Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem

39 files changed, 773 insertions, 422 deletions

diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 13b7683de5a4..ce9633a3cfb0 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -107,7 +107,7 @@ static void ieee80211_send_addba_request(struct ieee80211_sub_if_data *sdata,
         mgmt->u.action.u.addba_req.start_seq_num =
                                         cpu_to_le16(start_seq_num << 4);
 
-        ieee80211_tx_skb_tid(sdata, skb, tid);
+        ieee80211_tx_skb(sdata, skb);
 }
 
 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 453e974287d1..363d19b5d5c8 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -451,11 +451,11 @@ void sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo)
                 rinfo->flags |= RATE_INFO_FLAGS_40_MHZ_WIDTH;
         if (sta->last_rx_rate_flag & RX_FLAG_SHORT_GI)
                 rinfo->flags |= RATE_INFO_FLAGS_SHORT_GI;
-        if (sta->last_rx_rate_flag & RX_FLAG_80MHZ)
+        if (sta->last_rx_rate_vht_flag & RX_VHT_FLAG_80MHZ)
                 rinfo->flags |= RATE_INFO_FLAGS_80_MHZ_WIDTH;
-        if (sta->last_rx_rate_flag & RX_FLAG_80P80MHZ)
+        if (sta->last_rx_rate_vht_flag & RX_VHT_FLAG_80P80MHZ)
                 rinfo->flags |= RATE_INFO_FLAGS_80P80_MHZ_WIDTH;
-        if (sta->last_rx_rate_flag & RX_FLAG_160MHZ)
+        if (sta->last_rx_rate_vht_flag & RX_VHT_FLAG_160MHZ)
                 rinfo->flags |= RATE_INFO_FLAGS_160_MHZ_WIDTH;
 }
 
@@ -970,9 +970,9 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
         /* TODO: make hostapd tell us what it wants */
         sdata->smps_mode = IEEE80211_SMPS_OFF;
         sdata->needed_rx_chains = sdata->local->rx_chains;
-        sdata->radar_required = params->radar_required;
 
         mutex_lock(&local->mtx);
+        sdata->radar_required = params->radar_required;
         err = ieee80211_vif_use_channel(sdata, &params->chandef,
                                         IEEE80211_CHANCTX_SHARED);
         mutex_unlock(&local->mtx);
@@ -1056,6 +1056,7 @@ static int ieee80211_change_beacon(struct wiphy *wiphy, struct net_device *dev,
         int err;
 
         sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        sdata_assert_lock(sdata);
 
         /* don't allow changing the beacon while CSA is in place - offset
          * of channel switch counter may change
@@ -1083,6 +1084,8 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
         struct probe_resp *old_probe_resp;
         struct cfg80211_chan_def chandef;
 
+        sdata_assert_lock(sdata);
+
         old_beacon = sdata_dereference(sdata->u.ap.beacon, sdata);
         if (!old_beacon)
                 return -ENOENT;
@@ -1343,6 +1346,18 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                 ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
                                                     params->vht_capa, sta);
 
+        if (params->opmode_notif_used) {
+                enum ieee80211_band band =
+                        ieee80211_get_sdata_band(sdata);
+
+                /* returned value is only needed for rc update, but the
+                 * rc isn't initialized here yet, so ignore it
+                 */
+                __ieee80211_vht_handle_opmode(sdata, sta,
+                                              params->opmode_notif,
+                                              band, false);
+        }
+
         if (ieee80211_vif_is_mesh(&sdata->vif)) {
 #ifdef CONFIG_MAC80211_MESH
                 u32 changed = 0;
@@ -2630,6 +2645,18 @@ static int ieee80211_start_roc_work(struct ieee80211_local *local,
         if (!roc)
                 return -ENOMEM;
 
+        /*
+         * If the duration is zero, then the driver
+         * wouldn't actually do anything. Set it to
+         * 10 for now.
+         *
+         * TODO: cancel the off-channel operation
+         *       when we get the SKB's TX status and
+         *       the wait time was zero before.
+         */
+        if (!duration)
+                duration = 10;
+
         roc->chan = channel;
         roc->duration = duration;
         roc->req_duration = duration;
@@ -2671,18 +2698,6 @@ static int ieee80211_start_roc_work(struct ieee80211_local *local,
 
         /* otherwise actually kick it off here (for error handling) */
 
-        /*
-         * If the duration is zero, then the driver
-         * wouldn't actually do anything. Set it to
-         * 10 for now.
-         *
-         * TODO: cancel the off-channel operation
-         *       when we get the SKB's TX status and
-         *       the wait time was zero before.
-         */
-        if (!duration)
-                duration = 10;
-
         ret = drv_remain_on_channel(local, sdata, channel, duration, type);
         if (ret) {
                 kfree(roc);
@@ -2990,69 +3005,88 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
         return new_beacon;
 }
 
-void ieee80211_csa_finalize_work(struct work_struct *work)
+void ieee80211_csa_finish(struct ieee80211_vif *vif)
+{
+        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+
+        ieee80211_queue_work(&sdata->local->hw,
+                             &sdata->csa_finalize_work);
+}
+EXPORT_SYMBOL(ieee80211_csa_finish);
+
+static void ieee80211_csa_finalize(struct ieee80211_sub_if_data *sdata)
 {
-        struct ieee80211_sub_if_data *sdata =
-                container_of(work, struct ieee80211_sub_if_data,
-                             csa_finalize_work);
         struct ieee80211_local *local = sdata->local;
         int err, changed = 0;
 
-        sdata_lock(sdata);
-        /* AP might have been stopped while waiting for the lock. */
-        if (!sdata->vif.csa_active)
-                goto unlock;
-
-        if (!ieee80211_sdata_running(sdata))
-                goto unlock;
+        sdata_assert_lock(sdata);
 
-        sdata->radar_required = sdata->csa_radar_required;
         mutex_lock(&local->mtx);
+        sdata->radar_required = sdata->csa_radar_required;
         err = ieee80211_vif_change_channel(sdata, &changed);
         mutex_unlock(&local->mtx);
         if (WARN_ON(err < 0))
-                goto unlock;
+                return;
 
         if (!local->use_chanctx) {
                 local->_oper_chandef = sdata->csa_chandef;
                 ieee80211_hw_config(local, 0);
         }
 
-        ieee80211_bss_info_change_notify(sdata, changed);
-
         sdata->vif.csa_active = false;
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP:
                 err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon);
-                if (err < 0)
-                        goto unlock;
-
-                changed |= err;
                 kfree(sdata->u.ap.next_beacon);
                 sdata->u.ap.next_beacon = NULL;
 
-                ieee80211_bss_info_change_notify(sdata, err);
+                if (err < 0)
+                        return;
+                changed |= err;
                 break;
         case NL80211_IFTYPE_ADHOC:
-                ieee80211_ibss_finish_csa(sdata);
+                err = ieee80211_ibss_finish_csa(sdata);
+                if (err < 0)
+                        return;
+                changed |= err;
                 break;
 #ifdef CONFIG_MAC80211_MESH
         case NL80211_IFTYPE_MESH_POINT:
                 err = ieee80211_mesh_finish_csa(sdata);
                 if (err < 0)
-                        goto unlock;
+                        return;
+                changed |= err;
                 break;
 #endif
         default:
                 WARN_ON(1);
-                goto unlock;
+                return;
         }
 
+        ieee80211_bss_info_change_notify(sdata, changed);
+
         ieee80211_wake_queues_by_reason(&sdata->local->hw,
                                         IEEE80211_MAX_QUEUE_MAP,
                                         IEEE80211_QUEUE_STOP_REASON_CSA);
 
         cfg80211_ch_switch_notify(sdata->dev, &sdata->csa_chandef);
+}
+
+void ieee80211_csa_finalize_work(struct work_struct *work)
+{
+        struct ieee80211_sub_if_data *sdata =
+                container_of(work, struct ieee80211_sub_if_data,
+                             csa_finalize_work);
+
+        sdata_lock(sdata);
+        /* AP might have been stopped while waiting for the lock. */
+        if (!sdata->vif.csa_active)
+                goto unlock;
+
+        if (!ieee80211_sdata_running(sdata))
+                goto unlock;
+
+        ieee80211_csa_finalize(sdata);
 
 unlock:
         sdata_unlock(sdata);
@@ -3066,9 +3100,9 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
         struct ieee80211_chanctx_conf *chanctx_conf;
         struct ieee80211_chanctx *chanctx;
         struct ieee80211_if_mesh __maybe_unused *ifmsh;
-        int err, num_chanctx;
+        int err, num_chanctx, changed = 0;
 
-        lockdep_assert_held(&sdata->wdev.mtx);
+        sdata_assert_lock(sdata);
 
         if (!list_empty(&local->roc_list) || local->scanning)
                 return -EBUSY;
@@ -3107,19 +3141,40 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
 
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP:
-                sdata->csa_counter_offset_beacon =
-                        params->counter_offset_beacon;
-                sdata->csa_counter_offset_presp = params->counter_offset_presp;
                 sdata->u.ap.next_beacon =
                         cfg80211_beacon_dup(&params->beacon_after);
                 if (!sdata->u.ap.next_beacon)
                         return -ENOMEM;
 
+                /*
+                 * With a count of 0, we don't have to wait for any
+                 * TBTT before switching, so complete the CSA
+                 * immediately.  In theory, with a count == 1 we
+                 * should delay the switch until just before the next
+                 * TBTT, but that would complicate things so we switch
+                 * immediately too.  If we would delay the switch
+                 * until the next TBTT, we would have to set the probe
+                 * response here.
+                 *
+                 * TODO: A channel switch with count <= 1 without
+                 * sending a CSA action frame is kind of useless,
+                 * because the clients won't know we're changing
+                 * channels.  The action frame must be implemented
+                 * either here or in the userspace.
+                 */
+                if (params->count <= 1)
+                        break;
+
+                sdata->csa_counter_offset_beacon =
+                        params->counter_offset_beacon;
+                sdata->csa_counter_offset_presp = params->counter_offset_presp;
                 err = ieee80211_assign_beacon(sdata, &params->beacon_csa);
                 if (err < 0) {
                         kfree(sdata->u.ap.next_beacon);
                         return err;
                 }
+                changed |= err;
+
                 break;
         case NL80211_IFTYPE_ADHOC:
                 if (!sdata->vif.bss_conf.ibss_joined)
@@ -3147,17 +3202,21 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
                     params->chandef.chan->band)
                         return -EINVAL;
 
-                err = ieee80211_ibss_csa_beacon(sdata, params);
-                if (err < 0)
-                        return err;
+                /* see comments in the NL80211_IFTYPE_AP block */
+                if (params->count > 1) {
+                        err = ieee80211_ibss_csa_beacon(sdata, params);
+                        if (err < 0)
+                                return err;
+                        changed |= err;
+                }
+
+                ieee80211_send_action_csa(sdata, params);
+
                 break;
 #ifdef CONFIG_MAC80211_MESH
         case NL80211_IFTYPE_MESH_POINT:
                 ifmsh = &sdata->u.mesh;
 
-                if (!ifmsh->mesh_id)
-                        return -EINVAL;
-
                 if (params->chandef.width != sdata->vif.bss_conf.chandef.width)
                         return -EINVAL;
 
@@ -3166,17 +3225,27 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
                     params->chandef.chan->band)
                         return -EINVAL;
 
-                ifmsh->chsw_init = true;
-                if (!ifmsh->pre_value)
-                        ifmsh->pre_value = 1;
-                else
-                        ifmsh->pre_value++;
+                if (ifmsh->csa_role == IEEE80211_MESH_CSA_ROLE_NONE) {
+                        ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_INIT;
+                        if (!ifmsh->pre_value)
+                                ifmsh->pre_value = 1;
+                        else
+                                ifmsh->pre_value++;
+                }
 
-                err = ieee80211_mesh_csa_beacon(sdata, params, true);
-                if (err < 0) {
-                        ifmsh->chsw_init = false;
-                        return err;
+                /* see comments in the NL80211_IFTYPE_AP block */
+                if (params->count > 1) {
+                        err = ieee80211_mesh_csa_beacon(sdata, params);
+                        if (err < 0) {
+                                ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE;
+                                return err;
+                        }
+                        changed |= err;
                 }
+
+                if (ifmsh->csa_role == IEEE80211_MESH_CSA_ROLE_INIT)
+                        ieee80211_send_action_csa(sdata, params);
+
                 break;
 #endif
         default:
@@ -3193,8 +3262,13 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
         sdata->csa_chandef = params->chandef;
         sdata->vif.csa_active = true;
 
