-                w_sdreg32(bus, bus->hostintmask,
-                          offsetof(struct sdpcmd_regs, hostintmask));
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_WATERMARK, 8, &err);
-        } else {
-                /* Disable F2 again */
-                sdio_disable_func(bus->sdiodev->func[SDIO_FUNC_2]);
-                ret = -ENODEV;
-        }
-        if (brcmf_chip_sr_capable(bus->ci)) {
-                brcmf_sdio_sr_init(bus);
-        } else {
-                /* Restore previous clock setting */
-                brcmf_sdiod_regwb(bus->sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
-                                  saveclk, &err);
-        }
-        if (ret == 0) {
-                ret = brcmf_sdiod_intr_register(bus->sdiodev);
-                if (ret != 0)
-                        brcmf_err("intr register failed:%d\n", ret);
-        }
-        /* If we didn't come up, turn off backplane clock */
-        if (ret != 0)
-                brcmf_sdio_clkctl(bus, CLK_NONE, false);
-exit:
-        sdio_release_host(bus->sdiodev->func[1]);
-        return ret;
-}
 void brcmf_sdio_isr(struct brcmf_sdio *bus)
 {
        brcmf_dbg(TRACE, "Enter\n");
@@ -4020,13 +3895,114 @@ brcmf_sdio_watchdog(unsigned long data)
 static struct brcmf_bus_ops brcmf_sdio_bus_ops = {
        .stop = brcmf_sdio_bus_stop,
        .preinit = brcmf_sdio_bus_preinit,
-        .init = brcmf_sdio_bus_init,
        .txdata = brcmf_sdio_bus_txdata,
        .txctl = brcmf_sdio_bus_txctl,
        .rxctl = brcmf_sdio_bus_rxctl,
        .gettxq = brcmf_sdio_bus_gettxq,
 };
+static void brcmf_sdio_firmware_callback(struct device *dev,
+                                         const struct firmware *code,
+                                         void *nvram, u32 nvram_len)
+{
+        struct brcmf_bus *bus_if = dev_get_drvdata(dev);
+        struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
+        struct brcmf_sdio *bus = sdiodev->bus;
+        int err = 0;
+        u8 saveclk;
+        brcmf_dbg(TRACE, "Enter: dev=%s\n", dev_name(dev));
+        /* try to download image and nvram to the dongle */
+        if (bus_if->state == BRCMF_BUS_DOWN) {
+                bus->alp_only = true;
+                err = brcmf_sdio_download_firmware(bus, code, nvram, nvram_len);
+                if (err)
+                        goto fail;
+                bus->alp_only = false;
+        }
+        if (!bus_if->drvr)
+                return;
+        /* Start the watchdog timer */
+        bus->sdcnt.tickcnt = 0;
+        brcmf_sdio_wd_timer(bus, BRCMF_WD_POLL_MS);
+        sdio_claim_host(sdiodev->func[1]);
+        /* Make sure backplane clock is on, needed to generate F2 interrupt */
+        brcmf_sdio_clkctl(bus, CLK_AVAIL, false);
+        if (bus->clkstate != CLK_AVAIL)
+                goto release;
+        /* Force clocks on backplane to be sure F2 interrupt propagates */
+        saveclk = brcmf_sdiod_regrb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR, &err);
+        if (!err) {
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
+                                  (saveclk | SBSDIO_FORCE_HT), &err);
+        }
+        if (err) {
+                brcmf_err("Failed to force clock for F2: err %d\n", err);
+                goto release;
+        }
+        /* Enable function 2 (frame transfers) */
+        w_sdreg32(bus, SDPCM_PROT_VERSION << SMB_DATA_VERSION_SHIFT,
+                  offsetof(struct sdpcmd_regs, tosbmailboxdata));
+        err = sdio_enable_func(sdiodev->func[SDIO_FUNC_2]);
+        brcmf_dbg(INFO, "enable F2: err=%d\n", err);
+        /* If F2 successfully enabled, set core and enable interrupts */
+        if (!err) {
+                /* Set up the interrupt mask and enable interrupts */
+                bus->hostintmask = HOSTINTMASK;
+                w_sdreg32(bus, bus->hostintmask,
+                          offsetof(struct sdpcmd_regs, hostintmask));
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_WATERMARK, 8, &err);
+        } else {
+                /* Disable F2 again */
+                sdio_disable_func(sdiodev->func[SDIO_FUNC_2]);
+                goto release;
+        }
+        if (brcmf_chip_sr_capable(bus->ci)) {
+                brcmf_sdio_sr_init(bus);
+        } else {
+                /* Restore previous clock setting */
+                brcmf_sdiod_regwb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
+                                  saveclk, &err);
+        }
+        if (err == 0) {
+                err = brcmf_sdiod_intr_register(sdiodev);
+                if (err != 0)
+                        brcmf_err("intr register failed:%d\n", err);
+        }
+        /* If we didn't come up, turn off backplane clock */
+        if (err != 0)
+                brcmf_sdio_clkctl(bus, CLK_NONE, false);
+        sdio_release_host(sdiodev->func[1]);
+        err = brcmf_bus_start(dev);
+        if (err != 0) {
+                brcmf_err("dongle is not responding\n");
+                goto fail;
+        }
+        return;
+release:
+        sdio_release_host(sdiodev->func[1]);
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
+        device_release_driver(dev);
+}
 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
 {
        int ret;
@@ -4110,8 +4086,13 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
                goto fail;
        }
+        /* Query the F2 block size, set roundup accordingly */
+        bus->blocksize = bus->sdiodev->func[2]->cur_blksize;
+        bus->roundup = min(max_roundup, bus->blocksize);
        /* Allocate buffers */
        if (bus->sdiodev->bus_if->maxctl) {
+                bus->sdiodev->bus_if->maxctl += bus->roundup;
                bus->rxblen =
                    roundup((bus->sdiodev->bus_if->maxctl + SDPCM_HDRLEN),
                            ALIGNMENT) + bus->head_align;
@@ -4139,10 +4120,6 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
        bus->idletime = BRCMF_IDLE_INTERVAL;
        bus->idleclock = BRCMF_IDLE_ACTIVE;
-        /* Query the F2 block size, set roundup accordingly */
-        bus->blocksize = bus->sdiodev->func[2]->cur_blksize;
-        bus->roundup = min(max_roundup, bus->blocksize);
        /* SR state */
        bus->sleeping = false;
        bus->sr_enabled = false;
@@ -4150,10 +4127,14 @@ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
        brcmf_sdio_debugfs_create(bus);
        brcmf_dbg(INFO, "completed!!\n");
-        /* if firmware path present try to download and bring up bus */
+        ret = brcmf_fw_get_firmwares(sdiodev->dev, BRCMF_FW_REQUEST_NVRAM,
-        ret = brcmf_bus_start(bus->sdiodev->dev);
+                                     brcmf_sdio_get_fwname(bus->ci,
+                                                           BRCMF_FIRMWARE_BIN),
+                                     brcmf_sdio_get_fwname(bus->ci,
+                                                           BRCMF_FIRMWARE_NVRAM),
+                                     brcmf_sdio_firmware_callback);
        if (ret != 0) {
-                brcmf_err("dongle is not responding\n");
+                brcmf_err("async firmware request failed: %d\n", ret);
                goto fail;
        }
@@ -4173,9 +4154,7 @@ void brcmf_sdio_remove(struct brcmf_sdio *bus)
                /* De-register interrupt handler */
                brcmf_sdiod_intr_unregister(bus->sdiodev);
-                if (bus->sdiodev->bus_if->drvr) {
+                brcmf_detach(bus->sdiodev->dev);
-                        brcmf_detach(bus->sdiodev->dev);
-                }
                cancel_work_sync(&bus->datawork);
                if (bus->brcmf_wq)
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/nvram.c b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
index 5c450d11dbc9..7b7d237c1ddb 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/nvram.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
@@ -16,10 +16,11 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <linux/device.h>
 #include <linux/firmware.h>
 #include "dhd_dbg.h"
-#include "nvram.h"
+#include "firmware.h"
 enum nvram_parser_state {
        IDLE,
@@ -187,7 +188,7 @@ static int brcmf_init_nvram_parser(struct nvram_parser *nvp,
 * and converts newlines to NULs. Shortens buffer as needed and pads with NULs.
 * End of buffer is completed with token identifying length of buffer.
 */
-void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length)
+static void *brcmf_fw_nvram_strip(const struct firmware *nv, u32 *new_length)
 {
        struct nvram_parser nvp;
        u32 pad;
@@ -219,8 +220,113 @@ void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length)
        return nvp.nvram;
 }
-void brcmf_nvram_free(void *nvram)
+void brcmf_fw_nvram_free(void *nvram)
 {
        kfree(nvram);
 }
+struct brcmf_fw {
+        struct device *dev;
+        u16 flags;
+        const struct firmware *code;
+        const char *nvram_name;
+        void (*done)(struct device *dev, const struct firmware *fw,
+                     void *nvram_image, u32 nvram_len);
+};
+static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx)
+{
+        struct brcmf_fw *fwctx = ctx;
+        u32 nvram_length = 0;
+        void *nvram = NULL;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(fwctx->dev));
+        if (!fw && !(fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL))
+                goto fail;
+        if (fw) {
+                nvram = brcmf_fw_nvram_strip(fw, &nvram_length);
+                release_firmware(fw);
+                if (!nvram && !(fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL))
+                        goto fail;
+        }
+        fwctx->done(fwctx->dev, fwctx->code, nvram, nvram_length);
+        kfree(fwctx);
+        return;
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
+        if (fwctx->code)
+                release_firmware(fwctx->code);
+        device_release_driver(fwctx->dev);
+        kfree(fwctx);
+}
+static void brcmf_fw_request_code_done(const struct firmware *fw, void *ctx)
+{
+        struct brcmf_fw *fwctx = ctx;
+        int ret;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(fwctx->dev));
+        if (!fw)
+                goto fail;
+        /* only requested code so done here */
+        if (!(fwctx->flags & BRCMF_FW_REQUEST_NVRAM)) {
+                fwctx->done(fwctx->dev, fw, NULL, 0);
+                kfree(fwctx);
+                return;
+        }
+        fwctx->code = fw;
+        ret = request_firmware_nowait(THIS_MODULE, true, fwctx->nvram_name,
+                                      fwctx->dev, GFP_KERNEL, fwctx,
+                                      brcmf_fw_request_nvram_done);
+        if (!ret)
+                return;
+        /* when nvram is optional call .done() callback here */
+        if (fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL) {
+                fwctx->done(fwctx->dev, fw, NULL, 0);
+                kfree(fwctx);
+                return;
+        }
+        /* failed nvram request */
+        release_firmware(fw);
+fail:
+        brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
+        device_release_driver(fwctx->dev);
+        kfree(fwctx);
+}
+int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
+                           const char *code, const char *nvram,
+                           void (*fw_cb)(struct device *dev,
+                                         const struct firmware *fw,
+                                         void *nvram_image, u32 nvram_len))
+{
+        struct brcmf_fw *fwctx;
+        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+        if (!fw_cb || !code)
+                return -EINVAL;
+        if ((flags & BRCMF_FW_REQUEST_NVRAM) && !nvram)
+                return -EINVAL;
+        fwctx = kzalloc(sizeof(*fwctx), GFP_KERNEL);
+        if (!fwctx)
+                return -ENOMEM;
+        fwctx->dev = dev;
+        fwctx->flags = flags;
+        fwctx->done = fw_cb;
+        if (flags & BRCMF_FW_REQUEST_NVRAM)
+                fwctx->nvram_name = nvram;
+        return request_firmware_nowait(THIS_MODULE, true, code, dev,
+                                       GFP_KERNEL, fwctx,
+                                       brcmf_fw_request_code_done);
+}
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/nvram.h b/drivers/net/wireless/brcm80211/brcmfmac/firmware.h
index d454580928c9..6431bfd7afff 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/nvram.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.h
@@ -13,12 +13,24 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifndef BRCMFMAC_NVRAM_H
+#ifndef BRCMFMAC_FIRMWARE_H
-#define BRCMFMAC_NVRAM_H
+#define BRCMFMAC_FIRMWARE_H
+#define BRCMF_FW_REQUEST                0x000F
+#define  BRCMF_FW_REQUEST_NVRAM         0x0001
+#define BRCMF_FW_REQ_FLAGS              0x00F0
+#define  BRCMF_FW_REQ_NV_OPTIONAL       0x0010
-void *brcmf_nvram_strip(const struct firmware *nv, u32 *new_length);
+void brcmf_fw_nvram_free(void *nvram);
-void brcmf_nvram_free(void *nvram);
+/*
+ * Request firmware(s) asynchronously. When the asynchronous request
+ * fails it will not use the callback, but call device_release_driver()
+ * instead which will call the driver .remove() callback.
