Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless

35 files changed, 303 insertions, 151 deletions

diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index f98380648cb3..f50dffc0374f 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -90,7 +90,6 @@ static const struct usb_device_id ath3k_table[] = {
         { USB_DEVICE(0x0b05, 0x17d0) },
         { USB_DEVICE(0x0CF3, 0x0036) },
         { USB_DEVICE(0x0CF3, 0x3004) },
-        { USB_DEVICE(0x0CF3, 0x3005) },
         { USB_DEVICE(0x0CF3, 0x3008) },
         { USB_DEVICE(0x0CF3, 0x311D) },
         { USB_DEVICE(0x0CF3, 0x311E) },
@@ -140,7 +139,6 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
         { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-        { USB_DEVICE(0x0cf3, 0x3005), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 },
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c80b0c7663..6250fc2fb93a 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -162,7 +162,6 @@ static const struct usb_device_id blacklist_table[] = {
         { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-        { USB_DEVICE(0x0cf3, 0x3005), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index 04680ead9275..fede8ca7147c 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -406,6 +406,7 @@ static int h5_rx_3wire_hdr(struct hci_uart *hu, unsigned char c)
             H5_HDR_PKT_TYPE(hdr) != HCI_3WIRE_LINK_PKT) {
                 BT_ERR("Non-link packet received in non-active state");
                 h5_reset_rx(h5);
+                return 0;
         }
 
         h5->rx_func = h5_rx_payload;
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index 82017f56e661..e6c56c5bb0f6 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -795,7 +795,11 @@ int ath10k_core_start(struct ath10k *ar)
         if (status)
                 goto err_htc_stop;
 
-        ar->free_vdev_map = (1 << TARGET_NUM_VDEVS) - 1;
+        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features))
+                ar->free_vdev_map = (1 << TARGET_10X_NUM_VDEVS) - 1;
+        else
+                ar->free_vdev_map = (1 << TARGET_NUM_VDEVS) - 1;
+
         INIT_LIST_HEAD(&ar->arvifs);
 
         if (!test_bit(ATH10K_FLAG_FIRST_BOOT_DONE, &ar->dev_flags))
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 6c102b1312ff..eebc860c3655 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -312,7 +312,6 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
         int msdu_len, msdu_chaining = 0;
         struct sk_buff *msdu;
         struct htt_rx_desc *rx_desc;
-        bool corrupted = false;
 
         lockdep_assert_held(&htt->rx_ring.lock);
 
@@ -439,9 +438,6 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                 last_msdu = __le32_to_cpu(rx_desc->msdu_end.info0) &
                                 RX_MSDU_END_INFO0_LAST_MSDU;
 
-                if (msdu_chaining && !last_msdu)
-                        corrupted = true;
-
                 if (last_msdu) {
                         msdu->next = NULL;
                         break;
@@ -457,20 +453,6 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                 msdu_chaining = -1;
 
         /*
-         * Apparently FW sometimes reports weird chained MSDU sequences with
-         * more than one rx descriptor. This seems like a bug but needs more
-         * analyzing. For the time being fix it by dropping such sequences to
-         * avoid blowing up the host system.
-         */
-        if (corrupted) {
-                ath10k_warn("failed to pop chained msdus, dropping\n");
-                ath10k_htt_rx_free_msdu_chain(*head_msdu);
-                *head_msdu = NULL;
-                *tail_msdu = NULL;
-                msdu_chaining = -EINVAL;
-        }
-
-        /*
          * Don't refill the ring yet.
          *
          * First, the elements popped here are still in use - it is not
diff --git a/drivers/net/wireless/b43/Kconfig b/drivers/net/wireless/b43/Kconfig
index 037a4e304d14..d4c6ae3a9210 100644
--- a/drivers/net/wireless/b43/Kconfig
+++ b/drivers/net/wireless/b43/Kconfig
@@ -36,7 +36,7 @@ config B43_SSB
 choice
         prompt "Supported bus types"
         depends on B43
-        default B43_BCMA_AND_SSB
+        default B43_BUSES_BCMA_AND_SSB
 
 config B43_BUSES_BCMA_AND_SSB
         bool "BCMA and SSB"
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index b2bc593a6513..15aaeb132a32 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -5250,6 +5250,7 @@ static int b43_wireless_core_attach(struct b43_wldev *dev)
         /* We don't support 5 GHz on some PHYs yet */
         switch (dev->phy.type) {
         case B43_PHYTYPE_A:
+        case B43_PHYTYPE_G:
         case B43_PHYTYPE_N:
         case B43_PHYTYPE_LP:
         case B43_PHYTYPE_HT:
diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c
index 4f38f19b8e3d..6e6ef3fc2247 100644
--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -811,9 +811,13 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
                 break;
         case B43_PHYTYPE_G:
                 status.band = IEEE80211_BAND_2GHZ;
-                /* chanid is the radio channel cookie value as used
-                 * to tune the radio. */
-                status.freq = chanid + 2400;
+                /* Somewhere between 478.104 and 508.1084 firmware for G-PHY
+                 * has been modified to be compatible with N-PHY and others.
+                 */
+                if (dev->fw.rev >= 508)
+                        status.freq = ieee80211_channel_to_frequency(chanid, status.band);
+                else
+                        status.freq = chanid + 2400;
                 break;
         case B43_PHYTYPE_N:
         case B43_PHYTYPE_LP:
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
index 839bcda9465a..b732a99e402c 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -1183,8 +1183,6 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
         bus->bus_priv.usb = bus_pub;
         dev_set_drvdata(dev, bus);
         bus->ops = &brcmf_usb_bus_ops;
-        bus->chip = bus_pub->devid;
-        bus->chiprev = bus_pub->chiprev;
         bus->proto_type = BRCMF_PROTO_BCDC;
         bus->always_use_fws_queue = true;
 
