Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6

19 files changed, 855 insertions, 136 deletions

diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 7ca1f46a471a..250f954f0213 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -10,4 +10,4 @@ obj-$(CONFIG_BT_BNEP)	+= bnep/
 obj-$(CONFIG_BT_CMTP)   += cmtp/
 obj-$(CONFIG_BT_HIDP)   += hidp/
 
-bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o hci_sock.o hci_sysfs.o lib.o
+bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 51c61f75a797..8b602d881fd7 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -91,9 +91,16 @@ static void hci_notify(struct hci_dev *hdev, int event)
 
 /* ---- HCI requests ---- */
 
-void hci_req_complete(struct hci_dev *hdev, int result)
+void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result)
 {
-        BT_DBG("%s result 0x%2.2x", hdev->name, result);
+        BT_DBG("%s command 0x%04x result 0x%2.2x", hdev->name, cmd, result);
+
+        /* If the request has set req_last_cmd (typical for multi-HCI
+         * command requests) check if the completed command matches
+         * this, and if not just return. Single HCI command requests
+         * typically leave req_last_cmd as 0 */
+        if (hdev->req_last_cmd && cmd != hdev->req_last_cmd)
+                return;
 
         if (hdev->req_status == HCI_REQ_PEND) {
                 hdev->req_result = result;
@@ -149,7 +156,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
                 break;
         }
 
-        hdev->req_status = hdev->req_result = 0;
+        hdev->req_last_cmd = hdev->req_status = hdev->req_result = 0;
 
         BT_DBG("%s end: err %d", hdev->name, err);
 
@@ -252,6 +259,8 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
         /* Connection accept timeout ~20 secs */
         param = cpu_to_le16(0x7d00);
         hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
+
+        hdev->req_last_cmd = HCI_OP_WRITE_CA_TIMEOUT;
 }
 
 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
@@ -960,6 +969,7 @@ int hci_register_dev(struct hci_dev *hdev)
                 }
         }
 
+        mgmt_index_added(hdev->id);
         hci_notify(hdev, HCI_DEV_REG);
 
         return id;
@@ -989,6 +999,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
         for (i = 0; i < NUM_REASSEMBLY; i++)
                 kfree_skb(hdev->reassembly[i]);
 
+        mgmt_index_removed(hdev->id);
         hci_notify(hdev, HCI_DEV_UNREG);
 
         if (hdev->rfkill) {
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 8923b36a67a2..38100170d380 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -58,7 +58,7 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
 
         clear_bit(HCI_INQUIRY, &hdev->flags);
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
 
         hci_conn_check_pending(hdev);
 }
@@ -174,7 +174,7 @@ static void hci_cc_write_def_link_policy(struct hci_dev *hdev, struct sk_buff *s
         if (!status)
                 hdev->link_policy = get_unaligned_le16(sent);
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, status);
 }
 
 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
@@ -183,7 +183,7 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
 
         BT_DBG("%s status 0x%x", hdev->name, status);
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_RESET, status);
 }
 
 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -235,7 +235,7 @@ static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
                         clear_bit(HCI_AUTH, &hdev->flags);
         }
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_WRITE_AUTH_ENABLE, status);
 }
 
 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
@@ -258,7 +258,7 @@ static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
                         clear_bit(HCI_ENCRYPT, &hdev->flags);
         }
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_WRITE_ENCRYPT_MODE, status);
 }
 
 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
@@ -285,7 +285,7 @@ static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
                         set_bit(HCI_PSCAN, &hdev->flags);
         }
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_WRITE_SCAN_ENABLE, status);
 }
 
 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
@@ -383,7 +383,7 @@ static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
 
         BT_DBG("%s status 0x%x", hdev->name, status);
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_HOST_BUFFER_SIZE, status);
 }
 
 static void hci_cc_read_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
@@ -536,7 +536,16 @@ static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
         if (!rp->status)
                 bacpy(&hdev->bdaddr, &rp->bdaddr);
 
-        hci_req_complete(hdev, rp->status);
+        hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status);
+}
+
+static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+
+        BT_DBG("%s status 0x%x", hdev->name, status);
+
+        hci_req_complete(hdev, HCI_OP_WRITE_CA_TIMEOUT, status);
 }
 
 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
@@ -544,7 +553,7 @@ static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
         BT_DBG("%s status 0x%x", hdev->name, status);
 
         if (status) {
-                hci_req_complete(hdev, status);
+                hci_req_complete(hdev, HCI_OP_INQUIRY, status);
 
                 hci_conn_check_pending(hdev);
         } else
@@ -871,7 +880,7 @@ static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff
 
         clear_bit(HCI_INQUIRY, &hdev->flags);
 
-        hci_req_complete(hdev, status);
+        hci_req_complete(hdev, HCI_OP_INQUIRY, status);
 
         hci_conn_check_pending(hdev);
 }
@@ -1379,6 +1388,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
                 hci_cc_read_bd_addr(hdev, skb);
                 break;
 
+        case HCI_OP_WRITE_CA_TIMEOUT:
+                hci_cc_write_ca_timeout(hdev, skb);
+                break;
+
         default:
                 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
                 break;
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b3753bad2a55..29827c77f6ce 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -49,6 +49,8 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 
+static int enable_mgmt;
+
 /* ----- HCI socket interface ----- */
 
 static inline int hci_test_bit(int nr, void *addr)
@@ -102,6 +104,12 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
                 if (skb->sk == sk)
                         continue;
 
+                if (bt_cb(skb)->channel != hci_pi(sk)->channel)
+                        continue;
+
+                if (bt_cb(skb)->channel == HCI_CHANNEL_CONTROL)
+                        goto clone;
+
                 /* Apply filter */
                 flt = &hci_pi(sk)->filter;
 
@@ -125,12 +133,14 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
                                 continue;
                 }
 
+clone:
                 nskb = skb_clone(skb, GFP_ATOMIC);
                 if (!nskb)
                         continue;
 
                 /* Put type byte before the data */
-                memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1);
+                if (bt_cb(skb)->channel == HCI_CHANNEL_RAW)
+                        memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1);
 
                 if (sock_queue_rcv_skb(sk, nskb))
                         kfree_skb(nskb);
@@ -353,25 +363,38 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long a
 
 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
 {
-        struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
+        struct sockaddr_hci haddr;
         struct sock *sk = sock->sk;
         struct hci_dev *hdev = NULL;
-        int err = 0;
+        int len, err = 0;
 
         BT_DBG("sock %p sk %p", sock, sk);
 
