Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6

18 files changed, 225 insertions, 117 deletions

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index e9ec6cae2d39..61234e79022b 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -116,6 +116,8 @@ IEEE80211_IF_FILE(peer, u.wds.remote_addr, MAC);
 
 #ifdef CONFIG_MAC80211_MESH
 /* Mesh stats attributes */
+IEEE80211_IF_FILE(fwded_mcast, u.mesh.mshstats.fwded_mcast, DEC);
+IEEE80211_IF_FILE(fwded_unicast, u.mesh.mshstats.fwded_unicast, DEC);
 IEEE80211_IF_FILE(fwded_frames, u.mesh.mshstats.fwded_frames, DEC);
 IEEE80211_IF_FILE(dropped_frames_ttl, u.mesh.mshstats.dropped_frames_ttl, DEC);
 IEEE80211_IF_FILE(dropped_frames_no_route,
@@ -205,6 +207,8 @@ static void add_mesh_stats(struct ieee80211_sub_if_data *sdata)
 {
         sdata->mesh_stats_dir = debugfs_create_dir("mesh_stats",
                                 sdata->debugfsdir);
+        MESHSTATS_ADD(fwded_mcast);
+        MESHSTATS_ADD(fwded_unicast);
         MESHSTATS_ADD(fwded_frames);
         MESHSTATS_ADD(dropped_frames_ttl);
         MESHSTATS_ADD(dropped_frames_no_route);
@@ -327,6 +331,8 @@ static void del_monitor_files(struct ieee80211_sub_if_data *sdata)
 
 static void del_mesh_stats(struct ieee80211_sub_if_data *sdata)
 {
+        MESHSTATS_DEL(fwded_mcast);
+        MESHSTATS_DEL(fwded_unicast);
         MESHSTATS_DEL(fwded_frames);
         MESHSTATS_DEL(dropped_frames_ttl);
         MESHSTATS_DEL(dropped_frames_no_route);
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 4100c361a99d..d231c9323ad1 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -55,16 +55,32 @@ static inline void drv_bss_info_changed(struct ieee80211_local *local,
         trace_drv_bss_info_changed(local, vif, info, changed);
 }
 
+static inline u64 drv_prepare_multicast(struct ieee80211_local *local,
+                                        int mc_count,
+                                        struct dev_addr_list *mc_list)
+{
+        u64 ret = 0;
+
+        if (local->ops->prepare_multicast)
+                ret = local->ops->prepare_multicast(&local->hw, mc_count,
+                                                    mc_list);
+
+        trace_drv_prepare_multicast(local, mc_count, ret);
+
+        return ret;
+}
+
 static inline void drv_configure_filter(struct ieee80211_local *local,
                                         unsigned int changed_flags,
                                         unsigned int *total_flags,
-                                        int mc_count,
-                                        struct dev_addr_list *mc_list)
+                                        u64 multicast)
 {
+        might_sleep();
+
         local->ops->configure_filter(&local->hw, changed_flags, total_flags,
-                                     mc_count, mc_list);
+                                     multicast);
         trace_drv_configure_filter(local, changed_flags, total_flags,
-                                            mc_count);
+                                   multicast);
 }
 
 static inline int drv_set_tim(struct ieee80211_local *local,
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index 5a10da2d70fd..37b9051afcf3 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -191,31 +191,55 @@ TRACE_EVENT(drv_bss_info_changed,
         )
 );
 
+TRACE_EVENT(drv_prepare_multicast,
+        TP_PROTO(struct ieee80211_local *local, int mc_count, u64 ret),
+
+        TP_ARGS(local, mc_count, ret),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(int, mc_count)
+                __field(u64, ret)
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->mc_count = mc_count;
+                __entry->ret = ret;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT " prepare mc (%d): %llx",
+                LOCAL_PR_ARG, __entry->mc_count,
+                (unsigned long long) __entry->ret
+        )
+);
+
 TRACE_EVENT(drv_configure_filter,
         TP_PROTO(struct ieee80211_local *local,
                  unsigned int changed_flags,
                  unsigned int *total_flags,
-                 int mc_count),
+                 u64 multicast),
 
-        TP_ARGS(local, changed_flags, total_flags, mc_count),
+        TP_ARGS(local, changed_flags, total_flags, multicast),
 