@@ -1193,6 +1191,9 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
                 if (ret)
                         goto fail;
         }
+        bus->chip = bus_pub->devid;
+        bus->chiprev = bus_pub->chiprev;
+
         /* request firmware here */
         brcmf_fw_get_firmwares(dev, 0, brcmf_usb_get_fwname(devinfo), NULL,
                                brcmf_usb_probe_phase2);
diff --git a/drivers/net/wireless/mwifiex/11n_aggr.c b/drivers/net/wireless/mwifiex/11n_aggr.c
index b4c14b0fd3cb..8720a3d3c755 100644
--- a/drivers/net/wireless/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/mwifiex/11n_aggr.c
@@ -185,6 +185,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
         skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
         tx_info_aggr =  MWIFIEX_SKB_TXCB(skb_aggr);
 
+        memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));
         tx_info_aggr->bss_type = tx_info_src->bss_type;
         tx_info_aggr->bss_num = tx_info_src->bss_num;
 
diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index 15fa7b453372..6af135fa99f7 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -188,6 +188,7 @@ mwifiex_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
         }
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
         tx_info->pkt_len = pkt_len;
diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c
index df42f066d70c..5899eee87fb1 100644
--- a/drivers/net/wireless/mwifiex/cmdevt.c
+++ b/drivers/net/wireless/mwifiex/cmdevt.c
@@ -462,6 +462,7 @@ int mwifiex_process_event(struct mwifiex_adapter *adapter)
 
         if (skb) {
                 rx_info = MWIFIEX_SKB_RXCB(skb);
+                memset(rx_info, 0, sizeof(*rx_info));
                 rx_info->bss_num = priv->bss_num;
                 rx_info->bss_type = priv->bss_type;
         }
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c
index 657504c3c79d..3e5194fb0b0f 100644
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -644,6 +644,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         }
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
         tx_info->pkt_len = skb->len;
diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
index 3c224a793b82..5f7afffdd34e 100644
--- a/drivers/net/wireless/mwifiex/pcie.c
+++ b/drivers/net/wireless/mwifiex/pcie.c
@@ -57,7 +57,7 @@ mwifiex_map_pci_memory(struct mwifiex_adapter *adapter, struct sk_buff *skb,
                 return -1;
         }
         mapping.len = size;
-        memcpy(skb->cb, &mapping, sizeof(mapping));
+        mwifiex_store_mapping(skb, &mapping);
         return 0;
 }
 
@@ -67,7 +67,7 @@ static void mwifiex_unmap_pci_memory(struct mwifiex_adapter *adapter,
         struct pcie_service_card *card = adapter->card;
         struct mwifiex_dma_mapping mapping;
 
-        MWIFIEX_SKB_PACB(skb, &mapping);
+        mwifiex_get_mapping(skb, &mapping);
         pci_unmap_single(card->dev, mapping.addr, mapping.len, flags);
 }
 
diff --git a/drivers/net/wireless/mwifiex/sta_tx.c b/drivers/net/wireless/mwifiex/sta_tx.c
index cf330ba951cd..dab7b33c54be 100644
--- a/drivers/net/wireless/mwifiex/sta_tx.c
+++ b/drivers/net/wireless/mwifiex/sta_tx.c
@@ -150,6 +150,7 @@ int mwifiex_send_null_packet(struct mwifiex_private *priv, u8 flags)
                 return -1;
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
         tx_info->pkt_len = data_len - (sizeof(struct txpd) + INTF_HEADER_LEN);
diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
index 3efbcbe7e891..a414161c6064 100644
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -604,6 +604,7 @@ int mwifiex_send_tdls_data_frame(struct mwifiex_private *priv, const u8 *peer,
         }
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
 
@@ -757,6 +758,7 @@ int mwifiex_send_tdls_action_frame(struct mwifiex_private *priv, const u8 *peer,
         skb->priority = MWIFIEX_PRIO_VI;
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
         tx_info->flags |= MWIFIEX_BUF_FLAG_TDLS_PKT;
diff --git a/drivers/net/wireless/mwifiex/txrx.c b/drivers/net/wireless/mwifiex/txrx.c
index 08205683f877..96a2126cc44b 100644
--- a/drivers/net/wireless/mwifiex/txrx.c
+++ b/drivers/net/wireless/mwifiex/txrx.c
@@ -55,6 +55,7 @@ int mwifiex_handle_rx_packet(struct mwifiex_adapter *adapter,
                 return -1;
         }
 