+ */
+int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
+                           const char *code, const char *nvram,
+                           void (*fw_cb)(struct device *dev,
+                                         const struct firmware *fw,
+                                         void *nvram_image, u32 nvram_len));
-#endif /* BRCMFMAC_NVRAM_H */
+#endif /* BRCMFMAC_FIRMWARE_H */
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
index 3ce0e7cfd027..6db51a666f61 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -25,6 +25,7 @@
 #include <dhd_bus.h>
 #include <dhd_dbg.h>
+#include "firmware.h"
 #include "usb_rdl.h"
 #include "usb.h"
@@ -61,12 +62,6 @@ struct brcmf_usb_image {
        u8 *image;
        int image_len;
 };
-static struct list_head fw_image_list;
-struct intr_transfer_buf {
-        u32 notification;
-        u32 reserved;
-};
 struct brcmf_usbdev_info {
        struct brcmf_usbdev bus_pub; /* MUST BE FIRST */
@@ -75,7 +70,7 @@ struct brcmf_usbdev_info {
        struct list_head rx_postq;
        struct list_head tx_freeq;
        struct list_head tx_postq;
-        uint rx_pipe, tx_pipe, intr_pipe, rx_pipe2;
+        uint rx_pipe, tx_pipe, rx_pipe2;
        int rx_low_watermark;
        int tx_low_watermark;
@@ -87,7 +82,7 @@ struct brcmf_usbdev_info {
        struct brcmf_usbreq *tx_reqs;
        struct brcmf_usbreq *rx_reqs;
-        u8 *image;      /* buffer for combine fw and nvram */
+        const u8 *image;        /* buffer for combine fw and nvram */
        int image_len;
        struct usb_device *usbdev;
@@ -104,10 +99,6 @@ struct brcmf_usbdev_info {
        ulong ctl_op;
        struct urb *bulk_urb; /* used for FW download */
-        struct urb *intr_urb; /* URB for interrupt endpoint */
-        int intr_size;          /* Size of interrupt message */
-        int interval;           /* Interrupt polling interval */
-        struct intr_transfer_buf intr; /* Data buffer for interrupt endpoint */
 };
 static void brcmf_usb_rx_refill(struct brcmf_usbdev_info *devinfo,
@@ -531,39 +522,6 @@ brcmf_usb_state_change(struct brcmf_usbdev_info *devinfo, int state)
        }
 }
-static void
-brcmf_usb_intr_complete(struct urb *urb)
-{
-        struct brcmf_usbdev_info *devinfo =
-                        (struct brcmf_usbdev_info *)urb->context;
-        int err;
-        brcmf_dbg(USB, "Enter, urb->status=%d\n", urb->status);
-        if (devinfo == NULL)
-                return;
-        if (unlikely(urb->status)) {
-                if (urb->status == -ENOENT ||
-                    urb->status == -ESHUTDOWN ||
-                    urb->status == -ENODEV) {
-                        brcmf_usb_state_change(devinfo,
-                                               BRCMFMAC_USB_STATE_DOWN);
-                }
-        }
-        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_DOWN) {
-                brcmf_err("intr cb when DBUS down, ignoring\n");
-                return;
-        }
-        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP) {
-                err = usb_submit_urb(devinfo->intr_urb, GFP_ATOMIC);
-                if (err)
-                        brcmf_err("usb_submit_urb, err=%d\n", err);
-        }
-}
 static int brcmf_usb_tx(struct device *dev, struct sk_buff *skb)
 {
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(dev);
@@ -619,7 +577,6 @@ static int brcmf_usb_up(struct device *dev)
 {
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(dev);
        u16 ifnum;
-        int ret;
        brcmf_dbg(USB, "Enter\n");
        if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP)
@@ -628,23 +585,6 @@ static int brcmf_usb_up(struct device *dev)
        /* Success, indicate devinfo is fully up */
        brcmf_usb_state_change(devinfo, BRCMFMAC_USB_STATE_UP);
-        if (devinfo->intr_urb) {
-                usb_fill_int_urb(devinfo->intr_urb, devinfo->usbdev,
-                        devinfo->intr_pipe,
-                        &devinfo->intr,
-                        devinfo->intr_size,
-                        (usb_complete_t)brcmf_usb_intr_complete,
-                        devinfo,
-                        devinfo->interval);
-                ret = usb_submit_urb(devinfo->intr_urb, GFP_ATOMIC);
-                if (ret) {
-                        brcmf_err("USB_SUBMIT_URB failed with status %d\n",
-                                  ret);
-                        return -EINVAL;
-                }
-        }
        if (devinfo->ctl_urb) {
                devinfo->ctl_in_pipe = usb_rcvctrlpipe(devinfo->usbdev, 0);
                devinfo->ctl_out_pipe = usb_sndctrlpipe(devinfo->usbdev, 0);
@@ -681,8 +621,6 @@ static void brcmf_usb_down(struct device *dev)
                return;
        brcmf_usb_state_change(devinfo, BRCMFMAC_USB_STATE_DOWN);
-        if (devinfo->intr_urb)
-                usb_kill_urb(devinfo->intr_urb);
        if (devinfo->ctl_urb)
                usb_kill_urb(devinfo->ctl_urb);
@@ -1021,7 +959,7 @@ brcmf_usb_fw_download(struct brcmf_usbdev_info *devinfo)
        }
        err = brcmf_usb_dlstart(devinfo,
-                devinfo->image, devinfo->image_len);
+                (u8 *)devinfo->image, devinfo->image_len);
        if (err == 0)
                err = brcmf_usb_dlrun(devinfo);
        return err;
@@ -1036,7 +974,6 @@ static void brcmf_usb_detach(struct brcmf_usbdev_info *devinfo)
        brcmf_usb_free_q(&devinfo->rx_freeq, false);
        brcmf_usb_free_q(&devinfo->tx_freeq, false);
-        usb_free_urb(devinfo->intr_urb);
        usb_free_urb(devinfo->ctl_urb);
        usb_free_urb(devinfo->bulk_urb);
@@ -1080,68 +1017,20 @@ static int check_file(const u8 *headers)
        return -1;
 }
-static int brcmf_usb_get_fw(struct brcmf_usbdev_info *devinfo)
+static const char *brcmf_usb_get_fwname(struct brcmf_usbdev_info *devinfo)
 {
-        s8 *fwname;
-        const struct firmware *fw;
-        struct brcmf_usb_image *fw_image;
-        int err;
-        brcmf_dbg(USB, "Enter\n");
        switch (devinfo->bus_pub.devid) {
        case 43143:
-                fwname = BRCMF_USB_43143_FW_NAME;
+                return BRCMF_USB_43143_FW_NAME;
-                break;
        case 43235:
        case 43236:
        case 43238:
-                fwname = BRCMF_USB_43236_FW_NAME;
+                return BRCMF_USB_43236_FW_NAME;
-                break;
        case 43242:
-                fwname = BRCMF_USB_43242_FW_NAME;
+                return BRCMF_USB_43242_FW_NAME;
-                break;
        default:
-                return -EINVAL;
+                return NULL;
-                break;
-        }
-        brcmf_dbg(USB, "Loading FW %s\n", fwname);
-        list_for_each_entry(fw_image, &fw_image_list, list) {
-                if (fw_image->fwname == fwname) {
-                        devinfo->image = fw_image->image;
-                        devinfo->image_len = fw_image->image_len;
-                        return 0;
-                }
-        }
-        /* fw image not yet loaded. Load it now and add to list */
-        err = request_firmware(&fw, fwname, devinfo->dev);
-        if (!fw) {
-                brcmf_err("fail to request firmware %s\n", fwname);
-                return err;
-        }
-        if (check_file(fw->data) < 0) {
-                brcmf_err("invalid firmware %s\n", fwname);
-                return -EINVAL;
        }
-        fw_image = kzalloc(sizeof(*fw_image), GFP_ATOMIC);
-        if (!fw_image)
-                return -ENOMEM;
-        INIT_LIST_HEAD(&fw_image->list);
-        list_add_tail(&fw_image->list, &fw_image_list);
-        fw_image->fwname = fwname;
-        fw_image->image = vmalloc(fw->size);
-        if (!fw_image->image)
-                return -ENOMEM;
-        memcpy(fw_image->image, fw->data, fw->size);
-        fw_image->image_len = fw->size;
-        release_firmware(fw);
-        devinfo->image = fw_image->image;
-        devinfo->image_len = fw_image->image_len;
-        return 0;
 }
@@ -1186,11 +1075,6 @@ struct brcmf_usbdev *brcmf_usb_attach(struct brcmf_usbdev_info *devinfo,
                goto error;
        devinfo->tx_freecount = ntxq;
-        devinfo->intr_urb = usb_alloc_urb(0, GFP_ATOMIC);
-        if (!devinfo->intr_urb) {
-                brcmf_err("usb_alloc_urb (intr) failed\n");
-                goto error;
-        }
        devinfo->ctl_urb = usb_alloc_urb(0, GFP_ATOMIC);
        if (!devinfo->ctl_urb) {
                brcmf_err("usb_alloc_urb (ctl) failed\n");
@@ -1202,16 +1086,6 @@ struct brcmf_usbdev *brcmf_usb_attach(struct brcmf_usbdev_info *devinfo,
                goto error;
        }
-        if (!brcmf_usb_dlneeded(devinfo))
-                return &devinfo->bus_pub;
-        brcmf_dbg(USB, "Start fw downloading\n");
-        if (brcmf_usb_get_fw(devinfo))
-                goto error;
-        if (brcmf_usb_fw_download(devinfo))
-                goto error;
        return &devinfo->bus_pub;
 error:
@@ -1222,18 +1096,77 @@ error:
 static struct brcmf_bus_ops brcmf_usb_bus_ops = {
        .txdata = brcmf_usb_tx,
-        .init = brcmf_usb_up,
        .stop = brcmf_usb_down,
        .txctl = brcmf_usb_tx_ctlpkt,
        .rxctl = brcmf_usb_rx_ctlpkt,
 };
+static int brcmf_usb_bus_setup(struct brcmf_usbdev_info *devinfo)
+{
+        int ret;
+        /* Attach to the common driver interface */
+        ret = brcmf_attach(devinfo->dev);
+        if (ret) {
+                brcmf_err("brcmf_attach failed\n");
+                return ret;
+        }
+        ret = brcmf_usb_up(devinfo->dev);
+        if (ret)
+                goto fail;
+        ret = brcmf_bus_start(devinfo->dev);
+        if (ret)
+                goto fail;
+        return 0;
+fail:
+        brcmf_detach(devinfo->dev);
+        return ret;
+}
+static void brcmf_usb_probe_phase2(struct device *dev,
+                                   const struct firmware *fw,
+                                   void *nvram, u32 nvlen)
+{
+        struct brcmf_bus *bus = dev_get_drvdata(dev);
+        struct brcmf_usbdev_info *devinfo;
+        int ret;
+        brcmf_dbg(USB, "Start fw downloading\n");
+        ret = check_file(fw->data);
+        if (ret < 0) {
+                brcmf_err("invalid firmware\n");
+                release_firmware(fw);
+                goto error;
+        }
+        devinfo = bus->bus_priv.usb->devinfo;
+        devinfo->image = fw->data;
+        devinfo->image_len = fw->size;
+        ret = brcmf_usb_fw_download(devinfo);
+        release_firmware(fw);
+        if (ret)
+                goto error;
+        ret = brcmf_usb_bus_setup(devinfo);
+        if (ret)
+                goto error;
+        return;
+error:
+        brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+        device_release_driver(dev);
+}
 static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
 {
        struct brcmf_bus *bus = NULL;
        struct brcmf_usbdev *bus_pub = NULL;
-        int ret;
        struct device *dev = devinfo->dev;
+        int ret;
        brcmf_dbg(USB, "Enter\n");
        bus_pub = brcmf_usb_attach(devinfo, BRCMF_USB_NRXQ, BRCMF_USB_NTXQ);
@@ -1256,21 +1189,16 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
        bus->proto_type = BRCMF_PROTO_BCDC;
        bus->always_use_fws_queue = true;
-        /* Attach to the common driver interface */