         TP_STRUCT__entry(
                 LOCAL_ENTRY
                 __field(unsigned int, changed)
                 __field(unsigned int, total)
-                __field(int, mc)
+                __field(u64, multicast)
         ),
 
         TP_fast_assign(
                 LOCAL_ASSIGN;
                 __entry->changed = changed_flags;
                 __entry->total = *total_flags;
-                __entry->mc = mc_count;
+                __entry->multicast = multicast;
         ),
 
         TP_printk(
-                LOCAL_PR_FMT " changed:%#x total:%#x mc:%d",
-                LOCAL_PR_ARG, __entry->changed, __entry->total, __entry->mc
+                LOCAL_PR_FMT " changed:%#x total:%#x",
+                LOCAL_PR_ARG, __entry->changed, __entry->total
         )
 );
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index a6abc7dfd903..93e618a980d1 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -212,7 +212,9 @@ struct ieee80211_if_vlan {
 };
 
 struct mesh_stats {
-        __u32 fwded_frames;             /* Mesh forwarded frames */
+        __u32 fwded_mcast;              /* Mesh forwarded multicast frames */
+        __u32 fwded_unicast;            /* Mesh forwarded unicast frames */
+        __u32 fwded_frames;             /* Mesh total forwarded frames */
         __u32 dropped_frames_ttl;       /* Not transmitted since mesh_ttl == 0*/
         __u32 dropped_frames_no_route;  /* Not transmitted, no route found */
         atomic_t estab_plinks;
@@ -506,6 +508,8 @@ struct ieee80211_sub_if_data {
 #ifdef CONFIG_MAC80211_MESH
         struct dentry *mesh_stats_dir;
         struct {
+                struct dentry *fwded_mcast;
+                struct dentry *fwded_unicast;
                 struct dentry *fwded_frames;
                 struct dentry *dropped_frames_ttl;
                 struct dentry *dropped_frames_no_route;
@@ -636,6 +640,9 @@ struct ieee80211_local {
         /* protects the aggregated multicast list and filter calls */
         spinlock_t filter_lock;
 
+        /* used for uploading changed mc list */
+        struct work_struct reconfig_filter;
+
         /* aggregated multicast list */
         struct dev_addr_list *mc_list;
         int mc_count;
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index e8fb03b91a44..b161301056df 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -227,9 +227,7 @@ static int ieee80211_open(struct net_device *dev)
                 if (sdata->u.mntr_flags & MONITOR_FLAG_OTHER_BSS)
                         local->fif_other_bss++;
 
-                spin_lock_bh(&local->filter_lock);
                 ieee80211_configure_filter(local);
-                spin_unlock_bh(&local->filter_lock);
                 break;
         default:
                 conf.vif = &sdata->vif;
@@ -241,17 +239,13 @@ static int ieee80211_open(struct net_device *dev)
 
                 if (ieee80211_vif_is_mesh(&sdata->vif)) {
                         local->fif_other_bss++;
-                        spin_lock_bh(&local->filter_lock);
                         ieee80211_configure_filter(local);
-                        spin_unlock_bh(&local->filter_lock);
 
                         ieee80211_start_mesh(sdata);
                 } else if (sdata->vif.type == NL80211_IFTYPE_AP) {
                         local->fif_pspoll++;
 
-                        spin_lock_bh(&local->filter_lock);
                         ieee80211_configure_filter(local);
-                        spin_unlock_bh(&local->filter_lock);
                 }
 
                 changed |= ieee80211_reset_erp_info(sdata);
@@ -404,10 +398,11 @@ static int ieee80211_stop(struct net_device *dev)
         spin_lock_bh(&local->filter_lock);
         __dev_addr_unsync(&local->mc_list, &local->mc_count,
                           &dev->mc_list, &dev->mc_count);
-        ieee80211_configure_filter(local);
         spin_unlock_bh(&local->filter_lock);
         netif_addr_unlock_bh(dev);
 
+        ieee80211_configure_filter(local);
+
         del_timer_sync(&local->dynamic_ps_timer);
         cancel_work_sync(&local->dynamic_ps_enable_work);
 
@@ -458,9 +453,7 @@ static int ieee80211_stop(struct net_device *dev)
                 if (sdata->u.mntr_flags & MONITOR_FLAG_OTHER_BSS)
                         local->fif_other_bss--;
 