+        memset(rx_info, 0, sizeof(*rx_info));
         rx_info->bss_num = priv->bss_num;
         rx_info->bss_type = priv->bss_type;
 
diff --git a/drivers/net/wireless/mwifiex/uap_txrx.c b/drivers/net/wireless/mwifiex/uap_txrx.c
index ddfc3c6c1e78..ec7309d096ab 100644
--- a/drivers/net/wireless/mwifiex/uap_txrx.c
+++ b/drivers/net/wireless/mwifiex/uap_txrx.c
@@ -174,6 +174,7 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv,
         }
 
         tx_info = MWIFIEX_SKB_TXCB(skb);
+        memset(tx_info, 0, sizeof(*tx_info));
         tx_info->bss_num = priv->bss_num;
         tx_info->bss_type = priv->bss_type;
         tx_info->flags |= MWIFIEX_BUF_FLAG_BRIDGED_PKT;
diff --git a/drivers/net/wireless/mwifiex/util.h b/drivers/net/wireless/mwifiex/util.h
index 9a31215487dd..40296cb4a3f1 100644
--- a/drivers/net/wireless/mwifiex/util.h
+++ b/drivers/net/wireless/mwifiex/util.h
@@ -20,32 +20,55 @@
 #ifndef _MWIFIEX_UTIL_H_
 #define _MWIFIEX_UTIL_H_
 
+struct mwifiex_dma_mapping {
+        dma_addr_t addr;
+        size_t len;
+};
+
+struct mwifiex_cb {
+        struct mwifiex_dma_mapping dma_mapping;
+        union {
+                struct mwifiex_rxinfo rx_info;
+                struct mwifiex_txinfo tx_info;
+        };
+};
+
 static inline struct mwifiex_rxinfo *MWIFIEX_SKB_RXCB(struct sk_buff *skb)
 {
-        return (struct mwifiex_rxinfo *)(skb->cb + sizeof(dma_addr_t));
+        struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
+
+        BUILD_BUG_ON(sizeof(struct mwifiex_cb) > sizeof(skb->cb));
+        return &cb->rx_info;
 }
 
 static inline struct mwifiex_txinfo *MWIFIEX_SKB_TXCB(struct sk_buff *skb)
 {
-        return (struct mwifiex_txinfo *)(skb->cb + sizeof(dma_addr_t));
+        struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
+
+        return &cb->tx_info;
 }
 
-struct mwifiex_dma_mapping {
-        dma_addr_t addr;
-        size_t len;
-};
+static inline void mwifiex_store_mapping(struct sk_buff *skb,
+                                         struct mwifiex_dma_mapping *mapping)
+{
+        struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
+
+        memcpy(&cb->dma_mapping, mapping, sizeof(*mapping));
+}
 
-static inline void MWIFIEX_SKB_PACB(struct sk_buff *skb,
-                                        struct mwifiex_dma_mapping *mapping)
+static inline void mwifiex_get_mapping(struct sk_buff *skb,
+                                       struct mwifiex_dma_mapping *mapping)
 {
-        memcpy(mapping, skb->cb, sizeof(*mapping));
+        struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
+
+        memcpy(mapping, &cb->dma_mapping, sizeof(*mapping));
 }
 
 static inline dma_addr_t MWIFIEX_SKB_DMA_ADDR(struct sk_buff *skb)
 {
         struct mwifiex_dma_mapping mapping;
 
-        MWIFIEX_SKB_PACB(skb, &mapping);
+        mwifiex_get_mapping(skb, &mapping);
 
         return mapping.addr;
 }
diff --git a/drivers/net/wireless/rt2x00/rt2500pci.c b/drivers/net/wireless/rt2x00/rt2500pci.c
index 2f1cd929c6f6..a511cccc9f01 100644
--- a/drivers/net/wireless/rt2x00/rt2500pci.c
+++ b/drivers/net/wireless/rt2x00/rt2500pci.c
@@ -1681,8 +1681,13 @@ static int rt2500pci_init_eeprom(struct rt2x00_dev *rt2x00dev)
         /*
          * Detect if this device has an hardware controlled radio.
          */
-        if (rt2x00_get_field16(eeprom, EEPROM_ANTENNA_HARDWARE_RADIO))
+        if (rt2x00_get_field16(eeprom, EEPROM_ANTENNA_HARDWARE_RADIO)) {
                 __set_bit(CAPABILITY_HW_BUTTON, &rt2x00dev->cap_flags);
+                /*
+                 * On this device RFKILL initialized during probe does not work.
+                 */
+                __set_bit(REQUIRE_DELAYED_RFKILL, &rt2x00dev->cap_flags);
+        }
 