-        ieee80211_bss_info_change_notify(sdata, err);
-        drv_channel_switch_beacon(sdata, &params->chandef);
+        if (changed) {
+                ieee80211_bss_info_change_notify(sdata, changed);
+                drv_channel_switch_beacon(sdata, &params->chandef);
+        } else {
+                /* if the beacon didn't change, we can finalize immediately */
+                ieee80211_csa_finalize(sdata);
+        }
 
         return 0;
 }
@@ -3865,7 +3939,7 @@ static int ieee80211_set_qos_map(struct wiphy *wiphy,
         return 0;
 }
 
-struct cfg80211_ops mac80211_config_ops = {
+const struct cfg80211_ops mac80211_config_ops = {
         .add_virtual_intf = ieee80211_add_iface,
         .del_virtual_intf = ieee80211_del_iface,
         .change_virtual_intf = ieee80211_change_iface,
diff --git a/net/mac80211/cfg.h b/net/mac80211/cfg.h
index 7d7879f5b00b..2d51f62dc76c 100644
--- a/net/mac80211/cfg.h
+++ b/net/mac80211/cfg.h
@@ -4,6 +4,6 @@
 #ifndef __CFG_H
 #define __CFG_H
 
-extern struct cfg80211_ops mac80211_config_ops;
+extern const struct cfg80211_ops mac80211_config_ops;
 
 #endif /* __CFG_H */
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index f43613a97dd6..42c659229a09 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -196,6 +196,8 @@ static bool ieee80211_is_radar_required(struct ieee80211_local *local)
 {
         struct ieee80211_sub_if_data *sdata;
 
+        lockdep_assert_held(&local->mtx);
+
         rcu_read_lock();
         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
                 if (sdata->radar_required) {
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 80194b557a0c..2ecb4deddb5d 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -195,7 +195,7 @@ static ssize_t sta_agg_status_read(struct file *file, char __user *userbuf,
 static ssize_t sta_agg_status_write(struct file *file, const char __user *userbuf,
                                     size_t count, loff_t *ppos)
 {
-        char _buf[12], *buf = _buf;
+        char _buf[12] = {}, *buf = _buf;
         struct sta_info *sta = file->private_data;
         bool start, tx;
         unsigned long tid;
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 70dd013de836..afbe2b203c3e 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee80211_sub_if_data *sdata,
         mgmt->u.action.u.delba.params = cpu_to_le16(params);
         mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code);
 
-        ieee80211_tx_skb_tid(sdata, skb, tid);
+        ieee80211_tx_skb(sdata, skb);
 }
 
 void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 2796a198728f..4453e2725e40 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -220,7 +220,6 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_supported_band *sband;
         struct ieee80211_mgmt *mgmt;
         struct cfg80211_bss *bss;
         u32 bss_change;
@@ -294,7 +293,6 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         }
 
         mutex_lock(&local->mtx);
-        ieee80211_vif_release_channel(sdata);
         if (ieee80211_vif_use_channel(sdata, &chandef,
                                       ifibss->fixed_channel ?
                                         IEEE80211_CHANCTX_SHARED :
@@ -303,12 +301,11 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
                 mutex_unlock(&local->mtx);
                 return;
         }
+        sdata->radar_required = radar_required;
         mutex_unlock(&local->mtx);
 
         memcpy(ifibss->bssid, bssid, ETH_ALEN);
 
-        sband = local->hw.wiphy->bands[chan->band];
-
         presp = ieee80211_ibss_build_presp(sdata, beacon_int, basic_rates,
                                            capability, tsf, &chandef,
                                            &have_higher_than_11mbit, NULL);
@@ -318,7 +315,6 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         rcu_assign_pointer(ifibss->presp, presp);
         mgmt = (void *)presp->head;
 
-        sdata->radar_required = radar_required;
         sdata->vif.bss_conf.enable_beacon = true;
         sdata->vif.bss_conf.beacon_int = beacon_int;
         sdata->vif.bss_conf.basic_rates = basic_rates;
@@ -386,7 +382,7 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
                                               presp->head_len, 0, GFP_KERNEL);
         cfg80211_put_bss(local->hw.wiphy, bss);
         netif_carrier_on(sdata->dev);
-        cfg80211_ibss_joined(sdata->dev, ifibss->bssid, GFP_KERNEL);
+        cfg80211_ibss_joined(sdata->dev, ifibss->bssid, chan, GFP_KERNEL);
 }
 
 static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
@@ -521,12 +517,6 @@ int ieee80211_ibss_csa_beacon(struct ieee80211_sub_if_data *sdata,
         if (old_presp)
                 kfree_rcu(old_presp, rcu_head);
 
-        /* it might not send the beacon for a while. send an action frame
-         * immediately to announce the channel switch.
-         */
-        if (csa_settings)
-                ieee80211_send_action_csa(sdata, csa_settings);
-
         return BSS_CHANGED_BEACON;
  out:
         return ret;
@@ -536,7 +526,7 @@ int ieee80211_ibss_finish_csa(struct ieee80211_sub_if_data *sdata)
 {
         struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct cfg80211_bss *cbss;
-        int err;
+        int err, changed = 0;
         u16 capability;
 
         sdata_assert_lock(sdata);
@@ -568,10 +558,9 @@ int ieee80211_ibss_finish_csa(struct ieee80211_sub_if_data *sdata)
         if (err < 0)
                 return err;
 
-        if (err)
-                ieee80211_bss_info_change_notify(sdata, err);
+        changed |= err;
 
-        return 0;
+        return changed;
 }
 
 void ieee80211_ibss_stop(struct ieee80211_sub_if_data *sdata)
@@ -799,6 +788,8 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         int err;
         u32 sta_flags;
 
+        sdata_assert_lock(sdata);
+
         sta_flags = IEEE80211_STA_DISABLE_VHT;
         switch (ifibss->chandef.width) {
         case NL80211_CHAN_WIDTH_5:
@@ -1468,6 +1459,11 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
         memcpy(((struct ieee80211_mgmt *) skb->data)->da, mgmt->sa, ETH_ALEN);
         ibss_dbg(sdata, "Sending ProbeResp to %pM\n", mgmt->sa);
         IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
+
+        /* avoid excessive retries for probe request to wildcard SSIDs */
+        if (pos[1] == 0)
+                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_NO_ACK;
+
         ieee80211_tx_skb(sdata, skb);
 }
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 3701930c6649..0014b5396ce5 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -616,7 +616,11 @@ struct ieee80211_if_mesh {
         struct ps_data ps;
         /* Channel Switching Support */
         struct mesh_csa_settings __rcu *csa;
-        bool chsw_init;
+        enum {
+                IEEE80211_MESH_CSA_ROLE_NONE,
+                IEEE80211_MESH_CSA_ROLE_INIT,
+                IEEE80211_MESH_CSA_ROLE_REPEATER,
+        } csa_role;
         u8 chsw_ttl;
         u16 pre_value;
 
@@ -1408,8 +1412,7 @@ void ieee80211_mesh_work(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                    struct sk_buff *skb);
 int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
-                              struct cfg80211_csa_settings *csa_settings,
-                              bool csa_action);
+                              struct cfg80211_csa_settings *csa_settings);
 int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata);
 
 /* scan/BSS handling */
@@ -1553,6 +1556,9 @@ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
                                     struct sta_info *sta);
 enum ieee80211_sta_rx_bandwidth ieee80211_sta_cur_vht_bw(struct sta_info *sta);
 void ieee80211_sta_set_rx_nss(struct sta_info *sta);
+u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
+                                  struct sta_info *sta, u8 opmode,
+                                  enum ieee80211_band band, bool nss_only);
 void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                  struct sta_info *sta, u8 opmode,
                                  enum ieee80211_band band, bool nss_only);
@@ -1605,7 +1611,7 @@ static inline int __ieee80211_resume(struct ieee80211_hw *hw)
 }
 
 /* utility functions/constants */
-extern void *mac80211_wiphy_privid; /* for wiphy privid */
+extern const void *const mac80211_wiphy_privid; /* for wiphy privid */
 u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
                         enum nl80211_iftype type);
 int ieee80211_frame_duration(enum ieee80211_band band, size_t len,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index ce1c44370610..088111af6c7c 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -833,7 +833,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         cancel_work_sync(&local->dynamic_ps_enable_work);
 
         cancel_work_sync(&sdata->recalc_smps);
+        sdata_lock(sdata);
         sdata->vif.csa_active = false;
+        sdata_unlock(sdata);
         cancel_work_sync(&sdata->csa_finalize_work);
 
         cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index d767cfb9b45f..1f7d8422d62d 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -893,10 +893,15 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         /* mac80211 supports control port protocol changing */
         local->hw.wiphy->flags |= WIPHY_FLAG_CONTROL_PORT_PROTOCOL;
 
-        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
+        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) {
                 local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM;
-        else if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)
+        } else if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC) {
                 local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_UNSPEC;
+                if (hw->max_signal <= 0) {
+                        result = -EINVAL;
+                        goto fail_wiphy_register;
+                }
+        }
 
         WARN((local->hw.flags & IEEE80211_HW_SUPPORTS_UAPSD)
              && (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK),
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 5b919cab1de0..f70e9cd10552 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -688,7 +688,7 @@ ieee80211_mesh_build_beacon(struct ieee80211_if_mesh *ifmsh)
                 *pos++ = csa->settings.count;
                 *pos++ = WLAN_EID_CHAN_SWITCH_PARAM;
                 *pos++ = 6;
-                if (ifmsh->chsw_init) {
+                if (ifmsh->csa_role == IEEE80211_MESH_CSA_ROLE_INIT) {
                         *pos++ = ifmsh->mshcfg.dot11MeshTTL;
                         *pos |= WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
                 } else {
@@ -859,18 +859,12 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
 {
         struct cfg80211_csa_settings params;
         struct ieee80211_csa_ie csa_ie;
-        struct ieee80211_chanctx_conf *chanctx_conf;
-        struct ieee80211_chanctx *chanctx;
         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
         enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
-        int err, num_chanctx;
+        int err;
         u32 sta_flags;
 
-        if (sdata->vif.csa_active)
-                return true;
-
-        if (!ifmsh->mesh_id)
-                return false;
+        sdata_assert_lock(sdata);
 
         sta_flags = IEEE80211_STA_DISABLE_VHT;
         switch (sdata->vif.bss_conf.chandef.width) {
@@ -896,10 +890,6 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
         params.chandef = csa_ie.chandef;
         params.count = csa_ie.count;
 
-        if (sdata->vif.bss_conf.chandef.chan->band !=
-            params.chandef.chan->band)
-                return false;
-
         if (!cfg80211_chandef_usable(sdata->local->hw.wiphy, &params.chandef,
                                      IEEE80211_CHAN_DISABLED)) {
                 sdata_info(sdata,
@@ -922,24 +912,12 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
                 return false;
         }
 
-        rcu_read_lock();
-        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
-        if (!chanctx_conf)
-                goto failed_chswitch;
-
-        /* don't handle for multi-VIF cases */
-        chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, conf);
-        if (chanctx->refcount > 1)
-                goto failed_chswitch;
-
-        num_chanctx = 0;
-        list_for_each_entry_rcu(chanctx, &sdata->local->chanctx_list, list)
-                num_chanctx++;
-
-        if (num_chanctx > 1)
-                goto failed_chswitch;
-
-        rcu_read_unlock();
+        if (cfg80211_chandef_identical(&params.chandef,
+                                       &sdata->vif.bss_conf.chandef)) {
+                mcsa_dbg(sdata,
+                         "received csa with an identical chandef, ignoring\n");
+                return true;
+        }
 
         mcsa_dbg(sdata,
                  "received channel switch announcement to go to channel %d MHz\n",
@@ -953,30 +931,16 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
                 ifmsh->pre_value = csa_ie.pre_value;
         }
 
-        if (ifmsh->chsw_ttl < ifmsh->mshcfg.dot11MeshTTL) {
-                if (ieee80211_mesh_csa_beacon(sdata, &params, false) < 0)
-                        return false;
-        } else {
+        if (ifmsh->chsw_ttl >= ifmsh->mshcfg.dot11MeshTTL)
                 return false;
-        }
 
-        sdata->csa_radar_required = params.radar_required;
+        ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_REPEATER;
 