-                spin_lock_bh(&local->filter_lock);
                 ieee80211_configure_filter(local);
-                spin_unlock_bh(&local->filter_lock);
                 break;
         case NL80211_IFTYPE_STATION:
                 del_timer_sync(&sdata->u.mgd.chswitch_timer);
@@ -503,9 +496,7 @@ static int ieee80211_stop(struct net_device *dev)
                         local->fif_other_bss--;
                         atomic_dec(&local->iff_allmultis);
 
-                        spin_lock_bh(&local->filter_lock);
                         ieee80211_configure_filter(local);
-                        spin_unlock_bh(&local->filter_lock);
 
                         ieee80211_stop_mesh(sdata);
                 }
@@ -622,8 +613,8 @@ static void ieee80211_set_multicast_list(struct net_device *dev)
         spin_lock_bh(&local->filter_lock);
         __dev_addr_sync(&local->mc_list, &local->mc_count,
                         &dev->mc_list, &dev->mc_count);
-        ieee80211_configure_filter(local);
         spin_unlock_bh(&local->filter_lock);
+        ieee80211_queue_work(&local->hw, &local->reconfig_filter);
 }
 
 /*
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index b03fd84777fa..dd3b0816614d 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -50,9 +50,9 @@ struct ieee80211_tx_status_rtap_hdr {
 } __attribute__ ((packed));
 
 
-/* must be called under mdev tx lock */
 void ieee80211_configure_filter(struct ieee80211_local *local)
 {
+        u64 mc;
         unsigned int changed_flags;
         unsigned int new_flags = 0;
 
@@ -62,7 +62,7 @@ void ieee80211_configure_filter(struct ieee80211_local *local)
         if (atomic_read(&local->iff_allmultis))
                 new_flags |= FIF_ALLMULTI;
 
-        if (local->monitors)
+        if (local->monitors || local->scanning)
                 new_flags |= FIF_BCN_PRBRESP_PROMISC;
 
         if (local->fif_fcsfail)
@@ -80,20 +80,30 @@ void ieee80211_configure_filter(struct ieee80211_local *local)
         if (local->fif_pspoll)
                 new_flags |= FIF_PSPOLL;
 
+        spin_lock_bh(&local->filter_lock);
         changed_flags = local->filter_flags ^ new_flags;
 
+        mc = drv_prepare_multicast(local, local->mc_count, local->mc_list);
+        spin_unlock_bh(&local->filter_lock);
+
         /* be a bit nasty */
         new_flags |= (1<<31);
 
-        drv_configure_filter(local, changed_flags, &new_flags,
-                             local->mc_count,
-                             local->mc_list);
+        drv_configure_filter(local, changed_flags, &new_flags, mc);
 
         WARN_ON(new_flags & (1<<31));
 
         local->filter_flags = new_flags & ~(1<<31);
 }
 
+static void ieee80211_reconfig_filter(struct work_struct *work)
+{
+        struct ieee80211_local *local =
+                container_of(work, struct ieee80211_local, reconfig_filter);
+
+        ieee80211_configure_filter(local);
+}
+
 int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
 {
         struct ieee80211_channel *chan, *scan_chan;
@@ -231,9 +241,6 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata,
 
         drv_bss_info_changed(local, &sdata->vif,
                              &sdata->vif.bss_conf, changed);
-
-        /* DEPRECATED */
-        local->hw.conf.beacon_int = sdata->vif.bss_conf.beacon_int;
 }
 
 u32 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata)
@@ -475,6 +482,8 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                 }
 
                 rate_control_tx_status(local, sband, sta, skb);
+                if (ieee80211_vif_is_mesh(&sta->sdata->vif))
+                        ieee80211s_update_metric(local, sta, skb);
         }
 
         rcu_read_unlock();
@@ -677,7 +686,6 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         local->hw.max_rates = 1;
         local->hw.conf.long_frame_max_tx_count = wiphy->retry_long;
         local->hw.conf.short_frame_max_tx_count = wiphy->retry_short;
-        local->hw.conf.radio_enabled = true;
         local->user_power_level = -1;
 
         INIT_LIST_HEAD(&local->interfaces);
@@ -692,6 +700,8 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
 
         INIT_WORK(&local->restart_work, ieee80211_restart_work);
 