-        if (!haddr || haddr->hci_family != AF_BLUETOOTH)
+        if (!addr)
+                return -EINVAL;
+
+        memset(&haddr, 0, sizeof(haddr));
+        len = min_t(unsigned int, sizeof(haddr), addr_len);
+        memcpy(&haddr, addr, len);
+
+        if (haddr.hci_family != AF_BLUETOOTH)
+                return -EINVAL;
+
+        if (haddr.hci_channel > HCI_CHANNEL_CONTROL)
+                return -EINVAL;
+
+        if (haddr.hci_channel == HCI_CHANNEL_CONTROL && !enable_mgmt)
                 return -EINVAL;
 
         lock_sock(sk);
 
-        if (hci_pi(sk)->hdev) {
+        if (sk->sk_state == BT_BOUND || hci_pi(sk)->hdev) {
                 err = -EALREADY;
                 goto done;
         }
 
-        if (haddr->hci_dev != HCI_DEV_NONE) {
-                hdev = hci_dev_get(haddr->hci_dev);
+        if (haddr.hci_dev != HCI_DEV_NONE) {
+                hdev = hci_dev_get(haddr.hci_dev);
                 if (!hdev) {
                         err = -ENODEV;
                         goto done;
@@ -380,6 +403,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
                 atomic_inc(&hdev->promisc);
         }
 
+        hci_pi(sk)->channel = haddr.hci_channel;
         hci_pi(sk)->hdev = hdev;
         sk->sk_state = BT_BOUND;
 
@@ -502,6 +526,17 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
         lock_sock(sk);
 
+        switch (hci_pi(sk)->channel) {
+        case HCI_CHANNEL_RAW:
+                break;
+        case HCI_CHANNEL_CONTROL:
+                err = mgmt_control(sk, msg, len);
+                goto done;
+        default:
+                err = -EINVAL;
+                goto done;
+        }
+
         hdev = hci_pi(sk)->hdev;
         if (!hdev) {
                 err = -EBADFD;
@@ -831,3 +866,6 @@ void __exit hci_sock_cleanup(void)
 
         proto_unregister(&hci_sk_proto);
 }
+
+module_param(enable_mgmt, bool, 0644);
+MODULE_PARM_DESC(enable_mgmt, "Enable Management interface");
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index c12eccfdfe01..c791fcda7b2d 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3124,8 +3124,14 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
         if (!sk)
                 return -ENOENT;
 
-        if (sk->sk_state == BT_DISCONN)
+        if (sk->sk_state != BT_CONFIG) {
+                struct l2cap_cmd_rej rej;
+
+                rej.reason = cpu_to_le16(0x0002);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
+                                sizeof(rej), &rej);
                 goto unlock;
+        }
 
