Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem

Conflicts:
	include/net/bluetooth/bluetooth.h

16 files changed, 887 insertions, 188 deletions

diff --git a/include/asm-generic/socket.h b/include/asm-generic/socket.h
index 9a6115e7cf63..49c1704173e7 100644
--- a/include/asm-generic/socket.h
+++ b/include/asm-generic/socket.h
@@ -64,4 +64,7 @@
 #define SO_DOMAIN               39
 
 #define SO_RXQ_OVFL             40
+
+#define SO_WIFI_STATUS          41
+#define SCM_WIFI_STATUS SO_WIFI_STATUS
 #endif /* __ASM_GENERIC_SOCKET_H */
diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
index 034072cea853..c9f522bd17e4 100644
--- a/include/linux/errqueue.h
+++ b/include/linux/errqueue.h
@@ -17,7 +17,8 @@ struct sock_extended_err {
 #define SO_EE_ORIGIN_LOCAL      1
 #define SO_EE_ORIGIN_ICMP       2
 #define SO_EE_ORIGIN_ICMP6      3
-#define SO_EE_ORIGIN_TIMESTAMPING 4
+#define SO_EE_ORIGIN_TXSTATUS   4
+#define SO_EE_ORIGIN_TIMESTAMPING SO_EE_ORIGIN_TXSTATUS
 
 #define SO_EE_OFFENDER(ee)      ((struct sockaddr*)((ee)+1))
 
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 48363c3c40f8..66cedf6eb5c2 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -128,6 +128,7 @@
 #define IEEE80211_QOS_CTL_ACK_POLICY_NOACK      0x0020
 #define IEEE80211_QOS_CTL_ACK_POLICY_NO_EXPL    0x0040
 #define IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK   0x0060
+#define IEEE80211_QOS_CTL_ACK_POLICY_MASK       0x0060
 /* A-MSDU 802.11n */
 #define IEEE80211_QOS_CTL_A_MSDU_PRESENT        0x0080
 /* Mesh Control 802.11s */
@@ -770,6 +771,9 @@ struct ieee80211_mgmt {
         } u;
 } __attribute__ ((packed));
 
+/* Supported Rates value encodings in 802.11n-2009 7.3.2.2 */
+#define BSS_MEMBERSHIP_SELECTOR_HT_PHY  127
+
 /* mgmt header + 1 byte category code */
 #define IEEE80211_MIN_ACTION_SIZE offsetof(struct ieee80211_mgmt, u.action.u)
 
@@ -1552,6 +1556,8 @@ enum ieee80211_sa_query_action {
 #define WLAN_CIPHER_SUITE_WEP104        0x000FAC05
 #define WLAN_CIPHER_SUITE_AES_CMAC      0x000FAC06
 
+#define WLAN_CIPHER_SUITE_SMS4          0x00147201
+
 /* AKM suite selectors */
 #define WLAN_AKM_SUITE_8021X            0x000FAC01
 #define WLAN_AKM_SUITE_PSK              0x000FAC02
diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 8049bf77d799..f9261c253735 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -509,6 +509,35 @@
  * @NL80211_CMD_TDLS_OPER: Perform a high-level TDLS command (e.g. link setup).
  * @NL80211_CMD_TDLS_MGMT: Send a TDLS management frame.
  *
+ * @NL80211_CMD_UNEXPECTED_FRAME: Used by an application controlling an AP
+ *      (or GO) interface (i.e. hostapd) to ask for unexpected frames to
+ *      implement sending deauth to stations that send unexpected class 3
+ *      frames. Also used as the event sent by the kernel when such a frame
+ *      is received.
+ *      For the event, the %NL80211_ATTR_MAC attribute carries the TA and
+ *      other attributes like the interface index are present.
+ *      If used as the command it must have an interface index and you can
+ *      only unsubscribe from the event by closing the socket. Subscription
+ *      is also for %NL80211_CMD_UNEXPECTED_4ADDR_FRAME events.
+ *
+ * @NL80211_CMD_UNEXPECTED_4ADDR_FRAME: Sent as an event indicating that the
+ *      associated station identified by %NL80211_ATTR_MAC sent a 4addr frame
+ *      and wasn't already in a 4-addr VLAN. The event will be sent similarly
+ *      to the %NL80211_CMD_UNEXPECTED_FRAME event, to the same listener.
+ *
+ * @NL80211_CMD_PROBE_CLIENT: Probe an associated station on an AP interface
+ *      by sending a null data frame to it and reporting when the frame is
+ *      acknowleged. This is used to allow timing out inactive clients. Uses
+ *      %NL80211_ATTR_IFINDEX and %NL80211_ATTR_MAC. The command returns a
+ *      direct reply with an %NL80211_ATTR_COOKIE that is later used to match
+ *      up the event with the request. The event includes the same data and
+ *      has %NL80211_ATTR_ACK set if the frame was ACKed.
+ *
+ * @NL80211_CMD_REGISTER_BEACONS: Register this socket to receive beacons from
+ *      other BSSes when any interfaces are in AP mode. This helps implement
+ *      OLBC handling in hostapd. Beacons are reported in %NL80211_CMD_FRAME
+ *      messages. Note that per PHY only one application may register.
+ *
  * @NL80211_CMD_MAX: highest used command number
  * @__NL80211_CMD_AFTER_LAST: internal use
  */
@@ -638,6 +667,14 @@ enum nl80211_commands {
         NL80211_CMD_TDLS_OPER,
         NL80211_CMD_TDLS_MGMT,
 
+        NL80211_CMD_UNEXPECTED_FRAME,
+
+        NL80211_CMD_PROBE_CLIENT,
+
+        NL80211_CMD_REGISTER_BEACONS,
+
+        NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
+
         /* add new commands above here */
 
         /* used to define NL80211_CMD_MAX below */
@@ -658,6 +695,8 @@ enum nl80211_commands {
 #define NL80211_CMD_DISASSOCIATE NL80211_CMD_DISASSOCIATE
 #define NL80211_CMD_REG_BEACON_HINT NL80211_CMD_REG_BEACON_HINT
 
+#define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
+
 /* source-level API compatibility */
 #define NL80211_CMD_GET_MESH_PARAMS NL80211_CMD_GET_MESH_CONFIG
 #define NL80211_CMD_SET_MESH_PARAMS NL80211_CMD_SET_MESH_CONFIG
@@ -1109,6 +1148,28 @@ enum nl80211_commands {
  *      %NL80211_CMD_TDLS_MGMT. Otherwise %NL80211_CMD_TDLS_OPER should be
  *      used for asking the driver to perform a TDLS operation.
  *
+ * @NL80211_ATTR_DEVICE_AP_SME: This u32 attribute may be listed for devices
+ *      that have AP support to indicate that they have the AP SME integrated
+ *      with support for the features listed in this attribute, see
+ *      &enum nl80211_ap_sme_features.
+ *
+ * @NL80211_ATTR_DONT_WAIT_FOR_ACK: Used with %NL80211_CMD_FRAME, this tells
+ *      the driver to not wait for an acknowledgement. Note that due to this,
+ *      it will also not give a status callback nor return a cookie. This is
+ *      mostly useful for probe responses to save airtime.
+ *
+ * @NL80211_ATTR_FEATURE_FLAGS: This u32 attribute contains flags from
+ *      &enum nl80211_feature_flags and is advertised in wiphy information.
+ * @NL80211_ATTR_PROBE_RESP_OFFLOAD: Indicates that the HW responds to probe
+ *
+ *      requests while operating in AP-mode.
+ *      This attribute holds a bitmap of the supported protocols for
+ *      offloading (see &enum nl80211_probe_resp_offload_support_attr).
+ *
+ * @NL80211_ATTR_PROBE_RESP: Probe Response template data. Contains the entire
+ *      probe-response frame. The DA field in the 802.11 header is zero-ed out,
+ *      to be filled by the FW.
+ *
  * @NL80211_ATTR_MAX: highest attribute number currently defined
  * @__NL80211_ATTR_AFTER_LAST: internal use
  */
@@ -1337,6 +1398,16 @@ enum nl80211_attrs {
         NL80211_ATTR_TDLS_SUPPORT,
         NL80211_ATTR_TDLS_EXTERNAL_SETUP,
 
+        NL80211_ATTR_DEVICE_AP_SME,
+
+        NL80211_ATTR_DONT_WAIT_FOR_ACK,
+
+        NL80211_ATTR_FEATURE_FLAGS,
+
+        NL80211_ATTR_PROBE_RESP_OFFLOAD,
+
+        NL80211_ATTR_PROBE_RESP,
+
         /* add attributes here, update the policy in nl80211.c */
 
         __NL80211_ATTR_AFTER_LAST,
@@ -1371,6 +1442,7 @@ enum nl80211_attrs {
 #define NL80211_ATTR_AKM_SUITES NL80211_ATTR_AKM_SUITES
 #define NL80211_ATTR_KEY NL80211_ATTR_KEY
 #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS
+#define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
 
 #define NL80211_MAX_SUPP_RATES                  32
 #define NL80211_MAX_SUPP_REG_RULES              32
@@ -2650,4 +2722,43 @@ enum nl80211_tdls_operation {
         NL80211_TDLS_DISABLE_LINK,
 };
 
+/*
+ * enum nl80211_ap_sme_features - device-integrated AP features
+ * Reserved for future use, no bits are defined in
+ * NL80211_ATTR_DEVICE_AP_SME yet.
+enum nl80211_ap_sme_features {
+};
+ */
+
+/**
+ * enum nl80211_feature_flags - device/driver features
+ * @NL80211_FEATURE_SK_TX_STATUS: This driver supports reflecting back
+ *      TX status to the socket error queue when requested with the
+ *      socket option.
+ */
+enum nl80211_feature_flags {
+        NL80211_FEATURE_SK_TX_STATUS    = 1 << 0,
+};
+
+/**
+ * enum nl80211_probe_resp_offload_support_attr - optional supported
+ *      protocols for probe-response offloading by the driver/FW.
+ *      To be used with the %NL80211_ATTR_PROBE_RESP_OFFLOAD attribute.
+ *      Each enum value represents a bit in the bitmap of supported
+ *      protocols. Typically a subset of probe-requests belonging to a
+ *      supported protocol will be excluded from offload and uploaded
+ *      to the host.
+ *
+ * @NL80211_PROBE_RESP_OFFLOAD_SUPPORT_WPS: Support for WPS ver. 1
+ * @NL80211_PROBE_RESP_OFFLOAD_SUPPORT_WPS2: Support for WPS ver. 2
+ * @NL80211_PROBE_RESP_OFFLOAD_SUPPORT_P2P: Support for P2P
+ * @NL80211_PROBE_RESP_OFFLOAD_SUPPORT_80211U: Support for 802.11u
+ */
+enum nl80211_probe_resp_offload_support_attr {
+        NL80211_PROBE_RESP_OFFLOAD_SUPPORT_WPS =        1<<0,
+        NL80211_PROBE_RESP_OFFLOAD_SUPPORT_WPS2 =       1<<1,
+        NL80211_PROBE_RESP_OFFLOAD_SUPPORT_P2P =        1<<2,
+        NL80211_PROBE_RESP_OFFLOAD_SUPPORT_80211U =     1<<3,
+};
+
 #endif /* __LINUX_NL80211_H */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index b93117389cfe..09b7ea566d66 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -218,6 +218,9 @@ enum {
 