+        if (!brcmf_usb_dlneeded(devinfo)) {
-        ret = brcmf_attach(dev);
+                ret = brcmf_usb_bus_setup(devinfo);
-        if (ret) {
+                if (ret)
-                brcmf_err("brcmf_attach failed\n");
+                        goto fail;
-                goto fail;
-        }
-        ret = brcmf_bus_start(dev);
-        if (ret) {
-                brcmf_err("dongle is not responding\n");
-                brcmf_detach(dev);
-                goto fail;
        }
+        /* request firmware here */
+        brcmf_fw_get_firmwares(dev, 0, brcmf_usb_get_fwname(devinfo), NULL,
+                               brcmf_usb_probe_phase2);
        return 0;
 fail:
        /* Release resources in reverse order */
        kfree(bus);
@@ -1358,9 +1286,6 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
                goto fail;
        }
-        endpoint_num = endpoint->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
-        devinfo->intr_pipe = usb_rcvintpipe(usb, endpoint_num);
        devinfo->rx_pipe = 0;
        devinfo->rx_pipe2 = 0;
        devinfo->tx_pipe = 0;
@@ -1392,16 +1317,9 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
                }
        }
-        /* Allocate interrupt URB and data buffer */
+        if (usb->speed == USB_SPEED_SUPER)
-        /* RNDIS says 8-byte intr, our old drivers used 4-byte */
+                brcmf_dbg(USB, "Broadcom super speed USB wireless device detected\n");
-        if (IFEPDESC(usb, CONTROL_IF, 0).wMaxPacketSize == cpu_to_le16(16))
+        else if (usb->speed == USB_SPEED_HIGH)
-                devinfo->intr_size = 8;
-        else
-                devinfo->intr_size = 4;
-        devinfo->interval = IFEPDESC(usb, CONTROL_IF, 0).bInterval;
-        if (usb->speed == USB_SPEED_HIGH)
                brcmf_dbg(USB, "Broadcom high speed USB wireless device detected\n");
        else
                brcmf_dbg(USB, "Broadcom full speed USB wireless device detected\n");
@@ -1456,23 +1374,18 @@ static int brcmf_usb_resume(struct usb_interface *intf)
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(&usb->dev);
        brcmf_dbg(USB, "Enter\n");
-        if (!brcmf_attach(devinfo->dev))
+        return brcmf_usb_bus_setup(devinfo);
-                return brcmf_bus_start(&usb->dev);
-        return 0;
 }
 static int brcmf_usb_reset_resume(struct usb_interface *intf)
 {
        struct usb_device *usb = interface_to_usbdev(intf);
        struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(&usb->dev);
        brcmf_dbg(USB, "Enter\n");
-        if (!brcmf_usb_fw_download(devinfo))
+        return brcmf_fw_get_firmwares(&usb->dev, 0,
-                return brcmf_usb_resume(intf);
+                                      brcmf_usb_get_fwname(devinfo), NULL,
+                                      brcmf_usb_probe_phase2);
-        return -EIO;
 }
 #define BRCMF_USB_VENDOR_ID_BROADCOM    0x0a5c
@@ -1507,16 +1420,6 @@ static struct usb_driver brcmf_usbdrvr = {
        .disable_hub_initiated_lpm = 1,
 };
-static void brcmf_release_fw(struct list_head *q)
-{
-        struct brcmf_usb_image *fw_image, *next;
-        list_for_each_entry_safe(fw_image, next, q, list) {
-                vfree(fw_image->image);
-                list_del_init(&fw_image->list);
-        }
-}
 static int brcmf_usb_reset_device(struct device *dev, void *notused)
 {
        /* device past is the usb interface so we
@@ -1535,12 +1438,10 @@ void brcmf_usb_exit(void)
        ret = driver_for_each_device(drv, NULL, NULL,
                                     brcmf_usb_reset_device);
        usb_deregister(&brcmf_usbdrvr);
-        brcmf_release_fw(&fw_image_list);
 }
 void brcmf_usb_register(void)
 {
        brcmf_dbg(USB, "Enter\n");
-        INIT_LIST_HEAD(&fw_image_list);
        usb_register(&brcmf_usbdrvr);
 }
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 92cb29a2003f..d8fa276e368b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -341,8 +341,8 @@ static u8 brcmf_mw_to_qdbm(u16 mw)
        return qdbm;
 }
-u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
+static u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
-                        struct cfg80211_chan_def *ch)
+                               struct cfg80211_chan_def *ch)
 {
        struct brcmu_chan ch_inf;
        s32 primary_offset;
@@ -640,6 +640,9 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
                if (err)
                        brcmf_err("Scan abort  failed\n");
        }
+        brcmf_set_mpc(ifp, 1);
        /*
         * e-scan can be initiated by scheduled scan
         * which takes precedence.
@@ -649,12 +652,10 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
                cfg->sched_escan = false;
                if (!aborted)
                        cfg80211_sched_scan_results(cfg_to_wiphy(cfg));
-                brcmf_set_mpc(ifp, 1);
        } else if (scan_request) {
                brcmf_dbg(SCAN, "ESCAN Completed scan: %s\n",
                          aborted ? "Aborted" : "Done");
                cfg80211_scan_done(scan_request, aborted);
-                brcmf_set_mpc(ifp, 1);
        }
        if (!test_and_clear_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status))
                brcmf_dbg(SCAN, "Scan complete, probably P2P scan\n");
@@ -3178,7 +3179,7 @@ brcmf_cfg80211_sched_scan_start(struct wiphy *wiphy,
        }
        if (!request->n_ssids || !request->n_match_sets) {
-                brcmf_err("Invalid sched scan req!! n_ssids:%d\n",
+                brcmf_dbg(SCAN, "Invalid sched scan req!! n_ssids:%d\n",
                          request->n_ssids);
                return -EINVAL;
        }
diff --git a/drivers/net/wireless/brcm80211/brcmutil/d11.c b/drivers/net/wireless/brcm80211/brcmutil/d11.c
index 6cbc33d0fc19..2b2522bdd8eb 100644
--- a/drivers/net/wireless/brcm80211/brcmutil/d11.c
+++ b/drivers/net/wireless/brcm80211/brcmutil/d11.c
@@ -54,6 +54,7 @@ static void brcmu_d11n_encchspec(struct brcmu_chan *ch)
        if (ch->bw == BRCMU_CHAN_BW_20)
                ch->sb = BRCMU_CHAN_SB_NONE;
+        ch->chspec = 0;
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_CH_MASK,
                        BRCMU_CHSPEC_CH_SHIFT, ch->chnum);
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_D11N_SB_MASK,
@@ -61,7 +62,6 @@ static void brcmu_d11n_encchspec(struct brcmu_chan *ch)
        brcmu_maskset16(&ch->chspec, BRCMU_CHSPEC_D11N_BW_MASK,
                        0, d11n_bw(ch->bw));
-        ch->chspec &= ~BRCMU_CHSPEC_D11N_BND_MASK;
        if (ch->chnum <= CH_MAX_2G_CHANNEL)
                ch->chspec |= BRCMU_CHSPEC_D11N_BND_2G;
        else
diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h
index 42eaeda1dc82..3175dd04834b 100644
--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
@@ -405,7 +405,7 @@ enum P2P_MODES {
 #define HS_CFG_CANCEL                   0xffffffff
 #define HS_CFG_COND_DEF                 0x00000000
 #define HS_CFG_GPIO_DEF                 0xff
-#define HS_CFG_GAP_DEF                  0
+#define HS_CFG_GAP_DEF                  0xff
 #define HS_CFG_COND_BROADCAST_DATA      0x00000001
 #define HS_CFG_COND_UNICAST_DATA        0x00000002
 #define HS_CFG_COND_MAC_EVENT           0x00000004
diff --git a/drivers/net/wireless/mwifiex/main.h b/drivers/net/wireless/mwifiex/main.h
index 3f25feb1508e..1398afa84064 100644
--- a/drivers/net/wireless/mwifiex/main.h
+++ b/drivers/net/wireless/mwifiex/main.h
@@ -1099,7 +1099,7 @@ mwifiex_11h_get_csa_closed_channel(struct mwifiex_private *priv)
                return 0;
        /* Clear csa channel, if DFS channel move time has passed */
-        if (jiffies > priv->csa_expire_time) {
+        if (time_after(jiffies, priv->csa_expire_time)) {
                priv->csa_chan = 0;
                priv->csa_expire_time = 0;
        }
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index d75f4ebd4bdc..45c5b3450cf5 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1738,6 +1738,19 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
        return 0;
 }
+static void mwifiex_complete_scan(struct mwifiex_private *priv)
+{
+        struct mwifiex_adapter *adapter = priv->adapter;
+        if (adapter->curr_cmd->wait_q_enabled) {
+                adapter->cmd_wait_q.status = 0;
+                if (!priv->scan_request) {
+                        dev_dbg(adapter->dev, "complete internal scan\n");
+                        mwifiex_complete_cmd(adapter, adapter->curr_cmd);
+                }
+        }
+}
 static void mwifiex_check_next_scan_command(struct mwifiex_private *priv)
 {
        struct mwifiex_adapter *adapter = priv->adapter;
@@ -1751,16 +1764,9 @@ static void mwifiex_check_next_scan_command(struct mwifiex_private *priv)
                adapter->scan_processing = false;
                spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
-                /* Need to indicate IOCTL complete */
+                if (!adapter->ext_scan)
-                if (adapter->curr_cmd->wait_q_enabled) {
+                        mwifiex_complete_scan(priv);
-                        adapter->cmd_wait_q.status = 0;
-                        if (!priv->scan_request) {
-                                dev_dbg(adapter->dev,
-                                        "complete internal scan\n");
-                                mwifiex_complete_cmd(adapter,
-                                                     adapter->curr_cmd);
-                        }
-                }
                if (priv->report_scan_result)
                        priv->report_scan_result = false;
@@ -1965,6 +1971,9 @@ int mwifiex_cmd_802_11_scan_ext(struct mwifiex_private *priv,
 int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv)
 {
        dev_dbg(priv->adapter->dev, "info: EXT scan returns successfully\n");
+        mwifiex_complete_scan(priv);
        return 0;
 }
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index 6d9738a5dc31..d3671d009f6c 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -163,6 +163,7 @@ void mwifiex_ralist_add(struct mwifiex_private *priv, const u8 *ra)
                if (!mwifiex_queuing_ra_based(priv)) {
                        if (mwifiex_get_tdls_link_status(priv, ra) ==
                            TDLS_SETUP_COMPLETE) {
+                                ra_list->tdls_link = true;
                                ra_list->is_11n_enabled =
                                        mwifiex_tdls_peer_11n_enabled(priv, ra);
                        } else {
diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h
index f2f70784d4ad..d3fbe33d2324 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -63,7 +63,7 @@ static inline int rsi_create_kthread(struct rsi_common *common,
                                     u8 *name)
 {
        init_completion(&thread->completion);
-        thread->task = kthread_run(func_ptr, common, name);
+        thread->task = kthread_run(func_ptr, common, "%s", name);
        if (IS_ERR(thread->task))
                return (int)PTR_ERR(thread->task);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
index c61311084d7e..361435f8608a 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
@@ -395,9 +395,6 @@ static struct usb_driver rtl8192cu_driver = {
        /* .resume = rtl_usb_resume, */
        /* .reset_resume = rtl8192c_resume, */