-        if (params.block_tx)
-                ieee80211_stop_queues_by_reason(&sdata->local->hw,
-                                IEEE80211_MAX_QUEUE_MAP,
-                                IEEE80211_QUEUE_STOP_REASON_CSA);
-
-        sdata->csa_chandef = params.chandef;
-        sdata->vif.csa_active = true;
-
-        ieee80211_bss_info_change_notify(sdata, err);
-        drv_channel_switch_beacon(sdata, &params.chandef);
+        if (ieee80211_channel_switch(sdata->local->hw.wiphy, sdata->dev,
+                                     &params) < 0)
+                return false;
 
         return true;
-failed_chswitch:
-        rcu_read_unlock();
-        return false;
 }
 
 static void
@@ -1086,7 +1050,8 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
                 ifmsh->sync_ops->rx_bcn_presp(sdata,
                         stype, mgmt, &elems, rx_status);
 
-        if (!ifmsh->chsw_init)
+        if (ifmsh->csa_role != IEEE80211_MESH_CSA_ROLE_INIT &&
+            !sdata->vif.csa_active)
                 ieee80211_mesh_process_chnswitch(sdata, &elems, true);
 }
 
@@ -1095,29 +1060,30 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
         struct mesh_csa_settings *tmp_csa_settings;
         int ret = 0;
+        int changed = 0;
 
         /* Reset the TTL value and Initiator flag */
-        ifmsh->chsw_init = false;
+        ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE;
         ifmsh->chsw_ttl = 0;
 
         /* Remove the CSA and MCSP elements from the beacon */
         tmp_csa_settings = rcu_dereference(ifmsh->csa);
         rcu_assign_pointer(ifmsh->csa, NULL);
-        kfree_rcu(tmp_csa_settings, rcu_head);
+        if (tmp_csa_settings)
+                kfree_rcu(tmp_csa_settings, rcu_head);
         ret = ieee80211_mesh_rebuild_beacon(sdata);
         if (ret)
                 return -EINVAL;
 
-        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
+        changed |= BSS_CHANGED_BEACON;
 
         mcsa_dbg(sdata, "complete switching to center freq %d MHz",
                  sdata->vif.bss_conf.chandef.chan->center_freq);
-        return 0;
+        return changed;
 }
 
 int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
-                              struct cfg80211_csa_settings *csa_settings,
-                              bool csa_action)
+                              struct cfg80211_csa_settings *csa_settings)
 {
         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
         struct mesh_csa_settings *tmp_csa_settings;
@@ -1141,12 +1107,7 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
                 return ret;
         }
 
-        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
-
-        if (csa_action)
-                ieee80211_send_action_csa(sdata, csa_settings);
-
-        return 0;
+        return BSS_CHANGED_BEACON;
 }
 
 static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
@@ -1210,7 +1171,8 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
 
         ifmsh->pre_value = pre_value;
 
-        if (!ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
+        if (!sdata->vif.csa_active &&
+            !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
                 mcsa_dbg(sdata, "Failed to process CSA action frame");
                 return;
         }
@@ -1257,7 +1219,7 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
         sdata_lock(sdata);
 
         /* mesh already went down */
-        if (!sdata->wdev.mesh_id_len)
+        if (!sdata->u.mesh.mesh_id_len)
                 goto out;
 
         rx_status = IEEE80211_SKB_RXCB(skb);
@@ -1310,7 +1272,7 @@ void ieee80211_mesh_work(struct ieee80211_sub_if_data *sdata)
         sdata_lock(sdata);
 
         /* mesh already went down */
-        if (!sdata->wdev.mesh_id_len)
+        if (!sdata->u.mesh.mesh_id_len)
                 goto out;
 
         if (ifmsh->preq_queue_len &&
@@ -1365,7 +1327,7 @@ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata)
         mesh_rmc_init(sdata);
         ifmsh->last_preq = jiffies;
         ifmsh->next_perr = jiffies;
-        ifmsh->chsw_init = false;
+        ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE;
         /* Allocate all mesh structures when creating the first mesh interface. */
         if (!mesh_allocated)
                 ieee80211s_init();
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index fc1d82465b3c..61604834b914 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -508,6 +508,7 @@ static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
         u8 *pos;
         u32 cap;
         struct ieee80211_sta_vht_cap vht_cap;
+        u32 mask, ap_bf_sts, our_bf_sts;
 
         BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
 
@@ -535,6 +536,16 @@ static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
                         cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
                 cap &= ~IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE;
 
+        mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
+
+        ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
+        our_bf_sts = cap & mask;
+
+        if (ap_bf_sts < our_bf_sts) {
+                cap &= ~mask;
+                cap |= ap_bf_sts;
+        }
+
         /* reserve and fill IE */
         pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
         ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
@@ -745,6 +756,34 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
                 ieee80211_add_ht_ie(sdata, skb, assoc_data->ap_ht_param,
                                     sband, chan, sdata->smps_mode);
 
+        /* if present, add any custom IEs that go before VHT */
+        if (assoc_data->ie_len) {
+                static const u8 before_vht[] = {
+                        WLAN_EID_SSID,
+                        WLAN_EID_SUPP_RATES,
+                        WLAN_EID_EXT_SUPP_RATES,
+                        WLAN_EID_PWR_CAPABILITY,
+                        WLAN_EID_SUPPORTED_CHANNELS,
+                        WLAN_EID_RSN,
+                        WLAN_EID_QOS_CAPA,
+                        WLAN_EID_RRM_ENABLED_CAPABILITIES,
+                        WLAN_EID_MOBILITY_DOMAIN,
+                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
+                        WLAN_EID_HT_CAPABILITY,
+                        WLAN_EID_BSS_COEX_2040,
+                        WLAN_EID_EXT_CAPABILITY,
+                        WLAN_EID_QOS_TRAFFIC_CAPA,
+                        WLAN_EID_TIM_BCAST_REQ,
+                        WLAN_EID_INTERWORKING,
+                };
+                noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
+                                             before_vht, ARRAY_SIZE(before_vht),
+                                             offset);
+                pos = skb_put(skb, noffset - offset);
+                memcpy(pos, assoc_data->ie + offset, noffset - offset);
+                offset = noffset;
+        }
+
         if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                 ieee80211_add_vht_ie(sdata, skb, sband,
                                      &assoc_data->ap_vht_cap);
@@ -1001,7 +1040,6 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         }
 
         ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
-        sdata->vif.csa_active = true;
 
         mutex_lock(&local->chanctx_mtx);
         if (local->use_chanctx) {
@@ -1039,6 +1077,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         mutex_unlock(&local->chanctx_mtx);
 
         sdata->csa_chandef = csa_ie.chandef;
+        sdata->vif.csa_active = true;
 
         if (csa_ie.mode)
                 ieee80211_stop_queues_by_reason(&local->hw,
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 22b223f13c9f..8fdadfd94ba8 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -10,15 +10,15 @@
 
 #include <linux/kernel.h>
 #include <linux/rtnetlink.h>
-#include <linux/slab.h>
 #include <linux/module.h>
+#include <linux/slab.h>
 #include "rate.h"
 #include "ieee80211_i.h"
 #include "debugfs.h"
 
 struct rate_control_alg {
         struct list_head list;
-        struct rate_control_ops *ops;
+        const struct rate_control_ops *ops;
 };
 
 static LIST_HEAD(rate_ctrl_algs);
@@ -29,7 +29,7 @@ module_param(ieee80211_default_rc_algo, charp, 0644);
 MODULE_PARM_DESC(ieee80211_default_rc_algo,
                  "Default rate control algorithm for mac80211 to use");
 
-int ieee80211_rate_control_register(struct rate_control_ops *ops)
+int ieee80211_rate_control_register(const struct rate_control_ops *ops)
 {
         struct rate_control_alg *alg;
 
@@ -60,7 +60,7 @@ int ieee80211_rate_control_register(struct rate_control_ops *ops)
 }
 EXPORT_SYMBOL(ieee80211_rate_control_register);
 
-void ieee80211_rate_control_unregister(struct rate_control_ops *ops)
+void ieee80211_rate_control_unregister(const struct rate_control_ops *ops)
 {
         struct rate_control_alg *alg;
 
@@ -76,32 +76,31 @@ void ieee80211_rate_control_unregister(struct rate_control_ops *ops)
 }
 EXPORT_SYMBOL(ieee80211_rate_control_unregister);
 
-static struct rate_control_ops *
+static const struct rate_control_ops *
 ieee80211_try_rate_control_ops_get(const char *name)
 {
         struct rate_control_alg *alg;
-        struct rate_control_ops *ops = NULL;
+        const struct rate_control_ops *ops = NULL;
 
         if (!name)
                 return NULL;
 
         mutex_lock(&rate_ctrl_mutex);
         list_for_each_entry(alg, &rate_ctrl_algs, list) {
-                if (!strcmp(alg->ops->name, name))
-                        if (try_module_get(alg->ops->module)) {
-                                ops = alg->ops;
-                                break;
-                        }
+                if (!strcmp(alg->ops->name, name)) {
+                        ops = alg->ops;
+                        break;
+                }
         }
         mutex_unlock(&rate_ctrl_mutex);
         return ops;
 }
 
 /* Get the rate control algorithm. */
-static struct rate_control_ops *
+static const struct rate_control_ops *
 ieee80211_rate_control_ops_get(const char *name)
 {
-        struct rate_control_ops *ops;
+        const struct rate_control_ops *ops;
         const char *alg_name;
 
         kparam_block_sysfs_write(ieee80211_default_rc_algo);
@@ -111,10 +110,6 @@ ieee80211_rate_control_ops_get(const char *name)
                 alg_name = name;
 
         ops = ieee80211_try_rate_control_ops_get(alg_name);
-        if (!ops) {
-                request_module("rc80211_%s", alg_name);
-                ops = ieee80211_try_rate_control_ops_get(alg_name);
-        }
         if (!ops && name)
                 /* try default if specific alg requested but not found */
                 ops = ieee80211_try_rate_control_ops_get(ieee80211_default_rc_algo);
@@ -127,11 +122,6 @@ ieee80211_rate_control_ops_get(const char *name)
         return ops;
 }
 
-static void ieee80211_rate_control_ops_put(struct rate_control_ops *ops)
-{
-        module_put(ops->module);
-}
-
 #ifdef CONFIG_MAC80211_DEBUGFS
 static ssize_t rcname_read(struct file *file, char __user *userbuf,
                            size_t count, loff_t *ppos)
@@ -158,11 +148,11 @@ static struct rate_control_ref *rate_control_alloc(const char *name,
 
         ref = kmalloc(sizeof(struct rate_control_ref), GFP_KERNEL);
         if (!ref)
-                goto fail_ref;
+                return NULL;
         ref->local = local;
         ref->ops = ieee80211_rate_control_ops_get(name);
         if (!ref->ops)
-                goto fail_ops;
+                goto free;
 
 #ifdef CONFIG_MAC80211_DEBUGFS
         debugfsdir = debugfs_create_dir("rc", local->hw.wiphy->debugfsdir);
@@ -172,14 +162,11 @@ static struct rate_control_ref *rate_control_alloc(const char *name,
 
         ref->priv = ref->ops->alloc(&local->hw, debugfsdir);
         if (!ref->priv)
-                goto fail_priv;
+                goto free;
         return ref;
 
-fail_priv:
-        ieee80211_rate_control_ops_put(ref->ops);
-fail_ops:
+free:
         kfree(ref);
-fail_ref:
         return NULL;
 }
 
@@ -192,7 +179,6 @@ static void rate_control_free(struct rate_control_ref *ctrl_ref)
         ctrl_ref->local->debugfs.rcdir = NULL;
 #endif
 
-        ieee80211_rate_control_ops_put(ctrl_ref->ops);
         kfree(ctrl_ref);
 }
 
diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
index b95e16c07081..9aa2a1190a86 100644
--- a/net/mac80211/rate.h
+++ b/net/mac80211/rate.h
@@ -21,7 +21,7 @@
 
 struct rate_control_ref {
         struct ieee80211_local *local;
-        struct rate_control_ops *ops;
+        const struct rate_control_ops *ops;
         void *priv;
 };
 
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index f3d88b0c054c..26fd94fa0aed 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -657,7 +657,7 @@ minstrel_free(void *priv)
         kfree(priv);
 }
 
-struct rate_control_ops mac80211_minstrel = {
+const struct rate_control_ops mac80211_minstrel = {
         .name = "minstrel",
         .tx_status = minstrel_tx_status,
         .get_rate = minstrel_get_rate,
diff --git a/net/mac80211/rc80211_minstrel.h b/net/mac80211/rc80211_minstrel.h
index f4301f4b2e41..046d1bd598a8 100644
--- a/net/mac80211/rc80211_minstrel.h
+++ b/net/mac80211/rc80211_minstrel.h
@@ -123,7 +123,7 @@ struct minstrel_debugfs_info {
         char buf[];
 };
 