         /*
          * Check if the BBP tuning should be enabled.
diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
index a49c3d73ea2c..832006b5aab1 100644
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -229,6 +229,31 @@ static enum hrtimer_restart rt2800usb_tx_sta_fifo_timeout(struct hrtimer *timer)
 /*
  * Firmware functions
  */
+static int rt2800usb_autorun_detect(struct rt2x00_dev *rt2x00dev)
+{
+        __le32 *reg;
+        u32 fw_mode;
+
+        reg = kmalloc(sizeof(*reg), GFP_KERNEL);
+        if (reg == NULL)
+                return -ENOMEM;
+        /* cannot use rt2x00usb_register_read here as it uses different
+         * mode (MULTI_READ vs. DEVICE_MODE) and does not pass the
+         * magic value USB_MODE_AUTORUN (0x11) to the device, thus the
+         * returned value would be invalid.
+         */
+        rt2x00usb_vendor_request(rt2x00dev, USB_DEVICE_MODE,
+                                 USB_VENDOR_REQUEST_IN, 0, USB_MODE_AUTORUN,
+                                 reg, sizeof(*reg), REGISTER_TIMEOUT_FIRMWARE);
+        fw_mode = le32_to_cpu(*reg);
+        kfree(reg);
+
+        if ((fw_mode & 0x00000003) == 2)
+                return 1;
+
+        return 0;
+}
+
 static char *rt2800usb_get_firmware_name(struct rt2x00_dev *rt2x00dev)
 {
         return FIRMWARE_RT2870;
@@ -240,6 +265,7 @@ static int rt2800usb_write_firmware(struct rt2x00_dev *rt2x00dev,
         int status;
         u32 offset;
         u32 length;
+        int retval;
 
         /*
          * Check which section of the firmware we need.
@@ -257,8 +283,16 @@ static int rt2800usb_write_firmware(struct rt2x00_dev *rt2x00dev,
         /*
          * Write firmware to device.
          */
-        rt2x00usb_register_multiwrite(rt2x00dev, FIRMWARE_IMAGE_BASE,
-                                      data + offset, length);
+        retval = rt2800usb_autorun_detect(rt2x00dev);
+        if (retval < 0)
+                return retval;
+        if (retval) {
+                rt2x00_info(rt2x00dev,
+                            "Firmware loading not required - NIC in AutoRun mode\n");
+        } else {
+                rt2x00usb_register_multiwrite(rt2x00dev, FIRMWARE_IMAGE_BASE,
+                                              data + offset, length);
+        }
 
         rt2x00usb_register_write(rt2x00dev, H2M_MAILBOX_CID, ~0);
         rt2x00usb_register_write(rt2x00dev, H2M_MAILBOX_STATUS, ~0);
@@ -735,11 +769,26 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry,
 /*
  * Device probe functions.
  */
+static int rt2800usb_efuse_detect(struct rt2x00_dev *rt2x00dev)
+{
+        int retval;
+
+        retval = rt2800usb_autorun_detect(rt2x00dev);
+        if (retval < 0)
+                return retval;
+        if (retval)
+                return 1;
+        return rt2800_efuse_detect(rt2x00dev);
+}
+
 static int rt2800usb_read_eeprom(struct rt2x00_dev *rt2x00dev)
 {
         int retval;
 
-        if (rt2800_efuse_detect(rt2x00dev))
+        retval = rt2800usb_efuse_detect(rt2x00dev);
+        if (retval < 0)
+                return retval;
+        if (retval)
                 retval = rt2800_read_eeprom_efuse(rt2x00dev);
         else
                 retval = rt2x00usb_eeprom_read(rt2x00dev, rt2x00dev->eeprom,
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index 010b76505243..d13f25cd70d5 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -693,6 +693,7 @@ enum rt2x00_capability_flags {
         REQUIRE_SW_SEQNO,
         REQUIRE_HT_TX_DESC,
         REQUIRE_PS_AUTOWAKE,
+        REQUIRE_DELAYED_RFKILL,
 
         /*
          * Capabilities
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index c6ae9a495b77..9967a1d9f0ec 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1129,9 +1129,10 @@ static void rt2x00lib_uninitialize(struct rt2x00_dev *rt2x00dev)
                 return;
 
         /*
-         * Unregister extra components.
+         * Stop rfkill polling.
          */
-        rt2x00rfkill_unregister(rt2x00dev);
+        if (test_bit(REQUIRE_DELAYED_RFKILL, &rt2x00dev->cap_flags))
+                rt2x00rfkill_unregister(rt2x00dev);
 
         /*
          * Allow the HW to uninitialize.
@@ -1169,6 +1170,12 @@ static int rt2x00lib_initialize(struct rt2x00_dev *rt2x00dev)
 
         set_bit(DEVICE_STATE_INITIALIZED, &rt2x00dev->flags);
 
+        /*
+         * Start rfkill polling.
+         */
+        if (test_bit(REQUIRE_DELAYED_RFKILL, &rt2x00dev->cap_flags))
+                rt2x00rfkill_register(rt2x00dev);
+
         return 0;
 }
 
@@ -1378,7 +1385,12 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
         rt2x00link_register(rt2x00dev);
         rt2x00leds_register(rt2x00dev);
         rt2x00debug_register(rt2x00dev);
-        rt2x00rfkill_register(rt2x00dev);
+
+        /*
+         * Start rfkill polling.
+         */
+        if (!test_bit(REQUIRE_DELAYED_RFKILL, &rt2x00dev->cap_flags))
+                rt2x00rfkill_register(rt2x00dev);
 
         return 0;
 