         /* Reject if config buffer is too small. */
         len = cmd_len - sizeof(*req);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
new file mode 100644
index 000000000000..f827fd908380
--- /dev/null
+++ b/net/bluetooth/mgmt.c
@@ -0,0 +1,308 @@
+/*
+   BlueZ - Bluetooth protocol stack for Linux
+   Copyright (C) 2010  Nokia Corporation
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License version 2 as
+   published by the Free Software Foundation;
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
+   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
+   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
+   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
+   SOFTWARE IS DISCLAIMED.
+*/
+
+/* Bluetooth HCI Management interface */
+
+#include <asm/uaccess.h>
+#include <asm/unaligned.h>
+
+#include <net/bluetooth/bluetooth.h>
+#include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/mgmt.h>
+
+#define MGMT_VERSION    0
+#define MGMT_REVISION   1
+
+static int cmd_status(struct sock *sk, u16 cmd, u8 status)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+        struct mgmt_ev_cmd_status *ev;
+
+        BT_DBG("sock %p", sk);
+
+        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev), GFP_ATOMIC);
+        if (!skb)
+                return -ENOMEM;
+
+        hdr = (void *) skb_put(skb, sizeof(*hdr));
+
+        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_STATUS);
+        hdr->len = cpu_to_le16(sizeof(*ev));
+
+        ev = (void *) skb_put(skb, sizeof(*ev));
+        ev->status = status;
+        put_unaligned_le16(cmd, &ev->opcode);
+
+        if (sock_queue_rcv_skb(sk, skb) < 0)
+                kfree_skb(skb);
+
+        return 0;
+}
+
+static int read_version(struct sock *sk)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+        struct mgmt_ev_cmd_complete *ev;
+        struct mgmt_rp_read_version *rp;
+
+        BT_DBG("sock %p", sk);
+
+        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + sizeof(*rp), GFP_ATOMIC);
+        if (!skb)
+                return -ENOMEM;
+
+        hdr = (void *) skb_put(skb, sizeof(*hdr));
+        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
+        hdr->len = cpu_to_le16(sizeof(*ev) + sizeof(*rp));
+
+        ev = (void *) skb_put(skb, sizeof(*ev));
+        put_unaligned_le16(MGMT_OP_READ_VERSION, &ev->opcode);
+
+        rp = (void *) skb_put(skb, sizeof(*rp));
+        rp->version = MGMT_VERSION;
+        put_unaligned_le16(MGMT_REVISION, &rp->revision);
+
+        if (sock_queue_rcv_skb(sk, skb) < 0)
+                kfree_skb(skb);
+
+        return 0;
+}
+
+static int read_index_list(struct sock *sk)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+        struct mgmt_ev_cmd_complete *ev;
+        struct mgmt_rp_read_index_list *rp;
+        struct list_head *p;
+        size_t body_len;
+        u16 count;
+        int i;
+
+        BT_DBG("sock %p", sk);
+
+        read_lock(&hci_dev_list_lock);
+
+        count = 0;
+        list_for_each(p, &hci_dev_list) {
+                count++;
+        }
+
+        body_len = sizeof(*ev) + sizeof(*rp) + (2 * count);
+        skb = alloc_skb(sizeof(*hdr) + body_len, GFP_ATOMIC);
+        if (!skb)
+                return -ENOMEM;
+
+        hdr = (void *) skb_put(skb, sizeof(*hdr));
+        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
+        hdr->len = cpu_to_le16(body_len);
+
+        ev = (void *) skb_put(skb, sizeof(*ev));
+        put_unaligned_le16(MGMT_OP_READ_INDEX_LIST, &ev->opcode);
+
+        rp = (void *) skb_put(skb, sizeof(*rp) + (2 * count));
+        put_unaligned_le16(count, &rp->num_controllers);
+
+        i = 0;
+        list_for_each(p, &hci_dev_list) {
+                struct hci_dev *d = list_entry(p, struct hci_dev, list);
+                put_unaligned_le16(d->id, &rp->index[i++]);
+                BT_DBG("Added hci%u", d->id);
+        }
+
+        read_unlock(&hci_dev_list_lock);
+
+        if (sock_queue_rcv_skb(sk, skb) < 0)
+                kfree_skb(skb);
+
+        return 0;
+}
+
+static int read_controller_info(struct sock *sk, unsigned char *data, u16 len)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+        struct mgmt_ev_cmd_complete *ev;
+        struct mgmt_rp_read_info *rp;
+        struct mgmt_cp_read_info *cp;
+        struct hci_dev *hdev;
+        u16 dev_id;
+
+        BT_DBG("sock %p", sk);
+
+        if (len != 2)
+                return cmd_status(sk, MGMT_OP_READ_INFO, EINVAL);
+
+        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + sizeof(*rp), GFP_ATOMIC);
+        if (!skb)
+                return -ENOMEM;
+
+        hdr = (void *) skb_put(skb, sizeof(*hdr));
+        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
+        hdr->len = cpu_to_le16(sizeof(*ev) + sizeof(*rp));
+
+        ev = (void *) skb_put(skb, sizeof(*ev));
+        put_unaligned_le16(MGMT_OP_READ_INFO, &ev->opcode);
+
+        rp = (void *) skb_put(skb, sizeof(*rp));
+
+        cp = (void *) data;
+        dev_id = get_unaligned_le16(&cp->index);
+
+        BT_DBG("request for hci%u", dev_id);
+
+        hdev = hci_dev_get(dev_id);
+        if (!hdev) {
+                kfree_skb(skb);
+                return cmd_status(sk, MGMT_OP_READ_INFO, ENODEV);
+        }
+
+        hci_dev_lock_bh(hdev);
+
+        put_unaligned_le16(hdev->id, &rp->index);
+        rp->type = hdev->dev_type;
+
+        rp->powered = test_bit(HCI_UP, &hdev->flags);
+        rp->discoverable = test_bit(HCI_ISCAN, &hdev->flags);
+        rp->pairable = test_bit(HCI_PSCAN, &hdev->flags);
+
+        if (test_bit(HCI_AUTH, &hdev->flags))
+                rp->sec_mode = 3;
+        else if (hdev->ssp_mode > 0)
+                rp->sec_mode = 4;
+        else
+                rp->sec_mode = 2;
+
+        bacpy(&rp->bdaddr, &hdev->bdaddr);
+        memcpy(rp->features, hdev->features, 8);
+        memcpy(rp->dev_class, hdev->dev_class, 3);
+        put_unaligned_le16(hdev->manufacturer, &rp->manufacturer);
+        rp->hci_ver = hdev->hci_ver;
+        put_unaligned_le16(hdev->hci_rev, &rp->hci_rev);
+
+        hci_dev_unlock_bh(hdev);
+        hci_dev_put(hdev);
+
+        if (sock_queue_rcv_skb(sk, skb) < 0)
+                kfree_skb(skb);
+
+        return 0;
+}
+
+int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
+{
+        unsigned char *buf;
+        struct mgmt_hdr *hdr;
+        u16 opcode, len;
+        int err;
+
+        BT_DBG("got %zu bytes", msglen);
+
+        if (msglen < sizeof(*hdr))
+                return -EINVAL;
+
+        buf = kmalloc(msglen, GFP_ATOMIC);
+        if (!buf)
+                return -ENOMEM;
+
+        if (memcpy_fromiovec(buf, msg->msg_iov, msglen)) {
+                err = -EFAULT;
+                goto done;
+        }
+
+        hdr = (struct mgmt_hdr *) buf;
+        opcode = get_unaligned_le16(&hdr->opcode);
+        len = get_unaligned_le16(&hdr->len);
+
+        if (len != msglen - sizeof(*hdr)) {
+                err = -EINVAL;
+                goto done;
+        }
+
+        switch (opcode) {
+        case MGMT_OP_READ_VERSION:
+                err = read_version(sk);
+                break;
+        case MGMT_OP_READ_INDEX_LIST:
+                err = read_index_list(sk);
+                break;
+        case MGMT_OP_READ_INFO:
+                err = read_controller_info(sk, buf + sizeof(*hdr), len);
+                break;
+        default:
+                BT_DBG("Unknown op %u", opcode);
+                err = cmd_status(sk, opcode, 0x01);
+                break;
+        }
+
+        if (err < 0)
+                goto done;
+
+        err = msglen;
+
+done:
+        kfree(buf);
+        return err;
+}
+
+static int mgmt_event(u16 event, void *data, u16 data_len)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+
+        skb = alloc_skb(sizeof(*hdr) + data_len, GFP_ATOMIC);
+        if (!skb)
+                return -ENOMEM;
+
+        bt_cb(skb)->channel = HCI_CHANNEL_CONTROL;
+
+        hdr = (void *) skb_put(skb, sizeof(*hdr));
+        hdr->opcode = cpu_to_le16(event);
+        hdr->len = cpu_to_le16(data_len);
+
+        memcpy(skb_put(skb, data_len), data, data_len);
+
+        hci_send_to_sock(NULL, skb);
+        kfree_skb(skb);
+
+        return 0;
+}
+
+int mgmt_index_added(u16 index)
+{
+        struct mgmt_ev_index_added ev;
+
+        put_unaligned_le16(index, &ev.index);
+
+        return mgmt_event(MGMT_EV_INDEX_ADDED, &ev, sizeof(ev));
+}
+
+int mgmt_index_removed(u16 index)
+{
+        struct mgmt_ev_index_added ev;
+
+        put_unaligned_le16(index, &ev.index);
+
+        return mgmt_event(MGMT_EV_INDEX_REMOVED, &ev, sizeof(ev));
+}
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 5892b0302454..4bc8a9250cfd 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1593,6 +1593,37 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
         return 0;
 }
 