-extern struct rate_control_ops mac80211_minstrel;
+extern const struct rate_control_ops mac80211_minstrel;
 void minstrel_add_sta_debugfs(void *priv, void *priv_sta, struct dentry *dir);
 void minstrel_remove_sta_debugfs(void *priv, void *priv_sta);
 
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index c1b5b73c5b91..bccaf854a309 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -124,7 +124,7 @@ const struct mcs_group minstrel_mcs_groups[] = {
 
 #define MINSTREL_CCK_GROUP      (ARRAY_SIZE(minstrel_mcs_groups) - 1)
 
-static u8 sample_table[SAMPLE_COLUMNS][MCS_GROUP_RATES];
+static u8 sample_table[SAMPLE_COLUMNS][MCS_GROUP_RATES] __read_mostly;
 
 static void
 minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi);
@@ -1031,7 +1031,7 @@ minstrel_ht_free(void *priv)
         mac80211_minstrel.free(priv);
 }
 
-static struct rate_control_ops mac80211_minstrel_ht = {
+static const struct rate_control_ops mac80211_minstrel_ht = {
         .name = "minstrel_ht",
         .tx_status = minstrel_ht_tx_status,
         .get_rate = minstrel_ht_get_rate,
@@ -1048,8 +1048,7 @@ static struct rate_control_ops mac80211_minstrel_ht = {
 };
 
 
-static void
-init_sample_table(void)
+static void __init init_sample_table(void)
 {
         int col, i, new_idx;
         u8 rnd[MCS_GROUP_RATES];
diff --git a/net/mac80211/rc80211_pid_algo.c b/net/mac80211/rc80211_pid_algo.c
index 958fad07b54c..d0da2a70fe68 100644
--- a/net/mac80211/rc80211_pid_algo.c
+++ b/net/mac80211/rc80211_pid_algo.c
@@ -452,7 +452,7 @@ static void rate_control_pid_free_sta(void *priv, struct ieee80211_sta *sta,
         kfree(priv_sta);
 }
 
-static struct rate_control_ops mac80211_rcpid = {
+static const struct rate_control_ops mac80211_rcpid = {
         .name = "pid",
         .tx_status = rate_control_pid_tx_status,
         .get_rate = rate_control_pid_get_rate,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index c24ca0d0f469..593062109c50 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -40,8 +40,6 @@
 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
                                            struct sk_buff *skb)
 {
-        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
-
         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
                 if (likely(skb->len > FCS_LEN))
                         __pskb_trim(skb, skb->len - FCS_LEN);
@@ -53,9 +51,6 @@ static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
                 }
         }
 
-        if (status->vendor_radiotap_len)
-                __pskb_pull(skb, status->vendor_radiotap_len);
-
         return skb;
 }
 
@@ -64,14 +59,13 @@ static inline int should_drop_frame(struct sk_buff *skb, int present_fcs_len)
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
         struct ieee80211_hdr *hdr;
 
-        hdr = (void *)(skb->data + status->vendor_radiotap_len);
+        hdr = (void *)(skb->data);
 
         if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
                             RX_FLAG_FAILED_PLCP_CRC |
                             RX_FLAG_AMPDU_IS_ZEROLEN))
                 return 1;
-        if (unlikely(skb->len < 16 + present_fcs_len +
-                                status->vendor_radiotap_len))
+        if (unlikely(skb->len < 16 + present_fcs_len))
                 return 1;
         if (ieee80211_is_ctl(hdr->frame_control) &&
             !ieee80211_is_pspoll(hdr->frame_control) &&
@@ -90,8 +84,6 @@ ieee80211_rx_radiotap_space(struct ieee80211_local *local,
         len = sizeof(struct ieee80211_radiotap_header) + 8;
 
         /* allocate extra bitmaps */
-        if (status->vendor_radiotap_len)
-                len += 4;
         if (status->chains)
                 len += 4 * hweight8(status->chains);
 
@@ -127,18 +119,6 @@ ieee80211_rx_radiotap_space(struct ieee80211_local *local,
                 len += 2 * hweight8(status->chains);
         }
 
-        if (status->vendor_radiotap_len) {
-                if (WARN_ON_ONCE(status->vendor_radiotap_align == 0))
-                        status->vendor_radiotap_align = 1;
-                /* align standard part of vendor namespace */
-                len = ALIGN(len, 2);
-                /* allocate standard part of vendor namespace */
-                len += 6;
-                /* align vendor-defined part */
-                len = ALIGN(len, status->vendor_radiotap_align);
-                /* vendor-defined part is already in skb */
-        }
-
         return len;
 }
 
@@ -172,7 +152,7 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
         it_present = &rthdr->it_present;
 
         /* radiotap header, set always present flags */
-        rthdr->it_len = cpu_to_le16(rtap_len + status->vendor_radiotap_len);
+        rthdr->it_len = cpu_to_le16(rtap_len);
         it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
                          BIT(IEEE80211_RADIOTAP_CHANNEL) |
                          BIT(IEEE80211_RADIOTAP_RX_FLAGS);
@@ -190,14 +170,6 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                                  BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
         }
 
-        if (status->vendor_radiotap_len) {
-                it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
-                                  BIT(IEEE80211_RADIOTAP_EXT);
-                put_unaligned_le32(it_present_val, it_present);
-                it_present++;
-                it_present_val = status->vendor_radiotap_bitmap;
-        }
-
         put_unaligned_le32(it_present_val, it_present);
 
         pos = (void *)(it_present + 1);
@@ -307,6 +279,8 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                         *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
                 if (status->flag & RX_FLAG_HT_GF)
                         *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
+                if (status->flag & RX_FLAG_LDPC)
+                        *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
                 stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
                 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
                 pos++;
@@ -349,20 +323,23 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 
                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
                 /* known field - how to handle 80+80? */
-                if (status->flag & RX_FLAG_80P80MHZ)
+                if (status->vht_flag & RX_VHT_FLAG_80P80MHZ)
                         known &= ~IEEE80211_RADIOTAP_VHT_KNOWN_BANDWIDTH;
                 put_unaligned_le16(known, pos);
                 pos += 2;
                 /* flags */
                 if (status->flag & RX_FLAG_SHORT_GI)
                         *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
+                /* in VHT, STBC is binary */
+                if (status->flag & RX_FLAG_STBC_MASK)
+                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
                 pos++;
                 /* bandwidth */
-                if (status->flag & RX_FLAG_80MHZ)
+                if (status->vht_flag & RX_VHT_FLAG_80MHZ)
                         *pos++ = 4;
-                else if (status->flag & RX_FLAG_80P80MHZ)
+                else if (status->vht_flag & RX_VHT_FLAG_80P80MHZ)
                         *pos++ = 0; /* marked not known above */
-                else if (status->flag & RX_FLAG_160MHZ)
+                else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
                         *pos++ = 11;
                 else if (status->flag & RX_FLAG_40MHZ)
                         *pos++ = 1;
@@ -372,6 +349,8 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                 *pos = (status->rate_idx << 4) | status->vht_nss;
                 pos += 4;
                 /* coding field */
+                if (status->flag & RX_FLAG_LDPC)
+                        *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
                 pos++;
                 /* group ID */
                 pos++;
@@ -383,21 +362,6 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                 *pos++ = status->chain_signal[chain];
                 *pos++ = chain;
         }
-
-        if (status->vendor_radiotap_len) {
-                /* ensure 2 byte alignment for the vendor field as required */
-                if ((pos - (u8 *)rthdr) & 1)
-                        *pos++ = 0;
-                *pos++ = status->vendor_radiotap_oui[0];
-                *pos++ = status->vendor_radiotap_oui[1];
-                *pos++ = status->vendor_radiotap_oui[2];
-                *pos++ = status->vendor_radiotap_subns;
-                put_unaligned_le16(status->vendor_radiotap_len, pos);
-                pos += 2;
-                /* align the actual payload as requested */
-                while ((pos - (u8 *)rthdr) & (status->vendor_radiotap_align - 1))
-                        *pos++ = 0;
-        }
 }
 
 /*
@@ -428,8 +392,8 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
                 present_fcs_len = FCS_LEN;
 
-        /* ensure hdr->frame_control and vendor radiotap data are in skb head */
-        if (!pskb_may_pull(origskb, 2 + status->vendor_radiotap_len)) {
+        /* ensure hdr->frame_control is in skb head */
+        if (!pskb_may_pull(origskb, 2)) {
                 dev_kfree_skb(origskb);
                 return NULL;
         }
@@ -599,10 +563,10 @@ static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 
-        if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
+        if (is_multicast_ether_addr(hdr->addr1))
                 return 0;
 
-        return ieee80211_is_robust_mgmt_frame(hdr);
+        return ieee80211_is_robust_mgmt_frame(skb);
 }
 
 
@@ -610,10 +574,10 @@ static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 
-        if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
+        if (!is_multicast_ether_addr(hdr->addr1))
                 return 0;
 
-        return ieee80211_is_robust_mgmt_frame(hdr);
+        return ieee80211_is_robust_mgmt_frame(skb);
 }
 
 
@@ -626,7 +590,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
         if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
                 return -1;
 
-        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
+        if (!ieee80211_is_robust_mgmt_frame(skb))
                 return -1; /* not a robust management frame */
 
         mmie = (struct ieee80211_mmie *)
@@ -1261,6 +1225,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
                         if (ieee80211_is_data(hdr->frame_control)) {
                                 sta->last_rx_rate_idx = status->rate_idx;
                                 sta->last_rx_rate_flag = status->flag;
+                                sta->last_rx_rate_vht_flag = status->vht_flag;
                                 sta->last_rx_rate_vht_nss = status->vht_nss;
                         }
                 }
@@ -1311,18 +1276,15 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
             !ieee80211_has_morefrags(hdr->frame_control) &&
             !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
             (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
-             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
+             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
+            /* PM bit is only checked in frames where it isn't reserved,
+             * in AP mode it's reserved in non-bufferable management frames
+             * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
+             */
+            (!ieee80211_is_mgmt(hdr->frame_control) ||
+             ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
                 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
-                        /*
-                         * Ignore doze->wake transitions that are
-                         * indicated by non-data frames, the standard
-                         * is unclear here, but for example going to
-                         * PS mode and then scanning would cause a
-                         * doze->wake transition for the probe request,
-                         * and that is clearly undesirable.
-                         */
-                        if (ieee80211_is_data(hdr->frame_control) &&
-                            !ieee80211_has_pm(hdr->frame_control))
+                        if (!ieee80211_has_pm(hdr->frame_control))
                                 sta_ps_end(sta);
                 } else {
                         if (ieee80211_has_pm(hdr->frame_control))
@@ -1845,8 +1807,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
                  * having configured keys.
                  */
                 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
-                             ieee80211_is_robust_mgmt_frame(
-                                     (struct ieee80211_hdr *) rx->skb->data)))
+                             ieee80211_is_robust_mgmt_frame(rx->skb)))
                         return -EACCES;
         }
 
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index d77ff7090630..d4d85de0d75d 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -261,6 +261,7 @@ struct ieee80211_tx_latency_stat {
  *      "the" transmit rate
  * @last_rx_rate_idx: rx status rate index of the last data packet
  * @last_rx_rate_flag: rx status flag of the last data packet
+ * @last_rx_rate_vht_flag: rx status vht flag of the last data packet
  * @last_rx_rate_vht_nss: rx status nss of last data packet
  * @lock: used for locking all fields that require locking, see comments
  *      in the header file.
@@ -397,6 +398,7 @@ struct sta_info {
         struct ieee80211_tx_rate last_tx_rate;
         int last_rx_rate_idx;
         u32 last_rx_rate_flag;
+        u32 last_rx_rate_vht_flag;
         u8 last_rx_rate_vht_nss;
         u16 tid_seq[IEEE80211_QOS_CTL_TID_MASK + 1];
 
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 1ee85c402439..e6e574a307c8 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -479,7 +479,7 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
         u32 msrmnt;
         u16 tid;
         u8 *qc;
-        int i, bin_range_count, bin_count;
+        int i, bin_range_count;
         u32 *bin_ranges;
         __le16 fc;
         struct ieee80211_tx_latency_stat *tx_lat;
@@ -522,7 +522,6 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
         /* count how many Tx frames transmitted with the appropriate latency */
         bin_range_count = tx_latency->n_ranges;
         bin_ranges = tx_latency->ranges;
-        bin_count = tx_lat->bin_count;
 
         for (i = 0; i < bin_range_count; i++) {
                 if (msrmnt <= bin_ranges[i]) {
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 97a02d3f7d87..722151fa5dce 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, struct sta_info *sta,
         if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
                 return 0;
 