+        INIT_WORK(&local->reconfig_filter, ieee80211_reconfig_filter);
+
         INIT_WORK(&local->dynamic_ps_enable_work,
                   ieee80211_dynamic_ps_enable_work);
         INIT_WORK(&local->dynamic_ps_disable_work,
@@ -920,7 +930,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
  fail_workqueue:
         wiphy_unregister(local->hw.wiphy);
  fail_wiphy_register:
-        kfree(local->int_scan_req->channels);
+        kfree(local->int_scan_req);
         return result;
 }
 EXPORT_SYMBOL(ieee80211_register_hw);
@@ -946,6 +956,8 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 
         rtnl_unlock();
 
+        cancel_work_sync(&local->reconfig_filter);
+
         ieee80211_clear_tx_pending(local);
         sta_info_stop(local);
         rate_control_deinitialize(local);
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index eb23fc639b2b..dd1c19319f0a 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -226,6 +226,8 @@ void mesh_mgmt_ies_add(struct sk_buff *skb,
 void mesh_rmc_free(struct ieee80211_sub_if_data *sdata);
 int mesh_rmc_init(struct ieee80211_sub_if_data *sdata);
 void ieee80211s_init(void);
+void ieee80211s_update_metric(struct ieee80211_local *local,
+                struct sta_info *stainfo, struct sk_buff *skb);
 void ieee80211s_stop(void);
 void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata);
 ieee80211_rx_result
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index ef1efd362691..e12a786e26b8 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -201,6 +201,24 @@ int mesh_path_error_tx(u8 *dst, __le32 dst_dsn, u8 *ra,
         return 0;
 }
 
+void ieee80211s_update_metric(struct ieee80211_local *local,
+                struct sta_info *stainfo, struct sk_buff *skb)
+{
+        struct ieee80211_tx_info *txinfo = IEEE80211_SKB_CB(skb);
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+        int failed;
+
+        if (!ieee80211_is_data(hdr->frame_control))
+                return;
+
+        failed = !(txinfo->flags & IEEE80211_TX_STAT_ACK);
+
+        /* moving average, scaled to 100 */
+        stainfo->fail_avg = ((80 * stainfo->fail_avg + 5) / 100 + 20 * failed);
+        if (stainfo->fail_avg > 95)
+                mesh_plink_broken(stainfo);
+}
+
 static u32 airtime_link_metric_get(struct ieee80211_local *local,
                                    struct sta_info *sta)
 {
@@ -479,6 +497,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
                                 hopcount, ttl, cpu_to_le32(lifetime),
                                 cpu_to_le32(metric), cpu_to_le32(preq_id),
                                 sdata);
+                ifmsh->mshstats.fwded_mcast++;
                 ifmsh->mshstats.fwded_frames++;
         }
 }
@@ -537,6 +556,8 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
                 cpu_to_le32(lifetime), cpu_to_le32(metric),
                 0, sdata);
         rcu_read_unlock();
+
+        sdata->u.mesh.mshstats.fwded_unicast++;
         sdata->u.mesh.mshstats.fwded_frames++;
         return;
 
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index 007164919e02..7c5142988bbb 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -51,7 +51,6 @@
 #include <linux/random.h>
 #include <linux/ieee80211.h>
 #include <net/mac80211.h>
-#include "mesh.h"
 #include "rate.h"
 #include "rc80211_minstrel.h"
 
@@ -156,16 +155,12 @@ minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband,
                    struct sk_buff *skb)
 {
         struct minstrel_sta_info *mi = priv_sta;
-        struct minstrel_priv *mp = (struct minstrel_priv *)priv;
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
         struct ieee80211_tx_rate *ar = info->status.rates;
-        struct ieee80211_local *local = hw_to_local(mp->hw);
-        struct sta_info *si;
         int i, ndx;
         int success;
 
         success = !!(info->flags & IEEE80211_TX_STAT_ACK);
-        si = sta_info_get(local, sta->addr);
 
         for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
                 if (ar[i].idx < 0)
@@ -177,17 +172,8 @@ minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband,
 
                 mi->r[ndx].attempts += ar[i].count;
 