 #endif /* CONFIG_PM */
-#ifdef CONFIG_AUTOSUSPEND
-        .supports_autosuspend = 1,
-#endif
        .disable_hub_initiated_lpm = 1,
 };
diff --git a/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c b/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
index 48fee1be78c2..5b4a714f3c8c 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723ae/hal_bt_coexist.c
@@ -32,7 +32,6 @@
 #include "dm.h"
 #include "fw.h"
 #include "../rtl8723com/fw_common.h"
-#include "../rtl8723com/fw_common.h"
 #include "phy.h"
 #include "reg.h"
 #include "hal_btc.h"
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/trx.c b/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
index e0a0d8c8fed5..969eaea5eddd 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/trx.c
@@ -33,7 +33,6 @@
 #include "trx.h"
 #include "led.h"
 #include "dm.h"
-#include "phy.h"
 static u8 _rtl8723be_map_hwqueue_to_fwqueue(struct sk_buff *skb, u8 hw_queue)
 {
diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index b7a372af5eb7..4ac4d31f6c59 100644
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -28,7 +28,8 @@
                           NFC_PROTO_MIFARE_MASK   | \
                           NFC_PROTO_FELICA_MASK   | \
                           NFC_PROTO_NFC_DEP_MASK  | \
-                           NFC_PROTO_ISO14443_MASK)
+                           NFC_PROTO_ISO14443_MASK | \
+                           NFC_PROTO_ISO14443_B_MASK)
 #define PORT100_CAPABILITIES (NFC_DIGITAL_DRV_CAPS_IN_CRC | \
                              NFC_DIGITAL_DRV_CAPS_TG_CRC)
@@ -120,6 +121,7 @@ struct port100_in_rf_setting {
 #define PORT100_COMM_TYPE_IN_212F 0x01
 #define PORT100_COMM_TYPE_IN_424F 0x02
 #define PORT100_COMM_TYPE_IN_106A 0x03
+#define PORT100_COMM_TYPE_IN_106B 0x07
 static const struct port100_in_rf_setting in_rf_settings[] = {
        [NFC_DIGITAL_RF_TECH_212F] = {
@@ -140,6 +142,12 @@ static const struct port100_in_rf_setting in_rf_settings[] = {
                .in_recv_set_number = 15,
                .in_recv_comm_type  = PORT100_COMM_TYPE_IN_106A,
        },
+        [NFC_DIGITAL_RF_TECH_106B] = {
+                .in_send_set_number = 3,
+                .in_send_comm_type  = PORT100_COMM_TYPE_IN_106B,
+                .in_recv_set_number = 15,
+                .in_recv_comm_type  = PORT100_COMM_TYPE_IN_106B,
+        },
        /* Ensures the array has NFC_DIGITAL_RF_TECH_LAST elements */
        [NFC_DIGITAL_RF_TECH_LAST] = { 0 },
 };
@@ -340,6 +348,32 @@ in_protocols[][PORT100_IN_MAX_NUM_PROTOCOLS + 1] = {
        [NFC_DIGITAL_FRAMING_NFC_DEP_ACTIVATED] = {
                { PORT100_IN_PROT_END, 0 },
        },
+        [NFC_DIGITAL_FRAMING_NFCB] = {
+                { PORT100_IN_PROT_INITIAL_GUARD_TIME,     20 },
+                { PORT100_IN_PROT_ADD_CRC,                 1 },
+                { PORT100_IN_PROT_CHECK_CRC,               1 },
+                { PORT100_IN_PROT_MULTI_CARD,              0 },
+                { PORT100_IN_PROT_ADD_PARITY,              0 },
+                { PORT100_IN_PROT_CHECK_PARITY,            0 },
+                { PORT100_IN_PROT_BITWISE_AC_RECV_MODE,    0 },
+                { PORT100_IN_PROT_VALID_BIT_NUMBER,        8 },
+                { PORT100_IN_PROT_CRYPTO1,                 0 },
+                { PORT100_IN_PROT_ADD_SOF,                 1 },
+                { PORT100_IN_PROT_CHECK_SOF,               1 },
+                { PORT100_IN_PROT_ADD_EOF,                 1 },
+                { PORT100_IN_PROT_CHECK_EOF,               1 },
+                { PORT100_IN_PROT_DEAF_TIME,               4 },
+                { PORT100_IN_PROT_CRM,                     0 },
+                { PORT100_IN_PROT_CRM_MIN_LEN,             0 },
+                { PORT100_IN_PROT_T1_TAG_FRAME,            0 },
+                { PORT100_IN_PROT_RFCA,                    0 },
+                { PORT100_IN_PROT_GUARD_TIME_AT_INITIATOR, 6 },
+                { PORT100_IN_PROT_END,                     0 },
+        },
+        [NFC_DIGITAL_FRAMING_NFCB_T4T] = {
+                /* nfc_digital_framing_nfcb */
+                { PORT100_IN_PROT_END,                     0 },
+        },
        /* Ensures the array has NFC_DIGITAL_FRAMING_LAST elements */
        [NFC_DIGITAL_FRAMING_LAST] = {
                { PORT100_IN_PROT_END, 0 },
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index efb36593ecb4..3b78b031e617 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -105,7 +105,8 @@
 #define TRF7970A_SUPPORTED_PROTOCOLS \
                (NFC_PROTO_MIFARE_MASK | NFC_PROTO_ISO14443_MASK |      \
-                 NFC_PROTO_ISO14443_B_MASK | NFC_PROTO_ISO15693_MASK)
+                 NFC_PROTO_ISO14443_B_MASK | NFC_PROTO_FELICA_MASK | \
+                 NFC_PROTO_ISO15693_MASK)
 #define TRF7970A_AUTOSUSPEND_DELAY              30000 /* 30 seconds */
@@ -867,6 +868,14 @@ static int trf7970a_config_rf_tech(struct trf7970a *trf, int tech)
                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_14443B_106;
                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
                break;
+        case NFC_DIGITAL_RF_TECH_212F:
+                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_FELICA_212;
+                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
+                break;
+        case NFC_DIGITAL_RF_TECH_424F:
+                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_FELICA_424;
+                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_ASK10;
+                break;
        case NFC_DIGITAL_RF_TECH_ISO15693:
                trf->iso_ctrl_tech = TRF7970A_ISO_CTRL_15693_SGL_1OF4_2648;
                trf->modulator_sys_clk_ctrl = TRF7970A_MODULATOR_DEPTH_OOK;
@@ -898,6 +907,8 @@ static int trf7970a_config_framing(struct trf7970a *trf, int framing)
        case NFC_DIGITAL_FRAMING_NFCA_T4T:
        case NFC_DIGITAL_FRAMING_NFCB:
        case NFC_DIGITAL_FRAMING_NFCB_T4T:
+        case NFC_DIGITAL_FRAMING_NFCF:
+        case NFC_DIGITAL_FRAMING_NFCF_T3T:
        case NFC_DIGITAL_FRAMING_ISO15693_INVENTORY:
        case NFC_DIGITAL_FRAMING_ISO15693_T5T:
                trf->tx_cmd = TRF7970A_CMD_TRANSMIT;
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index f194ccb8539c..6bff13f74050 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1711,6 +1711,7 @@ enum ieee80211_eid {
        WLAN_EID_RRM_ENABLED_CAPABILITIES = 70,
        WLAN_EID_MULTIPLE_BSSID = 71,
        WLAN_EID_BSS_COEX_2040 = 72,
+        WLAN_EID_BSS_INTOLERANT_CHL_REPORT = 73,
        WLAN_EID_OVERLAP_BSS_SCAN_PARAM = 74,
        WLAN_EID_RIC_DESCRIPTOR = 75,
        WLAN_EID_MMIE = 76,
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 4261a67682c0..16587dcd6a91 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -1054,6 +1054,17 @@ struct hci_cp_write_page_scan_activity {
        __le16   window;
 } __packed;
+#define HCI_OP_READ_TX_POWER            0x0c2d
+struct hci_cp_read_tx_power {
+        __le16   handle;
+        __u8     type;
+} __packed;
+struct hci_rp_read_tx_power {
+        __u8     status;
+        __le16   handle;
+        __s8     tx_power;
+} __packed;
 #define HCI_OP_READ_PAGE_SCAN_TYPE      0x0c46
 struct hci_rp_read_page_scan_type {
        __u8     status;
@@ -1064,6 +1075,16 @@ struct hci_rp_read_page_scan_type {
        #define PAGE_SCAN_TYPE_STANDARD         0x00
        #define PAGE_SCAN_TYPE_INTERLACED       0x01
+#define HCI_OP_READ_RSSI                0x1405
+struct hci_cp_read_rssi {
+        __le16   handle;
+} __packed;
+struct hci_rp_read_rssi {
+        __u8     status;
+        __le16   handle;
+        __s8     rssi;
+} __packed;
 #define HCI_OP_READ_LOCAL_AMP_INFO      0x1409
 struct hci_rp_read_local_amp_info {
        __u8     status;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index d73f41855ada..b386bf17e6c2 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -145,6 +145,10 @@ struct oob_data {
 /* Default LE RPA expiry time, 15 minutes */
 #define HCI_DEFAULT_RPA_TIMEOUT         (15 * 60)
+/* Default min/max age of connection information (1s/3s) */
+#define DEFAULT_CONN_INFO_MIN_AGE       1000
+#define DEFAULT_CONN_INFO_MAX_AGE       3000
 struct amp_assoc {
        __u16   len;
        __u16   offset;
@@ -200,6 +204,8 @@ struct hci_dev {
        __u16           le_conn_min_interval;
        __u16           le_conn_max_interval;
        __u16           discov_interleaved_timeout;
+        __u16           conn_info_min_age;
+        __u16           conn_info_max_age;
        __u8            ssp_debug_mode;
        __u16           devid_source;
@@ -374,8 +380,13 @@ struct hci_conn {
        __u16           setting;
        __u16           le_conn_min_interval;
        __u16           le_conn_max_interval;
+        __s8            rssi;
+        __s8            tx_power;
+        __s8            max_tx_power;
        unsigned long   flags;
+        unsigned long   conn_info_timestamp;
        __u8            remote_cap;
        __u8            remote_auth;
        __u8            remote_id;
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index d4b571c2f9fd..bcffc9ae0c89 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -181,6 +181,9 @@ struct mgmt_cp_load_link_keys {
 } __packed;
 #define MGMT_LOAD_LINK_KEYS_SIZE        3
+#define MGMT_LTK_UNAUTHENTICATED        0x00
+#define MGMT_LTK_AUTHENTICATED          0x01
 struct mgmt_ltk_info {
        struct mgmt_addr_info addr;
        __u8    type;
@@ -409,6 +412,18 @@ struct mgmt_cp_load_irks {
 } __packed;
 #define MGMT_LOAD_IRKS_SIZE             2
+#define MGMT_OP_GET_CONN_INFO           0x0031
+struct mgmt_cp_get_conn_info {
+        struct mgmt_addr_info addr;
+} __packed;
+#define MGMT_GET_CONN_INFO_SIZE         MGMT_ADDR_INFO_SIZE
+struct mgmt_rp_get_conn_info {
+        struct mgmt_addr_info addr;
+        __s8    rssi;
+        __s8    tx_power;
+        __s8    max_tx_power;
+} __packed;
 #define MGMT_EV_CMD_COMPLETE            0x0001
 struct mgmt_ev_cmd_complete {
        __le16  opcode;
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 2611cc389d7d..578b83127af1 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -173,7 +173,7 @@ struct rfcomm_dlc {
        struct sk_buff_head   tx_queue;
        struct timer_list     timer;
-        spinlock_t    lock;
+        struct mutex  lock;
        unsigned long state;
        unsigned long flags;
        atomic_t      refcnt;
@@ -244,8 +244,8 @@ int  rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig);
 void rfcomm_dlc_accept(struct rfcomm_dlc *d);
 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel);
-#define rfcomm_dlc_lock(d)     spin_lock(&d->lock)
+#define rfcomm_dlc_lock(d)     mutex_lock(&d->lock)
-#define rfcomm_dlc_unlock(d)   spin_unlock(&d->lock)
+#define rfcomm_dlc_unlock(d)   mutex_unlock(&d->lock)
 static inline void rfcomm_dlc_hold(struct rfcomm_dlc *d)
 {
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 2c78997bc48d..421b6ecb4b2c 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -189,6 +189,43 @@ struct ieee80211_chanctx_conf {
 };
 /**
+ * enum ieee80211_chanctx_switch_mode - channel context switch mode
+ * @CHANCTX_SWMODE_REASSIGN_VIF: Both old and new contexts already
+ *      exist (and will continue to exist), but the virtual interface
+ *      needs to be switched from one to the other.