-        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
-                                            skb->data))
+        if (!ieee80211_is_robust_mgmt_frame(skb))
                 return 0;
 
         return 1;
@@ -523,11 +522,8 @@ ieee80211_tx_h_ps_buf(struct ieee80211_tx_data *tx)
         if (unlikely(tx->flags & IEEE80211_TX_PS_BUFFERED))
                 return TX_CONTINUE;
 
-        /* only deauth, disassoc and action are bufferable MMPDUs */
         if (ieee80211_is_mgmt(hdr->frame_control) &&
-            !ieee80211_is_deauth(hdr->frame_control) &&
-            !ieee80211_is_disassoc(hdr->frame_control) &&
-            !ieee80211_is_action(hdr->frame_control)) {
+            !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
                 if (tx->flags & IEEE80211_TX_UNICAST)
                         info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
                 return TX_CONTINUE;
@@ -567,7 +563,7 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
                 tx->key = key;
         else if (ieee80211_is_mgmt(hdr->frame_control) &&
                  is_multicast_ether_addr(hdr->addr1) &&
-                 ieee80211_is_robust_mgmt_frame(hdr) &&
+                 ieee80211_is_robust_mgmt_frame(tx->skb) &&
                  (key = rcu_dereference(tx->sdata->default_mgmt_key)))
                 tx->key = key;
         else if (is_multicast_ether_addr(hdr->addr1) &&
@@ -582,12 +578,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
                 tx->key = NULL;
         else if (tx->skb->protocol == tx->sdata->control_port_protocol)
                 tx->key = NULL;
-        else if (ieee80211_is_robust_mgmt_frame(hdr) &&
+        else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
                  !(ieee80211_is_action(hdr->frame_control) &&
                    tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
                 tx->key = NULL;
         else if (ieee80211_is_mgmt(hdr->frame_control) &&
-                 !ieee80211_is_robust_mgmt_frame(hdr))
+                 !ieee80211_is_robust_mgmt_frame(tx->skb))
                 tx->key = NULL;
         else {
                 I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
@@ -2402,15 +2398,6 @@ static int ieee80211_beacon_add_tim(struct ieee80211_sub_if_data *sdata,
         return 0;
 }
 
-void ieee80211_csa_finish(struct ieee80211_vif *vif)
-{
-        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
-
-        ieee80211_queue_work(&sdata->local->hw,
-                             &sdata->csa_finalize_work);
-}
-EXPORT_SYMBOL(ieee80211_csa_finish);
-
 static void ieee80211_update_csa(struct ieee80211_sub_if_data *sdata,
                                  struct beacon_data *beacon)
 {
@@ -2439,8 +2426,12 @@ static void ieee80211_update_csa(struct ieee80211_sub_if_data *sdata,
         if (WARN_ON(counter_offset_beacon >= beacon_data_len))
                 return;
 
-        /* warn if the driver did not check for/react to csa completeness */
-        if (WARN_ON(beacon_data[counter_offset_beacon] == 0))
+        /* Warn if the driver did not check for/react to csa
+         * completeness.  A beacon with CSA counter set to 0 should
+         * never occur, because a counter of 1 means switch just
+         * before the next beacon.
+         */
+        if (WARN_ON(beacon_data[counter_offset_beacon] == 1))
                 return;
 
         beacon_data[counter_offset_beacon]--;
@@ -2506,7 +2497,7 @@ bool ieee80211_csa_is_complete(struct ieee80211_vif *vif)
         if (WARN_ON(counter_beacon > beacon_data_len))
                 goto out;
 
-        if (beacon_data[counter_beacon] == 0)
+        if (beacon_data[counter_beacon] == 1)
                 ret = true;
  out:
         rcu_read_unlock();
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 676dc0967f37..d842af5c8a95 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -34,7 +34,7 @@
 #include "wep.h"
 
 /* privid for wiphys to determine whether they belong to us or not */
-void *mac80211_wiphy_privid = &mac80211_wiphy_privid;
+const void *const mac80211_wiphy_privid = &mac80211_wiphy_privid;
 
 struct ieee80211_hw *wiphy_to_ieee80211_hw(struct wiphy *wiphy)
 {
@@ -1281,13 +1281,32 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
          * that calculates local->scan_ies_len.
          */
 
-        /* add any remaining custom IEs */
+        /* insert custom IEs that go before VHT */
         if (ie && ie_len) {
-                noffset = ie_len;
+                static const u8 before_vht[] = {
+                        WLAN_EID_SSID,
+                        WLAN_EID_SUPP_RATES,
+                        WLAN_EID_REQUEST,
+                        WLAN_EID_EXT_SUPP_RATES,
+                        WLAN_EID_DS_PARAMS,
+                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
+                        WLAN_EID_HT_CAPABILITY,
+                        WLAN_EID_BSS_COEX_2040,
+                        WLAN_EID_EXT_CAPABILITY,
+                        WLAN_EID_SSID_LIST,
+                        WLAN_EID_CHANNEL_USAGE,
+                        WLAN_EID_INTERWORKING,
+                        /* mesh ID can't happen here */
+                        /* 60 GHz can't happen here right now */
+                };
+                noffset = ieee80211_ie_split(ie, ie_len,
+                                             before_vht, ARRAY_SIZE(before_vht),
+                                             offset);
                 if (end - pos < noffset - offset)
                         goto out_err;
                 memcpy(pos, ie + offset, noffset - offset);
                 pos += noffset - offset;
+                offset = noffset;
         }
 
         if (sband->vht_cap.vht_supported) {
@@ -1297,6 +1316,15 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
                                                  sband->vht_cap.cap);
         }
 
+        /* add any remaining custom IEs */
+        if (ie && ie_len) {
+                noffset = ie_len;
+                if (end - pos < noffset - offset)
+                        goto out_err;
+                memcpy(pos, ie + offset, noffset - offset);
+                pos += noffset - offset;
+        }
+
         return pos - buffer;
  out_err:
         WARN_ONCE(1, "not enough space for preq IEs\n");
@@ -1374,7 +1402,6 @@ u32 ieee80211_sta_get_rates(struct ieee80211_sub_if_data *sdata,
                             enum ieee80211_band band, u32 *basic_rates)
 {
         struct ieee80211_supported_band *sband;
-        struct ieee80211_rate *bitrates;
         size_t num_rates;
         u32 supp_rates, rate_flags;
         int i, j, shift;
@@ -1386,7 +1413,6 @@ u32 ieee80211_sta_get_rates(struct ieee80211_sub_if_data *sdata,
         if (WARN_ON(!sband))
                 return 1;
 
-        bitrates = sband->bitrates;
         num_rates = sband->n_bitrates;
         supp_rates = 0;
         for (i = 0; i < elems->supp_rates_len +
@@ -2272,11 +2298,11 @@ u64 ieee80211_calculate_rx_timestamp(struct ieee80211_local *local,
                 ri.nss = status->vht_nss;
                 if (status->flag & RX_FLAG_40MHZ)
                         ri.flags |= RATE_INFO_FLAGS_40_MHZ_WIDTH;
-                if (status->flag & RX_FLAG_80MHZ)
+                if (status->vht_flag & RX_VHT_FLAG_80MHZ)
                         ri.flags |= RATE_INFO_FLAGS_80_MHZ_WIDTH;
-                if (status->flag & RX_FLAG_80P80MHZ)
+                if (status->vht_flag & RX_VHT_FLAG_80P80MHZ)
                         ri.flags |= RATE_INFO_FLAGS_80P80_MHZ_WIDTH;
-                if (status->flag & RX_FLAG_160MHZ)
+                if (status->vht_flag & RX_VHT_FLAG_160MHZ)
                         ri.flags |= RATE_INFO_FLAGS_160_MHZ_WIDTH;
                 if (status->flag & RX_FLAG_SHORT_GI)
                         ri.flags |= RATE_INFO_FLAGS_SHORT_GI;
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
index d75f35c6e1a0..e9e36a256165 100644
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -349,9 +349,9 @@ void ieee80211_sta_set_rx_nss(struct sta_info *sta)
         sta->sta.rx_nss = max_t(u8, 1, ht_rx_nss);
 }
 
-void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
-                                 struct sta_info *sta, u8 opmode,
-                                 enum ieee80211_band band, bool nss_only)
+u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
+                                  struct sta_info *sta, u8 opmode,
+                                  enum ieee80211_band band, bool nss_only)
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_supported_band *sband;
@@ -363,7 +363,7 @@ void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
 
         /* ignore - no support for BF yet */
         if (opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)
-                return;
+                return 0;
 
         nss = opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
         nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
@@ -375,7 +375,7 @@ void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
         }
 
         if (nss_only)
-                goto change;
+                return changed;
 
         switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) {
         case IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ:
@@ -398,7 +398,19 @@ void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                 changed |= IEEE80211_RC_BW_CHANGED;
         }
 
- change:
-        if (changed)
+        return changed;
+}
+
+void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
+                                 struct sta_info *sta, u8 opmode,
+                                 enum ieee80211_band band, bool nss_only)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
+
+        u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode,
+                                                    band, nss_only);
+
+        if (changed > 0)
                 rate_control_rate_update(local, sband, sta, changed);
 }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 21448d629b15..b8600e3c29c8 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -301,8 +301,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
 }
 
 
-static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad,
-                                int encrypted)
+static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
 {
         __le16 mask_fc;
         int a4_included, mgmt;
@@ -456,7 +455,7 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
                 return 0;
 
         pos += IEEE80211_CCMP_HDR_LEN;
-        ccmp_special_blocks(skb, pn, b_0, aad, 0);
+        ccmp_special_blocks(skb, pn, b_0, aad);
         ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
                                   skb_put(skb, IEEE80211_CCMP_MIC_LEN));
 
@@ -495,7 +494,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
         hdrlen = ieee80211_hdrlen(hdr->frame_control);
 
         if (!ieee80211_is_data(hdr->frame_control) &&
-            !ieee80211_is_robust_mgmt_frame(hdr))
+            !ieee80211_is_robust_mgmt_frame(skb))
                 return RX_CONTINUE;
 
         data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
@@ -524,7 +523,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
                 u8 aad[2 * AES_BLOCK_SIZE];
                 u8 b_0[AES_BLOCK_SIZE];
                 /* hardware didn't decrypt/verify MIC */
-                ccmp_special_blocks(skb, pn, b_0, aad, 1);
+                ccmp_special_blocks(skb, pn, b_0, aad);
 
                 if (ieee80211_aes_ccm_decrypt(
                             key->u.ccmp.tfm, b_0, aad,
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index ed7e0b4e7f90..b3b16c070a7f 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -789,7 +789,8 @@ void rfkill_resume_polling(struct rfkill *rfkill)
         if (!rfkill->ops->poll)
                 return;
 
-        schedule_work(&rfkill->poll_work.work);
+        queue_delayed_work(system_power_efficient_wq,
+                           &rfkill->poll_work, 0);
 }
 EXPORT_SYMBOL(rfkill_resume_polling);
 
@@ -894,7 +895,8 @@ static void rfkill_poll(struct work_struct *work)
          */
         rfkill->ops->poll(rfkill, rfkill->data);
 
-        schedule_delayed_work(&rfkill->poll_work,
+        queue_delayed_work(system_power_efficient_wq,
+                &rfkill->poll_work,
                 round_jiffies_relative(POLL_INTERVAL));
 }
 