         /* device driver supports TX zero-copy buffers */
         SKBTX_DEV_ZEROCOPY = 1 << 4,
+
+        /* generate wifi status information (where possible) */
+        SKBTX_WIFI_STATUS = 1 << 5,
 };
 
 /*
@@ -352,6 +355,8 @@ typedef unsigned char *sk_buff_data_t;
  *      @ooo_okay: allow the mapping of a socket to a queue to be changed
  *      @l4_rxhash: indicate rxhash is a canonical 4-tuple hash over transport
  *              ports.
+ *      @wifi_acked_valid: wifi_acked was set
+ *      @wifi_acked: whether frame was acked on wifi or not
  *      @dma_cookie: a cookie to one of several possible DMA operations
  *              done by skb DMA functions
  *      @secmark: security marking
@@ -445,10 +450,11 @@ struct sk_buff {
 #endif
         __u8                    ooo_okay:1;
         __u8                    l4_rxhash:1;
+        __u8                    wifi_acked_valid:1;
+        __u8                    wifi_acked:1;
+        /* 10/12 bit hole (depending on ndisc_nodetype presence) */
         kmemcheck_bitfield_end(flags2);
 
-        /* 0/13 bit hole */
-
 #ifdef CONFIG_NET_DMA
         dma_cookie_t            dma_cookie;
 #endif
@@ -2265,6 +2271,15 @@ static inline void skb_tx_timestamp(struct sk_buff *skb)
         sw_tx_timestamp(skb);
 }
 
+/**
+ * skb_complete_wifi_ack - deliver skb with wifi status
+ *
+ * @skb: the original outgoing packet
+ * @acked: ack status
+ *
+ */
+void skb_complete_wifi_ack(struct sk_buff *skb, bool acked);
+
 extern __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len);
 extern __sum16 __skb_checksum_complete(struct sk_buff *skb);
 
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index e86af08293a8..835f3b229b84 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -77,6 +77,33 @@ struct bt_power {
 #define BT_POWER_FORCE_ACTIVE_OFF 0
 #define BT_POWER_FORCE_ACTIVE_ON  1
 
+#define BT_CHANNEL_POLICY       10
+
+/* BR/EDR only (default policy)
+ *   AMP controllers cannot be used.
+ *   Channel move requests from the remote device are denied.
+ *   If the L2CAP channel is currently using AMP, move the channel to BR/EDR.
+ */
+#define BT_CHANNEL_POLICY_BREDR_ONLY            0
+
+/* BR/EDR Preferred
+ *   Allow use of AMP controllers.
+ *   If the L2CAP channel is currently on AMP, move it to BR/EDR.
+ *   Channel move requests from the remote device are allowed.
+ */
+#define BT_CHANNEL_POLICY_BREDR_PREFERRED       1
+
+/* AMP Preferred
+ *   Allow use of AMP controllers
+ *   If the L2CAP channel is currently on BR/EDR and AMP controller
+ *     resources are available, initiate a channel move to AMP.
+ *   Channel move requests from the remote device are allowed.
+ *   If the L2CAP socket has not been connected yet, try to create
+ *     and configure the channel directly on an AMP controller rather
+ *     than BR/EDR.
+ */
+#define BT_CHANNEL_POLICY_AMP_PREFERRED         2
+
 __printf(2, 3)
 int bt_printk(const char *level, const char *fmt, ...);
 
@@ -158,7 +185,7 @@ struct bt_skb_cb {
         __u8 pkt_type;
         __u8 incoming;
         __u16 expect;
-        __u8 tx_seq;
+        __u16 tx_seq;
         __u8 retries;
         __u8 sar;
         unsigned short channel;
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index aaf79af72432..139ce2aa6eee 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -264,6 +264,13 @@ enum {
 #define HCI_LK_SMP_IRK                  0x82
 #define HCI_LK_SMP_CSRK                 0x83
 
+/* ---- HCI Error Codes ---- */
+#define HCI_ERROR_AUTH_FAILURE          0x05
+#define HCI_ERROR_REJ_BAD_ADDR          0x0f
+#define HCI_ERROR_REMOTE_USER_TERM      0x13
+#define HCI_ERROR_LOCAL_HOST_TERM       0x16
+#define HCI_ERROR_PAIRING_NOT_ALLOWED   0x18
+
 /* -----  HCI Commands ---- */
 #define HCI_OP_NOP                      0x0000
 
@@ -726,6 +733,21 @@ struct hci_cp_write_page_scan_activity {
         #define PAGE_SCAN_TYPE_STANDARD         0x00
         #define PAGE_SCAN_TYPE_INTERLACED       0x01
 
+#define HCI_OP_READ_LOCAL_AMP_INFO      0x1409
+struct hci_rp_read_local_amp_info {
+        __u8     status;
+        __u8     amp_status;
+        __le32   total_bw;
+        __le32   max_bw;
+        __le32   min_latency;
+        __le32   max_pdu;
+        __u8     amp_type;
+        __le16   pal_cap;
+        __le16   max_assoc_size;
+        __le32   max_flush_to;
+        __le32   be_flush_to;
+} __packed;
+
 #define HCI_OP_LE_SET_EVENT_MASK        0x2001
 struct hci_cp_le_set_event_mask {
         __u8     mask[8];
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 3779ea362257..f333e7682607 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -32,6 +32,9 @@
 #define HCI_PROTO_L2CAP 0
 #define HCI_PROTO_SCO   1
 
+/* HCI priority */
+#define HCI_PRIO_MAX    7
+
 /* HCI Core structures */
 struct inquiry_data {
         bdaddr_t        bdaddr;
@@ -64,6 +67,12 @@ struct hci_conn_hash {
         unsigned int     le_num;
 };
 
+struct hci_chan_hash {
+        struct list_head list;
+        spinlock_t       lock;
+        unsigned int     num;
+};
+
 struct bdaddr_list {
         struct list_head list;
         bdaddr_t bdaddr;
@@ -150,6 +159,17 @@ struct hci_dev {
         __u16           sniff_min_interval;
         __u16           sniff_max_interval;
 
+        __u8            amp_status;
+        __u32           amp_total_bw;
+        __u32           amp_max_bw;
+        __u32           amp_min_latency;
+        __u32           amp_max_pdu;
+        __u8            amp_type;
+        __u16           amp_pal_cap;
+        __u16           amp_assoc_size;
+        __u32           amp_max_flush_to;
+        __u32           amp_be_flush_to;
+
         unsigned int    auto_accept_delay;
 
         unsigned long   quirks;
@@ -173,8 +193,10 @@ struct hci_dev {
         struct workqueue_struct *workqueue;
 
         struct work_struct      power_on;
-        struct work_struct      power_off;
-        struct timer_list       off_timer;
+        struct delayed_work     power_off;
+
+        __u16                   discov_timeout;
+        struct delayed_work     discov_off;
 
         struct timer_list       cmd_timer;
         struct tasklet_struct   cmd_task;
@@ -195,6 +217,8 @@ struct hci_dev {
 
         __u16                   init_last_cmd;
 
+        struct list_head        mgmt_pending;
+
         struct inquiry_cache    inq_cache;
         struct hci_conn_hash    conn_hash;
         struct list_head        blacklist;
@@ -273,6 +297,7 @@ struct hci_conn {
         unsigned int    sent;
 
         struct sk_buff_head data_q;
+        struct hci_chan_hash chan_hash;
 
         struct timer_list disc_timer;
         struct timer_list idle_timer;
@@ -295,6 +320,14 @@ struct hci_conn {
         void (*disconn_cfm_cb)  (struct hci_conn *conn, u8 reason);
 };
 
+struct hci_chan {
+        struct list_head list;
+
+        struct hci_conn *conn;
+        struct sk_buff_head data_q;
+        unsigned int    sent;
+};
+
 extern struct hci_proto *hci_proto[];
 extern struct list_head hci_dev_list;
 extern struct list_head hci_cb_list;
@@ -455,6 +488,28 @@ static inline struct hci_conn *hci_conn_hash_lookup_state(struct hci_dev *hdev,
         return NULL;
 }
 
+static inline void hci_chan_hash_init(struct hci_conn *c)
+{
+        struct hci_chan_hash *h = &c->chan_hash;
+        INIT_LIST_HEAD(&h->list);
+        spin_lock_init(&h->lock);
+        h->num = 0;
+}
+
+static inline void hci_chan_hash_add(struct hci_conn *c, struct hci_chan *chan)
+{
+        struct hci_chan_hash *h = &c->chan_hash;
+        list_add(&chan->list, &h->list);
+        h->num++;
+}
+
+static inline void hci_chan_hash_del(struct hci_conn *c, struct hci_chan *chan)
+{
+        struct hci_chan_hash *h = &c->chan_hash;
+        list_del(&chan->list);
+        h->num--;
+}
+
 void hci_acl_connect(struct hci_conn *conn);
 void hci_acl_disconn(struct hci_conn *conn, __u8 reason);
 void hci_add_sco(struct hci_conn *conn, __u16 handle);
@@ -466,6 +521,10 @@ int hci_conn_del(struct hci_conn *conn);
 void hci_conn_hash_flush(struct hci_dev *hdev);
 void hci_conn_check_pending(struct hci_dev *hdev);
 