+ * @CHANCTX_SWMODE_SWAP_CONTEXTS: The old context exists but will stop
+ *      to exist with this call, the new context doesn't exist but
+ *      will be active after this call, the virtual interface switches
+ *      from the old to the new (note that the driver may of course
+ *      implement this as an on-the-fly chandef switch of the existing
+ *      hardware context, but the mac80211 pointer for the old context
+ *      will cease to exist and only the new one will later be used
+ *      for changes/removal.)
+ */
+enum ieee80211_chanctx_switch_mode {
+        CHANCTX_SWMODE_REASSIGN_VIF,
+        CHANCTX_SWMODE_SWAP_CONTEXTS,
+};
+/**
+ * struct ieee80211_vif_chanctx_switch - vif chanctx switch information
+ *
+ * This is structure is used to pass information about a vif that
+ * needs to switch from one chanctx to another.  The
+ * &ieee80211_chanctx_switch_mode defines how the switch should be
+ * done.
+ *
+ * @vif: the vif that should be switched from old_ctx to new_ctx
+ * @old_ctx: the old context to which the vif was assigned
+ * @new_ctx: the new context to which the vif must be assigned
+ */
+struct ieee80211_vif_chanctx_switch {
+        struct ieee80211_vif *vif;
+        struct ieee80211_chanctx_conf *old_ctx;
+        struct ieee80211_chanctx_conf *new_ctx;
+};
+/**
 * enum ieee80211_bss_change - BSS change notification flags
 *
 * These flags are used with the bss_info_changed() callback
@@ -2736,6 +2773,11 @@ enum ieee80211_roc_type {
 *      to vif. Possible use is for hw queue remapping.
 * @unassign_vif_chanctx: Notifies device driver about channel context being
 *      unbound from vif.
+ * @switch_vif_chanctx: switch a number of vifs from one chanctx to
+ *      another, as specified in the list of
+ *      @ieee80211_vif_chanctx_switch passed to the driver, according
+ *      to the mode defined in &ieee80211_chanctx_switch_mode.
+ *
 * @start_ap: Start operation on the AP interface, this is called after all the
 *      information in bss_conf is set and beacon can be retrieved. A channel
 *      context is bound before this is called. Note that if the driver uses
@@ -2952,6 +2994,10 @@ struct ieee80211_ops {
        void (*unassign_vif_chanctx)(struct ieee80211_hw *hw,
                                     struct ieee80211_vif *vif,
                                     struct ieee80211_chanctx_conf *ctx);
+        int (*switch_vif_chanctx)(struct ieee80211_hw *hw,
+                                  struct ieee80211_vif_chanctx_switch *vifs,
+                                  int n_vifs,
+                                  enum ieee80211_chanctx_switch_mode mode);
        void (*restart_complete)(struct ieee80211_hw *hw);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 095943c02d6e..8671bc79a35b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -28,6 +28,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include "smp.h"
 #include "a2mp.h"
@@ -407,6 +408,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        conn->io_capability = hdev->io_capability;
        conn->remote_auth = 0xff;
        conn->key_type = 0xff;
+        conn->tx_power = HCI_TX_POWER_INVALID;
+        conn->max_tx_power = HCI_TX_POWER_INVALID;
        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d31f144860d1..0a43cce9a914 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -34,6 +34,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include "smp.h"
@@ -579,6 +580,62 @@ static int sniff_max_interval_get(void *data, u64 *val)
 DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
                        sniff_max_interval_set, "%llu\n");
+static int conn_info_min_age_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        if (val == 0 || val > hdev->conn_info_max_age)
+                return -EINVAL;
+        hci_dev_lock(hdev);
+        hdev->conn_info_min_age = val;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+static int conn_info_min_age_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock(hdev);
+        *val = hdev->conn_info_min_age;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(conn_info_min_age_fops, conn_info_min_age_get,
+                        conn_info_min_age_set, "%llu\n");
+static int conn_info_max_age_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        if (val == 0 || val < hdev->conn_info_min_age)
+                return -EINVAL;
+        hci_dev_lock(hdev);
+        hdev->conn_info_max_age = val;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+static int conn_info_max_age_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock(hdev);
+        *val = hdev->conn_info_max_age;
+        hci_dev_unlock(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(conn_info_max_age_fops, conn_info_max_age_get,
+                        conn_info_max_age_set, "%llu\n");
 static int identity_show(struct seq_file *f, void *p)
 {
        struct hci_dev *hdev = f->private;
@@ -1754,6 +1811,11 @@ static int __hci_init(struct hci_dev *hdev)
                            &blacklist_fops);
        debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
+        debugfs_create_file("conn_info_min_age", 0644, hdev->debugfs, hdev,
+                            &conn_info_min_age_fops);
+        debugfs_create_file("conn_info_max_age", 0644, hdev->debugfs, hdev,
+                            &conn_info_max_age_fops);
        if (lmp_bredr_capable(hdev)) {
                debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
                                    hdev, &inquiry_cache_fops);
@@ -3789,6 +3851,8 @@ struct hci_dev *hci_alloc_dev(void)
        hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
        hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
+        hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
+        hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
        mutex_init(&hdev->lock);
        mutex_init(&hdev->req_lock);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ca19fd4bbb8f..3454807a40c5 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1245,6 +1245,59 @@ static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
        amp_write_rem_assoc_continue(hdev, rp->phy_handle);
 }
+static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_rp_read_rssi *rp = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+        if (rp->status)
+                return;
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
+        if (conn)
+                conn->rssi = rp->rssi;
+        hci_dev_unlock(hdev);
+}
+static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_cp_read_tx_power *sent;
+        struct hci_rp_read_tx_power *rp = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+        if (rp->status)
+                return;
+        sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
+        if (!sent)
+                return;
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
+        if (!conn)
+                goto unlock;
+        switch (sent->type) {
+        case 0x00:
+                conn->tx_power = rp->tx_power;
+                break;
+        case 0x01:
+                conn->max_tx_power = rp->tx_power;
+                break;
+        }
+unlock:
+        hci_dev_unlock(hdev);
+}
 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
        BT_DBG("%s status 0x%2.2x", hdev->name, status);
@@ -2637,6 +2690,14 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                hci_cc_write_remote_amp_assoc(hdev, skb);
                break;
+        case HCI_OP_READ_RSSI:
+                hci_cc_read_rssi(hdev, skb);
+                break;
+        case HCI_OP_READ_TX_POWER:
+                hci_cc_read_tx_power(hdev, skb);
+                break;
        default:
                BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
                break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 54abbce3a39e..5e9c21a5525f 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -29,12 +29,13 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
 #include <net/bluetooth/mgmt.h>
 #include "smp.h"
 #define MGMT_VERSION    1
-#define MGMT_REVISION   5
+#define MGMT_REVISION   6
 static const u16 mgmt_commands[] = {
        MGMT_OP_READ_INDEX_LIST,
@@ -83,6 +84,7 @@ static const u16 mgmt_commands[] = {
        MGMT_OP_SET_DEBUG_KEYS,
        MGMT_OP_SET_PRIVACY,
        MGMT_OP_LOAD_IRKS,
+        MGMT_OP_GET_CONN_INFO,
 };
 static const u16 mgmt_events[] = {
@@ -4532,7 +4534,7 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
        for (i = 0; i < key_count; i++) {
                struct mgmt_ltk_info *key = &cp->keys[i];
-                u8 type, addr_type;
+                u8 type, addr_type, authenticated;
                if (key->addr.type == BDADDR_LE_PUBLIC)
                        addr_type = ADDR_LE_DEV_PUBLIC;
@@ -4544,8 +4546,13 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
                else
                        type = HCI_SMP_LTK_SLAVE;
+                if (key->type == MGMT_LTK_UNAUTHENTICATED)
+                        authenticated = 0x00;
+                else
+                        authenticated = 0x01;
                hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
-                            key->type, key->val, key->enc_size, key->ediv,
+                            authenticated, key->val, key->enc_size, key->ediv,
                            key->rand);
        }
@@ -4557,6 +4564,218 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
        return err;
 }
+struct cmd_conn_lookup {
+        struct hci_conn *conn;
+        bool valid_tx_power;
+        u8 mgmt_status;
+};
+static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
+{
+        struct cmd_conn_lookup *match = data;
+        struct mgmt_cp_get_conn_info *cp;
+        struct mgmt_rp_get_conn_info rp;
+        struct hci_conn *conn = cmd->user_data;
+        if (conn != match->conn)
+                return;
+        cp = (struct mgmt_cp_get_conn_info *) cmd->param;
+        memset(&rp, 0, sizeof(rp));
+        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
+        rp.addr.type = cp->addr.type;
+        if (!match->mgmt_status) {
+                rp.rssi = conn->rssi;
+                if (match->valid_tx_power) {
+                        rp.tx_power = conn->tx_power;
+                        rp.max_tx_power = conn->max_tx_power;
+                } else {
+                        rp.tx_power = HCI_TX_POWER_INVALID;
+                        rp.max_tx_power = HCI_TX_POWER_INVALID;
+                }
+        }
+        cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
+                     match->mgmt_status, &rp, sizeof(rp));
+        hci_conn_drop(conn);
+        mgmt_pending_remove(cmd);
+}
+static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
+{
+        struct hci_cp_read_rssi *cp;
+        struct hci_conn *conn;
+        struct cmd_conn_lookup match;
+        u16 handle;
+        BT_DBG("status 0x%02x", status);
+        hci_dev_lock(hdev);
+        /* TX power data is valid in case request completed successfully,
+         * otherwise we assume it's not valid. At the moment we assume that
+         * either both or none of current and max values are valid to keep code
+         * simple.