@@ -958,7 +960,8 @@ int __must_check rfkill_register(struct rfkill *rfkill)
         INIT_WORK(&rfkill->sync_work, rfkill_sync_work);
 
         if (rfkill->ops->poll)
-                schedule_delayed_work(&rfkill->poll_work,
+                queue_delayed_work(system_power_efficient_wq,
+                        &rfkill->poll_work,
                         round_jiffies_relative(POLL_INTERVAL));
 
         if (!rfkill->persistent || rfkill_epo_lock_active) {
diff --git a/net/wireless/ap.c b/net/wireless/ap.c
index 11ee4ed04f73..68602be07cc1 100644
--- a/net/wireless/ap.c
+++ b/net/wireless/ap.c
@@ -27,9 +27,10 @@ static int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
         err = rdev_stop_ap(rdev, dev);
         if (!err) {
                 wdev->beacon_interval = 0;
-                wdev->channel = NULL;
+                memset(&wdev->chandef, 0, sizeof(wdev->chandef));
                 wdev->ssid_len = 0;
                 rdev_set_qos_map(rdev, dev, NULL);
+                nl80211_send_ap_stopped(wdev);
         }
 
         return err;
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index a04b884f5d04..2d4268c5529d 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -642,7 +642,8 @@ int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
 void
 cfg80211_get_chan_state(struct wireless_dev *wdev,
                         struct ieee80211_channel **chan,
-                        enum cfg80211_chan_mode *chanmode)
+                        enum cfg80211_chan_mode *chanmode,
+                        u8 *radar_detect)
 {
         *chan = NULL;
         *chanmode = CHAN_MODE_UNDEFINED;
@@ -660,6 +661,11 @@ cfg80211_get_chan_state(struct wireless_dev *wdev,
                                      !wdev->ibss_dfs_possible)
                                   ? CHAN_MODE_SHARED
                                   : CHAN_MODE_EXCLUSIVE;
+
+                        /* consider worst-case - IBSS can try to return to the
+                         * original user-specified channel as creator */
+                        if (wdev->ibss_dfs_possible)
+                                *radar_detect |= BIT(wdev->chandef.width);
                         return;
                 }
                 break;
@@ -674,17 +680,26 @@ cfg80211_get_chan_state(struct wireless_dev *wdev,
         case NL80211_IFTYPE_AP:
         case NL80211_IFTYPE_P2P_GO:
                 if (wdev->cac_started) {
-                        *chan = wdev->channel;
+                        *chan = wdev->chandef.chan;
                         *chanmode = CHAN_MODE_SHARED;
+                        *radar_detect |= BIT(wdev->chandef.width);
                 } else if (wdev->beacon_interval) {
-                        *chan = wdev->channel;
+                        *chan = wdev->chandef.chan;
                         *chanmode = CHAN_MODE_SHARED;
+
+                        if (cfg80211_chandef_dfs_required(wdev->wiphy,
+                                                          &wdev->chandef))
+                                *radar_detect |= BIT(wdev->chandef.width);
                 }
                 return;
         case NL80211_IFTYPE_MESH_POINT:
                 if (wdev->mesh_id_len) {
-                        *chan = wdev->channel;
+                        *chan = wdev->chandef.chan;
                         *chanmode = CHAN_MODE_SHARED;
+
+                        if (cfg80211_chandef_dfs_required(wdev->wiphy,
+                                                          &wdev->chandef))
+                                *radar_detect |= BIT(wdev->chandef.width);
                 }
                 return;
         case NL80211_IFTYPE_MONITOR:
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 010892b81a06..76ae6a605abb 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -737,7 +737,7 @@ void cfg80211_unregister_wdev(struct wireless_dev *wdev)
 }
 EXPORT_SYMBOL(cfg80211_unregister_wdev);
 
-static struct device_type wiphy_type = {
+static const struct device_type wiphy_type = {
         .name   = "wlan",
 };
 
diff --git a/net/wireless/core.h b/net/wireless/core.h
index f1d193b557b6..40683004d523 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -211,6 +211,7 @@ struct cfg80211_event {
                 } dc;
                 struct {
                         u8 bssid[ETH_ALEN];
+                        struct ieee80211_channel *channel;
                 } ij;
         };
 };
@@ -258,7 +259,8 @@ int __cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
                           struct net_device *dev, bool nowext);
 int cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
                         struct net_device *dev, bool nowext);
-void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid);
+void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
+                            struct ieee80211_channel *channel);
 int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
                             struct wireless_dev *wdev);
 
@@ -443,7 +445,8 @@ static inline unsigned int elapsed_jiffies_msecs(unsigned long start)
 void
 cfg80211_get_chan_state(struct wireless_dev *wdev,
                         struct ieee80211_channel **chan,
-                        enum cfg80211_chan_mode *chanmode);
+                        enum cfg80211_chan_mode *chanmode,
+                        u8 *radar_detect);
 
 int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
                                  struct cfg80211_chan_def *chandef);
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index f911c5f9f903..1470b90e438f 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -14,7 +14,8 @@
 #include "rdev-ops.h"
 
 
-void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
+void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
+                            struct ieee80211_channel *channel)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_bss *bss;
@@ -28,8 +29,7 @@ void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
         if (!wdev->ssid_len)
                 return;
 
-        bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
-                               wdev->ssid, wdev->ssid_len,
+        bss = cfg80211_get_bss(wdev->wiphy, channel, bssid, NULL, 0,
                                WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_IBSS);
 
         if (WARN_ON(!bss))
@@ -54,21 +54,26 @@ void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
 #endif
 }
 
-void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
+void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
+                          struct ieee80211_channel *channel, gfp_t gfp)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         struct cfg80211_event *ev;
         unsigned long flags;
 
-        trace_cfg80211_ibss_joined(dev, bssid);
+        trace_cfg80211_ibss_joined(dev, bssid, channel);
+
+        if (WARN_ON(!channel))
+                return;
 
         ev = kzalloc(sizeof(*ev), gfp);
         if (!ev)
                 return;
 
         ev->type = EVENT_IBSS_JOINED;
-        memcpy(ev->cr.bssid, bssid, ETH_ALEN);
+        memcpy(ev->ij.bssid, bssid, ETH_ALEN);
+        ev->ij.channel = channel;
 
         spin_lock_irqsave(&wdev->event_lock, flags);
         list_add_tail(&ev->list, &wdev->event_list);
@@ -117,6 +122,7 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
 
         wdev->ibss_fixed = params->channel_fixed;
         wdev->ibss_dfs_possible = params->userspace_handles_dfs;
+        wdev->chandef = params->chandef;
 #ifdef CONFIG_CFG80211_WEXT
         wdev->wext.ibss.chandef = params->chandef;
 #endif
@@ -200,6 +206,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
 
         wdev->current_bss = NULL;
         wdev->ssid_len = 0;
+        memset(&wdev->chandef, 0, sizeof(wdev->chandef));
 #ifdef CONFIG_CFG80211_WEXT
         if (!nowext)
                 wdev->wext.ibss.ssid_len = 0;
diff --git a/net/wireless/mesh.c b/net/wireless/mesh.c
index 885862447b63..d42a3fcb2f67 100644
--- a/net/wireless/mesh.c
+++ b/net/wireless/mesh.c
@@ -195,7 +195,7 @@ int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
         if (!err) {
                 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
                 wdev->mesh_id_len = setup->mesh_id_len;
-                wdev->channel = setup->chandef.chan;
+                wdev->chandef = setup->chandef;
         }
 
         return err;
@@ -244,7 +244,7 @@ int cfg80211_set_mesh_channel(struct cfg80211_registered_device *rdev,
                 err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
                                                      chandef->chan);
                 if (!err)
-                        wdev->channel = chandef->chan;
+                        wdev->chandef = *chandef;
 
                 return err;
         }
@@ -276,7 +276,7 @@ static int __cfg80211_leave_mesh(struct cfg80211_registered_device *rdev,
         err = rdev_leave_mesh(rdev, dev);
         if (!err) {
                 wdev->mesh_id_len = 0;
-                wdev->channel = NULL;
+                memset(&wdev->chandef, 0, sizeof(wdev->chandef));
                 rdev_set_qos_map(rdev, dev, NULL);
         }
 
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 52cca05044a8..d47c9d127b1e 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -772,7 +772,7 @@ void cfg80211_cac_event(struct net_device *netdev,
         if (WARN_ON(!wdev->cac_started))
                 return;
 
-        if (WARN_ON(!wdev->channel))
+        if (WARN_ON(!wdev->chandef.chan))
                 return;
 
         switch (event) {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 4fe2e6e2bc76..8e6b6a2d35cb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -382,6 +382,8 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
         [NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
         [NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
                                    .len = IEEE80211_QOS_MAP_LEN_MAX },
+        [NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
+        [NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
 };
 
 /* policy for the key attributes */
@@ -855,6 +857,19 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
         return 0;
 }
 
+static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
+                                                        struct nlattr *tb)
+{
+        struct ieee80211_channel *chan;
+
+        if (tb == NULL)
+                return NULL;
+        chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
+        if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
+                return NULL;
+        return chan;
+}
+
 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
 {
         struct nlattr *nl_modes = nla_nest_start(msg, attr);
@@ -1586,6 +1601,12 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *dev,
                     (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
                      nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
                         goto nla_put_failure;
+
+                if (dev->wiphy.max_ap_assoc_sta &&
+                    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
+                                dev->wiphy.max_ap_assoc_sta))
+                        goto nla_put_failure;
+
                 state->split_start++;
                 break;
         case 11:
@@ -2035,10 +2056,12 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                 nla_for_each_nested(nl_txq_params,
                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
                                     rem_txq_params) {
-                        nla_parse(tb, NL80211_TXQ_ATTR_MAX,
-                                  nla_data(nl_txq_params),
-                                  nla_len(nl_txq_params),
-                                  txq_params_policy);
+                        result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
+                                           nla_data(nl_txq_params),
+                                           nla_len(nl_txq_params),
+                                           txq_params_policy);
+                        if (result)
+                                return result;
                         result = parse_txq_params(tb, &txq_params);
                         if (result)
                                 return result;
@@ -3259,7 +3282,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
         if (!err) {
                 wdev->preset_chandef = params.chandef;
                 wdev->beacon_interval = params.beacon_interval;
-                wdev->channel = params.chandef.chan;
+                wdev->chandef = params.chandef;
                 wdev->ssid_len = params.ssid_len;
                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
         }
@@ -3902,8 +3925,8 @@ static struct net_device *get_vlan(struct genl_info *info,
         return ERR_PTR(ret);
 }
 
-static struct nla_policy
-nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
+static const struct nla_policy
+nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
 };
@@ -4604,8 +4627,6 @@ static int parse_reg_rule(struct nlattr *tb[],
                 return -EINVAL;
         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
                 return -EINVAL;
-        if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
-                return -EINVAL;
         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
                 return -EINVAL;
 
@@ -4615,8 +4636,9 @@ static int parse_reg_rule(struct nlattr *tb[],
                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
         freq_range->end_freq_khz =
                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
-        freq_range->max_bandwidth_khz =
-                nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
+        if (tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
+                freq_range->max_bandwidth_khz =
+                        nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
 
         power_rule->max_eirp =
                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
@@ -5086,6 +5108,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
                 const struct ieee80211_reg_rule *reg_rule;
                 const struct ieee80211_freq_range *freq_range;
                 const struct ieee80211_power_rule *power_rule;
+                unsigned int max_bandwidth_khz;
 
                 reg_rule = &regdom->reg_rules[i];
                 freq_range = &reg_rule->freq_range;
@@ -5095,6 +5118,11 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
                 if (!nl_reg_rule)
                         goto nla_put_failure_rcu;
 
+                max_bandwidth_khz = freq_range->max_bandwidth_khz;
+                if (!max_bandwidth_khz)
+                        max_bandwidth_khz = reg_get_max_bandwidth(regdom,
+                                                                  reg_rule);
+
                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
                                 reg_rule->flags) ||
                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
@@ -5102,7 +5130,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
                                 freq_range->end_freq_khz) ||
                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
-                                freq_range->max_bandwidth_khz) ||
+                                max_bandwidth_khz) ||
                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
                                 power_rule->max_antenna_gain) ||
                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
@@ -5178,9 +5206,11 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
 
         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
                             rem_reg_rules) {
-                nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
-                          nla_data(nl_reg_rule), nla_len(nl_reg_rule),
-                          reg_rule_policy);
+                r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
+                              nla_data(nl_reg_rule), nla_len(nl_reg_rule),
+                              reg_rule_policy);
+                if (r)
+                        goto bad_reg;
                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
                 if (r)
                         goto bad_reg;
@@ -5443,6 +5473,7 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
         enum ieee80211_band band;
         size_t ie_len;
         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
+        s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
 
         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
             !rdev->ops->sched_scan_start)
@@ -5477,11 +5508,40 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
         if (n_ssids > wiphy->max_sched_scan_ssids)
                 return -EINVAL;
 