@@ -1394,6 +1406,12 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
         clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
 
         /*
+         * Stop rfkill polling.
+         */
+        if (!test_bit(REQUIRE_DELAYED_RFKILL, &rt2x00dev->cap_flags))
+                rt2x00rfkill_unregister(rt2x00dev);
+
+        /*
          * Disable radio.
          */
         rt2x00lib_disable_radio(rt2x00dev);
diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
index e5935ea3719f..ad6e5a8d1e10 100644
--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
@@ -487,6 +487,8 @@ int rt2x00mac_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
         crypto.cipher = rt2x00crypto_key_to_cipher(key);
         if (crypto.cipher == CIPHER_NONE)
                 return -EOPNOTSUPP;
+        if (crypto.cipher == CIPHER_TKIP && rt2x00_is_usb(rt2x00dev))
+                return -EOPNOTSUPP;
 
         crypto.cmd = cmd;
 
diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.h b/drivers/net/wireless/rt2x00/rt2x00usb.h
index e7bcf62347d5..831b65f93feb 100644
--- a/drivers/net/wireless/rt2x00/rt2x00usb.h
+++ b/drivers/net/wireless/rt2x00/rt2x00usb.h
@@ -93,6 +93,7 @@ enum rt2x00usb_mode_offset {
         USB_MODE_SLEEP = 7,     /* RT73USB */
         USB_MODE_FIRMWARE = 8,  /* RT73USB */
         USB_MODE_WAKEUP = 9,    /* RT73USB */
+        USB_MODE_AUTORUN = 17, /* RT2800USB */
 };
 
 /**
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 8671bc79a35b..a7a27bc2c0b1 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -289,10 +289,20 @@ static void hci_conn_timeout(struct work_struct *work)
 {
         struct hci_conn *conn = container_of(work, struct hci_conn,
                                              disc_work.work);
+        int refcnt = atomic_read(&conn->refcnt);
 
         BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 
-        if (atomic_read(&conn->refcnt))
+        WARN_ON(refcnt < 0);
+
+        /* FIXME: It was observed that in pairing failed scenario, refcnt
+         * drops below 0. Probably this is because l2cap_conn_del calls
+         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
+         * dropped. After that loop hci_chan_del is called which also drops
+         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
+         * otherwise drop it.
+         */
+        if (refcnt > 0)
                 return;
 
         switch (conn->state) {
@@ -610,11 +620,6 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
         if (hci_update_random_address(req, false, &own_addr_type))
                 return;
 
-        /* Save the address type used for this connnection attempt so we able
-         * to retrieve this information if we need it.
-         */
-        conn->src_type = own_addr_type;
-
         cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
         cp.scan_window = cpu_to_le16(hdev->le_scan_window);
         bacpy(&cp.peer_addr, &conn->dst);
@@ -894,7 +899,7 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
                 /* If we're already encrypted set the REAUTH_PEND flag,
                  * otherwise set the ENCRYPT_PEND.
                  */
-                if (conn->key_type != 0xff)
+                if (conn->link_mode & HCI_LM_ENCRYPT)
                         set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
                 else
                         set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 21e5913d12e0..640c54ec1bd2 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -48,6 +48,10 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
         wake_up_bit(&hdev->flags, HCI_INQUIRY);
 
+        hci_dev_lock(hdev);
+        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+        hci_dev_unlock(hdev);
+
         hci_conn_check_pending(hdev);
 }
 
@@ -3537,7 +3541,11 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
                         cp.authentication = conn->auth_type;
 
                         /* Request MITM protection if our IO caps allow it
-                         * except for the no-bonding case
+                         * except for the no-bonding case.
+                         * conn->auth_type is not updated here since
+                         * that might cause the user confirmation to be
+                         * rejected in case the remote doesn't have the
+                         * IO capabilities for MITM.
                          */
                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
                             cp.authentication != HCI_AT_NO_BONDING)
@@ -3628,8 +3636,11 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
 
                 /* If we're not the initiators request authorization to
                  * proceed from user space (mgmt_user_confirm with
-                 * confirm_hint set to 1). */
-                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
+                 * confirm_hint set to 1). The exception is if neither
+                 * side had MITM in which case we do auto-accept.
+                 */
+                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
+                    (loc_mitm || rem_mitm)) {
                         BT_DBG("Confirming auto-accept as acceptor");
                         confirm_hint = 1;
                         goto confirm;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 6eabbe05fe54..323f23cd2c37 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1663,7 +1663,13 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
         kfree_skb(conn->rx_skb);
 
         skb_queue_purge(&conn->pending_rx);
-        flush_work(&conn->pending_rx_work);
+
+        /* We can not call flush_work(&conn->pending_rx_work) here since we
+         * might block if we are running on a worker from the same workqueue
+         * pending_rx_work is waiting on.
+         */
+        if (work_pending(&conn->pending_rx_work))
+                cancel_work_sync(&conn->pending_rx_work);
 
         l2cap_unregister_all_users(conn);
 