+struct hci_chan *hci_chan_create(struct hci_conn *conn);
+int hci_chan_del(struct hci_chan *chan);
+void hci_chan_hash_flush(struct hci_conn *conn);
+
 struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst,
                                                 __u8 sec_level, __u8 auth_type);
 int hci_conn_check_link_mode(struct hci_conn *conn);
@@ -545,7 +604,7 @@ struct hci_dev *hci_get_route(bdaddr_t *src, bdaddr_t *dst);
 struct hci_dev *hci_alloc_dev(void);
 void hci_free_dev(struct hci_dev *hdev);
 int hci_register_dev(struct hci_dev *hdev);
-int hci_unregister_dev(struct hci_dev *hdev);
+void hci_unregister_dev(struct hci_dev *hdev);
 int hci_suspend_dev(struct hci_dev *hdev);
 int hci_resume_dev(struct hci_dev *hdev);
 int hci_dev_open(__u16 dev);
@@ -599,8 +658,9 @@ int hci_recv_frame(struct sk_buff *skb);
 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count);
 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count);
 
-int hci_register_sysfs(struct hci_dev *hdev);
-void hci_unregister_sysfs(struct hci_dev *hdev);
+void hci_init_sysfs(struct hci_dev *hdev);
+int hci_add_sysfs(struct hci_dev *hdev);
+void hci_del_sysfs(struct hci_dev *hdev);
 void hci_conn_init_sysfs(struct hci_conn *conn);
 void hci_conn_add_sysfs(struct hci_conn *conn);
 void hci_conn_del_sysfs(struct hci_conn *conn);
@@ -676,7 +736,7 @@ static inline void hci_proto_connect_cfm(struct hci_conn *conn, __u8 status)
 static inline int hci_proto_disconn_ind(struct hci_conn *conn)
 {
         register struct hci_proto *hp;
-        int reason = 0x13;
+        int reason = HCI_ERROR_REMOTE_USER_TERM;
 
         hp = hci_proto[HCI_PROTO_L2CAP];
         if (hp && hp->disconn_ind)
@@ -836,7 +896,7 @@ int hci_register_notifier(struct notifier_block *nb);
 int hci_unregister_notifier(struct notifier_block *nb);
 
 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param);
-void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags);
+void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags);
 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb);
 
 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode);
@@ -849,34 +909,41 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb,
 
 /* Management interface */
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t len);
-int mgmt_index_added(u16 index);
-int mgmt_index_removed(u16 index);
-int mgmt_powered(u16 index, u8 powered);
-int mgmt_discoverable(u16 index, u8 discoverable);
-int mgmt_connectable(u16 index, u8 connectable);
-int mgmt_new_key(u16 index, struct link_key *key, u8 persistent);
-int mgmt_connected(u16 index, bdaddr_t *bdaddr, u8 link_type);
-int mgmt_disconnected(u16 index, bdaddr_t *bdaddr);
-int mgmt_disconnect_failed(u16 index);
-int mgmt_connect_failed(u16 index, bdaddr_t *bdaddr, u8 status);
-int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr, u8 secure);
-int mgmt_pin_code_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status);
-int mgmt_pin_code_neg_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status);
-int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value,
-                                                        u8 confirm_hint);
-int mgmt_user_confirm_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status);
-int mgmt_user_confirm_neg_reply_complete(u16 index, bdaddr_t *bdaddr,
+int mgmt_index_added(struct hci_dev *hdev);
+int mgmt_index_removed(struct hci_dev *hdev);
+int mgmt_powered(struct hci_dev *hdev, u8 powered);
+int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable);
+int mgmt_connectable(struct hci_dev *hdev, u8 connectable);
+int mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status);
+int mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
+                                                                u8 persistent);
+int mgmt_connected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
+int mgmt_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
+int mgmt_disconnect_failed(struct hci_dev *hdev);
+int mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type,
                                                                 u8 status);
-int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status);
-int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status);
-int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+int mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure);
+int mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
                                                                 u8 status);
-int mgmt_device_found(u16 index, bdaddr_t *bdaddr, u8 *dev_class, s8 rssi,
-                                                                u8 *eir);
-int mgmt_remote_name(u16 index, bdaddr_t *bdaddr, u8 *name);
-int mgmt_discovering(u16 index, u8 discovering);
-int mgmt_device_blocked(u16 index, bdaddr_t *bdaddr);
-int mgmt_device_unblocked(u16 index, bdaddr_t *bdaddr);
+int mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
+                                                                u8 status);
+int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
+                                                __le32 value, u8 confirm_hint);
+int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
+                                                                u8 status);
+int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev,
+                                                bdaddr_t *bdaddr, u8 status);
+int mgmt_auth_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 status);
+int mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status);
+int mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash,
+                                                u8 *randomizer, u8 status);
+int mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type,
+                                        u8 *dev_class, s8 rssi, u8 *eir);
+int mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *name);
+int mgmt_inquiry_failed(struct hci_dev *hdev, u8 status);
+int mgmt_discovering(struct hci_dev *hdev, u8 discovering);
+int mgmt_device_blocked(struct hci_dev *hdev, bdaddr_t *bdaddr);
+int mgmt_device_unblocked(struct hci_dev *hdev, bdaddr_t *bdaddr);
 
 /* HCI info for socket */
 #define hci_pi(sk) ((struct hci_pinfo *) sk)
@@ -915,4 +982,7 @@ void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
 void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16]);
 void hci_le_ltk_neg_reply(struct hci_conn *conn);
 
+int hci_do_inquiry(struct hci_dev *hdev, u8 length);
+int hci_cancel_inquiry(struct hci_dev *hdev);
+
 #endif /* __HCI_CORE_H */
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index ab90ae0970a6..875021ad0675 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -27,20 +27,29 @@
 #ifndef __L2CAP_H
 #define __L2CAP_H
 
+#include <asm/unaligned.h>
+
 /* L2CAP defaults */
 #define L2CAP_DEFAULT_MTU               672
 #define L2CAP_DEFAULT_MIN_MTU           48
 #define L2CAP_DEFAULT_FLUSH_TO          0xffff
 #define L2CAP_DEFAULT_TX_WINDOW         63
+#define L2CAP_DEFAULT_EXT_WINDOW        0x3FFF
 #define L2CAP_DEFAULT_MAX_TX            3
 #define L2CAP_DEFAULT_RETRANS_TO        2000    /* 2 seconds */
 #define L2CAP_DEFAULT_MONITOR_TO        12000   /* 12 seconds */
 #define L2CAP_DEFAULT_MAX_PDU_SIZE      1009    /* Sized for 3-DH5 packet */
 #define L2CAP_DEFAULT_ACK_TO            200
 #define L2CAP_LE_DEFAULT_MTU            23
+#define L2CAP_DEFAULT_MAX_SDU_SIZE      0xFFFF
+#define L2CAP_DEFAULT_SDU_ITIME         0xFFFFFFFF
+#define L2CAP_DEFAULT_ACC_LAT           0xFFFFFFFF
 
-#define L2CAP_CONN_TIMEOUT      (40000) /* 40 seconds */
-#define L2CAP_INFO_TIMEOUT      (4000)  /*  4 seconds */
+#define L2CAP_DISC_TIMEOUT             (100)
+#define L2CAP_DISC_REJ_TIMEOUT         (5000)  /*  5 seconds */
+#define L2CAP_ENC_TIMEOUT              (5000)  /*  5 seconds */
+#define L2CAP_CONN_TIMEOUT             (40000) /* 40 seconds */
+#define L2CAP_INFO_TIMEOUT             (4000)  /*  4 seconds */
 
 /* L2CAP socket address */
 struct sockaddr_l2 {
@@ -88,52 +97,82 @@ struct l2cap_conninfo {
 #define L2CAP_ECHO_RSP          0x09
 #define L2CAP_INFO_REQ          0x0a
 #define L2CAP_INFO_RSP          0x0b
+#define L2CAP_CREATE_CHAN_REQ   0x0c
+#define L2CAP_CREATE_CHAN_RSP   0x0d
+#define L2CAP_MOVE_CHAN_REQ     0x0e
+#define L2CAP_MOVE_CHAN_RSP     0x0f
+#define L2CAP_MOVE_CHAN_CFM     0x10
+#define L2CAP_MOVE_CHAN_CFM_RSP 0x11
 #define L2CAP_CONN_PARAM_UPDATE_REQ     0x12
 #define L2CAP_CONN_PARAM_UPDATE_RSP     0x13
 
-/* L2CAP feature mask */
+/* L2CAP extended feature mask */
 #define L2CAP_FEAT_FLOWCTL      0x00000001
 #define L2CAP_FEAT_RETRANS      0x00000002
+#define L2CAP_FEAT_BIDIR_QOS    0x00000004
 #define L2CAP_FEAT_ERTM         0x00000008
 #define L2CAP_FEAT_STREAMING    0x00000010
 #define L2CAP_FEAT_FCS          0x00000020
+#define L2CAP_FEAT_EXT_FLOW     0x00000040
 #define L2CAP_FEAT_FIXED_CHAN   0x00000080
+#define L2CAP_FEAT_EXT_WINDOW   0x00000100
+#define L2CAP_FEAT_UCD          0x00000200
 
 /* L2CAP checksum option */
 #define L2CAP_FCS_NONE          0x00
 #define L2CAP_FCS_CRC16         0x01
 