-        if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
+        /*
+         * First, count the number of 'real' matchsets. Due to an issue with
+         * the old implementation, matchsets containing only the RSSI attribute
+         * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
+         * RSSI for all matchsets, rather than their own matchset for reporting
+         * all APs with a strong RSSI. This is needed to be compatible with
+         * older userspace that treated a matchset with only the RSSI as the
+         * global RSSI for all other matchsets - if there are other matchsets.
+         */
+        if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
                 nla_for_each_nested(attr,
                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
-                                    tmp)
-                        n_match_sets++;
+                                    tmp) {
+                        struct nlattr *rssi;
+
+                        err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
+                                        nla_data(attr), nla_len(attr),
+                                        nl80211_match_policy);
+                        if (err)
+                                return err;
+                        /* add other standalone attributes here */
+                        if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
+                                n_match_sets++;
+                                continue;
+                        }
+                        rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
+                        if (rssi)
+                                default_match_rssi = nla_get_s32(rssi);
+                }
+        }
+
+        /* However, if there's no other matchset, add the RSSI one */
+        if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
+                n_match_sets = 1;
 
         if (n_match_sets > wiphy->max_match_sets)
                 return -EINVAL;
@@ -5602,11 +5662,22 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
                                     tmp) {
                         struct nlattr *ssid, *rssi;
 
-                        nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
-                                  nla_data(attr), nla_len(attr),
-                                  nl80211_match_policy);
+                        err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
+                                        nla_data(attr), nla_len(attr),
+                                        nl80211_match_policy);
+                        if (err)
+                                goto out_free;
                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
                         if (ssid) {
+                                if (WARN_ON(i >= n_match_sets)) {
+                                        /* this indicates a programming error,
+                                         * the loop above should have verified
+                                         * things properly
+                                         */
+                                        err = -EINVAL;
+                                        goto out_free;
+                                }
+
                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
                                         err = -EINVAL;
                                         goto out_free;
@@ -5615,15 +5686,28 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
                                        nla_data(ssid), nla_len(ssid));
                                 request->match_sets[i].ssid.ssid_len =
                                         nla_len(ssid);
+                                /* special attribute - old implemenation w/a */
+                                request->match_sets[i].rssi_thold =
+                                        default_match_rssi;
+                                rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
+                                if (rssi)
+                                        request->match_sets[i].rssi_thold =
+                                                nla_get_s32(rssi);
                         }
-                        rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
-                        if (rssi)
-                                request->rssi_thold = nla_get_u32(rssi);
-                        else
-                                request->rssi_thold =
-                                                   NL80211_SCAN_RSSI_THOLD_OFF;
                         i++;
                 }
+
+                /* there was no other matchset, so the RSSI one is alone */
+                if (i == 0)
+                        request->match_sets[0].rssi_thold = default_match_rssi;
+
+                request->min_rssi_thold = INT_MAX;
+                for (i = 0; i < n_match_sets; i++)
+                        request->min_rssi_thold =
+                                min(request->match_sets[i].rssi_thold,
+                                    request->min_rssi_thold);
+        } else {
+                request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
         }
 
         if (info->attrs[NL80211_ATTR_IE]) {
@@ -5719,7 +5803,7 @@ static int nl80211_start_radar_detection(struct sk_buff *skb,
 
         err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
         if (!err) {
-                wdev->channel = chandef.chan;
+                wdev->chandef = chandef;
                 wdev->cac_started = true;
                 wdev->cac_start_time = jiffies;
         }
@@ -5751,10 +5835,15 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
 
                 /* useless if AP is not running */
                 if (!wdev->beacon_interval)
-                        return -EINVAL;
+                        return -ENOTCONN;
                 break;
         case NL80211_IFTYPE_ADHOC:
+                if (!wdev->ssid_len)
+                        return -ENOTCONN;
+                break;
         case NL80211_IFTYPE_MESH_POINT:
+                if (!wdev->mesh_id_len)
+                        return -ENOTCONN;
                 break;
         default:
                 return -EOPNOTSUPP;
@@ -6192,9 +6281,9 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
                 return -EOPNOTSUPP;
 
         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
-        chan = ieee80211_get_channel(&rdev->wiphy,
-                nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
-        if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
+        chan = nl80211_get_valid_chan(&rdev->wiphy,
+                                      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+        if (!chan)
                 return -EINVAL;
 
         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
@@ -6347,9 +6436,9 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 
         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
-        chan = ieee80211_get_channel(&rdev->wiphy,
-                nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
-        if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
+        chan = nl80211_get_valid_chan(&rdev->wiphy,
+                                      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+        if (!chan)
                 return -EINVAL;
 
         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
@@ -6985,6 +7074,9 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 
         if (info->attrs[NL80211_ATTR_MAC])
                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
+        else if (info->attrs[NL80211_ATTR_MAC_HINT])
+                connect.bssid_hint =
+                        nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
 
@@ -7003,11 +7095,14 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
         }
 
         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
-                connect.channel =
-                        ieee80211_get_channel(wiphy,
-                            nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
-                if (!connect.channel ||
-                    connect.channel->flags & IEEE80211_CHAN_DISABLED)
+                connect.channel = nl80211_get_valid_chan(
+                        wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+                if (!connect.channel)
+                        return -EINVAL;
+        } else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
+                connect.channel_hint = nl80211_get_valid_chan(
+                        wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
+                if (!connect.channel_hint)
                         return -EINVAL;
         }
 
@@ -7421,6 +7516,7 @@ static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
         [NL80211_TXRATE_HT] = { .type = NLA_BINARY,
                                 .len = NL80211_MAX_SUPP_HT_RATES },
         [NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
+        [NL80211_TXRATE_GI] = { .type = NLA_U8 },
 };
 
 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
@@ -7467,16 +7563,19 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
          * directly to the enum ieee80211_band values used in cfg80211.
          */
         BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
-        nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
-        {
+        nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
                 enum ieee80211_band band = nla_type(tx_rates);
+                int err;
+
                 if (band < 0 || band >= IEEE80211_NUM_BANDS)
                         return -EINVAL;
                 sband = rdev->wiphy.bands[band];
                 if (sband == NULL)
                         return -EINVAL;
-                nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
-                          nla_len(tx_rates), nl80211_txattr_policy);
+                err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
+                                nla_len(tx_rates), nl80211_txattr_policy);
+                if (err)
+                        return err;
                 if (tb[NL80211_TXRATE_LEGACY]) {
                         mask.control[band].legacy = rateset_to_mask(
                                 sband,
@@ -7501,6 +7600,12 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
                                         mask.control[band].vht_mcs))
                                 return -EINVAL;
                 }
+                if (tb[NL80211_TXRATE_GI]) {
+                        mask.control[band].gi =
+                                nla_get_u8(tb[NL80211_TXRATE_GI]);
+                        if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
+                                return -EINVAL;
+                }
 
                 if (mask.control[band].legacy == 0) {
                         /* don't allow empty legacy rates if HT or VHT
@@ -7777,8 +7882,8 @@ static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
         return err;
 }
 
-static struct nla_policy
-nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] __read_mostly = {
+static const struct nla_policy
+nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
         [NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
         [NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
         [NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
@@ -11107,7 +11212,8 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
                     wdev->iftype != NL80211_IFTYPE_MESH_POINT))
                 return;
 
-        wdev->channel = chandef->chan;
+        wdev->chandef = *chandef;
+        wdev->preset_chandef = *chandef;
         nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
 }
 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
@@ -11621,6 +11727,35 @@ void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
 }
 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
 
+void nl80211_send_ap_stopped(struct wireless_dev *wdev)
+{
+        struct wiphy *wiphy = wdev->wiphy;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+        struct sk_buff *msg;
+        void *hdr;
+
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return;
+
+        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
+        if (!hdr)
+                goto out;
+
+        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
+            nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
+            nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
+                goto out;
+
+        genlmsg_end(msg, hdr);
+
+        genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
+                                NL80211_MCGRP_MLME, GFP_KERNEL);
+        return;
+ out:
+        nlmsg_free(msg);
+}
+
 /* initialisation/exit functions */
 
 int nl80211_init(void)
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index 75799746d845..1e6df9630f42 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_registered_device *rdev,
                      enum nl80211_radar_event event,
                      struct net_device *netdev, gfp_t gfp);
 
+void nl80211_send_ap_stopped(struct wireless_dev *wdev);
+
 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev);
 
 #endif /* __NET_WIRELESS_NL80211_H */
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 9b897fca7487..27c5253e7a61 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -91,7 +91,7 @@ static struct regulatory_request __rcu *last_request =
 /* To trigger userspace events */
 static struct platform_device *reg_pdev;
 
-static struct device_type reg_device_type = {
+static const struct device_type reg_device_type = {
         .uevent = reg_device_uevent,
 };
 
@@ -522,6 +522,77 @@ bool reg_is_valid_request(const char *alpha2)
         return alpha2_equal(lr->alpha2, alpha2);
 }
 
+static const struct ieee80211_regdomain *reg_get_regdomain(struct wiphy *wiphy)
+{
+        struct regulatory_request *lr = get_last_request();
+
+        /*
+         * Follow the driver's regulatory domain, if present, unless a country
+         * IE has been processed or a user wants to help complaince further
+         */
+        if (lr->initiator != NL80211_REGDOM_SET_BY_COUNTRY_IE &&
+            lr->initiator != NL80211_REGDOM_SET_BY_USER &&
+            wiphy->regd)
+                return get_wiphy_regdom(wiphy);
+
+        return get_cfg80211_regdom();
+}
+
+unsigned int reg_get_max_bandwidth(const struct ieee80211_regdomain *rd,
+                                   const struct ieee80211_reg_rule *rule)
+{
+        const struct ieee80211_freq_range *freq_range = &rule->freq_range;
+        const struct ieee80211_freq_range *freq_range_tmp;
+        const struct ieee80211_reg_rule *tmp;
+        u32 start_freq, end_freq, idx, no;
+
+        for (idx = 0; idx < rd->n_reg_rules; idx++)
+                if (rule == &rd->reg_rules[idx])
+                        break;
+
+        if (idx == rd->n_reg_rules)
+                return 0;
+
+        /* get start_freq */
+        no = idx;
+
+        while (no) {
+                tmp = &rd->reg_rules[--no];
+                freq_range_tmp = &tmp->freq_range;
+
+                if (freq_range_tmp->end_freq_khz < freq_range->start_freq_khz)
+                        break;
+
+                if (freq_range_tmp->max_bandwidth_khz)
+                        break;
+
+                freq_range = freq_range_tmp;
+        }
+
+        start_freq = freq_range->start_freq_khz;
+
+        /* get end_freq */
+        freq_range = &rule->freq_range;
+        no = idx;
+
+        while (no < rd->n_reg_rules - 1) {
+                tmp = &rd->reg_rules[++no];
+                freq_range_tmp = &tmp->freq_range;
+
+                if (freq_range_tmp->start_freq_khz > freq_range->end_freq_khz)
+                        break;
+
+                if (freq_range_tmp->max_bandwidth_khz)
+                        break;
+
+                freq_range = freq_range_tmp;
+        }
+
+        end_freq = freq_range->end_freq_khz;
+
+        return end_freq - start_freq;
+}
+
 /* Sanity check on a regulatory rule */
 static bool is_valid_reg_rule(const struct ieee80211_reg_rule *rule)
 {
@@ -630,7 +701,9 @@ reg_intersect_dfs_region(const enum nl80211_dfs_regions dfs_region1,
  * Helper for regdom_intersect(), this does the real
  * mathematical intersection fun
  */
-static int reg_rules_intersect(const struct ieee80211_reg_rule *rule1,
+static int reg_rules_intersect(const struct ieee80211_regdomain *rd1,
+                               const struct ieee80211_regdomain *rd2,
+                               const struct ieee80211_reg_rule *rule1,
                                const struct ieee80211_reg_rule *rule2,
                                struct ieee80211_reg_rule *intersected_rule)
 {
@@ -638,7 +711,7 @@ static int reg_rules_intersect(const struct ieee80211_reg_rule *rule1,
         struct ieee80211_freq_range *freq_range;
         const struct ieee80211_power_rule *power_rule1, *power_rule2;
         struct ieee80211_power_rule *power_rule;
-        u32 freq_diff;
+        u32 freq_diff, max_bandwidth1, max_bandwidth2;
 
         freq_range1 = &rule1->freq_range;
         freq_range2 = &rule2->freq_range;
@@ -652,8 +725,24 @@ static int reg_rules_intersect(const struct ieee80211_reg_rule *rule1,
                                          freq_range2->start_freq_khz);
         freq_range->end_freq_khz = min(freq_range1->end_freq_khz,
                                        freq_range2->end_freq_khz);
-        freq_range->max_bandwidth_khz = min(freq_range1->max_bandwidth_khz,
-                                            freq_range2->max_bandwidth_khz);
+
+        max_bandwidth1 = freq_range1->max_bandwidth_khz;
+        max_bandwidth2 = freq_range2->max_bandwidth_khz;
+
+        /*
+         * In case max_bandwidth1 == 0 and max_bandwith2 == 0 set
+         * output bandwidth as 0 (auto calculation). Next we will
+         * calculate this correctly in handle_channel function.
+         * In other case calculate output bandwidth here.
+         */
+        if (max_bandwidth1 || max_bandwidth2) {
+                if (!max_bandwidth1)
+                        max_bandwidth1 = reg_get_max_bandwidth(rd1, rule1);
+                if (!max_bandwidth2)
+                        max_bandwidth2 = reg_get_max_bandwidth(rd2, rule2);
+        }
+
+        freq_range->max_bandwidth_khz = min(max_bandwidth1, max_bandwidth2);
 