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ade3fb4c23bc..e1378693cc90 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -787,11 +787,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
 
                 /*change security for LE channels */
                 if (chan->scid == L2CAP_CID_ATT) {
-                        if (!conn->hcon->out) {
-                                err = -EINVAL;
-                                break;
-                        }
-
                         if (smp_conn_security(conn->hcon, sec.level))
                                 break;
                         sk->sk_state = BT_CONFIG;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 0fce54412ffd..af8e0a6243b7 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1047,6 +1047,43 @@ static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
         }
 }
 
+static void hci_stop_discovery(struct hci_request *req)
+{
+        struct hci_dev *hdev = req->hdev;
+        struct hci_cp_remote_name_req_cancel cp;
+        struct inquiry_entry *e;
+
+        switch (hdev->discovery.state) {
+        case DISCOVERY_FINDING:
+                if (test_bit(HCI_INQUIRY, &hdev->flags)) {
+                        hci_req_add(req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
+                } else {
+                        cancel_delayed_work(&hdev->le_scan_disable);
+                        hci_req_add_le_scan_disable(req);
+                }
+
+                break;
+
+        case DISCOVERY_RESOLVING:
+                e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
+                                                     NAME_PENDING);
+                if (!e)
+                        return;
+
+                bacpy(&cp.bdaddr, &e->data.bdaddr);
+                hci_req_add(req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
+                            &cp);
+
+                break;
+
+        default:
+                /* Passive scanning */
+                if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
+                        hci_req_add_le_scan_disable(req);
+                break;
+        }
+}
+
 static int clean_up_hci_state(struct hci_dev *hdev)
 {
         struct hci_request req;
@@ -1063,9 +1100,7 @@ static int clean_up_hci_state(struct hci_dev *hdev)
         if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
                 disable_advertising(&req);
 
-        if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
-                hci_req_add_le_scan_disable(&req);
-        }
+        hci_stop_discovery(&req);
 
         list_for_each_entry(conn, &hdev->conn_hash.list, list) {
                 struct hci_cp_disconnect dc;
@@ -2996,8 +3031,13 @@ static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
         }
 
         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
-                /* Continue with pairing via SMP */
+                /* Continue with pairing via SMP. The hdev lock must be
+                 * released as SMP may try to recquire it for crypto
+                 * purposes.
+                 */
+                hci_dev_unlock(hdev);
                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
+                hci_dev_lock(hdev);
 
                 if (!err)
                         err = cmd_complete(sk, hdev->id, mgmt_op,
@@ -3574,8 +3614,6 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
 {
         struct mgmt_cp_stop_discovery *mgmt_cp = data;
         struct pending_cmd *cmd;
-        struct hci_cp_remote_name_req_cancel cp;
-        struct inquiry_entry *e;
         struct hci_request req;
         int err;
 
@@ -3605,52 +3643,22 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
 
         hci_req_init(&req, hdev);
 
-        switch (hdev->discovery.state) {
-        case DISCOVERY_FINDING:
-                if (test_bit(HCI_INQUIRY, &hdev->flags)) {
-                        hci_req_add(&req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
-                } else {
-                        cancel_delayed_work(&hdev->le_scan_disable);
-
-                        hci_req_add_le_scan_disable(&req);
-                }
-
-                break;
+        hci_stop_discovery(&req);
 
-        case DISCOVERY_RESOLVING:
-                e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
-                                                     NAME_PENDING);
-                if (!e) {
-                        mgmt_pending_remove(cmd);
-                        err = cmd_complete(sk, hdev->id,
-                                           MGMT_OP_STOP_DISCOVERY, 0,
-                                           &mgmt_cp->type,
-                                           sizeof(mgmt_cp->type));
-                        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
-                        goto unlock;
-                }
-
-                bacpy(&cp.bdaddr, &e->data.bdaddr);
-                hci_req_add(&req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
-                            &cp);
-
-                break;
-
-        default:
-                BT_DBG("unknown discovery state %u", hdev->discovery.state);
-
-                mgmt_pending_remove(cmd);
-                err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
-                                   MGMT_STATUS_FAILED, &mgmt_cp->type,
-                                   sizeof(mgmt_cp->type));
+        err = hci_req_run(&req, stop_discovery_complete);
+        if (!err) {
+                hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
                 goto unlock;
         }
 
-        err = hci_req_run(&req, stop_discovery_complete);
-        if (err < 0)
-                mgmt_pending_remove(cmd);
-        else
-                hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
+        mgmt_pending_remove(cmd);
+
+        /* If no HCI commands were sent we're done */
+        if (err == -ENODATA) {
+                err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY, 0,
+                                   &mgmt_cp->type, sizeof(mgmt_cp->type));
+                hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+        }
 
 unlock:
         hci_dev_unlock(hdev);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 3d1cc164557d..e33a982161c1 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -385,6 +385,16 @@ static const u8 gen_method[5][5] = {
         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 };
 