-                if ((i != IEEE80211_TX_MAX_RATES - 1) && (ar[i + 1].idx < 0)) {
+                if ((i != IEEE80211_TX_MAX_RATES - 1) && (ar[i + 1].idx < 0))
                         mi->r[ndx].success += success;
-                        if (si) {
-                                si->fail_avg = (18050 - mi->r[ndx].probability)
-                                        / 180;
-                                WARN_ON(si->fail_avg > 100);
-                                if (si->fail_avg == 100 &&
-                                        ieee80211_vif_is_mesh(&si->sdata->vif))
-                                        mesh_plink_broken(si);
-                        }
-                }
         }
 
         if ((info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) && (i >= 0))
diff --git a/net/mac80211/rc80211_pid_algo.c b/net/mac80211/rc80211_pid_algo.c
index 8c053be9dc24..699d3ed869c4 100644
--- a/net/mac80211/rc80211_pid_algo.c
+++ b/net/mac80211/rc80211_pid_algo.c
@@ -169,19 +169,9 @@ static void rate_control_pid_sample(struct rc_pid_info *pinfo,
          * still a good measurement and copy it. */
         if (unlikely(spinfo->tx_num_xmit == 0))
                 pf = spinfo->last_pf;
-        else {
-                /* XXX: BAD HACK!!! */
-                struct sta_info *si = container_of(sta, struct sta_info, sta);
-
+        else
                 pf = spinfo->tx_num_failed * 100 / spinfo->tx_num_xmit;
 
-                if (ieee80211_vif_is_mesh(&si->sdata->vif) && pf == 100)
-                        mesh_plink_broken(si);
-                pf <<= RC_PID_ARITH_SHIFT;
-                si->fail_avg = ((pf + (spinfo->last_pf << 3)) / 9)
-                                        >> RC_PID_ARITH_SHIFT;
-        }
-
         spinfo->tx_num_xmit = 0;
         spinfo->tx_num_failed = 0;
 
@@ -311,7 +301,6 @@ rate_control_pid_rate_init(void *priv, struct ieee80211_supported_band *sband,
         struct rc_pid_sta_info *spinfo = priv_sta;
         struct rc_pid_info *pinfo = priv;
         struct rc_pid_rateinfo *rinfo = pinfo->rinfo;
-        struct sta_info *si;
         int i, j, tmp;
         bool s;
 
@@ -348,9 +337,6 @@ rate_control_pid_rate_init(void *priv, struct ieee80211_supported_band *sband,
         }
 
         spinfo->txrate_idx = rate_lowest_index(sband, sta);
-        /* HACK */
-        si = container_of(sta, struct sta_info, sta);
-        si->fail_avg = 0;
 }
 
 static void *rate_control_pid_alloc(struct ieee80211_hw *hw,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 4cd9e45b1443..7065fd7e7ba2 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1550,7 +1550,10 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                         info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
                         info->control.vif = &rx->sdata->vif;
                         ieee80211_select_queue(local, fwd_skb);
-                        if (!is_multicast_ether_addr(fwd_hdr->addr1)) {
+                        if (is_multicast_ether_addr(fwd_hdr->addr1))
+                                IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
+                                                                fwded_mcast);
+                        else {
                                 int err;
                                 /*
                                  * Save TA to addr1 to send TA a path error if a
@@ -1564,6 +1567,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                                  * later to the pending skb queue.  */
                                 if (err)
                                         return RX_DROP_MONITOR;
+
+                                IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
+                                                                fwded_unicast);
                         }
                         IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
                                                      fwded_frames);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index e091cbc3434f..1e04be6b9129 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -292,13 +292,7 @@ void ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
         if (was_hw_scan)
                 goto done;
 
-        spin_lock_bh(&local->filter_lock);
-        local->filter_flags &= ~FIF_BCN_PRBRESP_PROMISC;
-        drv_configure_filter(local, FIF_BCN_PRBRESP_PROMISC,
-                             &local->filter_flags,
-                             local->mc_count,
-                             local->mc_list);
-        spin_unlock_bh(&local->filter_lock);
+        ieee80211_configure_filter(local);
 
         drv_sw_scan_complete(local);
 
@@ -376,13 +370,7 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
         local->next_scan_state = SCAN_DECISION;
         local->scan_channel_idx = 0;
 
-        spin_lock_bh(&local->filter_lock);
-        local->filter_flags |= FIF_BCN_PRBRESP_PROMISC;
-        drv_configure_filter(local, FIF_BCN_PRBRESP_PROMISC,
-                             &local->filter_flags,
-                             local->mc_count,
-                             local->mc_list);
-        spin_unlock_bh(&local->filter_lock);
+        ieee80211_configure_filter(local);
 