+/* L2CAP fixed channels */
+#define L2CAP_FC_L2CAP          0x02
+#define L2CAP_FC_A2MP           0x08
+
 /* L2CAP Control Field bit masks */
-#define L2CAP_CTRL_SAR               0xC000
-#define L2CAP_CTRL_REQSEQ            0x3F00
-#define L2CAP_CTRL_TXSEQ             0x007E
-#define L2CAP_CTRL_RETRANS           0x0080
-#define L2CAP_CTRL_FINAL             0x0080
-#define L2CAP_CTRL_POLL              0x0010
-#define L2CAP_CTRL_SUPERVISE         0x000C
-#define L2CAP_CTRL_FRAME_TYPE        0x0001 /* I- or S-Frame */
-
-#define L2CAP_CTRL_TXSEQ_SHIFT      1
-#define L2CAP_CTRL_REQSEQ_SHIFT     8
-#define L2CAP_CTRL_SAR_SHIFT       14
+#define L2CAP_CTRL_SAR                  0xC000
+#define L2CAP_CTRL_REQSEQ               0x3F00
+#define L2CAP_CTRL_TXSEQ                0x007E
+#define L2CAP_CTRL_SUPERVISE            0x000C
+
+#define L2CAP_CTRL_RETRANS              0x0080
+#define L2CAP_CTRL_FINAL                0x0080
+#define L2CAP_CTRL_POLL                 0x0010
+#define L2CAP_CTRL_FRAME_TYPE           0x0001 /* I- or S-Frame */
+
+#define L2CAP_CTRL_TXSEQ_SHIFT          1
+#define L2CAP_CTRL_SUPER_SHIFT          2
+#define L2CAP_CTRL_REQSEQ_SHIFT         8
+#define L2CAP_CTRL_SAR_SHIFT            14
+
+/* L2CAP Extended Control Field bit mask */
+#define L2CAP_EXT_CTRL_TXSEQ            0xFFFC0000
+#define L2CAP_EXT_CTRL_SAR              0x00030000
+#define L2CAP_EXT_CTRL_SUPERVISE        0x00030000
+#define L2CAP_EXT_CTRL_REQSEQ           0x0000FFFC
+
+#define L2CAP_EXT_CTRL_POLL             0x00040000
+#define L2CAP_EXT_CTRL_FINAL            0x00000002
+#define L2CAP_EXT_CTRL_FRAME_TYPE       0x00000001 /* I- or S-Frame */
+
+#define L2CAP_EXT_CTRL_REQSEQ_SHIFT     2
+#define L2CAP_EXT_CTRL_SAR_SHIFT        16
+#define L2CAP_EXT_CTRL_SUPER_SHIFT      16
+#define L2CAP_EXT_CTRL_TXSEQ_SHIFT      18
 
 /* L2CAP Supervisory Function */
-#define L2CAP_SUPER_RCV_READY           0x0000
-#define L2CAP_SUPER_REJECT              0x0004
-#define L2CAP_SUPER_RCV_NOT_READY       0x0008
-#define L2CAP_SUPER_SELECT_REJECT       0x000C
+#define L2CAP_SUPER_RR          0x00
+#define L2CAP_SUPER_REJ         0x01
+#define L2CAP_SUPER_RNR         0x02
+#define L2CAP_SUPER_SREJ        0x03
 
 /* L2CAP Segmentation and Reassembly */
-#define L2CAP_SDU_UNSEGMENTED       0x0000
-#define L2CAP_SDU_START             0x4000
-#define L2CAP_SDU_END               0x8000
-#define L2CAP_SDU_CONTINUE          0xC000
+#define L2CAP_SAR_UNSEGMENTED   0x00
+#define L2CAP_SAR_START         0x01
+#define L2CAP_SAR_END           0x02
+#define L2CAP_SAR_CONTINUE      0x03
 
 /* L2CAP Command rej. reasons */
-#define L2CAP_REJ_NOT_UNDERSTOOD      0x0000
-#define L2CAP_REJ_MTU_EXCEEDED        0x0001
-#define L2CAP_REJ_INVALID_CID         0x0002
-
+#define L2CAP_REJ_NOT_UNDERSTOOD        0x0000
+#define L2CAP_REJ_MTU_EXCEEDED          0x0001
+#define L2CAP_REJ_INVALID_CID           0x0002
 
 /* L2CAP structures */
 struct l2cap_hdr {
@@ -141,6 +180,12 @@ struct l2cap_hdr {
         __le16     cid;
 } __packed;
 #define L2CAP_HDR_SIZE          4
+#define L2CAP_ENH_HDR_SIZE      6
+#define L2CAP_EXT_HDR_SIZE      8
+
+#define L2CAP_FCS_SIZE          2
+#define L2CAP_SDULEN_SIZE       2
+#define L2CAP_PSMLEN_SIZE       2
 
 struct l2cap_cmd_hdr {
         __u8       code;
@@ -185,14 +230,15 @@ struct l2cap_conn_rsp {
 #define L2CAP_CID_DYN_START     0x0040
 #define L2CAP_CID_DYN_END       0xffff
 
-/* connect result */
+/* connect/create channel results */
 #define L2CAP_CR_SUCCESS        0x0000
 #define L2CAP_CR_PEND           0x0001
 #define L2CAP_CR_BAD_PSM        0x0002
 #define L2CAP_CR_SEC_BLOCK      0x0003
 #define L2CAP_CR_NO_MEM         0x0004
+#define L2CAP_CR_BAD_AMP        0x0005
 
-/* connect status */
+/* connect/create channel status */
 #define L2CAP_CS_NO_INFO        0x0000
 #define L2CAP_CS_AUTHEN_PEND    0x0001
 #define L2CAP_CS_AUTHOR_PEND    0x0002
@@ -214,6 +260,8 @@ struct l2cap_conf_rsp {
 #define L2CAP_CONF_UNACCEPT     0x0001
 #define L2CAP_CONF_REJECT       0x0002
 #define L2CAP_CONF_UNKNOWN      0x0003
+#define L2CAP_CONF_PENDING      0x0004
+#define L2CAP_CONF_EFS_REJECT   0x0005
 
 struct l2cap_conf_opt {
         __u8       type;
@@ -230,6 +278,8 @@ struct l2cap_conf_opt {
 #define L2CAP_CONF_QOS          0x03
 #define L2CAP_CONF_RFC          0x04
 #define L2CAP_CONF_FCS          0x05
+#define L2CAP_CONF_EFS          0x06
+#define L2CAP_CONF_EWS          0x07
 
 #define L2CAP_CONF_MAX_SIZE     22
 
@@ -248,6 +298,21 @@ struct l2cap_conf_rfc {
 #define L2CAP_MODE_ERTM         0x03
 #define L2CAP_MODE_STREAMING    0x04
 
+struct l2cap_conf_efs {
+        __u8    id;
+        __u8    stype;
+        __le16  msdu;
+        __le32  sdu_itime;
+        __le32  acc_lat;
+        __le32  flush_to;
+} __packed;
+
+#define L2CAP_SERV_NOTRAFIC     0x00
+#define L2CAP_SERV_BESTEFFORT   0x01
+#define L2CAP_SERV_GUARANTEED   0x02
+
+#define L2CAP_BESTEFFORT_ID     0x01
+
 struct l2cap_disconn_req {
         __le16     dcid;
         __le16     scid;
@@ -268,14 +333,57 @@ struct l2cap_info_rsp {
         __u8        data[0];
 } __packed;
 
+struct l2cap_create_chan_req {
+        __le16      psm;
+        __le16      scid;
+        __u8        amp_id;
+} __packed;
+
+struct l2cap_create_chan_rsp {
+        __le16      dcid;
+        __le16      scid;
+        __le16      result;
+        __le16      status;
+} __packed;
+
+struct l2cap_move_chan_req {
+        __le16      icid;
+        __u8        dest_amp_id;
+} __packed;
+
+struct l2cap_move_chan_rsp {
+        __le16      icid;
+        __le16      result;
+} __packed;
+
+#define L2CAP_MR_SUCCESS        0x0000
+#define L2CAP_MR_PEND           0x0001
+#define L2CAP_MR_BAD_ID         0x0002
+#define L2CAP_MR_SAME_ID        0x0003
+#define L2CAP_MR_NOT_SUPP       0x0004
+#define L2CAP_MR_COLLISION      0x0005
+#define L2CAP_MR_NOT_ALLOWED    0x0006
+
+struct l2cap_move_chan_cfm {
+        __le16      icid;
+        __le16      result;
+} __packed;
+
+#define L2CAP_MC_CONFIRMED      0x0000
+#define L2CAP_MC_UNCONFIRMED    0x0001
+
+struct l2cap_move_chan_cfm_rsp {
+        __le16      icid;
+} __packed;
+
 /* info type */
-#define L2CAP_IT_CL_MTU     0x0001
-#define L2CAP_IT_FEAT_MASK  0x0002
-#define L2CAP_IT_FIXED_CHAN 0x0003
+#define L2CAP_IT_CL_MTU         0x0001
+#define L2CAP_IT_FEAT_MASK      0x0002
+#define L2CAP_IT_FIXED_CHAN     0x0003
 
 /* info result */
-#define L2CAP_IR_SUCCESS    0x0000
-#define L2CAP_IR_NOTSUPP    0x0001
+#define L2CAP_IR_SUCCESS        0x0000
+#define L2CAP_IR_NOTSUPP        0x0001
 
 struct l2cap_conn_param_update_req {
         __le16      min;
@@ -294,7 +402,7 @@ struct l2cap_conn_param_update_rsp {
 
 /* ----- L2CAP channels and connections ----- */
 struct srej_list {
-        __u8    tx_seq;
+        __u16   tx_seq;
         struct list_head list;
 };
 
@@ -316,14 +424,11 @@ struct l2cap_chan {
         __u16           flush_to;
         __u8            mode;
         __u8            chan_type;
+        __u8            chan_policy;
 
         __le16          sport;
 
         __u8            sec_level;
-        __u8            role_switch;
-        __u8            force_reliable;
-        __u8            flushable;
-        __u8            force_active;
 
         __u8            ident;
 
@@ -334,7 +439,8 @@ struct l2cap_chan {
 
         __u8            fcs;
 
-        __u8            tx_win;
+        __u16           tx_win;
+        __u16           tx_win_max;
         __u8            max_tx;
         __u16           retrans_timeout;
         __u16           monitor_timeout;
@@ -342,25 +448,40 @@ struct l2cap_chan {
 
         unsigned long   conf_state;
         unsigned long   conn_state;
-
-        __u8            next_tx_seq;
-        __u8            expected_ack_seq;
-        __u8            expected_tx_seq;
-        __u8            buffer_seq;
-        __u8            buffer_seq_srej;
-        __u8            srej_save_reqseq;
-        __u8            frames_sent;
-        __u8            unacked_frames;
+        unsigned long   flags;
+
+        __u16           next_tx_seq;
+        __u16           expected_ack_seq;
+        __u16           expected_tx_seq;
+        __u16           buffer_seq;
+        __u16           buffer_seq_srej;
+        __u16           srej_save_reqseq;
+        __u16           frames_sent;
+        __u16           unacked_frames;
         __u8            retry_count;
         __u8            num_acked;
         __u16           sdu_len;
         struct sk_buff  *sdu;
         struct sk_buff  *sdu_last_frag;
 
-        __u8            remote_tx_win;
+        __u16           remote_tx_win;
         __u8            remote_max_tx;
         __u16           remote_mps;
 