+static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
+{
+        /* If either side has unknown io_caps, use JUST WORKS */
+        if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
+            remote_io > SMP_IO_KEYBOARD_DISPLAY)
+                return JUST_WORKS;
+
+        return gen_method[remote_io][local_io];
+}
+
 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                                                 u8 local_io, u8 remote_io)
 {
@@ -401,14 +411,11 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
         BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 
         /* If neither side wants MITM, use JUST WORKS */
-        /* If either side has unknown io_caps, use JUST WORKS */
         /* Otherwise, look up method from the table */
-        if (!(auth & SMP_AUTH_MITM) ||
-            local_io > SMP_IO_KEYBOARD_DISPLAY ||
-            remote_io > SMP_IO_KEYBOARD_DISPLAY)
+        if (!(auth & SMP_AUTH_MITM))
                 method = JUST_WORKS;
         else
-                method = gen_method[remote_io][local_io];
+                method = get_auth_method(smp, local_io, remote_io);
 
         /* If not bonding, don't ask user to confirm a Zero TK */
         if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
@@ -544,7 +551,7 @@ static u8 smp_random(struct smp_chan *smp)
                 hci_le_start_enc(hcon, ediv, rand, stk);
                 hcon->enc_key_size = smp->enc_key_size;
         } else {
-                u8 stk[16];
+                u8 stk[16], auth;
                 __le64 rand = 0;
                 __le16 ediv = 0;
 
@@ -556,8 +563,13 @@ static u8 smp_random(struct smp_chan *smp)
                 memset(stk + smp->enc_key_size, 0,
                        SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
 
+                if (hcon->pending_sec_level == BT_SECURITY_HIGH)
+                        auth = 1;
+                else
+                        auth = 0;
+
                 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
-                            HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
+                            HCI_SMP_STK_SLAVE, auth, stk, smp->enc_key_size,
                             ediv, rand);
         }
 
@@ -664,7 +676,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 {
         struct smp_cmd_pairing rsp, *req = (void *) skb->data;
         struct smp_chan *smp;
-        u8 key_size, auth;
+        u8 key_size, auth, sec_level;
         int ret;
 
         BT_DBG("conn %p", conn);
@@ -690,7 +702,19 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
         /* We didn't start the pairing, so match remote */
         auth = req->auth_req;
 
-        conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
+        sec_level = authreq_to_seclevel(auth);
+        if (sec_level > conn->hcon->pending_sec_level)
+                conn->hcon->pending_sec_level = sec_level;
+
+        /* If we need MITM check that it can be acheived */
+        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+                u8 method;
+
+                method = get_auth_method(smp, conn->hcon->io_capability,
+                                         req->io_capability);
+                if (method == JUST_WORKS || method == JUST_CFM)
+                        return SMP_AUTH_REQUIREMENTS;
+        }
 
         build_pairing_cmd(conn, req, &rsp, auth);
 
@@ -738,6 +762,16 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
         if (check_enc_key_size(conn, key_size))
                 return SMP_ENC_KEY_SIZE;
 
+        /* If we need MITM check that it can be acheived */
+        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+                u8 method;
+
+                method = get_auth_method(smp, req->io_capability,
+                                         rsp->io_capability);
+                if (method == JUST_WORKS || method == JUST_CFM)
+                        return SMP_AUTH_REQUIREMENTS;
+        }
+
         get_random_bytes(smp->prnd, sizeof(smp->prnd));
 
         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
@@ -833,6 +867,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
         struct smp_cmd_pairing cp;
         struct hci_conn *hcon = conn->hcon;
         struct smp_chan *smp;
+        u8 sec_level;
 
         BT_DBG("conn %p", conn);
 
@@ -842,7 +877,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
         if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                 return SMP_CMD_NOTSUPP;
 
-        hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
+        sec_level = authreq_to_seclevel(rp->auth_req);
+        if (sec_level > hcon->pending_sec_level)
+                hcon->pending_sec_level = sec_level;
 
         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
                 return 0;
@@ -896,9 +933,12 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
         if (smp_sufficient_security(hcon, sec_level))
                 return 1;
 
+        if (sec_level > hcon->pending_sec_level)
+                hcon->pending_sec_level = sec_level;
+
         if (hcon->link_mode & HCI_LM_MASTER)
-                if (smp_ltk_encrypt(conn, sec_level))
-                        goto done;
+                if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
+                        return 0;
 
         if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
                 return 0;
@@ -913,7 +953,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
          * requires it.
          */
         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
-            sec_level > BT_SECURITY_MEDIUM)
+            hcon->pending_sec_level > BT_SECURITY_MEDIUM)
                 authreq |= SMP_AUTH_MITM;
 
         if (hcon->link_mode & HCI_LM_MASTER) {
@@ -932,9 +972,6 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 
         set_bit(SMP_FLAG_INITIATOR, &smp->flags);
 
-done:
-        hcon->pending_sec_level = sec_level;
-
         return 0;
 }
 
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index ea79668c2e5f..df1bb7e16cfe 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1150,11 +1150,12 @@ void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
         int err;
 