         /* TODO: start scan as soon as all nullfunc frames are ACKed */
         ieee80211_queue_delayed_work(&local->hw,
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index e55d57f559ec..5eb306377c63 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1076,9 +1076,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
         /* reconfigure hardware */
         ieee80211_hw_config(local, ~0);
 
-        spin_lock_bh(&local->filter_lock);
         ieee80211_configure_filter(local);
-        spin_unlock_bh(&local->filter_lock);
 
         /* Finally also reconfigure all the BSS information */
         list_for_each_entry(sdata, &local->interfaces, list) {
diff --git a/net/wireless/core.c b/net/wireless/core.c
index bc99e4ec7463..154e1e294cb9 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -12,6 +12,7 @@
 #include <linux/debugfs.h>
 #include <linux/notifier.h>
 #include <linux/device.h>
+#include <linux/etherdevice.h>
 #include <linux/rtnetlink.h>
 #include <net/genetlink.h>
 #include <net/cfg80211.h>
@@ -309,7 +310,8 @@ static void cfg80211_process_events(struct wireless_dev *wdev)
                 switch (ev->type) {
                 case EVENT_CONNECT_RESULT:
                         __cfg80211_connect_result(
-                                wdev->netdev, ev->cr.bssid,
+                                wdev->netdev, is_zero_ether_addr(ev->cr.bssid) ?
+                                NULL : ev->cr.bssid,
                                 ev->cr.req_ie, ev->cr.req_ie_len,
                                 ev->cr.resp_ie, ev->cr.resp_ie_len,
                                 ev->cr.status,
@@ -430,6 +432,8 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
         INIT_WORK(&rdev->conn_work, cfg80211_conn_work);
         INIT_WORK(&rdev->event_work, cfg80211_event_work);
 
+        init_waitqueue_head(&rdev->dev_wait);
+
         /*
          * Initialize wiphy parameters to IEEE 802.11 MIB default values.
          * Fragmentation and RTS threshold are disabled by default with the
@@ -574,7 +578,23 @@ void wiphy_unregister(struct wiphy *wiphy)
         /* protect the device list */
         mutex_lock(&cfg80211_mutex);
 
+        wait_event(rdev->dev_wait, ({
+                int __count;
+                mutex_lock(&rdev->devlist_mtx);
+                __count = rdev->opencount;
+                mutex_unlock(&rdev->devlist_mtx);
+                __count == 0;}));
+
+        mutex_lock(&rdev->devlist_mtx);
         BUG_ON(!list_empty(&rdev->netdev_list));
+        mutex_unlock(&rdev->devlist_mtx);
+
+        /*
+         * First remove the hardware from everywhere, this makes
+         * it impossible to find from userspace.
+         */
+        cfg80211_debugfs_rdev_del(rdev);
+        list_del(&rdev->list);
 
         /*
          * Try to grab rdev->mtx. If a command is still in progress,
@@ -582,21 +602,18 @@ void wiphy_unregister(struct wiphy *wiphy)
          * down the device already. We wait for this command to complete
          * before unlinking the item from the list.
          * Note: as codified by the BUG_ON above we cannot get here if
-         * a virtual interface is still associated. Hence, we can only
-         * get to lock contention here if userspace issues a command
-         * that identified the hardware by wiphy index.
+         * a virtual interface is still present. Hence, we can only get
+         * to lock contention here if userspace issues a command that
+         * identified the hardware by wiphy index.
          */
-        mutex_lock(&rdev->mtx);
-        /* unlock again before freeing */
-        mutex_unlock(&rdev->mtx);
-
-        cfg80211_debugfs_rdev_del(rdev);
+        cfg80211_lock_rdev(rdev);
+        /* nothing */
+        cfg80211_unlock_rdev(rdev);
 
         /* If this device got a regulatory hint tell core its
          * free to listen now to a new shiny device regulatory hint */
         reg_device_remove(wiphy);
 
-        list_del(&rdev->list);
         cfg80211_rdev_list_generation++;
         device_del(&rdev->wiphy.dev);
         debugfs_remove(rdev->wiphy.debugfsdir);
@@ -605,7 +622,6 @@ void wiphy_unregister(struct wiphy *wiphy)
 
         flush_work(&rdev->scan_done_wk);
         cancel_work_sync(&rdev->conn_work);
-        kfree(rdev->scan_req);
         flush_work(&rdev->event_work);
 }
 EXPORT_SYMBOL(wiphy_unregister);
@@ -636,6 +652,31 @@ void wiphy_rfkill_set_hw_state(struct wiphy *wiphy, bool blocked)
 }
 EXPORT_SYMBOL(wiphy_rfkill_set_hw_state);
 