+        __u8            local_id;
+        __u8            local_stype;
+        __u16           local_msdu;
+        __u32           local_sdu_itime;
+        __u32           local_acc_lat;
+        __u32           local_flush_to;
+
+        __u8            remote_id;
+        __u8            remote_stype;
+        __u16           remote_msdu;
+        __u32           remote_sdu_itime;
+        __u32           remote_acc_lat;
+        __u32           remote_flush_to;
+
         struct timer_list       chan_timer;
         struct timer_list       retrans_timer;
         struct timer_list       monitor_timer;
@@ -388,6 +509,7 @@ struct l2cap_ops {
 
 struct l2cap_conn {
         struct hci_conn *hcon;
+        struct hci_chan *hchan;
 
         bdaddr_t        *dst;
         bdaddr_t        *src;
@@ -442,6 +564,9 @@ enum {
         CONF_CONNECT_PEND,
         CONF_NO_FCS_RECV,
         CONF_STATE2_DEVICE,
+        CONF_EWS_RECV,
+        CONF_LOC_CONF_PEND,
+        CONF_REM_CONF_PEND,
 };
 
 #define L2CAP_CONF_MAX_CONF_REQ 2
@@ -459,6 +584,16 @@ enum {
         CONN_RNR_SENT,
 };
 
+/* Definitions for flags in l2cap_chan */
+enum {
+        FLAG_ROLE_SWITCH,
+        FLAG_FORCE_ACTIVE,
+        FLAG_FORCE_RELIABLE,
+        FLAG_FLUSHABLE,
+        FLAG_EXT_CTRL,
+        FLAG_EFS_ENABLE,
+};
+
 #define __set_chan_timer(c, t) l2cap_set_timer(c, &c->chan_timer, (t))
 #define __clear_chan_timer(c) l2cap_clear_timer(c, &c->chan_timer)
 #define __set_retrans_timer(c) l2cap_set_timer(c, &c->retrans_timer, \
@@ -471,6 +606,22 @@ enum {
                 L2CAP_DEFAULT_ACK_TO);
 #define __clear_ack_timer(c) l2cap_clear_timer(c, &c->ack_timer)
 
+static inline int __seq_offset(struct l2cap_chan *chan, __u16 seq1, __u16 seq2)
+{
+        int offset;
+
+        offset = (seq1 - seq2) % (chan->tx_win_max + 1);
+        if (offset < 0)
+                offset += (chan->tx_win_max + 1);
+
+        return offset;
+}
+
+static inline __u16 __next_seq(struct l2cap_chan *chan, __u16 seq)
+{
+        return (seq + 1) % (chan->tx_win_max + 1);
+}
+
 static inline int l2cap_tx_window_full(struct l2cap_chan *ch)
 {
         int sub;
@@ -483,13 +634,165 @@ static inline int l2cap_tx_window_full(struct l2cap_chan *ch)
         return sub == ch->remote_tx_win;
 }
 
-#define __get_txseq(ctrl)       (((ctrl) & L2CAP_CTRL_TXSEQ) >> 1)
-#define __get_reqseq(ctrl)      (((ctrl) & L2CAP_CTRL_REQSEQ) >> 8)
-#define __is_iframe(ctrl)       (!((ctrl) & L2CAP_CTRL_FRAME_TYPE))
-#define __is_sframe(ctrl)       ((ctrl) & L2CAP_CTRL_FRAME_TYPE)
-#define __is_sar_start(ctrl)    (((ctrl) & L2CAP_CTRL_SAR) == L2CAP_SDU_START)
+static inline __u16 __get_reqseq(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (ctrl & L2CAP_EXT_CTRL_REQSEQ) >>
+                                                L2CAP_EXT_CTRL_REQSEQ_SHIFT;
+        else
+                return (ctrl & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
+}
+
+static inline __u32 __set_reqseq(struct l2cap_chan *chan, __u32 reqseq)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT) &
+                                                        L2CAP_EXT_CTRL_REQSEQ;
+        else
+                return (reqseq << L2CAP_CTRL_REQSEQ_SHIFT) & L2CAP_CTRL_REQSEQ;
+}
+
+static inline __u16 __get_txseq(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (ctrl & L2CAP_EXT_CTRL_TXSEQ) >>
+                                                L2CAP_EXT_CTRL_TXSEQ_SHIFT;
+        else
+                return (ctrl & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
+}
+
+static inline __u32 __set_txseq(struct l2cap_chan *chan, __u32 txseq)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT) &
+                                                        L2CAP_EXT_CTRL_TXSEQ;
+        else
+                return (txseq << L2CAP_CTRL_TXSEQ_SHIFT) & L2CAP_CTRL_TXSEQ;
+}
+
+static inline bool __is_sframe(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return ctrl & L2CAP_EXT_CTRL_FRAME_TYPE;
+        else
+                return ctrl & L2CAP_CTRL_FRAME_TYPE;
+}
+
+static inline __u32 __set_sframe(struct l2cap_chan *chan)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return L2CAP_EXT_CTRL_FRAME_TYPE;
+        else
+                return L2CAP_CTRL_FRAME_TYPE;
+}
+
+static inline __u8 __get_ctrl_sar(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (ctrl & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
+        else
+                return (ctrl & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
+}
+
+static inline __u32 __set_ctrl_sar(struct l2cap_chan *chan, __u32 sar)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (sar << L2CAP_EXT_CTRL_SAR_SHIFT) & L2CAP_EXT_CTRL_SAR;
+        else
+                return (sar << L2CAP_CTRL_SAR_SHIFT) & L2CAP_CTRL_SAR;
+}
+
+static inline bool __is_sar_start(struct l2cap_chan *chan, __u32 ctrl)
+{
+        return __get_ctrl_sar(chan, ctrl) == L2CAP_SAR_START;
+}
+
+static inline __u32 __get_sar_mask(struct l2cap_chan *chan)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return L2CAP_EXT_CTRL_SAR;
+        else
+                return L2CAP_CTRL_SAR;
+}
+
+static inline __u8 __get_ctrl_super(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (ctrl & L2CAP_EXT_CTRL_SUPERVISE) >>
+                                                L2CAP_EXT_CTRL_SUPER_SHIFT;
+        else
+                return (ctrl & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
+}
+
+static inline __u32 __set_ctrl_super(struct l2cap_chan *chan, __u32 super)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return (super << L2CAP_EXT_CTRL_SUPER_SHIFT) &
+                                                L2CAP_EXT_CTRL_SUPERVISE;
+        else
+                return (super << L2CAP_CTRL_SUPER_SHIFT) &
+                                                        L2CAP_CTRL_SUPERVISE;
+}
+
+static inline __u32 __set_ctrl_final(struct l2cap_chan *chan)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return L2CAP_EXT_CTRL_FINAL;
+        else
+                return L2CAP_CTRL_FINAL;
+}
+
+static inline bool __is_ctrl_final(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return ctrl & L2CAP_EXT_CTRL_FINAL;
+        else
+                return ctrl & L2CAP_CTRL_FINAL;
+}
+
+static inline __u32 __set_ctrl_poll(struct l2cap_chan *chan)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return L2CAP_EXT_CTRL_POLL;
+        else
+                return L2CAP_CTRL_POLL;
+}
+
+static inline bool __is_ctrl_poll(struct l2cap_chan *chan, __u32 ctrl)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return ctrl & L2CAP_EXT_CTRL_POLL;
+        else
+                return ctrl & L2CAP_CTRL_POLL;
+}
+
+static inline __u32 __get_control(struct l2cap_chan *chan, void *p)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return get_unaligned_le32(p);
+        else
+                return get_unaligned_le16(p);
+}
+
+static inline void __put_control(struct l2cap_chan *chan, __u32 control,
+                                                                void *p)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return put_unaligned_le32(control, p);
+        else
+                return put_unaligned_le16(control, p);
+}
+
+static inline __u8 __ctrl_size(struct l2cap_chan *chan)
+{
+        if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+                return L2CAP_EXT_HDR_SIZE - L2CAP_HDR_SIZE;
+        else
+                return L2CAP_ENH_HDR_SIZE - L2CAP_HDR_SIZE;
+}
 
 extern int disable_ertm;
+extern int enable_hs;
 
 int l2cap_init_sockets(void);
 void l2cap_cleanup_sockets(void);
@@ -504,7 +807,8 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk);
 void l2cap_chan_close(struct l2cap_chan *chan, int reason);
 void l2cap_chan_destroy(struct l2cap_chan *chan);
 int l2cap_chan_connect(struct l2cap_chan *chan);
-int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len);
+int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
+                                                                u32 priority);
 void l2cap_chan_busy(struct l2cap_chan *chan, int busy);
 
 #endif /* __L2CAP_H */
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index d66da0f94f95..3e320c9cae8f 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -69,6 +69,10 @@ struct mgmt_mode {
 #define MGMT_OP_SET_POWERED             0x0005
 
 #define MGMT_OP_SET_DISCOVERABLE        0x0006
+struct mgmt_cp_set_discoverable {
+        __u8 val;
+        __u16 timeout;
+} __packed;
 
 #define MGMT_OP_SET_CONNECTABLE         0x0007
 
@@ -96,24 +100,22 @@ struct mgmt_cp_set_service_cache {
         __u8 enable;
 } __packed;
 
-struct mgmt_key_info {
+struct mgmt_link_key_info {
         bdaddr_t bdaddr;
         u8 type;
         u8 val[16];
         u8 pin_len;
-        u8 dlen;
-        u8 data[0];
 } __packed;
 
-#define MGMT_OP_LOAD_KEYS               0x000D
-struct mgmt_cp_load_keys {
+#define MGMT_OP_LOAD_LINK_KEYS          0x000D
+struct mgmt_cp_load_link_keys {
         __u8 debug_keys;
         __le16 key_count;
-        struct mgmt_key_info keys[0];
+        struct mgmt_link_key_info keys[0];
 } __packed;
 
-#define MGMT_OP_REMOVE_KEY              0x000E
-struct mgmt_cp_remove_key {
+#define MGMT_OP_REMOVE_KEYS             0x000E
+struct mgmt_cp_remove_keys {
         bdaddr_t bdaddr;
         __u8 disconnect;
 } __packed;
@@ -126,10 +128,20 @@ struct mgmt_rp_disconnect {
         bdaddr_t bdaddr;
 } __packed;
 
+#define MGMT_ADDR_BREDR                 0x00
+#define MGMT_ADDR_LE                    0x01
+#define MGMT_ADDR_BREDR_LE              0x02
+#define MGMT_ADDR_INVALID               0xff
+
+struct mgmt_addr_info {
+        bdaddr_t bdaddr;
+        __u8 type;
+} __packed;
+
 #define MGMT_OP_GET_CONNECTIONS         0x0010
 struct mgmt_rp_get_connections {
         __le16 conn_count;
-        bdaddr_t conn[0];
+        struct mgmt_addr_info addr[0];
 } __packed;
 