+         */
+        match.valid_tx_power = !status;
+        /* Commands sent in request are either Read RSSI or Read Transmit Power
+         * Level so we check which one was last sent to retrieve connection
+         * handle.  Both commands have handle as first parameter so it's safe to
+         * cast data on the same command struct.
+         *
+         * First command sent is always Read RSSI and we fail only if it fails.
+         * In other case we simply override error to indicate success as we
+         * already remembered if TX power value is actually valid.
+         */
+        cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
+        if (!cp) {
+                cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
+                status = 0;
+        }
+        if (!cp) {
+                BT_ERR("invalid sent_cmd in response");
+                goto unlock;
+        }
+        handle = __le16_to_cpu(cp->handle);
+        conn = hci_conn_hash_lookup_handle(hdev, handle);
+        if (!conn) {
+                BT_ERR("unknown handle (%d) in response", handle);
+                goto unlock;
+        }
+        match.conn = conn;
+        match.mgmt_status = mgmt_status(status);
+        /* Cache refresh is complete, now reply for mgmt request for given
+         * connection only.
+         */
+        mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
+                             get_conn_info_complete, &match);
+unlock:
+        hci_dev_unlock(hdev);
+}
+static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
+                         u16 len)
+{
+        struct mgmt_cp_get_conn_info *cp = data;
+        struct mgmt_rp_get_conn_info rp;
+        struct hci_conn *conn;
+        unsigned long conn_info_age;
+        int err = 0;
+        BT_DBG("%s", hdev->name);
+        memset(&rp, 0, sizeof(rp));
+        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
+        rp.addr.type = cp->addr.type;
+        if (!bdaddr_type_is_valid(cp->addr.type))
+                return cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                    MGMT_STATUS_INVALID_PARAMS,
+                                    &rp, sizeof(rp));
+        hci_dev_lock(hdev);
+        if (!hdev_is_powered(hdev)) {
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
+                goto unlock;
+        }
+        if (cp->addr.type == BDADDR_BREDR)
+                conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
+                                               &cp->addr.bdaddr);
+        else
+                conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
+        if (!conn || conn->state != BT_CONNECTED) {
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
+                goto unlock;
+        }
+        /* To avoid client trying to guess when to poll again for information we
+         * calculate conn info age as random value between min/max set in hdev.
+         */
+        conn_info_age = hdev->conn_info_min_age +
+                        prandom_u32_max(hdev->conn_info_max_age -
+                                        hdev->conn_info_min_age);
+        /* Query controller to refresh cached values if they are too old or were
+         * never read.
+         */
+        if (time_after(jiffies, conn->conn_info_timestamp +
+                       msecs_to_jiffies(conn_info_age)) ||
+            !conn->conn_info_timestamp) {
+                struct hci_request req;
+                struct hci_cp_read_tx_power req_txp_cp;
+                struct hci_cp_read_rssi req_rssi_cp;
+                struct pending_cmd *cmd;
+                hci_req_init(&req, hdev);
+                req_rssi_cp.handle = cpu_to_le16(conn->handle);
+                hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
+                            &req_rssi_cp);
+                /* For LE links TX power does not change thus we don't need to
+                 * query for it once value is known.
+                 */
+                if (!bdaddr_type_is_le(cp->addr.type) ||
+                    conn->tx_power == HCI_TX_POWER_INVALID) {
+                        req_txp_cp.handle = cpu_to_le16(conn->handle);
+                        req_txp_cp.type = 0x00;
+                        hci_req_add(&req, HCI_OP_READ_TX_POWER,
+                                    sizeof(req_txp_cp), &req_txp_cp);
+                }
+                /* Max TX power needs to be read only once per connection */
+                if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
+                        req_txp_cp.handle = cpu_to_le16(conn->handle);
+                        req_txp_cp.type = 0x01;
+                        hci_req_add(&req, HCI_OP_READ_TX_POWER,
+                                    sizeof(req_txp_cp), &req_txp_cp);
+                }
+                err = hci_req_run(&req, conn_info_refresh_complete);
+                if (err < 0)
+                        goto unlock;
+                cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
+                                       data, len);
+                if (!cmd) {
+                        err = -ENOMEM;
+                        goto unlock;
+                }
+                hci_conn_hold(conn);
+                cmd->user_data = conn;
+                conn->conn_info_timestamp = jiffies;
+        } else {
+                /* Cache is valid, just reply with values cached in hci_conn */
+                rp.rssi = conn->rssi;
+                rp.tx_power = conn->tx_power;
+                rp.max_tx_power = conn->max_tx_power;
+                err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
+                                   MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
+        }
+unlock:
+        hci_dev_unlock(hdev);
+        return err;
+}
 static const struct mgmt_handler {
        int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
                     u16 data_len);
@@ -4612,6 +4831,7 @@ static const struct mgmt_handler {
        { set_debug_keys,         false, MGMT_SETTING_SIZE },
        { set_privacy,            false, MGMT_SET_PRIVACY_SIZE },
        { load_irks,              true,  MGMT_LOAD_IRKS_SIZE },
+        { get_conn_info,          false, MGMT_GET_CONN_INFO_SIZE },
 };
@@ -5007,6 +5227,14 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
        mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
 }
+static u8 mgmt_ltk_type(struct smp_ltk *ltk)
+{
+        if (ltk->authenticated)
+                return MGMT_LTK_AUTHENTICATED;
+        return MGMT_LTK_UNAUTHENTICATED;
+}
 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
 {
        struct mgmt_ev_new_long_term_key ev;
@@ -5032,7 +5260,7 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
        bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
        ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
-        ev.key.type = key->authenticated;
+        ev.key.type = mgmt_ltk_type(key);
        ev.key.enc_size = key->enc_size;
        ev.key.ediv = key->ediv;
        ev.key.rand = key->rand;
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index cf620260affa..754b6fe4f742 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -307,7 +307,7 @@ struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
        setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
        skb_queue_head_init(&d->tx_queue);
-        spin_lock_init(&d->lock);
+        mutex_init(&d->lock);
        atomic_set(&d->refcnt, 1);
        rfcomm_dlc_clear_state(d);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 403ec09f480a..8e385a0ae60e 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -70,7 +70,7 @@ struct rfcomm_dev {
 };
 static LIST_HEAD(rfcomm_dev_list);
-static DEFINE_SPINLOCK(rfcomm_dev_lock);
+static DEFINE_MUTEX(rfcomm_dev_lock);
 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
@@ -96,9 +96,9 @@ static void rfcomm_dev_destruct(struct tty_port *port)
        if (dev->tty_dev)
                tty_unregister_device(rfcomm_tty_driver, dev->id);
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        list_del(&dev->list);
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        kfree(dev);
@@ -161,14 +161,14 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
 {
        struct rfcomm_dev *dev;
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        dev = __rfcomm_dev_lookup(id);
        if (dev && !tty_port_get(&dev->port))
                dev = NULL;
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        return dev;
 }
@@ -224,7 +224,7 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
        if (!dev)
                return ERR_PTR(-ENOMEM);
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        if (req->dev_id < 0) {
                dev->id = 0;
@@ -305,11 +305,11 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
           holds reference to this module. */
        __module_get(THIS_MODULE);
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        return dev;
 out:
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        kfree(dev);
        return ERR_PTR(err);
 }
@@ -524,7 +524,7 @@ static int rfcomm_get_dev_list(void __user *arg)
        di = dl->dev_info;
-        spin_lock(&rfcomm_dev_lock);
+        mutex_lock(&rfcomm_dev_lock);
        list_for_each_entry(dev, &rfcomm_dev_list, list) {
                if (!tty_port_get(&dev->port))
@@ -540,7 +540,7 @@ static int rfcomm_get_dev_list(void __user *arg)
                        break;
        }
-        spin_unlock(&rfcomm_dev_lock);
+        mutex_unlock(&rfcomm_dev_lock);
        dl->dev_num = n;
        size = sizeof(*dl) + n * sizeof(*di);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dfb4e1161c10..4f9662d0fd81 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -35,6 +35,33 @@
 #define AUTH_REQ_MASK   0x07
+#define SMP_FLAG_TK_VALID       1
+#define SMP_FLAG_CFM_PENDING    2
+#define SMP_FLAG_MITM_AUTH      3
+#define SMP_FLAG_COMPLETE       4
+#define SMP_FLAG_INITIATOR      5
+struct smp_chan {
+        struct l2cap_conn *conn;
+        u8              preq[7]; /* SMP Pairing Request */
+        u8              prsp[7]; /* SMP Pairing Response */
+        u8              prnd[16]; /* SMP Pairing Random (local) */
+        u8              rrnd[16]; /* SMP Pairing Random (remote) */
+        u8              pcnf[16]; /* SMP Pairing Confirm */
+        u8              tk[16]; /* SMP Temporary Key */
+        u8              enc_key_size;
+        u8              remote_key_dist;
+        bdaddr_t        id_addr;
+        u8              id_addr_type;
+        u8              irk[16];
+        struct smp_csrk *csrk;
+        struct smp_csrk *slave_csrk;
+        struct smp_ltk  *ltk;
+        struct smp_ltk  *slave_ltk;
+        struct smp_irk  *remote_irk;
+        unsigned long   flags;
+};
 static inline void swap128(const u8 src[16], u8 dst[16])
 {
        int i;
@@ -369,7 +396,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
        /* Initialize key for JUST WORKS */
        memset(smp->tk, 0, sizeof(smp->tk));
-        clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+        clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
        BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
@@ -388,19 +415,18 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                method = JUST_WORKS;
        /* Don't confirm locally initiated pairing attempts */
-        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
+        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
-                                           &smp->smp_flags))
                method = JUST_WORKS;
        /* If Just Works, Continue with Zero TK */
        if (method == JUST_WORKS) {
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
                return 0;
        }
        /* Not Just Works/Confirm results in MITM Authentication */
        if (method != JUST_CFM)
-                set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
+                set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
        /* If both devices have Keyoard-Display I/O, the master
         * Confirms and the slave Enters the passkey.