         freq_diff = freq_range->end_freq_khz - freq_range->start_freq_khz;
         if (freq_range->max_bandwidth_khz > freq_diff)
@@ -713,7 +802,8 @@ regdom_intersect(const struct ieee80211_regdomain *rd1,
                 rule1 = &rd1->reg_rules[x];
                 for (y = 0; y < rd2->n_reg_rules; y++) {
                         rule2 = &rd2->reg_rules[y];
-                        if (!reg_rules_intersect(rule1, rule2, &dummy_rule))
+                        if (!reg_rules_intersect(rd1, rd2, rule1, rule2,
+                                                 &dummy_rule))
                                 num_rules++;
                 }
         }
@@ -738,7 +828,8 @@ regdom_intersect(const struct ieee80211_regdomain *rd1,
                          * a memcpy()
                          */
                         intersected_rule = &rd->reg_rules[rule_idx];
-                        r = reg_rules_intersect(rule1, rule2, intersected_rule);
+                        r = reg_rules_intersect(rd1, rd2, rule1, rule2,
+                                                intersected_rule);
                         /*
                          * No need to memset here the intersected rule here as
                          * we're not using the stack anymore
@@ -821,18 +912,8 @@ const struct ieee80211_reg_rule *freq_reg_info(struct wiphy *wiphy,
                                                u32 center_freq)
 {
         const struct ieee80211_regdomain *regd;
-        struct regulatory_request *lr = get_last_request();
 
-        /*
-         * Follow the driver's regulatory domain, if present, unless a country
-         * IE has been processed or a user wants to help complaince further
-         */
-        if (lr->initiator != NL80211_REGDOM_SET_BY_COUNTRY_IE &&
-            lr->initiator != NL80211_REGDOM_SET_BY_USER &&
-            wiphy->regd)
-                regd = get_wiphy_regdom(wiphy);
-        else
-                regd = get_cfg80211_regdom();
+        regd = reg_get_regdomain(wiphy);
 
         return freq_reg_info_regd(wiphy, center_freq, regd);
 }
@@ -903,6 +984,8 @@ static void handle_channel(struct wiphy *wiphy,
         const struct ieee80211_freq_range *freq_range = NULL;
         struct wiphy *request_wiphy = NULL;
         struct regulatory_request *lr = get_last_request();
+        const struct ieee80211_regdomain *regd;
+        u32 max_bandwidth_khz;
 
         request_wiphy = wiphy_idx_to_wiphy(lr->wiphy_idx);
 
@@ -944,11 +1027,18 @@ static void handle_channel(struct wiphy *wiphy,
         power_rule = &reg_rule->power_rule;
         freq_range = &reg_rule->freq_range;
 
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(40))
+        max_bandwidth_khz = freq_range->max_bandwidth_khz;
+        /* Check if auto calculation requested */
+        if (!max_bandwidth_khz) {
+                regd = reg_get_regdomain(wiphy);
+                max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
+        }
+
+        if (max_bandwidth_khz < MHZ_TO_KHZ(40))
                 bw_flags = IEEE80211_CHAN_NO_HT40;
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(80))
+        if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                 bw_flags |= IEEE80211_CHAN_NO_80MHZ;
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(160))
+        if (max_bandwidth_khz < MHZ_TO_KHZ(160))
                 bw_flags |= IEEE80211_CHAN_NO_160MHZ;
 
         if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER &&
@@ -1334,6 +1424,7 @@ static void handle_channel_custom(struct wiphy *wiphy,
         const struct ieee80211_reg_rule *reg_rule = NULL;
         const struct ieee80211_power_rule *power_rule = NULL;
         const struct ieee80211_freq_range *freq_range = NULL;
+        u32 max_bandwidth_khz;
 
         reg_rule = freq_reg_info_regd(wiphy, MHZ_TO_KHZ(chan->center_freq),
                                       regd);
@@ -1351,11 +1442,16 @@ static void handle_channel_custom(struct wiphy *wiphy,
         power_rule = &reg_rule->power_rule;
         freq_range = &reg_rule->freq_range;
 
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(40))
+        max_bandwidth_khz = freq_range->max_bandwidth_khz;
+        /* Check if auto calculation requested */
+        if (!max_bandwidth_khz)
+                max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
+
+        if (max_bandwidth_khz < MHZ_TO_KHZ(40))
                 bw_flags = IEEE80211_CHAN_NO_HT40;
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(80))
+        if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                 bw_flags |= IEEE80211_CHAN_NO_80MHZ;
-        if (freq_range->max_bandwidth_khz < MHZ_TO_KHZ(160))
+        if (max_bandwidth_khz < MHZ_TO_KHZ(160))
                 bw_flags |= IEEE80211_CHAN_NO_160MHZ;
 
         chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags;
@@ -1683,17 +1779,9 @@ static void reg_process_hint(struct regulatory_request *reg_request)
         struct wiphy *wiphy = NULL;
         enum reg_request_treatment treatment;
 
-        if (WARN_ON(!reg_request->alpha2))
-                return;
-
         if (reg_request->wiphy_idx != WIPHY_IDX_INVALID)
                 wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx);
 
-        if (reg_request->initiator == NL80211_REGDOM_SET_BY_DRIVER && !wiphy) {
-                kfree(reg_request);
-                return;
-        }
-
         switch (reg_request->initiator) {
         case NL80211_REGDOM_SET_BY_CORE:
                 reg_process_hint_core(reg_request);
@@ -1703,23 +1791,33 @@ static void reg_process_hint(struct regulatory_request *reg_request)
                 if (treatment == REG_REQ_OK ||
                     treatment == REG_REQ_ALREADY_SET)
                         return;
-                schedule_delayed_work(&reg_timeout, msecs_to_jiffies(3142));
+                queue_delayed_work(system_power_efficient_wq,
+                                   &reg_timeout, msecs_to_jiffies(3142));
                 return;
         case NL80211_REGDOM_SET_BY_DRIVER:
+                if (!wiphy)
+                        goto out_free;
                 treatment = reg_process_hint_driver(wiphy, reg_request);
                 break;
         case NL80211_REGDOM_SET_BY_COUNTRY_IE:
+                if (!wiphy)
+                        goto out_free;
                 treatment = reg_process_hint_country_ie(wiphy, reg_request);
                 break;
         default:
                 WARN(1, "invalid initiator %d\n", reg_request->initiator);
-                return;
+                goto out_free;
         }
 
         /* This is required so that the orig_* parameters are saved */
         if (treatment == REG_REQ_ALREADY_SET && wiphy &&
             wiphy->regulatory_flags & REGULATORY_STRICT_REG)
                 wiphy_update_regulatory(wiphy, reg_request->initiator);
+
+        return;
+
+out_free:
+        kfree(reg_request);
 }
 
 /*
@@ -2147,6 +2245,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd)
         const struct ieee80211_reg_rule *reg_rule = NULL;
         const struct ieee80211_freq_range *freq_range = NULL;
         const struct ieee80211_power_rule *power_rule = NULL;
+        char bw[32];
 
         pr_info("  (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)\n");
 
@@ -2155,22 +2254,29 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd)
                 freq_range = &reg_rule->freq_range;
                 power_rule = &reg_rule->power_rule;
 
+                if (!freq_range->max_bandwidth_khz)
+                        snprintf(bw, 32, "%d KHz, AUTO",
+                                 reg_get_max_bandwidth(rd, reg_rule));
+                else
+                        snprintf(bw, 32, "%d KHz",
+                                 freq_range->max_bandwidth_khz);
+
                 /*
                  * There may not be documentation for max antenna gain
                  * in certain regions
                  */
                 if (power_rule->max_antenna_gain)
-                        pr_info("  (%d KHz - %d KHz @ %d KHz), (%d mBi, %d mBm)\n",
+                        pr_info("  (%d KHz - %d KHz @ %s), (%d mBi, %d mBm)\n",
                                 freq_range->start_freq_khz,
                                 freq_range->end_freq_khz,
-                                freq_range->max_bandwidth_khz,
+                                bw,
                                 power_rule->max_antenna_gain,
                                 power_rule->max_eirp);
                 else
-                        pr_info("  (%d KHz - %d KHz @ %d KHz), (N/A, %d mBm)\n",
+                        pr_info("  (%d KHz - %d KHz @ %s), (N/A, %d mBm)\n",
                                 freq_range->start_freq_khz,
                                 freq_range->end_freq_khz,
-                                freq_range->max_bandwidth_khz,
+                                bw,
                                 power_rule->max_eirp);
         }
 }
@@ -2294,7 +2400,8 @@ static int reg_set_rd_driver(const struct ieee80211_regdomain *rd,
 
         request_wiphy = wiphy_idx_to_wiphy(driver_request->wiphy_idx);
         if (!request_wiphy) {
-                schedule_delayed_work(&reg_timeout, 0);
+                queue_delayed_work(system_power_efficient_wq,
+                                   &reg_timeout, 0);
                 return -ENODEV;
         }
 
@@ -2354,7 +2461,8 @@ static int reg_set_rd_country_ie(const struct ieee80211_regdomain *rd,
 
         request_wiphy = wiphy_idx_to_wiphy(country_ie_request->wiphy_idx);
         if (!request_wiphy) {
-                schedule_delayed_work(&reg_timeout, 0);
+                queue_delayed_work(system_power_efficient_wq,
+                                   &reg_timeout, 0);
                 return -ENODEV;
         }
 
diff --git a/net/wireless/reg.h b/net/wireless/reg.h
index 02bd8f4b0921..18524617ab62 100644
--- a/net/wireless/reg.h
+++ b/net/wireless/reg.h
@@ -34,6 +34,8 @@ int __init regulatory_init(void);
 void regulatory_exit(void);
 
 int set_regdom(const struct ieee80211_regdomain *rd);
+unsigned int reg_get_max_bandwidth(const struct ieee80211_regdomain *rd,
+                                   const struct ieee80211_reg_rule *rule);
 
 bool reg_last_request_cell_base(void);
 
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index fbcc23edee54..5eaeed59db07 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -2278,11 +2278,6 @@ DECLARE_EVENT_CLASS(cfg80211_rx_evt,
         TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
 );
 
-DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
-        TP_PROTO(struct net_device *netdev, const u8 *addr),
-        TP_ARGS(netdev, addr)
-);
-
 DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
         TP_PROTO(struct net_device *netdev, const u8 *addr),
         TP_ARGS(netdev, addr)
@@ -2293,6 +2288,24 @@ DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_unexpected_4addr_frame,
         TP_ARGS(netdev, addr)
 );
 
+TRACE_EVENT(cfg80211_ibss_joined,
+        TP_PROTO(struct net_device *netdev, const u8 *bssid,
+                 struct ieee80211_channel *channel),
+        TP_ARGS(netdev, bssid, channel),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                CHAN_ENTRY
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, bssid);
+                CHAN_ASSIGN(channel);
+        ),
+        TP_printk(NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", " CHAN_PR_FMT,
+                  NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
+);
+
 TRACE_EVENT(cfg80211_probe_status,
         TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
                  bool acked),
diff --git a/net/wireless/util.c b/net/wireless/util.c
index d39c37104ae2..780b4546c9c7 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -820,7 +820,8 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev)
                                                 ev->dc.reason, true);
                         break;
                 case EVENT_IBSS_JOINED:
-                        __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid);
+                        __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid,
+                                               ev->ij.channel);
                         break;
                 }
                 wdev_unlock(wdev);
@@ -1356,7 +1357,7 @@ int cfg80211_can_use_iftype_chan(struct cfg80211_registered_device *rdev,
                  */
                 mutex_lock_nested(&wdev_iter->mtx, 1);
                 __acquire(wdev_iter->mtx);
-                cfg80211_get_chan_state(wdev_iter, &ch, &chmode);
+                cfg80211_get_chan_state(wdev_iter, &ch, &chmode, &radar_detect);
                 wdev_unlock(wdev_iter);
 
                 switch (chmode) {