 #define MGMT_OP_PIN_CODE_REPLY          0x0011
@@ -245,26 +257,19 @@ struct mgmt_ev_controller_error {
 
 #define MGMT_EV_PAIRABLE                0x0009
 
-#define MGMT_EV_NEW_KEY                 0x000A
-struct mgmt_ev_new_key {
+#define MGMT_EV_NEW_LINK_KEY            0x000A
+struct mgmt_ev_new_link_key {
         __u8 store_hint;
-        struct mgmt_key_info key;
+        struct mgmt_link_key_info key;
 } __packed;
 
 #define MGMT_EV_CONNECTED               0x000B
-struct mgmt_ev_connected {
-        bdaddr_t bdaddr;
-        __u8 link_type;
-} __packed;
 
 #define MGMT_EV_DISCONNECTED            0x000C
-struct mgmt_ev_disconnected {
-        bdaddr_t bdaddr;
-} __packed;
 
 #define MGMT_EV_CONNECT_FAILED          0x000D
 struct mgmt_ev_connect_failed {
-        bdaddr_t bdaddr;
+        struct mgmt_addr_info addr;
         __u8 status;
 } __packed;
 
@@ -294,7 +299,7 @@ struct mgmt_ev_local_name_changed {
 
 #define MGMT_EV_DEVICE_FOUND            0x0012
 struct mgmt_ev_device_found {
-        bdaddr_t bdaddr;
+        struct mgmt_addr_info addr;
         __u8 dev_class[3];
         __s8 rssi;
         __u8 eir[HCI_MAX_EIR_LENGTH];
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 92cf1c2c30c9..8d7ba0961d3e 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -391,6 +391,8 @@ struct cfg80211_crypto_settings {
  * @assocresp_ies: extra information element(s) to add into (Re)Association
  *      Response frames or %NULL
  * @assocresp_ies_len: length of assocresp_ies in octets
+ * @probe_resp_len: length of probe response template (@probe_resp)
+ * @probe_resp: probe response template (AP mode only)
  */
 struct beacon_parameters {
         u8 *head, *tail;
@@ -408,6 +410,8 @@ struct beacon_parameters {
         size_t proberesp_ies_len;
         const u8 *assocresp_ies;
         size_t assocresp_ies_len;
+        int probe_resp_len;
+        u8 *probe_resp;
 };
 
 /**
@@ -456,6 +460,9 @@ enum station_parameters_apply_mask {
  *      as the AC bitmap in the QoS info field
  * @max_sp: max Service Period. same format as the MAX_SP in the
  *      QoS info field (but already shifted down)
+ * @sta_modify_mask: bitmap indicating which parameters changed
+ *      (for those that don't have a natural "no change" value),
+ *      see &enum station_parameters_apply_mask
  */
 struct station_parameters {
         u8 *supported_rates;
@@ -615,6 +622,7 @@ struct sta_bss_parameters {
  *      user space MLME/SME implementation. The information is provided for
  *      the cfg80211_new_sta() calls to notify user space of the IEs.
  * @assoc_req_ies_len: Length of assoc_req_ies buffer in octets.
+ * @sta_flags: station flags mask & values
  */
 struct station_info {
         u32 filled;
@@ -1338,6 +1346,9 @@ struct cfg80211_gtk_rekey_data {
  *      doesn't verify much. Note, however, that the passed netdev may be
  *      %NULL as well if the user requested changing the channel for the
  *      device itself, or for a monitor interface.
+ * @get_channel: Get the current operating channel, should return %NULL if
+ *      there's no single defined operating channel if for example the
+ *      device implements channel hopping for multi-channel virtual interfaces.
  *
  * @scan: Request to do a scan. If returning zero, the scan request is given
  *      the driver, and will be valid until passed to cfg80211_scan_done().
@@ -1428,6 +1439,9 @@ struct cfg80211_gtk_rekey_data {
  *
  * @tdls_mgmt: Transmit a TDLS management frame.
  * @tdls_oper: Perform a high-level TDLS operation (e.g. TDLS link setup).
+ *
+ * @probe_client: probe an associated client, must return a cookie that it
+ *      later passes to cfg80211_probe_status().
  */
 struct cfg80211_ops {
         int     (*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
@@ -1581,7 +1595,7 @@ struct cfg80211_ops {
                           enum nl80211_channel_type channel_type,
                           bool channel_type_valid, unsigned int wait,
                           const u8 *buf, size_t len, bool no_cck,
-                          u64 *cookie);
+                          bool dont_wait_for_ack, u64 *cookie);
         int     (*mgmt_tx_cancel_wait)(struct wiphy *wiphy,
                                        struct net_device *dev,
                                        u64 cookie);
@@ -1617,6 +1631,11 @@ struct cfg80211_ops {
                              u16 status_code, const u8 *buf, size_t len);
         int     (*tdls_oper)(struct wiphy *wiphy, struct net_device *dev,
                              u8 *peer, enum nl80211_tdls_operation oper);
+
+        int     (*probe_client)(struct wiphy *wiphy, struct net_device *dev,
+                                const u8 *peer, u64 *cookie);
+
+        struct ieee80211_channel *(*get_channel)(struct wiphy *wiphy);
 };
 
 /*
@@ -1675,6 +1694,12 @@ struct cfg80211_ops {
  *      teardown packets should be sent through the @NL80211_CMD_TDLS_MGMT
  *      command. When this flag is not set, @NL80211_CMD_TDLS_OPER should be
  *      used for asking the driver/firmware to perform a TDLS operation.
+ * @WIPHY_FLAG_HAVE_AP_SME: device integrates AP SME
+ * @WIPHY_FLAG_REPORTS_OBSS: the device will report beacons from other BSSes
+ *      when there are virtual interfaces in AP mode by calling
+ *      cfg80211_report_obss_beacon().
+ * @WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD: When operating as an AP, the device
+ *      responds to probe-requests in hardware.
  */
 enum wiphy_flags {
         WIPHY_FLAG_CUSTOM_REGULATORY            = BIT(0),
@@ -1693,6 +1718,9 @@ enum wiphy_flags {
         WIPHY_FLAG_AP_UAPSD                     = BIT(14),
         WIPHY_FLAG_SUPPORTS_TDLS                = BIT(15),
         WIPHY_FLAG_TDLS_EXTERNAL_SETUP          = BIT(16),
+        WIPHY_FLAG_HAVE_AP_SME                  = BIT(17),
+        WIPHY_FLAG_REPORTS_OBSS                 = BIT(18),
+        WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD        = BIT(19),
 };
 
 /**
@@ -1865,6 +1893,7 @@ struct wiphy_wowlan_support {
  * @software_iftypes: bitmask of software interface types, these are not
  *      subject to any restrictions since they are purely managed in SW.
  * @flags: wiphy flags, see &enum wiphy_flags
+ * @features: features advertised to nl80211, see &enum nl80211_feature_flags.
  * @bss_priv_size: each BSS struct has private data allocated with it,
  *      this variable determines its size
  * @max_scan_ssids: maximum number of SSIDs the device can scan for in
@@ -1903,6 +1932,8 @@ struct wiphy_wowlan_support {
  *      may request, if implemented.
  *
  * @wowlan: WoWLAN support information
+ *
+ * @ap_sme_capa: AP SME capabilities, flags from &enum nl80211_ap_sme_features.
  */
 struct wiphy {
         /* assign these fields before you register the wiphy */
@@ -1924,7 +1955,9 @@ struct wiphy {
         /* Supported interface modes, OR together BIT(NL80211_IFTYPE_...) */
         u16 interface_modes;
 
-        u32 flags;
+        u32 flags, features;
+
+        u32 ap_sme_capa;
 
         enum cfg80211_signal_type signal_type;
 
@@ -1956,6 +1989,13 @@ struct wiphy {
         u32 available_antennas_tx;
         u32 available_antennas_rx;
 
+        /*
+         * Bitmap of supported protocols for probe response offloading
+         * see &enum nl80211_probe_resp_offload_support_attr. Only valid
+         * when the wiphy flag @WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD is set.
+         */
+        u32 probe_resp_offload;
+
         /* If multiple wiphys are registered and you're handed e.g.
          * a regular netdev with assigned ieee80211_ptr, you won't
          * know whether it points to a wiphy your driver has registered
@@ -2179,6 +2219,8 @@ struct wireless_dev {
 
         int beacon_interval;
 
+        u32 ap_unexpected_nlpid;
+
 #ifdef CONFIG_CFG80211_WEXT
         /* wext data */
         struct {
@@ -2632,8 +2674,10 @@ void cfg80211_sched_scan_stopped(struct wiphy *wiphy);
  *
  * This informs cfg80211 that BSS information was found and
  * the BSS should be updated/added.
+ *
+ * NOTE: Returns a referenced struct, must be released with cfg80211_put_bss()!
  */
-struct cfg80211_bss*
+struct cfg80211_bss * __must_check
 cfg80211_inform_bss_frame(struct wiphy *wiphy,
                           struct ieee80211_channel *channel,
                           struct ieee80211_mgmt *mgmt, size_t len,
@@ -2655,8 +2699,10 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
  *
  * This informs cfg80211 that BSS information was found and
  * the BSS should be updated/added.
+ *
+ * NOTE: Returns a referenced struct, must be released with cfg80211_put_bss()!
  */
-struct cfg80211_bss*
+struct cfg80211_bss * __must_check
 cfg80211_inform_bss(struct wiphy *wiphy,
                     struct ieee80211_channel *channel,
                     const u8 *bssid,
@@ -3185,6 +3231,64 @@ void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
                                      const u8 *bssid, bool preauth, gfp_t gfp);
 