@@ -419,7 +445,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                passkey %= 1000000;
                put_unaligned_le32(passkey, smp->tk);
                BT_DBG("PassKey: %d", passkey);
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
        }
        hci_dev_lock(hcon->hdev);
@@ -441,15 +467,13 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
        return ret;
 }
-static void confirm_work(struct work_struct *work)
+static u8 smp_confirm(struct smp_chan *smp)
 {
-        struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
        struct l2cap_conn *conn = smp->conn;
        struct hci_dev *hdev = conn->hcon->hdev;
        struct crypto_blkcipher *tfm = hdev->tfm_aes;
        struct smp_cmd_pairing_confirm cp;
        int ret;
-        u8 reason;
        BT_DBG("conn %p", conn);
@@ -463,35 +487,27 @@ static void confirm_work(struct work_struct *work)
        hci_dev_unlock(hdev);
-        if (ret) {
+        if (ret)
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
-        clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+        clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
-        return;
+        return 0;
-error:
-        smp_failure(conn, reason);
 }
-static void random_work(struct work_struct *work)
+static u8 smp_random(struct smp_chan *smp)
 {
-        struct smp_chan *smp = container_of(work, struct smp_chan, random);
        struct l2cap_conn *conn = smp->conn;
        struct hci_conn *hcon = conn->hcon;
        struct hci_dev *hdev = hcon->hdev;
        struct crypto_blkcipher *tfm = hdev->tfm_aes;
-        u8 reason, confirm[16];
+        u8 confirm[16];
        int ret;
-        if (IS_ERR_OR_NULL(tfm)) {
+        if (IS_ERR_OR_NULL(tfm))
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
@@ -504,15 +520,12 @@ static void random_work(struct work_struct *work)
        hci_dev_unlock(hdev);
-        if (ret) {
+        if (ret)
-                reason = SMP_UNSPECIFIED;
+                return SMP_UNSPECIFIED;
-                goto error;
-        }
        if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
                BT_ERR("Pairing failed (confirmation values mismatch)");
-                reason = SMP_CONFIRM_FAILED;
+                return SMP_CONFIRM_FAILED;
-                goto error;
        }
        if (hcon->out) {
@@ -525,10 +538,8 @@ static void random_work(struct work_struct *work)
                memset(stk + smp->enc_key_size, 0,
                       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
-                if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) {
+                if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
-                        reason = SMP_UNSPECIFIED;
+                        return SMP_UNSPECIFIED;
-                        goto error;
-                }
                hci_le_start_enc(hcon, ediv, rand, stk);
                hcon->enc_key_size = smp->enc_key_size;
@@ -550,10 +561,7 @@ static void random_work(struct work_struct *work)
                            ediv, rand);
        }
-        return;
+        return 0;
-error:
-        smp_failure(conn, reason);
 }
 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
@@ -564,9 +572,6 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
        if (!smp)
                return NULL;
-        INIT_WORK(&smp->confirm, confirm_work);
-        INIT_WORK(&smp->random, random_work);
        smp->conn = conn;
        conn->smp_chan = smp;
        conn->hcon->smp_conn = conn;
@@ -583,7 +588,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
        BUG_ON(!smp);
-        complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
+        complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
        mgmt_smp_complete(conn->hcon, complete);
        kfree(smp->csrk);
@@ -634,7 +639,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
                put_unaligned_le32(value, smp->tk);
                /* Fall Through */
        case MGMT_OP_USER_CONFIRM_REPLY:
-                set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
+                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
                break;
        case MGMT_OP_USER_PASSKEY_NEG_REPLY:
        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
@@ -646,8 +651,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
        }
        /* If it is our turn to send Pairing Confirm, do so now */
-        if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags))
+        if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
-                queue_work(hcon->hdev->workqueue, &smp->confirm);
+                u8 rsp = smp_confirm(smp);
+                if (rsp)
+                        smp_failure(conn, rsp);
+        }
        return 0;
 }
@@ -656,14 +664,13 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_cmd_pairing rsp, *req = (void *) skb->data;
        struct smp_chan *smp;
-        u8 key_size;
+        u8 key_size, auth;
-        u8 auth = SMP_AUTH_NONE;
        int ret;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*req))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (conn->hcon->link_mode & HCI_LM_MASTER)
                return SMP_CMD_NOTSUPP;
@@ -681,8 +688,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        skb_pull(skb, sizeof(*req));
        /* We didn't start the pairing, so match remote */
-        if (req->auth_req & SMP_AUTH_BONDING)
+        auth = req->auth_req;
-                auth = req->auth_req;
        conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
@@ -704,7 +710,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (ret)
                return SMP_UNSPECIFIED;
-        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
        return 0;
 }
@@ -713,14 +719,13 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        u8 key_size, auth = SMP_AUTH_NONE;
        int ret;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rsp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                return SMP_CMD_NOTSUPP;
@@ -753,11 +758,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
        if (ret)
                return SMP_UNSPECIFIED;
-        set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+        set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        /* Can't compose response until we have been confirmed */
-        if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
+        if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
-                queue_work(hdev->workqueue, &smp->confirm);
+                return smp_confirm(smp);
        return 0;
 }
@@ -765,12 +770,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
        if (skb->len < sizeof(smp->pcnf))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
        skb_pull(skb, sizeof(smp->pcnf));
@@ -778,10 +782,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
        if (conn->hcon->out)
                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
                             smp->prnd);
-        else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
+        else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
-                queue_work(hdev->workqueue, &smp->confirm);
+                return smp_confirm(smp);
        else
-                set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
+                set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
        return 0;
 }
@@ -789,19 +793,16 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_chan *smp = conn->smp_chan;
-        struct hci_dev *hdev = conn->hcon->hdev;
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(smp->rrnd))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
        skb_pull(skb, sizeof(smp->rrnd));
-        queue_work(hdev->workqueue, &smp->random);
+        return smp_random(smp);
-        return 0;
 }
 static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -836,7 +837,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                return SMP_CMD_NOTSUPP;
@@ -861,7 +862,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
-        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
        return 0;
 }
@@ -928,7 +929,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
                smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
        }
-        set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+        set_bit(SMP_FLAG_INITIATOR, &smp->flags);
 done:
        hcon->pending_sec_level = sec_level;
@@ -944,7 +945,7 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -969,7 +970,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -1001,7 +1002,7 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("");
        if (skb->len < sizeof(*info))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1025,7 +1026,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
        BT_DBG("");
        if (skb->len < sizeof(*info))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1075,7 +1076,7 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
        BT_DBG("conn %p", conn);
        if (skb->len < sizeof(*rp))
-                return SMP_UNSPECIFIED;
+                return SMP_INVALID_PARAMS;
        /* Ignore this PDU if it wasn't requested */
        if (!(smp->remote_key_dist & SMP_DIST_SIGN))
@@ -1358,7 +1359,7 @@ int smp_distribute_keys(struct l2cap_conn *conn)
        clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
        cancel_delayed_work_sync(&conn->security_timer);
-        set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
+        set_bit(SMP_FLAG_COMPLETE, &smp->flags);
        smp_notify_keys(conn);
        smp_chan_destroy(conn);
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 1277147a9150..5a8dc36460a1 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -111,39 +111,11 @@ struct smp_cmd_security_req {
 #define SMP_CMD_NOTSUPP                 0x07
 #define SMP_UNSPECIFIED                 0x08
 #define SMP_REPEATED_ATTEMPTS           0x09
+#define SMP_INVALID_PARAMS              0x0a
 #define SMP_MIN_ENC_KEY_SIZE            7
 #define SMP_MAX_ENC_KEY_SIZE            16
-#define SMP_FLAG_TK_VALID       1
-#define SMP_FLAG_CFM_PENDING    2
-#define SMP_FLAG_MITM_AUTH      3
-#define SMP_FLAG_COMPLETE       4
-#define SMP_FLAG_INITIATOR      5
-struct smp_chan {
-        struct l2cap_conn *conn;
-        u8              preq[7]; /* SMP Pairing Request */
-        u8              prsp[7]; /* SMP Pairing Response */
-        u8              prnd[16]; /* SMP Pairing Random (local) */
-        u8              rrnd[16]; /* SMP Pairing Random (remote) */
-        u8              pcnf[16]; /* SMP Pairing Confirm */
-        u8              tk[16]; /* SMP Temporary Key */
-        u8              enc_key_size;
-        u8              remote_key_dist;
-        bdaddr_t        id_addr;
-        u8              id_addr_type;
-        u8              irk[16];
-        struct smp_csrk *csrk;
-        struct smp_csrk *slave_csrk;
-        struct smp_ltk  *ltk;
-        struct smp_ltk  *slave_ltk;
-        struct smp_irk  *remote_irk;
-        unsigned long   smp_flags;
-        struct work_struct confirm;
-        struct work_struct random;
-};
 /* SMP Commands */
 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 40a648938985..e205ebabfa50 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -34,8 +34,7 @@ static ssize_t ieee80211_if_read(
        ssize_t ret = -EINVAL;
        read_lock(&dev_base_lock);
-        if (sdata->dev->reg_state == NETREG_REGISTERED)
+        ret = (*format)(sdata, buf, sizeof(buf));
-                ret = (*format)(sdata, buf, sizeof(buf));
        read_unlock(&dev_base_lock);
        if (ret >= 0)
@@ -62,8 +61,7 @@ static ssize_t ieee80211_if_write(
        ret = -ENODEV;
        rtnl_lock();
-        if (sdata->dev->reg_state == NETREG_REGISTERED)
+        ret = (*write)(sdata, buf, count);
-                ret = (*write)(sdata, buf, count);
        rtnl_unlock();
        return ret;
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 696ef78b1fb7..bd782dcffcc7 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -1048,6 +1048,59 @@ static inline void drv_unassign_vif_chanctx(struct ieee80211_local *local,
        trace_drv_return_void(local);
 }
+static inline int
+drv_switch_vif_chanctx(struct ieee80211_local *local,
+                       struct ieee80211_vif_chanctx_switch *vifs,
+                       int n_vifs,
+                       enum ieee80211_chanctx_switch_mode mode)
+{
+        int ret = 0;
+        int i;
+        if (!local->ops->switch_vif_chanctx)
+                return -EOPNOTSUPP;
+        for (i = 0; i < n_vifs; i++) {
+                struct ieee80211_chanctx *new_ctx =
+                        container_of(vifs[i].new_ctx,
+                                     struct ieee80211_chanctx,
+                                     conf);
+                struct ieee80211_chanctx *old_ctx =
+                        container_of(vifs[i].old_ctx,
+                                     struct ieee80211_chanctx,
+                                     conf);
+                WARN_ON_ONCE(!old_ctx->driver_present);
+                WARN_ON_ONCE((mode == CHANCTX_SWMODE_SWAP_CONTEXTS &&
+                              new_ctx->driver_present) ||
+                             (mode == CHANCTX_SWMODE_REASSIGN_VIF &&
+                              !new_ctx->driver_present));
+        }
+        trace_drv_switch_vif_chanctx(local, vifs, n_vifs, mode);
+        ret = local->ops->switch_vif_chanctx(&local->hw,
+                                             vifs, n_vifs, mode);
+        trace_drv_return_int(local, ret);
+        if (!ret && mode == CHANCTX_SWMODE_SWAP_CONTEXTS) {
+                for (i = 0; i < n_vifs; i++) {
+                        struct ieee80211_chanctx *new_ctx =
+                                container_of(vifs[i].new_ctx,
+                                             struct ieee80211_chanctx,
+                                             conf);
+                        struct ieee80211_chanctx *old_ctx =
+                                container_of(vifs[i].old_ctx,
+                                             struct ieee80211_chanctx,
+                                             conf);
+                        new_ctx->driver_present = true;
+                        old_ctx->driver_present = false;
+                }
+        }
+        return ret;
+}
 static inline int drv_start_ap(struct ieee80211_local *local,
                               struct ieee80211_sub_if_data *sdata)
 {
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 1bbac94da58d..18ee0a256b1e 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1677,6 +1677,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
        sdata->u.ibss.control_port = params->control_port;
        sdata->u.ibss.userspace_handles_dfs = params->userspace_handles_dfs;
        sdata->u.ibss.basic_rates = params->basic_rates;
+        sdata->u.ibss.last_scan_completed = jiffies;
        /* fix basic_rates if channel does not support these rates */