+static int ieee80211_remain_on_channel_hw(struct ieee80211_local *local,
+                                          struct net_device *dev,
+                                          struct ieee80211_channel *chan,
+                                          enum nl80211_channel_type chantype,
+                                          unsigned int duration, u64 *cookie)
+{
+        int ret;
+        u32 random_cookie;
+
+        lockdep_assert_held(&local->mtx);
+
+        if (local->hw_roc_cookie)
+                return -EBUSY;
+        /* must be nonzero */
+        random_cookie = random32() | 1;
+
+        *cookie = random_cookie;
+        local->hw_roc_dev = dev;
+        local->hw_roc_cookie = random_cookie;
+        local->hw_roc_channel = chan;
+        local->hw_roc_channel_type = chantype;
+        local->hw_roc_duration = duration;
+        ret = drv_remain_on_channel(local, chan, chantype, duration);
+        if (ret) {
+                local->hw_roc_channel = NULL;
+                local->hw_roc_cookie = 0;
+        }
+
+        return ret;
+}
+
 static int ieee80211_remain_on_channel(struct wiphy *wiphy,
                                        struct net_device *dev,
                                        struct ieee80211_channel *chan,
@@ -1601,16 +1632,63 @@ static int ieee80211_remain_on_channel(struct wiphy *wiphy,
                                        u64 *cookie)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
+
+        if (local->ops->remain_on_channel) {
+                int ret;
+
+                mutex_lock(&local->mtx);
+                ret = ieee80211_remain_on_channel_hw(local, dev,
+                                                     chan, channel_type,
+                                                     duration, cookie);
+                local->hw_roc_for_tx = false;
+                mutex_unlock(&local->mtx);
+
+                return ret;
+        }
 
         return ieee80211_wk_remain_on_channel(sdata, chan, channel_type,
                                               duration, cookie);
 }
 
+static int ieee80211_cancel_remain_on_channel_hw(struct ieee80211_local *local,
+                                                 u64 cookie)
+{
+        int ret;
+
+        lockdep_assert_held(&local->mtx);
+
+        if (local->hw_roc_cookie != cookie)
+                return -ENOENT;
+
+        ret = drv_cancel_remain_on_channel(local);
+        if (ret)
+                return ret;
+
+        local->hw_roc_cookie = 0;
+        local->hw_roc_channel = NULL;
+
+        ieee80211_recalc_idle(local);
+
+        return 0;
+}
+
 static int ieee80211_cancel_remain_on_channel(struct wiphy *wiphy,
                                               struct net_device *dev,
                                               u64 cookie)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
+
+        if (local->ops->cancel_remain_on_channel) {
+                int ret;
+
+                mutex_lock(&local->mtx);
+                ret = ieee80211_cancel_remain_on_channel_hw(local, cookie);
+                mutex_unlock(&local->mtx);
+
+                return ret;
+        }
 
         return ieee80211_wk_cancel_remain_on_channel(sdata, cookie);
 }
@@ -1662,6 +1740,12 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev,
              channel_type != local->_oper_channel_type))
                 is_offchan = true;
 
+        if (chan == local->hw_roc_channel) {
+                /* TODO: check channel type? */
+                is_offchan = false;
+                flags |= IEEE80211_TX_CTL_TX_OFFCHAN;
+        }
+
         if (is_offchan && !offchan)
                 return -EBUSY;
 
@@ -1700,6 +1784,49 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev,
 
         *cookie = (unsigned long) skb;
 
+        if (is_offchan && local->ops->remain_on_channel) {
+                unsigned int duration;
+                int ret;
+
+                mutex_lock(&local->mtx);
+                /*
+                 * If the duration is zero, then the driver
+                 * wouldn't actually do anything. Set it to
+                 * 100 for now.
+                 *
+                 * TODO: cancel the off-channel operation
+                 *       when we get the SKB's TX status and
+                 *       the wait time was zero before.
+                 */
+                duration = 100;
+                if (wait)
+                        duration = wait;
+                ret = ieee80211_remain_on_channel_hw(local, dev, chan,
+                                                     channel_type,
+                                                     duration, cookie);
+                if (ret) {
+                        kfree_skb(skb);
+                        mutex_unlock(&local->mtx);
+                        return ret;
+                }
+
+                local->hw_roc_for_tx = true;
+                local->hw_roc_duration = wait;
+
+                /*
+                 * queue up frame for transmission after
+                 * ieee80211_ready_on_channel call
+                 */
+
+                /* modify cookie to prevent API mismatches */
+                *cookie ^= 2;
+                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_TX_OFFCHAN;
+                local->hw_roc_skb = skb;
+                mutex_unlock(&local->mtx);
+
+                return 0;
+        }
+
         /*
          * Can transmit right away if the channel was the
          * right one and there's no wait involved... If a
@@ -1740,6 +1867,21 @@ static int ieee80211_mgmt_tx_cancel_wait(struct wiphy *wiphy,
         int ret = -ENOENT;
 
         mutex_lock(&local->mtx);
+
+        if (local->ops->cancel_remain_on_channel) {
+                cookie ^= 2;
+                ret = ieee80211_cancel_remain_on_channel_hw(local, cookie);
+
+                if (ret == 0) {
+                        kfree_skb(local->hw_roc_skb);
+                        local->hw_roc_skb = NULL;
+                }
+
+                mutex_unlock(&local->mtx);
+
+                return ret;
+        }
+
         list_for_each_entry(wk, &local->work_list, list) {
                 if (wk->sdata != sdata)
                         continue;
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index af0c4398cceb..98d589960a49 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -465,4 +465,34 @@ static inline int drv_get_antenna(struct ieee80211_local *local,
         return ret;
 }
 
+static inline int drv_remain_on_channel(struct ieee80211_local *local,
+                                        struct ieee80211_channel *chan,
+                                        enum nl80211_channel_type chantype,
+                                        unsigned int duration)
+{
+        int ret;
+
+        might_sleep();
+
+        trace_drv_remain_on_channel(local, chan, chantype, duration);
+        ret = local->ops->remain_on_channel(&local->hw, chan, chantype,
+                                            duration);
+        trace_drv_return_int(local, ret);
+
+        return ret;
+}
+
+static inline int drv_cancel_remain_on_channel(struct ieee80211_local *local)
+{
+        int ret;
+
+        might_sleep();
+
+        trace_drv_cancel_remain_on_channel(local);
+        ret = local->ops->cancel_remain_on_channel(&local->hw);
+        trace_drv_return_int(local, ret);
+
+        return ret;
+}
+
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index c2772f23ac9c..49c84218b2f4 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -933,6 +933,50 @@ TRACE_EVENT(drv_get_antenna,
         )
 );
 
+TRACE_EVENT(drv_remain_on_channel,
+        TP_PROTO(struct ieee80211_local *local, struct ieee80211_channel *chan,
+                 enum nl80211_channel_type chantype, unsigned int duration),
+
+        TP_ARGS(local, chan, chantype, duration),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(int, center_freq)
+                __field(int, channel_type)
+                __field(unsigned int, duration)
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->center_freq = chan->center_freq;
+                __entry->channel_type = chantype;
+                __entry->duration = duration;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT " freq:%dMHz duration:%dms",
+                LOCAL_PR_ARG, __entry->center_freq, __entry->duration
+        )
+);
+
+TRACE_EVENT(drv_cancel_remain_on_channel,
+        TP_PROTO(struct ieee80211_local *local),
+
+        TP_ARGS(local),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT, LOCAL_PR_ARG
+        )
+);
+
 /*
  * Tracing for API calls that drivers call.
  */
@@ -1170,6 +1214,42 @@ TRACE_EVENT(api_chswitch_done,
         )
 );
 