+/**
+ * cfg80211_rx_spurious_frame - inform userspace about a spurious frame
+ * @dev: The device the frame matched to
+ * @addr: the transmitter address
+ * @gfp: context flags
+ *
+ * This function is used in AP mode (only!) to inform userspace that
+ * a spurious class 3 frame was received, to be able to deauth the
+ * sender.
+ * Returns %true if the frame was passed to userspace (or this failed
+ * for a reason other than not having a subscription.)
+ */
+bool cfg80211_rx_spurious_frame(struct net_device *dev,
+                                const u8 *addr, gfp_t gfp);
+
+/**
+ * cfg80211_rx_unexpected_4addr_frame - inform about unexpected WDS frame
+ * @dev: The device the frame matched to
+ * @addr: the transmitter address
+ * @gfp: context flags
+ *
+ * This function is used in AP mode (only!) to inform userspace that
+ * an associated station sent a 4addr frame but that wasn't expected.
+ * It is allowed and desirable to send this event only once for each
+ * station to avoid event flooding.
+ * Returns %true if the frame was passed to userspace (or this failed
+ * for a reason other than not having a subscription.)
+ */
+bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
+                                        const u8 *addr, gfp_t gfp);
+
+/**
+ * cfg80211_probe_status - notify userspace about probe status
+ * @dev: the device the probe was sent on
+ * @addr: the address of the peer
+ * @cookie: the cookie filled in @probe_client previously
+ * @acked: indicates whether probe was acked or not
+ * @gfp: allocation flags
+ */
+void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
+                           u64 cookie, bool acked, gfp_t gfp);
+
+/**
+ * cfg80211_report_obss_beacon - report beacon from other APs
+ * @wiphy: The wiphy that received the beacon
+ * @frame: the frame
+ * @len: length of the frame
+ * @freq: frequency the frame was received on
+ * @gfp: allocation flags
+ *
+ * Use this function to report to userspace when a beacon was
+ * received. It is not useful to call this when there is no
+ * netdev that is in AP/GO mode.
+ */
+void cfg80211_report_obss_beacon(struct wiphy *wiphy,
+                                 const u8 *frame, size_t len,
+                                 int freq, gfp_t gfp);
+
 /* Logging, debugging and troubleshooting/diagnostic helpers. */
 
 /* wiphy_printk helpers, similar to dev_printk */
diff --git a/include/net/ieee80211_radiotap.h b/include/net/ieee80211_radiotap.h
index 7e2c4d483ad0..71392545d0a1 100644
--- a/include/net/ieee80211_radiotap.h
+++ b/include/net/ieee80211_radiotap.h
@@ -271,14 +271,6 @@ enum ieee80211_radiotap_type {
 #define IEEE80211_RADIOTAP_MCS_FEC_LDPC         0x10
 
 
-/* Ugly macro to convert literal channel numbers into their mhz equivalents
- * There are certianly some conditions that will break this (like feeding it '30')
- * but they shouldn't arise since nothing talks on channel 30. */
-#define ieee80211chan2mhz(x) \
-        (((x) <= 14) ? \
-        (((x) == 14) ? 2484 : ((x) * 5) + 2407) : \
-        ((x) + 1000) * 5)
-
 /* helpers */
 static inline int ieee80211_get_radiotap_len(unsigned char *data)
 {
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 72eddd1b410b..0756049ae76d 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -166,6 +166,7 @@ struct ieee80211_low_level_stats {
  *      that it is only ever disabled for station mode.
  * @BSS_CHANGED_IDLE: Idle changed for this BSS/interface.
  * @BSS_CHANGED_SSID: SSID changed for this BSS (AP mode)
+ * @BSS_CHANGED_AP_PROBE_RESP: Probe Response changed for this BSS (AP mode)
  */
 enum ieee80211_bss_change {
         BSS_CHANGED_ASSOC               = 1<<0,
@@ -184,6 +185,7 @@ enum ieee80211_bss_change {
         BSS_CHANGED_QOS                 = 1<<13,
         BSS_CHANGED_IDLE                = 1<<14,
         BSS_CHANGED_SSID                = 1<<15,
+        BSS_CHANGED_AP_PROBE_RESP       = 1<<16,
 
         /* when adding here, make sure to change ieee80211_reconfig */
 };
@@ -518,7 +520,7 @@ struct ieee80211_tx_rate {
  * @flags: transmit info flags, defined above
  * @band: the band to transmit on (use for checking for races)
  * @antenna_sel_tx: antenna to use, 0 for automatic diversity
- * @pad: padding, ignore
+ * @ack_frame_id: internal frame ID for TX status, used internally
  * @control: union for control data
  * @status: union for status data
  * @driver_data: array of driver_data pointers
@@ -535,8 +537,7 @@ struct ieee80211_tx_info {
 
         u8 antenna_sel_tx;
 
-        /* 2 byte hole */
-        u8 pad[2];
+        u16 ack_frame_id;
 
         union {
                 struct {
@@ -901,6 +902,10 @@ static inline bool ieee80211_vif_is_mesh(struct ieee80211_vif *vif)
  * @IEEE80211_KEY_FLAG_SW_MGMT: This flag should be set by the driver for a
  *      CCMP key if it requires CCMP encryption of management frames (MFP) to
  *      be done in software.
+ * @IEEE80211_KEY_FLAG_PUT_IV_SPACE: This flag should be set by the driver
+ *      for a CCMP key if space should be prepared for the IV, but the IV
+ *      itself should not be generated. Do not set together with
+ *      @IEEE80211_KEY_FLAG_GENERATE_IV on the same key.
  */
 enum ieee80211_key_flags {
         IEEE80211_KEY_FLAG_WMM_STA      = 1<<0,
@@ -908,6 +913,7 @@ enum ieee80211_key_flags {
         IEEE80211_KEY_FLAG_GENERATE_MMIC= 1<<2,
         IEEE80211_KEY_FLAG_PAIRWISE     = 1<<3,
         IEEE80211_KEY_FLAG_SW_MGMT      = 1<<4,
+        IEEE80211_KEY_FLAG_PUT_IV_SPACE = 1<<5,
 };
 
 /**
@@ -1304,6 +1310,16 @@ ieee80211_get_alt_retry_rate(const struct ieee80211_hw *hw,
 }
 
 /**
+ * ieee80211_free_txskb - free TX skb
+ * @hw: the hardware
+ * @skb: the skb
+ *
+ * Free a transmit skb. Use this funtion when some failure
+ * to transmit happened and thus status cannot be reported.
+ */
+void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb);
+
+/**
  * DOC: Hardware crypto acceleration
  *
  * mac80211 is capable of taking advantage of many hardware
@@ -2661,6 +2677,19 @@ static inline struct sk_buff *ieee80211_beacon_get(struct ieee80211_hw *hw,
 }
 
 /**
+ * ieee80211_proberesp_get - retrieve a Probe Response template
+ * @hw: pointer obtained from ieee80211_alloc_hw().
+ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
+ *
+ * Creates a Probe Response template which can, for example, be uploaded to
+ * hardware. The destination address should be set by the caller.
+ *
+ * Can only be called in AP mode.
+ */
+struct sk_buff *ieee80211_proberesp_get(struct ieee80211_hw *hw,
+                                        struct ieee80211_vif *vif);
+
+/**
  * ieee80211_pspoll_get - retrieve a PS Poll template
  * @hw: pointer obtained from ieee80211_alloc_hw().
  * @vif: &struct ieee80211_vif pointer from the add_interface callback.
diff --git a/include/net/nfc/nci.h b/include/net/nfc/nci.h
index 39b85bc0804f..cdbe67139343 100644
--- a/include/net/nfc/nci.h
+++ b/include/net/nfc/nci.h
@@ -36,24 +36,23 @@
 /* NCI Status Codes */
 #define NCI_STATUS_OK                                           0x00
 #define NCI_STATUS_REJECTED                                     0x01
-#define NCI_STATUS_MESSAGE_CORRUPTED                            0x02
-#define NCI_STATUS_BUFFER_FULL                                  0x03
-#define NCI_STATUS_FAILED                                       0x04
-#define NCI_STATUS_NOT_INITIALIZED                              0x05
-#define NCI_STATUS_SYNTAX_ERROR                                 0x06
-#define NCI_STATUS_SEMANTIC_ERROR                               0x07
-#define NCI_STATUS_UNKNOWN_GID                                  0x08
-#define NCI_STATUS_UNKNOWN_OID                                  0x09
-#define NCI_STATUS_INVALID_PARAM                                0x0a
-#define NCI_STATUS_MESSAGE_SIZE_EXCEEDED                        0x0b
+#define NCI_STATUS_RF_FRAME_CORRUPTED                           0x02
+#define NCI_STATUS_FAILED                                       0x03
+#define NCI_STATUS_NOT_INITIALIZED                              0x04
+#define NCI_STATUS_SYNTAX_ERROR                                 0x05
+#define NCI_STATUS_SEMANTIC_ERROR                               0x06
+#define NCI_STATUS_UNKNOWN_GID                                  0x07
+#define NCI_STATUS_UNKNOWN_OID                                  0x08
+#define NCI_STATUS_INVALID_PARAM                                0x09
+#define NCI_STATUS_MESSAGE_SIZE_EXCEEDED                        0x0a
 /* Discovery Specific Status Codes */
 #define NCI_STATUS_DISCOVERY_ALREADY_STARTED                    0xa0
 #define NCI_STATUS_DISCOVERY_TARGET_ACTIVATION_FAILED           0xa1
+#define NCI_STATUS_DISCOVERY_TEAR_DOWN                          0xa2
 /* RF Interface Specific Status Codes */
 #define NCI_STATUS_RF_TRANSMISSION_ERROR                        0xb0
 #define NCI_STATUS_RF_PROTOCOL_ERROR                            0xb1
 #define NCI_STATUS_RF_TIMEOUT_ERROR                             0xb2
-#define NCI_STATUS_RF_LINK_LOSS_ERROR                           0xb3
 /* NFCEE Interface Specific Status Codes */
 #define NCI_STATUS_MAX_ACTIVE_NFCEE_INTERFACES_REACHED          0xc0
 #define NCI_STATUS_NFCEE_INTERFACE_ACTIVATION_FAILED            0xc1
@@ -73,6 +72,21 @@
 #define NCI_NFC_A_ACTIVE_LISTEN_MODE                            0x83
 #define NCI_NFC_F_ACTIVE_LISTEN_MODE                            0x85
 