        rate_flags = ieee80211_chandef_rate_flags(&params->chandef);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 79fc98815da8..81a8e2a0b6aa 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -399,6 +399,7 @@ int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
        sdata->vif.type = NL80211_IFTYPE_MONITOR;
        snprintf(sdata->name, IFNAMSIZ, "%s-monitor",
                 wiphy_name(local->hw.wiphy));
+        sdata->wdev.iftype = NL80211_IFTYPE_MONITOR;
        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
@@ -1285,6 +1286,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
        sdata->control_port_protocol = cpu_to_be16(ETH_P_PAE);
        sdata->control_port_no_encrypt = false;
        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
+        sdata->vif.bss_conf.idle = true;
        sdata->noack_map = 0;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 632d372bb511..a9b46d8ea22f 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -240,6 +240,7 @@ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
        sta_dbg(sta->sdata, "Destroyed STA %pM\n", sta->sta.addr);
+        kfree(rcu_dereference_raw(sta->sta.rates));
        kfree(sta);
 }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 60cb7a665976..ba29ebc86141 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -541,6 +541,23 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
 */
 #define STA_LOST_PKT_THRESHOLD  50
+static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb)
+{
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        /* This packet was aggregated but doesn't carry status info */
+        if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
+            !(info->flags & IEEE80211_TX_STAT_AMPDU))
+                return;
+        if (++sta->lost_packets < STA_LOST_PKT_THRESHOLD)
+                return;
+        cfg80211_cqm_pktloss_notify(sta->sdata->dev, sta->sta.addr,
+                                    sta->lost_packets, GFP_ATOMIC);
+        sta->lost_packets = 0;
+}
 void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
 {
        struct sk_buff *skb2;
@@ -680,12 +697,8 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                        if (info->flags & IEEE80211_TX_STAT_ACK) {
                                if (sta->lost_packets)
                                        sta->lost_packets = 0;
-                        } else if (++sta->lost_packets >= STA_LOST_PKT_THRESHOLD) {
+                        } else {
-                                cfg80211_cqm_pktloss_notify(sta->sdata->dev,
+                                ieee80211_lost_packet(sta, skb);
-                                                            sta->sta.addr,
-                                                            sta->lost_packets,
-                                                            GFP_ATOMIC);
-                                sta->lost_packets = 0;
                        }
                }
diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 762e4cd16386..cfe1a0688b5c 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -1389,6 +1389,91 @@ TRACE_EVENT(drv_change_chanctx,
        )
 );
+#if !defined(__TRACE_VIF_ENTRY)
+#define __TRACE_VIF_ENTRY
+struct trace_vif_entry {
+        enum nl80211_iftype vif_type;
+        bool p2p;
+        char vif_name[IFNAMSIZ];
+} __packed;
+struct trace_chandef_entry {
+        u32 control_freq;
+        u32 chan_width;
+        u32 center_freq1;
+        u32 center_freq2;
+} __packed;
+struct trace_switch_entry {
+        struct trace_vif_entry vif;
+        struct trace_chandef_entry old_chandef;
+        struct trace_chandef_entry new_chandef;
+} __packed;
+#define SWITCH_ENTRY_ASSIGN(to, from) local_vifs[i].to = vifs[i].from
+#endif
+TRACE_EVENT(drv_switch_vif_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_vif_chanctx_switch *vifs,
+                 int n_vifs, enum ieee80211_chanctx_switch_mode mode),
+            TP_ARGS(local, vifs, n_vifs, mode),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(int, n_vifs)
+                __field(u32, mode)
+                __dynamic_array(u8, vifs,
+                                sizeof(struct trace_switch_entry) * n_vifs)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->n_vifs = n_vifs;
+                __entry->mode = mode;
+                {
+                        struct trace_switch_entry *local_vifs =
+                                __get_dynamic_array(vifs);
+                        int i;
+                        for (i = 0; i < n_vifs; i++) {
+                                struct ieee80211_sub_if_data *sdata;
+                                sdata = container_of(vifs[i].vif,
+                                                struct ieee80211_sub_if_data,
+                                                vif);
+                                SWITCH_ENTRY_ASSIGN(vif.vif_type, vif->type);
+                                SWITCH_ENTRY_ASSIGN(vif.p2p, vif->p2p);
+                                strncpy(local_vifs[i].vif.vif_name,
+                                        sdata->name,
+                                        sizeof(local_vifs[i].vif.vif_name));
+                                SWITCH_ENTRY_ASSIGN(old_chandef.control_freq,
+                                                old_ctx->def.chan->center_freq);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.chan_width,
+                                                    old_ctx->def.width);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.center_freq1,
+                                                    old_ctx->def.center_freq1);
+                                SWITCH_ENTRY_ASSIGN(old_chandef.center_freq2,
+                                                    old_ctx->def.center_freq2);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.control_freq,
+                                                new_ctx->def.chan->center_freq);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.chan_width,
+                                                    new_ctx->def.width);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.center_freq1,
+                                                    new_ctx->def.center_freq1);
+                                SWITCH_ENTRY_ASSIGN(new_chandef.center_freq2,
+                                                    new_ctx->def.center_freq2);
+                        }
+                }
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " n_vifs:%d mode:%d",
+                LOCAL_PR_ARG, __entry->n_vifs, __entry->mode
+        )
+);
 DECLARE_EVENT_CLASS(local_sdata_chanctx,
        TP_PROTO(struct ieee80211_local *local,
                 struct ieee80211_sub_if_data *sdata,
diff --git a/net/nfc/digital_core.c b/net/nfc/digital_core.c
index b105cfb00e76..a6ce3c627e4e 100644
--- a/net/nfc/digital_core.c
+++ b/net/nfc/digital_core.c
@@ -386,6 +386,8 @@ int digital_target_found(struct nfc_digital_dev *ddev,
 void digital_poll_next_tech(struct nfc_digital_dev *ddev)
 {
+        u8 rand_mod;
        digital_switch_rf(ddev, 0);
        mutex_lock(&ddev->poll_lock);
@@ -395,8 +397,8 @@ void digital_poll_next_tech(struct nfc_digital_dev *ddev)
                return;
        }
-        ddev->poll_tech_index = (ddev->poll_tech_index + 1) %
+        get_random_bytes(&rand_mod, sizeof(rand_mod));
-                                ddev->poll_tech_count;
+        ddev->poll_tech_index = rand_mod % ddev->poll_tech_count;
        mutex_unlock(&ddev->poll_lock);
diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
index d4ed25ff723f..171cb9949ab5 100644
--- a/net/nfc/digital_dep.c
+++ b/net/nfc/digital_dep.c
@@ -224,9 +224,8 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        ddev->skb_add_crc(skb);
-        digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res, target);
+        return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
+                                   target);
-        return 0;
 }
 static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index 12a233e9ece5..c2c1c0189b7c 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -613,7 +613,7 @@ exit:
                digital_poll_next_tech(ddev);
 }
-int digital_in_send_attrib_req(struct nfc_digital_dev *ddev,
+static int digital_in_send_attrib_req(struct nfc_digital_dev *ddev,
                               struct nfc_target *target,
                               struct digital_sensb_res *sensb_res)
 {
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 8627c75063e2..55eefee311eb 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -31,14 +31,14 @@ static struct nfc_sock_list raw_sk_list = {
        .lock = __RW_LOCK_UNLOCKED(raw_sk_list.lock)
 };
-void nfc_sock_link(struct nfc_sock_list *l, struct sock *sk)
+static void nfc_sock_link(struct nfc_sock_list *l, struct sock *sk)
 {
        write_lock(&l->lock);
        sk_add_node(sk, &l->head);
        write_unlock(&l->lock);
 }
-void nfc_sock_unlink(struct nfc_sock_list *l, struct sock *sk)
+static void nfc_sock_unlink(struct nfc_sock_list *l, struct sock *sk)
 {
        write_lock(&l->lock);
        sk_del_node_init(sk);
diff --git a/net/wireless/core.c b/net/wireless/core.c
index d03d8bdb29ca..a1c40654dd9b 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -130,7 +130,7 @@ int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
                            newname))
                pr_err("failed to rename debugfs dir to %s!\n", newname);
-        nl80211_notify_dev_rename(rdev);
+        nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
        return 0;
 }
@@ -660,6 +660,8 @@ int wiphy_register(struct wiphy *wiphy)
                return res;
        }
+        nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
        return 0;
 }
 EXPORT_SYMBOL(wiphy_register);
@@ -698,6 +700,7 @@ void wiphy_unregister(struct wiphy *wiphy)
                rfkill_unregister(rdev->rfkill);
        rtnl_lock();
+        nl80211_notify_wiphy(rdev, NL80211_CMD_DEL_WIPHY);
        rdev->wiphy.registered = false;
        WARN_ON(!list_empty(&rdev->wdev_list));
diff --git a/net/wireless/genregdb.awk b/net/wireless/genregdb.awk
index b35da8dc85de..40c37fc5b67c 100644
--- a/net/wireless/genregdb.awk
+++ b/net/wireless/genregdb.awk
@@ -68,17 +68,7 @@ function parse_reg_rule()
        sub(/,/, "", units)
        dfs_cac = $9
        if (units == "mW") {
-                if (power == 100) {
+                power = 10 * log(power)/log(10)
-                        power = 20
-                } else if (power == 200) {
-                        power = 23
-                } else if (power == 500) {
-                        power = 27
-                } else if (power == 1000) {
-                        power = 30
-                } else {
-                        print "Unknown power value in database!"
-                }
        } else {
                dfs_cac = $8
        }
@@ -117,7 +107,7 @@ function parse_reg_rule()
        }
        flags = flags "0"
-        printf "\t\tREG_RULE_EXT(%d, %d, %d, %d, %d, %d, %s),\n", start, end, bw, gain, power, dfs_cac, flags
+        printf "\t\tREG_RULE_EXT(%d, %d, %d, %d, %.0f, %d, %s),\n", start, end, bw, gain, power, dfs_cac, flags
        rules++
 }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 62bdb1adaa4d..ba4f1723c83a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1226,6 +1226,7 @@ struct nl80211_dump_wiphy_state {
 };
 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
+                              enum nl80211_commands cmd,
                              struct sk_buff *msg, u32 portid, u32 seq,
                              int flags, struct nl80211_dump_wiphy_state *state)
 {
@@ -1240,7 +1241,7 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                                rdev->wiphy.mgmt_stypes;
        u32 features;
-        hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
+        hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
        if (!hdr)
                return -ENOBUFS;
@@ -1254,6 +1255,9 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                        cfg80211_rdev_list_generation))
                goto nla_put_failure;
+        if (cmd != NL80211_CMD_NEW_WIPHY)
+                goto finish;
        switch (state->split_start) {
        case 0:
                if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
@@ -1682,6 +1686,7 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                state->split_start = 0;
                break;
        }
+ finish:
        return genlmsg_end(msg, hdr);
 nla_put_failure:
@@ -1756,7 +1761,8 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                        continue;
                /* attempt to fit multiple wiphy data chunks into the skb */
                do {
-                        ret = nl80211_send_wiphy(rdev, skb,
+                        ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
+                                                 skb,
                                                 NETLINK_CB(cb->skb).portid,
                                                 cb->nlh->nlmsg_seq,
                                                 NLM_F_MULTI, state);
@@ -1811,7 +1817,8 @@ static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
        if (!msg)
                return -ENOMEM;
-        if (nl80211_send_wiphy(rdev, msg, info->snd_portid, info->snd_seq, 0,
+        if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
+                               info->snd_portid, info->snd_seq, 0,
                               &state) < 0) {
                nlmsg_free(msg);
                return -ENOBUFS;
@@ -10101,16 +10108,20 @@ static const struct genl_ops nl80211_ops[] = {
 /* notification functions */
-void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev)
+void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
+                          enum nl80211_commands cmd)
 {
        struct sk_buff *msg;
        struct nl80211_dump_wiphy_state state = {};
+        WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
+                cmd != NL80211_CMD_DEL_WIPHY);
        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
        if (!msg)
                return;
-        if (nl80211_send_wiphy(rdev, msg, 0, 0, 0, &state) < 0) {
+        if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
                nlmsg_free(msg);
                return;
        }
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index 1e6df9630f42..49c9a482dd12 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -5,7 +5,8 @@
 int nl80211_init(void);
 void nl80211_exit(void);
-void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
+void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
+                          enum nl80211_commands cmd);
 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
                             struct wireless_dev *wdev);
 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
author	David S. Miller <davem@davemloft.net>	2014-06-02 14:17:35 -0400
committer	David S. Miller <davem@davemloft.net>	2014-06-02 14:17:35 -0400
commit	31595de219e8a1a2ed7aeccbe4f18e44f2d2db00 (patch)
tree	7fde4fc831867b18e384953a18f50919ccc9245f
parent	73f156a6e8c1074ac6327e0abd1169e95eb66463 (diff)
parent	fcb2c0d6cf75750e2912b09a3d0a782c90e2b1a0 (diff)