+static void wdev_cleanup_work(struct work_struct *work)
+{
+        struct wireless_dev *wdev;
+        struct cfg80211_registered_device *rdev;
+
+        wdev = container_of(work, struct wireless_dev, cleanup_work);
+        rdev = wiphy_to_dev(wdev->wiphy);
+
+        cfg80211_lock_rdev(rdev);
+
+        if (WARN_ON(rdev->scan_req && rdev->scan_req->dev == wdev->netdev)) {
+                rdev->scan_req->aborted = true;
+                ___cfg80211_scan_done(rdev);
+        }
+
+        cfg80211_unlock_rdev(rdev);
+
+        mutex_lock(&rdev->devlist_mtx);
+        rdev->opencount--;
+        mutex_unlock(&rdev->devlist_mtx);
+        wake_up(&rdev->dev_wait);
+
+        dev_put(wdev->netdev);
+}
+
 static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                                          unsigned long state,
                                          void *ndev)
@@ -653,7 +694,13 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
 
         switch (state) {
         case NETDEV_REGISTER:
+                /*
+                 * NB: cannot take rdev->mtx here because this may be
+                 * called within code protected by it when interfaces
+                 * are added with nl80211.
+                 */
                 mutex_init(&wdev->mtx);
+                INIT_WORK(&wdev->cleanup_work, wdev_cleanup_work);
                 INIT_LIST_HEAD(&wdev->event_list);
                 spin_lock_init(&wdev->event_lock);
                 mutex_lock(&rdev->devlist_mtx);
@@ -708,8 +755,22 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                 default:
                         break;
                 }
+                dev_hold(dev);
+                schedule_work(&wdev->cleanup_work);
                 break;
         case NETDEV_UP:
+                /*
+                 * If we have a really quick DOWN/UP succession we may
+                 * have this work still pending ... cancel it and see
+                 * if it was pending, in which case we need to account
+                 * for some of the work it would have done.
+                 */
+                if (cancel_work_sync(&wdev->cleanup_work)) {
+                        mutex_lock(&rdev->devlist_mtx);
+                        rdev->opencount--;
+                        mutex_unlock(&rdev->devlist_mtx);
+                        dev_put(dev);
+                }
 #ifdef CONFIG_WIRELESS_EXT
                 cfg80211_lock_rdev(rdev);
                 mutex_lock(&rdev->devlist_mtx);
@@ -725,18 +786,17 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                         break;
                 }
                 wdev_unlock(wdev);
+                rdev->opencount++;
                 mutex_unlock(&rdev->devlist_mtx);
                 cfg80211_unlock_rdev(rdev);
 #endif
                 break;
         case NETDEV_UNREGISTER:
-                cfg80211_lock_rdev(rdev);
-
-                if (WARN_ON(rdev->scan_req && rdev->scan_req->dev == dev)) {
-                        rdev->scan_req->aborted = true;
-                        ___cfg80211_scan_done(rdev);
-                }
-
+                /*
+                 * NB: cannot take rdev->mtx here because this may be
+                 * called within code protected by it when interfaces
+                 * are removed with nl80211.
+                 */
                 mutex_lock(&rdev->devlist_mtx);
                 /*
                  * It is possible to get NETDEV_UNREGISTER
@@ -749,13 +809,11 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                         sysfs_remove_link(&dev->dev.kobj, "phy80211");
                         list_del_init(&wdev->list);
                         rdev->devlist_generation++;
-                        mutex_destroy(&wdev->mtx);
 #ifdef CONFIG_WIRELESS_EXT
                         kfree(wdev->wext.keys);
 #endif
                 }
                 mutex_unlock(&rdev->devlist_mtx);
-                cfg80211_unlock_rdev(rdev);
                 break;
         case NETDEV_PRE_UP:
                 if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
diff --git a/net/wireless/core.h b/net/wireless/core.h
index c603f5286326..f565432ae22f 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -50,6 +50,8 @@ struct cfg80211_registered_device {
         struct mutex devlist_mtx;
         struct list_head netdev_list;
         int devlist_generation;
+        int opencount; /* also protected by devlist_mtx */
+        wait_queue_head_t dev_wait;
 