+/* NCI RF Technologies */
+#define NCI_NFC_RF_TECHNOLOGY_A                                 0x00
+#define NCI_NFC_RF_TECHNOLOGY_B                                 0x01
+#define NCI_NFC_RF_TECHNOLOGY_F                                 0x02
+#define NCI_NFC_RF_TECHNOLOGY_15693                             0x03
+
+/* NCI Bit Rates */
+#define NCI_NFC_BIT_RATE_106                                    0x00
+#define NCI_NFC_BIT_RATE_212                                    0x01
+#define NCI_NFC_BIT_RATE_424                                    0x02
+#define NCI_NFC_BIT_RATE_848                                    0x03
+#define NCI_NFC_BIT_RATE_1696                                   0x04
+#define NCI_NFC_BIT_RATE_3392                                   0x05
+#define NCI_NFC_BIT_RATE_6784                                   0x06
+
 /* NCI RF Protocols */
 #define NCI_RF_PROTOCOL_UNKNOWN                                 0x00
 #define NCI_RF_PROTOCOL_T1T                                     0x01
@@ -82,11 +96,21 @@
 #define NCI_RF_PROTOCOL_NFC_DEP                                 0x05
 
 /* NCI RF Interfaces */
-#define NCI_RF_INTERFACE_RFU                                    0x00
+#define NCI_RF_INTERFACE_NFCEE_DIRECT                           0x00
 #define NCI_RF_INTERFACE_FRAME                                  0x01
 #define NCI_RF_INTERFACE_ISO_DEP                                0x02
 #define NCI_RF_INTERFACE_NFC_DEP                                0x03
 
+/* NCI Reset types */
+#define NCI_RESET_TYPE_KEEP_CONFIG                              0x00
+#define NCI_RESET_TYPE_RESET_CONFIG                             0x01
+
+/* NCI Static RF connection ID */
+#define NCI_STATIC_RF_CONN_ID                                   0x00
+
+/* NCI Data Flow Control */
+#define NCI_DATA_FLOW_CONTROL_NOT_USED                          0xff
+
 /* NCI RF_DISCOVER_MAP_CMD modes */
 #define NCI_DISC_MAP_MODE_POLL                                  0x01
 #define NCI_DISC_MAP_MODE_LISTEN                                0x02
@@ -98,8 +122,6 @@
 #define NCI_DISCOVERY_TYPE_POLL_F_PASSIVE                       0x02
 #define NCI_DISCOVERY_TYPE_POLL_A_ACTIVE                        0x03
 #define NCI_DISCOVERY_TYPE_POLL_F_ACTIVE                        0x05
-#define NCI_DISCOVERY_TYPE_WAKEUP_A_PASSIVE                     0x06
-#define NCI_DISCOVERY_TYPE_WAKEUP_B_PASSIVE                     0x07
 #define NCI_DISCOVERY_TYPE_WAKEUP_A_ACTIVE                      0x09
 #define NCI_DISCOVERY_TYPE_LISTEN_A_PASSIVE                     0x80
 #define NCI_DISCOVERY_TYPE_LISTEN_B_PASSIVE                     0x81
@@ -111,8 +133,7 @@
 #define NCI_DEACTIVATE_TYPE_IDLE_MODE                           0x00
 #define NCI_DEACTIVATE_TYPE_SLEEP_MODE                          0x01
 #define NCI_DEACTIVATE_TYPE_SLEEP_AF_MODE                       0x02
-#define NCI_DEACTIVATE_TYPE_RF_LINK_LOSS                        0x03
-#define NCI_DEACTIVATE_TYPE_DISCOVERY_ERROR                     0x04
+#define NCI_DEACTIVATE_TYPE_DISCOVERY                           0x03
 
 /* Message Type (MT) */
 #define NCI_MT_DATA_PKT                                         0x00
@@ -169,18 +190,11 @@ struct nci_data_hdr {
 /* -----  NCI Commands ---- */
 /* ------------------------ */
 #define NCI_OP_CORE_RESET_CMD           nci_opcode_pack(NCI_GID_CORE, 0x00)
-
-#define NCI_OP_CORE_INIT_CMD            nci_opcode_pack(NCI_GID_CORE, 0x01)
-
-#define NCI_OP_CORE_SET_CONFIG_CMD      nci_opcode_pack(NCI_GID_CORE, 0x02)
-
-#define NCI_OP_CORE_CONN_CREATE_CMD     nci_opcode_pack(NCI_GID_CORE, 0x04)
-struct nci_core_conn_create_cmd {
-        __u8    target_handle;
-        __u8    num_target_specific_params;
+struct nci_core_reset_cmd {
+        __u8    reset_type;
 } __packed;
 
-#define NCI_OP_CORE_CONN_CLOSE_CMD      nci_opcode_pack(NCI_GID_CORE, 0x06)
+#define NCI_OP_CORE_INIT_CMD            nci_opcode_pack(NCI_GID_CORE, 0x01)
 
 #define NCI_OP_RF_DISCOVER_MAP_CMD      nci_opcode_pack(NCI_GID_RF_MGMT, 0x00)
 struct disc_map_config {
@@ -218,6 +232,7 @@ struct nci_rf_deactivate_cmd {
 struct nci_core_reset_rsp {
         __u8    status;
         __u8    nci_ver;
+        __u8    config_status;
 } __packed;
 
 #define NCI_OP_CORE_INIT_RSP            nci_opcode_pack(NCI_GID_CORE, 0x01)
@@ -232,24 +247,14 @@ struct nci_core_init_rsp_1 {
 struct nci_core_init_rsp_2 {
         __u8    max_logical_connections;
         __le16  max_routing_table_size;
-        __u8    max_control_packet_payload_length;
-        __le16  rf_sending_buffer_size;
-        __le16  rf_receiving_buffer_size;
-        __le16  manufacturer_id;
-} __packed;
-
-#define NCI_OP_CORE_SET_CONFIG_RSP      nci_opcode_pack(NCI_GID_CORE, 0x02)
-
-#define NCI_OP_CORE_CONN_CREATE_RSP     nci_opcode_pack(NCI_GID_CORE, 0x04)
-struct nci_core_conn_create_rsp {
-        __u8    status;
-        __u8    max_pkt_payload_size;
+        __u8    max_ctrl_pkt_payload_len;
+        __le16  max_size_for_large_params;
+        __u8    max_data_pkt_payload_size;
         __u8    initial_num_credits;
-        __u8    conn_id;
+        __u8    manufact_id;
+        __le32  manufact_specific_info;
 } __packed;
 
-#define NCI_OP_CORE_CONN_CLOSE_RSP      nci_opcode_pack(NCI_GID_CORE, 0x06)
-
 #define NCI_OP_RF_DISCOVER_MAP_RSP      nci_opcode_pack(NCI_GID_RF_MGMT, 0x00)
 
 #define NCI_OP_RF_DISCOVER_RSP          nci_opcode_pack(NCI_GID_RF_MGMT, 0x03)
@@ -270,12 +275,7 @@ struct nci_core_conn_credit_ntf {
         struct conn_credit_entry        conn_entries[NCI_MAX_NUM_CONN];
 } __packed;
 
-#define NCI_OP_RF_FIELD_INFO_NTF        nci_opcode_pack(NCI_GID_CORE, 0x08)
-struct nci_rf_field_info_ntf {
-        __u8    rf_field_status;
-} __packed;
-
-#define NCI_OP_RF_ACTIVATE_NTF          nci_opcode_pack(NCI_GID_RF_MGMT, 0x05)
+#define NCI_OP_RF_INTF_ACTIVATED_NTF    nci_opcode_pack(NCI_GID_RF_MGMT, 0x05)
 struct rf_tech_specific_params_nfca_poll {
         __u16   sens_res;
         __u8    nfcid1_len;     /* 0, 4, 7, or 10 Bytes */
@@ -289,17 +289,20 @@ struct activation_params_nfca_poll_iso_dep {
         __u8    rats_res[20];
 };
 
-struct nci_rf_activate_ntf {
-        __u8    target_handle;
+struct nci_rf_intf_activated_ntf {
+        __u8    rf_discovery_id;
+        __u8    rf_interface_type;
         __u8    rf_protocol;
-        __u8    rf_tech_and_mode;
+        __u8    activation_rf_tech_and_mode;
         __u8    rf_tech_specific_params_len;
 
         union {
                 struct rf_tech_specific_params_nfca_poll nfca_poll;
         } rf_tech_specific_params;
 
-        __u8    rf_interface_type;
+        __u8    data_exch_rf_tech_and_mode;
+        __u8    data_exch_tx_bit_rate;
+        __u8    data_exch_rx_bit_rate;
         __u8    activation_params_len;
 
         union {
@@ -309,5 +312,9 @@ struct nci_rf_activate_ntf {
 } __packed;
 
 #define NCI_OP_RF_DEACTIVATE_NTF        nci_opcode_pack(NCI_GID_RF_MGMT, 0x06)
+struct nci_rf_deactivate_ntf {
+        __u8    type;
+        __u8    reason;
+} __packed;
 
 #endif /* __NCI_H */
diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h
index b8b4bbd7e0fc..c92b69d7e0c2 100644
--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -109,15 +109,12 @@ struct nci_dev {
                                 [NCI_MAX_SUPPORTED_RF_INTERFACES];
         __u8                    max_logical_connections;
         __u16                   max_routing_table_size;
-        __u8                    max_control_packet_payload_length;
-        __u16                   rf_sending_buffer_size;
-        __u16                   rf_receiving_buffer_size;
-        __u16                   manufacturer_id;
-
-        /* received during NCI_OP_CORE_CONN_CREATE_RSP for static conn 0 */
-        __u8                    max_pkt_payload_size;
+        __u8                    max_ctrl_pkt_payload_len;
+        __u16                   max_size_for_large_params;
+        __u8                    max_data_pkt_payload_size;
         __u8                    initial_num_credits;
-        __u8                    conn_id;
+        __u8                    manufact_id;
+        __u32                   manufact_specific_info;
 
         /* stored during nci_data_exchange */
         data_exchange_cb_t      data_exchange_cb;
diff --git a/include/net/sock.h b/include/net/sock.h
index 1331008ad885..1c28f394d8ec 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -563,6 +563,7 @@ enum sock_flags {
         SOCK_FASYNC, /* fasync() active */
         SOCK_RXQ_OVFL,
         SOCK_ZEROCOPY, /* buffers from userspace */
+        SOCK_WIFI_STATUS, /* push wifi status to userspace */
 };
 
 static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
@@ -1714,6 +1715,8 @@ static inline int sock_intr_errno(long timeo)
 
 extern void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
         struct sk_buff *skb);
+extern void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
+        struct sk_buff *skb);
 
 static __inline__ void
 sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
@@ -1741,6 +1744,9 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
                 __sock_recv_timestamp(msg, sk, skb);
         else
                 sk->sk_stamp = kt;
+
+        if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
+                __sock_recv_wifi_status(msg, sk, skb);
 }
 
 extern void __sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,