         /* 24 + 6 = header + auth_algo + auth_transaction + status_code */
-        skb = dev_alloc_skb(local->hw.extra_tx_headroom + 24 + 6 + extra_len);
+        skb = dev_alloc_skb(local->hw.extra_tx_headroom + IEEE80211_WEP_IV_LEN +
+                            24 + 6 + extra_len + IEEE80211_WEP_ICV_LEN);
         if (!skb)
                 return;
 
-        skb_reserve(skb, local->hw.extra_tx_headroom);
+        skb_reserve(skb, local->hw.extra_tx_headroom + IEEE80211_WEP_IV_LEN);
 
         mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24 + 6);
         memset(mgmt, 0, 24 + 6);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index e9afbf10e756..7e3a3cef7df9 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -424,7 +424,7 @@ static inline unsigned int elapsed_jiffies_msecs(unsigned long start)
         if (end >= start)
                 return jiffies_to_msecs(end - start);
 
-        return jiffies_to_msecs(end + (MAX_JIFFY_OFFSET - start) + 1);
+        return jiffies_to_msecs(end + (ULONG_MAX - start) + 1);
 }
 
 void
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c10295138eb5..082f5c62b8cf 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1498,18 +1498,17 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                 }
                 CMD(start_p2p_device, START_P2P_DEVICE);
                 CMD(set_mcast_rate, SET_MCAST_RATE);
+#ifdef CONFIG_NL80211_TESTMODE
+                CMD(testmode_cmd, TESTMODE);
+#endif
                 if (state->split) {
                         CMD(crit_proto_start, CRIT_PROTOCOL_START);
                         CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
                         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
                                 CMD(channel_switch, CHANNEL_SWITCH);
+                        CMD(set_qos_map, SET_QOS_MAP);
                 }
-                CMD(set_qos_map, SET_QOS_MAP);
-
-#ifdef CONFIG_NL80211_TESTMODE
-                CMD(testmode_cmd, TESTMODE);
-#endif
-
+                /* add into the if now */
 #undef CMD
 
                 if (rdev->ops->connect || rdev->ops->auth) {
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 558b0e3a02d8..1afdf45db38f 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -935,7 +935,7 @@ freq_reg_info_regd(struct wiphy *wiphy, u32 center_freq,
                 if (!band_rule_found)
                         band_rule_found = freq_in_rule_band(fr, center_freq);
 
-                bw_fits = reg_does_bw_fit(fr, center_freq, MHZ_TO_KHZ(5));
+                bw_fits = reg_does_bw_fit(fr, center_freq, MHZ_TO_KHZ(20));
 
                 if (band_rule_found && bw_fits)
                         return rr;
@@ -1019,10 +1019,10 @@ static void chan_reg_rule_print_dbg(const struct ieee80211_regdomain *regd,
 }
 #endif
 
-/* Find an ieee80211_reg_rule such that a 5MHz channel with frequency
- * chan->center_freq fits there.
- * If there is no such reg_rule, disable the channel, otherwise set the
- * flags corresponding to the bandwidths allowed in the particular reg_rule
+/*
+ * Note that right now we assume the desired channel bandwidth
+ * is always 20 MHz for each individual channel (HT40 uses 20 MHz
+ * per channel, the primary and the extension channel).
  */
 static void handle_channel(struct wiphy *wiphy,
                            enum nl80211_reg_initiator initiator,
@@ -1083,12 +1083,8 @@ static void handle_channel(struct wiphy *wiphy,
         if (reg_rule->flags & NL80211_RRF_AUTO_BW)
                 max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
 
-        if (max_bandwidth_khz < MHZ_TO_KHZ(10))
-                bw_flags = IEEE80211_CHAN_NO_10MHZ;
-        if (max_bandwidth_khz < MHZ_TO_KHZ(20))
-                bw_flags |= IEEE80211_CHAN_NO_20MHZ;
         if (max_bandwidth_khz < MHZ_TO_KHZ(40))
-                bw_flags |= IEEE80211_CHAN_NO_HT40;
+                bw_flags = IEEE80211_CHAN_NO_HT40;
         if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                 bw_flags |= IEEE80211_CHAN_NO_80MHZ;
         if (max_bandwidth_khz < MHZ_TO_KHZ(160))
@@ -1522,12 +1518,8 @@ static void handle_channel_custom(struct wiphy *wiphy,
         if (reg_rule->flags & NL80211_RRF_AUTO_BW)
                 max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
 
-        if (max_bandwidth_khz < MHZ_TO_KHZ(10))
-                bw_flags = IEEE80211_CHAN_NO_10MHZ;
-        if (max_bandwidth_khz < MHZ_TO_KHZ(20))
-                bw_flags |= IEEE80211_CHAN_NO_20MHZ;
         if (max_bandwidth_khz < MHZ_TO_KHZ(40))
-                bw_flags |= IEEE80211_CHAN_NO_HT40;
+                bw_flags = IEEE80211_CHAN_NO_HT40;
         if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                 bw_flags |= IEEE80211_CHAN_NO_80MHZ;
         if (max_bandwidth_khz < MHZ_TO_KHZ(160))