         /* BSSes/scanning */
         spinlock_t bss_lock;
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index da64071ceb84..79d2eec54cec 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -96,6 +96,15 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
                 WARN_ON(!bss);
         }
 
+        if (!wdev->conn && wdev->sme_state == CFG80211_SME_IDLE) {
+                /*
+                 * This is for the userspace SME, the CONNECTING
+                 * state will be changed to CONNECTED by
+                 * __cfg80211_connect_result() below.
+                 */
+                wdev->sme_state = CFG80211_SME_CONNECTING;
+        }
+
         /* this consumes one bss reference (unless bss is NULL) */
         __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
                                   status_code,
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 8e2ef54ea714..4a8289f9b4f0 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -351,15 +351,13 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
                 return;
 
-        if (wdev->sme_state == CFG80211_SME_CONNECTED)
-                nl80211_send_roamed(wiphy_to_dev(wdev->wiphy), dev,
+        if (WARN_ON(wdev->sme_state != CFG80211_SME_CONNECTING))
+                return;
+
+        nl80211_send_connect_result(wiphy_to_dev(wdev->wiphy), dev,
                                     bssid, req_ie, req_ie_len,
-                                    resp_ie, resp_ie_len, GFP_KERNEL);
-        else
-                nl80211_send_connect_result(wiphy_to_dev(wdev->wiphy), dev,
-                                            bssid, req_ie, req_ie_len,
-                                            resp_ie, resp_ie_len,
-                                            status, GFP_KERNEL);
+                                    resp_ie, resp_ie_len,
+                                    status, GFP_KERNEL);
 
 #ifdef CONFIG_WIRELESS_EXT
         if (wextev) {
@@ -392,18 +390,13 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                 wdev->current_bss = NULL;
         }
 
-        if (status == WLAN_STATUS_SUCCESS &&
-            wdev->sme_state == CFG80211_SME_IDLE)
-                goto success;
-
-        if (wdev->sme_state != CFG80211_SME_CONNECTING)
-                return;
-
         if (wdev->conn)
                 wdev->conn->state = CFG80211_CONN_IDLE;
 
         if (status != WLAN_STATUS_SUCCESS) {
                 wdev->sme_state = CFG80211_SME_IDLE;
+                if (wdev->conn)
+                        kfree(wdev->conn->ie);
                 kfree(wdev->conn);
                 wdev->conn = NULL;
                 kfree(wdev->connect_keys);
@@ -412,7 +405,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                 return;
         }
 
- success:
         if (!bss)
                 bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
                                        wdev->ssid, wdev->ssid_len,
@@ -458,7 +450,8 @@ void cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                 return;
 
         ev->type = EVENT_CONNECT_RESULT;
-        memcpy(ev->cr.bssid, bssid, ETH_ALEN);
+        if (bssid)
+                memcpy(ev->cr.bssid, bssid, ETH_ALEN);
         ev->cr.req_ie = ((u8 *)ev) + sizeof(*ev);
         ev->cr.req_ie_len = req_ie_len;
         memcpy((void *)ev->cr.req_ie, req_ie, req_ie_len);
@@ -789,6 +782,7 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
                         }
                 }
                 if (err) {
+                        kfree(wdev->conn->ie);
                         kfree(wdev->conn);
                         wdev->conn = NULL;
                         wdev->sme_state = CFG80211_SME_IDLE;
@@ -858,6 +852,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                     (wdev->conn->state == CFG80211_CONN_SCANNING ||
                      wdev->conn->state == CFG80211_CONN_SCAN_AGAIN)) {
                         wdev->sme_state = CFG80211_SME_IDLE;
+                        kfree(wdev->conn->ie);
                         kfree(wdev->conn);
                         wdev->conn = NULL;
                         wdev->ssid_len = 0;
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index c44917492210..c12029b1def0 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -771,6 +771,7 @@ int cfg80211_wext_siwfreq(struct net_device *dev,
                 return err;
         }
 }
+EXPORT_SYMBOL_GPL(cfg80211_wext_siwfreq);
 
 int cfg80211_wext_giwfreq(struct net_device *dev,
                           struct iw_request_info *info,