+TRACE_EVENT(api_ready_on_channel,
+        TP_PROTO(struct ieee80211_local *local),
+
+        TP_ARGS(local),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT, LOCAL_PR_ARG
+        )
+);
+
+TRACE_EVENT(api_remain_on_channel_expired,
+        TP_PROTO(struct ieee80211_local *local),
+
+        TP_ARGS(local),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT, LOCAL_PR_ARG
+        )
+);
+
 /*
  * Tracing for internal functions
  * (which may also be called in response to driver calls)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index a05893a238b7..c47d7c0e48a4 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -168,6 +168,7 @@ typedef unsigned __bitwise__ ieee80211_rx_result;
  * @IEEE80211_RX_FRAGMENTED: fragmented frame
  * @IEEE80211_RX_AMSDU: a-MSDU packet
  * @IEEE80211_RX_MALFORMED_ACTION_FRM: action frame is malformed
+ * @IEEE80211_RX_DEFERRED_RELEASE: frame was subjected to receive reordering
  *
  * These are per-frame flags that are attached to a frame in the
  * @rx_flags field of &struct ieee80211_rx_status.
@@ -178,6 +179,7 @@ enum ieee80211_packet_rx_flags {
         IEEE80211_RX_FRAGMENTED                 = BIT(2),
         IEEE80211_RX_AMSDU                      = BIT(3),
         IEEE80211_RX_MALFORMED_ACTION_FRM       = BIT(4),
+        IEEE80211_RX_DEFERRED_RELEASE           = BIT(5),
 };
 
 /**
@@ -774,6 +776,15 @@ struct ieee80211_local {
         struct sk_buff_head skb_queue;
         struct sk_buff_head skb_queue_unreliable;
 
+        /*
+         * Internal FIFO queue which is shared between multiple rx path
+         * stages. Its main task is to provide a serialization mechanism,
+         * so all rx handlers can enjoy having exclusive access to their
+         * private data structures.
+         */
+        struct sk_buff_head rx_skb_queue;
+        bool running_rx_handler;        /* protected by rx_skb_queue.lock */
+
         /* Station data */
         /*
          * The mutex only protects the list and counter,
@@ -940,6 +951,15 @@ struct ieee80211_local {
         } debugfs;
 #endif
 
+        struct ieee80211_channel *hw_roc_channel;
+        struct net_device *hw_roc_dev;
+        struct sk_buff *hw_roc_skb;
+        struct work_struct hw_roc_start, hw_roc_done;
+        enum nl80211_channel_type hw_roc_channel_type;
+        unsigned int hw_roc_duration;
+        u32 hw_roc_cookie;
+        bool hw_roc_for_tx;
+
         /* dummy netdev for use w/ NAPI */
         struct net_device napi_dev;
 
@@ -1131,6 +1151,7 @@ void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local);
 void ieee80211_offchannel_stop_station(struct ieee80211_local *local);
 void ieee80211_offchannel_return(struct ieee80211_local *local,
                                  bool enable_beaconing);
+void ieee80211_hw_roc_setup(struct ieee80211_local *local);
 
 /* interface handling */
 int ieee80211_iface_init(void);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index b6db237672ff..8acba456744e 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1264,7 +1264,7 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
 {
         struct ieee80211_sub_if_data *sdata;
         int count = 0;
-        bool working = false, scanning = false;
+        bool working = false, scanning = false, hw_roc = false;
         struct ieee80211_work *wk;
         unsigned int led_trig_start = 0, led_trig_stop = 0;
 
@@ -1308,6 +1308,9 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
                 local->scan_sdata->vif.bss_conf.idle = false;
         }
 
+        if (local->hw_roc_channel)
+                hw_roc = true;
+
         list_for_each_entry(sdata, &local->interfaces, list) {
                 if (sdata->old_idle == sdata->vif.bss_conf.idle)
                         continue;
@@ -1316,7 +1319,7 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
                 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_IDLE);
         }
 
-        if (working || scanning)
+        if (working || scanning || hw_roc)
                 led_trig_start |= IEEE80211_TPT_LEDTRIG_FL_WORK;
         else
                 led_trig_stop |= IEEE80211_TPT_LEDTRIG_FL_WORK;
@@ -1328,6 +1331,8 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
 
         ieee80211_mod_tpt_led_trig(local, led_trig_start, led_trig_stop);
 
+        if (hw_roc)
+                return ieee80211_idle_off(local, "hw remain-on-channel");
         if (working)
                 return ieee80211_idle_off(local, "working");
         if (scanning)
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 84cf9196820f..8c02469b7176 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -30,19 +30,20 @@
  * keys and per-station keys. Since each station belongs to an interface,
  * each station key also belongs to that interface.
  *
- * Hardware acceleration is done on a best-effort basis, for each key
- * that is eligible the hardware is asked to enable that key but if
- * it cannot do that they key is simply kept for software encryption.
- * There is currently no way of knowing this except by looking into
- * debugfs.
+ * Hardware acceleration is done on a best-effort basis for algorithms
+ * that are implemented in software,  for each key the hardware is asked
+ * to enable that key for offloading but if it cannot do that the key is
+ * simply kept for software encryption (unless it is for an algorithm
+ * that isn't implemented in software).
+ * There is currently no way of knowing whether a key is handled in SW
+ * or HW except by looking into debugfs.
  *
- * All key operations are protected internally.
- *
- * Within mac80211, key references are, just as STA structure references,
- * protected by RCU. Note, however, that some things are unprotected,
- * namely the key->sta dereferences within the hardware acceleration
- * functions. This means that sta_info_destroy() must remove the key
- * which waits for an RCU grace period.
+ * All key management is internally protected by a mutex. Within all
+ * other parts of mac80211, key references are, just as STA structure
+ * references, protected by RCU. Note, however, that some things are
+ * unprotected, namely the key->sta dereferences within the hardware
+ * acceleration functions. This means that sta_info_destroy() must
+ * remove the key which waits for an RCU grace period.
  */
 
 static const u8 bcast_addr[ETH_ALEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
@@ -279,13 +280,8 @@ static void __ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
                                                          new->conf.keyidx);
         }
 
-        if (old) {
-                /*
-                 * We'll use an empty list to indicate that the key
-                 * has already been removed.
-                 */
-                list_del_init(&old->list);
-        }
+        if (old)
+                list_del(&old->list);
 }
 
 struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
@@ -379,6 +375,12 @@ static void __ieee80211_key_destroy(struct ieee80211_key *key)
         if (!key)
                 return;
 
+        /*
+         * Synchronize so the TX path can no longer be using
+         * this key before we free/remove it.
+         */
+        synchronize_rcu();
+
         if (key->local)
                 ieee80211_key_disable_hw_accel(key);
 
@@ -420,8 +422,8 @@ int ieee80211_key_link(struct ieee80211_key *key,
                         struct sta_info *ap;
 
                         /*
-                         * We're getting a sta pointer in,
-                         * so must be under RCU read lock.
+                         * We're getting a sta pointer in, so must be under
+                         * appropriate locking for sta_info_get().
                          */
 
                         /* same here, the AP could be using QoS */
diff --git a/net/mac80211/led.c b/net/mac80211/led.c
index 4905eb8af572..14590332c81c 100644
--- a/net/mac80211/led.c
+++ b/net/mac80211/led.c
@@ -215,8 +215,8 @@ static void tpt_trig_timer(unsigned long data)
         read_unlock(&tpt_trig->trig.leddev_list_lock);
 }
 
-extern char *__ieee80211_create_tpt_led_trigger(
-                                struct ieee80211_hw *hw, unsigned int flags,
+char *__ieee80211_create_tpt_led_trigger(struct ieee80211_hw *hw,
+                                unsigned int flags,
                                 const struct ieee80211_tpt_blink *blink_table,
                                 unsigned int blink_table_len)
 {
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index bbe8e0ac6e52..485d36bc9a46 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -569,6 +569,8 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         spin_lock_init(&local->filter_lock);
         spin_lock_init(&local->queue_stop_reason_lock);
 
+        skb_queue_head_init(&local->rx_skb_queue);
+
         INIT_DELAYED_WORK(&local->scan_work, ieee80211_scan_work);
 
         ieee80211_work_init(local);
@@ -607,6 +609,8 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
 
         ieee80211_led_names(local);
 
+        ieee80211_hw_roc_setup(local);
+
         return local_to_hw(local);
 }
 EXPORT_SYMBOL(ieee80211_alloc_hw);
@@ -751,7 +755,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                 }
         }
 
-        local->hw.wiphy->max_remain_on_channel_duration = 5000;
+        if (!local->ops->remain_on_channel)
+                local->hw.wiphy->max_remain_on_channel_duration = 5000;
 
         result = wiphy_register(local->hw.wiphy);
         if (result < 0)
@@ -914,6 +919,7 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
                 wiphy_warn(local->hw.wiphy, "skb_queue not empty\n");
         skb_queue_purge(&local->skb_queue);
         skb_queue_purge(&local->skb_queue_unreliable);
+        skb_queue_purge(&local->rx_skb_queue);
 
         destroy_workqueue(local->workqueue);
         wiphy_unregister(local->hw.wiphy);
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 4b564091e51d..b4e52676f3fb 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -14,6 +14,7 @@
  */
 #include <net/mac80211.h>
 #include "ieee80211_i.h"
+#include "driver-trace.h"
 
 /*
  * inform AP that we will go to sleep so that it will buffer the frames
@@ -190,3 +191,87 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
         }
         mutex_unlock(&local->iflist_mtx);
 }
+
+static void ieee80211_hw_roc_start(struct work_struct *work)
+{
+        struct ieee80211_local *local =
+                container_of(work, struct ieee80211_local, hw_roc_start);
+        struct ieee80211_sub_if_data *sdata;
+
+        mutex_lock(&local->mtx);
+
+        if (!local->hw_roc_channel) {
+                mutex_unlock(&local->mtx);
+                return;
+        }
+
+        ieee80211_recalc_idle(local);
+
+        if (local->hw_roc_skb) {
+                sdata = IEEE80211_DEV_TO_SUB_IF(local->hw_roc_dev);
+                ieee80211_tx_skb(sdata, local->hw_roc_skb);
+                local->hw_roc_skb = NULL;
+        } else {
+                cfg80211_ready_on_channel(local->hw_roc_dev,
+                                          local->hw_roc_cookie,
+                                          local->hw_roc_channel,
+                                          local->hw_roc_channel_type,
+                                          local->hw_roc_duration,
+                                          GFP_KERNEL);
+        }
+
+        mutex_unlock(&local->mtx);
+}
+
+void ieee80211_ready_on_channel(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+
+        trace_api_ready_on_channel(local);
+
+        ieee80211_queue_work(hw, &local->hw_roc_start);
+}
+EXPORT_SYMBOL_GPL(ieee80211_ready_on_channel);
+
+static void ieee80211_hw_roc_done(struct work_struct *work)
+{
+        struct ieee80211_local *local =
+                container_of(work, struct ieee80211_local, hw_roc_done);
+
+        mutex_lock(&local->mtx);
+
+        if (!local->hw_roc_channel) {
+                mutex_unlock(&local->mtx);
+                return;
+        }
+
+        if (!local->hw_roc_for_tx)
+                cfg80211_remain_on_channel_expired(local->hw_roc_dev,
+                                                   local->hw_roc_cookie,
+                                                   local->hw_roc_channel,
+                                                   local->hw_roc_channel_type,
+                                                   GFP_KERNEL);
+
+        local->hw_roc_channel = NULL;
+        local->hw_roc_cookie = 0;
+
+        ieee80211_recalc_idle(local);
+
+        mutex_unlock(&local->mtx);
+}
+
+void ieee80211_remain_on_channel_expired(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+
+        trace_api_remain_on_channel_expired(local);
+
+        ieee80211_queue_work(hw, &local->hw_roc_done);
+}
+EXPORT_SYMBOL_GPL(ieee80211_remain_on_channel_expired);
+
+void ieee80211_hw_roc_setup(struct ieee80211_local *local)
+{
+        INIT_WORK(&local->hw_roc_start, ieee80211_hw_roc_start);
+        INIT_WORK(&local->hw_roc_done, ieee80211_hw_roc_done);
+}
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 5e9d3bc6a2d9..a6701ed87f0d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -533,10 +533,11 @@ static inline u16 seq_sub(u16 sq1, u16 sq2)
 
 static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
                                             struct tid_ampdu_rx *tid_agg_rx,
-                                            int index,
-                                            struct sk_buff_head *frames)
+                                            int index)
 {
+        struct ieee80211_local *local = hw_to_local(hw);
         struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
+        struct ieee80211_rx_status *status;
 
         lockdep_assert_held(&tid_agg_rx->reorder_lock);
 
@@ -546,7 +547,9 @@ static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
         /* release the frame from the reorder ring buffer */
         tid_agg_rx->stored_mpdu_num--;
         tid_agg_rx->reorder_buf[index] = NULL;
-        __skb_queue_tail(frames, skb);
+        status = IEEE80211_SKB_RXCB(skb);
+        status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
+        skb_queue_tail(&local->rx_skb_queue, skb);
 
 no_frame:
         tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
@@ -554,8 +557,7 @@ no_frame:
 
 static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
                                              struct tid_ampdu_rx *tid_agg_rx,
-                                             u16 head_seq_num,
-                                             struct sk_buff_head *frames)
+                                             u16 head_seq_num)
 {
         int index;
 
@@ -564,7 +566,7 @@ static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
         while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
                 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
                                                         tid_agg_rx->buf_size;
-                ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames);
+                ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
         }
 }
 
@@ -580,8 +582,7 @@ static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
 
 static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
-                                          struct tid_ampdu_rx *tid_agg_rx,
-                                          struct sk_buff_head *frames)
+                                          struct tid_ampdu_rx *tid_agg_rx)
 {
         int index, j;
 
@@ -612,8 +613,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
                                 wiphy_debug(hw->wiphy,
                                             "release an RX reorder frame due to timeout on earlier frames\n");
 #endif
-                        ieee80211_release_reorder_frame(hw, tid_agg_rx,
-                                                        j, frames);
+                        ieee80211_release_reorder_frame(hw, tid_agg_rx, j);
 
                         /*
                          * Increment the head seq# also for the skipped slots.
@@ -623,31 +623,11 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
                         skipped = 0;
                 }
         } else while (tid_agg_rx->reorder_buf[index]) {
-                ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames);
+                ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
                 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
                                                         tid_agg_rx->buf_size;
         }
 
-        /*
-         * Disable the reorder release timer for now.
-         *
-         * The current implementation lacks a proper locking scheme
-         * which would protect vital statistic and debug counters
-         * from being updated by two different but concurrent BHs.
-         *
-         * More information about the topic is available from:
-         * - thread: http://marc.info/?t=128635927000001
-         *
-         * What was wrong:
-         * =>  http://marc.info/?l=linux-wireless&m=128636170811964
-         * "Basically the thing is that until your patch, the data
-         *  in the struct didn't actually need locking because it
-         *  was accessed by the RX path only which is not concurrent."
-         *
-         * List of what needs to be fixed:
-         * => http://marc.info/?l=linux-wireless&m=128656352920957
-         *
-
         if (tid_agg_rx->stored_mpdu_num) {
                 j = index = seq_sub(tid_agg_rx->head_seq_num,
                                     tid_agg_rx->ssn) % tid_agg_rx->buf_size;
@@ -666,10 +646,6 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
         } else {
                 del_timer(&tid_agg_rx->reorder_timer);
         }
-        */
-
-set_release_timer:
-        return;
 }
 
 /*
@@ -679,8 +655,7 @@ set_release_timer:
  */
 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
                                              struct tid_ampdu_rx *tid_agg_rx,
-                                             struct sk_buff *skb,
-                                             struct sk_buff_head *frames)
+                                             struct sk_buff *skb)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
         u16 sc = le16_to_cpu(hdr->seq_ctrl);
@@ -707,8 +682,7 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
         if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) {
                 head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size));
                 /* release stored frames up to new head to stack */
-                ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num,
-                                                 frames);
+                ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num);
         }
 
         /* Now the new frame is always in the range of the reordering buffer */
@@ -736,7 +710,7 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
         tid_agg_rx->reorder_buf[index] = skb;
         tid_agg_rx->reorder_time[index] = jiffies;
         tid_agg_rx->stored_mpdu_num++;
-        ieee80211_sta_reorder_release(hw, tid_agg_rx, frames);
+        ieee80211_sta_reorder_release(hw, tid_agg_rx);
 
  out:
         spin_unlock(&tid_agg_rx->reorder_lock);
@@ -747,8 +721,7 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
  * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
  * true if the MPDU was buffered, false if it should be processed.
  */
-static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
-                                       struct sk_buff_head *frames)
+static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
 {
         struct sk_buff *skb = rx->skb;
         struct ieee80211_local *local = rx->local;
@@ -803,11 +776,11 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
          * sure that we cannot get to it any more before doing
          * anything with it.
          */
-        if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames))
+        if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb))
                 return;
 
  dont_reorder:
-        __skb_queue_tail(frames, skb);
+        skb_queue_tail(&local->rx_skb_queue, skb);
 }
 
 static ieee80211_rx_result debug_noinline
@@ -1189,6 +1162,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
          * exchange sequence.
          */
         if (!ieee80211_has_morefrags(hdr->frame_control) &&
+            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
             (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
              rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
                 if (test_sta_flags(sta, WLAN_STA_PS_STA)) {
@@ -1831,11 +1805,11 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
 
                         fwd_skb = skb_copy(skb, GFP_ATOMIC);
 
-                        if (!fwd_skb && net_ratelimit()) {
+                        if (!fwd_skb && net_ratelimit())
                                 printk(KERN_DEBUG "%s: failed to clone mesh frame\n",
                                                    sdata->name);
+                        if (!fwd_skb)
                                 goto out;
-                        }
 
                         fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
                         memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
@@ -1930,7 +1904,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
 }
 
 static ieee80211_rx_result debug_noinline
-ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
+ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
 {
         struct ieee80211_local *local = rx->local;
         struct ieee80211_hw *hw = &local->hw;
@@ -1970,8 +1944,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
 
                 spin_lock(&tid_agg_rx->reorder_lock);
                 /* release stored frames up to start of BAR */
-                ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num,
-                                                 frames);
+                ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num);
                 spin_unlock(&tid_agg_rx->reorder_lock);
 
                 kfree_skb(skb);
@@ -2488,8 +2461,7 @@ static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
         }
 }
 
-static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
-                                  struct sk_buff_head *frames)
+static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx)
 {
         ieee80211_rx_result res = RX_DROP_MONITOR;
         struct sk_buff *skb;
@@ -2501,7 +2473,15 @@ static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
                         goto rxh_next;  \
         } while (0);
 
-        while ((skb = __skb_dequeue(frames))) {
+        spin_lock(&rx->local->rx_skb_queue.lock);
+        if (rx->local->running_rx_handler)
+                goto unlock;
+
+        rx->local->running_rx_handler = true;
+
+        while ((skb = __skb_dequeue(&rx->local->rx_skb_queue))) {
+                spin_unlock(&rx->local->rx_skb_queue.lock);
+
                 /*
                  * all the other fields are valid across frames
                  * that belong to an aMPDU since they are on the
@@ -2524,12 +2504,7 @@ static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
                         CALL_RXH(ieee80211_rx_h_mesh_fwding);
 #endif
                 CALL_RXH(ieee80211_rx_h_data)
-
-                /* special treatment -- needs the queue */
-                res = ieee80211_rx_h_ctrl(rx, frames);
-                if (res != RX_CONTINUE)
-                        goto rxh_next;
-
+                CALL_RXH(ieee80211_rx_h_ctrl);
                 CALL_RXH(ieee80211_rx_h_mgmt_check)
                 CALL_RXH(ieee80211_rx_h_action)
                 CALL_RXH(ieee80211_rx_h_userspace_mgmt)
@@ -2538,18 +2513,20 @@ static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
 
  rxh_next:
                 ieee80211_rx_handlers_result(rx, res);
-
+                spin_lock(&rx->local->rx_skb_queue.lock);
 #undef CALL_RXH
         }
+
+        rx->local->running_rx_handler = false;
+
+ unlock:
+        spin_unlock(&rx->local->rx_skb_queue.lock);
 }
 
 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
 {
-        struct sk_buff_head reorder_release;
         ieee80211_rx_result res = RX_DROP_MONITOR;
 
-        __skb_queue_head_init(&reorder_release);
-
 #define CALL_RXH(rxh)                   \
         do {                            \
                 res = rxh(rx);          \
@@ -2560,9 +2537,9 @@ static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
         CALL_RXH(ieee80211_rx_h_passive_scan)
         CALL_RXH(ieee80211_rx_h_check)
 
-        ieee80211_rx_reorder_ampdu(rx, &reorder_release);
+        ieee80211_rx_reorder_ampdu(rx);
 
-        ieee80211_rx_handlers(rx, &reorder_release);
+        ieee80211_rx_handlers(rx);
         return;
 
  rxh_next:
@@ -2577,7 +2554,6 @@ static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
  */
 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 {
-        struct sk_buff_head frames;
         struct ieee80211_rx_data rx = {
                 .sta = sta,
                 .sdata = sta->sdata,
@@ -2590,13 +2566,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
         if (!tid_agg_rx)
                 return;
 
-        __skb_queue_head_init(&frames);
-
         spin_lock(&tid_agg_rx->reorder_lock);
-        ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames);
+        ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx);
         spin_unlock(&tid_agg_rx->reorder_lock);
 
-        ieee80211_rx_handlers(&rx, &frames);
+        ieee80211_rx_handlers(&rx);
 }
 
 /* main receive path */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 68c2fbd16ebb..5950e3abead9 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1750,6 +1750,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         __le16 fc;
         struct ieee80211_hdr hdr;
         struct ieee80211s_hdr mesh_hdr __maybe_unused;
+        struct mesh_path *mppath = NULL;
         const u8 *encaps_data;
         int encaps_len, skip_header_bytes;
         int nh_pos, h_pos;
@@ -1810,16 +1811,23 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         ret = NETDEV_TX_OK;
                         goto fail;
                 }
+                if (!is_multicast_ether_addr(skb->data))
+                        mppath = mpp_path_lookup(skb->data, sdata);
 
+                /*
+                 * Do not use address extension, if it is a packet from
+                 * the same interface and the destination is not being
+                 * proxied by any other mest point.
+                 */
                 if (compare_ether_addr(sdata->vif.addr,
-                                       skb->data + ETH_ALEN) == 0) {
+                                       skb->data + ETH_ALEN) == 0 &&
+                    (!mppath || !compare_ether_addr(mppath->mpp, skb->data))) {
                         hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                         skb->data, skb->data + ETH_ALEN);
                         meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
                                         sdata, NULL, NULL);
                 } else {
                         /* packet from other interface */
-                        struct mesh_path *mppath;
                         int is_mesh_mcast = 1;
                         const u8 *mesh_da;
 
@@ -1830,8 +1838,6 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         else {
                                 static const u8 bcast[ETH_ALEN] =
                                         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-
-                                mppath = mpp_path_lookup(skb->data, sdata);
                                 if (mppath) {
                                         /* RA TA mDA mSA AE:DA SA */
                                         mesh_da = mppath->mpp;
diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c
index 58e75bbc1f91..28bc084dbfb9 100644
--- a/net/mac80211/wme.c
+++ b/net/mac80211/wme.c
@@ -59,26 +59,22 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_local *local = sdata->local;
         struct sta_info *sta = NULL;
-        u32 sta_flags = 0;
         const u8 *ra = NULL;
         bool qos = false;
 
         if (local->hw.queues < 4 || skb->len < 6) {
                 skb->priority = 0; /* required for correct WPA/11i MIC */
-                return min_t(u16, local->hw.queues - 1,
-                             ieee802_1d_to_ac[skb->priority]);
+                return min_t(u16, local->hw.queues - 1, IEEE80211_AC_BE);
         }
 
         rcu_read_lock();
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP_VLAN:
-                rcu_read_lock();
                 sta = rcu_dereference(sdata->u.vlan.sta);
-                if (sta)
-                        sta_flags = get_sta_flags(sta);
-                rcu_read_unlock();
-                if (sta)
+                if (sta) {
+                        qos = get_sta_flags(sta) & WLAN_STA_WME;
                         break;
+                }
         case NL80211_IFTYPE_AP:
                 ra = skb->data;
                 break;
@@ -107,17 +103,13 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
         if (!sta && ra && !is_multicast_ether_addr(ra)) {
                 sta = sta_info_get(sdata, ra);
                 if (sta)
-                        sta_flags = get_sta_flags(sta);
+                        qos = get_sta_flags(sta) & WLAN_STA_WME;
         }
-
-        if (sta_flags & WLAN_STA_WME)
-                qos = true;
-
         rcu_read_unlock();
 
         if (!qos) {
                 skb->priority = 0; /* required for correct WPA/11i MIC */
-                return ieee802_1d_to_ac[skb->priority];
+                return IEEE80211_AC_BE;
         }
 
         /* use the data classifier to determine what 802.1d tag the
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 99d41831d76e..37693b6ef23a 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -752,7 +752,7 @@ static void chan_reg_rule_print_dbg(struct ieee80211_channel *chan,
                 snprintf(max_antenna_gain, 32, "%d", power_rule->max_antenna_gain);
 
         REG_DBG_PRINT("Updating information on frequency %d MHz "
-                      "for %d a MHz width channel with regulatory rule:\n",
+                      "for a %d MHz width channel with regulatory rule:\n",
                       chan->center_freq,
                       KHZ_TO_MHZ(desired_bw_khz));